Groebner Bases Based Verification Solution for SystemVerilog Concurrent Assertions

Zhou, Ning; Gao, Xinyan; Wu, Jinzhao; Wei, Jianchao; Li, Dakui

doi:https://doi.org/10.1155/2014/194574

Journal of Applied Mathematics

On this page

Abstract Introduction Preliminaries Conclusion Acknowledgments References Copyright Related Articles

Special Issue

Intelligent Modeling and Verification 2014

View this Special Issue

Research Article | Open Access

Volume 2014 | Article ID 194574 | https://doi.org/10.1155/2014/194574

Groebner Bases Based Verification Solution for SystemVerilog Concurrent Assertions

Ning Zhou,^1,2Xinyan Gao,³Jinzhao Wu,^1,4Jianchao Wei,³and Dakui Li³

Academic Editor: Xiaoyu Song

Received13 Feb 2014

Accepted07 Apr 2014

Published11 Jun 2014

Abstract

We introduce an approach exploiting the power of polynomial ring algebra to perform SystemVerilog assertion verification over digital circuit systems. This method is based on Groebner bases theory and sequential properties checking. We define a constrained subset of SVAs so that an efficient polynomial modeling mechanism for both circuit descriptions and assertions can be applied. We present an algorithm framework based on the algebraic representations using Groebner bases for concurrent SVAs checking. Case studies show that computer algebra can provide canonical symbolic representations for both assertions and circuit designs and can act as a novel solver engine from the viewpoint of symbolic computation.

1. Introduction

SystemVerilog [1, 2] is the most important unified Hardware Description and Verification Language (HDVL) and provides a major set of extensions from the Verilog language with the added benefit of supporting object orientated constructs and assertions feature. SystemVerilog provides special language constructs and assertions, to specify and verify design behavior. An assertion is a statement that a specific condition, or sequence of conditions, in a design is true. In the industry of integrated circuits design, Assertions-based verification (ABV) using SystemVerilog Assertions (SVAs) is now changing the traditional design process. With the help of SVAs, it is easy to formally characterize the design requirements at various levels of abstraction, guide the verification task, and simplify the design of the testbench. Assertions essentially become active design comments, and one important methodology treats them exactly like active design comments.

Moreover, assertions can be attached directly to RTL, working in cycle-precise domain, or they can operate in transactional domain with the help of monitors data extractors. Then, these modular checkers minimize or even eliminate the need of model checkers, which consist of HDL modules to provide the verification.

An important benefit of assertions is the ease of specifying functional coverage. Simulation tools compute the functional coverage, as defined by the assertions, which add a greater level of assurance that the testbench invoked the desired functions.

More recently, the key EDA tool vendors have researched new verification methodologies and languages, which implement functional code coverage, assertion-based coverage. and constrained random techniques inside a complete verification environment.

In [3], a subset of SystemVerilog assertions is defined to apply induction-based bounded model checking (BMC) to this subset of SVAs within acceptable run times and moderate memory requirements. As is well known, the conventional simulation for assertion checking is the well-understood and most commonly used technique, but only feasible for very small scale systems and cannot provide exhaustive checking. While symbolic simulation proposed by Darringer [4] as early as 1979 can provide exhaustive checking by covering many conditions with a single simulation sequence, but it could not handle large circuits due to exponential symbolic expressions. Earlier work in applications of symbolic manipulation and algebraic computation has gained significant extensions and improvements. In [5], a technique framework on Groebner bases demonstrated that computer algebraic geometry method can be used to perform symbolic model checking using an encoding of Boolean sets as the common zeros of sets of polynomials. In [6], a similar technique to framework based Wu’s Method has been further extended to bit level symbolic model checking. In [7], an improved framework of multivalued model checking via Groebner bases method was proposed, which is based on a canonical polynomial representation of the multivalued logics.

In our previous work [8], we proposed a method using Groebner bases to perform SEREs assertion verification for synchronous digital circuit systems. Then we introduced a verification solution based on Wu’s method towards SystemVerilog assertion checking [9]. This paper aims to verify whether a SVA property holds or not on the traces produced after several cycles running over a given synchronous sequential circuit. It is the follow-up work of [9]. Groebner Bases and Wu’s method are the most important methods of computer algebra. Wu’s method of characteristic set is a powerful theorem proving technique, and Groebner Bases allows many important properties of the ideal and the associated algebraic variety to be deduced easily. So Groebner Bases method has a better theoretical guide, and the algorithm based on Wu’s method is more efficient.

Checking SVAs is computationally very complex in general while for practical purposes a subset is sufficient. In this work we(1)define a constrained subset of SVAs;(2)perform algebraization of SVA operators for the constrained subset;(3)do translation of SVAs into polynomial set representations;(4)provide a symbolic computation based algebraic algorithm for SVAs verification.

Our approach can handle safety properties that argue over a bounded number of time steps. Local variables in SVAs can be handled as symbolic constant without any temporal information. Nevertheless, liveness properties and infinite sequences in SVAs are excluded.

2. Preliminaries

In this section, to keep the paper self-contained, we will give the basics of SystemVerilog and algebraic symbolic computation used throughout this paper.

2.1. SystemVerilog Preliminary

SystemVerilog is an IEEE-approved (IEEE 1800-2005) [1] hardware description language. It provides superior capabilities for system architecture, design, and verification.

SystemVerilog has combined many of the best features of both VHDL and Verilog.

