#### A Methodology for Large-Scale Hardware Verification

Mark D. Aagaard, Robert B. Jones, Thomas F. Melham\*, John W. O'Leary, Carl-Johan H. Seger

> Strategic CAD Labs, Intel Architecture Group Intel Corporation, Hillsboro, OR \*Dept. of Computing Science, Univ. of Glasgow Glasgow, Scotland

#### Why Methodology?

- Theory by itself is not usable (in practice)
- Theory with a system is not usable (in practice)
- A *methodology* is required for theory and a system to be usable in practice

## Outline

- Motivating Example: Floating-Point Adder
  - Proof Overview
- Methodology Requirements
- Methodology Description: datapath verification with STE
  - Wiggling
  - Targeted Scalar Verification
  - Symbolic Verification
  - Theorem Proving
- Conclusion

#### Motivating Example: FP Adder

- IEEE-compliant floating-point addition and subtraction
- Multiple precisions
  - single, double, extended
- Multiple rounding modes
  - toward 0,  $+\infty$ ,  $-\infty$ , to nearest
- FPU from Intel Pentium® Pro processor
  - Large block of RTL code written by architects and logic designers
  - No modification from design database









## Suppose we find solutions...

## "Top 10" reasons we can still fail...

- Spend all your time finding bugs in the spec
- Can't keep up with daily design evolution
- System crashes while printing final BDD order
- At the end, you have no idea what you've actually proved
- And neither does your manager
- Design changes break structural decomposition
- "120,000" line proof little (or no) use for next project
- Spell checker removed those funny ∀ & ∃ characters
- You're the only one who knows how to do this--do you want to verify adders until retirement?
- After three years of effort, project canned because project was "all-or-nothing", and you have ...

#### We Must Also Have ...

- A systematic, pragmatic approach to organizing large-scale hardware verification efforts
- Methodology: a systematic approach to problem solving
  - Scope can be very broad (the scientific method)
  - Or quite narrow (BDD variable ordering)
- Methodologies are familiar in CAD
  - Sometimes called *flows*
  - Dictate the order and scope of design activities
  - Often involve multiple tools and data representations









#### The Methodology

- Intended for datapath verification based on symbolic trajectory evaluation (STE)
- Assumes a comprehensive verification framework
- Our (internal) framework is called Forte
  - Formerly known as Voss [Seger UBC]
  - Programmable interface (FL)
  - Multiple verification engines
  - Debugging support









## Developing Circuit APIs

- Use STE as a scalar simulator
- Begin with trivial inputs
  - We started by adding 0E0 + 0E0
- Observe the simplest outputs
  - We started by looking at the sign bit of the result

Symbolic Verif. Theorem Proving

Targeted Scalar Verif.

Viggling

- We expect the sign bit of 0E0 + 0E0 to be 0
- Appearance of X on an output is symptomatic of incomplete/missing/wrong information in the API
  - Fix API
  - Lather, rinse, and repeat
- For example ...



# Summary: Wiggling

- Artifact: Circuit API that defines circuit interface:
  - ♦ Signals
  - Timing
- Artifact: Primitive specification
- *Time to move on when:* circuit outputs can be driven non-X

#### The Methodology

- Wiggling
- Targeted Scalar Verification
- Symbolic Verification
- Theorem Proving

Wiggling Targeted Scalar Verif. Symbolic Verif. Theorem Proving







## The Methodology

- Wiggling
- Targeted Scalar Verification
- Symbolic Verification
- Theorem Proving







#### Theorem Proving Verifying RTL Against Ref. Model • Used symbolic trajectory evaluation (STE) Specification • Complexity issues: Symbolic Verif. data-dependent shifts in reference algorithm and RTL BDD blowup in RTL's LZA circuitry • Key insights: **Reference Model** split input data space to avoid data-Targeted Scalar Verif. dependent shifts (exploits parametric Circuit API representation) employ two STE verifications w/different BDD orderings (one for LZA circuit, one for result) dynamic weakening of symbolic values FADD RTL • 342 cases verified in parallel on workstation Wiggling network





## The Methodology

- Wiggling
- Targeted Scalar Verification
- Symbolic Verification
- Theorem Proving

Theorem Proving

Symbolic Verif.

Targeted Scalar Verif.

Wiggling

#### **Theorem Proving** • Verify reference model against an **Specification** external benchmark (in this case, a formalization of IEEE compliance) • Algorithm verification, done in a higher order logic theorem prover **Reference Model** • Finds bugs: Proof bugs: incorrect reasoning, Circuit API incomplete case splits Model bugs: missing behavior, corner cases Fixing bugs may require modelchecking modification--which FADD RTL may reveal circuit bugs

## Summary: Theorem Proving

- Artifact: Final version of functional specification
- Artifact: Top-level correctness statement
- Artifact: Collection of model-checking runs
- Artifact: Mechanized proof
  - Connects correctness statement to STE runs
- *Time to move on when:* the top-level specification has been formally linked with the STE runs

#### The Bigger Picture

- In practice of course, methodology stages are not strictly sequential
  - Fair amount of overlap
  - And backtracking
  - And more backtracking ...

Wiggling Targeted Scalar Verif. Symbolic Verif. Theorem Proving

#### Regression

- Finishing theorem proving doesn't mean verification is finished
- A "live" design is still changing
  - Architecture changes for performance enhancements
  - ECOs for circuit implementation issues
- Regression is a significant overhead in an on-going verification effort
  - We were surprised by this finding
  - Optimize both platform and methodology for failing cases

#### Regression

- An effective methodology localizes changes textually
- Greatly assisted by programmable interface to verification engines
- Closely related to regression is proof *re-use*
- *Time to move on when:* Your manager tells you you're "done"

Theorem Proving

Symbolic Verif.

Targeted Scalar Verif.

Wiggling

## Conclusions

- An effective methodology is key to successful verification "in the large"
- An effective methodology must fit skill set of verification team
- We have presented a four-stage methodology for STE datapath verification
  - Proven through many large industrial verifications
  - Applicable in other verification approaches
- Still a work in progress
  - Technology advances require (and enable) advances in methodology
  - Tension between tool capability and usability