

# Timing Diagrams for Accellera Standard OVL V1.8

Mike Turpin / ARM 18<sup>th</sup> October 2006

# **Contents**

- **§** Introduction to OVL
  - **S** Types of OVL
  - **S OVL Release History & Major Changes**

```
    pre-Accellera
    v1.0
    v1.1, v1.1a, b
    v1.5
    v1.6
    v1.7
    v1.8
    Aug 2005
    Dec 2005
    Mar 2006
    July 2006
    Oct 2006
```

- **Introduction to Timing Diagrams** 
  - **S** Timing Diagram Syntax & Semantics
  - **S** Timing Diagram Template
- S OVL Timing Diagrams (alphabetical order)



# Types of OVL Assertion

Combinatorial

**Combinatorial Assertions** 

s assert\_proposition, assert\_never\_unknown\_async

Single-Cycle

Single-cycle Assertions

s assert\_always, assert\_implication, assert\_range, ...

2-Cycles

Sequential over 2 cycles

s assert\_always\_on\_edge, assert\_decrement, ...

*n*-Cycles

Sequential over num\_cks cycles

s assert\_change, assert\_cycle\_sequence, assert\_next, ...

**Event-bound** 

Sequential between two events

s assert\_win\_change, assert\_win\_unchange, assert\_window



# OVL Release History and Major Changes

- pre-Accellera, April 2003
  - S Verilog updated in April, but VHDL still October 2002
- § v1.0, July 2005
  - S Changed: assert\_fifo\_index (no longer uses property\_type in functionality)
- § v1.1, August 2005
  - S New: assert\_never\_unknown
  - S Changed:
    - § assert\_implication: antecendent\_expr typo fixed
    - s assert\_change: window length fixed to num\_cks
- § v1.1a, August 2005
  - § Fixed: assert\_width
- v1.1b, August 2005 (minor updates to doc)



# OVL Release History and Major Changes

- § v1.5, December 2005
  - § New:
    - S Preliminary PSL support
    - S `OVL\_IGNORE property\_type
  - § Fixed: assert\_always\_on\_edge (startup delayed by 1 cycle)
- § v1.6, March 2006
  - S New: assert\_never\_unknown\_async
- § v1.7, July 2006
  - S Consistent X Semantics & Coverage Levels
  - S PSL support
- § v1.8, Oct 2006
  - **Bug fixes**



# **Contents**

```
§ Introduction to OVL
```

- **Types of OVL**
- **SOUR Release History & Major Changes**

```
    pre-Accellera Apr 2003
    v1.1 July 2005
    v1.1a, b Aug 2005
    v1.5 Dec 2005
    v1.6 Mar 2006
    v1.7 July 2006
    v1.8 Oct 2006
```

# **Introduction to Timing Diagrams**

- **S** Timing Diagram Syntax & Semantics
- **S** Timing Diagram Template
- **S** OVL Timing Diagrams (alphabetical order)



# Introduction: OVL Timing Diagram



## Introduction: Verification of Assertion



Imagine sliding the timing diagram, pipeline style, over each simulation cycle ...

... if all conditions match, then all requirements must hold.



Simulation *might* show this failure, but only if stimulus covers back-to-back REQs.

Formal Verification would never pass this, and should show the failure with a short debug trace.



# **Template**





# **Contents**

```
§ Introduction to OVL
```

- **Types of OVL**
- **SOUR Release History & Major Changes**

```
    pre-Accellera Apr 2003
    v1.1 July 2005
    v1.1a, b Aug 2005
    v1.5 Dec 2005
    v1.6 Mar 2006
    v1.7 July 2006
    v1.8 Oct 2006
```

# **Introduction to Timing Diagrams**

- **S** Timing Diagram Syntax & Semantics
- **Timing Diagram Template**
- S OVL Timing Diagrams (alphabetical order)



#### assert\_always

#(severity\_level, property\_type, msg, coverage\_level)
ul (clk, reset\_n, test\_expr)

#### test\_expr must always hold

Single-Cycle



assert\_always will also *pessimistically* fail if test\_expr is X

Can disable failure on X/Z via:

`define OVL\_XCHECK\_OFF



#### assert\_always\_on\_edge

#(severity\_level, edge\_type, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, sampling\_event, test\_expr)

test\_expr is true immediately following the edge specified by the edge\_type parameter

