

### Lessons Learned while Verifying the ZipCPU

Gisselquist Technology, LLC

Daniel E. Gisselquist, Ph.D.



## G Overview

Overview
 Formal Properties
 Formal Tools
 Expectations
 Properties
 Instruction Cache
 Data Cache
 Decoder
 Debug Port
 Abstraction
 Aggregation
 Multi-Pass
 Bugs
 Lessons
 Next time

Backups

#### What is formal verification?

- My expectations before starting
- Initial Formal Properties / Lessons Learned
  - Verifying the cache(s)
  - Instruction Decoder
  - Debug Port
  - Abstraction and the Multiplier
  - Aggregation
  - Multi-Pass Verification
- Bugs found and fixed

We'll be discussing lessons learned along the way

### **G** Formal Properties

Overview Formal  $\triangleright$  Properties Formal Tools Expectations Properties Instruction Cache Data Cache Decoder Debug Port Abstraction Aggregation Multi-Pass Bugs Lessons Next time

Backups

Three types of properties:

- 1. **assume**(): Limits the search space
- 2. **assert**(): Should never happen
  - The solver *wins* if it can find a way to break an assertion A trace is created if an assertion can be made to fail
- 3. **cover**(): Prove something can happen A trace is provided with every success

Given that my assumptions hold, prove that my assertions hold

### **G** Formal Properties

Overview Formal  $\triangleright$  Properties Formal Tools Expectations Properties Instruction Cache Data Cache Decoder Debug Port Abstraction Aggregation Multi-Pass Bugs Lessons Next time

Backups

Three types of properties:

- 1. **assume**(): Limits the search space
- 2. **assert**(): Should never happen
  - The solver *wins* if it can find a way to break an assertion A trace is created if an assertion can be made to fail
- 3. **cover**(): Prove something can happen A trace is provided with every success

Given that my assumptions hold, prove that my assertions hold "The solver is quite a bastard isn't he?" Yes he is.

### **G** Formal Properties

Overview Formal  $\triangleright$  Properties Formal Tools Expectations Properties Instruction Cache Data Cache Decoder **Debug Port** Abstraction Aggregation Multi-Pass Bugs Lessons Next time

Backups

Three types of properties:

- 1. **assume**(): Limits the search space
- 2. **assert**(): Should never happen
  - The solver *wins* if it can find a way to break an assertion A trace is created if an assertion can be made to fail
- 3. **cover**(): Prove something can happen A trace is provided with every success

Given that my assumptions hold, prove that my assertions hold "The solver is quite a bastard isn't he?" Yes he is. For reasoning with time

• **\$past**(X): Value of X one clock ago

## G Formal Tools



## G Formal Tools



## **G** Expectations

Overview Formal Properties Formal Tools ▷ Expectations Properties Instruction Cache Data Cache Decoder Debug Port Abstraction Aggregation Multi-Pass Bugs Lessons Next time

Backups

#### Before starting

- Formally verified all the components
  - Core: Prefetch, I-cache, Decoder, ALU, divide, memory unit
  - Peripherals: timer, counter, interrupt controller
  - Others: bus arbiter(s), delay, etc.
- Only the top level remained

Initially, concerned with pipeline bugs

- Vanishing instructions
- Duplicated instructions
- Register forwarding bugs

## **G** Properties



## **G** Expectations

OverviewFormal PropertiesFormal ToolsExpectations▷ PropertiesInstruction CacheData CacheDecoderDebug PortAbstractionAggregationMulti-PassBugsLessonsNext time

Backups

```
4 Exectution units (ALU, MPY, DIV, MEM, DBG)
```

Only one write to register file at a time

## **G**<sup>T</sup> Properties

Overview Formal Properties Formal Tools Expectations ▷ Properties Instruction Cache Data Cache Decoder Debug Port Abstraction Aggregation Multi-Pass Bugs Lessons Next time

4 Exectution units (ALU, MPY, DIV, MEM, DBG)

- Only write to register file at a time
- Memory operations cannot be rolled back

Backups

## **G** Properties

| Overview          |
|-------------------|
| Formal Properties |
| Formal Tools      |
| Expectations      |
| Properties        |
| Instruction Cache |
| Data Cache        |
| Decoder           |
| Debug Port        |
| Abstraction       |
| Aggregation       |
| Multi-Pass        |
| Bugs              |
| Lessons           |
| Next time         |
|                   |
|                   |

