CS 510 Lecture 16: Verification Case Studies: Evolution From SVA 2005 to SVA 2009 Adapted from DVCon 2009 paper by Eduard Cerny 1, Surrendra Dudani 1,

CS 510 Lecture 16: Verification Case Studies: Evolution From SVA 2005 to SVA

2009Adapted from DVCon 2009 paper by

Eduard Cerny1, Surrendra Dudani1, Dmitry Korchemny2,

Lisa Piper, Erik Seligman2

2Intel Corp.1Synopsys, Inc.

http://images.google.com/imgres?imgurl=http://www.ode.state.or.us/images/initiatives/closinggap/2006/intel-logo.gif&imgrefurl=http://www.ode.state.or.us/initiatives/closinggap/2006/sponsors.aspx&h=180&w=275&sz=17&hl=en&start=19&tbnid=gEaAy0wXATBOqM:&tbnh=75&tbnw=114&prev=/images?q=intel+logo&svnum=10&hl=en&rls=GGLD,GGLD:2005-04,GGLD:en

http://images.google.com/imgres?imgurl=http://www.purpletie.com/images/synopsyslogo.gif&imgrefurl=http://www.purpletie.com/&h=31&w=145&sz=3&hl=en&start=1&tbnid=r8_HbxrvW7Aq_M:&tbnh=20&tbnw=95&prev=/images?q=synopsyslogo&svnum=10&hl=en&rls=GGLD,GGLD:2005-04,GGLD:en

Overview

The goal of this presentation is to illustrate new SVA capabilities introduced in 2009 release of IEEE 1800 SystemVerilog standard

• We chose to illustrate new features and enhancements on important verification use cases

– It is not feasible to provide an exhaustive overview of new features in a conference talk

Disclaimer:The emerging IEEE 1800 2009 has not been officially approved yet

E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman 2 of 31

Verify correctness of XOR implementation

a 0 1 1 1b 0 1 1 1not_a 1 1 0 0not_b 1 1 1 0my_xor 0 1 1 0

Use Case #1Unclocked Boolean Assertions

E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

assign my_xor = a && not_b || not_a && b;assign not_a = !a;assign not_b = !b;


always_combp: assert (my_xor == a^b);always_combp: assert (my_xor == a^b);

Glitch

Immediate assertions may appear in procedural code

only

SVA 2005

3 of 31

time tick t

Verify correctness of XOR implementation


Use Case #1Unclocked Boolean Assertions





No glitch

SVA 2005 SVA 2009

always_combp: assert #0(my_xor == a^b);always_combp: assert #0(my_xor == a^b);

May appear outsideprocedural code

Deferred assertion

Matures in Observed region

4 of 31

time tick t


Use Case #1Unclocked Boolean AssertionsVerify correctness of XOR implementation





No glitch

SVA 2005 SVA 2009

p: assert #0(my_xor == a^b);p: assert #0(my_xor == a^b);

May appear outsideprocedural code

Deferred assertion

Matures in Observed region

5 of 31

time tick t

Use Case #2Compile-time MacrosWrite an immediate assertion checking one cold

encoding


SVA 2005

`define ONE_COLD(sig) \ ($onehot(~(sig)))...assert (ÒNE_COLD(a));

`define ONE_COLD(sig) \ ($onehot(~(sig)))...assert (ÒNE_COLD(a));

• Global scope• Difficult to process with CAD

tools

SVA 2009

let one_cold(sig) = $onehot(~sig);...assert (one_cold(a));

let one_cold(sig) = $onehot(~sig);...assert (one_cold(a));

• Local scope• Visible CAD tools

let construct

• Not limited to immediate assertions• Arguments should be of integral type

Function is not directly applicable

here

6 of 31

Use Case #3Clocked Boolean AssertionsCheck that signal is always high on rising clock edge


SVA 2005

This assertion checks also clock fairness: clk should tick infinitely often

assert property (@(posedge clk) a);assert property (@(posedge clk) a);

It is costly in FV

7 of 31

Use Case #3Clocked Boolean Assertions

Introduces weak and strong sequential properties


SVA 2009

strong(@clk a[*] ##1 b)strong(@clk a[*] ##1 b)

weak(@clk a[*] ##1 b)weak(@clk a[*] ##1 b)