Therefore, on the one hand, VHDL users will recognize many of the SystemVerilog constructs, such as enumerated types, records, and multidimensional arrays. On the other hand, Verilog users can reuse existing designs; SystemVerilog is a superset of Verilog so no modification of existing Verilog code is required.

Generally, the SystemVerilog language provides three important benefits over Verilog.(1) Explicit design intent—SystemVerilog introduces several constructs that allow designers to explicitly state what type of logic should be generated.(2) Conciseness of expressions—SystemVerilog includes commands that allow the users to specify design behavior more concisely than previously possible.(3) High level design abstraction—The SystemVerilog interface construct facilitates intermodule communication.

Especially, SystemVerilog provides special language constructs and assertions, to verify design behavior. An assertion is a statement that a specific condition, or sequence of conditions, in a design is true. If the condition or sequence is not true, the assertion statement will generate an error message.

Additionally, one important capability in SystemVerilog is the ability to define assertions outside of Verilog modules and then bind them to a specific module or module instance. This feature allows test engineers to add assertions to existing Verilog models, without having to change the model in any way. One of the goals of SystemVerilog assertions is to provide a common semantic meaning for assertions so that they can be used to drive various design and verification tools.

In SystemVerilog, there are two types of assertions.

(1) Immediate Assertions. Immediate assertions follow simulation event semantics for their execution and are executed like a statement in a procedural block. Immediate assertions are primarily intended to be used with simulation and evaluate using simulation event-based semantics.

(2) Concurrent Assertions. Concurrent assertions are based on clock semantics and use sampled values of variables. All timing glitches (real or artificial due to delay modeling and transient behavior within the simulator) are abstracted away. Concurrent assertions can be used in always block or initial block as a statement, or a module as a concurrent block, or an interface block as a concurrent block, or a program block as a concurrent block.

An example of a property using sequence and formal argument is shown below. ; ; .

This property states that signal and then signal become high and signal will be high in the next cycle.

As illustrated in this example, a concurrent assertion property in SystemVerilog will never be evaluated by itself except when it is invoked by a verification statement. Therefore, the statement: will cause the checker to perform assertion checking.

Basically, the verification statement in SVA has three forms described as follows:(i) assert to specify the property as a checker to ensure that the property holds for the design;(ii) assume to specify the property as an assumption for the environment. Simulators check that the property holds, while formal tools use the information to generate input stimulus. The purpose of the assume statement is to allow properties to be considered as assumptions for formal analysis as well as for dynamic simulation tools;(iii) cover to monitor the property evaluation for coverage.

When a property is assumed, the tools constrain the environment so that the property holds. In simulation, asserted and assumed properties are continuously verified to ensure that the design or the testbench never violate them.

In some tools, the assumptions on the environment can be used as sequential constraints on the DUT (device under test) inputs in constrained-random simulation.

These proofs are usually subject to other properties that describe the assumed behavior of the environment using assume property statements.

2.2. Groebner Bases Preliminary

Firstly, we will recall some of the key notions of Groebner bases theory and symbolic computation. More detailed and elementary introduction to this subject can be available in books, such as those by Little et al. [10] or those by Becker and Weispfenning [11].

We begin by listing some general facts and establishing notations.

Let be an algebraically closed field, and let be the polynomial ring in variables with coefficient in , under addition and multiplication of polynomial. The basic structure of polynomial rings is given in terms of subsets called ideals which is closed under addition and closed under multiplication by any element of the ring.

Here, let be an ideal. As we all know, the following theorem holds.

Theorem 1 (Hilbert basis theorem). Every ideal has a finite generating set. That is, for some .

Then, by the Hilbert basis theorem, there exist finitely many polynomials such that . A polynomial defines a map via evaluation .

The set is called the variety associated with .

If and are the varieties defined by ideals and , then we have and , where . If and , then .

Any set of points in can be regarded as the variety of some ideal. Note that there will be more than one ideal defining a given variety. For example, the ideals and both define the variety .

In order to perform verification, we need to be able to determine when two ideals represent the same set of points. That is to say, we need a canonical representation for any ideal. Groebner bases can be used for this purpose.

An essential ingredient for defining Groebner bases is a monomial ordering on a polynomial ring , which allows us to pick out a leading term for any polynomial.

Definition 2 (monomial ordering). A monomial ordering on is any relation on , or equivalently, any relation on the set of monomials , , satisfying (i) is a total (or linear) ordering on ;(ii) is a well-ordering. This means that every nonempty subset of has a smallest element under ;(iii)for all , .

Examples of monomial ordering include lexicographic order, graded lexicographic order, and graded reverse lexicographic order.

Definition 3 (lexicographic order). Let and . We say if, in the vector difference , the leftmost nonzero entry is positive. We will write if .

Definition 4 (Groebner basis). Fix a monomial order. A finite subset of an ideal is said to be a Groebner basis (or standard basis) if .

Equivalently, but more informally, a set is a Groebner basis of if and only if the leading term of any element of is divisible by one of the .

In [12], Buchberger provided an algorithm for constructing a Groebner basis for a given ideal. This algorithm can also be used to determine whether a polynomial belongs to a given ideal.

A reduced Groebner basis is a Groebner basis where the leading coefficients of polynomials in are all 1 and no monomial of an element of lies in the ideal generated by the leading terms of other elements of and no monomial of is in .

The important result is that, for a fixed monomial ordering, any nonzero ideal has a unique reduced Groebner basis. The algorithm for finding a Groebner basis can easily be extended to output its reduced Groebner basis. Thus we will have a canonical symbolic representation for any ideal.

