Formal Verification Seminar Handling Inconclusive Assertions Session Jhou

Handling Inconclusive
Assertions
Verification Academy Course
Jin Hou
Verification Technologist
Agenda
 Overview of handling inconclusive assertions
 Formal complexity reduction
— Reduce assumption complexity
— Reduce assertion complexity
— Reduce design complexity
— Use Questa QFL libraries
Restricted © 2017 Mentor Graphics Corporation
2 JH, Handling Inconclusives, July, 2017

When You Have Inconclusives …
 The first step is to exhaust the easy solutions
— Increase the run time
% qverify –c –do “…; formal verify –show_active_logic –timeout 4h … “
— Run on bigger machines
— Run on one assertion at a time
– Use “netlist targets” to define one assertion as target
— Use the Multi-Core function of Questa PropCheck: formal verify -jobs N
— Use all engines to run on assertion(s): formal verify –engines all
— Use bug hunting mode (or proof mode) to run on assertion(s):
formal verify –engines bug_hunt
— Use “formal load history” to guide engine selection if the inconclusive
assertion could converge in earlier run
— Select specific engines to run on assertion(s)
– See your local Mentor VT for details

Find Where Formal Is Stuck At
 Use “–show_active_logic” with “formal verify”
— Formal_verify.rpt shows the assumptions and state bits used by each engine.
— GUI: Active Logic COI
 Questa Formal lists assumptions and signals such that the ones affecting
formal engines the most are on the top.
 Check the assumptions used
— Remove the assumptions that drag in extra
design signals than the assertion.
— Recode assumptions may help
— Add more assumptions may help
 Check the signals used
— Reducing the size of the most significant registers/
counters/memories helps more

Formal Complexity Reduction
 Reduce assumption complexity

— Under-constraining
— Over-constraining
 Reduce assertion complexity

— Property state reduction
 Reduce design complexity

— Design state reduction

Agenda

Assumption Complexity Reduction
 Under-constraining
— Remove assumptions
— Proof still valid, firing may be false
 Over-constraining
— Add/change assumptions to limit the number of input values
— firing is valid, proof may be false
— Example 1: Reduce the address range address_range: assume property (@(posedge clk)
address >= 0 && address <= 256 );
address_range: assume property (@(posedge clk)
— Example 2: Symbolic value address >= 0 && address <= 32 );
— Formal considers all constant values
Symbolic_sigA: assume property (@(posedge clk) ##1 sigA == $past(sigA));

Agenda

Assertion Complexity
 Look at assertion complexity: Assertions are compiled to
synthesizable logic
 formal_property.rpt reports the size of each assertion logic
Assert sva_atv_ex (sva)
Instance: pci_target_unit.wishbone_master.bind_a_pci_wb_master.sva_atv_ex
Location: File a_pci_wb_master.sva, line 38
Severity: error
Stats: depth=15 gates=1070 flops=185
High flop count and/or
sequentially deep assertions are
more likely to be inconclusive
 Look at the COI (Cone of Influence) of an assertion

Reduce Assertion Complexity
 Property complexity is one of the leading factors in formal
complexity, which may lead to inconclusives
 Properties should be as simple as possible with sequential depth as
short as possible
 Techniques for rewriting assertions:
— Decomposition
 Helper assertions and assumptions
— Reduce the complexity of the fan-in cone

Assertion Decomposition (1)
 AXI_ERRM_WDATA_ORDER assert_always #(ÀXI_SimError, AXI_ERRM_PropertyType,
) axi_errm_wdata_order
— Inconclusive Target (.test_expr (~WDataOrderError)
);
 WDataOrderError is assigned twice in a clocked always block

— Same property is used to capture 2 different violation signatures
— Re-written as 2 properties capturing the different signatures
— Both properties proven
assert_always #(ÀXI_SimError, AXI_ERRM_PropertyType,
) axi_errm_wdata_order_0
L3404
(.test_expr (~WDataOrderError0)
// Valid write data
if (WVALID)
// capture signature from L3404
begin : p_WriteCamWValid );
if (WCountCam[WidMatch] == 5'b0) assert_always #(ÀXI_SimError, AXI_ERRM_PropertyType,
begin ) axi_errm_wdata_order_1
for (i = 1; i <= 16; i = i+1) (.test_expr (~WDataOrderError1)
if (i < WidMatch) // capture signature from L3494
if (WCountCam[i] == 0) );
WDataOrderError0 <= 1'b1;
end
end // if (WVALID) L3494
// Valid write address
if (AWVALID)
begin
begin : p_WriteCamWdataOrder
integer i; // loop counter
for (i = 1; i <= 16; i=i+1)
begin
if (i < AidMatch) // check all earlier bursts
if (WAddrCam[i] != 1'b1) // address not yet received
WDataOrderError <= 1'b1; // trigger assertion
end
end // p_WriteCamWdataOrder
end // new write address
 Complex properties with product terms on the RHS
— decompose them into a number of simple properties
A_XYZ: assert property (

