| Login | | Don't have an account yet? You can create one. As a registered user you have some advantages like theme manager, comments configuration and post comments with your name. | |
| Who's Online | There are currently, 55 guest(s) and 0 member(s) that are online.
You are Anonymous user. You can register for free by clicking here | |
 | |
|
Verification Guild: Forums |
|
| View previous topic :: View next topic |
| Author |
Message |
alexg
Senior
![]()
Joined: Jan 07, 2004
Posts: 586
Location: Ottawa
|
 Posted: Mon Oct 18, 2004 4:27 pm Post subject: Models vs Checkers/Scoreboards |
 |
|
| dave_whipp wrote: |
It [model] serves a few purposes: the most important is that it acts as a reference model agaist which we compare the behavior of the RTL. |
Both structural models and checkers/scoreboards can be used to continuosly check DUT functionality in the testbench. In my opinion, checkers/scoreboards are preferable for this task. The main reasons for this are:
1. Ability to implement non-complete functions.
Since checkers are passive components, they can easily implement non-complete functions such as order-independent datapath validation in the packet-oriented media etc.
2. Modularity.
Checkers/Scoreboards allow modular checks implementation with linear (not exponential) complexity/size scaling. It is also possible to build the number of independed checkers. Proper division of these checkers functionality (for example, protocol-specific vs DUT-specific) allows significantly higher level of reuse.
It would be interesting to get more opinions on this topic. |
|
| Back to top |
|
 |
dave_whipp
Senior
Joined: Jan 06, 2004
Posts: 76
Location: Santa Clara, CA
|
| Posted: Mon Oct 18, 2004 8:55 pm Post subject: |
|
|
There are a number of ways to tackle this question, but I think that, for any non-trivial high level behavior, a model is easier to both verify and validate.
As a "simple" example, consider the assertion "this machine has a behavior consistant with the X86 instruction set architecture". The standard implementation of this assertion is to create an ISA model, and create a smart-diff script to compare transaction/state information that are dumped from rtl and model.
The "partial function" point is relevant, but is not exclusive to the assertion approach. The context of the quoted text was discussed the "rtl synchronization" approach, where don't care values are fed back from rtl into the predictor.
Imagine we are doing a simple square-root function, where we have a desired accuracy of +- 1e-6, but the rtl calculates it to a greate accuracy to avoid loss of accuracy in future calculations. This means that the value is a combination of "do care" and "don't care". We can implement this in a synchronized model, by used an assertion of the value we get (assert abs(rtl_value ^2 - predicted_value) < 1e-6), and having validated it, we can use the rtl's value to keep the predictor synchronised with the rtl.
A similar approach can be used anywhere where a partial prediction is needed: add an assertion to validate the value, then use the actual value.
Using a model does not prevent us from using assertions, etc. It just one tool in the toolkit.
The idea of modularity is nice, but features aren't really as orthogonal as we might wish. If the purpose of a test is to draw a teapot, then that test is exercising thousands of individual features, and probably checking 10s of millions of instances of those features. Even if you have assertions for each individual feature, you still want to know if, when they all interact, the picture looks like a teapot. If you need modularity, then to create the model as modular software. |
|
| Back to top |
|
|
alexg
Senior
![]()
Joined: Jan 07, 2004
Posts: 586
Location: Ottawa
|
| Posted: Mon Oct 18, 2004 11:28 pm Post subject: |
|
|
| Quote: | As a "simple" example, consider the assertion "this machine has a behavior consistant with the X86 instruction set architecture". The standard implementation of this assertion is to create an ISA model, and create a smart-diff script to compare transaction/state information that are dumped from rtl and model.
|
This assertion is complex, the same as, for example, assertion "this protocol should be PCI-express compliant". Fortunately, such complex assertions can be sub-divided to the set of more detailed ones. Such division, IMHO, is the most powerful weapon in verification. Thorough analysis of complex functions and their subdivision, either hierarchical or modular, replaces it with a set of more simple ones. Modular checking & functional coverage components can be created for each ones of the functions from this set. Note, that debug and development of these components can be independent from each other, allowing scalability and preserving stability of the testbench.
