Assertion-Based Verification: Verification of Logical and Temporal Properties
Laurence PIERRE (TIMA)
Introduction
• Formal / semi-formal verification
• Does the system comply with its requirements / expected behaviour?
[Figure: requirements / specification checked against the system: "Specification satisfied?"]
Workshop - November 2011
Introduction
• A formal expression of the specification or requirements is needed
• Assertion-Based Verification (ABV): the intended behaviour is formalized as assertions
  • Temporal logics: CTL (Computation Tree Logic), LTL (Linear Temporal Logic), ...
  • Standardized specification languages: SVA (IEEE Std 1800), PSL (IEEE Std 1850)
• Does the design obey these logic and temporal assertions?
Introduction
• Static analysis (formal verification)
[Figure: requirements / specification and a formal model of the design are fed to a formal proof tool, which answers "Specification satisfied?"]
Introduction
• Static analysis at the RT level: model checkers for PSL (IEEE standard 1850) and/or SVA (IEEE standard 1800)
  • Incisive formal verifier (Cadence): http://www.cadence.com/products/ld/formal_verifier
  • RuleBase (IBM): http://www.research.ibm.com/haifa/projects/verification/RB_Homepage/
  • Solidify (Averant): http://www.averant.com/products-solidify.html
  • ...
Introduction
• Semi-formal (dynamic) verification
[Figure: requirements / specification and input stimuli are fed to a simulator, which produces simulation results plus a verdict on requirements satisfaction]
Introduction
• Dynamic verification at the RT level: support for PSL and/or SVA assertions in simulators
  • ModelSim (Mentor Graphics): http://www.model.com
  • VCS (Synopsys): http://www.synopsys.com/Tools/Verification/FunctionalVerification/Pages/VCS.aspx
  • Incisive (Cadence): http://www.cadence.com/products/sd/enterprise_simulator/pages/default.aspx
Introduction
• Alternative solution for dynamic ABV: construction of assertion checkers
[Figure: a sending node and a receiving node exchanging DATA_OUT / DATA_IN, with the control signals START, DATA, TRANSLATION, READY, VALID_DATA, ERROR, END, RST, EN and STOP; an assertion checker observes these signals]
PSL assertion: always(END -> next (START before ERROR))
Introduction
• Checkers (monitors) = hardware components generated from temporal assertions
  • FoCs (IBM), RTL: https://www.research.ibm.com/haifa/projects/verification/focs/
  • MBAC (McGill University, Montreal), RTL: M. Boulé and Z. Zilic, Generating Hardware Assertion Checkers: For Hardware Verification, Emulation, Post-Fabrication Debugging and On-Line Monitoring. Springer, 2008
  • HORUS and ISIS (TIMA), RTL and TLM: http://tima.imag.fr/vds/Horus/ and http://tima.imag.fr/vds/Isis/
ABV at different levels
[Figure: abstraction levels from SoCs down to IPs, from http://www.synopsysoc.org/viewfromtop/page/3/]
ABV at the RT level
[Figure: the IP level highlighted on the abstraction-level diagram]
ABV at the RT level
• A few words about PSL (Property Specification Language), IEEE standard 1850
• Enables the use of temporal relations:
  • always p : the property p holds at all times
  • p until! q : p holds until q holds
  • eventually! p : p holds at the current cycle or at some future cycle
  • p before! q : p holds before q holds
  • next_event!(b)(p) : p holds the next time the boolean expression b is true
  • ...
ABV at the RT level
• A few words about PSL (Property Specification Language), cont'd
• ... Also enables the use of regular expressions to portray sequences of events:
  • {e1;e2} : the concatenation of two regular expressions e1 and e2
  • {e[*]} and {e[+]} : repeated consecutive concatenations of expression e
  • {e1 | e2} : one of the alternative expressions holds at the current cycle
  • ...
ABV at the RT level
• Two simple examples
  • Error should not occur between End and Start:
    always(End -> next (Start before Error))
  • Two successive Errors are forbidden, written either as
    always (Error -> next (not Error))
    or as
    never {Error[*2]}
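To make the checker idea concrete, here is an added example that is neither from the slides nor from the Horus tool: a software monitor, written in C++, that evaluates the two properties above cycle by cycle over a constructed clocked trace of the End, Start and Error signals. It applies the PSL semantics recalled earlier: "next" makes the obligation start at the cycle after End, and "before" is weak, so an obligation still open when the trace ends is not a failure. The signal names are the slides'; the trace values are constructed.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Sampled values of the three signals at one clock edge (constructed example data).
struct Cycle { bool End; bool Start; bool Error; };

// A reported violation: the property text and the cycle index at which it failed.
struct Violation { std::string property; std::size_t cycle; };

// Monitor for   always(End -> next (Start before Error))
// PSL "p before q" is weak: q must not hold until a cycle where p holds and q does
// not, and the obligation is simply dropped if the trace ends first. "next" makes
// the obligation start at the cycle following the End.
class EndStartBeforeError {
  bool armed_ = false;    // End seen in this cycle: obligation becomes active next cycle
  bool pending_ = false;  // an obligation is active in this cycle
public:
  // Returns true if the property is violated at this cycle.
  bool step(const Cycle& c) {
    bool fail = false;
    if (armed_) { pending_ = true; armed_ = false; }
    if (pending_) {
      if (c.Start && !c.Error) pending_ = false;            // Start came first: discharged
      else if (c.Error) { pending_ = false; fail = true; }  // Error came first: violation
    }
    // Several Ends open identical obligations, so one flag is enough.
    if (c.End) armed_ = true;
    return fail;
  }
};

// Monitor for   never {Error[*2]}   (equivalently always (Error -> next (not Error)))
class NoDoubleError {
  bool prev_error_ = false;
public:
  bool step(const Cycle& c) {
    bool fail = prev_error_ && c.Error;   // Error in two consecutive cycles
    prev_error_ = c.Error;
    return fail;
  }
};

// Run both monitors over a clocked trace and collect the violations in cycle order.
std::vector<Violation> check_trace(const std::vector<Cycle>& trace) {
  std::vector<Violation> out;
  EndStartBeforeError m1;
  NoDoubleError m2;
  for (std::size_t t = 0; t < trace.size(); ++t) {
    if (m1.step(trace[t])) out.push_back({"always(End -> next (Start before Error))", t});
    if (m2.step(trace[t])) out.push_back({"never {Error[*2]}", t});
  }
  return out;
}

// Constructed trace (not from the slides). End at cycle 2 is followed by Start at
// cycle 4 (fine); End at cycle 6 is followed by Error at cycle 7 before any Start
// (first violation); Error repeats at cycle 8 (second violation).
std::vector<Cycle> example_trace() {
  return {
    {false, false, false}, {false, false, false}, {true,  false, false},
    {false, false, false}, {false, true,  false}, {false, false, false},
    {true,  false, false}, {false, false, true},  {false, false, true},
    {false, true,  false},
  };
}

int main() {
  for (const Violation& v : check_trace(example_trace()))
    std::printf("cycle %zu: violation of %s\n", v.cycle, v.property.c_str());
  return 0;
}
```

Each monitor holds only a bit or two of state, which is why such properties translate naturally into small hardware checkers: the same step logic, clocked by the design's clock, is what a generated RTL monitor implements.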
ABV at the RT level
• Characteristics of the properties of interest at the RT level (or gate level)
  • Fine-grained properties on the signals of the design
  • Expressed and evaluated in a clocked context
• Example:
  default clock is (clk'event and clk = '1');
  assert always(request1 -> next_e[1..8](grant1));
Assertion checkers
• Horus technology: compositional construction, using primitive components
  • Example: always (Req -> (Busy until! Ack));
  [Figure: checker for this property assembled from primitive components, labelled "Formally proven"]
• Integration in Dolphin Integration tools (simulator and schematic editor)
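The two properties on the preceding slides differ from the earlier ones in one respect that a checker must handle: they leave an obligation open over several cycles, and only the strong form reports an obligation the simulation never closes. As an added example, not the slides' own and not Horus code, here are C++ monitors for always (Req -> (Busy until! Ack)) and for always (request1 -> next_e[1..8](grant1)), run over constructed traces. The until! monitor flags an unacknowledged request at the end of the trace, while the weak next_e monitor does not; the next_e monitor also keeps one deadline per request so that overlapping requests are each checked against their own window.

```cpp
#include <cstddef>
#include <cstdio>
#include <deque>
#include <vector>

// Sampled signals for the handshake property (constructed example data).
struct HandshakeCycle { bool Req; bool Busy; bool Ack; };
// Sampled signals for the arbitration property.
struct ArbCycle { bool request1; bool grant1; };

// Monitor for   always (Req -> (Busy until! Ack))
// PSL "p until q": p holds at every cycle from now up to, but not including, the
// first cycle where q holds. The "!" makes it strong: q must eventually hold.
class ReqBusyUntilAck {
  bool pending_ = false;
public:
  // Returns true if the property is violated at this cycle.
  bool step(const HandshakeCycle& c) {
    if (c.Req) pending_ = true;                        // every Req (re)opens the obligation
    if (!pending_) return false;
    if (c.Ack) { pending_ = false; return false; }     // q holds: obligation discharged
    if (!c.Busy) { pending_ = false; return true; }    // p dropped before q: violation
    return false;
  }
  // Strong operator: an obligation still open when simulation ends is a failure.
  bool unresolved() const { return pending_; }
};

// Monitor for   always (request1 -> next_e[1..8](grant1))
// grant1 must hold at least once in the 8 cycles following a request1. Requests
// can overlap, so every open window keeps its own deadline, oldest first.
class RequestGrantWindow {
  std::deque<std::size_t> deadlines_;
public:
  bool step(std::size_t t, const ArbCycle& c) {
    bool fail = false;
    if (c.grant1) {
      deadlines_.clear();          // a grant at t falls inside every window open at t
    } else {
      while (!deadlines_.empty() && deadlines_.front() <= t) {
        deadlines_.pop_front();    // deadline reached without a grant
        fail = true;
      }
    }
    if (c.request1) deadlines_.push_back(t + 8);   // window is [t+1, t+8]
    return fail;
  }
};

struct HandshakeResult { std::vector<std::size_t> violations; bool unresolved_at_end; };

HandshakeResult check_handshake(const std::vector<HandshakeCycle>& trace) {
  HandshakeResult r{{}, false};
  ReqBusyUntilAck m;
  for (std::size_t t = 0; t < trace.size(); ++t)
    if (m.step(trace[t])) r.violations.push_back(t);
  r.unresolved_at_end = m.unresolved();
  return r;
}

// next_e without "!" is weak: a window cut off by the end of the trace is not reported.
std::vector<std::size_t> check_arbiter(const std::vector<ArbCycle>& trace) {
  std::vector<std::size_t> missed;
  RequestGrantWindow m;
  for (std::size_t t = 0; t < trace.size(); ++t)
    if (m.step(t, trace[t])) missed.push_back(t);
  return missed;
}

// Constructed traces (not from the slides).
std::vector<HandshakeCycle> handshake_trace() {
  return { {true, true, false}, {false, true, false}, {false, false, true},  // Req, Busy held, Ack: OK
           {true, true, false}, {false, false, false},                       // Busy dropped, no Ack: violation at 4
           {true, true, false}, {false, true, false} };                      // never acknowledged: unresolved at end
}

std::vector<ArbCycle> arbiter_trace() {
  std::vector<ArbCycle> t(18, ArbCycle{false, false});
  t[0].request1 = true;    // deadline 8, no grant by then: violation at 8
  t[5].request1 = true;    // deadline 13, granted at 10: OK
  t[10].grant1 = true;
  t[12].request1 = true;   // granted at 13: OK
  t[13].grant1 = true;
  t[15].request1 = true;   // window still open when the trace ends: not reported
  return t;
}

int main() {
  HandshakeResult h = check_handshake(handshake_trace());
  for (std::size_t t : h.violations) std::printf("Busy until! Ack violated at cycle %zu\n", t);
  if (h.unresolved_at_end) std::printf("Busy until! Ack: Ack never came before the end of simulation\n");
  for (std::size_t t : check_arbiter(arbiter_trace())) std::printf("next_e[1..8](grant1) missed at cycle %zu\n", t);
  return 0;
}
```

The deque of deadlines is the software equivalent of the shift register a hardware checker uses for a bounded window; its depth is bounded by the window length, which is what keeps such monitors small enough to embed.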
Application example
• Transmission from dual ADCs to serial output
[Figure: block diagram of the design]
Application example
• Transmission from dual ADCs to serial output
  • Controls 2 external dual ADCs and transmits the 4 resulting 12-bit words through a serial output
  • The four 12-bit data words are received using SPI interfaces
  • 2 clocks:
    • Clk10meg
    • Clk: derived from Clk10meg by division with a clock gating system (bit rate of the serial output)
  • Transfer protocol: must provide enough time between two acquisitions in order to complete the serial transmission
Application example
• Two sets of assertions:
  • Check the SPI protocol requested by the external dual ADCs
  • Check the internal protocol used to synchronize the data
  default clock is (Clk10meg'event and Clk10meg='1');
  always ({!REQ;REQ} |-> {{ {(!EN_TX)[+];(EN_TX && ACK)[*1:4]} ; {(!EN_TX)[+];(EN_TX)[*1:4]}[*5] ; !EN_TX } && {!SHIFT[+]}});
Application example
• Simulation reports violations of this internal property
[Figure: simulation waveform with the reported violations]
Application example
• Property breakpoints stop the simulation when violations occur
[Figure: simulator stopped on a property breakpoint]
Towards embedded monitors
• Example of impact on the area: assertions for a wishbone crossbar controller (8 masters, 16 slaves)
  Altera Cyclone II FPGA, max. frequency 420 MHz
[Table: area results (figures not preserved in this transcript)]
Y. Oddos, "Vérification semi-formelle et synthèse automatique de circuits à partir de spécifications temporelles écrites en PSL", Thèse de Doctorat, Univ. Grenoble 1, Nov. 2009
ABV at the system level (TLM)
[Figure: the SoC level highlighted on the abstraction-level diagram]
ABV at the system level (TLM)
• Characteristics of the properties of interest at the SystemC TLM level
  • More abstract properties, on interactions and transactions (communication actions)
  • TLM LT (Loosely Timed) or AT (Approximately Timed): no clock
  • Example property (DMA): the intended (source or destination) address is used when a memory transfer occurs
ABV at the system level (TLM)
• Verification of SystemC TLM platforms: no existing solution yet
• Previous work: SystemC at the RT level, or methods not applicable to real-size designs, or no automation
  • Academic results
    • Univ. Erlangen (Germany)
    • Univ. Monastir (Tunisia), PhD thesis in cooperation with ST
  • Industrial solutions
    • Infineon Technologies, Munich (Germany)
    • Cadence Incisive platform: only SystemC signals can be involved in assertions
ISIS: ABV with assertion checkers
[Figure: ISIS flow. Inputs: system requirements, PSL assertions, XML configuration files and the SystemC platform (an sc_main instantiating generic_noc, memory, eu_pool, eu and os_config modules). ISIS produces the monitors plus an observation mechanism and an instrumented SystemC platform, which is then simulated.]
ISIS: ABV with assertion checkers
Ex: the intended address is used when a memory transfer occurs
[Figure: the PSL assertion next to the design under verification, with a question mark: how are they connected?]
ISIS: ABV with assertion checkers
[Figure: the PSL assertion is automatically translated into a SystemC assertion checker, the design under verification is instrumented, and the instrumented design is simulated]
DMA example
• Property 1: any time the control register is programmed, an IRQ occurs before the next write into the control register
[Figure: observation points on the DMA platform]
DMA example
• Property 1: any time the control register is programmed, an IRQ occurs before the next write into the control register
  always ( (cpu_initiatorport.write_CALL () && cpu_initiatorport.write.p1 == CONTROL && cpu_initiatorport.write.p2 == START) => next(irq before (cpu_initiatorport.write_CALL () && cpu_initiatorport.write.p1 == CONTROL)) );
DMA example
• Property 2: any time a source address is transferred to the DMA, a read access eventually occurs and the right address is used
[Figure: observation points on the DMA platform]
DMA example
• Property 2: any time a source address is transferred to the DMA, a read access eventually occurs and the right address is used
  PSL "Modeling layer":
  int src_add;
  if (cpu_initiatorport.write_CALL() && cpu_initiatorport.write_CALL.p1 == dma_src_reg) src_add = cpu_initiatorport.write_CALL.p2;
  assert always((cpu_initiatorport.write_CALL() && cpu_initiatorport.write_CALL.p1 == dma_src_reg) => next_event!(mem1.read_CALL()) (mem1.read_CALL.p1 == src_add));
DMA example
• Various verbosity levels for the monitors
[Figure: monitor output at different verbosity levels]
MJPEG decoding platform
• Property: the data that are written on the RAMDAC are exactly the ones that have been transmitted by the EU
[Figure: observation points on the MJPEG platform]
P. Gerin, X. Guérin, and F. Pétrot, "Efficient implementation of native software simulation for MPSoC", Proc. DATE'2008
MJPEG decoding platform
• Property: the data that are written on the RAMDAC are exactly the ones that have been transmitted by the EU
  PSL "Modeling layer":
  unsigned int req_data;
  if (eu.write_CALL()) req_data = eu.write_CALL.p2;
  assert always(eu.write_CALL() => next_event!(rdac.write_CALL()) (rdac.write_CALL.p2 == req_data));
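DMA property 2 and this MJPEG property have the same shape: a transaction triggers the property, a modeling-layer variable latches a parameter of that transaction, and the check is evaluated at the next occurrence of another transaction. As an added example, not from the slides and not ISIS code, the C++ below implements that shape once as a generic monitor over a stream of transaction records, then instantiates it for both properties and runs it over constructed transaction streams. The transaction record format, the module names as strings and the register offset dma_src_reg = 0x10 are assumptions for the example; ISIS instruments the real SystemC method calls instead.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <string>
#include <utility>
#include <vector>

// One transaction observed on the platform: the target module, the method called
// on it and its two parameters (constructed record format).
struct Transaction { std::string target; std::string method; std::uint32_t p1; std::uint32_t p2; };

// Generic monitor for   always (trigger => next_event!(event)(check))
// with a modeling-layer variable latched by `capture` each time the trigger fires,
// mirroring the slides' "int src_add" / "unsigned int req_data" assignments.
class NextEventMonitor {
public:
  using Pred    = std::function<bool(const Transaction&)>;
  using Capture = std::function<std::uint32_t(const Transaction&)>;
  using Check   = std::function<bool(const Transaction&, std::uint32_t)>;

  NextEventMonitor(Pred trigger, Capture capture, Pred event, Check check)
    : trigger_(std::move(trigger)), capture_(std::move(capture)),
      event_(std::move(event)), check_(std::move(check)) {}

  // Returns true if this transaction violates the property.
  bool observe(const Transaction& tx) {
    if (trigger_(tx)) { latched_ = capture_(tx); pending_ = true; }
    // next_event!: the check is evaluated at the first matching event after the trigger.
    // The modeling-layer variable is overwritten by every trigger, so overlapping
    // triggers all compare against its latest value: one pending flag suffices.
    if (pending_ && event_(tx)) { pending_ = false; return !check_(tx, latched_); }
    return false;
  }
  // Strong operator: the event must eventually occur after a trigger.
  bool unresolved() const { return pending_; }

private:
  Pred trigger_; Capture capture_; Pred event_; Check check_;
  std::uint32_t latched_ = 0;
  bool pending_ = false;
};

constexpr std::uint32_t dma_src_reg = 0x10;   // constructed register offset (placeholder)

// DMA property 2: a write of dma_src_reg through cpu_initiatorport latches src_add;
// the next mem1 read must use that address.
NextEventMonitor dma_source_address_monitor() {
  return NextEventMonitor(
    [](const Transaction& t) { return t.target == "cpu_initiatorport" && t.method == "write" && t.p1 == dma_src_reg; },
    [](const Transaction& t) { return t.p2; },                                        // src_add = write.p2
    [](const Transaction& t) { return t.target == "mem1" && t.method == "read"; },
    [](const Transaction& t, std::uint32_t src_add) { return t.p1 == src_add; });    // read.p1 == src_add
}

// MJPEG property: a write by the EU latches req_data; the next write to the RAMDAC
// must carry exactly that data.
NextEventMonitor mjpeg_ramdac_monitor() {
  return NextEventMonitor(
    [](const Transaction& t) { return t.target == "eu" && t.method == "write"; },
    [](const Transaction& t) { return t.p2; },                                        // req_data = write.p2
    [](const Transaction& t) { return t.target == "rdac" && t.method == "write"; },
    [](const Transaction& t, std::uint32_t req_data) { return t.p2 == req_data; });  // write.p2 == req_data
}

struct Report { std::vector<std::size_t> violations; bool unresolved_at_end; };

Report run_monitor(NextEventMonitor m, const std::vector<Transaction>& trace) {
  Report r{{}, false};
  for (std::size_t i = 0; i < trace.size(); ++i)
    if (m.observe(trace[i])) r.violations.push_back(i);
  r.unresolved_at_end = m.unresolved();
  return r;
}

// Constructed transaction streams (not from the slides).
std::vector<Transaction> dma_trace() {
  return { {"cpu_initiatorport", "write", dma_src_reg, 0x2000},   // src_add = 0x2000
           {"cpu_initiatorport", "write", 0x14, 0x3000},          // some other register
           {"mem1", "read", 0x2000, 0},                           // right address: OK
           {"cpu_initiatorport", "write", dma_src_reg, 0x4000},   // src_add = 0x4000
           {"mem1", "read", 0x4004, 0},                           // wrong address: violation at 4
           {"cpu_initiatorport", "write", dma_src_reg, 0x5000} }; // never read: unresolved at end
}

std::vector<Transaction> mjpeg_trace() {
  return { {"eu", "write", 0, 0xAB}, {"rdac", "write", 0, 0xAB},    // same data: OK
           {"eu", "write", 0, 0xCD}, {"rdac", "write", 0, 0xCE} };  // corrupted data: violation at 3
}

int main() {
  Report d = run_monitor(dma_source_address_monitor(), dma_trace());
  for (std::size_t i : d.violations) std::printf("DMA property 2 violated at transaction %zu\n", i);
  if (d.unresolved_at_end) std::printf("DMA property 2: source address programmed but never read\n");
  Report m = run_monitor(mjpeg_ramdac_monitor(), mjpeg_trace());
  for (std::size_t i : m.violations) std::printf("MJPEG property violated at transaction %zu\n", i);
  return 0;
}
```

Nothing here is clocked: the monitor advances only when a transaction is observed, which is exactly the difference between the TLM properties and the RT-level ones earlier in the deck. The unresolved flag is what a strong next_event! contributes at the end of simulation: a DMA that was programmed but never performed its read is reported even though no individual transaction was wrong.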
MJPEG decoding platform
• Identification of property violations
[Figure: monitor output pointing at the violating transactions]
CPU times
• DMA: 200000 memory transfers
• MJPEG platform: 10 seconds of video decoding
[Table: simulation CPU times (figures not preserved in this transcript)]
L. Ferro, "Vérification de propriétés logico-temporelles de spécifications SystemC TLM", Thèse de Doctorat, Univ. Grenoble, Jul. 2011
See tomorrow...
• Airbus case study (avionics flight control remote module): ABV for the verification of safety requirements
  • Control of hardware/software interactions for safety requirements
• Astrium case study (space high-resolution image processing): ABV for the verification of correctness requirements
  • In particular, discussion of the alternatives for locating the assertions
Thanks... Questions?