CS 510 Lecture 16: Verification Case Studies: Evolution From SVA 2005 to SVA 2009


Adapted from DVCon 2009 paper by Eduard Cerny (1), Surrendra Dudani (1), Dmitry Korchemny (2), Lisa Piper, Erik Seligman (2). (1) Synopsys, Inc.; (2) Intel Corp.

Overview
  • The goal of this presentation is to illustrate new SVA capabilities introduced in the 2009 release of the IEEE 1800 SystemVerilog standard
    • We chose to illustrate new features and enhancements on important verification use cases
    • It is not feasible to provide an exhaustive overview of new features in a conference talk
  • Disclaimer:
    • The emerging IEEE 1800 2009 has not been officially approved yet

E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

Use Case #1: Unclocked Boolean Assertions
  • Verify correctness of XOR implementation

assign my_xor = a && not_b || not_a && b;
assign not_a = !a;
assign not_b = !b;

SVA 2005

always_comb
  p: assert (my_xor == a^b);

  • Immediate assertions may appear in procedural code only

[Waveform figure: a, b, not_a, not_b and my_xor within time tick t; glitch]

Use Case #1: Unclocked Boolean Assertions
  • Verify correctness of XOR implementation

assign my_xor = a && not_b || not_a && b;
assign not_a = !a;
assign not_b = !b;

SVA 2005

always_comb
  p: assert (my_xor == a^b);

SVA 2009

always_comb
  p: assert #0 (my_xor == a^b);

  • Deferred assertion
  • Matures in Observed region
  • May appear outside procedural code

[Waveform figure: a, b, not_a, not_b and my_xor within time tick t; no glitch]

Use Case #1: Unclocked Boolean Assertions
  • Verify correctness of XOR implementation

assign my_xor = a && not_b || not_a && b;
assign not_a = !a;
assign not_b = !b;

SVA 2005

always_comb
  p: assert (my_xor == a^b);

SVA 2009

p: assert #0 (my_xor == a^b);

  • Deferred assertion
  • Matures in Observed region
  • May appear outside procedural code

[Waveform figure: a, b, not_a, not_b and my_xor within time tick t; no glitch]
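The glitch scenario from the Use Case #1 slides as a self-contained testbench. This is an added example, not code from the slides or the DVCon paper; the module name, assertion labels, stimulus, delays and messages are assumptions.

```systemverilog
// Added example, not from the slides. The module name, labels, delays and
// messages are assumptions; the three assign statements and both assertion
// forms are the ones shown on the Use Case #1 slides.
module xor_glitch_tb;
  logic a, b, not_a, not_b, my_xor;

  assign my_xor = a && not_b || not_a && b;
  assign not_a  = !a;
  assign not_b  = !b;

  // SVA 2005: simple immediate assertion. It is evaluated on every
  // execution of always_comb, so it can fire on a transient value of
  // my_xor seen before not_a / not_b have settled in the same time step.
  always_comb begin
    p_imm: assert (my_xor == (a ^ b))
      else $error("immediate: my_xor=%b, a^b=%b", my_xor, a ^ b);
  end

  // SVA 2009: deferred assertion. A pending failure is flushed when
  // always_comb re-executes; only the result of the last execution in
  // the time step matures in the Observed region and is reported.
  always_comb begin
    p_def: assert #0 (my_xor == (a ^ b))
      else $error("deferred: my_xor=%b, a^b=%b", my_xor, a ^ b);
  end

  // The same check written outside procedural code (legal in SVA 2009).
  p_static: assert #0 (my_xor == (a ^ b));

  // Constructed stimulus: each change of a or b makes my_xor pass through
  // intermediate values while the continuous assignments propagate.
  initial begin
    a = 0; b = 0;
    #10 a = 1;
    #10 b = 1;
    #10 a = 0;
    #10 b = 0;
    #10 $finish;
  end
endmodule
```

Whether p_imm actually reports a failure depends on the order in which the simulator evaluates the continuous assignments and the always_comb block; p_def and p_static should stay silent because the settled value of my_xor always equals a^b.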

Use Case #2: Compile-time Macros
  • Write an immediate assertion checking one cold encoding

Function is not directly applicable here

SVA 2005

`define ONE_COLD(sig) \
  ($onehot(~(sig)))
...
assert (`ONE_COLD(a));

  • Global scope
  • Difficult to process with CAD tools

SVA 2009

let one_cold(sig) = $onehot(~sig);
...
assert (one_cold(a));

  • Local scope
  • Visible to CAD tools
  • let construct
  • Not limited to immediate assertions
  • Arguments should be of integral type

Use Case #3: Clocked Boolean Assertions
  • Check that signal is always high on rising clock edge

SVA 2005

assert property (@(posedge clk) a);

  • This assertion also checks clock fairness: clk should tick infinitely often
  • It is costly in FV

Use Case #3: Clocked Boolean Assertions
  • Introduces weak and strong sequential properties

SVA 2009

strong(@clk a[*] ##1 b)
  • Clock should tick enough times for a sequence to match

weak(@clk a[*] ##1 b)
  • Clock may stop ticking in the middle

  • Default:
    • weak in assert/assume
    • strong in cover

Use Case #3: Clocked Boolean Assertions
  • Check that signal is always high on rising clock edge

assert property (@(posedge clk) a);

SVA 2005
  • This assertion also checks clock fairness: clk should tick infinitely often
  • Costly in FV

SVA 2009
  • No clock fairness checked
  • Cheaper in FV

Use Case #4: Complex Temporal Assertions
  • Check that reset eventually becomes deasserted forever

SVA 2005

not (##[1:$] !rst |-> ##[1:$] rst)

  • Non-intuitive
  • Difficult to write
  • Readability is poor

SVA 2009

s_eventually always !rst

  • New temporal operators
    • (s_)always
    • (s_)eventually
    • (s_)until(_with)
    • (s_)nexttime
    • case
    • #-#, #=# (followed by)
    • (sync_)accept_on, (sync_)reject_on
    • implies
    • iff

Explanation Of Ugly Assertion
  • not (##[1:$] !rst |-> ##[1:$] rst)
  • Rewrite: not (A |-> B) == A #-# (not B)
    • (##[1:$] !rst) #-# (not ##[1:$] rst)
  • Remember that A #-# B means "A is followed by B at some point"
    • (an eventual !rst) is followed at some point by (never seeing reset again)
  • s_eventually always !rst

Use Case #5: Stability Assertions
  • Check that signal has constant value

SVA 2005

@clk $stable(a)

  • This assertion checks that a is always X

Q: How to check stability between clock ticks?
A: Not a problem if clk is a system clock

Use Case #5: Stability Assertions
  • Check that signal has constant value

SVA 2005

@clk ##1 $stable(a)

  • Now it works

Q: How to check stability between clock ticks?
A: Not a problem if clk is a system clock

Use Case #5: Stability Assertions
  • Introduces a global (=system) clock

SVA 2009

  • Definition
    • At most one per design

global clocking
  @clk;
endclocking

  • Reference

$global_clock

  • Future-value functions

$future_gclk(a)      (value of a at the next tick of $global_clock)
$rising_gclk(a)
$falling_gclk(a)
$steady_gclk(a)
$changing_gclk(a)

Use Case #5: Stability Assertions
  • Check that signal has constant value

SVA 2005

@clk ##1 $stable(a)

SVA 2009

@$global_clock $steady_gclk(a)

  • Universal
  • More intuitive

Use Case #6: Functional Coverage
  • Monitor how many times a ##1 b[*1:2] ##1 c is matched. Print match notification in debug mode

SVA 2005

cover property (@(posedge clk)
  !rst throughout (
    a ##1 b[*1:2] ##1 c))
`ifdef debug
  $display("Matched");
`else
  ;  // no pass action outside debug mode
`endif

  • No disable iff with cover statement
    • Otherwise, when rst is active, (vacuous) success reported
  • Reset is synchronous
  • When cover property expression is a sequence, every sequence match is reported

Use Case #6: Functional Coverage
  • Monitor how many times a ##1 b[*1:2] ##1 c is matched. Print match notification in debug mode

SVA 2005

cover property (@(posedge clk)
  !rst throughout (
    a ##1 b[*1:2] ##1 c))
`ifdef debug
  $display("Matched");
`else
  ;  // no pass action outside debug mode
`endif

SVA 2009

`ifndef debug
  initial $assertpassoff;
`endif
cover sequence (@(posedge clk)
  disable iff (rst)
  a ##1 b[*1:2] ##1 c)
  $info("Matched");

  • disable iff may be used with cover statement
    • When rst is active, execution is disabled, no success reported
  • Reset is asynchronous
  • When cover property expression is a sequence, one sequence match is reported; to report every match, use cover sequence

Use Case #7: Embedded Assertions
  • Embed a concurrent assertion into procedural code

SVA 2005
  • Pure syntactical embedding
    • Loose relation with simulation semantics
      • Problems with cover statement embedding
      • Inability to embed concurrent assertion into procedural loops

SVA 2009
  • Introduced simulation semantics for embedded assertions

Use Case #8: Concurrent Assertions in Loops
  • Check that the behavior of two vectors is the same with respect to temporality of individual bits

logic [7:0] a, b;
always @(posedge clk) begin
  for (int i = 0; i < 8; i++) begin
    a <= …;
    b <= …;
  end
end

Use Case #8: Concurrent Assertions in Loops
  • Check that the behavior of two vectors is the same with respect to temporality of individual bits

SVA 2005

logic [7:0] a, b;
always @(posedge clk) begin
  for (int i = 0; i < 8; i++) begin
    a <= …;
    b <= …;
  end
end

// The procedural loop has to be replicated as a generate loop
for (genvar i = 0; i < 8; i++)
begin : block
  r: assert property (
    @(posedge clk) a[i] |-> ##[1:2] b[i]);
end : block

  • Impossible to write concurrent assertion in procedural loop
  • Need to replicate the loop as generate
  • No locality
  • Context is lost

Use Case #8: Concurrent Assertions in Loops
  • Check that the behavior of two vectors is the same with respect to temporality of individual bits

SVA 2009

logic [7:0] a, b;
always @(posedge clk) begin
  for (int i = 0; i < 8; i++) begin
    a <= …;
    b <= …;
    r: assert property (
      a[i] |-> ##[1:2] b[i]);
  end
end

  • Concurrent assertions may be put in procedural loops
  • Locality is preserved
  • Context may be inferred

Use Case #9: Assertion Libraries
  • Create library element to check corporate bus:
    • All bus enable bits must be mutually exclusive
    • If a request bit comes in the corresponding enable bit must rise in two clock cycles

SVA 2005

module check_bus (
  logic [BUS_SIZE-1:0] req, en,
  logic clk,
  logic rst);
  for (genvar i = 0; i < BUS_SIZE; i++)
  begin : loop
    a1: assert property (
      @(posedge clk) disable iff (rst)
      req[i] |-> ##[0:2] en[i]);
  end : loop
  a2: assert property (@(posedge clk)
    disable iff (rst) $onehot0(en));
endmodule : check_bus

  • Assertions should be packaged in a module/interface
  • Cannot be instantiated in procedural code
  • Clock and reset must be explicitly specified
  • Sequences, properties, and events cannot be passed as arguments

Use Case #9: Assertion Libraries
  • Create library element to check corporate bus:
    • All bus enable bits must be mutually exclusive
    • If a request bit comes in the corresponding enable bit must rise in two clock cycles

SVA 2009

checker check_bus (
  logic [BUS_SIZE-1:0] req, en,
  event clk = $inferred_clock,
  logic rst = $inferred_disable);
  for (genvar i = 0; i < BUS_SIZE; i++)
  begin : loop
    a1: assert property (
      @clk disable iff (rst) req[i] |-> ##[0:2] en[i]);
  end : loop
  a2: assert property (@clk
    disable iff (rst) $onehot0(en));
endchecker : check_bus

  • Assertions may be packaged in checkers
  • Can be instantiated in procedural code
  • Clock and reset may be inferred from context
  • Sequences, properties, and events can be passed as arguments

Use Case #9: Assertion Libraries
  • Create library element to check corporate bus:
    • All bus enable bits must be mutually exclusive
    • If a request bit comes in the corresponding enable bit must rise in two clock cycles
  • Instantiation

SVA 2009

default disable iff !rstnn;
always @(posedge clk1) begin
  ...
  check_bus c1(busreq, busen);
end

  • Checker inherits clock posedge clk1 and reset !rstnn

Use Case #10: Assertion Modeling
  • Add the following condition to above checker:
    • A soft error should never happen more than 6 times after reset

SVA 2005

  • Packaged in a module/interface
  • Soft error must be represented as signal
    • Sequences cannot be passed as arguments to modules

Use Case #10: Assertion Modeling
  • Add the following condition to above checker:
    • A soft error should never happen more than 6 times after reset

SVA 2009

checker check_bus (
  logic [BUS_SIZE-1:0] req, en,
  sequence serr_seq,
  event clk = $inferred_clock,
  logic rst = $inferred_disable);
  bit [2:0] ctr = '0;
  let serr = serr_seq.triggered;
  always @(clk)
    ctr <= rst ? '0 : ctr + serr;
  a3: assert property (@clk
    disable iff (rst) ctr <= 3'd6);
endchecker : check_bus

  • Packaged in a checker
  • Soft error represented as sequence
  • Checkers may contain variable declaration and modeling code
    • Only NBA are legal in checker
  • Sequence triggered method may be used in assignments

Use Case #11: Nondeterministic Models
  • Transaction service time is 1 or 2 cycles. Use this time value in an abstract FV model to reason about total latency of the block

latency = … + stime + …

SVA 2005

module sys(logic clk, ...);
  bit[1:0] stime;
  assume property (
    @(posedge clk) stime > 0);
  ...
endmodule : sys

  • stime:
    • Never assigned
    • Will probably be treated as free by FV tools
    • In simulation will keep value 2'bXX
  • This assumption will always fail in simulation
  • stime is unconstrained between clk ticks

Use Case #11: Nondeterministic Models
  • Transaction service time is 1 or 2 cycles. Use this time value in an abstract FV model to reason about total latency of the block

latency = … + stime + …

SVA 2005

module sys(logic clk, ...);
  bit[1:0] stime;
  assume property (
    @(posedge clk) stime > 0);
  ...
endmodule : sys

SVA 2009

checker sys(...);
  rand bit[1:0] stime;
  assume property(
    @$global_clock stime > 0);
  ...
endchecker : sys

  • Defined as a free variable
  • Will be randomized in simulation respecting imposed assumption
  • Controlled by $global_clock

Use Case #11: Nondeterministic Models
  • Transaction service time is 1 or 2 cycles. Use this time value in an abstract FV model to reason about total latency of the block

latency = … + stime + …

SVA 2005

module sys(logic clk, ...);
  bit[1:0] stime;
  assume property (
    @(posedge clk) stime > 0);
  ...
endmodule : sys

SVA 2009

Better: avoid assumption altogether:

checker sys(...);
  rand bit choice;
  let stime =
    choice ? 2'b01 : 2'b10;  // 1 or 2 cycles
  ...
endchecker : sys

  • This implementation is more efficient and intuitive

There is much more
  • Elaboration time severity system tasks
  • Enhancements and clarifications in formal semantics
  • Enhancements concerning local variables and recursive properties
  • Covergroups and final procedures in checkers
  • Boolean implication
  • Many others …

Conclusions
  • IEEE P1800 SystemVerilog 2009 brings powerful enhancements in RTL validation
  • Two main validation aspects have been addressed
    • Assertion-based verification using assertion libraries
    • Professional exhaustive formal verification
  • Many new features and enhancements have been added, including clarifications in formal semantics
  • Many errata have been solved
    • And probably many new ones introduced

Out of Scope of SV(A) 2009
  • Several important items remained out of scope of SV(A) 2009:
    • A capability to specify a variable number of arguments for sequence, property and checker instances.
      • Today, one has to repeat definitions for variants of a similar pattern of behavior.
    • Ability to instantiate checkers in tasks or functions
      • These can be very useful when checkers contain deferred assertions and modeling code to support them.
    • Ability to force values of design variables from checkers
      • This is important to allow design pruning for formal verification needs.
