2.14 Special Cases 35 <’ struct gen_crc { crc: int; crc = compute_crc(data); keep impose_error == TRUE => crc == crc+1; // Adding 1 to computed value yields a crc error. } ‘> 2.13 Generating Excitement Choosing the values of the external conditional variables and the values of stimulus variables determines the excitation of an instance within its con- text. Pseudo-random excitation is currently the province of commercially available pseudo-random test generators. 2.14 Special Cases The foregoing categories of variables (connectivity, activation, conditions, and stimuli and response) form the basis for pseudo-randomly exercising the target. However, certain aspects of a target’s functionality may not be readily exercised in a pseudo-random manner, but instead require special treatment. These are best defined as special cases, and are often exercised with deterministic tests, or with deterministic test sequences within a pseudo- random sequence. Most special cases will be associated with stimuli or responses, but there may also be other things to verify that just don’t seem to fit neatly into any subset. This should not impede progress in interpreting the design specifi- cations – just write them down as for later classification. Eventually, with time and increasing familiarity with the design, special cases in this latter category will be recast as variables of suitable type with their respective ranges. Treating them as special cases early in the project is a practical convenience that enables progress in spite of a few “loose ends”. Interpreting functionality related to reset often accumulates a number of special cases. For example, checking the state of the target immediately af- ter de-assertion of reset (whether hard reset or soft reset) is more readily accomplished with a deterministic test and merits description as one or 36 Chapter 2 – Analytical Foundation more special cases. Similarly, checking for state preservation upon receiv- ing a soft reset constitutes another batch of special cases. On the other hand, these are better regarded as variables of response whose values are dependent on the type of reset. If indirect conditions are defined for a target, it is important that the dy- namic transition from one value to another during the application of stim- uli under given conditions be recorded as special cases to be exercised and observed. Other external activity such as the connection or disconnection of a ca- ble, entering or leaving power-save states, and entering or leaving test modes (morphing the target) can also be recorded as special cases during early stages of a project. Each of the special cases discussed so far fall into the category fre- quently referred to as scenarios. As will be seen later, these scenarios ac- tually correspond to transitions among values of standard variables, but for the time being they will simply remain on the list as special cases. The second category of special cases lists properties 5 of the target. These describe higher-level (or transcendental) behaviors of the target that are usually not verifiable via CRV, such as the performance (in MIPS) of a processor. Verifying performance is likely to need additional testing above and beyond CRV, which tends to focuses on correctness and completeness rather than speediness. Properties often encompass behavior of multiple clock-domains and are often expressed with inexact requirements. Passing a compliance test (such as for USB or PCI-Express) is also a property of the target. 6 Other properties may be based on aesthetic evalua- tions, such as the quality of an image encoded and decoded by the target, or the sound fidelity produced by the target. Cybernetic properties such as responsiveness to human interaction (in controlling a commercial aircraft, for example) would be listed here as well. 5 Note that the term properties is also used in the context of model checking where a given property of the RTL is to be checked. Properties listed as special cases are not based on RTL, but are based only on the requirements stated in the de- sign specifications. 6 Passing a compliance test does not mean that the risk of a functional bug is zero. Examples abound of products (including IP) that pass compliance tests but still have bugs. 2.15 Summary 37 2.14.1 Example – Special Case A classic example of a property as a special case comes to us from the specifications for Ethernet (IEEE 802.3) that states requirements on the distribution of the back-off slot times. Ethernet uses a collision-detect multiple-access algorithm on a shared medium, the wire carrying the electrical signals. When two (or more) de- vices happen to drive the wire simultaneously, both (or all) devices must stop driving the wire and wait some specified period of time until attempt- ing to drive the wire again. The time each must wait is referred to as the back-off slot time, where a slot corresponds to a specific number of bit times. Testing for this requirement is achieved within a network of compliant, commercially available devices. The back-off slot times used by the device being tested are recorded and then tested for a probabilistic uniform distri- bution. Verifying this particular requirement doesn’t lend itself to CRV testing and isn’t readily verified in simulation. Similarly, functional requirements related to liveness, fairness, or performance of a target may require treat- ment as a special case outside the context of CRV. 2.15 Summary The taxonomy defined in this