Prabhat Mishra, Nikil Dutt - PowerPoint PPT Presentation

1
  • Prabhat Mishra, Nikil Dutt
  • Center for Embedded Computer Systems
  • University of California, Irvine
  • Narayanan Krishnamurthy, Magdy Abadir
  • High Performance Tools and Methodology
  • Motorola Inc., Austin, TX
  • June 07, 2002

2
Outline
  • Motivation
  • Top-Down Validation Flow
  • Versys2 Symbolic Simulator
  • Experiments
  • Future Work Directions
  • Summary

3
Introduction
  • Need for reduction of design cycle time
  • Shrinking time-to-market
  • Short product lifetime
  • Validation is a major component
  • Implementation implies specification
  • Specification: architecture specification document
  • Implementation: RTL / gate description of architecture
  • Design validation techniques
  • Simulation based approaches
  • Formal techniques

4
Introduction
  • Design validation techniques
  • Simulation based approaches
  • Scalar simulation cannot be exhaustive
  • Formal techniques
  • Can verify small designs completely
  • Symbolic simulation
  • Bridges the gap
  • Versys2 custom-memory verification tool

5
Bottom-up Validation Approaches
[Figure: flow diagram with labels Micro-architecture Specification, ISA Specification, Manual Verification, Property Checking, High Level Description, Abstraction, Property Checking, RTL]
6
Our Approach
  • Top-down validation
  • Property checking
  • Properties are extracted from specification
  • Symbolic simulation
  • Verify implementation satisfies the properties

7
Outline
  • Motivation
  • Top-Down Validation Flow
  • Versys2 Symbolic Simulator
  • Experiments
  • Future Work Directions
  • Summary

8
Top-Down Validation Flow
[Figure: validation flow diagram; legend: Automatic, Manual]
9
Top-Down Validation Flow
[Figure: flow diagram with labels Architecture Specification (English Document), Verification Engineers, Designers, Properties (Verilog), RTL Design (Verilog), State Machine, Boolean Model, Symbolic Simulation, Versys2; legend: Automatic, Manual]
10
Outline
  • Motivation
  • Top-Down Validation Flow
  • Versys2 Symbolic Simulator
  • Experiments
  • Future Work Directions
  • Summary

11
Versys2
  • Performs equivalence checking of custom-memory
    arrays
  • Reference model: RTL
  • Implementation model: transistor level
  • Generate assertions from RTL design
  • Apply them to transistor level design
  • Perform Symbolic Trajectory Evaluation

12
Automatic Generation of Assertions
  • Microprocessor array structures
  • Assertions
  • antecedent => consequent
  • Both Antecedent and Consequent
  • temporal logic formulae
  • simple predicate
  • line A is a from t1 to t2
  • conjunctions of these simple predicates

"Automatic Generation of Assertions for Formal Verification of PowerPC Microprocessor Arrays using Symbolic Trajectory Evaluation," Li-C. Wang, Magdy S. Abadir, and Nari Krishnamurthy, DAC 1998
13
Symbolic Trajectory Evaluation
  • Simulate the circuit over the weakest trajectory
    for the antecedent (I)
  • Generate the weakest state sequence corresponding
    to the consequent (II)
  • Test whether the weakest trajectory in I is at
    least as strong as the consequent in II

14
Simulation
  • n-input NAND gate requires 2^n vectors

    Inputs   Output
    0  0     1
    0  1     1
    1  1     0
    1  0     1

  • Ternary simulation requires n+1 vectors

    Inputs   Output
    0  X     1
    X  0     1
    1  1     0

15
Symbolic Simulation
[Figure: gate with inputs A and B and output C, shown with the ternary vectors of the previous slide; labels: Antecedent, Consequent, ( 0, X ) => 1]
  • Requires only 1 vector
  • Antecedent: (A is a from 0 to 1) and (B is b from
    0 to 1)
  • Consequent: (C is (a b) from 1 to 2)

16
State, sequence, trajectory, weakness
X is weaker than both 0 and 1
[Figure: diagram relating the values 0, 1 and X]
The state of a node is a value from the set of logic values {0, 1, X}
State 01 has at least as much information as 0X; what about <0X, 1X>?
[Figure: diagram of the two-node states 00, 01, 10, 11, 0X, 1X, X0, X1, XX]
A trajectory is a sequence of states such that each state has at least as much information as the next-state function applied to the previous state
17
STE of an Inverter
Assertion: (A is 0 from 0 to 1) => (B is 1 from 1 to 2)
[Figure: inverter with input A and output B; time axis 0 to 3]
Weakest sequence satisfying antecedent
Weakest antecedent trajectory
Weakest sequence satisfying consequent
18
STE of an Inverter
Assertion: (A is 0 from 0 to 1) => (B is 1 from 1 to 2)
[Figure: inverter with input A and output B; time axis 0 to 3]
Weakest sequence satisfying antecedent: ( 0, X ), ( X, X ), ( X, X )
Weakest antecedent trajectory
Weakest sequence satisfying consequent
19
STE of an Inverter
Assertion: (A is 0 from 0 to 1) => (B is 1 from 1 to 2)
[Figure: inverter with input A and output B; time axis 0 to 3]
Weakest sequence satisfying antecedent: ( 0, X ), ( X, X ), ( X, X )
Weakest antecedent trajectory: ( 0, X ), ( X, 1 ), ( X, X )
Weakest sequence satisfying consequent
20
STE of an Inverter
Assertion: (A is 0 from 0 to 1) => (B is 1 from 1 to 2)
[Figure: inverter with input A and output B; time axis 0 to 3]
Weakest sequence satisfying antecedent: ( 0, X ), ( X, X ), ( X, X )
Weakest antecedent trajectory: ( 0, X ), ( X, 1 ), ( X, X )
Weakest sequence satisfying consequent: ( X, X ), ( X, 1 ), ( X, X )
21
STE of an Inverter
Assertion: (A is 0 from 0 to 1) => (B is 1 from 1 to 2)
[Figure: waveform with levels 1, 0 and X over time 0 to 3]
Weakest sequence satisfying antecedent: ( 0, X ), ( X, X ), ( X, X )
Weakest antecedent trajectory: ( 0, X ), ( X, 1 ), ( X, X )
Weakest sequence satisfying consequent: ( X, X ), ( X, 1 ), ( X, X )
Pass: antecedent trajectory is at least as strong as the consequent state sequence
22
STE of an Inverter
Assertion: (A is 0 from 0 to 1) => (B is 1 from 1 to 2)
[Figure: circuit with input A and output B; time axis 0 to 3]
Weakest sequence satisfying antecedent: ( 0, X ), ( X, X ), ( X, X )
Weakest antecedent trajectory: ( 0, X ), ( X, 0 ), ( X, X )
Weakest sequence satisfying consequent: ( X, X ), ( X, 1 ), ( X, X )
Assume actual implementation is buffer
23
STE of an Inverter
Assertion: (A is 0 from 0 to 1) => (B is 1 from 1 to 2)
[Figure: waveform with levels 1, 0 and X over time 0 to 3]
Weakest sequence satisfying antecedent: ( 0, X ), ( X, X ), ( X, X )
Weakest antecedent trajectory: ( 0, X ), ( X, 0 ), ( X, X )
Weakest sequence satisfying consequent: ( X, X ), ( X, 1 ), ( X, X )
Fail: antecedent trajectory is not at least as strong as the consequent state sequence
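
Added example (not part of the original slides, and not Versys2 code): a small ternary STE check that reproduces the inverter "pass" and buffer "fail" results above, with states printed as (A, B). The function names and the unit-delay circuit model are assumptions of this sketch.

```python
X = "X"  # unknown value: weaker than both 0 and 1

def join(a, b):
    """Combine two ternary values; a 0/1 clash means a contradictory antecedent."""
    if a == X:
        return b
    if b == X or a == b:
        return a
    raise ValueError("antecedent conflicts with the circuit")

def weakest_sequence(preds, nodes, depth):
    """Weakest states for predicates (node, value, t_from, t_to), t_to exclusive."""
    seq = [dict.fromkeys(nodes, X) for _ in range(depth)]
    for node, value, t_from, t_to in preds:
        for t in range(t_from, t_to):
            seq[t][node] = value
    return seq

def ste(next_state, antecedent, consequent, nodes=("A", "B"), depth=3):
    """Return (passed, trajectory) for the assertion antecedent => consequent."""
    ant = weakest_sequence(antecedent, nodes, depth)
    con = weakest_sequence(consequent, nodes, depth)
    traj = [ant[0]]
    for t in range(1, depth):
        step = next_state(traj[-1])  # what the circuit forces at time t
        traj.append({n: join(ant[t][n], step[n]) for n in nodes})
    # Pass when each trajectory value is at least as strong as the consequent's.
    passed = all(con[t][n] in (X, traj[t][n]) for t in range(depth) for n in nodes)
    return passed, traj

def inverter(state):  # assumed unit delay; input A is not driven by the circuit
    a = state["A"]
    return {"A": X, "B": X if a == X else 1 - a}

def buffer(state):  # the wrong implementation assumed on the later slide
    return {"A": X, "B": state["A"]}

ANTECEDENT = [("A", 0, 0, 1)]  # A is 0 from 0 to 1
CONSEQUENT = [("B", 1, 1, 2)]  # B is 1 from 1 to 2

if __name__ == "__main__":
    for circuit in (inverter, buffer):
        passed, traj = ste(circuit, ANTECEDENT, CONSEQUENT)
        print(circuit.__name__, passed, [(s["A"], s["B"]) for s in traj])
```
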
24
Outline
  • Motivation
  • Top-Down Validation Flow
  • Versys2 Symbolic Simulator
  • Experiments
  • Future Work Directions
  • Summary

25
A Simple Property
  • Carry Lookahead Adder
  • Three inputs in0, in1, in2
  • One output out

[Figure: validation flow with labels Architecture Specification (English Document), Properties (Verilog), RTL Design (Verilog), State Machine, Boolean Model, Symbolic Simulation]
27
A Simple Property
  • Carry Lookahead Adder
  • Three inputs in0, in1, in2
  • One output out
  • One simple property
  • assign out in0 in1 in2

[Figure: validation flow with labels Architecture Specification (English Document), Properties (Verilog), RTL Design (Verilog), State Machine, Boolean Model, Symbolic Simulation]
28
A Simple Property
  • Carry Lookahead Adder
  • Three inputs in0, in1, in2
  • One output out
  • One simple property
  • assign out in0 in1 in2
  • Verification failed

[Figure: validation flow with labels Architecture Specification (English Document), Properties (Verilog), RTL Design (Verilog), State Machine, Boolean Model, Symbolic Simulation]
29
A Simple Property
  • Carry Lookahead Adder
  • Three inputs in0, in1, in2
  • One output out
  • One simple property
  • assign out in0 in1 in2
  • Specification of in2 was not complete
  • With clear and set logic
  • assign temp ( in2 clear ) set
  • assign out in0 in1 temp

30
Experiments
  • Memory Management Unit
  • Supports demand-paged virtual memory
  • Three blocks
  • Segment registers
  • Translation Lookaside Buffer (TLB)
  • Entry: data information
  • LRU: least recently used information
  • Valid: validity of the data
  • Block Address Translation (BAT)
  • RAM is used at the core

31
Memory Management Unit (MMU) Verification
  • All the units have RAM at the core
  • Property for read
  • assign out (rdClk rdEn) ? ramrdAddr
    32b0
  • Property for write
  • always @(wrClk or wrEn or dIn or wrAddr)
  • begin
  • if (wrClk wrEn) ramwrAddr <= dIn
  • end
  • Name mapping needed

32
Translation Lookaside Buffer (TLB)
33
Memory Management Unit Verification
  • TLB miss detection
  • assign input ( 1'b1, vsid023,
    ea49, ea1013 )
  • assign out0 ( valid0, data0023,
    data02429, data05457 )
  • assign out1 ( valid1, data1023,
    data12429, data15457 )
  • assign hit0 ( input out0 )
  • assign hit1 ( input out1 )
  • assign miss ( hit0 hit1 )

[Figure: TLB block diagram with labels data0, data1, Entry 0, Entry 1, vsid, pa, valid0, valid1, Valid 0, Valid 1, ea, LRU]
34
Memory Management Unit Verification
  • TLB miss detection
  • assign input ( 1'b1, vsid023,
    ea49, ea1013 )
  • assign out0 ( valid0, data0023,
    data02429, data05457 )
  • assign out1 ( valid1, data1023,
    data12429, data15457 )
  • assign hit0 ( input out0 )
  • assign hit1 ( input out1 )
  • assign miss ( hit0 hit1 )
  • Assumes access to internal variables
  • Hierarchical validation
  • Applicable to BAT array miss detection
  • Simple extension for associativity n

35
Memory Management Unit Verification
  • TLB miss detection
  • assign input ( 1'b1, vsid023,
    ea49, ea1013 )
  • assign out0 ( valid0, data0023,
    data02429, data05457 )
  • assign out1 ( valid1, data1023,
    data12429, data15457 )
  • assign hit0 ( input out0 )
  • assign hit1 ( input out1 )
  • assign miss ( hit0 hit1 )
  • No access to internal signals
  • Reuse of properties
  • assign data0 (rdClk rdEn) ? Entry0ea
    32b0

36
Observations
  • Incomplete specification
  • Adder with third input not defined
  • Mismatch happened due to default case
  • assign xyz cond ? expr1 expr 2
  • assign out (rdClk rdEn) ? ramrdAddr 32b0
  • Mismatch due to simulation semantics
  • Signals delayed using temporary latches

37
Outline
  • Motivation
  • Top-Down Validation Flow
  • Versys2 Symbolic Simulator
  • Experiments
  • Future Work Directions
  • Summary

38
Future Work Directions
  • Apply on complete microprocessor
  • Automatic generation of properties
  • Use of an executable specification
  • Architecture Description Language
  • automatic software toolkit generation
  • design space exploration
  • useful for verifying pipeline behavior
  • well-formed specification
  • validation of execution-style

39
Summary
  • Verification is complex and expensive
  • Present a top-down validation approach
  • Generate properties from specification
  • Apply these properties on RTL
  • Symbolic Simulation
  • Extending current methodology
  • automatic generation of properties
  • apply on a complete microprocessor

40
  • Thank you!