Intelligent Modeling and Verification 2014View this Special Issue
Research Article | Open Access
Ning Zhou, Xinyan Gao, Jinzhao Wu, Jianchao Wei, Dakui Li, "Groebner Bases Based Verification Solution for SystemVerilog Concurrent Assertions", Journal of Applied Mathematics, vol. 2014, Article ID 194574, 15 pages, 2014. https://doi.org/10.1155/2014/194574
Groebner Bases Based Verification Solution for SystemVerilog Concurrent Assertions
We introduce an approach exploiting the power of polynomial ring algebra to perform SystemVerilog assertion verification over digital circuit systems. This method is based on Groebner bases theory and sequential properties checking. We define a constrained subset of SVAs so that an efficient polynomial modeling mechanism for both circuit descriptions and assertions can be applied. We present an algorithm framework based on the algebraic representations using Groebner bases for concurrent SVAs checking. Case studies show that computer algebra can provide canonical symbolic representations for both assertions and circuit designs and can act as a novel solver engine from the viewpoint of symbolic computation.
SystemVerilog [1, 2] is the most important unified Hardware Description and Verification Language (HDVL) and provides a major set of extensions from the Verilog language with the added benefit of supporting object orientated constructs and assertions feature. SystemVerilog provides special language constructs and assertions, to specify and verify design behavior. An assertion is a statement that a specific condition, or sequence of conditions, in a design is true. In the industry of integrated circuits design, Assertions-based verification (ABV) using SystemVerilog Assertions (SVAs) is now changing the traditional design process. With the help of SVAs, it is easy to formally characterize the design requirements at various levels of abstraction, guide the verification task, and simplify the design of the testbench. Assertions essentially become active design comments, and one important methodology treats them exactly like active design comments.
Moreover, assertions can be attached directly to RTL, working in cycle-precise domain, or they can operate in transactional domain with the help of monitors data extractors. Then, these modular checkers minimize or even eliminate the need of model checkers, which consist of HDL modules to provide the verification.
An important benefit of assertions is the ease of specifying functional coverage. Simulation tools compute the functional coverage, as defined by the assertions, which add a greater level of assurance that the testbench invoked the desired functions.
More recently, the key EDA tool vendors have researched new verification methodologies and languages, which implement functional code coverage, assertion-based coverage. and constrained random techniques inside a complete verification environment.
In , a subset of SystemVerilog assertions is defined to apply induction-based bounded model checking (BMC) to this subset of SVAs within acceptable run times and moderate memory requirements. As is well known, the conventional simulation for assertion checking is the well-understood and most commonly used technique, but only feasible for very small scale systems and cannot provide exhaustive checking. While symbolic simulation proposed by Darringer  as early as 1979 can provide exhaustive checking by covering many conditions with a single simulation sequence, but it could not handle large circuits due to exponential symbolic expressions. Earlier work in applications of symbolic manipulation and algebraic computation has gained significant extensions and improvements. In , a technique framework on Groebner bases demonstrated that computer algebraic geometry method can be used to perform symbolic model checking using an encoding of Boolean sets as the common zeros of sets of polynomials. In , a similar technique to framework based Wu’s Method has been further extended to bit level symbolic model checking. In , an improved framework of multivalued model checking via Groebner bases method was proposed, which is based on a canonical polynomial representation of the multivalued logics.
In our previous work , we proposed a method using Groebner bases to perform SEREs assertion verification for synchronous digital circuit systems. Then we introduced a verification solution based on Wu’s method towards SystemVerilog assertion checking . This paper aims to verify whether a SVA property holds or not on the traces produced after several cycles running over a given synchronous sequential circuit. It is the follow-up work of . Groebner Bases and Wu’s method are the most important methods of computer algebra. Wu’s method of characteristic set is a powerful theorem proving technique, and Groebner Bases allows many important properties of the ideal and the associated algebraic variety to be deduced easily. So Groebner Bases method has a better theoretical guide, and the algorithm based on Wu’s method is more efficient.
Checking SVAs is computationally very complex in general while for practical purposes a subset is sufficient. In this work we(1)define a constrained subset of SVAs;(2)perform algebraization of SVA operators for the constrained subset;(3)do translation of SVAs into polynomial set representations;(4)provide a symbolic computation based algebraic algorithm for SVAs verification.
Our approach can handle safety properties that argue over a bounded number of time steps. Local variables in SVAs can be handled as symbolic constant without any temporal information. Nevertheless, liveness properties and infinite sequences in SVAs are excluded.