Theorem 5 (the elimination theorem). Let be an ideal and let be a Groebner basis of with respect to lexicographic order where . Then, for every , the set is a Groebner basis of the th elimination ideal .

Theorem 6. Let be a Groebner basis for an ideal and let . Then if and only if the remainder on division of by is zero, denoted by .

The property given in Theorem 6 can also be taken as the definition of a Groebner basis. Then we will get an efficient algorithm for solving the ideal membership problem. Assuming that we know a Groebner basis for the ideal in question, we only need to compute the remainder with respect to to determine whether .

In this paper, we will then use the ideal or any basis for the ideal as an efficient way of algebraization of system to be verified.

3. System Modeling with Polynomial

3.1. Circuit Representation Model

In this section, we will sketch the underlying digital system model for simulation used in our work.

Most modern circuit design is carried out within the synchronous model, which simplifies reasoning about behavior at the cost of strict requirements on clocking.

As shown in Figure 1, a classical synchronous design is comprised of combinatorial logic and blocks of registers with a global clock. In a synchronous digital system, the clock signal is often regarded as simple control signal and used to define a time reference for the movement of data within that system. Combinational logic performs all the logical functions in the circuit and it typically consists of logic gates. Registers usually synchronize the circuit’s operation to the edges of the clock signal, and are the only elements which have memory properties.

The basic circuit model we used can be abstracted as the following model.

Definition 7 (synchronous circuit model). A synchronous circuit model structure is a tuple: , where(i) is a global synchronous clock signal,(ii) is a set of logical operation units,(iii) is a set of arithmetic operation units,(iv) is a set of multiplex units,(v) is a set of sequential units,(vi) is a set of primary input signals,(vii) is a set of primary output signals.

In the following, we will discuss polynomial representation of a given circuit model. Firstly, let us retrospect the classical circuit representation model.

Traditionally, Binary decision diagrams (BDD) [13], the first generation decision diagrams technique, designed by Akers in 1978, acts as an efficient digital circuit representation (or Boolean functions). Recently, the next generation of decision diagrams, that is, word-level decision diagrams (WLDD) [14], has considerably widened its expressiveness for datapath operations due to processing of data in word-level format.

Generally, ROBDD or WLDD is mapped into hardware description languages according to the following scheme:

Though the dimension of a decision diagram is exponentially bounded by the number of variables, decision diagrams based canonical data structure is very useful in many well-known verification methods.

From the viewpoint of abstract symbolic computation, these decision diagrams based on representation for circuit systems are not suitable any more. Thus, we will adopt an alternative representation form based on polynomial sets instead of decision diagrams according to the following scheme:

As is well known, given a monomial order, there is precisely one polynomial representation of a function.

For convenience, we introduce the following symbols for algebraic representations.(1)For any symbolic (circuit, unit, signal, sequence, property, etc.) , its algebraic representation form is denoted by .(2)If a running cycle is given, its algebraic representation form can be denoted by .(3)Furthermore, if a time range is specified, its algebraic representation form can then be denoted by or .

Here, denotes the current time and denotes time steps.

Cycle-based symbolic simulation will be performed on the system model for verification. Intuitively, cycle-based symbolic simulation is a hybrid approach in the sense that the values that are propagated through the network can be either symbolic expressions or constant values. It assumes that there exists one unified clock signal in the circuit and all inputs of the systems remain unchanged while evaluating their values in each simulation cycle. The results of simulation report only the final values of the output signals or states in the current simulation cycle.

The detailed simulation process can be described as follows. Firstly, cycle-based symbolic simulation is initialized by setting the state of the circuit to the initial vector. Each of the primary input signals will be assigned a distinct symbolic or a constant value. Then, at the end of a simulation step, the expressions representing the next-state functions generally undergo a parametric transformation based optimization. After transformation, the newly generated functions are used as present state for the next state of simulation.

3.2. Arithmetic and Logic Unit Modeling

In this paper, we only focus on arithmetic unit for calculating fixed-point operations. For any arithmetic unit, integer arithmetic operations (addition, subtraction, multiplication, and division) can be constructed by the polynomials in Table 1.

The basic logic operations, like “AND”, “OR”, and “NOT” can be modeled by the following forms. Their corresponding polynomial representations [15] are specified as in Table 2.

Furthermore, we can extend the above rule to other common logic operators. For example,

For all bit level variables , a limitation should be added.

3.3. Branch Unit Modeling

Basically, multiway branch is an important control structure in digital system. It provides a set of condition bits, , a set of target identifiers, , and a mapping from condition bit values to target identifiers. This mapping takes the form of a condition tree.

For any binary signal , its value should be limited to by adding with .

3.4. Sequential Unit Modeling

Each flip-flop (FF) in the circuit can be modeled as a multiplexer. We have the following proposition to state this model.

Proposition 8. For a flip-flop ( is the next state), with an enable signal , its equivalent combinational formal is , , whose polynomial algebraic model can be described as or

Proof. Let be the current state and let denote the next state of the flip-flop. When the signal value is 0, has the same value as so that the FF maintains its present state; when the signal value is 1, takes a new value from the input (where, denotes the new value next state of the FF). Therefore, we have the 2-value multiway branch model and its polynomial set representation for FF.

Proposition 9. Let be an FF model, ( is the next state), without enable signal, then its equivalent combinational formal polynomial algebraic model can be described as: .

Proof. Straightforward.

