# Making RISC-V Market Ready The Economic Case for Formal Verification Dr. Ashish Darbari Founder & CEO Axiomise ### Verification trends Wilson research reports 2022-2024 75% IC/ASIC projects run behind schedule 60-80% Overall verification costs ASICs require two or more respins 83% FPGA designs with non-trivial bug escapes 62% Logical/Functional flaws causing re-spins in designs (>1B gates) 10<sup>30</sup> simulation cycles not finding bugs ### Verification trends #### Wilson research reports 2024 Fig. 1: Number of designs that are functionally correct and manufacturable is declining. Source: Siemens EDA/Wilson Research Group 2024 Functional Verification Study/DVCon SYSTEMS & DESIGN # First-Time Silicon Success Plummets Number of designs that are late increases. Rapidly rising complexity is the leading cause, but tools, training, and workflows need to improve. MARCH 27TH, 2025 - BY: ED SPERLING **...** **F**irst-time silicon success is falling sharply due to rising complexity, the need for more iterations as chipmakers shift from monolithic chips to multi-die assemblies, and an increasing amount of customization that makes design and verification more time-consuming. TECHNICAL PAPERS Scalable And Energy Efficient Solution For Hardware-Based ANNs (KAUST, NUS) MARCH 30, 2025 BY TECHNICAL PAPER LINK GPU Analysis Identifying Performance Bottlenecks That Cause Throughput Plateaus In Large-Batch Inference MARCH 30, 2025 BY TECHNICAL PAPER LINK Strategies For Reducing The Effective GaN/Diamond TBR SIEMENS Cadence SYNOPSYS \*\*KEYSIGHT MOVELLUS ARTERIS axiomise axiomise **NEWSLETTER SIGNUP** ### Formal verification services Scaling formal for big designs – enabling end-to-end sign-off The Axiomise team has experience in verifying over 150 designs DMA controller Multi-threaded processor Bus bridges (AXI/CHI/OCP/TileLink) Cache sub-systems GPU shaders I2C/USB/HDMI/I2S Network-on-chip AI/ML accelerator **Ethernet Switch** Mixed-signal Low-power Power controller # Why is chip verification hard? Why bugs escape to silicon? A holistic approach is missing A unifying perspective is missing ARCHITECTURE DESIGN/MICROARCHITECTURE **NETLIST** **SILICON** ## Modern-day processors Massively optimised Pipelining Interlocking Forwarding Branches Jumps Exceptions Stalls Interrupts Debug **Extensions** Clock gating Arithmetic Power Safety Security ### Complex control and data dependencies Cores have in-order or out-of-order behaviour? #### Branches: - Speculative branches - Forward jumps, Backward jumps, Page size jumps, Page boundary jumps, Jumps across pages (same or different pages) ### Back-to-back memory operations: - Cache hits & cache misses - Write-through stores - Cache bypasses, atomics and cache coherency Accelerating debug and sign-off for custom designs using exhaustive formal ### Our formal RISC-V solution ### Enables adoption of formal methods more widely - 1. No test case to write - 2. No manual checker to write - 3. No verification code to be written - 4. Exhaustively prove that all ISA instructions work as expected under all conditions #### What goes in our APP? - 1. Your RISC-V core - 2. Set up file - Coverage specification #### What comes out? Exhaustive proofs