by David Crutchfield, Senior Principle CAD Engineer, Cypress Semiconductor
Because it is time consuming and difficult to exhaustively verify our IP designs, the CAD team at Cypress wanted to increase the use of formal verification throughout our design and verification teams. Formal verification uses mathematical algorithms and heuristics to prove the functional correctness of a design. Because it exhaustively explores all possible input sequences, formal analysis uncovers design errors that would otherwise be missed or be impractical to find with simulation-based methods.
However, formal itself can be difficult to learn and use. Fortunately, in recent years, specialized formal applications have been introduced that deliver the power of formal analysis in focused areas, allowing users who are not familiar with formal techniques to solve some tough verification challenges.
Therefore, in order to make it easier to introduce formal verification to our engineers, we introduced Questa® Formal Apps into our verification management system (VMS), which we had developed in house. By doing so, we sought to automate formal verification, make it easier to use, establish repeatable tests and processes, and make the Formal Apps themselves easy to access.
Initially, we wanted to use the Questa Formal Apps to improve four pain points in our verification flow: connectivity checking, coverage closure, register checks, and code quality. We used Questa Connectivity Check for the connectivity checks, Questa CoverCheck for coverage closure, Questa Register Check for register verification, and Questa AutoCheck for code quality analysis.
We will briefly explain why we wanted to adopt formal applications within Cypress, and how we made it easier to introduce them to our engineers by incorporating them into our VMS. We will then summarize their implementation and usage in the context of the four specific design applications and provide a summary of results.
Verification Management System
Cypress developed our VMS about five years ago, providing a frame work that everyone in the company can use for launching functional verification tools within the environments they have. VMS manages compilation and simulation jobs through Mentor's Questa VRM (Verification Run Management) technology.
VMS establishes a standard approach to design and testbench organization using directories, starting with foundational rules such as specifying the directory structure of projects and work directories, and the standardization of tool invocation and configuration arguments so that the VMS can find them. Our VMS gives users the choice of automated test list creation or they can create standard-based test lists themselves.
|Figure 1. Existing verification system.
The VMS also specifies regression status reporting and live coverage information in pre-defined locations to make it easy for end-users across projects, and the supporting CAD team, when trying to resolve issues that we run into. In short, we know what a testbench looks like, structurally, before we go in to debug something. This allows engineers and CAD support to find any design, verification, or tool issues very quickly, in a manner that's readily reproducible. Anyone can pull a design from the repository and recreate the results using the same CAD flow throughout the company.
Finally, VMS facilitates the introduction of new tools and methodologies so users can rapidly integrate them into their workflows. To do this with formal verification, we enhanced VMS to support the new requirements for the formal applications; i.e., the particular inputs for feeding the formal applications and a standard interface between simulation-based functional flows and formal verification. Once we had these things in place, our users started trying out formal within their IP and SoC verification projects.
Verification Pain Points
Now we will take a closer look at the four main pain points we initially wanted to address with formal verification in general, and how we planned to map the different Questa Formal Apps to these flows.
We have an automated system for stitching together our fully verified IP. We need to make sure that the tool did what it was supposed to, and we would like to do that easily without having to write a large range of functional tests. That means we want an automated way to verify that we connected our IP properly.
These connectivity checks are problematic because functional routing through an IP is very hard to verify exhaustively, as are the programmable interconnects themselves. It's very time consuming to check out all of the routes, especially in an IP that is just there to route pins from one input, or from an input to an output, or from several inputs to several outputs. And it is very hard to identify the programmable interconnects and time consuming to exhaustively verify them. When it comes to the chip-level interconnects, it is also hard and time consuming to exhaustively verify if you properly connected all of the IPs within a chip.
To simplify our connectivity checks we added two new steps to our VMS. First, we generate the connectivity properties (aka assertions) with the Connectivity Check app, which are then proven with the Questa PropCheck formal engines "under the hood". The Questa part of the flow is all automated so users do not need to know anything about writing assertions or formal techniques.
As can be seen in Figure 2, this process is fairly simple. VMS compiles the design, controlled by an interface that is already familiar to our users. We add in one more input, the connectivity specification file, to enable the tool to automatically generate all the corresponding connectivity assertions (aka, properties). Next, the assertions are compiled and fed into the formal property checking engines. If the properties pass, we're good to go. The best part: no testbench is required.
|Figure 2. Connectivity checking flow.
