
Classics Of FPV

Classics Of FPV. Erik Seligman, CS 510, Lecture 10, January 2009. Goals: view examples of successful FPV cases, abstracted a bit from real life but with concepts reusable for actual design; see common patterns of FPV usage; begin building a ‘cookbook’ for designers, using past successes as a guide.







  1. Classics Of FPV Erik Seligman CS 510, Lecture 10, January 2009

  2. Goals
  • View examples of successful FPV cases
    • Abstracted a bit from real life
    • But concepts reusable for actual design
  • See common patterns of FPV usage
    • Begin building ‘cookbook’ for designers
    • Use past successes as guide
    • Recognize cases well-suited for FPV

  3. Encore Gigamax Cache

  4. What is this example?
  • From Ken McMillan’s thesis
    • Key example using BDDs for FPV
    • Major early-90’s PoC that FPV is viable
  • Basics of Gigamax Cache
    • Distributed multiprocessor system
    • Detailed protocol for maintaining coherence
    • Multiple processors need consistent view of memory
    • Bus free between req & response, for other activity
    • Memory block may be in invalid, shared, or owned state at each processor
    • One ‘master’ chosen on a bus at each cycle

  5. Gigamax Abstract View

  6. More on Gigamax Protocol

  7. Important Properties for Cache Coherence
  • Free from deadlock
  • Sequential consistency
  • Various safety properties
  • Q: state ‘free from deadlock’ in SVA
    • Given variables readable and writable

  8. Important Properties for Cache Coherence
  • Free from deadlock
  • Sequential consistency
  • Various safety properties
  • Q: state ‘free from deadlock’ in SVA
    • Given variables readable and writable
    • A1: assert property (##[0:$] readable && ##[0:$] writable);

  9. FPV Found Deadlock
  • Based on abstract model of protocol
  • Found long sequence of events that would lead to deadlock
    • Owner of mem block sends write cmd
    • Remote block sends read to owner
    • Requests pass in transit
    • Another remote request for same block
    • Locks global bus, nobody unlocks
  • New find, unknown to makers of Gigamax!

  10. PCIE Packet Assembly

  11. Packet Assembly Example
  • Abstracted from PCI-Express verification
    • FPV done by Erik
  • Fixed-size packets (DWORDs) from link layer
    • Assembled into transactions
    • Start, end, type markers visible
    • Data errors detected & abort transaction
  • Transaction may have variable # of packets
    • Type info at transaction start
    • Transaction may commit or abort
  • “Garbage traffic” must be ignored
    • System guarantees no fake transaction-start

  12. Link/Transaction Interface (abstract view)
  [block diagram; labels: Data DWORDS, Transaction Assembly, Addr, Misc, commit, abort]

  13. FPV Challenge
  • Model complete correctness?
    • Possible, but would require lots of code
    • Estimated to rival size of RTL
    • Insufficient ROI
  • Instead, create set of safety properties
    • Observe start, end, commit/abort, and types
  • Can you guess some properties?

  14. FPV Safety Properties
  • Examples of implemented properties
    • If START seen, END seen at legal time
    • After END, see a COMMIT or ABORT in specified amount of time
    • Without END, see no COMMIT or ABORT
  • Required “shadow model” code
    • Limited modeling but not full packet checking
    • Kept track of various parts of state:
      • Inside or outside transaction
      • Transaction type

  15. FPV Results
  • Basic method used for several chipsets
  • Found serious errors missed by sim
    • Simulation env omitted certain transactions
    • Garbage traffic created fake transaction
    • Could get into bad state & not commit or abort one packet
    • Unlucky data confusing the state machine

  16. Transaction Queue FPV

  17. Transaction Queue
  • Another abstracted PCIE case
    • Also FPVed by Erik
  • FIFO stores incoming transactions
  [block diagram; labels: New Transaction, Misc Logic, Backpressure, Handle Transaction]

  18. Transaction Queue FPV
  • Designer was worried about overflow
    • Minimized size due to area/timing worries
    • But what if transactions arrive too fast?
    • Misc logic must create backpressure in time
    • Some transactions need to hold >1 cycle
  • FPV requirements
    • Assumption: backpressure works
      assume property (backpressure |=> !trans_valid);
    • Assertion: queue won’t overflow
      assert property (!(fifo_cur == FIFO_MAX));

  19. FPV Results
  • First got bogus pass, needed coverage
      cover property (fifo_cur == FIFO_MAX-1);
  • Revealed some minor assumption errors → Found real bug!
    • Queue needed to be 1 deeper
    • Or generate backpressure one cycle earlier
    • Due to backpressure latency in misc logic
    • Miscalculation by designer
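Added example (not part of the lecture): an explicit-state exploration of an abstract transaction queue that reproduces the backpressure-latency story of slides 18 and 19. FIFO_MAX, the backpressure threshold and the misc-logic latency are constructed parameters; the exploration evaluates the slide's assertion and cover property over every reachable state, shows the "one deeper" and "one cycle earlier" fixes, and shows how an over-constraining assumption yields a pass with no coverage.

```python
from collections import deque

def explore_queue(fifo_max, bp_threshold, bp_latency, overconstrained=False):
    """Explicit-state reachability over an abstract transaction queue.

    fifo_max, bp_threshold and bp_latency are constructed parameters, not the
    lecture's real design values. Each cycle the environment may present one
    transaction and the handler may pop one or hold the head (>1 cycle).
    Misc logic raises backpressure when occupancy >= bp_threshold, but the
    signal reaches the interface bp_latency cycles late; the assumption
    `backpressure |=> !trans_valid` then blocks an arrival in the next cycle.
    Returns (assert_holds, cover_hit) for
      assert property (!(fifo_cur == FIFO_MAX));
      cover  property (fifo_cur == FIFO_MAX-1);
    """
    # State: (occupancy, hist); hist[0] is the backpressure value that was
    # visible at the interface last cycle, hist[-1] the one computed last cycle.
    init = (0, (0,) * (bp_latency + 1))
    seen, work = {init}, deque([init])
    assert_holds, cover_hit = True, False
    while work:
        occ, hist = work.popleft()
        if occ == fifo_max:
            assert_holds = False           # overflow state is reachable
        if occ == fifo_max - 1:
            cover_hit = True
        blocked = hist[0] == 1
        if overconstrained:                # a wrong assumption that stalls traffic whenever
            blocked = blocked or occ >= 1  # the queue is non-empty: passes, but no coverage
        for valid in ([0] if blocked else [0, 1]):
            for pop in ([0] if occ == 0 else [0, 1]):
                nxt_occ = occ + valid - pop
                if nxt_occ > fifo_max:     # stop at the overflow state itself
                    continue
                raw_bp = int(occ >= bp_threshold)  # what misc logic computes this cycle
                nxt = (nxt_occ, hist[1:] + (raw_bp,))
                if nxt not in seen:
                    seen.add(nxt)
                    work.append(nxt)
    return assert_holds, cover_hit

if __name__ == "__main__":
    print("designer's model (latency 0):  ", explore_queue(4, 2, 0))        # (True, True)
    print("real misc-logic latency 1:     ", explore_queue(4, 2, 1))        # (False, True)
    print("queue one deeper:              ", explore_queue(5, 2, 1))        # (True, True)
    print("backpressure one cycle earlier:", explore_queue(4, 1, 1))        # (True, True)
    print("over-constrained assumption:   ", explore_queue(4, 2, 1, True))  # (True, False)
```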

  20. OpenSparc DDR2 Memory Controller

  21. DDR2 Memory Controller (MC)
  • Described in 2008 Datta/Singhal paper
  • Various safety requirements
    • Priority: refresh, CAS, scrub, read, write
    • Max # commands in interval

  22. Issue: Complex Startup
  • Control registers
    • Set by system during boot
    • Take thousands of cycles
    • FPV would never get a good result!
  • Similar issues with software startup
    • Many command words needed to initialize
  → Get simulation values for registers, use assumptions to set & hold constant

  23. Opportunity: Design Symmetry
  • All bits of datapath basically identical
    • So reduce width to 1 for FPV
    • Code must be well-parameterized to enable
  • 8 banks in design, all with identical logic
    • Just need to FPV 1 for good confidence

  24. Issue: Large Counters
  • 13-bit refresh interval, 12-bit scrub interval
    • So potentially 2^13 cycles to see error
    • Worse if independent & need both at once!
  • Solution: abstract counters
    • Create cut points at counter outputs
    • Counters get arbitrary values for FPV
  • Potential problems?

  25. Issue: Hazard Conditions
  • Important to check hazards like RAW
    • Read-after-write (RAW): read from address with write pending
    • Requires 32-bit address compare
    • Complexity for FPV
  • Solution: free the RAW bit
    • At arbitrary time, FPV can assume hazard hit
  • Potential problems?

  26. MC Property Example
  • No more than 4 ACTIVATE commands may be issued to the DDR2 SDRAM within a window of T_FAW clock cycles
  • Added Verilog code for tfaw_counter
  • Property violated: bug found!

  27. Basic FPV Patterns

  28. Reference Models
  [block diagram: inputs i1, i2 drive both the RTL and an Abstract Model; each produces outputs o1, o2]
  • assert property (rtl.o1 == abstract.o1)
  • assert property (rtl.o2 == abstract.o2)

  29. Shadow Models
  [block diagram: inputs i1, i2 drive both the RTL and a Shadow Model; the RTL produces o1, o2, the shadow model only o1]
  • assert property (rtl.o1 == abstract.o1)
  • o2 not represented in model, no property

  30. Arbiters
  • Classic, common case for useful FPV
    • Multiple requests come for a bus
    • Arbiter decides who owns bus each cycle
  • What are some important properties?

  31. Arbiters
  • Classic, common case for useful FPV
    • Multiple requests come for a bus
    • Arbiter decides who owns bus each cycle
  • What are some important properties?
    • Fair
      req[i] |-> ##[1:`BOUND] owner[i]
      owner[i] |-> ##[1:`BOUND] !owner[i]
    • Conflict-free
      $onehot0(owner)
    • Efficiency
      (|req) |=> (|owner)

  32. State Machines
  • Another common case for FPV
  • Common state machine assertions?

  33. State Machines
  • Another common case for FPV
  • Common state machine assertions?
    • Each SM state reachable
      cover property (state == STATE_VALS[i]);
    • System consistent with SM state
      assert property ((state == `WAITING) |-> (req==1));
    • State machine will always return to idle
      assert property ((state == STATE_VALS[i]) |-> ##[1:`BOUND] (state == `IDLE));

  34. General FIFO Assertions
  • FIFOs are another common FPV case.
  • FIFO assertion ideas?

  35. General FIFO Assertions
  • FIFOs are another common FPV case.
  • FIFO assertion ideas?
    • Overflow/underflow
      assert property (fifo_cur==DEPTH |=> !write);
      assert property (fifo_cur==0 |=> !read);
    • Successful flush
      assert property (flush |=> (fifo_cur==0));
    • Cover conditions of filling/emptying queue
      cover property (fifo_cur==DEPTH-1 ##1 fifo_cur==DEPTH);
      cover property (fifo_cur==1 ##1 fifo_cur==0);

  36. FIFO: Tracking A Value
  • Common for FIFO: we saw value go in, make sure it comes out
  • “Local variable” feature of SVA
      property data_check;
        bit [`SIZE:0] lvar;
        (write, lvar = data_in) |-> ##[0:`BOUND] (read && (data_out == lvar));
      endproperty
  • Watch for danger of sim performance hit
    • Many threads may be needed

  37. Sets of Related Properties
  • Suppose we see many failures in module
    • Think about common causes
    • Some overall constraint on inputs missing?
    • Some conceptual issue missed?
  • Examples
    • Clocks/Reset: Are they correct? Are clock ratios legal?
    • Address/Command constant for <n> cycles?
    • Legal commands supplied?

  38. References / Further Reading
  • http://www.kenmcmil.com/pubs/thesis.pdf
  • http://oskitech.com/papers/datta-mc-vlsi08.pdf
  • http://oskitech.com/wiki/index.php?title=Main_Page
  • http://www.eetimes.com/news/design/showArticle.jhtml;jsessionid=FQOK0R2XZXMHOQSNDLRSKHSCJUNN2JVN?articleID=190301228&pgno=1
  • http://ebook.dicder.com/verification/SystemVerilog%20Assertion%20Handbook.pdf
  • http://www.amazon.com/Assertion-Based-Design-Information-Technology-Transmission/dp/1402080271/ref=sr_1_1?ie=UTF8&s=books&qid=1233705569&sr=8-1 (especially ch. 7)