@(posedge clk) (a & b |-> x & y & z) );
A_X : assert property ( @(posedge clk) a & b |-> x );

A_Y : assert property ( @(posedge clk) a & b |-> y );
A_Z : assert property ( @(posedge clk) a & b |-> z );
 Prove the simple properties, A_X, A_Y and A_Z first

— leverage them to prove the complex one, A_XYZ
 Having a problem proving any one of the simple properties?
— It will not be possible to prove the complex one

 Decompose end-to-end properties
end-to-end Property
DUT
Sub1 Duuuddd
Sub2 Sub3
P1 P2 P3
 Proven P1 is used as assumption for P2, proven P2 is used as
assumption for P3 automatically by Questa Formal (Assume-
Guarantee)

Adding “Helper” Assumptions
 Add assumption properties to reduce the design space covered by the complex
property
A1: assert property (
@(posedge clk)
(enable && (entry < limit) |-> flow) );
U1: assume property (

@(posedge clk) (entry < 5) );
U2: assume property (
@(posedge clk) (limit < 5) );
 With the assumptions U1, U2, the LHS of the complex property is simplified
significantly

Adding “Helper” Assertions
 Add assertions to guide the formal process.
— Proven assertions are used as assumptions automatically by Questa Formal (Assume-
Guarantee) to reduce the design space
 Example:
reg [7:0] ptr_cnt;

A1: assert property (
@(posedge clk) (enable && ptr_cnt < 256 |-> flow) );
H1: assert property (

@(posedge clk) (ptr_cnt < 16) );
— User defined ptr_cnt as 8-bit, but might be much smaller

— If H1 is proven, the complexity of A1 is reduced

Assume-Guarantee
 Proven assertions are used to constrain and prove others
— Fan-in cone of proven assertions can be removed
 Work done on one assertion is re-used for another
DUT
 Questa Formal automatically uses proven assertions as

assumptions
 Adding helper assertions may help on convergence of the main
16
assertions.
JH, Handling Inconclusives, July, 2017
Non-Determinism (ND)
 ND method: Using free variables (undriven wires or extra inputs) in checker to
let formal consider cases involving all possible values of the variables at once.
— Using ND can reduce verification state
 Example: Verify data integrity for FIFO
— Start at any time t
– Represented by a free variable showtime
– Formal considers all time
— Latch the data enqueued into the FIFO to value,
and the number of elements in the FIFO to idx
— Count the number dequeues until value
enqueued at time t is dequeued
— Check if the value dequeued does match
the value enqueued
Using ND method, the checker for verifying data integrity

is simple and reduces a lot of state bits.

Agenda

Understand What Formal is Analyzing
 Active logic in formal_verify.rpt and GUI
Target: qfl bind_model_qfl_fifo.u_qfl_fifo.QFL_ASSERT.assert_no_overflow safety Engine: 10 Proof Radius: 67
Active Signals:
async_fifo_core_0.rd_addr: ####_#### (8 bits)
bind_model_qfl_fifo.ff_rden_r: # (1 bits)
async_fifo_core_0.rd_addr_gray: ####_#### (8 bits)
async_fifo_core_0.rd_addr_gray_wr_d1: ####_#### (8 bits)
async_fifo_core_0.wr_addr: ####_#### (8 bits)
…
 Can we reduce the sizes of big counters or remodel them?

