Research Article Groebner Bases Based Verification...
16
Research Article Groebner Bases Based Verification Solution for SystemVerilog Concurrent Assertions Ning Zhou, 1,2 Xinyan Gao, 3 Jinzhao Wu, 1,4 Jianchao Wei, 3 and Dakui Li 3 1 School of Computer and Information Technology, Beijing Jiaotong University, Beijing 10044, China 2 School of Electronic and Information Engineering, Lanzhou Jiaotong University, Lanzhou 730070, China 3 G & S Labs, School of Soſtware of Dalian University of Technology, Dalian 116620, China 4 Guangxi Key Laboratory of Hybrid Computation and IC Design Analysis, Guangxi University for Nationalities, Nanning 530006, China Correspondence should be addressed to Jinzhao Wu; [email protected] Received 13 February 2014; Accepted 7 April 2014; Published 11 June 2014 Academic Editor: Xiaoyu Song Copyright © 2014 Ning Zhou et al. is is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. We introduce an approach exploiting the power of polynomial ring algebra to perform SystemVerilog assertion verification over digital circuit systems. is method is based on Groebner bases theory and sequential properties checking. We define a constrained subset of SVAs so that an efficient polynomial modeling mechanism for both circuit descriptions and assertions can be applied. We present an algorithm framework based on the algebraic representations using Groebner bases for concurrent SVAs checking. Case studies show that computer algebra can provide canonical symbolic representations for both assertions and circuit designs and can act as a novel solver engine from the viewpoint of symbolic computation. 1. Introduction SystemVerilog [1, 2] is the most important unified Hard- ware Description and Verification Language (HDVL) and provides a major set of extensions from the Verilog lan- guage with the added benefit of supporting object orientated constructs and assertions feature. SystemVerilog provides special language constructs and assertions, to specify and verify design behavior. An assertion is a statement that a specific condition, or sequence of conditions, in a design is true. In the industry of integrated circuits design, Assertions- based verification (ABV) using SystemVerilog Assertions (SVAs) is now changing the traditional design process. With the help of SVAs, it is easy to formally characterize the design requirements at various levels of abstraction, guide the verification task, and simplify the design of the testbench. Assertions essentially become active design comments, and one important methodology treats them exactly like active design comments. Moreover, assertions can be attached directly to RTL, work- ing in cycle-precise domain, or they can operate in trans- actional domain with the help of monitors data extractors. en, these modular checkers minimize or even eliminate the need of model checkers, which consist of HDL modules to provide the verification. An important benefit of assertions is the ease of specifying functional coverage. Simulation tools compute the functional coverage, as defined by the assertions, which add a greater level of assurance that the testbench invoked the desired functions. More recently, the key EDA tool vendors have researched new verification methodologies and languages, which imple- ment functional code coverage, assertion-based coverage. and constrained random techniques inside a complete veri- fication environment. In [3], a subset of SystemVerilog assertions is defined to apply induction-based bounded model checking (BMC) to this subset of SVAs within acceptable run times and moderate memory requirements. As is well known, the conventional simulation for assertion checking is the well-understood and most commonly used technique, but only feasible for very small scale systems and cannot provide exhaustive checking. While symbolic simulation proposed by Darringer [4] as early as 1979 can provide exhaustive checking by covering Hindawi Publishing Corporation Journal of Applied Mathematics Volume 2014, Article ID 194574, 15 pages http://dx.doi.org/10.1155/2014/194574
Transcript of Research Article Groebner Bases Based Verification...
Research ArticleGroebner Bases Based Verification Solution for SystemVerilogConcurrent Assertions
Ning Zhou12 Xinyan Gao3 Jinzhao Wu14 Jianchao Wei3 and Dakui Li3
1 School of Computer and Information Technology Beijing Jiaotong University Beijing 10044 China2 School of Electronic and Information Engineering Lanzhou Jiaotong University Lanzhou 730070 China3 G amp S Labs School of Software of Dalian University of Technology Dalian 116620 China4Guangxi Key Laboratory of Hybrid Computation and IC Design Analysis Guangxi University for NationalitiesNanning 530006 China
Correspondence should be addressed to Jinzhao Wu jzwu205gmailcom
Received 13 February 2014 Accepted 7 April 2014 Published 11 June 2014
Academic Editor Xiaoyu Song
Copyright copy 2014 Ning Zhou et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited
We introduce an approach exploiting the power of polynomial ring algebra to perform SystemVerilog assertion verification overdigital circuit systemsThis method is based on Groebner bases theory and sequential properties checkingWe define a constrainedsubset of SVAs so that an efficient polynomial modeling mechanism for both circuit descriptions and assertions can be applied Wepresent an algorithm framework based on the algebraic representations using Groebner bases for concurrent SVAs checking Casestudies show that computer algebra can provide canonical symbolic representations for both assertions and circuit designs and canact as a novel solver engine from the viewpoint of symbolic computation
1 Introduction
SystemVerilog [1 2] is the most important unified Hard-ware Description and Verification Language (HDVL) andprovides a major set of extensions from the Verilog lan-guage with the added benefit of supporting object orientatedconstructs and assertions feature SystemVerilog providesspecial language constructs and assertions to specify andverify design behavior An assertion is a statement that aspecific condition or sequence of conditions in a design istrue In the industry of integrated circuits design Assertions-based verification (ABV) using SystemVerilog Assertions(SVAs) is now changing the traditional design process Withthe help of SVAs it is easy to formally characterize thedesign requirements at various levels of abstraction guidethe verification task and simplify the design of the testbenchAssertions essentially become active design comments andone important methodology treats them exactly like activedesign comments
Moreoverassertionscanbeattacheddirectly toRTLwork-ing in cycle-precise domain or they can operate in trans-actional domain with the help of monitors data extractors
Then thesemodular checkersminimize or even eliminate theneed of model checkers which consist of HDL modules toprovide the verification
An important benefit of assertions is the ease of specifyingfunctional coverage Simulation tools compute the functionalcoverage as defined by the assertions which add a greaterlevel of assurance that the testbench invoked the desiredfunctions
More recently the key EDA tool vendors have researchednew verification methodologies and languages which imple-ment functional code coverage assertion-based coverageand constrained random techniques inside a complete veri-fication environment
In [3] a subset of SystemVerilog assertions is defined toapply induction-based bounded model checking (BMC) tothis subset of SVAswithin acceptable run times andmoderatememory requirements As is well known the conventionalsimulation for assertion checking is the well-understood andmost commonly used technique but only feasible for verysmall scale systems and cannot provide exhaustive checkingWhile symbolic simulation proposed by Darringer [4] asearly as 1979 can provide exhaustive checking by covering
Hindawi Publishing CorporationJournal of Applied MathematicsVolume 2014 Article ID 194574 15 pageshttpdxdoiorg1011552014194574
2 Journal of Applied Mathematics
many conditions with a single simulation sequence but itcould not handle large circuits due to exponential symbolicexpressions Earlier work in applications of symbolic manip-ulation and algebraic computation has gained significantextensions and improvements In [5] a technique frameworkon Groebner bases demonstrated that computer algebraicgeometry method can be used to perform symbolic modelchecking using an encoding of Boolean sets as the commonzeros of sets of polynomials In [6] a similar technique toframework based Wursquos Method has been further extendedto bit level symbolic model checking In [7] an improvedframework of multivalued model checking via Groebnerbases method was proposed which is based on a canonicalpolynomial representation of the multivalued logics
In our previous work [8] we proposed a method usingGroebner bases to perform SEREs assertion verification forsynchronous digital circuit systems Then we introduced averification solution based on Wursquos method towards Sys-temVerilog assertion checking [9] This paper aims to verifywhether a SVA property holds or not on the traces producedafter several cycles running over a given synchronous sequen-tial circuit It is the follow-upwork of [9] Groebner Bases andWursquos method are the most important methods of computeralgebra Wursquos method of characteristic set is a powerfultheoremproving technique andGroebner Bases allowsmanyimportant properties of the ideal and the associated algebraicvariety to be deduced easily So Groebner Bases method hasa better theoretical guide and the algorithm based on Wursquosmethod is more efficient
Checking SVAs is computationally very complex in gen-eral while for practical purposes a subset is sufficient In thiswork we
(1) define a constrained subset of SVAs(2) perform algebraization of SVA operators for the
constrained subset(3) do translation of SVAs into polynomial set represen-
tations(4) provide a symbolic computation based algebraic algo-
rithm for SVAs verificationOur approach canhandle safety properties that argue over
a bounded number of time steps Local variables in SVAscan be handled as symbolic constant without any temporalinformation Nevertheless liveness properties and infinitesequences in SVAs are excluded
2 Preliminaries
In this section to keep the paper self-contained we willgive the basics of SystemVerilog and algebraic symboliccomputation used throughout this paper
21 SystemVerilog Preliminary SystemVerilog is an IEEE-approved (IEEE 1800-2005) [1] hardware description lan-guage It provides superior capabilities for system architec-ture design and verification
SystemVerilog has combined many of the best features ofboth VHDL and Verilog
Therefore on the one hand VHDL users will recognizemany of the SystemVerilog constructs such as enumeratedtypes records and multidimensional arrays On the otherhand Verilog users can reuse existing designs SystemVerilogis a superset of Verilog so no modification of existing Verilogcode is required
Generally the SystemVerilog language provides threeimportant benefits over Verilog
(1) Explicit design intentmdashSystemVerilog introduces sev-eral constructs that allow designers to explicitly statewhat type of logic should be generated
(2) Conciseness of expressionsmdashSystemVerilog includescommands that allow the users to specify designbehavior more concisely than previously possible
(3) High level design abstractionmdashThe SystemVeriloginterface construct facilitates intermodule communi-cation
Especially SystemVerilog provides special language con-structs and assertions to verify design behavior An assertionis a statement that a specific condition or sequence ofconditions in a design is true If the condition or sequenceis not true the assertion statement will generate an errormessage
Additionally one important capability in SystemVerilogis the ability to define assertions outside of Verilog modulesand then bind them to a specific module or module instanceThis feature allows test engineers to add assertions to existingVerilog models without having to change the model in anyway One of the goals of SystemVerilog assertions is to providea common semantic meaning for assertions so that they canbe used to drive various design and verification tools
In SystemVerilog there are two types of assertions
(1) Immediate Assertions Immediate assertions follow simu-lation event semantics for their execution and are executedlike a statement in a procedural block Immediate assertionsare primarily intended to be used with simulation andevaluate using simulation event-based semantics
(2) Concurrent Assertions Concurrent assertions are basedon clock semantics and use sampled values of variables Alltiming glitches (real or artificial due to delay modeling andtransient behavior within the simulator) are abstracted awayConcurrent assertions can be used in always block or initialblock as a statement or a module as a concurrent block or aninterface block as a concurrent block or a program block asa concurrent block
An example of a property using sequence and formalargument is shown below
property 119905119890119904119905 [(119903119890119902 119888 119886119888119896)]
(119901119900119904119890119889119892119890 119888119897119896)
119903119890119902 |minus gt 119888 1 119886119888119896
endproperty [ 119905119890119904119905]
Journal of Applied Mathematics 3
This property states that signal 119903119890119902 and then signal 119888
become high and signal 119886119888119896 will be high in the next cycleAs illustrated in this example a concurrent assertion
property in SystemVerilog will never be evaluated by itselfexcept when it is invoked by a verification statement There-fore the statement assert property 119905119890119904119905(119886 119887 119888) will causethe checker to perform assertion checking
Basically the verification statement in SVA has threeforms described as follows
(i) assert to specify the property as a checker to ensurethat the property holds for the design
(ii) assume to specify the property as an assumption forthe environment Simulators check that the propertyholds while formal tools use the information togenerate input stimulus The purpose of the assumestatement is to allow properties to be considered asassumptions for formal analysis as well as for dynamicsimulation tools
(iii) cover to monitor the property evaluation for cover-age
When a property is assumed the tools constrain theenvironment so that the property holds In simulationasserted and assumed properties are continuously verified toensure that the design or the testbench never violate them
In some tools the assumptions on the environment canbe used as sequential constraints on the DUT (device undertest) inputs in constrained-random simulation
These proofs are usually subject to other properties thatdescribe the assumed behavior of the environment usingassume property statements
22 Groebner Bases Preliminary Firstly we will recall someof the key notions of Groebner bases theory and symboliccomputation More detailed and elementary introduction tothis subject can be available in books such as those by Littleet al [10] or those by Becker and Weispfenning [11]
We begin by listing some general facts and establishingnotations
Let 119896 be an algebraically closed field and let 119896[1199091 119909
119899]
be the polynomial ring in variables 1199091 1199092 119909
119899with coeffi-
cient in 119896 under addition and multiplication of polynomialThe basic structure of polynomial rings is given in termsof subsets called ideals which is closed under addition andclosed under multiplication by any element of the ring
Here let 119868 sube 119896[1199091 119909
119899] be an ideal As we all know the
following theorem holds
Theorem 1 (Hilbert basis theorem) Every ideal 119868 sub 119896[1199091
119909119899] has a finite generating setThat is 119868 = ⟨119892
1 119892
119905⟩ for some
1198921 119892
119905isin 119868
Then by the Hilbert basis theorem there exist finitelymany polynomials 119891
1 119891
119898such that 119868 = ⟨119891
1 119891
119898⟩ A
polynomial 119891 sube 119896[1199091 119909
119899] defines a map 119891 119896
119899rarr 119896 via
evaluation (1198861 119886
119899) 997891rarr 119891(119886
1 119886
119899)
The set 119881(119868) = 119886 isin 119896119899
| forall119891 isin 119868 119891(119886) = 0 sube 119896119899 is called
the variety associated with 119868
If 1198811
= 119881(1198681) and 119881
2= 119881(119868
2) are the varieties defined
by ideals 1198681and 1198682 then we have 119881
1cap 1198812
= 119881(⟨1198681 1198682⟩) and
1198811cup1198812
= 119881(1198681times1198682) where 119868
1times1198682
= ⟨11989111198912
| 1198911
isin 1198681 1198912
isin 1198682⟩ If
1198681
= ⟨1198911 119891
119903⟩ and 119868
2= ⟨ℎ1 ℎ
119904⟩ then 119868
1times1198682
= ⟨119891119894times119892119895
|
1 le 119894 le 119903 1 le 119895 le 119904⟩Any set of points in 119896
119899 can be regarded as the varietyof some ideal Note that there will be more than one idealdefining a given variety For example the ideals ⟨119909
0⟩ and
⟨1199090 11990911199090
minus 1⟩ both define the variety 119881(1199090)
In order to perform verification we need to be able todetermine when two ideals represent the same set of pointsThat is to say we need a canonical representation for any idealGroebner bases can be used for this purpose
