# SystemVerilog Assertions Checker Library

Reference Manual

Version X2005.06 June 2005

Comments?
E-mail your comments about this manual to vcs\_support@synopsys.com



#### **Copyright Notice and Proprietary Information**

Copyright © 2005 Synopsys, Inc. All rights reserved. This software and documentation are owned by Synopsys, Inc., and furnished under a license agreement. The software and documentation may be used or copied only in accordance with the terms of the license agreement. No part of the software and documentation may be reproduced, transmitted, or translated, in any form or by any means, electronic, mechanical, manual, optical, or otherwise, without prior written permission of Synopsys, Inc., or as expressly provided by the license agreement.

#### **Right to Copy Documentation**

The license agreement with Synopsys permits licensee to make copies of the documentation for its internal use only. Each copy shall include all copyrights, trademarks, service marks, and proprietary rights notices, if any. Licensee must assign sequential numbers to all copies. These copies shall contain the following legend on the cover page:

| "This document i | s duplicated wit | th the permission | of Synopsys, | Inc. for the exclu | ısive |
|------------------|------------------|-------------------|--------------|--------------------|-------|
| use of           |                  |                   | and          | d its employees.   | This  |
| is copy number   | ."               |                   |              |                    |       |

#### **Destination Control Statement**

All technical data contained in this publication is subject to the export control laws of the United States of America. Disclosure to nationals of other countries contrary to United States law is prohibited. It is the reader's responsibility to determine the applicable regulations and to comply with them.

#### Disclaimer

SYNOPSYS, INC., AND ITS LICENSORS MAKE NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

#### **Trademarks**

- Synopsys, the Synopsys logo, Arcadia, BiNMOS-CBA, CMOS-CBA, COSSAP, DESIGN (ARROWS), DesignPower, DesignWare, dont\_use, EPIC, ExpressModel, in-Sync, LM-1000, LM-1200, Logic Modeling, Logic Modeling (logo), Memory Architect, ModelAccess, ModelTools, PathMill, *PL*debug, RailMill, SmartLicense, SmartLogic, SmartModel, SmartModels, SNUG, SOLV-IT!, SourceModel Library, Stream Driven Simulator, Synopsys, Synopsys (logo), Synopsys VHDL Compiler, Synthetic Designs, Synthetic Libraries, TestBench Manager, and TimeMill are registered trademarks of Synopsys, Inc
- 3-D Debugging, AMPS, Behavioral Compiler, CBA Design System, CBA-Frame, characterize, Chip Architect, Compiled Designs, Core Network, Core Store, Cyclone, Data Path Express, DataPath Architect, DC Expert, DC Expert Plus, DC Professional, DelayMill, Design Advisor, Design Analyzer, Design Compiler, DesignSource, DesignTime, DesignWare Developer, Direct RTL, Direct Silicon Access, dont\_touch, dont\_touch\_network, ECL Compiler, ECO Compiler, Embedded System Prototype, Floorplan Manager, Formality, FoundryModel, FPGA Compiler, FPGA Express, Frame Compiler, General Purpose Post-Processor, GPP, HDL Advisor, HDL Compiler, Integrator, Interactive Waveform Viewer, Library Compiler, LM-1400, LM-700, LM-family, Logic Model, ModelSource, ModelWare, Module Compiler, MS-3200, MS-3400, Power Compiler, PowerArc, PowerGate, PowerMill, PrimeTime, RTL Analyzer, Shadow Debugger, Silicon Architects, SimuBus, SmartCircuit, SmartModel Windows, Source-Level Design, SourceModel, SWIFT, SWIFT Interface, Synopsys Graphical Environment, Test Compiler, Test Compiler Plus, Test Manager, TestSim, Timing Annotator, Trace-On-Demand, VCS, VCSi, VHDL System Simulator, VirSim, Visualyze, Vivace, VSS Expert, and VSS Professional are trademarks of Synopsys, Inc.

Linux is a registered trademark of Linus Torvalds used by permission.

All other product or company names may be trademarks of their respective owners.

Printed in the U.S.A.

Document Order Number: 38056-000 ZA

System Verilog Assertions Checker Library Reference, Version X-2005.06

# **Table Of Contents**

| The SystemVerilog Assertions (SVA) Checker Library |                                                                                                                                                                                                                                                                                                                                              |
|----------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Overview                                           | 1-2                                                                                                                                                                                                                                                                                                                                          |
| Global Controls                                    | 1-3                                                                                                                                                                                                                                                                                                                                          |
| Checker Triggering                                 | 1-4                                                                                                                                                                                                                                                                                                                                          |
| Custom Reporting                                   | 1-5                                                                                                                                                                                                                                                                                                                                          |
| Viewing Coverage Results                           | 1-5                                                                                                                                                                                                                                                                                                                                          |
| Shared Syntax                                      | 1-6                                                                                                                                                                                                                                                                                                                                          |
| Use Mode in SystemVerilog                          | 1-9                                                                                                                                                                                                                                                                                                                                          |
| Use Mode in VHDL (VCS MX)                          | 1-10                                                                                                                                                                                                                                                                                                                                         |
| SVA Basic Checkers1                                |                                                                                                                                                                                                                                                                                                                                              |
| Checker Descriptions                               | 2-2                                                                                                                                                                                                                                                                                                                                          |
| assert_always                                      | 2-2                                                                                                                                                                                                                                                                                                                                          |
| assert_always_on_edge                              | 2-4                                                                                                                                                                                                                                                                                                                                          |
| assert_change                                      | 2-7                                                                                                                                                                                                                                                                                                                                          |
| assert_cycle_sequence                              | 2-11                                                                                                                                                                                                                                                                                                                                         |
|                                                    | Overview Global Controls Checker Triggering Custom Reporting Viewing Coverage Results Shared Syntax. Use Mode in SystemVerilog The Entire Design Targets SystemVerilog Some Design Files Are Restricted to Verilog2001 Use Mode in VHDL (VCS MX)  SVA Basic Checkers1 Checker Descriptions assert_always assert_always_on_edge assert_change |

| assert_decrement         |
|--------------------------|
| assert_delta             |
| assert_even_parity2-20   |
| assert_fifo_index        |
| assert_frame             |
| assert_handshake         |
| assert_implication       |
| assert_increment         |
| assert_never             |
| assert_next              |
| assert_no_overflow       |
| assert_no_transition     |
| assert_no_underflow      |
| assert_odd_parity        |
| assert_one_cold 2-58     |
| assert_one_hot           |
| assert_proposition       |
| assert_quiescent_state   |
| assert_range             |
| assert_time              |
| assert_transition        |
| assert_unchange          |
| assert_width2-80         |
| assert_win_change        |
| assert_win_unchange      |
| assert_window            |
| assert zero one hot 2-91 |

## 3. SVA Advanced Checkers

| Ch | ecker Descriptions    | 3-2  |
|----|-----------------------|------|
|    | Shared Syntax         | 3-2  |
|    | assert_arbiter        | 3-3  |
|    | assert_bits           | 3-9  |
|    | assert_code_distance  | 3-11 |
|    | assert_data_used      | 3-13 |
|    | assert_driven         | 3-17 |
|    | assert_dual_clk_fifo  | 3-19 |
|    | assert_fifo           | 3-24 |
|    | assert_hold_value     | 3-30 |
|    | assert_memory_async   | 3-33 |
|    | assert_memory_sync    | 3-40 |
|    | assert_multiport_fifo | 3-48 |
|    | assert_mutex          | 3-55 |
|    | assert_next_state     | 3-57 |
|    | assert_no_contention  | 3-61 |
|    | assert_packet_flow    | 3-64 |
|    | assert_rate           | 3-66 |
|    | assert_reg_loaded     | 3-68 |
|    | assert_req_ack_unique | 3-72 |
|    | assert_req_requires   | 3-75 |
|    | assert_stack          | 3-79 |
|    | assert_valid_id       | 3-84 |
|    | assert value          | 3-89 |

1

# The SystemVerilog Assertions (SVA) Checker Library

The SystemVerilog Assertions (SVA) Checker Library consists of two parts:

- SVL (described in Chapter 2) consists of checkers that have the same behavior and controls as those in the Open Verification Library (OVL) - see the Accellera Open Verification Library Reference Manual available at http://www.verificationlib.org/. These checkers have additional features such as coverage in the SVA Library.
- SVA Advanced Checkers (described in Chapter 3) contains checkers that generally verify more complex behaviors. These have similar controls to the SVL checkers, but, in addition, they allow selecting the sampling clock edge(s), posedge or negedge Coverage is also provided.

Note that the header of each checker file also contains a description of the behavior and parameters.

#### **Overview**

The checker library resides in a release in the directory

```
$VCS HOME/packages/sva/
```

The library consists of 53 checker files having the name <code>assert\_checker\_name.v.</code> There is also a symbolic link to that file with the name <code>assert\_checker\_name.sv</code> that can be used in situations where parts of the Verilog design follow Verilog2001 syntax and should be compiled with that in mind to avoid keyword clashes with SystemVerilog keywords. In that way, the extension <code>.sv</code> identifies the checkers to be compiler with SystemVerilog, while the files with the <code>.v</code> extension will compile with Verilog2001 syntax and keywords.

The checkers have dual functions:

- As a verification object using assert property statements.
   This form is employed for verifying the behavior as specified for the checker.
- 2. As a coverage objects using cover property and cover points implemented using the equivalent of covergroup statements. This form is employed to obtain information about the observed presence of certain behavioral patterns in the design coverage of such patterns.

The two forms can coexist or be enabled independently as described later -the sections Global Controls and Shared Syntax.

Note also that there is header file sva\_std\_task.h in the directory. It contains user-modifiable reporting tasks and is included in each checker using \include.

## **Global Controls**

The following symbols are macro's defined using 'define and apply to all instances of the checkers.

```
ASSERT ON
```

When this macro is defined, the assertions and related variables in checkers are included, i.e., the checking functionality is enabled.

```
COVER ON
```

When this macro is defined, the coverage items in the checkers are included. I.e., the coverage functionality is enabled. Note that additional per-instance control is provided using the checker parameters <code>coverage\_level\_1</code>, <code>coverage\_level\_2</code>, and <code>coverage\_level\_3</code>.

#### Note:

The coverage object feature is in an early phase of development and is available as part of an Early Access program requiring LCA license features. For more information contact vcs\_support@synopsys.com

```
ASSERT INIT MSG
```

When this macro is defined, then all checker instances will output a message to stdout to indicate their hierarchical name.

```
ASSERT_GLOBAL_RESET
```

When this macro is defined its defining expression is taken as the reset signal for all the checkers. Otherwise, the reset\_n port signal is used as reset.

```
ASSERT MAX REPORT ERROR
```

When this global macro variable is defined, the assertion instance stops reporting messages if the number of errors for that instance is greater than the value defined by the macro. Using this macro as described requires modifying the reporting tasks in

```
sva std task.h.
```

```
SVA CHECKER INTERFACE
```

If not defined, the interface is a SystemVerilog "module". If defined then the checker interface is "interface". The parameters and ports remain the same in both cases.

```
SVA CHECKER NO MESSAGE
```

When defined it eliminates reporting the user message when a assertion fails. It doesn not control the default failure message from the simulator.

## **Checker Triggering**

In the SVL library (Chapter 2) all but one checker, assert\_proposition, is triggered at the positive edge of a triggering signal or expression clk.

In the Advanced Checker Library (Chapter 3), all the checkers can select the sampling edge(s) using a parameter. It can be either the positive or the negative edge of the clock port expression.

The values of all actual signals or expressions in the ports of the checkers are sampled just before the sampling edge of clk. Therefore, any pulses happening on the signals / expressions between consecutive sampling edges of clk are not observed by the checkers.

Moreover, whenever an edge of a signal / expression on a port of a checker other than the clock is used in the checker, the value is the sampled form of the edge as detected by looking at two consecutive samples of the signal.

The checker assert\_proposition monitors an expression at all times and triggers by a change of its value to 0.

# **Custom Reporting**

As in OVL, if you wish to have more elaborate error reporting, counting, etc., you must edit the sva\_std\_task.h file that is distributed with the library and also resides in the directory

```
$VCS HOME/packages/sva/
```

This file is automatically 'include -ed in each checker. If the location of the header file is changed, the +incdir+ directive must also be modified accordingly.

## **Viewing Coverage Results**

See the VCS User Guide for information on viewing coverage results.

# **Shared Syntax**

Many checkers share the same syntax elements. These elements are described in this section in order to avoid repeating their descriptions throughout this document.

severity level

Severity of the failure with default value of 0. Currently SystemVerilog does not provide support of severity levels through a parameter or a variable, hence this parameter is provided only for compatibility with older versions of the checkers. However by modifying the error tasks in the sva\_std\_task.h file appropriately, severity level can be taken into account. For example, the simulation can be terminated when a failure of an assertion occurs and the checker severity level is set to some specific value.

options

Currently, the only supported option is options=1, which defines the assertion as an assumption for formal tools. The default is 0 (no options specified). <sup>1</sup>

msq

Error message that will be printed when the assertion fires using the default definition of the sva\_checker\_error task that is included in the sva\_std\_task.h file. Its output can also be controlled by the macro SVA CHCKER NO MESSAGE.

<sup>1.</sup> Note that Magellan does not use options to determine the role (assume or assert) of the assertions.

category

Specifies the category of the assertion (Default = 0). This parameter can be used to group assertions used for a similar purpose, and provide a selection/filtering mechanism to enable/ disable individual or groups of assertions.

```
coverage_level_i
```

#### Note:

The coverage object feature is in an early phase of development and is available as part of an Early Access program requiring LCA license features. For more information contact vcs\_support@synopsys.com

Specifies which coverage levels should be enabled (provided that the symbol COVER\_ON is defined) by specifying parameters. There are three coverage levels controlled by parameters coverage\_level\_1, coverage\_level\_2, and coverage\_level\_3. The bits in each of the parameters when set to 1 enable some specific coverage point, one per bit. The number of bits used thus depends on the number of cover points in the checker at each level and varies from checker to checker. Generally, the following levels are supported (Default = Coverage Level 1).

**Level 1**: Basic coverage, implemented using cover property statements. Used by simulation and Magellan.

Level 1 coverages are enabled by setting bits in coverage\_level\_1 to 1.

Example: The number of Enqueues and Dequeues in a FIFO.

**Level 2**: Usually includes data coverage on ranges of values. These are coverage items which show certain interesting activities of the RTL behavior in the form of statistics. Used in simulation only but may also include cover properties on some particular sequences that can be of interest as search goals for formal tools.

Level 2 coverages are enabled by setting bits in coverage level 2 to 1.

Example: Range of latency values classified on at-least-once basis.

**Level 3**: Cover property coverage of specific corner points as specified. Used primarily by formal tools as goals. These cover properties can be enabled in simulation too, however, the same information can be obtained from Level 2 range coverages in the extreme bins. These coverage items ensure that the corner case condition of the RTL design block are verified during testing.

Level 3 coverages are enabled by setting bits in coverage level 3 to 1.

Examples: The number of times FIFO reached HIGH water mark. The number of times ACK was received at the next clock after REQ was issued. The number of times the specified Min latency value was reached.

inst name

Instance name of assertion monitor.

clk

Sampling clock of the assertion.

reset\_n

Signal indicating completed initialization when set to 1. Note that reset\_n is used as an asynchronous reset so that glitches on the sequence or expression may cause the checker to reset.

# Use Mode in SystemVerilog

## The Entire Design Targets SystemVerilog

To use the SVA Checker Library with a design written in SystemVerilog (which thus respects its enlarged set of keywords), you instantiate or bind any number of the checkers in the design and indicate the placement of the library using the Verilog library mechanism as follows:

```
vcs +vc -sverilog +define+ASSERT_ON+COVER_ON \
<design files and other options> \
-y $VCS_HOME/packages/sva +libext+.v \
+incdir+$VCS HOME/packages/sva
```

Note that  $+define+ASSERT_ON$  on the VCS command line is necessary to turn on the assertions in all checker instances. Alternately or in addition, by defining COVER\_ON the coverage functionality can be included (it can be further controlled at the instance level by the checker parameter coverage\_level\_i, where i = 1, 2, or 3.

To gather coverage information using the coverage functionality of the checkers, do not include the -cm assert option. This is because coverage on cover property and covergroup statements is automatically turned on in VCS.

## Some Design Files Are Restricted to Verilog2001

In this case, the Verilog2001 files have names with the . v extensions, while all SystemVerilog files, including the checkers, have a name with the .sv extension. In the case of the checkers, it is the symbolic link with the .sv extension that is used. The vcs compilation command line will then have the following form:

```
vcs +vc -sverilog+define+ASSERT_ON+COVER_ON \
<design files and other options> -y $VCS_HOME/packages/sva \
+libext+.sv +verilog2001ext+.v +incdir+$VCS HOME/packages/sva
```

The compiler uses Verilog2001 syntax for all .v files, and SystemVerilog syntax for all other files including those with the .sv extension.

# **Use Mode in VHDL (VCS MX)**

The SVA Checker Library .v files can be found in the \$VCS\_HOME/packages/sva/ directory.

There is also a VHDL package called sva\_lib in this directory, containing the component definitions for all the checkers in the library. The name of the file is component.sva v.vhd.

To use the SVA library in VHDL, do the following:

1. Compile the component package in a library. For example, suppose that the default WORK library is used. The command to compile the package is then:

```
vhdlan $VCS HOME/packages/sva/components.sva v.vhd
```

2. Compile the selected SVA checkers using vlogan and deposit them in a VHDL library. For example, suppose again that the default WORK library is used and that you wish to compile all the checkers in the library (it takes a fraction of a second to complete). Then the command is:

Other macro definitions can be supplied with +define.

Note that if you choose to compile only some specific checkers that are described in Chapter 2, you also must compile the file sva\_std\_edge\_select.v. This is because these checkers allow specification of the sampling clock edge.

3. To use the compiled checkers in the VHDL design, you must include commands to use the following libraries:

```
library IEEE;
use IEEE.STD_LOGIC_1164.all;
library WORK;
use WORK.sva lib.all;
```

and instantiate the checker component(s) as any other VHDL entity.

Note that the signals on the checker ports are of the IEEE std\_ulogic and unsigned types.

```
library IEEE;
use IEEE.STD_LOGIC_1164.all;
library WORK;
use WORK.sva_lib.all;
entity top is
  generic (P1 : integer := 7;
```

```
P2 : integer := 31);
end top;
architecture top arch of top is
signal a,b,c : std ulogic vector(P1 downto 0);
signal clk : std ulogic;
component child is
    generic (p : integer := 10);
    port (in1, in2 : std ulogic vector(p downto 0);
          clk : std logic;
          out1 : out std ulogic vector(p downto 0));
end component;
begin
-- Some design entity instance
i1 : child generic map(P1) port map(a,b,clk,c);
 -- sva assert always checker
always inst: assert always port map(clk, '1', a(1));
-- sva assert cycle sequence checker
seq inst : assert cycle sequence
          generic map (\overline{0}, P1+1, 0, 0, "a3")
          port map(clk, '1', a);
process
begin
  clk <= '0';
  wait for 3 ns;
  clk <= '1';
  wait for 3 ns;
end process;
end top arch;
configuration cfg top of top is
  for top arch
  end for;
end;
```

2

# **SVA Basic Checkers**

This chapter contains 31checkers. All checkers, except assert\_proposition, are triggered at the positive edge of a triggering signal or expression clk.

The values of all actual signals or expressions in the ports of the checkers are sampled just before the positive edge of clk. Therefore, any pulses happening on the signals / expressions between consecutive positive edges of clk are not observed by the checkers.

Moreover, whenever an edge of a signal / expression on a port of a checker other than the clock is used in the checker, it is the sampled form of the edge as detected by looking at two consecutive samples of the signal.

The checker  $assert_proposition$  monitors an expression at all times and triggers at the falling edge of the  $test_expr$ .

## **Checker Descriptions**

This section provides syntax and descriptions, and examples for all SVA checkers.

### assert\_always

The assert\_always checker continuously monitors  $test_expr$  at every positive edge of clock, clk. It verifies that  $test_expr$  will always evaluate true. If test\_expr evaluates to false, the assertion will fire (that is, an error condition will be detected in the code.) The  $test_expr$  can be any valid Verilog expression

#### **Syntax**

### **Arguments**

```
test expr
```

Expression being verified at the positive edge of clk.

#### **Coverage Modes**

```
cov level 1 0 (bit 0 set in coverage level 1)
```

Cover property cover\_always indicates that the test\_expr was asserted when enabled by reset\_n.

```
'define ASSERT_ON
'define COVER ON
```

```
module testbench;
reg reset n, clk;
child CH (reset n, clk);
initial begin
    clk = 0;
    reset n = 0;
    #40 reset n = 1;
    #980 $finish;
end
always #20 clk = \simclk;
endmodule
module child(reset n, clk);
input reset n, clk;
reg [3:0] count;
initial $monitor("count = %b \n", count);
always @(posedge clk) begin
    if (reset n == 0 \mid \mid count >= 9)
        count <= 1'b0;
    else
        count <= count + 1;</pre>
end
assert always //coverage level 1 = 7 level 1
\#(0, 0, 0) "ERROR: count not within 0 and 9", 0, 15, 0, 0)
valid count
(clk, reset n, (count >= 4'b0000) && (count <= 4'b1001));
endmodule
```

## assert\_always\_on\_edge

The checker continuously monitors the  $test\_expr$  at every specified edge of the sampling\_event.  $test\_expr$  should always evaluate true at the  $sampling\_event$ . If  $test\_expr$  evaluates to false the assertion will fire.

Note that the transition on the sampling event is as determined by sampling <code>sampling event</code> at two consecutive clock ticks.

#### **Syntax**

#### **Arguments**

```
edge type
```

Selects the transition for sampling\_event.

- 0 no edge (default)
- 1 positive edge
- 2 negative edge
- 3 any edge

```
sampling event
```

Expression defines when to evaluate  $test\_expr$ . Transition of sampling\_event are selected by  $edge\_type$ .

```
test expr
```

Expression being verified at the positive edge of clk AND if sampling\_event matches transition selected by edge\_type.