that "mathematically" prove under all conditions: - Each instruction in the ISA works always as expected - Scenarios specified in the coverage specification can "always" happen - Visualize that scenarios in the coverage specification "can happen" ### Agile formal verification for end-to-end sign-off Saving simulation time, obtaining exhaustive proofs, finding corner-case bugs cv32e40p 9 July cv32e40p 3 Dec Setup 9 July Setup 3 Dec BUGS, PROOFS of BUG ABSENCE & INTER-OPERABLE COVERAGE MODEL | 0 100 | √ «u isa.axiomise | as BEO abstra | ct | | | | | | |--------|-------------------------------|---------------|------------------------------------------------|-------------------------|---|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|--------------| | 0 100 | ✓ «u isa.axiomise | | | | | | ✓ ∉u_isa.au | xiomise_as | | | | as ISA JALR | | | | - | u_isa.ao | xiomise_as | | 0 100 | ✓ «u isa.axiomise | | | | | | ✓ ₀u_isa.ao | xiomise_as | | | ✓ u isa.axiomise | | Name | | 0 | 100 | ✓ «u_isa.ao | xiomise_as | | 0 800 | ✓ «u_isa.genblk7.ax | | | co_ISA_BGES_instr_addr | | - | u_isa.au | xiomise_as | | | ✓ u isa.genblk7.ax | | | _co_ISA_BLTS_instr_addr | 0 | 100 | - | anht-7 aulan | | 0 858 | ✓ «u isa genblk6.ax | - | | co_ISA_BLTU_instr_addr | | - | → Sc | Vc Name | | 0 1000 | ✓ « u isa.axiomise | - | | _co_ISA_BGEU_instr_addr | | - | - | u isa | | | ✓ u isa.axiomise | - | | co_ISA_BNE_instr_addr | | 100 | * 800 | u isa | | 0 800 | ✓ « u isa axiomise | - | | co_ISA_BEQ_instr_addr | | - | - | u isa | | 0 1000 | ✓ «u isa.axiomise | - | u_isa.axiomise_co_ISA | | | 100 | - XXX | u isa | | | ✓ , u isa axiomise | 1= | u_isa.axiomise_co_ISA | | 0 | mitter . | / ES | u isa | | 0 1000 | ✓ « u isa.axiomise | - | u_isa.axiomise_co_ISA | | | - | - Name | u_isa | | | ✓ u isa.axiomise | | u_isa.axiomise_co_ISA | | 0 | 100 | F 100 | u isa | | 0 800 | ✓ « u isa axiomise | - | u_isa.axiomise_co_ISA<br>u_isa.axiomise_co_ISA | | | - | - | u_isa | | | ✓ «u isa.axiomise | 1= | | | | 100 | / NO | u isa | | 0 100 | √ ₃u isa.axiomise | - | u_isa.axiomise_co_ISA<br>u_isa.axiomise_co_ISA | | | | - | u_isa | | 0 850 | ✓ «u isa.axiomise | 1= | | | | - | · 2000 | u_isa. | | 0 000 | ✓ «u isa.axiomise | - | u_isa.axiomise_co_ISA_ | | 0 | 100 | - | u isa | | 0 800 | ✓ , u isa.axiomise | - | u_isa.axiomise_co_ISA<br>u_isa.axiomise_co_ISA | | | - | · *** | u_isa. | | 0 100 | ✓ «u isa.axiomise | - | u_isa.axiomise_co_isA | | | | 100 | u_isa | | | ✓ <sub>1</sub> u isa.axiomise | - | u isa.axiomise co ISA | | 0 | 100 | / COM | u_isa | | 0 800 | ✓ «u isa.axiomise | 1= | u_isa.axiomise_co_isA | | | - | 200 | u_isa | | | ✓ Lu isa.axiomise | - | u isa.axiomise co ISA | | 0 | - | - | u_isa | | 0 1000 | ✓ , u isa axiomise | | u isa.axiomise co ISA | | | - | V 800 | u_isa. | | 0 100 | ✓ «u isa.axiomise | 1= | u isa.axiomise co ISA | | 0 | 100 | - | u_isa | | 0 000 | ✓ u isa.axiomise | - | u isa.axiomise co ISA | | | MACHINE TO A STATE OF THE | - NEW | u_isa | | 0 850 | ✓ , u isa.axiomise | 1 | u isa.axiomise co ISA | | | - | / KIN | u_isa | | 0 100 | ✓ «u isa.axiomise | - | u isa.axiomise co ISA | | | | - | u_isa. | | | √ u isa.axiomise | - | u isa.axiomise co ISA | | 0 | - | - | u_isa | | 0 100 | ✓ « u isa.axiomise | 800 | u isa.axiomise co ISA | | | - | - | u_isa | | | | - | u isa.axiomise co ISA | | | 100 | - | u_isa | | | | 200 | u isa.axiomise co ISA | | | | - | u_isa | | | | - | u isa.axiomise co ISA | | | | 2000 | u_isa | | | | *** | u isa.axiomise co ISA | | | | *** | u_isa | | | | - | u isa.axiomise co ISA | | | | 1000 | u_isa | | | | 800 | u isa axiomise co ISA | | | | 1000 | u_isa. | | | | | u isa.axiomise co ISA | | | | *** | u_isa | | | | 100 | u isa.axiomise co ISA | | | | 100 | u_isa | | | | 100 | u isa.axiomise co ISA | | | | *** | u_isa | | | | 100 | u isa.axiomise co ISA | | | | 800 | u_isa | | | | 100 | u isa.axiomise co ISA | | | | 100 | u_isa | | | | | u isa.axiomise co ISA | | | | 800 m | u_isa. | | | | 800 | u isa.axiomise co ISA | | | | 100 | u_isa | | | | | 0_100.001011186_00_13A | 0210_021_10_0 | | | 800 m | u_isa | | | | | | | | | 1000 | u_isa | | | | | | | | | 1000 | u_isa | | | | | | | | | 1000 | u_isa. | | | | | | | | | | | ### ibex ### Complete democracy – use any tool you like | _ | ibex core.u isa.axiomise ISA JALR | □ ◎ ■ u_isa.axiomise_ ISA_SRLI | | | — sva/u_isa/axiomiseisA_ADDi | pass (4) | noid | |----------|----------------------------------------------|-----------------------------------------|--------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------|-----------|------| | ~ | IDEX_COTC.d_ISd.dxIoIIIISC_ISA_JALEN | u isa.axiomise ISA ADDI | ✓ Assert | ibex_core.u_isa.inv_block_jal[4].axiomise_inv_isa_jal | sva/u_isa/axiomiseISA_AND | pass (4) | hold | | V | ibex_core.u_isa.axiomise_ISA_LUI | ujsa.axiomise_isA_abbi | <b>✓</b> Assert | ibex_core.u_isa.inv_block_jalr[0].axiomise_inv_isa_jalr | sva/u_isa/axiomise_ISA_ANDI | pass (4) | hold | | | " IFA OD | u isa.axiomise ISA JALR | ✓ Assert | ibex_core.u_isa.inv_block_auipc[0].axiomise_inv_isa_auipc | sva/u_isa/axiomiseISA_BEQ | pass (4) | hold | | <b>✓</b> | ibex_core.u_isa.axiomiseISA_OR | | <b>✓</b> Assert | ibex_core.u_isa.inv_block_auipc[4].axiomise_inv_isa_auipc | sva/u_isa/axiomiseISA_BGES | pass (4) | hold | | | ibex core.u isa.axiomise ISA ORI | u_isa.axiomise_ISA_XORI | ✓ Assert | ibex_core.u_isa.inv_block_auipc[8].axiomise_inv_isa_auipc | sva/u_isa/axiomiseISA_BGEU | pass (4) | hold | | ~ | | u_isa.axiomise_ISA_BEQ | <b>✓</b> Assert | ibex_core.u_isa.inv_block_auipc[12].axiomise_inv_isa_auipc | sva/u_isa/axiomise_ISA_BLTS | pass (5) | hold | | <b>~</b> | ibex_core.u_isa.axiomiseISA_SLL | u_isa.axiomise_ISA_BNE | <b>✓</b> Assert | ibex_core.u_isa.inv_block_auipc[20].axiomise_inv_isa_auipc | sva/u_isa/axiomiseISA_BLTU | pass (5) | hold | | | they care u ica aviemice ISA SIII | u_isa.axiomiseISA_SLTSI_SET_TO_1 | <b>✓</b> Assert | ibex_core.u_isa.inv_block_auipc[24].axiomise_inv_isa_auipc | sva/u_isa/axiomise_ISA_BNE | pass (5) | hold | | <b>✓</b> | ibex_core.u_isa.axiomiseISA_SLLI | u_isa.axiomiseISA_BGEU | <b>✓</b> Assert | ibex_core.u_isa.inv_block_auipc[28].axiomise_inv_isa_auipc | sva/u_isa/axiomiseISA_JAL | pass (4) | hold | | <b>✓</b> | ibex core.u isa.axiomise ISA SLTSI SET TO 0 | □ ◎ ■■ u_isa.axiomiseISA_SLTSI_SET_TO_0 | ✓ Assert | ibex_core.u_isa.axiomise_ISA_JAL | sva/u_isa/axiomise_ISA_JAL_ret_address | pass (5) | hold | | • | | □ ◎ ■ u_isa.axiomise_ISA_XOR | ✓ Assert | ibex_core.u_isa.axiomise_ISA_JAL_ret_address | sva/u_isa/axiomise_ISA_JALR | pass (4) | hold | | ~ | ibex_core.u_isa.axiomiseISA_SLTSI_SET_TO_1 | □ ◎ ■■ u_isa.axiomiseISA_SLTUI_SET_TO_1 | ✓ Assert | ibex_core.u_isa.axiomise_ISA_JALR | sva/u_isa/axiomise_ISA_LUI | pass (4) | hold | | | ibex core.u isa.axiomise ISA SLTS SET TO 0 | u_isa.axiomiseISA_OR | ✓ Assert | ibex_core.u_isa.axiomise_ISA_BEQ | sva/u_isa/axiomiseISA_OR | pass (4) | hold | | <b>~</b> | IDEX_COTE.d_ISd.dxIoIIIISE_ISS_SET_TO_C | □ ◎ ■ u_isa.axiomiseISA_ORI | ✓ Assert | ibex_core.u_isa.axiomise_ISA_BNE | sva/u_isa/axiomise_ISA_ORI | pass (4) | hold | | <b>✓</b> | ibex_core.u_isa.axiomiseISA_SLTS_SET_TO_1 | □ ◎ ■ u_isa.axiomiseISA_SLTUI_SET_TO_0 | <b>✓</b> Assert | ibex_core.u_isa.axiomise_ISA_BGEU | sva/u_isa/axiomiseISA_SLL | pass (4) | hold | | * | | □ ◎ ■ u_isa.axiomiseISA_ANDI | ✓ Assert | ibex_core.u_isa.axiomise_ISA_BLTU | sva/u_isa/axiomise_ISA_SLLI | pass (4) | hold | | <b>✓</b> | ibex_core.u_isa.axiomiseISA_SLTUI_SET_TO_0 | □ ◎ ■ u_isa.axiomiseISA_SLLI | ✓ Assert | ibex_core.u_isa.axiomise_ISA_LUI | sva/u_isa/axiomiseISA_SLTS_SET_TO_0 | pass (4) | hold | | <b>→</b> | ibex core.u isa.axiomise ISA SLTUI SET TO 1 | □ ◎ ■ u_isa.axiomiseISA_SLTS_SET_TO_1 | Assert | ibex_core.u_isa.axiomise_ISA_ADDI | sva/u_isa/axiomiseISA_SLTS_SET_TO_1 | g(3ss (5) | hold | | ~ | | □ ◎ ■ u_isa.axiomiseISA_SLTU_SET_TO_1 | ✓ Assert | ibex core.u isa.axiomise ISA XORI | sva/u_isa/axiomiseISA_SLTSI_SET_TO_0 | pass (4) | hold | | <b>~</b> | ibex_core.u_isa.axiomiseISA_SLTU_SET_TO_0 | □ □ u_isa.axiomiseISA_BLTS | ✓ Assert | ibex_core.u_isa.axiomise_ISA_ORI | sva/u_isa/axiomiseISA_SLTSI_SET_TO_1 | pass (4) | hold | | | they care u ica aviersise ISA SITU SET TO 1 | □ □ u_isa.axiomiseISA_SRAI | ✓ Assert ✓ Assert | ibex_core.u_isa.axiomise_ISA_ONI | sva/u_isa/axiomiseISA_SLTU_SET_TO_0 | pass (4) | hold | | <b>~</b> | ibex_core.u_isa.axiomiseISA_SLTU_SET_TO_1 | □ ○ ■ u_isa.axiomiseISA_SLTS_SET_TO_0 | ✓ Assert ✓ Assert | ibex_core.u_isa.axiomise_ISA_ANDI | sva/u_isa/axiomiseISA_SLTU_SET_TO_1 | pass (5) | hold | | <b>→</b> | ibex core.u isa.axiomise ISA SRA | □ ◎ ■ u_isa.axiomiseISA_SLTU_SET_TO_0 | ✓ Assert ✓ Assert | ibex_core.u_isa.axiomise_isA_BCES | sva/u_isa/axiomiseISA_SLTUI_SET_TO_0 | pass (4) | hold | | _ | | □ ◎ ■ u_isa.axiomiseISA_JAL | Assert Assert | ibex_core.u_isa.axiomise_ISA_BGES ibex_core.u_isa.axiomise_ISA_SLTSI_SET_TO_1 | sva/u_isa/axiomise_ISA_SLTUI_SET_TO_1 | pass (4) | hold | | <b>✓</b> | ibex_core.u_isa.axiomiseISA_SRAI | □ | ✓ Assert ✓ Assert | | sva/u_isa/axiomiseISA_SRA | pass (4) | hold | | | ibex core.u isa.axiomise ISA SRL | □ ◎ ■ u_isa.axiomiseISA_BGES | | ibex_core.u_isa.axiomiseISA_SLTSI_SET_TO_0 | sva/u_isa/axiomise_ISA_SRAI | pass (4) | hold | | ~ | IDEX_COTE.U_ISG.GXIOTHISE_ISA_SILE | □ ◎ ■ u_isa.axiomiseISA_SRA | Assert | ibex_core.u_isa.axiomise_ISA_SLTUI_SET_TO_1 | sva/u_isa/axiomiseISA_SRL | pass (4) | hold | | • | ibex_core.u_isa.axiomiseISA_SRLI | □ ◎ ■ u_isa.axiomiseISA_BLTU | Assert | ibex_core.u_isa.axiomise_ISA_SLTUI_SET_TO_0 | sva/u_isa/axiomise_ISA_SRLI | pass (4) | hold | | | | u_isa.axiomiseISA_ADD | Assert | ibex_core.u_isa.axiomise_ISA_SLLI | sva/u_isa/axiomise_ISA_SUB | pass (4) | hold | | <b>✓</b> | ibex_core.u_isa.axiomiseISA_SUB | □ ◎ ■ u_isa.axiomise_ ISA_AND | Assert | ibex_core.u_isa.axiomise_ISA_SRLI | sva/u_isa/axiomise_ISA_XOR | pass (4) | hold | | | ibex core.u isa.axiomise ISA XOR | □ ◎ □ u isa.axiomise ISA SUB | Assert | ibex_core.u_isa.axiomise_ISA_SRAI | sva/u_isa/axiomise_ISA_XORI | pass (4) | hold | | ~ | IDEA_COTCIG_ISGLGATOTHISCISAT_ACTA | □ ◎ □ u isa.axiomise ISA SLL | <b>✓</b> Assert | ibex_core.u_isa.axiomise_ISA_SLL | sva/u_isa/axiomiseHISA_AUIPC | pass (4) | hold | | <b>₩</b> | ibex_core.u_isa.axiomise_ISA_XORI | u isa.axiomise ISA JAL ret address | <b>✓</b> Assert | ibex_core.u_isa.axiomise_ISA_SRL | sva/u_isa/axiomiseHISA_JALR2 | pass (4) | hold | | <b>Y</b> | IDEA_COTOTO_TOTOTOTOTOTOTOTOTOTOTOTOTOTOTOTO | u_isa.axiomiseisa_jal_rei_address | | 2007 B 371 cons - 100 1 4 symmetry - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - 100 - | SVAJU_ISAJAKIOIIIISAIIISA_JALKE | pass (+) | | # Formal verification Agile bug hunting and proofs of bug absence ### Specification bugs in RISC-V ISA Inconsistencies in the RISC-V ISA v2.2 | 31 | 26 25 | 24 2 | 0 19 | 15 14 | 12 11 | 7 6 | |-----------|----------|------------|----------------------|--------|-------|-----------| | imm[11:6] | imm[5] | imm[4:0] | rs1 | funct3 | rd | opcode | | 6 | 1 | 5 | 5 | 3 | 5 | 7 | | 000000 | shamt[5] | shamt[4:0] | src | SLLI | dest | OP-IMM | | 000000 | shamt[5] | shamt[4:0] | $\operatorname{src}$ | SRLI | dest | OP-IMM | | 010000 | shamt[5] | shamt[4:0] | src | SRAI | dest | OP-IMM | | 000000 | 0 | shamt[4:0] | $\operatorname{src}$ | SLLIW | dest | OP-IMM-32 | | 000000 | 0 | shamt[4:0] | src | SRLIW | dest | OP-IMM-32 | | 010000 | 0 | shamt[4:0] | $\operatorname{src}$ | SRAIW | dest | OP-IMM-32 | Shifts by a constant are encoded as a specialization of the I-type format using the same instruction opcode as RV32I. The operand to be shifted is in rs1, and the shift amount is encoded in the lower 6 bits of the I-immediate field for RV64I. The right shift type is encoded in bit 30. SLLI is a logical left shift (zeros are shifted into the lower bits); SRLI is a logical right shift (zeros are shifted into the upper bits); and SRAI is an arithmetic right shift (the original sign bit is copied into the vacated upper bits). For RV32I, SLLI, SRLI, and SRAI generate an illegal instruction exception if $imm[5] \neq 0$ . | 0000000 | shamt | rs1 | 001 | rd | 0010011 | SLLI | |---------|-------|-----|-----|---------------------|---------|------| | 0000000 | shamt | rs1 | 101 | rd | 0010011 | SRLI | | 0100000 | shamt | rs1 | 101 | $\operatorname{rd}$ | 0010011 | SRAI | Page 30 Page 104 | | ibex | zeroriscy | cv32e40p | | WARP-V | | | | |---------------------------------|------------------------------------------------------|------------------------------------------------------|------------------------|---------------|---------------|---------------|---------------------|--| | Pipeline<br>stages | 2-stage | 2-stage | 4-stage | 6-stage | 4-stage | 2-stage | 2-stage | | | No. of issues | 65 | 77 | 5 | 30 | 30 | 30 | 6 | | | Previously verified | Yes | Yes | No | Yes | Yes | Yes | Yes | | | How was it