The goal is always to get 100 percent code and functional coverage closure within our IPs. To do this you have to mine for the unreachable code, and this can be a very time consuming, iterative process. First you develop some tests, then you review the coverage to make sure you're getting what you expect. Next you consult the IP owner to see if there are areas of code that can be excluded from the coverage checks, if you're not hitting those areas. Then you create those exclusions, and you develop more tests. You keep repeating this cycle trying to mine out all of the unreachable code. Making matters worse, if the code changes, you have to go through the cycle, or cycles, all over again.
We looked at three different formal flows within VMS for dealing with coverage closure. In the first flow, we added one new step to the normal exclusion flow by generating exclusions with the Questa CoverCheck Formal App. Note that at this stage we don't need to have to have a testbench to generate the exclusions. As with connectivity checks, the design is already an input to VMS so we can compile it and run it through CoverCheck to generate exclusions directly from the design. Then, we adjust the coverage points as needed to get to a higher percentage of coverage in the end. Note that an exhaustive search for unreachable code can be time consuming because there is a larger state space to look through, but on the plus side you do not have to create a testbench. If you want to bring in simulations you can – the extra information helps "feed" the flow and makes it run a little faster, but it requires
creating test cases.
|Figure 3. Coverage closure — Flow #1.
The second flow uses exclusions generated in the first flow, so no new steps are required – you just adjust the coverage targeting after each regression run based on any holes you spot in the prior runs. Simply compile the design, compile the testbench, run the simulations, and adjust coverage on-the-fly to get to 100 percent coverage.
As in the first flow, we add one new step to the third flow: generating exclusions with the Questa CoverCheck Formal App. However, we create a test to seed coverage to begin with, which narrows down the state space where you need to find unreachable code. This is less time consuming than what we saw in our first coverage flow, but you need a testbench and the required tests. Still, by running simulations you get some amount of coverage generated from that. Then you run the CoverCheck tool to generate exclusions and adjust coverage as needed to get to 100 percent coverage.
|Figure 4. Coverage closure — Flow #3.
We also wanted to automate control and status register verification because this has historically been a time consuming and error prone process. First you have to read and understand the spec – which if you're lucky is only a few pages of tables to study and internalize. Quite often not all the bits are used within a register, so you have to handle non-contiguous masking within all your tests.
Finally, you develop the tests and debug the results. All of this takes about four to six weeks for a 50k design.
Our new solution involves adding one step into the VMS using the Questa Register Check Formal App. Specifically, there is one new input: the register specification in the CSV file format. As with the Connectivity Check flow, the RTL design is fed in and compiled, and the Register Check tool generates all the assertions from the specification. Then it formally verifies those assertions against the design itself. Again, no testbench is required.
|Figure 5. Register check flow.
Typically, the design team does minimal testing on a design before they hand it off to the verification team. They may or may not write a testbench for it, and they may not even compile it. They'll just hand it over and let the verification team start to do their job. More often than not the verification team will go through a bunch of verification cycles to find simple problems like deadlocking state machines, combinational loops, or logic contentions that could have been found by the designer before handing the design off for verification. In other words, the verification team will have wasted analysis cycles only for the design to be kicked back to the designer to fix the code. This is an area that we would like to improve on as well.
Code quality checks require only one new step in VMS. It is an option that any designer could run, and they don't need a testbench. Via the VMS they invoke the Questa AutoCheck Formal App which automatically generates assertions based on the desired checks we'd like to verify or validate for the IP. Then it formally proves those against the design.
|Figure 6. Code quality flow.
Usage and Results
Now we will look at how we used the Questa Formal Apps for each of these and provide some results and comments.
For connectivity checking, you only have to create a simple CSV format file. A simple assertion (or property) created from that spells out exactly what you want it to do. The Questa Connectivity Check Formal App generates this property for you, and then uses a default check or module (also provided by the App) to get that information. We have used this in two areas as follows.
First, we had a PLD-like IP where we were mapping around different analog modules within this IP. We want to make sure the connections are made properly through the logic as specified for this IP. We were able to complete the routing verification in about a week using the Connectivity Check App. This saved us four person-weeks in exhaustive simulation, which is roughly eight months of calendar time. It identified one major bug that would likely have been missed in functional simulation. We would have had to go through many test cases just to get there, and we may or may not have found it. But the Formal Connectivity Check App allowed us to find the bug within a week.