#### **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1)
Cover property cover_always_on_edge indicates that the
  test_expr was asserted on the specified edge of
  sampling event.
```

```
'define ASSERT ON
'define COVER ON
module testbench;
reg reset n, clk, sig;
child CH (reset n, clk, sig);
initial begin
    $vcdpluson;
    clk = 0;
    reset n = 0;
    sig = 0;
    #40 reset n = 1;
    #980 $finish;
end
always #20 clk = \simclk;
always #40 \text{ sig} = \sim \text{sig};
endmodule
module child(reset n, clk, sig);
input reset n, clk, sig;
reg [3:0] count;
initial $monitor("count = %b \n", count);
```

```
always @(posedge clk) begin
   if (reset_n == 0 || count >= 9)
        count <= 1'b0;
else
        count <= count + 1;
end

assert_always_on_edge
#(0, 1, 0, "ERROR: count not within 0 and 9", 0, 15, 0, 0)

valid_always_on_edge
   (clk, reset_n, sig,
        (count >= 4'b0000) && (count <= 4'b1001));
endmodule</pre>
```

### assert\_change

Change assert\_change checker continuously monitors the start\_event at every positive edge of the clock. When start\_event is true, the checker ensures that the expression, test\_expr changes values on a clock edge at some point within the next num\_cks number of clocks. This assertion will fire upon a violation.

#### **Syntax**

#### **Arguments**

width

Width of the expression, test expr. Default = 1.

num\_cks

Number of clocks for  $test\_expr$  to change its value before an error is triggered after  $start\ event$  is asserted. Default = 1.

flag

- 0 Ignore any start\_event assertion after the first one has been detected. Default = 0.
- 1 Re-start monitoring  $test\_expr$ , if start\_event is asserted in any subsequent clock while monitoring  $test\_expr$ .
- 2 Issue an error if an asserted start\_event occurs in any clock cycles while monitoring test expr.

start event

Starting event that triggers monitoring of the test expr.

test expr

Expression or variable being verified at the positive edge of clk.

#### **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level 1)
```

Cover property cover\_change indicates that the exp changed within num cks.

```
cov_level_1_1 (bit 1 set in coverage_level_1)
```

Cover property cover\_start\_event indicates that the start event occurred.

```
cov_level_2_0 (bit 0 set in coverage_level_2)
```

Cover point observed\_delay indicates which delays within from start event were observed at least once.

```
cov_level_3_0 (bit 0 set in coverage_level 3)
```

Cover property <code>cover\_overlapping\_start\_events</code> indicates that the <code>start\_event</code> occured while there was another evaluation attempt in progress.

```
cov_level_3_1 (bit 1 set in coverage_level_3)
```

Cover property <code>cover\_change\_after\_1\_clk</code> indicates that the <code>test\_expr</code> changed value at the <code>next clock</code> tick after <code>start event</code>.

```
cov_level_3_2 (bit 2 set in coverage_level_3)
```

Cover property cover\_change\_after\_num\_cks indicates that the test\_expr changed value at num\_clk clock ticks after start\_event.

```
'define ASSERT ON
'define COVER ON
module testbench;
reg reset n, clk;
child CH (reset n, clk);
initial begin
    $vcdpluson;
    clk = 0;
    reset n = 0;
    #40 reset n = 1;
    #1000 $finish;
end
always #20 clk = \simclk;
endmodule
module child(reset n, clk);
input reset n, clk;
reg start;
reg [3:0] expr;
integer count;
initial $monitor ("count = %d start = %b expr = %b \n",
count, start, expr);
always @(posedge clk)
begin
     if (reset n == 0)
     begin
         start <= 0;
         expr <= 4'b0000;
         count <= 0;
     end
     else
         count <= count + 1;</pre>
```

## assert\_cycle\_sequence

This checker verifies the following conditions:

- When necessary\_condition = 0, if all num\_cks-1 first events of a sequence (event\_sequence[num\_cks-1:1]) are true, the last sequence (event\_sequence[0]) should follow.
- When necessary\_condition = 1, if the first event of a sequence (event\_sequence[num\_cks-1]) is true, then all the remaining event sequence[num\_cks-2:0] events should follow.

#### **Syntax**

#### **Arguments**

num\_clks

The width of the event\_sequence (number of clock cycles of the  $event\_sequence$ ) that must be valid. Otherwise, an assertion will fire. Should be  $num\ cks > 1$ .

```
necessary condition
```

Either 1 or 0. The default is 0.

```
event sequence
```

A verilog concatenation expression, where each bit represents an event.

#### **Coverage Modes:**

```
cov_level_1_0 (bit 0 set in coverage_level_1) :
   Cover property, cover_cycle_sequence_antecedent_match,
   indicates that the antecedent part of the sequence matched (i.e.,
   the checker was triggered).
```

```
cov_level_1_1 (bit 1 set in coverage_level_1) :
   Cover property, cover_cycle_sequence, indicates that the
   complete sequence occurred.
```

```
cov_level_3_0 (bit 0 set in coverage_level_3) :
```

Cover property, <code>cover\_sequence\_slice[i,]</code> indicates that the sequence matched at least till the <code>'i'-th</code> boolean expression.

```
'define ASSERT ON
'define COVER ON
module testbench;
reg reset n, clk;
child CH (reset n, clk);
initial begin
    $vcdpluson;
    clk = 0;
    reset n = 0;
    #100 \text{ reset n} = 1;
    #980 $finish;
end
always #50 clk = \simclk;
endmodule
module child(reset n, clk);
input reset n, clk;
reg e1, e2, e3, e4, e5;
```

```
reg [3:0] count;
initial $monitor ("count = %d e1 = %b e2 = %b e3 = %b e4 =
%b e5 = %b \n", count, e1, e2, e3, e4, e5);
always @(posedge clk)
begin
    if (reset n == 0)
    begin
        count <= 4'b0000;
        e1 <= 0;
        e2 <= 0;
        e3 <= 0;
        e4 <= 0;
        e5 <= 0;
    end
    else
        count <= count + 1;</pre>
    case(count)
        4'b0001: e1 <= 1;
        4'b0010: e2 <= 1;
        4'b0011: e3 <= 1;
        4'b0100: e4 <= 1;
        4'b0101: e5 <= 1;
    endcase
end
//Coverage level 1 enabled by default
assert cycle sequence
\#(0, 5, 1, 0, "ERROR: event sequence did not complete")
valid seq (clk, reset n, {e1,e2,e3,e4,e5});
endmodule
```

### assert\_decrement

The assert\_decrement checker continuously monitors the  $test_expr$  at every positive edge of the clock signal, clk. It checks that the  $test_expr$  will never decrease by anything other than the value specified by value. The  $test_expr$  can be any valid Verilog. The check will not start until the first clock tick after  $reset_expr$  is asserted.

#### **Syntax**

#### **Arguments**

width

Width of test expr with default value of 1.

value

Maximum decrement value allowed for test\_expr with default value of 1.

```
test expr
```

Expression being verified at the positive edge of clk.

#### **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1) :
   Cover property, cover_of_test_expr_change, indicates that
   test_expr changed value.

cov_level_2_0 (bit 0 set in coverage_level_2) :
   Cover point, cover_observed_decrement indicates all the
   observed decrement values of the test expr when it changes.
```

```
cov level 3 0 (bit 0 set in coverage level 3) :
```

Cover property,  $cover\_decrement\_eq\_to\_value$ , indicates that the reduction in  $test\_expr$  was exactly equal to the value parameter.

```
'define ASSERT ON
'define COVER ON
module testbench;
reg reset n, clk;
child CH (reset n, clk);
initial begin
    $vcdpluson;
    clk = 0;
    reset n = 0;
    #40 reset n = 1;
    #980 $finish;
end
always #20 clk = \simclk;
endmodule
module child(reset n, clk);
input reset n, clk;
reg [3:0] count;
initial $monitor("count = %b \n", count);
always @(posedge clk)
begin
    if (reset n == 0)
        count <= 4'b1111;</pre>
    else
        count <= count - 2;</pre>
end
```

```
//Coverage level 1 enabled
assert_decrement
#(0, 4, 2, 0, "ERROR: count has decreased beyond allowable
limit ")
valid_count_decrease (clk, reset_n, count);
endmodule
```

#### assert\_delta

The assert\_delta checker continuously monitors the  $test_expr$  at every positive edge of clock signal, clk. It verifies that  $test_expr$  will never change value by anything less than min and anything more than max value. The  $test_expr$  can be any valid Verilog expression. The check will not start until the first clock after  $reset_n$  is asserted.

#### **Syntax**

#### **Arguments**

width

Width of  $test_{expr}$  with default value of 1. However, with the value of 1 the assertion cannot fail and a warning is issued at time 0. The default is set to 1 for compatibility with OVL

min

Minimum changed value allowed for  $test\_expr$  in two consecutive clocks of clk. Default = 1.

max

Maximum changed value allowed for test\_expr in two consecutive clocks of clk. Default = 1.

```
test expr
```

Expression being verified at the positive edge of c1k.

#### **Coverage Modes**

```
cov level 1 0 (bit 0 set in coverage level 1)
```

Cover property, <code>cover\_test\_expr\_change</code>, indicates that the <code>test\_expr</code> has changed value.

```
cov_level_1_1 (bit 1 set in coverage_level_1)
```

Cover property, cover\_delta, indicates that test\_expr changed value within the min:max range.

```
cov level 2 0 (bit 0 set in coverage level 2)
```

Cover point, <code>observed\_delta</code>, reports the observed delta values that occured at least once on a value change in the <code>test\_expr</code>.

```
cov level 3 0 (bit 0 set in coverage level 3)
```

Cover property, <code>cover\_delta\_eq\_to\_min</code>, indicates that the delta value was exactly equal to the specified <code>min</code> value when the <code>test\_expr</code> changed value.

```
cov_level_3_1 (bit 1 set in coverage_level_3) :
```

Cover property,  $cover\_delta\_eq\_to\_max$ , indicates that the delta value was exactly equal to the specified max value when the  $test\_expr$  changed value.

```
'define ASSERT_ON
'define COVER_ON
module testbench;
reg reset_n, clk;
child CH (reset_n, clk);
initial begin
    $vcdpluson;
    clk = 0;
    reset_n = 0;
    #40 reset_n = 1;
    #980 $finish;
```

```
end
always #20 clk = \simclk;
endmodule
module child(reset n, clk);
input reset n, clk;
reg [7:0] count;
initial $monitor("count = %b \n", count);
always @(posedge clk)
begin
    if (reset n == 0)
        count <= 8'b11111111;</pre>
    else
        count <= count - 2;</pre>
end
//Coverage level 3 enabled
assert delta
\#(0, 8, 2, 4, 0, "ERROR: count has decreased by greater than
the max (4) or less than the min (2) limit", 0, 0, 0, 15)
valid delta (clk, reset n, count);
endmodule
```

# assert\_even\_parity

The assert\_even\_parity checker continuously monitors the  $test_expr$  at every positive edge of the clock signal, clk. It verifies that  $test_expr$  will always have an even number of bits asserted.

#### **Syntax**

#### **Arguments**

width

Width of the monitored expression test expr.

```
test expr
```

Expression being verified at the positive edge of clk.

# **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1)
Cover property cover_test_expr_change indicates that the
  test expr changed value.
```

```
'define ASSERT_ON
'define COVER_ON
module testbench;
reg reset_n, clk;
child CH (reset_n, clk);
initial begin
    $vcdpluson;
```

```
clk = 0;
    reset n = 0;
    #40 reset n = 1;
    #980 $finish;
end
always #20 clk = \simclk;
endmodule
module child(reset n, clk);
input reset n, clk;
reg [7:0] count;
initial $monitor("count = %b \n", count);
always @(posedge clk)
begin
    if (reset n == 0)
        count <= 8'b11111111;</pre>
    else
        count <= count << 2;</pre>
end
//Coverage level 1 enabled by default
assert even parity // no cover selected
\#(0, 8, 0, \overline{\text{ERROR}}: \text{count has odd number of bits asserted"})
valid count even (clk, reset n, count);
endmodule
```

# assert\_fifo\_index

The assert\_fifo\_index checker ensures that the FIFO element (a) never overflows and underflows (b) allows/disallows simultaneous push and pop.

#### **Syntax**

#### **Arguments**

depth

Depth of the FIFO, default 1. It should never be set to 0, otherwise an assertion will fire.

```
push width
```

Width of the push signal, default 1.

```
pop width
```

Width of the pop signal, default 1.

options

Currently, the only supported option is options=1, which defines the assertion is an assumption for formal tools.

If bit 1 of options is set (i.e., option &2 != 0) then simultaneous push and pop operations are disallowed in the same clock cycle. (Note that multiple pushes or pops are allowed always, provided that <code>push\_width</code>, resp. <code>pop\_width</code>, is greater than 1.)

push

The value of push indicates the number of writes that are occurring on that particular clock cycle. The <code>push\_width</code> defines the width of the <code>push</code> expression. By default, only a single write can be performed on a particular clock cycle.

pop

The value of pop indicates the number of reads that are occurring on that particular clock cycle. The  $pop\_width$  defines the width of the pop expression. By default, only a single read can be performed on a particular clock cycle.

#### **Coverage Modes**

```
cov level 1 0 (bit 0 set in coverage level 1) :
```

Cover property, cover\_nb\_of\_push\_operations, indicates that push was greater than 0.

```
cov_level_1_1 (bit 1 set in coverage_level_1) :
```

Cover property, cover\_nb\_of\_pop\_operations, indicates that pop was greater than 0.

```
cov_level_2_0 (bit 0 set in coverage_level_2) :
```

Cover point, <code>observed\_number\_of\_pushes</code>, reports the observed value of simultaneous pushes (i.e., the value of the <code>push</code> expression) that occurred at least once.

```
cov_level_2_1 (bit 1 set in coverage_level_2) :
```

Cover point, <code>observed\_number\_of\_pops</code>, reports the observed value of simultaneous pops (i.e., the value of the expression <code>push</code>) that occurred at least once.

```
cov level 2 2 (bit 2 set in coverage level 2) :
```

Cover point, <code>observed\_outstanding\_contents</code>, reports the observed value of outstanding contents in the FIFO that occured at least once.

```
cov_level_3_0 (bit 0 set in coverage level 3) :
   Cover property, cover eq nb of simultaneous push pop,
   indicates that push == pop occurred simultaneously, when push
   and pop were not 0.
cov level 3 1 (bit 1 set in coverage level 3) :
   Cover property,
   cover eq nb of simultaneous push pop when empty,
   indicates that push == pop occurred simultaneously, when both
   push and pop were not 0 and the FIFO was empty.
cov level 3 2 (bit 2 set in coverage level 3) :
   Cover property,
   cover eq nb of simultaneous push pop when full, indicates
   that push == pop occurred simultaneously, when both push and
   pop were not 0 and the FIFO was full.
cov_level_3_3 (bit 3 set in coverage level 3) :
   Cover property, cover nb of times empty reached on pop,
   indicates that the FIFO reached empty on a pop.
```

cov\_level\_3\_4 (bit 4 set in coverage level 3) :

indicates that the FIFO reached full on a push.

Cover property, cover nb of times full reached on push,

**SVA Basic Checkers** 

```
'define ASSERT ON
'define COVER ON
module testbench;
reg reset n, clk;
fifo FIFO (reset n, clk);
initial begin
    $vcdpluson;
    clk = 0;
    reset n = 0;
    #40 reset n = 1;
    #1000 $finish;
end
always #20 clk = \simclk;
endmodule
module fifo(reset n, clk);
input reset n, clk;
reg [3:0] fifo;
reg push sig, pop sig;
always @(posedge clk) #5 push sig = ~push sig;
always @(negedge clk) #45 pop sig = ~pop sig;
always @(posedge clk)
begin
    if (reset n == 0)
    begin
        push sig <= 0;</pre>
        pop sig <= 1'b0;</pre>
        fifo <= 4'b0000;
    end
    if (push sig)
    begin
        fifo <= fifo << 1;
```

```
fifo <= fifo + 1;
        $display("time = %d fifo = %b push sig = %b \n",
$time, fifo, push sig);
    end
    if (pop sig)
    begin
        fifo <= fifo >> 1;
        display("time = %d fifo = %b pop sig = %b \n",
$time, fifo, pop_sig);
    end
end
//Coverage level 1 enabled by default
assert_fifo_index
\#(0, 4, 1, 1, 1, "ERROR: Overflow or Underflow in fifo")
invalid fifo (clk, reset n, push sig, pop sig);
endmodule
```

# assert\_frame

The assert\_frame checker validates proper cycle timing relationships between two events in the design. When a start\_event evaluates true, then the test\_expr must evaluate true within a minimum and maximum number of clock cycles.

# **Syntax**

#### **Arguments**

 $min_cks$ 

Minimum number of clock cycles, within which the  $test\_expr$  should not become true. When  $min\_cks$  is 0 then  $test\_expr$  can occur at the same time as  $start\_event$  or after as controlled by max cks. Default = 0.

```
max cks
```

Maximum number of clock cycles, before which  $test\_expr$  must become true. This check will be disabled when  $max\_cks$  is not specified, i.e., when  $min\_cks > 0$  and  $max\_cks == 0$ . If both  $min\_cks$  and  $max\_cks$  are 0 then  $test\_expr$  must occur at the same time as there is a 0 to 1 transition on  $start\_event$ . Default = 0.

flag

- 0 Ignores any asserted start\_event after the first one has been detected (default);
- 1 Re-start monitoring test\_expr if start\_event is asserted in any subsequent clock while monitoring test\_expr;

2 - Issue an error if an asserted <code>start\_event</code> occurs in any clock cycle while monitoring <code>test\_expr</code>.

```
start event
```

Starting event that triggers monitoring of the test\_expr. The start\_event is a cycle transition from 0 to 1.

```
test expr
```

Expression being verified at the positive edge of c1k.

#### **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1) :
```

Cover property, cover\_start\_event, indicates that

the start\_event occured.

```
cov_level_1_1 (bit 1 set in coverage_level_1) :
```

Cover property, <code>cover\_frame</code>, indicates that the <code>test\_expr</code> became true within a minimum and maximum number of clock cycles after the occurence of the <code>start event</code>.

```
cov_level_2_0 (bit 0 set in coverage_level_2) :
```

Cover point, observed\_delay, reports the observed delay from a rising start event to the subsequent rising test expr.

```
cov_level_3_0 (bit 0 set in coverage_level_3) :
```

Cover property, <code>cover\_overlapping\_start\_events</code>, indicates that the <code>start\_event</code> occured while there was already an evaluation in progress.

```
cov_level_3_1 (bit 1 set in coverage_level_3) :
```

Cover property, <code>cover\_frame\_exactly\_at\_min\_cks</code>, indicates that the test\_expr became true exactly at min\_cks after <code>start\_event</code> occurred.

```
cov_level_3_2 (bit 2 set in coverage_level_3) :
   Cover property, cover_frame_exactly_at_max_cks, indicates
   that the test_expr became true exactly at min_cks after
   start event occurred.
```

```
'define ASSERT ON
'define COVER ON
module testbench;
reg reset n, clk;
child CH (reset n, clk);
initial begin
    $vcdpluson;
    clk = 0;
    reset n = 0;
    #40 reset n = 1;
    #1000 $finish;
end
always #20 clk = \simclk;
endmodule
module child(reset n, clk);
input reset n, clk;
reg start, expr;
integer count;
initial $monitor ("count = %d start = %b expr = %b \n",
count, start, expr);
always @(posedge clk)
begin
    if (reset n == 0)
    begin
        count <= 0;
        start <= 0;
```

```
expr <= 0;
end
else
    count <= count + 1;

if (count == 3)
    start <= 1;

if (count == 7)
    expr <= 1;
end

//Coverage level 2 enabled
assert_frame
#(0, 2, 4, 0, 1, "ERROR: expr is not true in the intended time window after start_event", 0, 0, 1, 0)
invalid_frame (clk, reset_n, start, expr);
endmodule</pre>
```

# assert\_handshake

The assert\_handshake checker continuously monitors the req and ack signals at every positive edge of the clock clk.

Note that both req and ack must go inactive (0) prior to starting a new cycle.

There are no defaults for this assertion; therefore, if you do not specify parameters, the corresponding assertion is not included. To activate one or more checks in the checker, the corresponding parameters should be specified with a non-zero value.

# **Syntax**

# **Arguments**

```
min_ack_cycle
```

Activate min\_ack\_cycle check if greater than default value of 0.

When this parameter is greater than 0, the assertion will ensure that an ack does not occur before min ack cycle clock ticks.

```
max_ack_cycle
```

Activate max ack cycle check if greater than default value of 0.

When this parameter is greater than 0, the assertion will ensure that an ack does not occur after max ack cycle clock ticks.

```
req drop
```

Activate req drop check if greater than default value of 0.

When this parameter is greater than 0, the assertion will ensure that reg remains active until an ack is asserted.

```
deassert count
```

Activate  $deassert\_count$  if greater than default value of 0. When this parameter is greater than 0, the assertion will ensure that req becomes inactive (0) within  $deassert\_count$  clock ticks after ack is asserted.

```
max ack length
```

Activate max ack length check if greater than default value of 0.

When this parameter is greater than 0, the assertion will ensure that ack is not asserted for greater than  $max\_ack\_length$  clock cycles (that is, check for ack stuck active) and does not become inactive (0) within deassert count clocks after ack is asserted.

req

Signal that starts the transaction.

ack

Signal that terminates the transaction.

# **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1) :
```

Cover property, cover\_nb\_of\_reqs, indicates that req was asserted.

```
cov_level_1_1 (bit 1 set in coverage_level_1) :
```

Cover property, cover\_nb\_of\_acks, indicates that ack was asserted.

```
cov_level_1_2 (bit 2 set in coverage_level_1)
```

Cover property, cover\_req\_eventually\_followed\_by\_ack, indicates that there was a req followed eventually by an ack.

```
cov_level_2_0 (bit 0 set in coverage level 2)
```

Cover point, observed\_delay\_pos\_req\_pos\_ack, records the delay between the arrival of a req and the subsequent arrival of an ack.

```
cov level 2 1 (bit 1 set in coverage level 2)
```

Cover point, observed\_delay\_pos\_ack\_neg\_req, records the delay between arrival of an ack and the deassertion of the req.

```
cov level 3 0 (bit 0 set in coverage level 3)
```

Cover property, cover\_ack\_exactly\_after\_min\_ack\_cycles, indicates that the observed latency between req and ack was equal to the specified ack cycle value.

```
cov level 3 1 (bit 1 set in coverage level 3)
```

Cover property,  $cover\_ack\_exactly\_after\_max\_ack\_cycles$ , indicates that the observed latency between req and ack was equal to the specified ack cycle value.

```
'define ASSERT_ON
'define COVER_ON
module testbench;
reg reset_n, clk;

child CH (reset_n, clk);

initial begin
    $vcdpluson;
    clk = 0;
    reset_n = 0;
    #40 reset_n = 1;
    #1000 $finish;
end

always #20 clk = ~clk;
endmodule
```

```
module child(reset n, clk);
input reset n, clk;
reg req, ack;
integer count;
initial $monitor ("count = %d req = %b ack = %b \n", count,
req, ack);
always @(posedge clk)
begin
    if (reset n == 0)
    begin
        req <= 0;
        ack <= 0;
        count <= 0;
    end
    else
        count <= count + 1;</pre>
    if (count == 4)
        req <= 1;
    if (count == 6)
        ack <= 1;
    if (count == 9)
        ack <= 0;
end
//Default coverage 1 enabled
assert handshake \#(0, 3, 5, 0, 0, 3, 0,
"ERROR: handshake incorrect")
invalid handshake (clk, reset n, req, ack);
endmodule
```

# assert\_implication

The assert\_implication checker continuously monitors the antecedent\_expr. If it evaluates to true, then this checker will verify that the consequent expr is true.

When antecedent\_expr is evaluated to false, then consequent\_expr expression will not be checked at all and the implication is satisfied.