An essential ingredient for defining Groebner bases isa monomial ordering on a polynomial ring 119896[119909
1 119909
119899]
which allows us to pick out a leading term for any polynomial
Definition 2 (monomial ordering) A monomial ordering on119896[1199091 119909
119899] is any relation ≺ on 119885
119899
ge0 or equivalently any
relation on the set of monomials 119909120572 120572 isin 119885
119899
ge0 satisfying
(i) ≺ is a total (or linear) ordering on 119885119899
ge0
(ii) ≺ is a well-orderingThis means that every nonemptysubset of 119885
119899
ge0has a smallest element under ≺
(iii) for all 120574 isin 119885119899
ge0 120572 ≺ 120573 rArr 120572 + 120574 ≺ 120573 + 120574
Examples of monomial ordering include lexicographicorder graded lexicographic order and graded reverse lexico-graphic order
Definition 3 (lexicographic order) Let 120572 = (1205721 120572
119899) and
120573 = (1205731 120573
119899) isin 119885
119899
ge0 We say 120572≺lex120573 if in the vector
difference 120572 minus 120573 isin 119885119899 the leftmost nonzero entry is positive
We will write 119909120572≺lex119909120573 if 120572≺lex120573
Definition 4 (Groebner basis) Fix a monomial order A finitesubset 119866 = 119892
1 119892
119905 of an ideal 119868 is said to be a Groebner
basis (or standard basis) if ⟨119871119879(1198921) 119871119879(119892
119905)⟩ = ⟨119871119879(119868)⟩
Equivalently but more informally a set 1198921 119892
119905 sub 119868
is a Groebner basis of 119868 if and only if the leading term of anyelement of 119868 is divisible by one of the 119871119879(119892
119894)
In [12] Buchberger provided an algorithm for construct-ing a Groebner basis for a given idealThis algorithm can alsobe used to determinewhether a polynomial belongs to a givenideal
A reduced Groebner basis 119866 is a Groebner basis wherethe leading coefficients of polynomials in 119866 are all 1 and nomonomial of an element of 119866 lies in the ideal generated bythe leading terms of other elements of 119866 forall119892 isin 119866 and nomonomial of 119892 is in ⟨119871119879(119866 minus 119892)⟩
The important result is that for a fixed monomial order-ing any nonzero ideal has a unique reduced Groebner basisThe algorithm for finding a Groebner basis can easily beextended to output its reduced Groebner basis Thus we willhave a canonical symbolic representation for any ideal
4 Journal of Applied Mathematics
Inputs
Clock
Synchronous digital circuit
Outputs
FFs
Combinationallogic
Presentstates
Nextstates
Figure 1 Synchronous digital circuits model
Theorem 5 (the elimination theorem) Let 119868 sub 119896[1199091 119909
119899]
be an ideal and let 119866 be a Groebner basis of 119868 with respect tolexicographic order where 119909
1≻ 1199092
≻ sdot sdot sdot ≻ 119909119899 Then for every
0 le 119897 le 119899 the set
119866119897= 119866 cap 119896 [119909
119897+1 119909
119899] (1)
is a Groebner basis of the 119897th elimination ideal 119868119897
Theorem 6 Let 119866 be a Groebner basis for an ideal 119868 sub
119896[1199091 119909
119899] and let 119891 isin 119896[119909
1 119909
119899] Then 119891 isin 119868 if and
only if the remainder on division of 119891 by 119866 is zero denoted by119903119890119898119889(119891 119866) = 0
The property given in Theorem 6 can also be taken asthe definition of a Groebner basis Then we will get anefficient algorithm for solving the idealmembership problemAssuming that we know a Groebner basis 119866 for the idealin question we only need to compute the remainder withrespect to 119866 to determine whether 119891 isin 119868
In this paper we will then use the ideal or any basis forthe ideal as an efficient way of algebraization of system to beverified
3 System Modeling with Polynomial
31 Circuit Representation Model In this section we willsketch the underlying digital system model for simulationused in our work
Most modern circuit design is carried out within the syn-chronous model which simplifies reasoning about behaviorat the cost of strict requirements on clocking
As shown in Figure 1 a classical synchronous design iscomprised of combinatorial logic and blocks of registers witha global clock In a synchronous digital system the clocksignal is often regarded as simple control signal and usedto define a time reference for the movement of data withinthat system Combinational logic performs all the logicalfunctions in the circuit and it typically consists of logic gatesRegisters usually synchronize the circuitrsquos operation to theedges of the clock signal and are the only elements whichhave memory properties
The basic circuit model we used can be abstracted as thefollowing model
Definition 7 (synchronous circuit model) A synchronouscircuit model structure is a tuple
C = clk LAMux FFs IO where
(i) clk is a global synchronous clock signal(ii) L is a set of logical operation units(iii) A is a set of arithmetic operation units(iv) Mux is a set of multiplex units(v) FFs is a set of sequential units(vi) I is a set of primary input signals(vii) O is a set of primary output signals
In the following we will discuss polynomial represen-tation of a given circuit model Firstly let us retrospect theclassical circuit representation model
Traditionally Binary decision diagrams (BDD) [13] thefirst generation decision diagrams technique designed byAkers in 1978 acts as an efficient digital circuit representation(or Boolean functions) Recently the next generation ofdecision diagrams that is word-level decision diagrams(WLDD) [14] has considerably widened its expressivenessfor datapath operations due to processing of data in word-level format
Generally ROBDD or WLDD is mapped into hardwaredescription languages according to the following scheme
119865119906119899119888119905119894119900119899 (119888119894119903119888119906119894119905) lArrrArr 119872119900119889119890119897 119894119899 119877119874119861119863119863 | 119882119871119863119863 119891119900119903119898
(2)
Though the dimension of a decision diagram is exponen-tially bounded by the number of variables decision diagramsbased canonical data structure is very useful in many well-known verification methods
From the viewpoint of abstract symbolic computationthese decision diagrams based on representation for circuitsystems are not suitable any more Thus we will adopt analternative representation form based on polynomial setsinstead of decision diagrams according to the followingscheme
119865119906119899119888119905119894119900119899 (119888119894119903119888119906119894119905) lArrrArr 119885119890119903119900 119878119890119905 (119875119900119897119910119899119900119898119894119886119897 119878119890119905) (3)
As is well known given a monomial order there isprecisely one polynomial representation of a function
For convenience we introduce the following symbols foralgebraic representations
(1) Foranysymbolic (circuit unit signal sequence prop-erty etc) 119891 its algebraic representation form is de-noted by ⟦119891⟧
(2) If a running cycle 119905 is given its algebraic representa-tion form can be denoted by ⟦119891⟧
[119905]
(3) Furthermore if a time range [119898 sdot sdot sdot 119899] is specified itsalgebraic representation form can then be denoted by⟦119891⟧119896
[119905]or ⟦119891⟧
[119898sdotsdotsdot119899]
[119905]
Here 119905 denotes the current time and 119896 = (119899 minus 119898) denotestime steps
Journal of Applied Mathematics 5
Table 1 Polynomial model for arithmetic operation
Arithmetic operation Polynomial representation119910 = 119886 + 119887 ⟦+⟧ = (119910 minus 119886 minus 119887)
119910 = 119886 minus 119887 ⟦minus⟧ = (119910 minus 119886 + 119887)
119910 = 119886 lowast 119887 ⟦lowast⟧ = (119910 minus 119886 lowast 119887)
119910 = 119886119887 ⟦⟧ = (119910 lowast 119887 minus 119886)
Table 2 Polynomial model for logic operation
Arithmetic operation Polynomial representation119910 = NOT 119909 ⟦NOT⟧ = (1 minus 119909 minus 119910)
119910 = 1199091AND 119909
2⟦AND⟧ = (119909
1lowast 1199092
minus 119910)
119910 = 1199091OR 119909
2⟦OR⟧ = (119909
1+ 1199092
minus 1199091
lowast 1199092
minus 119910)
Cycle-based symbolic simulation will be performed onthe system model for verification Intuitively cycle-basedsymbolic simulation is a hybrid approach in the sense that thevalues that are propagated through the network can be eithersymbolic expressions or constant values It assumes that thereexists one unified clock signal in the circuit and all inputs ofthe systems remain unchanged while evaluating their valuesin each simulation cycleThe results of simulation report onlythe final values of the output signals or states in the currentsimulation cycle
The detailed simulation process can be described asfollows Firstly cycle-based symbolic simulation is initializedby setting the state of the circuit to the initial vector Each ofthe primary input signals will be assigned a distinct symbolicor a constant value Then at the end of a simulation step theexpressions representing the next-state functions generallyundergo a parametric transformation based optimizationAfter transformation the newly generated functions are usedas present state for the next state of simulation
32 Arithmetic and Logic Unit Modeling In this paper weonly focus on arithmetic unit for calculating fixed-point oper-ations For any arithmetic unit integer arithmetic operations(addition subtraction multiplication and division) can beconstructed by the polynomials in Table 1
The basic logic operations like ldquoANDrdquo ldquoORrdquo and ldquoNOTrdquocan be modeled by the following forms Their correspondingpolynomial representations [15] are specified as in Table 2
Furthermore we can extend the above rule to othercommon logic operators For example
119910 = 1199091
oplus 1199092
(or 119910 = 1199091XOR 119909
2)
997904rArr ⟦oplus⟧ = (119910 minus (1199091
+ 1199092
minus 1199091
lowast 1199092) lowast (1 minus 119909
1lowast 1199092))
(4)
For all bit level variables 119909119894
(0 le 119894 le 119899) a limitation ⟨119909119894lowast
119909119894minus 119909119894⟩ should be added
33 Branch Unit Modeling Basically multiway branch is animportant control structure in digital system It provides a setof condition bits 119887119894 (0 le 119894 le 119861) a set of target identifiers(0 119879 minus 1) and a mapping from condition bit values to
target identifiers This mapping takes the form of a conditiontree
For any binary signal119909 its value should be limited to 1 0
by adding 119909 lowast 119909 minus 119909
119910 = 119872119906119909 (1199090 1199091 119909
119899 119904)
119894 = 119904 997888rarr 119910 = 119909119894 (0 le 119894 le 119899)
997904rArr ⟦119872119906119909⟧ = ⟨
119910 minus
119899minus1
sum
119894=1
( prod
119895isin01119899minus1119894
((119904 minus 119895)
(119894 minus 119895)))
lowast119909119894
⟩
(5)
with prod119899minus1
119894=0(119904 minus 119894) = 0
34 Sequential Unit Modeling Each flip-flop (FF) in thecircuit can bemodeled as amultiplexerWehave the followingproposition to state this model
Proposition 8 For a 119863 flip-flop (1198631015840 is the next state) withan enable signal 119888 its equivalent combinational formal is 119910
1015840=
119872119906119909(119863 1198631015840 119904) 119894 = 119904 rarr 119910
1015840= 119909119894 (0 le 119894 lt 2 119909
0= 119863 119909
1=
1198631015840) whose polynomial algebraic model can be described as
⟦119865119865119904⟧ =
⟨(1199101015840minus 119863) lowast (119888
1015840minus 1) (119910
1015840minus 1198631015840) lowast 119888 (119910
1015840minus 119863) lowast (119910
1015840minus 1198631015840)⟩
(6)
or
⟨1199101015840minus 119863 lowast (119888
1015840minus 1) minus 119863
1015840lowast 1198881015840⟩ (7)
Proof Let 119863 be the current state and let 1199101015840 denote the next
state of the flip-flop When the signal 1198881015840 value is 0 1199101015840 has the
same value as 119863 so that the FF maintains its present statewhen the signal 119888
1015840 value is 1 1199101015840 takes a new value from the
1198631015840 input (where 119863
1015840 denotes the new value next state of theFF) Therefore we have the 2-value multiway branch modeland its polynomial set representation for FF
Proposition 9 Let 119863 be an FF model (1198631015840 is the next state)without enable signal then its equivalent combinational formalpolynomial algebraic model can be described as (1199101015840 minus 119863)
Proof Straightforward
35 Sequential Unrolling Generally for a sequential circuitC one time frame of a sequential circuit is viewed as a combi-national circuit in which each flip-flop will be converted intotwo corresponding signals a pseudo primary input (PPI) anda pseudo primary output (PPO)
Symbolical simulation of a sequential circuit for 119899 cyclescan be regarded as unrolling the circuit 119899 timesThe unrolledcircuit is still a pure combinational circuit and the 119894th copy ofthe circuit represents the circuit at cycle 119894 Thus the unrolledcircuit contains all the symbolic results from the 119899 cycles
6 Journal of Applied Mathematics
36 Indexed Polynomial Set Representation To illustrate thesequential modeling for a given cycle number clearly wedefine an indexed polynomial set representation for the 119894thcycle
Let 119909119894[119897]
(0 le 119894 le 119903) denote the input signals for the 119897thclock119898119894
[119897](0 le 119894 le 119904) the intermediate signals and 119910119894
[119897](0 le
119894 le 119905) the output signals We then have the following timeframe expansion model for the sequential circuit
119865119872 =
119899
⋃
119894=0
119865119872 [119894] (8)
where 119865119872[119894] = C(1199091[119894]
1198981[119894]
1198981[119894]
1199091[119894+1]
1198981[119894+1]
1199101[119894+1]
) denote the 119894th time frame modelTime frame expansion is achieved by connecting the
PPIs (eg 1199091[119894+1]
from 119865119872[119894 + 1]) of the time frame to thecorresponding PPOs (1199091
[119894+1]from 119865119872[119894]) of the previous
time frame
4 Sequence Depth Calculation
In this subsection we will discuss the important feature ofSVA time range and its signal constraint unrolled model
In SVA for each sequence the earliest time step for theevaluation and the latest time step should be determinedfirstlyThe sequence is then unrolled based on above informa-tion Finally the unrolled sequence will be performed usingalgebraization process
In [3] a time range calculating algorithm is providedHere we will introduce some related definition and specialhandling for our purpose
The following is the syntax definition for time range
41 Time Range
Definition 10 (time range syntax) The syntax of ldquotime rangerdquocan be described as follows
119888119910119888119897119890 119889119890119897119886119910 119888119900119899119904119905 119903119886119899119892119890 119890119909119901119903119890119904119904119894119900119899 =
119888119900119899119904119905119886119899119905 119890119909119901119903119890119904119904119894119900119899 119888119900119899119904119905119886119899119905 119890119909119901119903119890119904119904119894119900119899
| 119888119900119899119904119905119886119899119905 119890119909119901119903119890119904119904119894119900119899 $
Note that 119888119900119899119904119905119886119899119905 119890119909119901119903119890119904119904119894119900119899 is computed at compiletime and must result in an integer value and can only be 0or greater
In this paper we only focus on constant time range caseThus its form can be simplified as
(1) 119886[119898 119899]119887 (119898 119899 isin N and 119899 ge 119898 ge 0)
(2) 1198781[119898 119899]119878
2(119898 119899 isin N and 119899 ge 119898 ge 0)
Here 119886 119887 are signals and 1198781 1198782are sequences
Assume the starting time is cycle 119905 then we have thesequence (1) will start (119899 minus 119898 + 1) sequences of evaluationwhich are
119886 119898119887
119886 (119898 + 1)119887
119886(119899 minus 119898 + 1)119887 respectively
Their corresponding algebraic forms are
⟦119886119898119887⟧[119905]
= ⟦119886119905and 119887119905+1
⟧
⟦119886(119898 + 1)119887⟧[119905]
= ⟦119886119905and 119887119905+2
⟧
⟦119886(119899 minus 119898 + 1)119887⟧[119905]
= ⟦119886119905and 119887119905+119899minus119898+1
⟧
Thenwe have the equivalent form of above representationset as
⟦(119886119905and 119887119905+119898
) or sdot sdot sdot or (119886119905and 119887119905+119899
)⟧ (9)
42 Sequential Depth Calculation The time range of asequential is a time interval during which an operation or aterminal of a sequence has to be considered and is denoted bya closed bounded set of positive integers
119879 = [119897 sdot sdot sdot ℎ] = 119909 | 119897 le 119909 le ℎ (here 119909 119897 ℎ isin N) (10)
Furthermore the maximum of two intervals 1198791and 119879
2is
defined by max(1198791 1198792) = [max(119897
1 1198972) sdot sdot sdotmax(ℎ
1 ℎ2)]
In the samemanner the sum of two time ranges of1198791and
1198792is defined as
1198791
+ 1198792
= [(1198971
+ 1198972) sdot sdot sdot (ℎ
1+ ℎ2)] (11)
Definition 11 (maximum sequential depth) The maximumsequential depth of a SVA expression 119865 or a sequence writtenas 119889119890119901(119865) is defined recursively
(i) 119889119890119901(119886) = [1 sdot sdot sdot 1] if 119886 is a signal
(ii) 119889119890119901(not119886) = [1 sdot sdot sdot 1] if 119886 is a signal