We also automated our chip-level connectivity verification using CSV generation from a specification that defines all of our platforms or chips within the company, thus we can generate a connectivity spec for us as well. We just feed that connectivity spec into this system. When we generate the chip-level RTL, all the modules should be connected to one another, so we verify formally that this is true: that we have indeed properly connected them together.
Table 1 shows run times and the number of routes between blocks that we verified. It took roughly two minutes for each of the type of runs shown here. Notice that there are lots of lines within the CSV file, so automation of that CSV file creation is essential to yielding substantial time savings. Rephrasing that, to save time and prevent manual error we don't want engineers writing those by hand; so generating that automatically from a spec is very important.
|Table 1. Connectivity check results.
Knowing when to use formal connectivity checks is very important, as it is not a good fit for everything. PLD-type IPs, SoCs where you are just trying to make sure that your interconnects are connected properly, and complex combinatorial logic blocks are all areas where you can take advantage of this tool.
How to combine formal results with the simulation coverage can be a difficult challenge. We find that if you fully covered a routing block using formal, you don't need to run code coverage for that routing block. You formally verify it, and you check it off as done. We also learned that you need to have good, clear specifications of the connectivity and strict code modularity.
Using coverage exclusions generated by the Questa CoverCheck Formal App, without tests provided, (Flow #1 described above), we achieved some promising results. It took about an hour to generate exclusions for our PLD-like IP. The tool found 17,783 unreachable items and generated exclusions for each one of those. That's a lot of exclusions, and a lot of effort if you had to go through to create all of those manually. Thus, it was a very important asset for closing coverage quickly to have the exclusions automatically generated.
One issue we found arises from the fact that we have very highly configurable IP, and currently Questa Formal can only process one configuration at a time. This means that we have to manually come up with all of the configurations up front, and run it through the tool. We would like to be able to specify our parameters and the range of values for those parameters and let the tool automatically create the exclusions for each of those configurations. We are working with Mentor right now come up with a solution for this.
For register verification we first generate the register CSV file and a control file from our internal specification. Both of these files must be generated automatically for this to be a viable solution.
Our PLD-like IP has roughly 2,700 registers, which equates to about 27,000 register fields within those registers. That comes out to about 55,000 AHB accesses that are needed for full verification. It is clearly an enormous challenge to exhaustively verify each of these bits. It takes a very long time to do that: more than 50 CPU hours. So it's important for us to get some help from the Questa Register Check Formal App for this; however, our initial evaluations did not perform as fast as we needed. Still, we realize there things we can do to achieve maximum performance from the tool. For example, we expect that doing some black boxing would give us a 20X improvement. And we believe that more work on profiling would make the performance more reasonable. We are working Mentor on these approaches as we really see the value of ramping up on Register Check.
With the Questa AutoCheck Formal App it was very simple to gain beneficial results. You just turn it on and let the tool do the work for you. It took us about 30 minutes to run the same PLD-like IP through the tool. We found several potential issues within that IP that required going back to the design team to clarify whether are actual problems or not.
Because the AutoCheck App is so simple and quick, our designers now run AutoCheck on their code and make sure it is clean before releasing the IP to the verification team. If it's not, then they'll iterate on it themselves to get it right, eliminating low hanging fruit issues before they hand it off to verification.
Our CAD team is always looking for ways to automate the design and verification flow and make it easier for our design and verification engineers. We believe that formal applications help us do that. The Questa Formal Apps are a good first step into formal techniques and for using formal within our environment. The Formal Apps have proven to be exactly what we wanted as far as introducing formal within the company, and building interest in it.
Our verification team has come to know that they can get to formal applications through the verification management system, and they've come to our CAD team asking things like, "You've given me these applications; now how do I just feed in properties that I create myself and let the tool work on those?" We can allow that through VMS. It automates calling the Formal App tools for them and making their use easy for them. This encourages them to really start using formal to fully verify their IP, and it allows them to get started without a testbench.
Connectivity and code quality checks show the most promise for us right now. We need to do more work to make the coverage and register checks work better within our flow. These include forthcoming tool enhancements from Mentor and better flow integration within our verification management system.
View & Download:
View the Cypress Adopts Questa Formal Apps to Create Pristine IP success story.