Clock should tick enough time for a

sequence to match

Clock may stop ticking in the

middle

Default:• weak in assert/assume• strong in cover

8 of 31

Use Case #3Clocked Boolean AssertionsCheck that signal is always high on rising clock edge


SVA 2005

This assertion checks also clock fairness: clk should tick infinitely often

assert property (@(posedge clk) a);assert property (@(posedge clk) a);

Costly in FV

SVA 2009

No clock fairness checked

Cheaper in FV

9 of 31

Use Case #4Complex Temporal AssertionsCheck that reset eventually becomes deasserted

forever


SVA 2005

not (##[1:$] !rst |-> ##[1:$] rst)not (##[1:$] !rst |-> ##[1:$] rst)

• Non-intuitive• Difficult to write• Readability is

poor

SVA 2009

New temporal operators

• (s_)always• (s_)eventually• (s_)until(_with)• (s_)nexttime• case• #-#, #=# (followed by)• (sync_)accept_on,

(sync_)reject_on• implies• iff

s_eventually always !rsts_eventually always !rst

10 of 31

Explanation Of Ugly Assertionnot (##[1:$] !rst |-> ##[1:$] rst) - Rewrite: not (A|->B) == A #-# (not B) (##[1:$] !rst) #-# (not ##[1:$] rst) - Remember that A #-# B means “A is followed by B

at some point”(an eventual !rst) is followed at some point by (never

seeing reset again)

s_eventually always !rst

Use Case #5Stability AssertionsCheck that signal has constant value


SVA 2005

@clk $stable(a)@clk $stable(a) ?Q: How to check stability between clock ticks?A: Not a problem if clk is a system clock

This assertion checks that a is always X

12 of 31



SVA 2005

@clk ##1 $stable(a)@clk ##1 $stable(a)

Q: How to check stability between clock ticks?A: Not a problem if clk is a system clock

Now it works

13 of 31

Use Case #5Stability Assertions

Introduces a global (=system) clock– Definition

• At most one per design

– Reference– Future-value functions


$global_clock$global_clock

SVA 2009

global clocking @clk;endclocking

global clocking @clk;endclocking

$future_gclk(a)$rising_gclk(a)$falling_gclk(a)$steady_gclk(a)$changing_gclk(a)

$future_gclk(a)$rising_gclk(a)$falling_gclk(a)$steady_gclk(a)$changing_gclk(a)

Value of a at the next tick of

$global_clock

14 of 31



SVA 2005

@clk ##1 $stable(a)@clk ##1 $stable(a)

SVA 2009

@$global_clock $steady_gclk(a)@$global_clock $steady_gclk(a)

• Universal• More

intuitive

15 of 31

Use Case #6Functional CoverageMonitor how many times a ##1 b[*1:2] ##1 c is

matched. Print match notification in debug mode


SVA 2005

cover property(@(posedge clk) !rst throughout ( a ##1 b[*1:2] ##1 c)ìfdef debug $display (“Matched");èndif

cover property(@(posedge clk) !rst throughout ( a ##1 b[*1:2] ##1 c)ìfdef debug $display (“Matched");èndif

• No disable iff with cover statement• Otherwise, when rst is active, (vacuous) success reported

• Reset is synchronous• When cover property expression is sequence every sequence match is

reported

16 of 31

Use Case #6Functional CoverageMonitor how many times a ##1 b[*1:2] ##1 c is

matched. Print match notification in debug mode


SVA 2005

cover property(@(posedge clk) !rst throughout ( a ##1 b[*1:2] ##1 c)ìfdef (debug) $display (“Matched");èndif

cover property(@(posedge clk) !rst throughout ( a ##1 b[*1:2] ##1 c)ìfdef (debug) $display (“Matched");èndif

• disable iff may be used with cover statement• When rst is active, execution is disabled, no success reported

• Reset is asynchronous• When cover property expression is sequence one sequence match is

reported, to report every match, use cover sequence

SVA 2009

ìfndef debug initial $assertpassoff;èndifcover sequence(@(posedge clk) disable iff (rst) a ##1 b[*1:2] ##1 c) $info(“Matched");