(iii) 119889119890119901(119886119887) = 119889119890119901(119886) + 119889119890119901(119887) if 1198651 1198652are sequences
of SVA
(iv) 119889119890119901(1198651[119898 119899]119865
2) = 119889119890119901(119865
1) + 119889119890119901(119865
2) + [119898 sdot sdot sdot 119899]
if 1198651 1198652are sequences of SVA
(v) 119889119890119901(1198651and 119865
2) = max(119889119890119901(119865
1) 119889119890119901(119865
2)) if119865
11198652are
sequences of SVA
(vi) 119889119890119901(1198651or 1198652) = max(119889119890119901(119865
1) 119889119890119901(119865
2)) if 119865
1 1198652are
sequences of SVA
(vii) 119889119890119901(1198651intersect 119865
2) = 119889119890119901(119865
1) + 119889119890119901(119865
2) minus 1 if 119865
1
1198652are sequences of SVA
(viii) 119889119890119901(119865[119899]) = 119899 lowast 119889119890119901(119865) if 119865 is a sequence of SVA
Journal of Applied Mathematics 7
[23]
e And [46]
[12] [23]
a b c d
[35] [35] [46][46]
[00]
Figure 2 Sequence depth parsing tree
For example the following sequence is used to illustratehow to calculate the sequence depth
sequence
119890 [2 sdot sdot sdot 3] ((119886[1sdot sdot sdot 2]119887) and (119888 [1 sdot sdot sdot 2] 119889))
endsequence
Figure 2 shows the binary parsing tree for calculatingsequence depth of this sequence The box denotes operatorand cycle denotes signal node in the syntax tree
Firstly consider the top layer of the parsing tree andthe sequence [2 sdot sdot sdot 3] Here because the first operand 119890
is a terminal of the sequence thus this operand becomesrelevant at time step 0 only (119879
1st = [0 sdot sdot sdot 0]) Since the intervalhas to be considered the second operand (the subtree ofldquoandrdquo)matches 2 or 3 time steps laterTherefore calculating isrecursively performed with 119879 = [0 sdot sdot sdot 0] + [2 sdot sdot sdot 3] = [2 sdot sdot sdot 3]
for the second operandSimilarly we can have the sequence depth of the whole
sequence and all its subsequences as denoted in the figure
5 SVA to Polynomial Set Translation
As mentioned previously SystemVerilog assertions are anintegral component of SystemVerilog and provide two kindsof assertions immediate assertions and concurrent asser-tions
In this section we only discuss concurrent assertions andtheir temporal layer representation model
Concurrent assertions express functional design intentand can be used to express assumed input behavior expectedoutput behavior and forbidden behavior That is assertionsdefine properties that the design must meet Many prop-erties can be expressed strictly from variables available inthe design while properties are often constructed out ofsequential behaviors
Thus we will firstly discuss the basic algebraizationprocess for the sequential behavior model
51 Algebraization Process Theproperties written in SVAwillbe unrolled and checked against the design for bounded timesteps in our method Note that only a constrained subset ofSVA can be supported by our method (unspecified upperbound time range and first-match operator are excluded)
Firstly we translate the properties described by theconstrained subset of SVA into flat sequences according tothe semantics of each supported operator
Asmentioned in [16] the total set of SVA is divided into 4subgroups namely simple sequence expression (SSE) inter-val sequence expression (ISE) complex sequence expression(CSE) and unbounded sequence expression (USE) Here inour method these groups can only be partly supported
Therefore we define the following sequence expressionsby adding further conditions
(i) Constrained simple sequence expression (CSSE) isformed by Boolean expression repeat operator andcycle delay operator
(ii) Constrained interval sequence expression (CISE) isa super set of CSSE formed by extra time rangeoperators
(iii) Constrained complex sequence expression is a superset of CSSE and CISE containing operators or andintersection
Secondly the unrolled flat sequences will be added totemporal constraints to form proportional formulas withlogical connectives (or and and not)
Finally the resulted proportional formulas will be trans-lated into equivalent polynomial set
Then the verification problem is reduced to proving zeroset inclusion relationship which can be resolved by Groebnerbases approaches
52 Boolean LayerModeling TheBoolean layer of SVA formsan underlying basis for the whole assertion architecturewhich consists of Boolean expressions that hold or do nothold at a given cycle
In this paper we distinguish between signal logic valuesand truth logic values That is for a truth logic statementabout a given property its truth can be evaluated to 119905119903119906119890 or119891119886119897119904119890 But for a signal when primary inputs are symbolicvalues its signal logic value may not be evaluated as ℎ119894119892ℎ or119897119900119908
Therefore we have the following definition for signallogic
Definition 12 (signal logic) In digital circuit systems signallogic (SL for short) is defined as
(i) if a signal119909 is active-high (119867 for short) then its signalvalue is defined as 1
(ii) if a signal 119909 is active-low (119871 for short) then its signalvalue is defined as 0
8 Journal of Applied Mathematics
Definition 13 (symbolic constant) A symbolic constant is arigid Boolean variable that forever holds the same BooleanvalueThe notion of symbolic constant was firstly introducedin STE [17] for two purposes
(1) to encode an arbitrary Boolean constraints among aset of circuit nodes in a parametric form
(2) to encode all possible scalar values for a set of nodes
Assume 119867 denotes a symbolic constant for signal logicand 119867 denotes its negative form if 119867 denotes ℎ119894119892ℎ then 119867
will be 119897119900119908Consider (119903119890119902==119867) and (119886119888119896==119867) as an example
According to our definitions 119903119890119902 and 119886119888119896 are signals belong-ing to signal logic while both (119903119890119902==119867) and (119886119888119896==119867) are oftruth logic
For example assertion (119886[15 0] == 119887[15 0]) is also avalid Boolean expression stating that the 16-bit vectors 119886[15
0] and 119887[15 0] are equalIn SVA the following are valid Boolean expressions
(i) 119886119903119903119886119910119860 == 119886119903119903119886119910119861
(ii) 119886119903119903119886119910119860 = 119886119903119903119886119910119861
(iii) 119886119903119903119886119910119860[119894] gt= 119886119903119903119886119910 119861[119895]
(iv) 119886119903119903119886119910119861[119894][119895+ 2] == 119886119903119903119886119910119860[119896][119898minus 2]
(v) (119886119903119903119886119910119860[119894]amp(119886119903119903119886119910119861[119895])) == 0
Since the state of a signal variable can be viewed as a zeroof a set of polynomials We have the following
(1) For any signal 119909 holds at a given time step 119894 thus thestate of 119909 == 1 (119909 is active-high at cycle 119894) can berepresented by polynomial 119909
[119894]minus 1
(2) Alternatively the state of 119909 == 0 (119909 is active-low atcycle 119894) can be represented by polynomial 119909
[119894]
(3) Symbolically the state of 119909 == 119867 (119909 is active-high 119867
at the 119894th cycle) can be modeled as 119909[119894]
minus 119867
53 Sequence Operator Modeling Temporal assertions definenot only the values of signals but also the relationshipbetween signals over time The sequences are the buildingblocks of temporal assertions and can express a set of linearbehavior lasting for one or more cycles These sequences areusually used to specify and verify interface and bus protocols
A sequence is a regular expression over the Booleanexpressions that concisely specifies a set of linear sequencesThe Boolean expressions must be true at those specific clockticks for the sequence to be true over time
SystemVerilog provides several sequence compositionoperators to combine individual sequences in a variety ofways that enhance code writing and readability which canconstruct sequence expressions from Boolean expressions
In this paper throughout operator [1 $] operator andthe first match operator are not supported by our method
SystemVerilog defines a number of operations that canbe performed on sequences The sequence compositionoperators in SVA are listed as follows
Definition 14 (sequence operator)
119877 = 119887ldquoBoolean expressionrdquo form
| (1 V = 119890) ldquolocal variable samplingrdquo form| (119877) ldquoparenthesisrdquo form| (11987711 119877
2) ldquoconcatenationrdquo form
| (11987710 119877
2) ldquofusionrdquo form
| (1198771or 1198772) ldquoorrdquo form
| (1198771intersect 119877
2) ldquointersectrdquo form
| first match (119877) ldquofirst matchrdquo form| 119877[lowast0] ldquonull repetitionrdquo form| 119877[lowast1 $] ldquounbounded repetitionrdquo form| [lowast] [=] [minus gt] ldquorepetitionrdquo repeater| throughoutspecifying a Boolean expression musthold throughout a sequence| withinspecifying conditions within a sequence
The resulted sequences constructed by operators are thenused in properties for use in assertions and covers
531 Cycle Delay Operator In SystemVerilog the con-struct is referred to as a cycle delay operator
ldquo1rdquo and ldquo0rdquo are concatenation operators the formeris the classical regular expression concatenation the latter isa variant with one-letter overlapping
A 119899 followed by a number 119899 or range specifies the 119899
cycles delay from the current clock cycle to the beginning ofthe sequence that follows
(1) Fixed-length Casesequence fixs
119886119899119887
endsequencerArr ⟦119891119894119909119904⟧ = ⟦119886⟧
119905 ⟦119887⟧119905+119899
(2) Time-range Casesequence 119905119898119904
119886[119898 sdot sdot sdot 119899]119887
endsequencerArr ⟦119905119898119904⟧ = ⟦119886⟧
[119905] ⟦119887⟧119898
[119905] or sdot sdot sdot or ⟦119886⟧
[119905] ⟦119887⟧119899
[119905]
532 Intersect Operator The two operands of intersectoperator are sequences The requirements for match of theintersect operation are as follows
(i) Both operands must match(ii) The lengths of the two matches of the operand
sequences must be the same
Journal of Applied Mathematics 9
1198771intersect 119877
2
1198771starts at the same time as 119877
2 the intersection will
match if 1198771 starting at the same time as 119877
2 matches at the
same time as 1198772matches
Therefore we have
⟦1198771intersect 119877
2⟧ = ⟦119877
1⟧119889119890119901(119877
1)
[119905]and ⟦1198772⟧119889119890119901(119877
2)
[119905] (12)
The sequence length matching intersect operator con-structs a sequence like the and nonlength matching operatorexcept that both sequences must be completed in same cycle
533 and Operator 1198771and 119877
2
This operator states that 1198771starts at the same time as 119877
2
and the sequence expression matches with the later of 1198771and
1198772matching This binary operator and is used when both
operands are expected to match but the end times of theoperand sequences can be different
That is 1198771and 119877
2denotes both 119877
1and 119877
2holds for the
same number cycles Then the matches of 1198771and 119877
2must
satisfy the following
(i) The start point of the match of 1198771must be no earlier
than the start point of the match of 1198772
(ii) The end point of thematch of1198771must be no later than
the end point of the match of 1198772
The sequence nonlength matching and operator con-structs a sequence in which two sequences both hold at thecurrent cycle regardless of whether they are completed in thesame cycle or in different cycles
⟦1198771and 119877
2⟧ 997904rArr
ℎ1
⋁
119894=1198971
ℎ2
⋁
119895=1198972
(⟦1198771⟧119894
[119905] and ⟦119877
2⟧119895
[119905]) (13)
Here 119897119894= 119889119890119901(119877
119894) sdot 119897 ℎ
119894= 119889119890119901(119877
119894) sdot ℎ and 0 lt 119894 le 2
534 or Operator 1198771or 1198772
The sequence or operator constructs a sequence in whichone of two alternative sequences hold at the current cycleThus the sequence (1198861119887) or (1198881119889) states that eithersequence 119886 119887 or sequence 119888 119889 would satisfy the assertion
⟦1198771or 1198772⟧ 997904rArr
ℎ1
⋁
119894=1198971
ℎ2
⋁
119895=1198972
(⟦1198771⟧119894
[119905] or ⟦119877
2⟧119895
[119905]) (14)
Here 119897119894= 119889119890119901(119877
119894) sdot 119897 ℎ
119894= 119889119890119901(119877
119894) sdot ℎ and 0 lt 119894 le 2
535 Local Variables SystemVerilog provides a feature bywhich variables can be used in assertions The user candeclare variables local to a property This feature is highlyuseful in pipelined designs where the consequent occur-rence might be many cycles later than their correspondingantecedents
Local variables are optional and local to properties Theycan be initialized assigned (and reassigned) a value operatedon and compared to other expressions
The syntax of a sequence declaration with a local variableis shown below
119904119890119902119906119890119899119888119890 119889119890119888119897119886119903119886119905119894119900119899 =
sequence 119904119890119902119906119890119899119888119890 119894119889119890119899119905119894119891119894119890119903[([119905119891 119901119900119903119905 119897119894119904119905])]
119886119904119904119890119903119905119894119900119899 V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899
119904119890119902119906119890119899119888119890 119890119909119901119903
endsequence [ 119904119890119902119906119890119899119888119890 119894119889119890119899119905119894119891119894119890119903]
The property declaration syntax with a local variable canbe illustrated as follows
119901119903119900119901119890119903119905119910 119889119890119888119897119886119903119886119905119894119900119899 =
property 119901119903119900119901119890119903119905119910 119894119889119890119899119905119894119891119894119890119903[([119905119891 119901119900119903119905 119897119894119904119905])]
119886119904119904119890119903119905119894119900119899V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899
119901119903119900119901119890119903119905119910 119904119901119890119888
endproperty [ 119901119903119900119901119890119903119905119910 119894119889119890119899119905119894119891119894119890119903]
The variable identifier declaration syntax of a local vari-able can be illustrated as follows
119886119904119904119890119903119905119894119900119899 V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899 =
V119886119903 119889119886119905119886 119905119910119901119890 119897119894119904119905 119900119891 V119886119903119894119886119887119897119890 119894119889119890119899119905119894119891119894119890119903119904
The dynamic creation of a variable and its assignment isachieved by using the local variable declaration in a sequenceor property declaration and making an assignment in thesequence
Thus local variables of a sequence (or property) may beset to a value which can be computed from a parameter orother objects (eg arguments constants and objects visibleby the sequence (or property))
For example a property of a pipeline with a fixed latencycan be specified below
property 119897119886119905119890119899119888119910119894119899119905 119909(V119886119897119894119889 119894119899 119909 = 119901 119894119899)|minus gt 3(119901 119900119906119905 == (119909 + 1))
endproperty
This property e is evaluated as followsWhen V119886119897119894119889 119894119899 is true 119909 is assigned the value of 119901 119894119899 If 3
cycles later 119901 119900119906119905 is equal to 119909 + 1 then property 119897119886119905119890119899119888119910 istrue Otherwise the property is false When V119886119897119894119889 119894119899 is falseproperty 119897119886119905119890119899119888119910 is evaluated as true
For the algebraization of SVA properties with localvariables in our method these local variables will be takenas common signal variables (symbolic constant) without anysequential information
Thus we have the polynomial set representation forproperty 119897119886119905119890119899119888119910
⟦119897119886119905119890119899119888119910⟧[119905]
=
(V119886119897119894119889 119894119899[119905]
minus 1)(119909 minus 119901 119894119899
[119905])
(119901 119900119906119905[119905+3]
minus (119909 + 1))
10 Journal of Applied Mathematics
536 Repetition Operators SystemVerilog allows the userto specify repetitions when defining sequences of BooleanexpressionsThe repetition counts can be specified as either arange of constants or a single constant expression
Nonconsecutive repetition specifies finitely many itera-tive matches of the operand Boolean expression with a delayof one or more clock ticks from one match of the operandto the next successive match and no match of the operandstrictly in between The overall repetition sequence matchesat or after the last iterative match of the operand but beforeany later match of the operand
The syntax of repetition operator can be illustrated asfollows
119899119900119899 119888119900119899119904119890119888119906119905119894V119890 119903119890119901 = [= 119888119900119899119904119905 119900119903 119903119886119899119892119890 119890119909119901119903] (15)
The number of iterations of a repetition can be specifiedby exact count
For example a sequence with repetition can be defined as
119886 |=gt 119887 [= 3] 1 119888 (16)
The sequence expects that 2 clock cycles after the validstart signal ldquo119887rdquo will be repeated three times
