Connecting Pre-Si and Post-Si Verification
25
Connecting Pre-silicon and Post-silicon Verification Sandip Ray and Warren A. Hunt, Jr. Department of Computer Sciences University of Texas at Austin {sandip, hunt}@cs.utexas.edu http://www.cs.utexas.edu/users/ {sandip, hunt} Ray and Hunt (UT Au stin ) Post-s ilicon Verification November 18, 2009 1 / 14
Transcript of Connecting Pre-Si and Post-Si Verification
8/8/2019 Connecting Pre-Si and Post-Si Verification
http://slidepdf.com/reader/full/connecting-pre-si-and-post-si-verification 1/25
Connecting Pre-silicon and Post-silicon Verification
Sandip Ray and Warren A. Hunt, Jr.Department of Computer Sciences
University of Texas at Austin
{sandip, hunt}@cs.utexas.edu
http://www.cs.utexas.edu/users/{sandip, hunt}
Ray and Hunt (UT Austin) Post-silicon Verification November 18, 2009 1 / 14
8/8/2019 Connecting Pre-Si and Post-Si Verification
http://slidepdf.com/reader/full/connecting-pre-si-and-post-si-verification 2/25
Motivation
Motivation
Formal analysis has shown promise in increasing reliability of computing
systems.
Can catch “high quality” bugs that are difficult to hit during
simulation.
Has been successfully applied to some industrial design components.
• FP execution units
• Control logic for out-of-order pipelines
But formal analysis has primarily been restricted to pre-silicon
Typical targets are RTL models and netlists.
Almost no connection with post-silicon verification.
How do we make use of formal analysis to facilitate post-silicon
design verification?
Ray and Hunt (UT Austin) Post-silicon Verification November 18, 2009 2 / 14
8/8/2019 Connecting Pre-Si and Post-Si Verification
http://slidepdf.com/reader/full/connecting-pre-si-and-post-si-verification 3/25
Post-Silicon Verification
Post-silicon Verification
Post-silicon verification is the use of pre-production, physical
circuits to determine logical bugs.
Simulation speed may be 1,000,000,000 times faster than pre-silicon.
Facilitates exploration of very deep states.
Ray and Hunt (UT Austin) Post-silicon Verification November 18, 2009 3 / 14
8/8/2019 Connecting Pre-Si and Post-Si Verification
http://slidepdf.com/reader/full/connecting-pre-si-and-post-si-verification 4/25
Post-Silicon Verification
Post-silicon Verification
Post-silicon verification is the use of pre-production, physical
circuits to determine logical bugs.
Simulation speed may be 1,000,000,000 times faster than pre-silicon.
Facilitates exploration of very deep states.
BUTControl is limited.
Observability is extremely limited.
Factors limiting observability:
• Limited number of pins• Cost of additional DFD logic.
• ...
Ray and Hunt (UT Austin) Post-silicon Verification November 18, 2009 3 / 14
P Sili V ifi i
8/8/2019 Connecting Pre-Si and Post-Si Verification
http://slidepdf.com/reader/full/connecting-pre-si-and-post-si-verification 5/25
Post-Silicon Verification
Post-silicon Verification
Post-silicon verification is the use of pre-production, physical
circuits to determine logical bugs.
Simulation speed may be 1,000,000,000 times faster than pre-silicon.
Facilitates exploration of very deep states.
BUTControl is limited.
Observability is extremely limited.
Factors limiting observability:
• Limited number of pins• Cost of additional DFD logic.
• ...
Post-silicon verification is extremely expensive and tedious.
Ray and Hunt (UT Austin) Post-silicon Verification November 18, 2009 3 / 14
P t Sili V ifi ti
8/8/2019 Connecting Pre-Si and Post-Si Verification
http://slidepdf.com/reader/full/connecting-pre-si-and-post-si-verification 6/25
Post-Silicon Verification
Post-silicon Debug Process
Start
Intermediate
State
Observe
Problem
Bug!
