Viresh Paruthi, IBM Systems and Technology Group, Austin TX, USA
23 October 2010
Large-Scale Formal Application:
From Fact to Fiction
© 2010 IBM Corporation
IBM Systems and Technology Group
A Quick Trip down Memory Lane…

Early Times (2000):
  – Applied to small logics (~100s of registers)
  – Manual intensive w/ dedicated resources
  – Required setting up of complex drivers

Middle Ages (2002–2006):
  – Advent of SFV, SEC, Parallel
  – Larger logics verified; higher coverage
  – Same “look and feel” as simulation
  – SEC key to many newer methodologies

Modern Era (2010):
  – Large scale FV application
  – Integrated approach / DLV
  – Out-of-the-box methodologies
  – High speed, capacity toolsets

The Future…:
  – Avoid duplicate work
  – Reusable methodologies / IP
  – Automation, automation…
  – Stay tuned!

SFV: Semi-formal verification
SEC: Sequential Equivalence Checking
DLV: Designer-level Verification
Outline
• Topics
• Context: High-end Server Microprocessors and Systems
• Formal Verification Methodology
  – Verification Technology / Progression
  – Integrated Approach
  – Sequential Equivalence Checking
• Results
• Future Directions

(Figure: Venn diagram – Verification as the overlap of Formal, Simulation and H/W Acceleration)

V. Paruthi, “Large-scale Application of Formal Verification – From Fiction to Fact,” FMCAD 2010
Topics
Formal methods have matured over the years with myriad applications. In this talk...
• What we will cover
  – Deployment of Functional Formal Verification (FFV) on a large scale
    • Experiences from leveraging the technology extensively on high-end systems
  – Application of Sequential Equivalence Checking (SEC) in an industrial setting
    • New frontier enabling improved productivity and new methodologies
• What we will not cover
  – Advances in formal technology to enable large-scale formal application
    • Significant improvements to speed and capacity of FV tools over the years
  – Combinational equivalence checking
    • Mainstay of the industry to verify equivalence of transistor- and gate-level to RTL
IBM POWER Processors

(Figure: POWER processor roadmap, 1990–2010 – POWER1 (AMERICA’s), RSC, POWER2 / P2SC, 601, 603, 604e, POWER3 (630), RS64I Apache, RS64II North Star, RS64III Pulsar, RS64IV Sstar, Cobra A10 (64 bit), Muskie A35, POWER4 (Dual Core), POWER5 (SMT), POWER6 (Ultra High Frequency), POWER7 (Multi-core), Next Gen.; process technology from 1.0um BiCMOS through .72um, .6um, .5um, .35um, .25um, .22um, .18um, 180nm, 130nm, 65nm down to 45nm)

Major POWER® Innovation
  – 1990 RISC Architecture
  – 1994 SMP
  – 1995 Out of Order Execution
  – 1996 64 Bit Enterprise Architecture
  – 1997 Hardware Multi-Threading
  – 2001 Dual Core Processors
  – 2001 Large System Scaling
  – 2001 Shared Caches
  – 2003 On Chip Memory Control
  – 2003 SMT
  – 2006 Ultra High Frequency
  – 2006 Dual Scope Coherence Mgmt
  – 2006 Decimal Float/VSX
  – 2006 Processor Recovery/Sparing
  – 2009 Balanced Multi-core Processor
  – 2009 On Chip EDRAM

* Dates represent approximate processor power-on dates, not system availability
The POWER7 Processor Chip
• Size: 567mm2
• Technology: 45nm lithography, Cu, SOI, eDRAM
• 1.2B transistors
  – Equivalent function of 2.7B
  – eDRAM efficiency
• Eight processor cores
  – 12 execution units per core
  – 4 Way SMT per core
  – 32 Threads per chip
  – 256KB L2 per core
  – Advanced Pre-fetching (Data and Instruction)
  – Binary Compatibility with POWER6
• 32MB on chip eDRAM shared L3
• Dual DDR3 Memory Controllers
  – 100GB/s sustained memory bandwidth per chip
• Scalability up to 32 Sockets
  – 360GB/s SMP bandwidth/chip
  – 20,000 coherent operations in flight

* Statements regarding SMP servers do not imply that IBM will introduce a system with this capability.
POWER7: Core
• Execution Units
  – 2 Fixed point units
  – 2 Load store units
  – 4 Double precision floating point
  – 1 Vector unit
  – 1 Branch
  – 1 Condition register
  – 1 Decimal floating point unit
  – 6 Wide dispatch / 8 Wide Issue
• Recovery Function Distributed
• 1, 2, 4 Way SMT Support
• Out of Order Execution
• 32KB I-Cache
• 32KB D-Cache
• 256KB L2
  – Tightly coupled to core

(Figure: core floorplan showing IFU, ISU, FXU, LSU, FPU, VSX, DFU, CRU/BRU and the 256KB L2)
POWER7: Flexibility and Adaptability
• Cores:
  – 8, 6, and 4-core offerings with up to 32MB of L3 Cache
  – Dynamically turn cores on and off, reallocating energy
  – Dynamically vary individual core frequencies, reallocating energy
  – Dynamically enable and disable up to 4 threads per core
• Memory Subsystem:
  – Full 8 channel or reduced 4 channel configurations
• System Topologies:
  – Standard, half-width, and double-width SMP busses supported
• Multiple System Packages

  Package                   | Target systems         | Memory controllers and links
  Single Chip Organic       | 2/4s Blades and Racks  | 1 Memory Controller; 3 4B local links
  Single Chip Glass Ceramic | High-End and Mid-Range | 2 Memory Controllers; 3 8B local links; 2 8B remote links
  Quad-chip MCM             | Compute Intensive      | 8 Memory Controllers; 3 16B local links (on MCM)
POWER7: Reliability and Availability

(Figure: chip and system RAS features, annotated as follows)
• Dynamic Oscillator Failover (OSC0 / OSC1)
• Fabric Interface – Fabric Bus Interface to other Chips and Nodes
  – ECC protected
  – Node hot add / repair
• Core Recovery
  – Leverage speculative execution resources to enable recovery
  – Error detected in GPRs, FPRs, VSR; flushed and retried
  – Stacked latches to improve SER
• Alternate Processor Recovery
  – Partition isolation for core checkstops
• L3 eDRAM, memory buffers (BUF) and X8 DIMMs
  – 64 Byte ECC on Memory
  – Corrects full chip kill on X8 DIMMs
  – Spare X8 devices implemented
  – Dual memory chip failures do not cause outage
  – Selective memory mirror capability to recover partition from DIMM failures
  – HW assisted scrubbing
  – SUE handling
  – Dynamic sparing on channel interface
  – PowerVM Hypervisor protected from full DIMM failures
• IO Hub
  – ECC protected
  – SUE handling
  – Line delete
  – Spare rows and columns
• GX IO Bus / PCI Bridge
  – ECC protected
  – Hot add
• InfiniBand® Interface
  – Redundant paths
• PCI Adapter
Verification Technology

(Figure: verification tool flow)
• Inputs: RTL (VHDL, Verilog); Driver/Checker Assertions (PSL et al.)
• Language Compile / Model Build → Cycle-Based Model
• Stimulus: Test Program Generator (GPro, X-Gen); C++ Testbench; Constraint Random Testbench
• Engines consuming the model: (Semi-) Formal Verification (SixthSense, RuleBase); Software Simulator (MESA); Hardware Accelerator (Awan); Hardware Emulator
• Physical VLSI Design Tools / Custom Design, tied back to the RTL through a Boolean Equivalence Check (Verity)
Formal Verification at IBM
• Vision: Bring FV to the masses
  – Common infrastructure → Trivial learning curve, resource savings
  – Shared / reusable verification IP → High ROI, tight integration
  – High scalability → Improved productivity
  – Amortize development cost → Higher value proposition
• Synergistic application alongside other verification disciplines
  – Focused on the same problems
Formal Verification Technology
• Scalable Transformation-based Formal and Semi-formal Verification
  – Synergistic logic simplifications → Exponential verification speedup
  – Use symbolic exploration incompletely, to expose corner-case bugs
  – Seamlessly integrated with existing verification framework
    • No new languages; specs reused across FV + simulation + acceleration
Verification Progression

(Figure: verification hierarchy from Block Level up through Unit, Element, Chip, System, VBU and VPO Level; Formal Verification at block and unit level, Software Simulation up to chip level, Hardware Acceleration at chip and system level, Hardware Emulation at VBU/VPO level; Hardware Verification at the lower levels, Hardware / Firmware Verification at the top)

VBU = Virtual Bring-Up (chip)
VPO = Virtual Power-On (system)
Verification Progression (1)
• Block Level
  – Targeted “deep dive” driven by knowledge of the micro-architecture
    • Symmetric Multi-Threading, Aggressive out-of-order execution…
  – Formal/Semi-formal verification leveraged heavily at this level
    • Work closely with designer – documentation may be lacking
  – Small size → proofs; Controllability → corner cases

(Figure: block-level testbench – Driver → Design-Under-Test (VHDL entity / architecture) → Checker)
POWER7 Core Block Diagram

(Figure: core pipeline. Front end: Instruction Cache (32KB, 4-way), Predecode, Instruction Translation, Instruction Fetch Buffer, Branch Prediction (Branch History Table, Count Cache, Return stack), Branch Information Queue; eight instructions fetched, Instruction Decode, six instructions dispatched, Global Completion Table. Issue: Branch Issue Queue → Branch Execution Unit; Condition Register Issue Queue → CR Execution Unit; Unified Issue Queue (VSX / FP / DFP / VMX / FX / LSU) → two Dual FP VSX Execution Units, two FX Execution Units, two LS / FX Execution Units, VMX Permute and VMX Compute Execution Units, DFU Decimal Execution Unit. Memory: Load Reorder Queue, Store Reorder Queue, Store Data Queue, Data Translation with a 32-entry Segment Lookaside Buffer (SLB), a 512-entry Translation Lookaside Buffer (TLB) and second level translation, Data Cache (32KB, 8-way; 16B per load, 16B store data, 32B cache sector), Advanced Data Prefetch Engine, Load Miss Queue to the 256KB, 8-way L2 Cache (outside the core) and the memory subsystem.)
Verification Progression (2)
• Functional Units
  – Biased random tests directly against unit interface
    • Transaction-, Instruction-based
  – Formal/Semi-Formal verification applied selectively at this level
    • Well-documented / simpler interfaces, reusable drivers / checkers
    • Reference model-based end-to-end check
    • Fixed- / Floating-point Unit, Memory Controller…

(Figure: IEEE Floating Point Spec → FLAVOR (Unit Level) → Floating Point Unit (FPU); Full Proof (dataflow) at Block Level)
FLAVOR: FLoAting-point Verif EnviORment
FPU Datapath Verification
• Checks numerical correctness of FPU datapath
  – E.g., Fused-multiply-add (FMA) instruction: A*B + C
• A “driver” issues an instruction into real, reference FPUs
  – Restricted to a single instruction issued in an empty FPU
• A “checker” compares the results of the two FPUs for equality
• Provides complete datapath coverage
  – Remaining verification resources may focus on other aspects

(Figure: Operands → Reference FPU and Real FPU → equality check)

C. Jacobi, K. Weber, V. Paruthi, and J. Baumgartner, “Automatic formal verification of fused multiply-add FPUs,” DATE 2005
Verification Progression (3 & 4)
• Element and Chip Level
  – Transactions, pre-generated test programs (out-of-memory)
  – (Semi-) formal verif used to verify multi-unit/core interactions, architectural aspects…
    • Reuse RTL models with suitably abstracting blocks/units with behaviorals
    • Multi-unit models with “heavy black-boxing”
    • Hangs, stalls, bus protocols, arbitration…

(Figure: hierarchy from Block Level and Unit Level (Unit1–Unit4) through Element Level (Core, Nest, Perv, Chiplet) to Chip Level)
Arbitration / Deadlock Verification

(Figure: a Random number generator feeds r0(t), r1(t), r2(t) to Arbiter 0, Arbiter 1 and Arbiter 2, each arbitrating among requesters 0 … 15)

• LFSR-based (random-priority) arbiters are used extensively
  – Large programmable configurations manifest as tough bugs
  – Liveness insufficient; request-to-grant bound is a crucial performance aspect
• Developed reusable method to quantify fairness properties [1]
  – Decouple fairness and arbitration logic and check each independently
• Evolved a generalized bug hunting technique [2]
  – Property strengthening to infer underapproximate abstractions

1. K. Kailas, V. Paruthi, B. Monwai, “Formal Verification of Correctness and Performance of Random Priority-based Arbiters,” FMCAD 2009
2. G. Auerbach, F. Copty, V. Paruthi, “Formal Verification of Arbiters using Property Strengthening and Underapproximations,” FMCAD 2010
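To make the request-to-grant bound and the decoupled fairness check concrete, here is an added example (not IBM's code, nor a SixthSense model): a 4-requester rotating-priority arbiter whose priority pointer comes from a 3-bit LFSR. The LFSR's fairness (its period) is checked on its own, and the worst-case request-to-grant latency of the arbitration logic is computed by exhaustive exploration, once with the real LFSR plugged in and once with the priority treated as a free input. The arbiter structure, LFSR polynomial and requester count are constructed assumptions.

```python
"""Arbiter request-to-grant bound, checked with fairness and arbitration decoupled.

Constructed example: a 4-requester rotating-priority arbiter whose priority
pointer comes from a 3-bit LFSR (x^3 + x^2 + 1). The fairness property of the
random source and the bound of the arbitration logic are checked separately,
then combined by plugging the LFSR into the latency exploration.
"""
from collections import deque

N_REQ = 4          # requesters 0..3
LFSR_BITS = 3


def lfsr_next(s):
    """Fibonacci LFSR step for x^3 + x^2 + 1 (taps at bits 2 and 1)."""
    new_bit = ((s >> 2) ^ (s >> 1)) & 1
    return ((s << 1) | new_bit) & ((1 << LFSR_BITS) - 1)


def lfsr_period(seed=1):
    """Fairness check on the random source alone: cycle length from `seed`."""
    s, n = lfsr_next(seed), 1
    while s != seed:
        s, n = lfsr_next(s), n + 1
    return n


def pointer_of(s):
    """Priority pointer derived from the random-source state."""
    return s % N_REQ


def grant(requests, pointer):
    """Rotating priority: first requesting index starting at `pointer`, or None."""
    for k in range(N_REQ):
        i = (pointer + k) % N_REQ
        if requests[i]:
            return i
    return None


def worst_case_latency(prio_init, prio_next, cap):
    """Max cycles requester 0 waits (request cycle through grant cycle, inclusive)
    while requesting continuously, over every priority-source start state in
    `prio_init`, every successor allowed by `prio_next`, and every behaviour of
    the other requesters. Returns None if some path exceeds `cap` cycles, i.e.
    starvation is not ruled out within that bound."""
    others = [tuple((m >> b) & 1 for b in range(N_REQ - 1))
              for m in range(2 ** (N_REQ - 1))]
    start = [(p, 0) for p in prio_init]          # (priority state, cycles waited)
    seen, queue, worst = set(start), deque(start), 0
    while queue:
        p, waited = queue.popleft()
        for sub in others:
            requests = (1,) + sub                 # requester 0 always asserts
            if grant(requests, pointer_of(p)) == 0:
                worst = max(worst, waited + 1)
                continue                          # granted: a new request restarts from a start state
            if waited + 1 > cap:
                return None
            for q in prio_next(p):
                nxt = (q, waited + 1)
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return worst


LFSR_STATES = range(1, 1 << LFSR_BITS)            # the all-zero LFSR state is never used


def bound_with_lfsr(cap=50):
    """Arbitration logic + real LFSR: the request-to-grant bound."""
    return worst_case_latency(LFSR_STATES, lambda s: [lfsr_next(s)], cap)


def bound_with_free_priority(cap=50):
    """Arbitration logic alone, priority as a free input: no bound exists."""
    return worst_case_latency(range(N_REQ), lambda p: list(range(N_REQ)), cap)
```

With the LFSR the pointer visits 0 once per period of 7, so requester 0 is granted within 7 cycles; with an unconstrained priority input the exploration exceeds any cap, which is why the bound must be argued from the fairness of the random source and not from the arbitration logic alone.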
Verification Progression (5)
• System Level
  – Pre-generated test-programs
    • Multiprocessor models/tests
    • I/O chips interactions, asynchronous aspects
  – Formal methods applied to study chip interactions
    • Dedicated models, high level analysis…
    • Traffic flow, asynchronous interfaces, timing protection windows, deadlocks…

(Figure: hierarchy from Block, Unit, Element and Chip Level up to System Level, shown as a multi-node system of P7 chips)
Protocol Analysis

(Figure: bus protocol roles – (A) issues command, (B) snoops command, (C) observer; and a circular wait among M1, M2 and M3, each waiting for the next)

• Standard approaches ineffective for verification of system-level aspects
• Automated protection time window calculation for bus protocol
  – Enumerate chip interactions via geometry and routing constraints
• High-level (mathematical) analysis of potential deadlocks
  – Analyzed message routing, arbitration deadlocks
• High-level protocol modeling and model checking [1]
  – Murphi model of on-chip interconnect protocol

1. X. Chen, S. German, and G. Gopalakrishnan, “Transaction based modeling and verification of hardware protocols,” FMCAD 2007
Verification Progression (6 & 7)
• VBU (virtual bring-up) Level
  – On-the-fly generated test-programs (H/W exercisers)
  – Bootstrap model from undefined initial state
    • POR, RAS verification
• VPO (virtual power-on) Level
  – Initial Firmware Loading
    • Hardware/firmware interaction verified

(Figure: hierarchy from Block Level up to VBU Level and VPO Level)
Pervasive Logic Verification
• Logic to provide reliability, availability, and serviceability (RAS) features
  – Intertwined with the mainline function
  – Spans block, unit, element, chip boundaries
  – Tough to verify – large design slices, sequentially deep logic, etc.
  – Scan, BIST, trace and debug, power-on-reset, power management…
• FFV has demonstrated strength to verify pervasive logic
  – Applied extensively at various levels of the hierarchy
  – Expose the logic of interest and delete irrelevant logic

(Figure: an External Time Source (ETS) feeding an External Time Reference (ETR), attached through an ETR Attachment Facility (EAF) on each of Node1, Node2 and Node3, each holding several CPUs)
ETR: External Time Reference
ETS: External Time Source
EAF: ETR Attachment Facility

T. Gloekler et al., “Enabling large-scale pervasive logic verification through multi-algorithmic formal reasoning,” FMCAD 2006.
Quality Refinement Process
Because controllability and state coverage are higher, and the cost of a bug is lower, at lower levels:
• Every major bug find at a higher level is treated as an escape of the lower level
• Lower level team gets feedback to reproduce problems
  – Harden lower level environments
  – Reproduce with targeted block-level checkers
    • Proof with (semi-) formal verif environments

(Figure: hierarchy from Block Level up to VPO Level, with escapes fed back down the levels)
Integrated Approach: Design
• Assertion-based Verification (ABV) / Designer-level Verification (DLV)
  – Require designers to capture assumptions as verif objects (checkers)
    • Accelerated debug, faster IP integration, documentation…
  – …and perform basic verification leveraging those
    • High ROI: Improved productivity / cost / schedule, efficient use of resources
  – Reuse events (checkers, coverage)
    • Proof design events with FV
    • FV events / assumptions cross-checked

(Figure: a MUX with inputs i1 … in, selects s1 … sn and output o, annotated with a One-hot assumption on the selects)

(Figure: the verification stack – Vhdl plus Assertions enables Integrated Checking (Assertion-Based Verification); adding a Simple Driver enables Designer-Level Verification; a Complete Driver enables Stimulus for Block-Level Verification; applied across Simulation, H/W Accel and Semi-Formal Verification)
Integrated Approach: Verification
• Better synergy with other verification disciplines
  – Formal plans drawn collaboratively with design and simulation teams
  – Optimized testplans via detailed reviews with simulation team
    • Unified view of verification “coverage” inclusive of simulation and formal
• Formal team project-manages global plan/priorities/resources
  – In consultation with design and verification leadership
• Minimize duplicate work in verif disciplines → Book verification of logics in formal
  – LRUs, Debug Bus, Mux-based networks…
High-level Modeling Support
• Raise level of abstraction of the testbench specification
• Provide rich set of convenience functions as VHDL support library
• Parameterized functions encapsulate commonly used logic constructs
  – Clocks generation (e.g., oscillator), edge detection (falling, rising)
  – Vector processing functions – one hot, parity, hamming distance…
  – Waveform drivers (wave, pulse), counters, delays, FIFO…
• PSL (VHDL) events managed as part of unified event management support

Slide example: a FIFO of 4-bit words expressed with the support library's hl_fifo type and its fifo_push / fifo_pop functions:

```vhdl
entity e1 is
  port (i1     : in  std_ulogic_vector(0 to 3);   -- data to push
        we, re : in  std_ulogic;                  -- write / read enables
        o1     : out std_ulogic_vector(0 to 3));  -- data popped
end;

architecture e1 of e1 is
  -- support-library FIFO type, parameterized by entry index range and word range
  signal ff: hl_fifo(fifo(0 to 3)(0 to 3));
begin
  process (ALL)   -- VHDL-2008: sensitive to every signal read in the process
  begin
    if (we = '1') then
      fifo_push(ff, i1);
    end if;
    if (re = '1') then
      fifo_pop(ff, o1);
    end if;
  end process;
end;
```
Equivalence Checking – Combinational vs. Sequential
• Method to assess I/O equivalent behavior of two designs

(Figure: CEC compares the next-state functions and outputs of Logic 1 and Logic 2 with latches cut into matched pairs (d1 == d2 ?); SEC drives both designs from their initial states with the same input sequence {x0, x1, …} and checks that the output difference is {0, 0, …})

Combinational Equivalence Check (CEC)
• Requires 1:1 state elements mapping
• Cannot handle sequential behavior
  – Validates next-state functions and outputs w/r/t cutpoints – may cause false mismatches
• Well-established technology

Sequential Equivalence Check (SEC)
• Supports arbitrary design changes (I/O equivalent)
  – Obviates need for 1:1 latch/hierarchy correspondence
  – Retiming, power saving, redundant logic…
• Explores sequential behavior of the designs
  – Computationally more complex than CEC
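As an added illustration (not SixthSense, nor any code from the talk) of what separates SEC from CEC: a binary-encoded counter against a one-hot remap of it with a different number of latches, so no 1:1 state mapping exists and a combinational check cannot even be set up, yet the two are I/O equivalent, which SEC establishes by exploring the reachable states of the product machine. A deliberately wrong remap produces the mismatch trace. All three designs are constructed for the example.

```python
"""Sequential equivalence check (SEC) by reachability over the product machine.

Constructed example: two I/O-equivalent designs with different state
encodings (2 binary latches vs. a 4-bit one-hot ring), so no 1:1 latch mapping
exists for a combinational check, plus a deliberately wrong remap that SEC
refutes with a mismatch trace. A design is (init state, next-state function,
output function); outputs may depend on the current input (Mealy style).
"""
from collections import deque


# Design 1: 2-bit binary counter; advances while en=1 and pulses `done` when
# the count is 3 and en=1.
def bin_next(count, en):
    return (count + 1) % 4 if en else count


def bin_out(count, en):
    return int(count == 3 and en == 1)


BINARY = (0, bin_next, bin_out)


# Design 2: the same function remapped to a one-hot ring of four latches.
def ring_next(ring, en):
    return ring[-1:] + ring[:-1] if en else ring      # rotate one position


def ring_out(ring, en):
    return int(ring[3] == 1 and en == 1)


ONEHOT = ((1, 0, 0, 0), ring_next, ring_out)


# Design 3: a broken remap that skips the last ring position, so `done` never
# fires. The difference is only visible after four consecutive en=1 cycles.
def broken_next(ring, en):
    if en and ring == (0, 0, 1, 0):
        return (1, 0, 0, 0)
    return ring_next(ring, en)


BROKEN = ((1, 0, 0, 0), broken_next, ring_out)


def sec(design_a, design_b, inputs=(0, 1)):
    """Breadth-first exploration of reachable (state_a, state_b) pairs under all
    input sequences. Returns (True, None, explored) when the outputs agree on
    every reachable pair, else (False, trace, explored) where trace is the
    input sequence that first exposes a mismatch."""
    init_a, next_a, out_a = design_a
    init_b, next_b, out_b = design_b
    start = (init_a, init_b)
    parent = {start: None}                 # pair -> (predecessor pair, input)
    queue = deque([start])
    while queue:
        sa, sb = queue.popleft()
        for x in inputs:
            if out_a(sa, x) != out_b(sb, x):
                return False, _trace((sa, sb), parent) + [x], len(parent)
            nxt = (next_a(sa, x), next_b(sb, x))
            if nxt not in parent:
                parent[nxt] = ((sa, sb), x)
                queue.append(nxt)
    return True, None, len(parent)


def _trace(pair, parent):
    """Rebuild the input sequence that reaches `pair` from the initial pair."""
    seq = []
    while parent[pair] is not None:
        pair, x = parent[pair]
        seq.append(x)
    return seq[::-1]
```

Only 4 of the 4 × 16 = 64 product states are reachable, which is the sequential information a cutpoint-based check cannot use; the broken remap is refuted with the four-cycle trace [1, 1, 1, 1].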
Sequential Equivalence Checking Set-up

(Figure: SEC flow – information from the designer (OLD Design, NEW Design, Initialization Data, Input Constraints, Simulation Assertions) feeds the SixthSense Sequential Equivalence Checker, which drives the initialized OLD and NEW designs with the same inputs and compares their outputs (=?); process outputs are a Proof of Equality or a Mismatch Trace debugged by the designer; the initialized designs are cross-checked with simulation)

• SEC leveraged effectively to verify non-functional design transformations
  – Technology made available in the hands of designers
    • Push-button set-up automatically applies clock / pervasive settings
  – Retiming, backward-compatibility (mode bits), clock-gating, etc.
• Proof conversion of external IP to IBM clocking / latching methodology
• Enabled key methodologies as a reasoning engine
  – Clock-, power-gating verification [1], soft errors…

1. C. Eisner, A. Nahir and K. Yorav, “Functional verification of power gated designs by compositional reasoning,” CAV 2008
Sequential Equivalence Checking – Hierarchical Decomposition

(Figure: design hierarchy Chip → Unit 1 … Unit m → Wrapper 1 → Macro 1 … Macro n (leaf level); at each level the lower levels are black boxed, and the constraints / reset files differ at each level; results cross-checked with simulation)

• End-to-end SEC process used to verify (entire) design remaps
  – Invaluable productivity advantage
    • No simulation → Huge resource savings, fast turnaround
• Hierarchical decomposition starting at macros all the way to chip level
  – Allow designers to deal with logic partitions they are familiar with
• Avoid potential tool (SixthSense) capacity issues
  – RTL hierarchy offers “natural” boundaries – any level (e.g. group of blocks)
Formal Application Results: POWER7
• Largest and most successful ever application of formal on any IBM project
  – Applied at various hierarchies spanning all areas of the chip
    • Significant progress in designer-owned FV environments
  – Found large numbers of documented and undocumented bugs
    • Many hard-to-hit-in-sim bugs
• Developed new (reusable) techniques to verify different logics
  – Arbitration, LRUs, Linked Lists, ECC…
• Synergistic application as a mainstream verification technology
• Technology of choice to root-cause lab bugs, and verify fixes thereof
  – Large numbers found as quick extensions of existing FV environments
• Leveraged Sequential Equivalence Checking extensively
  – Run by designers / end-to-end process, verify external IP, new methodologies…
POWER7 Documented Defects

(Figure: breakdown of documented defects by the discipline that found them – Code / Design Review; Formal Verification*; Unit Verification; Element Verification; Chip / System Mainline Verification; Performance Verification; Chip Pervasive Verification; Other Verification)

* Does NOT include SEC defects and bugs found by designers leveraging FFV
Scaling Formal Testbenches
• Wide-spread adoption of FV requires scalability to simulation-sized testbenches
  – Easier to specify well-documented functional units vs. components thereof
    • Simpler (constraints-based) drivers – higher productivity
  – Synthesizable testbenches – reuse / portable across verification disciplines
  – System level issues a big concern in multi-processor systems
    • Simulation cannot produce traffic seen by the real system

(Figure: block-level testbenches, each with its own Driver and Block Checker (Properties) around Block 1 and Block 2, merged into a (Sub-) Unit testbench with a single Driver around both blocks while the Block 1 and Block 2 Checkers (Properties) are reused; testbench components shown separately from design components)
Verification Templates
• “Template” is a blueprint to verify a certain type of logic
  – A cook-book approach / recipe to check complex RTL implementations
  – Predictable, portable, repeatable, teachable…
  – FPU: Architecture-based case-splits against reference model → Reusable
  – L2, MC, LSU, ISU…?

(Figure: Functional Verification Testbench (Driver, Checker) on top of an Abstracted Model (e.g. out-of-order pipe, cache-coherency protocol – “We’re broken here”) on top of the Logic Design (e.g., VHDL – “We had great success here”), illustrated by the VHDL fragment:
  muxout <= gate_and(cond, d1(0 to 63)) or gate_and(not cond, d2(0 to 63));)

C. Jacobi, “Formal Verification in Industry – Current State and Future Trends,” FMCAD 2006
Verification of Complex Math Functions

(Figure: modulo reduction state diagram – idle, Input A & N, shift amount calc, align data, subtract while shifting, Result = A mod N; verification flow – Property → Compilation → Checker/Driver around the DUT → Bit-level solver and Other Decision Procedure → ACL2 Theorem Prover combines results → Property True/False, Debug trace)

• Combine high-level decision procedures and bit-level solvers
  – Decompose check into invariants proven of each state transition with a bit-level solver, and combine results using a theorem prover to prove desired property
  – Powerful ally to verify wide range of complex math functions
    • FP Division, Sqrt, Cryptography Asymmetric Math Functions (AMF) such as Modular Reduction…

J. Sawada and E. Reeber, “Acl2six: A hint used to integrate a theorem prover and an automated verification tool,” FMCAD 2006
J. Sawada, “Automatic verification of estimate functions with polynomials of bounded functions,” FMCAD 2010
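An added example (constructed for this page; not IBM's datapath, ACL2 or SixthSense) of the decomposition described above: a shift-and-subtract modulo reduction FSM with the slide's states, an invariant stated per state, a check that every single transition preserves the invariant (the bit-level solver's lemma, discharged here by exhaustive enumeration over small operand widths), and the final-state invariant implying result == A mod N (the step the theorem prover chains together).

```python
"""Modulo reduction datapath verified through per-transition invariants.

Constructed example of the decomposition on the slide: the FSM
(idle -> shift-amount calc -> align -> subtract while shifting -> done) is
checked by showing that an invariant I holds after every single transition
whenever it held before, and that I at the final state implies
result == A mod N. A bit-level solver would discharge each transition lemma
symbolically; here the lemmas are checked exhaustively over small widths.
"""

IDLE, SHIFT_CALC, ALIGN, SUBTRACT, DONE = range(5)


class ModReducer:
    """Restoring shift-and-subtract reducer computing a mod n (n >= 1)."""

    def __init__(self, a, n):
        self.a, self.n = a, n
        self.state = IDLE
        self.rem = 0          # working remainder register
        self.shift = 0        # current left shift applied to n
        self.n_aligned = 0    # n << shift

    def step(self):
        """One clock cycle of the FSM; returns the new state."""
        if self.state == IDLE:                     # Input A & N
            self.rem = self.a
            self.state = SHIFT_CALC
        elif self.state == SHIFT_CALC:             # shift amount calc
            self.shift = max(0, self.a.bit_length() - self.n.bit_length())
            self.state = ALIGN
        elif self.state == ALIGN:                  # align data
            self.n_aligned = self.n << self.shift
            self.state = SUBTRACT
        elif self.state == SUBTRACT:               # subtract while shifting
            if self.rem >= self.n_aligned:
                self.rem -= self.n_aligned
            if self.shift == 0:
                self.state = DONE
            else:
                self.shift -= 1
                self.n_aligned >>= 1
        return self.state


def invariant(m):
    """I(state): what must hold in each state for the final result to be right."""
    a, n = m.a, m.n
    if m.state in (SHIFT_CALC, ALIGN):
        return m.rem == a
    if m.state == SUBTRACT:
        return (m.rem % n == a % n                 # congruence kept by each subtract
                and m.n_aligned == n << m.shift
                and m.rem < (m.n_aligned << 1))    # one subtract per level suffices
    if m.state == DONE:
        return m.rem % n == a % n and m.rem < n    # together: rem == a mod n
    return True                                    # IDLE


def check_invariants(a_bits, n_bits):
    """Transition lemma: for every (a, n) of the given widths, I holds after each
    step whenever it held before. Returns the number of transitions checked."""
    checked = 0
    for a in range(1 << a_bits):
        for n in range(1, 1 << n_bits):
            m = ModReducer(a, n)
            assert invariant(m)
            while m.state != DONE:
                m.step()
                assert invariant(m), (a, n, m.state, m.rem)
                checked += 1
            assert m.rem == a % n                  # consequence of I at DONE
    return checked


def mod_reduce(a, n):
    """Run the datapath to completion and return the remainder register."""
    m = ModReducer(a, n)
    while m.step() != DONE:
        pass
    return m.rem
```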
Formal Design
• Correct-by-construction design
  – Leverage FV feedback early in design process
    • Proof high-level specification and verify implementation against it
  – Develop a rich set of assertions during design process
    • Verified for the specification as well as the implementation

(Figure: High-level Model → Equiv Check → Optimized RTL → Equiv Check → Schematic; the High-level Model is fed through a Parser into a Theory solver backed by a Specialized theory)
Extensions

(Figure: POWER7 chip with Core #1 … Core #8, each with L2 / L3 Cache, connected through the Fabric to the memory controllers (MC))

• Create automated reusable IP / methodologies
  – “Off-the-shelf” implementation-agnostic (library of) checkers [1]
  – Characterize logics with functional and/or structural properties
    • Employ vacuity and mutation coverage concepts to gauge effectiveness
• Leverage FV to check aspects beyond functional verification
  – Verification transcends logic function – performance, throughput, power…
    • Verify arbiter performance, throughput across (asynchronous) interfaces
  – Employ FFV and SEC as general purpose reasoning engines
    • SEC – infer clock-gating opportunities, soft-error analysis, sequential synthesis…
    • FFV – optimize data structure logic (e.g. size, area), infer machine settings…

1. G. Auerbach, H. Chockler, S. Moran and V. Paruthi, “Functional vs. Structural Verification – case study,” Submitted to DATE 2011
Conclusion
• FV has matured to become a core verification discipline
  – Integrated approach with design + verification
  – Leveraged by the masses
• FV has had a significant and measurable impact
  – Improved design quality → minimize bug escapes to silicon
  – Boost design and verification productivity
• Formal Application is evolving towards a broader and strategic focus
  – New application domains, reusable verification IP, innovative solutions
  – Aided by improved speed and capacity of formal and semi-formal toolset
• Large-scale application of Formal Verification is a fact!
Acknowledgements
• Methodology
  – Wolfgang Roesner
  – Klaus-Dieter Schubert
  – Jason Baumgartner
  – Ali El-Zein
• Execution
  – Gadiel Auerbach
  – Mark Firstenberg
  – Paul Roessler
  – Jo Lee
  – Shiri Moran
  – David Levitt
  – Fady Copty
  – Steven German
  – Krishnan Kailas
  – Jun Sawada
Back-Up
POWER7: Verification Overview

(Figure: map of the POWER7 verification disciplines – Formal Verification, Sequential Equivalence Checking, Constraint Random, SMT4 Testcase Generation, Result Prediction, Coverage, Access, Structural Checking, Hardware Accelerator (Chip/System, different timescales), L3 Verification, Chip Bringup (BIST, Clock control, Power-On Reset, ...), System Bringup (HW/SW Co-Simulation) – against the Core and Nest targets: FXU, IFU, LSU, VSU/DFU, PC, L2, MCU, Interconnect, Bridge, IO, EndPoints, PervNetwork, PwrMgmtCtrl, Pervasive, Chip/System)

Case-Splitting

(Figure only)