Cookie-cutter properties to assist non Formal experts Bin Xue

Overview Spec Implement checkers Implement RTL RUN FV checkers failed ? RTL bug? Add constraints Fix RTL Update constraints or checkers RTL designer FV engineer

Challenge of FV deployment Spec Implement FV checkers Implement RTL RUN FV checkers failed ? RTL bug? Add constraints Fix RTL Update constraints or checkers RTL designer FV engineer

Solution Spec Implement checkers Implement RTL RUN FV checkers failed ? RTL bug? Add constraints Fix RTL Update constraints or checkers RTL designer FV engineer FV lib

Agenda What is a cookie cutter set Formal deployment across multiple groups with the help of cookie cutter set Assisting designers to write internal interface assertions with examples Advantages

The Cookie Cutter Set Generic set of properties applicable to various structures in a design. Arbiters Transport FIFOs RAMs State-Machines Cache Forward Progress ….

The Cookie cutter set Reusable set of properties or libraries Can be deployed across multilple users No Formal expertise required Formal verification experts develop the golden set

Cookie Cutter FPV (Formal Property Verification) successfully deployed across designers 1. Guided designers to - write cookie-cutter assertions and - apply cookie cutter proof and bug hunting tricks 2. A sub-set of FV engineers helped with only writing input constraints 3. Parameterized down the design size 4. Designers pressed the button  proof, bug, or unknown 5. Ignored the unknowns and moved on

Assertion – Assumption categories COMBO : A signal or a combination of signals should always obey a certain relationship every cycle (assert_always/never/one_hot/zero_one_hot/implication/bi_implication) between current and previous cycle UNTIL_BEFORE : If a start_event happens then a signal or a combination of signals should assert or hold its value until end_event (assert_hold_throughout_event_interval) change its value after that start_event and before an end_event

Assertion – Assumption categories TRANSPORT : No data or control information gets illegally (assert_fv_{in/out_of/priority}_order_bus_1_to_1) dropped duplicated out of ordered stuck inside DUT forever more responded than requested or responded with garbage LATENCY : An event should happen within finite amount of time SEQUENCE: If a pre-sequence of events happen then a post-sequence of events will follow A sequence of events must never happen (assert_fv_never_sequence)

Assisting designers to write internal interface assertions Develop cookie cutter set Auto generated assertions by Jasper property synthesis tool (SPS/BPS) One hot assertions Counter over/under-flow wires, flops, and expressions stuck at 0 or 1 forever FSM stuck at a state forever Array out of bound

Cookie cutter examples Arbiter grant is zero one hot if client req then don’t de-assert req until gnt if at least 1 client req then gnt>0 gnt must be to a requesting client don’t gnt when downstream busy Fairness: if (req1 && req2 && gnt1) then !gnt1 until gnt2 max latency to get a gnt for a req

Examples Transport (in-order, priority-order, & out-of-order) max_latency checks max latency between successive responses Not all requests are required to come out in order with respect to each other. Need to properly qualify req_granted to only select those sub-set of requests that need to come out in-order. Checks that rsp to req don’t get dropped duplicated Out of order stuck for > max_latency cycles responded consecutively per ID not interleaved between IDs > max_outstanding

Examples Equivalent of "end of simulation" properties Type of structureEnd of test check needed Queues using head/tail pointersQueue is empty Queues using creditsAll credits returned Entry ID/Resource based queueAll IDs released, queue is empty FIFO/LIFO/StackFull/empty signal, pointers, etc checked CAMEmpty/released Resource limited queues (round robin pointers, first available, etc)All pointers returned to known state, all resources released, etc. Caches All ways released when cache is empty (this can also be done with a constant assert to ensure that eviction == way is available for use, then the assertion can be proved through formal). State machinesReturn to IDLE or other known state CountersReturn to 0 or max, as appropriate Valid signalsReturn to 0 (eg, pipelines are empty)

Examples Example of FV friendly assertion for end-of sim assertions: queue can hold max N transactions model a counter (transaction_cnt) to track the number of outstanding transactions in the unit if transaction_cnt==0 and it stays 0 for say 7 cycles then queue.empty==0 must happen by then If the "empty" signal does not exist in RTL design then use the queue's head/tail to compute it.

Advantages Formal expertise can be packaged for easy proliferation in a large design team Formal results and ROI can be greatly increased by broader application of formal, enabled by these reusable properties Effective in catching bugs at the block level, very early in the development cycle The cookie cutter set is that it is gradually enriched and refined over time due to: More design structure formally verified by FV engineer ( more structures to be added to the set or some set could be further classified); More knowledge about the existing structure from the bug history. The cookie cutter set is helpful for fv engineer to prioritize verification tasks in the test plan and focus on the units or functions which are more likely to have bugs; Which are not well covered by simulation;

THANK YOU!