chapter provides a consistent and compre- hensive nomenclature for all aspects of functional verification regardless of the size or complexity of the digital system to be verified. The entire function space can be characterized completely and exhaustively by a well-defined set of standard variables using the linear algebra for digital systems. The premise stated at the beginning of this chapter bears repeat- ing here: From the standpoint of functional verification, the func- tionality of a digital system, including both the target of verification as well as its surrounding environment, is characterized completely by the variability inherent in the definition of the system. Different teams will interpret specification documents to yield different standard variables, surely differing in name but also differing in definition, 38 Chapter 2 – Analytical Foundation but the sets of variables will be equivalent, each forming orthogonal basis sets. Any non-equivalence indicates one or “bugs” in a document because it is not sufficiently clear or ambiguous in its interpretation. Table 2.1 summarizes this “loosely orthogonal system of basis variables.” Table 2.1. Relations among variables for a target of verification Choose values for these variables: To establish: Internal connectivity Instance External connectivity Context Power, clocking, and reset Activation Morph-related conditions and stimuli Morph Internal conditions Operation External conditions Stimuli Errors Excitation The variables discussed in this chapter already exist in testbenches around the world. However, they simply have not been partitioned into the standard framework. And, without this standard partitioning, it is ex- tremely difficult to compare different verification projects or to use these projects to assess risk for future projects. With this set of standard variables it is now possible to determine the size of the functional space in terms of its points and arcs and, therefore, determine what is required to achieve functional closure, that is, exhaus- tive functional coverage. This will be the topic of the next chapter. References Bailey B, Martin G, and Anderson T (ed.) (2005) Taxonomies for the Develop- ment and Verification of Digital Systems. Springer. Lachish O, Marcus E, Ur S, Ziv A (2002) Hole Analysis for Functional Coverage Data, Proceedings of the 39th conference on Design Automation, ACM Press. Verisity Design Inc. (2002) e Language Reference Manual www.ieee1647.org. Verisity Design Inc. (2005) Spec-Based Verification, whitepaper Chapter 3 – Exploring Functional Space The previous chapter described a method of interpretation of natural- language specification documents into a standard set of variables and their ranges that is applicable to all possible digital systems. Each unique com- bination of values of these variables determines a single function point within the functional space. These function points determine the functional space in a mathematically precise manner, allowing us to determine the size of this space and, consequently, determine what it means to achieve functional closure. Value transition graphs provide a technique for visual- izing this space in a useful way. 3.1 Functional Closure Much recent discussion in the industry has focused on “functional closure” but without providing a solid, substantive definition for this highly desir- able outcome. Intuition tells us that functional closure must exist because, after all, the functionality can be expressed with a finite number of transis- tors. What does it really mean to achieve functional closure? This term is borrowed from timing domain analysis where closure is a genuine outcome. To reach timing closure is to adjust the placement of transistors and the routing of interconnecting wires and polysilicon such that each and every path propagates signals within a predetermined inter- val of time so that setup times at destinations are satisfied. Software tools make exhaustive lists of signal paths and then determine whether all paths have no negative slack. When a signal has positive slack, it means that the signal reaches its destination with time to spare, whether a few picosec- onds or many nanoseconds. A signal with negative slack reaches its desti- nation too late. When all paths have no negative slack, nothing arrives late. Some texts refer to “functional closure” or “coverage closure,” but while also claiming that the size of the space over which this “closure” is reached cannot be determined. This is not correct, as we will see in the analysis in this chapter. A survey of current literature finds many technical papers and articles that tell us, “A good test plan should list all the interesting test cases to 40 Chapter 3 – Exploring Functional Space verify the design.” However, there is no objective way to separate “inter- esting” from “uninteresting” test cases. If so, there would be a software program that could accept as its input these “test cases” in some yet to be defined form and then decide algorithmically whether it is interesting or uninteresting. Clearly, this approach does not seem promising. Similar remarks appear in the current literature regarding coverage, in- forming the reader to “decide on the interesting data fields/registers … im- portant state machines, … interesting interactions between some of the above states or data.” Again, we have no objective way to make these de- cisions regarding interestingness or importance. Formal verification (such as theorem provers of some sort) might some day be able to make such de- cisions. With a complete set of variables and their ranges as described in chapter 2, it is possible to arrive at an understanding of the overall size of the func- tional space of a given target. Because these variables imply all of the mechanisms (elements) that use them, they may be said to represent the functional space completely. This means that it is now possible to gain a complete characterization of the functional space of the target. 