
Assertion-Based Verification

Introduction to SVA
Harry Foster
Chief Scientist Verification
info@verificationacademy.com | www.verificationacademy.com

Session Overview
After completing this session you will...
- Learn the structure of the SVA language
- Learn how to construct sequences
- Learn how to construct properties

2014 Mentor Graphics Corporation, all rights reserved.

Specifying Design Intent


Assertions allow us to specify design intent
in a way that lends itself to automation
[Figure: Arbiter block diagram with inputs clk, reset_n, req0, req1 and outputs grant0, grant1]

// Assert that the grants for our simple arbiter are mutually exclusive

Identifying the Error Condition


For our arbiter example, we can write a Boolean
expression for the error condition, as follows:
[Figure: Arbiter block diagram with inputs clk, reset_n, req0, req1 and outputs grant0, grant1]

(grant0 & grant1) // error condition

Checking the Error Condition before Assertions


Doesn't lend itself to automation.
module arbiter (clk, rst_n, req0, req1, grant0, grant1);
  ...
  always @(posedge clk or negedge rst_n) begin
    if (rst_n != 1'b0)       // skip the check while in reset
      if (grant0 & grant1)   // error condition (Boolean expression)
        $display("ERROR: Grants not mutex");
    ...
  end
endmodule

IEEE 1800 SystemVerilog Mutex Example


grant0 and grant1 must be mutually exclusive
[Waveform: clk, grant0, grant1, error]

assert property ( @(posedge clk) disable iff (~rst_n) !(grant0 & grant1));

SVA Language Structure


- Assertion Units: checker packaging
- Directives: assert, assume, cover
- Properties: specification of behavior, desired or undesired
- Sequences (Sequential Expressions): how Boolean events are related over time
- Boolean Expressions: true or false

SVA Language Structure


assert property (@(posedge clk) disable iff (~rst_n)
    !(grant0 & grant1));

[Figure: the SVA layers (Assertion Units, Directives, Properties, Sequences, Boolean Expressions) shown beside a waveform of clk, rst_n, !(grant0 & grant1) and error]


SVA Language Structure


SVA provides a mechanism to
asynchronously disable a property during a
reset using the SVA disable iff clause

assert property (@(posedge clk) disable iff (~rst_n)
    !(grant0 & grant1));

SVA Language Structure


Sequences
So far we have examined simple assertions
- A Boolean expression must hold at every clock
We now introduce SVA sequences
- Multiple Boolean expressions are evaluated in a linear order of increasing time

SVA Language Structure


Sequence
Temporal delay ## with integer

start ##1 transfer


[Waveform: clk, start, transfer]

SVA Language Structure


Sequence
Temporal delay ## with integer

start ##2 transfer


[Waveform: clk, start, transfer]

SVA Language Structure


Sequence
Temporal delay ## with range [m:n]

start ##[0:2] transfer


[Waveform: clk, start, transfer]


SVA Language Structure


Sequence
Consecutive repetition [*m] or range [*m:n]
Use $ to represent infinity

start[*2] ##1 transfer


[Waveform: clk, start, transfer]

SVA Language Structure


Sequence
Consecutive repetition [*m] or range [*m:n]
Use $ to represent infinity

start[*1:2] ##1 transfer


[Waveform: clk, start, transfer]


SVA Language Structure


Sequence
Consecutive repetition [*m] or range [*m:n]
Use $ to represent infinity

start[*1:2] ##1 transfer


[Waveform: clk, start, transfer]

Note: This also matches the sequence specification!!!!

SVA Language Structure


Sequence
Non-consecutive repetition [=m] or [=m:n]

start[=2] ##1 transfer


[Waveform: clk, start, transfer]

[*0:$] represents zero to infinity

start[=2] is equivalent to
!start[*0:$] ##1 start ##1 !start[*0:$] ##1 start ##1 !start[*0:$]

SVA Language Structure


Sequence
Goto non-consecutive repetition [->m] or [->m:n]

start[->2] ##1 transfer


[Waveform: clk, start, transfer]

[*0:$] represents zero to infinity

start[->2] is equivalent to
!start[*0:$] ##1 start ##1 !start[*0:$] ##1 start
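
The difference between the [=m] and [->m] expansions above, as an added example that is not part of the original slides: on a constructed trace where transfer arrives three clocks after the second start pulse, the [=2] cover is hit and the [->2] cover is not. The module name, counters and stimulus are assumptions made for illustration.

```systemverilog
// Added example: constructed trace, not from the original slides.
// start pulses twice; transfer arrives three clocks after the second pulse.
module tb_repetition;
  logic clk = 0, start = 0, transfer = 0;
  int   nonconsec_hits = 0, goto_hits = 0;

  always #5 clk = ~clk;

  // [=2] ends with an implicit !start[*0:$], so idle clocks may separate
  // the second start from transfer.
  c_nonconsec: cover property (@(posedge clk) start[=2] ##1 transfer)
    nonconsec_hits++;

  // [->2] ends exactly on the second start, so transfer must be sampled
  // on the very next clock.
  c_goto: cover property (@(posedge clk) start[->2] ##1 transfer)
    goto_hits++;

  // Signals change on the falling edge so every rising edge samples
  // a stable value.
  initial begin
    @(negedge clk) start = 1;      // first start pulse
    @(negedge clk) start = 0;
    @(negedge clk);                // one idle clock
    @(negedge clk) start = 1;      // second start pulse
    @(negedge clk) start = 0;
    repeat (2) @(negedge clk);     // two idle clocks before transfer
    transfer = 1;
    @(negedge clk) transfer = 0;
    repeat (2) @(negedge clk);
    $display("[=2] cover hits: %0d, [->2] cover hits: %0d",
             nonconsec_hits, goto_hits);
    $finish;
  end
endmodule
```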



SVA Language Structure


Properties

SVA Language Structure


Properties
Overlapping sequence implication operator |->
ready ##1 start |-> go ##1 done
[Waveform: clk, ready, start, go, done]

assert property ( @(posedge clk) ready ##1 start |-> go ##1 done );

SVA Language Structure


Properties
Non-overlapping sequence implication operator |=>
ready ##1 start |=> go ##1 done
[Waveform: clk, ready, start, go, done]

NOTE: A |=> B is the same as A |-> ##1 B

Fair Arbitration Scheme Example


Asserting that an arbiter is fair
To be fair, a pending request for a particular client should never
have to wait more than two arbitration cycles
Otherwise, the arbiter unfairly issued multiple grants to a different
client
[Figure: Arbiter block diagram with inputs req[0], req[1] and outputs gnt[0], gnt[1]]

Fair Arbitration Scheme Example


a_0_fair:
assert property (@(posedge clk) disable iff (!reset_n)
    not ( $rose(req[0]) ##1 (!gnt[0] throughout (gnt[1])[->2])));

[Figure: Arbiter block diagram (req[0], req[1], gnt[0], gnt[1]) and a waveform of clk, req[0], gnt[0], gnt[1]]

SVA Language Structure


Named properties and sequences
- To facilitate reuse, properties and sequences can be declared and then referenced by name
- Can be declared with or without parameters
sequence s_op_retry;
  (req ##1 retry);
endsequence
sequence s_cache_fill(req, done, fill);
  (req ##1 done [=1] ##1 fill);
endsequence

SVA Language Structure


Named properties and sequences
sequence s_op_retry;
  (req ##1 retry);
endsequence
sequence s_cache_fill(rdy, done, fill);
  (rdy ##1 done [=1] ##1 fill);
endsequence
assert property ( @(posedge clk) disable iff (!reset_n)
  s_op_retry |=> s_cache_fill (my_rdy, my_done, my_fill));

SVA Language Structure


Named properties and sequences
property p_en_mutex(en0, en1);
  @(posedge clk) disable iff (~reset_n)
  ~(en0 & en1);
endproperty
assert property (p_en_mutex(en[0], en[1]));

SVA Language Structure


Action blocks
- An SVA action block specifies the actions that are taken upon success or failure of the assertion
- The action block, if specified, is executed immediately after the evaluation of the assert expression
assert property ( @(posedge clk) disable iff (reset)
    !(grant0 & grant1) )
else begin // action block fail statement
  $error("Mutex violation with grants.");
end

SVA Language Structure


System functions
$onehot (<expression>)
- Returns true if exactly one bit of the expression is high
$onehot0 (<expression>)
- Returns true if at most one bit of the expression is high
$isunknown (<expression>)
- Returns true if any bit of the expression is X or Z
- This is equivalent to ^<expression> === 1'bx

SVA Language Structure


System functions
$rose( expression )
$fell( expression )
$stable( expression )
$past( expression [, number_of_ticks] )


The need for $rose system function


You must be precise when specifying!
assert property ( @(posedge clk) start |-> ##2 transfer);

[Waveform: clk, start, transfer]

Eliminates multiple matches


You must be precise when specifying!
assert property ( @(posedge clk)
    $rose(start) |-> ##2 transfer);

[Waveform: clk, start, transfer]

$rose(start) is a shortcut for the sequence !start ##1 start
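
The two slides above, as an added testbench that is not part of the original deck: start is held high for three clocks and transfer pulses once, two clocks after start rises. The level-sensitive assertion starts an attempt on each of the three clocks and fails the two later ones, while the $rose version starts a single attempt that passes. The module name, counters and stimulus are constructed for illustration.

```systemverilog
// Added example: constructed stimulus, not from the original slides.
module tb_rose;
  logic clk = 0, start = 0, transfer = 0;
  int   level_fails = 0, edge_fails = 0;

  always #5 clk = ~clk;

  // Level-sensitive antecedent: a new evaluation attempt starts on every
  // clock at which start is sampled high.
  a_level: assert property (@(posedge clk) start |-> ##2 transfer)
    else level_fails++;

  // Edge-sensitive antecedent: only the clock at which start rises
  // starts an attempt.
  a_edge: assert property (@(posedge clk) $rose(start) |-> ##2 transfer)
    else edge_fails++;

  // Signals change on the falling edge so every rising edge samples
  // a stable value.
  initial begin
    @(negedge clk) start = 1;      // start stays high for three clocks
    repeat (2) @(negedge clk);
    transfer = 1;                  // sampled two clocks after start rose
    @(negedge clk);
    start    = 0;
    transfer = 0;
    repeat (4) @(negedge clk);     // let the pending attempts complete
    $display("level-sensitive failures: %0d, $rose failures: %0d",
             level_fails, edge_fails);
    $finish;
  end
endmodule
```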



Introduction to SVA
Some assertions require additional modeling code in addition to the assertion constructs

[Figure: FIFO Controller block (clk, rst_n, put, get) and FIFO block (clk, rst_n, data_in, data_out, full, empty)]

// Assert that the FIFO controller cannot overflow nor underflow

Introduction to SVA
// assertion modeling code, not part of the design
`ifdef ASSERT_ON
  int cnt = 0;                      // number of entries currently in the FIFO
  always @(posedge clk)
    if (!rst_n)
      cnt <= 0;
    else
      cnt <= cnt + put - get;

  // assert no overflow
  assert property (@(posedge clk) disable iff (!rst_n)
    !((cnt + put - get) > `DEPTH));

  // assert no underflow
  assert property (@(posedge clk) disable iff (!rst_n)
    !((cnt + put) < get));
`endif

SVA Dos and Don'ts

Never assert a sequence!
assert property (@(posedge clk) (req ##1 grnt ##1 done));
This says that at every clock we see req, followed by grnt, followed by done

The correct way to do this is with an implication operator:
assert property (@(posedge clk) (req |=> grnt ##1 done));

It's OK to cover a sequence

It's OK to assert a forbidden sequence using not
assert property (@(posedge clk) not (req ##1 grnt ##1 done));

Session Recap
In this session we discussed. . .
The structure of the SVA language
How to construct sequences
How to construct properties


Training and Consulting Resources


Mentor Graphics Training
Scalable Verification Courses
- A wide range of instructor led classes
- Located in public training centers in major cities or onsite at your workplace
- Web-based events with live instructors are also available.

Mentor Graphics Consulting


Questa Verification Methodology JumpStart
Knowledge-Sourcing Model
- Infuse knowledge into your organization while addressing your immediate
product development challenges

Other Resources
- Assertion-Based Design, Harry Foster, Adam Krolnik, David Lacey, Springer, 2004
- Creating Assertion-Based IP, Harry Foster, Adam Krolnik, Springer, 2008