We have ⟦119877[= 119899]⟧ = ⋁119899
119894=0(⟦119877⟧
119894lowast119889119890119901(119877)
[119905])
54 Property OperatorModeling In general property expres-sions in SVA are built using sequences other sublevel proper-ties and simple Boolean expressions via property operators
In SVA a property that is a sequence is evaluated as trueif and only if there is a nonempty match of the sequenceA sequence that admits an empty match is not allowed as aproperty
The success of assertion-based verification methodologyrelies heavily on the quality of properties describing theintended behavior of the design Since it is a fairly newmethodology verification and design engineers are oftenfaced with a question of ldquohow to identify good propertiesrdquo fora design It may be tempting to write properties that closelyresemble the implementation
Properties we discussed in this paper can be classified as
(1) Design Centric Design centric properties represent asser-tions added by the RTL designers to characterize whitebox design attributes These properties are typically towardsFSMs localmemories clock synchronization logic and otherhardware-related designs The design should conform to theexpectations of these properties
(2) Assumption Centric Assumption centric properties rep-resent assumptions about the design environment They areused in informal verification to specify assumptions about theinputs The assume directive can inform a verification tool toassume such a condition during the analysis
(3) RequirementVerification Centric Many requirementproperties are best described using a ldquocause-to-effectrdquo stylethat specifies what should happen under a given conditionThis type of properties can be specified by implication
operator For example a handshake can be described as ldquoifrequest is asserted then acknowledge should be assertedwithin 5 cyclesrdquo
In general property expressions are built using sequen-ces other sublevel properties and simple Boolean expres-sions
These individual elements are combined using propertyoperators implication NOT ANDOR and so forth
The property composition operators are listed as follows
Definition 15 (property operator)
119875 = 119877lowast ldquosequencerdquo form lowast
|(119875)lowast ldquoparenthesisrdquo form lowast
|not 119875lowast ldquonegationrdquo form lowast
|(1198751or 1198752)lowast ldquoorrdquo form lowast
|(1198751and 119875
2)lowast ldquoandrdquo form lowast
|(119877|minus gt 119875) |(119877| =gt 119875)lowast ldquoimplicationrdquo form lowast
|disable iff(119887) 119875lowast ldquoresetrdquo form lowast
Note that disable if and only if will not be supportedin this paper Property operators construct properties out ofsequence expressions
541 Implication
Operators The SystemVerilog implication operator supportssequence implication and provides two forms of implicationoverlapped using operator |minus gt and nonoverlapped usingoperator | =gt respectively
The syntax of implication is described as follows
119904119890119902119906119890119899119888119890 119890119909119901119903 | minus gt 119901119903119900119901119890119903119905119910 119890119909119901119903
119904119890119902119906119890119899119888119890 119890119909119901119903 | =gt 119901119903119900119901119890119903119905119910 119890119909119901119903
(17)
The implication operator takes a sequence as its anteced-ent and a property as its consequent Every time the sequencematches the property must hold Note that both the runningof the sequence and the property may span multiple clockcycles and that the sequence may match multiple times
For each successful match of the antecedent sequencethe consequence sequence (right-hand operand) is sepa-rately evaluated beginning at the end point of the matchedantecedent sequence All matches of antecedent sequencerequire a match of the consequence sequence
Moreover if the antecedent sequence (left hand operand)does not succeed implication succeeds vacuously by return-ing true For many protocol related assertions it is importantto specify the sequence of events (the antecedent or cause)that must occur before checking for another sequence (theconsequent or effect) This is because if the antecedent doesnot occur then there is no need to perform any furtherverification In hardware this occurs because the antecedentreflects an expression that when active triggers something tohappen
Journal of Applied Mathematics 11
A property with a consequent sequence behaves as if theconsequent has an implication first-match applied to it
542 NOT
Operator The operator NOT 119901119903119900119901119890119903119905119910 119890119909119901119903 states that theevaluation of the property returns the opposite of the eval-uation of the underlying 119901119903119900119901119890119903119905119910 119890119909119901119903
543 AND
Operator The formula ldquo1198751AND 119875
2rdquo states that the property
is evaluated as true if and only if both 1198751and 1198752are evaluatd
as true
544 OR
Operator The operator ldquo1198751OR 119875
2rdquo states that the property is
evaluated as true if and only if at least one of 1198751and 119875
2is
evaluated as true
545 IF-ELSE
Operator This operator has two valid forms which are listedas follows
(1) IF (119889119894119904119905) 1198751
A property of this form is evaluated as true if and only ifeither 119889119894119904119905 is evaluated as false or 119875
1is evaluated as true
(2) IF (119889119894119904119905) 1198751ELSE 119875
2
A property of this form is evaluated as true if and only ifeither 119889119894119904119905 is evaluated as true and 119875
1is evaluated as true or
119889119894119904119905 is evaluated as false and 1198752is evaluated as true
From previous discussion we have the following propo-sition for property reasoning
Proposition 16 Assume that1198751198751 and119875
2are valid properties
in SVA the following rules are used to construct the correspond-ing verification process Here 119860119904119904119862ℎ119896(119872119900119889119890119897 119875119903119900119901119890119903119905119910)
ture false is a self-defined checking function that can deter-mine whether a given ldquo119875119903119900119901119890119903119905119910rdquo holds or not with respect toa circuit model ldquo119872119900119889119890119897rdquo
(1) 1198751OR 119875
2rArr 119860119904119904119862ℎ119896(119872 ⟦119875
1⟧) or 119860119904119904119862ℎ119896(119872 ⟦119875
2⟧)
(2) 1198751AND 119875
2rArr 119860119904119904119862ℎ119896(119872 ⟦119875
1⟧)and119860119904119904119862ℎ119896(119872 ⟦119875
2⟧)
(3) NOT 119875 rArr not119860119904119904119862ℎ119896(119872 ⟦119875⟧)
(4) IF (119889119894119904119905) 1198751
rArr not119860119904119904119862ℎ119896(119872 119889119894119904119905) or 119860119904119904119862ℎ119896(119872
⟦1198751⟧)
(5) IF (119889119894119904119905) 1198751ELSE 119875
2rArr (119860119904119904119862ℎ119896(119872 119889119894119904119905)and119860119904119904119862ℎ119896
(119872 ⟦1198751⟧))or(not119860119904119904119862ℎ119896(119872 119889119894119904119905)and119860119904119904119862ℎ119896(119872 ⟦119875
2⟧))
(6) 119878 | minus gt 119875 rArr if (not119860119904119904119862ℎ119896(119872 ⟦119878⟧))119903119890119905119906119903119899 true else(119860119904119904119862ℎ119896(119872 ⟦119878⟧
[119905]) and 119860119904119904119862ℎ119896(119872 ⟦119875⟧
dep(119875)[119905+dep(119878)minus1]))
(7) 119878 |=gt 119875 rArr if(not119860119904119904119862ℎ119896(119872 ⟦119878⟧))119903119890119905119906119903119899 true else(119860119904119904119862ℎ119896(119872 ⟦119878⟧
[119905]) and 119860119904119904119862ℎ119896(119872 ⟦119875⟧
dep(119875)[119905+dep(119878)]))
6 Verification Algorithm
In this section we will describe how an assertion is checkedusing Groebner bases approach Firstly we will discussa practical algorithm using Groebner bases for assertionchecking
61 Basic Principle As just mentioned our checking methodis based on algebraic geometry which is the study of thegeometric objects arising as the common zeros of collectionsof polynomials Our aim is to find polynomials whosezeros correspond to pairs of states in which the appropriateassignments are made
We can regard any set of points in 119896119899 as the variety of some
ideal We can then use the ideal or any basis for the ideal as away of encoding the set of points
From Groebner Bases theory [10 12] every nonzero ideal119868 sub 119896[119909
1 119909
119899] has a Groebner basis and the following
proposition evidently holds
Proposition 17 Let 119862 and 119878 be polynomial sets of 119896[1199091
119909119899] and ⟨119866119878⟩ a Groebner basis for ⟨119878⟩ and then we have that
⟨119862⟩ sube ⟨119878⟩ hArr forall119888 isin 119862 119903119890119898119889(119888 119866119878) == 0 holds
Theorem 18 Suppose that 119860(⟦119860⟧ = 1198861 1198862 119886
119903) is a
property to be verified 119879 is the initial preconditions of 119862 and119872 is a system model to be checked Let ⟦119879⟧ and ⟦119872⟧ bethe polynomial set representations for 119879 and 119872 respectivelyconstructed by previous mentioned rules Let 119867 = ⟦119879 cup 119872⟧ =
ℎ1 ℎ2 ℎ
119904 sube 119896[119909
1 119909
119899] 119868 = ⟨119867⟩ (where ⟨119867⟩ denotes
the ideal generated by 119867) and 119866119861119867
= 119892119887119886119904119894119904(119867 ≺) then wehave
( (1 notin 119866119861119867
) and 119903119890119898119889 (119862 119866119861119867
) == 0)
lArrrArr ((1 notin 119866119861119867
) and119903
⋀
119894=0
(119903119890119898119889 (119892119894 119866119861119867
) == 0))
lArrrArr (119872 |= 119860) holds
(18)
Proof (1) The polynomial set ⟦119872⟧ of system model 119872
describes the data-flow relationship that inputs outputs andfunctional transformation should meet The initial condition⟦119872⟧ can be seen as extra constraint applied by users Thereshould not exist contradiction between them that is thepolynomial equations of ⟦119879 cup 119872⟧ must have a commonsolution
ByHilbertrsquos Nullstellensatz theory if we have polynomials⟦119879 cup 119872⟧ = 119891
1 119891
119904 isin 119896[119909
1 119909
119899] we compute a
reducedGroebner basis of the ideal they generatewith respectto any ordering If this basis is 1 the polynomials have nocommon zero in 119896
119899 if the basis is not 1 they must have acommon zero
Therefore (1 notin 119866119861119867
) should hold(2) Evidently by previous proposition it is easy to have
that 119903119890119898119889(119862 119866119861119867
) == 0 should holdThus we have that this theorem holds
12 Journal of Applied Mathematics
Input(1) circuit model 119872(2) initial condition 119879(3) an assertion 119860Output Boolean 119905119903119906119890 or 119891119886119897119904119890BEGIN
lowastStep 1 initialize input signals via testbench lowast(00) 119868119899119894119905119878119894119892119899119886119897119904()(01) M = 0PS
119860= 0 119867 = 0PS
119879= 0
lowastStep 2 build polynomial model lowast(02) M = ⟦119872⟧ = 119861119906119894119897119889PS(119872)
lowastStep 3 build polynomial set for initial condition 119879lowast
(03) 119875119878119879
= ⟦119879⟧ = 119861119906119894119897119889PS(119879)lowastStep 4 build polynomial set for consequentA lowast
(04) 119875119878119860
= ⟦119860⟧ = 119861119906119894119897119889PS(119860)lowastStep 5 calculate the PS
119879cup Mlowast
(05) 119867 = PST cup MlowastStep 6 calculate the Groebner base of ⟨119867⟩
lowast(06) GB
119867= 119892basis(119867 ≺)
lowastStep 7 determine the basis is 1 or not lowast(07) if(1 isin GB
119867)
(08) return 119891119886119897119904119890 lowastStep 8 check every polynomial lowastlowast119860 = 119886
1 1198862 119886
|119860|lowast
(09) 119894 = 1(10) 119908ℎ119894119897119890(119894 le |119860|)
(11) if(119903119890119898119889(⟦119886119894⟧ GB
119867) = 0)
(12) return 119891119886119897119904119890 (13) i++(14) lowast endwhile lowast(15) return 119905119903119906119890 lowast Assertion does hold lowastEND
Algorithm 1 ldquo119860119904119904119862ℎ119896119875119900119897119910119861119906119894119897119889(119872 119879 119860)rdquo
62 Checking Algorithm For simplicity in this section weonly provide the key decision algorithm
Firstly the original system model is transformed into anormal polynomial representation and the assertion as wellThen calculate the hypothesis set and its Groebner basisusing the Buchberger algorithm [18] and their eliminationideals Finally examine the inclusion relationship betweenelimination ideals to determine whether the assertion to bechecked holds or not
From above discussion we have the following processsteps and detailed algorithm description Algorithm 1
For convenience we can derive another version checkingprocedure named ldquo119860119904119904119862ℎ119896(⟦119872⟧ ⟦119860⟧)rdquo which can acceptpolynomial representations as inputs without explicit poly-nomial construction process
Further by applying Theorem 18 and the checking algo-rithm ldquo119860119904119904119862ℎ119896(⟦119872⟧ ⟦119860⟧)rdquo we can easily verify all sup-ported properties written in SVA
7 An Example
In this section we will study a classical circuit to show howSVA properties are verified by polynomial representation andalgebra computation method
Consider the Johnson counter circuit in Figure 3 Johnsoncounters can provide individual digit outputs rather than a
3 2 1
m1m2m3
m4clk
And
Andy
Figure 3 Johnson counter
Table 3 Table of Johnson counter output
Counter (clock) V3(1198983) V2(1198982) V1(1198981)
0 0 0 01 1 0 02 1 1 03 0 1 14 0 0 15 0 0 0
binary or BCD output as shown in Table 3 Notice that eachlegal count may be defined by the location of the last flip-flopto change states and which way it changed state
71 Algebraization of Circuit and Assertion Johnson counterprovides individual digit outputs as shown in Table 3
The polynomial set for Johnson counter circuit in Figure 3can be constructed as follows
119878119890119905adder = 1198911 = 11989831015840minus 1198984 1198912 = 1198982
1015840minus 1198983
1198913 = 11989811015840minus 1198982
1198914 = 1198984 minus (1 minus 1198981) lowast (1 minus 1198982)
1198915 = 119910 minus 1198981 lowast (1 minus 1198982)
(19)
where 11989811015840 denotes the next state of 1198981 For the 119894th cycle we
use 1199091[119894]to denote variable name in current cycle
Similarly another Johnson counter circuit with an erroris shown in Figure 4 the corresponding polynomial set canbe described by
119878119890119905adder = 1198911 1198912 1198913
11989141015840
= 1198984 + 1198981 + 1198982
minus (1 minus 1198981) lowast (1 minus 1198982) 1198915
(20)
Journal of Applied Mathematics 13
3 2 1
m1m2m3
m4clk
Or
Andy
Figure 4 Johnson counter with error
To illustrate the problem clearly we define polynomial setrepresentation 119875119872[119894] for 119894th cycle as follows
119875119872 [119894] = 1198983[119894+1]
minus 1198984[119894]
1198982[119894+1]
minus 1198983[119894]
1198981[119894+1]
minus 1198982[119894]
1198984[119894]
minus (1 minus 1198982[119894]
) lowast (1 minus 1198981[119894]
)
119910 minus 1198981[119894]
lowast (1 minus 1198982[119894]
)
(21)
Support that the circuit will run 6 cycles for verificationtherefore we have 119875119872 = ⋃
5
119894=0119875119872[119894]
For any Boolean variable 119886 we will add an extra con-straint 119886lowast119886minus119886Thus we define the corresponding constraintsset as follows 119862119873119878[119894] = 119888
[119894]lowast 119888[119894]
minus 119888[119894]
119888 isin 1198981 1198982 1198983 1198984
119910In the same manner we have 119862119873119878 = ⋃
5
119894=0119862119873119878[119894]
The sequential property for this counter circuit can bespecified by the following SystemVerilog assertions
property 119869119862119875119860
(1198983 = 0 ampamp 1198982 = 0 ampamp 1198981 = 0)
| =gt 1(1198983 == 1 ampamp 1198982 == 0 ampamp 1198981 == 0)
| =gt 2(1198983 == 1 ampamp 1198982 == 1 ampamp 1198981 == 0)
| =gt 3(1198983 == 0 ampamp 1198982 == 1 ampamp 1198981 ==
1)
endpropertyproperty 1198691198621198751
(119888119897119896)(1198981 == 0)| =gt 2 (1198981 == 0)
endpropertyproperty 1198691198621198752
(119888119897119896)(1198982 == 0)| =gt 2 (1198982 == 1)
endpropertyproperty 1198691198621198753
(119888119897119896)(1198983 == 0)| =gt 2 (1198983 == 1)
endproperty
Table 4 Polynomial forms
Name Precondition Expected consequent
JCPA
1198981[0]
1198982[0]
1198983[0]
cycle 1 1198981[1]
minus 1 1198982[1]
1198983[1]
cycle 2 1198981[2]
minus 1 1198982[2]
minus 1 1198983[2]
cycle 3 1198981[3]
1198982[3]
minus 1 1198983[3]
minus 1
JCP1 1198981[0]
1198981[2]
JCP2 1198982[0]
1198982[2]
minus 1
JCP3 1198983[0]
1198983[2]
minus 1
We will afterwards demonstrate the verification processstep by step
The circuit model to be verified is as shown below
119878119872 = 119875119872 cup 119862119873119878 (22)
The property of this counter can be specified as thefollowing SVA assertion
assert property (1198691198621198751)
assert property (1198691198621198752)
The Algebraization form of the above properties can bemodeled as in Table 4
72 Experiment Using Maple We run this example by usingMaple 13 Before running we manually translated all modelsinto polynomials The experiment is performed on a PC witha 240GHz CPU (intel i5M450) and 1024MB of memoryIt took about 004 seconds and 081MB of memory whenapplying Groebner method
[gtwith(Groebner)[gt 119862119872 = sdot sdot sdot
