Erik Seligman

Formal verification: From dreams to reality

In Chapter 1, we introduce Formal Verification (FV): the use of tools that mathematically analyze the space of possible behaviors of a design, rather than computing results for particular values. We begin by describing the general concepts and motivations for using FV methods rather than simpler alternatives. We then discuss several major use cases: complete coverage, bug hunting, and exploring designs, as well as providing a brief discussion of more detailed methods used in typical industrial design and validation flows. Having introduced the general topic, we take a step back and briefly trace the historical development of the concepts of formal verification, from Leibniz’s 17th-century dreams to the realities of modern industry EDA tools. We discuss how FV relates to our understanding of the fundamental limitations of computing and mathematics, and the major techniques we use to get around these limitations and make FV a useful and powerful engineering technique. Finally, we provide some advice for getting the most out of this book.

FPV “Apps” for specific SOC problems

Now that we have spent a few chapters on general-purpose FPV, we describe how the focus can be narrowed to form more specific “Apps” to solve particular problems encountered in typical SOC design flows. Reusable Protocol Verification enables proofs of common properties in well-documented protocols without reinventing them for each project. Unreachable Coverage Elimination supplements simulation by using FPV technology to rule out bad cover points. Formal Connectivity Verification enables verification of complex pin connection muxing with full coverage through FPV. Control Register FPV checks that every control register is following its specified access policies correctly, and that no two can interfere with each other. Finally, FPV-based post-silicon debug can enable quick reproduction of tricky logic sightings from a silicon debug environment.

Effective FPV for design exercise

Now that the reader is familiar with the general concepts of FPV, we use this chapter to describe FPV usage for the specific goal of providing “instant testbenches” for early exercise and testing of RTL designs. Using the motivating example of a small traffic light controller implemented with a set of interacting state machines, we walk through the typical steps of design exercise FPV. First we create a design exercise plan, a lightweight collection of goals, properties, complexity staging ideas, and exit criteria. Then we develop the design exercise FPV environment, which includes building the model, creating suitable properties, and other details such as clocks and resets. Once this preparation is done, we demonstrate the “wiggling” process for early debug, followed by more interesting exercise cases. We then conclude by showing how we can evolve this FPV environment to demonstrate more complex model behaviors.

Effective FPV for verification

In this chapter we describe how to effectively use FPV for two main types of design verification: bug hunting, where we supplement simulation to try to find tricky corner case bugs; and full proof FPV, where we try to fully establish that an RTL design implements a desired specification. Using the example of a simple Arithmetic Logic Unit (ALU) design, we then show how to create a plan for bug hunting FPV on this model, exploring and expanding upon the parallels with the design exercise FPV discussed in the previous chapter. We walk through the process of planning, wiggling, and expanding FPV verification, in order to be able to gain confidence that we have verified the basic requirements of our logic, and prevented common errors that would cause incomplete coverage. Finally, we discuss changes that would be required to advance from bug hunting to full proof FPV on this model.

Formal equivalence verification

In this chapter we describe Formal Equivalence Verification (FEV), an FV technique focused on checking whether two designs are logically equivalent. There are several ways we can define equivalence for FEV tools: combinational equivalence, which optimizes the problem by breaking up models at latch/flop boundaries; sequential equivalence, which checks that behavior of two models over a period of time results in equivalent outputs; and transactional equivalence, which checks that certain well-defined operations produce identical results on two models. We then discuss how these types of equivalence fit into some common real design flows: using RTL-RTL equivalence to check design changes or optimizations, and RTL-Netlist equivalence to check synthesis or hand-drawn schematic correctness.

Your new FV-aware lifestyle

In our concluding chapter, we review the multiple motivations for formal verification, including design exercise, bug hunting, full proofs, specialized applications, and formal equivalence, summarizing and highlighting our key points in each area. We then give some general advice for getting prepared and starting FV work, as well as some ideas for measuring ROI (Return On Investment) of FV. Finally, we conclude with a high-level description of the many “hats” an FV engineer might wear, and an overall summary of this book.

Formal verification’s greatest bloopers: The danger of false positives

In Chapter 9, we discuss some real-life examples of cases where FV techniques were applied incorrectly, sometimes resulting in false positives: cases where a “formally proven” design turned out to contain errors. The simplest cases result from misuse or misunderstanding of the System Verilog language, which should be addressed by strong linting and manual reviews. Another class of these problems is vacuity issues, where part of the problem space is ignored; prevent these using tool features, good cover points, review of reset conditions, and simulation of assumptions. A third cause is implicit or misunderstood assumptions, addressable by careful review of assumptions and tool options. Finally, some false positives have resulted from a confused division of labor: be sure to have solid global owners for each verification area. By paying attention to these lessons from real projects, the reader should be able to prevent these issues from recurring in their own designs.

Formal property verification

In Chapter 4, we introduce the basic concepts of Formal Property Verification (FPV), an FV method that checks whether a set of properties, usually specified as assertions, is true of a given piece of RTL. To make the discussion more concrete, we describe FPV in terms of a combination lock design, where we want to determine that there is truly a unique combination that opens the lock. We show how to build a set of useful properties, constructing SVA cover points, assumptions, and assertions related to our example. We then show how to combine this information with clock and reset specifications to create a viable FPV environment, and demonstrate typical results of running FPV on this example. Based on this example, we then summarize the differences between simulation and FPV, and discuss some major FPV usage models.

Introduction to systemverilog assertions

In Chapter 3, we describe the basics of the System Verilog Assertion (SVA) language, which is the current industry standard for verification statements that describe properties of an RTL design. Using a simple arbiter as an example verification target, we introduce each of the basic concepts of SVA. First we define the three types of verification statements: assertions, facts that are claimed to be true; assumptions, axioms used to prove the assertions; and cover points, which specify interesting test conditions. There are two major types of assertion statements that we describe in detail: immediate, or unclocked, and concurrent, or clocked, assertion statements. We then continue by describing useful SVA building blocks including sequences and properties. Finally we provide some practical advice on writing useful assertions.

Basic formal verification algorithms

In Chapter 2 we describe some of the basic algorithms used to develop practical formal verification tools. We start by reviewing basics of formal logic representations, showing how clever exploitation of symmetry can vastly simplify seemingly complex logic. Building on this, we discuss some concepts of verification and of Boolean algebra. We then introduce BDDs, an important data structure which was responsible for enabling the first generation of industrial-strength model checking tools. After this, we discuss the Satisfiability (SAT) problem, a core challenge of FV which was briefly introduced in the previous chapter. In addition, we provide a brief discussion of model checking concepts and some advanced SAT algorithms. By the end of this chapter, the reader should have a general sense of how FV tools work, so this knowledge can inform their usage in the real design and validation processes we discuss in the rest of the book.