Backups

4 Exectution units (ALU, MPY, DIV, MEM, DBG)

- Only write to register file at a time
- Memory operations cannot be rolled back
- Operands going into the execute units *must* match the current register state
- Wishbone interactions must follow interface properties
- Instructions from PF are constant until accepted

This was a common criteria for several stages

### **G**<sup>-</sup> Instruction Cache

| Overview          |
|-------------------|
| Formal Properties |
| Formal Tools      |
| Expectations      |
| Properties        |
| Instruction       |
| ▷ Cache           |
| Data Cache        |
| Decoder           |
| Debug Port        |
| Abstraction       |
| Aggregation       |
| Multi-Pass        |
| Bugs              |
| Lessons           |
| Next time         |
|                   |
| Backups           |
|                   |
|                   |
|                   |

#### Three necessary properties

Pick an arbitrary address and its value

```
(* anyconst *) reg [31:0] f_addr, f_data;
```

### **G**<sup>-</sup> Instruction Cache

```
Overview
Formal Properties
Formal Tools
Expectations
Properties
    Instruction
\triangleright Cache
Data Cache
Decoder
Debug Port
Abstraction
Aggregation
Multi-Pass
Bugs
Lessons
Next time
```

Backups

Three necessary properties

Pick an arbitrary address and its value

```
(* anyconst *) reg [31:0] f_addr, f_data;
```

1. **assume**() the bus response

```
always @(*)
if ((i_wb_ack)&&(returned_address == f_addr))
    assume(i_wb_data == f_data);
```

### **G**<sup>-</sup> Instruction Cache

```
Overview
Formal Properties
Formal Tools
Expectations
Properties
    Instruction
\triangleright Cache
Data Cache
Decoder
Debug Port
Abstraction
Aggregation
Multi-Pass
Bugs
Lessons
Next time
Backups
```

Three necessary properties

Pick an arbitrary address and its value

```
(* anyconst *) reg [31:0] f_addr, f_data;
```

1. **assume**() the bus response

```
always @(*)
if ((i_wb_ack)&&(returned_address == f_addr))
    assume(i_wb_data == f_data);
```

2. **assert**() the cache holds the correct value

```
always @(*)
if (address_is_in_the_cache)
    assert(cache[f_addr[CS-1:0]] == f_data);
```

```
Overview
Formal Properties
                           Formal Tools
Expectations
Properties
    Instruction
\triangleright Cache
Data Cache
                         1.
Decoder
                         2.
Debug Port
Abstraction
                         3.
Aggregation
Multi-Pass
Bugs
Lessons
Next time
```

Backups

Three necessary properties

Pick an arbitrary address and its value

```
(* anyconst *) reg [31:0] f_addr, f_data;
```

- 1. **assume**() the bus response
- 2. **assert**() the cache holds the correct value
- 3. assert() the cache return

```
always @(*)
if ((pf_valid)&&(pf_instruction_pc == f_addr))
    assert(pf_instruction == f_data);
```

```
Overview
Formal Properties
Formal Tools
Expectations
Properties
    Instruction
\triangleright Cache
Data Cache
Decoder
Debug Port
Abstraction
Aggregation
Multi-Pass
Bugs
Lessons
Next time
```

Backups

Three necessary properties

Pick an arbitrary address and its value

```
(* anyconst *) reg [31:0] f_addr, f_data;
```

- 1. **assume**() the bus response
- 2. **assert**() the cache holds the correct value
- 3. **assert**() the cache return

```
always @(*)
if ((pf_valid)&&(pf_instruction_pc == f_addr))
    assert(pf_instruction == f_data);
```

Lesson learned:

Verifying cache components is *really easy*!

```
Overview
Formal Properties
Formal Tools
Expectations
Properties
    Instruction
\triangleright Cache
Data Cache
Decoder
Debug Port
Abstraction
Aggregation
Multi-Pass
Bugs
Lessons
Next time
```

Backups

#### Three necessary properties

Pick an arbitrary address and its value

```
(* anyconst *) reg [31:0] f_addr, f_data;
```

- 1. **assume**() the bus response
- 2. **assert**() the cache holds the correct value
- 3. **assert**() the cache return

```
always @(*)
if ((pf_valid)&&(pf_instruction_pc == f_addr))
    assert(pf_instruction == f_data);
```

Lesson learned:

- Verifying cache components is *really easy*!
- Easier than building the cache in the first place

Overview Formal Properties Formal Tools Expectations Properties Instruction ▷ Cache Data Cache Decoder Debug Port Abstraction Aggregation Multi-Pass Bugs Lessons

Next time

Backups

#### The **cover**() statement is *very* powerful

What must happen to make this true?

