Patent Application
20110197172
The embodiments discussed herein relate to an apparatus and a program for performing design verification.
Design verification is part of the development process of software and hardware products, which permits the designer to pursue his or her design process while ensuring that the product under development will work as intended. Generally the designer is allowed to write two or more design specifications for a single product design. In the case of, for example, developing an electronic circuit, the designer may write circuit specifications as a collection of functions that the circuit is supposed to offer. (See, for example, Japanese Laid-open Patent Publication No. 2004-185592.) In addition to those functional specifications, the circuit design may include power management specifications described according to the Common Power Format (CPF), Unified Power Format (UPF), or the like, so as to specify the interaction of control signals for power management of the circuit.
The design specifications may be modified as necessary during the course of development. A change made to one of the design specifications, however, could affect other design specifications. In the aforementioned electronic circuit development, a design change made to the circuit implementation necessitates a task of estimating power consumption of the modified circuit. Depending on the result of this power estimation, another design change may become necessary. This sort of iteration occurs in each phase of the development process.
As noted above, an electronic circuit design may include power management specifications. The design process begins with an architecture-level description of the entire circuit and then proceeds to more specific implementation of individual control features. Suppose, for example, that the power management specification uses clock gating as a power saving technique. In this case, a register transfer level (RTL) description of the circuit is generated and subjected to a structural analysis, so that the CAD software tools can turn it into another RTL description suitable for implementation of clock gating mechanisms in the subsequent stage of logic synthesis, or so that the designer can do the same manually.
When estimating the circuit's power consumption as a consequence of a design change, the designer runs a test by using test vectors prepared for verification of the circuit functions. This test yields an estimated power consumption, and if the result does not fall in the range of desired power consumption, the designer changes the implementation again.
The above method, however, has a drawback in its ability to perform a comprehensive test of power management specifications because it relies on the functional test vectors. In other words, it is difficult to verify whether the control signals are exchanged correctly to achieve the desired power management. This drawback is not only of the power management specifications. That is, the conventional method has difficulty in verifying whether the product under development works correctly as defined in other given design specifications.
There is provided a design verification apparatus including a processor to produce and place constraint conditions on verification datasets provided to verify a first design specification of a target product, the constraint conditions being produced from a second design specification of the target product, based on links from units of processing which constitute a procedure defined for each verification item in the second design specification to units of processing in the first design specification, and to output data identifying the verification datasets with the constraint conditions placed by the constraint setting module, together with the verification items corresponding thereto.
The object and advantages of the invention will be realized and attained by means of the elements and combinations particularly pointed out in the claims.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory and are not restrictive of the invention, as claimed.
Embodiments of the present invention will be described below with reference to the accompanying drawings, wherein like reference numerals refer to like elements throughout. The following description begins with an overview of a design verification apparatus according to a first embodiment and then proceeds to a second embodiment to deliver more specific explanations.
The generating module 1a generates verification datasets for verification of a first design specification 2 of a target product. Here the term “target product” refers to a specific object that is to be tested and verified by the design verification apparatus 1. The target product may be, for example, hardware components, software modules, or a system thereof. The design specification of such a target product is formed from at least one function and describes what its implementation should comply with.
Specifically, preconditions are what have to be satisfied (i.e., conditions that return a value of “true” when tested) before starting a defined series of operations to execute a function. Postconditions are what have to be satisfied when such a series of operations is completed. Invariant conditions are what are supposed to be satisfied until the postconditions become true (i.e., during the course of a series of operations). As an example of such conditions,
Each procedure 20a to 20c has a branch structure in which the nodes represent units of processing to be executed by the defined operation (e.g., primary operation in the case of procedure 20a). Those units of processing may be, for example, message sequence charts (MSC) that define interactions between all objects involved in the function 2a. See, for example, U.S. Pat. No. 7,275,231 for more information about message sequence charts.
The relationships between procedures 20a to 20c are depicted in
As can be seen from
The edges of this structure 3 are directional edges which are each given a specific constraint condition where appropriate. Those constraint conditions describe under what conditions a transition takes place from one sequence to another sequence. For example,
Verification datasets are used to verify a specific procedure (e.g., whether the procedure works as it is intended). Some verification datasets may include identifiers that designate which portions of the given design specification is to be verified. When this is the case, an identifier (label) indicating a specific portion of the design specification is associated with individual units of processing which constitute a procedure. Specifically, for the function 2a illustrated in
The generating module 1a also produces a verification dataset for another procedure 20b describing exceptional operation of the function 2a, so as to associate each of the first, second, and fourth sequences with a relevant portion of the given design specification. In the example of
The generating module 1a further produces a verification dataset for yet another procedure 20c describing alternative operation of the function 2a, so as to associate each of the first and fifth sequences with a relevant portion of the given design specification. In the example of
As a result of the above processing of the generating module 1a, the first sequence has gained three lines of identifiers, which read: “Function#1: Primary,” “Function#1: Exceptional,” and “Function#1: Alternative.” The second sequence has gained two lines of identifiers, which read: “Function#1: Primary” and “Function#1: Exceptional.” The third sequence has gained a single line of identifiers “Function#1: Alternative.” The fourth sequence has gained a single line of identifiers “Function#1: Exceptional.” The fifth sequence has gained a single line of identifiers “Function#1: Alternative.”
The generating module 1a then identifies sequences sharing a particular identifier and extracts each such set of sequences as a verification dataset. In the present example of
Referring back to
Those procedures 20d to 20f have their own branch structures in which each node represents a specific unit of processing to be executed in the corresponding mode. Specifically, the procedure 20d is to execute, as its units of processing, the sixth sequence, seventh sequence, and eighth sequence in that order. Likewise, the procedure 20e is to execute the sixth sequence, seventh sequence, and ninth sequence in that order. The procedure 20f is to execute the sixth sequence and tenth sequence in that order.
The constraint setting module 1c produces constraint conditions, based on the procedures 20d to 20f of each mode described in the second design specification 4 of the target product. The constraint setting module 1c then adds those constraint conditions to the verification datasets 3b, 3c, and 3d. For example, some links are previously defined from the units of processing of each procedure 20d to 20f to those of the verification dataset 3b, 3c, and 3d. The constraint setting module 1c uses these links to determine which constraint condition is assigned to which verification dataset 3b, 3c, and 3d.
In the example of
As mentioned above, the constraint setting module 1c produces constraint conditions from the second design specification 4. According to the present embodiment, each produced constraint condition gives a condition specifying transition to one of the procedures 20d to 20f whose units of processing are linked to a particular unit of processing of the first design specification 2.
Likewise, the seventh sequence having a link to the second sequence is included in two procedures 20d and 20e. Accordingly, the constraint setting module 1c joins the mode names of those two procedures 20d and 20e by using “or” operator, so as to indicate that the procedures 20d and 20e contain a sequence linked to the second sequence. More specifically, two mode names “Mode A” and “Mode B” are joined together, thus forming a precondition for the first sequence. The constraint setting module 1c then associates this precondition with the second sequence.
The eighth sequence having a link to the third sequence is included in one procedure 20d. Accordingly, the constraint setting module 1c selects the mode name “Mode A” of that procedure 20d as a precondition for the third sequence, so as to indicate that the procedure 20d contains a sequence linked to the third sequence. The constraint setting module 1c then associates this precondition with the third sequence.
The ninth sequence having a link to the fourth sequence is included in one procedure 20e. Accordingly, the constraint setting module 1c selects the mode name “Mode B” of that procedure 20e as a precondition for the fourth sequence, so as to indicate that the procedure 20e contains a sequence linked to the fourth sequence. The constraint setting module 1c then associates this precondition with the fourth sequence.