lowastCircuit Modellowast[gt 119879119863119864119866 = 119905119889119890119892(
1198981[0] 1198982[0] 1198983[0] 1198984[0]
1198981[1] 1198982[1] 1198983[1] 1198984[1]
1198981[2] 1198982[2] 1198983[2] 1198984[2]
1198981[3] 1198982[3] 1198983[3] 1198984[3]
1198981[4] 1198982[4] 1198983[4] 1198984[4]
119910[0] 119910[1] 119910[2] 119910[3]
)
[gt 119862119866119861 = 119861119886119904119894119904(119862119872 119879119863119864119866)
Thus we can have the Groebner basis as follows
[gt [1199101[3]
1199101[2]
1199101[1]
1199101[1]
1198983[4]
1198982[4]
1198981[4]
minus 1 1198984[3] 1198983[3] 1198982[3]
minus 1 1198981[3]
minus 11198984[2] 1198983[2]
minus 1 1198982[2]
minus 1 1198981[2] 1198984[1]
minus 11198983[1]
minus 11198982[1] 1198981[1] 1198984[0]
minus 1 1198983[0] 1198982[0] 1198981[0]
]
[gt 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983[1]
minus 1 119862119866119861 119879119863119864119866)
[gt 119903119890119905 = 0
14 Journal of Applied Mathematics
Table 5 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862119866119861
080M 002 S0
Yes1198982[1]
1 notin 119862119866119861 0
1198983[1]
minus 1 1 notin 119862119866119861 0
11198981[2]
1 notin 119862119866119861
081M 003 S0
Yes1198982[2]
minus 1 1 notin 119862119866119861 0
1198983[2]
minus 1 1 notin 119862119866119861 0
21198981[3]
minus 1 1 notin 119862119866119861
081M 004 S0
Yes1198982[3]
minus 1 1 notin 119862119866119861 0
1198983[3]
1 notin 119862119866119861 0
3 1198981[2]
1 notin 119862119866119861 081M 004 S 0 Yes4 1198982
[2] 1 notin 119862119866119861 081M 004 S 0 Yes
5 1198983[2]
1 notin 119862119866119861 081M 004 S 0 Yes
Table 6 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862GB080M 002 S
0
Yes1198982[1]
1 notin 119862GB 0
1198983[1]
minus 1 1 notin 119862GB 0
11198981[2]
1 notin 119862GB081M 003 S
0
Yes1198982[2]
minus 1 1 notin 119862GB 0
1198983[2]
minus 1 1 notin 119862GB 0
21198981[3]
minus 1 1 notin 119862GB081M 014 S
0
NO1198982[3]
minus 1 1 notin 119862GB 0
1198983[3]
1 notin 119862GB minus1
As shown in maple outputs the given circuit has beenmodeled as polynomial set119862119872 (itsGroebner bases is denotedby 119862119866119861) and assertion expected result as 1198983
[1]minus 1 From
the running result we have 1 notin 119862119866119861 and return valueof 119873119900119903119898119886119897119865119900119903119898 is 0 which means 119862119866119861 is divided with noremainder by 1198983
[1]minus 1
Thus from the previously mentioned verification princi-ples it is easy to conclude that the assertion 1198691198621198751 holds underthis circuit model after 3 cycles
More detailed experiment results for verification of cir-cuit shown in Figure 3 are listed in Table 5
Conversely we check these assertions against the circuitshown in Figure 4 in a similar way More detailed experimentresults are demonstrated in Table 6
From above table when checking 119869119862119875119860 assertion theresult 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983
[3] 119862119866119861 119879119863119864119866) = 0 so that
we can conclude the assertion does not holdTherefore theremust exist unexpected errors in the original circuit
This case is a fairly complete illustration of how thechecking algorithm works
8 Conclusion
In this paper we presented a new method for SVA prop-erties checking by using Groebner bases based symbolicalgebraic approaches To guarantee the feasibility we defined
a constrained subset of SVAs which is powerful enough forpractical purposes
We first introduce a notion of symbolic constant withoutany sequential information for handling local variables inSVAs inspired from STE We then proposed a practical alge-braizationmethod for each sequence operator For sequentialcircuits verification we introduce a parameterized polyno-mial set modeling method based on time frame expansion
Our approach is based on polynomial models construc-tion for both circuit models and SVA assertionsThis methodis to eventually translate a simulation based verificationproblem into a pure algebraic zero set determination problemby a series of proposed steps which can be performed on anygeneral symbolic algebraic tool
Thismethod allows users to deal withmore than one stateand many input combinations every cycle This advantagecomes directly from the fact that many vectors are simulatedat once using symbolic value
In summary in this research by suitable restrictions ofSVA assertions we can guarantee the availability of polyno-mial set representation Based on this polynomial set modelsymbolic simulation can be performed to produce symbolictraces and temporal relationship constraints of signal vari-ables as well We then apply symbolic algebra approach tocheck the zeros set relation between their polynomial sets anddetermine whether the temporal assertion holds or not undercurrent running cycle
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
The project is supported by the National Natural ScienceFoundation of China under Grant no 11371003 theNatural Science Foundation of Guangxi under Grantsnos 2011GXNSFA018154 2012GXNSFGA060003 and2013GXNSFAA019342 the Science and TechnologyFoundation of Guangxi under Grant no 10169-1 theScientific Research Project no 201012MS274 from GuangxiEducation Department the Fundamental Research Fundsfor the Central Universities under Grants nos DUT14QY05and HCIC201204 of Guangxi Key Laboratory of HybridComputation and IC Design Analysis Open Fund andthe Baguio scholarship Project of Guangxi The authorswould like to thank their colleagues for participating in theresearch They also appreciate the anonymous reviewers fortheir helpful comments
References
[1] IEEE System Verilog Working Group IEEE Standard forSystemVerilog C Unified Hardware Design Specification andVerification (IEEE Std 1800-2005) IEEE 2005
[2] ldquoIEEE draft standard for system verilogmdashunified hardware de-sign specification and verification languagerdquo IEEE P1800D32011
Journal of Applied Mathematics 15
[3] R Wille G Fey M Messing G Angst L Linhard and RDrechsler ldquoIdentifying a subset of SystemVerilog assertions forefficient bounded model checkingrdquo in Proceedings of the 11thEUROMICRO Conference on Digital System Design Architec-tures Methods and Tools (DSD rsquo08) pp 542ndash549 September2008
[4] L Darringer ldquoApplication of program verification techniques tohardware verificationrdquo in Proceedings of the IEEE-ACM DesignAutomation Conference pp 375ndash381 1979
[5] G S Avrunin ldquoSymbolic model checking using algebraicgeometryrdquo in Proceedings of the 8th International Conference onComputer Aided Verification vol CAV96 pp 26ndash37 SpringerLondon UK 1996
[6] W B Mao and J Z Wu ldquoApplication of Wus method to sym-bolic model checkingrdquo in Proceedings of the 2005 internationalSymposiumon Symbolic andAlgebraic Computation (ISSAC rsquo05)pp 237ndash244 ACM Press Beijing China 2005
[7] J Wu and L Zhao ldquoMulti-valued model checking via groebnerbasis approachrdquo in Proceedings of the 1st Joint IEEEIFIP Sympo-sium on Theoretical Aspects of Software Engineering (TASE rsquo07)pp 35ndash44 IEEE Computer Society Press June 2007
[8] N Zhou J Wu and X Gao ldquoAlgebraic verification method forSEREs properties via Groebner bases approachesrdquo Journal ofAppliedMathematics vol 2013 Article ID 272781 10 pages 2013
[9] X Gao N Zhou J Wu and D Li ldquoWursquos characteristic setmethod for SystemVerilog assertions verificationrdquo Journal ofApplied Mathematics vol 2013 Article ID 740194 14 pages2013
[10] J Little D Cox andD OrsquoShea Ideals Varieties and AlgorithmsSpringer New York NY USA 1992
[11] T Becker andVWeispfenningGrobner Bases AComputationalApproach to Commutative Algebra Springer New York NYUSA 1993
[12] B Buchberger ldquoGroebner bases an algorithmic method inpolynomial ideal theoryrdquo in Multidimensional Systems Theorypp 184ndash232 1985
[13] S B Akers ldquoBinary decision diagramsrdquo IEEE Transactions onComputers C vol 27 no 6 pp 509ndash516 1978
[14] S Hoereth and R Drechsler ldquoFormal verification of word-levelspecificationsrdquo in Proceedings of the Design Automation andTest in Europe Conference and Exhibition pp 52ndash58 MunichGermany 1999
[15] Y M Ryabukhin ldquoBoolean ringrdquo in Encyclopaedia of Mathe-matics Springer Michiel Germany 2001
[16] S Das R Mohanty P Dasgupta and P P Chakrabarti ldquoSynthe-sis of system verilog assertionsrdquo in Proceedings of the Conferenceon Design Automation and Test in Europe Designersrsquo Forum(DATE rsquo06) pp 70ndash75 European Design and AutomationAssociation Leuven Belgium March 2006
[17] C-J Seger and R E Bryant ldquoFormal verification by symbolicevaluation of partially-ordered trajectoriesrdquo Formal Methods inSystem Design vol 6 no 2 pp 147ndash190 1995
[18] D Cox J Little and D OrsquoShea Ideals Varieties and AlgorithmsAn Introduction to Computational Algebraic Geometry andCommutative Algebra Undergraduate Texts in MathematicsSpringer New York 3rd edition 2007
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
2 Journal of Applied Mathematics
many conditions with a single simulation sequence but itcould not handle large circuits due to exponential symbolicexpressions Earlier work in applications of symbolic manip-ulation and algebraic computation has gained significantextensions and improvements In [5] a technique frameworkon Groebner bases demonstrated that computer algebraicgeometry method can be used to perform symbolic modelchecking using an encoding of Boolean sets as the commonzeros of sets of polynomials In [6] a similar technique toframework based Wursquos Method has been further extendedto bit level symbolic model checking In [7] an improvedframework of multivalued model checking via Groebnerbases method was proposed which is based on a canonicalpolynomial representation of the multivalued logics
In our previous work [8] we proposed a method usingGroebner bases to perform SEREs assertion verification forsynchronous digital circuit systems Then we introduced averification solution based on Wursquos method towards Sys-temVerilog assertion checking [9] This paper aims to verifywhether a SVA property holds or not on the traces producedafter several cycles running over a given synchronous sequen-tial circuit It is the follow-upwork of [9] Groebner Bases andWursquos method are the most important methods of computeralgebra Wursquos method of characteristic set is a powerfultheoremproving technique andGroebner Bases allowsmanyimportant properties of the ideal and the associated algebraicvariety to be deduced easily So Groebner Bases method hasa better theoretical guide and the algorithm based on Wursquosmethod is more efficient
Checking SVAs is computationally very complex in gen-eral while for practical purposes a subset is sufficient In thiswork we
(1) define a constrained subset of SVAs(2) perform algebraization of SVA operators for the
constrained subset(3) do translation of SVAs into polynomial set represen-
tations(4) provide a symbolic computation based algebraic algo-
rithm for SVAs verificationOur approach canhandle safety properties that argue over
a bounded number of time steps Local variables in SVAscan be handled as symbolic constant without any temporalinformation Nevertheless liveness properties and infinitesequences in SVAs are excluded
2 Preliminaries
In this section to keep the paper self-contained we willgive the basics of SystemVerilog and algebraic symboliccomputation used throughout this paper
21 SystemVerilog Preliminary SystemVerilog is an IEEE-approved (IEEE 1800-2005) [1] hardware description lan-guage It provides superior capabilities for system architec-ture design and verification
SystemVerilog has combined many of the best features ofboth VHDL and Verilog
Therefore on the one hand VHDL users will recognizemany of the SystemVerilog constructs such as enumeratedtypes records and multidimensional arrays On the otherhand Verilog users can reuse existing designs SystemVerilogis a superset of Verilog so no modification of existing Verilogcode is required
Generally the SystemVerilog language provides threeimportant benefits over Verilog
(1) Explicit design intentmdashSystemVerilog introduces sev-eral constructs that allow designers to explicitly statewhat type of logic should be generated
(2) Conciseness of expressionsmdashSystemVerilog includescommands that allow the users to specify designbehavior more concisely than previously possible
(3) High level design abstractionmdashThe SystemVeriloginterface construct facilitates intermodule communi-cation
Especially SystemVerilog provides special language con-structs and assertions to verify design behavior An assertionis a statement that a specific condition or sequence ofconditions in a design is true If the condition or sequenceis not true the assertion statement will generate an errormessage
Additionally one important capability in SystemVerilogis the ability to define assertions outside of Verilog modulesand then bind them to a specific module or module instanceThis feature allows test engineers to add assertions to existingVerilog models without having to change the model in anyway One of the goals of SystemVerilog assertions is to providea common semantic meaning for assertions so that they canbe used to drive various design and verification tools
In SystemVerilog there are two types of assertions
(1) Immediate Assertions Immediate assertions follow simu-lation event semantics for their execution and are executedlike a statement in a procedural block Immediate assertionsare primarily intended to be used with simulation andevaluate using simulation event-based semantics
(2) Concurrent Assertions Concurrent assertions are basedon clock semantics and use sampled values of variables Alltiming glitches (real or artificial due to delay modeling andtransient behavior within the simulator) are abstracted awayConcurrent assertions can be used in always block or initialblock as a statement or a module as a concurrent block or aninterface block as a concurrent block or a program block asa concurrent block
An example of a property using sequence and formalargument is shown below
property 119905119890119904119905 [(119903119890119902 119888 119886119888119896)]
(119901119900119904119890119889119892119890 119888119897119896)
119903119890119902 |minus gt 119888 1 119886119888119896
endproperty [ 119905119890119904119905]
Journal of Applied Mathematics 3
This property states that signal 119903119890119902 and then signal 119888
become high and signal 119886119888119896 will be high in the next cycleAs illustrated in this example a concurrent assertion
property in SystemVerilog will never be evaluated by itselfexcept when it is invoked by a verification statement There-fore the statement assert property 119905119890119904119905(119886 119887 119888) will causethe checker to perform assertion checking
Basically the verification statement in SVA has threeforms described as follows
(i) assert to specify the property as a checker to ensurethat the property holds for the design
(ii) assume to specify the property as an assumption forthe environment Simulators check that the propertyholds while formal tools use the information togenerate input stimulus The purpose of the assumestatement is to allow properties to be considered asassumptions for formal analysis as well as for dynamicsimulation tools
(iii) cover to monitor the property evaluation for cover-age
When a property is assumed the tools constrain theenvironment so that the property holds In simulationasserted and assumed properties are continuously verified toensure that the design or the testbench never violate them
In some tools the assumptions on the environment canbe used as sequential constraints on the DUT (device undertest) inputs in constrained-random simulation
These proofs are usually subject to other properties thatdescribe the assumed behavior of the environment usingassume property statements
22 Groebner Bases Preliminary Firstly we will recall someof the key notions of Groebner bases theory and symboliccomputation More detailed and elementary introduction tothis subject can be available in books such as those by Littleet al [10] or those by Becker and Weispfenning [11]
We begin by listing some general facts and establishingnotations
Let 119896 be an algebraically closed field and let 119896[1199091 119909
119899]
be the polynomial ring in variables 1199091 1199092 119909
119899with coeffi-
cient in 119896 under addition and multiplication of polynomialThe basic structure of polynomial rings is given in termsof subsets called ideals which is closed under addition andclosed under multiplication by any element of the ring
Here let 119868 sube 119896[1199091 119909
119899] be an ideal As we all know the
following theorem holds
Theorem 1 (Hilbert basis theorem) Every ideal 119868 sub 119896[1199091
119909119899] has a finite generating setThat is 119868 = ⟨119892
1 119892
119905⟩ for some
1198921 119892
119905isin 119868
Then by the Hilbert basis theorem there exist finitelymany polynomials 119891
1 119891
119898such that 119868 = ⟨119891
1 119891
119898⟩ A
polynomial 119891 sube 119896[1199091 119909
119899] defines a map 119891 119896
119899rarr 119896 via
evaluation (1198861 119886
119899) 997891rarr 119891(119886
1 119886
119899)
The set 119881(119868) = 119886 isin 119896119899
| forall119891 isin 119868 119891(119886) = 0 sube 119896119899 is called
the variety associated with 119868
