Transcript Slide 1

CS 510 Lecture 16: Verification Case Studies:
Evolution From SVA 2005 to SVA 2009
Adapted from DVCon 2009 paper by
Eduard Cerny (Synopsys, Inc.), Surrendra Dudani (Synopsys, Inc.),
Dmitry Korchemny (Intel Corp.), Lisa Piper, Erik Seligman (Intel Corp.)
Overview
The goal of this presentation is to illustrate the new SVA
capabilities introduced in the 2009 release of the IEEE 1800
SystemVerilog standard
• We chose to illustrate new features and enhancements on
important verification use cases
– It is not feasible to provide an exhaustive overview of new
features in a conference talk
Disclaimer:
The emerging IEEE 1800-2009 standard had not been officially approved yet
when the DVCon 2009 paper was written
E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman
2 of 31
Use Case #1
Unclocked Boolean Assertions
Verify correctness of XOR implementation
assign my_xor = a && not_b || not_a && b;
assign not_a = !a;
assign not_b = !b;
SVA 2005
Immediate assertions may
appear in procedural code only
always_comb
p: assert (my_xor == a^b);
Waveform at time tick t (each row is one delta cycle within the tick; columns are the signals):

a  b  not_a  not_b  my_xor
0  0    1      1      0      stable: a ^ b == 0
1  1    1      1      1      glitch: a and b have changed, not_a/not_b are still stale
1  1    0      1      1      glitch: not_b is still stale, so a && not_b is 1
1  1    0      0      0      settled: a ^ b == 0

Glitch: the immediate assertion in always_comb is evaluated on the
intermediate values and reports a false failure
SVA 2009
Deferred assertion: matures in the Observed region. A report queued by an
intermediate evaluation is flushed when the block re-executes later in the
same time step, so only the settled value at time tick t is reported
always_comb
p: assert #0 (my_xor == a^b);
May also appear outside procedural code:
p: assert #0 (my_xor == a^b);
No glitch
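The XOR check above as a complete testbench, added here as an example (not code from the slides or the DVCon paper). It runs the 2005 immediate assertion and the 2009 deferred assertion side by side on the same delta-cycle glitch; the module name tb_xor_glitch, the extra assertion labels and the stimulus timing are assumptions made for the illustration.

```systemverilog
// Added example (not from the slides or the paper): Use Case #1 as a
// self-contained testbench. tb_xor_glitch and the stimulus are assumptions.
module tb_xor_glitch;
  logic a = 0, b = 0;
  logic not_a, not_b, my_xor;

  // DUT exactly as on the slide: not_a/not_b settle one delta cycle after
  // a/b, so my_xor is briefly computed from stale inverter outputs.
  assign not_a  = !a;
  assign not_b  = !b;
  assign my_xor = a && not_b || not_a && b;

  // SVA 2005 style: immediate assertion inside procedural code. It runs every
  // time always_comb wakes up, intermediate delta cycles included, so the
  // glitch in the slide's waveform is reported as a (false) failure.
  always_comb
    p_imm: assert (my_xor == (a ^ b))
      else $error("immediate: a=%b b=%b not_a=%b not_b=%b my_xor=%b",
                  a, b, not_a, not_b, my_xor);

  // SVA 2009 style: deferred assertion (assert #0). The report is queued and
  // matures in the Observed region; when the block re-executes later in the
  // same time step the pending report is flushed, so only the settled value
  // of my_xor is ever reported.
  always_comb
    p_def: assert #0 (my_xor == (a ^ b))
      else $error("deferred: real mismatch a=%b b=%b my_xor=%b", a, b, my_xor);

  // 2009 also allows a deferred assertion outside procedural code.
  p_def_mod: assert #0 (my_xor == (a ^ b))
    else $error("deferred (module level): real mismatch");

  // Stimulus: drive a and b in the same time step; this is what makes the
  // inverter outputs stale for a delta cycle and produces the glitch.
  initial begin
    #10 {a, b} = 2'b11;   // slide scenario: 00 -> 11
    #10 {a, b} = 2'b01;
    #10 {a, b} = 2'b10;
    #10 {a, b} = 2'b00;
    #10 $finish;
  end
endmodule
```

Expect p_imm to report at least one failure at time 10 (the exact number depends on the simulator's delta-cycle ordering) and p_def / p_def_mod to stay silent, because my_xor equals a ^ b once the inverters have settled. The practical rule that follows: an immediate assertion on combinational outputs is a glitch detector, not a correctness check; use the deferred form for that.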
Use Case #2
Compile-time Macros
Write an immediate assertion checking one-cold encoding
(A function is not directly applicable here.)
SVA 2005
`define ONE_COLD(sig) \
($onehot(~(sig)))
...
assert (`ONE_COLD(a));
• Global scope
• Difficult to process with CAD tools
SVA 2009
let one_cold(sig) = $onehot(~sig);
...
assert (one_cold(a));
• Local scope
• Visible to CAD tools
let construct
• Not limited to immediate assertions
• Arguments should be of integral type
Use Case #3
Clocked Boolean Assertions
Check that signal is always high on rising clock edge
assert property (@(posedge clk) a);
SVA 2005
This assertion also checks clock fairness:
clk should tick infinitely often
It is costly in FV
Use Case #3
Clocked Boolean Assertions
SVA 2009
Introduces weak and strong sequential properties
strong(@clk a[*] ##1 b)   clock should tick enough times for the sequence to match
weak(@clk a[*] ##1 b)     clock may stop ticking in the middle
Default:
• weak in assert/assume
• strong in cover
SVA 2009
assert property (@(posedge clk) a);
No clock fairness checked (the property is weak by default in assert)
Cheaper in FV
Use Case #4
Complex Temporal Assertions
Check that reset eventually becomes deasserted forever
SVA 2005
not (##[1:$] !rst |-> ##[1:$] rst)
• Non-intuitive
• Difficult to write
• Readability is poor
SVA 2009
s_eventually always !rst
New temporal operators:
• (s_)always
• (s_)eventually
• (s_)until(_with)
• (s_)nexttime
• case
• #-#, #=# (followed by)
• (sync_)accept_on, (sync_)reject_on
• implies
• iff
Explanation Of Ugly Assertion
not (##[1:$] !rst |-> ##[1:$] rst)
- Rewrite using not (A |-> B) == A #-# (not B):
(##[1:$] !rst) #-# (not ##[1:$] rst)
- Remember that A #-# B means "A is followed by B at
some point"
- So the property reads: (an eventual !rst) is followed at some point by (never seeing
reset again), which is
s_eventually always !rst
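The weak/strong distinction of Use Case #3 and the liveness operators of Use Case #4, put together in one testbench as an added example (not code from the slides or the paper). The clock is stopped on purpose after a fixed number of edges, which is exactly the situation in which a weak and a strong version of the same property disagree; tb_liveness, req/ack/rst, STOP_AT and the timings are assumptions.

```systemverilog
// Added example (not from the slides or the paper): weak vs. strong
// properties and the 2009 liveness operators. Names and timings are assumptions.
module tb_liveness;
  bit clk = 0, rst = 1, req = 0, ack = 0;
  localparam int STOP_AT = 20;              // clock edges before clk stops

  initial repeat (STOP_AT) #5 clk = ~clk;   // a clock that stops ticking
  initial #200 $finish;                     // end of simulation after the last edge

  // Stimulus: release reset, raise a request, never acknowledge it.
  initial begin
    #12 rst = 0;
    #10 req = 1;
    #10 req = 0;
  end

  // Weak (the default in assert/assume since 2009): if the clock stops while
  // the match is still possible, the unfinished attempt is not a failure.
  weak_req_ack: assert property (@(posedge clk) disable iff (rst)
      req |-> ##[1:$] ack)
    else $error("weak: request without acknowledge");

  // Strong: the consequent must complete. With the clock stopped (or the
  // simulation ended) while the request is pending, this one fails. In FV
  // this is the form that also demands that the clock keeps ticking.
  strong_req_ack: assert property (@(posedge clk) disable iff (rst)
      req |-> strong(##[1:$] ack))
    else $error("strong: request never acknowledged");

  // Use Case #4 in 2009 syntax: reset is eventually deasserted and then stays
  // deasserted. s_eventually is strong by definition, so the trace must really
  // reach a point from which rst stays low.
  rst_released_forever: assert property (@(posedge clk)
      s_eventually always !rst)
    else $error("reset never deasserted for good");

  // cover is strong by default: only a handshake that completed is counted.
  cov_handshake: cover property (@(posedge clk) disable iff (rst)
      req ##[1:$] ack);
endmodule
```

At the end of the run weak_req_ack has nothing to report, strong_req_ack fails for the request that is still pending when the clock stops, and rst_released_forever passes because rst stays low from time 12 on. That is the trade-off the slides describe: strong properties (and the 2005 semantics) encode clock fairness and cost more in a formal tool, so they should be reserved for real liveness requirements.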
Use Case #5
Stability Assertions
Check that signal has constant value
SVA 2005
@clk $stable(a)
This assertion checks that a is always X: at the first clock tick the value
before the tick is the initial value of a (X for a 4-state variable), so the
only way to be stable at every tick, the first one included, is to stay X
@clk ##1 $stable(a)
Now it works
Q: How to check stability between clock ticks?
A: Not a problem if clk is a system clock
Use Case #5
Stability Assertions
SVA 2009
Introduces a global (=system) clock
– Definition (at most one per design):
global clocking
@clk;
endclocking
– Reference: $global_clock
– Future-value functions:
$future_gclk(a)   value of a at the next tick of $global_clock
$rising_gclk(a)
$falling_gclk(a)
$steady_gclk(a)
$changing_gclk(a)
Use Case #5
Stability Assertions
Check that signal has constant value
SVA 2005
@clk ##1 $stable(a)
SVA 2009
@$global_clock $steady_gclk(a)
• Universal (checked at every tick of the global clock, so also between ticks of clk)
• More intuitive
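A global clocking block and $steady_gclk at work, as an added example that is not code from the slides or the paper. A configuration register is checked for stability both the 2005 way (on a slow sampling clock) and the 2009 way (on $global_clock); a transient change that is applied and reverted between two slow-clock edges is injected so the two checks diverge. tb_gclk, cfg/we, sys_clk/slow_clk and the timings are assumptions.

```systemverilog
// Added example (not from the slides or the paper): global clocking and the
// *_gclk future-value functions. Names and timings are assumptions.
module tb_gclk;
  bit sys_clk = 0, slow_clk = 0, we = 0;
  logic [7:0] cfg = 8'h00;

  always #1 sys_clk  = ~sys_clk;     // finest-grained clock in the design
  always #4 slow_clk = ~slow_clk;    // the clock the 2005 assertion samples on

  // At most one global clocking block per design; $global_clock refers to it.
  global clocking gclk @(posedge sys_clk); endclocking

  // Synchronous write port: cfg may change only in a cycle with we asserted.
  always @(posedge sys_clk) if (we) cfg <= cfg + 8'h11;

  // SVA 2005 style: cfg is only observed at slow_clk ticks, so a change that
  // is undone before the next slow_clk edge is invisible to this check.
  cfg_stable_slow: assert property (@(posedge slow_clk)
      ##1 !we |-> $stable(cfg))
    else $error("slow: cfg changed without write");

  // SVA 2009 style: sampled at every tick of $global_clock. $steady_gclk(cfg)
  // is true iff cfg has the same value at the next global tick, so any change
  // between two ticks of the system clock is caught.
  cfg_stable_gclk: assert property (@$global_clock
      !we |-> $steady_gclk(cfg))
    else $error("gclk: cfg changed without write at %0t", $time);

  // Stimulus on negedge to avoid races with sampling at posedge: one legal
  // write, then a change that is applied and reverted between two slow_clk
  // edges (a transient the coarse check never sees).
  initial begin
    @(negedge sys_clk) we = 1;
    @(negedge sys_clk) we = 0;
    @(negedge sys_clk) cfg = 8'hFF;    // fault injection: not through the write port
    @(negedge sys_clk) cfg = 8'h11;    // reverted before the next slow_clk edge
    repeat (8) @(negedge sys_clk);
    $finish;
  end
endmodule
```

cfg_stable_gclk reports the change at time 6 and its reversal at time 8; cfg_stable_slow passes at time 12 because cfg has the same value at both slow_clk edges. That difference is the "Universal" bullet above: with a global clock the stability check no longer depends on having chosen the right sampling clock.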
Use Case #6
Functional Coverage
Monitor how many times a ##1 b[*1:2] ##1 c is matched.
Print match notification in debug mode
SVA 2005
cover property (@(posedge clk)
!rst throughout (a ##1 b[*1:2] ##1 c))
`ifdef debug
$display("Matched")
`endif
;
• No disable iff with cover statement
• Otherwise, when rst is active, a (vacuous) success would be reported
• Reset is synchronous (rst is only sampled at the clock)
• When the cover property expression is a sequence, every sequence match is reported
SVA 2009
`ifndef debug
initial $assertpassoff;
`endif
cover sequence (@(posedge clk)
disable iff (rst)
a ##1 b[*1:2] ##1 c)
$info("Matched");
• disable iff may be used with cover statement
• When rst is active, evaluation is disabled and no success is reported
• Reset is asynchronous (disable iff reacts to rst immediately, not only at the clock)
• When a cover property expression is a sequence, only one match is reported;
to report every match, use cover sequence
Use Case #7
Embedded Assertions
Embed a concurrent assertion into procedural code
SVA 2005
Pure syntactic embedding
– Loose relation with simulation semantics
• Problems with cover statement embedding
• Inability to embed concurrent assertions into procedural loops
SVA 2009
Introduced simulation semantics for embedded assertions
Use Case #8
Concurrent Assertions in Loops
Check that the behavior of two vectors is the same with
respect to temporality of individual bits
logic [7:0] a, b;
always @(posedge clk) begin
for (int i = 0; i < 8; i++) begin
a <= …;
b <= …;
…
end
end
SVA 2005
Impossible to write a concurrent assertion in a procedural loop
• Need to replicate the loop as a generate loop
• No locality
• Context is lost
for (genvar i = 0; i < 8; i++)
begin : block
r: assert property (
@(posedge clk) a[i] |-> ##[1:2] b[i]);
end : block
SVA 2009
Concurrent assertions may be put in procedural loops
• Locality is preserved
• Context (clock) may be inferred
logic [7:0] a, b;
always @(posedge clk) begin
for (int i = 0; i < 8; i++) begin
a <= …;
b <= …;
r: assert property (
a[i] |-> ##[1:2] b[i]);
…
end
end
Use Case #9
Assertion Libraries
Create a library element to check a corporate bus:
– All bus enable bits must be mutually exclusive
– If a request bit comes in, the corresponding enable bit must rise within
two clock cycles
SVA 2005
// BUS_SIZE: a constant visible to the module (package constant or `define)
module check_bus (
input logic [BUS_SIZE-1:0] req, en,
input logic clk,
input logic rst);
for (genvar i = 0; i < BUS_SIZE; i++)
begin : loop
a1: assert property (
@(posedge clk) disable iff (rst)
req[i] |-> ##[0:2] en[i]);
end : loop
a2: assert property (@(posedge clk)
disable iff (rst) $onehot0(en));
endmodule : check_bus
Assertions should be packaged in a module/interface
• Cannot be instantiated in procedural code
• Clock and reset must be explicitly specified
• Sequences, properties, and events cannot be passed as arguments
Use Case #9
Assertion Libraries
Create a library element to check a corporate bus:
– All bus enable bits must be mutually exclusive
– If a request bit comes in, the corresponding enable bit must rise within
two clock cycles
SVA 2009
// BUS_SIZE: a constant visible to the checker (package constant or `define)
checker check_bus (
logic [BUS_SIZE-1:0] req, en,
event clk = $inferred_clock,
logic rst = $inferred_disable);
for (genvar i = 0; i < BUS_SIZE; i++)
begin : loop
a1: assert property (
@clk disable iff (rst)
req[i] |-> ##[0:2] en[i]);
end : loop
a2: assert property (@clk
disable iff (rst) $onehot0(en));
endchecker : check_bus
Assertions may be packaged in checkers
• Can be instantiated in procedural code
• Clock and reset may be inferred from context
• Sequences, properties, and events can be passed as arguments
Use Case #9
Assertion Libraries
SVA 2009
Instantiation
default disable iff !rstnn;
always @(posedge clk1) begin
...
check_bus c1(busreq, busen);
end
The checker inherits the clock posedge clk1 from the always block and the
reset !rstnn from the default disable iff
Use Case #10
Assertion Modeling
Add the following condition to the above checker:
– A soft error should never happen more than 6 times after reset
SVA 2005
Packaged in a module/interface
• Soft error must be represented as a signal
• Sequences cannot be passed as arguments to modules
Use Case #10
Assertion Modeling
Add the following condition to the above checker:
– A soft error should never happen more than 6 times after reset
SVA 2009
checker check_bus (
logic [BUS_SIZE-1:0] req, en,
sequence serr_seq,
event clk = $inferred_clock,
logic rst = $inferred_disable);
…
bit [2:0] ctr = '0;
let serr = serr_seq.triggered;
always @(clk)
ctr <= rst ? '0 : ctr + serr;
a3: assert property (@clk
disable iff (rst) ctr <= 3'd6);
endchecker : check_bus
Packaged in a checker
• Soft error represented as a sequence
• Checkers may contain variable declarations and modeling code
• Only NBAs are legal in checkers
• The sequence triggered method may be used in assignments
• Caveat: the 3-bit ctr wraps to 0 on the eighth error, so a3 fails while ctr is 7
and then passes again; a saturating counter avoids this
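The corporate-bus checker of Use Cases #9 and #10 written out completely, with the cover-statement style of Use Case #6 folded in and the checker instantiated from procedural code as on the instantiation slide. This is an added example, not the paper's code. Checkers have no parameter ports, so BUS_SIZE and the soft-error budget come from a package here; the package, module, instance and signal names (bus_pkg, top_bus, u_bus, rstn, soft_err, soft_error_pulse) are assumptions. Unlike the slide's 3-bit counter, this one saturates instead of wrapping.

```systemverilog
// Added example (not the paper's code): full check_bus checker plus a top
// level that instantiates it procedurally. Names below are assumptions.
package bus_pkg;
  localparam int BUS_SIZE     = 4;
  localparam int MAX_SOFT_ERR = 6;
endpackage

import bus_pkg::*;

checker check_bus (
    logic [BUS_SIZE-1:0] req, en,
    sequence serr_seq,                  // soft error passed as a sequence
    event clk = $inferred_clock,        // from the enclosing always block
    logic rst = $inferred_disable);     // from the enclosing default disable iff

  // A request must be followed by its enable within two cycles.
  for (genvar i = 0; i < BUS_SIZE; i++) begin : loop
    a1: assert property (@clk disable iff (rst) req[i] |-> ##[0:2] en[i])
      else $error("req[%0d] not enabled within 2 cycles", i);
  end : loop

  // Enables are mutually exclusive; two active enables would let two agents
  // drive or read the bus in the same cycle.
  a2: assert property (@clk disable iff (rst) $onehot0(en))
    else $error("multiple enables active: %b", en);

  // Soft-error budget. ctr counts errors seen so far and saturates at the
  // budget, so it can never wrap back to zero and silently re-arm the check.
  let serr = serr_seq.triggered;
  bit [$clog2(MAX_SOFT_ERR + 1)-1:0] ctr = '0;
  always @(clk)                         // only nonblocking assignments in a checker
    ctr <= rst ? '0 : (ctr == MAX_SOFT_ERR) ? ctr : ctr + serr;
  // The (MAX_SOFT_ERR+1)-th error and every later one fail, each exactly once.
  a3: assert property (@clk disable iff (rst) serr |-> ctr < MAX_SOFT_ERR)
    else $error("soft error budget of %0d exceeded", MAX_SOFT_ERR);

  // Coverage with disable iff (2009): matches during reset are not counted,
  // and cover sequence reports every completed request/enable handshake.
  c1: cover sequence (@clk disable iff (rst) |req ##[1:2] |en);
endchecker : check_bus

module top_bus;
  bit clk1 = 0, rstn = 0, soft_err = 0;
  logic [BUS_SIZE-1:0] busreq = '0, busen = '0;
  always #5 clk1 = ~clk1;

  // The soft error is described as a sequence (e.g. an ECC-correction pulse).
  sequence soft_error_pulse; @(posedge clk1) $rose(soft_err); endsequence

  // The checker inherits posedge clk1 from the always block and !rstn from
  // the default disable iff, exactly as on the instantiation slide.
  default disable iff !rstn;
  always @(posedge clk1) begin
    check_bus u_bus(busreq, busen, soft_error_pulse);
  end

  initial begin
    repeat (2) @(negedge clk1);
    rstn = 1;
    @(negedge clk1) busreq = 1 << 1;                          // request on bit 1 ...
    @(negedge clk1) begin busreq = '0; busen = 1 << 1; end    // ... granted next cycle
    @(negedge clk1) busen = '0;
    @(negedge clk1) busen = (1 << 0) | (1 << 2);              // fault: two enables, a2 fails
    @(negedge clk1) busen = '0;
    repeat (MAX_SOFT_ERR + 1) begin                           // one error over budget, a3 fails once
      @(negedge clk1) soft_err = 1;
      @(negedge clk1) soft_err = 0;
    end
    repeat (4) @(negedge clk1);
    $finish;
  end
endmodule
```

The point of a3 being written as serr |-> ctr < MAX_SOFT_ERR (rather than ctr <= 6 as on the slide) is that it fires on the error that breaks the budget and on every later one, and never re-arms: with a wrapping counter, an attacker or a flaky link that produces errors in bursts of eight would be reported once and then tolerated again.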
Use Case #11
Nondeterministic Models
latency = … + stime + …
Transaction service time is 1 or 2 cycles. Use this time value in an abstract
FV model to reason about total latency of the block
SVA 2005
module sys(logic clk, ...);
bit[1:0] stime;
assume property (
@(posedge clk) stime > 0);
...
endmodule : sys
• stime is never assigned
• It will probably be treated as free by FV tools
• In simulation it keeps its initial value (2'b00, since bit is a 2-state type),
so this assumption will always fail in simulation
• stime is unconstrained between clk ticks
Use Case #11
Nondeterministic Models
SVA 2009
checker sys(...);
rand bit[1:0] stime;
assume property(
@$global_clock stime > 0);
...
endchecker : sys
• stime is defined as a free (rand) variable
• It will be randomized in simulation, respecting the imposed assumption
• Randomization is controlled by $global_clock
Use Case #11
Nondeterministic Models
SVA 2009
Better: avoid the assumption altogether:
checker sys(...);
rand bit choice;
let stime =
choice ? 2'b01 : 2'b10;
...
endchecker : sys
This implementation is more efficient and
intuitive
There is much more
Elaboration time severity system tasks
Enhancements and clarifications in formal semantics
Enhancements concerning local variables and recursive
properties
Covergroups and final procedures in checkers
Boolean implication
Many others …
Conclusions
IEEE P1800 SystemVerilog 2009 brings powerful
enhancements in RTL validation
Two main validation aspects have been addressed
– Assertion-based verification using assertion libraries
– Professional exhaustive formal verification
Many new features and enhancements have been added,
including clarifications in formal semantics
Many errata have been solved
– And probably many new ones introduced
Out of Scope of SV(A) 2009
Several important items remained out of scope of SV(A) 2009:
– A capability to specify a variable number of arguments for
sequence, property and checker instances.
• Today, one has to repeat definitions for variants of a similar
pattern of behavior.
– Ability to instantiate checkers in tasks or functions
• These can be very useful when checkers contain
deferred assertions and modeling code to support them.
– Ability to force values of design variables from checkers
• This is important to allow design pruning for formal
verification needs.