 Can we set some of these registers to constant
 Can we reduce the sizes or remodel the memories?
…

Reduce Design Complexity (1)
 Avoid using integer type
— Don’t declare variables as integer type.
– By default, integers will be synthesized into 32-bit registers.
— Change them into bit with the minimum width.
 Reduce parameter sizes
— Reduce the size of storage elements and datapaths
— Minimize the size of RAMs, or multi-dimensional arrays
 Blackbox rams and FIFO memory
— Questa Formal automatically black-boxes memories deeper than 255 locations
— User may want to blackbox modules using netlist blackbox/netlist blackbox instance
 Set inputs and internal signals to constants. Typically used on
— Scan or test pins
— Other mode type pins
— Clock enables
— Data path reduction
— Internal configuration registers

 Cut complex logic in the COI. Typical structures that are cut
— Multipliers
— LFSRs DUT
— Counters
— XOR centric logic
P
X
N
LFSR
 Pick the level of hierarchy to run at F
 Counter remodeling:
— Reduce the size of the counter. Proof and firing may be true or false.
— Reset counter value to X value for Formal to consider all values for
Intial state. Proof is valid, but firing may be true/false.
— Replace the counter with a simple state machine model. Proof and firing may be
true/false.
— Questa automatic counter abstraction that is done at engine level and doesn’t cause false
proof and firing.

Counter Remodeling Example
 Replace the counter with a simple state machine model
— First identify the critical values of the counter that will trigger interesting
design actions
— Create specific states for those values
— Example: Suppose value m, n-1 and n of the counter are critical. We can
replace the counter with the following state machine.

 Memory remodeling
— Reduce the size of memory by reducing its depth and width
— Keep the addresses that influence the property, abstract the rest as free
inputs. Proof is valid, firing may be false
— Use cache of N entries to recover the last N writes, abstract the rest to free
inputs. Proof is valid and firing may be false.
— Use lookup table (case statement) for ROM. There is no state involved to
add formal complexity. Proof and firing are valid.
— Questa formal automatically abstracts memories larger than 255 locations.
Proof is valid and firing may be false.

Memory Remodeling Example
module ext_sram (input HCLK, input HRESETn, output reg [31:0] HRDATAM, input [31:0] HADDRM, input HWRITEM, input HREADYM);
wire [31:0] read_data_mux; wire base_true; wire [23:0] addr; Memories that contain:
reg HWRITEM_r; Lookup Tables
always @(posedge HCLK) ROMs
if (!HRESETn)
HWRITEM_r <= 1'b0; Linked Lists
else
HWRITEM_r <= HWRITEM; Where the user will only read them
assign base_true = (HREADYM && !HWRITEM && HADDRM[31:24] == 8'h06) ? 1'b1 : 1'b0;
Can be modeled with a large case statement
assign addr = {1'b0,HADDRM[23:1]}; Note: There is no state involved to
add formal complexity
reg [31:0] sram_data;
always @(addr)
case (addr)
ìnclude “./zin_files/ext_lut_0008.dat"
24'h200000: sram_data <= 32'h284c_2f73 ;
ìnclude “./zin_files/ext_lut_0010.dat"
24'h200002: sram_data <= 32'he55a_25fc ;
ìnclude “./zin_files/ext_lut_0018.dat" 24'h200004: sram_data <= 32'hd75d_ba1c ;
ìnclude “./zin_files/ext_lut_0020.dat" 24'h200006: sram_data <= 32'h64a0_ad14 ;
24'h200008: sram_data <= 32'h33e3_31c1 ;
default: sram_data <= 32'h00000000; 24'h20000A: sram_data <= 32'hd5c6_435e ;
endcase
….
24'h202682: sram_data <= 32'h2a8c_a5aa ;
assign read_data_mux = !HWRITEM ? sram_data : 32'h00000000;
24'h202684: sram_data <= 32'h75f5_b99f ;
always @(posedge HCLK)
if (!HRESETn) 24'h202696: sram_data <= 32'hf0eb_f161 ;
HRDATAM <= 32'h00000000; 24'h202698: sram_data <= 32'h7b58_0d0a ;
else
HRDATAM <= read_data_mux;
endmodule

 Extract logic out of the DUT to test separately
— Too complex to do within normal DUT
— Example: The end-to-end property cannot converge for the DUT of ECC logic
DUT Inject Error
Encoder d
FIFO Decoder
End-to-end property
— Create a wrapper to only include Encoder and Decoder to verify ECC logic
Wrapper Inject Error
Encoder Decoder
End-to-end property
— Test FIFO separately from Encoder and Decoder

 Date independence (DI)
— The property of a system does not depend on the specific values of the
datapath
— Reduce the width of the datapath
 Example: Verify data integrity for FIFO
— Reduce the FIFO to 1 bit width
— Generator: outputs 0’s; at a random point two consecutive 1’s; then 0’s
again
— Monitor checks for exactly two consecutive “1” bits (not one, not three)
rand
Generator Monitor
FIFO
F
0*0110*0 0*0110*0
— Use QFL libs for data integrity check

Bug Hunting
 Start from non-reset state to find firing
 Use simulation dump file to start deeper into DUT to find firing
 Goal Posting Methodology
— Using a sub-goal as trajectory sequence, Questa PropCheck is used to find
the counterexample to the next sub-goal or the final error
— Questa Propcheck automatically targets counters, property antecedents

and other special design behaviors as subgoals.
— The user can also add assistant cover property to guide the tool.