If 1198811
= 119881(1198681) and 119881
2= 119881(119868
2) are the varieties defined
by ideals 1198681and 1198682 then we have 119881
1cap 1198812
= 119881(⟨1198681 1198682⟩) and
1198811cup1198812
= 119881(1198681times1198682) where 119868
1times1198682
= ⟨11989111198912
| 1198911
isin 1198681 1198912
isin 1198682⟩ If
1198681
= ⟨1198911 119891
119903⟩ and 119868
2= ⟨ℎ1 ℎ
119904⟩ then 119868
1times1198682
= ⟨119891119894times119892119895
|
1 le 119894 le 119903 1 le 119895 le 119904⟩Any set of points in 119896
119899 can be regarded as the varietyof some ideal Note that there will be more than one idealdefining a given variety For example the ideals ⟨119909
0⟩ and
⟨1199090 11990911199090
minus 1⟩ both define the variety 119881(1199090)
In order to perform verification we need to be able todetermine when two ideals represent the same set of pointsThat is to say we need a canonical representation for any idealGroebner bases can be used for this purpose
An essential ingredient for defining Groebner bases isa monomial ordering on a polynomial ring 119896[119909
1 119909
119899]
which allows us to pick out a leading term for any polynomial
Definition 2 (monomial ordering) A monomial ordering on119896[1199091 119909
119899] is any relation ≺ on 119885
119899
ge0 or equivalently any
relation on the set of monomials 119909120572 120572 isin 119885
119899
ge0 satisfying
(i) ≺ is a total (or linear) ordering on 119885119899
ge0
(ii) ≺ is a well-orderingThis means that every nonemptysubset of 119885
119899
ge0has a smallest element under ≺
(iii) for all 120574 isin 119885119899
ge0 120572 ≺ 120573 rArr 120572 + 120574 ≺ 120573 + 120574
Examples of monomial ordering include lexicographicorder graded lexicographic order and graded reverse lexico-graphic order
Definition 3 (lexicographic order) Let 120572 = (1205721 120572
119899) and
120573 = (1205731 120573
119899) isin 119885
119899
ge0 We say 120572≺lex120573 if in the vector
difference 120572 minus 120573 isin 119885119899 the leftmost nonzero entry is positive
We will write 119909120572≺lex119909120573 if 120572≺lex120573
Definition 4 (Groebner basis) Fix a monomial order A finitesubset 119866 = 119892
1 119892
119905 of an ideal 119868 is said to be a Groebner
basis (or standard basis) if ⟨119871119879(1198921) 119871119879(119892
119905)⟩ = ⟨119871119879(119868)⟩
Equivalently but more informally a set 1198921 119892
119905 sub 119868
is a Groebner basis of 119868 if and only if the leading term of anyelement of 119868 is divisible by one of the 119871119879(119892
119894)
In [12] Buchberger provided an algorithm for construct-ing a Groebner basis for a given idealThis algorithm can alsobe used to determinewhether a polynomial belongs to a givenideal
A reduced Groebner basis 119866 is a Groebner basis wherethe leading coefficients of polynomials in 119866 are all 1 and nomonomial of an element of 119866 lies in the ideal generated bythe leading terms of other elements of 119866 forall119892 isin 119866 and nomonomial of 119892 is in ⟨119871119879(119866 minus 119892)⟩
The important result is that for a fixed monomial order-ing any nonzero ideal has a unique reduced Groebner basisThe algorithm for finding a Groebner basis can easily beextended to output its reduced Groebner basis Thus we willhave a canonical symbolic representation for any ideal
4 Journal of Applied Mathematics
Inputs
Clock
Synchronous digital circuit
Outputs
FFs
Combinationallogic
Presentstates
Nextstates
Figure 1 Synchronous digital circuits model
Theorem 5 (the elimination theorem) Let 119868 sub 119896[1199091 119909
119899]
be an ideal and let 119866 be a Groebner basis of 119868 with respect tolexicographic order where 119909
1≻ 1199092
≻ sdot sdot sdot ≻ 119909119899 Then for every
0 le 119897 le 119899 the set
119866119897= 119866 cap 119896 [119909
119897+1 119909
119899] (1)
is a Groebner basis of the 119897th elimination ideal 119868119897
Theorem 6 Let 119866 be a Groebner basis for an ideal 119868 sub
119896[1199091 119909
119899] and let 119891 isin 119896[119909
1 119909
119899] Then 119891 isin 119868 if and
only if the remainder on division of 119891 by 119866 is zero denoted by119903119890119898119889(119891 119866) = 0
The property given in Theorem 6 can also be taken asthe definition of a Groebner basis Then we will get anefficient algorithm for solving the idealmembership problemAssuming that we know a Groebner basis 119866 for the idealin question we only need to compute the remainder withrespect to 119866 to determine whether 119891 isin 119868
In this paper we will then use the ideal or any basis forthe ideal as an efficient way of algebraization of system to beverified
3 System Modeling with Polynomial
31 Circuit Representation Model In this section we willsketch the underlying digital system model for simulationused in our work
Most modern circuit design is carried out within the syn-chronous model which simplifies reasoning about behaviorat the cost of strict requirements on clocking
As shown in Figure 1 a classical synchronous design iscomprised of combinatorial logic and blocks of registers witha global clock In a synchronous digital system the clocksignal is often regarded as simple control signal and usedto define a time reference for the movement of data withinthat system Combinational logic performs all the logicalfunctions in the circuit and it typically consists of logic gatesRegisters usually synchronize the circuitrsquos operation to theedges of the clock signal and are the only elements whichhave memory properties
The basic circuit model we used can be abstracted as thefollowing model
Definition 7 (synchronous circuit model) A synchronouscircuit model structure is a tuple
C = clk LAMux FFs IO where
(i) clk is a global synchronous clock signal(ii) L is a set of logical operation units(iii) A is a set of arithmetic operation units(iv) Mux is a set of multiplex units(v) FFs is a set of sequential units(vi) I is a set of primary input signals(vii) O is a set of primary output signals
In the following we will discuss polynomial represen-tation of a given circuit model Firstly let us retrospect theclassical circuit representation model
Traditionally Binary decision diagrams (BDD) [13] thefirst generation decision diagrams technique designed byAkers in 1978 acts as an efficient digital circuit representation(or Boolean functions) Recently the next generation ofdecision diagrams that is word-level decision diagrams(WLDD) [14] has considerably widened its expressivenessfor datapath operations due to processing of data in word-level format
Generally ROBDD or WLDD is mapped into hardwaredescription languages according to the following scheme
119865119906119899119888119905119894119900119899 (119888119894119903119888119906119894119905) lArrrArr 119872119900119889119890119897 119894119899 119877119874119861119863119863 | 119882119871119863119863 119891119900119903119898
(2)
Though the dimension of a decision diagram is exponen-tially bounded by the number of variables decision diagramsbased canonical data structure is very useful in many well-known verification methods
From the viewpoint of abstract symbolic computationthese decision diagrams based on representation for circuitsystems are not suitable any more Thus we will adopt analternative representation form based on polynomial setsinstead of decision diagrams according to the followingscheme
119865119906119899119888119905119894119900119899 (119888119894119903119888119906119894119905) lArrrArr 119885119890119903119900 119878119890119905 (119875119900119897119910119899119900119898119894119886119897 119878119890119905) (3)
As is well known given a monomial order there isprecisely one polynomial representation of a function
For convenience we introduce the following symbols foralgebraic representations
(1) Foranysymbolic (circuit unit signal sequence prop-erty etc) 119891 its algebraic representation form is de-noted by ⟦119891⟧
(2) If a running cycle 119905 is given its algebraic representa-tion form can be denoted by ⟦119891⟧
[119905]
(3) Furthermore if a time range [119898 sdot sdot sdot 119899] is specified itsalgebraic representation form can then be denoted by⟦119891⟧119896
[119905]or ⟦119891⟧
[119898sdotsdotsdot119899]
[119905]
Here 119905 denotes the current time and 119896 = (119899 minus 119898) denotestime steps
Journal of Applied Mathematics 5
Table 1 Polynomial model for arithmetic operation
Arithmetic operation Polynomial representation119910 = 119886 + 119887 ⟦+⟧ = (119910 minus 119886 minus 119887)
119910 = 119886 minus 119887 ⟦minus⟧ = (119910 minus 119886 + 119887)
119910 = 119886 lowast 119887 ⟦lowast⟧ = (119910 minus 119886 lowast 119887)
119910 = 119886119887 ⟦⟧ = (119910 lowast 119887 minus 119886)
Table 2 Polynomial model for logic operation
Arithmetic operation Polynomial representation119910 = NOT 119909 ⟦NOT⟧ = (1 minus 119909 minus 119910)
119910 = 1199091AND 119909
2⟦AND⟧ = (119909
1lowast 1199092
minus 119910)
119910 = 1199091OR 119909
2⟦OR⟧ = (119909
1+ 1199092
minus 1199091
lowast 1199092
minus 119910)
Cycle-based symbolic simulation will be performed onthe system model for verification Intuitively cycle-basedsymbolic simulation is a hybrid approach in the sense that thevalues that are propagated through the network can be eithersymbolic expressions or constant values It assumes that thereexists one unified clock signal in the circuit and all inputs ofthe systems remain unchanged while evaluating their valuesin each simulation cycleThe results of simulation report onlythe final values of the output signals or states in the currentsimulation cycle
The detailed simulation process can be described asfollows Firstly cycle-based symbolic simulation is initializedby setting the state of the circuit to the initial vector Each ofthe primary input signals will be assigned a distinct symbolicor a constant value Then at the end of a simulation step theexpressions representing the next-state functions generallyundergo a parametric transformation based optimizationAfter transformation the newly generated functions are usedas present state for the next state of simulation
32 Arithmetic and Logic Unit Modeling In this paper weonly focus on arithmetic unit for calculating fixed-point oper-ations For any arithmetic unit integer arithmetic operations(addition subtraction multiplication and division) can beconstructed by the polynomials in Table 1
The basic logic operations like ldquoANDrdquo ldquoORrdquo and ldquoNOTrdquocan be modeled by the following forms Their correspondingpolynomial representations [15] are specified as in Table 2
Furthermore we can extend the above rule to othercommon logic operators For example
119910 = 1199091
oplus 1199092
(or 119910 = 1199091XOR 119909
2)
997904rArr ⟦oplus⟧ = (119910 minus (1199091
+ 1199092
minus 1199091
lowast 1199092) lowast (1 minus 119909
1lowast 1199092))
(4)
For all bit level variables 119909119894
(0 le 119894 le 119899) a limitation ⟨119909119894lowast
119909119894minus 119909119894⟩ should be added
33 Branch Unit Modeling Basically multiway branch is animportant control structure in digital system It provides a setof condition bits 119887119894 (0 le 119894 le 119861) a set of target identifiers(0 119879 minus 1) and a mapping from condition bit values to
target identifiers This mapping takes the form of a conditiontree
For any binary signal119909 its value should be limited to 1 0
by adding 119909 lowast 119909 minus 119909
119910 = 119872119906119909 (1199090 1199091 119909
119899 119904)
119894 = 119904 997888rarr 119910 = 119909119894 (0 le 119894 le 119899)
997904rArr ⟦119872119906119909⟧ = ⟨
119910 minus
119899minus1
sum
119894=1
( prod
119895isin01119899minus1119894
((119904 minus 119895)
(119894 minus 119895)))
lowast119909119894
⟩
(5)
with prod119899minus1
119894=0(119904 minus 119894) = 0
34 Sequential Unit Modeling Each flip-flop (FF) in thecircuit can bemodeled as amultiplexerWehave the followingproposition to state this model
Proposition 8 For a 119863 flip-flop (1198631015840 is the next state) withan enable signal 119888 its equivalent combinational formal is 119910
1015840=
119872119906119909(119863 1198631015840 119904) 119894 = 119904 rarr 119910
1015840= 119909119894 (0 le 119894 lt 2 119909
0= 119863 119909
1=
1198631015840) whose polynomial algebraic model can be described as
⟦119865119865119904⟧ =
⟨(1199101015840minus 119863) lowast (119888
1015840minus 1) (119910
1015840minus 1198631015840) lowast 119888 (119910
1015840minus 119863) lowast (119910
1015840minus 1198631015840)⟩
(6)
or
⟨1199101015840minus 119863 lowast (119888
1015840minus 1) minus 119863
1015840lowast 1198881015840⟩ (7)
Proof Let 119863 be the current state and let 1199101015840 denote the next
state of the flip-flop When the signal 1198881015840 value is 0 1199101015840 has the
same value as 119863 so that the FF maintains its present statewhen the signal 119888
1015840 value is 1 1199101015840 takes a new value from the
1198631015840 input (where 119863
1015840 denotes the new value next state of theFF) Therefore we have the 2-value multiway branch modeland its polynomial set representation for FF
Proposition 9 Let 119863 be an FF model (1198631015840 is the next state)without enable signal then its equivalent combinational formalpolynomial algebraic model can be described as (1199101015840 minus 119863)
Proof Straightforward
35 Sequential Unrolling Generally for a sequential circuitC one time frame of a sequential circuit is viewed as a combi-national circuit in which each flip-flop will be converted intotwo corresponding signals a pseudo primary input (PPI) anda pseudo primary output (PPO)
Symbolical simulation of a sequential circuit for 119899 cyclescan be regarded as unrolling the circuit 119899 timesThe unrolledcircuit is still a pure combinational circuit and the 119894th copy ofthe circuit represents the circuit at cycle 119894 Thus the unrolledcircuit contains all the symbolic results from the 119899 cycles
6 Journal of Applied Mathematics
36 Indexed Polynomial Set Representation To illustrate thesequential modeling for a given cycle number clearly wedefine an indexed polynomial set representation for the 119894thcycle
Let 119909119894[119897]
(0 le 119894 le 119903) denote the input signals for the 119897thclock119898119894
[119897](0 le 119894 le 119904) the intermediate signals and 119910119894
[119897](0 le
119894 le 119905) the output signals We then have the following timeframe expansion model for the sequential circuit
119865119872 =
119899
⋃
119894=0
119865119872 [119894] (8)
where 119865119872[119894] = C(1199091[119894]
1198981[119894]
1198981[119894]
1199091[119894+1]
1198981[119894+1]
1199101[119894+1]
) denote the 119894th time frame modelTime frame expansion is achieved by connecting the
PPIs (eg 1199091[119894+1]
from 119865119872[119894 + 1]) of the time frame to thecorresponding PPOs (1199091
[119894+1]from 119865119872[119894]) of the previous
time frame
4 Sequence Depth Calculation
In this subsection we will discuss the important feature ofSVA time range and its signal constraint unrolled model
In SVA for each sequence the earliest time step for theevaluation and the latest time step should be determinedfirstlyThe sequence is then unrolled based on above informa-tion Finally the unrolled sequence will be performed usingalgebraization process
In [3] a time range calculating algorithm is providedHere we will introduce some related definition and specialhandling for our purpose
The following is the syntax definition for time range
41 Time Range
Definition 10 (time range syntax) The syntax of ldquotime rangerdquocan be described as follows
119888119910119888119897119890 119889119890119897119886119910 119888119900119899119904119905 119903119886119899119892119890 119890119909119901119903119890119904119904119894119900119899 =
119888119900119899119904119905119886119899119905 119890119909119901119903119890119904119904119894119900119899 119888119900119899119904119905119886119899119905 119890119909119901119903119890119904119904119894119900119899
| 119888119900119899119904119905119886119899119905 119890119909119901119903119890119904119904119894119900119899 $
Note that 119888119900119899119904119905119886119899119905 119890119909119901119903119890119904119904119894119900119899 is computed at compiletime and must result in an integer value and can only be 0or greater
In this paper we only focus on constant time range caseThus its form can be simplified as
(1) 119886[119898 119899]119887 (119898 119899 isin N and 119899 ge 119898 ge 0)
(2) 1198781[119898 119899]119878
2(119898 119899 isin N and 119899 ge 119898 ge 0)
Here 119886 119887 are signals and 1198781 1198782are sequences
Assume the starting time is cycle 119905 then we have thesequence (1) will start (119899 minus 119898 + 1) sequences of evaluationwhich are
119886 119898119887
119886 (119898 + 1)119887
119886(119899 minus 119898 + 1)119887 respectively
Their corresponding algebraic forms are
⟦119886119898119887⟧[119905]
= ⟦119886119905and 119887119905+1
⟧
⟦119886(119898 + 1)119887⟧[119905]
= ⟦119886119905and 119887119905+2
⟧
⟦119886(119899 minus 119898 + 1)119887⟧[119905]
= ⟦119886119905and 119887119905+119899minus119898+1
⟧
Thenwe have the equivalent form of above representationset as
⟦(119886119905and 119887119905+119898
) or sdot sdot sdot or (119886119905and 119887119905+119899
)⟧ (9)