3.2 Counting Function Points The previous chapter explained that each unique combination of values of standard variables determines a single function point within the functional space. In other words, a function point is represented by a tuple corre- sponding to the location of a point in some large multi-dimensional space, providing us with the coordinates of the point in this space. It is possible to arrive at an exact count P of these points by considering each category of standard variable in turn and how it relates to the other categories of vari- ables. Analysis begins with connectivity. 3.2.1 Variables of Connectivity Variables of connectivity are separated into two categories, variables of in- ternal connectivity and variables of external connectivity. Each variable has a finite range of discrete values that are countable. This is true because these ranges are present in computer programs (verification software tools). In many designs the ranges of variables of connectivity are independent such that every value of some variable of connectivity k A can be associated with each and every value of some other variable of connectivity k B . So, if 3.2 Counting Function Points 41 for example a design has these two variables of internal connectivity k A and k B , then the number of points determined by only these two variables is simply the product of the number of values in the range of each variable. However, for many designs the range of values of certain variables are dependent upon the values of one or more other variables. Some ranges are not simple finite sets of discrete values, but rather must be determined by methodically analyzing dependencies among the variables. Consider the specification for a microprocessor that includes an optional cache control- ler capable of handling caches of varying size. This defines two variables of internal topology: CACHE_PRESENT and CACHE_SIZE. The range of CACHE_PRESENT is [YES,NO] and the range of CACHE_SIZE is (for our example) [4K,8K,16K]. The number of function points is not simply 2 ⋅ 3 = 6 due to the dependency of CACHE_SIZE on CACHE_PRESENT. When CACHE_PRESENT is equal to NO, then there is no related value for CACHE_SIZE. For that matter, one might argue that the variable CACHE_SIZE does not even exist when CACHE_PRESENT is equal to NO. For notational convenience, we will use the value of ∅ (the null value) in the tuple when the value of the corresponding variable is undefined. So, in this example there are actually only 4 function points whose co- ordinates are: • (NO,∅), • (YES,4K), • (YES,8K), and • (YES,16K). One further example illustrates how the count of function points grows quickly even for a design with relatively few variables of connectivity. Consider a simple design with 3 variables of internal connectivity (k i1 , k i2 , and k i3 ) and 2 variables of external connectivity (k e1 and k e2 ). Assume that all 5 variables are mutually independent. Let’s examine first how many different instances of the target can be built. Let k i1 have 2 values in its range, let k i2 have 3 values in its range, and let k i3 have 4 values in its range. Because all 3 variables are mutually independent, there are at most 2 ⋅ 3 ⋅ 4 = 24 different instances that can be built. Now consider how many different external contexts can surround each of these 24 instances. Let k e1 have 5 values in its range and let k e2 have 6 values in its range. Again, because the variables are independent, there are 5 ⋅ 6 = 30 possible different contexts. 42 Chapter 3 – Exploring Functional Space Combining our 24 possible instances with our 30 possible contexts, we find that the subspace of connectivity contains 24 ⋅ 30 = 720 distinct func- tion points in our simple example. In other words, it is possible to build 720 distinctly different systems. Now let’s consider the general case. Consider the set X containing all of the values from the range of a vari- able of connectivity (or any other category of variable, for that matter) and also the null value ∅. The zero norm of X, denoted X , is the number of non-zero elements of X. This zero norm is also known as the Hamming weight of X. For the purposes of analyzing functional spaces, X is de- fined as the number of non-null elements of X. Assume that there are M different variables in k i (variables of internal connectivity) and N different variables in k e (variables of external connec- tivity). To arrive at the maximum number of function points P k in the space of connectivity, we count the number of values in the range of each variable and then take the product of all of these counts. Mathematically this is stated as: P k i = number of instances = X i m m=1 M ∏ and P k e = number of contexts = X i n n=1 N ∏ . (3.1) Then, the number of function points P k in the subspace of connectivity of our design is at most the product of these two products: P k ≤ P k i ⋅ P k e . (3.2) Any dependencies between ranges of variables will reduce the overall number of