Formally Verifying OCP-based Design IP Jasper Design Automation, Inc.
Agenda • OCP Overview • Verification Challenges • A Better OCP IP Verification Kit • OCP Verification Using Formal • Summary
OCP Overview • OCP is a flexible, point-to-point on-chip bus protocol standard • Defines communication protocol, but not the medium on which the data travels • Completely synchronous operation • Widely used in many SoC designs today • Highly configurable • Can use as much of the protocol as needed for an application • Increases protocol flexibility to meet end-user’s needs
OCP Defines Simple Point-to-Point Structure • [Diagram: Cores (Master, Slave, Slave), OCP Layer, Bus Integrators, On-Chip Bus]
OCP is Highly Configurable • Simplest possible configuration contains just two signals • MCmd, MData • Complete specification contains more than 50 signals • Example configuration parameters: • Supported commands: Write, Read, etc. • Supported bursts: Incr, Wrap, etc. • Address bus width • Active signals: SCmdAccept, MDataValid • Burst threading • OCP standard defines format for configuration file • Configuration file specifies which portions of the protocol are used in the design
Formal Verification of Standard Protocols • Formal is very effective at verifying protocol compliance • Ensures design meets specification under all possible events • Can be used exclusively or alongside simulation depending upon protocol complexity • Formal detects bugs rapidly and ensures absence of bugs for tested properties • Exhaustive verification finds corner case bugs and proves correct design behavior • Predefined property sets exist for many protocols • PCI, USB, AMBA AHB, AMBA AXI, etc. • OCP verification follows similar guidelines
OCP Specification Defines Standard Properties • Interface must fulfill properties in order to be OCP compliant • Example: MAddr must hold for the request phase • Specification also defines activation conditions for each property • Example: request_hold_MAddr – (cmdaccept & addr) • Many specified properties implicitly assume simulation is used • Comparison to “X” and “Z” is simulation-specific • Properties must be modified for most formal verification tools
OCP Creates Challenges for Verification • Flexible configuration makes a single unified OCP verification IP definition challenging • Single definition must cover complete spec and all subsets • Generic properties defined to handle configurability • Fills property file with additional modeling content • Resulting property set creates debugging difficulties • What specific properties are relevant to design-under-test? • Requires knowledge of advanced OCP details not necessarily used in design-under-test • Examples: Threads, XOR wraps, Sideband
OCP Verification - Difficulties for End Users • Existing verification IP setup can be cumbersome • Designs normally only use a small subset of OCP • Engineers need in-depth understanding of complete OCP specification to interpret verification results • Limited availability of formal-friendly property sets
A Better OCP IP Verification Solution Would… • Limit the included property set to only those properties required for the design-under-test • Minimize requirements on engineers to learn additional OCP specification to debug errors • Provide output in multiple property languages to fit the design-under-test • Be able to fully leverage the power of formal analysis across the entire property set to maximize verification confidence
Jasper’s OCP IP Generator Solution • [Diagram: OCP Config File, Jasper OCP IP Generator, OCP Tuned Property Set (PSL / SVA), RTL Files, JasperGold Formal Verification, Exhaustively Proven OCP Implementation]
Jasper OCP IP Generator Simplifies Verification • Generates a custom OCP verification IP file based on design configuration file • Properties based on OCP specification, but are formal-friendly • Increases usability • Minimizes extra logic in property files • Requires no additional knowledge of OCP beyond what is implemented in the design • Requires only a minimum of JasperGold and PSL / SVA knowledge • Properties can be automatically defined as asserts or assumes based upon interface direction • Optimized for formal analysis • Enables highest confidence available that design conforms to OCP specification
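The request_hold_MAddr property from the specification slide, written as a formal-friendly SVA checker that is only instantiated when its activation condition (cmdaccept & addr) holds and that becomes an assert or an assume depending on interface direction. This is an added example, not output of the Jasper generator; the module name and the parameters `ADDR_WDTH` and `DUT_IS_MASTER` are hypothetical, and the signal names and the MCmd idle encoding follow the usual OCP conventions as an assumption.

```systemverilog
// Added example, not generated by the Jasper OCP IP Generator.
module ocp_request_hold_maddr #(
  parameter bit cmdaccept     = 1,   // config: SCmdAccept is part of the interface
  parameter bit addr          = 1,   // config: MAddr is part of the interface
  parameter int ADDR_WDTH     = 32,  // hypothetical name for the address width
  parameter bit DUT_IS_MASTER = 1    // hypothetical: 1 = DUT drives the request group
) (
  input logic                 Clk,
  input logic                 MReset_n,
  input logic [2:0]           MCmd,
  input logic [ADDR_WDTH-1:0] MAddr,
  input logic                 SCmdAccept
);
  localparam logic [2:0] OCP_IDLE = 3'b000;  // assumed idle encoding of MCmd

  // A request that is presented but not yet accepted keeps its request
  // phase open into the next cycle, so MAddr must not change.
  // No comparison against X or Z: $stable works in formal tools.
  property p_request_hold_MAddr;
    @(posedge Clk) disable iff (!MReset_n)
      (MCmd != OCP_IDLE && !SCmdAccept) |=> $stable(MAddr);
  endproperty

  generate
    // Activation condition from the spec slide: (cmdaccept & addr).
    if (cmdaccept && addr) begin : g_request_hold_MAddr
      if (DUT_IS_MASTER) begin : g_assert
        // DUT drives MAddr: prove the property on the design.
        a_request_hold_MAddr: assert property (p_request_hold_MAddr);
      end else begin : g_assume
        // DUT is the slave: constrain the environment instead.
        m_request_hold_MAddr: assume property (p_request_hold_MAddr);
      end
      // Reachability check: a stalled request must still be reachable,
      // otherwise the proof above is vacuous (over-constrained inputs).
      c_request_stalled: cover property (
        @(posedge Clk) disable iff (!MReset_n)
          (MCmd != OCP_IDLE && !SCmdAccept));
    end
  endgenerate
endmodule
```

With `cmdaccept` or `addr` set to 0 the generate block is empty, so a design using the smaller protocol subset never sees this property in its results.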
Formal Provides High Confidence for OCP Verification • Formal verification provides the maximum confidence that the protocol is implemented properly • Target exhaustive proofs for critical design behavior • Verification of OCP should check all aspects of the protocol including: • Configuration validity • Signal stability checks relative to protocol phases • Signal value checks relative to protocol configuration • Burst control handling • Burst address generation correctness • Sideband checks • Formally verifying any protocol should start with a solid verification plan
Formal Protocol Verification Starts With Planning • The verification testplan defines: • What functionality will be verified: Features, Behaviors • How each will be verified: Verification strategy, Technology choice, Test priority, Resource allocation • When the verification process is complete: Coverage goals, Completion metrics • Planning enables predictability in your verification schedule!
A Good Plan Enables the Verification Team to… • Select the highest priority elements to verify first • Most important, risky • Select the best methodology for each element • Simulation, Formal Verification • Better evaluate the status of the effort as it proceeds • “Are we there yet?” • Ensure that no issues go unaddressed • “What did we miss?”
Elements of a Good Verification Plan • Design feature hierarchical breakdown • Functional dependency analysis • Feature prioritization • Well-defined verification methodologies • Reliable tracking metrics • Issue tracking and resolution
Hierarchical Verification Plan Structure • Plan focuses on both what to test and how to test it • [Diagram: hierarchy with nodes Plan, Feature, Property, Assumption, Coverage Req, Testcase]
Property Matrix – Better Success Metrics for Formal • A systematic approach to defining and covering the specification • Properties are prioritized and assigned to either formal or simulation • Enables tracking verification progress throughout development cycle
Strategy • Define the verification plan and proof strategy • Example: Apply constraints to prove requirements • Add constraints to restrict the explored behavior to only read-mode transactions, or only write-mode transactions • Focuses verification on specific modes of operation • Simplifies the verification process • Once independent modes function correctly, remove the restrictions and then verify the IP under all modes of operation
Coverage • Define a set of required verification coverage goals • Ensure constraints on specific states in your requirements model have not over-constrained the states • Coverage metric varies depending on verification technology • Formal verification: • Measure reachability of specific states in requirement model • Simulation: • Apply functional coverage to states or state sequences in requirements model
Metrics Track Verification Progress and Enable Schedule Predictability • Have all critical features been tested sufficiently? • Captured as Importance / Value field in property matrix • Formal proof increases confidence for complex logic • Have all dependencies for each feature been verified according to the plan? • Dependencies identified through plan analysis • Uncovered dependency means feature insufficiently tested • How much verification work remains? • Untested properties apparent from tracking results • Completed tasks, feature importance provide estimates of remaining work
Summary • OCP is a very powerful, flexible socket protocol in wide use today • Formal verification provides the highest confidence that a protocol implementation meets the specification • Custom IP generators such as Jasper’s tune the properties to the specific design, avoiding the debugging problems of generic verification kits • A methodical approach to OCP verification that uses formal alongside simulation provides the highest verification coverage and assurance of protocol compliance