# Formal Technology in the Post Silicon lab

**Real-Life Application Examples** 



Jamil R. Mazzawi Lawrence Loh Jasper Design Automation



## Focus of This Presentation

#### Finding bugs in silicon chips

- Post-silicon production
- Functional bugs: Bugs originate in the RTL
- Reproducing bugs in RTL to root-cause them after initial identification is done in the lab

#### Not concerned with

- Electrical bugs
- Timing bugs
- Synthesis-based bugs (?)
- Manufacturing bugs
- Software bugs
- Etc...



## Post-Silicon Lab, Not a Place You Would Think To Use Formal









## Formal Can Play a Critical Role in the Post-Silicon Debug Lab

|                           | Eile Design Proof Task View Tools Wind                                                        | Image: Signal and Signal a | 8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 |                                                            | Red point @17 #1         Image: Constraint of the second seco |            |
|---------------------------|-----------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------|
| $\sim$                    | RTL Modules     Show task: <<<          ⊕ ★ top         Type ▼ 1                              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | ✓ Include st<br>Engine It<br>H          | ibinstances<br>erations Time<br>(8,1) @ 2.5                | Flops Task<br>- v arbiter                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |            |
|                           | <ul> <li>✓ Assert tu</li> <li>X Assert tu</li> </ul>                                          | p.ad.v_arbiter.a_grant_is_onencto<br>p.arb.v_arbiter.a_grant_is_one_cycle<br>p.arb.v_arbiter_fairness.a_arbiter_fairness<br>p.brdg.v_bridge.a_fifo_no_overflow                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | H<br>H<br>H                             | (0,1) @ 2.3<br>(10,2) @ 2.5<br>(17,9) @ 4.0<br>(8,1) @ 1.2 | - v_arbiter                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |            |
|                           | <ul> <li>✓ Assert tu</li> <li> <sup>™</sup> Assert tu     </li> </ul>                         | pp.brdg.v_bridge.a_fifo_no_underflow<br>pp.eg.v_egress.a_wvalid_2cycle<br>pp_sel.v_port_select.a_int_ready_onehot0                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | H<br>H<br>H                             | (8,1) @ 1.2<br>(20,6) @ 2.5<br>(5,1) @ 1.9                 | - v_bridge                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |            |
|                           | 🖌 Assert to                                                                                   | pp.p_sel.v_port_select.a_int_size_select_00<br>pp.p_sel.v_port_select.a_int_size_select_01<br>pp.p_sel.v_port_select.a_int_size_select_10                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | H<br>H<br>H                             | (5,1) @ 1.9<br>(5,1) @ 1.9<br>(5,1) @ 1.9                  | - v_port_select                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |            |
|                           |                                                                                               | pp.p_sel.v_port_select.a_int_size_select_11                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | H<br>8-11                               | (5,1) @ 1.9                                                |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Tool ready |
|                           | - unprocessed : 0 ( (<br>- error : 0 ( (<br>covers : 64                                       | 1.1%)<br>1.0%)<br>1.0%)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |                                         |                                                            |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |            |
| E                         | - covered : 64 ( ^<br>- ar_covered : 0 ( 0<br>- undetermined : 0 ( 0<br>- unprocessed : 0 ( 0 | ).0%)<br>00.0%)<br>).0%)<br>).0%)<br>).0%)<br>).0%)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |                                         |                                                            |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |            |
|                           | %  <br>Console Lint messages Proof messages                                                   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |                                         |                                                            |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |            |
| - 4 - ©2008 Jasper Design |                                                                                               |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |                                         |                                                            | Proof ready Tool ready J(                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | JASPER     |

design automati

## Outline

- Typical scenario from the post-silicon lab
- Simple principles of using formal in post-silicon debugging
- Two real-life case studies of using JasperGold<sup>®</sup> Formal Verification System
- Case study 1: Detecting bus protocol violation bug
  - Finding "the bug" ~6 times faster than simulation did
  - Verifying bug fix before going to silicon again
- Case study 2: Quickly isolating the block with a bug
  - Interaction between formal team and lab team
  - Two teams interacting, each using their capabilities to help the other team
  - The total power of the two teams together is much greater than either alone



## **Cost of Silicon Bug**

Finding bugs in model testing is the least expensive and most desired approach, but the cost of a bug goes up  $10 \times$  if it's detected in component test,  $10 \times$ more if it's discovered in system test, and  $10 \times$  more if it's discovered in the field, leading to a failure, a recall, or damage to a customer's reputation."

