



by Sutherland HDL, Inc., Portland, Oregon





Presented by Stuart Sutherland Sutherland HDL, Inc. www.sutherland-hdl.com © 2006 by Sutherland HDL, Inc. Portland, Oregon All rights reserved






# Why Is Using SystemVerilog Assertions Important?


- It's a verification technique that is embedded in the language
  - Gives "white box" visibility into the design
- Enables specifying design requirements with assertions
  - Can specify design requirements using an executable language
- Enables easier detecting of design problems
  - In simulation, design errors can be automatically detected
    - Error reports show when error occurred with insight as to why
  - Formal analysis tools can prove that the model functionality does or does not match the assertion
    - Can generate "counter-examples" (test cases) for assertion failures
- Enables constrained random verification with coverage
  - Assertions can be used to report how effective random stimulus was at covering all aspects of the design

# What is Formal Verification?

Formal verification can statically (without using simulation) ...

- Exhaustively prove that design functionality complies with the assertions about that design
- Find corner case bugs in complex hardware
  - It is not necessary to write a testbench to cover all possible behaviors
- Demonstrate functional errors with counterexamples
  - A counterexample is a test case that causes an assertion failure
  - Formal tools can automatically create counterexamples
- Hybrid formal verification tools (such as Synopsys Magellan):
  - Combine random simulation with formal verification
  - Higher capacity than purely formal techniques
  - Better state-space coverage than random simulation alone






































# **An Assertions Test Plan Example**

#### RAM assertions

| Functionality to Verify                                                   | Assertion<br>Type | Assigned To |
|---------------------------------------------------------------------------|-------------------|-------------|
| !rdN and !wrN are mutually exclusive                                      | invariant         | design team |
| address never has any X or Z bits when reading from or writing to the RAM | invariant         | design team |
| data never has any X or Z bits when reading from or writing to the RAM    | sequential        | design team |

#### Program Counter assertions

| Functionality to Verify                                                                                 | Assertion<br>Type | Assigned To       |
|---------------------------------------------------------------------------------------------------------|-------------------|-------------------|
| load and increment are mutually exclusive                                                               | invariant         | design team       |
| If increment, then d input never has any X or Z bits                                                    | invariant         | design team       |
| If !load and !increment, then on posedge of clock, pc does not change (must allow for clock-to-q delay) | sequential        | verification team |
| If increment, then pc increments by 1 (must allow for clock-to-q delay)                                 | sequential        | verification team |
| If load, then pc == d input (must allow for clock-to-q delay)                                           | sequential        | verification team |
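
The Program Counter rows of this plan can be written as concurrent assertions in a small checker module. This is an added example, not code from the original slides: the module name `pc_checker`, the `WIDTH` parameter and the `clk`/`rstN` ports are assumptions, while `load`, `increment`, `d` and `pc` are the names used in the plan.

```systemverilog
// Added example, not from the original slides. Module name, WIDTH and the
// clk/rstN ports are assumptions; load, increment, d and pc are from the plan.
module pc_checker #(parameter int WIDTH = 16) (
  input logic             clk,
  input logic             rstN,        // active-low reset (assumed)
  input logic             load,
  input logic             increment,
  input logic [WIDTH-1:0] d,
  input logic [WIDTH-1:0] pc
);
  // Invariant: load and increment are mutually exclusive
  property p_pc_mutex;
    @(posedge clk) disable iff (!rstN) !(load && increment);
  endproperty
  ap_pc_mutex: assert property (p_pc_mutex);

  // Invariant: if increment, d has no X or Z bits
  property p_pc_d_known;
    @(posedge clk) disable iff (!rstN) increment |-> !$isunknown(d);
  endproperty
  ap_pc_d_known: assert property (p_pc_d_known);

  // Sequential checks use |=> so pc is compared one clock later: sampled
  // values are taken just before each edge, which allows for clock-to-q delay.
  property p_pc_hold;   // !load and !increment: pc does not change
    @(posedge clk) disable iff (!rstN)
      (!load && !increment) |=> pc == $past(pc);
  endproperty
  ap_pc_hold: assert property (p_pc_hold);

  property p_pc_incr;   // increment: pc increments by 1 (wraps at WIDTH bits)
    @(posedge clk) disable iff (!rstN)
      increment |=> pc == $past(pc) + WIDTH'(1);
  endproperty
  ap_pc_incr: assert property (p_pc_incr);

  property p_pc_load;   // load: pc takes the d value present at the load edge
    @(posedge clk) disable iff (!rstN)
      load |=> pc == $past(d);
  endproperty
  ap_pc_load: assert property (p_pc_load);
endmodule
```

A checker like this can be attached to the program counter with a `bind` statement, which keeps the verification team's assertions out of the design source.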

# **An Assertions Test Plan Example**


#### ALU assertions

| Functionality to Verify                                                                   | Assertion<br>Type | Assigned To       |
|-------------------------------------------------------------------------------------------|-------------------|-------------------|
| After reset, the A input never has any X or Z bits                                        | invariant         | design team       |
| After reset, the B input never has any X or Z bits                                        | invariant         | design team       |
| After reset, the opcode input never has any X or Z bits                                   | invariant         | design team       |
| All instructions are decoded                                                              | unique case       | design team       |
| zbit is always set if result == 0                                                         | invariant         | verification team |
| zbit is never set if result != 0                                                          | invariant         | verification team |
| xbit is always set if a mathematical operation results in overflow or underflow           | invariant         | verification team |
| xbit is never set if a mathematical operation does not result in an overflow or underflow | invariant         | verification team |
| xbit is never set for non-arithmetic operations                                           | invariant         | verification team |
| If load, then pc == d (must allow for clock-to-q delay)                                   | sequential        | verification team |




# **Assertion Plan Example 1: Assertions on ALU Inputs**


#### ALU design engineer assertions example

| Functionality to Verify                                 | Assertion<br>Type | Assigned To |
|---------------------------------------------------------|-------------------|-------------|
| After reset, the A input never has any X or Z bits      | invariant         | design team |
| After reset, the B input never has any X or Z bits      | invariant         | design team |
| After reset, the opcode input never has any X or Z bits | invariant         | design team |
| All instructions are decoded                            | unique case       | design team |

```systemverilog
always_comb begin
  // Check that inputs meet design assumptions (no X or Z bits)
  ai_a_never_x:   assert (^a !== 1'bx);
  ai_b_never_x:   assert (^b !== 1'bx);
  ai_opc_never_x: assert (^opcode !== 1'bx);

  unique case (opcode) // "unique" verifies all opcodes
    // decode and execute operations
  endcase
end
```

Design engineer assertions are simple to add, and can greatly reduce hard-to-find errors!




































# **Assertion Plan Example 4: Assertions on the State Machine**

#### FSM verification engineer assertions example

| Functionality to Verify                            | Assertion<br>Type | Assigned To       |
|----------------------------------------------------|-------------------|-------------------|
| State is always one-hot                            | invariant         | verification team |
| If !resetN (active low), state RESET               | invariant         | verification team |
| If in DECODE state, prior state was RESET or STORE | sequential        | verification team |

```systemverilog
property p_fsm_onehot; // FSM state should always be one-hot
  @(posedge clk) disable iff (!rstN) $onehot(state);
endproperty
ap_fsm_onehot: assert property (p_fsm_onehot);

property p_fsm_reset; // verify asynchronous reset to RESET state
  @(posedge clk) !rstN |-> state == RESET;
endproperty
ap_fsm_reset: assert property (p_fsm_reset);

property p_fsm_decode_entry; // verify how DECODE state was entered
  @(posedge clk) disable iff (!rstN) state == DECODE |->
    $past(state) == RESET || $past(state) == STORE;
endproperty
ap_fsm_decode_entry: assert property (p_fsm_decode_entry);
```

Concurrent assertions can be used to verify coverage too!


