| Quote: |
Imagine we are doing a simple square-root function, where we have a desired accuracy of +- 1e-6, but the rtl calculates it to a greate accuracy to avoid loss of accuracy in future calculations. This means that the value is a combination of "do care" and "don't care". We can implement this in a synchronized model, by used an assertion of the value we get (assert abs(rtl_value ^2 - predicted_value) < 1e-6), and having validated it, we can use the rtl's value to keep the predictor synchronised with the rtl.
|
I don't see the reason to develop non-precise model and then another "comparing" function between this model and actual RTL. Why not to simply assert: assert (abs (out_rtl_value - SQRT(in_rtl_value)) < 1e-6)) ? This is what we want to check, and this is the easiest and natural implementation of checking function. Then, let's assume that we are verifying ALU which can do more calculations, using the same input and output interface signals. For each function, we can create independent checking function, which can be added anytime and debugged independently of all the others.
| Quote: | | Using a model does not prevent us from using assertions, etc. It just one tool in the toolkit. |
Assertions, or modular checkers, can serve different purposes. They can be attached directly to RTL, working in cycle-precise domain, or they can operate in transactional domain with the help of monitors/data extractors. Then, these modular checkers will completely eliminate the need of the model.
| Quote: | | The idea of modularity is nice, but features aren't really as orthogonal as we might wish. If the purpose of a test is to draw a teapot, then that test is exercising thousands of individual features, and probably checking 10s of millions of instances of those features. Even if you have assertions for each individual feature, you still want to know if, when they all interact, the picture looks like a teapot. If you need modularity, then to create the model as modular software. |
If the features are complex and difficult-to-decompose to either orthogonal (independent) or hierarchical (layered) components, so they are poorly defined. Any complex function definition can be sub-divided to layers, each one being simpler and easier to deal with. If we want to beat complexity, we have to start to do so during specification stage.
Regards,
Alexander Gnusin |
|
| Back to top |
|
|
dave_whipp
Senior
Joined: Jan 06, 2004
Posts: 76
Location: Santa Clara, CA
|
| Posted: Tue Oct 19, 2004 2:04 am Post subject: |
|
|
| Quote: | | Such division, IMHO, is the most powerful weapon in verification. |
Basic decomposition gets you only so far. This is one of those areas at which one can throw quotes. I think it was Dijkstra who said "There is no problem that cannot be solved by an extra level of indirection ... except the problem of too much indirection". If you break a problem into too many parts then it becomes fragments, creating the equally great problem of demonstrating that all the parts work.
I am a great fan of assertions, but I do not beleive that they are a silver bullet. It may be true that, Bertrand Russel quipped, "The advantages of implicit specification over construction are roughly those of theft over honest toil", but we must also remember Knuth: "beware of bugs in the above code; I have only proved it correct, not tried it".
OK, enough of the quotes.
I regard a "predictor model plus diff" as one big assertion. My example with the sqrt function was intended, in part, to demonstrate that for simple things, I agree that we should use assertions (it doesn't make any difference where that assertion is -- rtl or model). But it also shows why we don't need to verify at that level: we assume that sqrt works, and add the assertion to cover that assumption. The interesting questions are how that calculation fits into the big bicture, and how butterfly effects magnify lsb deltas.
Any complex system is both hard to decompose and poorly defined. Any verification methodology that doesn't make that assumption is destined to fail. A model allows to to explore that undefined puzzle, but prodding it at seeing what happens. Unless you have a Prolog engine available, its difficult to do that with assertions (and even if you do, you might not want to wait for the answers). If you've created a model as part of your specification phase, then one of the most important assertions your can write is "my implementation is consistent with the model" because that assertion is equivalent to "... with the specification". (Of course, if you don't need an architectural model to explore the specification, then to don't need to compare against it. But in that case, you don't have a complex system). |
|
| Back to top |
|
|
alexg
Senior
![]()
Joined: Jan 07, 2004
Posts: 586
Location: Ottawa
|
| Posted: Tue Oct 19, 2004 8:25 am Post subject: |
|
|
| Quote: | | I am a great fan of assertions, but I do not beleive that they are a silver bullet. |
Me too. Assertions (checkers) are only part of the whole picture. Another part is functional coverage, which makes sure that our tests invoke the function. Most important is the actual function definition. If we are able to decompose complex funciton to the set of more simple ones, we win.