- Reset
- Instruction Request
- Cache miss
- Fill the cache line
- Return a value from the cache

All returned in a trace.

## G Data Cache

Overview Formal Properties Formal Tools Expectations Properties Instruction Cache  $\triangleright$  Data Cache Decoder Debug Port Abstraction Aggregation Multi-Pass Bugs Lessons Next time Backups

#### Applied the same methods to the data cache

- Developed using Formal Methods
- Still had one bug in simulation
  - ... but only one bug

## G Data Cache

|                   | ۸   |
|-------------------|-----|
| Overview          | Ар  |
| Formal Properties |     |
| Formal Tools      |     |
| Expectations      | _   |
| Properties        |     |
| Instruction Cache |     |
| ⊳ Data Cache      |     |
| Decoder           | les |
| Debug Port        |     |
| Abstraction       |     |
| Aggregation       |     |
| Multi-Pass        |     |
| Bugs              | _   |
| Lessons           |     |
| Next time         |     |
| Backups           |     |

Applied the same methods to the data cache

- Developed using Formal Methods
- Still had one bug in simulation
  - ... but only one bug

#### \_esson learned:

- Formal methods find the most bugs
- Tools can return quickly
- Resulting trace points directly to bug
- Minimum number of logic steps necessary
- Still needed simulation

### **G**<sup>-</sup> Instruction Decoder

Overview Formal Properties Formal Tools Expectations Properties Instruction Cache Data Cache Data Cache Debug Port Abstraction Aggregation Multi-Pass Bugs Lessons Next time

Backups

Mistake:

Only tested the transitions

The check doesn't apply when the pipeline is stalled
 Invalid states not caught during induction

- Ex: Might decode into divide and ALU op

### **G** Instruction Decoder

Overview Formal Properties Formal Tools Expectations Properties Instruction Cache Data Cache Debug Port Abstraction Aggregation Multi-Pass Bugs Lessons Next time

Backups

Lesson learned:

Should have verified the outputs instead of the transitions

```
always @(posedge i_clk)
if (dcd_ce)
    f_last_insn <= pf_insn;
always @(*)
if (dcd_valid)
    assert(o_dcdR == f_last_insn[30:25]);</pre>
```

This check is applied at all times
 Even when the pipeline is stalled

## G Debug Port

- Overview Formal Properties Formal Tools Expectations Properties Instruction Cache Data Cache Decoder ▷ Debug Port Abstraction Aggregation Multi-Pass
- The ZipCPU has a debugging port
- Reset/halt CPU
- $\hfill\square$  Read/set registers within the CPU



Backups

Bugs Lessons Next time

## G Debug Port

Overview Formal Properties Formal Tools Expectations Properties Instruction Cache Data Cache Decoder ▷ Debug Port Abstraction Aggregation Multi-Pass Bugs Lessons Next time Backups

The ZipCPU has a debugging port

- Reset/halt CPU
- Read/set registers within the CPU



This simple interface caused no end of problems!

- At one time, I assumed no debug access just to keep focused
   Problem was the pipeline
- Solution was to reload the pipeline on any debug write

## G Debug Port

Overview Formal Properties Formal Tools Expectations Properties Instruction Cache Data Cache Decoder ▷ Debug Port Abstraction Aggregation Multi-Pass Bugs Lessons Next time Backups

The ZipCPU has a debugging port

- Reset/halt CPU
- Read/set registers within the CPU



This simple interface caused no end of problems!

