Caveat AMBA:
Exhaustive Formal Verification to Prevent Disaster

IC Verification Solutions
Arm TechCon
October 2019

Today’s Agenda
 Level Set: what is “Formal verification”

 Formal Verification IP

 Case Studies

© 2019 Mentor, A Siemens Business

2 Caveat AMBA, Arm TechCon 2019


What is Formal Verification?
“Formal verification uses mathematical formal methods to prove
or disprove the correctness of a system’s design with respect to
formal specifications expressed as properties….”
[Using Formal Methods to Verify Complex Designs, IBM Haifa Research Lab]

 Mathematical and algorithmic, therefore exhaustive

 Proves implementation meets requirements

 Requires no test bench or stimulus

 Mature: 20+ years of customer use and R&D


State Space Coverage
[Diagram: the DUT's state space is explored outward from the initial states until every reachable state is covered: exhaustive proof!]

The Key Advantage to Formal:
Formal Proofs Are Valid for All Inputs & All Time
Analogy: finding solutions to ax² + bx + c = 0
 Constrained-random simulation approach: randomly plug in numbers in the hope you eventually satisfy the equation
 Formal approach: algebraically compute the solutions (to the Boolean equation representing the DUT)
 The formal solution is exhaustive, for all inputs and time!


It Starts with a “Property”
A concise description of [un]desired behavior
[Waveform: cycles 0 to 5, signals req and ack]
Example intended behavior: “After the request signal is asserted, the acknowledge signal must come 1 to 3 cycles later”
Formal’s Debug Strength: “Counter Examples”
“Counter Example” == Waveform showing exactly how the DUT can violate a property
[Waveform: cycles 0 to 5, signals req and ack]
Possible behavior found by formal: “After the request signal is asserted, the acknowledge signal could also come 5 cycles later”
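The req/ack property of the two slides above, together with a hypothetical responder that shows the 5-cycle counterexample, written here as an added IEEE 1800 SVA example (not code from the slides or from the Mentor library); module, signal and parameter names are assumptions:

```systemverilog
// Added example, not from the slides: the req/ack property written in IEEE 1800 SVA.
// Module, signal and parameter names are assumptions.
module handshake_props #(parameter int MIN_LAT = 1, parameter int MAX_LAT = 3)
  (input logic clk, input logic rst_n, input logic req, input logic ack);

  default clocking cb @(posedge clk); endclocking
  default disable iff (!rst_n);

  // Intended behaviour: once req rises, ack must be seen 1 to 3 cycles later.
  property p_ack_in_window;
    $rose(req) |-> ##[MIN_LAT:MAX_LAT] ack;
  endproperty
  a_ack_in_window: assert property (p_ack_in_window);

  // Environment assumption (a "constraint"): a request is held until it is acknowledged.
  m_req_held: assume property (req && !ack |=> req);

  // Covers: both ends of the legal window must be reachable, or the proof is vacuous.
  c_fast_ack: cover property ($rose(req) ##1 ack);
  c_late_ack: cover property ($rose(req) ##3 ack);
endmodule

// Hypothetical DUT with the behaviour of the counterexample slide: ack appears
// 5 cycles after req. Against a_ack_in_window a formal tool returns a waveform in
// which req rises at cycle 0 and ack stays low through cycles 1..3.
module slow_responder (input logic clk, input logic rst_n,
                       input logic req, output logic ack);
  logic [4:0] shreg;                       // 5-stage delay line
  always_ff @(posedge clk or negedge rst_n)
    if (!rst_n) shreg <= '0;
    else        shreg <= {shreg[3:0], req};
  assign ack = shreg[4];
endmodule

// Attach the checker to the DUT without editing the RTL, as formal VIP is typically used.
bind slow_responder handshake_props #(.MIN_LAT(1), .MAX_LAT(3))
  u_props (.clk(clk), .rst_n(rst_n), .req(req), .ack(ack));
```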
Counter Examples Put You Right In the Ballpark!
[Diagram: formal tool pointing at the trouble spot in the design]
Formal-generated counter examples save countless hours of debug time by taking you right to the trouble spot


To Learn What Really Goes On Under-the-Hood …
 Part 1: “What is Formal, Anyway?”
— Introducing the basic principles of formal property checking
— How formal differs from simulation
— How constraints on expected inputs apply in the formal world
— How it provides exhaustive results
 Part 2: “Instant Formal Expert”
— What are formal property checking engines, and how do they work?
— Why are they incredibly powerful for some properties, but not so good for others?
https://verificationacademy.com/seminars/what-is-formal-and-how-it-works-under-the-hood
Key Spots to Apply Formal
[SoC block diagram: AMBA bus with System Interconnect 0 and 1, bridge, DMA, μC, Ethernet controller and PHY, RAM, Encryption Engine, SDRAM controller and SDRAM, split across security domains A, B & C and D. Formal hotspots called out: Security, Interface compliance, Data integrity, Complex state logic, Arbitration logic; "Today's Focus" is marked on the slide]
 Use on easy to identify hotspots
 Simple properties can save weeks of simulation
 Easily find complex corner cases
Preface: Design IP vs. Verification IP
 <<< very high-level slide to level set the audience explaining the difference between design IP and verification IP >>>

Design IP Caveat Emptor
 Independent audits are critical: never use Verification IP and design IP from the same developer
 Even the most mature IP can produce unexpected issues when integrated into a new SoC
 Even experienced engineers can misread a spec, improperly configure protocol parameters, or struggle to debug interface issues
 New risk -- let alone added D&V time -- is introduced whenever a standard interface is customized to help differentiate the end-product

Common Benefits of Commercial Verification IP
[Diagram: two project timelines made of protocol reading, testbench development and productive verification; in the second, the protocol-reading and testbench-development phases are shortened]
 Captures comprehensive protocol knowledge
 Ease of use via common APIs and configurators
 Optimized for high performance
 Enables you to quickly shift focus to differentiated DUT elements

Questa Formal AMBA Library
 Libraries of SVA assertions for popular Arm bus protocols
— AMBA®4 (APB4, AXI4, AXI4Lite, AXI4 Stream)
— AMBA3 (APB3, AXI3)
— AMBA2 (APB2, AHB2)

 Capabilities include:
— Comprehensive set of checks to cover the most complex protocol features
— “Inspection signals” to observe and extend internal behaviors
— Optimized specifically for formal analysis

How the Formal Verification IP Works
[Diagram: the checker, consisting of SVA modeling code and properties, is bound to the DUT's signals, clocks and resets and exposes annotation signals and checker signals; checker components: Annotate, Context, Event, Inspect, Interface, Parameter, Check]

<< a concrete SVA code example + waveform slide from Wesley >>
 << to address the RTL D&V engineers, R&D/PE to create a very specific, detailed example of what a single AMBA Formal VIP SVA property would look like, and the corresponding waveform >>
 << the example chosen should be something in the protocol that anyone generally familiar with AMBA would recognize instantly >>

Questa Formal AMBA Library Workflow
[Diagram: RTL plus properties (assertions, assumes/constraints, covers) from the Questa Formal AMBA Library are fed to Questa PropCheck, which produces counterexamples, proven results or witness traces, and a UCDB]

Questa Formal AMBA Library Benefits
 Exhaustively verify the supported standard protocols
 Formally prove that any protocol customizations complement the original protocol as intended
 Shorten time to market
— Reduce verification bring-up time
— Enable rapid coverage closure of standard interface implementations

Case Study: Safety Critical Customer in Japan
 << slide on the case study cited in the abstract >>
 << At a different customer in Japan, “safety properties” included in the AMBA Formal VIP -- i.e. properties that specify deadlock conditions that could occur -- reproduced a bug the customer was seeing intermittently in silicon but couldn’t isolate with constrained-random simulation >>

Rambus Case Study:
Questa PropCheck+Formal Verification IP Success
 Verification Challenge
— DUT: “CryptoManager” IP with AXI, AHB, and SRAM I/Fs
— Ensure reusability via adherence to interface protocol specs
— Verify that the design is secure

 Methodology
— Use Questa Formal AMBA Verification IP with Questa PropCheck
to exhaustively verify interfaces met specs
— Also wrote assertions to formally prove external CPU cannot
access private registers
— Prove that accesses from multiple clients can be serviced concurrently

 Results
— Formal found bugs very quickly that were being missed by constrained
random simulations
— Using the Formal Verification IP was easy, and really expedited the project
— Using external Verification IP allowed for more verification independence
— Will continue to use formal verification IP to verify standard interfaces
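The "external CPU cannot access private registers" proof the methodology bullets describe, written here as an added SVA example against a hypothetical APB-style register block (not Rambus's or Mentor's code); the signal names, the private address window and the ext_cpu sideband that tags the external CPU's transfers are all assumptions:

```systemverilog
// Added example, not Rambus's or Mentor's code: access-control properties for a
// hypothetical APB-style register block. Signal names, the private window and the
// ext_cpu sideband (1 = transfer issued by the external CPU) are assumptions.
module private_reg_props #(
  parameter logic [11:0] PRIV_LO = 12'h800,   // assumed private register window
  parameter logic [11:0] PRIV_HI = 12'h8FF
) (
  input logic        pclk, presetn,
  input logic        psel, penable, pwrite, pready, pslverr,
  input logic [11:0] paddr,
  input logic        ext_cpu,         // sideband: requester is the external CPU
  input logic [31:0] priv_key_reg     // a private register, exposed as an inspection signal
);
  default clocking cb @(posedge pclk); endclocking
  default disable iff (!presetn);

  // An APB transfer completes in the access phase when pready is high.
  let xfer       = psel && penable && pready;
  let in_priv(a) = (a >= PRIV_LO) && (a <= PRIV_HI);

  // Safety property ("something bad never happens"): an external-CPU transfer
  // into the private window must complete with an error response, never OKAY.
  a_ext_priv_errs: assert property (
    xfer && ext_cpu && in_priv(paddr) |-> pslverr);

  // Safety property: an external-CPU write into the window leaves the register
  // unchanged. The register updates on the completing edge, so compare next cycle.
  a_ext_no_write_effect: assert property (
    xfer && ext_cpu && pwrite && in_priv(paddr) |=> $stable(priv_key_reg));

  // Assumption on the environment: the requester tag cannot change mid-transfer.
  m_ext_cpu_stable: assume property (psel && !pready |=> $stable(ext_cpu));

  // Cover: an external-CPU attempt on the window must be reachable; if it is not,
  // both assertions above pass vacuously and prove nothing about isolation.
  c_ext_priv_attempt: cover property (xfer && ext_cpu && in_priv(paddr));
endmodule
```

Bind the module to the register block's APB port the same way the formal VIP is bound to the DUT; a proof of the two assertions together with a hit on the cover is the evidence that the private registers are unreachable from the external CPU.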

Formal AMBA VIP Applied to a Variety of DUTs

https://www.mentor.com/events/user2user
Case Study: DDR3 Controller IP for Arm SoC
[Diagram: DDR3 controller IP with AXI3 and AHB interfaces, each wrapped by a QFL AXI or QFL AHB checker, connected to the DDR3 controller and DDR3 memory]
 Post Silicon Bug
— Write to PreCharge timing constraint bug
— Not caught in RTL simulation
 Bug Found
— Found using Questa PropCheck
— Questa Formal AMBA Library assertion IP used for AMBA buses
— Simulation testbench used to initialize the DUT

Summary
 Exhaustively verify the supported standard protocols
— AMBA4 (APB4, AXI4, AXI4Lite)
— AMBA3 (APB3, AXI3)
— AMBA2 (APB2, AHB2)
 Formally prove that any protocol customizations complement the original protocol as intended
 Quickly debug and verify [customized] standard interfaces so you can focus on your differentiated IPs & shorten TTM

Verification Academy Courses
 Getting Started with
Formal-Based Technology

 Automatic Formal Solutions

 Formal Assertion-Based Verification

 SLEC flows – ECO, Clock Gating, Fault

www.VerificationAcademy.com
www.mentor.com
Backup / Scratchpad

Formal Usage Is Growing in Both ASIC & FPGA
[Charts: percentage of ASIC projects and percentage of FPGA projects using formal technology, split into formal property checking and automatic formal verification, CY2012 through CY2018]
 Formal usage continues to grow in ASIC world
 Growth rate is even faster in the FPGA user base
 Automated app adoption itself is a key part of this growth
 Increasing automation has enabled this growth
Source: Wilson Research Group and Mentor Graphics, 2018 Functional Verification Study

30 Caveat AMBA, Arm TechCon 2019


What’s Driving Formal Adoption?
 Schedule: the need to start serious verification before a testbench exists

 More customers are demanding exhaustive results

 Results can be easily integrated into the master progress tracking reports

Formal “Property” Terminology Primer
 Property
— A property describes a specific behavior

 Assumptions
— Properties that are assumed to be true while analyzing other properties
— Also known as “constraints”

 Assertions
— The properties to be proved or disproved
— Typically elements of the design specification – roughly equivalent to “tests” in simulation
 Covers
— Properties specifying nodes or behaviors in a design that the verification engineer wants to see exercised
— Effectively like “covergroups” in a simulation (and often the exact same code is used/referenced)

 Safety Properties
— In all states and for all time, something bad can never happen

 Liveness Properties
— A desired event or behavior will eventually happen

Outline
 50 min total time slot -- 20-25 slides
 What is formal, and how it differs from sim stuff
 What is design IP and what is Verification IP
 What is simulation VIP, and how it differs from Formal VIP
 AMBA formal VIP highlights
 Wesley’s tech examples
 Veiled Japanese customer case study slide
 The veiled DDR success story slide
 Don’t forget to include a slide on the Rambus QFL success story from U2U 2018

Abstract
 Today's designs rely heavily on a growing variety of complex interface
protocols whose implementations must be verified to ensure IP
interoperability and proper system behavior. Whether a given standard
interface is used without modification, or is being customized to help
differentiate the end-product, integrating even the most mature IP can
produce unexpected issues. Plus, even experienced RTL developers can
misread an IP spec, or improperly configure a handful of protocol
parameters that can lead to confusing results and wasted time. In this
paper we will show how exhaustive formal verification of RTL protocol
implementations using libraries of properties in IEEE standard SVA can
exhaustively prove that customizations and extensions of the standard
protocol implementation don’t violate the core of the protocol, or create
unexpected corner cases. Examples will be in the context of the popular
AMBA protocol.