previously verified? | Simulation | Simulation | Simulation &<br>Formal | Formal | Formal | Formal | Simulation & Formal | | | Time taken to find issues | < 30 seconds | < 30 seconds | < 30 seconds | < 30 seconds | < 30 seconds | < 30 seconds | <1 min | | | Nature of analysis and issues | Microarchitectural<br>Deadlocks and<br>Architectural | Microarchitectural<br>Deadlocks and<br>Architectural | Architectural | Architectural | Architectural | Architectural | Corner-case bugs | | | When was the issue found? | 2019 | 2019 | 2020 | 2021 | 2021 | 2021 | 2024 | | # cv32e40p 32-bit, 4-stage in-order pipeline axiomise ### CVA6 64-bit six-stage, in-order issue, out-of-order execution, in-order commit #### From the OPENHW Group Page CVA6 is a 6-stage, single issue, in-order CPU which implements the 64-bit RISC-V instruction set. It fully implements I, M, A and C extensions as specified in Volume I: User-Level ISA V 2.3 as well as the draft privilege extension 1.10. It implements three privilege levels M, S, U to fully support a Unix-like operating system. Furthermore, it is compliant to the draft external debug spec 0.13. It has configurable size, separate TLBs, a hardware PTW and branch-prediction (branch target buffer and branch history table). The primary design goal was on reducing critical path length. ### CVA6 64-bit six-stage, in-order issue, out-of-order execution, in-order commit # i-RADAR Debug Intelligent Rapid Analysis Debug and Reporting ## Intelligent debug ### Waveforms, reports # Intelligent debug Waveforms, reports # SURF Reporting Scheduler and Reporter for Formal # SURF dashboard # SURF dashboard RISC-V ### SURF dashboard ### Example reporting bugs ### SURF dashboard ### Example reporting bugs | Assert | s | | | | | | | | | |--------|------------------|-----------------------------------|---------------|---------------|------------|--------|-------|-------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | No. | Instruction type | Property label | Assert status | Preconditions | Proof time | Engine | Bug | Mnemonic | Specifications | | 1. | BASE ITYPE | as_ISA_ADDI_abstract | UNDETERMINED | COVERED | 42783.41 | Tri | Maybe | add rd rs1 imm12 | x[rd] = x[rs1] + imm12. Adds imm12 to register $x[rs1]$ and writes the result to $x[rd]$ , arithmetic overflow is ignored. | | 2. | BASE ITYPE | as_ISA_ADDI | UNDETERMINED | COVERED | 86063.33 | Bm | | add rd rs1 imm12 | x[rd] = x[rs1] + imm12. Adds imm12 to register $x[rs1]$ and writes the result to $x[rd]$ , arithmetic overflow is ignored. | | 3. | BASE ITYPE | as_ISA_XORI_abstract | PROVEN | COVERED | 90.19 | М | No | xori rd rs1 imm12 | $x[rd] = x[rs1] \land imm12$ . Computes the bitwise XOR of registers $x[rs1]$ and imm12 and writes the result to $x[rd]$ . | | 4. | BASE ITYPE | as_ISA_XORI | PROVEN | COVERED | 73.07 | М | No | xori rd rs1 imm12 | $x[rd] = x[rs1] \land imm12$ . Computes the bitwise XOR of registers $x[rs1]$ and imm12 and writes the result to $x[rd]$ . | | 5. | BASE ITYPE | as_ISA_ORI_abstract | PROVEN | COVERED | 67.32 | М | No | ori rd rs1 imm12 | $x[rd] = x[rs1] \mid imm12$ . Computes the bitwise OR of registers $x[rs1]$ and imm12 and writes the result to $x[rd]$ . | | 6. | BASE