Assertion-Based Verification
ABV
Assertion
•
Assertion:
 is a conditional statement that checks for specific behavior and
displays a message if it does not occur.
•
In Traditional Languages:
 Designers historically had the ability to craft assertions using both
the Verilog and VHDL design languages.
 Lacking an assertion statement, the Verilog designer used a
conditional statement to trigger the output of an error message.
 The VHDL designer used the assert statement inherent in VHDL to
check for the violation of a condition and to output a message.
2
Benefits
 Providing internal test points in the design.
 Simplifying the diagnosis and detection of bugs by localizing the occurrence of a
suspected bug to an assertion monitor, which is then checked.
 Allowing designers to verify the same assertions using both simulation and formal
verification.
 Increasing observability in both simulation and formal verification.
 Since the assertions were included in the design as it was created, formal
verification could be started earlier, before any test vectors had been written.
 Assertions are also used at the design boundaries to provide checks for interface
behavior.
− Useful when modules from different designers are integrated. Such interface-checking
assertions make modules more portable.
−  Modules with embedded assertions become self-checking wherever they are later reused.
3
Assertion in VHDL
• Syntax:
assert desired_condition report “repot message” severity severity_level
• Modeling properties of the hardware system via “assert” is hard and tedious
4
Example1
5
Example2:
6
PSL
(Property Specification Language)
• What is PSL?
A declarative language for describing behavior and properties
of system over time
• Key characteristics of PSL :




Mathematically precise well-defined formal semantics.
Known efficient underlying verification algorithms.
Intuitive and easy to learn, read, and write.
A layered language, ideal for reuse, and supports multiple HDL
flavors
−
−
−
−
7
VHDL
Verilog
SystemC
SystemVerilog
Use of PSL
 Documentation:
 easy to read and write but precise
and executable property description
instead of ambiguity of natural
languages is omitted
 Driving Assertion-Based Verification:
Formal verification
( Static verification )
Simulation
( Dynamic verification )
Assertion based verification helps us in
defining bugs at an earlier stage, before
propagating to other parts of design
8
History
Sugar
created at IBM
Haifa Research Labs
FVTC
formed in
Accellera (OVI)
1994
1998
Syntactic
sugaring of
CTL
Branching-time
semantics
plus regular
expressions
FVTC considers:
Temporal e
PSL
CBV
based
on
ForSpec
Sugar 2.0
Sugar
2001
2002
PSL 1.01
Approved
2003
Linear-time
semantics
Added to Sugar
FVTC: Formal Verification Technical Committee.
9
PSL 1.1
Approved
IEEE 1850
PSL
2004
2005
PSL enhancements
and clarifications
PSL: A Layered Language
Modeling
Verification
Temporal
Boolean
10
PSL: A Layered Language
Modeling
Verification
Temporal
Boolean
assert always ( not (A and B) )
11
Boolean Layer
•
The Boolean layer is used to:
 Specify logic expressions without specific timing
information using a standard HDL syntax such as
Verilog and VHDL
•
Example (Verilog):
// A and B are mutually exclusive
( !(A & B) )
•
Example (VHDL):
-- A and B are mutually exclusive
( not (A and B) )
12
Boolean Layer
 Any subprograms, overloaded functions etc. allowed in a
VHDL boolean expression can be used.
•
Example:
always (unsigned(ASLV) <= 10)
always (MYFUNC(B) = '1')
 For a VHDL expression containing only std_logic values,
the equality operator (= ’1’ or = ’0’) can be omitted:
−
•
PSL interprets std_logic ’1’ as true and std_logic ’0’ as false.
Example:
never ((GNT and BUSY) = ’1’)
never (GNT and BUSY)
− For a VHDL expression containing mixed boolean and std_logic values, the
equality to ’1’ or ’0’ is required because VHDL logical operators cannot be used for
combinations of boolean and std_logic types
13
Temporal Layer
•
The temporal layer is used to:
 Specify when the Boolean expression must be valid
Example:
// A and B are always mutually exclusive
always ( not (A and B) )
t.!(A(t) & B(t))
•
There are many temporal operators:





14
always property
never property
next property
until property
…
Temporal Layer Operators
• Occurrence operators:
 always: the property should hold in every cycle.
 never: the property should not hold during any cycle.
 eventually!: the property shall hold in some cycle in the future but
before the end of verification process.
 next: the property shall hold in the next cycle(s).