The tenth sequence having a link to the fifth sequence is included in one procedure 20f. Accordingly, the constraint setting module 1c selects the mode name “Mode C” of that procedure 20f as a precondition for the fifth sequence, so as to indicate that the procedure 20f contains a sequence linked to the fifth sequence. The constraint setting module 1c then associates this precondition with the fifth sequence.
The constraint setting module 1c gives the above preconditions to the verification datasets 3b to 3d in the database 1b as their additional constraint conditions. More specifically, the constraint setting module 1c adds a precondition indicating that a transition from the initial state block 3a to the first sequence takes place when any of the three procedures of “Mode A,” “Mode B,” and “Mode C” is selected.
The constraint setting module 1c also adds another precondition indicating that a transition from the first sequence to the second sequence takes place when either of two procedures of “Mode A” and “Mode B” is selected. Since the second sequence already has a precondition i>0, the constraint setting module 1c uses “&” operator to connect the above new precondition with the existing precondition i>0. Accordingly, the transition from first sequence to second sequence will occur if i>0 while the procedure of either “Mode A” or “Mode B” is selected.
The constraint setting module 1c adds yet another precondition indicating that a transition from the second sequence to the third sequence takes place when the procedure of “Mode A” is selected. Since the third sequence already has a precondition j>0, the constraint setting module 1c uses “&” operator to connect the above new precondition with the existing precondition j>0. Accordingly, the transition from second sequence to third sequence will occur if j>0 while the procedure of “Mode A” is selected.
The constraint setting module 1c adds still another precondition indicating that a transition from the second sequence to the fourth sequence takes place when the procedure of “Mode B” is selected. Since the fourth sequence already has a precondition j≦0, the constraint setting module 1c uses “&” operator to connect the above new precondition with the existing precondition j≦0. Accordingly, the transition from second sequence to fourth sequence will occur if j≦0 while the procedure of “Mode B” is selected.
The constraint setting module 1c adds still another precondition indicating that a transition from the first sequence to the fifth sequence takes place when the mode name “Mode C” is selected as a procedure. Since the fifth sequence already has a precondition i≦0, the constraint setting module 1c uses “&” operator to connect the above new precondition with the existing precondition i≦0. Accordingly, the transition from first sequence to fifth sequence will occur if i≦0 while the procedure of “Mode C” is selected.
As can be seen from the above, the verification dataset 3b is the only verification dataset that implements the procedure 20d of “Mode A.” Similarly, the verification dataset 3c is the only verification dataset that implements the procedure 20e of “Mode B.” The verification dataset 3d is the only verification dataset that implements the procedure 20f of “Mode C.”
Referring back to
As can be seen from the above discussion, the proposed design verification apparatus 1 employs a constraint setting module 1c to produce constraint conditions from the second design specification 4 of the target product and incorporate those constraint conditions into verification datasets 3b, 3c, and 3d. With these features, the proposed design verification apparatus 1 can provide verification datasets 3b, 3c, and 3d including every relevant constraint condition for each test item of the design specification.
The user verifies his or her design with each mode-specific verification dataset 3b, 3c, and 3d which provides a comprehensive test of control signals defined in the second design specification 4, without leaving out necessary test items or duplicating the same test items. That is, the additional constraint conditions of mode take effect on procedures 20a to 20c, meaning that procedures failing to fulfill the constraint conditions of a certain mode will be excluded from the verification dataset of that mode. It is ensured, on the other hand, that necessary verification datasets are fully provided for a procedure that satisfies the constraint conditions of mode.
Suppose, for example, that the user is going to test the operation in Mode C. The constraint condition on the second sequence evaluates to false in this case, meaning that there will be no transition to the second sequence. Verification datasets 3b and 3c including transition to the second sequence are therefore excluded from the Mode-C test. Accordingly, the user has only to execute the verification dataset #3 when testing the procedure 20f of “Mode C.”
While the design verification apparatus 1 of the present embodiment contains a generating module 1a to produce verification datasets, the invention is not limited by this specific feature. For example, the design verification apparatus 1 may also be configured to receive verification datasets that have been produced by some other devices, so that the constraint setting module 1c can give constraint conditions to the received verification datasets. The design verification apparatus 1 in this case may omit the foregoing functions of the generating module 1a and database 1b.
Also, the present embodiment is configured to produce verification datasets that associate specific portions of a given design specification with each sequence constituting a procedure. The embodiment may be modified to assign a priority level to each verification dataset, depending on which portions of the given design specification are to be verified and what their process priorities are. The generating module 1a, however, has only to produce such verification datasets that clarify which sequence is included in each procedure. It is thus possible to omit the task of associating specific portions of the design specification with each sequence constituting a procedure.
This section will describe a more specific embodiment of the design verification apparatus discussed above.
The signal interface 200 is a device that permits the design verification apparatus 10 to communicate with the device 300 by converting their signals into suitable form of each other. This signal interface 200 may be omitted in the case where, for example, the design verification apparatus 10 and device 300 are compatible in their signal specifications.
The device 300 under test (hereafter, device 300) is what will be tested and verified by the design verification apparatus 10, which may be hardware components, software modules, or a system containing the like. The device 300 may be a physical device such as a product prototype manufactured in the course of product development, or a logical simulation model such as a state machine created on the design verification apparatus 10. The following description assumes that a large-scale integration (LSI) circuit is under development and thus subjected to the design verification.
Each function block 21, 22, and 23 describes a single function, which may be, for example, a hardware function called up by a software module, or a software function dependent on some hardware components. Each of those function blocks 21, 22, and 23 has one or more scenario blocks. Specifically, the illustrated function block 21 has two scenario blocks 21a and 21b, each describing a single scenario. Those scenarios are the substantive part of the described function. One function may include two or more scenarios corresponding to different calling conditions. More specifically, a scenario defines a series of operations that will be executed to realize an intended function. To put it in another way, a scenario gives an ordered set of messages exchanged between objects.
Each scenario block 21a and 21b contains one or more message sequence chart (MSC) blocks. In the example of
Message sequence charts give a set of sub-functions offered by the scenario. More specifically, message sequence charts provide a clear definition of what interactions will be made between objects involved in the function. Such objects may include functions described in the LSI design specification 20, as well as an external environment which may interact with the system including that LSI circuit.
Referring to
A function may include all or some of preconditions, post conditions, and invariant conditions as its constraint conditions. The function block contains a description of such conditions if any. In the case where there are no such conditions to apply, they contain an indication of “No Conditions” to state that fact. When, for example, the function has only a precondition, its postcondition and invariant condition are defined to be “No Conditions.”
As described above, the function block 21 defines a function which includes two scenarios A1 and A2 represented by scenario blocks 21a and 21b, respectively. Each scenario A1 and A2 bears a specific property, i.e., “Primary” (primary operation) or “Alternative” (alternative operation) or “Exceptional” (exceptional operation). The scenario blocks 21a and 21b indicate this property under the title of “Type.” In addition, those scenarios A1 and A2 may include all or some of preconditions, postconditions, and invariant conditions as their constraint conditions. Scenario blocks contain a description of such conditions if any. In the case where there are no such conditions to apply, they contain an indication of “No conditions.” In the example of
Message sequence charts of MSC blocks 211a and 212a are distinguished by their respective identifiers (MSC names), “MSC#A” and “MSC#B.” Message sequence charts may include all or some of preconditions, postconditions, and invariant conditions. MSC blocks contain a description of such conditions if any. In the case where there are no such conditions to apply, they contain an indication of “No Conditions” to state that fact.