ITYPE | as_ISA_ORI | PROVEN | COVERED | 86.84 | М | No | ori rd rs1 imm12 | $x[rd] = x[rs1] \mid imm12$ . Computes the bitwise OR of registers $x[rs1]$ and imm12 and writes the result to $x[rd]$ . | | 7. | BASE ITYPE | as_ISA_ANDI_abstract | PROVEN | COVERED | 99.02 | М | No | andi rd rs1 imm12 | x[rd] = x[rs1] & imm12. Computes the bitwise OR of registers $x[rs1]$ and imm12 and writes the result to $x[rd]$ . | | 8. | BASE ITYPE | as_ISA_ANDI | PROVEN | COVERED | 66.73 | М | No | andi rd rs1 imm12 | x[rd] = x[rs1] & imm12. Computes the bitwise OR of registers $x[rs1]$ and imm12 and writes the result to $x[rd]$ . | | 9. | BASE ITYPE | as_ISA_SLTI_SET_TO_1_ab<br>stract | PROVEN | COVERED | 79.05 | Tri | No | slti rd rs1 imm12 | x[rd] = x[rs1] <s 0="" 1="" and="" as="" compares="" if="" imm12.="" is="" not.<="" numbers,="" signed="" smaller,="" td="" to="" writes="" x[rd]="" x[rs1]="" x[rs2]=""></s> | # Anatomy of bugs Processor bugs caught by formalISA ### BEQ failure #### Functional verification - ibex Bug caused due to incoming debug request on the debug interface when the controller is in the DECODE state. Nothing in the design to take care of such requests, causing the PC to be not updated correctly. ### BEQ failure Functional verification - ibex Only seen when debug arrives and the controller FSM is in the DECODE state. Precise timing of arrival of debug makes this bug really hard to catch in dynamic simulation. Formal catches it in seconds in 7 cycles! ### Illegal instruction handling cheriot-ibex: Verified in September 2024 The illegal instruction affected the execution of the valid instruction that followed it. #### Issues - Sending the illegal instruction request to the memory. - Wasted execution power. - Invalid data in the register file and subsequently in memory. The illegal load instruction affected the execution of the valid AND (or any R-TYPE) instruction that followed it. ### Illegal instruction handling – bit manipulation After the first bug fix, bit manipulations instructions were broken Looking further into the issue, the culprit seems to be that the id\_fsm\_d logic can't handle exception being issued in the 2nd half of a multi-cycle instruction. Specifically, the illegal\_reg\_cheri results in an EX stage exception but instr\_kill is only raised in the 2nd half of a bit manipulation instruction (when rs3 is accessed). In this case multicycle\_done is never issued and thus id\_fsm\_q will not updated properly. Contributor ) · · · @GregAC do you plan to keep supporting the bit instructions with rs3? if so I can try fix the behavior in cheriot-ibex. You may want to take a look at the upstream ibex implementation as well. https://github.com/microsoft/cheriot-ibex/issues/51 ### **WARP-V** Six stage pipelined processor with a range of bugs # Memory subsystem Caught by our formalISA ### Bugs hard to catch with simulation ### Bugs hard to catch with simulation ### Bugs hard to catch with simulation Incorrect validation of cache line due to the bypass store Design in Area Analyser Footprint Area Analyser Redundancy report Area saved axiomise # footprint Results Open-source designs | Designs | Gate count | Flop count | Redundant component | | Estimated