2-Cycles

| ASSERT forall t. conditions imply | assert_always_on_edge #(0,1) |       | Rising |
|-----------------------------------|------------------------------|-------|--------|
| requirements                      | t                            | t + 1 |        |
| sampling_event                    |                              |       |        |
| test_expr                         |                              |       |        |
| clk                               |                              |       |        |

| ASSERT forall t. conditions imply | assert_always_on_edge #(0,2) |       | Fallin<br>edge |
|-----------------------------------|------------------------------|-------|----------------|
| requirements                      | t                            | t + 1 |                |
| sampling_event                    |                              |       |                |
| test_expr                         |                              |       |                |
| clk                               |                              |       |                |

| ASSERT forall t. conditions imply requirements | assert_always<br>_on_edge<br>t | edge_type=0 (default is no edge) |
|------------------------------------------------|--------------------------------|----------------------------------|
| test_expr                                      |                                | Identical to assert_always       |

| ASSERT forall t. conditions imply | assert_always_on_edge #(0,3) |         | Any |
|-----------------------------------|------------------------------|---------|-----|
| requirements                      | t                            | t + 1   |     |
| sampling_event                    | , ,<br>*SE                   | != SE@t |     |
| test_expr                         |                              |         |     |



#### assert\_change

#(severity\_level, width, num\_cks, action\_on\_new\_start, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, start\_event, test\_expr)

test\_expr must change within num\_cks cycles of start\_event

*n*-Cycles



num\_cks=5
-action\_on\_new\_start=0
(`OVL\_IGNORE\_NEW\_START)

Will pass if test\_expr changes at *any* cycle: t+1, t+2, ..., t+num\_cks Fails if test\_expr is stable for all num\_cks cycles.

### **Differs to April 2003**

From OVL version 1.0 the check window spans the entire num\_cks-1 cycles.

#### r\_state (auxiliary logic)



Auxiliary logic necessary, to *ignore* new start.

Checking only begins after start\_event is true and r\_state==START.



#(severity\_level, width, num\_cks, action\_on\_new\_start, property\_type, msg, coverage\_level)
u1 (clk, reset n, start event, test expr)

test\_expr must change within num\_cks cycles of start\_event

*n*-Cycles



num\_cks=5
action\_on\_new\_start=1
(`OVL\_RESET\_ON\_NEW\_START)

extra condition on start\_event

"reset on new start" timing diagram does not require auxiliary logic (see note 2).

### **Differs to April 2003**

From OVL version 1.0 the check window spans the entire num\_cks-1 cycles.



#(severity\_level, width, num\_cks, action\_on\_new\_start, property\_type, msg, coverage\_level)
u1 (clk, reset n, start event, test expr)

test\_expr must change within num\_cks cycles of start\_event

*n*-Cycles



num\_cks=5
action\_on\_new\_start=2
(`OVL\_ERROR\_ON\_NEW\_START)

├ requirement on start\_event



"error on new start" requires **two timing diagrams**, with 2<sup>nd</sup> being the same as "reset on new start"

### **Differs to April 2003**

From OVL version 1.0 the check window spans the entire num\_cks-1 cycles.



num\_cks=5
action\_on\_new\_start=2
(`OVL\_ERROR\_ON\_NEW\_START)

condition on start\_event



#### assert\_cycle\_sequence

#(severity\_level, num\_cks, necessary\_condition, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, event\_sequence)

If the initial sequence holds, the final sequence must also hold (final is 1-cycle or N-1 cycles)

*n*-Cycles



num\_cks=3
-necessary\_condition=0
(`OVL\_TRIGGER\_ON\_MOST\_PIPE)

Both timing diagrams are pipelined. They do not require any auxiliary logic.

num\_cks=3 necessary\_condition=1 (`OVL\_TRIGGER\_ON\_FIRST\_PIPE)



#### assert\_cycle\_sequence

#(severity\_level, num\_cks, necessary\_condition, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, event\_sequence)

If the initial sequence holds, the final sequence must also hold (final is 1-cycle or N-1 cycles)

*n*-Cycles



num\_cks=3
-necessary\_condition=2
(`OVL\_TRIGGER\_ON\_FIRST\_NONPIPE)

#### r\_state (auxiliary logic)



Need auxiliary logic, to *ignore* subsequent event\_seq[num\_cks-1] when non-pipelined.