Now, I am not saying that we need to continue this decomposition until we reach the huge number of primitive functions (Design Complier can do it better  ) . I am sayng that we need to end up with the set of MANAGEABLE functions, and then verify each one of them. BTW, the same applies for design as well.
Why Intel succeeded to develop complex processors? Because they succeeded to decompose processor function to the manageable set of more simple functions. Imagine 1200 engineers working on one project? Decomosition and thorough architectural analisys can make it possible.
Look at the human society. As a whole, we perform amazingly complex functions (economical regulation, country management etc). How human beings can do them? Using the same principle: decomposition.
Why do we write Verification Plan? Because at the very beginning we have one big assertion: "Design must implement all functionality defined in Spec". Unfortunately, this assertion is rarely manageable by one person. The whole task of writing Verification plan is nothing more that analytical decomposition of this assertion to the set of smaller and manageable ones.
Modeling is really important to make this decomposition possible. We have to use high-level modeling to explore the function and find optimal decomposition solutions (which naturally become parts of the model). Note, that we are still in Specification stage. Using modeling in specification stage allows us to not use modeling for the verification stage, where it requires much more effors because of continous model refinement and model-to-model verifications after each one of refinements.
Here is another example.
We are contructing new car with advanced engine and want to check that it can reach 200 mph speed. One way to do so is modeling. We can take another car with regular engine and drive both of them, requiring that new car will have the same or higher speed. There are two problems with this approach, though. First, we have to use another car, which may be expensive. Second, we may erroneously assume that our reference car has required speed. How can we guaruantee, that the speed of reference car is 200 mph? The best solution is to check it with the radar. But, having radar, why not to use it directly on the new car?
So, the conclusions are:
1. Usage of Reference car (model) does not eliminate the usage of the radar (checker). We still have to develop checking components and tests to verify our model.
2. Reference car (model) is much more expensive than radar (checker). This is because car has an active device (being able to drive), while radar is only passive device (being able to check).
Regards,
Alexander Gnusin |
|
| Back to top |
|
|
dave_whipp
Senior
Joined: Jan 06, 2004
Posts: 76
Location: Santa Clara, CA
|
| Posted: Tue Oct 19, 2004 11:33 am Post subject: |
|
|
Lets say that I accept your analogy of "putting a new engine oin an old car" as a proxy for a model. Its not perfect, bt it is adequate to demonstrate why models are important during verification.
Your use of the model is simply to compare maximum speed -- which, as you say, is better done by direct measurement, and so is a waste of a good model.
A better way to use it is to drive both cars round a track for a few hours, with different fuel loads, tires, etc. We continuously record as much telemetry as possible fromthe two vehicles -- but to keep things simple, lets say we just have the speed measured every second over a 12 hour test.
What do we do now? We plot the data from both cars and overlay the graphs, WE then look to see how they differ. As a result of this comparison, we notice that when changing to 4th gear on a left hand bend with light fuel load, the acceleration of the new car has a slightly differnt profile compared to the model (its still within spec -- but it catches our eye because it wiggles relative to the model). We decide to investigate this difference, and ultimately find a reliability issue that would have reduce the MTBF for the gear box by 6 months.
