PSL Property Specification Language Jasper Design Automation 2005
- Slides: 34

Introduction to PSL

Introduction
- What is PSL?
  - A language for the formal specification of concurrent systems
    - Particularly applicable to the description of hardware designs
    - Describes properties (or assertions) that are required to hold on a DUV
- Key characteristics of PSL include:
  - Mathematically precise, well-defined formal semantics
  - Very expressive, covering a large class of real-world design behaviors
  - Known efficient underlying verification algorithms
  - Intuitive and easy to learn, read, and write
  - PSL is a layered language, ideal for reuse, and supports multiple HDL flavors
    - Verilog, VHDL, SystemC, and SystemVerilog

Background
[Timeline figure with year marks 1994, 1998, 2001, 2002, 2003, 2004, 2005. Labels, in the order they appear: Sugar created at IBM Haifa Research Labs (syntactic sugaring of CTL; branching-time semantics plus regular expressions); FVTC formed in Accellera (OVI); FVTC considers Temporal e, CBV, ForSpec, Sugar; linear-time semantics added to Sugar; PSL based on Sugar 2.0; PSL 1.01 approved; PSL and SVA alignment; PSL 1.1 approved; PSL enhancements and clarifications; IEEE 1850 PSL.]

Elements of an assertion language
- Logic, whose origins date back to the Greek philosophers, allows us to answer the question: does a given model satisfy a given property?
[Diagram: model and property are the inputs to logic, which yields true/false]

Elements of assertion languages
- Classical logic deals with timeless statements.
  - "The moon is a satellite of the earth."
  - "The moon is rising (now)."
[Diagram: universe and the statement "The moon is rising" are the inputs to logic, which yields true/false]
- However, in classical logic, we cannot express:
  - "The moon will rise again and again"

Temporal Logic
- Our interest: properties of reactive systems.
- In reactive systems, processes maintain on-going interaction with their environment.
- Interesting statements about reactive systems depend on time.
  - For example, A and B are mutually exclusive for all values of time
- Temporal logic can describe the ordering of events in time without introducing time explicitly.
  - Without temporal logic, we would be forced to explicitly write equations involving time:
    - For example, ∀t. !(A(t) & B(t))

Temporal Logic
- Pnueli 1977 – use of temporal logic for reasoning about reactive systems (LTL).
- Clarke & Emerson 1981 – model checking (CTL).
- Various temporal logics (LTL, CTL*, …).
- The logics differ in
  - Syntax
  - Semantics – meaning of the formulas.
  - Expressiveness – which properties can be expressed.
  - Complexity – efficiency of evaluating a property.
  - Underlying model of time.

Temporal Logic
- Model of time:
  - Finite computation (simulation) or infinite computation (model checking).
  - Linear or branching
    - Linear – each moment in time has a unique possible future.
    - Branching – each moment in time can split into various possible futures.
[Figure: numbered states 1, 2, 3 labeled with p and q]

PSL Linear-Time Temporal Logic
- Intuitive to engineers
  - Reason about expected behavior over linear sequences of states (computational paths)
  - Thinking is similar to reviewing a simulation trace
- Properties evaluated over paths
[Figure: states 0, 1, 2 labeled with p and q, and an infinite path through them]

What We Can Express in LTL
- All Boolean logic properties.
  "Process 2 is in the critical section"
- next p – p holds in the next state.
  "Process 2 will be in the critical section in the next state"
- eventually! p – eventually p holds.
  "Eventually process 2 will enter the critical section"

What We Cannot Express in LTL
- Counting example: "p is asserted in every even cycle"
  All the following traces satisfy this property:
    !p, p, ….
    p, p, !p, p, p, p…
- No linear-time temporal formula can express this property.

Extended Regular Expressions
- Extended regular expressions overcome some of the limitations in expressiveness of linear-time temporal logic.
- They are a convenient way to define a temporal pattern that can match (or, more aptly put, specify) sequences of states.
- Regular expressions let us describe design behavior that involves counting.
  - Such as modulo n type behavior, with the * operator.
- For example, the PSL extended regular expression:

    {a; b; [*3]; c; [*2:3]; d}

What Cannot Be Expressed with Regular Expressions
- The following property cannot be expressed with regular expressions:
  - "Eventually, p holds forever"
  [Trace: !p !p !p p]
- Can be expressed in LTL. For example, in PSL:

    eventually! always p

What We Can Express in LTL and CTL
- "Always if req is received, then ack must be received sometime in the future"
  - LTL: G (req -> F ack)
  - CTL: AG(req -> AF ack)
- Most useful properties are in the common fragment of LTL and CTL (Maidl, 2000).

PSL Layers

PSL is a Layered Language
[Diagram of the four layers: Modeling, Verification, Temporal, Boolean]

Boolean Layer
- The Boolean layer is used to:
  - Specify logic expressions without specific timing information using a standard HDL syntax such as Verilog-HDL and VHDL

Example (Verilog):

    // A and B are mutually exclusive
    ( !(A & B) )

Example (VHDL):

    -- A and B are mutually exclusive
    ( not (A and B) )

Temporal Layer
- The temporal layer is used to:
  - Specify when the Boolean expression must be valid
  - Remove time ambiguities

Example:

    // A and B are always mutually exclusive
    always ( !(A & B) )

- There are many temporal operators:
  - always property
  - never property
  - next property
  - until property
  - …

Verification Layer
- The verification layer is used to:
  - Specify how to use the property:
    - Assertion to be verified against the implementation
    - Assumption to be used as a constraint during the verification
    - Or functional coverage metric to improve the overall verification coverage

Example:

    // A and B must always be mutually exclusive
    assert always ( !(A & B) ) ;

Modeling Layer
- The modeling layer is used to:
  - Write auxiliary HDL code required to specify complex properties
- You can define HDL functions that are used in your properties, model complex FSMs or expressions

Example:

    // If req is asserted, ack must be asserted the next cycle
    wire req;
    assign req = readA_req || readB_req;
    assert always (req -> next (ack && gnt)) ;

PSL Layers

    wire req;
    assign req = readA_req || readB_req;
    assert always (req -> next (ack && gnt)) ;

[Callouts on the code: Boolean layer, Temporal layer, Verification layer, Modeling layer]

PSL Sequences

PSL Sequences
- PSL sequences enable us to:
  - Describe a sequence of Boolean expressions (that is, states)
- PSL sequences are marked by curly braces '{' and '}'
- Advancement of time occurs with each concatenation operator ';'

Example:

    { req; busy; gnt }

PSL Sequences Matching
- A PSL sequence can have multiple matching diagrams

Example:

    { req; busy; gnt }

[Waveforms of req, busy, gnt: one diagram represents one possible match, a second diagram represents another possible match]

- To explicitly match the waveform, we would need to specify the following

Example:

    { req && !busy && !gnt ; !req && !busy && gnt }

Temporal Operators for Sequences
- PSL supports the following temporal operators for sequences:
  - Overlapping implication: |->
  - Non-overlapping implication: |=>

Example(s):

    sequence S1 = { req; ack } ;
    sequence S2 = { start; busy; end } ;
    // Event "start" occurs on the same clock cycle as "ack"
    property P1 = always S1 |-> S2 ;
    // Event "start" occurs on the next clock cycle after "ack"
    property P2 = always S1 |=> S2 ;

Operators for SERE
- PSL supports the following operators for SERE:
  - Repetition in n consecutive clock cycles: [*n]
  - Repetition in n non-consecutive clock cycles: [=n], [->n]
  - Repetition for 0 or any number of clock cycles: [*]
  - Repetition for 1 or any number of clock cycles: [+]
  - Repetition for n to m clock cycles: [*n:m]
- The number of repetitions must be a positive integer
- Keyword inf stands for an infinite number of clock cycles

Example(s):

    sequence S1 = { rd[*5] } ;
    // rd[->3] is {!rd[*]; rd; !rd[*]; rd; !rd[*]; rd}
    property S2 = { rd[->3] } |=> { wr } ;
    // ack[=1] is {!ack[*]; ack; !ack[*]}
    property S3 = { req } |=> { ack[=1]; done } ;
    sequence S4 = { rd[*]; rd; wr } ;
    sequence S5 = { rd[+]; wr } ;
    property S6 = { rd[*2:5] } |=> { wr } ;

Example

    property P1 = { req[+]; ack; wr[*4] } |=> { (wait && !req)[*]; done } ;
    assert always P1;

[Waveform: clock, req (1 or more cycles), ack, write, wait (0 or more cycles), done]

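The suffix implication operators and the property P1 above can be exercised on a recorded trace. The following is an added example, not code from the slides: a small finite-trace checker in Python for `always {lhs} |=> {rhs}` (or `|->` with `overlap=True`), restricted to consecutive repetition. The names `ends`, `check`, `make_trace`, `GOOD` and `BAD` and both traces are constructed here; "pending" is an approximation of the weak reading, meaning the consequent ran off the end of the trace.

```python
# Added illustration (not from the slides): finite-trace check of
#   always {lhs} |=> {rhs}   (overlap=False)   or   |->   (overlap=True)
# A SERE is a list of (predicate, lo, hi); hi=None means unbounded.

def ends(sere, trace, start):
    """Return (match end indices (exclusive), could-still-match-if-extended)."""
    positions, pending = {start}, False
    for pred, lo, hi in sere:
        nxt = set()
        for pos in positions:
            i = pos
            if lo == 0:
                nxt.add(i)                      # zero repetitions allowed
            while i < len(trace) and (hi is None or i - pos < hi) and pred(trace[i]):
                i += 1
                if i - pos >= lo:
                    nxt.add(i)
            pending |= i == len(trace)          # ran out of trace, not out of options
        positions = nxt
    return positions, pending

def check(lhs, rhs, trace, overlap=False):
    """Return ('holds'|'pending'|'fails', last cycle of the failing antecedent)."""
    verdict = ("holds", None)
    for start in range(len(trace)):
        for end in sorted(ends(lhs, trace, start)[0] - {start}):
            matched, pending = ends(rhs, trace, end - 1 if overlap else end)
            if not matched and not pending:
                return ("fails", end - 1)
            if not matched:
                verdict = ("pending", None)
    return verdict

def make_trace(**waves):
    """Constructed input: per-signal strings of 0/1, one character per cycle."""
    return [{s: w[t] == "1" for s, w in waves.items()}
            for t in range(len(waves["req"]))]

# P1 from the slide: {req[+]; ack; wr[*4]} |=> {(wait && !req)[*]; done}
LHS = [(lambda s: s["req"], 1, None), (lambda s: s["ack"], 1, 1),
       (lambda s: s["wr"], 4, 4)]
RHS = [(lambda s: s["wait"] and not s["req"], 0, None),
       (lambda s: s["done"], 1, 1)]

GOOD = make_trace(req="11000000000", ack="00100000000", wr="00011110000",
                  wait="00000001100", done="00000000010")
BAD = make_trace(req="11000000100", ack="00100000000", wr="00011110000",
                 wait="00000001100", done="00000000010")  # req returns in cycle 8

if __name__ == "__main__":
    print(check(LHS, RHS, GOOD), check(LHS, RHS, BAD), check(LHS, RHS, GOOD[:9]))
```

Running `check(LHS, RHS, GOOD, overlap=True)` on the same good trace fails, because `|->` starts the consequent in the last `wr` cycle instead of the cycle after it.
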
Example: Properties are Derived from Specification
Receiving Data:
- When the reception of data is complete, then an interrupt should occur:

    property done_rcving_implies_int =
      always rose(done_rcving) -> rose(int) ;
    assert done_rcving_implies_int ;

Example: Properties are Derived from Specification
Receiving Data:
- If the signal that indicates a reception in progress is active, then it should remain active until the reception is complete:

    property rcving_until_done_rcving =
      always rose(rcving) -> (rcving until done_rcving) ;
    assert rcving_until_done_rcving ;

Example: RTL Implementation (Queue)
- Design intent
  - "If Queue is full, then an attempt to insert data is ignored." (Overflow)
  - "If Queue is empty, then an attempt to remove data is ignored." (Underflow)

[Figure: queue with slots 7..0 between qDataIn and qDataOut, pointers qFirst and qLast, and a cntrl block with signals qInsert, qRemove, qError, qEmpty, qFull]

- RTL implementation fragment:

    // Next pointer value, wrapping at the queue size
    function [3:0] qNext;
      input [3:0] p;
      qNext = ((p + 1) % `qSize);
    endfunction
    assign qFull = (qNext(qLast) == qFirst);
    assign qEmpty = (qLast == qFirst);
    …

- PSL implementation assertions:

    assert always (qFull && qInsert -> next !qEmpty) abort ~rstN ;
    assert always (qEmpty && qRemove -> next !qFull) abort ~rstN ;

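Why the two assertions catch overflow and underflow is easiest to see on a pointer model: an unguarded insert on a full queue wraps qLast onto qFirst, so the queue looks empty in the next cycle. The following is an added example, not code from the slides: a cycle-level Python model of the pointer logic with both assertions checked each step. It assumes `qSize` is 8 (the figure shows slots 7..0), does not model the `abort ~rstN` reset, and the `guarded` switch and the stimulus are constructed here.

```python
# Added illustration (not from the slides): cycle-level model of the queue
# pointers, with the two PSL assertions checked after every step.
Q_SIZE = 8  # assumption: `qSize is 8, matching slots 7..0 in the figure

def q_next(p):
    return (p + 1) % Q_SIZE

def flags(first, last):
    """(qFull, qEmpty) exactly as the RTL assigns compute them."""
    return q_next(last) == first, last == first

def step(first, last, insert, remove, guarded):
    """Advance one clock. guarded=True ignores insert-on-full, remove-on-empty."""
    full, empty = flags(first, last)
    if insert and not (guarded and full):
        last = q_next(last)
    if remove and not (guarded and empty):
        first = q_next(first)
    return first, last

def run(stimulus, guarded):
    """Return [(cycle, assertion)] for every violated assertion."""
    first = last = 0
    violations = []
    for cycle, (insert, remove) in enumerate(stimulus):
        full, empty = flags(first, last)
        first, last = step(first, last, insert, remove, guarded)
        next_full, next_empty = flags(first, last)
        # assert always (qFull && qInsert -> next !qEmpty)
        if full and insert and next_empty:
            violations.append((cycle, "overflow"))
        # assert always (qEmpty && qRemove -> next !qFull)
        if empty and remove and next_full:
            violations.append((cycle, "underflow"))
    return violations

# Constructed stimulus: 8 inserts into a 7-entry queue, then 9 removes.
STIMULUS = [(1, 0)] * 8 + [(0, 1)] * 9

if __name__ == "__main__":
    print("guarded  :", run(STIMULUS, guarded=True))
    print("unguarded:", run(STIMULUS, guarded=False))
```
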
Verification Units for Grouping Properties and Directives
- Verification with PSL is based on using verification units

    vunit <name> [(<module binding>)] {
      <declarations and verification layer directives>
    };

- Usually a separate file from RTL
- A vunit binds to a module or an instance

[Diagram: RTL module with inputs and outputs, and a vunit bound to it]

Example:

    vunit my_unit (my_module) {
      default clock = posedge clk;
      assume never read & write;
      property P1 = never (full & write);
      assert P1;
      assert always (read -> ! empty);
    };

Types of Assertions and PSL Expressiveness
- High-level requirements (design intent)
  - End-to-end
  - Black box
  - Based on design intent
  - Generally require modeling + assertions
  - Examples shown: Data Integrity, Packet Ordering
- RTL implementation assertions (design behavior)
  - Localized
  - Implementation-specific
  - Generally can be expressed using only assertions
  - Examples shown: One Hot, Increment By 1, FIFO Overflow

To learn more
- www.eda.org/ieee-1850
- Accellera v1.1 LRM available at www.accellera.org
- My email: harry@jasper-da.com