In the example of
The LSI design specification 20 may be represented as a single directed graph including a plurality of message sequence charts. Alternatively, it may also be represented as a single message chart with a flat structure. In the latter case, the flattened message sequence chart indicates the order of messages exchanged between objects. As yet another alternative method, the LSI design specification 20 may be represented as a plurality of cross-embedded directed graphs and a plurality of message sequence charts.
The directed graph 30 includes a plurality of message sequence charts, as well as branches and merges that indicate relationships between those charts, as mentioned above. These relationships permit the message sequence charts to be sorted into one or more sequences.
Message sequence charts, on the other hand, describe relationships between objects. That is, each message sequence chart is used to identify messages exchanged between objects and figure out in what order at least part of such messages are transmitted.
The illustrated directed graph 30 describes relationships between a plurality of subordinate functions executed by a particular function to authenticate prospective users. These functions are defined and visualized by message sequence charts. Each message sequence chart corresponds to a specific function, and the arrows interconnecting blocks indicate the execution order of the functions. The edges of the directed graph 30 are directional edges with optional constraint conditions.
The directed graph 30 of
As can be seen from the above explanation, the illustrated directed graph 30 includes two scenarios. That is, one scenario corresponds to a path that runs from the initial state block 31 to the topmost message sequence chart 32, and then down to the bottom-left message sequence chart 33 in
The edges of the directed graph 30 are directional edges with constraint conditions. Upon completion of messages given by the current message sequence chart, the constraint condition of each relevant edge is evaluated. If either condition is met, then it triggers a transition to the corresponding destination message sequence chart. In the case of hMSC, the destination of transition is its constituent message sequence chart in the same hierarchical level.
In the example of
Note here that message sequence charts in the directed graph 30 may refer to the same set of objects. Also, the directed graph 30 may be associated with some rules requiring that every message defined in a certain message sequence chart be executed before the next message sequence chart on the path becomes executable. The next section will describe a typical structure of message sequence charts.
The message sequence chart 40 illustrated in
Each data event message associates a transmitting object with a receiving object. The points at which those object lines 44, 45, and 46 meet data event messages m1 to m4 are called “events.” Every data event message includes a transmit event associated with its transmitting object and a receive event associated with its receiving object. For example, the topmost data event message m1 in
Such object-event relationships defined in a message sequence chart are supposed to comply with the following two rules: The first rule requires that the transmit event s(m) of a data event message m precede its corresponding receive event r(m). This rule is expressed as s(m)<r(m). The second rule requires that the events on an object line be sequenced from the top to the bottom.
The above two rules mean that message sequence charts describe the order of data event messages between objects. For example, according to the first rule, the transmit event of data event message m1 occurs before the receive event of the same. According to the second rule, on the other hand, the transmit event of data event message m2 occurs before the receive event of data event message m4.
The same applies to other data event messages in
The above rules are transitive. For example, when event e1 precedes event e2 (i.e., e1<e2), and when event e2 precedes event e3 (e2<e3), this means that event e1 precedes event e3 (e1<e3).
The above two rules, however, may not necessarily govern all ordered relationships between data event messages. Think of, for example, a message sequence chart that contains four objects and only two data event messages. In this message sequence chart, a first data event message is sent from a first object to a second object, and a second data event message is sent from a third object to a fourth object. The foregoing two rules, however, provide no particular order of those two data event messages in this example case. That is, the two data event messages can be sent in either order.
The hardware objects 42 and 43 in the example of
The box 48 represents a timeout constraint, with an integer number affixed to indicate a specific timeout value. When such a timeout constraint is encountered during the execution of a sequence, the execution is suspended until the specified timeout period expires. In this timed execution model, the sequence cannot resume until the expiration of a given timeout period. In the example of
Synchronization edges are used to establish a particular ordinal relationship between data event messages. Synchronization edges have the same appearance as ordinary data event messages, except that they are labeled “synch.” Data event messages having a label of “synch” will be referred to as synchronization messages. Think of, for example, a synchronization edge including a transmit event on one hardware object 42 and a receive event on another hardware object 41. In this case, a synchronization message is sent from the hardware object after it receives a data event message m8. This synchronization message is received by the hardware object 41 before it sends a data event message m9.
According to the message sequence chart 40a, the hardware object 42 is supposed to receive data event message m8 before the hardware object 41 sends data event message m9. A synchronization edge, when added, creates a relationship between multiple objects which are otherwise unrelated to each other. According to an embodiment, however, synchronization edges do not actually produce any messages to interrelate objects. In
Referring now to
Specifically, the CPU 101 manipulates information received from the input device interface 105, external secondary storage device 106, interface 107, and communication interface 108. The RAM 102 serves as temporary storage for the whole or part of operating system (OS) programs and application programs that the CPU 101 executes, in addition to other various data objects manipulated at runtime. The HDD 103 stores program and data files of the operating system and applications. In addition, the HDD 103 stores list structures scripted with the Extensible Markup Language (XML).
The graphics processor 104, coupled to a monitor 104a, produces video images in accordance with drawing commands from the CPU 101 and displays them on a screen of the monitor 104a. The input device interface 105 is used to receive signals from external input devices, such as a keyboard 105a and a mouse 105b. Those input signals are supplied to the CPU 101 via the bus 109.
The external secondary storage device 106 reads data from, and writes data to a storage medium. Such storage media include magnetic storage devices, optical discs, magneto-optical storage media, and semiconductor memory devices, for example. Magnetic storage devices include hard disk drives (HDD), flexible disks (FD), and magnetic tapes, for example. Optical discs include digital versatile discs (DVD), DVD-RAM, compact disc read-only memory (CD-ROM), CD-Recordable (CD-R), and CD-Rewritable (CD-RW), for example. Magneto-optical storage media include magneto-optical discs (MO), for example.
The interface 107 is a hardware component configured to transmit data to and receive data from an external device connected to the design verification apparatus 10. Specifically, the interface 107 is used to communicate with a device 300 through a signal interface 200 (see
The computer described above serves as a hardware platform for realizing processing functions of the present embodiment. That is, the design verification apparatus 10 employs functions described below.
The verification scenario generating module 11 produces a verification scenario for each processing scenario based on the data of an LSI design specification 20, which was previously discussed in
While not explicitly illustrated in
The condition setting module 13 gives constraint conditions to the verification scenarios stored in the verification scenario database 12, based on a given power management specification that describes control signals for power control. When adding constraint conditions, the condition setting module 13 produces a mode table and a precondition table. The mode table indicates a mode corresponding to a message sequence chart associated with the given power management specification. The precondition table summarizes the associations between modes and message sequence charts appearing in the produced mode table. How to produce those tables will be described later.
Based on the information in the precondition table, the condition setting module 13 places constraint conditions on verification scenarios. The resulting version of the verification scenarios contains not only the information of the LSI design specification 20, but also some associated information of the power management specification. Those scenarios will thus be referred to as “power management verification scenarios.”
The condition setting module 13 saves the produced power management verification scenarios in a power management verification scenario database 14. The output module 15 outputs a scenario list 15a that enumerates the power management verification scenarios in a predetermined format.
Referring now to
Specifically, scenario “Mode: Full,” when executed, supplies a voltage to all circuits in the LSI circuit defined by the LSI design specification 20, without activating its clock gating functions. Scenario “Mode: Gating,” when executed, activates clock gating at specified portions of the LSI circuit. Scenario “Mode: Suspend” is a power-saving mode used to, for example, temporarily stop the use of the LSI circuit. When executed, this scenario saves current operating state of the LSI circuit in memory, so that the circuit can restore the state it was in before the power is removed.
Each scenario is implemented as one or more message sequence charts. Specifically, the first scenario block 51a has three MSC blocks 511a, 512a, and 513a. The second scenario block 51b also has three MSC blocks 511b, 512b, and 513b. The third scenario block 51c has two MSC blocks 511c and 512c.
