

Norwegian University of Science and Technology
Department of Electronics and Telecommunication

# TFE4171 Design of Digital Systems 2

Exercise sets 3 and 4

# **Formal Verification of Digital Systems**

**Lab Tutorial** 

Dominik Stoffel Wolfgang Kunz TU Kaiserslautern, Germany

### **Overview**

- OneSpin 360MV
  - GUI
  - Setup
  - Module Verification

SystemVerilog Assertions (SVA) summary

### **Classical Verification Approach**

### Simulation

- set up a test bench
- create test patterns manually or write a pattern generator
- pattern analysis is not fully automated
- one can examine only a small number of patterns
- runtime limitations



### **Formal Verification**

# **Property Checking**

- no testbench needed
- create a set of properties
- diagnostic output is generated automatically in case of a failing property
- same as automatic, exhaustive simulation
- much faster than exhaustive simulation



## **Supported Modes**

setup mode

module verification (MV)

consistency check (CC)

equivalence checking (EC)



• onespin always starts in the setup mode

- load a VHDL design
- elaborate the design

 switch to the other modes for property checking (MV) or consistency checking (CC)

### **Getting Started**

 Start the GUI by typing "onespin" in a command shell.



### **Setup Mode**

🍕 OneSpin 360 (R) - Database "default" 🥮

### usage modes



#### source files

#### Tcl shell



# **Change Working Directory**

Change working directory to current project subdirectory, e.g., projects/dff.



### loading VHDL files (I):



## reading VHDL files (II):



### elaborate and compile the VHDL design



switch to MV mode:



 Verify formally that a module implements a specified behavior.

• The behavior is described by a set of properties.

Interval Property Checking (IPC)

### Formal Verification – Flow



### **Unreachable Counterexamples**



#### load assertions

**Assertion list** 

warning and error messages are shown in the TCL shell



### load assertions



prove assertions

An assertion can either hold or fail



# Assertion fails (I):

- select assertion
- start the debugger



analyze the counterexample



# **SystemVerilog Assertions (SVA)**

### **Overview**

### What is SVA?

- SystemVerilog Assertions (SVA) is a subset of SystemVerilog.
- It is a property (assertion) language describing design behaviors.
- It is suitable to express temporal design behaviors.
- It can be inserted into the HDL code or formulated in a standalone file.

### Why do we need SVA?

- Verification using HDL is difficult
  - A request is granted exactly in two clock cycles

```
always @(posedge clk) begin
   if (req == 1'b1) cnt <= 1;
   else if (cnt == 1)
        cnt <= cnt + 1;
   else if (cnt == 2) begin
        if (grant == 1'b1)
        $display("request granted");
        else
        $display("request not granted")
   end
end</pre>
```

```
assert property (@(posedge clk) req |-> ##2 grant)
```

# Why do we need SVA?

- Improve bug detection
- Improve the quality of the verification code
- SVA is an IEEE standard, and supported by tools (simulative or formal) from different vendors
- Systematic verification methodology

### **Property vs Assertion**

- In SVA
  - A property is a formal description of some behavior of your design
  - An assertion is a directive to a verification tool to prove the validity of a given property.
- Some people use both notions to refer to the formal description. In this lab we also do so if the context is clear.

### **Immediate Assertions vs. Concurrent Assertions**

- An immediate assertion is a non-temporal expression executed in a procedural code.
- It behaves like a procedural if statement and is evaluated when the control flow reaches the assertion.

```
assert (boolean expression) [action block]
```

- mostly useful in simulation flow.
- In our lab we focus only on concurrent assertions.

### Immediate Assertions vs. Concurrent Assertions

- A concurrent assertion is a temporal expression and usually controlled by a clock.
- It is evaluated at the occurrence of the clock tick.

```
assert property (@(posedge clk) req |-> ##2 grant)
```

### **Assertion Overview**

assert, assume, cover

properties

sequences

Boolean expressions

### **Boolean Expressions**

comparators

- operands
  - design variables, literal constants
  - function calls returning values
- Boolean operators

Boolean constants

NON-zero value, 0

### **Sequences**

- support formulating sequential behavior
- usually consist of Boolean expressions separated by cycle delays (##)

a ##2 b ##0 !c



## Sequences (cycle delay range)

• ##[m:n], where m and n are constants and n>m

```
a ##[0:2] b ##0 !c
```

```
either
a ##0 b ##0 !c
or
a ##1 b ##0 !c
or
a ##2 b ##0 !c
```

