CS 510 Lecture 16: Verification Case Studies: Evolution From SVA 2005 to SVA 2009
Adapted from DVCon 2009 paper by Eduard Cerny (1), Surrendra Dudani (1), Dmitry Korchemny (2), Lisa Piper, Erik Seligman (2)
(1) Synopsys, Inc. (2) Intel Corp.
Apr 01, 2015
Overview
The goal of this presentation is to illustrate the new SVA capabilities introduced in the 2009 release of the IEEE 1800 SystemVerilog standard
• We chose to illustrate new features and enhancements on important verification use cases
– It is not feasible to provide an exhaustive overview of the new features in a conference talk
Disclaimer: the emerging IEEE 1800-2009 has not been officially approved yet
E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman 2 of 31
Use Case #1: Unclocked Boolean Assertions
Verify correctness of XOR implementation

SVA 2005
  assign my_xor = a && not_b || not_a && b;
  assign not_a = !a;
  assign not_b = !b;

  always_comb
    p: assert (my_xor == a^b);

Signal values at successive delta ticks within time tick t (glitch):
  a      0 1 1 1
  b      0 1 1 1
  not_a  1 1 0 0
  not_b  1 1 1 0
  my_xor 0 1 1 0

Immediate assertions may appear in procedural code only
Use Case #1: Unclocked Boolean Assertions (continued)
Verify correctness of XOR implementation; same design and same signal values as above

SVA 2005
  always_comb
    p: assert (my_xor == a^b);

SVA 2009
  always_comb
    p: assert #0 (my_xor == a^b);

No glitch
Deferred assertion
• May appear outside procedural code
• Matures in Observed region
Use Case #1: Unclocked Boolean Assertions (continued)
Verify correctness of XOR implementation

SVA 2009 (deferred assertion outside procedural code)
  assign my_xor = a && not_b || not_a && b;
  assign not_a = !a;
  assign not_b = !b;

  p: assert #0 (my_xor == a^b);

Signal values at successive delta ticks within time tick t:
  a      0 1 1 1
  b      0 1 1 1
  not_a  1 1 0 0
  not_b  1 1 1 0
  my_xor 1 1 0 1

No glitch
Deferred assertion
• May appear outside procedural code
• Matures in Observed region
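The glitch behaviour of Use Case #1 as an added simulation example that is not part of the slides: the XOR design is checked by both the SVA 2005 immediate assertion and the SVA 2009 deferred assertion, driven by a constructed stimulus that moves a and b through the slide's 0 -> 1 -> 1 pattern.

```systemverilog
// Added example, not from the slides: the XOR design of Use Case #1 checked by
// an immediate assertion (SVA 2005) and a deferred #0 assertion (SVA 2009).
// The module name, labels and stimulus are constructed for this example.
module xor_glitch_demo;
  logic a, b, not_a, not_b, my_xor;

  assign not_a  = !a;
  assign not_b  = !b;
  assign my_xor = (a && not_b) || (not_a && b);

  // SVA 2005 style: the immediate assertion runs each time always_comb wakes
  // up, so it can sample a delta cycle in which not_a/not_b still lag a/b
  // and report a mismatch that no longer exists once the time step settles.
  always_comb begin
    p_imm: assert (my_xor == (a ^ b))
      else $error("immediate: mismatch at %0t (a=%b b=%b my_xor=%b)",
                  $time, a, b, my_xor);
  end

  // SVA 2009 style: the deferred assertion may sit outside procedural code.
  // Its report is held until the Observed region and is flushed whenever the
  // assertion is executed again in the same time step, so only the final
  // evaluation of the time step is ever reported.
  p_def: assert #0 (my_xor == (a ^ b))
    else $error("deferred: mismatch at %0t (a=%b b=%b my_xor=%b)",
                $time, a, b, my_xor);

  // Constructed stimulus: not_a/not_b change one delta after a/b, which is
  // the window in which the immediate assertion can see a glitch.
  initial begin
    a = 0; b = 0;
    #10 a = 1;                       // a ^ b = 1
    #10 b = 1;                       // a ^ b = 0; my_xor transiently 1
    #10 begin a = 0; b = 0; end
    #10 begin a = 1; b = 1; end      // both rise in the same time step
    #10 $finish;
  end
endmodule : xor_glitch_demo
```

Whether p_imm fires depends on how the simulator orders the continuous assignments and the always_comb within a time step; p_def compares only the settled values, so it stays silent for this stimulus.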
Use Case #2: Compile-time Macros
Write an immediate assertion checking one-cold encoding

SVA 2005
  `define ONE_COLD(sig) \
    ($onehot(~(sig)))
  ...
  assert (`ONE_COLD(a));
• Global scope
• Difficult to process with CAD tools

SVA 2009: let construct
  let one_cold(sig) = $onehot(~sig);
  ...
  assert (one_cold(a));
• Local scope
• Visible to CAD tools
• Not limited to immediate assertions
• Arguments should be of integral type
(A function is not directly applicable here.)
Use Case #3: Clocked Boolean Assertions
Check that a signal is always high on the rising clock edge

SVA 2005
  assert property (@(posedge clk) a);
This assertion also checks clock fairness: clk should tick infinitely often. It is costly in FV.
Use Case #3: Clocked Boolean Assertions (continued)

SVA 2009 introduces weak and strong sequential properties
  strong(@clk a[*] ##1 b)   the clock should tick enough times for the sequence to match
  weak(@clk a[*] ##1 b)     the clock may stop ticking in the middle
Default:
• weak in assert/assume
• strong in cover
Use Case #3: Clocked Boolean Assertions (continued)
Check that a signal is always high on the rising clock edge
  assert property (@(posedge clk) a);

SVA 2005
This assertion also checks clock fairness: clk should tick infinitely often. Costly in FV.

SVA 2009
The same assertion is weak by default: no clock fairness is checked. Cheaper in FV.
Use Case #4: Complex Temporal Assertions
Check that reset eventually becomes deasserted forever

SVA 2005
  not (##[1:$] !rst |-> ##[1:$] rst)
• Non-intuitive
• Difficult to write
• Readability is poor

SVA 2009
  s_eventually always !rst
New temporal operators:
• (s_)always
• (s_)eventually
• (s_)until(_with)
• (s_)nexttime
• case
• #-#, #=# (followed by)
• (sync_)accept_on, (sync_)reject_on
• implies
• iff
Explanation of the ugly assertion
  not (##[1:$] !rst |-> ##[1:$] rst)
– Rewrite, using not (A |-> B) == A #-# (not B):
  (##[1:$] !rst) #-# (not ##[1:$] rst)
– Remember that A #-# B means "A is followed by B at some point": an eventual !rst is followed at some point by never seeing reset again, which is exactly
  s_eventually always !rst
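A worked illustration of the operators listed under Use Case #4, added here and not part of the slides: the 2005 and 2009 reset checks side by side, then one assertion per operator family. The module and its signals (req, ack, busy, done) are assumed for this example.

```systemverilog
// Added example, not from the slides: SVA 2005 and SVA 2009 forms of the reset
// check, followed by uses of the other SVA 2009 temporal operators.
// Module name and signals (req, ack, busy, done) are assumed.
module temporal_ops (input logic clk, rst, req, ack, busy, done);
  default clocking cb @(posedge clk); endclocking

  // Reset is eventually deasserted and then stays deasserted.
  rst_2005: assert property (not (##[1:$] !rst |-> ##[1:$] rst));
  rst_2009: assert property (s_eventually always !rst);

  // s_until: after a request, busy holds at every cycle until ack, and ack
  // must arrive (strong). The cycle in which ack holds need not be busy.
  busy_until_ack: assert property (req |=> busy s_until ack);

  // until_with: busy must also hold in the cycle when ack arrives; the weak
  // form tolerates a trace (or a stopping clock) in which ack never comes.
  busy_with_ack: assert property (req |=> busy until_with ack);

  // s_nexttime: one cycle after done, busy is low, and that next clock tick
  // must exist (plain nexttime would pass if the clock stopped).
  done_then_idle: assert property (done |-> s_nexttime !busy);

  // #=# (non-overlapping followed-by): at least one match of "busy within
  // 1..3 cycles" is followed by ack in the next cycle. With |=> instead,
  // every such busy cycle would have to be followed by ack.
  req_busy_ack: assert property (req |-> (##[1:3] busy #=# ack));

  // accept_on: a pending evaluation is taken as passed if rst is seen while
  // it is in progress, so an asynchronous reset causes no false failure.
  ack_after_req: assert property (accept_on (rst) (req |=> ##[0:3] ack));

  // implies / iff at the property level.
  no_busy_done: assert property (busy implies not done);
  ack_iff_req:  assert property (ack iff $past(req));
endmodule : temporal_ops
```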
Use Case #5: Stability Assertions
Check that a signal has a constant value

SVA 2005
  @clk $stable(a)
This assertion checks that a is always X.
Q: How to check stability between clock ticks?
A: Not a problem if clk is a system clock.
Use Case #5: Stability Assertions (continued)

SVA 2005
  @clk ##1 $stable(a)
Now it works.
Use Case #5: Stability Assertions (continued)

SVA 2009 introduces a global (= system) clock
– Definition (at most one per design):
  global clocking @clk; endclocking
– Reference:
  $global_clock
– Future-value functions:
  $future_gclk(a)     value of a at the next tick of $global_clock
  $rising_gclk(a)
  $falling_gclk(a)
  $steady_gclk(a)
  $changing_gclk(a)
Use Case #5: Stability Assertions (continued)
Check that a signal has a constant value

SVA 2005
  @clk ##1 $stable(a)

SVA 2009
  @$global_clock $steady_gclk(a)
• Universal
• More intuitive
Use Case #6: Functional Coverage
Monitor how many times a ##1 b[*1:2] ##1 c is matched. Print a match notification in debug mode.

SVA 2005
  cover property (@(posedge clk) !rst throughout (a ##1 b[*1:2] ##1 c))
    `ifdef debug $display("Matched"); `endif
• No disable iff with cover statement
• Otherwise, when rst is active, (vacuous) success is reported
• Reset is synchronous
• When the cover property expression is a sequence, every sequence match is reported
Use Case #6: Functional Coverage (continued)
Monitor how many times a ##1 b[*1:2] ##1 c is matched. Print a match notification in debug mode.

SVA 2009
  `ifndef debug
    initial $assertpassoff;
  `endif
  cover sequence (@(posedge clk) disable iff (rst) a ##1 b[*1:2] ##1 c) $info("Matched");
• disable iff may be used with cover statement
• When rst is active, execution is disabled, no success reported
• Reset is asynchronous
• When the cover property expression is a sequence, one sequence match is reported; to report every match, use cover sequence
Use Case #7: Embedded Assertions
Embed a concurrent assertion into procedural code

SVA 2005
Pure syntactical embedding
– Loose relation with simulation semantics
• Problems with cover statement embedding
• Inability to embed a concurrent assertion into procedural loops

SVA 2009
Introduced simulation semantics for embedded assertions
Use Case #8: Concurrent Assertions in Loops
Check that the behavior of two vectors is the same with respect to the temporality of individual bits

  logic [7:0] a, b;
  always @(posedge clk) begin
    for (int i = 0; i < 8; i++) begin
      a <= …;
      b <= …;
      …
    end
  end
Use Case #8: Concurrent Assertions in Loops (continued)

SVA 2005
Impossible to write a concurrent assertion in a procedural loop
• Need to replicate the loop as generate
  for (genvar i = 0; i < 8; i++) begin : block
    r: assert property (@(posedge clk) a[i] |-> ##[1:2] b[i]);
  end : block
• No locality
• Context is lost
Use Case #8: Concurrent Assertions in Loops (continued)

SVA 2009
Concurrent assertions may be put in procedural loops
  logic [7:0] a, b;
  always @(posedge clk) begin
    for (int i = 0; i < 8; i++) begin
      a <= …;
      b <= …;
      r: assert property (a[i] |-> ##[1:2] b[i]);
      …
    end
  end
• Locality is preserved
• Context may be inferred
Use Case #9: Assertion Libraries
Create a library element to check a corporate bus:
– All bus enable bits must be mutually exclusive
– If a request bit comes in, the corresponding enable bit must rise within two clock cycles

SVA 2005
  module check_bus (logic [BUS_SIZE-1:0] req, en, logic clk, logic rst);
    for (genvar i = 0; i < BUS_SIZE; i++) begin : loop
      a1: assert property (@(posedge clk) disable iff (rst) req[i] |-> ##[0:2] en[i]);
    end : loop
    a2: assert property (@(posedge clk) disable iff (rst) $onehot0(en));
  endmodule : check_bus
Assertions should be packaged in a module/interface
• Cannot be instantiated in procedural code
• Clock and reset must be explicitly specified
• Sequences, properties, and events cannot be passed as arguments
Use Case #9: Assertion Libraries (continued)

SVA 2009
  checker check_bus (logic [BUS_SIZE-1:0] req, en,
                     event clk = $inferred_clock,
                     logic rst = $inferred_disable);
    for (genvar i = 0; i < BUS_SIZE; i++) begin : loop
      a1: assert property (@clk disable iff (rst) req[i] |-> ##[0:2] en[i]);
    end : loop
    a2: assert property (@clk disable iff (rst) $onehot0(en));
  endchecker : check_bus
Assertions may be packaged in checkers
• Can be instantiated in procedural code
• Clock and reset may be inferred from context
• Sequences, properties, and events can be passed as arguments
Use Case #9: Assertion Libraries (continued)

SVA 2009: instantiation
  default disable iff !rstnn;
  always @(posedge clk1) begin
    ...
    check_bus c1(busreq, busen);
  end
The checker inherits clock posedge clk1 and reset !rstnn.
Use Case #10: Assertion Modeling
Add the following condition to the above checker:
– A soft error should never happen more than 6 times after reset

SVA 2005
Packaged in a module/interface
• Soft error must be represented as a signal
• Sequences cannot be passed as arguments to modules
Use Case #10: Assertion Modeling (continued)

SVA 2009
Packaged in a checker
• Soft error represented as a sequence
• Checkers may contain variable declarations and modeling code
• Only NBAs are legal in a checker
• The sequence triggered method may be used in assignments
  checker check_bus (logic [BUS_SIZE-1:0] req, en,
                     sequence serr_seq,
                     event clk = $inferred_clock,
                     logic rst = $inferred_disable);
    …
    bit [2:0] ctr = '0;
    let serr = serr_seq.triggered;
    always @(clk) ctr <= rst ? '0 : ctr + serr;
    a3: assert property (@clk disable iff (rst) ctr <= 3'd6);
  endchecker : check_bus
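The library element of Use Cases #9 and #10 carried through end to end, as an added example that is not the paper's code: the checker with all three rules, and a module that instantiates it procedurally so that clock and disable condition are inferred. bus_pkg, bus_top and the soft-error signals (parity_err, data_valid) are constructed for this example.

```systemverilog
// Added example, not the paper's code: a complete SVA 2009 checker for the
// bus rules of Use Cases #9 and #10, plus an instantiation that lets the
// checker infer its clock and disable condition. bus_pkg, bus_top and the
// soft-error signals are constructed for this example.
package bus_pkg;
  localparam int BUS_SIZE = 4;
endpackage

checker check_bus (
    logic [bus_pkg::BUS_SIZE-1:0] req, en,
    sequence serr_seq,                  // soft error passed in as a sequence
    event clk = $inferred_clock,        // taken from the enclosing always block
    logic rst = $inferred_disable);     // taken from the default disable iff

  // Rule 1: each request is answered by its own enable within two cycles.
  for (genvar i = 0; i < bus_pkg::BUS_SIZE; i++) begin : loop
    a1: assert property (@clk disable iff (rst) req[i] |-> ##[0:2] en[i])
      else $error("req[%0d] not enabled within 2 cycles", i);
  end : loop

  // Rule 2: enable bits are mutually exclusive (at most one set).
  a2: assert property (@clk disable iff (rst) $onehot0(en))
    else $error("multiple bus enables active: %b", en);

  // Rule 3: modeling code inside the checker counts soft errors through the
  // sequence's triggered method; only nonblocking assignments are legal here.
  bit [2:0] ctr = '0;
  let serr = serr_seq.triggered;
  always @(clk) ctr <= rst ? '0 : ctr + serr;
  a3: assert property (@clk disable iff (rst) ctr <= 3'd6)
    else $error("more than 6 soft errors since reset");
endchecker : check_bus

module bus_top (input logic clk1, rstn,
                input logic [bus_pkg::BUS_SIZE-1:0] busreq, busen,
                input logic parity_err, data_valid);
  // Disable condition inherited by every assertion in this module,
  // including the checker instance below (via $inferred_disable).
  default disable iff !rstn;

  // Soft error: a parity error flagged in a cycle where data is valid.
  sequence soft_err;
    @(posedge clk1) data_valid ##0 parity_err;
  endsequence

  always @(posedge clk1) begin
    // Procedural instantiation: clk is inferred as posedge clk1.
    check_bus c1 (busreq, busen, soft_err);
  end
endmodule : bus_top
```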
Use Case #11: Nondeterministic Models
Transaction service time is 1 or 2 cycles. Use this time value in an abstract FV model to reason about the total latency of the block.

SVA 2005
  module sys(logic clk, ...);
    bit [1:0] stime;
    assume property (@(posedge clk) stime > 0);
    ...
  endmodule : sys
The model uses stime as: latency = … + stime + …
• stime is never assigned
• It will probably be treated as free by FV tools
• In simulation it will keep the value 2'bxx, so this assumption will always fail in simulation
• stime is unconstrained between clk ticks
Use Case #11: Nondeterministic Models (continued)

SVA 2009
  checker sys(...);
    rand bit [1:0] stime;
    assume property (@$global_clock stime > 0);
    ...
  endchecker : sys
The model uses stime as: latency = … + stime + …
• Defined as a free variable
• Will be randomized in simulation, respecting the imposed assumption
• Controlled by $global_clock
Use Case #11: Nondeterministic Models (continued)

SVA 2009, better: avoid the assumption altogether
  checker sys(...);
    rand bit choice;
    let stime = choice ? 2'b01 : 2'b10;
    ...
  endchecker : sys
The model uses stime as: latency = … + stime + …
This implementation is more efficient and intuitive.
There is much more
• Elaboration-time severity system tasks
• Enhancements and clarifications in formal semantics
• Enhancements concerning local variables and recursive properties
• Covergroups and final procedures in checkers
• Boolean implication
• Many others …
Conclusions
IEEE P1800 SystemVerilog 2009 brings powerful enhancements in RTL validation
Two main validation aspects have been addressed:
– Assertion-based verification using assertion libraries
– Professional exhaustive formal verification
Many new features and enhancements have been added, including clarifications in formal semantics
Many errata have been solved
– And probably many new ones introduced
Out of Scope of SV(A) 2009
Several important items remained out of scope of SV(A) 2009:
– A capability to specify a variable number of arguments for sequence, property and checker instances
  • Today, one has to repeat definitions for variants of a similar pattern of behavior
– Ability to instantiate checkers in tasks or functions
  • These can be very useful when checkers contain deferred assertions and modeling code to support them
– Ability to force values of design variables from checkers
  • This is important to allow design pruning for formal verification needs