John Bourgoin, MIPS CEO At a DesignCon 2006 panel





## **On-Chip Post-Silicon Debugging Capabilities**

- Most chips now have some kind of on-chip debugging capability
  - Freeze chip, when certain event is identified
  - On-chip logic analyzer
    - Selected group of signals is mux-ed to external pins
  - Save the value of certain signals, N cycles before freeze event into some memory
  - Using scan chain to scan out all the flops

#### Common capability: Failure trace extraction

- Debugging team can capture a trace for number of signals a few cycles before (and maybe after) a problem is detected
- We refer to this trace as: failure trace



# **Typical Scenario of a Post-Silicon Bug Isolation Process**

### • Silicon chip is misbehaving

- Hanging, stopped responding
- Dropping packets
- Violating protocols
- Producing wrong output
- Etc...
- Lab team: Extract the failing trace
- Lab team now knows that
  - The chip has some illegal behavior
  - But, how did it reach this state?
  - The failing scenario may have taken hours (real time) to reach



## Failing Scenario Identified, but Where Is the Bug?



# The Dynamic-Verification Team Is Called for Help

- Here are the last few cycles of the failing scenario
- Can you please find the root-cause of the problem?
- Can you find how we reached this state, using simulations?
- We don't know where the bug is happening, but we know that it is causing block D to act incorrectly
- The bug happens after 3-4 hours run in the lab, when we inject this kind of traffic (example: only read transactions on bus X)
- Another way to say this:

 "It took us 4 hours of real-time with random traffic of this kind to hit the bug. Let's see how you can reproduce it when your simulation time is x1000 slower.... Ah, that's only 4,000 hours of simulation.... But you can do it, we know you can.... Oh, btw, you have only 1 week to find it."

• With simulations, the verification team is, in many cases, assigned "mission impossible"



## Formal Technology Is Called for Help

• One of the key strengths of formal is its ability to find bugs fast

- Finding CEX (failure of a property) is usually much faster than reaching proof on the same property
- Bug hunting

#### • With simulation:

- We hope that the constrained-random generator will hit the input combination that causes the failure scenario (trigger the bug)

## • With formal:

 The formal engine can mathematically find this failure scenario starting from the extracted failure trace



## **Basic Flow or Process**

• The following few slides outline the steps needed to find the bug

These are fundamentally the same steps one takes in a normal formal verification flow

• Main differences between normal and pre-silicon FV flows:

- We are looking for one specific bug, one specific scenario
- We are not looking for full proof or coverage completeness
- We just need to find the scenario that leads to the illegal behavior
- We can allow over-constraints to simplify the process
  - Example: don't allow Write transactions because the bug happens with Read transactions only
  - This allows us not to support Writes in the assertions and assumptions we write



## Step 1: Choose the Level or Block to Work with

• Option1: Full chip



# Step 1: Choose the Level or Block to Work with

• Option 2: Last two blocks



## Step 1: Choose the Level or Block to Work with

• Option 3: Single block



#### Step 2: Define Your Property: not(illegal\_scenario)

- Start from the description of the problem
  - We have a trace that shows the illegal scenario
  - Or we know that the problem happens when a write trans is followed by another write trans
- All we need to do is define a property that states that:
  - This scenario cannot happen
- Examples:
  - If we know the problem happens when FSM\_X goes from state\_A to state\_B, and this is not allowed:
    - assert (not ( (fsm\_x==state\_A) ##1 (fsm\_x==state\_B) ))
  - If the problem happens when some FIFO overflows, and it is not supposed to: assert (not (fifo\_x.overflow))
  - If the problem happen when slave\_x is responding to a read transaction:
    - Define properties that ensure this slave is adhering to all the protocol rules for read transactions



# Step 3: Optional: Write Input Constraint, as Needed





## Case Study 1: Memory Controller Violating Bus Protocol

- SoC Chip, with a CPU and multiple peripherals 0
- Chip had problems in the market and was re-called
  - It hangs in certain conditions, in the field
- Bug was identified in the post-silicon lab as...

  - DDR2 memory controller is hanging and causing the bus to hang
  - Bug happens with Read transactions to the DDR2 memory controller (no problem in Write)
  - Suspect that the memory controller (bus slave) is violating the bus protocol
- The DDR2 memory controller with the bug is IP from a well-known IP vendor
- Simulation team worked for 3-4 months (with random simulation) until they were able to root-cause the bug
- Imagine the cost of this bug
- Imagine the relationship between simulation team, Chip-Company, IP-Vendor, and Chip-Company's customer during this time  $\bigcirc$

The following names used in this presentation are aliases to protect identity etc...

