Using Formal Verification to Replace Mainstream Simulation

Using Formal Verification to Replace
Mainstream Simulation
Erik Seligman
Brandon Smith
[email protected]
[email protected]
For Submission: Author Slide
• Erik Seligman, Intel, 503-712-3134,
[email protected]
• Brandon Smith, Intel, 503-712-6294,
[email protected]
For Submission: Abstract
Formal Verification (FV), the use of EDA software to mathematically prove that all possible behaviors of a
Register Transfer Level (RTL) model will be correct, has been a successful and growing technique in design
validation. While there is general agreement that FV is useful, it has most often been seen as an additional task
to ensure extra safety, rather than a more efficient way to do mainstream validation of a design in progress.
We believe that FV technology can now be used to replace a significant amount of the simulation that is currently
done in our major core designs. There is clearly a need to improve our validation techniques, as our simulation
environments have seemed to grow without bound, and now contain as much code, and as many bugs, as our
actual RTL. Thus, the team decided to launch a pioneering effort to demonstrate that FV really could replace
simulation as our main validation technique.
In order to test this hypothesis, the team enlisted engineers on 11 major units of one of our core designs, and
asked them to attempt to validate their units through formal verification. This group included engineers with little
or no formal verification experience, as well as a few experts. As the team developed formal proofs on these
units, they learned about the challenges of bringing FV to new units with inexperienced engineers, and report on
our key takeaways from this effort.
As a result of this pioneering, we are confident that FV can indeed be used as a primary validation strategy for
applicable units on nearly any future Intel project. We conclude with a set of recommendations for managing the
mix of formal and dynamic techniques during product development.
• This talk summarizes work by a large
team, not just the authors!
– M. Arifin, A. Bunker, V. Frolov, M. Lifshits, K.
Natarajan, T. Schubert, F. Tabesh, A.
Thatcher, C. Wall, R. Yan, C. Yan
Current Validation Methodology
New Vision for Validation
Pioneering The New Vision
Example Validation Plan
Results and Future Plans
Current RTL Validation
Full Chip
Full Chip
Cluster Level
Verification– by
FV Experts
Why More Formal Verification (FV)?
• Early exercise independent of Test Env progress
• “Instant Testbenches” using coverpoint FV on new RTL
• Early block exercise before combining into unit
• Quickly find basic bugs
• Faster integrations by getting healthy RTL earlier
• Other Benefits of Formal Verification:
Validate hard-to-hit conditions with relative ease
Quicker and easier debug due to very short traces
Instant validation of late-binding changes
Complete validation sooner with excellent quality
New Vision for Validation
Full Chip
Full Chip
Cluster Level
Verification– by
FV Experts
Verification– by
Pioneering the New Vision
• 11 core units chosen for pioneering
– Varying levels of FV expertise among owners
– 3-month targeted effort (part time)
• Pioneering goals
– Develop validation plans
• With path to simulation replacement
– Build FV environment & ‘wiggle’ models
– Observe real traffic comparable with
simulation tests
Pioneering Challenges & Solutions
Hard for non-experts to get started:
general FV training overwhelming.
Pair each non-expert with expert for
initial bring-up.
Local reset poorly understood.
Use simulation reset initially.
Experts help to understand.
Conceptual change from active BFMs
to passive assumptions.
Emphasize interface assumes in FV
plan. Also auto-generate simple
Size of some units (300K+ flops) too
large for formal.
FV plan includes reducing structures
& memories. Also need to improve
RTL parameterization.
Complex interfaces don’t enable
simple assumptions.
Encourage reference modeling on
interfaces when applicable, +
reusable interface property sets
Sample Formal Verification Plan
Page Miss Handler
Memory interface
= Reference Model
with Assumptions
Tracking FSM
Backend Queue
Instruction Fetch Unit
= Verification Focus
= Abstract/Reduce or Blackbox
Results of Pioneering
All 11 units are reasonable FV targets
– Assuming expert help to get started
– With proper abstraction & reduction
– Best when full cluster can be built for FV
• FV very useful for design exercise
– “Wiggling” waveforms in early/partial proofs
– Enables quick sanity check in modified RTL
• FV assumption creation effort comparable to sim env development
– But low ROI if good sim env already done
• BUT can’t completely eliminate cluster simulation
– Complex interfaces can be difficult to model passively
– Some subset of non-fv-friendly unit types
– Inherited units with lots of tests don’t want to redo effort
Proposed POR: “FV Where We Can,
Simulate Where We Must”
Eval FV results
Full Simulation
Sim + Formal
Full FV
• Formal Verification IS feasible for mainstream validators
– But need experts to help with initial setup
• FV can replace lots of simulation
– Some effort to bring up FV environment
• But current simulation envs effort-intensive & buggy
– Not 100% of units, but major subset
• We should be doing more FV
– Current efforts need to measure & report results
– Focus on developing reusable FPV collateral
– Demonstrate success to engineers and managers

similar documents