ìfndef debug initial $assertpassoff;èndifcover sequence(@(posedge clk) disable iff (rst) a ##1 b[*1:2] ##1 c) $info(“Matched");

17 of 31

Use Case #7Embedded AssertionsEmbed a concurrent assertion into procedural code

Pure syntactical embedding– Loose relation with simulation semantics

• Problems with cover statement embedding• Inability to embed concurrent assertion into procedural

loops

Introduced simulation semantics for embedded assertions

SVA 2005

SVA 2009


Use Case #8Concurrent Assertions in LoopsCheck that the behavior of two vectors is the same

with respect to temporality of individual bits

logic [7:0] a, b;always @(posedge clk) begin for (int i = 0; i < 8; i++) begin a <= …; b <= …; … endend






begin (genvar i = 0; i < 8; i++)begin : block r: assert property ( @(posedge clk) a[i] |-> ##[1:2] b[i]);end : block


begin (genvar i = 0; i < 8; i++)begin : block r: assert property ( @(posedge clk) a[i] |-> ##[1:2] b[i]);end : block


Impossible to write concurrent assertion in procedural loop

• Need to replicate the loop as generate

• No locality• Context is lost

SVA 2005

20 of 31



logic [7:0] a, b;always @(posedge clk) begin for (int i = 0; i < 8; i++) begin a <= …; b <= …; r: assert property ( a[i] |-> ##[1:2] b[i]);

… endend

logic [7:0] a, b;always @(posedge clk) begin for (int i = 0; i < 8; i++) begin a <= …; b <= …; r: assert property ( a[i] |-> ##[1:2] b[i]);

… endend


Concurrent assertions may be put in procedural loops

• Locality is preserved• Context may be inferred

SVA 2009

21 of 31

Use Case #9Assertion LibrariesCreate library element to check corporate bus:

– All bus enable bits must be mutually exclusive– If a request bit comes in the corresponding enable bit must

rise in two clock cycles

module check_bus ( logic [BUS_SIZE-1:0] req, en, logic clk, logic rst);

for (genvar i = 0; i < BUS_SIZE; i++) begin : loop a1: assert property ( @(posedge clk) disable iff (rst) req[i] |-> ##[0:2] en[i]); end : loop a2: assert property (@(posedge clk) disable iff (rst) $onehot0(en)); endmodule : check_bus

module check_bus ( logic [BUS_SIZE-1:0] req, en, logic clk, logic rst);

for (genvar i = 0; i < BUS_SIZE; i++) begin : loop a1: assert property ( @(posedge clk) disable iff (rst) req[i] |-> ##[0:2] en[i]); end : loop a2: assert property (@(posedge clk) disable iff (rst) $onehot0(en)); endmodule : check_bus


Assertions should be packaged in a module/interface

• Cannot be instantiated in procedural code

• Clock and reset must be explicitly specified

• Sequences, properties, and events cannot be passed as arguments

SVA 2005

22 of 31

Use Case #9Assertions LibrariesCreate library element to check corporate bus:



checker check_bus ( logic [BUS_SIZE-1:0] req, en, event clk = $inferred_clock, logic rst = $inferred_disable);

for (genvar i = 0; i < BUS_SIZE; i++) begin : loop a1: assert property ( @clk disable iff (rst) req[i] |-> ##[0:2] en[i]); end : loop a2: assert property (@clk disable iff (rst) $onehot0(en)); endchecker : check_bus

checker check_bus ( logic [BUS_SIZE-1:0] req, en, event clk = $inferred_clock, logic rst = $inferred_disable);

for (genvar i = 0; i < BUS_SIZE; i++) begin : loop a1: assert property ( @clk disable iff (rst) req[i] |-> ##[0:2] en[i]); end : loop a2: assert property (@clk disable iff (rst) $onehot0(en)); endchecker : check_bus


Assertions may be packaged in checkers

• Can be instantiated in procedural code

• Clock and reset may be inferred from context

• Sequences, properties, and events can be passed as arguments

SVA 2009

23 of 31

Use Case #9Assertions LibrariesCreate library element to check corporate bus:



