harry-psl
advertisement
PSL
Property Specification Language
Jasper Design Automation
Jasper Design Automation© 2005
1
Introduction to PSL
Jasper Design Automation© 2005
2
Introduction
What is PSL?
o
A language for the formal specification of concurrent systems
– Particularly applicable for the description of hardware designs
– Describe properties (or assertions) that are required to hold on a DUV
Key characteristics of PSL include:
o
Mathematically precise well-defined formal semantics
o
Very expressive coving large class of real world design behaviors
o
Known efficient underlying verification algorithms
o
Intuitive and easy to learn, read, and write
o
PSL is a layered language, ideal for reuse, and supports multiple HDL flavors
– Verilog, VHDL, SystemC, and SystemVerilog
Jasper Design Automation© 2005
3
Background
Sugar
created at IBM
Haifa Research Labs
FVTC
formed in
Accellera (OVI)
1994
1998
Syntactic
sugaring of
CTL
Branching-time
semantics
plus regular
expressions
Jasper Design Automation© 2005
FVTC considers:
Temporal e
PSL
CBV
based
on
ForSpec
Sugar 2.0
Sugar
2001
Linear-time
semantics
Added to Sugar
2002
PSL 1.01
Approved
2003
PSL and
SVA alignment
4
PSL 1.1
Approved
IEEE 1850
PSL
2004
2005
PSL enhancements
and clarifications
Elements of an assertion language
Logic, whose origins date back to the Greek philosophers, allows
us to answer the question:
Does a given model satisfy a given property?
model
logic
property
Jasper Design Automation© 2005
5
true/false
Elements of assertion languages
Classical logic deals with timeless statements.
o
“The moon is a satellite of the earth.”
o
“The moon is rising (now).”
universe
logic
true/false
The moon is rising
However, in classical logic, we cannot express:
o
“The moon will rise again and again”
Jasper Design Automation© 2005
6
Temporal Logic
Our interest – properties of reactive systems.
In reactive systems, processes maintain on-going interaction
with their environment.
Interesting statements about reactive systems depend on time.
o
For example, A and B are mutually exclusive for all values of time
Temporal logic can describe the ordering of events in time without introducing time
explicitly.
o
Without temporal logic, we would be forced to explicitly write equations involving time:
– For example,
Jasper Design Automation© 2005
t.!(A(t) & B(t))
7
Temporal Logic
Pnueli 1977 – use of temporal logic for reasoning about reactive systems
(LTL).
Clarke & Emerson 1981 – model checking (CTL).
Various temporal logics (LTL, CTL, CTL*,…).
The logics differ in
o Syntax
o Semantics – meaning of the formulas.
o Expressiveness – which properties can be expressed.
o Complexity – efficiency of evaluating a property.
o Underlying model of time.
Jasper Design Automation© 2005
8
Temporal Logic
Model of time:
o
Finite computation (simulation) or infinite computation (model
checking).
o
Linear or branching
– Linear – each moment in time has a unique possible future.
– Branching – each moment in time can split into various possible
futures.
p
1
3
1
q
2
2
3
2
2
2
2
1
2
3
1
2
2
2
2
Jasper Design Automation© 2005
9
PSL
Linear-Time Temporal Logic
Intuitive to engineers
o
Reason about expected behavior over linear sequences of states
(computational paths)
o
Thinking is similar to reviewing a simulation trace
Properties evaluated over paths
0
2
Jasper Design Automation© 2005
Infinite path
p
q
1
0
2
1
10
What We can Express in LTL
All Boolean logic properties.
“Process 2 is in the critical section”
next p – p holds in the next state.
“Process 2 will be in the critical section in the next state”
eventually! p – eventually p holds.
“eventually process 2 will enter the critical section”
Jasper Design Automation© 2005
11
What We Cannot Express in LTL?
Counting example:
“p is asserted in every even cycle”
All the following traces satisfy this property
!p,p,!p,p,…
p,p,p,p,….
p,p,!p,p,p,p…
No linear-time temporal formula can express this property.
