1 / 32

CS 510 Lecture 16: Verification Case Studies: Evolution From SVA 2005 to SVA 2009

CS 510 Lecture 16: Verification Case Studies: Evolution From SVA 2005 to SVA 2009. Adapted from DVCon 2009 paper by Eduard Cerny 1 , Surrendra Dudani 1 , Dmitry Korchemny 2 , Lisa Piper, Erik Seligman 2. 1 Synopsys, Inc. 2 Intel Corp. Overview.

braden
Download Presentation

CS 510 Lecture 16: Verification Case Studies: Evolution From SVA 2005 to SVA 2009

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CS 510 Lecture 16: Verification Case Studies: Evolution From SVA 2005 to SVA 2009 Adapted from DVCon 2009 paper by Eduard Cerny1, Surrendra Dudani1, Dmitry Korchemny2,Lisa Piper, Erik Seligman2 1Synopsys, Inc. 2Intel Corp.

  2. Overview • The goal of this presentation is to illustrate new SVA capabilities introduced in 2009 release of IEEE 1800 SystemVerilog standard • We chose to illustrate new features and enhancements on important verification use cases • It is not feasible to provide an exhaustive overview of new features in a conference talk • Disclaimer: • The emerging IEEE 1800 2009 has not been officially approved yet E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  3. Use Case #1Unclocked Boolean Assertions • Verify correctness of XOR implementation assign my_xor = a && not_b || not_a && b; assign not_a = !a; assign not_b = !b; SVA 2005 Immediate assertions may appear in procedural code only a 0 11 1 b 0 11 1 not_a 1 10 0 not_b 1 11 0 my_xor 0 11 0 always_comb p: assert (my_xor == a^b); time tick t Glitch E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  4. Use Case #1Unclocked Boolean Assertions • Verify correctness of XOR implementation assign my_xor = a && not_b || not_a && b; assign not_a = !a; assign not_b = !b; Deferred assertion Matures in Observed region SVA 2005 SVA 2009 a 0 1 1 1 b 0 1 1 1 not_a 1 1 0 0 not_b 1 1 1 0 my_xor 0 1 1 0 always_comb p: assert (my_xor == a^b); always_comb p: assert #0(my_xor == a^b); May appear outsideprocedural code time tick t No glitch E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  5. Use Case #1Unclocked Boolean Assertions • Verify correctness of XOR implementation assign my_xor = a && not_b || not_a && b; assign not_a = !a; assign not_b = !b; Deferred assertion Matures in Observed region SVA 2005 SVA 2009 a 0 1 1 1 b 0 1 1 1 not_a 1 1 0 0 not_b 1 1 1 0 my_xor 1 1 0 1 always_comb p: assert (my_xor == a^b); p: assert #0(my_xor == a^b); May appear outsideprocedural code time tick t No glitch E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  6. Use Case #2Compile-time Macros • Write an immediate assertion checking one cold encoding Function is not directly applicable here SVA 2005 SVA 2009 `define ONE_COLD(sig) \ ($onehot(~(sig))) ... assert (`ONE_COLD(a)); let one_cold(sig) = $onehot(~sig); ... assert (one_cold(a)); • Global scope • Difficult to process with CAD tools • Local scope • Visible CAD tools • let construct • Not limited to immediate assertions • Arguments should be of integral type E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  7. Use Case #3Clocked Boolean Assertions • Check that signal is always high on rising clock edge assert property (@(posedge clk) a); SVA 2005 This assertion checks also clock fairness: clk should tick infinitely often It is costly in FV E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  8. Use Case #3Clocked Boolean Assertions • Introduces weak and strong sequential properties SVA 2009 Clock should tick enough time for a sequence to match strong(@clk a[*] ##1 b) Clock may stop ticking in the middle weak(@clk a[*] ##1 b) • Default: • weak in assert/assume • strong in cover E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  9. Use Case #3Clocked Boolean Assertions • Check that signal is always high on rising clock edge assert property (@(posedge clk) a); SVA 2005 SVA 2009 This assertion checks also clock fairness: clk should tick infinitely often No clock fairness checked Costly in FV Cheaper in FV E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  10. Use Case #4Complex Temporal Assertions • Check that reset eventually becomes deasserted forever SVA 2005 SVA 2009 not (##[1:$] !rst |-> ##[1:$] rst) s_eventually always !rst • New temporal operators • (s_)always • (s_)eventually • (s_)until(_with) • (s_)nexttime • case • #-#, #=# (followed by) • (sync_)accept_on, (sync_)reject_on • implies • iff • Non-intuitive • Difficult to write • Readability is poor E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  11. Explanation Of Ugly Assertion • not (##[1:$] !rst |-> ##[1:$] rst) • - Rewrite: not (A|->B) == A #-# (not B) •  (##[1:$] !rst) #-# (not ##[1:$] rst) • - Remember that A #-# B means “A is followed by B at some point” •  • (an eventual !rst) is followed at some point by (never seeing reset again) •  • s_eventually always !rst