#### assert\_decrement

#(severity\_level, width, value, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, test\_expr)

If test\_expr changes, it must decrement by the value parameter (modulo 2<sup>width</sup>)

2-Cycles





#### assert\_delta

#(severity\_level, width, min, max, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, test\_expr)

If test\_expr changes, the delta must be min and max

2-Cycles



If test\_expr changes value by delta D ...

... then delta D must be within min/max limits

test\_expr is both a condition and requirement at t+1. Hence it appears on two rows.



#### assert\_even\_parity

#(severity\_level, width, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, test\_expr)

test\_expr must have an even parity, i.e. an even number of bits asserted.

Single-Cycle





#### assert\_fifo\_index

#(severity\_level, depth, push\_width, pop\_width, property\_type, msg, coverage\_level, simultaneous\_push\_pop)
ul (clk, reset\_n, push, pop)

FIFO pointers should never overflow or underflow.

2-Cycles

| ASSERT forall t. conditions imply | assert_fi  | fo_index    |                       |
|-----------------------------------|------------|-------------|-----------------------|
| requirements                      | t          | t + 1       |                       |
| push                              | (*H;       |             |                       |
| рор                               | /\<br>(*P/ |             |                       |
| cnt                               | (*C}       | C+H-P depth | } Should not overflow |
| cnt                               | C+H < P    |             | Should not underflow  |
| clk                               |            |             |                       |

The counter "cnt" changes by a (push-pop) delta every cycle.

If simultaneous\_push\_pop is low, there is an additional check to ensure that push and pop are not both >1



#(severity\_level, min\_cks, max\_cks, action\_on\_new\_start, property\_type, msg, coverage\_level)
ul (clk, reset\_n, start\_event, test\_expr)

test\_expr must not hold before min\_cks cycles, but must hold at least once by max\_cks.

*n*-Cycles



min\_cks>0, max\_cks=0 action\_on\_new\_start=0 (`OVL\_IGNORE\_NEW\_START)

Shows min\_cks>0 and max\_cks=0 (no upper limit). Only checks that test\_expr stays low up until t+(min\_cks-1).

#### r\_state (auxiliary logic)



Auxiliary logic necessary, to *ignore* new rising edge on start\_event. The \$rose syntax indicates high now but low in previous cycle.



#(severity\_level, min\_cks, max\_cks, action\_on\_new\_start, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, start\_event, test\_expr)

test\_expr must not hold before min\_cks cycles, but must hold at least once by max\_cks.

*n*-Cycles



min\_cks=0, max\_cks>0 action\_on\_new\_start=0 (OVL\_IGNORE\_NEW\_START)

### r\_state (auxiliary logic)



Important to have test\_expr@t==1'b0 condition. Avoids extra checking if test\_expr already holds at time t.



#(severity\_level, min\_cks, max\_cks, action\_on\_new\_start, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, start\_event, test\_expr)

test\_expr must not hold before min\_cks cycles, but must hold at least once by max\_cks.

*n*-Cycles



### r\_state (auxiliary logic)





#(severity\_level, min\_cks, max\_cks, action\_on\_new\_start, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, start\_event, test\_expr)

test\_expr must not hold before min\_cks cycles, but must hold at least once by max\_cks.

*n*-Cycles



#### r\_state (auxiliary logic)



Auxiliary logic also necessary for "reset on new start", but counter resets to 1 on new rising edge of start\_event.



#(severity\_level, min\_cks, max\_cks, action\_on\_new\_start, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, start\_event, test\_expr)

test\_expr must not hold before min\_cks cycles, but must hold at least once by max\_cks.

*n*-Cycles



#### rose\_start\_event (auxiliary logic)



"error on new start"
has an additional
requirement from t+1
(no new rising edge
on start\_event).



#### assert handshake

#(severity\_level, min\_ack\_cycle, max\_ack\_cycle, req\_drop, deassert\_count, max\_ack\_length,
 property\_type, msg, coverage\_level) u1 (clk, reset\_n, req, ack)

req and ack must follow the specified handshaking protocol

*n*-Cycles



assert\_handshake is highly configurable. This timing diagram shows the most common usage.

Consider splitting up more complex uses into multiple OVL (simplifies formal property checking).



