## Overcoming AXI Asynchronous Bridge Verification Challenges with AXI Assertion-Based Verification IP (ABVIP) and Formal Datapath Scoreboards

Bochra El-Meray, ST-Ericsson

Jörg Müller, Cadence





## About the Authors

- Bochra Elmeray
  - Verification Engineer at ST-Ericsson Rabat
  - 5 years experience in IP verification
  - Expert in Formal Verification



- Jörg Müller
  - Solutions Engineer at Cadence Design Systems Munich
  - 15 years experience in ASIC Design and Verification
  - Expert in Formal Verification
  - Supported ST-Ericsson for advanced verification





## Agenda

- Overview GALS Design Verification
- Environments
- Formal Protocol Checking
- Formal Functional Checking
- Technology
- Results
- Conclusion



## **Overview GALS Design Verification**

- Definition: GALS
  - Globally Asynchronous Locally Synchronous design techniques used for SoC
  - Solve physical implementation problems (power, timing, etc)
  - Requires synchronization between clock domains with different frequencies
- Synchronizer between dom
  - Example: AXI2AXI bridge
  - 2 clock domains
    - AXI Master
    - AXI Slave
- Verification Challenges
  - Protocol Compliance
  - Datapath Integrity







# **Verification Environments**

- Traditional
  - Constrained Random Simulation (SpecMan)
  - Metric Driven Analysis (Coverage and Fault)
  - Applied on sub system level only, not on IP level
  - Focus on known application scenarioes only, missed bug
- First Formal
  - Many inconclusive results due to complexity of design
  - Debbugging failures on signal level is difficult
  - No functional checking, only protocol compliance
  - No verification plan or progress metrics
- New Formal
  - Adding methodology and technology to fill holes
  - Replace simulation efforts for IP level features







## New Formal Verification Strategy

- Add 2 new components in the environment
  - New AXI3 Assertion Based Verification IP optimized for protocol checking
  - New methodology for verifying asynchronous datapaths for functional checking
- Embedd it in formal-aware metric driven verification and regression environment
  - Orchestrating and distributing formal environments on server farms
  - Collect results and provide global view of overall verification state
  - Allows tracking of progress and assessment of completenss
- Take advantage of new debugging capabilities
  - Transaction level representation of AXI protocol activity
- Leverage latest formal technology available
  - Incisive Enterprise Verifier XL



### **Protocol Verification**

- Goal: Guarantee protocol compliance against AXI specification
- Technology used: Formal and Assertion Based VIP (ABVIP)
- Optimized properties for formal validation of interface protocol
  - Instantiate and connect to DUT interface
  - Provides checks and constraints for protocol compliance checking
  - Provides constraints for functional checking



## **Functional Verification**

- Goal: Guarantee core functionality of the bridge data transport
- Methodology introduced: Verifying asynchronous datapaths with formal scoreboarding
  - Utilizing symbolic sequences (refers to Wolper, Stangier, Mueller)
  - Formally verifies data integrity
  - Implemented as formal scoreboard (provided by Cadence)
- Fills hole of previous formal verification environment





## Symbols used in Formal Scoreboard

- Using Symbol in Formal Verification
  - Declare one symbol that represents all possible values, in all possible locations, at all possible times, under any possible condition
  - Symbol implemented as non-deterministic constant

wire [31:0] symbol; // uninitialized
assert property(\$stable(symbol));

```
Value chosen by
the formal tool to
trigger failures!
```

- Example sequence "one symbol only" 00...00100..00
  - Symbol used to constrain unique value in input domain sequence

Symbol used to check for matching same value in the output domain sequence

```
assert property (@(posedge out_clk)
    out_symbol_seen && out_dvalid |-> out_data != symbol);
```



# Sequences of Symbols in Formal Scoreboard

- 1. always symbol
- 2. never symbol
- 3. first symbol
- 4. one symbol only
- 5. two consecutive symbol
- 6. two symbol only
- two consecutive symbol only\*
- \* Stangier's approach

| SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS         |
|-------------------------------------------------|
| • • • • • • • • • • • • • • • • • • •           |
| <b>s</b> ????????????????????????????????????   |
| S                                               |
| ••• <b>ss</b> ????????????????????????????????? |
| SS                                              |
|                                                 |

