Copyright © 2004 by Doulos Ltd. All Rights Reserved

Experiences ofa PSL Educator

John Aynsley, Technical Director

Copyright © 2004 by Doulos Ltd. All Rights Reserved

• Why our customers use PSL

• What our customers need to learn

(The marketing stuff)

• Teaching temporal reasoning

(The technical stuff)

Experiences of a PSL Educator

Copyright © 2004 by Doulos Ltd. All Rights Reserved

Why PSL?

• Verification is the problem

• The PSL solution is

• Incremental - not disruptive

• Easy to learn

• Non-proprietary

(in Europe, we like to keep EDA vendors hungry)

• Supported by tools today

• Opens the door to formal verification

Copyright © 2004 by Doulos Ltd. All Rights Reserved

What is there to learn?

• Learning the syntax is easy

• Learning why is more challenging!

• The selling job

Copyright © 2004 by Doulos Ltd. All Rights Reserved

Bogus debates

• Properties are a simulation overhead

• so can I turn them off?

• Properties only replace one problem with another

• how do I debug the properties?

Copyright © 2004 by Doulos Ltd. All Rights Reserved

Real debate - who writes properties?

• The system architect (or whoever) writes the spec

• The design and verification engineers interpret the spec and write properties

• The RTL design engineer

• White-box verification, driven by the implementation

• Block-level test benches

• Properties embedded in RTL code

• The verification engineer

• Black-box verification, driven by the specification

• Chip-level test benches

• Properties in separate files

Copyright © 2004 by Doulos Ltd. All Rights Reserved

Who writes properties?

• Writing properties forces you to be more formal

• Finds ambiguities in the spec

• Helps the design engineer understand the design

• Assertion-Based Design

• “Your lab questions aren’t accurate”

• Properties can be used to augment the spec

Copyright © 2004 by Doulos Ltd. All Rights Reserved

Observability

BUG

Bug invisible here!Bug invisible here!

Test vectors

Test vectors

Bug caught by assertionBug caught by assertion

• Increased observability gives better bug coverage from a given set of tests

Watchdog

Sentinel

Copyright © 2004 by Doulos Ltd. All Rights Reserved

Localising Bugs

Block A

Block A

Block B

Block B

Assertion failure => bug detected in block AAssertion failure => bug detected in block A

Assertion failure => end-to-end bug somewhere in the designAssertion failure => end-to-end bug somewhere in the design

Copyright © 2004 by Doulos Ltd. All Rights Reserved

Properties are Reusable

Block ABlock A

PropertiesProperties

Interface PropertiesInterface Properties

Block-level StimulusBlock-level Stimulus

Block ABlock A Block BBlock B Block CBlock C

Chip-level StimulusChip-level Stimulus

Interface PropertiesInterface Properties

• Embedded assertions go on checking, even when you've forgotten about them!

Copyright © 2004 by Doulos Ltd. All Rights Reserved

Temporal reasoning

property p1 is always req -> next grant;property p1 is always req -> next grant;

clk

grant

req

Copyright © 2004 by Doulos Ltd. All Rights Reserved

Temporal reasoning

property p1 is always req -> next grant;property p1 is always req -> next grant;

req holds

clk

grant

req

Copyright © 2004 by Doulos Ltd. All Rights Reserved

Temporal reasoning

property p1 is always req -> next grant;property p1 is always req -> next grant;

req holds

grant holds

clk

grant

req

Copyright © 2004 by Doulos Ltd. All Rights Reserved

Temporal reasoning

property p1 is always req -> next grant;property p1 is always req -> next grant;

req holds

grant holds

clk

grant

req

next grant holds

Copyright © 2004 by Doulos Ltd. All Rights Reserved

Temporal reasoning

property p1 is always req -> next grant;property p1 is always req -> next grant;

req holds

grant holds

clk

grant

req

req -> next grant holds

next grant holds

Copyright © 2004 by Doulos Ltd. All Rights Reserved

Temporal reasoning

property p1 is always req -> next grant;property p1 is always req -> next grant;

req holds

grant holds

clk

grant

req

assert p1;

next grant holds

pass fail

req -> next grant holds

Copyright © 2004 by Doulos Ltd. All Rights Reserved

next [N] versus sequence

assert always req -> next next (grant);assert always req -> next next (grant);

req

grant

pass failpass

clk

assert always {req} |-> {true[*2]; grant};assert always {req} |-> {true[*2]; grant};

assert always req -> next[2] (grant);assert always req -> next[2] (grant);

Copyright © 2004 by Doulos Ltd. All Rights Reserved

next_e versus sequence

req

grant

pass failpass

assert always req -> next_e[1:2] (grant);assert always req -> next_e[1:2] (grant);

clk

assert always {req} |-> {[*1:2]; grant};assert always {req} |-> {[*1:2]; grant};

assert always req -> next(grant) || next[2](grant);assert always req -> next(grant) || next[2](grant);

Copyright © 2004 by Doulos Ltd. All Rights Reserved

rose() versus sequence

assert always rose(req) -> next rose(grant);assert always rose(req) -> next rose(grant);

req

grant

pass fail

clk

assert always {!req; req} |-> {!grant; grant};assert always {!req; req} |-> {!grant; grant};

Copyright © 2004 by Doulos Ltd. All Rights Reserved

until versus sequence

assert always req -> next (ack until grant);assert always req -> next (ack until grant);

req

grant

fail

clk

pass pass

assert always {req} |=> {ack[*]; grant};assert always {req} |=> {ack[*]; grant};

ack

Copyright © 2004 by Doulos Ltd. All Rights Reserved

before versus sequence

assert always req -> (ack before grant);assert always req -> (ack before grant);

req

ack

fail

clk

pass

grant

pass

assert always {req} |-> {{[*];ack} && {!grant[+]}};assert always {req} |-> {{[*];ack} && {!grant[+]}};

Length-matching andLength-matching and

Copyright © 2004 by Doulos Ltd. All Rights Reserved

What we’ve learnt

EndEnd

nextnext

->->

alwaysalways

next[N]next[N]

{ ; ; }{ ; ; }

next_e[m:n]next_e[m:n]

|->|->

[*m:n][*m:n]

true[*n]true[*n]

rose()rose()

untiluntil

|=>|=>

&&&&

[+][+]

beforebefore

[*][*]

Temporal operators Sequences Function