Beruflich Dokumente
Kultur Dokumente
Abstract—In the last decade, functional verification has become reasons, debugging complex temporal assertions remains one
a major bottleneck in the design flow. To relieve this growing of the biggest challenges in their wide spread adoption.
burden, assertion-based verification has gained popularity as Automated circuit debugging techniques have traditionally
a means to increase the quality and efficiency of verification.
Although robust, the adoption of assertion-based verification relied on localizing an error in a circuit. In a similar manner,
poses new challenges to debugging due to presence of errors in the it is possible to synthesize assertions [14]–[16] and allow one
assertions. These unique challenges necessitate a departure from to apply similar circuit localization techniques to assertions.
past automated circuit debugging techniques which are shown to However, this proves ineffective in debugging assertions due
be ineffective. In this work, we present a methodology, mutation to their compact nature, also shown later in the paper. For
model and additional techniques to debug errors in SystemVerilog
assertions. The methodology uses the failing assertion, counter- example, applying path-tracing [7] to the assertion valid
example and mutation model to produce alternative properties ##1 start |=> go, will return the entire assertion as
that are verified against the design. These properties serve potentially erroneous. Moreover, this type of localization does
as a basis for possible corrections. They also provide insight not provide help in directing the engineer towards correcting
into the design behavior and the failing assertion. Experimental it. This suggests an urgent need for a departure from traditional
results show that this process is effective in finding high quality
alternative assertions for all empirical instances. circuit debugging techniques so that we can debug assertions
effectively.
I. I NTRODUCTION In this work, we propose a novel automated debugging
methodology for SystemVerilog assertions (SVA) that takes
Functional verification and debugging are the largest bottle-
a different approach. It aids debugging by generating a set
necks in the design cycle taking up to 46% of the total devel-
of properties closely related to the original failing assertion
opment time [1]. To cope with this bottleneck, new methods
that have been validated against the RTL. These properties
such as assertion-based verification (ABV) [2], [3] have been
serve as a basis for possible corrections to the failing assertion,
adopted by the industry to ease this growing burden. ABV in
providing an intuitive method for debugging and correction.
particular has shown to improve observability, reduce debug
They also provide insight into design behavior by being able
time as well as improve overall verification efficiency [2].
to contrast their differences with the failing assertion.
However even with the adoption of ABV, debugging remains In summary, our major contributions are as follows:
an ongoing challenge taking up to 60% of the total verification
• We introduce a language independent methodology for
time [1].
Modern ABV environments are typically composed of three debugging errors in assertions that produce a set of
main components: design, testbench and assertions. Due to closely related verified properties to aid the debugging
the human factor inherent in the design process, it is equally process. These properties are generated by an input set
likely for errors to be introduced into any one of these of modifications that mutate existing assertions.
• We propose a particular set of modifications for the
components. Commercial solutions [4]–[6] aim to help the
debugging process by allowing manual navigation and visual- SystemVerilog assertion language to mutate the failing
ization of these components. Most existing research in auto- assertion in order to generate closely related properties.
• We introduce two techniques dealing with vacuity and
mated debugging [7]–[11] have focused primarily on locating
errors within the design. The absence of automated debugging multiple errors to enhance the practical viability of this
tools targeting testbenches and assertions remains a critical approach.
roadblock in further reducing the verification bottleneck. An extensive set of experimental results are presented on
The adoption of assertions introduces new challenges to real designs with SystemVerilog assertions written from their
the debugging process. Modern temporal assertion languages specifications. They show that the proposed methodology and
such as SystemVerilog assertions and Property Specification modification model are able to return high quality verified
Language [12], [13] are foreign to most design engineers who properties for all instances. In addition, the multiple error and
are more familiar with RTL semantics. Temporal assertions vacuity techniques are able to filter out inessential properties
concisely define behaviors across multiple cycles and execu- by an average of 23% and 34% respectively.
tion threads, which creates a significant paradigm shift from The remaining sections of the paper are organized as
RTL. For example debugging the failing SystemVerilog asser- follows. Section II provides background material. Our contri-
tion req |=> gnt ##[1:4] ack, requires the engineer butions are presented in Section III, Section IV and Section V.
to analyze four threads over five clock cycles to understand Section VI presents the experimental results and Section VII
the failure. Moreover, a single temporal operator such as a concludes this work.