In this section, to keep the paper self-contained, we will give the basics of SystemVerilog and algebraic symbolic computation used throughout this paper.
2.1. SystemVerilog Preliminary
SystemVerilog is an IEEE-approved (IEEE 1800-2005)  hardware description language. It provides superior capabilities for system architecture, design, and verification.
SystemVerilog has combined many of the best features of both VHDL and Verilog.
Therefore, on the one hand, VHDL users will recognize many of the SystemVerilog constructs, such as enumerated types, records, and multidimensional arrays. On the other hand, Verilog users can reuse existing designs; SystemVerilog is a superset of Verilog so no modification of existing Verilog code is required.
Generally, the SystemVerilog language provides three important benefits over Verilog.(1) Explicit design intent—SystemVerilog introduces several constructs that allow designers to explicitly state what type of logic should be generated.(2) Conciseness of expressions—SystemVerilog includes commands that allow the users to specify design behavior more concisely than previously possible.(3) High level design abstraction—The SystemVerilog interface construct facilitates intermodule communication.
Especially, SystemVerilog provides special language constructs and assertions, to verify design behavior. An assertion is a statement that a specific condition, or sequence of conditions, in a design is true. If the condition or sequence is not true, the assertion statement will generate an error message.
Additionally, one important capability in SystemVerilog is the ability to define assertions outside of Verilog modules and then bind them to a specific module or module instance. This feature allows test engineers to add assertions to existing Verilog models, without having to change the model in any way. One of the goals of SystemVerilog assertions is to provide a common semantic meaning for assertions so that they can be used to drive various design and verification tools.
In SystemVerilog, there are two types of assertions.
(1) Immediate Assertions. Immediate assertions follow simulation event semantics for their execution and are executed like a statement in a procedural block. Immediate assertions are primarily intended to be used with simulation and evaluate using simulation event-based semantics.
(2) Concurrent Assertions. Concurrent assertions are based on clock semantics and use sampled values of variables. All timing glitches (real or artificial due to delay modeling and transient behavior within the simulator) are abstracted away. Concurrent assertions can be used in always block or initial block as a statement, or a module as a concurrent block, or an interface block as a concurrent block, or a program block as a concurrent block.
An example of a property using sequence and formal argument is shown below. ; ; .
This property states that signal and then signal become high and signal will be high in the next cycle.
As illustrated in this example, a concurrent assertion property in SystemVerilog will never be evaluated by itself except when it is invoked by a verification statement. Therefore, the statement: will cause the checker to perform assertion checking.
Basically, the verification statement in SVA has three forms described as follows:(i) assert to specify the property as a checker to ensure that the property holds for the design;(ii) assume to specify the property as an assumption for the environment. Simulators check that the property holds, while formal tools use the information to generate input stimulus. The purpose of the assume statement is to allow properties to be considered as assumptions for formal analysis as well as for dynamic simulation tools;(iii) cover to monitor the property evaluation for coverage.
When a property is assumed, the tools constrain the environment so that the property holds. In simulation, asserted and assumed properties are continuously verified to ensure that the design or the testbench never violate them.
In some tools, the assumptions on the environment can be used as sequential constraints on the DUT (device under test) inputs in constrained-random simulation.
These proofs are usually subject to other properties that describe the assumed behavior of the environment using assume property statements.
2.2. Groebner Bases Preliminary
Firstly, we will recall some of the key notions of Groebner bases theory and symbolic computation. More detailed and elementary introduction to this subject can be available in books, such as those by Little et al.  or those by Becker and Weispfenning .
We begin by listing some general facts and establishing notations.
Let be an algebraically closed field, and let be the polynomial ring in variables with coefficient in , under addition and multiplication of polynomial. The basic structure of polynomial rings is given in terms of subsets called ideals which is closed under addition and closed under multiplication by any element of the ring.
Here, let be an ideal. As we all know, the following theorem holds.
Theorem 1 (Hilbert basis theorem). Every ideal has a finite generating set. That is, for some .
Then, by the Hilbert basis theorem, there exist finitely many polynomials such that . A polynomial defines a map via evaluation .
The set is called the variety associated with .
If and are the varieties defined by ideals and , then we have and , where . If and , then .
Any set of points in can be regarded as the variety of some ideal. Note that there will be more than one ideal defining a given variety. For example, the ideals and both define the variety .
