Can Assertions Save Military PLD Designs? MAPLD 2009 Presentation Session D: Design and Verification Tools and Methodologies Presented by: Jaroslaw "Jerry" Kaczynski Research Engineer ALDEC, Inc Corporate Cir Henderson, NV
MAPLD 2009 – Session D Introduction In this presentation we are trying to convince designers that Property-Based Design (PBD) and closely related Assertion-Based Verification (ABV) are necessity in Military PLD Design Flow. The most important arguments for assertions use are: Properties and Assertions are relatively simple ideas (once you learn the basics). Although relatively new, they are governed by IEEE standards (PSL, SystemVerilog, VHDL). Properties and Assertions can be used in simulation (better simulation=safer design). Properties and Assertions create ‘live documentation’ (better documentation=easier management). 2
MAPLD 2009 – Session D Key Ideas 3 Property Based DesignAssertion Based Verification Property Based Design extends the term Assertion Based Verification and deals with several key ideas: sequences properties assertions/covers property The very basic idea of PBD/ABV is property: formalized description of certain behavior of your design e.g.“broken window triggers alarm”, “security responds to alarm in 30 seconds”. Properties can be used by verification tools in many ways: assert bad things do not happen assert verifies that bad things do not happen. e.g. “assert [that] broken window always triggers alarm”. cover good things happen cover verifies that good things happen. e.g. “cover response to triggered alarm in 30 seconds”.
MAPLD 2009 – Session D The World of Properties design propertiesplain English Typical digital design specification is full of design properties expressed in plain English. HDL hardware implementation Designer rewrites properties in HDL with correct hardware implementation in mind. Properties, assertions covers pure behaviors Properties, assertions and covers represent pure behaviors (desired or undesired) of the design: documentation They can be very efficient documentation of the design. reference They work as a reference during design verification. verification tools They are accepted by variety of functional and formal verification tools. 4
MAPLD 2009 – Session D The Logic of Properties 5 HOMEWORK HOMEWORK: to learn more, google “linear temporal logic” or “LTL”… temporal logic Formal properties use principles of temporal logic: Boolean logic with added time dimension. discrete time sequences of states If we use discrete time, then properties represent sequences of states of the design. NOTE:all popular PBD/ABV solutions operate on sampled values of objects in the design. temporal operators To express relationships in time (existence, succession, etc.) properties use temporal operators: next, finally, globally, until, etc.
MAPLD 2009 – Session D Building Blocks of Properties Boolean expressions Boolean expressions as we know them from HDLs are the part of properties, but rather a simple part. Sequences temporal building block Sequences are generally recognized as the basic temporal building block of properties: they represent succession of design states seen at discrete time points. Typical sequence represents one simple execution path in the design. You can: fuse fuse sequences (one sequence ends at the same moment the other begins), concatenate concatenate sequences (one sequence ends and the other starts at the next time point), implies say that one sequence implies another sequence, andor and or or sequences, within check if one sequence is contained within another sequence, repeated check if sequence repeated given number of times (consecutively or not). 6
MAPLD 2009 – Session D Using Properties 7 O THER D IRECTIVES ASSERTCOVER Design Specification D ESIGN P ROPERTY F ORMAL P ROPERTY Once design property was formalized, all tools can use it in one of two directives: assert assert – raises alarm when property does not hold, cover cover – confirms that property was successfully tested. Some tools (mainly formal verification, but also some simulators) allow more directives, e.g. to control design stimulus or restrict environmental conditions.
MAPLD 2009 – Session D Languages There are two languages with practical applications of expressing properties, assertions and covers: PSLPSL PSL (Property Specification Language): standard IEEE Std 1850™-2005, comes in VHDL, Verilog, SystemVerilog and SystemC flavors, its Simple Subset is a part of the recent version of VHDL standard (IEEE Std 1076™-2008). SVASVA SVA (SystemVerilog Assertion subset): an assertion-related subset of the SystemVerilog language (initially Accellera project, then standard IEEE Std 1800™-2005), based on Superlog and OpenVera donations, its properties/assertions features also borrow from PSL. 8 ALL property languages are IEEE standards!
MAPLD 2009 – Session D Which Language? VHDL PSL VHDL designers can use both SVA and PSL, but they will feel better with PSL: PSL can be placed directly in VHDL code (live documentation) but SVA cannot, PSL is the part of the latest VHDL standard. Verilog SVA Verilog designers can use both PSL and SVA, but they will feel better with SVA: SVA placed directly in Verilog code can do more than PSL placed directly in Verilog code, SystemVerilog and Verilog are in the process of merging into one standard. 9 Good News:PSL and SVA properties look almost the same…
MAPLD 2009 – Session D Asynchronous reset handlingClocking (sampling) event Properties in Assertions “ACK should be activated 1 to 3 cycles after REQ provided that RESET is not active” Let’s approach typical design property “ACK should be activated 1 to 3 cycles after REQ provided that RESET is not active” using PSL ( shaded box ) and SVA ( framed box ). Note the assertion directive that follows property definition. 10 property req_ack is always( ( {rose(REQ)} |-> {(ACK='0')[*1 to 3]; rose(ACK)} ) async_abort RESET='1' assert (req_ack) report "No timely ACK after REQ!"; property CLK) disable iff (RESET) $rose(REQ) |-> (ACK==0)[*1:3] ##1 $rose(ACK); endproperty assert property(req_ack) else $error("No timely ACK after REQ!"); PSL SVA
MAPLD 2009 – Session D Sampling and To specify sampling/clocking event, at the end of sequence in PSL or at the beginning in SVA – all typical VHDL/Verilog clock detectors are accepted. If all assertion elements in your design use the same clocking event, you can declare default clock. Both PSL and SVA provide mechanism for abandoning property evaluation (e.g. when reset happens): async_abortsync_abort PSL lets you add async_abort or sync_abort operator and reset condition at the end of property: always (({rose(A)} |=> rose(B)) async_abort disable iff () SVA lets you add disable iff (condition) phrase at the beginning of the CLK) disable iff (C) $rose(A) |=> $rose(B); 11
MAPLD 2009 – Session D Rationale for Implication Overlapping ( sequence |-> property ) and non-overlapping ( sequence |=> property ) implication operators are common to PSL and SVA. Consequent of overlapping implication starts at the time point when antecedent ends. Consequent of non-overlapping implication starts one cycle after the end of antecedent. 12 AC AC Properties that contain only sequence of value checks can easily misbehave during verification because their evaluation in attempted in every verification cycle. implication The use of implication with trigger event specified as antecedent solves this little problem.