#### assert\_implication

#(severity\_level, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, antecedent\_expr, consequent\_expr)

If antecedent\_expr holds then consequent\_expr must hold in the same cycle

Single-Cycle

| ASSERT<br>forall t.<br>conditions imply | assert_<br>implication |
|-----------------------------------------|------------------------|
| requirements                            | t                      |
| antecedent_expr                         |                        |
| consequent_expr                         |                        |
| clk                                     |                        |

Assertion will only fail if consequent\_expr is low when antecedent\_expr holds.

Assertion will trivially pass if conditions do not occur i.e. if antecedent\_expr=0.



#### assert\_increment

#(severity\_level, width, value, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, test\_expr)

If test\_expr changes, it must increment by the value parameter (modulo 2<sup>width</sup>)

2-Cycles





#### assert never

#(severity\_level, property\_type, msg, coverage\_level)
ul (clk, reset\_n, test\_expr)

#### test\_expr must never hold

Single-Cycle



assert\_never will also pessimistically fail if test\_expr is X

Can disable failure on X/Z via: `define OVL\_XCHECK\_OFF



#### assert\_never\_unknown

#(severity\_level, width, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, qualifier, test\_expr)

test\_expr must never be at an unknown value, just boolean 0 or 1.

Single-Cycle



Often used as an explicit X-checking assertion



#### assert\_never\_unknown\_async

#(severity\_level, width, property\_type, msg, coverage\_level)
u1 (reset\_n, test\_expr)

test\_expr must never go to an unknown value asynchronously (must stay boolean 0 or 1).

Combinatorial



This is the asynchronous version of the clocked assert\_never\_unknown.



#(severity\_level, num\_cks, check\_overlapping,check\_missing\_start, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, start\_event, test\_expr)

test\_expr must hold num\_cks cycles after start\_event holds

N Cycles



num\_cks=1
check\_overlapping=1
check\_missing\_start=0



num\_cks=1 ≻check\_overlapping=0 check\_missing\_start=0

├ requirement on start\_event

With check\_overlapping at 0, assertion will error if there is a subsequent start\_event.



#(severity\_level, num\_cks, check\_overlapping,check\_missing\_start, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, start\_event, test\_expr)

test\_expr must hold num\_cks cycles after start\_event holds

N Cycles

| ASSERT forall t. conditions imply | assert_next #(0,1,1,1) |       |
|-----------------------------------|------------------------|-------|
| requirements                      | t                      | t + 1 |
| start_event                       |                        |       |
| test_expr                         |                        |       |

num\_cks=1 ≻check\_overlapping=1 check\_missing\_start=1

condition on start\_event



"check missing start" requires **two timing diagrams**, which together form an *if-and-only-if* check.

| ASSERT forall t. conditions imply | assert_next #(0,1,1,1) |       |
|-----------------------------------|------------------------|-------|
| requirements                      | t                      | t + 1 |
| start_event                       |                        |       |
| test_expr                         |                        |       |

num\_cks=1 -check\_overlapping=1 -check\_missing\_start=1

condition on test\_expr



#### assert\_no\_overflow

#(severity\_level, width, min, max, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, test\_expr)

If test\_expr is at max, in the next cycle test\_expr must be > min and max

2-Cycles



Example can check that a 3-bit pointer cannot do a wrapping increment from 7 back to 0.

The min and max values do not need to span the full range of test\_expr.



#### assert\_no\_transition

#(severity\_level, width, property\_type, msg, coverage\_level)
ul (clk, reset\_n, test\_expr, start\_state, next\_state)

If test\_expr equals start\_state, then test\_expr must not change to next\_state

2-Cycles

| ASSERT forall t. conditions imply | assert_no_transition |               |
|-----------------------------------|----------------------|---------------|
| requirements                      | t                    | t + 1         |
| test_expr                         | start_state          | != next_state |
| clk                               |                      |               |



#### assert\_no\_underflow

#(severity\_level, width, min, max,property\_type, msg, coverage\_level)
u1 (clk, reset\_n, test\_expr)

If test\_expr is at min, in the next cycle test\_expr must be min and < max

2-Cycles



Example can check that a 3-bit pointer cannot do a wrapping decrement from 0 to 7.

The min and max values do not need to span the full range of test\_expr.



### assert\_odd\_parity

#(severity\_level, width, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, test\_expr)

test\_expr must have an odd parity, i.e. an odd number of bits asserted.





