© 2010 Cisco and/or its affiliates. All rights reserved.
How We Verified 5000 Lines of RTL with 3 Assertions
Nalin Nimavat (Cisco Systems) [email protected]
Singhal (Oski Technology) [email protected]
May 2012
The Device Under Test (DUT)
Over 2N possible cases to verify!
DUT and Test Plan Implications for the Formal Verification
• Key characteristics:
• First pass: (2N + 1) assertions to be formally verified.
• There are N fields, but all the fields are of different widths.
• Though the DUT is more like a register, can we apply memory abstractions to reduce the number of assertions and the formal run time?
Memory Depth, Width Abstraction
Introduction to Symbolic Variables
• Symbolic variables can sweep the whole range of a variable.
• No change in RTL is required.
// If valid is high, for any given memory address, the content of
// the memory matches the incoming data after 3 cycles.
bit [15:0] formalAddr;   // symbolic variable: a free address, same width as a real one
// Clocking is assumed to come from a default clocking block.
P1: assert property (vld == 1 |-> ##3 mem[formalAddr] == $past(inData, 3));
How Symbolic Variables Are Used
• All memory locations and bits are present.
• An arbitrary address formalAddr, with the same width as an actual address, is created.
• An arbitrary bit fvBit, ranging from 0 to max width of data, is created.
• Symbolic variables are free running—they can point to anywhere.
• No change in RTL is required.
• As with abstractions, only one symmetric location and one symmetric data bit are used in the formal proof.
DUT: Create Symmetry
DUT: Hold Original Widths
Symbolic Variable for Depth
Symbolic Variable for Width
After Applying Symbolic Variables
• Create helper code to determine the msb and lsb of a field in the outVector, outVector(msb, lsb).
• Benefit of symmetry: We can now reduce the first and second requirements from N down to one assertion each!
After applying symbolic constants, only three assertions are used to completely verify the 5000 lines of DUT RTL.
Sample DUT Assertion
// If there is space in the input to accommodate the full field, the field
// should be copied to the output.
// formalIndex: symbolic variable for depth (which field)
// fvBit:       symbolic variable for width (which bit of that field)
property fieldMatch;
  lsb >= 0 && dataSel[formalIndex] == 1 |->
    ##n outVector[$past(lsb, n) + fvBit] == $past(field[formalIndex][fvBit], n);
endproperty
assert_fieldMatch : assert property (fieldMatch);
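The same two-symbol pattern as a complete, bind-able checker for a small field packer, added here as an example and not code from the slides; the field widths, the one-cycle latency, and the helper names lsb_of and used_bits are assumptions:

```systemverilog
// Added example: checker for a packer with N fields of unequal width.
// One symbolic index (depth) and one symbolic bit (width) cover all fields and bits.
module packer_checker #(parameter int N = 3, parameter int W = 8) (
  input logic            clk, rst_n,
  input logic [N-1:0]    dataSel,     // which fields are enabled this cycle
  input logic [W-1:0]    field [N],   // field values, padded to W bits
  input logic [N*W-1:0]  outVector    // packed output, assumed one cycle later
);
  // Assumed widths for the N = 3 instance: 3, 8 and 5 bits.
  localparam int WIDTH [N] = '{3, 8, 5};

  // Helper code: lsb of field i is the sum of the widths of enabled lower fields.
  function automatic int lsb_of(input logic [N-1:0] sel, input int i);
    int pos = 0;
    for (int k = 0; k < i; k++) if (sel[k]) pos += WIDTH[k];
    return pos;
  endfunction
  // Total packed width, used to check the zero padding above the last field.
  function automatic int used_bits(input logic [N-1:0] sel);
    return lsb_of(sel, N);
  endfunction

  // Symbolic variables: free inputs that the formal tool sweeps over every value.
  logic [$clog2(N)-1:0]   formalIndex;  // depth: which field
  logic [$clog2(W)-1:0]   fvBit;        // width: which bit of that field
  logic [$clog2(N*W)-1:0] formalOut;    // which output bit (for the pad check)

  // The constraint the slides warn about: hold each symbol stable and in range.
  asm_idx: assume property (@(posedge clk) $stable(formalIndex) && formalIndex < N);
  asm_bit: assume property (@(posedge clk) $stable(fvBit) && fvBit < WIDTH[formalIndex]);
  asm_out: assume property (@(posedge clk) $stable(formalOut));

  // Requirement 1: an enabled field lands at its computed lsb, bit for bit.
  property fieldMatch;
    @(posedge clk) disable iff (!rst_n)
    dataSel[formalIndex] |-> ##1
      outVector[lsb_of($past(dataSel), formalIndex) + fvBit]
        == $past(field[formalIndex][fvBit]);
  endproperty
  assert_fieldMatch: assert property (fieldMatch);

  // Requirement 2: every output bit above the packed fields reads as zero.
  assert_padZero: assert property (@(posedge clk) disable iff (!rst_n)
    formalOut >= used_bits($past(dataSel)) |-> outVector[formalOut] == 1'b0);
endmodule
```

Bind the checker to the DUT with a `bind` statement; the formal tool then proves each assertion for every value of formalIndex, fvBit and formalOut in one run.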
Bugs Found with the Formal Tool
• All three assertions found bugs:
  • Output for fieldM didn't match.
  • When there is no space for someId, the lsb's were not all 0's.
  • When all N fields are on, 0's were not inserted in the rest of the lsb's.
• Formal hit a bug instantly that took a long time to find in simulation:
  • In simulation, a lot of traffic was sent.
  • There was one field (in 2N) for which the lsb's were not all 0 under this condition.
  • Formal hit this bug right away.
• Formal guarantees regular and corner-case coverage for all N fields – something impossible to achieve in simulation.
Limitations of Symbolic Variables
• Symbolic variables can be easily applied to memories and other designs with symmetry.
• For non-memory, non-symmetric designs, creating symmetry to exploit the power of symbolic variables can be challenging.
• Symbolic variables need to be properly constrained in order to achieve the desired range.
Summary
• Applying symbolic variables can dramatically increase the scalability and decrease the run time of formal analysis.
• Creating symmetry and using helper code can dramatically simplify or reduce the number of assertions required.
• Bonus: No modifications to the original RTL are required!