
Assertion-Based Formal Verification for STMicroelectronics’ Nomadik™ Smart Video/Imaging Accelerators
HPC/APD/CDI/MMS
François CLOUTÉ
Elisabeth BERREBI
Jean-Marc PARET
CDN Live! Nice Conference - June 26th, 2006


Nomadik STn8815 Smart Video Accelerator (SVA)
[Block diagram. Labels: SVA, DMA, AHB master port 1, camera interfaces, IPP, VCU, xbus, local data bus, PPP, TVO, TV output, AMBA AHB Multilayer, ARM926EJ host, MMDSP+, ITC, AHB slave port, interrupt lines, AHB master port 2]
CDNLive06 – 26 June


Smart Video Accelerator Design Challenge
• Objective: First Design Silicon Success
• Multimedia Mobile business:
• Hardware acceleration
• shorter design cycle times
• video standards more and more complex
• => HW debug earlier and faster
• => Full verification ASAP
• => Ideally at RTL level


RTL Co-simulation for any SVA IP
• Specman
  – Functional-coverage driven
  – Re-use benefit from
    • design topology re-use (common protocols)
    • object-oriented features (e language)
  – Stimuli generation
    • Pseudo-random directed tests (constraint solver)
    • eVCs, eRM for monitoring
  – Co-simulation with IP bit-true BCA reference model


RTL Co-simulation for any SVA IP
• Drawbacks
  – Dependency on the reference model
  – Covering corner cases is time-consuming
  – Possible generation holes
=> SVA RTL design with Assertion-based Formal Verification


Property Specification for SVA IPs
• Embed RTL design with PSL assertions
  – Formalize expected behavior – executable spec
  – Formalize legal/illegal use cases
  – Temporal logic property
    • HDL boolean layer – reuse
    • CTL temporal layer – safety & liveness – non HDL-like expressiveness
    • Verification layer


Property Specification for SVA IPs
• Expected benefits
  – Inner observability – no bug tracing from I/O
  – Isolate root cause failure – exactly when & where
  – IP protocol I/Fs – IP integration
• Write once, instantiate many, verify both/either by
  – Dynamic simulation
  – Static proof


SVA Assertion-based Methodology
• Common for static/dynamic verification
  – Target appropriate assertions vs RTL design
  – Maximize reuse by generic component encapsulation
  – Simplify assertion by property decomposition
• IFV
  – Assume/guarantee method
  – Sequence coverage – sanity checks
  – Identify right RTL hierarchy level for max ROI


SVA Assertion-Based Verification Step 1
• Input: Add PSL assertions for simulation
  – Learn PSL
  – Write properties
  – First embed them into already verified IPs
  – Debug assertions
  – Re-run simulation regressions
• Output: 1 hidden bug for an IP (66 properties)
  – One violated property, w/o incidence at previous co-simulation IP-level:
    • No bug propagation to IP outputs for that test
    • And generation hole


Incisive Formal Verification Evaluation Step 2
• Relatively small designs
  – No unreachable proof
  – All properties immediately proven pass/fail
    • Control/protocol
    • Data integrity
• Data-dominated designs
• Out of scope of PSL expressiveness (PLA-type)
• Reusability
• Tool debug features
  – Counter-example || bug hunting
  – Root cause searching
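
The assume/guarantee method, the sanity checks and the counter-example debugging listed on the two slides above, shown on a toy design. This is an added example, not code from the presentation and not IFV or PSL: the 2-bit buffer counter and the names `legal_use`, `no_wrap` and `check` are constructed for illustration, and a small Python state explorer stands in for the formal tool.

```python
from collections import deque
from itertools import product

DEPTH = 3  # constructed toy design: 3-entry buffer, 2-bit occupancy register

def step(count, push, pop):
    """Next-state function; a 2-bit register wraps modulo 4."""
    return (count + push - pop) % 4

def legal_use(count, push, pop):
    """Assumption (constraint on inputs): no push when full, no pop when empty."""
    return not (push and count == DEPTH) and not (pop and count == 0)

def no_wrap(count, nxt):
    """Guarantee (assertion): occupancy moves by at most one per cycle."""
    return abs(nxt - count) <= 1

def check(assume, max_depth=8):
    """Explore every input sequence the assumption allows, breadth first.

    Returns (verdict, counterexample, full_reached): the shortest input
    trace that breaks the guarantee, and whether the 'buffer full' state
    was ever reached (the sanity cover)."""
    seen, full_reached = {0}, False
    queue = deque([(0, [])])  # (count, inputs applied since reset)
    while queue:
        count, trace = queue.popleft()
        full_reached = full_reached or count == DEPTH
        if len(trace) == max_depth:
            continue
        for push, pop in product((0, 1), repeat=2):
            if not assume(count, push, pop):
                continue  # input forbidden by the constraint
            nxt = step(count, push, pop)
            if not no_wrap(count, nxt):
                return "fail", trace + [(push, pop)], full_reached
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [(push, pop)]))
    return "pass", None, full_reached

if __name__ == "__main__":
    print(check(legal_use))                    # constrained as intended
    print(check(lambda c, push, pop: True))    # unconstrained inputs
    # Over-constrained: pushes are forbidden altogether
    print(check(lambda c, push, pop: legal_use(c, push, pop) and not push))
```

The third call is the case the sanity checks exist for: the assertion passes, but the cover is never reached, so the pass says nothing about the design.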


Incisive Formal Verification for new IP block #1
• IFV for IP#1
  – New design from scratch
  – 100 KG, 130 properties
  – Focus on control-flow sub-design (4 concurrent FSMs)
  – Restriction case for datapath width
  – Prior to any simulation
• IP#1 Bug hunting results (out of 110 bugs)
  – ISV: 7 bugs, of which 4 hardly exercisable by simulation, 1 unthinkable
  – 13 others could have been formally proven
  – Cosimulation vs reference model: 100 other bugs
• IFV perfs vs final IP#1+PSL
  – Property checking: 22 constraints / 33 pass (EDmax=50) / 75 sanity / 0 unreachable
• ISV session: 12h on computer-farm (2h for IFV)
• IFV effort for IP#1: 2 person/weeks


Incisive Formal Verification for new IP block #2
• IFV for IP#2
  – New design from scratch
  – 25 KG, 430 properties
  – Used at top-level for
    • control path
    • data path (16-bit width Alu1, 32-bit width Alu2)
  – Prior to co-simulation
• IP#2 Bug hunting results (out of 40 bugs)
  – Concurrent debug:
    • IFV: 10 bugs
    • Assertion-based simulation: 17 bugs
  – Cosimulation vs reference model: 12 bugs
• One IFV interpretation bug for VHDL signed saturation (work-around)
• IFV perfs vs final IP#2+PSL
  – Property checking: 30 constraints / 320 pass (EDmax=60) / 80 sanity / 80 unreachable
• IFV computer-farm session: up to 1 week
• IFV effort for IP#2: 4 person/weeks


Formal Property Checking with IFV: SVA Conclusions
• Identify suitable design hot spots vs formal proof
• IFV can then definitively debug RTL
• Complexity manageable by reuse methodology
• Usable by designers
• Complementary to simulation but not self-sufficient
• Significant acceleration for functional verification
• Under controlled deployment