In order to perform verification, we need to be able to determine when two ideals represent the same set of points. That is to say, we need a canonical representation for any ideal. Groebner bases can be used for this purpose.
An essential ingredient for defining Groebner bases is a monomial ordering on a polynomial ring , which allows us to pick out a leading term for any polynomial.
Definition 2 (monomial ordering). A monomial ordering on is any relation on , or equivalently, any relation on the set of monomials , , satisfying (i) is a total (or linear) ordering on ;(ii) is a well-ordering. This means that every nonempty subset of has a smallest element under ;(iii)for all , .
Examples of monomial ordering include lexicographic order, graded lexicographic order, and graded reverse lexicographic order.
Definition 3 (lexicographic order). Let and . We say if, in the vector difference , the leftmost nonzero entry is positive. We will write if .
Definition 4 (Groebner basis). Fix a monomial order. A finite subset of an ideal is said to be a Groebner basis (or standard basis) if .
Equivalently, but more informally, a set is a Groebner basis of if and only if the leading term of any element of is divisible by one of the .
In , Buchberger provided an algorithm for constructing a Groebner basis for a given ideal. This algorithm can also be used to determine whether a polynomial belongs to a given ideal.
A reduced Groebner basis is a Groebner basis where the leading coefficients of polynomials in are all 1 and no monomial of an element of lies in the ideal generated by the leading terms of other elements of and no monomial of is in .
The important result is that, for a fixed monomial ordering, any nonzero ideal has a unique reduced Groebner basis. The algorithm for finding a Groebner basis can easily be extended to output its reduced Groebner basis. Thus we will have a canonical symbolic representation for any ideal.
Theorem 5 (the elimination theorem). Let be an ideal and let be a Groebner basis of with respect to lexicographic order where . Then, for every , the set is a Groebner basis of the th elimination ideal .
Theorem 6. Let be a Groebner basis for an ideal and let . Then if and only if the remainder on division of by is zero, denoted by .
The property given in Theorem 6 can also be taken as the definition of a Groebner basis. Then we will get an efficient algorithm for solving the ideal membership problem. Assuming that we know a Groebner basis for the ideal in question, we only need to compute the remainder with respect to to determine whether .
In this paper, we will then use the ideal or any basis for the ideal as an efficient way of algebraization of system to be verified.
3. System Modeling with Polynomial
3.1. Circuit Representation Model
In this section, we will sketch the underlying digital system model for simulation used in our work.
Most modern circuit design is carried out within the synchronous model, which simplifies reasoning about behavior at the cost of strict requirements on clocking.
As shown in Figure 1, a classical synchronous design is comprised of combinatorial logic and blocks of registers with a global clock. In a synchronous digital system, the clock signal is often regarded as simple control signal and used to define a time reference for the movement of data within that system. Combinational logic performs all the logical functions in the circuit and it typically consists of logic gates. Registers usually synchronize the circuit’s operation to the edges of the clock signal, and are the only elements which have memory properties.
The basic circuit model we used can be abstracted as the following model.
Definition 7 (synchronous circuit model). A synchronous circuit model structure is a tuple: , where(i) is a global synchronous clock signal,(ii) is a set of logical operation units,(iii) is a set of arithmetic operation units,(iv) is a set of multiplex units,(v) is a set of sequential units,(vi) is a set of primary input signals,(vii) is a set of primary output signals.
In the following, we will discuss polynomial representation of a given circuit model. Firstly, let us retrospect the classical circuit representation model.
Traditionally, Binary decision diagrams (BDD) , the first generation decision diagrams technique, designed by Akers in 1978, acts as an efficient digital circuit representation (or Boolean functions). Recently, the next generation of decision diagrams, that is, word-level decision diagrams (WLDD) , has considerably widened its expressiveness for datapath operations due to processing of data in word-level format.
Generally, ROBDD or WLDD is mapped into hardware description languages according to the following scheme:
Though the dimension of a decision diagram is exponentially bounded by the number of variables, decision diagrams based canonical data structure is very useful in many well-known verification methods.
From the viewpoint of abstract symbolic computation, these decision diagrams based on representation for circuit systems are not suitable any more. Thus, we will adopt an alternative representation form based on polynomial sets instead of decision diagrams according to the following scheme:
As is well known, given a monomial order, there is precisely one polynomial representation of a function.