- Chip-Company
- IP-Vendor
- ACB Bus
- XYZ Interface

## Formal Is Called for Help

- Formal was called to help after the fact, to see how fast it can be done with formal
- Formal engineer was given the same information the simulation team got (no cheating)
- The bug was found after 2.5 weeks
  - A good part of this time was spent ramping up on the design and protocols involved
  - Once setup is complete and properties are written, actual run time to find the CEX was under 1 minute
  - Compared to weeks of simulations!
- Later, formal was re-run on the fixed RTL code
  - Two other bugs were found





#### Verification Strategy: Step 1: Model the ACB Arbiter





## Verification Strategy: Step 2: Option A Model the DDR2 Interface, Include Memory Controller





#### Verification Strategy: Step 2: Option B Remove the Memory Controller and Model the XYZ Interface

#### XYZ model

- Assumptions on wrapper inputs
- Sample wrapper output to model controller state



#### **ACB** Arbiter model

- Assumptions on the Slave inputs to model legal transaction
  - Checks Slave's output for protocol behavior



## Verification Strategy: Final Decisions

- We ended up using Option B
- The memory controller is considered stable; the wrapper is new code
  - The bug is probably in the wrapper code
  - Avoid the complexity of the DDR2 protocol
- We focused on writing and proving properties to check compliance of the wrapper (as a slave) with the ACB bus protocol
- Important: This is post-silicon verification, not pre-silicon verification
  - Shortcuts are allowed, anything to make us find the bug faster
  - Write properties only where the bug is suspected to be
  - Use assumes to prevent certain scenarios from happening (like Write trans)
  - Put assumes on internal signals:
     assume (top.addr\_decoder.legal\_address == 1)



# Specification: In Plain English

- For a transaction of size M beats, the slave needs to return M rd\_ack
- If the last rd\_ack comes at Cycle N, the rd\_complete needs to be asserted at either Cycle N-1 or N
- If rd\_complete is given at cycle N-1, cycle N must have a valid beat
- Design decision: Always give rd\_complete at cycle N-1 (never at N)



#### Main Assertion – Code Example: Single-Beat Transaction

```
property P_rdComp_is_one_before_last_rdAck_single_beat;
@( posedge clk ) disable iff (!rst_n)
(m0_active_rd & ACB0_SI_rdComp &
m0_trans_is_single_one_beat)
|->
(
        ( ACB0_SI_rdDAck & (m0_trans_length == 1))
        or ( !ACB0_SI_rdDAck & (m0_trans_length == 1))
        ) ;
        ( m0_trans_length == 1)) )
        ) ;
```

endproperty



# Why the Bug Was Hard to Find with Coverage-Driven Random Simulations



# **Testcase 2: Formal Team Hand-in-Hand with Lab Team**

- Existing customers
- Existing experience with formal
- Never used formal for post-silicon before
- Formal is called for help once the bug is identified in the lab
- Formal team worked with the lab team hand-in-hand



## High-Level Block Diagram





## With Formal: Write End-to-End Property

- An End-to-end property was written, from Inputs of B to Outputs of D
   Block A was not relevant
- The property was written based on the illegal trace found by the lab team
- Only inputs that cause the bug are allowed (others are constrained out)



## With Formal: Write End-to-End Property

- An End-to-end property was written, from Inputs of B to Outputs of D
  - Block A was not relevant
- The property was
- Only inputs that c

Information from lab-team helping formal-team narrow their scope of work

y the lab-team strained out)

Block D

ASSUME Property Outputs\_A

End-to-end Property B->D



## Break the End-to-End Property into 3 Properties

The end-to-end property was broken into 3 properties



## Since Block D Is the "Suspect," Start Proving Its Properties

- Run the proof engines on the properties on Block D's outputs
- Property was proven
  - Block D does not have the bug
  - The failure trace cannot happen
- So why do we see this trace in the lab???!!!
  - Maybe the input D assumptions do not hold on outputs of C



## Block D Is Cleared, Block C Is the Suspect

- Using the exhaustive answer from formal team, the lab team moved their focus from Block D to Block C
- Logic analyzer is now probing Block C instead

Wrong output identified



## Block D Is Cleared Block C le the Succest

- Using the exhaustive their focus from Blc
- Logic analyzer is no

# Information from formal team helping lab team focus their scope of work

moved Wrong output identified Block D

Probe is set to monitor block C

Block A

# Formal Team Proves the Properties on C's Outputs

• Using the information from the lab team...



## Block C Is Cleared, Block D Is the "Suspect"

- Lab team moves the focus to Block B, with full confidence the bug is there
- Probe is moved to Block B
- Bug is found by the lab team when they

Wrong output identified



## Summary

- Formal can play key role in the post-silicon lab
- Saves time, \$\$\$, and reputation
- Use the power of formal for bug-hunting
- Case Study 1:
  - Formal totally wins over simulations: seconds vs. weeks of run time
  - Found another bug in the fixed RTL!
- Case Study 2:
  - Better approach: Use formal in the lab from day 1 (once a bug is found)
  - Formal team and lab team work hand-in-hand, feeding information to each other
  - Use exhaustiveness of formal to rule out the existence of the bug in a given block
  - Information from each team helps the other team focus their efforts
- You need Formal tool with capacity
- You need experience in formal, ahead of time
- Maybe, if formal was used in pre-silicon verification, we wouldn't be doing post-silicon verification <sup>(G)</sup>

