| Login | | Don't have an account yet? You can create one. As a registered user you have some advantages like theme manager, comments configuration and post comments with your name. | |
| Who's Online | There are currently, 60 guest(s) and 1 member(s) that are online.
You are Anonymous user. You can register for free by clicking here | |
 | |
|
Verification Guild: Forums |
|
| View previous topic :: View next topic |
| Author |
Message |
tblackmore
Senior
Joined: Jan 23, 2004
Posts: 43
Location: Bristol, England
|
 Posted: Wed Aug 25, 2004 7:40 am Post subject: |
 |
|
I fully agree that formally verifying a block does not give 100% confidence that the block is going to function correctly in a system, for the reasons that you give. There are ways to offset these problems, so that the confidence level can approach 100%. However I think that the last three of these issues remain issues for developing block-level testbenches (incompleteness of specs, what to drive and what to check), but now we don't have exhaustivite coverage of the functionality considered.
Formally verifying a chip of 300 blocks would indeed be challenging. But I think the key thing, at least to begin with, is to look among those 300 blocks for likely candidates for formal, or semi-formal, verification. These blocks may be those which have been traditionally problematic, or that are critical to the functioning of the system. In this way the confidence in the correct functioning of these blocks is increased, and hence the confidence in the correct functioning of the chip. This formal or semi-formal verification may augment rather than replace simulation but with a large percentage of chips still needing respins for functional problems it may well be the cheaper option. |
|
| Back to top |
|
 |
alexg
Senior
![]()
Joined: Jan 07, 2004
Posts: 586
Location: Ottawa
|
| Posted: Wed Aug 25, 2004 8:22 am Post subject: |
|
|
| Quote: | | Having a large confidence in the correct functionality of each of the blocks used on a chip is essential. If a chip has 10 blocks, then 99% confidence in each block multiplies up to 90% confidence in the chip, whereas 95% confidence in each block results in only 60% confidence at chip-level (not including integration issues). |
Verification proves that properties defined in specification work in implementation. It means that before verifying any design block, we must have block-level specification document, from which we can extract properties-to-verify. This document should be different from the microarchitecture specification which describes implementation details. It should be rather functional specification of the block. In a case we'll get such documents we may run smooth block-level verification with either formal or dynamic tools, using good old "divide-and-conquier" approach for the chip-level verification.
In practice, there are some serious problems associated with this approach. Our assumption that block-level functional specification documents are correct and compete may be wrong. Extracting correct and complete block-level functional specifications from the chip-level functional specification in many cases is extremely difficult task. On the other hand, without having the full confidence that block-level specification documents are correct and complete, we cannot say that chip-level function A scales to the sum of block-level functions B, C and D. And, if our final product is chip and not the library of IP blocks, our major goal is verification of chip-level (not-block-level) properties.
Formal tools may greatly help to chip architects and designers during specifications development. Properties, defined in the formal languages, can be verified on the pre-RTL stage. For this purpose, formal tools may not have state-explosion problem since the number of registers in a high-level or functionally non-complete model may be significantly reduced. Then, functional verification may inherit these properties, checking them in implementation in either dynamic or static (formal) way.
Regards,
Alexander Gnusin |
|
| Back to top |
|
|
tblackmore
Senior
Joined: Jan 23, 2004
Posts: 43
Location: Bristol, England
|
| Posted: Wed Aug 25, 2004 8:57 am Post subject: |
|
|
| Quote: |
In practice, there are some serious problems associated with this approach. Our assumption that block-level functional specification documents are correct and compete may be wrong. Extracting correct and complete block-level functional specifications from the chip-level functional specification in many cases is extremely difficult task. On the other hand, without having the full confidence that block-level specification documents are correct and complete, we cannot say that chip-level function A scales to the sum of block-level functions B, C and D. And, if our final product is chip and not the library of IP blocks, our major goal is verification of chip-level (not-block-level) properties.
|
Certainly chip-level function may not be the sum of the block-level functions. This is even more likely to be the case where block-level functional specifications are incorrect or incomplete - so that designers of the different blocks cannot be sure of how the neighbouring blocks behave. In the 'Validating the Intel Pentium Processor' paper from DAC 2001 (I think), 11.4% of bugs were attributed to miscommunication and a further 4.4% to inadequate documentation - perhaps both really coming under the heading 'insufficient documentation', and together being the single largest source of bugs. However a property-based approach reduces our need to assume that such specifications are correct, since properties are placed on these interfaces and checked either formally, semi-formally or dynamically. One very positive side-effect of property checking is that documentation is tied down, and everyone is clearer about what is going on. |
|
| Back to top |
|
|
alexg
Senior
![]()
Joined: Jan 07, 2004
Posts: 586
Location: Ottawa
|
| Posted: Wed Aug 25, 2004 10:11 am Post subject: |
|
|
| Quote: | | However a property-based approach reduces our need to assume that such specifications are correct, since properties are placed on these interfaces and checked either formally, semi-formally or dynamically. One very positive side-effect of property checking is that documentation is tied down, and everyone is clearer about what is going on. |
If specification's properties are not correct, verification process is meaningless. Another question is that sometimes it is difficult to specify correct properties without high-level modeling. However, I don't think that extracting specification properties from implementation RTL is a good idea.
Regards,
Alexander Gnusin |
|
| Back to top |
|
|
tblackmore
Senior
Joined: Jan 23, 2004
Posts: 43
Location: Bristol, England
|
| Posted: Wed Aug 25, 2004 10:44 am Post subject: |
|
|
Hi Alexander,
I agree that each block behaving as specified does not on its own ensure correct functionality of a system. However it is necessary to divide a system up into blocks that are manageable by individual designers. It is then necessary to understand the functionality of each of these blocks and how they should communicate. If the block specifications are not correct then it is not only the verification that is meaningless but the whole design process. Of course people have to approach block-level verification intelligently and not just blindly verify to a specification, but satisfy themselves that the specification is sensible. Also, incorrectness in block specifications may be found by verification - for example inconsistencies in two designers' understanding of how their blocks should communicate could be flagged by an assertion (or two) firing during simulation.
In the absence of sufficient specification it may be necessary to extract properties form RTL. In fact for a full formal verification it may be necessary to reverse engineer a complete block into properties, the sum of which describe its functionality (which may be proved by a theorem prover or perhaps just by pencil and paper). If this is necessary then there is all the more need to approach the job intelligently. But working from a good specification is the preferred approach.
I like the idea of formally verifying a high-level model of a system, e.g. to ensure no deadlocks or livelocks exist in the system. Which tools would you recommend for this? What languages do they use? Are you also suggesting that a high-level model could be used to determine suitable places for block boundaries, and which properties these blocks need to satisfy for the correct functioning of the system?
Regards,
Tim.
Editor's note: this topic was split into this topic |
|
| Back to top |
|
|
|
|
You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
| |
|
|
Forum FAQ
Search
Usergroups
Profile
Digest
Log in