3.5. Sequential Unrolling

Generally, for a sequential circuit , one time frame of a sequential circuit is viewed as a combinational circuit in which each flip-flop will be converted into two corresponding signals: a pseudo primary input (PPI) and a pseudo primary output (PPO).

Symbolical simulation of a sequential circuit for cycles can be regarded as unrolling the circuit times. The unrolled circuit is still a pure combinational circuit, and the th copy of the circuit represents the circuit at cycle . Thus, the unrolled circuit contains all the symbolic results from the cycles.

3.6. Indexed Polynomial Set Representation

To illustrate the sequential modeling for a given cycle number clearly, we define an indexed polynomial set representation for the th cycle.

Let denote the input signals for the th clock, the intermediate signals, and the output signals. We then have the following time frame expansion model for the sequential circuit: where denote the th time frame model.

Time frame expansion is achieved by connecting the PPIs (e.g., from ) of the time frame to the corresponding PPOs ( from ) of the previous time frame.

4. Sequence Depth Calculation

In this subsection, we will discuss the important feature of SVA, time range, and its signal constraint unrolled model.

In SVA, for each sequence the earliest time step for the evaluation and the latest time step should be determined firstly. The sequence is then unrolled based on above information. Finally, the unrolled sequence will be performed using algebraization process.

In [3], a time range calculating algorithm is provided. Here, we will introduce some related definition and special handling for our purpose.

The following is the syntax definition for time range.

4.1. Time Range

Definition 10 (time range syntax). The syntax of “time range” can be described as follows. .

Note that is computed at compile time and must result in an integer value and can only be 0 or greater.

In this paper, we only focus on constant time range case. Thus, its form can be simplified as:(1)(2).

Here, , are signals and , are sequences.

Assume the starting time is cycle , then we have: the sequence will start sequences of evaluation which are , , , , .

Their corresponding algebraic forms are , , , .

Then we have the equivalent form of above representation set as

4.2. Sequential Depth Calculation

The time range of a sequential is a time interval during which an operation or a terminal of a sequence has to be considered and is denoted by a closed bounded set of positive integers:

Furthermore, the maximum of two intervals and is defined by .

In the same manner, the sum of two time ranges of and is defined as

Definition 11 (maximum sequential depth). The maximum sequential depth of a SVA expression or a sequence, written as , is defined recursively. (i), if is a signal;(ii), if is a signal;(iii), if , are sequences of SVA;(iv), if , are sequences of SVA;(v), if , are sequences of SVA;(vi), if , are sequences of SVA;(vii), if , are sequences of SVA;(viii), if is a sequence of SVA.

For example, the following sequence is used to illustrate how to calculate the sequence depth. and .

Figure 2 shows the binary parsing tree for calculating sequence depth of this sequence. The box denotes operator and cycle denotes signal node in the syntax tree.

Firstly, consider the top layer of the parsing tree and the sequence . Here, because the first operand is a terminal of the sequence, thus this operand becomes relevant at time step 0 only . Since the interval has to be considered, the second operand (the subtree of “and”) matches 2 or 3 time steps later. Therefore, calculating is recursively performed with for the second operand.

Similarly, we can have the sequence depth of the whole sequence and all its subsequences as denoted in the figure.

5. SVA to Polynomial Set Translation

As mentioned previously, SystemVerilog assertions are an integral component of SystemVerilog and provide two kinds of assertions: immediate assertions and concurrent assertions.

In this section, we only discuss concurrent assertions and their temporal layer representation model.

Concurrent assertions express functional design intent and can be used to express assumed input behavior, expected output behavior, and forbidden behavior. That is, assertions define properties that the design must meet. Many properties can be expressed strictly from variables available in the design, while properties are often constructed out of sequential behaviors.

Thus, we will firstly discuss the basic algebraization process for the sequential behavior model.

5.1. Algebraization Process

The properties written in SVA will be unrolled and checked against the design for bounded time steps in our method. Note that only a constrained subset of SVA can be supported by our method (unspecified upper bound time range and first-match operator are excluded).

Firstly, we translate the properties described by the constrained subset of SVA into flat sequences according to the semantics of each supported operator.

As mentioned in [16], the total set of SVA is divided into 4 subgroups, namely, simple sequence expression (SSE), interval sequence expression (ISE), complex sequence expression (CSE), and unbounded sequence expression (USE). Here, in our method, these groups can only be partly supported.

Therefore, we define the following sequence expressions by adding further conditions.(i)Constrained simple sequence expression (CSSE) is formed by Boolean expression, repeat operator, and cycle delay operator.(ii) Constrained interval sequence expression (CISE) is a super set of CSSE formed by extra time range operators.(iii) Constrained complex sequence expression is a super set of CSSE and CISE containing operators or and intersection.

Secondly, the unrolled flat sequences will be added to temporal constraints to form proportional formulas with logical connectives , , and .

Finally, the resulted proportional formulas will be translated into equivalent polynomial set.

Then, the verification problem is reduced to proving zero set inclusion relationship which can be resolved by Groebner bases approaches.

5.2. Boolean Layer Modeling

The Boolean layer of SVA forms an underlying basis for the whole assertion architecture which consists of Boolean expressions that hold or do not hold at a given cycle.

In this paper, we distinguish between signal logic values and truth logic values. That is, for a truth logic statement about a given property, its truth can be evaluated to or . But for a signal, when primary inputs are symbolic values, its signal logic value may not be evaluated as or .