For convenience, we introduce the following symbols for algebraic representations.(1)For any symbolic (circuit, unit, signal, sequence, property, etc.) , its algebraic representation form is denoted by .(2)If a running cycle is given, its algebraic representation form can be denoted by .(3)Furthermore, if a time range is specified, its algebraic representation form can then be denoted by or .
Here, denotes the current time and denotes time steps.
Cycle-based symbolic simulation will be performed on the system model for verification. Intuitively, cycle-based symbolic simulation is a hybrid approach in the sense that the values that are propagated through the network can be either symbolic expressions or constant values. It assumes that there exists one unified clock signal in the circuit and all inputs of the systems remain unchanged while evaluating their values in each simulation cycle. The results of simulation report only the final values of the output signals or states in the current simulation cycle.
The detailed simulation process can be described as follows. Firstly, cycle-based symbolic simulation is initialized by setting the state of the circuit to the initial vector. Each of the primary input signals will be assigned a distinct symbolic or a constant value. Then, at the end of a simulation step, the expressions representing the next-state functions generally undergo a parametric transformation based optimization. After transformation, the newly generated functions are used as present state for the next state of simulation.
3.2. Arithmetic and Logic Unit Modeling
In this paper, we only focus on arithmetic unit for calculating fixed-point operations. For any arithmetic unit, integer arithmetic operations (addition, subtraction, multiplication, and division) can be constructed by the polynomials in Table 1.
Furthermore, we can extend the above rule to other common logic operators. For example,
For all bit level variables , a limitation should be added.
3.3. Branch Unit Modeling
Basically, multiway branch is an important control structure in digital system. It provides a set of condition bits, , a set of target identifiers, , and a mapping from condition bit values to target identifiers. This mapping takes the form of a condition tree.
For any binary signal , its value should be limited to by adding with .
3.4. Sequential Unit Modeling
Each flip-flop (FF) in the circuit can be modeled as a multiplexer. We have the following proposition to state this model.
Proposition 8. For a flip-flop ( is the next state), with an enable signal , its equivalent combinational formal is , , whose polynomial algebraic model can be described as or
Proof. Let be the current state and let denote the next state of the flip-flop. When the signal value is 0, has the same value as so that the FF maintains its present state; when the signal value is 1, takes a new value from the input (where, denotes the new value next state of the FF). Therefore, we have the 2-value multiway branch model and its polynomial set representation for FF.
Proposition 9. Let be an FF model, ( is the next state), without enable signal, then its equivalent combinational formal polynomial algebraic model can be described as: .
3.5. Sequential Unrolling
Generally, for a sequential circuit , one time frame of a sequential circuit is viewed as a combinational circuit in which each flip-flop will be converted into two corresponding signals: a pseudo primary input (PPI) and a pseudo primary output (PPO).
Symbolical simulation of a sequential circuit for cycles can be regarded as unrolling the circuit times. The unrolled circuit is still a pure combinational circuit, and the th copy of the circuit represents the circuit at cycle . Thus, the unrolled circuit contains all the symbolic results from the cycles.
3.6. Indexed Polynomial Set Representation
To illustrate the sequential modeling for a given cycle number clearly, we define an indexed polynomial set representation for the th cycle.
Let denote the input signals for the th clock, the intermediate signals, and the output signals. We then have the following time frame expansion model for the sequential circuit: where denote the th time frame model.
Time frame expansion is achieved by connecting the PPIs (e.g., from ) of the time frame to the corresponding PPOs ( from ) of the previous time frame.
4. Sequence Depth Calculation
In this subsection, we will discuss the important feature of SVA, time range, and its signal constraint unrolled model.
In SVA, for each sequence the earliest time step for the evaluation and the latest time step should be determined firstly. The sequence is then unrolled based on above information. Finally, the unrolled sequence will be performed using algebraization process.
In , a time range calculating algorithm is provided. Here, we will introduce some related definition and special handling for our purpose.
The following is the syntax definition for time range.
4.1. Time Range
Definition 10 (time range syntax). The syntax of “time range” can be described as follows. .
Note that is computed at compile time and must result in an integer value and can only be 0 or greater.
In this paper, we only focus on constant time range case. Thus, its form can be simplified as:(1)(2).
Here, , are signals and , are sequences.
Assume the starting time is cycle , then we have: the sequence will start sequences of evaluation which are , , , , .
Their corresponding algebraic forms are , , , .