#### **Syntax**

#### **Arguments**

```
antecedent_expr
```

Expression verified at the positive edge of c1k.

```
consequent expr
```

Expression verified if antecedent expr is true.

# **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1) :
   Cover property cover_nb_of_antecedent_expr indicates that the
   antecedent_expr was asserted when enabled by reset_n
cov level 1 1 (bit 1 set in coverage level 1) :
```

Cover property cover\_implication indicates that the implication was non-vacuously covered when enabled by reset\_n.

```
'define ASSERT ON
'define COVER ON
module testbench;
reg reset n, clk;
child CH (reset n, clk);
initial begin
    $vcdpluson;
    clk = 0;
    reset n = 0;
    #40 reset n = 1;
    #1000 $finish;
end
always #20 clk = \simclk;
endmodule
module child(reset n, clk);
input reset n, clk;
reg expr1, expr2;
integer count;
initial $monitor ("count = %d expr1 = %b expr2 = %b \n",
count, expr1, expr2);
always @(posedge clk)
begin
    if (reset n == 0)
    begin
        expr1 <= 0;
        expr2 <= 0;
        count <= 0;
    end
    else
        count <= count + 1;</pre>
    if (count == 4)
```

```
begin
            expr1 <= 1;
            expr2 <= 1;
            end

end
//Coverage levels all disabled
assert_implication #(0, 0, "ERROR: implication violated", 0, 0)
invalid_handshake (clk, reset_n, expr1, expr2);
endmodule</pre>
```

# assert\_increment

The assert\_increment checker continuously monitors the  $test\_expr$  at every positive edge of the triggering event, clk. It verifies that  $test\_expr$  will never increase by anything other than the value specified by value. The  $test\_expr$  can be any valid Verilog expression. The check will not start until the first clock after the  $reset\_n$  is asserted.

#### **Syntax**

#### **Arguments**

width

Width of test\_expr with default value of 1. However, with the value of 1 the assertion cannot fail and a warning is issued at time 0. The default is set to 1 for compatibility with OVL.

value

Maximum increment value allowed for  $test\_expr$  with default value of 1.

```
test expr
```

Expression being verified at the positive edge of c1k.

# **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1)
```

Cover property, cover\_of\_test\_expr\_change, indicates that the test expr changed when enabled by reset n.

```
cov level 2 0 (bit 0 set in coverage level 2)
```

Cover point, observed\_increment, records the increment value of test expr whenever the test expr changes.

```
cov level 3 0 (bit 0 set in coverage level 3) :
```

Cover property,  $cover\_increment\_eq\_to\_value$ , indicates that the increment value of  $test\_expr$  was exactly equal to the specified value.

```
'define ASSERT ON
'define COVER ON
module testbench;
reg reset n, clk;
child CH (reset n, clk);
initial begin
    $vcdpluson;
    clk = 0;
    reset n = 0;
    #40 reset n = 1;
    #980 $finish;
end
always #20 clk = \simclk;
endmodule
module child(reset n, clk);
input reset n, clk;
reg [3:0] count;
initial $monitor("count = %b \n", count);
always @(posedge clk)
begin
    if (reset n == 0)
```

# assert\_never

The assert\_never checker continuously monitors the  $test\_expr$  at every positive edge of the triggering event or clock clk. It verifies that  $test\_expr$  will never evaluate true. The  $test\_expr$  can be any valid Verilog expression. When  $test\_expr$  evaluates true, this checker will fail.

# **Syntax**

```
assert_never [#(severity_level, options, msg, category)]
inst_name (clk, reset_n, test_expr);
```

# **Arguments**

```
test expr
```

Expression being verified at the positive edge of c1k.

#### **Notes**

 If the test\_expr contains any x or z values then the checkers is effectively disabled and the assertion

```
assert_never_contains_x_z_value will fire.
```

• There are no cover properties or cover groups in thie checker. Therefore the coverage-level i parameters are not provided.

```
'define ASSERT_ON
module testbench;
reg reset_n, clk;
child CH (reset_n, clk);
initial begin
    clk = 0;
    reset_n = 0;
```

```
#40 reset n = 1;
    #980 $finish;
end
always #20 clk = \simclk;
endmodule
module child(reset n, clk);
input reset n, clk;
reg [3:0] count;
initial $monitor("count = %b \n", count);
always @(posedge clk)
begin
    if (reset n == 0 \mid \mid count <= 9)
        count <= 4'b1011;
    else
        count <= count + 1;</pre>
end
assert never #(0, 0, "ERROR: count within 0 and 9")
valid expr
(clk, reset n, (count >= 4'b0000) && (count <= 4'b1001));
endmodule
```

# assert\_next

The assert\_next checker validates proper cycle timing relationships between two events in the design. When a start\_event evaluates true, then the test\_expr must evaluate true exactly num\_cks number of clock cycles later.

This checker supports overlapping sequences. For example, if you assert that  $test\_expr$  will evaluate true exactly four cycles after  $start\_event$ , it is not necessary to wait until the sequence finishes before another sequence can begin.

# **Syntax**

#### **Arguments**

num cks

The number of clocks <code>test\_expr</code> must evaluate to true after <code>start\_event</code> is asserted.

```
check overlapping
```

If true, permits overlapping sequences. In other words, a new start\_event can occur (starting a new sequence in parallel) while the previous sequence continues.

```
only if
```

If true, a test\_expr can only evaluate true, if preceded num\_cks earlier by a start\_event. If test\_expr occurs without a start\_event, then an error is flagged.

```
start event
```

Starting event that triggers monitoring of the test expr.

```
test expr
```

Expression being verified at the positive edge of c1k.

#### **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1) :
   Cover property, cover_start_event, indicates that the
   start_event occurred.

cov_level_1_1 (bit 1 set in coverage_level_1) :
   Cover property, cover_next, indicates that the test_expr became
```

true exactly after num\_cks from the start\_event.

```
cov level 3 0 (bit 0 set in coverage level 3) :
```

Cover property, <code>cover\_overlapping\_start\_events</code>, indicates that a <code>start\_event</code> occured while there was another evaluation in progress.

```
'define ASSERT_ON
'define COVER_ON
module testbench;
reg reset_n, clk;
child CH (reset_n, clk);
initial begin
    $vcdpluson;
    clk = 0;
    reset_n = 0;
    #40 reset_n = 1;
    #1000 $finish;
end
always #20 clk = ~clk;
```

#### endmodule

endmodule

```
module child(reset n, clk);
input reset n, clk;
reg start, expr;
integer count;
initial $monitor ("count = %d start = %b expr = %b\n",
count, start, expr);
always @(posedge clk)
begin
    if (reset n == 0)
    begin
        start <= 0;
        expr <= 0;
        count <= 0;
    end
    else
        count <= count + 1;</pre>
    if (count == 4)
        start <= 1;
    else
        start <= 0;
    if (count == 8)
        expr <= 1;
    else
        expr <= 0;
end
//Cover property, cover_start_event at level 1 enabled
assert next \#(0, 4, 0, 1, 0, "ERROR: expr is not true within
the specified number of clock cycles after start event", 0, 1)
invalid next (clk, reset n, start, expr);
```

# assert\_no\_overflow

The assert\_no\_overflow checker continuously monitors the  $test\_expr$  at every positive edge of the triggering event or clock clk. This assertion verifies that a specified  $test\_expr$  will never:

 Change value from a max value (default (2\*\*width) -1) to a value greater than max

or

• Change value from a max value (default (2\*\*width) -1) to a value less than or equal to a min value (default 0).

The test expr can be any valid Verilog expression.

#### **Syntax**

# **Arguments**

width

Width of the monitored expression test expr.

min

Minimum value sampled at clock (t+1) of clk with default value of 0.

max

Maximum value sampled at clock (t) of clk with default value of (2\*\*width-1).

```
test expr
```

Expression being verified at the positive edge of c1k.

#### **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1)
Cover property, cover_nb_of_test_expr_changes, indicates that
the test_expr changed value.

cov_level_2_0 (bit 0 set in coverage_level_2)
Cover point, cover_observed_value, reports all the values taken
by test_expr
```

```
cov_level_3_0 (bit 0 set in coverage_level_3)
```

Cover property, cover\_test\_expr\_reached\_min\_value, indicates that the test expr reached the min parameter value.

```
cov_level_3_1 (bit 1 set in coverage_level_3)
```

Cover property, cover\_test\_expr\_reached\_max\_value, indicates that the test expr reached the max parameter value.

```
'define ASSERT_ON
'define COVER_ON
module testbench;
reg reset_n, clk;

child CH (reset_n, clk);

initial begin
    clk = 0;
    reset_n = 0;
    #20 reset_n = 1;
    #980 $finish;
end

always #10 clk = ~clk;
```

#### endmodule

```
module child(reset n, clk);
input reset n, clk;
reg [3:0] count;
initial $monitor("count = %b \n", count);
always @(posedge clk)
begin
    if (reset n == 0)
        count <= 4'b0011;
    if (count >= 4'b0010 && count <= 4'b1001)
    begin
        case (count)
            4'b0010: count <= 4'b1010;
            4'b0011: count <= 4'b1011;
            4'b0100: count <= 4'b1100;
            4'b0101: count <= 4'b1101;
            4'b0110: count <= 4'b1110;
            4'b0111: count <= 4'b1111;
            4'b1000: count <= 4'b0000;
            4'b1001: count <= 4'b0010;
       endcase
    end
    else
    begin
        case (count)
            4'b1010: count <= 4'b0011;
            4'b1011: count <= 4'b0100;
            4'b1100: count <= 4'b0101;
            4'b1101: count <= 4'b0110;
            4'b1110: count <= 4'b0111;
            4'b1111: count <= 4'b1000;
            4'b0000: count <= 4'b1001;
            4'b0001: count <= 4'b0010;
       endcase
    end
end
```

```
//Coverage level 1 enabled by default
assert_no_overflow #(0, 4, 2, 9, 0, "ERROR: count changed
from max (9) value to a value either > max (9) or <= min (2)")
value overflow (clk, reset n, count);</pre>
```

endmodule

# assert\_no\_transition

The assert\_no\_transition checker continuously monitors the  $test\_expr$  variable at every positive edge of the triggering event, positive clk edge. When this variable evaluates to the value of  $start\_state$ , the monitor ensures that  $test\_expr$  will never transition to the value of  $next\_state$ . The width parameter defines the size (that is, number of bits) of the  $test\_expr$ .

#### **Syntax**

#### **Arguments**

width

Width of the monitored expression test expr.

```
test expr
```

Expression being verified at the positive edge of clk.

```
start state
```

Triggering state of test expr.

```
next state
```

Invalid state for the machine represented by  $test\_expr$  when traversed from state  $start\_state$ . The value of  $next\_state$  at the time when  $test\_expr$  becomes equal to  $start\_state$  is that used for comparison with  $test\_expr$  even when  $test\_expression$  changes to a new value in subsequent cycles.

#### **Coverage Modes**

```
Cov_level_1_0 (bit 0 set in coverage_level_1)
Cover property, cover_nb_of_times_start_state_occured,
indicates that test_expr was set to the value specified in
start_state.

cov_level_2_0 (bit 0 set in coverage_level_2) :
Cover point, observed_hold_time, records the number of clk
cycles the test_expr remained in start_state before making a
transition to another state other than next_state.
```

```
'define ASSERT ON
'define COVER ON
module testbench;
reg reset n, clk;
child CH (reset n, clk);
initial begin
   clk = 0;
    reset n = 0;
    #40 reset n = 1;
    #980 $finish;
end
always #20 clk = \simclk;
endmodule
module child(reset n, clk);
input reset n, clk;
reg [3:0] count, start, next;
initial $monitor("count = %b \n", count);
always @(posedge clk)
```

```
begin
    if (reset n == 0)
    begin
        count <= 4'b0000;
        start <= 4'b0011;
        next <= 4'b1001;</pre>
    end
    else
       count <= count + 1;</pre>
    if (count == 4'b0011)
        count <= 4'b1001;
end
//Coverage level 2 enabled
assert no transition \#(0, 4, 0, "ERROR: count has reached
the next state of 9 from the start state of 3", 0, 0, 1)
transition stop (clk, reset n, count, start, next);
endmodule
```

# assert\_no\_underflow

The assert\_no\_underflow checker continuously monitors the  $test_expr$  at every positive edge of the triggering event or clock clk. This assertion verifies that  $test_expr$  will never:

Change value from a min value (default = 0) to a value less than min,

or

Change to a value greater than or equal to max (default (2\*\*width) 1).

The test expr can be any valid Verilog expression.

#### **Syntax**

# **Arguments**

width

Width of the monitored expression test expr.

min

Minimum value sampled at clock (t) of clk with default value of 0.

max

Maximum value sampled at clock (t+1) of clk with default value of (2\*\*width - 1).

```
test expr
```

Expression being verified at the positive edge of clk.

#### **Coverage Modes**

```
Cover property, cover_nb_of_test_expr_changes, indicates that the test_expr changed when enabled by reset_n.

cov_level_2_0 (bit 0 set in coverage_level_2)

Cover point, observed_value, records the values taken by test_expr

cov_level_3_0 (bit 0 set in coverage_level_3)

Cover property, cover_test_expr_reached_min_value, indicates that the test_expr changed to value equal to min.

cov_level_3_1 (bit 1 set in coverage_level_3)

Cover property, cover_test_expr_reached_max_value, indicates that the test_expr changed to value equal to max.
```

```
'define ASSERT_ON
'define COVER_ON
module testbench;
reg reset_n, clk;

child CH (reset_n, clk);

initial begin
    clk = 0;
    reset_n = 0;
    #40 reset_n = 1;
    #980 $finish;
end

always #20 clk = ~clk;
endmodule

module child(reset_n, clk);
input reset_n, clk;
```

```
reg [3:0] count;
initial $monitor("count = %b \n", count);
always @(posedge clk)
begin
    if (reset n == 0)
        count <= 4'b0011;
    if (count >= 4'b0010 && count <= 4'b1001)
    begin
        case (count)
            4'b0010: count <= 4'b0001;
            4'b0011: count <= 4'b1011;
            4'b0100: count <= 4'b1100;
            4'b0101: count <= 4'b1101;
            4'b0110: count <= 4'b1110;
            4'b0111: count <= 4'b1111;
            4'b1000: count <= 4'b0000;
            4'b1001: count <= 4'b0010;
       endcase
    end
    else
    begin
        case (count)
            4'b1010: count <= 4'b0011;
            4'b1011: count <= 4'b0100;
            4'b1100: count <= 4'b0101;
            4'b1101: count <= 4'b0110;
            4'b1110: count <= 4'b0111;
            4'b1111: count <= 4'b1000;
            4'b0000: count <= 4'b1001;
            4'b0001: count <= 4'b0010;
       endcase
    end
end
//Coverage level 3 enabled
assert no underflow #(0, 4, 2, 9, 0, "ERROR: count changed from
min (2) to a value either < min (2) or >= max (9)", 0, 0, 0, 0)
value underflow (clk, reset n, count);
endmodule
```

# assert\_odd\_parity

The assert\_odd\_parity checker monitors for odd number of '1's in  $test\_expr$  at every positive edge of the clock, clk. The  $test\_expr$  can be any valid Verilog expression.

### **Syntax**

### **Arguments**

width

Width of the monitored expression test expr.

```
test expr
```

Expression being verified at the positive edge of clk.

## **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1)
Cover property cover_test_expr_change indicates that the
test expr changed value.
```

```
'define ASSERT_ON
'define COVER_ON
module testbench;
reg reset_n, clk;
child CH (reset_n, clk);
initial begin
    $vcdpluson;
```

```
clk = 0;
    reset n = 0;
    #40 reset n = 1;
    #980 $finish;
end
always #20 clk = \simclk;
endmodule
module child(reset n, clk);
input reset n, clk;
reg [6:0] count;
initial $monitor("count = %b \n", count);
always @(posedge clk)
begin
    if (reset n == 0)
    begin
        count <= 7'b1111111;</pre>
    end
    else
        count <= count << 1;</pre>
end
//There are 7 bits in test expr
//By default Level 1 //coverage is enabled
assert odd parity \#(0, 7, 0,
  "ERROR: count does not have an odd number of bits asserted")
valid count odd (clk, reset n, count);
endmodule
```

# assert\_one\_cold

The assert\_one\_cold checker ensures that the variable, test\_expr, has only one bit low at any positive clock edge when the checker is configured for no inactive states.

The checker can also be configured to accept all bits equal to either 0 or 1 as the inactive level.

The test expr can be any valid Verilog expression.

#### **Syntax**

#### **Arguments**

width

Width of the monitored expression test expr.

inactive

Specifies the inactive state of test\_expr.

If *inactive* is set to 0, then this checker acts like a <code>zero\_one\_cold</code> checker (that is, the inactive state of <code>test\_expr</code> is all zeroes).

If *inactive* is set to 1, then this checker acts like a <code>one\_one\_cold</code> checker (that is, the inactive state is all ones).

The default value (that is, 2) specifies that there is no inactive state (that is, always one cold).

```
test expr
```

Expression being verified at the positive edge of c1k.

### **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1)
   Cover property cover_test_expr_change indicates that the
   test_expr changed value.

cov_level_2_0 (bit 0 set in coverage_level_2)
   Cover point bit_is_0_after_a_change reports which bit in
   test_expr was 0 at least once after a change of test_expr value.
```

```
cov_level_2_1 (bit 1 set in coverage_level_2)
```

Cover property cover\_test\_expr\_with\_all\_1 indicates that the test expr was all 1s. Enabled when inactive == 1.

```
cov_level_2_2 (bit 2 set in coverage_level_2)
```

Cover property cover\_test\_expr\_with\_all\_0 indicates that the test expr was all 0s. Enabled when inactive == 0.

```
cov level 3 0 (bit 0 set in coverage level 3)
```

Cover property cov\_level\_3[i].cover\_test\_expr\_bit\_is\_0 indicates that bit i of test\_expr was 0 when test\_expr changed value.

```
'define ASSERT_ON
'define COVER_ON
module testbench;
reg reset_n, clk;

child CH (reset_n, clk);

initial begin
    $vcdpluson;
    clk = 0;
    reset_n = 0;
    #40 reset_n = 1;
    #980 $finish;
end
```

```
always #20 clk = \simclk;
endmodule
module child(reset n, clk);
input reset n, clk;
req [7:0] count;
initial $monitor("count = %b \n", count);
always @(posedge clk)
begin
    if (reset n == 0)
        count <= 8'b11111110;</pre>
    else
        count <= ((count << 1) | {7'b0000000, count[7]});</pre>
end
//The check is done on count having 8 bits, inactive is 0
//Level 1 coverage is enabled by default.
assert one cold \#(0, 8, 0, 0, "ERROR: count is not one-cold")
  valid_one_cold (clk, reset_n, count);
endmodule
```

# assert\_one\_hot

The assert\_one\_hot checker ensures that the variable, test\_expr, has only one bit set to 1 at any positive clock clk edge. The test\_expr can be any valid Verilog Expression.

### **Syntax**

### **Arguments**

width

Width of the monitored expression test expr.

```
test expr
```

Expression being verified at the positive edge of clk.

Note the following:

## **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1)
```

Cover property cover\_test\_expr\_change indicates that the test\_expr changed value.

```
cov level 2 0 (bit 0 set in coverage level 2)
```

Cover point cover\_test\_expr\_bit\_is\_1 indicates which bit in test\_expr was 1 at least once after a change of test\_expr value.

```
cov_level_3_0 (bit 0 set in coverage_level_3)
```

# Cover property

test\_expr\_bit\_is\_1[i].cover\_test\_expr\_bit\_is\_1 indicates that bit i of test expr was 1 when test expr changed value.

```
'define ASSERT ON
'define COVER ON
module testbench;
reg reset n, clk;
child CH (reset n, clk);
initial begin
    $vcdpluson;
    clk = 0;
    reset n = 0;
    #40 reset n = 1;
    #980 $finish;
end
always #20 clk = \simclk;
endmodule
module child(reset n, clk);
input reset n, clk;
reg [7:0] count;
initial $monitor("count = %b \n", count);
always @(posedge clk)
begin
    if (reset n == 0)
        count <= 8'b00000001;
    else
        count <= ((count << 1) | {7'b0000000, count[7]});</pre>
end
//The width of count is 8 bits
//Coverage Level 1 is enabled by default.
assert one hot #(0, 8, 0, "ERROR: count is not one-hot")
invalid one hot (clk, reset n, count);
endmodule
```

# assert\_proposition

The assert\_proposition checker continuously monitors the  $test\_expr$ . Hence, this assertion is unlike assert\_always; that is,  $test\_expr$  is not being sampled by a clock. This assert\_proposition assertion verifies that  $test\_expr$  will always evaluate true. If  $test\_expr$  evaluates to false while  $reset\_n$  is 1, an assertion will fire (that is, an error condition will be detected in the code). The  $test\_expr$  can be any valid Verilog expression.

#### **Syntax**

### **Arguments**

```
test expr
```

Expression being verified.

#### **Note**

There is no cover property or cover group in this checker. Therefore the <code>coverage\_level\_i</code> parameters are not provided.

```
'define ASSERT_ON
module testbench;
reg reset_n, clk, sig;
child CH (reset_n, sig);
initial begin
    clk = 0;
    reset_n = 0;
    sig = 0;
```

```
#80 \text{ reset n} = 1;
    #980 $finish;
end
always #20 clk = \simclk;
always #40 sig = ~sig;
endmodule
module child(reset n, sig);
input reset n, sig;
reg [3:0] count;
initial $monitor("time = %d count = %b \n", $time, count);
always @(sig)
begin
    if (reset n == 0 \mid \mid count >= 9)
        count <= 4'b0000;
    else
        count <= count + 1;</pre>
end
assert_proposition
\#(0, 0, 0) "ERROR: count not within 3 and 9, both inclusive")
valid proposition
(reset n, (count \geq 4'b0011) && (count \leq 4'b1001));
endmodule
```

# assert\_quiescent\_state

The assert\_quiescent\_state checker verifies that the value in the variable, state\_expr, is equal to the value specified by <code>check\_value</code> and optionally at the end of simulation using the macro <code>`ASSERT\_END\_OF\_SIMULATION</code>. Verification occurs when a sampled rising edge (as sampled by <code>clk</code>) is detected on <code>sample event</code>.

## **Syntax**

### **Arguments**

width

Width of the monitored expression state expr.

```
state_expr
```

Expression being verified at the positive edge of c1k.

```
check value
```

Specifies value for state\_expr when quiescent. (i.e., a signal that holds the value to be compared with state\_expr when sample\_event is asserted).

```
sample event
```

Triggers the quiescent state check when a sampled rising edge is detected (as sampled by clk).

