
Sva 4 Formal QRG v2.1


Version 2.1 Dated 26 October 2015

---------------------------------------------------------------------------
Formal Friendly SVA Quick Reference
---------------------------------------------------------------------------

This guide is intended as a quick reference guide for SystemVerilog Assertions constructs which can be evaluated efficiently by formal tools. This guide is a recommended subset of the SVA constructs which a formal tool would actually support.

This is based upon the IEEE 1800-2012 Standard. Refer to Chapter 16. Assertions and search for the keywords in red.

Constructs Not Recommended for Formal

    intersect               throughout
    or                      and
    within                  expect
    first_match()           Local Variables
    Immediate Assertions
    if property else property
    sequence.triggered
    sequence[->N]
    sequence[=N]

Constructs To Use With Caution

    sequence[*N]
    $past(expr, N)

In both cases keep N as small as possible, e.g. below 10. Recommended to model $past() with Auxiliary Code instead.

Sequence Declaration

    sequence identifier [ ( argument_list ) ] ;
        sequence_expr [ ; ]
    endsequence

    sequence SEQ1;
        A ##1 B ##1 C;
    endsequence

    sequence SEQ2(LEN, SIG);
        D ##1 E[*LEN] ##1 SIG;
    endsequence

Recommended to define, or infer, sequence clock at instantiation and not at declaration. A sequence is a series of Boolean expressions evaluated over time. A sequence of length one cycle is the same as a Boolean expression.

Property Declaration

    property identifier [ ( argument_list ) ] ;
        [ clock_expr ] [ disable_clause ]
        property_expr ;
    endproperty

    property P1 (R, S, T) ;
        @(posedge clk) disable iff ( !rst_n )
        A |=> R ##1 S && T;
    endproperty

    property P1A;
        REQ |=> ##[*] GNT;
    endproperty

A property declaration is merely a definition of behaviour. Nothing gets checked until we have given a verification directive to the tool which states what should be done with that behaviour. All properties must have a clock defined explicitly or via a default clock declaration.

Verification Directives

    label : assert property (prop_expr)

Directive to the tool to ensure that the property holds, is true, under all circumstances.

    P1_INST : assert property (P1(SIG1, SIG2, S3));
    P2: assert property ( @(posedge clk) A |-> B );
    P3: assert property ( ERROR_CNT != 10 );
    P1A_INS: assert property(@(posedge clka) (P1A));

    label : assume property (prop_expr)

Directive to the tool to limit the behaviour of the design under test (DUT) inputs to the behaviour specified. Also known as constraints.

    P4 : assume property (req && !gnt |=> req );
    P5 : assume property ( @(posedge clk3)
             not(full && empty) );

    label : cover property (prop_expr)

Directive to a formal tool to demonstrate one example of how the sequence can complete given the design and assumptions.

    C1 : cover property (full ##[+] empty );
    C2 : cover property (@(posedge clk2) (SEQ1));

For cover property it is recommended for prop_expr to only be a sequence, i.e. not contain implication operators |-> or |=>

Implication Operators

Implies that :
1) As a consequence of an enabling condition occurring then a fulfilling condition must occur or the property does not hold.
2) The enabling condition never occurs.

    sequence_expr |-> property_expr

Holds under these conditions:
1) If sequence_expr completes then property_expr starts the same cycle and subsequently completes
2) sequence_expr never completes

    P6: assert property ( A ##1 B |-> C ##1 D );

P6 would pass if we observe the sequence :

    ( A ##1 (B && C) ##1 D );

    sequence_expr |=> property_expr

Holds under these conditions:
1) If sequence_expr completes then property_expr starts the next cycle and subsequently completes
2) sequence_expr never completes

    P7: assert property ( A ##1 B |=> C ##1 D );

P7 would pass if we observe the sequence :

    ( A ##1 B ##1 C ##1 D );

Recommended not to nest implication operators as it becomes confusing, for example:

    P8: assert property ( A |=> B |=> C );

This is exactly the same as:

    P8_EQUIV: assert property ( A ##1 B |=> C );

P8 or P8_EQUIV would not fail if we observe the sequence :

    ( A ##1 !B );

Cycle Delays

    ##[N:M]    ##N

N and M are constants known at elaboration. M can be the symbol $ meaning infinity. M>=N. M and N can be 0.

    P8_NXTCYC: assert property( A |=> B ##[0:$] C );
    P8_SMECYC: assert property ( A |=> ##3 C );
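
The guide recommends modelling $past() with auxiliary code but does not show it. The module below is an added example, not part of the Cadence guide: it expresses the guide's P14A check (!RDY |=> DAT == $past(DAT), listed under Builtin Functions) with explicit registers. The module name, the parameter W, the clk and rst_n ports, and the DAT_Q, NOT_RDY_Q, P14A_AUX and C14A_AUX names are assumptions made for the example.

```systemverilog
// Added example (not from the guide): P14A written without $past().
// Assumed names: p14a_aux, W, clk, rst_n, DAT_Q, NOT_RDY_Q, P14A_AUX, C14A_AUX.
module p14a_aux #(parameter int W = 8) (
  input logic         clk,
  input logic         rst_n,
  input logic         RDY,
  input logic [W-1:0] DAT
);
  // One clock and one disable condition for every property in this scope.
  default clocking MYCLK @(posedge clk);
  endclocking
  default disable iff (!rst_n);

  // Auxiliary state: the values $past() would otherwise have to supply.
  // Looking back N cycles instead of 1 needs N copies of these registers,
  // which is why the guide asks for N to be kept small.
  logic [W-1:0] DAT_Q;      // DAT as it was one cycle ago
  logic         NOT_RDY_Q;  // 1 if RDY was low one cycle ago

  always_ff @(posedge clk or negedge rst_n) begin
    if (!rst_n) begin
      DAT_Q     <= '0;
      NOT_RDY_Q <= 1'b0;    // nothing is owed in the first cycle after reset
    end else begin
      DAT_Q     <= DAT;
      NOT_RDY_Q <= !RDY;
    end
  end

  // If RDY was low in the previous cycle, DAT must be unchanged now.
  // Because the history lives in registers, the check is a same-cycle
  // implication on plain signals.
  P14A_AUX : assert property ( NOT_RDY_Q |-> (DAT == DAT_Q) );

  // The assert also holds when its enabling condition never occurs,
  // so ask the tool for one trace where it does occur.
  C14A_AUX : cover property ( NOT_RDY_Q );
endmodule
```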
2015 Cadence Design Systems, Inc.
All rights reserved.
Disabling Properties

    disable iff (boolean_expr)

If boolean_expr is true then all current outstanding obligations for that property (including all overlapping ones) are removed. For example, if a property requires that if a request is seen then eventually a grant is observed then one may expect that a reset removes that obligation for the expected grant. Upon the next request after the disable we then expect an obligation for a future grant.

    P9: assert property
        ( @(posedge clk) disable iff (!rst_n)
          req |=> ##[*] gnt );

It may get very tedious if the boolean_expr required to disable a property is the same for many properties. In that case a default disable can be defined as a standalone statement:

    default disable iff (boolean_expr);

This default disable applies to all properties, in the current scope only, which do not have an explicit disable iff defined:

    default disable iff (CANCEL);
    P10: assert property (
        @(posedge clk) disable iff (!rst_n)
        A |=> B );
    P11: assert property
        ( @(posedge clk) C |=> D );

P10 is disabled by !rst_n. P11 is disabled by CANCEL.

Both default disable iff and an explicit disable iff defined inside the property act asynchronously. Namely, they take precedence over and are not related to the property's clocking expression.

Builtin Functions

Several useful and common functions related to assertions are predefined. Search IEEE 1800-2012 for sampled value functions and system functions. The system functions return an instantaneous value. The sampled value functions describe behaviour over a number of cycles. Cycle is defined by the property's clock definition and not, for example, nS, pS, timescale or system hardware clock.

$past(expr, N);
Returns the value of expr N cycles ago. N defaults to 1 if omitted.

$rose(expr);
Returns TRUE if expr is TRUE in this cycle and was FALSE in the previous cycle, otherwise returns FALSE.

$fell(expr);
Returns TRUE if expr is FALSE in this cycle and was TRUE in the previous cycle, otherwise returns FALSE.

$stable(expr);
Returns TRUE if expr has the same value this cycle as it did in the previous cycle, otherwise returns FALSE.

$onehot(expr);
Returns TRUE if expr has exactly one bit with the value 1'b1, otherwise returns FALSE.

$onehot0(expr);
Returns TRUE if expr has at most one bit with the value 1'b1, otherwise returns FALSE.

$isunknown(expr);
Returns TRUE if any bit of expr is 1'bX or 1'bZ, otherwise returns FALSE. Search JasperGold command reference for -enable_sva_isunknown

$countones(expr);
Returns an integer which is the number of bits of expr which have the value 1'b1.

    P12 : assert property(req&&!gnt |=> $stable(addr));
    P13 : assert property ( $onehot(GNT_VEC) );
    P14 : assert property (
        ACCEPT_RX |-> $countones(ID_TAGS) != 10 );
    P14A : assert property(!RDY |=> DAT == $past(DAT));

Clocking Properties

SVA properties cannot be unclocked. The clock must come from: an explicit clock declaration when the property is declared, an explicit clock declaration when the property is instantiated or a default clocking declaration.

Explicit declaration will always override the default clocking. Sequences with no explicit clock declaration inherit the clock from their parent property. default clocking applies only to the current scope, in which it is defined. Only one default clocking allowed per scope. Only P15_INST_B and P18 use the default clock.

    default clocking MYCLK @(posedge clk2);
    endclocking

    property P15;
        A |=> B;
    endproperty

    property P16;
        @(posedge clk6) A |=> B;
    endproperty

    P15_INST_A: assert property (
        @(posedge clk8) (P15));
    P15_INST_B: assert property ( P15 );
    P16_INST: assert property ( P16 );
    P17: assert property (
        @(posedge clk5) A |-> B );
    P18: assert property ( C |-> D );

If the entire design uses only the posedge clk then it is much more efficient for formal if posedge clk is used in *all* properties.

Auxiliary Code

Almost every single problem in formal requires auxiliary code. This is normal HDL code which makes it easier to write properties, makes it easier for the tool and abstracts the problem. As an example, below we replicate the behaviour of a property using the sequence GoTo operator [->]. This is not recommended for formal because it always creates infinite length sequences.

    WE_WANT_TO_REPLICATE_THIS :
        assert property( GO |=> A[->3] ##1 B );

    /////////////////////////////////////////////
    reg[2:0] NUM_A;   //Count # As
    reg GO_SEEN;      //Flag if we have seen GO
    always @(posedge CLK or negedge RST_N)
    begin
        if (!RST_N)
        begin
            NUM_A <= 0; GO_SEEN <= 1'b0;
        end
        else
        begin
            if (NUM_A == 3 && B)            //Third A was followed by B: start over
            begin
                NUM_A <= 0; GO_SEEN <= 1'b0;
            end
            else if (GO_SEEN && A)          //Count each A seen after GO
                NUM_A <= NUM_A+1;
            else if (GO)                    //Start tracking on GO
                GO_SEEN <= 1'b1;
        end
    end
    GO_3A_B : assert property ( (NUM_A == 3) |-> B );
    NO_OVRLAP_GO: assert property ( GO_SEEN |-> !GO );

Where Next?

http://www.cadence.com/training
Search for JasperGold and SVA courses