Industrial Strength Formal Using Abstractions

TL;DR

This paper introduces an abstraction-based methodology for formal verification of concurrent systems, enabling efficient detection of bugs and proof of correctness across diverse design types and application domains.

Contribution

The paper presents a novel abstraction and invariant-based approach for verifying ordering and arbitration in complex, multi-domain concurrent system designs.

Findings

Verified over 100 FIFO types with a single assertion

Adapted FIFO verification to multiple arbiter types

Successfully verified multi-clocked synchronizers and networking designs

Abstract

Verification of concurrent systems with thousands of multiple threads and transactions is a challenging problem not just for simulation or emulation but also for formal. To get designs to work correctly and provide optimal PPA the designers often use complex optimizations requiring sharing of multiple resources amongst active threads and transactions using FIFOs, stallers, pipelining, out-of-order scheduling, and complex layered arbitration. This is true of most non-trivial designs irrespective of a specific application domain such as CPU, GPU or communication. At the outset a lot of these application domains look diverse and complex; however at some level of detail all of these employ common design principles of sequencing, load balancing, arbitration and hazard prevention. We present in this paper a key abstraction based methodology for verifying ordering correctness and arbitration across a range of designs which are derived from different application domains. We show how by using abstractions and supporting them with invariants one can not only find deep corner case bugs in sequentially very deep designs; we can also build exhaustive proofs to prove the absence of critical bugs such as deadlock, starvation, and loss of data integrity. We present experimental results on a range of different designs and show that on some of the designs such as FIFOs we can verify over 100 different types of FIFOs for ordering correctness using a single assertion in a single testbench. We also show how the methodology of FIFO verification can be adapted to verify over half-a-dozen different types of arbiters including a very complex memory subsystem arbiter. We verify a multi-clocked synchronizer and a packet based design from a networking domain using the same abstraction as used in FIFO verification. The results demonstrate the strength of our methodology which is both reusable and compact.