## Towards Trustworthy RISC-V Processors for Safety-Critical Applications

RISC-V Days Tokyo 2022 Spring



# Agenda

Introduction

RISC-V Processor Core Verification App Application Examples Underlying Technology



# Introduction



## **OneSpin's Industry Proven Solutions**

15 years of cutting-edge formal processor verification solutions





## Enabling High-Quality Processors OneSpin supports the RISC-V community



## **Technology / Solution**

### **Processor Core Integrity Solutions\***

- Core verification
- Integration verification

## **Industry Involvement**

**RISC-V** International

**OpenHW Group** 

Scale4Edge Project

## **User Community**

**Commercial solution adoption** 

- AFRL/ Edaptive
- Infineon
- Bosch
- Renesas







\*Ongoing development



## **Example Bug in Processor Core** DIV result not written back to register file

## How do you catch this?



**Possibilities** 

# **RISC-V Processor Core Verification App**



## **OneSpin's RISC-V Processor Core Verification App** Automate and accelerate processor verification







## **10x Verification Speed-up**

Accelerate coverage closure

**Optimized formal engines** 

**Pinpoint bugs - Quick fix check** 

## **High Degree of Automation**

No writing of functional coverage model

Automatic  $\mu$ -architecture details extraction

Automatic assertion generation

**Built-in disassembler annotation** 

## Exhaustive & Complete Verification

100% functional coverage

**Unbounded proofs** 

No undocumented RTL

**Custom extensions support** 

ISA & privileged ISA compliance

**App Flow** 





## **App GUI**



## Custom Extensions Support

Leverage executable specification to automate verification

## Straightforward to add custom instructions

- Table for custom instructions (JSON format)
- Tabular decoding from RISC-V ISA standard
- Execution specified in subset of Sail language\*
- Disassembly specified for debugger display

Straightforward to add registers/ register files

Support of multiple source/ destination registers

## Automated verification of custom extensions

\*https://github.com/rems-project/sail-riscv

|   | Mnemonic | Decoding                           | Restrictions | Disassembly        | Execution                                 |
|---|----------|------------------------------------|--------------|--------------------|-------------------------------------------|
| 0 | CV.LB    | imm[11:0] rs1/rd2 000 rd 0001011   |              | cv.lb {rd},{imm    | let addr : xlenbits = X(rs1) + EXTS(imm); |
|   | CV.LH    | imm[11:0] rs1/rd2 001 rd 0001011   |              | cv.lh {rd},{imm    | let addr : xlenbits = X(rs1) + EXTS(imm); |
|   | CV.LW    | imm[11:0] rs1/rd2 010 rd 0001011   |              | cv.lw {rd},{imm    | let addr : xlenbits = X(rs1) + EXTS(imm); |
| 0 | CV.LBU   | imm[11:0] rs1/rd2 100 rd 0001011   |              | cv.lbu {rd},{imn   | let addr : xlenbits = X(rs1) + EXTS(imm); |
| 0 | CV.LHU   | imm[11:0] rs1/rd2 101 rd 0001011   |              | cv.lhu {rd},{imn   | let addr : xlenbits = X(rs1) + EXTS(imm); |
|   | CV.SB    | imm[11:5] rs2 rs1/rd2 000 imm[4:0] |              | cv.sb {rs2},{imr   | let addr : xlenbits = X(rs1) + EXTS(imm); |
|   | CV.SH    | imm[11:5] rs2 rs1/rd2 001 imm[4:0] |              | cv.sh {rs2},{imr   | let addr : xlenbits = X(rs1) + EXTS(imm); |
|   | CV.SW    | imm[11:5] rs2 rs1/rd2 010 imm[4:0] |              | cv.sw {rs2},{imi   | let addr : xlenbits = X(rs1) + EXTS(imm); |
|   | CV.ADD.B | 0000000 rs2 rs1 001 rd 1010111     |              | cv.add.b {rd},{r   | X(rd)=(X(rs1)[3124]+X(rs2)[3124]) @       |
|   | CV.ADD.S | 0000000 rs2 rs1 101 rd 1010111     |              | cv.add.sc.b rd, rs | X(rd)=(X(rs1)[3124]+X(rs2)[70]) @ (X(     |
|   | CV.ADD.S | 000000 imm[0 5:1] rs1 111 rd 1010  |              | cv.add.sci.b {rd}  | X(rd)=(X(rs1)[3124]+EXTS(imm)[70])        |
| 0 | CV.DOTUI | 1000000 rs2 rs1 001 rd 1010111     |              | cv.dotup.b {rd},   | X(rd)=mul8(X(rs1)[70],X(rs2)[70])+mu      |
|   | CV.SDOTL | 1010000 rs2 rs1 001 rd/rs3 101011  |              | cv.sdotup.b {rd}   | X(rd)=mul8(X(rs1)[70],X(rs2)[70])+mu      |
|   |          | Add Instructio                     | n            | Remove Instructi   | ion(s)                                    |