Then we have the equivalent form of above representation set as
4.2. Sequential Depth Calculation
The time range of a sequential is a time interval during which an operation or a terminal of a sequence has to be considered and is denoted by a closed bounded set of positive integers:
Furthermore, the maximum of two intervals and is defined by .
In the same manner, the sum of two time ranges of and is defined as
Definition 11 (maximum sequential depth). The maximum sequential depth of a SVA expression or a sequence, written as , is defined recursively. (i), if is a signal;(ii), if is a signal;(iii), if , are sequences of SVA;(iv), if , are sequences of SVA;(v), if , are sequences of SVA;(vi), if , are sequences of SVA;(vii), if , are sequences of SVA;(viii), if is a sequence of SVA.
For example, the following sequence is used to illustrate how to calculate the sequence depth. and .
Figure 2 shows the binary parsing tree for calculating sequence depth of this sequence. The box denotes operator and cycle denotes signal node in the syntax tree.
Firstly, consider the top layer of the parsing tree and the sequence . Here, because the first operand is a terminal of the sequence, thus this operand becomes relevant at time step 0 only . Since the interval has to be considered, the second operand (the subtree of “and”) matches 2 or 3 time steps later. Therefore, calculating is recursively performed with for the second operand.
Similarly, we can have the sequence depth of the whole sequence and all its subsequences as denoted in the figure.
5. SVA to Polynomial Set Translation
As mentioned previously, SystemVerilog assertions are an integral component of SystemVerilog and provide two kinds of assertions: immediate assertions and concurrent assertions.
In this section, we only discuss concurrent assertions and their temporal layer representation model.
Concurrent assertions express functional design intent and can be used to express assumed input behavior, expected output behavior, and forbidden behavior. That is, assertions define properties that the design must meet. Many properties can be expressed strictly from variables available in the design, while properties are often constructed out of sequential behaviors.
Thus, we will firstly discuss the basic algebraization process for the sequential behavior model.
5.1. Algebraization Process
The properties written in SVA will be unrolled and checked against the design for bounded time steps in our method. Note that only a constrained subset of SVA can be supported by our method (unspecified upper bound time range and first-match operator are excluded).
Firstly, we translate the properties described by the constrained subset of SVA into flat sequences according to the semantics of each supported operator.
As mentioned in , the total set of SVA is divided into 4 subgroups, namely, simple sequence expression (SSE), interval sequence expression (ISE), complex sequence expression (CSE), and unbounded sequence expression (USE). Here, in our method, these groups can only be partly supported.
Therefore, we define the following sequence expressions by adding further conditions.(i)Constrained simple sequence expression (CSSE) is formed by Boolean expression, repeat operator, and cycle delay operator.(ii) Constrained interval sequence expression (CISE) is a super set of CSSE formed by extra time range operators.(iii) Constrained complex sequence expression is a super set of CSSE and CISE containing operators or and intersection.
Secondly, the unrolled flat sequences will be added to temporal constraints to form proportional formulas with logical connectives , , and .
Finally, the resulted proportional formulas will be translated into equivalent polynomial set.
Then, the verification problem is reduced to proving zero set inclusion relationship which can be resolved by Groebner bases approaches.
5.2. Boolean Layer Modeling
The Boolean layer of SVA forms an underlying basis for the whole assertion architecture which consists of Boolean expressions that hold or do not hold at a given cycle.
In this paper, we distinguish between signal logic values and truth logic values. That is, for a truth logic statement about a given property, its truth can be evaluated to or . But for a signal, when primary inputs are symbolic values, its signal logic value may not be evaluated as or .
Therefore, we have the following definition for signal logic.
Definition 12 (signal logic). In digital circuit systems, signal logic (, for short) is defined as:(i) if a signal is active-high (, for short), then its signal value is defined as 1;(ii) if a signal is active-low (, for short), then its signal value is defined as 0.
Definition 13 (symbolic constant). A symbolic constant is a rigid Boolean variable that forever holds the same Boolean value. The notion of symbolic constant was firstly introduced in STE  for two purposes:(1)to encode an arbitrary Boolean constraints among a set of circuit nodes in a parametric form;(2)to encode all possible scalar values for a set of nodes.
Assume denotes a symbolic constant for signal logic and denotes its negative form, if denotes then will be .
Consider == and == as an example. According to our definitions, and are signals belonging to signal logic, while both == and == are of truth logic.
For example, assertion is also a valid Boolean expression stating that the 16-bit vectors and are equal.