42 Sequential Depth Calculation The time range of asequential is a time interval during which an operation or aterminal of a sequence has to be considered and is denoted bya closed bounded set of positive integers
119879 = [119897 sdot sdot sdot ℎ] = 119909 | 119897 le 119909 le ℎ (here 119909 119897 ℎ isin N) (10)
Furthermore the maximum of two intervals 1198791and 119879
2is
defined by max(1198791 1198792) = [max(119897
1 1198972) sdot sdot sdotmax(ℎ
1 ℎ2)]
In the samemanner the sum of two time ranges of1198791and
1198792is defined as
1198791
+ 1198792
= [(1198971
+ 1198972) sdot sdot sdot (ℎ
1+ ℎ2)] (11)
Definition 11 (maximum sequential depth) The maximumsequential depth of a SVA expression 119865 or a sequence writtenas 119889119890119901(119865) is defined recursively
(i) 119889119890119901(119886) = [1 sdot sdot sdot 1] if 119886 is a signal
(ii) 119889119890119901(not119886) = [1 sdot sdot sdot 1] if 119886 is a signal
(iii) 119889119890119901(119886119887) = 119889119890119901(119886) + 119889119890119901(119887) if 1198651 1198652are sequences
of SVA
(iv) 119889119890119901(1198651[119898 119899]119865
2) = 119889119890119901(119865
1) + 119889119890119901(119865
2) + [119898 sdot sdot sdot 119899]
if 1198651 1198652are sequences of SVA
(v) 119889119890119901(1198651and 119865
2) = max(119889119890119901(119865
1) 119889119890119901(119865
2)) if119865
11198652are
sequences of SVA
(vi) 119889119890119901(1198651or 1198652) = max(119889119890119901(119865
1) 119889119890119901(119865
2)) if 119865
1 1198652are
sequences of SVA
(vii) 119889119890119901(1198651intersect 119865
2) = 119889119890119901(119865
1) + 119889119890119901(119865
2) minus 1 if 119865
1
1198652are sequences of SVA
(viii) 119889119890119901(119865[119899]) = 119899 lowast 119889119890119901(119865) if 119865 is a sequence of SVA
Journal of Applied Mathematics 7
[23]
e And [46]
[12] [23]
a b c d
[35] [35] [46][46]
[00]
Figure 2 Sequence depth parsing tree
For example the following sequence is used to illustratehow to calculate the sequence depth
sequence
119890 [2 sdot sdot sdot 3] ((119886[1sdot sdot sdot 2]119887) and (119888 [1 sdot sdot sdot 2] 119889))
endsequence
Figure 2 shows the binary parsing tree for calculatingsequence depth of this sequence The box denotes operatorand cycle denotes signal node in the syntax tree
Firstly consider the top layer of the parsing tree andthe sequence [2 sdot sdot sdot 3] Here because the first operand 119890
is a terminal of the sequence thus this operand becomesrelevant at time step 0 only (119879
1st = [0 sdot sdot sdot 0]) Since the intervalhas to be considered the second operand (the subtree ofldquoandrdquo)matches 2 or 3 time steps laterTherefore calculating isrecursively performed with 119879 = [0 sdot sdot sdot 0] + [2 sdot sdot sdot 3] = [2 sdot sdot sdot 3]
for the second operandSimilarly we can have the sequence depth of the whole
sequence and all its subsequences as denoted in the figure
5 SVA to Polynomial Set Translation
As mentioned previously SystemVerilog assertions are anintegral component of SystemVerilog and provide two kindsof assertions immediate assertions and concurrent asser-tions
In this section we only discuss concurrent assertions andtheir temporal layer representation model
Concurrent assertions express functional design intentand can be used to express assumed input behavior expectedoutput behavior and forbidden behavior That is assertionsdefine properties that the design must meet Many prop-erties can be expressed strictly from variables available inthe design while properties are often constructed out ofsequential behaviors
Thus we will firstly discuss the basic algebraizationprocess for the sequential behavior model
51 Algebraization Process Theproperties written in SVAwillbe unrolled and checked against the design for bounded timesteps in our method Note that only a constrained subset ofSVA can be supported by our method (unspecified upperbound time range and first-match operator are excluded)
Firstly we translate the properties described by theconstrained subset of SVA into flat sequences according tothe semantics of each supported operator
Asmentioned in [16] the total set of SVA is divided into 4subgroups namely simple sequence expression (SSE) inter-val sequence expression (ISE) complex sequence expression(CSE) and unbounded sequence expression (USE) Here inour method these groups can only be partly supported
Therefore we define the following sequence expressionsby adding further conditions
(i) Constrained simple sequence expression (CSSE) isformed by Boolean expression repeat operator andcycle delay operator
(ii) Constrained interval sequence expression (CISE) isa super set of CSSE formed by extra time rangeoperators
(iii) Constrained complex sequence expression is a superset of CSSE and CISE containing operators or andintersection
Secondly the unrolled flat sequences will be added totemporal constraints to form proportional formulas withlogical connectives (or and and not)
Finally the resulted proportional formulas will be trans-lated into equivalent polynomial set
Then the verification problem is reduced to proving zeroset inclusion relationship which can be resolved by Groebnerbases approaches
52 Boolean LayerModeling TheBoolean layer of SVA formsan underlying basis for the whole assertion architecturewhich consists of Boolean expressions that hold or do nothold at a given cycle
In this paper we distinguish between signal logic valuesand truth logic values That is for a truth logic statementabout a given property its truth can be evaluated to 119905119903119906119890 or119891119886119897119904119890 But for a signal when primary inputs are symbolicvalues its signal logic value may not be evaluated as ℎ119894119892ℎ or119897119900119908
Therefore we have the following definition for signallogic
Definition 12 (signal logic) In digital circuit systems signallogic (SL for short) is defined as
(i) if a signal119909 is active-high (119867 for short) then its signalvalue is defined as 1
(ii) if a signal 119909 is active-low (119871 for short) then its signalvalue is defined as 0
8 Journal of Applied Mathematics
Definition 13 (symbolic constant) A symbolic constant is arigid Boolean variable that forever holds the same BooleanvalueThe notion of symbolic constant was firstly introducedin STE [17] for two purposes
(1) to encode an arbitrary Boolean constraints among aset of circuit nodes in a parametric form
(2) to encode all possible scalar values for a set of nodes
Assume 119867 denotes a symbolic constant for signal logicand 119867 denotes its negative form if 119867 denotes ℎ119894119892ℎ then 119867
will be 119897119900119908Consider (119903119890119902==119867) and (119886119888119896==119867) as an example
According to our definitions 119903119890119902 and 119886119888119896 are signals belong-ing to signal logic while both (119903119890119902==119867) and (119886119888119896==119867) are oftruth logic
For example assertion (119886[15 0] == 119887[15 0]) is also avalid Boolean expression stating that the 16-bit vectors 119886[15
0] and 119887[15 0] are equalIn SVA the following are valid Boolean expressions
(i) 119886119903119903119886119910119860 == 119886119903119903119886119910119861
(ii) 119886119903119903119886119910119860 = 119886119903119903119886119910119861
(iii) 119886119903119903119886119910119860[119894] gt= 119886119903119903119886119910 119861[119895]
(iv) 119886119903119903119886119910119861[119894][119895+ 2] == 119886119903119903119886119910119860[119896][119898minus 2]
(v) (119886119903119903119886119910119860[119894]amp(119886119903119903119886119910119861[119895])) == 0
Since the state of a signal variable can be viewed as a zeroof a set of polynomials We have the following
(1) For any signal 119909 holds at a given time step 119894 thus thestate of 119909 == 1 (119909 is active-high at cycle 119894) can berepresented by polynomial 119909
[119894]minus 1
(2) Alternatively the state of 119909 == 0 (119909 is active-low atcycle 119894) can be represented by polynomial 119909
[119894]
(3) Symbolically the state of 119909 == 119867 (119909 is active-high 119867
at the 119894th cycle) can be modeled as 119909[119894]
minus 119867
53 Sequence Operator Modeling Temporal assertions definenot only the values of signals but also the relationshipbetween signals over time The sequences are the buildingblocks of temporal assertions and can express a set of linearbehavior lasting for one or more cycles These sequences areusually used to specify and verify interface and bus protocols
A sequence is a regular expression over the Booleanexpressions that concisely specifies a set of linear sequencesThe Boolean expressions must be true at those specific clockticks for the sequence to be true over time
SystemVerilog provides several sequence compositionoperators to combine individual sequences in a variety ofways that enhance code writing and readability which canconstruct sequence expressions from Boolean expressions
In this paper throughout operator [1 $] operator andthe first match operator are not supported by our method
SystemVerilog defines a number of operations that canbe performed on sequences The sequence compositionoperators in SVA are listed as follows
Definition 14 (sequence operator)
119877 = 119887ldquoBoolean expressionrdquo form
| (1 V = 119890) ldquolocal variable samplingrdquo form| (119877) ldquoparenthesisrdquo form| (11987711 119877
2) ldquoconcatenationrdquo form
| (11987710 119877
2) ldquofusionrdquo form
| (1198771or 1198772) ldquoorrdquo form
| (1198771intersect 119877
2) ldquointersectrdquo form
| first match (119877) ldquofirst matchrdquo form| 119877[lowast0] ldquonull repetitionrdquo form| 119877[lowast1 $] ldquounbounded repetitionrdquo form| [lowast] [=] [minus gt] ldquorepetitionrdquo repeater| throughoutspecifying a Boolean expression musthold throughout a sequence| withinspecifying conditions within a sequence
The resulted sequences constructed by operators are thenused in properties for use in assertions and covers
531 Cycle Delay Operator In SystemVerilog the con-struct is referred to as a cycle delay operator
ldquo1rdquo and ldquo0rdquo are concatenation operators the formeris the classical regular expression concatenation the latter isa variant with one-letter overlapping
A 119899 followed by a number 119899 or range specifies the 119899
cycles delay from the current clock cycle to the beginning ofthe sequence that follows
(1) Fixed-length Casesequence fixs
119886119899119887
endsequencerArr ⟦119891119894119909119904⟧ = ⟦119886⟧
119905 ⟦119887⟧119905+119899
(2) Time-range Casesequence 119905119898119904
119886[119898 sdot sdot sdot 119899]119887
endsequencerArr ⟦119905119898119904⟧ = ⟦119886⟧
[119905] ⟦119887⟧119898
[119905] or sdot sdot sdot or ⟦119886⟧
[119905] ⟦119887⟧119899
[119905]
532 Intersect Operator The two operands of intersectoperator are sequences The requirements for match of theintersect operation are as follows
(i) Both operands must match(ii) The lengths of the two matches of the operand
sequences must be the same
Journal of Applied Mathematics 9
1198771intersect 119877
2
1198771starts at the same time as 119877
2 the intersection will
match if 1198771 starting at the same time as 119877
2 matches at the
same time as 1198772matches
Therefore we have
⟦1198771intersect 119877
2⟧ = ⟦119877
1⟧119889119890119901(119877
1)
[119905]and ⟦1198772⟧119889119890119901(119877
2)
[119905] (12)
The sequence length matching intersect operator con-structs a sequence like the and nonlength matching operatorexcept that both sequences must be completed in same cycle
533 and Operator 1198771and 119877
2
This operator states that 1198771starts at the same time as 119877
2
and the sequence expression matches with the later of 1198771and
1198772matching This binary operator and is used when both
operands are expected to match but the end times of theoperand sequences can be different
That is 1198771and 119877
2denotes both 119877
1and 119877
2holds for the
same number cycles Then the matches of 1198771and 119877
2must
satisfy the following
(i) The start point of the match of 1198771must be no earlier
than the start point of the match of 1198772
(ii) The end point of thematch of1198771must be no later than
the end point of the match of 1198772
The sequence nonlength matching and operator con-structs a sequence in which two sequences both hold at thecurrent cycle regardless of whether they are completed in thesame cycle or in different cycles
⟦1198771and 119877
2⟧ 997904rArr
ℎ1
⋁
119894=1198971
ℎ2
⋁
119895=1198972
(⟦1198771⟧119894
[119905] and ⟦119877
2⟧119895
[119905]) (13)
Here 119897119894= 119889119890119901(119877
119894) sdot 119897 ℎ
119894= 119889119890119901(119877
119894) sdot ℎ and 0 lt 119894 le 2
534 or Operator 1198771or 1198772
The sequence or operator constructs a sequence in whichone of two alternative sequences hold at the current cycleThus the sequence (1198861119887) or (1198881119889) states that eithersequence 119886 119887 or sequence 119888 119889 would satisfy the assertion
⟦1198771or 1198772⟧ 997904rArr
ℎ1
⋁
119894=1198971
ℎ2
⋁
119895=1198972
(⟦1198771⟧119894
[119905] or ⟦119877
2⟧119895
[119905]) (14)
Here 119897119894= 119889119890119901(119877
119894) sdot 119897 ℎ
119894= 119889119890119901(119877
119894) sdot ℎ and 0 lt 119894 le 2
535 Local Variables SystemVerilog provides a feature bywhich variables can be used in assertions The user candeclare variables local to a property This feature is highlyuseful in pipelined designs where the consequent occur-rence might be many cycles later than their correspondingantecedents
Local variables are optional and local to properties Theycan be initialized assigned (and reassigned) a value operatedon and compared to other expressions
The syntax of a sequence declaration with a local variableis shown below
119904119890119902119906119890119899119888119890 119889119890119888119897119886119903119886119905119894119900119899 =
sequence 119904119890119902119906119890119899119888119890 119894119889119890119899119905119894119891119894119890119903[([119905119891 119901119900119903119905 119897119894119904119905])]
119886119904119904119890119903119905119894119900119899 V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899
119904119890119902119906119890119899119888119890 119890119909119901119903
endsequence [ 119904119890119902119906119890119899119888119890 119894119889119890119899119905119894119891119894119890119903]
The property declaration syntax with a local variable canbe illustrated as follows
119901119903119900119901119890119903119905119910 119889119890119888119897119886119903119886119905119894119900119899 =
property 119901119903119900119901119890119903119905119910 119894119889119890119899119905119894119891119894119890119903[([119905119891 119901119900119903119905 119897119894119904119905])]
119886119904119904119890119903119905119894119900119899V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899
119901119903119900119901119890119903119905119910 119904119901119890119888
endproperty [ 119901119903119900119901119890119903119905119910 119894119889119890119899119905119894119891119894119890119903]
The variable identifier declaration syntax of a local vari-able can be illustrated as follows
119886119904119904119890119903119905119894119900119899 V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899 =
V119886119903 119889119886119905119886 119905119910119901119890 119897119894119904119905 119900119891 V119886119903119894119886119887119897119890 119894119889119890119899119905119894119891119894119890119903119904
The dynamic creation of a variable and its assignment isachieved by using the local variable declaration in a sequenceor property declaration and making an assignment in thesequence
Thus local variables of a sequence (or property) may beset to a value which can be computed from a parameter orother objects (eg arguments constants and objects visibleby the sequence (or property))
For example a property of a pipeline with a fixed latencycan be specified below
property 119897119886119905119890119899119888119910119894119899119905 119909(V119886119897119894119889 119894119899 119909 = 119901 119894119899)|minus gt 3(119901 119900119906119905 == (119909 + 1))
endproperty
This property e is evaluated as followsWhen V119886119897119894119889 119894119899 is true 119909 is assigned the value of 119901 119894119899 If 3
cycles later 119901 119900119906119905 is equal to 119909 + 1 then property 119897119886119905119890119899119888119910 istrue Otherwise the property is false When V119886119897119894119889 119894119899 is falseproperty 119897119886119905119890119899119888119910 is evaluated as true
For the algebraization of SVA properties with localvariables in our method these local variables will be takenas common signal variables (symbolic constant) without anysequential information
Thus we have the polynomial set representation forproperty 119897119886119905119890119899119888119910
⟦119897119886119905119890119899119888119910⟧[119905]
=
(V119886119897119894119889 119894119899[119905]
minus 1)(119909 minus 119901 119894119899
[119905])
(119901 119900119906119905[119905+3]
minus (119909 + 1))
10 Journal of Applied Mathematics
536 Repetition Operators SystemVerilog allows the userto specify repetitions when defining sequences of BooleanexpressionsThe repetition counts can be specified as either arange of constants or a single constant expression