Jasper Design Automation© 2005
12
Extended Regular Expressions
Extended regular expressions overcome some of the limitations in linear-time
temporal logic’s lack of expressiveness.
They are a convenient way to define a temporal pattern that can match (or
more aptly put, specify) sequences of states.
Regular expressions let us describe design behavior that involves counting.
o
Such as modulo n type behavior, with the * operator.
For example, the PSL extended regular expression:
{a ; b ; [*3] ; c ; [*2:3] ; d}
Jasper Design Automation© 2005
13
What Cannot be Express with Regular Expressions
The property: “eventually p holds forever”
The following property cannot be expressed with regular
expressions:
o
“Eventually, p holds forever”
!p
!p
!p
p
p
p
Can be expressed in LTL. For example, in PSL:
o
eventually always p
Jasper Design Automation© 2005
14
What We Can Express in LTL and CTL
“Always if req is received, then ack must be received sometime in the
future”
o
LTL:
G (req -> F ack)
o
CTL: AG(req -> AF ack)
Most useful properties are in the common fragment of LTL and CTL
(Maidl, 2000).
Jasper Design Automation© 2005
15
PSL Layers
Jasper Design Automation© 2005
16
PSL is a Layered Language
Modeling
Verification
Temporal
Boolean
Jasper Design Automation© 2005
17
Boolean Layer
The Boolean layer is used to:
o
Specify logic expressions without specific timing
information using a standard HDL syntax such as
Verilog-HDL and VHDL
Example (Verilog):
// A and B are mutually exclusive
( !(A & B) )
Example (VHDL):
-- A and B are mutually exclusive
( not (A and B) )
Jasper Design Automation© 2005
18
Temporal Layer
The temporal layer is used to:
Specify when the Boolean expression must be valid
o Remove time ambiguities
o
Example:
// A and B are always mutually exclusive
always ( !(A & B) )
There are many temporal operators:
always property
o never property
o
o
until property
o …
o
next property
Jasper Design Automation© 2005
19
Verification Layer
The verification layer is used to:
o
Specify how to use the property:
– Assertion to be verified against the implementation
– Assumption to be used as constraint during the verification
– Or functional coverage metric to improve the overall
verification coverage
Example:
// A and B must always be mutually exclusive
assert always ( !(A & B) ) ;
Jasper Design Automation© 2005
20
Modeling Layer
The modeling layer is used to:
o
Write auxiliary HDL code required to specify complex
properties
You can define HDL functions that are used in your
properties, model complex FSMs or expressions
Example:
// If req is asserted, ack must be asserted the next cycle
wire req;
assign req = readA_req || readB_req;
assert always (req -> next (ack && gnt)) ;
Jasper Design Automation© 2005
21
PSL Layers
wire req;
assign req = readA_req || readB_req;
assert always (req -> next (ack && gnt)) ;
Boolean layer
Temporal layer
Verification layer
Modeling layer
Jasper Design Automation© 2005
22
PSL Sequences
Jasper Design Automation© 2005
23
PSL Sequences
PSL sequences enable us to:
o
Describe a sequence of Boolean expression (that is, states)
PSL sequences are marked by curly braces ‘{’ and ‘}’
Advancement of time occurs with each concatenation operator ‘;’
Example:
{ req; busy; gnt }
Jasper Design Automation© 2005
24
PSL Sequences Matching
A PSL sequence can have multiple matching diagrams
Example:
{ req; busy; gnt }
req
req
busy
busy
gnt
gnt
This diagram represents
one possible match
This diagram represents
another possible match
To explicitly match the waveform, we would need to specify the following
Example:
{ req && !busy && !gnt ;
!req && busy && !gnt ;
!req && !busy && gnt }
Jasper Design Automation© 2005
req
busy
gnt
25
Temporal Operators for Sequences
PSL supports the following temporal operators for sequences:
Overlapping implication
o Non-overlapping implication
o
|->
|=>
Example(s):
sequence S1 = { req; ack } ;
sequence S2 = { start; busy; end } ;
// Event “start” occurs on the same clock cycle as “ack”
property P1 = always S1 |-> S2 ;
// Event “start” occurs on the next clock cycle after “ack”
property P2 = always S1 |=> S2 ;
Jasper Design Automation© 2005
26
Operators for SERE
PSL supports the following operators for SERE:
o
Repetition in n consecutive clock cycles
Repetition in n non-consecutive clock cycles
o Repetition in n non-consecutive clock cycles
o
o
Repetition for 0 or any number of clock cycles
Repetition for 1 or any number of clock cycles
o Repetition for n to m clock clock cycles
o
[*n]
[=n]
[->n]
[*]
[+]
[*n:m]
The number of repetitions must be a positive integer
Keyword inf stands for an infinite number of clock cycles
Example(s):
sequence S1 = { rd[*5] } ;
sequence S2 = { rd[->3] } |=> { wr } ;
// {!rd[*]; rd; !rd[*]; rd; !rd[*]; rd}
sequence S3 = { req} |=> { ack[=1]; done} ; // {!ack[*]; ack; !ack[*]}
sequence S4 = { rd[*]; rd; wr };
sequence S5 = { rd[+]; wr } ;
sequence S6 = { rd[*2:5] } |=> { wr } ;
Jasper Design Automation© 2005
27
Example
property P1 = { req[+]; ack; wr[*4] } |=> { (wait && !req)[*]; done } ;
assert always P1;
clock
req
1 or more
0 or more
ack
write
wait
0 or more
done
Jasper Design Automation© 2005
28
Example
Properties are Derived from Specification
Receiving Data:
When the reception of data is complete, then an interrupt should occur:
property done_rcving_implies_int =
always rose(done_rcving) -> rose(int) ;
assert done_rcving_implies_int ;
Jasper Design Automation© 2005
29
Example
Properties are Derived from Specification
Receiving Data:
If the signal that indicates a reception in progress is active, then it
should remain active until the reception is complete:
property rcving_until_done_rcving =
always rose(rcving) -> (rcving until done_rcving) ;
assert rcving_until_done_rcving ;
Jasper Design Automation© 2005
30
Example
RTL Implementation Queue
Design intent
o“If
Queue is full, then an attempt to insert data is ignored.” (Overflow)
o“If
Queue is empty, then an attempt to remove data is ignored.” (Underflow)
qDataIn
RTL implementation fragment:
qLast
function [3:0] qNext;
input [3:0] p;
qNext = ((p + 1) mod `qSize);
endfunction;
assign qFull = (qNext(qLast) == qFirst);
7
6
5
4
3
2
1
0
cntrl
assign qEmpty = (qLast == qFirst);
…
PSL implementation assertions:
qFirst
qDataOut
assert always (qFull && qInsert -> next !qEmpty) abort ~rstN ;
assert always (qEmpty && qRemove -> next !qFull) abort ~rstN;
Jasper Design Automation© 2005
31
qInsert
qRemove
qError
qEmpty
qFull
Verification Units for Grouping
Properties and Directives
Verification with PSL is based on using verification units
vunit <name> [(<module binding>)] {
<declarations and verification layer directives>
Usually a separate file from RTL
};
vunit
Example:
inputs
outputs
RTL module
vunit my_unit (my_module) {
default clock = posedge clk;
assume never read & write;
property P1 = never (full & write);
A vunit binds to a module or an instance
assert P1;
assert always (read -> ! empty);
};
Jasper Design Automation© 2005
32
Types of Assertions and PSL Expressiveness
Data
Integrity
High-level requirements
•
•
•
•
Packet
Ordering
End-to-end
Black box
Based on design intent
Generally require
modeling+assertions
Design Intent
RTL Implementation
RTL implementation assertions
• Localized
• Implementation-specific
• Generally can be
expressed using only
assertions
One
Hot
Increment
By 1
FIFO
Overflow
FIFO
Overflow
Design Behavior
Jasper Design Automation© 2005
33
To learn more
www.eda.org/ieee-1850
Accellera v1.1 LRM available at www.accellera.org
My email:
Jasper Design Automation© 2005
harry@jasper-da.com
34