```
`ASSERT END OF SIMULATION
```

This macro can be used to quiescent the state expression at the end of simulation. For example:

+define+ASSERT\_END\_OF\_SIMULATION=top.sim\_end
If this macro is assocoated with a signal it will trigger when this
signal raises (sampled transition by the clock).

### **Coverage Modes**

```
cov level 1 0 (bit 0 set in coverage level 1)
```

Cover property <code>cover\_quiescent\_state</code> indicates that the quiescent state was reached

```
'define ASSERT ON
'define COVER ON
module testbench;
reg reset n, clk, sig;
child CH (reset n, clk, sig);
initial begin
    $vcdpluson;
    clk = 0;
    reset n = 0;
    sig = 0;
    #80 \text{ reset n} = 1;
    #980 $finish;
end
always #20 clk = \simclk;
always #40 sig = ~sig;
endmodule
module child(reset n, clk, sig);
input reset n, clk, sig;
reg [3:0] count, value;
initial $monitor(" sig = %b count = %b \n", sig, count);
```

```
always @(posedge clk)
begin
    if (reset n == 0)
    begin
        count <= 4'b0000;
        value <= 4'b0100;</pre>
    end
    else
        count <= count + 1;</pre>
    if (count >= 9)
        count <= 1'b0;
end
//Coverage level 1 enabled by default
assert quiescent state #(0, 4, 0, "ERROR: count not equal
to 4 when sampled on posedge of event sig")
valid_q_state (clk, reset_n, count, value, sig);
endmodule
```

## assert\_range

The assert\_range checker continuously monitors the  $test_{expr}$  at every positive edge of the triggering event, clk. The checker ensures that the value of  $test_{expr}$  will always be within the min and max value range. The min and max should be a valid parameter and min must be less than or equal to max. The  $test_{expr}$  can be any valid Verilog expression.

### **Syntax**

### **Arguments**

width

Width of the monitored expression test expr.

min

Minimum value allowed for range check. Default = 0.

max

Maximum value allowed for range check. Default = (2\*\*width - 1).

```
test expr
```

Expression being verified at the positive edge of c1k.

## **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1)
Coverproperty, cover_nb_of_test_expr_changes, indicates that
the test_expr changed value.
```

```
cov level 2 0 (bit 0 set in coverage level 2)
```

Cover point, cover\_observed\_value, reports all the values taken by test expr

```
cov level 3 0 (bit 0 set in coverage level 3)
```

Cover property, cover\_test\_expr\_reached\_min\_value, indicates that the test expr reached the min parameter value.

```
cov_level_3_1 (bit 1 set in coverage_level_3)
```

Cover property, cover\_test\_expr\_reached\_max\_value, indicates that the test expr reached the max parameter value.

```
'define ASSERT ON
'define COVER ON
module testbench;
reg reset n, clk;
child CH (reset n, clk);
initial begin
    clk = 0;
    reset n = 0;
    #40 reset n = 1;
    #980 $finish;
end
always #20 clk = \simclk;
endmodule
module child(reset n, clk);
input reset n, clk;
reg [3:0] count;
initial $monitor("count = %b \n", count);
always @(posedge clk)
begin
    if (reset n == 0)
```

```
begin
        count <= 4'b0010;
    end
    if (count >= 4'b0010 && count <= 4'b1001)
    begin
        case(count)
            4'b0010: count <= 4'b1010;
            4'b0011: count <= 4'b1011;
            4'b0100: count <= 4'b1100;
            4'b0101: count <= 4'b1101;
            4'b0110: count <= 4'b1110;
            4'b0111: count <= 4'b1111;
            4'b1000: count <= 4'b0000;
            4'b1001: count <= 4'b0001;
       endcase
    end
    else
    begin
        case (count)
            4'b1010: count <= 4'b0011;
            4'b1011: count <= 4'b0100;
            4'b1100: count <= 4'b0101;
            4'b1101: count <= 4'b0110;
            4'b1110: count <= 4'b0111;
            4'b1111: count <= 4'b1000;
            4'b0000: count <= 4'b1001;
            4'b0001: count <= 4'b0010;
       endcase
    end
end
//Coverage level 2 enabled
assert range
#(0, 4, 2, 9, 0, "ERROR: count not within 2 and 9", 0, 0, 1, 0)
valid range (clk, reset n, count);
endmodule
```

# assert\_time

The assert\_time checker continuously monitors the  $start_expr$ . When this signal (or expression) evaluates true, the assertion monitor ensures that the  $test_expr$  evaluates to true for the next  $num_cks$  number of clocks.

### **Syntax**

### **Arguments**

num\_cks

The number of clocks  $test_{expr}$  must evaluate to true after  $start\ event$  is asserted.

flag

- 0 Ignores any asserted start\_event after the first one has been detected (default);
- 1 Re-start monitoring <code>test\_expr</code> if <code>start\_event</code> is asserted in any subsequent clock while monitoring <code>test\_expr</code>;
- 2 Issue an error if an asserted <code>start\_event</code> occurs in any clock cycle while monitoring <code>test\_expr</code>.

```
start event
```

Starting event that triggers monitoring of the test expr.

```
test expr
```

Expression being verified at the positive edge of clk.

### **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1)
```

Cover property cover\_start\_event indicates that there was a start event asserted.

```
cov_level_1_1 (bit 1 set in coverage_level_1)
```

Cover property cover time indicates that there was a match.

```
cov_level_3_0 (bit 0 set in coverage_level_3)
```

Cover property cover\_overlapping\_start\_events indicates that there were overlapping start events.

```
'define ASSERT ON
'define COVER ON
module testbench;
reg reset n, clk;
child CH (reset n, clk);
initial begin
    $vcdpluson;
    clk = 0;
    reset n = 0;
    #40 reset n = 1;
    #1000 $finish;
end
always #20 clk = \simclk;
endmodule
module child(reset n, clk);
input reset n, clk;
reg start, expr;
integer count;
initial $monitor ("count = %d start = %b expr = %b \n",
```

```
count, start, expr);
always @(posedge clk)
begin
    if (reset n == 0)
    begin
        start <= 0;
        expr <= 0;
        count <= 0;
    end
    else
        count <= count + 1;</pre>
    if (count == 4)
        start <= 1;
    else
        start <= 0;
     if (count == 4 || count == 5 || count == 6 ||
        count == 7 || count == 8 || count == 9)
        expr <= 1;
    else
        expr <= 0;
end
//The time interval is 4 clock cycles
//Restart checking on start event
//Coverage levels 1 and 3 are enabled
assert time \#(0, 4, 1, 0,
    "ERROR: expr not true within 4 cycles after start",
    0, 15, 0, 15)
valid time (clk, reset n, start, expr);
The time interval is 4 clock cycles, restart checking on
start event and coverage levels 1 and 3 are enabled
*/
endmodule
```

# assert\_transition

The assert\_transition checker continuously monitors the  $test_expr$  variable at every positive edge of the triggering event, clk. When  $test_expr$  evaluates to the value of  $start_state$ , the checker ensures that  $test_expr$  will always change to the value of  $next_state$ . The width parameter defines the size (that is, number of bits) of the  $test_expr$ .

### **Syntax**

#### **Arguments**

width

Width of test expr with default value of 1.

```
test expr
```

State variable representing finite-state machine (FSM) being checked at the positive edge of *clk*.

```
start state
```

Triggering state of test\_expr. The start\_state value should be different from the next state value.

```
next state
```

Next valid state for machine represented by <code>test\_expr</code> when traversed from state <code>start\_state</code>.

#### **Coverage Modes**

```
Cover property, cover_nb_of_times_start_state_occured, indicates that the test_expr entered the start_state.

cov_level_1_1 (bit 1 set in coverage_level_1)

Cover property, cover_nb_of_transitions, indicates that the test_expr entered the start_state and made a transition to the next_state.

cov_level_2_0 (bit 0 set in coverage_level_2)

Cover point, observed_hold_time, reports the number of clk cycles the test_expr remained in the start_state before making a transition to the next_state.
```

```
'define ASSERT ON
'define COVER ON
module testbench;
reg reset n, clk;
child CH (reset n, clk);
initial begin
    clk = 0;
    reset n = 0;
    #40 reset n = 1;
    #980 $finish;
end
always #20 clk = \simclk;
endmodule
module child(reset n, clk);
input reset n, clk;
reg [3:0] count, start, next;
```

```
initial $monitor("count = %b \n", count);
always @(posedge clk)
begin
    if (reset n == 0)
    begin
        count <= 4'b0000;
        start <= 4'b0011;
        next <= 4'b1001;
    end
    else
        count <= count + 4'b0001;</pre>
    if (count == 4'b0011)
        count <= 4'b0111;
end
//Cover point cov level 1 1 enabled at level 1 \,
assert transition \#(0, 4, 0, "ERROR: count did not reach the
next state of 9 from the start state of 3", 0, 2, 0, 0)
valid transition (clk, reset n, count, start, next);
endmodule
```

# assert\_unchange

The assert\_unchange checker continuously monitors the start\_event at every positive edge of the triggering event, clk. When this signal (or expression) evaluates true, the checker ensures that the test\_expr will not change values within the next num\_cks number of clock cycles.

### **Syntax**

#### **Arguments**

width

Width of the expression, test expr. Default = 1.

num cks

Number of clock cycles for  $test\_expr$  to change its value before an error is triggered after  $start\_event$  is asserted. Default = 1.

flag

- 0 Ignore any  $start_{event}$  assertion after the first one has been detected. Default = 0.
- 1 Re-start monitoring test\_expr, if start\_event is asserted in any subsequent clock while monitoring test expr.
- 2 Issue an error if an asserted <code>start\_event</code> occurs in any clock cycles while monitoring <code>test\_expr</code>.

```
start event
```

Starting event that triggers monitoring of the test expr.

```
test expr
```

Expression or variable being verified at the positive edge of clk.

#### **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1)
Cover property cover_start_event indicates that the
   start_event was asserted.
cov level 1 1 (bit 1 set in coverage level 1)
```

Cover property cover\_unchange indicates that the test\_expr remained stable the required time interval.

```
cov_level_3_0 (bit 0 set in coverage_level_3)
```

Cover property <code>cover\_overlapping\_start\_events</code> indicates that a <code>start\_event</code> occurred while a previously triggered evaluation attempt was still in progress.

```
'define ASSERT ON
'define COVER ON
module testbench;
reg reset n, clk;
child CH (reset n, clk);
initial begin
    $vcdpluson;
    clk = 0;
    reset n = 0;
    #40 reset n = 1;
   #1000 $finish;
end
always #20 clk = \simclk;
endmodule
module child(reset n, clk);
input reset n, clk;
```

```
reg start;
reg [3:0] expr;
integer count;
initial $monitor ("count = %d start = %b expr = %b \n",
count, start, expr);
always @(posedge clk)
begin
    if (reset n == 0)
   begin
        start <= 0;
        expr <= 4'b0000;
        count <= 0;
    end
    else
        count <= count + 1;</pre>
    if (count == 3)
        start <= 1;
    else
        start <= 0;
   if (count == 3 || count == 4 || count == 5 || count ==
6 || count == 7 || count == 8 || count == 9)
        expr <= 4'b0110;
    else
        expr <= expr + 1;
end
// Coverage Level 2 selected by default
assert unchange #(0, 4, 4, 1, 0, "ERROR:test expr changed
within 4 clock cycles")
valid unchange (clk, reset n, start, expr);
```

The value of expr should not change within 4 clock cycles after start. expr has 4 bits and flag = 1, i.e., RESET ON START is requested. Coverage Level 1 is enabled by default.

endmodule

## assert\_width

The assert\_width checker continuously monitors the test\_expr. When this signal (or expression) evaluates true, it ensures that the test\_expr evaluates to true for a specified minimum number of clock cycles and does not exceed a maximum number of clock cycles.

## **Syntax**

### **Arguments**

```
min cks
```

Specifies the minimum number of clock cycles where test\_expr should be true. If the test\_expr goes false before min\_cks, then an error occurs. The default value is 1.

```
max cks
```

Specifies the maximum number of clock cycles where  $test\_expr$  can be true. If set to 0, then there is no maximum check (any value is valid). If the  $test\_expr$  is true for more than  $max\_cks$ , then an error occurs. The default value is 1.

```
test expr
```

Expression being verified at the positive edge of c1k.

## **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1) :
   Cover property, cover_nb_of_test_expr_posedges, indicates
   that a postive edge was observed on the test_expr.
```

```
cov level 1 1 (bit 1 set in coverage level 1) :
```

Cover property, <code>cover\_width</code>, indicates that the <code>test\_expr</code> was asserted for a duration defined by the <code>min\_cks</code> and <code>max\_cks</code> parameters.

```
cov level 2 0 (bit 0 set in coverage level 2) :
```

Cover point, <code>cover\_observed\_hold\_time</code>, reports the observed numbers of clock cycles for which the <code>test\_expr</code> was asserted.

```
cov_level_3_0 (bit 0 set in coverage_level_3) :
```

# Cover property,

cover\_test\_exp\_change\_exactly\_after\_min\_cks, indicates that the test\_expr was sampled deasserted after being asserted for exactly min\_cks clock ticks.

```
cov_level_3_1 (bit 1 set in coverage_level_3) :
```

## Cover property,

cover\_test\_exp\_change\_exactly\_after\_max\_cks, indicates that the test\_expr was sampled deasserted after being asserted for exactly max cks clock ticks.

```
'define ASSERT_ON
'define COVER_ON
module testbench;
reg reset_n, clk;
child CH (reset_n, clk);
initial begin
    $vcdpluson;
    clk = 0;
    reset_n = 0;
    #40 reset_n = 1;
    #1000 $finish;
end
```

```
always #20 clk = \simclk;
endmodule
module child(reset n, clk);
input reset n, clk;
reg expr;
integer count;
initial $monitor ("time = %d expr = %b, count = %d \n",
$time, expr, count);
always @(posedge clk)
begin
     if (reset n == 0)
     begin
         expr <= 0;
         count <= 0;
     end
     else
         count <= count + 1;</pre>
    if (count == 4 || count == 5 || count == 6 || count == 7)
         expr <= 1;
     else
         expr <= 0;
end
//Coverage is disabled on this instance
assert width \#(0, 0, 4, 0, "ERROR: expr is not true for the
              specified number of clock cycles", 0, 0, 0, 0)
valid width (clk, reset n, expr);
endmodule
```

# assert\_win\_change

The assert\_win\_change checker continuously monitors the start\_event at every positive edge of the triggering event, clk. When this signal (or expression) evaluates true, it ensures that the test expr changes values prior to and including the end event.

### **Syntax**

### **Arguments**

width

Width of test expr with default value of 1.

start\_event

Starting event that triggers monitoring of the test expr

test expr

Expression being verified at the positive edge of clk.

end event

Event that terminates monitoring of a start event.

## **Coverage Modes**

```
cov_level_1_0 (bit 0 is set in coverage_level_1)
```

Cover property, cover\_nb\_of\_start\_events, indicates that the start event was sampled high.

```
cov_level_1_1 (bit 1 is set in coverage_level_1)
```

Cover property, <code>cover\_win\_change</code>, indicates that the <code>test\_expr</code> changed value before and including the <code>end event</code>.

```
cov level 2 0 (bit 0 is set in coverage level 2)
```

Cover point, <code>cover\_observed\_hold\_time</code>, reports the numbers of clock cycles for which the <code>test\_expr</code> remained unchanged after the <code>start event</code> occurred.

```
cov_level_3_0 (bit 0 is set in coverage_level_3)
```

### Cover property,

cover\_test\_exp\_change\_exactly\_at\_end\_event, indicates that a change on the test\_expr was sampled at the same time as the end event occurred.

```
'define ASSERT ON
'define COVER ON
module testbench;
reg reset n, clk;
child CH (reset n, clk);
initial begin
    $vcdpluson;
    clk = 0;
    reset n = 0;
    #40 reset n = 1;
    #1000 $finish;
end
always #20 clk = \simclk;
endmodule
module child(reset n, clk);
input reset n, clk;
reg start, expr, end event;
integer count;
initial $monitor ("expr = %b, start = %b end event = %b count
= %d \n", expr, start, end event, count);
```

```
always @(posedge clk)
begin
     if (reset n == 0)
     begin
         start <= 0;
         expr <= 0;
         end event <= 0;
         count <= 0;
     end
     else
         count <= count + 1;</pre>
     if (count == 4)
         start <= 1;
     else
         start <= 0;
     if (count == 7)
         expr = 1;
     if (count == 8)
         end event <= 1;</pre>
     else
         end event <= 0;</pre>
end
//Coverage level 1 enabled by default
assert win change #(0, 1, 0, "ERROR: expr did not change
                   even once between start and end events")
valid win change (clk, reset n, start, expr, end event);
endmodule
```

# assert\_win\_unchange

The assert\_win\_unchange checker continuously monitors the start\_event at every positive edge of the triggering event, clk. When this signal (or expression) evaluates true, it ensures that the test expr will not change in value up to and including the end event.

### **Syntax**

### **Arguments**

width

Width of test expr with default value of 1.

start event

Starting event that triggers monitoring of the test expr

test expr

Expression being verified at the positive edge of clk.

end\_event

Event that terminates monitoring of a start event.

## **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1)
Cover property, cover_nb_of_start_events, indicates that
    start event was asserted.
```

```
cov level 1 1 (bit 1 set in coverage level 1)
```

Cover property, <code>cover\_win\_unchange</code>, indicates that <code>test\_expr</code> remained stable for the duration between a <code>start\_event</code> and an <code>end\_event</code> including the arrival of <code>end\_event</code>.

```
cov level 2 0 (bit 0 set in coverage level 2)
```

Cover point, observed\_end\_event\_time, records the number of clock cycles between a start\_event and the subsequent end event.

```
cov_level_3_0 (bit 0 set in coverage_level_3)
```

Cover property,

cover\_test\_expr\_changes\_exactly\_after\_end\_event, indicates that the test\_expr changed at the clock tick just after an end event.

# assert\_window

The assert\_window checker continuously monitors the  $start_{event}$  at every positive clock edge clk. When the  $start_{event}$  evaluates true, it ensures that the  $test_{expr}$  evaluates true at every successive positive clock edge clk up to and including the end event expression.

Note: This assertion does not evaluate  $test\_expr$  on  $start\_event$ , it begins evaluating on the next positive clock edge clk.

#### **Syntax**

#### **Arguments**

```
start event
```

Starting event that triggers monitoring of the test\_expr

```
test expr
```

Expression being verified at the positive edge of c1k.

```
end event
```

Event that terminates monitoring of a start\_event.

## **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1)
Cover property, cover_nb_of_start_events, indicates that
    start event was asserted.
```

```
cov level 1 1 (bit 1 set in coverage level 1)
```

Cover property, cover\_window, indicates that test\_exprremained asserted for the duration between a start\_event and an end event including the arrival of end event.

```
cov level 2 0 (bit 0 set in coverage level 2)
```

Cover point, observed\_end\_event\_time, records the number of clock cycles between a start\_event and the subsequent end event.

```
cov_level_3_0 (bit 0 set in coverage_level_3)
```

### Cover property,

cover\_window\_terminates\_exactly\_after\_end\_event, indicates that the  $test_expr$  was deasserted at the clock tick just after an  $end\ event$ .

```
'define ASSERT_ON
'define COVER_ON
module testbench;
reg reset_n, clk;

child CH (reset_n, clk);

initial begin
    $vcdpluson;
    clk = 0;
    reset_n = 0;
    #40 reset_n = 1;
    #1000 $finish;
end

always #20 clk = ~clk;
endmodule

module child(reset n, clk);
```

```
input reset n, clk;
reg start, expr, end event;
integer count;
initial $monitor ("expr = %b, start = %b end event = %b count
= %d \n", expr, start, end event, count);
always @(posedge clk)
begin
     if (reset n == 0)
     begin
         start <= 0;
         expr <= 0;
         end event <= 0;
         count <= 0;
     end
     else
         count <= count + 1;</pre>
     if (count == 4)
         start <= 1;
     else
         start <= 0;
     if ((count >= 5 && count <= 8))
         expr = 1;
     else
         expr = 0;
     if (count == 8)
         end event <= 1;
     else
         end event <= 0;
end
//Coverage level 3 enabled
assert window #(0, 1, "ERROR: expr did not remain true at
every \overline{\text{clock}} edge between start and end events", 0, 0, 1)
valid window (clk, reset n, start, expr, end event);
endmodule
```

# assert\_zero\_one\_hot

The <code>assert\_zero\_one\_hot</code> checker continuously monitors the test\_expr at every positive edge of the triggering event, clk. It verifies that  $test_expr$  will have exactly one bit asserted or no bit asserted, otherwise, an assertion will fire (that is, an error condition will be detected in the code). The  $test_expr$  can be any valid Verilog expression.

## **Syntax**

## **Arguments**

width

Width of the monitored expression test expr.

```
test expr
```

Expression being verified at the positive edge of clk.

# **Coverage Modes**

```
cov level 1 0 (bit 0 set in coverage level 1)
```

Cover property cover\_test\_expr\_change indicates that the test expr changed value.

```
cov level 2 0 (bit 0 set in coverage level 2)
```

Cover property cover\_test\_expr\_with\_all\_0 indicates that the all 0 value occurred when test\_expr changed value.

```
cov_level_2_1 (bit 1 set in coverage_level_2)
```

Cover point bit\_is\_1\_after\_a\_change reports which bits in test\_expr were set to 1 at least once.

```
cov level 3 0 (bit 0 set in coverage level 3)
```

# Cover property

test\_expr\_bit\_is\_1[i].cover\_test\_expr\_bit\_is\_1 indicates that bit i was 1 after change of value.

## **Example**

```
'define ASSERT ON
'define COVER ON
module testbench;
reg reset n, clk;
child CH (reset n, clk);
initial begin
    $vcdpluson;
    clk = 0;
    reset n = 0;
    #40 reset n = 1;
    #980 $finish;
end
always #20 clk = \simclk;
endmodule
module child(reset n, clk);
input reset n, clk;
reg [7:0] count;
initial begin
    $monitor("count = %b \n", count);
end
always @(posedge clk)
```

```
if (reset_n == 0 || count == 8'b00000000)
        count <= 8'b00000001;
else
        count <= ((count << 1) | {7'b0, count[7]});

if (count == 8'b100000000)
        count <= 8'b00000000;
end

//The tested expression count is 8 bits wide.
//Coverage level 1 enabled by default
assert_zero_one_hot #(0, 8, 0, "ERROR: count is not one-hot")
valid_zero_one_hot (clk, reset_n, count);
endmodule</pre>
```

# 3

# **SVA Advanced Checkers**

The 2nd part of the checker library contains 22 checkers plus an sva\_std\_edge\_select.v file that contains an interface definition that is instantiated in all these new checkers and computes the appropriate clock edge.

The new checkers use the same controls as the SVL checkers in the previous chapter, but in addition they have a clock edge selection parameter, <code>edge expr</code>.

# **Checker Descriptions**

This section provides syntax and descriptions, and examples for all checkers.

# **Shared Syntax**

Many checkers share the same syntax elements. In addition to using severity\_level, reset\_n, clk, msg and  $coverage_level_i$ , where i = 1, 2, or 3, described in Chapter 1, the checkers in this chapter can select the active edge of the clock:

```
edge expr
```

Specifies the active edge for the clock signal (clk) in unit syntax. Use the following values to specify the edge type:

- posedge: 0 (the default)

- negedge: 1

If edge\_expr is not specified, it defaults to posedge.

# assert\_arbiter

Ensures that a resource arbiter provides grants to corresponding requests within min lat and max lat cycles.

The checks are not enabled unless  $reset_n$  evaluates true at the time of the request. The checks are performed on the active clk edge specification.

## **Syntax**

## **Arguments**

```
no\_chnl
```

The number of channels (bits) in requests and grants. Default = 2.