Start in a known state
Quickly get to a deep state
Continue until a bug occurs
Bug is unobserved
Bug may lay dormant
Finally, observe a problem
It can take substantial effort to find and fix a bug.
Ray and Hunt (UT Austin) Post-silicon Verification November 18, 2009 4 / 14
Post Silicon Verification
8/8/2019 Connecting Pre-Si and Post-Si Verification
http://slidepdf.com/reader/full/connecting-pre-si-and-post-si-verification 7/25
Post-Silicon Verification
Post-silicon Debug Process
Start
Intermediate
State
Observe
Problem
Bug!
Start in a known state
Quickly get to a deep state
Continue until a bug occurs
Bug is unobserved
Bug may lay dormant
Finally, observe a problem
It can take substantial effort to find and fix a bug.
Typical Approach: Add extra hardware “hook” to improve observability.
But the hooks are added on-demand without analysis of design
invariants.
Once added, they are carried over from one design to next.
Ray and Hunt (UT Austin) Post-silicon Verification November 18, 2009 4 / 14
Post Silicon Verification
8/8/2019 Connecting Pre-Si and Post-Si Verification
http://slidepdf.com/reader/full/connecting-pre-si-and-post-si-verification 8/25
Post-Silicon Verification
Post-silicon Debug Process
Start
Intermediate
State
Observe
Problem
Bug!
Start in a known state
Quickly get to a deep state
Continue until a bug occurs
Bug is unobserved
Bug may lay dormant
Finally, observe a problem
It can take substantial effort to find and fix a bug.
Typical Approach: Add extra hardware “hook” to improve observability.
But the hooks are added on-demand without analysis of design
invariants.
Once added, they are carried over from one design to next.
A more disciplined process of on-chip instrumentation is necessary.
Ray and Hunt (UT Austin) Post-silicon Verification November 18, 2009 4 / 14
Goals
8/8/2019 Connecting Pre-Si and Post-Si Verification
http://slidepdf.com/reader/full/connecting-pre-si-and-post-si-verification 9/25
Goals
Our Goal
Facilitate post-silicon verification by pre-silicon analysis.
Ray and Hunt (UT Austin) Post-silicon Verification November 18, 2009 5 / 14
Goals
8/8/2019 Connecting Pre-Si and Post-Si Verification
http://slidepdf.com/reader/full/connecting-pre-si-and-post-si-verification 10/25
Goals
Our Goal
Facilitate post-silicon verification by pre-silicon analysis.
Pre-silicon Models• Allow complete visibility of internal state.
• Can be mathematically formalized analyzed and reasoned about.
Ray and Hunt (UT Austin) Post-silicon Verification November 18, 2009 5 / 14
Goals
8/8/2019 Connecting Pre-Si and Post-Si Verification
http://slidepdf.com/reader/full/connecting-pre-si-and-post-si-verification 11/25
Our Goal
Facilitate post-silicon verification by pre-silicon analysis.
Pre-silicon Models• Allow complete visibility of internal state.
• Can be mathematically formalized analyzed and reasoned about.
We use pre-silicon analysis to determine post-silicon observationpoints.• Exploit the connection between pre- and post- silicon models.
• The number of observation points depends on the desired logical guarantee
Ray and Hunt (UT Austin) Post-silicon Verification November 18, 2009 5 / 14
8/8/2019 Connecting Pre-Si and Post-Si Verification
http://slidepdf.com/reader/full/connecting-pre-si-and-post-si-verification 12/25
Goals
8/8/2019 Connecting Pre-Si and Post-Si Verification
http://slidepdf.com/reader/full/connecting-pre-si-and-post-si-verification 13/25
Overall Vision
AMS
RTL
Microcode
Formal Design/AnnotationDatabase
Guided
Proof
DesignRepresentation
Property/Annotation
FormalSpecification
AIG/BDD
Orchestration
Proof
Flow
Information
SimulationSymbolic
Specification
ExternalTools
Pre−siliconVerification
Post−silicon
Verification
Design
ACL2 Modeling and AnalysisSystem
We envision a single, unified, formal framework for specification,
evaluation, and verification of computing systems.Ray and Hunt (UT Austin) Post-silicon Verification November 18, 2009 6 / 14
Approach
8/8/2019 Connecting Pre-Si and Post-Si Verification
http://slidepdf.com/reader/full/connecting-pre-si-and-post-si-verification 14/25
An Approach: Partition Trace Analysis
Partition post-silicon trace analysis into two components.
small on-chip integrity unit that has full observability
an off-chip partial trace analyzer
The off-chip component can assume that in-silicon analysis has succeeded.
