Classics Of FPV - PowerPoint PPT Presentation

1
Classics Of FPV
  • Erik Seligman
  • CS 510, Lecture 10, January 2009

2
Goals
  • View examples of successful FPV cases
  • Abstracted a bit from real life
  • But concepts reusable for actual design
  • See common patterns of FPV usage
  • Begin building cookbook for designers
  • Use past successes as guide
  • Recognize cases well-suited for FPV

3
Encore Gigamax Cache
4
What is this example?
  • From Ken McMillan's thesis
  • Key example using BDDs for FPV
  • Major early-90s PoC that FPV is viable
  • Basics of Gigamax Cache
  • Distributed multiprocessor system
  • Detailed protocol for maintaining coherence
  • Multiple processors need consistent view of memory
  • Bus free between request and response, for other
    activity
  • Memory block may be invalid, shared, or owned
    state at each processor
  • One master chosen on a bus at each cycle

5
Gigamax Abstract View
6
More on Gigamax Protocol
7
Important Properties for Cache Coherence
  • Free from deadlock
  • Sequential Consistency
  • Various safety properties
  • Q: state free from deadlock in SVA
  • Given variables readable and writable

8
Important Properties for Cache Coherence
  • Free from deadlock
  • Sequential Consistency
  • Various safety properties
  • Q: state free from deadlock in SVA
  • Given variables readable and writable
  • A1: assert property
  • (0 readable 0 writable)

9
FPV Found Deadlock
  • Based on abstract model of protocol
  • Found long sequence of events that would lead to
    deadlock
  • Owner of mem block sends write cmd
  • Remote block sends read to owner
  • Requests pass in transit
  • Another remote request for same block
  • Locks global bus, nobody unlocks
  • New find, unknown to makers of Gigamax!

10
PCIE Packet Assembly
11
Packet Assembly Example
  • Abstracted from PCI-Express verification
  • FPV done by Erik
  • Fixed-size packets (DWORDS) from link layer
  • Assembled into transactions
  • Start, end, type markers visible
  • Data errors detected abort transaction
  • Transaction may have variable number of packets
  • Type info at transaction start
  • Transaction may commit or abort
  • Garbage traffic must be ignored
  • System guarantees no fake transaction-start

12
Link/Transaction Interface (abstract view)
[Diagram labels: DWORDS; Transaction Assembly; Addr; Data; Misc; commit; abort]
13
FPV Challenge
  • Model complete correctness?
  • Possible, but would require lots of code
  • Estimated to rival size of RTL
  • Insufficient ROI
  • Instead, create set of safety properties
  • Observe start, end, commit/abort, and types
  • Can you guess some properties?

14
FPV Safety Properties
  • Examples of implemented properties
  • If START seen, END seen at legal time
  • After END, see a COMMIT or ABORT in specified
    amount of time
  • Without END, see no COMMIT or ABORT
  • Required shadow model code
  • Limited modeling but not full packet checking
  • Kept track of various parts of state
  • Inside or outside transaction
  • Transaction type
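
The three properties on this slide, written out with the small shadow model they need. This is an added example, not code from the lecture or the original verification work; the signal names (`start`, `end_mark`, `commit`, `abort`) and the timing parameters `MAX_LEN` and `RESP_MAX` are assumptions.

```systemverilog
// Added example: shadow model and safety properties for packet assembly.
// Signal names and timing parameters are hypothetical, not from the slides.
module pkt_asm_shadow #(
  parameter int MAX_LEN  = 16, // assumed: max cycles from START to END
  parameter int RESP_MAX = 4   // assumed: max cycles from END to COMMIT/ABORT
) (
  input logic clk, rst_n,
  input logic start, end_mark, // transaction start/end markers
  input logic commit, abort    // outcome strobes from the RTL
);
  // Shadow state: only what the properties need, no packet contents.
  logic in_txn;      // inside a transaction (START seen, END not yet)
  logic end_pending; // END seen, outcome not yet reported

  always_ff @(posedge clk or negedge rst_n) begin
    if (!rst_n) begin
      in_txn      <= 1'b0;
      end_pending <= 1'b0;
    end else begin
      if (start)         in_txn <= 1'b1;
      else if (end_mark) in_txn <= 1'b0;
      // An END outside a transaction is garbage traffic and is ignored.
      if (end_mark && in_txn)   end_pending <= 1'b1;
      else if (commit || abort) end_pending <= 1'b0;
    end
  end

  default clocking cb @(posedge clk); endclocking
  default disable iff (!rst_n);

  // If START seen, END seen at a legal time.
  a_start_end: assert property (start |-> ##[1:MAX_LEN] end_mark);
  // After END, COMMIT or ABORT within the specified amount of time.
  a_end_resolved: assert property
    ((end_mark && in_txn) |-> ##[1:RESP_MAX] (commit || abort));
  // Without END, no COMMIT or ABORT.
  a_no_spurious: assert property ((commit || abort) |-> end_pending);

  // Covers guard against a vacuous pass from over-constrained inputs.
  c_commit: cover property (start ##[1:MAX_LEN] end_mark ##[1:RESP_MAX] commit);
  c_abort:  cover property (start ##[1:MAX_LEN] end_mark ##[1:RESP_MAX] abort);
endmodule
```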

15
FPV Results
  • Basic method used for several chipsets
  • Found serious errors missed by sim
  • Simulation env omitted certain transactions
  • Garbage traffic created fake transaction
  • Could get into bad state: not commit or abort
    one packet
  • Unlucky data confusing the state machine

16
Transaction Queue FPV
17
Transaction Queue
  • Another abstracted PCIE case
  • Also FPVed by Erik
  • FIFO stores incoming transactions

[Diagram labels: New Transaction; Misc Logic; Backpressure; Handle Transaction]
18
Transaction Queue FPV
  • Designer was worried about overflow
  • Minimized size due to area/timing worries
  • But what if transactions arrive too fast?
  • Misc logic must create backpressure in time
  • Some transactions need to hold >1 cycle
  • FPV requirements
  • Assumption: backpressure works
  • assume property (backpressure |=> !trans_valid)
  • Assertion: queue won't overflow
  • assert property (!(fifo_cur == FIFO_MAX))

19
FPV Results
  • First got bogus pass, needed coverage
  • cover property (fifo_cur == FIFO_MAX-1)
  • Revealed some minor assumption errors
  • → Found real bug!
  • Queue needed to be 1 deeper
  • Or generate backpressure one cycle earlier
  • Due to backpressure latency in misc logic
  • Miscalculation by designer

20
OpenSparc DDR2 Memory Controller
21
DDR2 Memory Controller (MC)
  • Described in 2008 Datta/Singhal paper
  • Various safety requirements
  • Priority: refresh, CAS, scrub, read, write
  • Max commands in interval

22
Issue: Complex Startup
  • Control registers
  • Set by system during boot
  • Take thousands of cycles
  • FPV would never get a good result!
  • Similar issues with software startup
  • Many command words needed to initialize
  • → Get simulation values for registers, use
    assumptions to set and hold constant

23
Opportunity: Design Symmetry
  • All bits of datapath basically identical
  • So reduce width to 1 for FPV
  • Code must be well-parameterized to enable
  • 8 Banks in design, all with identical logic
  • Just need to FPV 1 for good confidence

24
Issue: Large Counters
  • 13-bit refresh interval, 12-bit scrub interval
  • So potentially 2^13 cycles to see error
  • Worse if independent: need both at once!
  • Solution: abstract counters
  • Create cut points at counter outputs
  • Counters get arbitrary values for FPV
  • Potential problems?

25
Issue: Hazard Conditions
  • Important to check hazards like RAW
  • Read-after-write (RAW): Read from address with
    write pending
  • Requires 32-bit address compare
  • Complexity for FPV
  • Solution: free the RAW bit
  • At arbitrary time, FPV can assume hazard hit
  • Potential problems?

26
MC Property Example
  • No more than 4 ACTIVATE commands may be issued
    to the DDR2 SDRAM within a window of T_FAW clock
    cycles
  • Added verilog code for tfaw_counter
  • Property violated: bug found!
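
One way to build the auxiliary logic such a property needs, as an added example. This is not the `tfaw_counter` code from the paper or the lecture; the `activate` strobe, the default `T_FAW` value and the module name are assumptions.

```systemverilog
// Added example: sliding-window tracker for the tFAW rule.
// Hypothetical names; requires T_FAW >= 3 for the slices below.
module tfaw_check #(
  parameter int T_FAW = 18 // assumed window length in clock cycles
) (
  input logic clk, rst_n,
  input logic activate     // assumed: high for one cycle per ACTIVATE
);
  // history[k] is 1 if an ACTIVATE was issued k+1 cycles ago.
  // Together with the current cycle this spans exactly T_FAW cycles.
  logic [T_FAW-2:0] history;

  always_ff @(posedge clk or negedge rst_n)
    if (!rst_n) history <= '0;
    else        history <= {history[T_FAW-3:0], activate};

  // Number of ACTIVATEs in the T_FAW-cycle window ending now.
  logic [$clog2(T_FAW+1)-1:0] acts_in_window;
  assign acts_in_window = $countones(history) + activate;

  // No more than 4 ACTIVATE commands within any T_FAW window.
  a_tfaw: assert property (@(posedge clk) disable iff (!rst_n)
                           acts_in_window <= 4);

  // Show the limit is reachable, so a pass is not vacuous.
  c_four: cover property (@(posedge clk) disable iff (!rst_n)
                          acts_in_window == 4);
endmodule
```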

27
Basic FPV Patterns
28
Reference Models
[Diagram labels: inputs i1, i2; RTL with outputs o1, o2; Abstract Model with outputs o1, o2]
  • assert property (rtl.o1 == abstract.o1)
  • assert property (rtl.o2 == abstract.o2)

29
Shadow Models
[Diagram labels: inputs i1, i2; RTL with outputs o1, o2; Shadow Model with output o1]
  • assert property (rtl.o1 == abstract.o1)
  • o2 not represented in model, no property

30
Arbiters
  • Classic, common case for useful FPV
  • Multiple requests come for a bus
  • Arbiter decides who owns bus each cycle
  • What are some important properties?

31
Arbiters
  • Classic, common case for useful FPV
  • Multiple requests come for a bus
  • Arbiter decides who owns bus each cycle
  • What are some important properties?
  • Fair
  • req[i] |-> ##[1:BOUND] owner[i]
  • owner[i] |-> ##[1:BOUND] !owner[i]
  • Conflict-free
  • $onehot0(owner)
  • Efficiency
  • (req) |=> (owner)

32
State Machines
  • Another common case for FPV
  • Common state machine assertions?

33
State Machines
  • Another common case for FPV
  • Common state machine assertions?
  • Each SM state reachable
  • cover property (state == STATE_VALS[i])
  • System consistent with SM state
  • assert property ((state == WAITING) |->
    (req == 1))
  • State machine will always return to idle
  • assert property ((state == STATE_VAL[i]) |->
    ##[1:BOUND] (state == IDLE))

34
General FIFO Assertions
  • Fifos are another common FPV case.
  • Fifo assertion ideas?

35
General FIFO Assertions
  • Fifos are another common FPV case.
  • Fifo assertion ideas?
  • Overflow/underflow
  • assert property (fifo_cur == DEPTH |=> !write)
  • assert property (fifo_cur == 0 |=> !read)
  • Successful flush
  • assert property (flush |=> (fifo_cur == 0))
  • Cover conditions of filling/emptying queue
  • cover property (fifo_cur == DEPTH-1 ##1
    fifo_cur == DEPTH)
  • cover property (fifo_cur == 1 ##1 fifo_cur == 0)

36
FIFO Tracking A Value
  • Common for FIFO: we saw value go in, make sure
    it comes out
  • Local variable feature of SVA
  • property data_check;
  • bit [SIZE:0] lvar;
  • (write, lvar = data_in) |-> ##[0:BOUND]
  • (read && (data_out == lvar));
  • endproperty
  • Watch for danger of sim performance hit
  • Many threads may be needed

37
Sets of Related Properties
  • Suppose we see many failures in module
  • Think about common causes
  • Some overall constraint on inputs missing?
  • Some conceptual issue missed?
  • Examples
  • Clocks/Reset: Are they correct? Are clock
    ratios legal?
  • Address/Command: const for <n> cycles?
  • Legal commands supplied?

38
References / Further Reading
  • http://www.kenmcmil.com/pubs/thesis.pdf
  • http://oskitech.com/papers/datta-mc-vlsi08.pdf
  • http://oskitech.com/wiki/index.php?title=Main_Page
  • http://www.eetimes.com/news/design/showArticle.jhtml;jsessionid=FQOK0R2XZXMHOQSNDLRSKHSCJUNN2JVN?articleID=190301228&pgno=1
  • http://ebook.dicder.com/verification/SystemVerilog%20Assertion%20Handbook.pdf
  • http://www.amazon.com/Assertion-Based-Design-Information-Technology-Transmission/dp/1402080271/ref=sr_1_1?ie=UTF8&s=books&qid=1233705569&sr=8-1
    (especially ch.7)