Instantiation

default disable iff !rstnn;always @(posedge clk1) begin ... check_bus c1(busreq, busen);end

default disable iff !rstnn;always @(posedge clk1) begin ... check_bus c1(busreq, busen);end


SVA 2009

Checker inherits clock posedge clk1

and reset !rstnn

24 of 31

Use Case #10Assertion ModelingAdd the following condition to above checker:

– A soft error should never happen more than 6 times after reset


SVA 2005

Packaged in a module/interface

• Soft error must be represented as signal• Sequences cannot be

passed as arguments to modules

25 of 31

Use Case #10Assertion ModelingAdd the following condition to above checker:

– A soft error should never happen more than 6 times after reset


Packaged in a checker

• Soft error represented as sequence

• Checkers may contain variable declaration and modeling code• Only NBA are legal in

checker• Sequence triggered

method may be used in assignments

checker check_bus ( logic [BUS_SIZE-1:0] req, en, sequence serr_seq, event clk = $inferred_clock, logic rst = $inferred_disable); … bit [2:0] ctr = '0; let serr = serr_seq.triggered; always @(clk) ctr <= rst ? '0 : ctr + serr; a3: assert property (@clk disable iff (rst) ctr <= 3'd6); endchecker : check_bus

checker check_bus ( logic [BUS_SIZE-1:0] req, en, sequence serr_seq, event clk = $inferred_clock, logic rst = $inferred_disable); … bit [2:0] ctr = '0; let serr = serr_seq.triggered; always @(clk) ctr <= rst ? '0 : ctr + serr; a3: assert property (@clk disable iff (rst) ctr <= 3'd6); endchecker : check_bus

SVA 2009

26 of 31

Use Case #11 Nondeterministic ModelsTransaction service time is 1 or 2 cycles. Use this time value in an

abstract FV model to reason about total latency of the block


module sys(logic clk, ...); bit[1:0] stime; assume property ( @(posedge clk) stime > 0); ...endmodule : sys


SVA 2005• Never assigned• Will probably treated as free by FV

tools• In simulation will keep value 2’bXX

This assumption will always fail in simulation

stime is unconstrained between clk ticks

latency = … + stime + …

27 of 31




SVA 2009



SVA 2005

checker sys(...); rand bit[1:0] stime; assume property( @$global_clock stime > 0);...endchecker : sys

checker sys(...); rand bit[1:0] stime; assume property( @$global_clock stime > 0);...endchecker : sys

• Defined as a free variable• Will be randomized in simulation

respecting imposed assumption

Controlled by $global_clock


28 of 31




SVA 2009



SVA 2005

checker sys(...); rand bit choice; let stime = choice ? 2'b01 : 2'b02; ...endchecker : sys

checker sys(...); rand bit choice; let stime = choice ? 2'b01 : 2'b02; ...endchecker : sys

Better: avoid assumption altogether:

This implementation is more efficient and intuitive


29 of 31

There is much more

Elaboration time severity system tasksEnhancements and clarifications in formal semanticsEnhancements concerning local variables and

recursive propertiesCovergroups and final procedures in checkersBoolean implication

Many others …


Conclusions

IEEE P1800 SystemVerilog 2009 brings powerful enhancements in RTL validation

Two main validation aspects have been addressed– Assertion-based verification using assertion

libraries– Professional exhaustive formal verification

Many new features and enhancements have been added, including clarifications in formal semantics

Many errata have been solved– And probably many new introduced


Out of Scope of SV(A) 2009

There were several important items remained out of scope of SV(A) 2009:– A capability to specify variable number of

arguments for sequence, property and checker instances.• Today, one has to repeat definitions for variants of a

similar pattern of behavior.

Ability to instantiate checkers in tasks or functions– These can be very useful when checkers contain

deferred assertions and modeling code to support them.

Ability to force values of design variables from checkers– This is important to allow design pruning for

formal verification needs.E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman 32 of 31

Documents

CS 510 Lecture 16: Verification Case Studies: Evolution From SVA 2005 to SVA 2009 Adapted from DVCon 2009 paper by Eduard Cerny 1, Surrendra Dudani 1,