You don't use a model to measure a single fact. You use it to make a prediction of complex behavior (over time), and then detect divergence from that prediction without needing to predict where that divergence might be. |
|
| Back to top |
|
|
alexg
Senior
![]()
Joined: Jan 07, 2004
Posts: 586
Location: Ottawa
|
| Posted: Tue Oct 19, 2004 1:26 pm Post subject: |
|
|
Dave,
You are assuming that your reference car (model) is free of bugs. I am assuming that the fact that car is simply different (model is written using another language) doesn't make it perfect by definition. Any models, especially complex ones, require verification too, which means - testbench, test, checker, coverage points etc. Any modification of complex model requires regression tests on the model.
For checkers, due to their modular srtucture and ability to implement any uncomplete functionality checks, this process is significantly easier.
Regards,
Alexander Gnusin |
|
| Back to top |
|
|
dave_whipp
Senior
Joined: Jan 06, 2004
Posts: 76
Location: Santa Clara, CA
|
| Posted: Tue Oct 19, 2004 3:17 pm Post subject: |
|
|
I don't know where you came up with the idea that I don't think that models (or tests, or assertions) contain bugs. My experience is that the RTL is usually the last place to look: we sometimes joke that the purpose of the RTL is to find bugs in the model. When you are using a model, the thing you look for is a difference between the prediction and the observed behavior. Once you find a difference, you then dig in to localise the difference (model, rtl, diff-script, nfs-cache corruption, etc.), and then work out the root cause.
One of the problems I find with complex assertions is that I don't know how to test them. False-fail is easy to detect, but how do you test that an assertion is not giving you a false-pass? I've seem methodologies where tools insert random bugs into a design to make sure they see every assertion fail, but those tools are not mainstream.
I don't understand your final paragraph" "for checkers, due to their modular nature...". In what way is a system of checkers more modular than a properly written model? And "... ability to implement any uncompelete functionality checks": my first post in this thread explained how to implement incomplete function modeling. |
|
| Back to top |
|
|
alexg
Senior
![]()
Joined: Jan 07, 2004
Posts: 586
Location: Ottawa
|
| Posted: Tue Oct 19, 2004 8:49 pm Post subject: |
|
|
| Quote: | | I don't know where you came up with the idea that I don't think that models (or tests, or assertions) contain bugs |
I made the wrong conclusion from your previous posting, where you've compared CUT (car-under-test ) speed with the reference one.
| Quote: |
One of the problems I find with complex assertions is that I don't know how to test them. False-fail is easy to detect, but how do you test that an assertion is not giving you a false-pass? I've seem methodologies where tools insert random bugs into a design to make sure they see every assertion fail, but those tools are not mainstream.
|
First, let me explain what I mean by assertion or checker. (I don't like the word "assertion" since I've heard the number of different definitions of this term, all of them being different from what I mean ). Let's call it "checker", since the primary function of this component is checking.
In most cases, checkers deal with transactions only. They receive transactions from the monitors. Monitors extract transactions from both external and internal DUT interfaces. Note, that these monitors are protocol-specific (not dut-specific) components which allows 100% reuse of them from project to project. High level of reuse actually make them very stable, since they have to operate in different tesbenches with different stimulus and modes.
Then, there are 2 basic checker types: DUT functions checkers and bus checkers. The funciton of bus checkers is constant validation of protocol rules (those are also DUT-independent and hence highly reusable).
The function of DUT checker is to validate DUT behavior on transaction level only (since it is supported by monitors). This is the only one non-reusable DUT-specific component.
How to verify it? If DUT function is simple, we may verify it together with DUT RTL. If DUT function is complex, we may have transaction-level models developed during architectural stage. Then, this checker may be attached to this model for verification reasons.
Then, DUT checker can be built in the modular way. You can also have the number of independent checkers, which may be developed and debugged incrementally. New checking functionality may be added insensitive to the rest of the logic, which eliminates the need of regression testing. Coverage points may be defined on the top of checking components to verify the invocation of complex DUT functions.
I believe, that verification of models as you describe them is much more complicated. If model contains both transaction-level and cycle-precise, both protocol and DUT-specific logic, it is much more difficult to verify it.