In SVA, the following are valid Boolean expressions:(i)(ii)(iii)(iv)(v).
Since the state of a signal variable can be viewed as a zero of a set of polynomials. We have the following.(1) For any signal holds at a given time step , thus, the state of ( is active-high at cycle ) can be represented by polynomial .(2) Alternatively, the state of ( is active-low at cycle ) can be represented by polynomial .(3) Symbolically, the state of ( is active-high at the th cycle) can be modeled as .
5.3. Sequence Operator Modeling
Temporal assertions define not only the values of signals, but also the relationship between signals over time. The sequences are the building blocks of temporal assertions and can express a set of linear behavior lasting for one or more cycles. These sequences are usually used to specify and verify interface and bus protocols.
A sequence is a regular expression over the Boolean expressions that concisely specifies a set of linear sequences. The Boolean expressions must be true at those specific clock ticks for the sequence to be true over time.
SystemVerilog provides several sequence composition operators to combine individual sequences in a variety of ways that enhance code writing and readability which can construct sequence expressions from Boolean expressions.
In this paper, operator, operator, and the operator are not supported by our method.
SystemVerilog defines a number of operations that can be performed on sequences. The sequence composition operators in SVA are listed as follows.
Definition 14 (sequence operator).
//“Boolean expression” form // “local variable sampling” form // “parenthesis” form // “concatenation” form // “fusion” form // “or” form // “intersect” form // “first match” form // “null repetition” form // “unbounded repetition” form // “repetition” repeater //specifying a Boolean expression must hold throughout a sequence //specifying conditions within a sequence.
The resulted sequences constructed by operators are then used in properties for use in assertions and covers.
5.3.1. Cycle Delay Operator
In SystemVerilog, the ## construct is referred to as a cycle delay operator.
“” and “” are concatenation operators: the former is the classical regular expression concatenation; the latter is a variant with one-letter overlapping.
A followed by a number or range specifies the cycles delay from the current clock cycle to the beginning of the sequence that follows.(1)Fixed-length Case sequence fixs; endsequence (2)Time-range Case sequence endsequence .
5.3.2. Intersect Operator
The two operands of intersect operator are sequences. The requirements for match of the intersect operation are as follows.(i) Both operands must match.(ii) The lengths of the two matches of the operand sequences must be the same.
starts at the same time as ; the intersection will match if , starting at the same time as , matches at the same time as matches.
Therefore, we have
The sequence length matching intersect operator constructs a sequence like the and nonlength matching operator, except that both sequences must be completed in same cycle.
5.3.3. and Operator
This operator states that starts at the same time as and the sequence expression matches with the later of and matching. This binary operator and is used when both operands are expected to match, but the end times of the operand sequences can be different.
That is, denotes both and holds for the same number cycles. Then, the matches of must satisfy the following:(i)The start point of the match of must be no earlier than the start point of the match of .(ii)The end point of the match of must be no later than the end point of the match of .
The sequence nonlength matching operator constructs a sequence in which two sequences both hold at the current cycle regardless of whether they are completed in the same cycle or in different cycles
Here, , , and .
5.3.4. or Operator
The sequence operator constructs a sequence in which one of two alternative sequences hold at the current cycle. Thus, the sequence states that either sequence , or sequence , would satisfy the assertion
Here, , , and .
5.3.5. Local Variables
SystemVerilog provides a feature by which variables can be used in assertions. The user can declare variables local to a property. This feature is highly useful in pipelined designs where the consequent occurrence might be many cycles later than their corresponding antecedents.
Local variables are optional and local to properties. They can be initialized, assigned (and reassigned) a value, operated on, and compared to other expressions.
The syntax of a sequence declaration with a local variable is shown below. ; ; .
The property declaration syntax with a local variable can be illustrated as follows: ; ; .
The variable identifier declaration syntax of a local variable can be illustrated as follows: .
The dynamic creation of a variable and its assignment is achieved by using the local variable declaration in a sequence or property declaration and making an assignment in the sequence.
Thus, local variables of a sequence (or property) may be set to a value, which can be computed from a parameter or other objects (e.g., arguments, constants, and objects visible by the sequence (or property)).
For example, a property of a pipeline with a fixed latency can be specified below. ; ; ; .
This property e is evaluated as follows:
When is true, is assigned the value of . If 3 cycles later, is equal to , then property is true. Otherwise, the property is false. When is false, property is evaluated as true.