Agenda

Use Questa QFL Libraries
 Questa QFL Libraries are formal friendly
— Built for formal so makes use of ND and DI internally
— Increase formal performance
 QFL checker libraries
— General FIFO Checkers
— Memory Mapped Register Checkers
— QFL AMBA libraries

Summary
 In this session we discussed how to handle inconclusive assertions:
— How to find where Formal is stuck at
— What are the easy solutions
— How to reduce assumption complexity
— How to reduce assertion complexity
— How to reduce design complexity
— Use formal friendly QFL libraries

Q&A

www.mentor.com

Formal Verification Seminar Handling Inconclusive Assertions Session Jhou

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Formal Verification Seminar Handling Inconclusive Assertions Session Jhou

Încărcat de

Drepturi de autor:

Formate disponibile

Handling Inconclusive

Restricted © 2017 Mentor Graphics Corporation

2 JH, Handling Inconclusives, July, 2017

3 JH, Handling Inconclusives, July, 2017

Restricted © 2017 Mentor Graphics Corporation

4 JH, Handling Inconclusives, July, 2017

 Reduce assumption complexity

 Reduce assertion complexity

 Reduce design complexity

Restricted © 2017 Mentor Graphics Corporation

5 JH, Handling Inconclusives, July, 2017

Restricted © 2017 Mentor Graphics Corporation

6 JH, Handling Inconclusives, July, 2017

Symbolic_sigA: assume property (@(posedge clk) ##1 sigA == $past(sigA));

Restricted © 2017 Mentor Graphics Corporation

7 JH, Handling Inconclusives, July, 2017

Restricted © 2017 Mentor Graphics Corporation

8 JH, Handling Inconclusives, July, 2017

 Look at the COI (Cone of Influence) of an assertion

Restricted © 2017 Mentor Graphics Corporation

9 JH, Handling Inconclusives, July, 2017

Restricted © 2017 Mentor Graphics Corporation

10 JH, Handling Inconclusives, July, 2017

 WDataOrderError is assigned twice in a clocked always block

A_XYZ: assert property (

A_X : assert property ( @(posedge clk) a & b |-> x );

 Prove the simple properties, A_X, A_Y and A_Z first

Restricted © 2017 Mentor Graphics Corporation

12 JH, Handling Inconclusives, July, 2017

13 JH, Handling Inconclusives, July, 2017

U1: assume property (

Restricted © 2017 Mentor Graphics Corporation

14 JH, Handling Inconclusives, July, 2017

reg [7:0] ptr_cnt;

H1: assert property (

— User defined ptr_cnt as 8-bit, but might be much smaller

Restricted © 2017 Mentor Graphics Corporation

15 JH, Handling Inconclusives, July, 2017

 Questa Formal automatically uses proven assertions as

Using ND method, the checker for verifying data integrity

17 JH, Handling Inconclusives, July, 2017

Restricted © 2017 Mentor Graphics Corporation

18 JH, Handling Inconclusives, July, 2017

 Can we reduce the sizes of big counters or remodel them?

Restricted © 2017 Mentor Graphics Corporation

19 JH, Handling Inconclusives, July, 2017

20 JH, Handling Inconclusives, July, 2017

Restricted © 2017 Mentor Graphics Corporation

21 JH, Handling Inconclusives, July, 2017

Restricted © 2017 Mentor Graphics Corporation

22 JH, Handling Inconclusives, July, 2017

Restricted © 2017 Mentor Graphics Corporation

23 JH, Handling Inconclusives, July, 2017

Restricted © 2017 Mentor Graphics Corporation

24 JH, Handling Inconclusives, July, 2017

— Test FIFO separately from Encoder and Decoder

Restricted © 2017 Mentor Graphics Corporation

25 JH, Handling Inconclusives, July, 2017

26 JH, Handling Inconclusives, July, 2017

— Questa Propcheck automatically targets counters, property antecedents

27 JH, Handling Inconclusives, July, 2017

Restricted © 2017 Mentor Graphics Corporation

28 JH, Handling Inconclusives, July, 2017

Restricted © 2017 Mentor Graphics Corporation