Effective Pre-Silicon Verification of Processor Cores by Breaking the Bounds of Symbolic Quick Error Detection
We present a novel approach to pre-silicon verification of processor designs.
The purpose of pre-silicon verification is to find logic bugs in a design at an
early stage and thus avoid time- and cost-intensive post-silicon debugging. Our
approach relies on symbolic quick error detection (Symbolic QED, or SQED). SQED
is targeted at finding logic bugs in a symbolic representation of a design by
combining bounded model checking (BMC) with QED tests. QED tests are powerful
in generating short sequences of instructions (traces) that trigger bugs. We
extend an existing SQED approach with symbolic starting states. This way, we
enable the BMC tool to select starting states arbitrarily when generating a
trace. To avoid false positives (e.g., traces starting in unreachable states
that may not behave in accordance with the processor instruction-set
architecture), we define constraints to restrict the set of possible starting
states. We demonstrate that these constraints, together with reasonable
assumptions about the system behavior, allow us to avoid false positives. Using
our approach, we discovered previously unknown bugs in open-source RISC-V
processor cores that existing methods cannot detect. Moreover, our novel
approach outperforms existing ones in the detection of bugs having long traces
and in the detection of hardware Trojans, i.e., unauthorized modifications of a
design.

Comment: This article has the full author list which was missing in
arXiv:1908.06757. arXiv admin note: substantial text overlap with
arXiv:1908.0675
Boosting the Bounds of Symbolic QED for Effective Pre-Silicon Verification of Processor Cores
Existing techniques to ensure functional correctness and hardware trust
during pre-silicon verification face severe limitations. In this work, we
systematically leverage two key ideas: 1) Symbolic Quick Error Detection
(Symbolic QED or SQED), a recent bug detection and localization technique using
Bounded Model Checking (BMC); and 2) Symbolic starting states, to present a
method that: i) Effectively detects both "difficult" logic bugs and Hardware
Trojans, even with long activation sequences where traditional BMC techniques
fail; and ii) Does not need skilled manual guidance for writing testbenches,
writing design-specific assertions, or debugging spurious counter-examples.
Using open-source RISC-V cores, we demonstrate the following: 1. Quick (<5
minutes for an in-order scalar core and <2.5 hours for an out-of-order
superscalar core) detection of 100% of hundreds of logic bug and hardware
Trojan scenarios from commercial chips and research literature, and 97.9% of
"extremal" bugs (randomly-generated bugs requiring ~100,000 activation
instructions taken from random test programs). 2. Quick (~1 minute) detection
of several previously unknown bugs in open-source RISC-V designs.

Comment: 16 Pages, 6 Figures; Re-organize Table