This document discusses Jasper's formal verification solutions for ARM processor-based system-on-chip (SoC) designs. It describes how Jasper can be used at the IP level to verify ARM Cortex processors and at the system level to verify aspects of full SoCs such as protocol verification, deadlock detection, and connectivity verification. Customers mentioned include Ericsson, Apple, Sony, and AMCC.

1. A Comprehensive Formal Verification
Solution for ARM® Processor Based SoC
Design
Laurent Arditi, PhD – ARM Formal Verification Expert
Ziyad Hanna, PhD – Jasper VP of Research & Chief Architect
May 2, 2012
1

2. Jasper Provides Verification Solutions to
IP and System-on-chip Designs
Property Synthesis
Formal Property Verifica8on
 Automated asser0on genera0on
 Protocol cer0fica0on
 Iden0fica0on of coverage holes
 End-­‐to-­‐end packet integrity
 Inference and synthesis of func0onal proper0es  Asynchronous clocking effects
from RTL and simula0on waveforms
 Asser0on-­‐based verifica0on
RTL Development
Verifica8on IP
 Designer-­‐based verifica0on w/o testbench
 Cer0fica0on of AMBA 4/ACE checkers
 Design trade-­‐off analysis
 Popular standard protocols
 X-­‐propaga0on detec0on and debug
 Configurable, illustra0ve, op0mized for formal
 Power management verifica0on
Architecture Valida8on
Post-­‐Silicon Debug
SoC Integra8on
 Executable spec
 Failure signature matching
 Automated register verifica0on
 Absence of deadlock
 Root cause isola0on
 Glitch detec0on
 Cache coherency
 Candidate cause elimina0on
 Mul0-­‐cycle path verifica0on
 Valida0on of fixes before re-­‐spin
 Chip-­‐level connec0vity
Higher Capacity
Interac8ve Debug Increased Throughput Wider Deployment
Verify complex 100M gate Modify/create proper0es on U0lize mul0ple proof Proliferate across
designs
the fly to explore design engines on parallel compute engineering teams with
behavior
resources
unique adop0on model
Page 2 | © 2012, Jasper Design Automation | Confidential
May 2, 2012
2

3. Customers
Ericsson - A world of communication - Ericsson
Apple
WELCOME TO ERICSSON
Sony
SMI
AMCC
Page 3 | © 2012, Jasper Design Automation | Confidential
May 2, 2012
3

4. Agenda
 IP Level Formal Verification at ARM
 System Level Verification of ARM® processor based
SoC
Page 4 | © 2012, Jasper Design Automation | Confidential
May 2, 2012
4

5. ARM Cortex-R7 Formal Verification with
Jasper
 The ARM formal verification flow based on Jasper
has been found to have capacity to support the
verification of a Cortex-R series real-time processor
 Setup
• All the formal verification tasks for the ARM Cortex-R7
are applied at the top-level
• The top-level constraints are “simple”
• AXI protocol checkers
• Models of RAMs only where needed (mostly cache
tags): CAMs with additional constraints to start from a
non-empty RAM content
• A few assumptions to avoid fails due to software errors
Page 5 | © 2012, Jasper Design Automation | Confidential
May 2, 2012
5

6. Trial ARM Formal Verification Flow
waveforms
RTL
design team
properties
JasperGold
setup
validation team constraints
abstractions
report
leads &
managers
email Excel ValSpider Jira
Trial deployment on several blocks and units, with differing design size.
Page 6 | © 2012, Jasper Design Automation | Confidential
May 2, 2012
6

7. Formal for RTL Development - RTLD
 Designer-based verification w/o testbench
• Allows early RTL exploration without the need to generate input stimulus
• Start with simple behaviors about the design
– cover line_eop
• Group simple behaviors together to build complex scenarios
• Write assertions about events that are always/never true
 Design trade-off analysis
• Behaviors and scenarios allow for easy incremental analysis and RTL
comparison tasks
 Higher quality RTL passed to other teams in the design/verification flow
Page 7 | © 2012, Jasper Design Automation | Confidential
May 2, 2012
7

8. Jasper Flow for RTL Designers*
What-if analysis
Visualize design
behavior w/o testbench
RTL
Debug failing
scenarios
Functional scenario A :
assertion 5 violation
Functional scenario B :
assertion 7 violation Combine and save
Functional scenario C…… multiple functional
Functional scenario D…..
scenarios
Scenario A
Compare saved Scenario B
RTL’ scenarios Scenario C
Database
against modified Scenario D
RTL
Modified RTL
(*Partially used at ARM)
Page 8 | © 2012, Jasper Design Automation | Confidential
May 2, 2012
8