•
Clock Cycle Definition:
never (GNT and BUSY)@falling_edge(CLK);
always (EN1 or EN2)@(CLK’event and CLK = ’1’);
always(ACK -> next (not BUSY))@rising_edge(CLK);
 It is possible to define a default clock and thus avoid the need to
repeat the explicit clock operator @ in every single assertion.
default clock = (rising_edge (clk));
assert always CONDITION;
15
Temporal Layer Operators
•
until operator:
•
requires that first property hold till the second property holds.
pkt_startop |-> not pkt_xfer_en_n until pkt_endop
once a packet is started, the pkt_xfer_en_n shall be low until the packet ends.
•
before operator:
•
•
requires that one property hold before another.
opcode_fetch before execute_opcode;
an opcode_fetch process should occur before an execute_opcode phase
•
abort operator:
•
there is a need to abort the checking in case of a reset, soft reset, pkt_abort
etc.
•
({pkt_sop} |-> {not pkt_xfer_en_n until pkt_eop}) abort pkt_abort;
aborts checking once a pkt_abort is seen.
16
Verification Layer
•
The verification layer is used to:
 Specify how to use the property:
− assert: the tool should attempt to prove the property,
− assume: the tool may assume the given property is true,
− cover: the tool should measure how often the given property occurs during
simulation.
Example1:
// A and B must always be mutually exclusive
assert always ( not (A and B) );
Example2:
assert (always CONDITION) @(rising_edge (clk));
17
Modeling Layer
•
The modeling layer is used to:
 allows extra code fragments from the underlying language (VHDL)
to be included with the properties to augment what is possible
using PSL alone.
− For example, the modeling layer could be used to calculate the expected value of an
output.
Example:
// If req is asserted, ack must be asserted in the next cycle
SIGNAL req;
req <= readA_req or readB_req;
-- psl assert always (req -> next (ack and gnt)) @rising_edge(clk);
18
PSL Layers
signal req;
req <= readA_req OR readB_req;
-- psl assert always (req -> next (ack AND gnt))
Boolean layer
Temporal layer
Verification layer
Modeling layer
19
Usage
1. Verification directives can be embedded in the HDL
code as comments.
-- psl property ENABLED is always …
• Can break over several lines as long as each line is
commented.
-- These assertions are complete!
-- psl property NOT_GNTBUSY is
-- never (GNT and BUSY)@falling_edge(CLK);
-- psl property P1 is
-- always(ACK -> next (not BUSY))@rising_edge(CLK);
-- psl assert NOT_GNTBUSY;
-- psl assert P1;
Note: VHDL comments are not allowed inside a PSL assertion, i.e.
between psl and the semi-colon terminating the assertion.
20
Usage
• Assertions can be placed anywhere in a VHDL component, but it is
better to group them together at the begining or end of your design code.
2. Alternatively, verification directives can be grouped into
verification units, or vunits, and placed in a separate file.
Note: PSL keywords are case sensitive.
21
PSL Sequences
•
SERE:
 Sequential Extended Regular Expressions:
− Where enabling and fulfilling conditions extended over several cycles.
 PSL sequences enable us to describe a sequence of Boolean expressions
(i.e. states)
 PSL sequences are marked by curly braces ‘{’ and ‘}’.
 Advancement of time occurs with each concatenation operator ‘;’
Example:
{ req; busy; gnt }
22
PSL Sequences Matching
•
A PSL sequence can have multiple matching diagrams
Example:
{ req; busy; gnt }
req
req
busy
busy
gnt
gnt
one possible match
another possible match
 To explicitly match the waveform, we would need to specify the following
Example:
{ req and not busy and not gnt ;
not req and busy and not gnt ;
not req and not busy and gnt }
req
busy
gnt
23
Temporal Operators for Sequences
•
PSL supports the following temporal operators for sequences:
 Overlapping implication
 Non-overlapping implication
− Equivalent to
|->
next |->
Example(s):
sequence S1 = { req; ack } ;
sequence S2 = { start; busy; end } ;
// Event “start” occurs on the same clock cycle as “ack”
property P1 = always S1 |-> S2 ;
// Event “start” occurs on the next clock cycle after “ack”
property P2 = always S1 |=> S2 ;
24
|=>
Temporal Operators for Sequences
•
fifo_almost_full |=> fifo_push |-> fifo_full;
 Once the fifo is almost full, a push in the next clock cycle shall make
the fifo_full to be asserted (in the same clock as the fifo_push
occurred).
25
Liveness Properties
assert always req -> eventually! ack;
− i.e. whenever req is true, ack must go true at some future cycle, but there is no
upper limit on the time by which ack is required to go true.
 This is known as a liveness property.
 Liveness properties are characterized by the fact that they
do not possess a finite counter-example, and hence in
principle they cannot be disproved by simulation.
