We describe a methodology for verifying system-on-chip designs. In our methodology, the problem of verifying system-on-chip designs is decomposed into three tasks. First, we verify, once and for all, the standard bus interconnecting IP Cores in the systcm . The next task is to verify the ~I U C logic, which connects the IP Cores to the buses. Finally, using the verified bus protocols and thc 11' core designs, the complete system is verified. To illustrate our methodology, we verify the PCL Local Bus, a widely used bus protocol in system-on-chip designs. We demonstrate various modeling and verification techniques for buses by modeling the PCI Local Bus with the symbolic model checker SMV.
Introduction
Bridges are used to cxtend such systems in a hierarchical fashion by connecting buses.
IP Cores are often pre-validated. This increases the confidence OF system designer in third party IP Cores. The validation of IP Cores must he part of the IP Core design itself. So in this scenario, where we have a) prc-verificd IP Corcs with certain guarantees and Confidence, b) a standard bus protocol, and c) IP Corc specific glue to connect cores to the bus, we can decomposc the task o f verifying system-on-chip designs into three parts as follows.
5-
Hardware designs have reached a mammoth scale today, with over ten million transistors integrated on a single chip. This breakthrough in technology has, in fact, reached the point, where it is hard to design a complete system from scratch. Industry has already started designing ASICs from a large repertoire of Intellectual Property Components or IP Cores sold by many vendors. System-on-chip designs usually involve the Consequently, the validation of such designs is becoming more 2, Verify tl,e Ip Core specific glue logic:
buses and IP Cores, verify the coinplcte system. and more challenging. In this paper, we outline a new method-since be vel.ified once O W for formally verifying IP Core based, syste1n-on-chip and for all. ~l~~ logic is IP core specific. If we have a collet. tion of protocols for IP Corcs, then we can design an abstrac~p core based system can be viewed as a co~~cction of tion of the glue between the standard bus and each IP Corr proious ~p with interconnecting buses running them tocol. This ahstract model is designed once. Then, we :.itcnd (see ~i~~~~ 1). since the cores are from different to check if the actual glue implementation rejines the abstract vendors, there is a need for standard buses to connect them. model of the glue [7l. Thus, we have reduced the complexWe also envision some kind of interface logic, which we call ity of verifying the glue to checking refinement, When this i s glue, to connect IP Cores to the standard buses. In some cases completed for a l l IP Cores and their glues, wc can procecd to 1P Cores are designed to be compliant to a standard bus pro-the third step.
tocol and can be connected directly to the bus without glue. ~~~~~i~~~~ in industry with IP core based ASIC designs bus protocol is standard, it needs designs.
I
shows that most of the bugs are found in the bus or glue logic. o our knowledge, thcre is still no agreement on a standard bus Protocol for SYstem-on-chiP designs. However, the PcI *This rescarcli is sponsered by the Gigvscale Silicon Research Center (GSRC). Any opinions. findings and conclusions or rccnmmendalions exnresscd in this material BK those of the aUttlDrS and do not iiecessarilv ;h, view ofthe GSRC.
Local Bus protocol [12, 13, 141 is widely accepted by many 0-7R03-5632-2/99/$10.00 0 1999 IEEE microprocessor based system (eg. Pentiuin and Alpha) and IP Core companies. Therefore, we focus in this paper on verifying system-on-chip designs using the PCI Local Bus. This will provide insight into questions like, wliat basic functionality is required of the buses, what kind of standard interraces are needed for IP Core based designs, and how glue logic may he designed and verified for heterogeneous IP Cores. We havc formally verified the correctness of the PCI bus protocol using symbolic model checking 151.
In many cases, bus protocols can be verified with current formal verification techniques as demonstrated by [4] and [SI. We concentrate more on the functional properties of the PCI local bus and bridges rather than performance issues. A formal treatment of PCI bus performance is given by Campos, et al. in 141. In a recent paper [ I I], theorem proving techniques havc been used to validate a proposed solution cor a bug in the PCI bus protocol, but this approach requires considerable expertise in modeling the bus and is not easily automated.
The rest of the paper is organized as follows: In Section 2, we introduce Computation Tree Logic and the symbolic model checker SMV. In Section 3, we provide an overview ol the PCI local bus protocol and systems based on it. In Section 4. we illustrate a systematic approach to verify the PCI bus and bus bridges. We describe modeling and specification techniques, which can be applied to verify othcr bus protocols as well.
In Section 5, we present our experimental results, notably the description of two bugs we havc round in this widely used bus protocol. Finally in Section 6, wc summarize our experience and present a few thoughts on how to reach our ultimatc goal of verification of complete system-on-chip designs.