Formal analysis guarantees that the components together are
equivalent to a monitor that has full observability.
We applied the partitioning approach for post-silicon analysis of a
multiprocessor memory system.
Ray and Hunt (UT Austin) Post-silicon Verification November 18, 2009 7 / 14
Approach
8/8/2019 Connecting Pre-Si and Post-Si Verification
http://slidepdf.com/reader/full/connecting-pre-si-and-post-si-verification 15/25
A Multiprocessor Memory System
CPU(1) CPU(n)CPU(0) ..... CPU(n−1)
Memory
Pre−silicon
Execution
Trace Monitor
The pre-silicon monitor checks for bounded coherence.
Has full observability of all bus transactions.
Obviously impractical for post-silicon.
Ray and Hunt (UT Austin) Post-silicon Verification November 18, 2009 8 / 14
Approach
8/8/2019 Connecting Pre-Si and Post-Si Verification
http://slidepdf.com/reader/full/connecting-pre-si-and-post-si-verification 16/25
Post-silicon Analysis
A post-silicon trace is a subsequence of a pre-silicon trace with lossy
compression.
CPU(1) CPU(n)CPU(0) ..... CPU(n−1)
Memory
Partial Execution Trace
Post silicon analyzer
SAT solver
Lossy CompressionIntegrity Unit
Pre−silicon
Execution
Trace Monitor
The integrity unit keeps track of internal bus transactions.
It is sufficient to externally observe only a small number of critical
events.Ray and Hunt (UT Austin) Post-silicon Verification November 18, 2009 9 / 14
Approach
8/8/2019 Connecting Pre-Si and Post-Si Verification
http://slidepdf.com/reader/full/connecting-pre-si-and-post-si-verification 17/25
Post-silicon Certification
Theorem. If the integrity unit does not interrupt, then any post-silicon
trace that passes the post-silicon analysis is a subsequence of a trace that
would pass pre-silicon analysis under full observability.
The theorem is proven is ACL2.Makes use of underlying protocol invariants.
Ray and Hunt (UT Austin) Post-silicon Verification November 18, 2009 10 / 14
Approach
8/8/2019 Connecting Pre-Si and Post-Si Verification
http://slidepdf.com/reader/full/connecting-pre-si-and-post-si-verification 18/25
Post-silicon Certification
Theorem. If the integrity unit does not interrupt, then any post-silicon
trace that passes the post-silicon analysis is a subsequence of a trace that
would pass pre-silicon analysis under full observability.
The theorem is proven is ACL2.Makes use of underlying protocol invariants.
Proven by exploiting a decidable subclass of the logic.
Ray and Hunt (UT Austin) Post-silicon Verification November 18, 2009 10 / 14
Approach
C fi
8/8/2019 Connecting Pre-Si and Post-Si Verification
http://slidepdf.com/reader/full/connecting-pre-si-and-post-si-verification 19/25
Post-silicon Certification
Theorem. If the integrity unit does not interrupt, then any post-silicon
trace that passes the post-silicon analysis is a subsequence of a trace that
would pass pre-silicon analysis under full observability.
The theorem is proven is ACL2.Makes use of underlying protocol invariants.
Proven by exploiting a decidable subclass of the logic.
The theorem formally connects post-silicon verification with
pre-silicon analysis.