#### assert\_one\_cold

#(severity\_level, width, inactive, property\_type, msg, coverage\_level)
ul (clk, reset\_n, test\_expr)

# ${\tt test\_expr} \; {\tt must} \; {\tt be} \; {\tt one-cold}, \; {\tt i.e.} \; {\tt exactly} \; {\tt one} \; {\tt bit} \; {\tt set} \; {\tt low}$

Single-Cycle

| ASSERT forall t. conditions imply | assert_<br>one_cold | inactive=  `OVL_ONE_COLD |
|-----------------------------------|---------------------|--------------------------|
| requirements                      | t                   |                          |
| test_expr                         | one_cold            |                          |
| clk                               |                     |                          |

Unlike one\_hot and zero\_one\_hot, just one configurable OVL is used for one\_cold.

| ASSERT forall t. conditions imply | assert_<br>one_cold | inactive= `OVL_ALL_ZEROS |
|-----------------------------------|---------------------|--------------------------|
| requirements                      | t                   |                          |
| test_expr                         | 0   one_cold        |                          |
| clk                               |                     |                          |



### assert\_one\_hot

#(severity\_level, width, property\_type, msg, coverage\_level)
ul (clk, reset\_n, test\_expr)

 ${\tt test\_expr} \ \textbf{must} \ \textbf{be} \ \textbf{one-hot}, \ \textbf{i.e.} \ \textbf{exactly} \ \textbf{one} \ \textbf{bit} \ \textbf{set} \ \textbf{high}$ 

| ASSERT forall t. conditions imply requirements | assert_<br>one_hot<br>t |
|------------------------------------------------|-------------------------|
| test_expr                                      | one_hot                 |
| clk                                            |                         |



### assert\_proposition

#(severity\_level, property\_type, msg, coverage\_level)
u1 (reset\_n, test\_expr)

test\_expr must hold asynchronously (not just at a clock edge)

Combinatorial

| ASSERT forall t. conditions imply requirements | assert<br>_proposition<br>t |
|------------------------------------------------|-----------------------------|
| test_expr                                      |                             |
|                                                | NOT<br>CLOCKED              |

This is an asynchronous version of the clocked assert\_always



#### assert\_quiescent\_state

#(severity\_level, width, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, state\_expr, check\_value, sample\_event)

state\_expr must equal check\_value on a rising edge of sample\_event

2-Cycles



Can also be checked on rising edge of:

OVL\_END\_OF\_SIMULATION
Used for extra check at simulation end.

Can *just* trigger at end of simulation by setting sample\_event to 1'b0 and defining:

OVL\_END\_OF\_SIMULATION



#### assert\_range

#(severity\_level, width, min, max, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, test\_expr)

test\_expr must be min and max





#### assert time

#(severity\_level, num\_cks, action\_on\_new\_start, property\_type, msg, coverage\_level)
u1 (clk, reset n, start event, test expr)

test\_expr must hold for num\_cks cycles after start\_event

*n*-Cycles



num\_cks=5
action\_on\_new\_start=0
(`OVL\_IGNORE\_NEW\_START)

Only passes if test\_expr is high for *all* cycles: t+1, t+2, ..., t+num\_cks
Fails if test\_expr is low in any of these cycles.

## **r\_state** (auxiliary logic)





#(severity\_level, num\_cks, action\_on\_new\_start, property\_type, msg, coverage\_level)
ul (clk, reset n, start event, test expr)

test\_expr must hold for num\_cks cycles after start\_event

*n*-Cycles



num\_cks=5
action\_on\_new\_start=1
(`OVL\_RESET\_ON\_NEW\_START)

For assert\_time, "reset on new start" effectively perfoms pipelined checking (see note 2).



num\_cks=5
action\_on\_new\_start=2
(`OVL\_ERROR\_ON\_NEW\_START)

├ requirement on start\_event



#### assert\_transition

#(severity\_level, width, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, test\_expr, start\_state, next\_state)

If test\_expr changes from start\_state, then it can only change to next\_state

2-Cycles



test\_expr can remain in start\_state (in which case the condition at t+1 does not hold).

If test\_expr changes from start\_state ...

... it can only change into next\_state

test\_expr is both a condition and requirement at t+1. Hence it appears on two rows.