Regards,
Alexander Gnusin |
|
| Back to top |
|
|
dave_whipp
Senior
Joined: Jan 06, 2004
Posts: 76
Location: Santa Clara, CA
|
| Posted: Tue Oct 19, 2004 10:51 pm Post subject: |
|
|
"I made wrong conclusion from your previous post ... you compared ... to reference"
The act of comparing tells you there's a difference. It doesn't tell you which is right (if either). One danger of simple model Vs rtl comparison is the possibility of common-mode errors. As a rule of thum, you want 3 descriptions of any behavior. So, for example, you might use a self-checking test as the third description.
I can see that I was reading too much into your use of the word "assertion". Checkers as you descibe them are something else entirely.
The methodology you describe is what I think of as the "Testbuilder" methodology, because the first place I saw it really promoted in public was at an Testbuilder (Cadence) seminar about 5 years ago. A company named Azanda presented as a "Success Story": they taped out a switch fabric using a methodology that sounds identical to what you describe. There are probably some papers on the web somewhere
I felt at the time, and continue to believe, that the methodology doesn't scale to complex systems (switch fabrics are somewhat regular, and ahve moderately simple end-to-end behavior). If end-to-end behavior is more than the sum of its parts, then the highest layer of checkers has to span the whole system. I'm not sure that it has to be strictly hierarchical, though Testbuilder used C++ in a non-object-oriented way, so I tend to assume that it is hierarchical.
The thing is, if you push too far in the direction of multi-layer non-hierarchical web of intercommunicating checkers, then what you end up with is a transaction model of the system: created bottomn up. And if you don't push that far, then you'll have holes in your coverage.
A actually agree with your final paragraph: verification of a complex system is much more complex than simply setting up a set of protocol checkers on the interfaces between [sub] units. As Einstein said: "things should be made as simple as possible, but no simpler". |
|
| Back to top |
|
|
alexg
Senior
![]()
Joined: Jan 07, 2004
Posts: 586
Location: Ottawa
|
| Posted: Wed Oct 20, 2004 7:29 pm Post subject: |
|
|
| Quote: | The act of comparing tells you there's a difference. It doesn't tell you which is right (if either). One danger of simple model Vs rtl comparison is the possibility of common-mode errors. As a rule of thum, you want 3 descriptions of any behavior. So, for example, you might use a self-checking test as the third description.
|
I don't see how magic number "3" can solve the problem. What if the third description is yet another model and how many models we have need to create to develop the confidence that specific property is verified? And why to use the models at all, if we still have to develop self-checking test? And, then, why only one self-checking test, which will check the property in only one selected mode and for only one moment of time?
Giving this "rule of thumb", you probably feel, that models as you describe them cannot guarantee that the set of properties defined in Specification will hold for all time moments and in all design modes. Why? Because models are still yet another implementations, written in another way.
Usually, Specification documents contain the mix of specification propeties and implementation details. In some cases, implementation details are proposed (such as key FSMs diagrams), since they will greatly facilitate description of functionality. However, major part of specification document still describes the properties of the system.
Now, properties serve as constraints on implementation space, and there is possible to develop numerous different implementation under the same constraints.
For example, the arbitration has to be fair, as defined in spec. We can come out with the number of implementations of this property. In order to verify them, we may want to develop the model of the arbiter. If we are not familiar with actual implementation and develop the arbiter model in different way, our model<->DUT verification will fail for sure. If we are familiar with implementation, we'll copy this implementation for a model (using, for example, nice object-oriented language) and our testbench will be flawless. However, we'll still dont know whether both the model and implementation are fair...
Another solution will be to develop the checker of fairness property. Once developed, it will be implementation-independent and check exactly what we need to verify in arbiter.
You use another car to check the properties of CUT (car-under-test). Then, you may use yet another car to check the properties of another car. You may spend tons of time and money, without actually verifying the properties.
What if you'll use sensors on CUT without using any other cars at all? Those are devices specially developed to test the properties. They are much cheaper than yet another cars, and they'll give you much better confidence that the properties are working.