Ray and Hunt (UT Austin) Post-silicon Verification November 18, 2009 10 / 14
Results
U i h S
8/8/2019 Connecting Pre-Si and Post-Si Verification
http://slidepdf.com/reader/full/connecting-pre-si-and-post-si-verification 20/25
Using the System
The system can identify subtle design errors.
Ray and Hunt (UT Austin) Post-silicon Verification November 18, 2009 11 / 14
Results
U i h S
8/8/2019 Connecting Pre-Si and Post-Si Verification
http://slidepdf.com/reader/full/connecting-pre-si-and-post-si-verification 21/25
Using the System
The system can identify subtle design errors.
Processor 0 shared grant
Processor 1 exclusive request
Processor 1 exclusive grant
Processor 0 shared request
Processor 2 exclusive request
Such errors are very difficult to exercise in simulation because of thenon-determinism in the protocol.
Ray and Hunt (UT Austin) Post-silicon Verification November 18, 2009 11 / 14
Results
U i th S t
8/8/2019 Connecting Pre-Si and Post-Si Verification
http://slidepdf.com/reader/full/connecting-pre-si-and-post-si-verification 22/25
Using the System
The system can identify subtle design errors.
Processor 0 shared grant
Processor 1 exclusive request
Processor 0 shared request
Such errors are very difficult to exercise in simulation because of the
non-determinism in the protocol.
The system identifies the error even under very poor observability.
Ray and Hunt (UT Austin) Post-silicon Verification November 18, 2009 12 / 14
Related Work
R l t d W k
8/8/2019 Connecting Pre-Si and Post-Si Verification
http://slidepdf.com/reader/full/connecting-pre-si-and-post-si-verification 23/25
Related Work
Gopalakrishnan and Chou: Limited observability checkers based on
constraint solving and abstract interpretation.
Aschlager and Wilkins: Model checking to generate a short trace
containing an observed bug.
Safarpour et al : SAT solving to automatically find and repair stuck-at
faults.
De Paula et al : SAT solving to develop a “backspace” from a crashed
state.
Our approach is to introduce some of the analysis or checking into
the silicon.
Ray and Hunt (UT Austin) Post-silicon Verification November 18, 2009 13 / 14
Conclusion
Co cl sio a d F t e Wo k
8/8/2019 Connecting Pre-Si and Post-Si Verification
http://slidepdf.com/reader/full/connecting-pre-si-and-post-si-verification 24/25
Conclusion and Future Work
To our knowledge our work is the first effort on connecting
pre-silicon and post-silicon verification through formal proofs.
Provides a flexible mechanism for making use of pre-silicon analysis in
post-silicon verification.
Makes use of existing design artifacts to facilitate post-silicon
analysis.
Ray and Hunt (UT Austin) Post-silicon Verification November 18, 2009 14 / 14
Conclusion
Conclusion and Future Work
8/8/2019 Connecting Pre-Si and Post-Si Verification
http://slidepdf.com/reader/full/connecting-pre-si-and-post-si-verification 25/25
Conclusion and Future Work
To our knowledge our work is the first effort on connecting
pre-silicon and post-silicon verification through formal proofs.
Provides a flexible mechanism for making use of pre-silicon analysis in
post-silicon verification.
Makes use of existing design artifacts to facilitate post-silicon
analysis.
Of course, the results are preliminary.
Future work:
Exploit information flow for automatic signal winnowing.
Automate partitioning, given an observability and hardware bound.
Tighten connection between pre-silicon and post-silicon.
Exploit faster post-silicon simulation to facilitate pre-silicon analysis.
Ray and Hunt (UT Austin) Post-silicon Verification November 18, 2009 14 / 14
![COnnecting REpositories · dugi czas nie mogem si pogodzi, a i teraz zdarzy si jeszcze, e si zapomne. mylaem o niej jak o nie, z którego kiedy nad ranem si zbudz » [6, c. 56]. »](https://static.fdocuments.us/doc/165x107/611e775f69857940854f75ad/connecting-repositories-dugi-czas-nie-mogem-si-pogodzi-a-i-teraz-zdarzy-si-jeszcze.jpg)
