#### COMS30026 Design Verification # Assertion-based Verification Kerstin Eder Trustworthy Systems Laboratory https://www.bristol.ac.uk/engineering/research/trustworthy-systems-laboratory/ #### What is an assertion? - An assertion is a statement that a particular property is required to be true. - A property is a Boolean-valued expression, e.g. in SystemVerilog. - Assertions can be checked either during simulation or using a formal property checker. #### What is an assertion? - An assertion is a statement that a particular property is required to be true. - A property is a Boolean-valued expression, e.g. in SystemVerilog. - Assertions can be checked either during simulation or using a formal property checker. - Assertions have been used in SW development for a long time. - assert.h in standard library of C #include <assert.h> - C preprocessor macro assert() - Used to detect NULL pointers, out-of-range data, ensure loop invariants, pre- and post-conditions, etc. #### Assertions in C code ``` 1 #include <stdio.h> 2 #include <assert.h> int mysquare(int n) { int s = 0; int i = 0; int k = 0; /* assertion variable to count the number of times in the loop */ 9 assert (n >= 0); // Pre-condition to catch invalid input 11 assert (s == k*n && i==k); // Invariant to catch mistaken variable initialisation, e.g. i != 0 or s != 0 12 13 while (i < n) { 14 s = s + n; 15 i = i + 1; 16 k = k + 1; assert ((s == k*n) && (i==k)); // Invariant to catch errors in the loop computation 17 18 19 } 20 21 assert (k == n); // Post-condition to catch a mistaken final state of the loop 22 23 assert (s == k*n && i==k); // Invariant to catch errors in the loop computation 24 25 assert (s == n * n); // Check desired post-condition 26 27 return s; 28 } 29 30 31 int main() { 32 int n = -4; 33 int square = 0; 34 35 printf("n = %d\n", n); square = mysquare(n); 36 37 printf("n^2 = %d\n", square); 38 39 return 0; ``` #### Assertions in C code ``` 1 #include <stdio.h> 2 #include <assert.h> 4 int mysquare(int n) { int s = 0: int i = 0; int k = 0; /* assertion variable to count the number of times in the loop */ assert (n >= 0); // Pre-condition to catch invalid input 10 assert (s == k*n && i==k); // Invariant to catch mistaken variable initialisation, e.g. i != 0 or s != 0 11 12 13 while (i < n) { 14 s = s + n; 15 i = i + 1; 16 k = k + 1; assert ((s == k*n) && (i==k)); // Invariant to catch errors in the loop computation 17 18 19 7 20 21 assert (k == n); // Post-condition to catch a mistaken final state of the loop 22 23 assert (s == k*n && i==k); // Invariant to catch errors in the loop computation 24 25 assert (s == n * n); // Check desired post-condition 26 27 return s; 28 } [cskie@it000908:SLIDES$ gcc mysquare.c -o mysquare 29 [cskie@it000908:SLIDES$ ./mysquare 30 31 int main() { n = 4 n^2 = 16 32 int n = -4; 33 int square = 0; cskie@it000908:SLIDES$ gcc mysquare.c -o mysquare 34 [cskie@it000908:SLIDES$ ./mysquare 35 printf("n = %d\n", n); 36 square = mysquare(n); Assertion failed: (n \ge 0), function mysquare, file mysquare.c, y = 0 printf("n^2 = %d\n", square); 37 Abort trap: 6 38 cskie@it000908:SLIDES$ 39 return 0; ``` #### Assertions in C code ``` 1 #include <stdio.h> 2 #include <assert.h> 4 int mysquare(int n) { int s = 0: int i = 0; int k = 0; /* assertion variable to count the number of times in the loop */ assert (n >= 0); // Pre-condition to catch invalid input 10 assert (s == k*n && i==k); // Invariant to catch mistaken variable initialisation, e.g. i != 0 or s != 0 11 12 13 while (i < n) { 14 s = s + n; 15 i = i + 1; 16 k = k + 1; assert ((s == k*n) && (i==k)); // Invariant to catch errors in the loop computation 17 18 19 7 20 21 assert (k == n); // Post-condition to catch a mistaken final state of the loop 22 23 assert (s == k*n && i==k); // Invariant to catch errors in the loop computation 24 25 assert (s == n * n); // Check desired post-condition 26 27 return s; 28 } [cskie@it000908:SLIDES$ gcc mysquare.c -o mysquare 29 [cskie@it000908:SLIDES$ ./mysquare 30 31 int main() { n = 4 n^2 = 16 32 int n = -4; 33 int square = 0; cskie@it000908:SLIDES$ gcc mysquare.c -o mysquare 34 [cskie@it000908:SLIDES$ ./mysquare 35 printf("n = %d\n", n); 36 square = mysquare(n); Assertion failed: (n \ge 0), function mysquare, file mysquare.c, y = 0 printf("n^2 = %d\n", square); 37 Abort trap: 6 38 cskie@it000908:SLIDES$ 39 return 0; ``` #### **HW Assertions** - Combinatorial (i.e. "zero-time") conditions - ensure functional correctness - must be valid at all times - → "The buffer never overflows." - → "The register always holds a single-digit value." - → "The state machine encoding is one hot." #### **HW Assertions** - Combinatorial (i.e. "zero-time") conditions - ensure functional correctness - must be valid at all times - → "The buffer never overflows." - "The register always holds a single-digit value." - → "The state machine encoding is *one hot*." #### Temporal conditions - to verify <u>sequential</u> functional behaviour over a period of time - "The grant signal must be asserted for a single clock cycle." - "A request must always be followed by a grant or an abort within 5 clock cycles." - Temporal assertion languages facilitate specification of temporal properties. - System Verilog Assertions (SVA) - Property Specification Language (PSL) ### The Open Verification Library - Revolution through Foster & Bening's OVL for Verilog in early 2000 - Clever way of encoding a re-usable assertion library originally in Verilog. - 33 assertion checkers - OVL language support for: Verilog, VHDL, PSL, SVA ``` assert_never_logic.v 🗋 🗁 🗐 × 🗐 🦠 🧸 🖺 🖺 🔇 1 // Accellera Standard V2.8.1 Open Verification Library (OVL). 2 // Accellera Copyright (c) 2005-2014. All rights reserved. 5 // ASSERTION `ifdef OVL_ASSERT_ON // 2-STATE wire fire_2state_1; always @(posedge clk) begin if ('OVL_RESET_SIGNAL == 1'b0) begin 14 // OVL does not fire during reset end else beain if (fire_2state_1) begin 17 ovl_error_t(`OVL_FIRE_2STATE,"Test expression is not FALSE"); 19 end 20 end 21 end assign fire_2state_1 = (test_expr == 1'b1); ``` ### The Open Verification Library - Revolution through Foster & Bening's OVL for Verilog in early 2000 - Clever way of encoding a re-usable assertion library originally in Verilog. - 33 assertion checkers - OVL language support for: Verilog, VHDL, PSL, SVA ``` assert_never_logic. 1 // Accellera Standard V2.8.1 Open Verification Library (OVL). 2 // Accellera Copyright (c) 2005-2014. All rights reserved. ifdef OVL_ASSERT_ON // 2-STATE wire fire_2state_1; always @(posedge clk) begin if ('OVL_RESET_SIGNAL == 1'b0) begin 14 // OVL does not fire during reset end else beain if (fire_2state_1) begin ovl_error_t(`OVL_FIRE_2STATE("Test expression is not FALSE" end 20 end end 21 assign fire_2state_1 = (test_expr == 1'b1) ``` ### The Open Verification Library - Revolution through Foster & Bening's OVL for Verilog in early 2000 - Clever way of encoding a re-usable assertion library originally in Verilog. - 33 assertion checkers - OVL language support for: Verilog, VHDL, PSL, SVA - Assertions have now become very popular for Verification, giving rise to Assertion-Based Verification (and also Assertion-Based Design). ``` assert_never_logic 1 // Accellera Standard V2.8.1 Open Verification Library (OVL). 2 // Accellera Copyright (c) 2005-2014. All rights reserved. ifdef OVL_ASSERT_ON // 2-STATE wire fire_2state_1; always @(posedge clk) begin if ('OVL_RESET_SIGNAL == 1'b0) begin 14 // OVL does not fire during reset end else beain if (fire_2state_1) begin ovl_error_t(`OVL_FIRE_2STATE("Test expression is not FALSE end end assign fire_2state_1 = (test_expr == 1'b1); ``` ### OVL is an Accellera Standard http://www.accellera.org/downloads/standards/ovl #### **SAFETY & LIVENESS** ### Safety Properties - Safety: Something bad does not happen - The FIFO does not overflow. - The system does not allow more than one process at a time to modify the shared memory. - Requests are answered within 5 clock cycles. ### Safety Properties - Safety: Something bad does not happen - The FIFO does not overflow. - The system does not allow more than one process at a time to modify the shared memory. - Requests are answered within 5 clock cycles. - More formally: A safety property is a property for which any path violating the property has a finite prefix such that every extension of the prefix violates the property. [Accellera PSL-1.1 2004] Safety properties can be falsified by a finite simulation run. ### Liveness Properties - Liveness: Something good eventually happens - The decoding algorithm eventually terminates. - Every request is eventually acknowledged. - More formally: A liveness property is a property for which any finite path can be extended to a path satisfying the property. [Foster etal.: Assertion-Based Design. 