The main reasons for that is that sensors (checkers) are developed to CHECK, while yet another cars (models) are developed to DRIVE (function the same as DUT).
| Quote: | The thing is, if you push too far in the direction of multi-layer non-hierarchical web of intercommunicating checkers, then what you end up with is a transaction model of the system: created bottomn up. And if you don't push that far, then you'll have holes in your coverage.
|
Idon't think this is true for the checkers. Checkers are purely property-oriented, and don't need to follow implementation details or algorithms (if they do follow, they are useless). The radar don't need to have working 6-cylinder engine in order to check the speed.
Then, property-to-implementation is one-to-many relationship. Even if I'll want to develop the model of the system based on properties defined in specification, I'll create different-from-implementation model which will be useless for verification reasons.
Regards,
Alexander Gnusin |
|
| Back to top |
|
|
dave_whipp
Senior
Joined: Jan 06, 2004
Posts: 76
Location: Santa Clara, CA
|
| Posted: Thu Oct 21, 2004 12:19 am Post subject: |
|
|
| Quote: |
I don't see how magic number "3" can solve the problem
|
Its a matter of dimishing returns. The more idependent formal descriptions you have, the better your confidence will be. But there's a law of dimishing returns. With ony 2 descriptions (one of which being the RTL), experience tells me that you'll have serious holes (I once measured 20% holes in a project where we relied on directed tests -- this was about 8 years ago, but human nature doesn't change). So I like to have 2 different verification descriptions. This could be 2 models (at different abstractions); or it could be a model plus a network of assertions or checkers.
My typical verification strategy will use assertions to test implementation properties (i.e. don't pop an entry from an empty fifo); checkers for transaction integrety (e.g. if we send a TLP over PCIE, then the same TLP arrives at the other end); and models for more holistic properties (E.g. the picture that the RTL draws matches the spec).
| Quote: |
In order to verify them, we may want to develop the model of the arbiter. If we are not familiar with actual implementation and develop the arbiter model in different way, our model<->DUT verification will fail for sure. If we are familiar with implementation, we'll copy this implementation for a model (using, for example, nice object-oriented language) and our testbench will be flawless. However, we'll still dont know whether both the model and implementation are (correct)
|
I wasn't sure whether this was intended as a straw man, or if it reflects your true understanding of how models are used. I'll give you the benefit of the doubt, and assume the latter.
If you create a verification model by looking at the implementation, then you are wasting your time. It'd be a stupid thing to do. For precisely the reason you give.
The alternative is to create a model that accurately reflects the specification, taking care not to add implementation-bias. Modeling an arbiter's fairness is not a good example, because its not a functional requirement: fairness should be checked by a assertion (or checker). My model of an arbiter would probably be a call to a random number generator, which would be replaced by feedback from the rtl for non-trivial tests. The fact that is is a "don't care", however, means that it would matter if you did copy the implementation: it'd waste time, but wouldn't hurt coverage.
Modeling a specifcation while avoiding implementation is difficult. One way around this is to cast the model as an "executable specification", and then tell your RTL coders to copy it. This has the effect of creating a new validation-obligation (you'd need to validate the model), but it does have the advantage that RTL verification can make the assumption that the model is correct (even if it isn't). Believe it or not, this is a popular school of thought (just look at the history of Verilog and VHDL), The end game in this approach is the development of tools that synthesize the RTL (or gates) from the model. As I've stated previously, my prefered approach is the opposite: make the modeling easier by factoring out non-functional details.
| Quote: |
Even if I want to develop the model of the system based on properties defined in specification, I'll create different-from-implementation model which will be useless for verification reasons
|
Why do you assume that a model that is not based on the implementation is useless for verification? As long as it is a model of functional properties, there is no reason why it shouldn't be very useful. Or was the purpose of the statement merely to point out that it is possible to build models for many reasons other than verification -- a statement that is obviously true; and that if you don't try to make it useful for verification, then it probably won't be -- also true. |
|
| Back to top |
|
|
dave_whipp
Senior
Joined: Jan 06, 2004
Posts: 76
Location: Santa Clara, CA
|
| Posted: Thu Oct 21, 2004 1:04 am Post subject: |
|
|
I need to qualify my previous post. When I said it would be "stupid" to create a model by copying an implementation, that was a bad choice of words. Although it was aimed at the act, not the person, I apologize if any offence is felt.