The message sequence charts of those MSC blocks have distinguishable MSC names. For example, the message sequence charts of MSC blocks 511a, 511b, and 511c have an MSC name of “MSC#a.” The message sequence charts of MSC blocks 512a and 512b have an MSC name of “MSC#b.” The message sequence chart of MSC block 513a has an MSC name of “MSC#c.” The message sequence chart of MSC block 513b has an MSC name of “MSC#d.” The message sequence chart of MSC block 512c has an MSC name of “MSC#e.”
These message sequence charts are each linked to specific message sequence charts in the functional specification of the LSI circuit. For example, message sequence chart MSC#a has a link to message sequence chart MSC#A in
The power management specification may include all or some of preconditions, postconditions, and invariant conditions as constraint conditions on its message sequence charts. MSC blocks contain a description of such conditions if any.
Message sequence charts are allowed to have different constraint conditions even when they have the same MSC name. For example, scenario “Mode: Full” has a message sequence chart named “MSC#a” with a constraint condition of “Clock Gating OFF.” Scenario “Mode: Gating” also has a message sequence chart named “MSC#a.” While having the same MSC name, the latter message sequence chart is given a different constraint condition “Clock Gating ON.”
Some message sequence charts in the power management specification may contain a condition of operating voltage in a specific mode. For example, message sequence chart MSC#a in scenario “Mode: Full” has an operating voltage condition of 1.5V. Message sequence chart MSC#a in scenario “Mode: Gating” also has an operating voltage condition of 1.5V.
Referring now to
The mode table 131a contains MSC names indicating the link destination of each message sequence chart constituting mode scenarios in the power management specification. As discussed in
In addition to the above, scenario “Mode: Gating” has three message sequence charts identified by their MSC names, i.e., MSC#a, MSC#b, and MSC#d. These message sequence charts MSC#a, MSC#b, and MSC#d are linked to other message sequence charts MSC#A, MSC#B, and MSC#D, respectively. Accordingly, the mode table 131a of
Furthermore, scenario “Mode: Suspend” has two message sequence charts identified by their MSC names MSC#a and MSC#e. These message sequence charts MSC#a and MSC#e are linked to other message sequence charts MSC#A and MSC#E, respectively. Accordingly, the mode table 131a of
The MSC name field stores information indicating what message sequence charts are recorded in the MSC name field of the mode table 131a. Specifically, the precondition table 131b of
The precondition field contains mode names corresponding to each message sequence chart seen in the MSC name field. For example, the topmost record of the precondition table 131b of
The mode names seen in this precondition field serve as a precondition that effects a transition to the message sequence chart specified in the corresponding MSC name field. For example, the topmost record of the precondition table 131b denotes that a transition to message sequence chart MSC#A will be made when the expression “Full or Gating or Suspend” evaluates to true, i.e., when either of the scenarios “Full,” “Gating,” and “Suspend” is taken.
Referring to the flowchart of
At the outset, the verification scenario generating module 11 executes a verification scenario generation process on the basis of an LSI design specification 20 specified by the user, thus producing verification scenarios (step S1). The produced are saved in a verification scenario database 12. Subsequently the condition setting module 13 executes a constraint setting process based on a power management specification specified by the user. This constraint setting process places constraint conditions on the verification scenarios stored in the verification scenario database 12 (step S2). The resulting power management verification scenarios are stored in a power management verification scenario database 14. Then the output module 15 produces a scenario list 15a (step S3).
The design verification apparatus 10 basically follows the above process flow. Optionally, the above series of steps may include some interaction with the user. For example, the verification scenario generating module 11 may generate verification scenarios beforehand and save the result in the verification scenario database 12. The design verification apparatus 10 then waits for entry of a power management specification from the user before starting a constraint setting process. Or alternatively, the verification scenario generating module 11 may start generating verification scenarios when the user specifies a power management specification.
The verification scenario generation process first calls another process to add labels to the LSI design specification 20 (step S11). Details of this labeling process will be described later with reference to another flowchart. The process then flattens a directed graph of the labeled LSI design specification produced at step S11 (step S12). Out of the flattened directed graph, the process selects one message sequence chart (MSC) (step S13) and converts the selected message sequence chart into a finite state machine (FSM) (step S14). As a result of this step S14, data event messages exchanged in a series of message sequence charts are expressed as a finite state machine, as will be described in detail later.
The process adds a label to each state of the finite state machine (step S15). This label is what the currently selected message sequence chart has gained at step S11. As a result of steps S14 and S15, the finite state machine has obtained labels with each of its states. The verification scenario generating module 11 saves this labeled version of the finite state machine in its local temporary memory.
It is then determined whether there is any other message sequence chart that awaits processing (step S16). If there is such a remaining message sequence chart (Yes at step S16), the process returns to step S13 to select it and executes subsequent steps S14 and S15 with that newly selected message sequence chart. If no remaining message sequence charts are found (No at step S16), the process consults the labeled design specification saved in step S11 and selects therefrom one message sequence chart (step S17).
The selected message sequence chart may contain some constraints (e.g., synch, timeout). According to such constraints, the process crops the finite state machine by removing unnecessary states from the selected message sequence chart (step S18). Details of this step will be described later.
It is then determined whether there is any other message sequence chart that awaits processing (step S19). If such a message sequence chart is found (Yes at step S19), the process returns to step S17 to select it and executes subsequent step S18 with that newly selected message sequence chart. If there are no remaining message sequence charts (No at step S19), the process selects a function out of those defined in the labeled LSI design specification 20 (step S20 in
The process then selects a scenario from the selected function (step S21) and extracts, from the labeled finite state machines produced at step S15, a finite state machine having the same label as the selected scenario (step S22). The process further extracts a portion of the finite state machine extracted at step S22, which is referred to as a “partial finite state machine” (step S23). The verification scenario generating module 11 saves the extracted partial finite state machine in its temporary memory. The process then generates a verification scenario from the partial finite state machine of step S23 and enters it to the verification scenario database 12 (step S24), as will be described in detail later.
It is determined whether there remains any other scenario in the function selected at step S20 (step S25). If another scenario is found (Yes at step S25), the process returns to step S21 to select it and executes subsequent steps S22 to S24 with that newly selected scenario. If there are no remaining scenarios in the function selected at step S20 (No at step S25), then the process determines whether the LSI design specification 20 has any other function that awaits processing (step S26). If such a remaining function is found (Yes at step S26), the process returns to step S20 to select it and executes subsequent steps S21 to S25 with that newly selected function. If there are no remaining functions (No at step S26), the verification scenario generation process terminates itself.
The labeling process first selects a function from those defined in a given LSI design specification 20 (step S31) and then selects a scenario out of the selected function (step S32). The labeling process further selects a message sequence chart in the selected scenario (step S33) and adds a label to this message sequence chart (step S34), which includes the function name of the currently selected function (i.e., the one selected at step S31) and the scenario name of the currently selected scenario (i.e., the one selected at step S32). In the case where the message sequence chart has an existing label, that label is updated with the additional label. The label may also include a message sequence chart name, in addition to the above-noted function name and scenario name.
The process now looks into the currently selected scenario to determine whether there remains any other message sequence chart that awaits processing (step S35). If such a message sequence chart is found in the scenario (Yes at step S35), the process returns to step S33 to select it and executes subsequent step S34 with the newly selected message sequence chart. If there are no remaining scenarios (No at step S35), then the process determines whether there is any other scenario that awaits processing (step S36). If such a scenario is found (Yes at step S36), the process returns to step S32 to select it and executes subsequent steps S33 to S35 with that newly selected scenario.
