Thought Leadership

Exploring essential concepts in Formal Verification

What is a witness? is it the same as a counterexample?

A witness is a sequence of inputs that demonstrates how an assertion is satisfied, showing that the design behaves as expected. A counterexample, on the other hand, is a sequence of inputs that violates an assertion, indicating a potential bug or design flaw. Both can be used to generate simulation tests that help engineers debug and verify the design.

Example: Consider an assertion in a power management unit that ensures a signal only goes high when the system is in a specific power state. If a counterexample is found, it might show a scenario where the signal incorrectly goes high, suggesting a bug in the power state logic. Conversely, a witness would show the correct sequence of inputs that leads to the signal going high, confirming that the assertion holds true under the specified conditions.

What is a formal app?

Formal apps are specialized tools that solve specific verification problems without the need for user-defined assertions. These apps are designed to address common verification challenges like register specification, connectivity checks, protocol compliance, and clock-domain crossings. They provide a quick and automated way to verify certain aspects of a design, reducing the time and effort required for verification.

Example: In a complex SoC design, a formal app might be used to verify that all intended connections between modules are correctly implemented. This app could quickly identify any missing or incorrect connections, such as a misconfigured bus or an unconnected signal, without requiring the engineer to write detailed assertions. This allows the verification team to focus on more complex verification tasks while ensuring that basic connectivity issues are automatically checked.

Is it possible to combine coverage metrics from simulation and formal?

Yes, combining coverage metrics from simulation and formal verification provides a more comprehensive view of the verification progress. Structural coverage from simulation shows which parts of the design have been exercised by the testbench, while formal coverage from formal verification shows how well the design is covered by assertions.

Example: In the verification of a complex CPU, structural coverage from simulation might reveal that certain portions of the processor’s instruction set have been tested. Coverage from formal verification could then show that all possible faults in the instruction decoding logic have been detected. By combining these metrics, the verification team can identify any gaps in the coverage and focus their efforts on areas that require more attention, ensuring that the CPU is fully verified.

Can emulation or FPGA prototyping replace formal verification?

While emulation and FPGA prototyping can run tests faster and provide valuable insights into system performance, they cannot replace the exhaustive analysis provided by formal verification. Formal verification is unique in its ability to consider all possible scenarios, making it indispensable for ensuring the highest level of design correctness.

Example: An emulation platform might be used to run software on a prototype of an SoC, allowing the development team to test system performance and software integration. However, this approach might miss rare corner-case bugs that only occur under specific conditions. Formal verification, with its ability to analyze all possible input sequences, would complement the emulation by ensuring that these corner cases are not overlooked, providing a more thorough verification of the SoC.

Is formal verification needed for FPGAs?

Absolutely. As FPGAs have evolved into complex system-on-chip (SoC) devices, they require verification processes like those used for ASICs. Formal verification, particularly equivalence checking, is critical for ensuring that design optimizations during FPGA synthesis and place-and-route do not alter the intended functionality.

Example: An FPGA-based network switch might undergo significant optimization during synthesis to meet performance targets. These optimizations could involve moving logic across register stages or reordering state machines. Formal equivalence checking ensures that these changes do not alter the switch’s intended behavior, preventing functional discrepancies in the final deployed system. Without this step, a subtle bug could go unnoticed, leading to costly issues in the field.

In this enhanced blog series, we delve deeper into the world of formal verification, providing Examples to illustrate its critical role in hardware design. By the end of this series, readers will have a comprehensive understanding of formal verification and its application in ensuring robust, reliable hardware designs.

Nicolae Tusinschi
Product Manager Static and Formal Solutions

Nicolae Tusinschi is a product manager for static and formal verification solutions at Siemens EDA. He holds a master’s degree combined between the University of Southampton and the University of Kaiserslautern. After a master’s thesis at Continental, Nicolae joined OneSpin, where he worked in QA, then as a product specialist and later served as product owner for design verification tools at OneSpin. His key projects include integrating simulation coverage with formal metrics, leveraging coverage results in the verification process, formal verification of RISC-V cores.

More from this author

Leave a Reply

This article first appeared on the Siemens Digital Industries Software blog at https://blogs.sw.siemens.com/verificationhorizons/2024/09/18/exploring-essential-concepts-in-formal-verification/