#### ISA Custom Extensions - Instructions

## **Standard Extension Support**

### Standard extensions also based on JSON database with Sail execution modeling

- OneSpin support derived from officially released Sail model
- OneSpin support possible after Sail model release
  - Customers drive actual decision
- Recently derived bit manipulation support (Zba, Zbb, Zbc, Zbs) from Sail
- Vector extension to follow after Sail model release





## **App Assertions**

|                  | Name                                       | * | Proof Status                                                                                                                                                                  | Witness Status                                                                                                                      | Case Split Status                                                                        | Validity                                     | nre Source                |            |
|------------------|--------------------------------------------|---|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------|----------------------------------------------|---------------------------|------------|
|                  | !                                          | - | ! <any stat="" td="" •<=""><td>! <any -<="" statu="" td=""><td>! <any status="" td="" •<=""><td>! <any -<="" td=""><td>1</td><td></td></any></td></any></td></any></td></any> | ! <any -<="" statu="" td=""><td>! <any status="" td="" •<=""><td>! <any -<="" td=""><td>1</td><td></td></any></td></any></td></any> | ! <any status="" td="" •<=""><td>! <any -<="" td=""><td>1</td><td></td></any></td></any> | ! <any -<="" td=""><td>1</td><td></td></any> | 1                         |            |
|                  | Constraints                                |   | /·                                                                                                                                                                            |                                                                                                                                     |                                                                                          |                                              |                           |            |
|                  | <ul> <li>Properties</li> </ul>             |   |                                                                                                                                                                               |                                                                                                                                     |                                                                                          |                                              |                           |            |
|                  | RV chk.ops.BUBBLE a                        |   | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up to date                                   | core checker.sv:735       |            |
| Interrupts       | RV chk.ops.INTR Handle a                   |   | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up to date                                   | core checker.sv:740       |            |
| interrupts       | RV_chk.ops.RESET_a                         |   | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up to date                                   | core_checker.sv:734       |            |
|                  | RV_chk.ops.RV32I.ARITH_a                   |   | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up_to_date                                   | core_checker.sv:745       |            |
|                  | RV_chk.ops.RV32I.BRANCH_a                  |   | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up_to_date                                   | core_checker.sv:744       |            |
|                  | RV_chk.ops.RV32I.Debug.EBREAK_ForcedEntry_ | a | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up_to_date                                   | core_checker.sv:757       |            |
|                  | RV_chk.ops.RV32I.Debug.EBREAK_HaltReq_a    |   | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up_to_date                                   | core_checker.sv:756       | RV32IMC    |
|                  | RV_chk.ops.RV32I.EBREAK_BreakPoint_a       |   | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up_to_date                                   | core_checker.sv:753       |            |
| I - Base Integer | RV_chk.ops.RV32I.ECALL_a                   |   | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up_to_date                                   | core_checker.sv:752       | Zicsr      |
| i Base integer   | RV_chk.ops.RV32I.FENCE_a                   |   | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up_to_date                                   | core_checker.sv:749       |            |
|                  | RV_chk.ops.RV32I.JUMP_a                    |   | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up_to_date                                   | core_checker.sv:743       | _Zifencei  |
|                  | RV_chk.ops.RV32I.MEM_a                     |   | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up_to_date                                   | core_checker.sv:746       |            |
|                  | RV_chk.ops.RV32I.MEM_MultiAccess_a         |   | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up_to_date                                   | core_checker.sv:747       |            |
|                  | RV_chk.ops.RV32I.WFI_a                     |   | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up_to_date                                   | core_checker.sv:750       | <b>0</b>   |