For the algebraization of SVA properties with local variables, in our method these local variables will be taken as common signal variables (symbolic constant) without any sequential information.
Thus, we have the polynomial set representation for property : , , .
5.3.6. Repetition Operators
SystemVerilog allows the user to specify repetitions when defining sequences of Boolean expressions. The repetition counts can be specified as either a range of constants or a single constant expression.
Nonconsecutive repetition specifies finitely many iterative matches of the operand Boolean expression, with a delay of one or more clock ticks from one match of the operand to the next successive match and no match of the operand strictly in between. The overall repetition sequence matches at or after the last iterative match of the operand, but before any later match of the operand.
The syntax of repetition operator can be illustrated as follows:
The number of iterations of a repetition can be specified by exact count.
For example, a sequence with repetition can be defined as
The sequence expects that 2 clock cycles after the valid start, signal “” will be repeated three times.
We have .
5.4. Property Operator Modeling
In general, property expressions in SVA are built using sequences, other sublevel properties, and simple Boolean expressions via property operators.
In SVA, a property that is a sequence is evaluated as true if, and only if, there is a nonempty match of the sequence. A sequence that admits an empty match is not allowed as a property.
The success of assertion-based verification methodology relies heavily on the quality of properties describing the intended behavior of the design. Since it is a fairly new methodology, verification and design engineers are often faced with a question of “how to identify good properties” for a design. It may be tempting to write properties that closely resemble the implementation.
Properties we discussed in this paper can be classified as.
(1) Design Centric. Design centric properties represent assertions added by the RTL designers to characterize white box design attributes. These properties are typically towards FSMs, local memories, clock synchronization logic, and other hardware-related designs. The design should conform to the expectations of these properties.
(2) Assumption Centric. Assumption centric properties represent assumptions about the design environment. They are used in informal verification to specify assumptions about the inputs. The assume directive can inform a verification tool to assume such a condition during the analysis.
(3) Requirement/Verification Centric. Many requirement properties are best described using a “cause-to-effect” style that specifies what should happen under a given condition. This type of properties can be specified by implication operator. For example, a handshake can be described as “if request is asserted, then acknowledge should be asserted within 5 cycles”.
In general, property expressions are built using sequences, other sublevel properties, and simple Boolean expressions.
These individual elements are combined using property operators: , , , , and so forth.
The property composition operators are listed as follows.
Definition 15 (property operator).
“sequence” form “parenthesis” form “negation” form “or” form “and” form “implication” form “reset” form .
Note that disable if and only if will not be supported in this paper. Property operators construct properties out of sequence expressions.
Operators. The SystemVerilog implication operator supports sequence implication and provides two forms of implication: overlapped using operator , and nonoverlapped using operator , respectively.
The syntax of implication is described as follows:
The implication operator takes a sequence as its antecedent and a property as its consequent. Every time the sequence matches the property must hold. Note that both the running of the sequence and the property may span multiple clock cycles and that the sequence may match multiple times.
For each successful match of the antecedent sequence, the consequence sequence (right-hand operand) is separately evaluated, beginning at the end point of the matched antecedent sequence. All matches of antecedent sequence require a match of the consequence sequence.
Moreover, if the antecedent sequence (left hand operand) does not succeed, implication succeeds vacuously by returning true. For many protocol related assertions, it is important to specify the sequence of events (the antecedent or cause) that must occur before checking for another sequence (the consequent or effect). This is because if the antecedent does not occur, then there is no need to perform any further verification. In hardware, this occurs because the antecedent reflects an expression that, when active, triggers something to happen.
A property with a consequent sequence behaves as if the consequent has an implication first-match applied to it.
Operator. The operator states that the evaluation of the property returns the opposite of the evaluation of the underlying .
Operator. The formula “” states that the property is evaluated as true if, and only if, both and are evaluatd as true.
Operator. The operator “” states that the property is evaluated as true if and only if, at least one of and is evaluated as true.
Operator. This operator has two valid forms which are listed as follows.(1).
A property of this form is evaluated as true if, and only if, either is evaluated as false or is evaluated as true.(2).
A property of this form is evaluated as true if, and only if, either is evaluated as true and is evaluated as true or is evaluated as false and is evaluated as true.
From previous discussion, we have the following proposition for property reasoning.
Proposition 16. Assume that , , and are valid properties in SVA, the following rules are used to construct the corresponding verification process. Here, is a self-defined checking function that can determine whether a given “” holds or not with respect to a circuit model “”.(1)(2)(3)(4)(5)∧(6) if else ∧(7) else .
