Google: Static Sign-Off Methodology & Results

Google aspires to create technologies that solve important problems — and we are relying on machine learning to help us reach our goal.

We believe these technologies can promote innovation and further our mission to organize the world’s information and make it universally accessible and useful.

To implement these algorithms and these advanced technologies, for many years we have been relying on Moore’s law to give us the computing power that we need. But as you know, Moore’s Law is in decline and we cannot hope to get larger speedups in terms of the board anymore.

That’s why, at Google, several years ago we started to work on a project. We made custom hardware for machine learning called Tensor Processing Unit or TPUs.

We have been using TPUs in our data center for several years and found them to give us an order of magnitude better optimized performance per watt for machine learning.

This is roughly equivalent to fast-forwarding technology about 7 years into the future — or 3 generations of Moore’s Law.

Let’s look at this chart from Wilson research. According to this research, the main type of flaws contributing to respins are functional bugs and clocking issues — and for clocking, CDC verification is very important.

For both categories, static sign-off / static verification is very important and helps a lot. However, the issue is that for the ASIC design community, static sign-off is usually the last stage and there is no time to ensure quality and robustness.

How do we address this issue?

This slide shows the big picture of the different static verification checks that we run on our code. Before we submit our code, we have “pre-submit”, which run some basic checks on our code.

Then we have linting, in which we have standard rules, as well as some custom rules that we have developed internally.  Elaboration is next to make sure that RTL does not have any elab issues.

We use a combination of static and dynamic approaches for CDC verification. And we also run RDC (reset domain crossing).

Let’s talk about the impact of this early and continuous process. I’ll talk about CDC as one of the main challenges in the static sign-off.

CDC verification used to be the last thing in our design cycle — and I believe many companies are in the same boat.

For one of our projects everything was done, except CDC. We started to run CDC verification and the tool was reporting over 50,000 violations on one of our complex designs. Of course, many of the violations were just false failures, noise, and missing constraints. But good luck reviewing 50,000 violations, and then making sure the design is CDC safe. As you can imagine, that’s not feasible.

That’s why we decided to change our strategy and eat our biggest frog first.

• Now we have a nightly regression in which we run static tools on all the blocks every night from day one of our RTL design.
• The results are parsed, and our dashboard gets updated.
• As part of our continuous process, we will even file a bug and send an email to the corresponding designer if a block is failing.
• We keep the dashboard clean throughout the project lifetime; as you can see it’s not easy for bugs to slip past our methodology and find their way into the later stages of RTL design.

This continuous process is reducing the noise level as one of the most pressing challenges in RTL sign-off.

The results are: 1) significant reduction of later stage RTL changes, and 2) cutting at least a month of chip development time when compared to our previous methodology.