|                  | RV_chk.ops.RV32I.xRET_a                    |   | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up_to_date                                   | core_checker.sv:751       |            |
| Μ                | RV_chk.ops.RV32M.DIV_a                     |   | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up_to_date                                   | core_checker.sv:792       |            |
|                  | RV_chk.ops.RV32M.MUL_a                     |   | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up_to_date                                   | core_checker.sv:791       |            |
|                  | RV_chk.ops.RVC.ARITH_a                     |   | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up_to_date                                   | core_checker.sv:905       |            |
| С                | RV_chk.ops.RVC.BRANCH_a                    |   | open                                                                                                                                                                          | open                                                                                                                                |                                                                                          | up_to_date                                   | core_checker.sv:904       | Assertions |
|                  | RV_chk.ops.RVC.JUMP_a                      |   | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up_to_date                                   | core_checker.sv:903       | Assertions |
|                  | RV_chk.ops.RVC.MEM_a                       |   | open                                                                                                                                                                          | open                                                                                                                                |                                                                                          | up_to_date                                   | core_checker.sv:906       |            |
|                  | RV_chk.ops.RVC.MEM_MultiAccess_a           |   | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up_to_date                                   | core_checker.sv:907       |            |
| X                | RV_chk.ops.RVX.instr_CV_LB_2_a             |   | open                                                                                                                                                                          | open                                                                                                                                |                                                                                          | up_to_date                                   | custom_extensions.sv:1802 |            |
|                  | RV_chk.ops.RVX.instr_CV_LB_a               |   | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up_to_date                                   | custom_extensions.sv:1801 |            |
| Zicsr & Zifencei | RV_chk.ops.RVZicsr.CSRx_a                  |   | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up_to_date                                   | core_checker.sv:777       |            |
|                  |                                            |   | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up_to_date                                   | core_checker.sv:773       |            |
| Encounter and    | RV_chk.ops.XCPT_IF_ID_a                    |   | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up_to_date                                   | core_checker.sv:737       |            |
| Exceptions       | - RV_chk.ops.XCPT_MEM_a                    |   | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up_to_date                                   | core_checker.sv:738       |            |
| -                | RV_chk.ops.XCPT_WB_a                       |   | open                                                                                                                                                                          | open                                                                                                                                | open                                                                                     | up_to_date                                   | core_checker.sv:739       |            |
|                  | SVA Named Properties                       |   |                                                                                                                                                                               |                                                                                                                                     |                                                                                          |                                              |                           |            |
|                  | SVA Sequences                              |   |                                                                                                                                                                               |                                                                                                                                     |                                                                                          |                                              |                           |            |