2<sup>nd</sup> Edition, Kluwer, 2010.] #### Liveness Assertion P must eventually be valid after the event occurs. [Credits: Bening & Foster. Principles of Verifiable RTL Design. Kluwer 2001.] #### Liveness Assertion P must eventually be valid after the event occurs. [Credits: Bening & Foster. Principles of Verifiable RTL Design. Kluwer 2001.] Von André Karwath aka Aka -Eigenes Werk, CC BY-SA 2.5, https://commons.wikimedia.org/ w/index.php?curid=103762 Von André Karwath aka Aka -Eigenes Werk, CC BY-SA 2.5, https://commons.wikimedia.org/ w/index.php?curid=103762 ### Liveness Properties - Liveness: Something good eventually happens - The decoding algorithm eventually terminates. - Every request is eventually acknowledged. - More formally: A liveness property is a property for which any finite path can be extended to a path satisfying the property. [Foster etal.: Assertion-Based Design. 2<sup>nd</sup> Edition, Kluwer, 2010.] In theory, liveness properties can only be falsified by an infinite simulation run. - Practically, we often assume that the "graceful end-oftest" represents infinite time. - If the good thing did not happen after this period, we assume that it will never happen, and thus the property is falsified. #### **Bounded Liveness** Assertion P must eventually be valid after the event occurs [Credits: Bening & Foster. Principles of Verifiable RTL Design. Kluwer 2001.] #### **Bounded Liveness** Assertion P must eventually be valid after the start event trigger occurs and before the end event trigger occurs. [Credits: Bening & Foster. Principles of Verifiable RTL Design. Kluwer 2001. #### Invariant #### Invariant Assertion Window: Assertion P is checked and expected to hold after the **start event** occurs and continues to be checked and is expected to hold until the **end event**. [Credits: Bening & Foster. Principles of Verifiable RTL Design. Kluwer 2001.] #### **EXAMPLE OVL CHECKERS** #### ovl\_always Checks that the value of an expression is TRUE. #### **Syntax** #### ovl\_always Checks that the value of an expression is TRUE. #### **Syntax** ALWAYS Error: reg\_a < reg\_b is not TRUE Checks that the value of an expression is TRUE a specified number of cycles after a start event. Checks that the value of an expression is TRUE a specified number of cycles after a start event. #### **y** 1110121 Number of cycles after start\_event is TRUE to wait to check that the value of test\_expr is TRUE. Default: 1. Checks that the value of an expression is TRUE a specified number of cycles after a start event. ``` ovl_next [#(severity level, num cks, check overlapping, check missing start, property_type, msg, coverage_level, clock_edge, reset_polarity, gating_type) ] ``` instance\_name (clock, reset, enable, start\_event, test\_expr, fire); #### Checks that b is TRUE 4 cycles after a is TRUE. Checks that the value of an expression is TRUE a specified number of cycles after a start event. ovl\_next [#(severity level, num cks, check overlapping, check missing start, property\_type, msg, coverage\_level, clock\_edge, reset\_polarity, gating\_type) ] instance\_name (clock, reset, enable, start\_event, test\_expr, fire); #### Checks that b is TRUE 4 cycles after a is TRUE. #### OVL QUICK REFERENCE (www.eda.org/ovl) Last updated: 25th May 2007 | March Marc | | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------| | April Description Descri | | | 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 1.50 | | | 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 2.00 | | | Section Company Comp | | | Auto- | | | Color Colo | | | Section Sect | | | de Copies A placement Service Servic | ger-on-first, 2 ≠rigg er-on-first- | | Column C | | | According to with the first process of the company | | | Septimental control of the o | | | Section 1. Miles in the process of the company with specify place by place of place of the company with a section compa | | | Spies | | | Purpose Purp | _start: 0 =ignore, 1=restart, | | And And Select Selection (Control of Selecti | | | A proposition A promoty (page 1) page 10 | | | The control of co | | | An internal of the proof process proce | | | set doubted of processing processing and processing processing and processing | | | with board of June Control (June Control) Con | | | Opinios of the control contro | | | Signify Fig. 10 and proving your left depth on your depth on your left depth on your depth on your left dept | | | regulations, documents (and particular) and particular (principle) principle) and principle (principle) principle) and principle (principle) principle) and principle (principle) and principle) and principle (principle) and principle) and principle (principle) and principle) and principle (principle) and principle) and principle (principle) and principle) and principle) and principle (principle) and principle) and principle) and principle (principle) and principle) and principle) and principle (principle) and principle) pr | | | Septimized | | | Aprent New Price Pri | | | Services principles on the search of sea | | | | | | Secretary (seed the secretary) level transplaced and process, plead of plea | | | coverage. Joed of Jones, databe Showety, best, with next, count, min, joid, max, point, jops, may coverage loved of Jones by best with min max properly, jops, may coverage loved of Jones by Jones and maximum and properly loved, with properly, jops, may coverage loved of Jones by Jones and maximum maxi | | | All poet, state All poets, st | | | Soverely, look with min. max. properly, long with min. max. properly, long may be present to dook, resid analise, lod, oper, five) Out /ro _ practition Soverely, look with min. max. properly, long may coverage, lovel) Outdook resid analise, lod, oper, five) analise | | | Aboverly, level, with properly, japs, mag coverage level) Sock resid entals, tood, oper for ) Aboverly, level, with properly, japs, mag coverage level) Sock resid entals, tood, oper for ) | | | Assertly, level, with, min, max property, lyss, mag. coverage, level) Clock reset enable, foat, espec, fix to set set, e | | | ingle-Cycle 2. your gold 3. becomety, level, with the property, type, mag coverage, level) 3. becomety, level, with the property, type, mag coverage, level) 3. becomety, level, with the property, type, mag coverage, level) 3. becomety, level, with the property, type, mag coverage, level) 3. becomety, level, levely, level, levely, levely, levely, level, levely, | | | inde-Order St., one Ord Stewnerthy, Next will with property, year, may coverage, level of Stewnerthy, Next will will be property, year, may coverage, level of Stewnerthy, Next will will be property, year, may coverage, level of Stewnerthy, Next will be stated on the control of Stewnerthy, Next will be stated on the control of Stewnerthy, Next will be stated on the control of Stewnerthy, Next will be stated on the stated on the stated of Stewnerthy, Next will be stated on the th | | | you gold Sporety, best with inactive property, fig., mag. coverage, level of sporety, best with property, fig., mag. coverage, level of sporety, best with property, fig., mag. coverage, level of sporety, ma | | | projection by control property, year, many coverage, level) of your proposition of specify year with a specific or property, year, many coverage, level) of your proposition of specify year, with year property, year, many coverage, level) of your proposition of specify year, with year property, year, many coverage, level) of your proposition of specify, year, with year, ye | old) | | Treat of proposition of cycles of cycles of cycles of powerly, level (width, start gourne, and, coverage, level) of cycles of cycles of cycles of powerly, level (width, start gourne, and, coverage, level) of cycles of lipsourity, level (width, start gourne, and, coverage, level) of lipsourity, level (width, start gourne, and, count, property, lyps, mag, coverage, level) of lipsourity, level (width, start gourne, and, count, property, lyps, mag, coverage, level) of lipsourity, level (width, start gourne, and, count, property, lyps, mag, coverage, level) of lipsourity, level (width, start gourne, and, count, property, lyps, mag, coverage, level) of lipsourity, level (width, start gourne, and, count, property, lyps, mag, coverage, level) of lipsourity, level (width, start gourne, and, level) of lipsourity, level (width, start gourne, and, level) of lipsourity, level (width, start gourne, level) of lipsourity, level (width, start gourne, and, level) of lipsourity, level (width, start gourne, level, width, start gourne, level (width, level) of lipsourity, level, width, start gourne, level (width, level) of lipsourity, level, width, level, level (width, level) of lipsourity, level, | ara) | | of Cycles of Javanety, Javanethy, Javanethy | | | Asswerty, level, with min.max property, type, mag. coverage, level) Operation Operatio | ND_OF_SMULATION) | | Accessed with source data within a specified time window dock resist, and