MAPLD 2009 – Session D Some ‘Sequence’ Property Facts The antecedent of our implication (slide 10) is a simple edge check, but consequent is an example of multi-cycle sequence. If you glue together several states or sub-sequences to form complex sequence, here are your options: fusion zero cycle delay To make elements stick together at the same clock use fusion ( : ) in PSL or zero cycle delay ( ##0 ) in SVA. concatenation one cycle delay To introduce one cycle break between elements use concatenation ( ; ) in PSL or one cycle delay ( ##1 ) in SVA. Sometimes certain condition should last longer than one cycle: consecutive repetition operator Use consecutive repetition operator ( [*m to n] ) to specify how long the sequence that precedes it should hold. 13 Properties are simple – we have just seen features sufficient to write 80% of real-life assertions…
MAPLD 2009 – Session D Readability Please note similarities between PSL and OVA: only order of reset and clocking expressions is different. It seems that anybody with basic knowledge of Math, English and maybe some programming languages should be able to understand what design behavior they represent. 14 Properties are perfect for documenting designs! always( ( {rose(REQ)} |-> {(ACK='0')[*1 to 3]; rose(ACK)} ) async_abort CLK) disable iff (RESET) $rose(REQ) |-> (ACK==0)[*1:3] ##1 $rose(ACK); PSL SVA Let’s have one more look at the core of properties from slide 10:
MAPLD 2009 – Session D Where to Place Assertions bind 1.All tools let you place properties/assertions in separate units and bind them to your regular RTL code (very convenient for Verification Engineers). special comments 2.Good simulators let you place PSL properties/assertions directly in the RTL code, hidden in special comments: --psl property p1 is… or //psl property p2=… (very good for the Hardware Designer). directly 3.Of course SVA can be placed directly in the Verilog code. directly 4.Once VHDL 2008 is implemented, users will be able to place PSL directly in the VHDL code and 2 are perfect if you think that assertions will harm your synthesis flow. 3 and 4 would require the use of synthesis pragmas around assertions.
MAPLD 2009 – Session D Assertions and Synthesis Tools Most popular, regular versions of synthesis tools cannot handle assertions yet. (Exceptions to this rule include some high-end tools like Synplicity’s Identify Pro + Synplify Premiere combo.) Some methods of placing assertions in the design mentioned in the previous slide should make managing assertions in mixed simulation/synthesis flow pretty smooth. Open Verification Library OVL Libraries of ready-to-use property checkers written in VHDL or Verilog may be a solution here. Example: Open Verification Library (OVL) maintained by Accellera started introducing synthesizable versions of some checkers in most recent releases of the library. 16 Properties should not disrupt traditional design flow!
MAPLD 2009 – Session D Verification Directives As we have mentioned before, properties represent design behavior, but cannot do anything by themselves. Appropriate directives/statements tell the verification tool how to handle given property. assertcover We have already seen assert and cover directives, supported by all ABV tools. assume The assume directive tells the tool to constrain testing environment so that the property holds. It should always work in formal tools, but in simulation the effect of assume may be equivalent to the effect of assert. restrictfairness There are some additional directives beyond the scope of this document (e.g. PSL’s restrict or fairness). 17
MAPLD 2009 – Session D Assertions in Military Designs Properties, assertions and covers should find quick and widespread applications in Military and Aerospace Designs: Their presence provides convenient reference to the intended design behavior (even as the HDL code is changing). Assertions and covers create additional verification layer, increasing reliability and safety of designs. Properties used in assertions and covers are excellent, live documentation of the design (enhancing manageability). Assertions, covers and properties are governed by IEEE standards. 18 Those qualities of PBD/ABV are as close as it gets to ”Lifesavers of Military PLD Designs” …
MAPLD 2009 – Session D Summary PropertiesAssertionsCoverage they will Properties, Assertions and Coverage are unavoidable: even if your designs are not using them now, they will – sooner or later. Don’t be afraid of assertions and coverage. Don’t worry which language to choose. Check what your tool supports. Get yourself a good book or decent training. You should be ready to go in one day! Attaining expert level will take a little bit longer… 19
MAPLD 2009 – Session D Resources Temporal Logic in software verification: PLS/Sugar resources: PSL 1.1 free download: SystemVerilog Assertions Introduction (Project Veripage): OVL Users Site (documents, downloads, etc.): Documents and software at ALDEC website: