Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Abstract—Functional verification is a critical and time- eventually be true, a condition will be true until another fact
consuming task in complex VLSI designs. There are two becomes true, etc.
main challenges to functional verification: the first is to In typical hardware design, there is usually a special
insure that the input stimulus can control the function spots signal called the clock. The entire system synchronizes its
inside the design and the second is to insure that the errors actions along with the clock. Since synchronous design can
can be observed at the design output(s). Over the years, be modeled as Kripke structures (a formal semantics
assertion-based verification techniques have been playing a representing logic systems), researchers often wrote
more important role as part of functional verification specifications in LTL in the early 1980s to express properties
methodologies. In this paper, we provide an overview of such as “hit this state when you receive that signal”. Their
concepts, benefits, languages, and applications of assertion- basic idea is to consider signals as atomic propositions and
based verification. simulation waveform as structures, and thus relations of
signals over clocks can be expressed by LTL formulas.
Keywords—Design verification, assertion-based
verification, assertion languages. B. Formal Verification
Formal verification is the act of proving or disproving the
I. INTRODUCTION correctness of intended algorithms underlying a system with
respect to a certain formal specification or property, using
It is a fact that VLSI designs are getting increasingly more formal methods of mathematics. One approach and formation
complex as times goes on. To maintain a competitive edge in is model checking. This method automatically translates a
marketplace, designers are packing even more logic gates hardware design into symbolic representations of a set of
onto a single chip. Typically, such complex design is formed structures and then proves interesting properties of the design.
by integrating reused blocks or IPs. Such reuse would lead to Another approach is deductive verification. It consists of
a greater challenge in verification. Those blocks function generating from the system and its specifications (and
correctly in old designs, but may fail to work when integrated possibly other annotations) a collection of mathematical proof
together. The new design may violate the assumptions of the obligations, the truth of which imply conformance of the
reused blocks. To insure that new designs meet the specified system to its specification, and discharging these obligations
requirements, any design violations must be found and using either interactive theorem provers, automatic theorem
corrected by verification. provers, or satisfiability modulo theories (SMT) solvers. The
To address the functional verification challenges, growth in complexity of designs increases the importance of
Assertion-Based Verification (ABV) has become a formal verification techniques in the hardware industry.
mainstream methodology [1]. ABV benefits from both
theoretical research on formal methods and industrial practice C. Assertion-based Verification (ABV)
in hardware verification as well as software engineering. Assertion-Based Verification is a methodology for
ABV provides new capabilities in finding bugs, and of most improving the effectiveness of a verification environment.
importance, fits well with existing design and verification Designers use assertions to capture specific design intent and,
flows. With assertion languages standardized and well either through simulation, formal verification, or emulation of
supported by verifications tools, assertions can bring these assertions, verify that the design correctly implements
immediate benefits to most verification projects. that intent.
The paper is organized as follows. In the sections II, we
clarify some basic concepts used in design verification. In III. ADVANTAGES AND INFLUENCES OF ABV
sections III, we explain benefits and effects from assertion-
based verification. In section IV, we introduce three A. Weakness of the traditional verification methods
assertion-based techniques and compare their coverage and Coverage-driven verification is a verification
quality of verification. In section V, we mainly focus on how methodology in which coverage planning precedes the rest of
to implement ABV in the hardware design process. In the the verification process [2]. In this method, test vectors are
final section, we conclude the paper. used to find the errors in the design. The method can notify
the designers that there exist bugs in the design (without
II. BASIC CONCEPTS information about their location). Designers have to look into
the entire system and trace waveforms cycle by cycle in order
A. Linear Temporal Logic (LTL) to find where the bug is located.
In theory, properties are often written as formulas of
linear-time temporal logic (LTL). In LTL, one can encode B. Advantages of ABV
formulas about the future of paths, e.g., a condition will 1. Verification efficiency: Assertions can be verified by
different checking tools both in formal verification or
SVA advanced checkers contains checkers that of abstraction. The low-level layer of PSL, which governs the
generally verify more complex behaviors. These have application domain, can be easily adjusted to many
similar controls to the OVL checkers, but, in addition, applications and design languages. Moreover, the application
they allow selecting the sampling clock edge(s), layer can be even extended or replaced by a different layer to
posedge or negedge. Coverage is also provided. support new applications. In summary, PSL is a multi-
purpose, multi-level, multi-flavor assertion language. In
contrast, SVA is tightly connected to the SystemVerilog
language.
effect. As it is not an enhancement of any language, this metrics need to be measured and what the metrics goals need
library based mechanism has both syntactic and semantic to achieved.
limitations. The assertion statements are basically module
a) Resource logic control: Computation resources, system
instantiation where the actual definition of the assertion is
written in the module. So the future enhancement of the on-chip buses, inter-connections, buffers and memories are
logic structures usually controlled by arbiters and complex
assertion feature will be limited to only the addition of new
port and parameter and also it is not very easy to understand control logic. When creating directed tests for the design,
the meaning and usage of these ports and parameters without verification researchers tend to focus on the high-level
the help of the language reference manual. specifications. They seldom stress the corner cases of these
resource control logic, as a result, some problematic scenarios
are not observed.
Table 1. Comparison of assertion techniques [5]. Properties:
Parameters SVA PSL OVL
Property declaration Y Y Y Ensure the requests are generated correctly based on the
Property check Y Y Y mask, the weight, the credit scheme and so on. This is
Constraint specification Y Y N
Sequential mechanism Y Y Y
done by using procedural descriptions to generate the
Functional coverage Y Y N “glue logic” associated with the corresponding
Clock synchronization Y Y Y assertions.
Immediate assertion Y N N Ensure the arbitration scheme is correct. For
Declaration assertion Y Y N straightforward arbitration schemes (such as round-
Program assertion Y N Y robin, priority, least-recently-used and so on) the arbiter
Built-in function Y Y N checker from an assertion library can be used directly.
Implementation Easy Easy Not easy
Ensure the resource (bus, inter connect, memory) is
addressed by only one master at a time. This can be
PSL, on the other hand, is a totally different language. It done with an assertion language or with the mutex
was not easy to directly encapsulate the whole language checker from an assertion library.
within Verilog and though it is permitted to use the PSL Ensure the resource is de-allocated before it is allocated
constructs directly in the RTL code, it is always used by lot of again. Semaphores lock and release the common
people using pragma mechanism (as an embedded comment resources that do not allow multiple simultaneous
that starts with “PSL”) to keep the RTL design tool accesses. Such locks should be set before an access.
independent of the assertion support.
Methodology:
SystemVerilog is defined as an extension of the Verilog
language including the features of assertion and functional If the design is well modularized (i.e. the targeted control
logic is self-contained), formal model checking can be
coverage. This would help both the designers and the
verification engineers to write tool independent design and applied early even before the simulation environment is
verification modules in the same language without adding ready.
any tool specific pragma or semantics. And moreover this has In a typical system, resources can be requested at any
made both the modules understandable to everyone. It is a time and allocated in any sequence. Verifying all possibilities
pure HDL where both the Hardware Description and its with simulation is tedious (if not impossible). Alternatively,
associated Verification specification (read “design intent”) by capturing the environmental assumptions as assertions,
are covered together. formal model checking can analyze exhaustively all possible
scenarios and detect any potential resource conflict. Once the
V. APPLICATIONS system simulation environment is ready, these assumptions
can be validated in the system environment.
A. Verification hot spots b) Design Interface: Inter-module communication and
Verification hotspots [16] are areas of concern within the interface protocol compliance are infamous for causing a lot
design that are difficult to verify using traditional simulation- of verification failures. When design teams first integrate all
based methodologies. A verification hot spot is typically the blocks together for chip-level simulation, the blocks
difficult to verify because it contains a great number of usually fail to “talk” with each other. To catch this problem
sequential states; it is deeply buried in the design, making it early, assertion-based protocol monitors are added to
difficult to control from the inputs; it has many interactions instrument the on-chip buses and the standard and common
with other state machines and external agents; or it has a lot interfaces.
of the above characteristics. Therefore, a verification hot spot
cannot be completely verified by simulation alone—the Properties:
amount of simulation and the difficulty of creating a Ensure the correctness of the protocol on all of the bus
sufficient input vector set are simply prohibitive. interfaces, especially when there are different modes of
The value of a verification hot spot solution is that it operation. As the popularity of standard assertion
captures and makes explicit the knowledge of how to languages increases, more assertion monitors for
effectively use formal verification and simulation together to standard bus interfaces become available.
fully verify a section of logic [3]. In this way, the expert Ensure the transparency of the interfaces. This property
knowledge of one user can be transmitted to others. This ensures that the interface does not lose transactions. For
knowledge includes such items as how to capture the right example, in a bus bridge design, transactions on the
assertions for a verification hot spot; what mix of formal and master interface should be reflected at the target
simulation analysis is appropriate; what input constraining interface. These requirements can be expressed with an
methodology is effective for the verification hot spot; what assertion language using temporal properties.
examine the bugs found with this methodology, they are all shown in Fig. 4. Therefore to examine if the FSM works
related to complex combinations of events initialized by exactly the same as what the design specification describes is
different data transfers. the key step for its functional verification. The general
verification for a FSM is to assure the transitions between
B. Simulation based SVA verification of UART states are correct and follow the timing requirement.
The work presented in [15] summarizes seven steps of formal
verification planning process, which are demonstrated by
Harry Foster [17]. Because of the disadvantages of formal
verification, simulation is still the main method to do
functional verification currently. To apply this method in
simulation-based verification, we simply reduce and adjust
this method to five steps as follows [4]:
List design interfaces.
List the inside functional spots.
List verification requirement for interface.
Formalize the properties with SVA.
Define coverage spots.
Following the five steps above, we can easily find the
design errors from the waveform window or just from the log
file of the simulation. When it comes to using the SVA to
describe the desired properties, it is quite easy to debug those
errors. This is because every individual assertion has a unique Fig. 4. State transition graph of the UART transmitter.
name, and we usually embed those assertions into different
locations of the source code. By examining the log file, we Table 2 shows the state transitions that need to be
can find both which assertion fails and the exact location of verified. The first row is the current state, while the first
this assertion in the source code. The assertion is close to column indicates the next state. Each check mark indicates a
where the error occurs, thus we can easily find and debug this state transition, which should be verified. Besides those
error. Further, assertions usually are just used in simulation simple pairs of state transitions, extra checks should also be
and do not make up hardware resource, therefore we just add conducted, such as if a complete state transition flow is
as many assertions as possible into the design. performed.
To investigate this method in real designs, we approach it Table 2. State transactions that needed to be verified.
in the functional verification for an RTL model of a universal State transactions Current state
asynchronous receiver/transmitter (UART)—a hardware Other Idle Waiting Sending
module that translates data between parallel and serial forms. Next state Other √
Idle √
a) List the inside functional spots
Waiting √
Fig. 3 depicts the interface signals of the UART Sending √
transmitter, which consists of UART controller, data register,
shift register and count register. In this step of verification,
we consider this design as a “black box”, which means that c) List verification requirement for interface
we do not care about its implementation, while just check
whether the interface signals accord with the requirement of In this step, we list the verification requirements for the
the design specification, especially for the timing interface signals of each module. As to the UART transmitter,
requirement. In this case, we check whether the test bench we check whether it functions well with other blocks sharing
generates valid stimulus for the design under verification. common signals with it. Transmitter is the top module of the
design, thus we examine if the test bench generates valid
input stimulus. To ensure the UART transmitter works
correctly, the test bench should provide control signals in a
proper sequence, as shown in Table 3.
Table 3. Interface signal features to be verified.
Interface Signals and their features
Features Revenant Signals Expected Features
1 Byte_ready, Reset Byte_ready =1 no less than one cycle
after reset is released
2 T_byte, Byte_ready T_byte =1 no less than one cycle
Fig. 3. UART interface model. later when Byte_ready is asserted
3 Load_XML_datareg, When load_XML_datareg is asserted,
b) List the inside functional spots data_bus data_bus must hold valid data
4 … ...
In this step, we list the verification requirements for the
candidate module. These are the properties and the features
inside the module, which need to be verified. One crucial This step is significant especially for a multi-module
component for nearly every design is the control block, which complex design. After the unit level verification, we still need
is also where some vital design errors occur. Thus control a system level verification, and that is why we separate this
block is what we should devote great effort to verify. In the step from previous step. Differentiating interface signals’
UART transmitter, the control block is implemented by FSM,
properties from each other allows us to focus on checking the the simulation or just displaying the fail messages and
coordination/integration of different modules at system level. keeping on the simulation.
d) Formalize the properties with SVA
VI. CONCLUSION
In this step, we convert the natural language requirements
into a set of formal properties using assertion language or In this paper, we discussed assertion-based verification
and its simple application in integrated circuits. Because of
assertion checkers. We can instantiate assertions from library
or express them with assertion language (SVA). the advantages of ABV, verification teams can easily check
the corner cases and locate the design errors. Furthermore,
In the latter case, we describe the functions to be verified assertion coverage reports can be directly used to analyze the
with the combination of several logic events, which can be functional coverage metrics of a design.
described using SVA key word “sequence”. The simplest
logic event is a change on the value of a signal; a logic event We also introduced three kinds of assertion languages and
can also be a change on the value of a Boolean expression. checkers, including SVA, PSL and OVL. Those languages
and checks are widely used in complex VLSI design
Key word “property” in SVA is to represent complex
behaviors of a specific function. Property is the unit being verification processes. At a high level, the choice between
these languages and checkers may depend on interoperability
verified during simulation, and the key word “assert” is used
to check the property. and marketing decisions. Finally, we presented several
applications of ABV.
