In Assertion Based Formal Verification, if I get an Inconclusive Assertion, then what are the various approached to handle that assertion or to converge it?
Also, Is it a right approach to develop a reference rtl and write assertions to compare reference rtl output with DUT output? Will it increase the valid State Spaces and hence complexity, run time also?
n Assertion Based Formal Verification, if I get an Inconclusive Assertion, then what are the various approached to handle that assertion or to converge it?
You say “inconclusive”, by that you mean could not find a pattern to make it pass?
4.5.1.2.2 Same inputs in antecedent and consequent
Inputs are sometimes used in both the antecedent and consequent of a property. They are often useful in simulation to ensure compliance to protocol by either the higher-level design or by the testbench. For example, the property pACK_START_VALID_DONE states that both the trigger condition (the antecedent) and the EFFECT sequence (consequent) rely on the
input ack_in. // /ch4/4.5/orig_slave_handshake.sv
sequence qACTIVE_REQUEST; req && !ack_in;
property pACK_START_VALID_DONE;
@ (posedge clk) disable iff (!reset_n)
qACTIVE_REQUEST ##1 ack_in |=>
start && !ack_in && valid ##1
(!start && !ack_in && valid)[*3] ##1
(!start && !valid && done);
endproperty : pACK_START_VALID_DONE
apACK_START_VALID_DONE : assert property (pACK_START_VALID_DONE);
When the same input signals are used in the antecedent and consequent side of a property, false negative errors in formal verification can be created because the formal verification tool can assume inputs to have any value at any cycle. This is not a design fault, but rather an error in the definition of the constraints on the inputs. An example of a constraint for the above case would be:
mpCONSTRAINT_ACK_START_VALID_DONE : assume property(@ (posedge clk)
qACTIVE_REQUEST ##1 ack_in |=> !ack_in[*1:$] ##1 (!start && !valid && done));
The mpCONSTRAINT_ACK_START_VALID_DONE assumption states that one clock after state qACTIVE_REQUEST, if ack_in ==1, then it must be zero starting from the next cycle until (!start && !valid && done).
Ben Cohen
http://www.systemverilog.us/ ben@systemverilog.us
In reply to ben@SystemVerilog.us:
Actually, I have written simple enough constraints for APB protocol. And I have created a reference model to mimick DUT.
So my assertions are just to compare reference model output with DUT output on every active clock edge.
In this scenario, can you give me any approaches for Inconclusive Assertions? Also, it would be helpful, if you can give me any paper/article related to Assertion Based Formal Verification, as I am not able to find much on this topic.
In reply to Karan:
In reply to ben@SystemVerilog.us:
Actually, I have written simple enough constraints for APB protocol. And I have created a reference model to mimick DUT.
So my assertions are just to compare reference model output with DUT output on every active clock edge.
In his book on formal verification (see reference below), Erik Seligman addresses the topic of shadow modeling, and it is a good technique, for complex models (e.g., ALUs) to generate the expected results based on the inputs.
In this scenario, can you give me any approaches for Inconclusive Assertions? Also, it would be helpful, if you can give me any paper/article related to Assertion Based Formal Verification, as I am not able to find much on this topic.
Ben Cohen
http://www.systemverilog.us/ ben@systemverilog.us