This paper discusses our experiences and results in applying functional formal verification (FFV) techniques to the design of the IBM pSeries* microprocessor and communication subsystem. We describe the evolution of FFV deployment across several generations of this product line, including tool and algorithmic improvements, as well as methodological improvements for prioritizing the portions of the design that should be considered for formal verification coverage. Improvements made in the formal verification toolset, including the introduction of semiformal verification and bounded-model-checking algorithms, have allowed increasingly larger partitions to become candidates for formal coverage. Other tool enhancements, such as phase-abstraction techniques to deal with clock-gating schemes, are presented. Overall, numerous complex design flaws were discovered using formal techniques across the microprocessor and communication subsystem, many of which would likely have escaped to the test floor.
1. Introduction
Functional formal verification (FFV) is the process of proving that a design adheres to its specification. Unlike simulation-based approaches, which may fail to expose certain design flaws, formal verification yields exhaustive coverage with respect to the properties specified [1, 2]. The practical limitation of FFV stems from the fact that formal algorithms tend to require exponential resources with respect to design size. Thus, in practice, FFV can only be applied to the smaller design components. The task of developing a complete set of correctness properties to be verified at these lower design levels requires careful review by the design and verification teams. While FFV is guaranteed to expose all flaws with respect to the specified properties, design flaws (commonly referred to as "bugs") may slip through the process because of omitted or improperly defined properties. Simulation environments, which scale to the chip and system level, benefit from the fact that at these higher levels even design flaws which are not targeted by dedicated checks are likely to propagate to other logic and ultimately be exposed. Thus, the exhaustive coverage for specified properties yielded through formal verification and the broader sampling of coverage yielded from simulation are complementary methods in the verification process.
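To make the contrast between exhaustive coverage of a specified property and the probabilistic sampling of random simulation concrete, the following is an added example, not code from the paper, from IBM, or from RuleBase. It runs an explicit-state bounded model check (breadth-first unrolling of the design from its initial state, the same idea that bounded model checking applies with a SAT solver) over a constructed two-requester arbiter whose hand-off path contains a deliberately planted corner-case bug, and compares that with seeded random simulation. The arbiter model (`arbiter_buggy`, `arbiter_fixed`), the `mutual_exclusion` property and the input vectors are all assumptions constructed for this illustration. It also shows the point the paragraph makes about resources: because this toy has only three reachable states, the bounded search exhausts the state space and becomes a full proof, whereas on a real partition the reachable state space grows exponentially with the number of latches and the bound is what keeps the check tractable.

```python
"""Added example: explicit-state bounded model checking of a constructed
two-requester arbiter, contrasted with random simulation.  The design, the
planted bug and the property are hypothetical and not the pSeries logic."""
from collections import deque
from itertools import product
import random

INPUTS = list(product([False, True], repeat=3))   # (req0, req1, rel) per cycle
IDLE = None                                        # no requester owns the resource


def arbiter_buggy(owner, req0, req1, rel):
    """One clock cycle of the constructed arbiter.

    Returns (next_owner, grant0, grant1); the grants are this cycle's outputs.
    The hand-off path (owner releasing while both requesters are pending)
    carries a constructed corner-case bug: the new owner is granted while the
    old owner's grant is left asserted for the same cycle.
    """
    if owner is IDLE:
        if req0:
            return 0, True, False
        if req1:
            return 1, False, True
        return IDLE, False, False
    if not rel:
        return owner, owner == 0, owner == 1       # owner keeps its grant
    if req0 and req1:
        return 0, True, owner == 1                 # BUG: stale grant1 on hand-off from 1
    if req0:
        return 0, True, False
    if req1:
        return 1, False, True
    return IDLE, False, False


def arbiter_fixed(owner, req0, req1, rel):
    """Same arbiter with the hand-off path dropping the old grant."""
    if owner is not IDLE and rel and req0 and req1:
        return 0, True, False
    return arbiter_buggy(owner, req0, req1, rel)


def mutual_exclusion(grant0, grant1):
    """Safety property checked on every cycle's outputs."""
    return not (grant0 and grant1)


def bmc(step, prop, bound, init=IDLE):
    """Breadth-first unrolling of `step` from `init` for up to `bound` cycles.

    Returns (trace, exhausted): `trace` is the shortest input sequence whose
    outputs violate `prop`, or None if none exists within the bound;
    `exhausted` is True when every reachable state was visited before the bound
    ran out, in which case a None trace is an unbounded proof of `prop`.
    Pruning already-visited states is sound for a safety property because any
    violation reachable from a revisited state was reachable from its first visit.
    """
    frontier = deque([(init, ())])
    seen = {init}
    for _ in range(bound):
        if not frontier:
            break
        for _ in range(len(frontier)):
            state, trace = frontier.popleft()
            for inp in INPUTS:
                nxt, g0, g1 = step(state, *inp)
                if not prop(g0, g1):
                    return trace + (inp,), False
                if nxt not in seen:
                    seen.add(nxt)
                    frontier.append((nxt, trace + (inp,)))
    return None, not frontier


def replay(step, trace, init=IDLE):
    """Drive the design with `trace`; return each cycle's (grant0, grant1)."""
    state, outs = init, []
    for inp in trace:
        state, g0, g1 = step(state, *inp)
        outs.append((g0, g1))
    return outs


def random_simulate(step, prop, cycles, seed=1, init=IDLE):
    """Random stimulus; returns the first failing cycle, or None if none seen."""
    rng = random.Random(seed)
    state = init
    for cycle in range(1, cycles + 1):
        inp = tuple(rng.random() < 0.5 for _ in range(3))
        state, g0, g1 = step(state, *inp)
        if not prop(g0, g1):
            return cycle
    return None


if __name__ == "__main__":
    cex, _ = bmc(arbiter_buggy, mutual_exclusion, bound=10)
    print("buggy: shortest counterexample", cex, "->", replay(arbiter_buggy, cex))
    print("buggy: random simulation failed at cycle",
          random_simulate(arbiter_buggy, mutual_exclusion, 1000))
    print("fixed: (trace, exhausted) =", bmc(arbiter_fixed, mutual_exclusion, bound=10))
```

With a bound of 10 the buggy design yields the two-cycle counterexample (request by 1, then release with both requesting); with a bound of 1 the same check is inconclusive, which is exactly the caveat of a bounded proof. On the fixed design the search runs out of new states at depth 2 and reports `exhausted`, turning the bounded check into a complete proof of the property, a situation that only arises because the reachable state space is tiny.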
Formal verification has been identified in the hardware development industry as a critical technology in the overall design and verification process because of its ability to expose design flaws that reside in rarely exercised paths. Such paths are probabilistically difficult to hit in a random simulation environment and can be challenging to hit in the fabricated hardware. Design flaws that reside in these rarely exercised paths are referred to as "corner-case" bugs. Design flaws that remain unexposed through the pre-fabrication verification process lead to considerable expense in schedule delays once the problem is ultimately exposed on the test floor or in the field. Thus, industry has increasingly made use of formal verification techniques to catch such corner-case problems before fabricating the design. For example, bounded-model-checking techniques have been applied to the design of the Alpha microprocessor memory subsystem [3], and Intel has invested in formal tools and methodologies to expose problems in its microprocessor designs [4, 5]. FFV has been deployed on the IBM pSeries* processors and communication subsystem since 1996 with the POWER3* chips. The POWER3 microprocessor verification effort used an early version of RuleBase [6], a formal verification tool developed by the IBM Haifa Research Laboratory, in an experimental and limited fashion. A larger formal effort was undertaken on the POWER4* microprocessor [7]. Within the POWER4 effort, the verification team gained experience in using the formal tools as well as in choosing the most appropriate logic to verify. For the POWER5* verification work, improvements in the formal verification tools, including the availability of semiformal algorithms, allowed the verification team to verify larger blocks of logic. This enabled formal verification to be deployed on more logic with less effort.
The ability to verify larger partitions allowed the team to target more encompassing architectural and microarchitectural properties, rather than a restricted subset of properties at lower-level interfaces. This additionally enabled the application of formal methods to tasks which hitherto would have been infeasible, such as the re-creation of test-floor failures and the analysis of coverage results [8], both on larger design partitions encompassing numerous communicating blocks of logic.
This paper details the experience of deploying formal methods on the pSeries POWER5 processor and the communication subsystem, which consists of the pSeries High Performance Switch (HPS) and the Switch Network Interface (SNI). The motivation and value of using functional formal verification is discussed, as well as the strategy used in choosing where to deploy FFV within the designs. The processor and communication subsystem designs have differing design characteristics, which in turn affect the selection of the formal algorithms that will be most effective on those designs. Functional formal verification on the processor core posed unique challenges that were not encountered in the HPS or SNI designs. The primary difference in the processor design is the use of multi-phase latching schemes. The phase-abstraction technique described in Section 5 details the methodology developed to deal with this complexity, which helps make FFV feasible on such a design. A secondary difference between the designs is the type of partitioning appropriate to each. Within the communication subsystem, meaningful partitions could be readily identified that fit within the size limitations of FFV. Specific properties within these designs could be difficult to prove entirely at times, but a certain level of meaningful coverage was generally attainable. In the POWER4 timeframe, a general challenge on the processor core was simply to identify a meaningful partition of logic that was within the size limitations of FFV. While numerous design flaws were found that were significant to the integrity of the POWER4 design, the FFV deployment was often restricted to lower-level partitions that could fit within the size limitations of the tools, rendering the overall architectural and microarchitectural coverage attained through those efforts somewhat lacking. The introduction of semiformal methods in POWER5 helped alleviate these restrictions.