EmbeddedRelated.com
Forums
Memfault State of IoT Report
   Forums    More Forums    comp.arch.embedded  

processor core validation

Started by alb February 8, 2015
Reply by rickman February 11, 20152015-02-11
On 2/11/2015 5:12 PM, alb wrote:

> Hi Tim,
>
> Tim Wescott <seemywebsite@myfooter.really> wrote:
> []
>> You could have a combination hardware/software test harness, where you
>> have a full test app (or perhaps an app that loops through the processor
>> states that are of most interest) while at the same time the processor is
>> getting interrupted by an asynchronous source that either has a different
>> period from the processor's, or which is intentionally random.
>
> This test harness could effectively be running on a simulator, where I
> could use a golden model and crosscheck that throwing random interrupts
> does not cause any deviation from the golden model behavior.
>
> The main difficulty I see would be the functional coverage model I need
> to put in place to tell me I'm done.
>
> There might be corner cases where the only solution would be crafting a
> special purpose test program to generate stimuli (or sequences of
> stimuli) which might be very difficult to achieve otherwise (some sort
> of direct testing and random testing).


I wouldn't put much faith in using random interrupts other than to help 
your thinking to see if they cause any problems you don't think of.  I 
would say it would much more important to analyze the circuitry and 
generate stimuli that test the corner cases.

The problem with random stimuli is just that, it is random... well 
pseudo random and so you don't really know how well it tested things. 
Testing can't prove something works other than the specific things that 
are being tested.



>> Just going through the thing step-by-step and, positing problem modes, and
>> examining the code to ask "how am I going to test for this?" will force
>> you to think in depth about everything -- one of the frequent ways that
>> TDD helps me to find bugs is by forcing me to discover them in the test
>> design, before I even get to the point of throwing software at the test.
>
> I can simply get the spec of the processor and start to classify the
> requirements and then go one by one trying to build my functional
> coverage model. It is possible that going through the code would not be
> needed, even though it might help us discovering corner cases.
>
> Assuming the golden model is provided (I've found one on OVP, yet not
> sure whether it is the right one!) I'll just verify compliance to the
> golden model and maybe present some usecases where some high level
> software is able to run and work without crashing.
>
> The black box approach has some advantages:
>
> 1. no need to know the details (unless we need a fix)
> 2. bfm for processor's interface are /available/ (write_mem, read_mem)
> 3. heuristic approach (let's see if it breaks!)
>
> OTOH we might face the need to open the box and go deeper with our
> verification, where interactions between internal elements have to be
> analyzed.
>
> With the hypothesis that the processor 'state' does not depend on
> previous instructions (there's no cache), the order of the instructions
> does not necessarily matter. Should this be the case I'll probably can
> simply live with throwing random instructions at it.


What about other aspects of the processor?  Surely it has registers and 
very likely the processor *does* have state, flags, status registers, 
control registers, pipelining...

-- 

Rick
Reply by alb February 12, 20152015-02-12
Hi Rick,

rickman <gnuarm@gmail.com> wrote:
[]

>> This test harness could effectively be running on a simulator, where I
>> could use a golden model and crosscheck that throwing random interrupts
>> does not cause any deviation from the golden model behavior.
>>
>> The main difficulty I see would be the functional coverage model I need
>> to put in place to tell me I'm done.
>>
>> There might be corner cases where the only solution would be crafting a
>> special purpose test program to generate stimuli (or sequences of
>> stimuli) which might be very difficult to achieve otherwise (some sort
>> of direct testing and random testing).
> 
> I wouldn't put much faith in using random interrupts other than to help 
> your thinking to see if they cause any problems you don't think of.  I 
> would say it would much more important to analyze the circuitry and 
> generate stimuli that test the corner cases.


I agree with the analysis approach, but I would defer it to analyze 
corner cases instead of the whole design. The reason being that 
analyzing the code may take an effort that is much bigger than its added 
value. If I can get away with testing the 'majority' of the cases with 
contrained random stimuli I'd be much more efficient and focus only on 
coverage holes.


> The problem with random stimuli is just that, it is random... well 
> pseudo random and so you don't really know how well it tested things. 


When I'm talking about random generation is always 'constrained random'. 
I do not simply throw interrupts at random frequency, but try to do it 
when a certain set of instructions are used (like interrupting while 
branching or the like).


> Testing can't prove something works other than the specific things that 
> are being tested.


that is always correct, that's why every circuit is faulty unless proven 
otherwise.

[]

>> With the hypothesis that the processor 'state' does not depend on
>> previous instructions (there's no cache), the order of the instructions
>> does not necessarily matter. Should this be the case I'll probably can
>> simply live with throwing random instructions at it.
> 
> What about other aspects of the processor?  Surely it has registers and 
> very likely the processor *does* have state, flags, status registers, 
> control registers, pipelining...


At higher level the 'state' of the processor is essentially the snapshot 
of all its internal registers at any given time, i.e. general purpose 
registers, memory and pipeline. AFAIK there's no instruction that is 
automatically performed by the processor on a given 'event' (like 
interrupt), so checking for stack/heap integrity is certainly not 
related to the processor itself but to the assembler correctness.

Pushing and popping PC to the stack is the only thing this processor 
does automatically AFAIK and context saving is up to the user. That 
would be fairly easy to verify since it suffice to check that returning 
from the ISR is at the right address.

For what concerns interrupt masking, that's another item, I'm not quite 
sure what is this processor doing with interrupts, whether they are 
latched or masked, but this is only my lack of knowledge and I surely 
need to know what is the processor *specified to do* and verify that it 
does it correctly.

I've read something about the Viper, as Hans suggested, and it looks to 
me that formal verification (from formal specification) is nice but not 
a silver bullet (see here: 
http://www.google.ch/url?sa=t&rct=j&q=avraproofpaper&source=web&cd=1&cad=rja&uact=8&ved=0CCIQFjAA&url=http%3A%2F%2Fwww.cl.cam.ac.uk%2F~mjcg%2Fpapers%2FAvraProofPaper.pdf&ei=3V3cVJOXJcrrUr2rgAg&usg=AFQjCNGkAs9TjCYZbWvN4ubT2Mna8ylflQ&bvm=bv.85761416,d.d24) 

OTOH it seems to me the Viper processor had advanced features that made 
it challenging to verify, like multiway branching, instruction and data 
caches and four pipelines in parallel (a nice beast!).

That being said, I certainly do not underestimate the effort required to 
validate a processor and that is also the reason for the thread. 
Awareness is among engineer's most valuable tools!

Al
You might also like... (promoted content)
Check out Memfault's New Sandbox!
Check out Memfault's New Sandbox!
Check out Memfault's New Sandbox!
New Research Report: The State of IoT Software Development
New Research Report: The State of IoT Software Development
New Research Report: The State of IoT Software Development
Memfault State of IoT Report