 However, liveness properties can in principle be proved or
disproved by static model checking tools.
26
Operators for SERE
• PSL supports the following operators for SERE:
 Repetition in n consecutive clock cycles
 Repetition in n non-consecutive clock cycles
 Repetition in n non-consecutive clock cycles
[*n]
[=n]
[->n]
− we want to go to the nth repetition and immediately (1 clock after) after the occurrence of
that last repetition we would like to check for the next expression in sequence. The
intermediate repetitions may be non-consecutive i.e. can be spread across multiple cycles
 Repetition for 0 or any number of clock cycles
[*]
 Repetition for 1 or any number of clock cycles
[+]
 Repetition for n to m clock clock cycles
[*n:m]
• The number of repetitions must be a positive integer
• Keyword inf stands for an infinite number of clock cycles
28
Operators for SERE
 {a[*2]} means {a;a}
− {S; T[*3]; V} Equivalent to {S; T; T; T; V}
 {a[*]} means {a;a;...;a} with a repeated zero or more times
 {a[+]} means {a;a;...;a} with a repeated one or more times
 {[*]} matches any sequence whatsoever
− {S; [*2]; V} Equivalent to {S; -; -; V}
where - represents a cycle in which no checks are performed
 Or operator:
sequence S4 is {B; C};
sequence S5 is {R; S};
property P3 is
always ( {T} |=> {S4} | {S5} );
− After T occurs, either S4 or S5 must start in the next evaluation cycle.
− The following sequences would satisfy this property:Sequence 1 is {T; B; C}
Sequence 2 is {T; R; S}
Sequence 3 is {T; (B and R); S}
− In sequence 3, both S4 and S5 start in the cycle following T. However only S5 completes.
 {a[=2]} means {[*];a;[*];a;[*]}, i.e. non-consecutive repetition
 {a[*1 to 3]} means {a} or {a;a} or {a;a;a}
29
Example
property P1 = { req[+]; ack; wr[*4] } |=> { (wait and (not req))[*];
done } ;
assert always P1;
clock
req
1 or more
0 or more
ack
write
wait
done
31
0 or more
Example
Properties are Derived from Specification
Receiving Data:
When the reception of data is complete, then an interrupt should occur:
•
property done_rcving_implies_int =
always rose(done_rcving) -> rose(int) ;
assert done_rcving_implies_int ;
32
Example
Properties are Derived from Specification
Receiving Data:
If the signal that indicates a reception in progress is active, then it
should remain active until the reception is complete:
property rcving_until_done_rcving =
always rose(rcving) -> (rcving until done_rcving) ;
assert rcving_until_done_rcving ;
For a given property f and signal clk, [email protected](clk), f@(posedge clk), and f@(rising_edge(clk)) all have equivalent
semantics, provided that signal clk takes on only 0 and 1 values, and no signal in f changes at the same time as clk
33
Verification Units
VU for Grouping Properties and Directives
•
Verification with PSL is based on using verification units
vunit <name> [(<module binding>)] {
<declarations and verification layer directives>
};
Usually a separate file from RTL
vunit
Example:
inputs
outputs
vunit my_unit (my_module) {
RTL module
default clock = rising_edge (clk);
assume never read AND write;
A vunit binds to a module or an instance
property P1 = never (full AND write);
assert P1;
assert always (read -> NOT empty);
};
35
Tools ( cont )
37
Refrences
•
•
•
•
•
•
•
•
•
•
•
•
38
URL: http://www.eda.org/vfv/docs/PSL-v1.1.pdf Property Specification Language
Reference Manual Version 1.1
URL: http://www.doulos.com/knowhow/psl
URL: http://www.project-veripage.com/psl_tutorial
URL: http://www.esperan.com/pdf/esperan_introduction_to_psl.pdf
URL: http://www.esperan.com/pdf/esperan_psl.pdf
URL: http://www.esperan.com/pdf/esperan_psl_1-1_tutorial.pdf
URL: http://www.esperan.com/pdf/esperan_psl_tutorial.pdf
URL: http://members.cox.net/vhdlcohen/psl/psl2_pref.pdf
URL: http://members.aol.com/vhdlcohen/vhdl/vhdlcode/PSL_quickrefvhdl.pdf
URL: http://members.aol.com/vhdlcohen/vhdl/vhdlcode/PSL_quickrefvlog.pdf
URL: http://www.jasper-da.com/safelogic/PSL_ref_guide_VHDL.pdf
URL: http://www.pslsugar.org/papers/date04_adriana.pps
Descargar

Document