#### **Definition:**

- s: Symbol
- .: Anything but symbol
- ?: Anything



# Error Types Detected by Formal Scoreboard

| 1. | loss (arbitrary item)                   | $xxccx \rightarrow xxcx$                                                                                            |
|----|-----------------------------------------|---------------------------------------------------------------------------------------------------------------------|
| 2. | loss all (items of particular value C)  | $xxccx \rightarrow xxx$                                                                                             |
| 3. | creation (arbitrary value) xxxxx        | → XXXXEX                                                                                                            |
| 4. | creation (illegal value only)           | $\mathbf{x}\mathbf{x}\mathbf{x}\mathbf{x} \rightarrow \mathbf{x}\mathbf{x}\mathbf{x}\mathbf{x}\mathbf{x}\mathbf{x}$ |
| 5. | duplication (same value only) XXXCX     | → XXCCXX                                                                                                            |
| 6. | manipulation (to arbitrary value) XXXCX | → XXXEX                                                                                                             |
| 7. | manipulation (to illegal value only)    | $XXXCX \rightarrow XXXYX$                                                                                           |
| 8. | reordering (arbitrary items)            | $XBCXX \rightarrow XCBXX$                                                                                           |

- Different sequences can detect different type of errors
- All sequences overlay to full coverage of error types



### Instantiating Formal Scoreboard



```
if scoreboard #(
   // Parameters
   .DBUS WIDTH
                 (ID WIDTH),
                                      // Size of the external datapath
  vector
   .CHECK WIDTH (CHECK WIDTH)
                                      // Size of the internal datapath
  check
) sb awid (
   // Ports
   .rst_n
                (rst),
                                      // active low reset
   .in clk
                (aclks),
                                       // input clock
   .in data (awids),
                                       // input data vector
   .in dvalid (awvalids && awreadys), // input valid indicator
   .out_clk (aclkm),
                                  // output clock
   .out_data (awidm),
                                  // output data vector
   .out_dvalid
                (awvalidm && awreadym) // output valid indicator
;
```



## Datapaths in the Async AXI Bridge

- For our AXI bridge we identified a total of 7 data transport paths
  - 1. Write Address ID
  - 2. Write Data ID
  - 3. Write Response ID
  - 4. Write Data
  - 5. Read Address ID
  - 6. Read Response ID
  - 7. Read Data
- Each receive a formal scoreboard instance
- Fully covering functional pathes across the clock domain crossing



# Technology in New Formal Environment

- Latest Engines in Incisive Enterprise Verifier
  - Addition and improvements of formal engines and running them all in parallel
  - Contributes to faster runtime and overall improved results
- Assertion Driven Simulation
  - ADS runs simulation using PSL/SVA constraints as testbench
  - Allows fast design exploration and provides instant feedback on constraints
- Replay

14

- Using traces obtained by formal engine to guide ADS activating other properties
- Contributed additional failures on previously explored properties
- Constraint Minimization
  - Patented algorithm to identify minimized set of constraint required for proof
     cādence<sup>®</sup>
  - Contributed additional Fail and Pass results on previously explored