### **Sequences (repetition)**

consecutive repetition[\*]

specify repetition range[\*m:n]

```
either
a ##1 'true ##0 !c

or
a ##1 b ##0 !c

or
a ##1 b ##1 b ##0 !c
```

Note: 'true is not a keyword, but you may define it in Verilog syntax like this: 'define true 1

### Named sequences

```
Basic syntax:
    sequence identifier[formal arguments];
        [variable declaration]
        sequence expressions;
    endsequence
```

```
Example:
    sequence myseq;
    a ##1 b[*2] ##1 c;
    endsequence
```

### **Sequence operators**

AND operation

```
s1 and s2;
// s1 and s2 must match
```

OR operation

```
s1 or s2;
// s1 matches or s2 matches
```

- Note: s1 and s2 start at the same time
- NOT operation

```
not s1;
// inverts s1
```

### **Sequence operators (example)**

```
sequence s1;
 a ##1 b ##0 c;
endsequence
sequence s2;
 d ##1 e;
endsequence
sequence s3;
 s1 and s2;
endsequence
```



Quiz: what ist the difference between the sequences "s1 and s2" and "s1 ##0 s2"?

### **Properties**

# **Properties (implicator)**

Overlapped implicator

a ##2 b ##[1:3] b |-> c





a ##2 b ##[1:3] b |=> c



### Quiz



### System functions (e.g., \$past)

refer to the value of a signal in the past

other system functions: \$onehot, \$onehot0,
 \$isunknown, \$rose, \$fell, \$stable

### **Properties (define local variables)**

```
property data_transfer;
    logic data_tmp;
    (valid_i, data_tmp = data_i) |=>
    ##2 (data_o == data_tmp);
endproperty
```

• The value of data\_i is "frozen", i.e., stored in the temporary variable data\_tmp when valid\_i is active.

**Attention**: Note the difference between assignment (=) and comparator (==)

#### **ASSERT** statement

 assert is a directive to the verification tool instructing it to <u>verify</u> that a given property is valid at all times.

```
label: assert property (@(posedge clk) myproperty);
```

 SVA provides a mechanism to disable an assertion during active reset (disable iff)

### **ASSUME** statement / Environment constraints

 assume is a directive to the verification tool instructing it to <u>assume</u> that a given property is valid at all times.

```
label: assume property (@(posedge clk) myproperty);
```

- All concurrent assertions are verified only for the scenarios (i.e., the input sequences to the design) for which the assumed properties hold.
- This allows formulating environment constraints.

### **Property module and BIND statement**

encapsulate your properties in one module as verification IP

```
module myip(a,b,c);
input logic a,c;
input logic[2:0] b;
// sequences
// properties
// assert directive
endmodule
```

bind the verification IP to your RTL design

```
bind mydesign myip inst_my_ip(.*);

// explicit port mapping: by name (.a(HW_a),.b(HW_b))

// (.*) can only be used if the interfaces of your

// verification IP have the same names as the signals

// in the design.
```

### **Example: Verifying a FIFO**

 The following two requirements need to be fullfilled by a synchronous FIFO:

- The full and empty flags cannot be active at the same time.
- If there is no write operation on the FIFO then the content of FIFO is not altered.

# **Example (cont.)**

```
module fifo property(clk,reset,full,empty,
        wr valid, mem);
input logic clk;
input logic reset;
input logic full,empty;
input logic wr valid;
              //indicates a write action
input logic [7:0] mem;
property requirement 1;
!(full == 1'b1 && empty == 1'b1);
endproperty
// continued on next slide
```

### **Example (cont.)**

```
// continued from previous slide
property requirement 2;
wr valid == 1'b0 |=> $stable(mem);
endproperty
inst1:assert property(@(posedge clk)
  disable iff (reset) requirement 1);
inst2:assert property(@(posedge clk)
  disable iff (reset) requirement 2);
endmodule
bind fifo fifo property fifo property inst(.*);
```

### **Further advanced syntax**

Eduard Cerny, Surrendra Dudani, John Havlicek,
 Dmitry Korchemny:

The Power of Assertions in SystemVerilog Springer, 2010

Srikanth Vijayaraghavan, Meyyappan Ramanathan:
 A Practical Guide for SystemVerilog Assertions
 Springer, 2005

Search the web for "systemverilog assertions tutorial"