Therefore, we have the following definition for signal logic.

Definition 12 (signal logic). In digital circuit systems, signal logic (, for short) is defined as:(i) if a signal is active-high (, for short), then its signal value is defined as 1;(ii) if a signal is active-low (, for short), then its signal value is defined as 0.

Definition 13 (symbolic constant). A symbolic constant is a rigid Boolean variable that forever holds the same Boolean value. The notion of symbolic constant was firstly introduced in STE [17] for two purposes:(1)to encode an arbitrary Boolean constraints among a set of circuit nodes in a parametric form;(2)to encode all possible scalar values for a set of nodes.

Assume denotes a symbolic constant for signal logic and denotes its negative form, if denotes then will be .

Consider == and == as an example. According to our definitions, and are signals belonging to signal logic, while both == and == are of truth logic.

For example, assertion is also a valid Boolean expression stating that the 16-bit vectors and are equal.

In SVA, the following are valid Boolean expressions:(i)(ii)(iii)(iv)(v).

Since the state of a signal variable can be viewed as a zero of a set of polynomials. We have the following.(1) For any signal holds at a given time step , thus, the state of ( is active-high at cycle ) can be represented by polynomial .(2) Alternatively, the state of ( is active-low at cycle ) can be represented by polynomial .(3) Symbolically, the state of ( is active-high at the th cycle) can be modeled as .

5.3. Sequence Operator Modeling

Temporal assertions define not only the values of signals, but also the relationship between signals over time. The sequences are the building blocks of temporal assertions and can express a set of linear behavior lasting for one or more cycles. These sequences are usually used to specify and verify interface and bus protocols.

A sequence is a regular expression over the Boolean expressions that concisely specifies a set of linear sequences. The Boolean expressions must be true at those specific clock ticks for the sequence to be true over time.

SystemVerilog provides several sequence composition operators to combine individual sequences in a variety of ways that enhance code writing and readability which can construct sequence expressions from Boolean expressions.

In this paper, operator, operator, and the operator are not supported by our method.

SystemVerilog defines a number of operations that can be performed on sequences. The sequence composition operators in SVA are listed as follows.

Definition 14 (sequence operator).

//“Boolean expression” form // “local variable sampling” form // “parenthesis” form // “concatenation” form // “fusion” form // “or” form // “intersect” form // “first match” form // “null repetition” form // “unbounded repetition” form // “repetition” repeater //specifying a Boolean expression must hold throughout a sequence //specifying conditions within a sequence.

The resulted sequences constructed by operators are then used in properties for use in assertions and covers.

5.3.1. Cycle Delay Operator

In SystemVerilog, the ## construct is referred to as a cycle delay operator.

“” and “” are concatenation operators: the former is the classical regular expression concatenation; the latter is a variant with one-letter overlapping.

A followed by a number or range specifies the cycles delay from the current clock cycle to the beginning of the sequence that follows.(1)Fixed-length Case sequence fixs; endsequence (2)Time-range Case sequence endsequence .

5.3.2. Intersect Operator

The two operands of intersect operator are sequences. The requirements for match of the intersect operation are as follows.(i) Both operands must match.(ii) The lengths of the two matches of the operand sequences must be the same.

intersect .

starts at the same time as ; the intersection will match if , starting at the same time as , matches at the same time as matches.

Therefore, we have

The sequence length matching intersect operator constructs a sequence like the and nonlength matching operator, except that both sequences must be completed in same cycle.

5.3.3. and Operator

and .

This operator states that starts at the same time as and the sequence expression matches with the later of and matching. This binary operator and is used when both operands are expected to match, but the end times of the operand sequences can be different.

That is, denotes both and holds for the same number cycles. Then, the matches of must satisfy the following:(i)The start point of the match of must be no earlier than the start point of the match of .(ii)The end point of the match of must be no later than the end point of the match of .

The sequence nonlength matching operator constructs a sequence in which two sequences both hold at the current cycle regardless of whether they are completed in the same cycle or in different cycles

Here, , , and .

5.3.4. or Operator

.

The sequence operator constructs a sequence in which one of two alternative sequences hold at the current cycle. Thus, the sequence states that either sequence , or sequence , would satisfy the assertion

Here, , , and .

5.3.5. Local Variables

SystemVerilog provides a feature by which variables can be used in assertions. The user can declare variables local to a property. This feature is highly useful in pipelined designs where the consequent occurrence might be many cycles later than their corresponding antecedents.

Local variables are optional and local to properties. They can be initialized, assigned (and reassigned) a value, operated on, and compared to other expressions.

The syntax of a sequence declaration with a local variable is shown below. ; ; .

The property declaration syntax with a local variable can be illustrated as follows: ; ; .

The variable identifier declaration syntax of a local variable can be illustrated as follows: .

The dynamic creation of a variable and its assignment is achieved by using the local variable declaration in a sequence or property declaration and making an assignment in the sequence.

Thus, local variables of a sequence (or property) may be set to a value, which can be computed from a parameter or other objects (e.g., arguments, constants, and objects visible by the sequence (or property)).

For example, a property of a pipeline with a fixed latency can be specified below. ; ; ; .

This property e is evaluated as follows:

When is true, is assigned the value of . If 3 cycles later, is equal to , then property is true. Otherwise, the property is false. When is false, property is evaluated as true.

For the algebraization of SVA properties with local variables, in our method these local variables will be taken as common signal variables (symbolic constant) without any sequential information.

Thus, we have the polynomial set representation for property : , , .