# Debugging

| ſ |                   | 4            | BVIP         | TABLES           | j - top.       | axi_mor         | litor.asse      | rt_w_tbl     | _no_ov   | erflow | - SimV | ision    |                | X   |                |        |
|---|-------------------|--------------|--------------|------------------|----------------|-----------------|-----------------|--------------|----------|--------|--------|----------|----------------|-----|----------------|--------|
|   | <u>F</u> ile      | <u>E</u> dit | <u>V</u> iew | E <u>x</u> plore | e For <u>m</u> | at <u>P</u> age | <u>W</u> indows | <u>H</u> elp |          |        |        |          | cāden          | ce  |                |        |
|   | top.              | axi_m        | onitor(A     | X 🔽 📑            | ۲ 🝙 ا          | s 🕺             | ) <b>(</b> ×    | - 1          | Send 1   | Го: 🗽  | æ 🔍    | <b>*</b> |                | »   |                |        |
|   | l<br>d <b>r P</b> | z Tim        | ieA ▼ =      | 15,000           | ,000 🔽         | ns 🔻 🍂          | -               | Searc        | h Times: |        | _      |          | <b>1</b> 0. 0. |     |                |        |
|   | AX                | I 3 T        | ABLE         | ES - to          | p.axi          | monito          | r               | -            |          |        |        |          |                | Δ   |                |        |
|   |                   |              | ABLE         |                  | _              |                 |                 |              |          |        |        |          |                |     |                |        |
| ŕ | ID                |              | Count        | Address          | 3              | CtIDone         | DatStart        | DatDone      | Valid    | Len    | Size   | Burst    | Lock           |     | -              |        |
|   | 'd (              | 217          | 'd 1         | 'h 8FFC          |                | 1               | 1               | 0            | 1        | Len2   | Word   | Wrap     | Normal         |     | ) <del>2</del> |        |
| 0 | 'd i              | 54           | 'd 1         | 'h A04A          | V.             | 1               | 0               | 0            | 1        | Len1   | TwoW   | Incr     | Normal         |     |                |        |
|   | REA               | D TA         | BLE          |                  |                |                 |                 |              |          |        |        |          |                |     |                |        |
|   | ID                |              | Count        | Valid            | Lock           |                 |                 |              |          |        |        |          |                |     |                |        |
|   | 'd I              | 0            | 'd 0         | 0                | 'd 0           |                 |                 |              |          |        |        |          |                |     |                |        |
|   | 'd                | 0            | 'd 0         | 0                | 'd 0           |                 |                 |              |          |        |        |          |                |     | Len8           | Long   |
|   | EXC               | LUSI         | VE TA        | BLE              |                |                 |                 |              |          |        |        |          |                |     |                |        |
|   | ID                |              | Len          | Address          | ;              | Valid           | ExError         | ExRead       | ExWrite  | Size   | Burst  | Prot     | Cache          |     | Хвс69          | C77E   |
|   | 'd I              | 0            | Len1         | 'h 0000          |                | 0               | 0               | 0            | 0        | Byte   | Fixed  | 'b 000   | 'b 0000        |     |                | (Incr) |
|   | 'd I              | 0            | Len1         | 'h 0000          |                | 0               | 0               | 0            | 0        | Byte   | Fixed  | 'b 000   | 'b 0000        |     | 101            | 100    |
|   |                   |              |              |                  |                |                 |                 |              |          |        |        |          |                |     | <u> </u>       | _^     |
|   | $\triangleleft$   |              |              |                  |                |                 |                 |              |          |        |        |          |                | 2   |                |        |
|   | 08                | <b>b</b>     |              |                  |                |                 |                 |              |          |        |        | 0 01     | ojects selec   | ted |                |        |



÷

Wri

### **Regression Suite**





# **Comparing Formal Environments**

|           | Con    | fig 1 | Config2 |       |  |  |  |  |
|-----------|--------|-------|---------|-------|--|--|--|--|
|           | Old    | New   | Old     | New   |  |  |  |  |
| Total     | 115    | 144   | 108     | 141   |  |  |  |  |
| Pass      | 75 108 |       | 74      | 109   |  |  |  |  |
|           | (65%)  | (75%) | (68%)   | (77%) |  |  |  |  |
| Fail      | 8      | 9     | 3       | 9     |  |  |  |  |
|           | (7%)   | (6%)  | (3%)    | (6%)  |  |  |  |  |
| Explored* | 32     | 27    | 31      | 23    |  |  |  |  |
|           | (28%)  | (19%) | (29%)   | (16%) |  |  |  |  |