- At one time, I assumed no debug access just to keep focused
   Problem was the pipeline
- Solution was to reload the pipeline on any debug write

Lesson learned:

Simple things aren't

## **G** Abstraction

Overview Formal Properties Formal Tools Expectations Properties Instruction Cache Data Cache Debug Port ▷ Abstraction Aggregation Multi-Pass Bugs Lessons Next time

Backups

#### Ex: Multiply

Returns an arbitrary value

- Solver picks result
- Require: maintains signaling
- Prove CPU logic works

## **G** Abstraction

Overview Formal Properties Formal Tools Expectations Properties Instruction Cache Data Cache Decoder Debug Port Debug Port Abstraction Aggregation Multi-Pass

Bugs

Lessons

Next time

Backups

#### Ex: Multiply

- Returns an arbitrary value
- Solver picks result
- Require: maintains signaling
- Prove CPU logic works

#### Reality:

Top level CPU worked and proven
Missed a bug in the actual multiplier

Lesson Learned:

- Create a property file for each interface
  - Prefetch, decoder, ALU, memory unit

## **G** Aggregation





Prove every component before beginning

## **G** Aggregation





- Swap component assertions with assumptions
- $\hfill\square$  Whole new set of CPU properties

## **G** Aggregation





Lesson learned:

- Sub-module assumptions aren't given
- The need to be proven

## G Multi-Pass Verification

Overview Formal Properties Formal Tools

Expectations

Properties

Instruction Cache

Data Cache

Decoder

Debug Port

Abstraction

Aggregation

▷ Multi-Pass

Bugs

Lessons

Next time

Backups



# G Multi-Pass Verification

Overview Formal Properties Formal Tools Expectations Properties Instruction Cache Data Cache Decoder Debug Port Abstraction Aggregation  $\triangleright$  Multi-Pass Bugs

Lessons Next time

Backups



Anything you've proved, ...

... can become assumptions to prove something more

### **G** Multi-Pass Verification

Overview Formal Properties Formal Tools Expectations Properties Instruction Cache Data Cache Decoder Debug Port Abstraction Aggregation ▷ Multi-Pass Bugs Lessons Next time

Backups



Anything you've proved, ...

... can become assumptions to prove something more
 Must be done in order

- You can't assume stage #1 until you've first proven it via assertions.
- Any logic change will send you back to the beginning

### G Two-Pass Verification

#### First pass

Overview

Formal Properties

Instruction Cache

Formal Tools

Expectations

Properties

Data Cache Decoder

Debug Port Abstraction

Aggregation

Bugs Lessons Next time

Backups

▷ Multi-Pass

- Prove component assumptions
- Ad-hoc assertions
- Pipeline assertions

#### Second pass

- Assume a known instruction
- Verify its implementation

### G Two-Pass Verification

#### First pass

Overview

**Formal Properties** 

Instruction Cache

Formal Tools

Expectations

Properties

Data Cache Decoder

Debug Port Abstraction

Aggregation

Bugs

Lessons Next time

Backups

▷ Multi-Pass

- Prove component assumptions
- Ad-hoc assertions
- Pipeline assertions

#### Second pass

- Assume a known instruction
- Verify its implementation

#### Lesson Learned:

- Assuming a known instruction was a waste of time
- First pass assertions were not trivial
- Most logic proved on the first pass
- One pass would've been easier and simpler

## G ZipCPU Bugs Fixed

|                                                                                                                                                                                                                                   | ZIPCFO Dugs Fixed                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Overview<br>Formal Properties<br>Formal Tools<br>Expectations<br>Properties<br>Instruction Cache<br>Data Cache<br>Decoder<br>Debug Port<br>Abstraction<br>Aggregation<br>Multi-Pass<br>▷> Bugs<br>Lessons<br>Next time<br>Backups | <ul> <li>Bus error on instruction read might not halt CPU</li> <li>Memory reads into the program counter didn't stall the pipeline</li> <li>Interrupts might break compressed instruction words</li> <li>Debug register writes broke register values in the pipeline</li> <li>CPU might halt mid-compressed instruction pair</li> <li>Multicycle ALU operations (i.e. MPY's) set the wrong flags</li> <li>Divides would start before multiplies were finished</li> <li>Break instructions might get ignored</li> <li>Memory instructions might still be issued while an illegal instruction exception was pending</li> <li>Memory FIFO had no overflow protection</li> <li>CPU would switch to an interrupt state before completing memory operations</li> </ul> |
|                                                                                                                                                                                                                                   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |

I was very glad I did it!

