Automated Method Eliminates X Bugs in RTL and Gates

Kai-hui Chang, Yen-ting Liu and Chris Browy

Abstract

Due to physical design resource planning and low power requirements, registers may be left uninitialized, creating Xs (unknowns) in the design. However, logic simulation cannot handle Xs accurately due to X-optimism and X-pessimism problems, masking such X bugs in simulation-based verification flows. In this work we propose a comprehensive methodology and several innovative techniques that can identify unforeseen X problems at the RTL and remove false Xs popping up in gate-level simulation. The methodology is currently in production use and has helped resolve X issues for dozens of chips. By finding X bugs prior to tape out, expensive respins caused by masked Xs can be avoided.

Cause and Effect of Xs in Designs

X is used to represent an unknown value in logic simulation
  – The value can be either 0 or 1
Common causes of X
  – Inputs, registers, or memory not initialized and X corruption on power down cycle
Dangers of X
  – Xs may cause nondeterministic operation
Simulator problems with X
  – X semantics are inaccurate (optimism, pessimism)
  – Leads to RTL vs gate-level simulation mismatch
  – X problems are either masked or there are too many false alarms
Unless fully examined, Xs may exist after tape out, causing expensive respins from designs that don't work

X-Optimism and X-Pessimism in Logic Simulation

X-optimism
  – 0/1 value propagated instead of X
  – Interpretation of X causes only one conditional branch to be considered
Example of X-optimism

    always @(*)
      if (sel) reg1 = 0;
      else     reg1 = 1;

[Figure: if branch and else branch outcomes (1'b0, 1'b1, 1'bx) in hardware vs. simulation, showing a simulation mismatch]

X-pessimism
  – Xs are propagated even though 0/1 value is known
  – Ambiguous results lead to more X-assignments than are necessary
Example of X-pessimism

    Output = ( a & b ) | ( ~a & c );

[Figure: signal values for the expression with 0/1 inputs and with an X input, showing a simulation mismatch]

Existing Solutions and Limitations
Techniques to find Xs at the RTL
  – VCS and VRQ Xprop generate Xs for X-optimism
      May create too many false alarms
  – Formal tools can identify real Xs
      Scalability is an issue and writing constraints can be difficult
Techniques to eliminate Xs at the gate level
  – Random deposit replaces Xs with 0/1 values
      May mask bugs
  – Structural analysis using Perl/C scripts
      May miss false Xs not in the template
  – Replace an X with 0/1 and run simulations
      Requires lots of simulation
Need a better comprehensive methodology to handle Xs!

Finding X Bugs in RTL

[Flow diagram, elements in order:]
  – Start
  – RTL model with X bugs masked by X-optimism
  – X-Prescreener (Optional) selects tests from testsuite for X analysis
  – XOPT Formal detects X bugs in reg-reg, reg-output paths
  – XOPT Sim (Optional) heuristically exposes X problems by biasing execution paths
  – RTL model with X bugs exposed, sequential X paths trace back to X source
  – Fix RTL
  – No X bugs found in RTL
  – Logic synthesis

RTL fragment shown in the diagram:

    module foo(a, b, c, o1, o2, o3);
      input a, b, c;
      output o1, o2, o3;
      reg o2, o3;
      assign o1 = a & b;
      always @(a, b, c)
        o2 = a | c;
      …

Finding X Bugs in Gates

[Flow diagram, elements in order:]
  – Start
  – Gate-level netlist with X bugs hidden among false Xs
  – Safe Deposit Analysis (Optional) formally identifies non-controlling Xs to reduce false Xs
  – SimXACT formally removes all combinational false Xs
  – Gate-level netlist with false Xs removed and X bugs exposed
  – Fix RTL
  – Gate-level netlist with false Xs removed and no X bugs exposed
  – Done

Case Study: Network Processor

X-Verification | Level | Setup | Results
XOPT Formal | RTL | Auto-partitioned functional unit into 6 blocks; ~300K flops total; ~6 hours runtime | Found 11 X bugs that required RTL change and no false alarms
Safe Deposit | Gates | Analyzed 1 block; ~4K DFFs/latches; ~1 min runtime | ~1K safely deposited, eliminating ¼ X source DFFs
SimXACT | Gates | Ran 10+ functional units separately; ~5M DFFs/latches total; ~2 hours runtime/unit analyzed | A few thousand false Xs fixed (force/deposit), including a few hundred gated-clock X-pessimism

X bugs would be missed if random deposit were used

X-Prescreener (New Innovation)

Figures out which tests may expose X problems and should run through X analysis
  – Running X analysis takes time and effort
X-Prescreener is a simulator add-on that monitors X activities when running tests
  – It collects X activities and aggregates similar X conditions encountered in different tests
  – Then automatically selects a subset to cover all the X conditions
X-Prescreener provides engineers valuable information on which tests should be used for X analysis

Finding X Bugs at the RTL and Gate Level

RTL XOPT Formal
  – Uses symbolic simulation to formally prove whether Xs will cause reg-reg, reg-output non-determinism for real traces [DAC'09]
  – Spatial and temporal partitioning improves scalability [DATE'10]
  – Analysis based on the principle of most astonishment to reduce formal effort [IEEE D&T'11]
RTL XOPT Sim
  – Heuristically deposits non-X values to replace Xs when they are encountered at if/case conditions in logic simulation
  – Deposit values are derived from formal analysis to bias logic simulation toward exploring new execution paths and expose X bugs
Gate level: Safe Deposit Analysis and SimXACT
  – Gate-level simulation can detect X bugs but the bugs are hidden among false Xs; our solution eliminates false Xs to expose real bugs

Safe Deposit Analysis (New Innovation)

Safe deposit analysis identifies non-controlling Xs
  – Those Xs will be eliminated by the reset sequence and can be replaced with 0/1 without masking any bug
  – Fewer Xs will generate fewer false Xs, thus reducing analysis effort
Example
  – The X symbol "x1" from Reg1 is non-controlling (masked by downstream logic) and can be safely replaced with 0/1

[Figure: circuit with Reg1 (x1), Reg2, Reg3, Reg4 and Output1, where (x1&0) | x2 = x2]

SimXACT Analysis [DAC'12, US Patent 8402405]

SimXACT analysis generates auxiliary behavior code to fix combinational false Xs

[Figure: gate-level circuit with inputs a, b, c and reset, gates OR (g1), OR (g2), INV (g3), AND (g4), AND (g5), NOR (g6), AND (g7), INV (g8) and registers reg1, reg2, annotated with simulated 0/1/x values]

    always @(g1.o or g8.o or g2.o)
      if (g8.o === 1'bx && g1.o === 1'b1 && g2.o === 1'b1)
        force g6.o = 1'b0;
      else
        release g6.o;

False Xs will be eliminated by the "fix", allowing gate-level simulation to produce correct results

Gated-clock False X Fix (New Innovation)

False Xs may be generated due to gated clocks
The X at wire "o" is false
  – If X is treated as 0, "ena" is 0, 0→x will not occur, "r1" stays at 0
  – If X is treated as 1, "ena" is 1, "reg1" will latch the 0 at "r1"
  – o should be 0 either way, but logic simulation produces a false X
We formally analyze gated-clock structure for false Xs and generate fixes

[Figure: gated-clock circuit with reg1, reg2, r1, r2, an AND gate, ena, icg, clk and output o]

Fix example:

    always @(posedge dut.clk)
      if (dut.reg1.q === 1'bx && dut.r1 == 1'b0 && dut.reg2.q == 1'b1)
        $deposit(dut.reg1.q, 0);

Conclusions

We proposed a comprehensive methodology and several innovative techniques to find X problems before tape out
  – X-Prescreener selects a required set of tests to analyze
  – XOPT Formal formally verifies the design to find X bugs
  – XOPT Sim heuristically directs logic simulation toward exposing X bugs
  – Safe Deposit Analysis eliminates non-controlling Xs discovered during reset in gate-level simulation
  – SimXACT eliminates all false Xs in gate-level simulation, exposing real X problems
The proposed methodology is in commercial production use and has helped resolve X issues in dozens of chips
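
The X-optimism and X-pessimism examples from the slides, together with the (x1&0) | x2 masking case, checked in a small three-valued simulator against exhaustive 0/1 enumeration of the X inputs. This is an added Python illustration, not code from the authors or their tools; all function names are hypothetical, and `non_controlling` is a purely combinational simplification of the safe-deposit idea (the slides describe it over the reset sequence).

```python
from itertools import product

X = "x"  # unknown value, like Verilog 1'bx
# Three-valued gate semantics as used by a logic simulator.
def v_not(a):
    return X if a == X else 1 - a

def v_and(a, b):
    if a == 0 or b == 0:
        return 0
    return X if X in (a, b) else 1

def v_or(a, b):
    if a == 1 or b == 1:
        return 1
    return X if X in (a, b) else 0

def mux_gates(a, b, c):   # slide expression: (a & b) | (~a & c)
    return v_or(v_and(a, b), v_and(v_not(a), c))

def rtl_if(sel, then_val, else_val):   # simulator: an X condition takes else
    return then_val if sel == 1 else else_val

def concretize(inputs):
    """Yield every 0/1 assignment of the X positions in inputs."""
    xs = [i for i, v in enumerate(inputs) if v == X]
    for bits in product((0, 1), repeat=len(xs)):
        vals = list(inputs)
        for i, bit in zip(xs, bits):
            vals[i] = bit
        yield vals

def exact(fn, *inputs):
    """Hardware view: one 0/1 value if all assignments agree, else X."""
    seen = {fn(*vals) for vals in concretize(inputs)}
    return seen.pop() if len(seen) == 1 else X

def classify(fn, *inputs):
    sim, ref = fn(*inputs), exact(fn, *inputs)
    if sim == ref:
        return "match"
    return "x-pessimism (false X)" if sim == X else "x-optimism (masked X)"

def non_controlling(fn, idx, *inputs):
    """True if flipping the X at position idx never changes the output."""
    def flip(vals, bit):
        return fn(*vals[:idx], bit, *vals[idx + 1:])
    return all(flip(v, 0) == flip(v, 1) for v in concretize(inputs))
```

Enumeration is exponential in the number of X inputs, so this only works as a check on small cones of logic.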