# **Finding Glitches Using Formal Methods**

Yan Peng<sup>1</sup> Ian W. Jones<sup>2</sup> Mark R. Greenstreet<sup>1</sup>

<sup>1</sup>University of British Columbia, Vancouver, BC, Canada <sup>2</sup>Oracle Labs, Redwood City, California, USA

May 9th 2016

Peng, Jones, Greenstreet

Outline



## 😚 Warming up

- A Small Example
- Glitch Detection Using Ternary Simulation
- Our Glitch Hunting Tool
- Experimental Results
- Conclusion

#### Is the netlist equivalent to the RTL?



- YES! When using standard logical-equivalence checking
- Logical equivalence formulation: "For every input from {T, F}, the netlist produces the same output as the RTL."

#### Signal naming:

- S signals Synchronous to output clock domain
- N signals Non-synchronous to output clock domain

#### Glitches caused by non-synchronous signals



- Standard logical-equivalence is not enough, e.g., when S\_N1\_VALID is 0:
  - RTL: permits only S1 to pass to the MUX output, S\_OUT
  - netlist: allows a glitch to propagate from N1 to S\_OUT

Peng, Jones, Greenstreet

#### Using ternary simulation to detect glitch



Ternary logic values {T, F, X} facilitate detection of glitch paths

### **Our Formal Methods Glitch Hunting Tool**





## A Formal Methods Glitch Hunting Tool using ACL2

- Tool Architecture and Work Flow
- The Formal Definition
- Experimental Results
- Conclusion

#### **The Formal Definition**



For a state-bit, q, let Sq denote the synchronous inputs to the combinational logic for the next-state of q, and Nq denote the non-synchronous inputs. Let B = {0,1}, and B<sup>X</sup> = {0,1, X}

glitchFree(q) = 
$$\forall S_q \in \mathbb{B}^*$$
.  $\forall \mathcal{N}_q \in \mathbb{B}^{X^*}$ .  
(next<sub>q,net</sub>( $S_q, \mathcal{N}_q$ ) = **X**)  $\Rightarrow$  (next<sub>q,RTL</sub>( $S_q, \mathcal{N}_q$ ) = **X**) (1)

#### Outline



- Warming up
- Our Glitch Hunting Tool
- Strate Strate Strategy Strateg
  - Real Designs
  - Performance
  - Conclusion

### **Experimental Results: Real Designs**

|                               | Module A       | Module B         |
|-------------------------------|----------------|------------------|
| Description                   | control module | interface module |
| RTL file size                 | 0.7M           | 2.5M             |
| netlist file size             | 8.2M           | 5.4M             |
| # state-bits                  | 22473          | 4439             |
| # state-bits w N <sup>1</sup> | 1253 (5.6%)    | 957 (21.6%)      |
| # Glitches found              | 0              | 148              |

- Modules have multiple clock domains
- Found all previously known glitches
- Discovered glitch paths that were benign due to unstated assumptions in the RTL

<sup>&</sup>lt;sup>1</sup>N stands for non-synchronous input

### Some remarks about performance



- Theorem checking is compute intensive, but each fan-in tree can be run in parallel
- Preprocessing overhead expected to grow linearly with size of netlist and RTL Verilog

Peng, Jones, Greenstreet

#### **Conclusion and future work**

- Implemented a tool using SAT solving and theorem proving to detect synthesis inserted glitches
- Provide a formal definition of the required glitch-free property
- Successfully demonstrated our tool on real industrial designs
- Future work:
  - Automatically generate simulation scripts for glitch found
  - Larger designs
  - Integrate the method into chip design flow

**Finding Glitches Using Formal Methods** 

# Thank You! Questions?

#### Glitches caused by non-synchronous signals



RTL: N2 is specified to generate only N\_OUT

netlist: even when S\_N1\_VALID is 0, a posedge on N2 can cause a glitch to propagate to S\_OUT

Peng, Jones, Greenstreet

#### **Glitch Demonstration - Glitch Path Extraction**



- Combinational logic fan-in trees often have 100+ inputs
- Challenge:
  - succinctly present glitch path results

Peng, Jones, Greenstreet