Second formal check aids deadlock hunting
Arm and Mentor proposed adding a second assertions check to a traditional deadlock-hunting process in a high profile paper at this year’s virtual Design Automation Conference.
In the paper ‘Easy deadlock verification and debug with advanced formal’, the authors describe a traditional strategy. This uses ‘watchdogs’ – usually local but sometimes global monitor clocks – and assertions to which are applied, as before, proofs of liveness based on the LTL (linear temporal logic) semantics within SystemVerilog Assertions and Property Specification Language, but now also an additional set of checks based on CTL (computational tree logic) semantics.
The differences between the two formats is that the LTL approach is better at picking out what Arm and Mentor consider ‘maybe escapable’ deadlocks, while the CTL one is better at spotting those that are ‘unescapable’.
Presenting at DAC, Arm CPU formal verification team leader Laurent Arditi likened the difference between the two definitions to a koala lazing in a tree and not really in the mood to move (‘maybe escapable’) and a racoon caught in a trap (‘unescapable’).
This kind of categorization and filtering makes it easier and quicker to move through and allocate deadlock hunting and debug tasks.
- An inescapable deadlock is a design bug that requires a ticket to be sent back to the design team.
- A scenario with an ‘uninteresting’ escape condition can likely be solved with safety constraints (though will need to be rerun once these have been added).
- A scenario with a ‘valid’ escap condition can, by contrast, probably be addressed using fairness constraints (and, as above, rerun).
The strategy was adopted in the context of Mentor’s Questa Formal verification tool and has been applied by Arm to a large CPU in development across portions such as the instruction fetch unit FSMs, L1 data cache arbiter and credit-based protocol.
Arm’s Vincent Abikhattar told DAC that, “For the proof time, it only took a few minutes to get the results with no special overhead for also running the inescapable deadlock checks.”
Leave a Comment
You must be logged in to post a comment.