```
bw prio
```

The number of bits that are used to encode  $req_priority$ . Default = 1.

```
grant one chk
```

If true, then the unit will check to ensure that only one grant is issued per clock cycle. Default = 1.

```
req priority chk
```

If true, then this checker will ensure that grants are issued according to the priority indicated in the  $req\_priority$  vector.  $req\_priority\_chk$ .  $req\_priority\_chk$  functions on top of any other scheme using  $arbitration\_rule$ . That is, if priority and, say, FIFO is selected then first priority arbitration is applied and if multiple requests exist at the highest priority level, the final selection must satisfy the FIFO rule.

If  $req\_priority\_chk$  is 0 (disabled), then  $req\_priority$  is not taken into account in any of the other checks. However, the argument  $req\_priority$  must still have the correct dimension even though the actual values do not matter (e.g., pass vector of 0's). The  $req\_priority$  vector may be a design vector (i.e., not a constant array). However, while a request is being processed the  $req\_priority$  should not change, otherwise certain checks may produce incorrect results (success or failure). Default = 0.

```
arbitration rule
```

Selects which arbitration algorithm is verified among fairness, FIFO or least-recently used (LRU). It must be a compile-time constant.

```
arbitration_rule = 0 - no rule checked
arbitration_rule = 1 - fairness (round-robin)
arbitration_rule = 2 - FIFO
arbitration_rule = 3 - LRU
```

If fairness is selected, then this checker will ensure that no channel will be issued more than one grant while other channels have requests pending except if this is the only request at the highest req priority when req priority chk is asserted.

If FIFO is selected, then this checker will ensure that grants are issued according to the order that their requests were received unless  $req_priority_chk$  is asserted which means that the FIFO check is performed only on requests of the current highest  $req_priority$ .

If LRU is selected, then this checker will ensure that grants are issued to the least recently granted request. If  $req\_priority\_chk$  is also asserted than LRU is applied to (simultaneous) highest priority requests. Note that initially, all requests are assumed to have happened equally in the past, so that the selection between them is arbitrary until granted at least once.

min lat

The minimum global grant latency. Default = 1.

If 0, then the grant is expected starting the same cycle as the request (i.e., combinational arbiter is possible with  $max_lat = 0$ ). If priority arbitration check is enabled, then  $min_lat$  should be 0 or 1 only.

max lat

If  $max\_lat > 0$ , it specifies the maximum global grant latency regardless of the selection criterion. That is, a persistent request must be granted within  $max\_lat$  clock cycles. The check is useful in systems where a request must be granted within a certain latency even in the presence of other requests.

If  $max_{lat} = 0$ , the global latency check is disabled. Default = 0.

Requests signals as vectors.

Vector of size  $[no\_chnl-1:0]$  where the bits correspond to the corresponding channels in reqs. req is assumed to be 1 when active.

req priority

A [bw\_prio\*no\_chnl-1 : 0] bitvector of bw\_prio\*no\_chnl bits formed by concatenating non-negative integer req\_priority values corresponding to the request lines. The right-most bw\_prio bits in req\_priority corresponds to channel 0, etc. The req\_priority value 0 is the lowest req\_priority.

grants

Grants signals as vectors. Vector of size  $[no\_chnl-1:0]$  where the bits correspond to the corresponding channels in grants. Assumed to be 1 when active.

## **Assumptions**

When  $req_priority_chk = 0$  it is assumed that the  $req_priority$  vector is set to all 0 values.

It is preferrable that  $min\_lat > 0$  when  $req\_priority\_chk = 0$ , i.e., combinational response is possible only in  $req\_priority$  - based arbitration.

A grant is expected to be one clock cycle wide, unless the grant is for more than one consecutive request.

It is assumed that a request holds asserted until granted. It is assumed that a request is removed on the clock tick the grant is sampled, unless another request is immediately asserted. Its removal before a grant causes the grant to be cancelled, and this does cancel the check for a grant.

#### Failure modes

Upon failure assertion <code>assert\_arbiter\_one\_cycle\_gnt[i]</code> will report <code>!grants[i]</code> as the failing expression meaning that in position <code>i</code> the grant signal was not deasserted on the next cycle.

Assertion assert\_arbiter\_req\_granted[i] will report failure when in position i the grant signal did not arrive within the specified latency.

Assertion assert\_arbiter\_granted\_only\_if\_req[i] will report failure when in position i the grant signal occurred without a request being asserted at the same time.

Assertion assert\_arbiter\_highest\_grant[i] will report failure when line i the granted request was not that of the highest req\_priority.

Assertion assert\_arbiter\_fifo\_chk[i][j] will report failure if on line j the grant was asserted before the grant on line i while the requests came in the opposite order.

Assertion assert\_arbiter\_two\_active[i][j], a failure means that although there were continuous requests on lines i and j, the grant on line i arrived twice without a grant on line j.

Assertion assert\_arbiter\_single\_grant will report failure there were more than one grant at the same time.

# **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1)
```

Cover property cover\_arbiter\_req\_granted indicates there were granted requests for each channel

```
cov_level_2_0 (bit 0 set in coverage_level_2)
```

Cover property <code>loop\_A[i].cover\_abandoned\_req</code> indicates there were abandoned requests, for each channel

```
cov level 2 1 (bit 1 set in coverage level 2)
```

Cover point observed\_latency indicates which request-to-grant latency within the range min-max occurred at least once.

```
cov level 2 2 (bit 2 set in coverage level 2) :
```

Cover point, <code>concurrent\_requests</code>, reports which multiplicity of concurrent requests occurred. It is sampled when a grant to one of the requests is issued.

```
cov_level_3_0 (bit 1 set in coverage_level_3)
```

## Cover property Cover property

cover\_req\_granted\_exactly\_after\_min\_lat indicates how many times the req-to-grant latency was exactly equal to the specified min lat value.

```
cov_level_3_1 (bit 2 set in coverage_level_3)
```

## Cover property

loop\_A[i].cover\_req\_granted\_exactly\_after\_max\_lat
indicates how many times the req-to-grant latency was exactly
equal to the specified max lat value.

# **Example**

The instance

There are 2 request and 2 grant lines, enabled all the time,  $req\_priority$  is 0 for channel 0 and 1 for channel 1, encoded over one bit;  $grant\_one\_chk=1$ ,  $req\_priority\_chk=1$ ,  $arbitration\_rule=0$ ,  $min\_lat=1$ ,  $max\_lat=5$ . Signals are sampled at posedge clk. The (optional) message is "arbiter failed" and it is output in addition to the standard VCS message. Coverage levels 1 and 2 are enabled.

# assert\_bits

Ensures that the value of exp has between min and max number of bits that are asserted or deasserted as indicated by the asserted flag. To specify a single number and not a range, use min == max.

## **Syntax**

## **Arguments**

min

Minimum number of bits asserted or deasserted. Valid values of constant parameters: min, max must be non-negative integers. Default = 1.

max

Maximum number of bits asserted or deasserted. Valid values of constant parameters: min, max must be non-negative integers. Default = 1.

asserted

If deasserted evaluates true, then the check is to ensure that the specified number or range of bits in exp is 1. Otherwise, the check is to ensure the specified number or range of bits in exp is 0. Default = 1, meaning that the test is for bits set to 1.

exp bw

The number of bits in exp.

#### **Failure Modes**

Upon failure, if asserted = 1, then failure indicates that the number of bits set to 1 in exp was not in the interval [min, max], and if deasserted = 1, then failure indicates that the number of bits set to 0 was not in the specified interval.

## **Coverage Modes**

```
cov level 1 0 (bit 0 set in coverage level 1)
```

Cover property <code>cover\_bits\_exp\_change</code> indicates that the exp changed.

```
cov level 1 1 (bit 1 set in coverage level 1)
```

Cover property cover\_bits indicates that the number of bits asserted was within the min : max range.

```
cov level 3 0 (bit 0 set in coverage level 3)
```

Cover property cover\_min\_bits\_asserted indicates that the number of bits set was exactly equal to the specified min value.

```
cov_level_3_1 (bit 1 set in coverage_level_3)
```

Cover property cover\_max\_bits\_asserted indicates the number of times the number of bits set was exactly equal to the specified max value.

# **Example**

This example verifies that exp of width 4 has between 1 and 3 bits set to 0. The checker is always enabled because  $reset_n$  is 1 and exp is sampled at posedge clk. Coverage levels 1 and 3 are enabled.

```
assert_bits #(0, 1, 3, 0, 4, 5, "bits failed", 0, 15, 0, 15)
   bits inst ( clk, 1, exp);
```

# assert\_code\_distance

Ensures that when exp changes, the number of bits that are different compared to exp2 are at least min but no more than max in number. The check is not enabled unless  $reset_n$  evaluates true. The check is performed on the active clk edge specification.

## **Syntax**

## **Arguments**

min

The minimum number of bits that are different (must be non-negative integer).  $min \le max$ . Default = 1.

max

The maximum number of bits that are different. Default = 1.

bw

The number of bits in exp and exp2. Default = 2.

ехр

Signal being tested.

exp2

Signal that the signal under test (exp) is compared to.

#### **Failure Modes**

The assertion  $assert\_code\_distance$  will report failure when the expressions differ in more bits than the value of the max parameter or less than the min parameter.

## **Coverage Modes**

```
cov level 1 0 (bit 0 set in coverage level 1)
```

Cover property cover\_exp\_change indicates that the exp changed value.

```
cov level 1 1 (bit 1 set in coverage level 1)
```

Cover property cover\_code\_distance\_match indicates that the code distance was within the specified interval when exp changed.

```
cov level 2 0 (bit 0 set in coverage level 2)
```

Cover point observed\_code\_distance repoorts which code distances occured at least once.

```
cov level 3 0 (bit 0 set in coverage level 3)
```

Cover property <code>cover\_code\_distance\_eq\_to\_min</code> indicates that the observed code distance was exactly equal to the specified <code>min</code> value.

```
cov level 3 1 (bit 1 set in coverage level 3)
```

Cover property  $cover\_code\_distance\_eq\_to\_max$  indicates that the observed code distance was exactly equal to the specified max value.

# **Example**

```
assert_code_distance # (0, 1, 3, 4, 0, "bad code", 0, 15, 15, 15)

cd inst (clk, 1, exp1, exp2);
```

Reports failure when the number of different bits is not within the interval 1 to 3 at positive edge of c1k. exp1 and exp2 are 4 bits wide. Coverage levels 1, 2 and 3 are enabled.

# assert\_data\_used.

Ensures that data from src[sleft:sright] appears in dest[dleft:dright] within the window specified as start cycles from after the time trigger is asserted until finish number of cycles after trigger is asserted. The checks are not enabled unless  $reset_n$  evaluates true. The checks are performed on the active clk edge specification.

## **Syntax**

## **Arguments**

sleft

The most significant bit of the source signal's (src) bit slice. Default = 1.

sleft-sright should be equal to dleft-dright otherwise some
bits would be lost or compared with 0

sright

The least significant bit of the source signal's (src) bit slice. Default = 0.

dleft

The most significant bit of the destination signal's (dest) bit slice. Default = 1. dright

The least significant bit of the destination signal's (dest) bit slice. Default = 0.

Note: sleft - sright should be equal to dleft - dright; otherwise some bits would be lost or compared with 0

start

The number of cycles after the trigger signal (trigger) asserts to start the window. Default = 1.

Note that the specified number must be greater than or equal to 1.

finish

The number of cycles after the trigger signal (trigger) asserts to stop the window. Default = 1.

Note that the specified number must be greater than or equal to 0.

start = m, m>0, and finish = 0 means that the open-ended interval [m:\$] is to be used. Note that if this is the case, the assertion cannot be falsified.

trigger

Signal that triggers the start of the window.

src

Source signal.

dest

Destination signal.

#### **Failure Modes**

Upon failure the reported failing expression by the assertion sva\_data\_used is #[start:finish] (dest[dleft:dright] == sva\_v\_src\_value) where sva\_v\_src\_value is a variable that stores the original src value needed for the comparison.

## **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1)
```

Cover property, cover\_nb\_of\_times\_trigger\_asserted, indicates that trigger was asserted.

```
cov_level_1_1 (bit 1 set in coverage_level_1)
```

Cover property, <code>cover\_data\_used</code>, indicates that the data from <code>src[sleft:sright]</code> appeared in <code>dest[dleft:dright]</code> within the specified window.

```
cov level 2 0 (bit 0 set in coverage level 2)
```

Cover property, <code>observed\_delay</code>, records the delay observed between a <code>trigger</code> and the subsequent arrival of the data at <code>dest[dleft:dright]</code>.

```
cov_level_3_0 (bit 0 set in coverage_level_3)
```

# Cover property,

cover\_data\_used\_exactly\_after\_start\_clk\_cycles, indicates that data arrived at <code>dest[dleft:dright]</code> start number of clock cycle after a <code>trigger</code> was asserted.

```
cov_level_3_1 (bit 1 set in coverage_level_3)
```

# Cover property,

cover\_data\_used\_exactly\_after\_finish\_clk\_cycles, indicates that data arrived at <code>dest[dleft:dright]</code> finish number of clock cycle after a <code>trigger</code> was asserted.

# **Example**

The transfer is triggered by the signal load, from data[15:3] to  $out\_reg[12:0]$ , and it has to happen within 1 to 3 clock cycles. All 3 coverage levels are enabled.

# assert\_driven

Ensure that all bits of exp are driven (none are floating z or x). The check is not enabled unless  $reset_n$  evaluates true (1). The check is performed on the active clk edge specification.

## **Syntax**

## **Arguments**

bw

The number of bits in the signal being tested (exp). Default = 2.

exp

Signal being tested.

# **Coverage Mode**

```
cov level 2 0 (bit 0 set in coverage level 2)
```

Cover point, <code>cover\_observed\_driven\_x\_or\_z</code>, indicates which bits were either <code>x</code> or <code>z</code> at any point of time during the simulation.

NOTE: Since the default coverage is always level 1, this coverage is not enabled by default! There is no coverage at level 1 and at level 3.

# **Example**

```
assert_driven #(0, 16, 1, "bad X or Z", 0, 1, 0)
driven inst (clk, 1 , sig);
```

It will report a failure when at least one bit in the 16-bit bitvector exp was X or Z. Sampling is on negedge of clk due to edge\_expr = 1. Coverage statistics for the level 2 will be generated by default.

NOTE: When this checker is used with SV Compiler for formal tools, the assertion is removed because the tool uses only 2-state signal values (case equality === with 1'bx is not synthesizable).

# assert\_dual\_clk\_fifo

Implements a checker for a dual-clock, single in- and single out-port queue.

## **Syntax**

## **Arguments**

depth

The maximum number of elements in the queue. Default = 2. The specified depth can be at most  $2^{16}$ .

```
elem sz
```

The size of queue elements in bits. Default = 1.

```
hi water mark
```

If  $hi\_water\_mark$  is a positive value, then the level of the fill of the queue after enqueue will be checked to see if  $hi\_water\_mark$  is exceeded. Once high water has been exceeded once, this check is disabled until the FIFO size decreases again to or below the mark. If  $hi\_water\_mark = 0$  then the high-water mark check is disabled and only overflow is checked, i.e., when the depth of the queue is exceeded (provided that  $oflow\_chk = 1$ ). Default = 0, check disabled.

enq lat

A compile-time non-negative integer constant that indicates the number of cycles between enq being asserted 1 and  $enq\_data$  being valid in the corresponding position. At that point all enqueue data is dropped and further checking is disabled until dequeue occurs. If an enqueue and dequeue happen simultaneously then no overflow is reported. Default = 0.

deq lat

The number of  $deq_{clk}$  cycles between deq being asserted 1 and deq data being valid. Default = 0.

oflow chk

When an enq bit is asserted 1: If  $oflow_chk$  evaluates true, ensures that queue does not overflow the max size given in depth. depth (maximum size = t 2\*\*16). Default = 1.

uflow chk

When a deq bit is asserted 1:if  $uflow_chk$  evaluates true, ensures that queue was not empty (underflow); if a dequeue on empty is detected, then the check is disabled until the next enqueue operation. Default = 1.

value\_chk

If  $value\_chk$  evaluates true, ensures  $deq\_data$  as selected by the same position as the highest priority deq bit is the same as that at the head of the queue. Default = 1.

enq\_edge\_expr

The active clock edge of enq clk. Default = 0.

deq edge expr

The active clock edge of deq clk. Default = 0.

eng clk

Clock signal that synchronizes the enqueue side of the queue.

eng

When enq is asserted 1: If  $oflow\_chk$  evaluates true, ensures that queue does not overflow the max size given in depth. The specified depth can be at most 2\*\*16.

eng data

Data being enqueued.

deq clk

Clock signal that synchronizes dequeue side of the queue.

deq

Set to 1 when data is being dequeued.

deq data

Data being dequeued compared with the value at the head of the queue.

#### **Failure Modes**

Assertion assert\_fifo\_dcq\_overflow will report a failure when eng is issued while the FIFO is full.

Assertion assert\_fifo\_dcq\_underflow will report a failure when the dequeue command is issued and the FIFO is empty at that time.

Assertion assert\_fifo\_dcq\_value\_chk will report failure when there is a dequeue, the FIFO is not empty and the dequeued data does not match that on deq data port..

Assertion assert\_fifo\_dcq\_hi\_water\_chk will report a failure if the FIFO is filled above the high-water mark.

## **Coverage Modes**

```
cov level 1 0 (bit 0 set in coverage level 1)
```

Cover property cover\_number\_of\_enqs indicates that an enqueue occurred.

```
cov level 1 1 (bit 1 set in coverage level 1) :
```

Cover property, <code>cover\_number\_of\_deqs</code>, indicates that a dequeue occurred.

```
cov level 1 2 (bit 2 set in coverage level 1)
```

Cover property cover\_enq\_followed\_eventually\_by\_deq indicates that an enqueue was followed later by a dequeue.

```
cov level 2 0 (bit 0 set in coverage level 2)
```

Cover point <code>observed\_outstanding\_contents</code> indicates the fill levels reached at least once, sampled whenever the FIFO occupancy changed.

```
cov level 3 0 (bit 0 set in coverage level 3)
```

Cover property <code>cover\_fifo\_hi\_water\_chk</code> that the high water mark was reached on an enqueue.

```
cov_level_3_1 (bit 1 set in coverage_level_3)
```

Cover property cover\_number\_of\_empty indicates that empty was reached on dequeue.

```
cov_level_3_2 (bit 2 set in coverage_level_3)
```

Cover property <code>cover\_number\_of\_full</code> indicates that full was reached on enqueue.

## **Example**

It will reset the queue when  $reset_n$  is 0 (must cover at least one posedge (by default) eclk and one negedgedclk), the number of elements in the FIFO is 10, high-water mark is disabled by default, the data size is 16 bits, all checks (overflow, underflow and value) are enabled, there is only the default message. All 3 coverage levels are enabled.

# assert\_fifo

Implements a checker for a single-clock, single in- and single outport queue.

# **Syntax**

## **Arguments**

depth

The maximum number of elements in the queue. Default = 2. The specified depth can be at most  $2^{16}$ .

```
elem sz
```

The size of queue elements in bits. Default = 1.

```
hi water mark
```

If  $hi\_water\_mark$  is a positive value, then the level of the fill of the queue after enqueue will be checked to see if  $hi\_water\_mark$  is exceeded. Once high water has been exceeded once, this check is disabled until the FIFO size decreases again to or below the mark. If  $hi\_water\_mark = 0$  then the high-water mark check is disabled and only overflow is checked, i.e., when the depth of the queue is exceeded (provided that  $oflow\_chk = 1$ ). Default = 0, check disabled.

enq lat

A compile-time non-negative integer constant that indicates the number of cycles between enq being asserted 1 and  $enq\_data$  being valid in the corresponding position. At that point all enqueue data is dropped and further checking is disabled until dequeue occurs. If an enqueue and dequeue happen simultaneously then no overflow is reported. Default = 0.

deq lat

The number of  $deq_clk$  cycles between deq being asserted 1 and deq data being valid. Default = 0.

 $oflow_chk$ 

When an enq bit is asserted 1: If  $oflow\_chk$  evaluates true, ensures that queue does not overflow the max size given in depth. depth (maximum size = t 2\*\*16). Default = 1.

uflow chk

When a deq bit is asserted 1:if  $uflow_chk$  evaluates true, ensures that queue was not empty (underflow); if a dequeue on empty is detected, then the check is disabled until the next enqueue operation. Default = 1.

value\_chk

If  $value\_chk$  evaluates true, ensures  $deq\_data$  as selected by the same position as the highest priority deq bit is the same as that at the head of the queue. Default = 1.

pass thru

If an enqueue and dequeue operation happens simultaneously on an empty queue, then the behavior depends on the *pass\_thru* parameter (it must be a compile-time constant):

If  $pass\_thru = 0$  then the dequeue happens before enqueue, hence the empty condition is detected and reported and an underflow (provided that  $uflow\_chk = 1$ ). If  $value\_chk = 1$  then the value check fails. Default = 0.

If pass\_thru = 1 then it is assumed that enqueue happens first and the data is immediately dequeued and compared with deq\_data if value\_chk is enabled. Also, there is no underflow error reported.

If an enqueue and a dequeue operation happen simultaneously on a full queue then no overflow is reported and the new element is enqueued while the element at the head of the queue is dequeued without changing the size of the queue.

enq

When enq is asserted 1: If  $oflow_chk$  evaluates true, ensures that queue does not overflow the max size given in depth. The specified depth can be at most 2\*\*16.

enq data

Data being enqueued.

deq

Set to 1 when data is being dequeued. When deq is asserted 1: If  $uflow_chk$  evaluates true, ensures that queue was not empty (underflow). If a dequeue on empty is detected then the check is disabled until the next enqueue operation.

deq data

Data being dequeued.

#### Failure Modes.

Assertion assert\_fifo\_overflow will report a failure when enq is issued while the FIFO is full.

Assertion  $assert_fifo_underflow$  will report a failure when the deq command is issued delayed by  $deq_lat$  and the FIFO is empty at that time (and no simultaneous enq with  $pass_thru$  is enabled).

Assertion <code>assert\_fifo\_value\_chk</code> will report ( $sva_v_q[sva_v_head_ptr] == deq_data$ ) as the failing expression when there is a dequeue and the FIFO is not empty and the data does not correspond to the expected value. It will report ( $enq_data == deq_data$ ) as the failing expression if there is a dequeue and  $pass_thru$  is enabled (=1), otherwise if there is a dequeue on an empty FIFO it is a failure.

Assertion assert\_fifo\_hi\_water\_chk will report a failure if the FIFO fill crosses the high-water mark.

## **Coverage Modes**

```
cov level 1 0 (bit 0 set in coverage level 1)
```

Cover property cover\_number\_of\_enqs indicates that there was an enqueue operation.

