FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s...
Transcript of FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s...
![Page 1: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/1.jpg)
1
February 21-23, 2007
FEV’s Greatest Bloopers: False Positives in Formal Equivalence
Erik Seligman, Joonyoung Kim
Digital Enterprise Group
![Page 2: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/2.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 2
Agenda
• Introduction: FEV and False Positives
• Danger #1: Constraints
• Danger #2: Unreachables
• Danger #3: Libraries
• Danger #4: Black Boxes
• Advice and Conclusions
![Page 3: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/3.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 3
Agenda
• Introduction: FEV and False Positives
• Danger #1: Constraints
• Danger #2: Libraries
• Danger #3: Unreachables
• Danger #4: Black Boxes
• Advice and Conclusions
![Page 4: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/4.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 4
What Is Formal Equivalence Verification? (FEV / LEC)
• Formally verify: Design A == Design B
– Design Models: RTL or netlists
– Check synthesis, netlist edits
– Formal = mathematical proofs, not simulation
• No dependence on test vectors
• FEV is widely available & fully deployed
– Efficient: FEV feasible for vast majority of designs
• State matching (mostly) required
• Break logic at latches/flops for comparison
– Reliable: Mathematical proofs == 100% accurate
![Page 5: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/5.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 5
What is a False Positive?
• False Positive: FEV incorrectly labels designs equivalent
– Very costly
• FEV typically gates transition to next design phase
• Wrong FEV answer at tapeout � silicon respin
• Not just theoretical– seen in Intel processors & ASICs
• Not discussing FEV tool bugs
– Many dangers for misuse when tool is OK
![Page 6: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/6.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 6
Agenda
• Introduction: FEV and False Positives
• Danger #1: Constraints
• Danger #2: Libraries
• Danger #3: Unreachables
• Danger #4: Black Boxes
• Advice and Conclusions
![Page 7: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/7.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 7
Constraints in FEV
• Constraints: Reduce the set of possible values
• Turn off scan
• Known conditions on inputs
• Eliminate unused state encodings
• Numerous types can be defined
• Explicit: “add pin constraint 0…”
• RTL construct: $constraint(foo | !bar | baz);
• Within one-many mapping: “a -> b c d”
![Page 8: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/8.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 8
Bad Constraints � False Positive
• Conflicting pair of constraints
– INVERSE(a,b)
– Mapping: “a b -> c” � EQUAL(a,b)
• Result: no valid input space, so module passed
– INVERSE(a,b) && EQUAL(a,b) ???
– Dead silicon in processor A0 stepping!
• New tool feature would catch contradiction
– But what if first constraint was !(A & B)
![Page 9: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/9.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 9
Bad Constraints � False Positive
• Conflicting pair of constraints
– INVERSE(a,b)
– Mapping: “a b -> c” � EQUAL(a,b)
• Result: no valid input space, so module passed
– INVERSE(a,b) && EQUAL(a,b) ???
– Dead silicon in processor A0 stepping!
• New tool feature would catch contradiction
– But what if first constraint was !(A & B)
• Recommendation #1: Review & Formally Verify Your Constraints
![Page 10: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/10.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 10
Agenda
• Introduction: FEV and False Positives
• Danger #1: Constraints
• Danger #2: Libraries
• Danger #3: Unreachables
• Danger #4: Black Boxes
• Advice and Conclusions
![Page 11: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/11.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 11
Library Cells and FEV
• Libraries of common cells used in designs
– AND, OR, Flip-Flops, etc.
– Often developed by remote team
• Library collateral supplied for FEV
– Logic representations trusted for higher-level FEV
• Analyze at transistor level every run? Too hard.
– Library team FEVs logic vs. actual circuits
– May come with assumptions on inputs
• Must prove for library to be valid
![Page 12: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/12.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 12
Example Of Library Assumption
• Shorting together two wires– contention?
• Cell is legal IF we guarantee INVERSE (a,b)
– Save some transistors, power, area
a
~a b
~b
out
Need OR here?
![Page 13: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/13.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 13
Unproven Assumptions � False Positive
• Processor FEV flow has ‘schematic assumption’ step
– Required to prove assumptions on library cell inputs
– Separate step from equivalence verification
• Design engineer didn’t understand requirement
– Formal Property Verification (FPV) optional in other areas
– Schematic Assumption step not run for one block
�Another false positive & broken A0 processor silicon!
![Page 14: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/14.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 14
Unproven Assumptions � False Positive
• Processor FEV flow has ‘schematic assumption’ step
– Required to prove assumptions on library cell inputs
– Separate step from equivalence verification
• Design engineer didn’t understand requirement
– Formal Property Verification (FPV) optional in other areas
– Schematic Assumption step not run for one block
�Another false positive & broken A0 processor silicon!