  12. Use Case #5Stability Assertions • Check that signal has constant value SVA 2005 This assertion checks that a is always X ?  @clk $stable(a) Q: How to check stability between clock ticks? A: Not a problem if clk is a system clock E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  13. Use Case #5Stability Assertions • Check that signal has constant value SVA 2005 Now it works @clk ##1 $stable(a) Q: How to check stability between clock ticks? A: Not a problem if clk is a system clock E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  14. Use Case #5Stability Assertions • Introduces a global (=system) clock • Definition • At most one per design • Reference • Future-value functions SVA 2009 global clocking @clk; endclocking $global_clock $future_gclk(a) $rising_gclk(a) $falling_gclk(a) $steady_gclk(a) $changing_gclk(a) Value of a at the next tick of $global_clock E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  15. Use Case #5Stability Assertions • Check that signal has constant value SVA 2005 SVA 2009 @clk ##1 $stable(a) @$global_clock $steady_gclk(a) • Universal • More intuitive E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  16. Use Case #6Functional Coverage • Monitor how many times a ##1 b[*1:2] ##1 cis matched. Print match notification in debug mode SVA 2005 cover property(@(posedge clk) !rst throughout ( a ##1 b[*1:2] ##1 c) `ifdef debug $display (“Matched"); `endif • No disable iff with cover statement • Otherwise, when rst is active, (vacuous) success reported • Reset is synchronous • When cover property expression is sequence every sequence match is reported E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  17. Use Case #6Functional Coverage • Monitor how many times a ##1 b[*1:2] ##1 cis matched. Print match notification in debug mode SVA 2005 SVA 2009 cover property(@(posedge clk) !rst throughout ( a ##1 b[*1:2] ##1 c) `ifdef (debug) $display (“Matched"); `endif `ifndef debug initial $assertpassoff; `endif cover sequence(@(posedge clk) disable iff (rst) a ##1 b[*1:2] ##1 c) $info(“Matched"); • disable iff may be used with cover statement • When rst is active, execution is disabled, no success reported • Reset is asynchronous • When cover property expression is sequence one sequence match is reported, to report every match, use cover sequence E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  18. Use Case #7Embedded Assertions • Embed a concurrent assertion into procedural code • Pure syntactical embedding • Loose relation with simulation semantics • Problems with cover statement embedding • Inability to embed concurrent assertion into procedural loops • Introduced simulation semantics for embedded assertions SVA 2005 SVA 2009 E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  19. Use Case #8Concurrent Assertions in Loops • Check that the behavior of two vectors is the same with respect to temporality of individual bits logic [7:0] a, b; always @(posedge clk) begin for (int i = 0; i < 8; i++) begin a <= …; b <= …; … end end E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  20. Use Case #8Concurrent Assertions in Loops • Check that the behavior of two vectors is the same with respect to temporality of individual bits SVA 2005 logic [7:0] a, b; always @(posedge clk) begin for (int i = 0; i < 8; i++) begin a <= …; b <= …; … end end begin (genvar i = 0; i < 8; i++) begin : block r: assert property ( @(posedge clk) a[i] |-> ##[1:2] b[i]); end : block • Impossible to write concurrent assertion in procedural loop • Need to replicate the loop as generate • No locality • Context is lost E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  21. Use Case #8Concurrent Assertions in Loops • Check that the behavior of two vectors is the same with respect to temporality of individual bits SVA 2009 logic [7:0] a, b; always @(posedge clk) begin for (int i = 0; i < 8; i++) begin a <= …; b <= …; r: assert property ( a[i] |-> ##[1:2] b[i]); … end end • Concurrent assertions may be put in procedural loops • Locality is preserved • Context may be inferred E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  22. Use Case #9Assertion Libraries • Create library element to check corporate bus: • All bus enable bits must be mutually exclusive • If a request bit comes in the corresponding enable bit must rise in two clock cycles SVA 2005 modulecheck_bus ( logic [BUS_SIZE-1:0] req, en, logic clk, logic rst); for (genvar i = 0; i < BUS_SIZE; i++) begin : loop a1: assert property ( @(posedge clk) disable iff (rst) req[i] |-> ##[0:2] en[i]); end : loop a2: assert property (@(posedge clk) disable iff (rst) $onehot0(en)); endmodule : check_bus • Assertions should be packaged in a module/interface • Cannot be instantiated in procedural code • Clock and reset must be explicitly specified • Sequences, properties, and events cannot be passed as arguments E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  23. Use Case #9Assertions Libraries • Create library element to check corporate bus: • All bus enable bits must be mutually exclusive • If a request bit comes in the corresponding enable bit must rise in two clock cycles SVA 2009 checkercheck_bus ( logic [BUS_SIZE-1:0] req, en, event clk = $inferred_clock, logic rst = $inferred_disable); for (genvar i = 0; i < BUS_SIZE; i++) begin : loop a1: assert property ( @clk disable iff (rst)req[i] |-> ##[0:2] en[i]); end : loop a2: assert property (@clk disable iff (rst) $onehot0(en)); endchecker : check_bus • Assertions may be packaged in checkers • Can be instantiated in procedural code • Clock and reset may be inferred from context • Sequences, properties, and events can be passed as arguments E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  24. Use Case #9Assertions Libraries • Create library element to check corporate bus: • All bus enable bits must be mutually exclusive • If a request bit comes in the corresponding enable bit must rise in two clock cycles • Instantiation SVA 2009 default disable iff !rstnn; always @(posedge clk1) begin ... check_bus c1(busreq, busen); end Checker inherits clock posedge clk1 and reset !rstnn E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  25. Use Case #10Assertion Modeling • Add the following condition to above checker: • A soft error should never happen more than 6 times after reset SVA 2005 • Packaged in a module/interface • Soft error must be represented as signal • Sequences cannot be passed as arguments to modules E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  26. Use Case #10Assertion Modeling • Add the following condition to above checker: • A soft error should never happen more than 6 times after reset SVA 2009 checker check_bus ( logic [BUS_SIZE-1:0] req, en, sequenceserr_seq, event clk = $inferred_clock, logic rst = $inferred_disable); … bit [2:0] ctr = '0; let serr = serr_seq.triggered; always @(clk) ctr <= rst ? '0 : ctr + serr; a3: assert property (@clk disable iff (rst) ctr <= 3'd6); endchecker : check_bus • Packaged in a checker • Soft error represented as sequence • Checkers may contain variable declaration and modeling code • Only NBA are legal in checker • Sequence triggered method may be used in assignments E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  27. Use Case #11 Nondeterministic Models latency = … + stime + … • Transaction service time is 1 or 2 cycles. Use this time value in an abstract FV model to reason about total latency of the block SVA 2005 • Never assigned • Will probably treated as free by FV tools • In simulation will keep value 2’bXX module sys(logic clk, ...); bit[1:0] stime; assume property ( @(posedge clk) stime > 0); ... endmodule : sys This assumption will always fail in simulation stime is unconstrained between clk ticks E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  28. Use Case #11 Nondeterministic Models latency = … + stime + … • Transaction service time is 1 or 2 cycles. Use this time value in an abstract FV model to reason about total latency of the block • Defined as a free variable • Will be randomized in simulation respecting imposed assumption SVA 2005 SVA 2009 module sys(logic clk, ...); bit[1:0] stime; assume property ( @(posedge clk) stime > 0); ... endmodule : sys checker sys(...); rand bit[1:0] stime; assume property( @$global_clock stime > 0); ... endchecker : sys Controlled by $global_clock E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  29. Use Case #11 Nondeterministic Models latency = … + stime + … • Transaction service time is 1 or 2 cycles. Use this time value in an abstract FV model to reason about total latency of the block SVA 2005 SVA 2009 module sys(logic clk, ...); bit[1:0] stime; assume property ( @(posedge clk) stime > 0); ... endmodule : sys checker sys(...); rand bit choice; let stime = choice ? 2'b01 : 2'b02; ... endchecker : sys Better: avoid assumption altogether: This implementation is more efficient and intuitive E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  30. There is much more • Elaboration time severity system tasks • Enhancements and clarifications in formal semantics • Enhancements concerning local variables and recursive properties • Covergroups and final procedures in checkers • Boolean implication • Many others … E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  31. Conclusions • IEEE P1800 SystemVerilog 2009 brings powerful enhancements in RTL validation • Two main validation aspects have been addressed • Assertion-based verification using assertion libraries • Professional exhaustive formal verification • Many new features and enhancements have been added, including clarifications in formal semantics • Many errata have been solved • And probably many new introduced  E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

  32. Out of Scope of SV(A) 2009 • There were several important items remained out of scope of SV(A) 2009: • A capability to specify variable number of arguments for sequence, property and checker instances. • Today, one has to repeat definitions for variants of a similar pattern of behavior. • Ability to instantiate checkers in tasks or functions • These can be very useful when checkers contain deferred assertions and modeling code to support them. • Ability to force values of design variables from checkers • This is important to allow design pruning for formal verification needs. E. Cerny, S. Dudani, D. Korchemny, L. Piper, E. Seligman

More Related