

# The Importance of Complete Signoff Methodology for Formal Verification

Iain Singleton, Mahesh Parmer, Geogy Jacob







#### Agenda

- Introduction to formal signoff
- Case Study BPU
  - Block overview
  - Signoff methods
  - Results
- Conclusions











Formal is exhaustive but only with respect to what you write!

• Assertions are verified with respect to constraints

Overconstraints prevent legal inputs from reaching the design & cause missed bugs







Formal is exhaustive but only with respect to what you write!

• The behavior in the design which is tested is limited to the assertions that are written







The ultimate goal of formal signoff is to ensure that "what you write" does in fact cover all the scenarios you expected







#### Case Study – Branch Prediction Unit



The BPU sits within the Instruction Fetch Unit of a high performance low power microprocessor design

The goal of the BPU is to reduce the branch penalty in highly pipelined designs to improve computational performance





#### Case Study – Branch Prediction Unit





# Formal Verification Approach

- BPU chosen target for formal despite extensive simulation testing
  - High level of control complexity and potential for hidden bugs made this a good target
- Initial FV approach did not have a well defined closure criteria
  - Properties developed
  - Designer reviewed properties
  - Human analysis of bounded depths

Human review techniques are valuable but not as extensive as fully defined methodologies





#### Initial FV Work Results

| Metric                | Result       |
|-----------------------|--------------|
| Assertions            | 141          |
| Covers                | 19           |
| Constraints           | 40           |
| Assertion Depth Bound | Capped at 15 |
| %Bounded Proofs       | 80%          |
| Other Metrics         | N/A          |

Large number of bounded proofs Restricting bound could cause missed bugs







## Our Signoff Approach

#### Step 1: Bounded Depth Analysis



- 1. Generate cover points within COI of property
- 2. Analyze cover points using shortest path formal engines
- 3. Maximum depth reached gives a rough idea of the sequential depth of the property any number less than this shows lack of required exploration

Performing this analysis showed us that a number of cover points were reached at depths beyond 15





#### Steps 2 - 5



Our Signoff Approach





Beyond the bounded analysis there is a four step approach to formal signoff



Reachability analysis of cover property targets in the presence of constraints

Identifies any constraints which are preventing legal behaviour





Beyond the bounded analysis there is a four step approach to formal signoff







Beyond the bounded analysis there is a four step approach to formal signoff



Formal analysis of logic required to prove or reach a bounded proof for the properties

Finds holes in verification more accurately than a simple COI analysis





## Formal Core Example

- Formal Core is Stronger than COI
  - Formal Core indicates which signals are involved in the proof of an assertion
  - If something within the COI is not required to prove the property it has not been tested





• For P1 we can see that only full is inside the formal core





## Formal Core Coverage

- Adding P2 means we now have the formal core from two properties
  - push, pop and cnt are involved in the proof of P2 and reported in the Formal Cor



- Formal Core shows that we are testing something about a register BUT
  - What happens to cnt when we have a push or pop?







Beyond the bounded analysis there is a four step approach to formal signoff



Analyze the results of properties in the presence of artificially inserted faults

If at least one property fails in presence of a fault then assertion is good, if none fail then indication of verification holes





#### FTA Example

- FTA is stronger than Formal Core
  - FTA checks whether assertions can catch injected faults
  - Formal Core checks that *something* about a register is checked
  - FTA checks whether *other features* of that logic are checked

- In our example we're only checking the value of the counter when push and pop are low
  - We are testing the counter
  - But only one part of it
  - Lets look at what FTA will do...





#### FTA Example

P1: assert property ( cnt==4'hf |-> full );
P2: assert property ( ~push&~pop |=> \$stable(cnt) );

```
always @(posedge clk or negedge rst x)
  if (!rst x) begin
                                                                            We didn't check for increment and decrement
    cnt <= '0;
                                                                            so P1 and P2 pass with these faults!
  end
  else begin
                                                                            FTA reports "non-detected faults" as verification
    if (0/*push && !pop && cnt!=4'hf*/) // ConditionFalse
                                                                            holes
       cnt <= cnt + 1'b0/*1'b1*/; // BitFlip</pre>
    else if (!push && pop && cnt!=4'h0)
       cnt <= cnt +/*-*/ 1'b1; // Operator</pre>
    else
       cnt <= cnt;
  end
                                                                  Faults in Report
                                                                                     Detected Non-Detected Disabled By User
                                        Class Name
                                                        Faults in Design
                                                                            Non-Activated
                                                                                                               Not Yet Qualified
                                          TopOutputsConnectivity
                                                             0
                                                                       0
assign full = (cnt==4'hf);
                                          ResetConditionTrue
                                                             0
                                                                       0
```



8

0

0

0

15

5

0

8

0

0

0

15

5

0

SynchronousControlFlow

SynchronousDeadAssign

ComboLogicControlFlow

InternalConnectivity

SynchronousLogi ComboLogic

OtherFaults







## Action on Results: Missing Assertions

Analysis had shown that approx. 30% of the design was untested with formal

- Review untested areas with designer
- Add missing checks







## Action on Results: Depth limitation

Analysis had shown the depth of 15 was not sufficient

- Remove depth limitation
- Use abstraction and engine techniques to improve bound







## Conclusions

- Formal verification is a very powerful tool
  - On a well simulated design a number of bugs found in initial work
- Quality of formal is only as good as the properties you write
  - Without thorough analysis potential for missed bugs is there
  - 4 RTL bugs were found and fixed in a well simulated + formal design by using signoff techniques
- Signoff techniques are essential to obtain higher confidence in formal environments
  - All signoff work in this paper performed using Synopsys VC Formal





#### Questions?