### G Lesson Learned

| Overview          |
|-------------------|
| Formal Properties |
| Formal Tools      |
| Expectations      |
| Properties        |
| Instruction Cache |
| Data Cache        |
| Decoder           |
| Debug Port        |
| Abstraction       |
| Aggregation       |
| Multi-Pass        |
| Bugs              |
| ▷ Lessons         |
| Next time         |
|                   |
| Backups           |

#### Before using formal methods

- Simulated many programs on the ZipCPU
- Applied the CPU to many FPGA Boards
- Debugging on an FPGA is difficult
- Simulation requires GB+ traces

### G Lesson Learned

| Overview          |
|-------------------|
| Formal Properties |
| Formal Tools      |
| Expectations      |
| Properties        |
| nstruction Cache  |
| Data Cache        |
| Decoder           |
| Debug Port        |
| Abstraction       |
| Aggregation       |
| Multi-Pass        |
| Bugs              |
| Lessons           |
| Next time         |
|                   |
|                   |

Backups

### Before using formal methods

- Simulated many programs on the ZipCPU
- Applied the CPU to many FPGA Boards
- Debugging on an FPGA is difficult
- $\square$  Simulation requires GB+ traces

#### With formal

- Simulation alone didn't cut it
- Even an incomplete proof is valuable
- What you don't prove, will surprise you
- Simulation requires GB of trace, formal 20-60kB
- $\hfill \$  Still needed simulation
- Can take a simulation symptom, and recreate it to fix it

## G Next time

Overview Formal Properties Formal Tools Expectations Properties Instruction Cache Data Cache Decoder Debug Port Abstraction Aggregation Multi-Pass Bugs Lessons  $\triangleright$  Next time Backups

If I had to do it over ...

- I'd start with formal verification
  - ... even before Simulation
  - ... definitely before code bloat



Prov 14:23a

## GT CPU Survey

| Overview          |
|-------------------|
| Formal Properties |
| Formal Tools      |
| Expectations      |
| Properties        |
| Instruction Cache |
| Data Cache        |
| Decoder           |
| Debug Port        |
| Abstraction       |
| Aggregation       |
| Multi-Pass        |
| Bugs              |
| Lessons           |
| Next time         |
|                   |

▷ Backups

| Feature                                    | NiOS                                  | $\mu$ Blaze    | ECO-32                | RISC-V  | OpenRISC  | LM32    | ZipCPU          |
|--------------------------------------------|---------------------------------------|----------------|-----------------------|---------|-----------|---------|-----------------|
| Open Architecture?                         | No                                    |                |                       | Yes     |           |         |                 |
| Number of Instructions                     | 86                                    | 129            | 61                    | 50+     | 48+       | 62      | 28+             |
| OpCode Bits                                | 6–17                                  | 6–11           | 6                     | 10      | 6–32      | 6       | 5               |
| Interrupt/Exception Vectors                | 1                                     | 6              | 2                     | 9+      | 14        | 32      | None            |
| Register Indirect plus displacement (bits) |                                       | 16 12 16       |                       |         |           | 14      |                 |
| Immediate direct addressing (bits)         |                                       | 16, using R0=0 |                       |         |           | 18      |                 |
| Relative branching (bits)                  |                                       | 16             | 26 (28)               | 21      | 26        | 21      | 18              |
| Conditional branching (bits)               | 16                                    |                | 16 (18)               | 13      | 26        | 16      | 18              |
| Register Size (bits)                       | 32                                    |                | 32 (Opt. 64 Exts.) 32 |         | 32-bits   |         |                 |
| Special Purpose Registers                  | 6                                     | 25             | 6                     | 66+     | 65+       | 10      | 1 (x2)          |
| General Purpose Registers                  | 32 (but R0=0, others are unusable,24) |                |                       |         |           | 14 (x2) |                 |
| 8–bit data                                 | Yes                                   |                |                       |         | Yes       |         |                 |
| 16–bit data                                | Yes                                   |                |                       |         | Yes       |         |                 |
| 32–bit data                                | Yes                                   |                |                       |         | Yes       |         |                 |
| 64–bit data                                | No                                    |                | Yes, by extension     |         | No        | Yes     |                 |
| 32–bit floats                              | Opt                                   | tional         | No                    | Yes, by | extension | No      | Yes, not native |
| MMU                                        | Yes, but optional                     |                |                       |         | Verified  |         |                 |
| Instruction Cache                          | Yes, configurable                     |                |                       |         | Optional  |         |                 |
| Data Cache                                 | Yes, configurable                     |                |                       |         | Optional  |         |                 |
|                                            |                                       |                |                       |         |           |         |                 |

 $\Lambda\Lambda$