#### assert unchange

#(severity\_level, width, num\_cks, action\_on\_new\_start, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, start\_event, test\_expr)

test\_expr must not change within num\_cks cycles of start\_event

*n*-Cycles



num\_cks=5
action\_on\_new\_start=0
(`OVL\_IGNORE\_NEW\_START)

Only passes if test\_expr is stable for *all* cycles: t+1, t+2, ..., t+num\_cks
Fails if test\_expr changes in any of these cycles.

## r\_state (auxiliary logic)



Need auxiliary logic to be able to *ignore* new start. Checking only begins after start\_event is true and r\_state==START.



#(severity\_level, width, num\_cks, action\_on\_new\_start, property\_type, msg, coverage\_level)
ul (clk, reset n, start event, test expr)

test\_expr must not change within num\_cks cycles of start\_event

*n*-Cycles



num\_cks=5
action\_on\_new\_start=1
(`OVL\_RESET\_ON\_NEW\_START)

For assert\_unchange "reset on new start" is *pipelined* checking. Don't need auxiliary logic to express this



num\_cks=5
action\_on\_new\_start=2
(`OVL\_ERROR\_ON\_NEW\_START)

├ requirement on start\_event



#### assert\_unchange

#(severity\_level, width, num\_cks, action\_on\_new\_start, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, start\_event, test\_expr)

test\_expr must not change within num\_cks cycles of start\_event

*n*-Cycles

| ASSERT for all t.             | INCOMPLETE #1: assert_unchange #(0,32,5,0) // ignore new start |                                            |   |                                      |             |
|-------------------------------|----------------------------------------------------------------|--------------------------------------------|---|--------------------------------------|-------------|
| conditions imply requirements | t - num_cks                                                    | <b>←</b> - <i>all</i> <b>w1</b> =0(num-1)> | t | <b>←all w2</b> =0(num-1) <b>&gt;</b> | t + num_cks |
| start_event                   |                                                                |                                            |   |                                      |             |
| test_expr                     |                                                                |                                            | \ | test_expr                            | @t          |
| clk                           |                                                                |                                            |   |                                      |             |



Both timing diagrams are incomplete for "ignore new start", as start\_event=0 will mask some errors!



#(severity\_level, min\_cks, max\_cks, property\_type, msg, coverage\_level)
u1 (clk, reset n, test expr)



Exactly min cks cycles



(page 2 of 2)

#(severity\_level, min\_cks, max\_cks, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, test\_expr)

test\_expr must hold for between min\_cks and max\_cks cycles

*n*-Cycles



| ASSERT forall t. conditions imply | assert_width #(0,4,6) // min>1 and max>min |       |              |             |                          |                          |
|-----------------------------------|--------------------------------------------|-------|--------------|-------------|--------------------------|--------------------------|
| requirements                      | t                                          | t + 1 | ← all w1 →   | t + min_cks | <b>←</b> any <b>w3</b> → | t + 2 + w1 + w3          |
| test_expr                         |                                            |       |              |             |                          |                          |
|                                   |                                            | (     | 0(min_cks-2) |             | 0(max-min)               | De-assert by t+max_cks+1 |

#### assert\_win\_change

#(severity\_level, width, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, start\_event, test\_expr, end\_event)

test\_expr must change between start\_event and end\_event

**Event-bound** 



Will pass if test\_expr changes at *any* cycle during window: t+1, ...
Fails if test\_expr is stable for all cycles after start.

## **r\_state** (auxiliary logic)





#### assert\_window

#(severity\_level, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, start\_event, test\_expr, end\_event)

test\_expr must hold after the start\_event and up to (and including) the end\_event

**Event-bound** 



# r\_state (auxiliary logic)





#### assert\_win\_unchange

#(severity\_level, width, property\_type, msg, coverage\_level)
u1 (clk, reset\_n, start\_event, test\_expr, end\_event)

test\_expr must not change between start\_event and end\_event

**Event-bound** 



# r\_state (auxiliary logic)





#### assert\_zero\_one\_hot

#(severity\_level, width, property\_type, msg, coverage\_level)
ul (clk, reset\_n, test\_expr)

test\_expr must be one-hot or zero, i.e. at most one bit set high

| ASSERT forall t. conditions imply | assert_<br>zero_one_hot |  |  |
|-----------------------------------|-------------------------|--|--|
| requirements                      | t                       |  |  |
| test_expr                         | 0   one_hot             |  |  |
| clk                               |                         |  |  |

