SVA : Property is a tautology

vivek3016 · October 5, 2017, 7:11am

Hi,

I have hooked up the following assertion to an arbiter

property p_req_to_grant(clk,rst,req,gnt);
  @(posedge clk) disable iff (rst)
  req |-> ##[0:$] gnt;
endproperty

ap_req_to_grant_0 : assert property(p_req_to_grant(clk,ares,req[0],grant[0]));

Basically I just want to check that a grant should come ‘eventually’ for any request.

I am getting this warning that
Warning-[SVAC-TAUT] Property is a tautology .
Property is a tautology. Please correct the assertion and try again.

In a given implementation, It may never happen that grant does not come for a request. But why is this property itself a tautology?

Thanks,
Vivek

sharvil111 · October 5, 2017, 1:14pm

The assertion is unbounded. It will never fail in any simulation. If the req is asserted, then it will wait for infinite time for gnt to get asserted. When req is asserted, it will wait for even 1000 clocks (till end of simulation) for gnt to get HIGH. So, the sequence is true by it’s logic/virtue itself.

You may want to add a bounding condition to your assertion like following sample:

`define MAX_GNT_DELAY 1000
property p_req_to_grant(clk,rst,req,gnt,int n);
  @(posedge clk) disable iff (rst)
  req |-> ##[*0:n] gnt;
endproperty

assert property(p_req_to_grant(clk,ares,req[0],grant[0], `MAX_GNT_DELAY));

For more details, please refer to Section-6.10 of this book.

ben2 · October 5, 2017, 5:18pm

In reply to sharvil111:
Actually, all you need is to make the consequent sequence strong


property p_req_to_grant(clk,rst,req,gnt);
  @(posedge clk) disable iff (rst)
  req |-> strong(##[0:$] gnt);
endproperty
ap_req_to_grant_0 : assert property(p_req_to_grant(clk,ares,req[0],grant[0]));

From my SVA book: Guideline: Qualify as strong properties that are sequences and have range delays or consecutive repetition operators (e.g., [*, [->, [= ) and are consequents in an assertion. This is important when it is necessary to qualify an assertion as a failure if the consequent never terminates at the end of simulation (e.g., with a $finish). Example:

ap_ab_recommend: assert property(@ (posedge clk) a |-> strong([1:$] b)); //GOOD 
ap_ab_weak: assert property(@ (posedge clk) a |-> ([1:$] b)); // weak property 
ap_abc_recommend: assert property(@ (posedge clk) a |-> strong(b[*) ##1 c); // Strong property 
ap_abc_weak: assert property(@ (posedge clk) a |-> (b[*) ##1 c); // weak property

Tools may have a switch such that on finish, you can qualify what the simulator should do. You can specify things like ask, stop, exit.
Ben Cohen
http://www.systemverilog.us/ ben@systemverilog.us
For training, consulting, services: contact Home - My cvcblr

SVA Handbook 4th Edition, 2016 ISBN 978-1518681448
A Pragmatic Approach to VMM Adoption 2006 ISBN 0-9705394-9-5
Using PSL/SUGAR for Formal and Dynamic Verification 2nd Edition, 2004, ISBN 0-9705394-6-0
Real Chip Design and Verification Using Verilog and VHDL, 2002 isbn 978-1539769712
Component Design by Example ", 2001 ISBN 0-9705394-0-1
VHDL Coding Styles and Methodologies, 2nd Edition, 1999 ISBN 0-7923-8474-1
VHDL Answers to Frequently Asked Questions, 2nd Edition ISBN 0-7923-8115

sharvil111 · October 6, 2017, 2:29am

In reply to ben@SystemVerilog.us:

I agree about ‘strong’ qualifier. Also, there can be usage of ‘s_eventually’ over here.

assert property (@(posedge clk) req |-> s_eventually gnt);

Refer to this PDF for more alternatives.

vivek3016 · October 6, 2017, 6:40am

In reply to sharvil111:

Thanks for the explanation !!

vivek3016 · October 6, 2017, 6:45am

In reply to ben@SystemVerilog.us:

@sharvil11 and Ben Cohen
Thanks for the solution.

I have one query here. If a req doesn’t get grant at end of simulation, it will be flagged as failure.
But how will a formal tool treat this case ? Can it fail this property and provide a trace because it can still be said that grant may occur in future.

Regards,
Vivek

sharvil111 · October 6, 2017, 10:05am

In reply to vivek3016:

I think it formal tool will also fail since it mostly follows pessimistic approach. But I am not sure about it since I am not much familiar with formal tool approaches.

nimitz_class · March 30, 2021, 2:48am

I have a situation wherein req comes @(posedge) of clk, but gnt comes at positive duty cycle

clk |-||-||-||-||-||-||-| …

req ___________|-------------------

gnt __________________|---------------

How to write an assertion for such a scenario?

Thanks

ben2 · March 30, 2021, 4:35am

In reply to foxtrot:

WHy do you think that the following will not work?


assert property (@(posedge clk) req |-> s_eventually gnt);

Also, when you say gnt comes at positive duty cycle, you mean in the middle of a cycle. But will it miss the clk sampling @(posedge clk)? If so, you’ll need to latch the gnt so that it can be sampled.
Note that the following solution could work.


assert property (@(posedge clk) req |-> @ (posedge gnt) 1'b1);

In general, SVA is used with clocking event s sampling data. The above uses the gnt as a clocking event; it is an unusual solution.
Ben

nimitz_class · March 30, 2021, 7:29am

In reply to ben@SystemVerilog.us:

This solution is giving me UE results when req and gnt are high?

ben2 · March 30, 2021, 1:28pm

In reply to foxtrot:

UE? Undefined End?
In any case, the @ (posedge gnt) 1’b1)
requires a positive transition on gnt.
If none, then you would get a not finished assertion.

nimitz_class · March 30, 2021, 2:57pm

In reply to ben@SystemVerilog.us:

I see gnt getting asserted on the 4th clock(after req occurs) in the positive duty cycle. I don’t understand why I see Under Evaluation in my waveform.

ben2 · March 30, 2021, 7:51pm

In reply to foxtrot:
You might see Under Evaluation in the waveform in the attempted threads that are waiting for a gnt.