� Recommendation #2: Make Sure Library Requirements are Verified and Understood
![Page 15: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/15.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 15
Agenda
• Introduction: FEV and False Positives
• Danger #1: Constraints
• Danger #2: Libraries
• Danger #3: Unreachables
• Danger #4: Black Boxes
• Advice and Conclusions
![Page 16: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/16.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 16
Unreachable Points in FEV
• Unreachable: flop/latch that cannot affect output
� can be logically ignored
– Must be ignored, if not in both models
• Common causes
– Synthesis optimizations
– Tied off no-longer-relevant logic
• But be careful about backend logic
– Some flows (scan, bonus cells) connect later
![Page 17: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/17.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 17
Reachable and Unreachable Flops
in1
in1
A out1misc logic
misc logicB
C
A: Reachable
B: Unreachable (logic tieoff)
C: Unreachable (bonus flop)
![Page 18: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/18.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 18
Lost Unreachables � False Positive
• Bonus logic placed in ASIC design
• RTL-netlist FEV passed, backend net-net passed– Bonus cells lost somewhere
– Intermediate FEV owners did not notice
• Problem aggravated by tool feature– Two places for unreachables: loading, mapping
– “Simple” bonus cells removed during loading
• Missing cells discovered at last minute inspection
Recommendation #3: Monitor Unreachable Points Carefully
![Page 19: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/19.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 19
Lost Unreachables � False Positive
• Bonus logic placed in ASIC design
• RTL-netlist FEV passed, backend net-net passed– Bonus cells lost somewhere
– Intermediate FEV owners did not notice
• Problem aggravated by tool feature– Two places for unreachables: loading, mapping
– “Simple” bonus cells removed during loading
• Missing cells discovered at last minute inspection
• Recommendation #3: Monitor Unreachable Points Carefully
![Page 20: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/20.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 20
Agenda
• Introduction: FEV and False Positives
• Danger #1: Constraints
• Danger #2: Unreachables
• Danger #3: Libraries
• Danger #4: Black Boxes
• Advice and Conclusions
![Page 21: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/21.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 21
Black Boxes in FEV
• Some logic usually must be excluded
– IP received as-is from remote teams
– Pure analog blocks
• FEV tools allow black boxing
– Logic to boundaries of black box is verified
– But be careful!
• Audit to ensure everything is verified somewhere
![Page 22: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/22.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 22
“Analog” Black Box? � False Positive
FEV-able Glue Logic
True Analog Logic
Black Boxed Module
![Page 23: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/23.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 23
“Analog” Black Box? � False Positive
FEV-able Glue Logic
True Analog Logic
Black Boxed Module
• Recommendation #4: Be Very Careful About Black Boxing Logic
![Page 24: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/24.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 24
Agenda
• Introduction: FEV and False Positives
• Danger #1: Constraints
• Danger #2: Unreachables
• Danger #3: Libraries
• Danger #4: Black Boxes
• Advice and Conclusions
![Page 25: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/25.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 25
Recommendations
1. Review and formally verify constraints.
2. Make sure libraries are verified & understood.
3. Monitor unreachable points carefully.
4. Be very careful about black boxing logic.
5. Make sure RTL is high-quality & fully linted.
6. Understand your FEV tool, including obscure options.
7. Ensure Synthesis-FEV independence.
8. Sanity-check FEV with at least some GLS (gate-level simulation) runs.
• See paper for details on issues not in presentation
![Page 26: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/26.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 26
Conclusions
• FEV is a powerful tool, reliable if used correctly!
• But false positives are a real danger– Issues seen in many projects at Intel
– Very costly, sometimes requiring new stepping
• Useful to recognize common causes– Misuse of constraints
– Library misunderstandings
– Excluded unreachable points
– Incorrect Blackboxing
• Understand your tools, library, and design!
![Page 27: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/27.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 27
Questions?
![Page 28: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/28.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 28
Backup Slides
![Page 29: FEV’s Greatest Bloopers: False Positives in Formal Equivalence · 1 February 21-23, 2007 FEV’s Greatest Bloopers: False Positives in Formal Equivalence Erik Seligman, Joonyoung](https://reader035.fdocuments.us/reader035/viewer/2022062508/6021f97a1d890254bd43db8f/html5/thumbnails/29.jpg)
Erik Seligman, Joonyoung Kim, Intel Corporation 29
Example Where Constraint Needed
A
B C
Block 1 Block 2
INVERSE (A,B) needed to prove C==0 in Block 2