non-consecutive repetition may map to a multiple line RTL II. P RELIMINARIES
implementation, adding to the debugging complexity. For these
This section gives a brief overview of the SystemVerilog
1 University of Toronto, ECE Department, Toronto, ON M5S 3G4 ({briank, assertions (SVA) language as well as concepts used extensively
veneris}@eecg.toronto.edu) throughout this paper. For a more detailed treatment please
2 Vennsa Technologies, Inc., Toronto, ON M5V 3B1 (sean@vennsa.com) refer to [12], [17]. SVA is a concise language for describing
3 University of Toronto, CS Department, Toronto, ON M5S 3G4 temporal system behavior for use in verifying RTL designs.
TABLE I
C OMMON SVA O PERATORS of closely related assertions aids in the debugging process
seq expr ::= bool expr in several ways. First, P serves as a suggestion for possible
| seq expr time range seq expr
| bool expr bool abbrv corrections to the failing assertion. As such, it provides an
| seq expr seq op seq expr intuitive method to aid in the debugging and correction pro-
| first_match (seq expr) cess. Second, since the properties in P have been verified, they
| bool expr throughout seq expr provide an in depth understanding of related design behaviors.
| ...
time range ::= | ##k | ##[k1 :k2 ] This provides critical information in understanding the reason
bool abbrv ::= | [*k] | [*k1 :k2 ] | [=k] | [=k1 :k2 ] for the failed assertion. Finally, P allows the engineer to
| [− > k] | [− > k1 :k2 ] contrast the failing assertion with closely related ones, a fact
seq op ::= and | intersect | or | within
prop expr ::= seq expr that allows the user to build intuition regarding the possible
| seq expr |− > property expr sources and causes of errors.
| seq expr |=> property expr The overall methodology is shown in Figure 2 and consists
| property expr or property expr of three main steps. After a failing assertion is detected by
| property expr and property expr
| ... verification, the first step of applying mutations is performed.
This step takes in the failing property along with the mutation
Each system behavior can be specified by writing a SVA model and generates a set of closely related properties, denoted
property which in turn can be used as an assertion. as P , to be verified. Each property in P is generated by taking
Properties are derived from several different types of ex- the original failing assertion and applying one or more pre-
pressions that build upon each other. A sequence expression defined modifications, or mutations, defined by the mutation
specifies the behavior of Boolean expressions over one or more model. This model defines the ability of the methodology to
clock cycles using operators such as delays and repetitions. handle different assertion languages as well as different types
These can be combined to define concise sequence expressions of errors. We define a practical model for SVA in the next
that define multiple linear sequences known as threads. For section but different models based on user experience are also
example, start ##[1:3] stop specifies three separate possible.
threads of start followed by stop with varying lengths The second step of the methodology quickly rules out
of delay in between. If one of the threads evaluates to true invalid properties in P through simulation with the failing
then the sequence is said to match. Threads allow great counter-example. A counter-example in this context is a sim-
ease in specifying common design behaviors but also lead ulation trace that shows one way for the assertion to fail.
to increase difficulty in debugging. A Property expression The intuition here is that since the counter-example causes
specifies more complex combinations of sequence expressions the original assertion to fail, it will also provide a quick filter
such as implications. A grammar of common SVA operators for related properties in P . It accomplishes this by evaluating
is listed in Table I. each property in P for each cycle in the counter-example
The implication property operator (|− >, |=>) is similar through simulation. If any of the properties in P fail for any
to an if-then structure. The left-hand side is called the an- of the evaluations, they are removed from P . The resulting
tecedent and the right-hand side is called the consequent. With set of properties is denoted by P .
respect to the implication operator, a property is said to be The final step of the methodology uses an existing verifica-
vacuously [18] true if every evaluation of the antecedent is tion flow to filter out the remaining invalid properties in P .
false. Example 1 gives an overview of how several common This is the most time-consuming step in this process, which
SVA operators are used. is the reason for generating P . The existing verification flow
can either be a high coverage simulation testbench or a formal
Example 1 Consider the specification: “If start is active, property checker. In the case of the testbench, the properties
data repeats 2 times before stop and one cycle later stop in P will have a high confidence of being true. While with the
should be low.” We can interpret this as the waveform given formal flow, P is a set of proven properties for the design. In
in Figure 1 with respect to clk. This can be concisely written most verification environments, both these flows are automated
as the SVA property: resulting in no wasted manual engineering time. The final set
of filtered properties P are verified by the environment and
start |=> data[->2] ##1 stop ##1 !stop can be presented to the user for analysis.
III. A SSERTION D EBUGGING M ETHODOLOGY IV. S YSTEM V ERILOG A SSERTION M UTATION M ODEL
This section presents a methodology that automatically This section describes a practical mutation model for Sys-
debugs errors in failing assertions. It is assumed that errors temVerilog assertions to be used with the methodology de-
only exist in the assertions and the design is implemented scribed in Section III. These mutations are designed to model
correctly. This follows the convention in circuit debugging [7]–
[11] literature where the verification environment is assumed
clk
to be correct. If this is not the case, then the methodology
still can provide value for debugging by giving insight into start
the design behavior. Note that this methodology makes no
assumptions about the assertion language or the types of errors data
as these are functions of the input model.
