Classics Of FPV Erik Seligman CS 510, Lecture 10, January 2009.

Classics Of FPV

Erik Seligman

CS 510, Lecture 10, January 2009

Goals

View examples of successful FPV cases• Abstracted a bit from real life

• But concepts reusable for actual design

See common patterns of FPV usage• Begin building ‘cookbook’ for designers

• Use past successes as guide

• Recognize cases well-suited for FPV

Encore Gigamax Cache

What is this example?

From Ken McMillan’s thesis• Key example using BDDs for FPV

• Major early-90’s PoC that FPV is viable

Basics of Gigamax Cache• Distributed multiprocessor system

• Detailed prototcol for maintaining coherence– Multiple proc need consistent view of memory

– Bus free between req & response, for other activity

– Memory block may be invalid, shared, or owned state at each processor

– One ‘master’ chosen on a bus at each cycle

Gigamax Abstract View

More on Gigamax Protocol

Important Properties for Cache Coherence Free from deadlock Sequential Consistency Various safety properties

Q: state ‘free from deadlock’ in SVA• Given variables readable and writable

Important Properties for Cache Coherence Free from deadlock Sequential Consistency Various safety properties

Q: state ‘free from deadlock’ in SVA• Given variables readable and writable

A1: assert property

(##[0:$] readable && ##[0:$] writable)

FPV Found Deadlock

Based on abstract model of protocol Found long sequence of events that

would lead to deadlock• Owner of mem block sends write cmd

• Remote block sends read to owner– Requests pass in transit

• Another remote request for same block– Locks global bus, nobody unlocks

New find, unknown to makers of Gigamax!

PCIE Packet Assembly

Packet Assembly Example

Abstracted from PCI-Express verification• FPV done by Erik

Fixed-size packets (DWORDS) from link layer• Assembled into transactions

– Start, end, type markers visible– Data errors detected & abort transaction

• Transaction may have variable # of packets– Type info at transaction start

• Transaction may commit or abort

“Garbage traffic” must be ignored• System guarantees no fake transaction-start

Link/Transaction Interface (abstract view)

FPV Challenge

Model complete correctness?• Possible, but would require lots of code

• Estimated to rival size of RTL– Insufficient ROI

Instead, create set of safety properties• Observe start, end, commit/abort, and types

• Can you guess some properties?

FPV Safety Properties

Examples of implemented properties• If START seen, END seen at legal time

• After END, see a COMMIT or ABORT in specified amount of time

• Without END, see no COMMIT or ABORT Required “shadow model” code

• Limited modeling but not full packet checking

• Kept track of various parts of state:– Inside or outside transaction– Transaction type

FPV Results

Basic method used for several chipsets Found serious errors missed by sim

• Simulation env omitted certain transactions

• Garbage traffic created fake transaction

• Could get into bad state & not commit or abort one packet

• Unlucky data confusing the state machine

Transaction Queue FPV

Transaction Queue

Another abstracted PCIE case• Also FPVed by Erik

• FIFO stores incoming transactions

Transaction Queue FPV

Designer was worried about overflow• Minimized size due to area/timing worries

• But what if transactions arrive too fast?– Misc logic must create backpressure in time– Some transactions need to hold >1 cycle

FPV requirements• Assumption: backpressure worksassume property (backpressure |=> !trans_valid);

• Assertion: queue won’t overflowassert property (!(fifo_cur == FIFO_MAX));

FPV Results

First got bogus pass, needed coverage

cover property (fifo_cur == FIFO_MAX-1);

• Revealed some minor assumption errors

Found real bug!• Queue needed to be 1 deeper

– Or generate backpressure one cycle earlier

• Due to backpressure latency in misc logic

• Miscalculation by designer

OpenSparc DDR2 Memory Controller

DDR2 Memory Controller (MC) Described in 2008 Datta/Singhal paper Various safety requirements

• Priority: refresh, CAS, scrub, read, write

• Max # commands in interval

Issue: Complex Startup

Control registers• Set by system during boot

• Take thousands of cycles– FPV would never get a good result!

