# CS 510 Lecture 16: Verification Case Studies: Evolution From SVA 2005 to SVA 2009


Adapted from the DVCon 2009 paper by Eduard Cerny (Synopsys, Inc.), Surrendra Dudani (Synopsys, Inc.), Dmitry Korchemny (Intel Corp.), Lisa Piper, and Erik Seligman (Intel Corp.).

## Overview

The goal of this presentation is to illustrate the new SVA capabilities introduced in the 2009 release of the IEEE 1800 SystemVerilog standard. We chose to illustrate new features and enhancements on important verification use cases:

- It is not feasible to provide an exhaustive overview of new features in a conference talk.

Disclaimer: the emerging IEEE 1800-2009 has not been officially approved yet.

## Use Case #1: Unclocked Boolean Assertions (SVA 2005)

Verify correctness of an XOR implementation:

```systemverilog
assign my_xor = a && not_b || not_a && b;
assign not_a  = !a;
assign not_b  = !b;

always_comb p: assert (my_xor == a^b);
```

Signal values in successive evaluation steps within one time tick t (left to right):

| signal | step 1 | step 2 | step 3 | step 4 |
|--------|--------|--------|--------|--------|
| a      | 0 | 1 | 1 | 1 |
| b      | 0 | 1 | 1 | 1 |
| not_a  | 1 | 1 | 0 | 0 |
| not_b  | 1 | 1 | 1 | 0 |
| my_xor | 0 | 1 | 1 | 0 |

- Glitch: while `not_a` and `not_b` are still being updated, `my_xor` transiently differs from `a^b`, and the immediate assertion reports a failure.
- Immediate assertions may appear in procedural code only.

## Use Case #1: Unclocked Boolean Assertions (SVA 2005 vs SVA 2009)

Verify correctness of an XOR implementation:

```systemverilog
assign my_xor = a && not_b || not_a && b;
assign not_a  = !a;
assign not_b  = !b;
```

Signal values in successive evaluation steps within one time tick t (left to right):

| signal | step 1 | step 2 | step 3 | step 4 |
|--------|--------|--------|--------|--------|
| a      | 0 | 1 | 1 | 1 |
| b      | 0 | 1 | 1 | 1 |
| not_a  | 1 | 1 | 0 | 0 |
| not_b  | 1 | 1 | 1 | 0 |
| my_xor | 0 | 1 | 1 | 0 |

SVA 2005 (immediate assertion):

```systemverilog
always_comb p: assert (my_xor == a^b);
```

SVA 2009 (deferred assertion):

```systemverilog
always_comb p: assert #0(my_xor == a^b);
```

- No glitch: the deferred assertion matures in the Observed region, after the continuous assignments have settled.
- Deferred assertions may appear outside procedural code.

## Use Case #1: Unclocked Boolean Assertions (deferred assertion outside procedural code)

Verify correctness of an XOR implementation:

```systemverilog
assign my_xor = a && not_b || not_a && b;
assign not_a  = !a;
assign not_b  = !b;
```

Signal values in successive evaluation steps within one time tick t (left to right), as given on the slide:

| signal | step 1 | step 2 | step 3 | step 4 |
|--------|--------|--------|--------|--------|
| a      | 0 | 1 | 1 | 1 |
| b      | 0 | 1 | 1 | 1 |
| not_a  | 1 | 1 | 0 | 0 |
| not_b  | 1 | 1 | 1 | 0 |
| my_xor | 1 | 1 | 0 | 1 |

SVA 2005:

```systemverilog
always_comb p: assert (my_xor == a^b);
```

SVA 2009 (deferred assertion at module scope, outside procedural code):

```systemverilog
p: assert #0(my_xor == a^b);
```

- No glitch: the deferred assertion matures in the Observed region.
- Deferred assertions may appear outside procedural code.
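The testbench below is an added example (it is not from the slides or the DVCon paper). It wraps the XOR of Use Case #1 in a module, drives both inputs in the same time step to provoke the transient on `my_xor`, and counts the failures reported by the SVA 2005 immediate assertion and by the SVA 2009 deferred assertion side by side. The module name, the counters and the stimulus are chosen for this example.

```systemverilog
module xor_glitch_tb;
  logic a, b, not_a, not_b, my_xor;

  // Structural XOR from the slide: my_xor is computed from the inverted inputs,
  // so it can take a transient wrong value while not_a / not_b are still updating.
  assign not_a  = !a;
  assign not_b  = !b;
  assign my_xor = a && not_b || not_a && b;

  int imm_fails = 0;   // failures reported by the SVA 2005 immediate assertion
  int def_fails = 0;   // failures reported by the SVA 2009 deferred assertion

  // SVA 2005: immediate assertion, evaluated each time the always_comb block runs
  // in the Active region, so it may observe the transient value of my_xor.
  always_comb p_imm: assert (my_xor == (a ^ b)) else imm_fails++;

  // SVA 2009: deferred assertion. A re-execution of the always_comb block in the
  // same time step flushes the pending report; only a failure that is still present
  // when the Observed region is reached is actually reported.
  always_comb p_def: assert #0 (my_xor == (a ^ b)) else def_fails++;

  initial begin
    a = 0; b = 0;
    #10 a = 1; b = 1;   // both inputs change in the same time step: transient on my_xor
    #10 a = 0;          // a ^ b = 1, no transient
    #10 b = 0;
    #10 $display("immediate failures = %0d, deferred failures = %0d", imm_fails, def_fails);
    $finish;
  end
endmodule : xor_glitch_tb
```

On a simulator that implements deferred assertions, `def_fails` stays 0. Whether `imm_fails` becomes non-zero depends on the order in which the simulator evaluates the three continuous assignments, which is exactly why the immediate form is unreliable for checks on combinational logic.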

## Use Case #2: Compile-time Macros

Write an immediate assertion checking one-cold encoding.

SVA 2005:

```systemverilog
`define ONE_COLD(sig) \
  ($onehot(~(sig)))
...
assert (`ONE_COLD(a));
```

- Global scope
- Difficult to process with CAD tools
- A function is not directly applicable here

SVA 2009:

```systemverilog
let one_cold(sig) = $onehot(~sig);
...
assert (one_cold(a));
```

- Local scope
- Visible to CAD tools
- The `let` construct is not limited to immediate assertions
- Arguments should be of integral type

## Use Case #3: Clocked Boolean Assertions (SVA 2005)

Check that a signal is always high on the rising clock edge:

```systemverilog
assert property (@(posedge clk) a);
```

- This assertion also checks clock fairness: `clk` should tick infinitely often.
- It is costly in FV.

## Use Case #3: Clocked Boolean Assertions (SVA 2009)

SVA 2009 introduces weak and strong sequential properties:

```systemverilog
strong(@clk a[*] ##1 b)   // the clock should tick enough times for the sequence to match
weak(@clk a[*] ##1 b)     // the clock may stop ticking in the middle
```

- Default: weak in `assert`/`assume`, strong in `cover`.

## Use Case #3: Clocked Boolean Assertions (SVA 2005 vs SVA 2009)

Check that a signal is always high on the rising clock edge:

```systemverilog
assert property (@(posedge clk) a);
```

- SVA 2005: this assertion also checks clock fairness (`clk` should tick infinitely often); costly in FV.
- SVA 2009: no clock fairness is checked (the property is weak by default in `assert`); cheaper in FV.

## Use Case #4: Complex Temporal Assertions

Check that reset eventually becomes deasserted forever.

SVA 2005:

```systemverilog
not (##[1:$] !rst |-> ##[1:$] rst)
```

- Non-intuitive
- Difficult to write
- Readability is poor

SVA 2009:

```systemverilog
s_eventually always !rst
```

New temporal operators:

- `(s_)always`
- `(s_)eventually`
- `(s_)until(_with)`
- `(s_)nexttime`
- `case`
- `#-#`, `#=#` (followed by)
- `(sync_)accept_on`, `(sync_)reject_on`
- `implies`
- `iff`

## Explanation Of Ugly Assertion

```systemverilog
not (##[1:$] !rst |-> ##[1:$] rst)
```

- Rewrite using `not (A |-> B) == A #-# (not B)`:
  `(##[1:$] !rst) #-# (not ##[1:$] rst)`
- Remember that `A #-# B` means "A is followed by B at some point":
  (an eventual `!rst`) is followed at some point by (never seeing reset again), which is `s_eventually always !rst`.

## Use Case #5: Stability Assertions (SVA 2005)

Check that a signal has a constant value:

```systemverilog
@clk $stable(a)
```

- As written (stability is checked already at the first tick), this assertion checks that `a` is always X.
- Q: How to check stability between clock ticks?
- A: Not a problem if `clk` is a system clock.

## Use Case #5: Stability Assertions (SVA 2005, corrected)

Check that a signal has a constant value:

```systemverilog
@clk ##1 $stable(a)
```

- Now it works.
- Q: How to check stability between clock ticks?
- A: Not a problem if `clk` is a system clock.

## Use Case #5: Stability Assertions (SVA 2009)

SVA 2009 introduces a global (= system) clock.

Definition (at most one per design):

```systemverilog
global clocking @clk; endclocking
```

Reference: `$global_clock`

Future-value functions:

- `$future_gclk(a)`: value of `a` at the next tick of `$global_clock`
- `$rising_gclk(a)`
- `$falling_gclk(a)`
- `$steady_gclk(a)`
- `$changing_gclk(a)`

## Use Case #5: Stability Assertions (SVA 2005 vs SVA 2009)

Check that a signal has a constant value.

SVA 2005:

```systemverilog
@clk ##1 $stable(a)
```

SVA 2009:

```systemverilog
@$global_clock $steady_gclk(a)
```

- Universal
- More intuitive
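As an added example (not part of the original slides), the testbench below puts the two stability checks of Use Case #5 side by side: a system clock `sysclk` is declared as the global clock, a slower design clock `clk` is derived from it, and `a` is changed and restored between two ticks of `clk`. The signal names, the clock ratio and the stimulus are assumptions of this example; running it requires a simulator or formal tool that implements the SVA 2009 global clocking functions.

```systemverilog
module stability_tb;
  bit sysclk = 0;           // system clock (constructed for this example)
  bit [1:0] cnt = '0;       // divides sysclk so that clk ticks once per four sysclk ticks
  wire clk = cnt[1];        // slower design clock, derived from sysclk
  logic [3:0] a = 4'h5;     // signal that is expected to hold a constant value

  // SVA 2009: the single global clock of the design is the system clock.
  global clocking @(posedge sysclk); endclocking

  always #1 sysclk = ~sysclk;
  always @(posedge sysclk) cnt <= cnt + 1;

  // SVA 2005 style: a is only sampled at ticks of clk, so a change that appears
  // and disappears between two clk ticks is never observed.
  a_2005: assert property (@(posedge clk) ##1 $stable(a))
    else $error("a changed between two clk ticks");

  // SVA 2009 style: at every global clock tick, a must keep its value until the
  // next global clock tick, so the change below is reported.
  a_2009: assert property (@$global_clock $steady_gclk(a))
    else $error("a changed between two global clock ticks");

  initial begin
    @(posedge clk);
    @(posedge sysclk) a <= 4'hA;   // change a between two clk ticks ...
    @(posedge sysclk) a <= 4'h5;   // ... and restore it before the next clk tick
    repeat (3) @(posedge clk);
    $finish;
  end
endmodule : stability_tb
```

With this timing `a_2005` never fails, because `a` has the same value at every `clk` tick, while `a_2009` fails at the two global clock ticks around which `a` changes. The same global clock also makes `$future_gclk`, `$rising_gclk` and `$falling_gclk` usable in other checks of the design.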

## Use Case #6: Functional Coverage (SVA 2005)

Monitor how many times `a ##1 b[*1:2] ##1 c` is matched. Print a match notification in debug mode.

```systemverilog
cover property (@(posedge clk) !rst throughout (a ##1 b[*1:2] ##1 c))
`ifdef debug
  $display("Matched");
`else
  ;   // empty action block when debug is not defined
`endif
```

- No `disable iff` is allowed with a cover statement; without the `!rst throughout` guard, (vacuous) success would be reported when `rst` is active.
- Reset is synchronous.
- When the cover property expression is a sequence, every sequence match is reported.

## Use Case #6: Functional Coverage (SVA 2005 vs SVA 2009)

Monitor how many times `a ##1 b[*1:2] ##1 c` is matched. Print a match notification in debug mode.

SVA 2005:

```systemverilog
cover property (@(posedge clk) !rst throughout (a ##1 b[*1:2] ##1 c))
`ifdef debug
  $display("Matched");
`else
  ;   // empty action block when debug is not defined
`endif
```

SVA 2009:

```systemverilog
`ifndef debug
  initial $assertpassoff;
`endif
cover sequence (@(posedge clk) disable iff (rst) a ##1 b[*1:2] ##1 c) $info("Matched");
```

- `disable iff` may be used with a cover statement: when `rst` is active, evaluation is disabled and no success is reported.
- Reset is asynchronous.
- When the cover property expression is a sequence, one sequence match is reported; to report every match, use `cover sequence`.

## Use Case #7: Embedded Assertions

Embed a concurrent assertion into procedural code.

SVA 2005:

- Pure syntactical embedding, with only a loose relation to simulation semantics
- Problems with cover statement embedding
- Inability to embed a concurrent assertion into procedural loops

SVA 2009:

- Introduced simulation semantics for embedded assertions

## Use Case #8: Concurrent Assertions in Loops

Check that the behavior of two vectors is the same with respect to the temporality of individual bits:

```systemverilog
logic [7:0] a, b;
always @(posedge clk) begin
  for (int i = 0; i < 8; i++) begin
    a <= …;
    b <= …;
    …
  end
end
```

## Use Case #8: Concurrent Assertions in Loops (SVA 2005)

Check that the behavior of two vectors is the same with respect to the temporality of individual bits:

```systemverilog
logic [7:0] a, b;
always @(posedge clk) begin
  for (int i = 0; i < 8; i++) begin
    a <= …;
    b <= …;
    …
  end
end

// The check has to be written as a separate generate loop:
for (genvar i = 0; i < 8; i++) begin : block
  r: assert property (@(posedge clk) a[i] |-> ##[1:2] b[i]);
end : block
```

- Impossible to write a concurrent assertion in a procedural loop
- Need to replicate the loop as a generate loop
- No locality
- Context is lost

## Use Case #8: Concurrent Assertions in Loops (SVA 2009)

Check that the behavior of two vectors is the same with respect to the temporality of individual bits:

```systemverilog
logic [7:0] a, b;
always @(posedge clk) begin
  for (int i = 0; i < 8; i++) begin
    a <= …;
    b <= …;
    r: assert property (a[i] |-> ##[1:2] b[i]);
    …
  end
end
```

- Concurrent assertions may be put in procedural loops
- Locality is preserved
- Context (here the clock `posedge clk`) may be inferred

## Use Case #9: Assertion Libraries (SVA 2005)

Create a library element to check a corporate bus:

- All bus enable bits must be mutually exclusive.
- If a request bit comes in, the corresponding enable bit must rise within two clock cycles.

```systemverilog
// BUS_SIZE is the bus width; the slide assumes it is defined in an enclosing scope.
module check_bus (
  input logic [BUS_SIZE-1:0] req, en,
  input logic clk,
  input logic rst);
  for (genvar i = 0; i < BUS_SIZE; i++) begin : loop
    a1: assert property (@(posedge clk) disable iff (rst) req[i] |-> ##[0:2] en[i]);
  end : loop
  a2: assert property (@(posedge clk) disable iff (rst) $onehot0(en));
endmodule : check_bus
```

- Assertions should be packaged in a module/interface
- Cannot be instantiated in procedural code
- Clock and reset must be explicitly specified
- Sequences, properties, and events cannot be passed as arguments

## Use Case #9: Assertion Libraries (SVA 2009)

Create a library element to check a corporate bus:

- All bus enable bits must be mutually exclusive.
- If a request bit comes in, the corresponding enable bit must rise within two clock cycles.

```systemverilog
// BUS_SIZE is the bus width; the slide assumes it is defined in an enclosing scope.
checker check_bus (
  logic [BUS_SIZE-1:0] req, en,
  event clk = $inferred_clock,
  logic rst = $inferred_disable);
  for (genvar i = 0; i < BUS_SIZE; i++) begin : loop
    a1: assert property (@clk disable iff (rst) req[i] |-> ##[0:2] en[i]);
  end : loop
  a2: assert property (@clk disable iff (rst) $onehot0(en));
endchecker : check_bus
```

- Assertions may be packaged in checkers
- Can be instantiated in procedural code
- Clock and reset may be inferred from context
- Sequences, properties, and events can be passed as arguments

## Use Case #9: Assertion Libraries (SVA 2009, instantiation)

Create a library element to check a corporate bus:

- All bus enable bits must be mutually exclusive.
- If a request bit comes in, the corresponding enable bit must rise within two clock cycles.

Instantiation:

```systemverilog
default disable iff !rstnn;
always @(posedge clk1) begin
  ...
  check_bus c1(busreq, busen);
end
```

- The checker inherits the clock `posedge clk1` and the reset `!rstnn` from its context.

## Use Case #10: Assertion Modeling (SVA 2005)

Add the following condition to the above checker:

- A soft error should never happen more than 6 times after reset.

SVA 2005:

- Packaged in a module/interface
- The soft error must be represented as a signal
- Sequences cannot be passed as arguments to modules

## Use Case #10: Assertion Modeling (SVA 2009)

Add the following condition to the above checker:

- A soft error should never happen more than 6 times after reset.

```systemverilog
checker check_bus (
  logic [BUS_SIZE-1:0] req, en,
  sequence serr_seq,
  event clk = $inferred_clock,
  logic rst = $inferred_disable);
  …
  bit [2:0] ctr = '0;
  let serr = serr_seq.triggered;
  always @(clk) ctr <= rst ? '0 : ctr + serr;
  a3: assert property (@clk disable iff (rst) ctr <= 3'd6);
endchecker : check_bus
```

- Packaged in a checker
- The soft error is represented as a sequence
- Checkers may contain variable declarations and modeling code
- Only nonblocking assignments (NBA) are legal in a checker
- The sequence `triggered` method may be used in assignments
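Added example, not the slides' own code: the `check_bus` checker of Use Cases #9 and #10 completed into a runnable testbench. `BUS_SIZE`, which the slides leave undefined, is assumed here to be a `localparam` of the enclosing testbench module, and the checker is declared inside that module so it can see it; the action blocks, the `soft_error_seq` sequence and the stimulus are constructed for this example. The checker is instantiated inside an `always` block so that `$inferred_clock` and `$inferred_disable` are taken from the context, as on the instantiation slide.

```systemverilog
module check_bus_tb;
  localparam int BUS_SIZE = 4;   // assumed bus width (not given on the slides)

  // The check_bus checker from the slides, with action blocks added so that
  // failures are visible on the simulator console.
  checker check_bus (
    logic [BUS_SIZE-1:0] req, en,
    sequence serr_seq,
    event clk = $inferred_clock,
    logic rst = $inferred_disable);

    for (genvar i = 0; i < BUS_SIZE; i++) begin : loop
      a1: assert property (@clk disable iff (rst) req[i] |-> ##[0:2] en[i])
        else $error("req[%0d] not followed by en[%0d] within two cycles", i, i);
    end : loop
    a2: assert property (@clk disable iff (rst) $onehot0(en))
      else $error("more than one bus enable active");

    // Modeling code inside the checker: count soft errors since reset (NBA only).
    bit [2:0] ctr = '0;
    let serr = serr_seq.triggered;
    always @(clk) ctr <= rst ? '0 : ctr + serr;
    a3: assert property (@clk disable iff (rst) ctr <= 3'd6)
      else $error("more than 6 soft errors since reset");
  endchecker : check_bus

  bit clk = 0;
  bit rstn = 0;
  logic [BUS_SIZE-1:0] busreq = '0, busen = '0;
  logic soft_err = 0;

  always #5 clk = ~clk;

  // The soft error is described as a sequence and passed to the checker.
  sequence soft_error_seq;
    @(posedge clk) soft_err;
  endsequence

  // Instantiation in procedural code: the checker inherits the clock posedge clk
  // from the always block and the disable condition !rstn from default disable iff.
  default disable iff !rstn;
  always @(posedge clk) begin
    check_bus c1(busreq, busen, soft_error_seq);
  end

  initial begin
    repeat (2) @(posedge clk);
    rstn <= 1;
    // One request on bit 1, granted one cycle later: a1 and a2 hold.
    @(posedge clk) busreq[1] <= 1'b1;
    @(posedge clk) begin busreq <= '0; busen[1] <= 1'b1; end
    @(posedge clk) busen <= '0;
    // Seven consecutive soft errors: ctr reaches 7 and a3 fails on the next tick.
    repeat (7) @(posedge clk) soft_err <= 1;
    @(posedge clk) soft_err <= 0;
    repeat (2) @(posedge clk);
    $finish;
  end
endmodule : check_bus_tb
```

The expected run reports no failure for `a1` and `a2` and exactly one `a3` failure, on the tick after the seventh soft error. Note that `ctr` is only 3 bits wide, as on the slide: an eighth soft error would wrap it back to 0, so a saturating counter would be safer in a real library element.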

## Use Case #11: Nondeterministic Models (SVA 2005)

The transaction service time is 1 or 2 cycles. Use this time value in an abstract FV model to reason about the total latency of the block (`latency = … + stime + …`).

```systemverilog
module sys(input logic clk, ...);
  bit [1:0] stime;
  assume property (@(posedge clk) stime > 0);
  ...
endmodule : sys
```

- `stime` is never assigned: it will probably be treated as free by FV tools, but in simulation it will keep the value 2'bXX, so this assumption will always fail in simulation.
- `stime` is unconstrained between `clk` ticks.

## Use Case #11: Nondeterministic Models (SVA 2009)

The transaction service time is 1 or 2 cycles. Use this time value in an abstract FV model to reason about the total latency of the block (`latency = … + stime + …`).

SVA 2005:

```systemverilog
module sys(input logic clk, ...);
  bit [1:0] stime;
  assume property (@(posedge clk) stime > 0);
  ...
endmodule : sys
```

SVA 2009:

```systemverilog
checker sys(...);
  rand bit [1:0] stime;
  assume property (@$global_clock stime > 0);
  ...
endchecker : sys
```

- `stime` is defined as a free variable: it will be randomized in simulation, respecting the imposed assumption.
- Controlled by `$global_clock`.

## Use Case #11: Nondeterministic Models (SVA 2009, without assumption)

The transaction service time is 1 or 2 cycles. Use this time value in an abstract FV model to reason about the total latency of the block (`latency = … + stime + …`).

SVA 2005:

```systemverilog
module sys(input logic clk, ...);
  bit [1:0] stime;
  assume property (@(posedge clk) stime > 0);
  ...
endmodule : sys
```

SVA 2009, better: avoid the assumption altogether:

```systemverilog
checker sys(...);
  rand bit choice;
  let stime = choice ? 2'b01 : 2'b10;
  ...
endchecker : sys
```

- This implementation is more efficient and intuitive.
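The following is an added example (not from the slides): it takes the `rand bit choice` / `let stime` idiom of Use Case #11 and shows it inside a small abstract model that a simulation or FV run can actually exercise. A global clock is declared in the testbench so that the free variable is re-randomized at every tick, as the previous slide describes; the checker name, the `remaining` counter, the latency assertion and the cover statements are constructed for this example and require a tool that supports SVA 2009 checker free variables.

```systemverilog
module service_time_tb;
  bit clk = 0;
  bit rstn = 0;
  logic start = 0;

  always #5 clk = ~clk;

  // The global clock drives the randomization of free (rand) checker variables.
  global clocking @(posedge clk); endclocking

  // Abstract model of a block whose transaction service time is 1 or 2 cycles.
  // A single free bit selects between the two legal values, so no assumption
  // is needed to keep stime in range.
  checker service_model (logic start, event clk = $inferred_clock, logic rst = $inferred_disable);
    rand bit choice;                         // free variable, randomized every global clock tick
    let stime = choice ? 2'b01 : 2'b10;      // service time: 1 or 2 cycles

    // Modeling code (NBA only): cycles remaining for the current transaction.
    bit [1:0] remaining = '0;
    always @(clk)
      remaining <= rst ? '0 : (start ? stime : (remaining != 0 ? remaining - 1 : '0));
    let busy = (remaining != 0);

    // Latency bound that follows from the model: service completes within 2 cycles.
    a_latency: assert property (@clk disable iff (rst) $rose(busy) |-> ##[1:2] !busy)
      else $error("service time exceeded 2 cycles");

    // Both nondeterministic outcomes should be exercised in simulation.
    c_fast: cover property (@clk disable iff (rst) start && stime == 2'd1);
    c_slow: cover property (@clk disable iff (rst) start && stime == 2'd2);
  endchecker : service_model

  // Procedural instantiation: clock and disable condition are inferred.
  default disable iff !rstn;
  always @(posedge clk) begin
    service_model m(start);
  end

  initial begin
    repeat (2) @(posedge clk);
    rstn <= 1;
    // Issue transactions spaced far enough apart that they never overlap in the model.
    repeat (8) begin
      @(posedge clk) start <= 1;
      @(posedge clk) start <= 0;
      repeat (3) @(posedge clk);
    end
    $finish;
  end
endmodule : service_time_tb
```

In simulation `a_latency` holds for every transaction whichever value `choice` takes, and the two cover statements confirm that both service times were seen; in a formal run the same checker lets the tool explore both choices exhaustively without any assumption to maintain.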

## There Is Much More

- Elaboration-time severity system tasks
- Enhancements and clarifications in formal semantics
- Enhancements concerning local variables and recursive properties
- Covergroups and final procedures in checkers
- Boolean implication
- Many others …

## Conclusions

- IEEE P1800 SystemVerilog 2009 brings powerful enhancements in RTL validation.
- Two main validation aspects have been addressed:
  - Assertion-based verification using assertion libraries
  - Professional exhaustive formal verification
- Many new features and enhancements have been added, including clarifications in formal semantics.
- Many errata have been solved, and probably many new ones introduced.

## Out of Scope of SV(A) 2009

Several important items remained out of scope of SV(A) 2009:

- A capability to specify a variable number of arguments for sequence, property and checker instances. Today, one has to repeat definitions for variants of a similar pattern of behavior.
- Ability to instantiate checkers in tasks or functions. These can be very useful when checkers contain deferred assertions and modeling code to support them.
- Ability to force values of design variables from checkers. This is important to allow design pruning for formal verification needs.