The methodology aids debugging by returning a set of stop
verified properties with respect to the design that closely relate
to the failing assertion. We denote this set as P . This set Fig. 1. Example 1: Timing Specification
Name Operator/Expression Mutation
Design Assertions
Logical !,&&,|| Replace with {&&,||};
Remove negation
Bitwise ˜,&,|,∧ Replace with {˜,&,|,∧}
Verification
Arithmetic +,- Replace with {+,-}
Equality <,<=,==,>=,>,!= Replace with
Failing Assertion
{<,<=,==,>=,>,!=}
Apply Mutations
Failing
Mutations Model SVA sequential binary operators make up the next group
Counter-example
P of mutations. These operators have subtle differences that are
easy to misinterpret. For example, intersect is similar to
Simulation and except with the added restriction that the lengths of the
matched sequences must be the same. Another example is
replacing intersect with within which might produce
P
a passing property that can give insight into the underlying
Testbench Formal error. The following table shows the possible mutations.
Name Operator/Expression Mutation
Sequential and,intersect, Replace with
Binary Operators or,within {and,intersect,
P or,within}
# of Properties
1,000
assertions. This motivates the need for the mutation based
debugging methodology presented in this work. 100
[3] B. Tabbara, Y.-C. Hsu, G. Bakewell, and S. Sandler, “Assertion-Based cation, and Verification Language,” IEEE STD 1800-2009, pp. 1–1285,
Hardware Debugging,” in DVCon, 2003. 2009.
[4] Y.-C. Hsu, B. Tabbara, Y.-A. Chen, and F. Tsai, “Advanced techniques [13] “IEEE Standard for Property Specification Language (PSL),” IEEE Std
for RTL debugging,” in Design Automation Conf., 2003, pp. 362–367. 1850-2010, pp. 1–171, apr. 2010.
[5] R. Ranjan, C. Coelho, and S. Skalberg, “Beyond verification: Leveraging [14] S. Das, R. Mohanty, P. Dasgupta, and P. Chakrabarti, “Synthesis of
formal for debugging,” in Design Automation Conf., jul. 2009, pp. 648– System Verilog Assertions,” in Design, Automation and Test in Europe,
651. vol. 2, mar. 2006, pp. 1–6.
[6] M. Siegel, A. Maggiore, and C. Pichler, “Untwist your brain - Efficient [15] J. Long and A. Seawright, “Synthesizing SVA local variables for formal
debugging and diagnosis of complex assertions,” in Design Automation verification,” in Design Automation Conf., 2007, pp. 75–80.
Conf., jul. 2009, pp. 644–647. [16] M. Boulé and Z. Zilic, Generating Hardware Assertion Checkers: For
[7] S. Huang and K. Cheng, Formal Equivalence Checking and Design Hardware Verification, Emulation, Post-Fabrication Debugging and On-
Debugging. Kluwer Academic Publisher, 1998. Line Monitoring. Springer Publishing Company, Incorporated, 2008.
[17] S. Vijayaraghaven and M. Ramanathan, A Practical Guide for Sys-
[8] A. Veneris and I. N. Hajj, “Design Error Diagnosis and Correction Via temVerilog Assertions. Springer, 2005.
Test Vector Simulation,” IEEE Trans. on CAD, vol. 18, no. 12, pp. [18] M. Samer and H. Veith, “Parameterized Vacuity,” in Formal Methods in
1803–1816, 1999. CAD, 2004, vol. 3312, pp. 322–336.
[9] A. Smith, A. Veneris, M. F. Ali, and A. Viglas, “Fault Diagnosis and [19] S. Sutherland, “Adding Last-Minute Assertions: Lessons Learned (a
Logic Debugging Using Boolean Satisfiability,” IEEE Trans. on CAD, little late) about Designing for Verification,” in DVCon, 2009.
vol. 24, no. 10, pp. 1606–1621, 2005. [20] OpenCores.org, “http://www.opencores.org,” 2007.
[10] K.-h. Chang, I. L. Markov, and V. Bertacco, “Automating post-silicon
debugging and repair,” in Int’l Conf. on CAD, 2007, pp. 91–98.
[11] G. Fey, S. Staber, R. Bloem, and R. Drechsler, “Automatic fault
localization for property checking,” IEEE Trans. on CAD, vol. 27, no. 6,
pp. 1138–1149, 2008.
[12] “IEEE Standard for System Verilog-Unified Hardware Design, Specifi-