If no remaining scenarios are found (No at step S36), then the process determines whether there is any other function that awaits processing (step S37). If such a function is found (Yes at step S37), the process returns to step S31 to select it and executes subsequent steps S32 to S36 with that newly selected function. If there are no remaining functions (No at step S26), the verification scenario generation process terminates itself.
The condition setting module 13 first executes a mode table generation process to produce a mode table 131a (step S41). The condition setting module 13 then executes a precondition table generation process to produce a precondition table 131b (step S42). Based on this precondition table 131b, the condition setting module 13 places constraint conditions on the verification scenarios and subsequently terminates the constraint setting process.
The condition setting module 13 first selects a mode name M from among those specified in the given power management specification (step S51), where M is a parameter representing a mode name. The condition setting module 13 then selects an MSC name under the mode name M in the power management specification and follows the link found in the message sequence chart having that MSC name, thus obtaining the MSC name of its linked message sequence chart (step S52). It is then determined whether the mode table 131a has any record that matches with the obtained MSC name (step S53). If the mode table 131a has no such records (No at step S53), the condition setting module 13 adds to the mode table 131a a new record including the obtained MSC name and mode name M (step S54) and moves to step S57. If the obtained MSC name is found in an existing record of the mode table 131a (Yes at step S53), the condition setting module 13 checks the mode name V associated with that MSC name in that record (step S55), where V is a parameter representing a mode name. It is then determined whether the two mode names M and V coincide with each other (step S56). If M is different from V (No at step S56), the process proceeds to step S54 and executes the subsequent steps. If M equals V (Yes at step S56), it is determined whether there is any other message sequence chart under the mode name M selected at step S51 (step S57). This step S57 is also executed next to step S54.
If another message sequence chart is found (Yes at step S57), the process returns to step S52 to select its MSC name and executes subsequent steps S53 to S56 with that newly selected MSC name. If there are no remaining message sequence charts under the mode name M (No at step S57), it is then determined whether the power management specification has any other remaining mode names (step S58). If another mode name is found in the power management specification (Yes at step S58), the process returns to step S51 to select it as a new value of M and executes steps S52 to S57 with that mode name M. If the power management specification has no remaining mode names (No at step S58), then the mode table generation process terminates itself.
The precondition table generation process first selects one MSC name from among those in the mode table 131a (step S61). It is then determined whether the mode table 131a has other records that match with the selected MSC name (step S62). If the mode table 131a has no match (No at step S62), the selected MSC name is added to the MSC name field of the precondition table 131b, and its corresponding mode name is placed in the precondition field of the same (step S63). The process then advances to step S65.
If the mode table 131a has other records that match with the selected MSC name (Yes at step S62), the selected MSC name is added to the MSC name field of the precondition table 131b. The mode names in all those records (including the one from which the current MSC name has been selected) are joined to each other by using “or” operator before they are added to the precondition field of the precondition table 131b (step S64). The precondition added at step S63 or S64 is then set to message sequence charts of relevant verification scenarios (step S65). This means that some preconditions specified in the power management specification have been reflected in the message sequence charts of relevant verification scenarios.
It is now determined whether there remains any other MSC name in the mode table 131a (step S66). If another MSC name is found in the mode table 131a (Yes at step S66), the process returns to step S61 to select it and executes steps S62 to S65 with the newly selected MSC name. If the mode table 131a has no remaining MSC names (No at step S66), then the precondition table generation process terminates itself.
This section describes a specific example of the labeling process discussed in
More specifically, the LSI design specification of
The second scenario similarly activates the graphics accelerator, but ends up with receiving an error message. This second scenario is associated with a function presented in a function block 52, a processing scenario presented in a scenario block 52b, and a path for starting and executing a verification scenario to realize that processing scenario of the scenario block 52b. The verification scenario is implemented by using message sequence charts represented by MSC blocks 521b and 522b. The latter MSC block 522b contains an expression “V=false” as a precondition of its corresponding message sequence chart. The following description refers to the above first scenario as scenario “Done” and the second scenario as scenario “Failed.”
Based on the foregoing rules, the message sequence chart 40b gives the following process: The CPU 41a sends an activation request to the graphics accelerator 42a (step S71). Upon receipt of this activation request, the graphics accelerator 42a sends a data read request to the memory controller 43a (step S72).
Referring now to
Based on the foregoing rules, the message sequence chart 40c gives the following process: Upon receipt of a data read request, the memory controller 43a transfers the requested data back to the graphics accelerator 42a (step S73), which permits the graphics accelerator 42a to execute a graphics operation using the received data. Upon completion of the operation, the graphics accelerator 42a sends an operation completion notice to the CPU 41a (step S74).
Referring then to
Based on the foregoing rules, the message sequence chart 40d gives the following process: The memory controller 43a returns an error to the graphics accelerator 42a (step S75). Upon receipt of this error, the graphics accelerator 42a sends an error message to the CPU 41a (step S76).
The labeling process first consults the LSI design specification 20 and selects function “Start Graphics” given in its function block 52. Out of the selected function, the process then selects scenario “Done” of the scenario block 52a. The process now selects a message sequence chart 35 named “Query,” one of the two message sequence charts of the selected scenario “Done.”
The selected message sequence chart 35 will now be labeled as follows. As described earlier, labels are supposed to include the names of the currently selected function and scenario in the form of “function name; scenario name: scenario type.” Accordingly, in the present example, the message sequence chart 35 is added a label 521a1 which reads “Start Graphics; Done: Primary.” This is what is seen in
The process then determines whether there remains any other message sequence chart in the present scenario block 52a, and thus discovers and selects another message sequence chart 36 named “Read Data Done.” The selected message sequence chart 36 is added a label 522a1 which reads “Start Graphics; Done: Primary.”
The labeling process determines again whether there remains any other message sequence chart in the scenario block 52a. As this test returns a negative result, the process goes back to the function block 52 to see whether there is any other scenario. The process thus discovers and selects another scenario “Failed” of scenario block 52b.
The process now selects a message sequence chart named “Query,” one of the two message sequence charts of the newly selected scenario “Failed.” This message sequence chart “Query” gains a label that reads “Start Graphics; Failed: Exceptional.” Since the message sequence chart “Query” already has a label 521a1, the labeling process updates that label 521a1 with an additional line of “Start Graphics; Failed: Exceptional.”
The process then determines whether there remains any other message sequence chart in the present scenario block 52b, and thus discovers and selects another message sequence chart 37 named “Read Data Failed.” This message sequence chart 37 gains a label 522b1 that reads “Start Graphics; Failed: Exceptional.”
The labeling process determines again whether there remains any other message sequence chart in the scenario block 52b. This test returns a negative result. The labeling process determines whether there remains any other scenario in the function block 52. As this test also returns a negative result, the process terminates itself accordingly.
The descriptions 61, 62, and 63 include new lines 61a, 62a, and 63a, respectively, which have been added by the foregoing labeling process, as indicated by the XML tag <label name>. The contents of each tag derive from the labels added to the finite state machine. As mentioned earlier, these labels may optionally contain the name of a message sequence chart, in addition to what is given in the form of “function name; scenario name: scenario type.”
Referring now to
Referring to the message sequence chart 70 of
The state matrix 80 has its origin at the top-left corner, and the inverted-T symbol “⊥” is used to indicate initial state. Departing the initial state at the top-left corner, state transitions take place in the direction toward the bottom-right corner representing the final state.