governity. Seed, the specified time window dock resist, and governity. Seed in the specified time window dock resist, and governity. Seed in the specified time window dock resist, and governity. Seed in the specified time window dock resist, and resist and the specified time window dock resist, and the specified time window dock resist, and the specified time window dock resist, and the specified time window dock resist, and the spe | | | Octobe of Javanethy, Jevel, min, piles, mear, piles, meditod, property, Jype, meg. coverage, Jevel) Octobe of Javanethy, Jevel, min, piles, mear, piles, meditod, property, Jype, meg. coverage, Jevel) Octobe of Javanethy, Jevel, min, piles, mear, piles, property, Jype, meg. coverage, Jevel) Octobe of Javanethy, Jevel, min, piles, mear, piles, property, Jype, meg. coverage, Jevel) Octobe of Javanethy, Jevel, min, piles, main, piles, autority, Jype, piles, power, piles, value, property, Jype, meg. coverage, Jevel) Octobe of Javanethy, Jevel, min, piles, autority, Jype, piles, piles | | | Cycles of _spoorty_lyed_min_cles_may_dispensed_poort_type_mag_coverage_level | | | Cycles of James Sewerty, Jevel, width, depth, push, Jatanop, pop, Jatanop | | | Cycles of Jaconity, Jove III. Operation of Sewerity, Jove III. Indicating page I Jaconity, Jove III. Operation of Sewerity, Jove III. Operation of Jaconity, Jaconity Jove III. Operation of Jaconity Jove III. | fled time window | | Octobes of James J | | | Cycles out_inchange severely_level, width, rum_dex_action_on_new_start_property_lype, mag. Cycles out_inchange severely_level, width, rum_dex_action_on_new_start_property_lype, mag. Cycles out_inchange severely_level, width, rum_dex_action_on_new_start_property_lype, mag. Cycles out_inchange severely_level, width, rum_dex_action_on_new_start_property_lype, mag. Cycles out_inchange Cycles out_inchange Cycles out_inchange Cycles out_inchange Aboverty_level, width_mam_dex_action_out_width property_lype, mag. coverage_level) Cycles out_inchange | | | Cycles out_palict_jd aspectively_level_width_main_piss_max_cles, max_indances, max_ind | | | The instance, por jich | | | Cycles ov_yidth Rowardy_beet intr_cles, max_dis, property_type, mag_coverage_level) clack, reset, enable, tode_ope; fiv) but_expr must hold birt-between min_cles and max_dis cycles are bound only win_change Assembly, level, width, property_type, mag_coverage_level) clack, reset, enable, start_severt, but_expr, onct_owert, but_expr must change between start, overt and enit_event and enit_event and enit_event are relevant only window. Alsowerty_type, mag_coverage_level) clack, reset, enable, start_event, but_expr, mad_event, five bust_expr must hold after the start_event and upto (and including) the enit_event. | | | ant-bound only lyin, change alsowerly, livel, width, property, lyes, mag, coverage, lively (dock, result, malde, start_event, lost_evept, and_event, list_evept must change between start_event and end_event fine). Alsowerly, livel, property, lyes, mag, coverage_lovely (dock, result, malde, start_event, lost_evept, and_event, fine) is ut_evept must hold after the start_event and up to (and including) the end_event. | elst | | ant-bound only lyin, change alsowerly, livel, width, property, lyes, mag, coverage, lively (dock, result, malde, start_event, lost_evept, and_event, list_evept must change between start_event and end_event fine). Alsowerly, livel, property, lyes, mag, coverage_lovely (dock, result, malde, start_event, lost_evept, and_event, fine) is ut_evept must hold after the start_event and up to (and including) the end_event. | | | | | | art-bound only-line unchange afseventy-lives width, property-lype, mag coverage level) (clock, reset, enable, start_overt, best_evert, mod_event, best_evert must not change between start_event and end_event finition. | | | | | | agle-Cycle Carlo Come hot Severify level, width property layer, mag, coverage level (clock, reset enable, text, oper, fre) lest expr must be one-hot or zero, i.e. at most one bits at high | | \* FSM transitions \* X checkers (ovl\_never\_unknown) INPUT ASSUMPTIONS Restricts environment \*Range limits e.g. cache sizes \* Stability e.g. cache sizes \* Handshaking sequences \* No back-to-back regs Examples \* One hot inputs \* Bus protocol PARAMETERS USINGOVL DESIGN ASSERTIONS severity level +define+OVL\_ASSERT\_ON Monitors internal signals & Outputs 'OVL\_FATAL +define+OVL\_MAX\_REPORT\_ERROR=1 