```
cov_level_1_1 (bit 1 set in coverage_level_1)
```

Cover property <code>cover\_number\_of\_deqs</code> indicates that there was a dequeue operation.

```
cov_level_1_2 (bit 2 set in coverage_level_1)
```

Cover property <code>cover\_simultaneous\_enq\_deq</code> indicates the number of simultaneous enqueue and dequeue operations.

```
cov level 1 3 (bit 3 set in coverage level 1)
```

Cover property <code>cover\_enq\_followed\_eventually\_by\_deq</code> matches whenever there is an enqueue followed eventually by a dequeue.

```
cov_level_2_0 (bit 0 set in coverage_level_2)
```

Cover point observed\_outstanding\_contents reports which FIFO fill levels have been reached at least once.

```
cov level 3 0 (bit 0 set in coverage level 3)
```

Cover property <code>cover\_fifo\_hi\_water\_chk</code> indicates that the high water mark was reached on an enqueue.

```
cov_level_3_1 (bit 1 set in coverage_level_3)
```

Cover property cover\_simultaneous\_enq\_deq\_when\_empty indicates that there were simultaneous enqueue and dequeue operations on an empty queue.

```
cov level 3 2 (bit 2 set in coverage level 3)
```

Cover poperty cover\_simultaneous\_enq\_deq\_when\_full indicates that there were simultaneous enqueue and dequeue operations on a full queue.

```
cov level 3 3 (bit 3 set in coverage level 3)
```

Cover property <code>cover\_number\_of\_empty</code> indicates that empty was reached on dequeue.

```
cov level 3 4 (bit 4 set in coverage level 3)
```

Cover property <code>cover\_number\_of\_full</code> indicates that full was reached on enqueue.

# **Example:**

A FIFO is initialized anytime reset is 1 (synchronously with posedge clk). There are up to 10 elements in the FIFO, the size of the data is 16 bits,  $high\_water$  mark is by default 0 (disabled),  $data\_in$  is enqueued when enqueue is 1 with no latency,  $data\_out$  must be equal to that at the head of the FIFO when dequeue is 1 with latency, and overflow, underflow and value checks are enabled with pass through when empty is allowed. All 3 coverage levels are enabled.

# assert\_hold\_value

Ensure that exp remains at value for min to max number of cycles. That is, it must stay at value for min cycles, then it may change and after max cycles it must change to some other value. bw is the bit width of exp.

The check is not enabled unless  $reset_n$  evaluates true (1). The check is performed on the active clk edge specification and is triggered by a value change of exp to value.

min = max = 0 means that exp will change every cycle (i.e., keeps the value for one cycle).

```
min = max = 1 means that exp will keep value for two cycles.
```

A value min > 0 and max = 0 is interpreted as the open-ended interval [min: \$].

# **Syntax**

# **Arguments**

min

Minimum number of clock cycles to hold the value. Default = 0.

max

Maximum number of clock cycles to hold the value. Default = 0.

For an open-ended interval [min ...], set max equal to zero and min to greater than zero.

bw

The number of bits in the signal being tested (exp). Default = 2.

ехр

Expression or signal being tested.

value

Value to hold by exp.

#### **Failure Modes**

The assertion assert\_hold\_value will report failure if exp does not hold the value for at least min+1 clock ticks or if it does not change from value at max+1 clock ticks at the latest.

## **Coverage Modes**

```
cov level 1 0 (bit 0 set in coverage level 1) :
```

Cover property, cover\_nb\_of\_exp\_changes, indicates that the exp changed value.

```
cov_level_2_0 (bit 0 set in coverage_level_2) :
```

Cover point, observed\_hold\_time, reports the observed number of clock cycles during which exp was held at value triggered whenever there was a transition on exp to value.

```
cov_level_3_0 (bit 0 set in coverage_level_3) :
```

Cover property, cover\_hold\_value\_for\_min\_clks, indicates that the exp was held exactly equal to value for the specified min\_clks.

```
cov_level_3_1 (bit 1 set in coverage_level_3) :
```

Cover property, <code>cover\_hold\_value\_for\_max\_clks</code>, indicates that the <code>exp</code> was held exactly equal to value for the specified <code>max\_clks</code>.

# Example

```
assert_hold_value #(0, 3, 0, 4, 1, "hold_value_error",0,15,15,0)
```

```
hold value inst (clk, 1, sig, 4'h5);
```

A failure is reported if sig did not stay at 5 for at least 4 clock ticks. Since max = 0 there cannot be a failure on sig not changing from the value of 5 because the interval [3:0] is translated into the openended interval [3:\$].

All Level\_1 and Level\_2 coverages are enabled.

# assert\_memory\_async

Ensures the integrity of an asynchronous memory contents and accesses.

### **Syntax**

### **Arguments**

```
data bits
```

Number of bits in the data. Default = 1.

```
addr bits
```

Number of bits in the addresses. Default = 1.

```
mem sz
```

The number of words in the memory. Default = 2. The end\_addr - start addr + 1 must be less than or equal to mem sz.

```
addr chk
```

If 1, checks that address is valid. Default = 1.

```
init chk
```

If 1, checks that addresses read have been previously written. Default = 1.

```
conflict chk
```

If 1, checks that simultaneous reading and writing of the same address does not occur. Default = 0.

This check should only be enabled when rclk == wclk. When the two clocks are different the conflict check does not make much sense.

pass thru

Specifies behavior when read and write happen at the same time on the same address. If 0, read gets the old data before the write. If 1, read gets the new data after the write. Default = 0.

read1 chk

If 1, checks that an address has at most one read between writes. Default = 0.

write1 chk

If 1, checks that an address is read at least once before it is overwritten. Default = 0.

value chk

If 1, checks that the value read from an address is the value that was written to that address. Default = 0.

w\_edge\_expr

The active clock edge of wclk . Default = 0, operation is indicated by negative edge.

r\_edge\_expr

The active clock edge of rclk. Default = 0, operation is indicated by negative edge.

start\_addr

Starting address of the memory.

end\_addr

Ending address of the memory.

ren

Read enable.

raddr

Read address.

rdata

Read data.

wen

Write enable.

waddr

Write address.

wdata

Write data.

#### Note the following:

- When addr\_chk evaluates true, ensures that start\_addr ≤ raddr ≤ end\_addr as sampled by the negedge of ren, and that start\_addr ≤ waddr ≤ end\_addr as sampled by the negedge of wen.
- There is thus no clock other than the ren and wen signals that indicate when each operation is to take place by their falling edges (i.e., it is assumed that they are positive pulses). This is the behavior when r\_edge\_expr (resp. w\_edge\_expr) is 0. When r\_edge\_expr is 1 (resp. w\_edge\_expr), the ren (resp. wen) signal is complemented and the positive edge of the (negative) pulse is used.
- Whenever the port reset\_n is 0, it disables reading and writing to the memory.
- Al other checks apply only if the address is valid. Therefore, we recommend that <code>addr\_chk</code> be enabled.

- When <code>init\_chk</code> evaluates true, ensures that addresses read Separate read and write port RAMs are naturally supported. For single port R/W RAMs, simply associated the same actuals with the appropriate parameters.
- the sampling is by negedge of ren (wen) if r\_edge\_expr (w\_edge\_expr) is 0 and by posedge of ren (wen) if r\_edge\_expr (w\_edge\_expr) is 1...

#### Failure Modes

Assertion assert\_memory\_async\_init will report failure when the location was not initialized before reading as determined by negedge of ren if  $r_edge_expr$  is 0 and by posedge of ren if  $r_edge_expr$  is 1..

Assertion assert\_memory\_async\_waddr\_chk will report failure when the write address was not within the limits just before negedge of wen.

if w edge expr is 0 and by posedge of wen if w edge expr is 1.

if  $r_{edge\_expr}$  (w\_edge\_expr) is 0 and by posedge of ren (wen) if  $r_{edge\_expr}$  (w edge expr) is 1.

Assertion assert\_memory\_async\_raddr\_chk will report failure when the write address was not within the limits just before negedge of ren if  $r_edge_expr$  is 0 and by posedge of ren if  $r_edge_expr$  is 1.

Assertion assert\_memory\_read1\_chk will report failure when the variables recording reads and writes indicated the same state as sampled by negedge of ren. Hence, there was more than one read between writes.

Assertion assert\_memory\_async\_write1\_chk will report failure if after the memory location was initialized the location was not read before the next write as sampled by negedg wen if  $w_edge_expr$  is 0 and by posedge of wen if  $w_edge_expr$  is 1.

Assertion assert\_memory\_async\_val\_chk will report failure if there is a disagreement between the value in the design rdata and that stored in the memory mirror as sampled by negedge of ren if r edge expr is 0 and by posedge of ren if r edge expr is 1.

The ren and wen signals are qualified by  $reset_n$ , i.e., no read or write takes place if  $reset_n$  is asserted low (0).

### **Coverage Modes**

```
cov level 1 0 (bit 0 set in coverage level 1) :
```

Cover property, <code>cover\_number\_of\_reads</code>, indicates that there was a read operation to any address.

```
cov_level_1_1 (bit 1 set in coverage_level_1) :
```

Cover property, <code>cover\_number\_of\_writes</code>, indicates that there was a write operations to any address.

```
cov_level_1_2 (bit 2 set in coverage_level_1) :
```

Cover property, write\_followed\_by\_read, indicates that there was a write followed by a read to the same address.

```
cov_level_2_0 (bit 0 set in coverage_level_2) :
```

Cover point, read, reports which addresses within the range [start\_addr : end\_addr] were read at least once.

```
cov_level_2_1 (bit 1 set in coverage_level_2) :
```

Cover point, write, reports which addresses within the range [start\_addr : end\_addr] were written at least once.

```
cov_level_3_0 (bit 0 set in coverage_level_3) :
   Cover property,
```

cover\_two\_or\_more\_writes\_without\_intervening\_read, indicates that two writes occurred to the same (any) address without an intervening read operation to that address.

cov\_level\_3\_1 (bit 1 set in coverage\_level\_3) :
 Cover property,

cover\_two\_or\_more\_reads\_without\_intervening\_write, indicates that two reads occurred to the same (any) address without an intervening write operation to that address.

cov\_level\_3\_2 (bit 2 set in coverage\_level\_3) :
 Cover property, read\_to\_start\_addr, indicates that a read
 operation occurred to the address start addr.

cov\_level\_3\_3 (bit 3 set in coverage\_level\_3)
Cover property, write\_to\_start\_addr, indicates that a write
 operation occurred to the address start addr.

cov\_level\_3\_4 (bit 4 set in coverage\_level\_3) :
 Cover property, read\_to\_end\_addr, indicates that a read
 operation occurred to the address end addr.

cov\_level\_3\_5 (bit 5 set in coverage\_level\_3) :
 Cover property, write\_to\_end\_addr, indicates that a write
 operation occurred to the address end addr.

cov\_level\_3\_6 (bit 6 set in coverage\_level\_3) :
 Cover property, write\_followed\_by\_read\_to\_start\_addr, that
 there was a write operation followed by a read to the address
 start\_addr.

```
cov level 3 7 (bit 7 set in coverage level 3) :
```

Cover property, write\_followed\_by\_read\_to\_end\_addr, indicates that there was a write operation followed by a read to the address end addr.

#### Example

```
assert_memory_async #(0, 16, 16, 16'h1000, 1, 1, 1, 1, 1)

mem_inst (1'b1, 16'h0000, 16'h0fff,

ren, addr, rdata,

wen, addr, wdata);
```

Memory accesses are to be checked with data and address width of 16 bits. The low address bound is 0, the high address bound is 16'h0fff, the memory size is 2\*\*12 = 16'h1000. addr\_chk, init\_chk, read1\_chk, write1\_chk and value\_chk are enabled. The default message is output upon failure. reset\_n is 1, hence always enabled. Category is 0 by default. Since both w\_edge\_expr and r\_edge\_expr parameters are 0 by default, positive ren and wen pulses are assumed. Coverage Level 1 is enabled by default (all cover properties).

## assert\_memory\_sync

Ensures the integrity of a synchronous memory contents and accesses.

### **Syntax**

```
assert_memory_sync [#(severity_level, data_bits, addr_bits, mem_sz, addr_chk, init_chk, conflict_chk, pass_thru, read1_chk, write1_chk, value_chk, w_edge_expr, r_edge_expr, msg, category, coverage_level_1, coverage_level_2, coverage_level_3)]
inst_name (start_addr, end_addr, ren, raddr, rclk, rdata, wen, waddr, wclk, wdata);
```

## **Arguments**

```
data bits
```

Number of bits in the data. Default = 1.

```
addr bits
```

Number of bits in the addresses. Default = 1.

```
mem sz
```

The number of words in the memory. Default = 2. The end\_addr - start\_addr + 1 must be less than or equal to mem\_sz.

```
addr chk
```

If 1, checks that address is valid. Default = 1.

```
init chk
```

If 1, checks that addresses read have been previously written. Default = 1.

```
conflict chk
```

If 1, checks that simultaneous reading and writing of the same address does not occur. Default = 0.

This check should only be enabled when rclk == wclk. When the two clocks are different the conflict check does not make much sense.

pass thru

Specifies behavior when read and write happen at the same time on the same address. If 0, read gets the old data before the write. If 1, read gets the new data after the write. Default = 0.

read1 chk

If 1, checks that an address has at most one read between writes. Default = 0.

write1 chk

If 1, checks that an address is read at least once before it is overwritten. Default = 0.

value chk

If 1, checks that the value read from an address is the value that was written to that address. Default = 0.

w\_edge\_expr

The active clock edge of wclk. Default = 0.

r\_edge\_expr

The active clock edge of rclk. Default = 0.

 $start\_addr$ 

Starting address of the memory.

end addr

Ending address of the memory.

ren

Read enable.

raddr

Read address.

rclk

Read clock.

rdata

Read data.

wen

Write enable.

waddr

Write address.

wclk

Write clock.

wdata

Write data.

When addr\_chk evaluates true, ensures that start\_addr ≤ raddr ≤ end\_addr when ren is true, and that start\_addr ≤ waddr ≤ end\_addr when wen is true. All other checks apply only if the address is valid. Therefore, we recommend that addr\_chk be enabled.

When <code>init\_chk</code> evaluates true, ensures that addresses read have been previously written.

When <code>value\_chk</code> evaluates true, ensures that the value read from an address is the value that was written to that address.

A read/write conflict occurs when a read operation occurs simultaneous with a write operation on the same address. When a conflict occurs, a read is assumed to happen before a write in the same cycle.

When  $conflict\_chk$  evaluates true, ensures that simultaneous reading and writing of the same address does not occur. This check should only be enabled when rclk == wclk. When the two clocks are different the conflict check does not make much sense.

The <code>pass\_thru</code> specification defines the behavior of the memory when a read and write occur simultaneously on the same address. When <code>pass\_thru</code> = 0 then the read operation obtains the old data (before the write takes place). If <code>pass\_thru</code> = 1, then the read operation gets the new value written in memory. Note that this option has effect only when <code>value\_chk</code> or <code>init\_chk</code> are enabled. Furthermore, <code>pass\_thru</code> should only be enabled when <code>rclk = wclk</code> and <code>conflict\_chk</code> = 0.

When read1\_chk evaluates true, ensures that an address has at most one read in between writes.

When write1\_chk evaluates true, ensures that an address is read at least once before it is over-written by different data.

Separate read and write port RAMs are naturally supported. For single-port R/W RAMs, simply associate the same actuals with the appropriate parameters. For single clock synchronous RAMs, provide the same clock edge parameter for both rclk and wclk.

The parameters <code>data\_bits</code> = number of bits in the data, <code>addr\_bits</code> = number of bits in the addresses, <code>start\_addr</code> = first address, <code>end\_addr</code> = last address, and <code>mem\_sz</code> = number of words, are compile-time constant values which describe the layout of the memory. Note that <code>end\_addr</code> - <code>start\_addr</code> + 1 must be less than or equal to <code>mem\_sz</code>.

#### **Failure Modes**

Assertion assert\_mem\_init will report failure when the memory word was not initialized before reading and there was no simultaneous read and write with pass through allowed.

Assertion assert\_mem\_waddr\_chk will report failure when the write address was not within the limits when wen was asserted.

Assertion assert\_mem\_raddr\_chk will report failure when the read address was not within the limits when ren was asserted.

Assertion assert\_mem\_conflict\_chk will report failure when wen and ren were asserted simultaneously and the write and read addresses were the same sampled by the write clock wclk.

Assertion assert\_mem\_read1\_chk will report failure when at the time of failure the sva variables recording reads and writes indicated the same state. Hence there was more than one read between writes.

Assertion assert\_mem\_write1\_chk will report failure when after a memory location was initialized, neither the location was read before the next write nor there was a simultaneous read and write (as sampled by the write clock wclk) with pass thru disabled.

Assertion <code>assert\_mem\_val\_chk</code> will report failure when pass through is allowed and read and write happen at the same time (as sampled by the read clock rclk) to the same address and the data are not equal.

## **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage level 1)
```

Cover property cover\_number\_of\_reads indicates that a read operation occurred to any address.

```
cov level 1 1 (bit 1 set in coverage level 1)
```

Cover property cover\_number\_of\_writes indicates that a write operation occurred to any address.

```
cov level 1 2 (bit 2 set in coverage level 1)
```

Cover property write\_followed\_by\_read indicates that a write was followed by a read to the same address.

```
cov_level_2_0 (bit 0 set in coverage_level_2)
```

Cover point read indicates which addresses within the range start addr: end addr have been read at least once.

```
cov level 2 1 (bit 1 set in coverage level 2)
```

Cover point write indicates which addresses within the range start addr: end addr have been written at least once.

```
cov level 2 2 (bit 2 set in coverage level 2)
```

Cover point delay\_from\_read\_to\_write reports which delays were observed at least once from the last read in a sequence of reads to the nearest subsequent write.

```
cov_level_2_3 (bit 3 set in coverage_level_2)
```

Cover point delay\_from\_write\_to\_read reports which delays were observed at least once from the last write in a sequence of writes to the nearest subsequent read.

```
cov_level_3_0 (bit 0 set in coverage_level_3)
```

# Cover property

cover\_two\_or\_more\_writes\_without\_intervening\_read indicates that two writes occurred to the same (any) address without an intervening read operation to that address.

cov\_level\_3\_1 (bit 1 set in coverage\_level\_3)

### Cover property

cover\_two\_or\_more\_reads\_without\_intervening\_write indicates that two reads occurred to the same (any) address without an intervening write operation to that address.

```
cov level 3 2 (bit 2 set in coverage level 3)
```

Cover property simultaneous\_read\_and\_write\_to\_same\_addr indicates that there were (quasi)simultaneous read and write operations to the same (any) address as seen by the read clock rclk.

cov\_level\_3\_3 (bit 3 set in coverage\_level\_3)

#### Cover property

simultaneous\_read\_and\_write\_to\_different\_addr indicates that there were (quasi)simultaneous read and write operations to different addresses as seen by the read clock rclk.

```
cov_level_3_4 (bit 4 set in coverage_level_3)
```

Cover property read\_to\_start\_addr indicates that read operations occurred to the address start addr.

```
cov_level_3_5 (bit 5 set in coverage_level_3)
```

Cover property write\_to\_start\_addr indicates that operations occurred to the address start addr.

```
cov_level_3_6 (bit 6 set in coverage_level_3)
```

Cover property read\_to\_end\_addr indicates that read operations occurred to the address end addr.

```
cov_level_3_7 (bit 7 set in coverage_level_3)
```

Cover property write\_to\_end\_addr indicates that write operations occurred to the address end\_addr.

```
cov level 3 8 (bit 8 set in coverage level 3)
```

Cover property write\_followed\_by\_read\_to\_start\_addr indicates that a write operation was followed by a read to the address start addr.

```
cov level 3 9 (bit 9 set in coverage level 3)
```

Cover property write\_followed\_by\_read\_to\_end\_addr indicates that a write operation was followed by a read to the address end addr.

#### **Example**

Memory accesses are to be checked with data and address width of 16 bits, the low address bound is 0, the high address bound is 16'h0fff, the memory size is 2\*\*12 = 16'h1000, the same clock is used for read and write, sampling by posedge in both cases (by default), <code>addr\_chk</code> and <code>init\_chk</code> are enabled by default, <code>conflict\_chk</code> and <code>pass\_thru</code> are enabled, <code>readl\_chk</code> and <code>writel\_chk</code> are disabled by default, and <code>value\_chk</code> is enabled. The default message is output upon failure. By default coverage Level 1 is enabled.

# assert\_multiport\_fifo

Implements a checker for a single-clock, multi-port in and multi-portout queue.

### **Syntax**

#### **Arguments**

depth

The maximum number of elements in the queue. Default = 2. The specified depth can be at most  $2^{16}$ . Default = 2.

```
elem sz
```

The size of queue elements in bits. Default = 1.

```
no ports
```

Number of ports. Default = 2.

```
hi water mark
```

If hi\_water\_mark is a positive value, then the level of the fill of the queue after enqueue will be checked to see if hi\_water\_mark is exceeded. Once high water has been reached once, this check is disabled until the FIFO size decreases again to or below the mark. If hi\_water\_mark = 0 then the high-water mark check is disabled and only overflow is checked, i.e., when the depth of the queue is exceeded (provided that oflow chk = 1). Default = 0.

enq lat

A compile-time non-negative integer constant that indicates the number of cycles between enq being asserted 1 and  $enq\_data$  being valid in the corresponding position. At that point all enqueue data is dropped and further checking is disabled until dequeue occurs. If an enqueue and dequeue happen simultaneously then no overflow is reported. Default = 0.

deq lat

The number of deq\_clk cycles between deq being asserted 1 and deq data being valid. Default = 0.

oflow\_chk

When an enq bit is asserted 1: If  $oflow_chk$  evaluates true, ensures that queue does not overflow the max size given in depth. depth (maximum size = t 2\*\*16). Default = 1.

uflow chk

When a deq bit is asserted 1:if  $uflow_chk$  evaluates true, ensures that queue was not empty (underflow); if a dequeue on empty is detected, then the check is disabled until the next enqueue operation. Default = 1.

value\_chk

If  $value\_chk$  evaluates true, ensures  $deq\_data$  as selected by the same position as the highest priority deq bit is the same as that at the head of the queue. Default = 1.

pass thru

If an enqueue and dequeue operation happens simultaneously on an empty queue, then the behavior depends on the *pass\_thru* parameter (it must be a compile-time constant):

If  $pass\_thru = 0$  then the dequeue happens before enqueue, hence the empty condition is detected and reported and an underflow (provided that  $uflow\_chk = 1$ ). If  $value\_chk = 1$  then the value check fails. Default = 0.

If  $pass\_thru$  = 1 then it is assumed that enqueue happens first and the data is immediately dequeued and compared with  $deq\_data$  if  $value\_chk$  is enabled. Also, there is no underflow error reported.