If the transmitting object 71 and receiving object 73 had no synchronization edges between them, their state matrix 80 would be a fully-populated n×m state matrix, where n is the number of messages transmitted from the transmitting object 71, and m is the number of messages received by the receiving object 73. The presence of synchronization edges in the message sequence chart 70, however, reduces the number of effective states in the corresponding state matrix 80. That is, a synchronization edge nullifies some states in the state matrix 80, and it is thus possible to cross out such ineffective states.
Transmit event t3, for example, corresponds to a synchronization edge extending from the transmitting object 71 to the receiving object 73. Reception event r3 is associated with that synchronization edge in this case. This means that every event occurring at the receiving object 73 after the receive event r2 should not precede the transmit event t3. Accordingly, receive events r3 to r6 are not allowed to happen before the transmit event t3. Based on this fact of the objects 71 and 73, the finite state machine generation process crosses out an ineffective area 81 of the state matrix 80. Another ineffective area 82 corresponding to the second synchronization edge in the message sequence chart 70 is crossed out similarly.
The remaining areas of the state matrix 80 fully represent the message sequence chart 70. For example, state t2 refers to a state of the transmitting object 71 when it has finished transmit event t2. State r1 refers to a state of the receiving object 73 when it has finished receive event r1.
When it is possible to move from the current state (i, j) to a new state in either of the horizontal and vertical directions, a horizontal transition is fired by transmitting a message. It is subsequently determined whether a message invoking a vertical transition has been received. If that test result is positive, a vertical transition may also take place, in which case the next state will be (i+1, j+1). If the test result is negative, the transition will only happen in the horizontal direction, from (i, j) to (1+1, j).
A timer is employed for an object awaiting a message in order not to let the object wait endlessly. This timer terminates the waiting state upon expiration of an appropriate time. Some states may allow either a vertical transition or a horizontal transition, but not both. For such states, the finite state machine only implements their applicable transitions.
As can be seen from the above, the direction of transition is one of the parameters that affect generation of finite state machines. Another such parameter is a particular type of events related to the state. Take a transmitting object 71 and a receiving object 73 in
With the above-described techniques, finite state machines are generated from given message sequence charts. Specifically, to produce finite state machines corresponding to different scenarios, the generation process traces the path of each scenario and generates a finite state machine for each message sequence chart encountered on the path. The final state of one message sequence chart is linked to the first state of the next message sequence chart on the path. If necessary, the resulting finite state machines may be combined into a single machine.
Finite state machines may be generated and edited automatically by combining signals and variable declarations. The resulting finite state machines can then be used to simulate the operation of the device 300 under test (
Referring now to the flowchart of
In the example of
“Start Graphics; Done: Primary”
“Start Graphics; Failed: Exceptional”
Accordingly, these two labels are given to each of the two states St1 and St2.
Referring now to the LSI design specification 20 of
The verification scenario generation process first consults the design specification of
The process now determines whether there remains any other scenario in the selected function, thus finding another scenario “Failed.” Accordingly, the process selects that scenario “Failed” from the selected function “Start Graphics” and extracts a finite state machine that contains “Failed” in its labels. Specifically, the finite state machine 90a of
The process determines again whether there remains any other scenario in the selected function, but finds no unselected scenarios. The process further determines whether there remains any other function in the design specification, but finds no remaining functions. Accordingly, the process terminates itself.
This section will provide more details of the above-described verification scenario generation, with a focus on how the process of step S24 (
As described in the preceding section, verification scenarios are produced from partial finite state machines. While the task was relatively straightforward in the foregoing examples, that is not always the case. For instance, the verification scenario generating module 11 may actually encounter a finite state machine containing a loop of states. In such a case, the verification scenario generating module 11 may need to cut or divide the given partial finite state machine into several units in order to generate verification scenarios.
For example, a partial finite state machine may be cut into smaller units according to the presence of a state that appears repetitively on the same path. Alternatively, or in addition to that, a plurality of verification scenarios may be produced according to the constraint that at least a minimum number of, or at most a maximum number of states be present in each verification scenario.
Suppose, for example, that the following partial finite state machine has been extracted from the original machine:
One logic used to divide such a partial finite state machine is to cut the loop at a state that appears repetitively. In the present case, state St2 is where this long partial finite state machine will be cut into four verification scenarios as follows:
(1) St2→St4→St6→St7
(2) St2→St3→St6→St7
(3) St2→St3→St5→St7
(4) St2→St3→St5→St2
To produce a longer verification scenario, the verification scenario generating module 11 is allowed to enforce a requirement that at least five states be included in each verification scenario, in addition to the use of St2 as a cutting point. These constraints result in the following two verification scenarios:
(5) St2→St4→St6→St7→St2→St3→St6→St7
(6) St2→St3→St5→St7→St2→St3→St5→St2
This section describes a more specific example of how a mode table 131a and a precondition table 131b are produced from a power management specification.
Scenario “Mode: Full” is realized by two message sequence charts named “MSC#1” and “MSC#2” in MSC blocks 531a and 532a, respectively. When the graphics function collects data successfully, this scenario “Mode: Full” initiates a transition to Full mode.
Scenario “Mode: Suspend” is realized by two message sequence charts named “MSC#1” and “MSC#3” in MSC blocks 531b and 532b, respectively. When the graphics function fails to collect data successfully, this scenario “Mode: Suspend” initiates a transition to Suspend mode.
Each message sequence chart of the power management specification has a link to a specific function defined in the LSI design specification 20. For example, message sequence chart MSC#1 is linked to message sequence chart “Query” in
The condition setting module 13 then determines whether any record that matches with the obtained MSC name “Query” is present in the mode table 131a. Since no such records exist at present, the condition setting module 13 gives the mode table 131a a new record including the selected MSC name “Query” and mode name “Full.”
The condition setting module 13 determines whether there remains any other MSC under the selected mode name “Full” in the power management specification. Since another MSC name “MSC#2” is found, the condition setting module 13 selects it and follows the link in that message sequence chart MSC#2, thus obtaining the MSC name “Read Data Done” of its linked message sequence chart.
The condition setting module 13 then determines whether the mode table 131a has any record that matches with the obtained MSC name “Read Data Done.” Since no such records are found, the condition setting module 13 gives the mode table 131a a new record including the selected MSC name “Read Data Done” and mode name “Full.”
The condition setting module 13 determines whether there remains any other MSC under the selected mode name “Full.” Since no more MSC is present, the condition setting module 13 then determines whether there remains any other mode name in the power management specification. The condition setting module 13 now finds and selects another mode name “Suspend” in the power management specification. Then the condition setting module 13 selects an MSC name “MSC#1” found under the selected mode name “Suspend” and follows the link in the message sequence chart MSC#1, thus obtaining the MSC name “Query” of its linked message sequence chart.
The condition setting module 13 determines whether the mode table 131a has any record that matches with the obtained MSC name “Query.” Since the mode table 131a has a record having “Query” in its MSC name field, the condition setting module 13 looks into the corresponding mode name field, thus finding a mode name “Full” in that record. It is then determined whether the two mode names coincide with each other. Since the selected mode name “Suspend” is different from the current value “Full” of the record, the condition setting module 13 gives the mode table 131a a new record including the selected MSC name “Query” and mode name “Suspend.”
The condition setting module 13 determines whether there remains any other MSC under the selected mode name “Suspend.” The condition setting module 13 now finds and selects an MSC name “MSC#3” and follows the link in that message sequence chart MSC#3, thus obtaining the MSC name “Read Data Failed” of its linked message sequence chart.
The condition setting module 13 now determines whether any record that matches with the obtained MSC name “Read Data Failed” is present in the mode table 131a. Since no such records are found, the condition setting module 13 gives the mode table 131a a new record including the selected MSC name “Read Data Failed” and mode name “Suspend.”
