### Gap-Free verification of weakly programmable IPs against their operational ISA model

Markus Wedler, Sacha Loitz, Wolfgang Kunz Department of Electrical and Computer Engineering

University of Kaiserslautern/Germany

# Outline

- Challenges for Formal Verification imposed by Weakly-Programmable IPs (WPIP)
- Interval Property Checking
  - Specification Methodology
  - Gap-Free Specifications
- Operational ISA model
  - Operation-oriented specification
  - Software Constraints
  - Completeness considerations
- Applications

## Example WPIP FlexiTreP



## Example WPIP FlexiTreP



### Standard design flow for ASIPs



### Bottom-up Design Flow for WPIPs



29.03.2010

## WPIP FlexiTreP



# SAT-based Property Checking

Iterative Circuit Model: from i = t to i = t + k



# SAT-based Property Checking



- Unsatisfiability guarantees unbounded validity of  $\mathbf{G}(p)$
- p is specified by a timed Boolean predicate (TBP) in terms of design signals consisting of:
  - Boolean connectives (A,V,...)
  - Generated next state operator X<sup>t</sup>
- A TBP p refers to bounded inspection interval of time  $[t_f, t_l]$

### RT-level module verification: operation by operation



Typical methodology for Property Checking of SoC modules:

- Adopt an operational view of the design
- Each operation can be associated with certain important control states in which the operation starts and ends
- Specify a set of properties for every operation, i.e., for every important control state
- Verify the module operation by operation by moving along the important control states of the design
- The module is verified when every operation has been covered by a set of properties

### Property Checking of processor pipeline

- **Goal:** Prove that instructions are performed correctly
- Spec: Safety properties of type:  $G(a \rightarrow c)$  with bounded inspection interval
- Example: Property in ITL (Interval Language)



### CPU verification: instruction by instruction







### Mutation coverage

A set of (operational) properties *P* is complete for a design *C* with respect to a set of mutations  $M = \{C_1, ..., C_n\}$ , if *C* satisfies the properties in *P* and for every mutation  $C_i$  at least one property fails.

Problems:

- Criterion design-dependent
- Do the mutations reflect designer mistakes?

## Completeness

A set of (operational) properties P is complete if every two designs  $C_1$ ,  $C_2$  satisfying the properties in P are sequentially equivalent.



# Completeness

- Practical extensions:
  - Allow explicit constraints on inputs of designs
  - Weaken sequential equivalence condition by introduction of determination requirements



- Decompose proof with respect to the given properties  $p \in P$ .
  - Sucessor /Case-Split Test:

Every input trace can be covered with a uniquely determined sequence of properties  $(p_i | i \in \mathbb{N})$  such that the determination intervals match without gaps.

Determination Test:

Every property uniquely determines the outputs within its determination interval.

### Completeness



Decompose proof with respect to the given properties  $p \in P$ .

#### Sucessor /Case-Split Test:

Every input trace can be covered with a uniquely determined sequence of properties  $(p_i | i \in \mathbb{N})$  such that the determination intervals match without gaps.

#### Determination Test:

Every property uniquely determines the outputs within its determination interval.

29.03.2010

- Due to specific programming models WPIPs often lack a classical ISA model
  - Instructions correspond to hundreds of classical RISC instructions (referred to a nuclei)
  - Semantics often implicitly given by functional blocks (operations) involved in the execution

How to specify functional behavior of a WPIP?

- The operational ISA model for a WPIP consists of:
  - A relation OISA ⊆ I × O between the set of instructions I and the set of (pipeline) operations O
  - Timed Boolean predicates:
    - □ instr<sub>i</sub>Fetched(): determines whether the instruction  $i \in I$  is issued into the pipeline at a time-point t

•  $op_o(f)$ : specifies functionality of the operation  $o \in O$ 



Manual specifications given by the verification engineer

- $\Box OISA \subseteq I \times O$
- instr<sub>i</sub>Fetched(): determines whether the instruction  $i \in I$  is issued into the pipeline at a time-point t
- op<sub>o</sub>(): specifies functionality of the operation  $o \in O$

Everything else will be generated automatically!

- Timed Boolean predicates that are automatically generated from operational ISA model:
  - instr<sub>i</sub>Performed() =  $\Lambda_{(i,o) \in OISA} \operatorname{op}_{o}()$
  - $op_oTriggered() = V_{(i,o) \in OISA}$  instr<sub>i</sub>Fetched()



### Hazards imply software constraints



- Determine every pair of op<sub>k</sub>, op<sub>j</sub> k ≠ j that refer to the same resource with time slack t
- For all related instructions i<sub>k</sub>, i<sub>j</sub> store (i<sub>k</sub>, i<sub>j</sub>, op<sub>k</sub>, op<sub>j</sub>, t) in conflict list

### Hazards imply software constraints



For every conflict (i<sub>k</sub>, i<sub>j</sub>, op<sub>k</sub>, op<sub>j</sub>,t) in conflict list decide:

- Store automatically generated constraint that forbids sequences where i<sub>k</sub> follows i<sub>j</sub> after t clock cycles
- Manually find weaker constraint
  - □ swConstraint<sub>*j*,*k*</sub>() = instr<sub>*i*,*k*</sub>Fetched()→flags<sub>*i*,*k*</sub>()

### Software compliance with constraints



Strong abstraction feasible for checking compliance of software with detected and now explicitly specified constraints

### Software compliance with constraints



- Strong abstraction feasible for checking compliance of software with detected and now explicitly specified constraints
  - Empty models for operations (only signal names)
  - TBPs op<sub>k</sub>abstr() describe abstracted behavior
    - **\Box** Consider behavior of flags<sub>*i*<sub>*k*</sub>() only</sub>

# Completeness by construction

Case split and successor tests obviously hold and this can easily be verified by a completeness checker

Problem:

TBPs for operations op<sub>o</sub>() only describe modified values for involved state holding elements

⇒ other registers/memory cells remain undetermined

- Description of default behavior is required
  - keep value
  - take default value
- Tedious identification of situations where default behavior needs to be applied is completely automated

# **Experimental Results**

#### HW verification:

- MAP and FlexiTreP, two WPIPs for channel decoding were successfully verified.
- During the verification subtle HW bugs were discovered which had escaped sign-off simulation before
- FlexiTreP has been taped out successfully

- 65nm low power technology
- 41741 standard cells, 15 macros
- Die size without interface 0.74 mm<sup>2</sup>
- 360Mhz, core power ~100mW@1.1V
- Logic utilization 77%
- Silicon available since March 2009



## **Design characteristics**

|                           | МАР     | FlexiTreP |
|---------------------------|---------|-----------|
| # Instructions            | 16      | 104       |
| Lines of RTL Code         | 22689   | 114040    |
| Lines of ADL Code         | 1521    | 8634      |
| # Operations (properties) | 28      | 83        |
| # Generated properties    | 14      | 52        |
| CPU Time regression       | 37,67 s | 18h       |
| Memory Usage              | 593 MB  | 14,3 GB   |

Intel(R) Xeon(R) CPU E5440 @ 2.83GHz / SUSE 11.1

### Bugs discovered by FV

- Wrong sign extensions: res = op1 + op2
- Wrong saturation condition in stage 13 out of 14
- Confirmed bug in RTL code generation for nested if-thenelse statement of commercial ASIP design tool identified
- Scenario for a race condition of parallel value assignments to the same variable identified
- Software constraints have been ignored by some programs

### Results for automatic completion

- FlexiTreP (for industrial application)
  - Automatic completion of the OISA model revealed several inconsistencies/gaps within the property suite
  - All inconsistencies have been successfully resolved
  - All gaps have been closed
- MAP
  - SW-constraints and TBPs for default behavior have originally been set up manually.
  - Automatic analysis revealed that the manual process missed important software constraints
  - Completeness of the generated property set successfully proven with OneSpin 360 MV

Additional manual effort one week