'OVL\_ERROR +define+OVL\_INIT\_MSG Examples +define+OVL\_INIT\_COUNT=<bench>.ovl\_init\_count 'OVL\_WARNING \* One hot FSM 'OVL\_INFO \* Hit default case items +libext+.v+.vlib \* FIFO / Stack property\_type 'OVL\_ASSERT -y < OVL\_DIR >/std\_ovl \* Counters (overflow/increment) +incdir+<OVL\_DIR>/std\_ovl http://www.accellera.org downloads/standards/ovl | PYFE NAME PROSPORT OF A STANDARY | | | | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------|--|--| | Single-Cycle Ovl_starce Ovl_ | | | | | Two Cycles Out_poles_pound Two Cycles Out_poles_pound Two Cycles Out_poles_pound Two Cycles Out_poles_pound Two Cycles Two Cycles Out_poles_pound Two Cycles Out_poles_pound Two Cycles Out_poles_pound Two Cycles Out_poles_pound Two Cycles Out_poles_pound Two Cycles Out_poles_pound Two Cycles Out_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_poles_ | | | | | Two Cycles Ovi_porter_stands Two Cycles Ovi_porter_stands Two Cycles Ovi_porter_stands Ovi_porter_stan | | | | | Two Cycles | | | | | Event-bound ovl_memory_async Event-bound Event-bound | | | | | PRO partness should never overflose or underflose Ext. operf, fine) Initial Section on the product of the section of the partness should never overflose or underflose Ext. operf, fine) Initial Section on the product of the section of the partness should never overflose or underflose Cycles Oxf. fine) Initial Section on the partness should never overflose or underflose of the section of the partness should never overflose or underflose Cycles Oxf. fine) Initial Section on the partness should never overflose or underflose of the section sectio | | | | | Cycles Out_production | | | | | Event-bound ovi_memory_sync ovi_monory_sync ovi_memory_sync ovi_memory | | | | | Event-bound September Se | | | | | Includes oil percentage, it must increment by the value parameter (module 2*vidth) str. ren, ractic, ridital, assures the integrity of accesses to an asynchronous memory field, exprict accesses to an asynchronous memory field, exprict accesses to an asynchronous memory field accesses to an asynchronous memory field accesses to an asynchronous memory field accesses to an exprinned accesse | | | | | thick and out_mamory_seyro thick and out_mamory_seyro thick and out_mamory_seyro the bound out_mamory_seyro the bound out_mamory_seyro that _addr, end_addr, end free) are uses the integrity of accesses to an asynchronous memory free) are uses the integrity of accesses to an asynchronous memory free) are uses the integrity of accesses to an asynchronous memory free) are uses the integrity of accesses to an asynchronous memory free) are uses the integrity of accesses to an asynchronous memory free) are uses the integrity of accesses to an asynchronous memory free) are uses the integrity of accesses to an asynchronous memory free) are uses the integrity of accesses to an asynchronous memory free) are uses the integrity of accesses to an asynchronous memory free) are uses the integrity of accesses to an asynchronous memory free) are uses the integrity of accesses to an asynchronous memory free) are used to free integrity of accesses to an asynchronous memory free) are used to free integrity of accesses to an asynchronous memory free) are used to free integrity of accesses to an asynchronous memory free) are used to free integrity of accesses to an asynchronous memory free) are used to free integrity of accesses to an asynchronous memory free) are used to free integrity of accesses to an asynchronous memory free) are used to free integrity of accesses to an asynchronous memory free) are used to free integrity of accesses to an asynchronous memory free) are used to free integrity of accesses to an asynchronous memory free) are used to free integrity of accesses to an asynchronous memory free) are used to free integrity of accesses to an asynchronous memory free integrity of accesses to an asynchronous memory free integrity of accesses to an asynchronous memory free integrity of accesses to an asynchronous memory free integrity of accesses to an asynchronous memory free integrity of accesses to an asynchronous memory free integrity of accesses to an asynchronous me | | | | | ovi_multiport_fito ovi_multiport_fito q_data_dag_data_full, oncures data integrity of a FFO with multiple enqueue and deque ports, and checks underflow and overflow ec-Cycle ovi_mutax s) overwreshaft the bits of an expression are multiple overbready ovi_mutax