9. Jasper’s Visualize Technology
Simula0on
Visualize
RTL
Waveform
RTL
Waveform
Simulator
VisualizeTM
Testbench
state == READ
ack = 1
state == READ
ack = 1
Target is always in the
Target
waveform
 Simula0on
• More of an ‘input driven’ method, may not exercise desired behavior
• Wiggle the inputs to produce a desired behavior (trial and error)
 Visualize
• More of an ‘output driven’ method and u0lizes formal engines
• QuietTraceTM minimizes inputs and s0ll produces desired behavior
• Interac0vely add constraints to construct desired waveform
Page 9 | © 2012, Jasper Design Automation | Confidential
May 2, 2012
9

10. ARM Experience
Laurent Arditi, Principal Engineer, Processor Division, Jasper User Group 2011
 Some simulation test benches were not ready soon enough to run
the first RTL modules with new features
 So used FV to check these new features
 Use of basic properties to check the RTL is not completely broken
 Use of visualize to show the design is alive and the new features “do
something” not stupid
 It’s much faster to get a working formal setup than a simulation one
 And designers find formal counter-examples to be easier to debug
than simulation failures
Page 10 | © 2012, Jasper Design Automation | Confidential
May 2, 2012
10

11. ARM’s Assertion Based Design with
JasperGold
 Assertions were written for both simulation and formal
 Strong but simple SVA coding guidelines, for the ARM Cortex-R7:
• Avoid non-synthetizable properties (but liveness is accepted)
• Maximize the use of implications to get coverage points for free
• Software constraints turned into assumes for formal
• Critical properties on which a higher effort must be put
 X-Propagation checks
 Depending on the configuration, end-up with thousands of
properties
Page 11 | © 2012, Jasper Design Automation | Confidential
May 2, 2012
11

12. Formal Verification Dashboard
1600
Properties 18%
1400 Proven % fail
16%
Fail
1200 14% % unreachable
Undetermined
12%
1000
Poly. (% fail)
10%
Poly. (% unreachable)
800
8%
6%
600
4%
400
2%
200 0%
0
4 6 8 10 12 14 16 18 20 22 24 26 28 30 32 34 36 38 40 42 44 46 48 50 52 2 4 6 8 10 12
beta EAC beta EAC
Page 12 | © 2012, Jasper Design Automation | Confidential
May 2, 2012
12

13. JasperGold Found 15% of The Bugs
 Formal found many bugs at the start of the project. They were not tracked
 Started to count the assertion fails in Jan’11, and in Jira in July’11 (beta)
0.18
% fail
0.16
0.14
0.12
0.1
0.08
0.06
0.04
0.02
0
Page 13 | © 2012, Jasper Design Automation | Confidential
May 2, 2012
13

14. Quality of bugs found by JasperGold
 All bugs found by formal were not found earlier by simulation
 Very few false-negatives
• They could be resolved by adding new constraints
• A few remaining are UNPREDICTABLE cases and the constraints to discard them are too
complex to write. So these fails are “explained” and skipped
 Formal provides easy to debug waveforms
 Quality of the bugs found by formal:
• Very good at the beginning: obvious design errors
• Real corner cases
 Assertions are usually simple. More sequential ones would find more complex bugs
 Higher-level properties would allow to discover more fundamental bugs: deadlock,
coherency, determinism. Planned for maturity
Page 14 | © 2012, Jasper Design Automation | Confidential
May 2, 2012
14

15. Agenda
 IP Level Formal Verification at ARM
 System Level Verification of ARM processor based
SoC
Page 15 | © 2012, Jasper Design Automation | Confidential
May 2, 2012
15

16. ARM Based Heterogeneous System-on-Chip
GIC-400 ARM Video LCD
Mali-T604 I/O
graphics device
ARM ARM Network Interconnect
Quad Quad NIC-400
Cortex-A15 Cortex-A7
MMU-400 MMU-400 MMU-400
Cache Coherent Interconnect
CCI-400
Dynamic Memory Controller Network Interconnect
DMC-400 NIC-400
PHY PHY
DDR3/LPDDR2 DDR3/LPDDR2 Slaves Slaves
JUG-2011 Paul Martin
paul.martin@arm.com
Page 16 | © 2012, Jasper Design Automation | Confidential
May 2, 2012
16

17. SoC Integration and Verification
Challenges
 Protocol Modeling and Verification, Coherency
 Standard Interface Modeling and Verification (ProofKits)
 System Level Deadlocks Detection and Verification
 Connectivity and Integration
 Register programming sequence
 Power analysis and verification
 Security checks
Page 17 | © 2012, Jasper Design Automation | Confidential
May 2, 2012
17

