Automated Method Eliminates X Bugs in RTL and Gates
Kai-hui Chang, Yen-ting Liu and Chris Browy
2
Abstract
Due to physical design resource planning and low power requirements, registers may be left uninitialized creating Xs (unknowns) in the design. However, logic simulation cannot handle Xs accurately due to X-optimism and X-pessimism problems, masking such X bugs in simulation-based verification flows. In this work we propose a comprehensive methodology and several innovative techniques that can identify unforseen X problems at the RTL and remove false Xs popping up in gate-level simulation. The methodology is currently in production use and has helped resolve X issues for dozens of chips. By finding X bugs prior to tape out, expensive respins caused by masked Xs can be avoided.
3
Cause and Effect of Xs in Designs
X is used to represent an unknown value in logic simulation – The value can be either 0 or 1
Common causes of X– Inputs, registers, or memory not initialized and X corruption on
power down cycle
Dangers of X– Xs may cause nondeterministic operation
Simulator problems with X– X semantics are inaccurate (optimism, pessimism)– Leads to RTL vs gate-level simulation mismatch– X problems are either masked or there are too many false alarms
Unless fully examined, Xs may exist after tape out causing expensive respins from designs that don’t work
4
X-Optimism and X-Pessimism in Logic Simulation
X-pessimism– Xs are propagated even though
0/1 value is known– Ambiguous results lead to
more X-assignments than are unnecessary
Output = ( a & b ) | ( ~a & c );
Example of X-pessimism
1’b0 1’b1 1’b11’b11’b1
1’b1 1’b1 1’b11’b01’b1
1’bx 1’b1 1’b11’bx1’bx
Simulation mismatch
X-Optimism – 0/1 value propagated instead of X– Interpretation of X causes
only one conditional branch to be considered
Example of X-Optimism
always @(*) if (sel) reg1 = 0; else reg1 = 1;
1’b0 If branch
else branch1’b1
1’bx Hardware
Simulation mismatch
5
Existing Solutions and Limitations Techniques to find Xs at the RTL
– VCS and VRQ Xprop generate Xs for X-optimism May create too many false alarms
– Formal tools can identify real Xs Scalability is an issue and writing constraints can be difficult
Techniques to eliminate Xs at the gate level – Random deposit replaces Xs with 0/1 values
May mask bugs– Structural analysis using Perl/C scripts
May miss false Xs not in the template– Replace an X with 0/1 and run simulations
Requires lots of simulation
Need a better comprehensive methodology to handle Xs!
6
X-Prescreener (Optional)selects tests from testsuite for X analysis
Finding X Bugs in RTL
module foo(a, b, c, o1, o2, o3);input a, b, c;output o, o2, o3;reg o2, o3;assign o=a & b;always @(a, b, c) o2= a | c;…
RTL model with X bugs masked by X-optimism
XOPT Formal detects X bugsin reg-reg, reg-output paths
XOPT Sim (Optional)heuristically exposesX problems by biasingexecution paths
module foo(a, b, c, o1, o2, o3);input a, b, c;output o, o2, o3;reg o2, o3;assign o=a & b;always @(a, b, c) o2= a | c;…
Xoptimism
StartRTL model with X bugs exposed,sequential X pathstrace back to X source
Logic synthesis
No X bugs found in RTL
Fix RTL
7
Finding X Bugs in Gates
Gate-level netlistwith false Xs removedand X bugs exposed
Safe Deposit Analysis (Optional) formally identifies non-controlling Xs to reduce false Xs
SimXACTformally removesall combinationalfalse Xs
Gate-level netlist with X bugs hidden among false Xs
Done
Start
Gate-level netlistwith false Xs removedand no X bugs exposed
Fix RTL
8
Case Study: Network Processor
X-Verification Level Setup Results
XOPT Formal RTL Auto-partitioned functional unit into 6 blocks
~300K flops total
Found 11 X bugs that required RTL change and no false alarms
~6 hours runtime