If an enqueue and a dequeue operation happen simultaneously on a full queue then no overflow is reported and the new element is enqueued while the element at the head of the queue is dequeued without changing the size of the queue.

#### eng and deg

Bit vectors of equal size  $no\_ports$ . Each pair of corresponding bits in these vectors defines the enqueue and dequeue signals for a port. Their priority is such the bit 0 is the lowest priority, the highest order bit  $no\_ports-1$  is the highest priority. That is, the enqueue port and the dequeue port of the highest priority are processed at every clk tick.

#### enq data

A concatenation of the data from the different ports. It is assumed that it is dimensioned as  $[no\_ports*elem\_size-1:0]$ , with data vectors appearing in the same order as the enq requests. Whenever a bit in enq is asserted 1, the corresponding data part in  $enq\_dat$  must be valid after  $enq\_lat$  clock cycles. Only the highest priority data is actually enqueued.

#### deq data

A concatenation of the data from the different ports. It is assumed that it is dimensioned as  $[no\_ports*elem\_size-1:0]$ , with data vectors appearing in the same order as the deq requests. Whenever a bit in deq is asserted 1, the corresponding data part in  $deq\_dat$  must be valid after  $deq\_lat$  clock cycles. The highest priority data is compared with the data at the head of the queue if  $value\ chk$  evaluates true.

#### **Failure Modes**

Assertion assert\_multiport\_fifo\_overflow will report a failure when enq is issued while the FIFO is full.

Assertion assert\_multiport\_fifo\_underflow will report a failure when the deg command is issued and the FIFO is empty.

Assertion assert\_multiport\_fifo\_value\_chk will report failure when there is a dequeue and the FIFO is not empty and the dequeued value does not correspond to that on deq\_data.

Assertion assert\_fifo\_hi\_water\_chk will report a failure if the FIFO is filled above the high-water mark.

## **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1) :
```

Cover property, <code>cover\_number\_of\_enqs</code>, indicates that an enqueue operation occurred. The cover is incremented whenever <code>enq > 0</code>.

```
cov level 1 1 (bit 1 set in coverage level 1) :
```

Cover property, <code>cover\_number\_of\_deqs</code>, indicates that a dequeue operation occurred. The cover is incremented whenever <code>deq > 0</code>.

```
cov level 1 2 (bit 2 set in coverage level 1) :
```

Cover property, <code>cover\_port\_enqued</code>, indicates for each port separately that that an enqueue operation occurred.

```
cov level 1 3 (bit 3 set in coverage level 1) :
```

Cover property, <code>cover\_port\_dequed</code>, indicates for each port separately that that a dequeue operation occurred.

```
cov_level_1_4 (bit 4 set in coverage_level_1) :
```

Cover property,

cover\_enq\_followed\_eventually\_by\_deq\_per\_port, indicates for each port that a successful enq on a port was followed eventually by a successful deq.

```
cov_level_2_0 (bit 0 set in coverage_level_2) :
```

Cover point, observed\_outstanding\_contents, reports on the FIFO fill levels that occurred at least once.

```
cov_level_2_1 (bit 1 set in coverage_level_2) :
```

Cover property, <code>cover\_ignored\_enque</code>, indicates for each port whether an enqueue was ignored due to other higher priority requests.

```
cov level 2 2 (bit 2 set in coverage level 2) :
```

Cover property, <code>cover\_ignored\_deque</code>, indicates for each port whether a dequeue was ignored due to other higher priority requests.

```
cov level 3 0 (bit 0 set in coverage level 3) :
```

Cover property, <code>cover\_fifo\_hi\_water\_chk</code>, indicates that the high water mark was reached on an enqueue.

```
cov level 3 1 (bit 1 set in coverage level 3) :
```

Cover property, <code>cover\_simultaneous\_enq\_deq\_on\_same\_port</code>, indicates for each port that successful enqueue and dequeue happened at the same time.

```
cov_level_3_2 (bit 2 set in coverage_level_3) :
```

#### Cover property,

cover\_simultaneous\_enq\_deq\_on\_different\_port, indicates that successful enqueue and dequeue happened simultaneously on different ports.

```
cov level 3 3 (bit 3 set in coverage level 3) :
```

Cover property, <code>cover\_simultaneous\_enq\_deq\_when\_empty</code>, indicates that there were successful simultaneous enqueue and dequeue operations on an empty queue.

```
cov_level_3_4 (bit 4 set in coverage_level_3) :
```

Cover poperty, <code>cover\_simultaneous\_enq\_deq\_when\_full</code>, indicates that there were successful simultaneous enqueue and dequeue operations on a full queue.

```
cov level 3 5 (bit 5 set in coverage level 3) :
```

Cover property, <code>cover\_number\_of\_empty</code>, indicates that empty queue was reached on a dequeue.

```
cov_level_3_6 (bit 6 set in coverage_level_3) :
```

Cover property, <code>cover\_number\_of\_full</code>, indicates that full queue was reached on enqueue.

### **Example:**

In this example, a FIFO is initialized anytime reset is 0 (synchronously with posedge clk); there are up to 10 elements in the FIFO; high\_water mark is by default 0 (disabled); the size of the data is 16 bits; there are two channels (by default, i.e., enqueue, dequeue are 2-bit wide, data\_in and data\_out are bitvectors of 2 \* 16 = 32 bits); data\_in[16\*i+:16] is enqueued when enqueue[i] is 1 with no latency; data\_out[16\*i+:16] must be equal to that at the head of the FIFO when dequeue[i] is 1 with no latency; and overflow, underflow and value checks are enabled by default with pass through when empty is allowed. All level 3 coverages are enabled.

## assert\_mutex

Ensures that a and b never evaluate true at the same time. The check is not enabled unless  $reset_n$  evaluates true (1). The checks is performed on the active clk edge specification.

### **Syntax**

## **Arguments**

а

First signal being tested.

b

Second signal being tested.

#### **Failure Modes**

The assertion assert\_mutex will report failure when a and b are both sampled 1 at the positive edge of clk.

# **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1)
```

Cover property cover\_changes\_on\_a indicates that a changed value.

```
cov_level_1_1 (bit 1 set in coverage level 1)
```

Cover property cover\_changes\_on\_b indicates that b changed value.

## **Example**

```
assert_mutex mutex_inst( clk, 1, gnt[0], gnt[1]);
```

In this example,  $assert_mutex$  verifies that gnt[0] and gnt[1] are never 1 at the same time as sampled by posedge of clk. The checker is always enabled because  $reset_n$  is constant 1. By default Level 1 coverages will be enabled.

## assert\_next\_state

Ensures that when exp is in current state cs that exp will transition to one of the specified legal next states in ns.

## **Syntax**

### **Arguments**

no\_ns

Specifies the number of legal next states possible from current state (cs). Default = 1.

width

The number of bits in the signal being tested (exp), the current state (cs), and each element of the bitvector ns of the concatenated legal state values (ns). Default = 1.

min hold

The minimum number of clock ticks the signal being tested (exp) must hold at the current state (cs) value. Default = 1.

max hold

The maximum number of clock ticks the signal being tested (exp) can hold at the the current state (cs) value. Default = 0.

disallow

If equal to 1, then a transition to none of the values in ns may occur. Otherwise, if disallow is equal to 0 then the check ensures a transition to one of the states occurs.

exp

Signal being tested.

CS

The current state. The check starts when exp = cs (and reset n = 1).

ns

A bitvector of concatenated legal states that exp can transition to from cs.

The state transitions are checked at the active clk edge specification. For example, if width = 3, ns = 2, and the values are 3'b000 and 3'b110 then the value bound to the ns port should be 6'b000 110.

#### Note the following:

- max\_hold indicates the maximum number of clock ticks the signal being tested (exp) may hold at the current state (cs) value.
- min\_hold = max\_hold = 1 indicates that the signal being tested (exp) changes to the next value on the next clock tick.
- min\_hold = m, max\_hold = 0 indicates that the signal being tested
   (exp) must hold the current state value (cs) for at least m clock
   ticks, no upper bound is imposed on when it must change.

 $min\_hold = m$ ,  $max\_hold = n$ ,  $n \Rightarrow m$  indicates that the signal being tested (exp) must hold the current state value (cs) for at least m clock ticks and must advance to the next value within n ticks.

### **Assumptions**

no\_ns > 0 (and the ns array should have the correct number of elements.  $min_hold$  and  $max_hold$  both > 0, except when  $min_hold > 0$  and  $max_hold = 0$ .

#### **Failure Modes**

When disallow = 0, the assertion assert\_next\_state will report failure when exp is not one of the expected next states.

When <code>disallow = 1</code>, the failure of the assertion <code>assert\_next\_state</code> means that the next state values and the hold intervals were satisfied, indicating that the design reached a disallowed state within the correct expected timing.

### **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1)
```

Cover property,  $cover\_nb\_of\_next\_state\_transitions$ , indicates that the expr changed its state from cs to a state in ns (disallow = 0) or from the curent state to a state outside ns (disallow = 1), while meeting the hold times in the current state as defined by the min hold and max hold parameters.

```
cov_level_2_0 (bit 0 set in coverage_level_2)
```

Cover point, cover\_observed\_hold\_time, reports on the number of clock cycles the test\_expr remained in the current state cs before making a transition to one of the next\_states (disallow = 0) or one of the states other than the next\_states (disallow = 1).

```
cov_level_3_0 (bit 0 set in coverage_level_3)
```

#### Cover property,

cover\_nb\_of\_transitions\_from\_cs\_to\_each\_ns[i], indicates that the  $test_expr$  made a transtion from the current state cs to the 'i'th state in the ns. This coverage is only generated when disallow = 0.

## **Example**

The example will verify that when  $state_var$  takes on the value 0, then on the next posedge clk it will take on one of the values 0 or 2 (disallow = 1). The assertion is enabled when reset is 0.

```
assert_next_state
    #(0, 2, 4, 1, 1, 0, 0, "nxts_inst failed", 0, 1, 1, 1)
    nxt st inst (clk, !reset, state var, 4'h0, {4'h1, 4'h2});
```

All three coverage statistics will be generated for this checker.

# assert\_no\_contention

Ensures that bus always has a single active driver and that there is no X or Z on the bus when driven (en\_vector != 0). The total number of  $en_vector$  bits that are asserted can be at most 1. Specify 0 for no minimum bus quiet time between bus transactions.

## **Syntax**

### **Arguments**

```
min quiet
```

The minimum number of cycles between bus activity during which all bits in  $en\ vector$  must be 0. Default = 0.

```
max quiet
```

The maximum number of cycles that the bus can remain quiet (without an active driver). Default = 0.

```
bw en
```

The number of bits in en\_vector. Default = 2.

```
bw_bus
```

The number of bits in the bus signal being tested (bus1). Default = 2.

```
en vector
```

Enable signals for bus drivers as a vector of cache bits.

bus1

Bus signal being tested.

#### **Failure Modes**

The assertion assert\_no\_contention\_no\_xs will report failure when the bus had an x or z on one of its bits when at least one driver was enabled (i.e., when en vector was not all 0).

NOTE: The assertion assert\_no\_contention\_no\_xs is eliminated when the template or unit is used with Magellan. This is because the tool uses only 2-state signal values.

The assertion assert\_no\_contention\_1\_driver will report failure when there was more than one driver enabled.

The assertion <code>assert\_no\_contention\_quiet\_time</code> will report failure when the bus was not quiet for  $min_quiet$  clock cycles or that it remained quiet after  $max_quiet$  cycles. (Or that there was more than one driver after  $max_quiet$  cycles, however, this can be checked by observing the assertions <code>assert\_no\_contention\_1 driver.</code>)

# **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1)
```

Cover property driver[i].cover\_driver\_enable indicates indicates that each bit [i] in en vector was set to 1 (enabled).

```
cov_level_2_0 (bit 0 set in coverage_level_2)
```

Cover point <code>observed\_quiet\_cycles</code> reports the numbers of quiet cycles that occurred at least once. The report will also indicate the specified <code>min\_quiet</code> and <code>max\_quiet</code> values.

```
cov level 3 0 (bit 0 set in coverage level 3)
```

### Cover property

cover\_no\_contention\_quiet\_time\_equal\_to\_min\_quiet indicates that the observed quiet time was exactly equal to the specified min\_quiet value.

```
cov_level_3_1 (bit 1 set in coverage_level_3)
```

### Cover property

cover\_no\_contention\_quiet\_time\_equal\_to\_max\_quiet indicates that the observed quiet time was exactly equal to the specified max\_quiet value.

### **Example**

In this example, assert\_no\_contention verifies that signal bus that is 32 bits wide is driven at every clock cycle because  $min_quiet = max_quiet = 0$ , and there are two drivers because  $bw_en$  takes on the default value of 2.  $reset_n$  is a constant 1. Hence the checker is enabled all the time. By default, Level 1 coverage is enabled.

# assert\_packet\_flow

The assert\_packet\_flow checker continuously monitors sop and eop at every positive edge of clock, clk. It does the following checks on the sequencing of sop and eop.

```
assert no eop till sop
```

After eop is issued or just after reset is deasserted, no eop should be asserted till sop is asserted.

```
assert no sop til eop
```

After sop is issued, no sop should be asserted till eop is asserted.

### **Syntax**

# **Arguments**

sop

Signal indicating start of packet.

eop

Signal indicating end of packet.

## **Coverage Modes**

```
cov level 1 0 (bit 0 set in coverage level 1) :
```

Cover property, cover\_sop, indicates the number of sop.

```
cov level 2 0 (bit 0 set in coverage level 2) :
```

Cover point <code>observed\_sop\_eop\_delay</code> provides a profile of the observed separation in clock cycles between <code>sop</code> and <code>eop</code>. The report shows which such delays were observed at least once.

```
cov level 3 0 (bit 0 set in coverage level 3) :
```

Cover property, <code>cover\_simultaneous\_sop\_eop</code>, indicates the number of times eop and sop occured together.

#### **Example**

In this example, assert\_packet\_flow will report failure whenever eop happens without a preceding sop and whenver sop is followed by another sop. All the three coverage levels are enabled.

## assert\_rate

The checker continuously monitors <code>test\_expr</code> and <code>trigger</code> at every positive edge of the clock. Once <code>trigger</code> is sampled asserted, the checker will make sure that <code>test\_expr</code> is remain high intermittently or continuously for <code>[min:max]</code> clock cycles within <code>period</code> clock cycles.

## **Syntax**

#### **Arguments**

min

Minimum number of clock cycles for which  $test_{expr}$  need to be true within period number of clock cycles.

max

Maximum number of clock cycles for which test\_expr need to be true within period number of clock cycles.

period

Number of clock cycles during which  $test_{expr}$  must be true [min:max] number of times.

trigger

Signal indicating the start of evaluation

```
test expr
```

Logical expression that is being verified at the positive edge of clk.

#### **Coverage Modes**

```
cov level 1 0 (bit 0 set in coverage level 1) :
```

Cover property, cover\_rate, indicates the number of times the sequence matched within the limits specified.

```
cov level 1 1 (bit 1 set in coverage level 1) :
```

Cover property, cover\_trigger, indicates the number of times trigger got asserted.

```
cov level 2 0 (bit 0 set in coverage level 2) :
```

Cover point <code>observed\_nb\_of\_test\_expr\_high\_within\_period</code> provides a profile of the number of clock cycles <code>test\_expr</code> was high within period number of clock cycles. The report shows if any of these occurrences were observed at least once.

```
cov level 3 0 (bit 0 set in coverage level 3) :
```

Cover property, cover\_rate\_min, indicates the number of times the sequence matched exactly at min limit.

```
cov level 3 1 (bit 1 set in coverage level 3) :
```

Cover property, cover\_rate\_max, indicates the number of times the sequence matched exactly at max limit.

## **Example**

In this example, <code>assert\_rate</code> will report failure if <code>test\_expr</code> does NOT remain high intermittently or continousely for minimum of 3 clock cycles to a maximum of 5 clock cycles within a continous period of 6 clock cycles once <code>trigger</code> is sampled asserted, where <code>trigger</code> is a pulse indicating the start of the sequence evaluation. All three coverage levels are enabled.

# assert\_reg\_loaded

Ensure that the register  $dst\_reg$  is loaded with src data. The check for  $dst\_reg$  holding the memorized value of src starts with delay cycles (minimum 1 which is default) after the trigger condition evaluates true and within  $end\_cycle$  cycles after the trigger evaluates true or when stop evaluates true (whichever occurs first).

If used to control the end time stop should become true at least one clock cycle after  $dst\_reg$  is loaded which means minimum 2 cycles after trigger.

The src value is "captured" when trigger evaluates true.

The check is made by comparing the src value against the  $dst_reg$  contents during the "load window". Once the register has loaded the value during the window, the check terminates with success.

The check is not enabled unless  $reset_n$  evaluates true. The check is performed on the active clk edge specification.

## **Syntax**

# **Arguments**

delay

The number of cycles after the trigger signal (trigger) goes true to start the window. Default = 1.

```
end cycle
```

The number cycles after the trigger signal (trigger) goes true to end the window. Default = 0.

bw

The number of bits in the source data (src) and the register under test (dst reg). Default = 2.

The width (bw) of src and  $dst\_reg$  should correspond to the actual width of these operands. If bw is less than the actual width, the check might fail if the bits above bw are not zero. If bw is more than the actual width, the additional bits are taken to be zero. A bw of zero is illegal.

```
trigger
```

Signal that is part of starting the window.

src

Data loaded into the register.

reg

Register being tested.

stop

Signal that stops the check.

# **Assumptions**

If the window is terminated only by stop (i.e., there is no timeout and end cycle does not apply), then end cycle must be set to 0.

The width  $b_W$  of the src and  $dst\_reg$  should correspond to the actual width of these operands. If  $b_W$  is less than the actual width, then the check may fail if the bits above the  $b_W$  are not 0. If  $b_W$  is more than the actual width, then the additional bits are taken to be 0.

#### **Failure Modes**

The assertion <code>assert\_reg\_loaded</code> will report failure when either <code>stop</code> became true or maximum delay <code>end\_cycle</code> was reached while <code>dst\_reg</code> was not yet equal to the stored value.

## **Coverage Modes**

```
cov level 1 0 (bit 0 set in coverage level 1) :
```

Cover property, cover\_nb\_of\_triggers, indicates that the trigger rose.

```
cov level 1 1 (bit 1 set in coverage level 1) :
```

Cover property, <code>cover\_reg\_loaded</code>, indicates that the <code>dst\_reg</code> was successfully loaded with <code>src</code> within the specified time limits.

```
cov_level_2_0 (bit 0 set in coverage_level_2) :
```

Cover point, observed\_dst\_reg\_load\_time, reports on the number clock cycles taken to load the dst\_reg. The clock cycles are counted from the first assertion of trigger.

```
cov_level_3_0 (bit 0 set in coverage_level_3) :
```

# Cover property,

cover\_nb\_of\_times\_stop\_happened\_at\_or\_prior\_to\_end\_cycle, indicates that a stop happened at or prior to end\_cycle after the occurrence of a trigger.

```
cov_level_3_1 (bit 1 set in coverage_level_3) :
```

# Cover property,

cover\_nb\_of\_times\_no\_stop\_happened\_till\_end\_cycle, indicates that no stop happened till the end\_cycle expired after the occurrence of a trigger.

```
cov level 3 2 (bit 2 set in coverage level 3) :
```

Coverproperty, cover\_data\_transfer\_exactly\_at\_end\_cycles, indicates that the dst\_reg was loaded wih src exactly at end cycle.

```
cov level 3 3 (bit 3 set in coverage level 3) :
```

Coverproperty, cover\_data\_transfer\_exactly\_at\_delay\_cycles, indicates that the dst reg was loaded wih src exactly at delay.

## **Example**

In this example  $data\_reg$  (of width 8 bits) is to be loaded by the value of data at posedge clk within 1 to 3 clock cycles from load evaluating true. By default Level 1 coverages are enabled.

# assert\_req\_ack\_unique

Verifies that each req receives an ack within the specified interval min\_time and max\_time clock clk ticks. Note that acks are attributed to regs in a FIFO manner.

## **Syntax**

(Unit syntax only)

## **Arguments**

```
min time
```

Defines the minimum time separation between a req and an ack. Default = 1.

```
max time
```

Defines the maximum time separation between a req and an ack Default = 1.

```
max time log 2
```

Specifies the superior integer of log2 of  $max\_time$ , used to dimension the data structures. Default = 4 (= sup(log2(15))).

version

This parameter specifies two versions of the checker:

- 0 Selects a version that is suitable for max\_time <= 15. It uses IDs to identify requests and then generates as many assertions as the max time clock ticks. Default = 0.
- 1 Selects a version that is suitable for <code>max\_time > 15</code>. It uses a time stamp computed mod 2 <code>max\_time</code> to mark the requests, the time stamp is enqueued. When an <code>ack</code> arrives it verifies that the time stamp at the head of the queue satisfies the timing requirements.

## **Coverage Modes**

```
cov level 1 0 (bit 0 set in coverage level 1)
```

Cover property cover\_number\_of\_req indicates that req was asserted.

```
cov level 1 1 (bit 1 set in coverage level 1)
```

Cover property cover\_number\_of\_ack indicates that ack was asserted.

Level 2 and 3 are available only with version = 1 selection

```
cov_level_2_0 (bit 0 set in coverage_level_2)
```

Cover point observed\_latency reports the req-to-ack latencies observed at least once.

```
cov_level_2_1 (bit 1 set in coverage_level_2)
```

Cover point outstanding\_requests reports the numbers of outstanding requests that occurred at least once.

```
cov_level_3_0 (bit 0 set in coverage_level_3)
```

Cover property <code>cover\_ack\_with\_exact\_min\_lat</code> indicates that the observed latency was exactly equal to the specified <code>min\_time</code> value.

```
cov level 3 1 (bit 1 set in coverage level 3)
```

Cover property  $cover\_ack\_with\_exact\_max\_lat$  indicates that the observed latency was exactly equal to the specified  $max\_time$  value.

## **Example**

The instance  $req_grant_1_1$  of  $assert_req_ack_unique$  verifies that for each request there is a grant received within 20 and 100 posedge edges of clk ( $max_time_log2$  is thus set to 7). The checker is reset on  $reset_n$  low. Version 1 is used, i.e., using time stamps. Coverage Levels 1 and 3 are selected (coverage\_level\_1 = 3 and coverage\_level\_3 = 3).

# assert\_req\_requires

Ensures that if the <code>trig\_req</code> expression evaluates true then the <code>follow\_req</code> expression and <code>follow\_resp</code> expression will evaluate true (in sequence) before the <code>trig\_resp</code> expression evaluates true. The check is not enabled unless <code>reset n</code> evaluates true.

## **Syntax**

## **Arguments**

min lat

Defines the minimum latency from trig\_req to trig\_resp. Default = 1.

max lat

Defines the maximum latency from trig\_req to trig\_resp.

max lat == 0 means that there is no upper bound. Default = 0.

Default values min\_lat = 1, max\_lat = 0 indicate that trig\_resp must come at least one clock tick after trig\_req.