The condition setting module 13 determines whether there remains any other MSC under the selected mode name “Suspend” in the power management specification. Since no more MSCs are present, the condition setting module 13 then determines whether there remains any other mode name in the power management specification. Since there are no more mode names, the condition setting module terminates the current process. The resulting mode table 131a is illustrated in the left half of
The condition setting module 13 now produces a precondition table as follows. Initially the MSC name field and precondition field of the precondition table 131b are both blank. The condition setting module 13 selects an MSC name “Query” from among those in the mode table 131a. It is then determined whether the mode table 131a has other records that match with the selected MSC name. Since the mode table 131a has two such records, the condition setting module 13 adds the selected MSC name “Query” to the MSC name field of the precondition table 131b, and fills its corresponding precondition field with the mode names “Full” and “Suspend” joined by using “or” operator. Based on this precondition field value, the condition setting module 13 gives a precondition “Full or Suspend=true” to the message sequence chart 35 named “Query.” This means that some preconditions in the power management specification have been reflected in the message sequence charts of relevant verification scenarios.
The condition setting module 13 determines whether the mode table 131a has any other remaining MSC names, and thus finds and selects “Read Data Done” from the mode table 131a. It is then determined whether the mode table 131a has other records that match with the selected MSC name “Read Data Done.” Since this test returns a negative result, the condition setting module 13 adds the selected MSC name “Read Data Done” to the MSC name field of the precondition table 131b, together with its corresponding mode name “Full” in the precondition field of the same. Based on this precondition field value, the condition setting module 13 gives a precondition “Full=true” to the message sequence chart 36 named “Read Data Done.” The condition setting module 13 also gives another precondition “Suspend=false” to negate the Suspend mode.
The condition setting module 13 determines whether the mode table 131a has any other remaining MSC names, and thus finds and selects “Read Data Failed” from the mode table 131a. It is then determined whether the mode table 131a has other records that match with the selected MSC name “Read Data Failed.” Since this test returns a negative result, the condition setting module 13 adds the selected MSC name “Read Data Failed” to the MSC name field of the precondition table 131b, together with its corresponding mode name “Suspend” in its corresponding precondition field. Based on this precondition field value, the condition setting module 13 gives a precondition “Suspend=true” to the message sequence chart 37 named “Read Data Failed.” The condition setting module 13 also gives another precondition “Full=false” to negate the Full mode.
The condition setting module 13 determines whether the mode table 131a has any other remaining MSC names. Since there remain no other MSC names in the mode table 131a, the condition setting module 13 terminates the current process. The resulting precondition table 131b is illustrated in the right half of
Power management verification scenarios are produced by setting the above two preconditions to the foregoing verification scenarios Sc1 and Sc2, respectively.
More specifically,
The mode name field contains the name of each mode defined in the power management specification. Specifically, the scenario list 15a of
As can be seen from the above description, the proposed design verification apparatus 10 is configured to place constraints on produced verification scenarios, based on a given power management specification. That is, the design verification apparatus 10 generates power management verification scenarios by incorporating mode-specific constraint conditions into the LSI design specification 20. The user verifies his or her design with the resulting mode-specific power management verification scenarios, thereby achieving an exhaustive test of whether the power control signals are exchanged correctly, without leaving out necessary test items or duplicating the same test items.
Specifically, the constraint conditions take effect on scenarios, meaning that a scenario failing to fulfill its constraint conditions will be excluded from the power management verification scenario. On the other hand, the proposed design verification apparatus 10 outputs every verification dataset for testing a scenario that fulfills its constraint conditions. Referring again to the foregoing example discussed in
Power management verification scenarios can be used in various phases of the design process. For example, power management verification scenarios may be used to analyze and modify an RTL description produced from an LSI design specification 20. Those power management verification scenarios may be used again to analyze and modify a net list generated from the modified RTL description.
According to the present embodiment, the scenario list 15a is configured to enumerate all mode names and their corresponding power management verification scenarios. The embodiment is, however, not limited by this specific configuration. For example, the user may specify a particular mode before starting verification, and the design verification apparatus 10 then produces a listing of power management verification scenarios applicable to that specified mode.
According to the present embodiment, a precondition table 131b is produced and used to add preconditions to relevant message sequence charts. The embodiment is, however, not limited by this specific configuration. It is also possible to produce a postcondition table and an invariant condition table so as to place postconditions and invariant conditions on relevant message sequence charts.
According to the present embodiment, a mode table 131a and a precondition table 131b are produced and used to place preconditions. The embodiment is, however, not limited by these tables. For example, the embodiment may be modified to use a single hash table where hash values are stored along with merged conditions.
The above-described design verification apparatus 10 uses the following mechanism to produce verification scenarios. That is, a verification scenario generating module 11 is employed to produce verification scenarios for a plurality of processing scenarios defined in a given LSI design specification 20 by assigning appropriate labels to message sequence charts of each processing scenario. This feature makes it possible to identify which message sequence charts constitute a specific scenario.
Also, the verification scenario generating module 11 generates a finite state machine from such message sequence charts, where each state of the produced state machine is assigned the label of its corresponding message sequence chart. This feature makes it possible to identify which states constitute a specific scenario.
Further, the verification scenario generating module 11 extracts a finite state machine corresponding to individual processing scenarios of the given LSI design specification 20, so that a verification scenario can be produced for each extracted finite state machine. This feature makes it possible to produce verification scenarios according to a pattern that the user specifies depending on the progress of design and verification.
According to the present embodiment, the power management specification uses clock gating to manage the power consumption of a device. The embodiment is, however, not limited by this specific power management condition. That is, the power management specification may also specify other conditions based on power gating, dynamic voltage scaling, or other power management techniques, instead of or in addition to the clock gating technique.
For example, power gating conditions may be specified as additional constraint conditions on message sequence charts. Those constraint conditions determine whether to stop power supply, thus enabling the resulting verification scenarios to include power gating control.
Voltage conditions may also be specified as additional constraint conditions on message sequence charts. Those constraint conditions designate, for example, recommended operating voltages, so that the verification process is not allowed to proceed to a message sequence chart if the designated operating voltage is not reached. The resulting verification scenarios are directed solely to the processing scenarios that satisfy the specified voltage conditions.
Frequency conditions may also be specified as additional constraint conditions on message sequence charts. For example, in the case where a high-performance operation is needed, the design specification designates an increased frequency to achieve the desired performance, or varies the operating frequency depending on the specified operating voltage. The resulting verification scenarios are directed solely to the processing scenarios that satisfy the specified frequency conditions.
Further, the constraint conditions on message sequence charts may include conditions of control signals provided to another power management specification. This type of constraint conditions are specified in the case where, for example, the power supply circuit uses an integrated circuit (IC) with a power control bus interface. The resulting verification scenarios thus include control of a power supply IC integrated in or placed outside the LSI circuit under test.
This section describes a power management specification with additional power gating conditions.
The above-noted additional constraint conditions permit the LSI circuit to activate the power gating function to stop the power to its graphics accelerator 42a and memory controller 43a when it enters Suspend mode. More specifically, the dotted-line box in
The power management specification is used to add preconditions to verification scenarios. With those preconditions, the resulting power management verification scenarios eliminate all processing scenarios relating to the graphics accelerator 42a and memory controller 43a in Suspend mode.
This section will discuss an example of power management specification with additional voltage conditions, assuming that the LSI design specification 20 includes a video decoder circuit illustrated in the block diagram of
The buffer 121 serves as temporary storage for a given video bit stream. This bit stream contains video data compressed by using discrete cosine transform (DCT), quantization, and variable-length coding techniques. The video coding has been made on macroblocks, or groups of neighboring pixels, in each frame of a given video.