Symbolic Model Checking
individual state variables. The boolean connectives are conjunction, disjunction and negation (A, V, -). Each temporal operator consists of two parts: a path quantifier (A or E) and a tcmporal modality (F, G, X or U). The quantifier indicates whether the operator denotes a property that should be true of all execution paths from a given state or whether the property need only hold on some path. The modalitics describe the ordering of events in time along an execution path and liave the following intuitive meanings:
I. F y ("ip holds sometime in the future") is true oca path if there exists a state on tlic path for which the formula 'p is true. 2. Gip ("9 holds globally") means that ip is true at every state on the path.
3. X 'p ("ip holds in the next state") means that 9 is true in the second state on the path.
4. y U 71, ("9 holds until 6 holds") means that there exists some state on the path for which 3 is true, and Cor all states preceding this one, ip is true.
Each formula oClhe logic is either true or false in a given state.
An atomic proposition is true in a state if the state variable that it rcfcrs to has the appropriate value. "he truth of a formula huilt from boolean connectives depends on the truth of its subformulas in the usual way. A formula whose top level operator is a temporal operator with a universal (existential) path quantifier is true whenever a11 paths (some path) starting at the state havc the property required by the operator's modality. A formula is true of a system if it is true for all the initial states of the system.The following examples illustrate the expressive power of the logic.
Symbolic model checking isapowercul technique for formally verifying finite state concurrent systems automatically [9] . The task of symbolic model checking call be hrokcn down in three phases Modelling, Specijication and Verijicflfion. The first task is to represent system under consideration in a precise model that can be accepted by a model checking tool. Often I. AG(Req + AFAck): it is always the case that if the signal Re4 is true, then eventually Ack will also be true. 2. AGAFDeviceEpIahled: DeviceEnabled holds infinitely often on every computation path.
AG EF ~~~t~~~t :
from any state, it is possible to get to the R~~~~~~~ state, we need to use abstraction to eliminate irrelevant or unimportant details from the design due to limits on time and memory. We used SMV [9], a temporal logic model checker based on binary decision diagrams (BDDs) [I]. SMV has its own builtin dataflow-oriented hardware description language for modeliiig and accepts specifications expressed in the CTL temporal The PCI Local Bus 112, 13, 141 is a high performance, synchronous bus architecture that can transfer 32-bit or 64-bit
In the specification phase, we write the properties in a data. Its primary goal is to establish an industry standard and branching-time temporal logic called CTL ("Computation 0ptimi.x for direct silicon (component) interconnection with Tree Logic") 151. Formulas in CTL are built from three com-minimum glue logic required. It supports most processor deponents: atomic propositions, boolean connectives, and tern-signs and connects various types of devices on a chip. Bridges poral operators. Atomic propositions refer to the values of arc used to extend the PCI bus based systems.
A typical PCI bus transaction is demonstrated in Figure 2 . The posting. Bridges may also attempt to convert onc or more request for a transaction starts when a subsystem asserts its transactions into a large transaction for improved pertormancc request line REQ#. It then waits until being granted the bus by combining, merginz or collapsinz [12].
~~
4 Verifying PCI-bus by~the arbiter by asserting the correspondingGNT# line. This ohase is known as thc arbitration ahase. The transaction begins when signal FRAME# is asscrted. In the first clock after asserting FRAME#, address is put on the datdaddress multi-We verified the PCI bus protocol in two steps. In the first plexed lines in the address phase and the command lines carry step, we lookcd at propertics related to the protocol without the transaction-type. All targct devices listen to this address bridges. In thc second step, wc modeled a PCI bridge and and if the address maps to their address space, thcy assert their verified a produccr-consumer model for bus transactions with DEVSEL# lines, indicating they are present on thc bus. The bridgcs. Figure 3 shows otic configuration that we inodelcd master then asserts the signal IRDY#, meaning that it is ready to verify some bus properties. The arbiter is safe and fair.
for data transfer. The bus target asserts its TRDY# signal to The dummy-master is an abstracted master which has very reindicate that the target is ready for data transfcr. Data trans-stricted functionality and is uscd only for checking arbitration fer occurs when both IRDY# and TRDY# are asserted, which properties. The master and the target are capable of carrying is known as onc data phase. A transaction can have morc out PCI sequences, e.g. fast back to back transactions, bus than one data phase, and wait cyclcs can be inserted between parking, burst transactions, latency requirements, transaction data phases by the master (target) by deasserting the IRDY# termination, ctc. Thc state machincs of PCI master and PCI (TRDY#) signal. One clock cycle before the end of the data target are given in the PCI specification [12] . In order to hantransfer phase, the FRAMW signal is dcassertcd. In the next cycle both IRDY#and TRDY# are deasserted, and the bus goes dack to the idle state. The PCI bus requires afair central arbiter, which implies that cvery master should be served. Note that apart from this requirement, the arbitration algorithm is not part of the PCI bus specification. The arbiter may park the bus at some selected master or allow the bus to float. Since the PCI bus is a high per--abstraction, assumc-guarantee reasoning, symmetry and casc analysis. We developed a single bus model in CBL SMV [IO] with 5 masters and 5 targets. In this model, therc is symmelry within the masters, as well as the targcts. For a bus driving property, we pcrform a case analysis on the actual master and the target that itre active on the bus, then use symmetry to reduce the number of proof obligations. In order to prove these propertics, we first provcd the foliowing non-interference lemmas.
