

# Taming Formal to define the Verification Quality

Surinder Sood, ARM Ltd, Manchester UK, *surinder.sood@arm.com*

Kishan Mushar, ARM Ltd , Manchester UK, *kishan.mushar@arm.com*



# Motivation and Problem statement

- There is no technique available to verify specific system behavior which should guarantee
  - Completeness
  - Correctness
  - Consistency
- Lack of 3Cs in formal environments lead to poor verification quality<sup>1</sup>
- Moreover, Proof convergence for all the properties is difficult to achieve using available state-of-the-art formal techniques.
- As the designs scale, convergence of proofs become more challenging, questioning verification quality.

<sup>1</sup><https://dvcon-proceedings.org/document/lets-be-formal-while-talking-about-verification-quality-a-novel-approach-to-qualify-assertion-based-vips/>

# Main Idea: Property refinement based formal verification Qualification



<sup>1</sup>A. Cimatti and S. Tonetta, "Contracts-refinement proof system for component-based embedded systems," *Science of computer programming*, vol. 97, pp. 333–348, 2015.

<sup>2</sup>A novel formal verification technique to System verification using contract refinement, Surinder Sood, Nirmal Jose and Scott Meeth, "DAC 2024, San Francisco, USA"

# Evidence: Formal verification of a Clock and power block [CPB] in SMMU

- CPB manages clock supply and power modes of (TMU) Translation Management Unit in SMMU.
- The CPB not only interfaces with external power and clock controllers but also interfaces with the TMU's constituent blocks once the CPB has decided to powerup, to tell such blocks to perform initialization activities via the dedicated init\_req/done interfaces
- Adjacent table shows few of the issues in the verification testbench which were fixed by applying the proposed methodology

| Design Issue             | Property                                                                                                            | Property Status(UC P/ICP/MP ) | Comments                                                                                                                                                                                                                                                                                        |
|--------------------------|---------------------------------------------------------------------------------------------------------------------|-------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Output signal Stuck at 0 | The power down request should be propagated to connected blocks and that can only be done if <b>qaccept</b> is high | ICP-Converging                | XDMCP* protocol, where the signal <b>qaccept</b> was stuck at 0. The <b>incomplete property</b> passed and does not check complimentary functionality                                                                                                                                           |
| Output signal stuck at 0 | Power down request can only be received when LPIPD is in QREQUEST and PTI Interface Block fence is open.            | ICP-Converging                | XDMCP* protocol, where the signal <b>qdeny</b> was stuck at 0. The <b>incomplete property</b> passed and does not check complimentary functionality. So if fence is open the corresponding interface should accept the incoming traffic, and when fence is closed, <b>qdeny</b> should be high. |
| Output signal stuck at 0 | To enable clock gating in a block, a proper start - done sequence should be followed                                | ICP-Converging                | Start-done handshake protocol, where <b>start</b> signal was stuck at 0. <b>incomplete property</b> passed and does not check complimentary functionality                                                                                                                                       |
| Output signal stuck at 1 | During power down the RAS interface is masked                                                                       | ICP & UCP                     | The property to check the mask behavior for RAS was missing, and when we wrote the property it was not converging. We used Refinement solution to make this property converge, with a guarantee that it covers both the scenarios when mask is set or when mask is cleared                      |

\*<https://www.x.org/releases/X11R7.7/doc/libXdmcp/xdmcp.html>

# Evidence: Formal verification of Clock and power block [CPB]

| Snapshot of Faults in the CPB Block |                  |                 |          |              |         |                                                             |
|-------------------------------------|------------------|-----------------|----------|--------------|---------|-------------------------------------------------------------|
| Fault Category                      | Faults in design | Non-activated * | Detected | Non-detected | Dropped | Comments                                                    |
| Top outputs connectivity            | 33               | 9               | 18       | 1            | 5       | Few of the design faults were dropped as they were trivial. |
| Internal connectivity               | 87               | 15              |          |              | 72      | Internal faults were not of much relevance to this block    |
| Combo Logic                         | 5                | 0               | 5        | 0            | 0       |                                                             |
| Synchronous control flow            | 0                | 0               | 0        | 0            | 0       |                                                             |

- Functional qualification performs a run by injecting faults in the Design Under Verification and executes testcases to measure the ability of the verification environment to detect these faults.
- Weaknesses in the verification can be discovered by analyzing the Non-Activated, Non-Propagated and Non-Detected faults.
- Adjacent table show the results, where it was able to detect flaws in Formal Verification Test Bench.

\*Non activated faults means, the properties to activate these faults is missing



# Summary

1. Design instrumentation is a promising approach to qualify formal testbenches
2. When this approach is integrated with our proof convergence technique (deployed on un-converged properties), the results are very promising as this dual approach not only converge the properties of a bigger design but also qualifies our verification.
3. We are researching further on the following aspects of functional qualification:
  1. Instrumenting the design using custom faults which are meant for specific design blocks (like synchronous/asynchronous/pipelined etc..)
  2. AI Assisted functional qualification.
  3. Security verification qualification: Correlating faults with security threats and checking the quality of a formal TB.