Variable-length codewords in the bit stream are decoded by two VLD processors 122 and 123. The former VLD processor 122 outputs quantized DCT coefficients and quantization step sizes, while the latter VLD processor 123 outputs motion vectors.
The dequantization processor 124 dequantizes quantized DCT coefficients, and the IDCT processor 125 performs inverse DCT on the dequantized DCT coefficients, thereby reproducing a prediction error signal. The memory 126 stores several decoded pictures. Based on a decoded picture(s) read out of the memory 126 and the motion vectors supplied from the VLD processor 123, the MC processor 127 produces a motion-compensated prediction picture. The adder 128 adds the prediction error signal to this prediction picture, thus producing another decoded picture.
The power management specification may specify some voltage conditions in its message sequence charts. Such voltage conditions may include those specifying a voltage for the entire object under test (i.e., the entire decoder circuit 120 in the present case), or those specifying voltages used in individual functions of the object.
For illustrative purposes, it is assumed that the decoder circuit 120 is treated as a single functional block, while it is actually formed from a plurality of functional blocks as illustrated in
The message sequence chart 40e actually includes two message sequence charts named “Query” and “Read Data Done.” Specifically, the illustrated sequence proceeds as follows: At the outset, the CPU 41a sends an operation start command to the decoder circuit 120 (step S81). In response, the decoder circuit 120 initiates a data read request to the memory controller 43a (step S82). The memory controller 43a forwards this data read request to the memory 47a (step S83). Upon receipt of the data read request, the memory 47a transfers the requested data back to the memory controller 43a (step S84). The memory controller 43a forwards this data to the decoder circuit 120 (step S85). The decoder circuit 120 performs its operation with the received data and sends a data write request to the memory controller 43a upon completion of the operation (step S86). The memory controller 43a forwards the data write request to the memory 47a (step S87). The memory 47a sends data corresponding to the data write request to the memory controller 43a (step S88). The memory controller 43a forwards this data to the decoder circuit 120 (step S89). The decoder circuit 120 sends an operation completion notice (flag) to the CPU 41a (step S90).
According to the power management specification of
Voltage_all=1.3V
Voltage_buffer=1.1V
Voltage_VLD=1.2V
Voltage_dequantize=1.3V
Voltage_IDCT=1.3V
Voltage_MC=1.2V
Here, “Voltage_all=1.3V” is a voltage constraint condition to be applied when activating every function of the circuit in Full mode. “Voltage_buffer=1.1V” is a voltage constraint condition to be applied when activating the buffer 121 in Full mode. “Voltage_VLD=1.2V” is a voltage constraint condition to be applied when activating the VLD processors 122 and 123 in Full mode. “Voltage_dequantize=1.3V” is a voltage constraint condition to be applied when activating the dequantization processor 124 in Full mode. “Voltage_IDCT=1.3V” is a voltage constraint condition to be applied when activating the IDCT processor 125 in Full mode. “Voltage_MC=1.2V” is a voltage constraint condition to be applied when activating the MC processor 127 in Full mode.
On the other hand, message sequence chart MSC#a for scenario “Mode: Suspend” have a different set of constraint conditions as follows:
Voltage_all=1.1V
Voltage_buffer=1.1V
Voltage_VLD=1.1V
Voltage_dequantize=1.1V
Voltage_IDCT=1.1V
Voltage_MC=1.1V
Here, “Voltage_all=1.1V” is a voltage constraint condition to be applied when activating every function of the circuit in Suspend mode. “Voltage_buffer=1.1V” is a voltage constraint condition to be applied when activating the buffer 121 in Suspend mode. “Voltage_VLD=1.1V” is a voltage constraint condition to be applied when activating the VLD processors 122 and 123 in Suspend mode. “Voltage_dequantize=1.1V” is a voltage constraint condition to be applied when activating the dequantization processor 124 in Suspend mode. “Voltage_IDCT=1.1V” is a voltage constraint condition to be applied when activating the IDCT processor 125 in Suspend mode. “Voltage_MC=1.1V” is a voltage constraint condition to be applied when activating the MC processor 127 in Suspend mode.
The above-described power management specification places various voltage constraint conditions on verification scenarios when they are produced. Accordingly, the resulting power management verification scenarios do not include any processing scenarios whose message sequence chart assumes other voltages than the specified voltages in Full mode. Suppose, for example, that there is a processing scenario that includes a message sequence chart having “Voltage_all=1.3V” in its constraint conditions. This scenario is rejected for the listing of power management verification scenarios if its constraint condition on the buffer voltage is not “Voltage_buffer=1.1V.”
Similarly to the Full mode described above, the power management verification scenarios do not include any processing scenarios whose message sequence chart assumes other supply voltages than 1.1 V when the functions of the decoder circuit 120 are in Suspend mode.
According to the present embodiment, power management specifications are used as a source of constraint conditions. The embodiment is, however, not limited by this type of specifications. For example, it is also possible to use other various specifications about the product under test, such as those for management of performance (operating speed).
According to the present embodiment, verification scenarios are produced based on two types of specifications (i.e., functional specifications and power management specifications). The embodiment is, however, not limited by this particular number of specifications. It is also possible to use three or more types of specifications to generate verification scenarios.
As still another variation of the present embodiment, the processing functions of the design verification apparatus 10 may be distributed in a plurality of processing devices. For example, one processing device generates verification scenarios and passes them to another device to produce power management verification scenarios.
The processing functions described above may be implemented on a computer system, in which case the functions of the proposed design verification apparatus 10 are encoded and provided in the form of computer programs. A computer system executes such programs to provide the above-described processing functions. Those computer programs may be stored in a computer-readable storage medium. Suitable computer-readable storage media include, but not limited to, magnetic storage devices, optical discs, magneto-optical storage media, and semiconductor memory devices, for example. Magnetic storage devices include hard disk drives (HDD), flexible disks (FD), and magnetic tapes, for example. Optical discs include digital versatile discs (DVD), DVD-RAM, compact disc read-only memory (CD-ROM), CD-Recordable (CD-R), and CD-Rewritable (CD-RW), for example. Magneto-optical storage media include magneto-optical discs (MO), for example.
Portable storage media, such as DVD and CD-ROM, are suitable for distribution of program products. Network-based distribution of software programs may also be possible, in which case several master program files are made available on a server computer for downloading to other computers via a network.
To execute a design verification program, the computer stores necessary software components in its local storage device, which have previously been installed from a portable storage media or downloaded from a server computer. The computer executes the programs read out of the local storage unit, thereby performing the programmed functions. Where appropriate, the user computer may execute program codes read out of the portable storage medium, without previous installation of those programs in its local storage device. Another alternative method is that the user computer dynamically downloads programs from a server computer when they are demanded and executes them upon delivery.
The above sections have described several embodiments of a design verification apparatus and a program therefor. The proposed design verification techniques provide verification datasets for a comprehensive test including relevant constraint conditions of test items described in given design specifications. The features described in those embodiments may be combined on an individual basis.
All examples and conditional language recited herein are intended for pedagogical purposes to aid the reader in understanding the invention and the concepts contributed by the inventor to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions, nor does the organization of such examples in the specification relate to a showing of the superiority and inferiority of the invention. Although the embodiments of the present invention have been described in detail, it should be understood that various changes, substitutions, and alterations could be made hereto without departing from the spirit and scope of the invention.
This application is based upon and claims the benefit of priority of U.S. Provisional Application No. 61/302,736, filed on Feb. 9, 2010, the entire contents of which are incorporated herein by reference.
| Number | Date | Country | |
|---|---|---|---|
| 61302736 | Feb 2010 | US |