Inactive mastcrs and targets can not drive thc bus
Only one master and one target can be active at a time.
An active master must stay active until onc target becomes activc. formance bus, there arc strict timing requircments on various e An inactive target can not become active until it has an events, like number of wait states, latency for a target asserting I , I . .
~U U T C S S nit its selection line, arbitration latency, ctc.
PCI bridges are used to connect two PCI buses in a transparent manner. PCI devices must follow certain allowable transaction orderings in order to satisfy the Producer-Consumer model discussed in the next section, Bridges can tranSactions in order to improve performance, meaning certain write transactions can bc buffered in the bridges without bcing completed at the target, but the maytcr is not requircd to wait until it completes. In order to observe the producer-consumer model, there are certain restrictions on bridges regarding transactione If a master and a targct are active, then the master must remain active until the target becomes inactive.
If one master starts a transaction with address k, then it will remain active until thc target with address k becomes activc.
Using thesc lemmas, we have proved the following bus driving propcrties:
Once STOP# is asserted, FRAME# should be deasserted as soon as IRDY# is asserted.
If not already deasserted, TRDY#, STOP#, and DE-VSEL# must bc deasserted the clock following the completion of the last data phasc and must be tri-stated in the next clock.
The target cannot drive data on the bus in the cycle immediately after a read transaction begins. data bus should be at least 2 bits wide. The address bus is 2 bits wide. Bridges also have finitedata buffers for postingdata.
We use a simple abstraction to establish the correctness of the PCI bridge transaction ordcring rules. We show that if a symbolic data value x is generated by the producer, then a unique copy of n will be received by the consumer. The variablcflag in the producer-consumer model indicates the status of the data generated by the producer: Hag = 0 means the producer has not written new data; flag = 1 mcans that the producer has writtcn the data value x; flag = 2 means the producer has writtcn a A master or a target should drive the data bus correctly in value different from x. In our model, the producer only generates one instance of the data value x. The Droducer-consumer a data phase. model requires that whenever the consumer sees flag = 1, it Wc vcrified properties about transaction termination, arbi-should then receive x, The f o~~o w i n g three capture tration, latency requirements, etc. These properties primar-the correctness of this behavior ( c denotes consumer). ily followed various must hold statements from the specification. For example considcr the following property: AG(hus.FRAME# + AX(7bus.FRAME# + bus./KDY#)). It says that when FRAME# is first asserted (active low), IRDY# should stay deasscrtcd. SMV determined that this property is true.
flag= I. sets the flag and waits for completion status; while the Consumerwaitsuntilitfinds theflagsct, thenitrcsets theflag,consumcs the data, and writcs thc completion status code. When the Producer finds the completion status code, it resets the code and the scquencc rcpcats. Sincc bridges can post write transactions, it is important to scc that this model is satisfied, i.e.
AG((c.chkFlag
thc Consumer never secs that thc flag is set when the data is not written. The bridge obeys all PCI ordering rules. Wc will dcmonstratc that it satisfics thc Producer-Consumer model as well. We modeled a PCI bridge according to thc PCI bridge This formula means that whenever the master requests a transaction with single data phase, thc target never acknowledges before the master times out, i.c. the target never goes to the SDATA state. We verified that this formula is true, which is inconsistent with the standard. In the second error, the Specification requires that once a master has asserted /RDY#, it cation, we will focus in the future on verifying the glue logic involved in such designs. We also intcnd to verify more complex industrial bus designs using the methodology we have proposed in this paper. Finally, we are interested in high-level specification of bus protocols for verification purposes. [2] J. I<. Burch On an UltraSparc 248MHz machine, it took 46 minutes and 13M BDD nodes to verify a11 the lemmas and properties for multiple mastersltargets. As a comparison, after taking about
Conclusions and Future Work
In this paper, we have proposed a new mcthodologY for verifying system-on-chip designs. As the first example, we have verified the PCI Local Bus protocol using the symbolic model checker SMV. Significantly, we have found two potential bugs in the standard PCI bus specification. In our experience, formally verifying the functionality of bus protocols is feasible using current model checking techniques.
In order to achieve our ultimatc goal of systcm-on-chip verifi- 
