140 likes | 234 Views
Using formal techniques to Debug the AMBA System-on-Chip Bus Protocol Abhik Roychoudhury , Tulika Mitra , S.R. Karri Proceedings of the Design,Automation and Test in Europe Conference and Exhibition (DATE’03). PRESENTER: PCLee 2011.12.14. abstract.
E N D
Using formal techniques to Debug the AMBA System-on-Chip Bus ProtocolAbhikRoychoudhury, TulikaMitra, S.R. KarriProceedings of the Design,Automation and Test in Europe Conference and Exhibition (DATE’03) PRESENTER: PCLee2011.12.14
abstract • System-on-chip (SoC) designs use bus protocols for high performance data transfer among the Intellectual Property (IP) cores. These protocols incorporate advanced features such as pipelining, burst and split transfers. In this paper, we describe a case study in formally verifying a widely used SoCbus protocol: the Advanced Micro-controller Bus Architecture (AMBA) protocol from ARM. • In particular, we develop a formal specification of the AMBA protocol. We then employ model checking, a state space exploration based formal verification technique, to verify crucial design invariants. The presence of pipelining and split transfer in the AMBA protocol gives rise to interesting corner cases, which are hard to detect via informal reasoning. Using the SMV model checker, we have detected a potential bus starvation scenario in the AMBA protocol. Such scenarios demonstrate the inherent intricacies in designing pipelined bus protocols.
Related work [1,4,8] formal specification and verification of PCI [11, 12] moniror-based verification This paper
What’s the problem • What’s the problem • Interaction specified informally before • Correctness of protocol is hard to describe • Some bugs cannot be found. (deadlock, starvation…pipeline problem)
Formal verification: model checking-1 design model Formal specification (property of design must to satisfy by CTL…) AHB BUS IP1 IP2 … MODEL CHECKING (check if model satisfies specification) automatic Analyze result manual False negative of system specification Error design
Formal verification: model checking-2 • Advantage: • State space explosion • Verify concurrent finite state system automatically. • Disadvantage: • Restriction on finite state system(controller, communication protocol..)
AHB BUS PROTOCOL • Pipeline and waiting cycle • Split and retry response
Case environment preparation • Design model • Multiple masters • Multiple slaves • Arbiter • Decoder • Default master • Default slave • Using Computation Tree Logic(CTL) to specify property • AG(HBUSREQm⇒ AF HGRANTm) means HGRANT will eventually high if HBUSREQ has been raise. • Experiment environment: • 2 masters and 1 slave • Linux version of Cadence SMV in a Pentium IV 1.3 GHz
Non-Starvation checking • AG(HBUSREQm⇒ AF HGRANTm)is a crucial design invariant of non-starvation. • Starvation situation: • Slave never informs the arbiter that it is now able to service master. • Even after slave has informed its ability to service master, the arbiter ignores the bus request from master forever. • Reason: • Implementation error! • Unfair arbitration policy!
Prove property • Using fair and slave_live to prove • AG(HBUSREQm∧ ¬maskm ⇒ AF HGRANTm) • If slave split the transaction, arbiter must mask the request of master. • If the arbiter doesn’t mask master and the master has bus request, HGRANT of this master must be high eventaully. • AG(splitm ⇒ AF HSPLITm) • The slave must recover from split state if it had split transaction before.
Counter example of starvation scenario Arbiter mask m2. But it is split for m1
Conclusion • Formal verification can find many corner case and more automatic. • Starvation scenario would be hard to detect without automated formal verification.
My conclusion • Model checking may makes debug more quickly. • Formal verification has other method today. It verify system by using algorithm.
MorPACK progress • Goal: • Run standalone verification on RVDS • Problem: • RVDS cant load image file of CIC’s test program • CIC said that wrong version of ads. • I write a simple program. RVDS can load it. • Next: continue to discuss with CIC.