s) stat_expr_mutar to warhold | | | | | In-Cycles OVI_rnuitiport_IIIO | | | | | a) test, ever more a burn representation and a second | | | | | | | | | | (4, oper two) in set, swermer water on a number on water up and to oper any oper in the set, swermer on a number on water on a number on water on a number of the set, swermer on a number on water on a number of the set, swermer on a number of the set, swermer on a number of the set, swermer on a number of the set, swermer | | | | | lost_expr. fire) test_expr. must hold num_disc cycles after start_event holds | | | | | Single-Cycle ov_mutex state ov_contention bund ov_most_state, fine) arrange is operation transitions only to specified contention rules | | | | | Cycles Out_no_overflow Out_no_transition Single-Cycle Ovt_never Ovt Indiana (state next, state s | | | | | | | | | | Cyclos to Journ June Trade (only in the metry of a left, oper it at finit in the nect cycle lest, oper trade that in the nect cycle lest, oper trade that in the nect cycle lest, oper trade that in the nect cycle lest, oper trade that in the nect cycle lest, oper trade that in the nect cycle lest, oper trade that it is sent to the lest less that the interest of lest is sent to the interest or lest less that it is less that the interest or less that the interest or less that it is | | | | | Solid Design Desi | | | | | out_placeort_eas Out_placeort | | | | | | | | | | cities ovi_raq_ack_unique of an ape citied time window req_follower; and are a very request receives a corresponding acknowledge in a specified time window req_follower; answers that every request went in blates a validing quest-response event sequence that if inshes within a specified time window | | | | | Event-bound ovl_next_state use the data integrity of a stack and ensures that the stack does not overfore or underflow | | | | | bisd_corpt. (fine) bisd_corpt must hold for num_clist cycles after start_event (action_cor_new_start: 0-4gnore, 1-re-start, 2-errorr) | | | | | cycles ovil_transition (test_exprchanges from start_state, then it can only change to next_state | | | | | yolas ovi_unchange | | | | | , fra) Ds do not record of specified families. | | | | | tyl total, your must hold firbidulus mini_das and max_das cycles | | | | | Two Cycles ovi_no_overflow Two cycles Tw | | | | | TWO Cycles ovI_no_transition but_expr. and_exert. but_expr. and_exert but_expr. and_exert. but_expr. and_exert. but_expr. and_exert. | to st_expr must not change between start_event and end_event | | | | de Cycle 244 zero, one into | | | | | APAMETERS Eventify_level Two Cycles ovl_no_underflow Outputs Restricts environment Outputs Restricts environment | | | | | | | | | | Ole lights | | | | | Single-Cycle ovl_one_cold Single-Cycle ovl_one_cold *Range limits e.g. cache sizes *Stability *St | org 🗐 | | | | OVL ASSERT No and the second of o | | | | | OVL_ASSUME +inodir+ <ovl_dir>/std_ovl *FSM transitions *Handshaking sequences downloads/standards</ovl_dir> | | | | | OVL_IGNORE *X checkers (ovi_never_unknown) *Bus protocol #X descriptive string | s/ovl → | | | # WHERE DO ASSERTIONS COME FROM? #### Who writes the assertions? ### Implementation Assertions - Also called "design" assertions. - Specified by the designer. - Encode designer's assumptions. - → Interface assertions: - Catch different interpretations between individual designers. - Conditions of design misuse or design faults: - detect buffer over/under flow - detect buffer read & write at the same time when only one is allowed - Implementation assertions can detect discrepancies between design assumptions and implementation. - But implementation assertions won't detect discrepancies between functional intent and design! (Remember: Verification Independence!) ### **Specification Assertions** - Also called "intent" assertions - Often high-level properties. - Specified by architects, verification engineers, IP providers, standards. - Encode expectations of the design based on understanding of functional intent. - Provide a "functional error detection" mechanism. - Supplement error detection performed by selfchecking testbenches. - Instead of using (implementing) a monitor and checker, in many cases writing a block-level assertion can be much simpler. #### End of Part I COMS30026 Design Verification ## Assertion-based Verification Kerstin Eder Trustworthy Systems Laboratory https://www.bristol.ac.uk/engineering/research/trustworthy-systems-laboratory/