\* The explored results were obtained with 1 hour tool effort per property



## **Finding Critical Bugs**

- Failure Detected: ID values across locked access do not match!
- Scenario: Normal data without request enters bridge before lock
- Impact: Potentially blocking entire SoC

| Baseline ▼ = 0 End Cursor-Baseline ▼ = 12ms                      |          | Baseline | = 0 |      |     |        |     |      |     |        |     |      | Time A 12m          |      |
|------------------------------------------------------------------|----------|----------|-----|------|-----|--------|-----|------|-----|--------|-----|------|---------------------|------|
| Name 🕶                                                           | Cursor 🕶 | 0        | 1ms | 2ms  | 3ms | 4ms    | 5ms | 6ms  | 7ms | 8ms    | 9ms | 10ms | TimeA = 12m<br>11ms | 12ms |
|                                                                  |          |          |     |      |     |        |     |      |     |        |     |      |                     |      |
|                                                                  |          |          |     |      |     |        |     |      |     |        |     |      |                     |      |
|                                                                  | 4        |          | _   |      |     |        | _   |      |     |        |     |      |                     |      |
|                                                                  | 1        |          |     |      |     |        |     |      |     |        |     |      |                     |      |
| ····· <mark>∻</mark> aresetn<br>⊡···· ▲666_10_psw_top.axi_slave) |          |          |     |      |     |        |     |      |     |        |     |      |                     |      |
|                                                                  |          |          |     |      |     |        |     |      |     |        |     |      |                     |      |
| ARLOCKM[1:0]                                                     | Lock 💼   | Normal   |     |      |     |        |     |      |     |        |     | Lock |                     |      |
|                                                                  | 'h 001   | 000      |     |      |     |        |     |      |     |        |     | 001  |                     |      |
| Tel ARVALIDM                                                     | 0        |          |     |      |     |        |     |      |     |        |     |      |                     | 1    |
| EI AWVALIDM                                                      | 0        |          |     |      |     |        |     |      |     |        |     |      |                     |      |
| ⊕ <b>Ē</b> ⇔ AWIDM[9:0]                                          | 'h 001   | 000      |     |      |     |        |     |      |     |        |     | 001  |                     |      |
| AWLOCKM[1:0]                                                     | Lock 💼   | Normal   |     |      |     |        |     |      |     |        |     | Lock |                     |      |
| ш                                                                | 'h 000   | 000      |     |      |     |        |     |      |     |        |     |      |                     |      |
| - EI WVALIDM                                                     | 0        |          |     |      |     |        |     |      |     |        |     |      |                     | י    |
| ⊕→= ARLOCKS[1:0]                                                 | Normal 📻 | Lock     |     |      |     | Normal |     |      |     |        |     |      |                     |      |
|                                                                  | 0        |          |     |      |     |        |     |      |     |        |     |      |                     |      |
| 😐 🎝 🖬 ARIDS[9:0]                                                 | 'h 000   | 000      |     | 001  |     | 000    |     |      |     |        |     |      |                     |      |
| 🕀 🎝 AWLOCKS[1:0]                                                 | Normal 📷 | Normal   |     | Lock |     | Normal |     | Lock |     | Normal |     |      |                     |      |
|                                                                  | 0        |          |     |      |     |        |     |      |     |        |     |      |                     |      |
| ⊕ <b>→</b> , AWIDS[9:0]                                          | 'h 000   | 000      |     | 001  |     | 002    |     |      |     | 000    |     |      |                     |      |
| ⊕ <b>→</b> , WIDS[9:0]                                           | 'h 001   | 000      |     |      |     | 003    |     | 000  |     | 001    |     | 000  |                     | 001  |
|                                                                  | 1        |          |     |      |     |        |     |      |     |        |     |      |                     |      |



## Summary

- Pro:
  - Positive experience with with formal verification, scoreboarding and ABVIP
  - Overall quality of results improved tremendously
  - Found corner case bug missed by simulation
- Con:
  - Some bounded proofs remained (although depth increased)
  - Not a push button flow (but that was not expected either)
- Conclusion
  - We count on mixed formal and simulation (ADS) in future projects of that type
  - Completeness of setup (protocol + functional) gives confidence to sign of IP without spending further ressources on verification