## **Reference Cards**

| Assertion Name                   | What is verified? (Instruction/ Exception/ Interrupt)                                                                                        |          |       |  |
|----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------|----------|-------|--|
| RESET_a                          | The behaviour of the pipeline after applying the reset sequence                                                                              |          |       |  |
| BUBBLE_a                         | NOP (The behaviour of the pipeline when nothing is executed due to stalling or nop operations)                                               |          |       |  |
| XCPT_IF_ID_a                     | Debug instruction address breakpoint, instruction address breakpoint, instruction page fault, Instruction access fault, Illegal instruction, |          |       |  |
|                                  | and instruction address misaligned exceptions                                                                                                |          |       |  |
| XCPT_MEM_a                       | Debug Load/Store/AMO address breakpoint, and Load/Store/AMO address breakpoint exceptions                                                    |          |       |  |
| XCPT_WB_a                        | Load/Store/AMO address misaligned, Load/Store/AMO page fault and Load/Store/AMO access fault exceptions                                      |          |       |  |
| INTR_Handle_a                    | User/ Supervisor/ Machine software/ timer/ external interrupts as well as the debug interrupts (including single stepping)                   |          |       |  |
| RV32I.ARITH a                    | LUI,AUIPC,ADDI,SLTI,SLTIU,XORI,ORI,ANDI,SLLI,SRLI,SRAI,ADD,SUB,SLL,SLT,SLTU,XOR,SRL,SRA,OR,AND                                               | I        | 32    |  |
| RV32I.JUMP_a                     | JAL,JALR                                                                                                                                     | I        | 32    |  |
| RV32I.BRANCH_a                   | BEQ, BNE, BLT, BGE, BLTU, BGEU                                                                                                               | L        | 32    |  |
| RV32I.MEM a                      | LB,LH,LW,LBU,LHU,SB,SH,SW                                                                                                                    | I        | 32    |  |
| RV32I.MEM MultiAccess a          | LH,LW,LHU,SH,SW                                                                                                                              | 1        | 32    |  |
| RV32I.FENCE a                    | FENCE                                                                                                                                        | 1        | 32    |  |
| RV32I.ECALL a                    | ECALL (Environment call exception)                                                                                                           | 1        | 32    |  |
| RV32I.EBREAK BreakPoint a        | EBREAK,C.EBREAK (Environment break exception)                                                                                                | 1        | 32    |  |
| RV32I.Debug.EBREAK HaltReq a     | EBREAK,C.EBREAK                                                                                                                              | 1        | 32    |  |
| RV32I.Debug.EBREAK ForcedEntry a | EBREAK,C.EBREAK                                                                                                                              | 1        | 32    |  |
| RV32I.xRET a                     | MRET,SRET,URET,DRET                                                                                                                          |          |       |  |
| RV32I.WFI a                      | WFI                                                                                                                                          |          |       |  |
| RV32I.Supervisor.SFENCE VMA a    | SFENCE.VMA                                                                                                                                   | S        |       |  |
| RV64I.ARITH a                    | ADDIW,SLLIW,SRLIW,SRAIW,ADDW,SUBW,SLLW,SRLW,SRAW                                                                                             | I        | 64    |  |
| RV64I.MEM a                      | LWU,SD,LD                                                                                                                                    | I        | 64    |  |
| RV64I.MEM MultiAccess a          | LWU,SD,LD                                                                                                                                    | I        | 64    |  |
| RVZifencei.FENCE_I_a             | FENCE.I                                                                                                                                      | Zifencei | 32/6  |  |
| RVZicsr.CSRx a                   | CSRRW,CSRRS,CSRRC,CSRRWI,CSRRSI,CSRRCI                                                                                                       | Zicsr    | 32/ 6 |  |
| RV32M.MUL a                      | MUL                                                                                                                                          | м        | 32    |  |
| RV32M.MULH a                     | MULH                                                                                                                                         | M        | 32    |  |
| RV32M.MULHSU a                   | MULHSU                                                                                                                                       | м        | 32    |  |
| RV32M.MULHU a                    | MULHU                                                                                                                                        | М        | 32    |  |
| RV32M.DIV_a                      | DIV                                                                                                                                          | М        | 32    |  |
| RV32M.DIVU_a                     | DIVU                                                                                                                                         | M        | 32    |  |
| RV32M.REM_a                      | REM                                                                                                                                          | м        | 32    |  |
| RV32M.REMU_a                     | REMU                                                                                                                                         | м        | 32    |  |
| RV32M.MUL_a                      | MUL,MULH,MULHSU,MULHU                                                                                                                        | M        | 32    |  |
| RV32M.DIV a                      | DIV.DIVU.REM.REMU                                                                                                                            | м        | 32    |  |

## VIP Assertion **VS** Spec Instruction/ Exception **Mapping**



# **Application Examples**



## **Types of Bugs Found** Rocket, CV32E40P, ibex cores



## Application Example 64-Bit Rocket Core

## **Issues reported**<sup>®</sup>

- **#1752** DIV result not written to register file
- **#1861** Illegal opcodes replayed



#1949 Undocumented non-standard CSR

**#2022** DRET instruction is executable outside of debug mode

## Performance

 $\mathbf{Z}$  < 5 days of verification setup

C < 10 minutes run time per property</p>

## <2 hours total runtime</p>

\*<u>https://github.com/freechipsproject/rocket-chip/issues/</u>

#### RV64GC\_Zicsr\_Zifencei Core



- 5-stage single-issue in-order pipeline
- 39-bit virtual memory address space
- 3 privilege levels
- Out-of-order termination
- Branch prediction & replay mechanism
- Verified and taped-out multiple times