In addition to it being a bad word choice, I must also nuance the underlying sentiment. As part of a well thought out strategy, it might make sense if it enabled a bottom-up validation flow where a fast model is able to run through a wider range of scenarios that a slow RTL simulation. |
|
| Back to top |
|
|
alexg
Senior
![]()
Joined: Jan 07, 2004
Posts: 586
Location: Ottawa
|
| Posted: Thu Oct 21, 2004 7:12 am Post subject: |
|
|
| Quote: | | The more idependent formal descriptions you have, the better your confidence will be. But there's a law of dimishing returns. With ony 2 descriptions (one of which being the RTL), experience tells me that you'll have serious holes (I once measured 20% holes in a project where we relied on directed tests -- this was about 8 years ago, but human nature doesn't change). So I like to have 2 different verification descriptions. This could be 2 models (at different abstractions); or it could be a model plus a network of assertions or checkers. |
The problems with the models is that they are usually more complex, than checkers only. In my experience, we have to think hard how to develop checking functions in modular, clean and the simple way - then, it will be easier to debug them and then I'll be much more confident that they perform correctly. This is especially true for the complex checking funcitons: we need to think how to separate them from the rest of un-related logic (such as cycle-precise protocol logic). Complexity easily rises in exponential way for the model size growing linearly.
Speaking about another independent "checking structure", it should belong to another "verification dimension" to be really independent. We have this another dimension: it is functional coverage. We may define coverage points not only on RTL, but on the top of any verification components, including monitors and checkers. Some of these points are functionally dependent, and then total number of such points "hits" at the end of simulation should match. For example, we develop random error injection on the protocol wich also count the total amount of errors. Then, we count the total number of error recovery control symbols, looking on the top of monitor, which is attached to the bus. Then, we count the total number of correctly validated error recovery scenarios in the bus checker. Then, we can find related signals in RTL which go high any time this event occurs. If, at the end simulation, all these numbers are equal, we'll have high level of confidence that this function works correctly.
| Quote: | | The alternative is to create a model that accurately reflects the specification, taking care not to add implementation-bias. Modeling an arbiter's fairness is not a good example, because its not a functional requirement: fairness should be checked by a assertion (or checker). |
The key point of this example is: Specification document is not providing us implementation algorithm of the arbiter. It rather specifies it's properties (such as fairness). In fact, we are speaking about chip Specification, and not Implementation document. Once the arbiter algorithm is not specified, we don't need to invent our own algorithm to model it.
In fact, looking at Spec and reading the property "fairness" for the arbiter, we can naturally come out with an idea of the fairness checker.
| Quote: | | Why do you assume that a model that is not based on the implementation is useless for verification? As long as it is a model of functional properties, there is no reason why it shouldn't be very useful. |
I think, we are very close on what you are defining as "model of functional property" and I am defining as a checker.  .
Regards,
Alexander Gnusin |
|
| Back to top |
|
|
jmcneal
Senior
Joined: Jan 12, 2004
Posts: 34
Location: Hillsboro, Oregon
|
| Posted: Thu Oct 21, 2004 10:59 am Post subject: |
|
|
Alex, Dave,
For any complex property/function that needs to be verified on a large chip, isn't it often necessary to use a model in order to perform checking?
For example how would you just check correct routing/switching without making use of a model of the routing/switching algorithm? To verify the functionality you have to do some sort of lookup on a table to determine where a packet should emerge. Would you classify a piece of code that does a destination lookup in a routing table to predict where a packet should emerge as a checker or a model?
j |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
| |
|
|
Forum FAQ
Search
Usergroups
Profile
Digest
Log in