5.3.6. Repetition Operators

SystemVerilog allows the user to specify repetitions when defining sequences of Boolean expressions. The repetition counts can be specified as either a range of constants or a single constant expression.

Nonconsecutive repetition specifies finitely many iterative matches of the operand Boolean expression, with a delay of one or more clock ticks from one match of the operand to the next successive match and no match of the operand strictly in between. The overall repetition sequence matches at or after the last iterative match of the operand, but before any later match of the operand.

The syntax of repetition operator can be illustrated as follows:

The number of iterations of a repetition can be specified by exact count.

For example, a sequence with repetition can be defined as

The sequence expects that 2 clock cycles after the valid start, signal “” will be repeated three times.

We have .

5.4. Property Operator Modeling

In general, property expressions in SVA are built using sequences, other sublevel properties, and simple Boolean expressions via property operators.

In SVA, a property that is a sequence is evaluated as true if, and only if, there is a nonempty match of the sequence. A sequence that admits an empty match is not allowed as a property.

The success of assertion-based verification methodology relies heavily on the quality of properties describing the intended behavior of the design. Since it is a fairly new methodology, verification and design engineers are often faced with a question of “how to identify good properties” for a design. It may be tempting to write properties that closely resemble the implementation.

Properties we discussed in this paper can be classified as.

(1) Design Centric. Design centric properties represent assertions added by the RTL designers to characterize white box design attributes. These properties are typically towards FSMs, local memories, clock synchronization logic, and other hardware-related designs. The design should conform to the expectations of these properties.

(2) Assumption Centric. Assumption centric properties represent assumptions about the design environment. They are used in informal verification to specify assumptions about the inputs. The assume directive can inform a verification tool to assume such a condition during the analysis.

(3) Requirement/Verification Centric. Many requirement properties are best described using a “cause-to-effect” style that specifies what should happen under a given condition. This type of properties can be specified by implication operator. For example, a handshake can be described as “if request is asserted, then acknowledge should be asserted within 5 cycles”.

In general, property expressions are built using sequences, other sublevel properties, and simple Boolean expressions.

These individual elements are combined using property operators: , , , , and so forth.

The property composition operators are listed as follows.

Definition 15 (property operator).

“sequence” form “parenthesis” form “negation” form “or” form “and” form “implication” form “reset” form .

Note that disable if and only if will not be supported in this paper. Property operators construct properties out of sequence expressions.

5.4.1. Implication

Operators. The SystemVerilog implication operator supports sequence implication and provides two forms of implication: overlapped using operator , and nonoverlapped using operator , respectively.

The syntax of implication is described as follows:

The implication operator takes a sequence as its antecedent and a property as its consequent. Every time the sequence matches the property must hold. Note that both the running of the sequence and the property may span multiple clock cycles and that the sequence may match multiple times.

For each successful match of the antecedent sequence, the consequence sequence (right-hand operand) is separately evaluated, beginning at the end point of the matched antecedent sequence. All matches of antecedent sequence require a match of the consequence sequence.

Moreover, if the antecedent sequence (left hand operand) does not succeed, implication succeeds vacuously by returning true. For many protocol related assertions, it is important to specify the sequence of events (the antecedent or cause) that must occur before checking for another sequence (the consequent or effect). This is because if the antecedent does not occur, then there is no need to perform any further verification. In hardware, this occurs because the antecedent reflects an expression that, when active, triggers something to happen.

A property with a consequent sequence behaves as if the consequent has an implication first-match applied to it.

5.4.2. NOT

Operator. The operator states that the evaluation of the property returns the opposite of the evaluation of the underlying .

5.4.3. AND

Operator. The formula “” states that the property is evaluated as true if, and only if, both and are evaluatd as true.

5.4.4. OR

Operator. The operator “” states that the property is evaluated as true if and only if, at least one of and is evaluated as true.

5.4.5. IF-ELSE

Operator. This operator has two valid forms which are listed as follows.(1).

A property of this form is evaluated as true if, and only if, either is evaluated as false or is evaluated as true.(2).

A property of this form is evaluated as true if, and only if, either is evaluated as true and is evaluated as true or is evaluated as false and is evaluated as true.

From previous discussion, we have the following proposition for property reasoning.

Proposition 16. Assume that , , and are valid properties in SVA, the following rules are used to construct the corresponding verification process. Here, is a self-defined checking function that can determine whether a given “” holds or not with respect to a circuit model “”.(1)(2)(3)(4)(5)∧(6) if else ∧(7) else .

6. Verification Algorithm

In this section, we will describe how an assertion is checked using Groebner bases approach. Firstly, we will discuss a practical algorithm using Groebner bases for assertion checking.

6.1. Basic Principle

As just mentioned, our checking method is based on algebraic geometry which is the study of the geometric objects arising as the common zeros of collections of polynomials. Our aim is to find polynomials whose zeros correspond to pairs of states in which the appropriate assignments are made.

We can regard any set of points in as the variety of some ideal. We can then use the ideal or any basis for the ideal as a way of encoding the set of points.

From Groebner Bases theory [10, 12] every nonzero ideal has a Groebner basis and the following proposition evidently holds.

Proposition 17. Let and be polynomial sets of , and a Groebner basis for , and then we have that holds.

