Design intent verification by formal property coverage
In recent times, most leading chip design companies have been seriously investigating the possibility of integrating formal property verification into their pre-silicon validation flows. Unfortunately, the state-space explosion problem has limited its scope to small and moderate-size RTL modules only. Today, we have the language support to express the architectural intent of a design in terms of formal properties. However, due to the capacity limitations of existing formal property verification methods, these architectural properties cannot be verified directly on the RTL. As a result, a set of lower-level RTL properties is developed and verified against the individual RTL modules. It is essential to formally ascertain whether this validation effort effectively guarantees the correctness of the integrated design with respect to the design's architectural intent. Also, in a top-down design approach, the architect would ideally like to know, at the time of creating the specifications for the component RTL blocks, whether the blocks (yet to be designed) would together satisfy the design's architectural intent. The focus of this thesis is on developing formal methods for addressing this problem.
We propose a new paradigm for formal property verification, namely design intent coverage, that attempts to formalize the problem of covering the design's architectural intent through local RTL properties over the components of the design. Through our work, we have presented: (1) a method for checking whether the RTL properties are covering the architectural properties; (2) a method to identify which architectural properties are not guaranteed by the RTL properties; and (3) a methodology for representing the gap between the specifications as additional formal properties.
Often it is found that the gap between the RTL specification and the architectural specification lies in the behaviors corresponding to specific input scenarios. We have developed a formal methodology to find such uncovered input scenarios and to direct simulation toward such coverage points. Additionally, the basic design intent coverage methodology has been enhanced to fit into the assume-guarantee paradigm.
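The following is an added illustration, not code from the thesis, of the three steps above (coverage check, identifying the uncovered architectural property, and representing the gap as a property) together with the extraction of uncovered input scenarios. It brute-forces all bounded traces of a constructed three-signal block (input `req`, outputs `busy` and `grant`) and checks whether the conjunction of RTL properties implies the architectural property; the signal names, properties, bounded-trace semantics and the cube-merging used to render the gap are all assumptions made for the example, and the thesis's symbolic algorithms and gap representation are considerably more refined.

```python
"""Design intent coverage on bounded traces (added example, constructed signals/properties)."""
from itertools import product

SIGNALS = ("req", "busy", "grant")   # constructed: one input, two outputs
INPUTS = ("req",)
K = 5                                # bounded trace length assumed for the example


def all_traces(k=K):
    """Every Boolean trace of length k: a list of per-cycle {signal: value} dicts."""
    n = len(SIGNALS)
    for bits in product((0, 1), repeat=k * n):
        yield [dict(zip(SIGNALS, bits[i * n:(i + 1) * n])) for i in range(k)]


# A property is (lookahead, check): check(trace, t) decides the obligation raised at cycle t,
# which may look lookahead cycles into the future (bounded semantics: unraisable obligations
# near the end of the trace are not checked).
RTL = {
    "R1: G(req & !busy -> X grant)":
        (1, lambda tr, t: not (tr[t]["req"] and not tr[t]["busy"]) or bool(tr[t + 1]["grant"])),
    "R2: G(busy -> X !busy)":
        (1, lambda tr, t: not tr[t]["busy"] or not tr[t + 1]["busy"]),
}
ARCH = {
    "A1: G(req -> X grant | X X grant)":
        (2, lambda tr, t: not tr[t]["req"] or bool(tr[t + 1]["grant"] or tr[t + 2]["grant"])),
}


def holds(prop, trace):
    lookahead, check = prop
    return all(check(trace, t) for t in range(len(trace) - lookahead))


def first_violation(prop, trace):
    lookahead, check = prop
    return next((t for t in range(len(trace) - lookahead) if not check(trace, t)), None)


def coverage_check(rtl, arch, k=K):
    """Step (1)+(2): architectural properties NOT implied by the RTL properties.
    Returns {arch_name: [witness traces]}; a witness satisfies every RTL property yet
    violates the architectural one.  An empty dict means the intent is covered."""
    uncovered = {name: [] for name in arch}
    for tr in all_traces(k):
        if not all(holds(p, tr) for p in rtl.values()):
            continue
        for name, p in arch.items():
            if not holds(p, tr):
                uncovered[name].append(tr)
    return {n: w for n, w in uncovered.items() if w}


def minimize(cubes):
    """Merge cubes differing in exactly one literal into a cube with a don't-care ('-').
    Crude fixpoint iteration; adequate for the handful of scenarios this example yields."""
    cubes = set(cubes)
    changed = True
    while changed:
        changed = False
        for a in list(cubes):
            for b in list(cubes):
                diff = [i for i in range(len(a)) if a[i] != b[i]]
                if len(diff) == 1 and a[diff[0]] != "-" and b[diff[0]] != "-":
                    cubes -= {a, b}
                    cubes.add(a[:diff[0]] + ("-",) + a[diff[0] + 1:])
                    changed = True
                    break
            if changed:
                break
    return cubes


def uncovered_input_scenarios(prop, witnesses):
    """Project each witness, from the cycle where the obligation fails, onto the inputs."""
    lookahead, _ = prop
    scenarios = set()
    for tr in witnesses:
        t = first_violation(prop, tr)
        scenarios.add(tuple(str(tr[t + i][s]) for i in range(lookahead + 1) for s in INPUTS))
    return minimize(scenarios)


def gap_property(prop, scenarios):
    """Step (3): render the uncovered input scenarios as a temporal formula (DNF of cubes)."""
    lookahead, _ = prop
    labels = [(i, s) for i in range(lookahead + 1) for s in INPUTS]
    terms = []
    for cube in sorted(scenarios):
        lits = ["X " * i + ("" if v == "1" else "!") + s
                for v, (i, s) in zip(cube, labels) if v != "-"]
        terms.append(" & ".join(lits))
    return " | ".join(terms)


# Closing the gap: an extra RTL property that handles the busy case (assumed fix).
RTL_FIXED = dict(RTL)
RTL_FIXED["R3: G(req & busy -> X X grant)"] = \
    (2, lambda tr, t: not (tr[t]["req"] and tr[t]["busy"]) or bool(tr[t + 2]["grant"]))

if __name__ == "__main__":
    for name, witnesses in coverage_check(RTL, ARCH).items():
        scen = uncovered_input_scenarios(ARCH[name], witnesses)
        print("uncovered:", name, "| input scenario:", gap_property(ARCH[name], scen))
    print("after adding R3, uncovered:", list(coverage_check(RTL_FIXED, ARCH)))
```

Running it reports that A1 is not guaranteed by R1 and R2, and that the uncovered input scenario is `req & X !req`: a request followed by a cycle without a request, during which the block may be busy and R2 only forces it to become idle, with nothing obliging a grant. Adding R3 makes the coverage check return no witnesses.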
We have also extended the design intent coverage algorithm to solve two related problems. Specifically, we have presented solutions for: (a) the Intellectual Property (IP) core selection problem, and (b) verifying the consistency of a set of assume-guarantee specifications for a set of closely coupled design blocks.