Safe Deposit Gates Analyzed 1 block
~4K DFFs/latches
~1K safely deposited eliminating ¼ X source DFFs
~1 min runtime
SimXACT Gates Ran 10+ functional units separately
~5M DFFs/latches total
a few thousand false Xs fixed (force/deposit) including a few hundred gated-clock X-pessimism
~2 hours runtime/unit analyzed
X bugs will be missed if random deposit was used
9
X-Prescreener (New Innovation)
Figures out which tests may expose X problems and should run through X analysis– Running X analysis takes time and effort
X-Prescreener is a simulator add-on that monitors X activities when running tests– It collects X activities and aggregates similar X conditions
encountered in different tests– Then automatically selects subset to cover all the X conditions
X-Prescreener provides engineers valuable information on which tests should be used for X analysis
10
Finding X Bugs at the RTL and Gate Level
RTL XOPT Formal– Uses symbolic simulation to formally prove whether Xs will cause
reg-reg, reg-output non-determinism for real traces [DAC’09]– Spatial and temporal partitioning improves scalability [DATE’10]– Analysis based on the principle of most astonishment to reduce
formal effort [IEEE D&T’11]
RTL XOPT Sim– Heuristically deposits non-X values to replace Xs when they are
encountered at if/case conditions in logic simulation– Deposit values are derived from formal analysis to bias logic
simulation toward exploring new execution paths and expose X bugs
Gate level: Safe Deposit Analysis and SimXACT– Gate level simulation can detect X bugs but the bugs are hidden
among false Xs − our solution eliminates false Xs to expose real bugs
11
Safe Deposit Analysis (New Innovation)
Safe deposit analysis identifies non-controlling Xs– Those Xs will be eliminated by the reset sequence and can be
replaced with 0/1 without masking any bug– Fewer Xs will generate fewer false Xs, thus reducing analysis effort
Example– The X symbol “x1” from Reg1 is non-controlling (masked by
downstream logic) and can be safely replaced with 0/1
Reg1
Reg2
Reg3
Reg4
Output1x1
x2
0
!x2
(x1&0) | x2 = x2
x2
1
0
12
SimXACT Analysis [DAC’12, US Patent 8402405]
SimXACT analysis generates auxiliary behavior code to fix combinational false Xs
always @(g1.o or g8.o or g2.o)if (g8.o === 1’bx && g1.o === 1’b1 &&
g2.o === 1’b1)force g6.o= 1’b0;
elserelease g6.o;
False Xs will be eliminated by the “fix”, allowing gate-level simulation to produce correct results
a
reset
OR(g1)
reg2
OR(g2)
AND(g5)
AND(g4)
reg1
INV(g3)
b
0
1
1
1
1
x
x
x
x
x
c
AND(g7)
1
xINV(g8)
NOR(g6)
x x
13
Gated-clock False X Fix (New Innovation) False Xs may be generated due to gated-clocks The X at wire “o” is false
– if X is treated as 0, “ena” is 0, 0x will not occur, “r1” stays at 0– if X is treated as 1, “ena” is 1, “reg1” will latch the 0 at “r1”
o should be 0 either way, but logic simulation produces a false X
We formally analyze gated-clock structure for false Xs and generate fixes Fix example:
icg
reg1
clk
r1 o
ena
reg2r2
AND
clk
r2o
x
1
0
1
1
x x
0x
01
01always @(posedge dut.clk)if (dut.reg1.q === 1’bx && dut.r1 == 1’b0 && dut.reg2.q == 1’b1) $deposit(dut.reg1.q, 0);
14
Conclusions
We proposed a comprehensive methodology and several innovative techniques to find X problems before tape out
X-Prescreener selects a required set of tests to analyze XOPT Formal formally verifies the design to find X bugs XOPT Sim heuristically directs logic simulation toward
exposing X bugs Safe Deposit Analysis eliminates non-controlling Xs
discovered during reset in gate-level simulation SimXACT eliminates all false Xs in gate-level simulation,
exposing real X problems The proposed methodology is in commercial production use
and helped resolve X issues in dozens of chips