6. Verification Algorithm
In this section, we will describe how an assertion is checked using Groebner bases approach. Firstly, we will discuss a practical algorithm using Groebner bases for assertion checking.
6.1. Basic Principle
As just mentioned, our checking method is based on algebraic geometry which is the study of the geometric objects arising as the common zeros of collections of polynomials. Our aim is to find polynomials whose zeros correspond to pairs of states in which the appropriate assignments are made.
We can regard any set of points in as the variety of some ideal. We can then use the ideal or any basis for the ideal as a way of encoding the set of points.
Proposition 17. Let and be polynomial sets of , and a Groebner basis for , and then we have that holds.
Theorem 18. Suppose that is a property to be verified. is the initial preconditions of , and is a system model to be checked. Let and be the polynomial set representations for and , respectively, constructed by previous mentioned rules. Let , (where, denotes the ideal generated by ) and , then we have
Proof. (1) The polynomial set of system model describes the data-flow relationship that inputs, outputs, and functional transformation should meet. The initial condition can be seen as extra constraint applied by users. There should not exist contradiction between them; that is, the polynomial equations of must have a common solution.
By Hilbert’s Nullstellensatz theory, if we have polynomials , we compute a reduced Groebner basis of the ideal they generate with respect to any ordering. If this basis is , the polynomials have no common zero in ; if the basis is not , they must have a common zero.
Therefore, should hold.
(2) Evidently, by previous proposition, it is easy to have that should hold.
Thus, we have that this theorem holds.
6.2. Checking Algorithm
For simplicity, in this section, we only provide the key decision algorithm.
Firstly, the original system model is transformed into a normal polynomial representation and the assertion as well. Then, calculate the hypothesis set and its Groebner basis using the Buchberger algorithm  and their elimination ideals. Finally, examine the inclusion relationship between elimination ideals to determine whether the assertion to be checked holds or not.
From above discussion, we have the following process steps and detailed algorithm description. Algorithm 1.
For convenience, we can derive another version checking procedure named “” which can accept polynomial representations as inputs without explicit polynomial construction process.
Further, by applying Theorem 18 and the checking algorithm “”, we can easily verify all supported properties written in SVA.
7. An Example
In this section, we will study a classical circuit to show how SVA properties are verified by polynomial representation and algebra computation method.
Consider the Johnson counter circuit in Figure 3. Johnson counters can provide individual digit outputs rather than a binary or BCD output, as shown in Table 3. Notice that each legal count may be defined by the location of the last flip-flop to change states and which way it changed state.
7.1. Algebraization of Circuit and Assertion
Johnson counter provides individual digit outputs, as shown in Table 3.
The polynomial set for Johnson counter circuit in Figure 3 can be constructed as follows: where denotes the next state of . For the th cycle, we use to denote variable name in current cycle.
Similarly, another Johnson counter circuit with an error is shown in Figure 4, the corresponding polynomial set can be described by
To illustrate the problem clearly, we define polynomial set representation for th cycle as follows:
Support that the circuit will run 6 cycles for verification, therefore, we have .
For any Boolean variable , we will add an extra constraint: . Thus, we define the corresponding constraints set as follows: .
In the same manner, we have .
The sequential property for this counter circuit can be specified by the following SystemVerilog assertions. ; ; ; ; ; ; ; ; .
We will afterwards demonstrate the verification process step by step.
The circuit model to be verified is as shown below:
The property of this counter can be specified as the following SVA assertion: .
The Algebraization form of the above properties can be modeled as in Table 4.
7.2. Experiment Using Maple
We run this example by using Maple 13. Before running, we manually translated all models into polynomials. The experiment is performed on a PC with a 2.40 GHz CPU (intel i5 M450) and 1024 MB of memory. It took about 0.04 seconds and 0.81 MB of memory when applying Groebner method. with(Groebner) , , , , , , , , , , , , , , , , , , , , , , , [> .
Thus, we can have the Groebner basis as follows: , , , , , , , , , , , , , , , , , .
As shown in maple outputs, the given circuit has been modeled as polynomial set (its Groebner bases is denoted by ) and assertion expected result as . From the running result, we have and return value of is 0 which means is divided with no remainder by .
Thus, from the previously mentioned verification principles, it is easy to conclude that the assertion holds under this circuit model after 3 cycles.