18. ACE Verification – High-level Properties
 Coherence
• If a master s cache has a line in UD or UC, no other master can
have the line in a valid state
• If a master s cache has a line in SD, no other cache master can
have the line in SD
 Deadlock
• At least one transaction can always make forward progress
 Data integrity
• A read always reads the last write to an address
Page 18 | © 2012, Jasper Design Automation | Confidential
May 2, 2012
18

19. Jasper Architectural Validation Flow
Automatic Generation of
SV Model and Properties Architectural proofs
Arch spec. • Consistency
• Completeness
• E.g., coherency property
Architectural
waveforms
without testbench
Table-­‐based entry format
(or Murphi)
Architectural requirements
RTL Executable Export properties RTL formal
document view to RTL simulation verification
Page 19 | © 2012, Jasper Design Automation | Confidential
May 2, 2012
19

20. Advantages
 Verify architectural rules – cache coherence, deadlock
freedom
 Find corner case bugs – deadlocks, coherence issues
 Validate future protocol changes
 Remove specification ambiguities
 Downstream usage as VIP – checks + coverage model
Page 20 | © 2012, Jasper Design Automation | Confidential
May 2, 2012
20

21. ACE Protocol Modeling and Verification
With Jasper
“Verifying cache coherent systems is difficult and designers need
sophisticated VIP to help solve these issues”
“ARM partners with EDA companies like Jasper to ensure our SiP’s are
enabled to take advantage of improved system performance and power
JUG-2011 – Paul Martin
provided by AMBA 4” paul.martin@arm.com
Page 21 | © 2012, Jasper Design Automation | Confidential
May 2, 2012
21

22. Chip-Level Connectivity Verification Solution
 Exhaustively verifies that the RTL matches the connectivity definition
• Verify that point A is equivalent to point B (block or chip level)
as certain signals/modes can impact connections
• No other signals/modes/settings can impact connections
• Important aspect of system integration of many IP’s
 Types of connection
 Structural, Boolean condition, temporal condition, and temporal
connection with latency and delay
 Allow fast and exhaustive verification
 Quickly reconfirm results (regressions) as RTL is being modified
 Automated flow allows early and frequent verification
Page 22 | © 2012, Jasper Design Automation | Confidential
May 2, 2012
22

23. Chip-Level Connectivity Verification Flow
Top-level of SoC
A B
cond
Connec0vity proofs
(asser0ons and covers)
Waveforms
Connectivity map with connectivity
conditions
RTL
Page 23 | © 2012, Jasper Design Automation | Confidential
May 2, 2012
23

24. Automated Register Verification
 Formal proofs are exhaustive
• Checks for all possible sequences of RD/WRs in any order
• Checks for all register addresses
 Conceptually, the following non-deterministic trace is considered
by formal for proving address A
Register
transfer
D1 D2
check update check update check
Expected
Reset value D1 D2
reg-value
Non-deterministic # (zero to infinite) of
Rd/ Wr access to any address except A
reset
Read from address A
D Write D to address A
Page 24 | © 2012, Jasper Design Automation | Confidential
May 2, 2012
24

25. Jasper Provides Verification Solutions to
IP and System-on-chip Designs
Property Synthesis
Formal Property Verifica8on
 Automated asser0on genera0on
 Protocol cer0fica0on
 Iden0fica0on of coverage holes
 End-­‐to-­‐end packet integrity
 Inference and synthesis of func0onal proper0es  Asynchronous clocking effects
from RTL and simula0on waveforms
 Asser0on-­‐based verifica0on
RTL Development
Verifica8on IP
 Designer-­‐based verifica0on w/o testbench
 Cer0fica0on of AMBA 4/ACE checkers
 Design trade-­‐off analysis
 Popular standard protocols
 X-­‐propaga0on detec0on and debug
 Configurable, illustra0ve, op0mized for formal
 Power management verifica0on
Architecture Valida8on
Post-­‐Silicon Debug
SoC Integra8on
 Executable spec
 Failure signature matching
 Automated register verifica0on
 Absence of deadlock
 Root cause isola0on
 Glitch detec0on
 Cache coherency
 Candidate cause elimina0on
 Mul0-­‐cycle path verifica0on
 Valida0on of fixes before re-­‐spin
 Chip-­‐level connec0vity
Higher Capacity
Interac8ve Debug Increased Throughput Wider Deployment
Verify complex 100M gate Modify/create proper0es on U0lize mul0ple proof Proliferate across
designs
the fly to explore design engines on parallel compute engineering teams with
behavior
resources
unique adop0on model
Page 25 | © 2012, Jasper Design Automation | Confidential
May 2, 2012
25

26. Thanks
Page 26 | © 2012, Jasper Design Automation | Confidential
May 2, 2012
26