The checks are performed on the active clk edge specification, as indicated by the parameter edge\_expr.

## **Assumptions**

```
Time separations (in clock ticks) are t(trig_req) <=
t(follow_req) < t(follow_resp) <= t(trig_resp), i.e.,
trig_req and follow_req, and follow_resp and trig_resp may
coincide.</pre>
```

Note: If multiple overlapping evaluations are triggered, the latency coverage information may not be accurate since the vector does not distinguish which responses belong to which requests.

## **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1)
```

Cover property cover\_no\_of\_trig\_reqs indicates that the trig req was asserted.

```
cov_level_1_1 (bit 1 set in coverage_level_1)
```

Cover property cover\_cover\_req\_requires indicates that the specified sequence occurred.

```
ov_level_2_0 (bit 0 set in coverage_level_2)
```

Cover point observed\_latency\_btw\_trig\_req\_and\_trig\_resp reports which values of latency between trig\_req and trig\_resp were observed at least once.

```
cov_level_2_1 (bit 1 set in coverage_level_2)
```

Cover point observed\_latency\_btw\_trig\_req\_and\_follow\_req reports which latencies between trig\_req and follow\_req were observed at least once.

```
cov_level_2_2 (bit 2 set in coverage_level_2)
```

## Cover point

observed\_latency\_btw\_follow\_req\_and\_follow\_resp reports which latencies between follow\_req and follow\_resp were observed at least once.

```
cov_level_2_3 (bit 3 set in coverage_level_2)
```

## Cover point

observed\_latency\_btw\_follow\_resp\_and\_trig\_resp reports which latencies between follow\_resp and trig\_resp were observed at least once.

```
cov level 2 4 (bit 4 set in coverage level 2)
```

Cover property cover\_trig\_req\_follow\_req indicates that there was a a follow\_req after a trig\_req within max\_lat cycles.

```
cov level 2 5 (bit 5 set in coverage level 2)
```

Cover property cover\_trig\_req\_follow\_req\_follow\_resp indicates that there was a follow\_req after a trig\_req and then followed by follow resp within max\_lat cycles..

```
cov_level_3_0 (bit 0 set in coverage_level_3)
```

Cover property cover\_trig\_resp\_exactly\_on\_min\_lat indicates that the observed latency between trig\_req and trig\_resp was exactly equal to the min\_lat value.

```
cov_level_3_1 (bit 1 set in coverage_level_3)
```

Cover property  $cover\_trig\_resp\_exactly\_on\_max\_lat$  indicates that the observed latency between  $trig\_req$  and  $trig\_resp$  was exactly equal to the  $max\_lat$  value.

Note:Coverage is collected correctly only when the transactions delimited by trig\_req and trig\_resp asserted do not overlap, i.e., there is no new assertion of trig\_req while such a transaction is in progress.

## **Example:**

meaning that  $min_lat == 1$ ,  $max_lat == 10$ , and coverage Levels 2 and 3 are selected. The assertion verifies that req is followed by resp within 10 clock cycles. All other parameters take default values (posedge clk sampling).

# assert\_stack

Checks operations on a stack.

## **Syntax**

## **Arguments**

depth

The maximum size of the stack, a compile-time integer constant < 2\*\*16. Default = 2.

```
elem sz
```

The width of data elements, a compile-time constant. Default = 1.

```
hi water mark
```

If hi\_water\_mark is a positive value, then the level of the fill of the queue after push will be checked to see if hi\_water\_mark is exceeded. Once high water has been exceeded once, this check is disabled until the stack size decreases again to or below the mark. Default = 0.

```
push lat
```

The number of clk cycles between push being asserted 1 and push data being valid. Default = 0.

```
pop lat
```

The number of clk cycles between pop being asserted 1 and pop data being valid. Default = 0.

value chk

If 1, checks that  $pop\_data$  matches the data at the top of the stack. Default = 1.

push pop chk

If 1, checks that push and pop operations do not occur simultaneously. Default = 1.

push

Set to 1 when data is being pushed.

push data

Data being pushed.

pop

Set to 1 when data is being popped.

pop data

Data being popped.

Note the following:

- All operations including reset are synchronous to a tick of clk.
- reset\_n asserted 0 initializes the stack to empty.
- When push is asserted 1: Ensures no stack overflow. push\_lat specifies the number of ticks of clk between the asserting of push and when push\_data is valid. It must be a compile-time nonnegative integer constant (not an interval).
- If hi\_water\_mark is a positive value, then the fill of the stack after the push will be checked to see if hi\_water\_mark is exceeded (>=). Once high water has been exceeded once, this check is disabled until the stack falls below the mark again (<). hi water mark can be a constant or a design variable.

- If the stack depth is exceeded, a failure is reported and all further checks are disabled until the stack is reset.
- When pop is enabled: Ensures the stack is not empty when popped. If a pop is performed on an empty stack, all checking of pop operations is disabled until reset is applied or a push occurs.
- If value\_chk evaluates to 1, it ensures pop\_data is what was on the top of the stack. pop\_lat specifies the number of cycles of clk between the asserting of pop and when pop\_data is valid. It must be a compile-time non-negative integer constant (not an interval).
- If push\_pop\_chk evaluates 1, ensures that push and pop operations do not occur simultaneously. If push and pop do occur simultaneously, the effect is the same as if push were done first followed by a pop (that is, the stack is not changed). If value\_chk = 1, then pop data is compared with push data.

#### **Failure Modes**

Assertion assert\_stack\_overflow will report a failure when push is issued and the stack is full. The reported time of failure is on the clock tick following the failed deferred push operation.

Assertion assert\_stack\_underflow will report a failure when pop is issued and the stack is empty (and no simultaneous push). The reported time of failure is on the clock tick following the failed deferred push operation.

Assertion assert\_stack\_value\_chk will report failure when pop\_data value does not match the expected top-of-stack value, provided the stack is not empty or when the stack is empty and there is a simultaneous push and the value pushed on the stack does not match the value popped off the stack.

Assertion assert\_stack\_hi\_water\_chk will report a failure if the stack is filled above the high-water mark.

Assertion assert\_stack\_push\_pop\_fail will report a failure if push and pop are enabled simultaneously (and push\_pop\_chk is 1).

## **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1)
```

Cover property cover\_number\_of\_pushes indicates that there was a push operation.

```
cov level 1 1 (bit 1 set in coverage level 1)
```

Cover property cover\_number\_of\_pops indicates that there was a pop operation.

```
cov_level_1_2 (bit 2 set in coverage_level_1)
```

Cover property cover\_push\_followed\_eventually\_by\_pop indicates that a push was followed eventually by a pop without an intervening push.

```
cov_level_2_0 (bit 0 set in coverage level 2)
```

Cover point observed\_outstanding\_contents reports which observed fill levels were observed at least once.

```
cov level 3 0 (bit 0 set in coverage level 3)
```

Cover property <code>cover\_stack\_hi\_water\_chk</code> indicates that the high water mark was reached.

```
cov_level_3_1 (bit 1 set in coverage_level_3)
```

Cover property cover\_simultaneous\_push\_pop indicates that there were simultaneous push and pop operations.

```
cov level 3 2 (bit 2 set in coverage level 3)
```

Cover property <code>cover\_simultaneous\_push\_pop\_when\_empty</code> indicates that there were simultaneous <code>push</code> and <code>pop</code> operations while the stack was empty.

```
cov level 3 3 (bit 3 set in coverage level 3)
```

Cover property <code>cover\_simultaneous\_push\_pop\_when\_full</code> indicates that there were simultaneous <code>push</code> and <code>pop</code> operations while the stack was full.

```
ccov level 3 4 (bit 4 set in coverage level 3)
```

Cover property cover\_number\_of\_empty indicates that the stack became empty after a pop.

```
ov level 3 5 (bit 5 set in coverage level 3)
```

Cover property cover\_number\_of\_full indicates that the stack became full after a push.

## **Example:**

When  $sys\_reset$  is asserted 1 the stack is initialized. It is 10 elements deep and 16 bits wide. The water mark is set at 8 which means that the water-mark check is enabled. The push and pop latencies are both 0 which means that  $data\_in$  must be present at the same time as push is asserted and  $data\_out$  must be present at the same time as pop is asserted. The value check is enabled meaning that  $data\_out$  will be checked against the data expected on the top of the stack. Push-Pop check is disabled. Coverage Level 1 is selected by default.

# assert\_valid\_id

The signal  $issued\_sig$  asserted 1 validates a request identified by the value in  $issued\_id$ . This request is expected to be acknowledged by  $ret\_id$  validated by  $ret\_sig$  asserted 1 within  $[min\_lat: max\_lat]$  delay. Both  $issued\_id$  and  $ret\_id$  are qualified by  $reset\_n$  being 1. When  $reset\_n$  is 0 then all history of past requests is erased.  $reset\_sig$  asserted clears outstanding requests that match the value of  $reset\_id$ .

## **Syntax**

## **Arguments**

```
id_bw
```

The max. number of bits to encode an id. Default =  $2 \cdot max_{ids}$  must be set less than 256 because it is used to dimension the table of id's.

```
max ids
```

The maximum number of IDs. Default = 4.

The maximum value is 2<sup>16</sup>.

```
max out ids
```

The maximum number of IDs that can be outstanding. Default = 1.

```
max out per id
```

The maximum number of issues outstanding per ID. Default = 1.

#### min lat

Minimum number of clock cycles between an ID being issued and returned. Default = 1.

#### max lat

Maximum number of clock cycles between an ID being issued and returned. Default = 1.

## Note the following:

- When issued\_sig is asserted 1, it ensures that max\_out\_ids and max\_ids are not exceeded and that issued\_id is at most max\_out\_per\_id outstanding (that is, not returned). When max\_out\_per\_id > 1 then the returns for an ID cannot be distinguished. But for any issue, there must be a return of the ID within the latency interval.
- issued\_id, ret\_id, and reset\_id are values encoded using id bw number of bits.
- When  $reset\_sig$  is asserted 1 then the outstanding count of  $reset\_id$  id is reset to 0, if that id has an outstanding return.
- If an <code>issued\_id</code> exceeds the maximum number of outstanding <code>max\_ids</code> or <code>max\_out\_ids</code>, an error is reported. Only those id's are counted that have <code>reset\_n == 1</code> at issuance.
- When  $reset\_sig$  is asserted 1,  $ret\_id$  must match an outstanding id. A returned  $ret\_id$  is counted only against issued id's in the previous clock cycles. It also ensures that  $issued\_id$  is outstanding for at least  $min\_lat$  cycles but no longer than  $max\_lat$  cycles after issuance.
- The issued\_sig and ret\_sig control signals are active for only one clock period.

- To trigger a check for an issued ID,  $reset\_en$  must be asserted 1 at the time  $issued\_sig$  is asserted and also at the time  $ret\_sig$  is asserted. If an ID is returned and  $reset\_n$  is asserted while at issuance of this ID  $reset\_n$  was deasserted, this return is flagged as an error if there is no other outstanding request for that id.
- All checks are performed on the active clk edge specification.
- $min_lat = 1$ ,  $max_lat = 1$  means that the ID must be returned on the next clock cycle after issuance.
- $min\_lat = m$ ,  $max\_lat = n$ ,  $m \le n$ , means that the ID must be returned within the interval [m:n] clock ticks after issuance. max lat must be less than or equal to 2\*\*15.

#### **Failure Modes**

Assertion assert\_valid\_id will report failure when an id of value i has been issued, and that id has already max\_out\_per\_id outstanding requests.

Assertion assert\_valid\_issued\_id\_ok will report failure when an id is issued and the same id is in circulation with the count exceeding max\_out\_per\_id.

Assertion assert\_valid\_ret\_id\_ok will report failure if an id is returned while there is no such id value still in circulation (i.e., this id has not been issued).

Assertion assert\_valid\_max\_issued\_ids\_ok will report failure when an id is issued and the total number of different id's in circulation is already equal to the max\_ids or the max\_out\_ids value.

## **Coverage modes (Only available with version = 1 selection)**

```
cov level 1 0( Bit 0 set in coverage level 1)
```

Cover property, cover\_number\_of\_issued\_sig, indicates that issued sig was asserted regardless the value of issued id.

```
cov_level_1_1( Bit 1 set in coverage_level_1)
```

Cover property, cover\_number\_of\_ret\_sig, indicates that ret sig was asserted regardless the value of ret id.

```
cov_level_1_2( Bit 2 set in coverage_level_1)
```

Cover property, <code>cover\_number\_of\_reset\_sig</code>, indicates that <code>reset\_sig</code> was asserted regardless the value of <code>reset\_id</code>.

```
cov level 2 0 ( Bit 0 set in coverage level 2)
```

Cover point, observed\_latency, reports the *issued\_sig* to ret sig latencies that were observed at least once.

```
cov level 2 1 ( Bit 1 set in coverage level 2)
```

Cover point, outstanding\_ids, reports the numbers of outstanding ids that occurred at least once.

```
cov_level_3_0( Bit 0 set in coverage_level_3)
```

Cover property, <code>cover\_ret\_sig\_with\_exact\_min\_lat</code>, indicates that the observed latency from <code>issued\_sig</code> to <code>ret\_sig</code> was exactly equal to the specified <code>min\_lat</code> value, regardless the id value.

```
cov_level_3_1( Bit 1 set in coverage_level_3)
```

Cover property, <code>cover\_ret\_sig\_with\_exact\_max\_lat</code>, indicates that the observed latency from <code>issued\_sig</code> to <code>ret\_sig</code> was exactly equal to the specified <code>max\_lat</code> value, regardless of the id value.

```
cov_level_3_2( Bit 2 set in coverage_level_3)
```

Cover property, <code>cover\_issued\_ids\_reached\_max\_ids</code>, indicates that the number of outstanding id's was exactly equal to the specified min of <code>max\_ids</code> and <code>max\_out\_ids</code> values.

```
cov level 3 3 ( Bit 3 set in coverage level 3)
```

Cover property, <code>cover\_issued\_ids\_reached\_max\_out\_per\_id</code>, indicates that the number of outstanding <code>issued\_id's</code> was exactly equal to the specified <code>max out per id</code> value.

## Example

The checker is enabled when out of reset. All signals are sampled on posedge clk. There are 3 bits to encode id's. At most 6 id's can be in circulation at any time and that only one copy of each. The count of the copies of an id is reset when clear is asserted with the corresponding id value on clear\_id. An issued id is valid when issued\_valid is asserted, similarly, a returned id is valid when ret\_valid is asserted. An issued id must be returned in 1 to 10 clock cycles. A custom message is appended to the standard failure message. The coverage Level 1 is enabled by default.

## assert\_value

Ensure that exp can only be one of the specified values in vals.

## **Syntax**

## **Arguments**

no vals

The number of entries in the vals specification. Default = 1.

disallow

If disallow evaluates true, then exp is forbidden to take on any of the specified value in vals. Otherwise, the check ensures exp takes on only the specified value in vals. Default = 0.

bw

Number of bits in the signal being tested (exp) and each element of the specified vector of values (val). Default = 2.

exp

Signal or expression being tested.

vals

A bitvector of concatenated values that the signal being tested (exp) must evaluate to.

For example, if bw = 3,  $no\_vals = 2$ , and the values are 3'b000 and 3'b110 then the value bound to the vals port should be 6'b000\_110.

## **Assumptions**

no vals > 0 (and the vals bitvector should have the correct size.)

#### **Failure Modes**

When disallow = 0, the assertion assert\_value will report failure when exp was not one of the expected values in vals at the time when reset n = 1.

When disallow = 1, the failure of the assertion assert\_value means that at the time when  $reset_n = 1$ , the value of exp was one of the values in vals (which was disallowed).

## **Coverage Modes**

```
cov_level_1_0 (bit 0 set in coverage_level_1)
```

Cover property, value[i].cover\_nb\_of\_exp\_changes, indicates that the exp changed value, when enabled by reset n.

For disallow = 0:

```
cov level 1 1 (bit 1 set in coverage level 1)
```

Cover property, cover\_value, indicates that the exp changed to one of the values specified in vals.

```
cov_level_3_0 (bit 0 set in coverage_level_3)
```

Cover property,

value[i].cover\_nb\_of\_transitions\_to\_each\_vals,
indicates that the exp changed to the i (the value specified).

#### For disallow = 1:

```
cov level 1 1 (bit 1 set in coverage level 1) :
```

Cover property,  $cover_value$ , indicates that the exp changed to any value different from the values specified in vals. There is no Level 3 coverage in this case.

## **Example**

When load is 1, then at posedge clk (default) the 4-bit variable  $control\_reg$  must have one of the four values 0, 1, 3 or 5 (since disallow is 0). Coverage Levels 1 and 3 are enabled.

# Index

| advanced checker assert_arbiter 3-3 assert_bits 3-9 assert_code_distance 3-11 assert_data_used 3-13 assert_driven 3-17 assert_dual_clk_fifo 3-19 assert_fifo 3-24 assert_memory_async 3-30 assert_memory_sync 3-40 assert_multiport_fifo 3-48 assert_nutex 3-55 assert_next_state 3-57 assert_no_contention 3-61 assert_rate 3-66 assert_reg_loaded 3-68 assert_req_ack_unique 3-72 assert_req_requires 3-75 assert_stack 3-79 assert_valid_id 3-84 assert_value 3-89 advanced checkers 3-1 always on edge, test expression checker 2-4 always, test expression monitor 2-2 arbiter checker 3-3 | assert_always_on_edge 2-4 assert_arbiter 3-3 assert_bits 3-9 assert_change 2-7 assert_code_distance 3-11 assert_cycle_sequence 2-11 assert_data_used 3-13 assert_decrement 2-14 assert_delta 2-17 assert_driven 3-17 assert_dual_clk_fifo 3-19 assert_even_parity 2-20 assert_fifo 3-24 assert_fifo_index 2-22 assert_frame 2-27 ASSERT_GLOBAL_RESET, global control 1-3 assert_implication 2-35 assert_increment 2-38 ASSERT_INIT_MSG, global control 1-3 ASSERT_MAX_REPORT_ERROR, global control 1-4 assert_memory_async 3-33 |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| arbiter checker 3-3                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | accort_memory_acyme o co                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |

assert\_memory\_sync 3-40 assert multiport fifo 3-48 change checker 2-7 assert\_mutex 3-55 Checker Library 3-1 assert\_never 2-41 Checker Triggering 1-4 assert\_next 2-43 Checker Triggering, triggering checker 1-4 assert next state 3-57 checkers, basic 2-1 assert no contention 3-61 clock cycle checker 2-80 assert\_no\_overflow 2-46 code distance checker 3-11 assert no transition 2-50 controls, global 1-3 assert no underflow 2-53 COVER ON, global control 1-3 assert odd parity 2-56 coverage levels, definitions 1-7 ASSERT ON, global control 1-3 cycle sequence 2-11 assert\_one\_cold 2-58 cycle timing checker 2-43 assert one hot 2-61 assert\_packet flow 3-64  $\Box$ assert proposition 2-63 assert\_quiescent\_state 2-65 data used checker 3-13 assert range 2-68 decrement test expression monitor 2-14 assert rate 3-66 delta, test expression monitor 2-17 assert reg loaded 3-68 driven, bit checker 3-17 assert req ack unique 3-72 dual\_clk\_fifo 3-19 assert reg requires 3-75 dual clk fifo, queue checker 3-19 assert stack 3-79 assert\_time 2-71 F assert transition 2-74 edge expr, shared syntax 3-2 assert unchange 2-77 even parity checker 2-20 assert valid id 3-84 assert value 3-89 assert width 2-80 F assert\_win\_change 2-83 fifo, queue checker 3-24 assert win unchange 2-86 fifo index 2-22 assert window 2-88 assert zero one hot 2-91 G B Global Controls 1-3 Global Controls. Basic Checkers 2-1 ASSERT GLOBAL RESET 1-3 bit, assert checker 3-9 Global Controls, ASSERT INIT MSG 1-3 Global Controls, ASSERT\_MAX\_REPORT\_ERROR 1-4 Global Controls, ASSERT\_ON 1-3 Global Controls, COVER\_ON 1-3 Global Controls, SVA\_CHCKER\_NO\_MESSAGE 1-4 Global Controls, SVA\_CHECKER\_INTERFACE 1-4

## Н

handshake checker 2-31 header file 1-2 hold\_value checker 3-30

## I

ID checker 3-84 implication checker 2-35 increment checker 2-38 interface, SVA 1-4

## I

levels, coverage 1-7 library 3-1 library, location 1-2

## M

memory\_async checker 3-33 memory\_sync checker 3-40 multiport\_fifo, queue checker 3-48 mutex checker 3-55

## N

next, cycle timing checker 2-43 next\_state. transition checker 3-57 no contenction checker 3-61 no transition checker 2-50 no underflow checker 2-53 no\_overflow checker 2-46

# 0

odd parity checker 2-56 one cold, bit checker 2-58 one hot bit checker 2-61 OVL-like checker assert always 2-2 assert always on edge 2-4 assert change 2-7 assert cycle sequence 2-11 assert\_decrement 2-14 assert delta 2-17 assert even parity 2-20 assert fifo index 2-22 assert frame 2-27 assert handshake 2-31 assert\_implication 2-35 assert increment 2-38 assert never 2-41 assert next 2-43 assert no overflow 2-46 assert\_no\_transition 2-50 assert no underflow 2-53 assert odd parity 2-56 assert\_one\_cold 2-58 assert one hot 2-61 assert proposition 2-63 assert\_quiescent\_state 2-65 assert range 2-68 assert time 2-71 assert transition 2-74 assert unchange 2-77 assert width 2-80 assert win change 2-83 assert win unchange 2-86 assert window 2-88 assert zero one hot 2-91

## P

packet flow checker 3-64

proposition test expression checker 2-63

## Q

queue checker 3-19, 3-24, 3-48 quiescent state checker 2-65

## R

range checker 2-68
rate checker 3-66
reg\_loaded checker 3-68
req and ack signals 2-31
req\_ack\_unique checker 3-72
req\_requires checker 3-75

## S

stack checker 3-79
start event checker 2-83, 2-86, 2-88
start expression checker 2-71
SVA\_CHCKER\_NO\_MESSAGE, global control 1-4
SVA\_CHECKER\_INTERFACE, global control 1-4
syntax, shared 3-2
syntax, shared elements 1-6
SystemVerilog, use mode 1-9

## Τ

templates 3-1

test expression monitor 2-2 timing, cycle checker 2-27 transition checker 2-74, 3-57 triggering checkers 1-4

## U

unchange, start event checker 2-77 units 3-1
Use Mode in SystemVerilog 1-9
Use Mode in VHDL 1-10
Use Mode, Verilog 1-5
Use Mode, VHDL 1-10

## V

valid\_id checker 3-84 value checker 3-89 Verilog, use mode 1-5 VHDL use mode 1-10

## W

width, clock cycle checker 2-80 win\_change, start event checker 2-83 win\_unchange, start event checker 2-86 window, start event checker 2-88

# Z

zero\_one\_hot, bit assert checker 2-91