Fig. 5 shows an example of SVA checker, which is given
valid control signals sequences. First change the checker to REFERENCES
“sending” state, then keep it in this state for several cycles
[1] B. Turumella and M. Sharma, “Assertion-based verification of a 32
and stay in state “idle” at the end. thread spareTM CMT microprocessor”, in DAC 08: Proceedings of
e) Define coverage spots the 45th annual Design Automation Conference. New York, NY,
USA: ACM, 2008, pp. 256-261.
In this step, we define properties as functional coverage [2] Yuan, Jun, Carl Pixley, and Adnan Aziz, “Constraint-based
spots. By using this method, we can analyze the assertion verification” Springer Science & Business Media, 2006.
coverage as an indicator of the functional coverage. [3] Yeung, Ping, and Kenneth Larsen, “Practical assertion-based formal
Typically, there are two functions of an assertion: one is verification for SoC designs.” System-on-Chip, 2005. Proceedings.
2005 International Symposium on. IEEE, 2005.
serving as checker for a specific function; the other is being
[4] Li, Yangyang, et al, “A study on the assertion-based verification of
used for statistical analysis for coverage. To demonstrate this, digital IC,” Information and Computing Science, 2009. ICIC'09.
take the UART for example. We define all the properties Second International Conference on. Vol. 2. IEEE, 2009.
mentioned above as coverage spots. An example of how to [5] Sonny, Ashley T, and S. Lakshmiprabha, “OVL, PSL, SVA: Assertion
describe an assertion and how to define it as a coverage spot based verification using checkers and standard assertion languages.”
is illustrated in Fig. 5. Advanced Computing and Communication Systems (ICACCS), 2013
International Conference on. IEEE, 2013.
We can check whether the transitions between pairs of [6] Eisner C, Shitsevalov I, Hoover R, et al. “A methodology for formal
states are correct, and can also get the information concerning design of hardware control with application to cache coherence
how many of these state transitions are conducted. In fact, protocols”. Proceedings of the 37th Annual Design Automation
this is also a kind of FSM coverage analysis. By analyzing Conference. ACM, 2000: 724-729.
the coverage report, we can judge whether the verification is [7] Y. Wolfsthal, “EU-Sponsored Deployment of PSL”, PSL/Sugar
Consortium Meeting, DATE 04, Feb 2004
sufficient. After defining assertion coverage spots, we can get
[8] Foster, Harry, Kenneth Larsen, and Mike Turpin, “Introduction to the
the statistical analysis of every assertion, such as the number new accellera open verification library.” Proceedings of the
of over all attempts, matches, vacuous matches, and fails. Conference on Design and Automation and Test in Europe: DATE.
Vol. 6. 2006.
[9] Foster, Harry, Kenneth Larsen, and Mike Turpin, “Introduction to the
new accellera open verification library.” Proceedings of the
Conference on Design and Automation and Test in Europe: DATE.
Vol. 6. 2006
[10] Foster, Harry. “Assertion-based verification: Industry myths to
realities (invited tutorial).” Computer Aided Verification. Springer
Berlin Heidelberg, 2008.
[11] Cohen, Ben, Srinivasan Venkataramanan, and Ajeetha Kumari. “Using
PSL/Sugar for formal and dynamic verification: Guide to Property
Specification Language for Assertion-based Verification.” VhdlCohen
Publishing, 2004.
[12] SystemVerilog 3.1a Accellera’s Extensions to Verilog, Accellera,
Napa, California, 2002
[13] Property Specification Language Reference Manual, Accellera,
Version 1.1, 2004
[14] Research.ibm.com. “PSL/Sugar”. N.p., 2016. Web. 29 Feb. 2016.
[15] Ping Yeung and Sundaram Subramanian, “Applying Assertion-Based
Fig. 5. An example of a SVA checker. Formal Verification to Verification Hot Spots”, Mentor Graphics
Technical Library, October 25, 2007
[16] Ping Yeung, “Functional Verification of ARM-based Platform Design
Further, different severity levels can be attached to with Assertion-Based Verification Methodology”, ARM Developers
assertions. If some assertions fail, according to their severity Conference, 2004.
levels, different measures are adopted, such as terminating [17] Harry Foster, “Integrating Formal Verification into a Traditional
Flow”, Mentor Graphics White Paper, 2006.