## Application Example 32-Bit RI5CY/ CV32E40P Core

## **Issues reported\***

**#132** Fetch side exception influences earlier instruction execution

**#136, #137, #170** Missed illegal exceptions

**#159** Wrong PMP computation

**#174** Wrong F instruction result written to register file

**#533** Illegal instruction retires

\*<u>https://github.com/openhwgroup/cv32e40p/issues</u>

### RV32IMC[F]\_Zicsr\_Zifencei[\_Xpulp] Core



- 4-stage single-issue in-order pipeline
- Partial support for privileged spec 1.10
  - User Mode & physical memory protection
- Many custom instruction set extensions
  - Post-incrementing load/store instructions
  - Hardware Loops ALU instructions
  - Multiply Accumulate SIMD extensions

## **CV32E40P Bug Case Study** Systematic bug detection

## Assertion CSRx\_a verifies complete architecture register update for 6 CSR instructions



# Underlying Technology



## Instructions Mapped to Operational Assertions OneSpin 360's unique modelling principle

Overall specification broken down into list of operations List of operations forms complete specification

## Operational assertions for all operations enable GapFreeVerification



The tool automatically considers all sequences of operations and all combinations of trigger conditions

Only a Few Operational Assertions for each instruction, exception, interrupt

## **GapFreeVerification**<sup>™</sup>



## **GapFreeVerification™**

Develop executable specification in the form of assertions Prove that executable specification has no gaps or inconsistencies Prove that executable specification and RTL are functionally equivalent

## Abstraction

Specification, RTL

## Scope

New IP, critical IP, untrusted 3PIP

## **Benefits**

Detects errors and inconsistencies in the specification Prove 100% equivalence between specification and implementation

Demonstrate absence of bugs/ Trojans/ ambiguities

## **RISC-V FPU Verification**





- Supports half/single/double bfloat16 and custom precisions
- Supports all 5 rounding modes and 5 exceptions flags
- add, sub, mul, fma, abs, neg, min, max
- Conversion and comparison operations
- Parameters to specify ambiguities in the standard
- Easy to model intended deviations from the IEEE-754 standard

## Integrate Coverage Results Speed-up coverage closure



## **OneSpin's RISC-V Processor Core Verification App**



>10x improvement
on verification setup & runtime



High Degree of Automation Enabling automated verification of generated core from common spec



## **Exhaustive and Complete**

verification leaves no bugs & exposes vulnerabilities



## **Superior & Unique**

Leveraging OneSpin's expertise & unique Interval Property Checking & GapFreeVerification™



## 

CV32E40P is the first open-source core for high-volume chips verified with the state-of-theart process required for high-integrity, commercial SoCs. OneSpin is a key contributor. The OneSpin RISC-V Integrity formal verification solution has systematically detected cornercase bugs in the exception logic and pipeline. These issues would only be triggered under rare conditions in the instruction sequence, memory stalls, and CSRs programming. **Constrained-random simulation tests to find these issues would require large investments in development and simulation time. The pinpointing of the issues' root cause was impressive and a massive time-saver in debug time. The solution also showed almost <b>zero noise** in detecting real RTL bugs, as opposed to other approaches where the issues reported often lead to fixes in the verification environment.

Steve Richmond - Verification Manager - Central R&D Digital at Silicon Labs Arjan Bink - Principal Architect - IoT Digital Systems at Silicon Labs



## Contact

Published by Siemens EDA

Salaheddin Hetalani Field Application Engineer Nymphenburgerstr. 20a 80335 Munich Germany

E-mail salaheddin.hetalani@siemens.com





## **Disclaimer**

© Siemens 2022

Subject to changes and errors. The information given in this document only contains general descriptions and/or performance features which may not always specifically reflect those described, or which may undergo modification in the course of further development of the products. The requested performance features are binding only when they are expressly agreed upon in the concluded contract.

All product designations may be trademarks or other rights of Siemens AG, its affiliated companies or other companies whose use by third parties for their own purposes could violate the rights of the respective owner.