possible instance-context pairs, so P k may usually be less than this upper bound. To illustrate how these dependencies reduce the number of function points, consider the first example in previous chapter that de- scribed the standard variables of external connectivity. In that example we had a simple central bus on which 3 different types of agent could reside: from 1 to 8 processors, from 1 to 4 memory control- lers, and from 1 to 14 I/O controllers for a total of 16 agents. The simple product of the counts of values in the ranges of the respective variables 3.2 Counting Function Points 43 yields a total of 448 function points (448 = 8 ⋅ 4 ⋅ 14). However, this count includes systems that violate the no-more-than-16-agents requirement. Consider a system with one processor and one memory controller. This particular system can include any of 1 to 14 I/O controllers for a total of 14 distinct contexts. A system with one processor and two memory controllers can include any of 1 to 13 I/O controllers for a total of 13 distinct systems. Of course, it’s unlikely that actual systems corresponding to each and every one of these systems would be interesting in a commercial sense, but the point is that such systems are theoretically allowed within the ranges defined by the requirements. Table 3.1. Number of possible contexts based on example in Fig. 2.2 proc_agents mem_agents io_agents Possible contexts 1 [1 14] 14 2 [1 13] 13 3 [1 12] 12 1 4 [1 11] 11 1 [1 13] 13 2 [1 12] 12 3 [1 11] 11 2 4 [1 10] 10 M M M M 1 [1 8] 8 2 [1 7] 7 3 [1 6] 6 7 4 [1 5] 5 1 [1 7] 7 2 [1 6] 6 3 [1 5] 5 8 4 [1 4] 4 Total: 288 Continuing in this manner (see Table 3.1) we see that 50 (50 = 14 + 13 + 12 + 11) distinct single-processor systems can be assembled when only one processor is included. Accounting for the dependency on the range for I/O controllers for the remaining possible N-processor systems, we see that only 288 possible systems can be assembled. This 288 is the actual number of function points in the space of connec- tivity, significantly fewer than the 448 calculated as the simple product, but still a large number of possible contexts in which the target of verifica- tion must operate correctly. This is the challenge for the IP developer. 44 Chapter 3 – Exploring Functional Space In general it is not possible to rely on simple closed-form algebraic ex- pressions (such as in Eq. 3.1 and Eq. 3.2) to determine the number of func- tion points in the subspace of connectivity (or any other subspace, for that matter), but rather these function points must be counted algorithmically. This is accomplished in a straightforward manner with nested for loops that examines each tuple of values of variable of internal connectivity (i.e., each instance) in turn and determining which tuples of values of variables of external connectivity (i.e., contexts) are valid, just as was done to create Table 3.1. 3.2.2 Variables of Activation (and other Time-variant Variables) Variables of activation are categorized into three subsets, namely power, clocking, and reset. For any valid system there may be multiple ways that the system can be activated, each described not by a single tuple of values of these variables, but rather by sequences in time of changing values of these variables. These sequences will be analyzed at length later in this chapter, but some preliminary analysis is in order here. Consider the ex- ample of the multi-processor design that we have been using so far. In a system of multiple processors one of the processors is typically des- ignated as the monarch processor with the remaining processors designated as serfs. Activation of the monarch precedes activation of the serfs, per- haps by holding each serf in its reset state until system resources such as memory are sufficiently initialized for the serfs to begin fetching and exe- cuting instructions on their own. Also, some serf processors might not even be energized until they are needed. And, a given serf might be de- activated to conserve power when it is not needed. Each of these scenarios constitutes a different sequence of values of variables of activation, each sequence composed of multiple function points. Function points corresponding to time-variant variables such as those of activation are not counted as simply as time-invariant variables of connec- tivity. Constructing the value transition graphs (defined later in this chap- ter) is necessary before the corresponding function points can be counted. Accounting for the 4 possible instances of the processor as determined by CACHE_PRESENT and CACHE_SIZE, this yields 1,152 distinct sys- tems, all of which must be verified to function correctly. At first glance this may appear to a rather dire situation for the verification engineer, but, as will be seen later in this chapter, condensation in the functional space can provide significant practical advantages. . determine the size of the functional space in terms of its points and arcs and, therefore, determine what is required to achieve functional closure, that is, exhaus- tive functional coverage. This. functional closure. Value transition graphs provide a technique for visual- izing this space in a useful way. 3.1 Functional Closure Much recent discussion in the industry has focused on functional. Intuition tells us that functional closure must exist because, after all, the functionality can be expressed with a finite number of transis- tors. What does it really mean to achieve functional closure?