Theorem 18. Suppose that is a property to be verified. is the initial preconditions of , and is a system model to be checked. Let and be the polynomial set representations for and , respectively, constructed by previous mentioned rules. Let , (where, denotes the ideal generated by ) and , then we have

Proof. (1) The polynomial set of system model describes the data-flow relationship that inputs, outputs, and functional transformation should meet. The initial condition can be seen as extra constraint applied by users. There should not exist contradiction between them; that is, the polynomial equations of must have a common solution.
By Hilbert’s Nullstellensatz theory, if we have polynomials , we compute a reduced Groebner basis of the ideal they generate with respect to any ordering. If this basis is , the polynomials have no common zero in ; if the basis is not , they must have a common zero.
Therefore, should hold.
(2) Evidently, by previous proposition, it is easy to have that should hold.
Thus, we have that this theorem holds.

6.2. Checking Algorithm

For simplicity, in this section, we only provide the key decision algorithm.

Firstly, the original system model is transformed into a normal polynomial representation and the assertion as well. Then, calculate the hypothesis set and its Groebner basis using the Buchberger algorithm [18] and their elimination ideals. Finally, examine the inclusion relationship between elimination ideals to determine whether the assertion to be checked holds or not.

From above discussion, we have the following process steps and detailed algorithm description. Algorithm 1.

Input:
(1) circuit model ;
(2) initial condition ;
(3) an assertion ;
Output: Boolean: or ;
BEGIN
/*Step 1: initialize input signals via testbench */
(00) ;
(01) ;
/*Step 2: build polynomial model */
(02) ;
/*Step 3: build polynomial set for initial condition */
(03) ;
/*Step 4: build polynomial set for consequent */
(04) ;
/*Step 5: calculate the */
(05) ;
/*Step 6: calculate the Groebner base of */
(06) ;
/*Step 7: determine the basis is or not */
(07) if() {
(08) return ; }
/*Step 8: check every polynomial */
/**/
(09) ;
(10) {
(11) if() {
(12) return ; }
(13) i++;
(14) } /* endwhile */
(15) return ; /* Assertion does hold */
END;

For convenience, we can derive another version checking procedure named “” which can accept polynomial representations as inputs without explicit polynomial construction process.

Further, by applying Theorem 18 and the checking algorithm “”, we can easily verify all supported properties written in SVA.

7. An Example

In this section, we will study a classical circuit to show how SVA properties are verified by polynomial representation and algebra computation method.

Consider the Johnson counter circuit in Figure 3. Johnson counters can provide individual digit outputs rather than a binary or BCD output, as shown in Table 3. Notice that each legal count may be defined by the location of the last flip-flop to change states and which way it changed state.

7.1. Algebraization of Circuit and Assertion

Johnson counter provides individual digit outputs, as shown in Table 3.

The polynomial set for Johnson counter circuit in Figure 3 can be constructed as follows: where denotes the next state of . For the th cycle, we use to denote variable name in current cycle.

Similarly, another Johnson counter circuit with an error is shown in Figure 4, the corresponding polynomial set can be described by

To illustrate the problem clearly, we define polynomial set representation for th cycle as follows:

Support that the circuit will run 6 cycles for verification, therefore, we have .

For any Boolean variable , we will add an extra constraint: . Thus, we define the corresponding constraints set as follows: .

In the same manner, we have .

The sequential property for this counter circuit can be specified by the following SystemVerilog assertions. ; ; ; ; ; ; ; ; .

We will afterwards demonstrate the verification process step by step.

The circuit model to be verified is as shown below:

The property of this counter can be specified as the following SVA assertion: .

The Algebraization form of the above properties can be modeled as in Table 4.

7.2. Experiment Using Maple

We run this example by using Maple 13. Before running, we manually translated all models into polynomials. The experiment is performed on a PC with a 2.40 GHz CPU (intel i5 M450) and 1024 MB of memory. It took about 0.04 seconds and 0.81 MB of memory when applying Groebner method. with(Groebner) , , , , , , , , , , , , , , , , , , , , , , , [> .

Thus, we can have the Groebner basis as follows: , , , , , , , , , , , , , , , , , .

As shown in maple outputs, the given circuit has been modeled as polynomial set (its Groebner bases is denoted by ) and assertion expected result as . From the running result, we have and return value of is 0 which means is divided with no remainder by .

Thus, from the previously mentioned verification principles, it is easy to conclude that the assertion holds under this circuit model after 3 cycles.

More detailed experiment results for verification of circuit shown in Figure 3 are listed in Table 5.

Conversely, we check these assertions against the circuit shown in Figure 4 in a similar way. More detailed experiment results are demonstrated in Table 6.

From above table, when checking assertion, the result so that we can conclude the assertion does not hold. Therefore, there must exist unexpected errors in the original circuit.

This case is a fairly complete illustration of how the checking algorithm works.

8. Conclusion

In this paper, we presented a new method for SVA properties checking by using Groebner bases based symbolic algebraic approaches. To guarantee the feasibility we defined a constrained subset of SVAs, which is powerful enough for practical purposes.

We first introduce a notion of symbolic constant without any sequential information for handling local variables in SVAs inspired from STE. We then proposed a practical algebraization method for each sequence operator. For sequential circuits verification, we introduce a parameterized polynomial set modeling method based on time frame expansion.

Our approach is based on polynomial models construction for both circuit models and SVA assertions. This method is to eventually translate a simulation based verification problem into a pure algebraic zero set determination problem by a series of proposed steps, which can be performed on any general symbolic algebraic tool.

This method allows users to deal with more than one state and many input combinations every cycle. This advantage comes directly from the fact that many vectors are simulated at once using symbolic value.