Similar issues with software startup• Many command words needed to initialize

Get simulation values for registers, use assumptions to set & hold constant

Opportunity: Design Symmetry All bits of datapath basically identical So reduce width to 1 for FPV

• Code must be well-parameterized to enable

8 Banks in design, all with identical logic• Just need to FPV 1 for good confidence

Issue: Large Counters

13-bit refresh interval, 12-bit scrub interval• So potentially 2^13 cycles to see error

• Worse if independent & need both at once!

Solution: abstract counters• Create cut points at counter outputs

• Counters get arbitrary values for FPV– Potential problems?

Issue: Hazard Conditions

Important to check hazards like RAW• Read-after-write (RAW): Read from address

with write pending

• Requires 32-bit address compare– Complexity for FPV

Solution: free the RAW bit• At arbitrary time, FPV can assume hazard hit

– Potential problems?

MC Property Example

• No more than 4 ACTIVATE commands may be issued to the DDR2 SDRAM within a window of T_FAW clock cycles

• Added verilog code for tfaw_counter• Property violated: bug found!

Basic FPV Patterns

Reference Models

• assert property (rtl.o1 == abstract.o1)

• assert property (rtl.o2 == abstract.o2)

Shadow Models

• assert property (rtl.o1 == abstract.o1)

• o2 not represented in model, no property

Arbiters

Classic, common case for useful FPV Multiple requests come for a bus

• Arbiter decides who owns bus each cycle

What are some important properties?

Arbiters

Classic, common case for useful FPV Multiple requests come for a bus

• Arbiter decides who owns bus each cycle

What are some important properties?• Fair

req[i] |-> ##[1:`BOUND] owner[i]

owner[i] |-> ##[1:`BOUND] !owner[i]

• Conflict-free$onehot0(owner)

• Efficiency– (|req) |=> (|owner)

State Machines

Another common case for FPV Common state machine assertions?

State Machines

Another common case for FPV Common state machine assertions?

• Each SM state reachable

cover property (state == STATE_VALS[i]);

• System consistent with SM state

assert property ((state == `WAITING) |-> (req==1));

• State machine will always return to idle

assert property ((state == STATE_VAL[i]) |-> ##[1:`BOUND] (state == `IDLE));

General FIFO Assertions

Fifos are another common FPV case. Fifo assertion ideas?

General FIFO Assertions

Fifos are another common FPV case. Fifo assertion ideas?

Overflow/underflowassert property (fifo_cur==DEPTH |=> !write);

assert property (fifo_cur==0 |=> !read);

Successful flushassert property (flush |=> (fifo_cur==0));

Cover conditions of filling/emptying queuecover property (fifo_cur==DEPTH-1 ##1 fifo_cur==DEPTH);

cover property (fifo_cur==1 ##1 fifo_cur=0);

FIFO: Tracking A Value

Common for FIFO: we saw value go in, make sure it comes out

“Local variable” feature of SVA

property data_check;

bit [`SIZE:0] lvar;

(write, lvar = data_in) |-> ##[0:`BOUND]

(read && (data_out == lvar)) ); Watch for danger of sim performance hit

• Many threads may be needed

Sets of Related Properties

Suppose we see many failures in module Think about common causes

• Some overall constraint on inputs missing?

• Some conceptual issue missed?

Examples• Clocks/Reset: Are they correct? Are clock

ratios legal?

• Address/Command const for <n> cycles?

• Legal commands supplied?

References / Further Reading

http://www.kenmcmil.com/pubs/thesis.pdf http://oskitech.com/papers/datta-mc-vlsi08.pdf http://oskitech.com/wiki/index.php?title=Main_Page http://www.eetimes.com/news/design/showArticle.jhtml

;jsessionid=FQOK0R2XZXMHOQSNDLRSKHSCJUNN2JVN?articleID=190301228&pgno=1

http://ebook.dicder.com/verification/SystemVerilog%20Assertion%20Handbook.pdf

http://www.amazon.com/Assertion-Based-Design-Information-Technology-Transmission/dp/1402080271/ref=sr_1_1?ie=UTF8&s=books&qid=1233705569&sr=8-1 (especially ch.7)