Streamline Verification Process with Formal Property Verification to Meet Highly Compressed Design Cycle
Prosenjit Chatterjee, nVIDIA Corporation

Goals

- Reach conventional verification goals faster
- Reach more verification goals
- Fewer verification resources
- Prove specific properties of most complex blocks

SFV

- Minimal verification environment expertise
- Ability to use conventional verification techniques
- Non FV-able properties still usable
- Use conventional verification techniques at Full Chip and Super Unit level
- However, now fewer bugs to uncover as sub-units are already SFV-ed
- Full time Dedicated Verification Engineer not required
- Designer’s kit

Conventional Verification Process

[Diagram: the user writes a TestBench with Input Biasing that drives the DUT RTL; results are reported against the DUT TestPlan Coverage Goals and the Internal Coverage Goal (Reachable / Unknown), the Internal Properties (Pass / Fail) and the DUT Data Transform Model (Pass / Fail / Unknown).]

- Sets of vector sequences that user generates to accomplish coverage goals
- Directed or Random Vector sequences
- Outputs are “smart-diffed”

SFV Environment

[Diagram: Input Assumptions and Input Biasing feed the SFV environment, which generates the SFV TestBench that drives the DUT RTL. Compared with the conventional flow, the DUT TestPlan Coverage Goals and the Internal Coverage Goal gain the outcome Unreachable (Reachable / Unknown / Unreachable), the Internal Properties gain the outcome Proof (Pass / Fail / Proof), and the DUT Data Transform Model keeps Pass / Fail / Unknown.]

SFV Environment - Test Bench

- Input Assumptions provide legal stimulus
- Input Biasing provides a higher proportion of important events
- Different Random Seeds are applied automatically
- Random Simulation obeys Input Assumptions and Biasing
- FV obeys Input Assumptions; Biasing is irrelevant
- Auto self-adjusts user’s biasing to reach coverage goals
- Coverage goals missed by SFV are reached by directed testing

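The following is an added example, not code from the slides or from the nVIDIA tool they describe: a toy random test bench in Python that models the four test-bench ideas above on a small FIFO. Input Assumptions keep every vector legal (no push when full, no pop when empty), Input Biasing is a push probability, several random seeds are run in turn, and the biasing is nudged toward whichever coverage goal is still missed after each seed. The DUT model, the goal names and the adjustment step of 0.2 are assumptions of this example.

```python
"""Added example (not from the slides): an SFV-style random test bench on a
constructed FIFO DUT with Input Assumptions, Input Biasing, automatic seeds
and self-adjusting biasing.  All names here are this example's own."""
import random

DEPTH = 8  # constructed FIFO depth


class FifoDut:
    """Constructed DUT model: a FIFO of DEPTH entries."""

    def __init__(self):
        self.q = []

    def step(self, push, pop, data):
        """One clock: pop first, then push; illegal requests are ignored."""
        if pop and self.q:
            self.q.pop(0)
        if push and len(self.q) < DEPTH:
            self.q.append(data)

    @property
    def full(self):
        return len(self.q) == DEPTH

    @property
    def empty(self):
        return len(self.q) == 0


def legal_stimulus(dut, rng, push_bias):
    """Input Assumptions: never push when full, never pop when empty.
    Input Biasing: push_bias is the probability of preferring push over pop."""
    want_push = rng.random() < push_bias
    push = want_push and not dut.full
    pop = (not want_push) and not dut.empty
    return push, pop, rng.randrange(256)


# Coverage goals sampled after every clock (stand-ins for Line/Condition goals
# on the full and empty flags).
COVERAGE_GOALS = {
    "fifo_full": lambda d: d.full,
    "fifo_empty": lambda d: d.empty,
}


def run_one_seed(seed, push_bias, cycles):
    """Random simulation with one seed; returns the set of goals hit."""
    rng = random.Random(seed)
    dut = FifoDut()
    hit = set()
    for _ in range(cycles):
        dut.step(*legal_stimulus(dut, rng, push_bias))
        for name, cond in COVERAGE_GOALS.items():
            if cond(dut):
                hit.add(name)
    return hit


def run_sfv_random(seeds, cycles, push_bias=0.5):
    """Apply seeds automatically; after each one, move the biasing toward the
    goals still missed (a crude stand-in for the tool's self-adjustment).
    Returns (covered goals, per-seed history of (seed, bias, covered))."""
    covered = set()
    history = []
    for seed in seeds:
        covered |= run_one_seed(seed, push_bias, cycles)
        history.append((seed, round(push_bias, 2), sorted(covered)))
        missed = set(COVERAGE_GOALS) - covered
        if "fifo_full" in missed:
            push_bias = min(0.95, push_bias + 0.2)   # favour pushes
        elif "fifo_empty" in missed:
            push_bias = max(0.05, push_bias - 0.2)   # favour pops
    return covered, history


if __name__ == "__main__":
    covered, history = run_sfv_random(range(1, 11), cycles=40, push_bias=0.1)
    for seed, bias, done in history:
        print(f"seed {seed:2d}  push_bias {bias:.2f}  covered {done}")
    print("all goals covered" if covered == set(COVERAGE_GOALS) else "goals missed")
```

Starting the run with a push bias of 0.1 makes the fifo_full goal unreachable in practice for the first seeds, so the history shows the bias climbing until the goal is hit; in the slides' flow the goals still missed after this loop would be handed to directed testing.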
Coverage Goals

Automated:
- Line Coverage
- Condition Coverage

User Specified:
- Implementation Specific
- Executable Test Plan

[Flowchart: the Coverage Goals feed an SFV run with biased random ON and formal engines OFF (seeds Rand_Default, Rand_B1 ... Rand_Bm), which produces a Coverage Report. Coverage met? yes: Done. no: partition the uncovered goals (Rand_Default, SFV_G1 ... SFV_Gn) and either run SFV with biased random ON and formal engines ON, or use Directed Testing; the SFV generated vectors are saved for C-RTL output compare.]

Unit Verification Goals Reached

- Coverage goals reached or proved expectedly unreachable:
  - Line
  - Condition
  - User Specified Implementation Specific
  - User Specified Test Plan
- SFV traces that reached above goals = Data Transform Model Output
- White Box Properties proved or bounded proved
- End to End Data Transport Property proved

SFV Engines

- Process 1: Property Falsification or Coverage Goal Reachability
- Process 2: Property Proving or Coverage Goal Unreachability

Using BMC from interesting start states

- Default start state is reset state
- SFV tool uses heuristics to find interesting start states
- User identifies subset of coverage goals as interesting start states
- Requires efficient management of the start states population

Helping SFV tool reach interesting states faster

- Limiting conditions in DUT may be very “deep”
- Tolerable Random Logic Addition to fan-in of internal signals in DUT:

    // a free random input OR-ed into the original full condition
    assign fifo_full = original_RTL_design_logic || random_hi_or_low;

    // a free random input lets the counter jump straight to its timeout value
    always @(posedge clk)
      Tout_cntr <= random_decision ? timeout_value : original_RTL_design_logic;

- Primarily for finding bugs using SAT
- Coverage Goals reached via such techniques are ignored

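As an added example (not the slides' or the tool's code) covering both the BMC-from-interesting-start-states slide and the random-logic-addition slide above: a breadth-first bounded model checker over the explicit state space of a constructed DUT, a busy flag with a timeout counter. From reset the timeout state is 51 clocks deep, so a bound of 20 returns Unknown; from a saved "interesting" start state (a state with the counter already at 40, as a user-marked coverage goal or a tool heuristic would supply) the same bound reaches it; and with the slides' random fan-in added to the counter (Tout_cntr <= random_decision ? timeout_value : original) it is reached from reset in two clocks, but that result is recorded as a bug-hunting aid and not as coverage. The DUT, TIMEOUT, the bound and the status strings are assumptions of this example.

```python
"""Added example (not from the slides): explicit-state BMC from reset and from
an interesting start state, plus tolerable random logic addition.  The DUT
and all names are constructed for this example."""
from collections import deque
from itertools import product

TIMEOUT = 50
RESET = (False, 0)  # state = (busy, cntr)


def dut_next(state, inputs, random_logic=False):
    """One clock of the constructed DUT. inputs = (start, ack, random_decision).
    With random_logic=True the counter gets the slides' extra fan-in:
        Tout_cntr <= random_decision ? timeout_value : original_logic;"""
    busy, cntr = state
    start, ack, random_decision = inputs
    if not busy:
        return (True, 0) if start else RESET
    if ack or cntr == TIMEOUT:      # ack or timeout returns the DUT to idle
        return RESET
    nxt = cntr + 1
    if random_logic and random_decision:
        nxt = TIMEOUT               # the added random logic takes over
    return (True, nxt)


def successors(state, random_logic):
    """All next states over every input combination (inputs are free in BMC)."""
    return {dut_next(state, ins, random_logic) for ins in product((0, 1), repeat=3)}


def bmc_reach(start, goal, bound, random_logic=False):
    """Breadth-first BMC: smallest depth <= bound at which a state satisfying
    goal is reachable from start, or None (the slides' Unknown)."""
    frontier, seen = deque([(start, 0)]), {start}
    while frontier:
        s, d = frontier.popleft()
        if goal(s):
            return d
        if d == bound:
            continue
        for n in successors(s, random_logic):
            if n not in seen:
                seen.add(n)
                frontier.append((n, d + 1))
    return None


# Coverage goal: the timeout line is executed (busy and counter at TIMEOUT).
TIMEOUT_GOAL = lambda s: s[0] and s[1] == TIMEOUT


def sfv_goal_status(goal, bound, interesting_starts=()):
    """Process 1 (reachability) as the slides order it: BMC from reset, then from
    the interesting start states, then with random logic added.  A goal reached
    only through random logic addition is ignored for coverage."""
    if bmc_reach(RESET, goal, bound) is not None:
        return "reached"
    for s in interesting_starts:
        if bmc_reach(s, goal, bound) is not None:
            return "reached from interesting start state"
    if bmc_reach(RESET, goal, bound, random_logic=True) is not None:
        return "reached only with random logic (ignored for coverage)"
    return "unknown"


if __name__ == "__main__":
    # (True, 40) stands for a state saved from a simulation trace that hit a
    # user-marked coverage goal such as "counter reaches 40".
    print("from reset, bound 20:", bmc_reach(RESET, TIMEOUT_GOAL, 20))
    print("from (busy, 40), bound 20:", bmc_reach((True, 40), TIMEOUT_GOAL, 20))
    print("random logic, bound 20:", bmc_reach(RESET, TIMEOUT_GOAL, 20, random_logic=True))
    print(sfv_goal_status(TIMEOUT_GOAL, 20, [(True, 40)]))
```

The explicit-state search stands in for the SAT-based engines of the slides; the point it reproduces is that the bound needed from reset (51 here) is far beyond what a deep design allows, while a well-chosen start state or the random fan-in brings the same goal within a small bound.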
Proving Data Transport Functionality: Intuition

[Diagram: John sends a FEDEX gift to Dan; Dan sends a UPS gift to Bob.]

- If I want to check FEDEX and UPS always deliver safely THEN
- I do not care if Dan changes the gift before sending
- Of course Dan cannot expect to deliver nuclear weapons via UPS

[Figure: with f(x)=x^2, input 2 producing output 4 is labelled "Original"; input 2 producing "garbage" is labelled "Too much!"; input 2 producing "+ve" is labelled "Perfect!"; input 2 producing 2 is labelled "Imperfect!".]

Data Transport Properties

A packet entering the system may not be visible exiting the system if DUT is viewed as a black box:

    P1, P2, ..., Pn  -->  DUT  -->  Q1, Q2, ..., Qm      (n >= 1, m >= 0)

This happens due to
- One or more data transform functions inside DUT or
- Legal dropping of a Packet
- Single Packet may split to multiple destinations
- Multiple Packets may merge to single destination

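The following is an added example and not code from the slides: a scoreboard-style checker for an end-to-end data transport property over a black-box DUT whose outputs are not the packets that entered. The DUT model is constructed for the example: a packet entering is squared (F), then split to two exits, the O1 branch halved (G) and the O2 branch incremented (H) but subject to a data filter (N) that legally drops large values, so one entering packet yields zero, one or two exiting packets. The checker knows only that data transform model and asserts that every exiting packet is a transform of some entering packet, exits at most once, and, once the DUT is flushed, that only filter-dropped packets are missing. The fault injection in dut_black_box exists only to show the checker catching lost and corrupted packets.

```python
"""Added example (not from the slides): an end-to-end data transport checker
for a black-box DUT with a math transform, a split and a legal data filter.
Transforms, ports and fault knobs are constructed for this example."""
from collections import Counter


def F(x):
    return x * x            # math data transform at the entry


def G(x):
    return x // 2           # math data transform on the O1 branch


def H(x):
    return x + 1            # math data transform on the O2 branch


def N(x):
    return x <= 1000        # data filter: True = packet may pass to O2


def expected_outputs(payload):
    """Data transform model: what one entering packet P may produce at the
    exits (m = 1 or 2 here; m = 0 would be a filter on every branch)."""
    y = F(payload)
    outs = [("O1", G(y))]
    if N(y):
        outs.append(("O2", H(y)))
    return outs


def dut_black_box(inputs, drop_every=None, corrupt=None):
    """Constructed DUT behaviour with optional injected faults: every
    drop_every-th O1 packet is lost, and the O2 packet of input index
    `corrupt` has its payload altered.  Returns the exit trace."""
    outputs = []
    for i, p in enumerate(inputs):
        for port, val in expected_outputs(p):
            if port == "O1" and drop_every and i % drop_every == drop_every - 1:
                continue                # lost packet (bug)
            if port == "O2" and corrupt is not None and i == corrupt:
                val += 1                # corrupted payload (bug)
            outputs.append((port, val))
    return outputs


def check_transport(inputs, outputs, flushed=True):
    """End-to-end data transport property.  Returns the list of violations
    (empty list = property holds on this trace).  A packet still inside the
    DUT is not a violation unless the DUT has been flushed."""
    expected = Counter(o for p in inputs for o in expected_outputs(p))
    violations = []
    for port, val in outputs:
        if expected[(port, val)] == 0:
            violations.append(f"unexpected packet {val} on {port}")
        else:
            expected[(port, val)] -= 1
    if flushed:
        for (port, val), cnt in expected.items():
            if cnt > 0:
                violations.append(f"{cnt} packet(s) {val} missing on {port}")
    return violations


if __name__ == "__main__":
    pkts = [3, 5, 40, 7]            # constructed entering packets P1..P4
    print("clean:", check_transport(pkts, dut_black_box(pkts)))
    print("lost:", check_transport(pkts, dut_black_box(pkts, drop_every=2)))
    print("corrupt:", check_transport(pkts, dut_black_box(pkts, corrupt=0)))
```

Because the checker compares multisets of (port, transformed payload) rather than matching packets one-to-one, it tolerates exactly the things the slide lists: transforms inside the DUT, legal drops, and one packet feeding several exits; merging packets would be handled the same way by letting expected_outputs consume more than one entering packet.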
Proving Data Transport Properties

Breakup for FV complexity

[Diagram: packet P enters via I1 and passes through stages numbered 1 to 7: a Deep FIFO, the transforms F(x), G(x), M(x), H(x) and N(x) (legend: Math data transform, Non-Math data transform), a Split and a Data filter; P’ and P’’ exit via O2, and “null” marks a path on which nothing exits.]

Tool Assisted User Interactive Proof Process

[Diagram: regions A, A’, A’’, B, C, C’ and C’’ around the Property.]

- ABC = Cone of Influence of Property
- A’BC’ = Minimal cut-point to prove the Property
- A’’BC’’ = Cut-point that the tool can handle to Prove Property
- [marker lost in extraction] are internal assumptions added to Prove Property within A’’BC’’
- Internal Assumptions are subject to similar Proof Process

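Added example, not the slides' or any tool's code: cone-of-influence reduction and cut-points on a constructed toy netlist, mirroring the ABC / A’BC’ / A’’BC’’ progression above. cone_of_influence computes the transitive fan-in of the property (ABC); a cut turns chosen internal signals into free inputs so the cone shrinks; plan_proof tries the candidate cuts in order of preference and keeps the first whose cone fits the tool's size limit (A’’BC’’), and for every cut signal it returns the cone of the internal assumption that now has to be proved in turn. The netlist, the signal names and the size limit of 8 are assumptions of this example.

```python
"""Added example (not from the slides): cone of influence, cut-points and the
resulting internal-assumption obligations on a constructed netlist."""

# Constructed netlist: signal -> signals it depends on (primary inputs: none).
NETLIST = {
    "in_valid": [], "in_data": [], "cfg": [], "credit": [],
    "fifo_push": ["in_valid", "credit"],
    "fifo_data": ["in_data", "fifo_push"],
    "fifo_cnt": ["fifo_push", "fifo_pop", "fifo_cnt"],   # state element (self loop)
    "fifo_pop": ["fifo_cnt", "cfg", "arb_grant"],
    "arb_grant": ["fifo_cnt", "cfg", "arb_grant"],
    "xform": ["fifo_data", "cfg"],
    "out_valid": ["fifo_pop"],
    "out_data": ["xform", "fifo_pop"],
    "led": ["cfg"],                                      # logic the property never sees
}


def cone_of_influence(netlist, roots, cut=frozenset()):
    """Transitive fan-in of roots.  Signals in `cut` stay in the cone but their
    fan-in is not followed: they become free inputs of the proof."""
    cone, stack = set(), list(roots)
    while stack:
        s = stack.pop()
        if s in cone:
            continue
        cone.add(s)
        if s in cut:
            continue
        stack.extend(netlist[s])
    return cone


def plan_proof(netlist, prop_roots, candidate_cuts, max_signals):
    """Choose the first cut (no cut first, then candidates in order of
    preference) whose cone fits the tool's limit.  Each cut signal needs an
    internal assumption, returned here as its own proof obligation with its
    own cone, to be handled by the same process.  Returns
    (cut, cone, {cut_signal: cone_of_its_assumption}) or None."""
    for cut in [frozenset()] + [frozenset(c) for c in candidate_cuts]:
        cone = cone_of_influence(netlist, prop_roots, cut)
        if len(cone) <= max_signals:
            obligations = {s: cone_of_influence(netlist, [s]) for s in cut}
            return cut, cone, obligations
    return None


if __name__ == "__main__":
    prop = ["out_valid", "out_data"]      # end-to-end property over the exits
    print("ABC:", sorted(cone_of_influence(NETLIST, prop)))
    plan = plan_proof(NETLIST, prop, [["fifo_pop"], ["fifo_pop", "fifo_data"]], 8)
    cut, cone, obligations = plan
    print("cut:", sorted(cut), "cone size:", len(cone))
    for sig, oc in obligations.items():
        print(f"assumption on {sig} must be proved over {len(oc)} signals")
```

In the run above the full cone holds 12 of the 13 signals (only led falls outside it), cutting fifo_pop alone still leaves 10, and cutting fifo_pop and fifo_data brings the property's cone down to 6 at the price of two internal assumptions whose own cones (7 and 5 signals) are then proved by the same procedure.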
Enhanced SFV Environment

[Diagram: as in the SFV Environment above (Input Assumptions and Input Biasing, generated SFV TestBench, DUT RTL), with the DUT Data Transport Property added as a target alongside the DUT TestPlan Coverage Goals, the Internal Coverage Goal (Reachable / Unknown / Unreachable), the Internal Properties (Pass / Fail / Proof) and the DUT Data Transform Model (Pass / Fail / Unknown).]

Enhanced Unit Verification Goals Reached

- Coverage goals reached or proved expectedly unreachable:
  - Line
  - Condition
  - User Specified Implementation Specific
  - User Specified Test Plan
- SFV traces that reached above goals = Data Transform Model Output
- White Box Properties proved or bounded proved
- End to End Data Transport Property proved
- Important Properties of Complex Control Logic Blocks proved

Future Improvements

- Formal engines parallelized to reach goals faster
- Efficient Management of interesting start states population
- Automating “logic addition” to DUT to reach bugs faster
- Automate Assume Guarantee Verification for proofs