In summary, in this research, by suitable restrictions of SVA assertions, we can guarantee the availability of polynomial set representation. Based on this polynomial set model, symbolic simulation can be performed to produce symbolic traces and temporal relationship constraints of signal variables as well. We then apply symbolic algebra approach to check the zeros set relation between their polynomial sets and determine whether the temporal assertion holds or not under current running cycle.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

The project is supported by the National Natural Science Foundation of China under Grant no. 11371003, the Natural Science Foundation of Guangxi under Grants nos. 2011GXNSFA018154, 2012GXNSFGA060003, and 2013GXNSFAA019342, the Science and Technology Foundation of Guangxi under Grant no. 10169-1, the Scientific Research Project no. 201012MS274 from Guangxi Education Department, the Fundamental Research Funds for the Central Universities under Grants nos. DUT14QY05 and HCIC201204 of Guangxi Key Laboratory of Hybrid Computation and IC Design Analysis Open Fund, and the Baguio scholarship Project of Guangxi. The authors would like to thank their colleagues for participating in the research. They also appreciate the anonymous reviewers for their helpful comments.

References

IEEE System Verilog Working Group, IEEE Standard for SystemVerilog C Unified Hardware Design, Specification, and Verification (IEEE Std 1800-2005). IEEE, 2005.
“IEEE draft standard for system verilog—unified hardware design, specification, and verification language,” IEEE P1800/D3, 2011.
View at: Google Scholar
R. Wille, G. Fey, M. Messing, G. Angst, L. Linhard, and R. Drechsler, “Identifying a subset of SystemVerilog assertions for efficient bounded model checking,” in Proceedings of the 11th EUROMICRO Conference on Digital System Design Architectures, Methods and Tools (DSD '08), pp. 542–549, September 2008.
View at: Publisher Site | Google Scholar
L. Darringer, “Application of program verification techniques to hardware verification,” in Proceedings of the IEEE-ACM Design Automation Conference, pp. 375–381, 1979.
View at: Google Scholar
G. S. Avrunin, “Symbolic model checking using algebraic geometry,” in Proceedings of the 8th International Conference on Computer Aided Verification, vol. CAV96, pp. 26–37, Springer, London, UK, 1996.
View at: Google Scholar
W. B. Mao and J. Z. Wu, “Application of Wus method to symbolic model checking,” in Proceedings of the 2005 international Symposium on Symbolic and Algebraic Computation (ISSAC '05), pp. 237–244, ACM Press, Beijing, China, 2005.
View at: Publisher Site | Google Scholar | MathSciNet
J. Wu and L. Zhao, “Multi-valued model checking via groebner basis approach,” in Proceedings of the 1st Joint IEEE/IFIP Symposium on Theoretical Aspects of Software Engineering (TASE '07), pp. 35–44, IEEE Computer Society Press, June 2007.
View at: Publisher Site | Google Scholar
N. Zhou, J. Wu, and X. Gao, “Algebraic verification method for SEREs properties via Groebner bases approaches,” Journal of Applied Mathematics, vol. 2013, Article ID 272781, 10 pages, 2013.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
X. Gao, N. Zhou, J. Wu, and D. Li, “Wu’s characteristic set method for SystemVerilog assertions verification,” Journal of Applied Mathematics, vol. 2013, Article ID 740194, 14 pages, 2013.
View at: Publisher Site | Google Scholar
J. Little, D. Cox, and D. O'Shea, Ideals, Varieties, and Algorithms, Springer, New York, NY, USA, 1992.
View at: MathSciNet
T. Becker and V. Weispfenning, Gröbner Bases: A Computational Approach to Commutative Algebra, Springer, New York, NY, USA, 1993.
View at: Publisher Site | MathSciNet
B. Buchberger, “Groebner bases: an algorithmic method in polynomial ideal theory,” in Multidimensional Systems Theory, pp. 184–232, 1985.
View at: Google Scholar
S. B. Akers, “Binary decision diagrams,” IEEE Transactions on Computers C, vol. 27, no. 6, pp. 509–516, 1978.
View at: Google Scholar
S. Hoereth and R. Drechsler, “Formal verification of word-level specifications,” in Proceedings of the Design, Automation and Test in Europe Conference and Exhibition, pp. 52–58, Munich, Germany, 1999.
View at: Google Scholar
Y. M. Ryabukhin, “Boolean ring,” in Encyclopaedia of Mathematics, Springer, Michiel, Germany, 2001.
View at: Google Scholar
S. Das, R. Mohanty, P. Dasgupta, and P. P. Chakrabarti, “Synthesis of system verilog assertions,” in Proceedings of the Conference on Design, Automation and Test in Europe: Designers’ Forum (DATE ’06), pp. 70–75, European Design and Automation Association, Leuven, Belgium, March 2006.
View at: Publisher Site | Google Scholar
C.-J. Seger and R. E. Bryant, “Formal verification by symbolic evaluation of partially-ordered trajectories,” Formal Methods in System Design, vol. 6, no. 2, pp. 147–190, 1995.
View at: Publisher Site | Google Scholar
D. Cox, J. Little, and D. O'Shea, Ideals, Varieties, and Algorithms An Introduction to Computational Algebraic Geometry and Commutative Algebra, Undergraduate Texts in Mathematics, Springer, New York, 3rd edition, 2007.
View at: Publisher Site | MathSciNet

Copyright

Copyright © 2014 Ning Zhou et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

1414

Downloads

959

Citations