redundant gates | |------------------------------------|------------|----------------------------|---------------------|--------|---------------------------| | | | | Counter | 3 | 768 | | Cheriot-ibex | 303,737 | 14,723 | Register | 313 | 16,440 | | | | | Array | 23 | 7,872 | | | | | Fifo | 32 | 96,352 | | | | | Mux | 16 | 1,872 | | Nocgen – NoC (Network- | 590,144 | 35,200 | Fsm | 48 | 864 | | on-Chip) | 370,144 | 33,200 | Counter | 160 | 3,456 | | | | Register 624 | | | 43,296 | | | | | Array | 32 | 33,600 | | | | | Arbiter | 1 | 2 | | Chipyard – | 29,684,024 | Counter 29,684,024 322,776 | 260 | 23,220 | | | TinyRocket_ChipTop | 29,004,024 | 322,770 | Register | 1,118 | 852,552 | | | | | Array | 4 | 6144 | | | | | Register | 3,858 | 138,438 | | Chipyard –<br>Boomv3Large_BoomCore | 850,191 | 79,989 | Counter | 17 | 5,598 | | 3 - | | | 18,432 | | | | | | | Fsm | 7 | 144 | | Colores and to live | 14 507 | | Counter | 17 | 570 | | Sdram_controller | 14,507 | 1,356 | Register | 135 | 6,498 | | | | | Array | 1 | 792 | | Verilog-ethernet- | 4.054.430 | 47.007 | Register | 104 | 9,096 | | udp_complete | 1,851,130 | 46,807 | Array | 9 | 4,032 | ### Why Axiomise formal verification matters? Covering the entire spectrum of verification requirements High Proof Convergence So that you have higher confidence Bugs & Exhaustive Proofs Making sure your design is bug free Innovation in Abstractions Allowing you to have the highest quality designs, without re-spin Scalable Proof Engineering Our solutions scale as your designs do High Quality Sign-off Functional Safety Security PPA We find bugs that no-one else can; nobody gets proof convergence like us ### Cost of Failure is Expensive https://www.perforce.com/blog/mdx/semiconductor-startups#cost-of-failure-for-semiconductor-startups # Cost of Failure For Semiconductor Startups As mentioned above, semiconductor design needs to be done correctly because the cost of failure is simply too high. How high? It takes an average \$250+ million investment just to get started. If it doesn't work correctly, a respin (design correction and re-fabrication) is long and costly – to the tune of around \$25 million per re-spin. What causes re-spins? The problems often stem from specifications: either incomplete specifications or changing specifications that don't get communicated to the design teams. The root of these problems is a lack of trace of traceability, managing the process of moving from design specifications, through design, to verification and validation -- and all changes along the way. ### Summary Formal methods is a necessity to reduce costs Bugs caught late in the design cycle result in costly fixes and catastrophic failures Formal enables efficient bug hunting, a natural for shift-left paradigm Exhaustiveness establishes "proofs of bug absence" avoiding respins 10<sup>30</sup> simulation cycles are not going to find bugs that formal finds in 7 cycles #### Mantra for success: Architects use formal for validation Designers use formal for verification Verification Engineers use formal for IP and sub-system level, simulation for interfaces www.axiomise.com CONSULTING & SERVICES TRAINING CUSTOM SOLUTIONS info@axiomise.com