Nonconsecutive repetition specifies finitely many itera-tive matches of the operand Boolean expression with a delayof one or more clock ticks from one match of the operandto the next successive match and no match of the operandstrictly in between The overall repetition sequence matchesat or after the last iterative match of the operand but beforeany later match of the operand
The syntax of repetition operator can be illustrated asfollows
119899119900119899 119888119900119899119904119890119888119906119905119894V119890 119903119890119901 = [= 119888119900119899119904119905 119900119903 119903119886119899119892119890 119890119909119901119903] (15)
The number of iterations of a repetition can be specifiedby exact count
For example a sequence with repetition can be defined as
119886 |=gt 119887 [= 3] 1 119888 (16)
The sequence expects that 2 clock cycles after the validstart signal ldquo119887rdquo will be repeated three times
We have ⟦119877[= 119899]⟧ = ⋁119899
119894=0(⟦119877⟧
119894lowast119889119890119901(119877)
[119905])
54 Property OperatorModeling In general property expres-sions in SVA are built using sequences other sublevel proper-ties and simple Boolean expressions via property operators
In SVA a property that is a sequence is evaluated as trueif and only if there is a nonempty match of the sequenceA sequence that admits an empty match is not allowed as aproperty
The success of assertion-based verification methodologyrelies heavily on the quality of properties describing theintended behavior of the design Since it is a fairly newmethodology verification and design engineers are oftenfaced with a question of ldquohow to identify good propertiesrdquo fora design It may be tempting to write properties that closelyresemble the implementation
Properties we discussed in this paper can be classified as
(1) Design Centric Design centric properties represent asser-tions added by the RTL designers to characterize whitebox design attributes These properties are typically towardsFSMs localmemories clock synchronization logic and otherhardware-related designs The design should conform to theexpectations of these properties
(2) Assumption Centric Assumption centric properties rep-resent assumptions about the design environment They areused in informal verification to specify assumptions about theinputs The assume directive can inform a verification tool toassume such a condition during the analysis
(3) RequirementVerification Centric Many requirementproperties are best described using a ldquocause-to-effectrdquo stylethat specifies what should happen under a given conditionThis type of properties can be specified by implication
operator For example a handshake can be described as ldquoifrequest is asserted then acknowledge should be assertedwithin 5 cyclesrdquo
In general property expressions are built using sequen-ces other sublevel properties and simple Boolean expres-sions
These individual elements are combined using propertyoperators implication NOT ANDOR and so forth
The property composition operators are listed as follows
Definition 15 (property operator)
119875 = 119877lowast ldquosequencerdquo form lowast
|(119875)lowast ldquoparenthesisrdquo form lowast
|not 119875lowast ldquonegationrdquo form lowast
|(1198751or 1198752)lowast ldquoorrdquo form lowast
|(1198751and 119875
2)lowast ldquoandrdquo form lowast
|(119877|minus gt 119875) |(119877| =gt 119875)lowast ldquoimplicationrdquo form lowast
|disable iff(119887) 119875lowast ldquoresetrdquo form lowast
Note that disable if and only if will not be supportedin this paper Property operators construct properties out ofsequence expressions
541 Implication
Operators The SystemVerilog implication operator supportssequence implication and provides two forms of implicationoverlapped using operator |minus gt and nonoverlapped usingoperator | =gt respectively
The syntax of implication is described as follows
119904119890119902119906119890119899119888119890 119890119909119901119903 | minus gt 119901119903119900119901119890119903119905119910 119890119909119901119903
119904119890119902119906119890119899119888119890 119890119909119901119903 | =gt 119901119903119900119901119890119903119905119910 119890119909119901119903
(17)
The implication operator takes a sequence as its anteced-ent and a property as its consequent Every time the sequencematches the property must hold Note that both the runningof the sequence and the property may span multiple clockcycles and that the sequence may match multiple times
For each successful match of the antecedent sequencethe consequence sequence (right-hand operand) is sepa-rately evaluated beginning at the end point of the matchedantecedent sequence All matches of antecedent sequencerequire a match of the consequence sequence
Moreover if the antecedent sequence (left hand operand)does not succeed implication succeeds vacuously by return-ing true For many protocol related assertions it is importantto specify the sequence of events (the antecedent or cause)that must occur before checking for another sequence (theconsequent or effect) This is because if the antecedent doesnot occur then there is no need to perform any furtherverification In hardware this occurs because the antecedentreflects an expression that when active triggers something tohappen
Journal of Applied Mathematics 11
A property with a consequent sequence behaves as if theconsequent has an implication first-match applied to it
542 NOT
Operator The operator NOT 119901119903119900119901119890119903119905119910 119890119909119901119903 states that theevaluation of the property returns the opposite of the eval-uation of the underlying 119901119903119900119901119890119903119905119910 119890119909119901119903
543 AND
Operator The formula ldquo1198751AND 119875
2rdquo states that the property
is evaluated as true if and only if both 1198751and 1198752are evaluatd
as true
544 OR
Operator The operator ldquo1198751OR 119875
2rdquo states that the property is
evaluated as true if and only if at least one of 1198751and 119875
2is
evaluated as true
545 IF-ELSE
Operator This operator has two valid forms which are listedas follows
(1) IF (119889119894119904119905) 1198751
A property of this form is evaluated as true if and only ifeither 119889119894119904119905 is evaluated as false or 119875
1is evaluated as true
(2) IF (119889119894119904119905) 1198751ELSE 119875
2
A property of this form is evaluated as true if and only ifeither 119889119894119904119905 is evaluated as true and 119875
1is evaluated as true or
119889119894119904119905 is evaluated as false and 1198752is evaluated as true
From previous discussion we have the following propo-sition for property reasoning
Proposition 16 Assume that1198751198751 and119875
2are valid properties
in SVA the following rules are used to construct the correspond-ing verification process Here 119860119904119904119862ℎ119896(119872119900119889119890119897 119875119903119900119901119890119903119905119910)
ture false is a self-defined checking function that can deter-mine whether a given ldquo119875119903119900119901119890119903119905119910rdquo holds or not with respect toa circuit model ldquo119872119900119889119890119897rdquo
(1) 1198751OR 119875
2rArr 119860119904119904119862ℎ119896(119872 ⟦119875
1⟧) or 119860119904119904119862ℎ119896(119872 ⟦119875
2⟧)
(2) 1198751AND 119875
2rArr 119860119904119904119862ℎ119896(119872 ⟦119875
1⟧)and119860119904119904119862ℎ119896(119872 ⟦119875
2⟧)
(3) NOT 119875 rArr not119860119904119904119862ℎ119896(119872 ⟦119875⟧)
(4) IF (119889119894119904119905) 1198751
rArr not119860119904119904119862ℎ119896(119872 119889119894119904119905) or 119860119904119904119862ℎ119896(119872
⟦1198751⟧)
(5) IF (119889119894119904119905) 1198751ELSE 119875
2rArr (119860119904119904119862ℎ119896(119872 119889119894119904119905)and119860119904119904119862ℎ119896
(119872 ⟦1198751⟧))or(not119860119904119904119862ℎ119896(119872 119889119894119904119905)and119860119904119904119862ℎ119896(119872 ⟦119875
2⟧))
(6) 119878 | minus gt 119875 rArr if (not119860119904119904119862ℎ119896(119872 ⟦119878⟧))119903119890119905119906119903119899 true else(119860119904119904119862ℎ119896(119872 ⟦119878⟧
[119905]) and 119860119904119904119862ℎ119896(119872 ⟦119875⟧
dep(119875)[119905+dep(119878)minus1]))
(7) 119878 |=gt 119875 rArr if(not119860119904119904119862ℎ119896(119872 ⟦119878⟧))119903119890119905119906119903119899 true else(119860119904119904119862ℎ119896(119872 ⟦119878⟧
[119905]) and 119860119904119904119862ℎ119896(119872 ⟦119875⟧
dep(119875)[119905+dep(119878)]))
6 Verification Algorithm
In this section we will describe how an assertion is checkedusing Groebner bases approach Firstly we will discussa practical algorithm using Groebner bases for assertionchecking
61 Basic Principle As just mentioned our checking methodis based on algebraic geometry which is the study of thegeometric objects arising as the common zeros of collectionsof polynomials Our aim is to find polynomials whosezeros correspond to pairs of states in which the appropriateassignments are made
We can regard any set of points in 119896119899 as the variety of some
ideal We can then use the ideal or any basis for the ideal as away of encoding the set of points
From Groebner Bases theory [10 12] every nonzero ideal119868 sub 119896[119909
1 119909
119899] has a Groebner basis and the following
proposition evidently holds
Proposition 17 Let 119862 and 119878 be polynomial sets of 119896[1199091
119909119899] and ⟨119866119878⟩ a Groebner basis for ⟨119878⟩ and then we have that
⟨119862⟩ sube ⟨119878⟩ hArr forall119888 isin 119862 119903119890119898119889(119888 119866119878) == 0 holds
Theorem 18 Suppose that 119860(⟦119860⟧ = 1198861 1198862 119886
119903) is a
property to be verified 119879 is the initial preconditions of 119862 and119872 is a system model to be checked Let ⟦119879⟧ and ⟦119872⟧ bethe polynomial set representations for 119879 and 119872 respectivelyconstructed by previous mentioned rules Let 119867 = ⟦119879 cup 119872⟧ =
ℎ1 ℎ2 ℎ
119904 sube 119896[119909
1 119909
119899] 119868 = ⟨119867⟩ (where ⟨119867⟩ denotes
the ideal generated by 119867) and 119866119861119867
= 119892119887119886119904119894119904(119867 ≺) then wehave
( (1 notin 119866119861119867
) and 119903119890119898119889 (119862 119866119861119867
) == 0)
lArrrArr ((1 notin 119866119861119867
) and119903
⋀
119894=0
(119903119890119898119889 (119892119894 119866119861119867
) == 0))
lArrrArr (119872 |= 119860) holds
(18)
Proof (1) The polynomial set ⟦119872⟧ of system model 119872
describes the data-flow relationship that inputs outputs andfunctional transformation should meet The initial condition⟦119872⟧ can be seen as extra constraint applied by users Thereshould not exist contradiction between them that is thepolynomial equations of ⟦119879 cup 119872⟧ must have a commonsolution
ByHilbertrsquos Nullstellensatz theory if we have polynomials⟦119879 cup 119872⟧ = 119891
1 119891
119904 isin 119896[119909
1 119909
119899] we compute a
reducedGroebner basis of the ideal they generatewith respectto any ordering If this basis is 1 the polynomials have nocommon zero in 119896
119899 if the basis is not 1 they must have acommon zero
Therefore (1 notin 119866119861119867
) should hold(2) Evidently by previous proposition it is easy to have
that 119903119890119898119889(119862 119866119861119867
) == 0 should holdThus we have that this theorem holds
12 Journal of Applied Mathematics
Input(1) circuit model 119872(2) initial condition 119879(3) an assertion 119860Output Boolean 119905119903119906119890 or 119891119886119897119904119890BEGIN
lowastStep 1 initialize input signals via testbench lowast(00) 119868119899119894119905119878119894119892119899119886119897119904()(01) M = 0PS
119860= 0 119867 = 0PS
119879= 0
lowastStep 2 build polynomial model lowast(02) M = ⟦119872⟧ = 119861119906119894119897119889PS(119872)
lowastStep 3 build polynomial set for initial condition 119879lowast
(03) 119875119878119879
= ⟦119879⟧ = 119861119906119894119897119889PS(119879)lowastStep 4 build polynomial set for consequentA lowast
(04) 119875119878119860
= ⟦119860⟧ = 119861119906119894119897119889PS(119860)lowastStep 5 calculate the PS
119879cup Mlowast
(05) 119867 = PST cup MlowastStep 6 calculate the Groebner base of ⟨119867⟩
lowast(06) GB
119867= 119892basis(119867 ≺)
lowastStep 7 determine the basis is 1 or not lowast(07) if(1 isin GB
119867)
(08) return 119891119886119897119904119890 lowastStep 8 check every polynomial lowastlowast119860 = 119886
1 1198862 119886
|119860|lowast
(09) 119894 = 1(10) 119908ℎ119894119897119890(119894 le |119860|)
(11) if(119903119890119898119889(⟦119886119894⟧ GB
119867) = 0)
(12) return 119891119886119897119904119890 (13) i++(14) lowast endwhile lowast(15) return 119905119903119906119890 lowast Assertion does hold lowastEND
Algorithm 1 ldquo119860119904119904119862ℎ119896119875119900119897119910119861119906119894119897119889(119872 119879 119860)rdquo
62 Checking Algorithm For simplicity in this section weonly provide the key decision algorithm
Firstly the original system model is transformed into anormal polynomial representation and the assertion as wellThen calculate the hypothesis set and its Groebner basisusing the Buchberger algorithm [18] and their eliminationideals Finally examine the inclusion relationship betweenelimination ideals to determine whether the assertion to bechecked holds or not
From above discussion we have the following processsteps and detailed algorithm description Algorithm 1
For convenience we can derive another version checkingprocedure named ldquo119860119904119904119862ℎ119896(⟦119872⟧ ⟦119860⟧)rdquo which can acceptpolynomial representations as inputs without explicit poly-nomial construction process
Further by applying Theorem 18 and the checking algo-rithm ldquo119860119904119904119862ℎ119896(⟦119872⟧ ⟦119860⟧)rdquo we can easily verify all sup-ported properties written in SVA
7 An Example
In this section we will study a classical circuit to show howSVA properties are verified by polynomial representation andalgebra computation method
Consider the Johnson counter circuit in Figure 3 Johnsoncounters can provide individual digit outputs rather than a
3 2 1
m1m2m3
m4clk
And
Andy
Figure 3 Johnson counter
Table 3 Table of Johnson counter output
Counter (clock) V3(1198983) V2(1198982) V1(1198981)
0 0 0 01 1 0 02 1 1 03 0 1 14 0 0 15 0 0 0
binary or BCD output as shown in Table 3 Notice that eachlegal count may be defined by the location of the last flip-flopto change states and which way it changed state
71 Algebraization of Circuit and Assertion Johnson counterprovides individual digit outputs as shown in Table 3
The polynomial set for Johnson counter circuit in Figure 3can be constructed as follows
119878119890119905adder = 1198911 = 11989831015840minus 1198984 1198912 = 1198982
1015840minus 1198983
1198913 = 11989811015840minus 1198982
1198914 = 1198984 minus (1 minus 1198981) lowast (1 minus 1198982)
1198915 = 119910 minus 1198981 lowast (1 minus 1198982)
(19)
where 11989811015840 denotes the next state of 1198981 For the 119894th cycle we
use 1199091[119894]to denote variable name in current cycle
Similarly another Johnson counter circuit with an erroris shown in Figure 4 the corresponding polynomial set canbe described by
119878119890119905adder = 1198911 1198912 1198913
11989141015840
= 1198984 + 1198981 + 1198982
minus (1 minus 1198981) lowast (1 minus 1198982) 1198915
(20)
Journal of Applied Mathematics 13
3 2 1
m1m2m3
m4clk
Or
Andy
Figure 4 Johnson counter with error
To illustrate the problem clearly we define polynomial setrepresentation 119875119872[119894] for 119894th cycle as follows
119875119872 [119894] = 1198983[119894+1]
minus 1198984[119894]
1198982[119894+1]
minus 1198983[119894]
1198981[119894+1]
minus 1198982[119894]
1198984[119894]
minus (1 minus 1198982[119894]
) lowast (1 minus 1198981[119894]
)
119910 minus 1198981[119894]
lowast (1 minus 1198982[119894]
)
(21)
Support that the circuit will run 6 cycles for verificationtherefore we have 119875119872 = ⋃
5
119894=0119875119872[119894]
For any Boolean variable 119886 we will add an extra con-straint 119886lowast119886minus119886Thus we define the corresponding constraintsset as follows 119862119873119878[119894] = 119888
[119894]lowast 119888[119894]
minus 119888[119894]
119888 isin 1198981 1198982 1198983 1198984
119910In the same manner we have 119862119873119878 = ⋃
5
119894=0119862119873119878[119894]
The sequential property for this counter circuit can bespecified by the following SystemVerilog assertions
property 119869119862119875119860
(1198983 = 0 ampamp 1198982 = 0 ampamp 1198981 = 0)
| =gt 1(1198983 == 1 ampamp 1198982 == 0 ampamp 1198981 == 0)
| =gt 2(1198983 == 1 ampamp 1198982 == 1 ampamp 1198981 == 0)
| =gt 3(1198983 == 0 ampamp 1198982 == 1 ampamp 1198981 ==
1)
endpropertyproperty 1198691198621198751
(119888119897119896)(1198981 == 0)| =gt 2 (1198981 == 0)
endpropertyproperty 1198691198621198752
(119888119897119896)(1198982 == 0)| =gt 2 (1198982 == 1)
endpropertyproperty 1198691198621198753
(119888119897119896)(1198983 == 0)| =gt 2 (1198983 == 1)
endproperty
Table 4 Polynomial forms
Name Precondition Expected consequent
JCPA
1198981[0]
1198982[0]
1198983[0]
cycle 1 1198981[1]
minus 1 1198982[1]
1198983[1]
cycle 2 1198981[2]
minus 1 1198982[2]
minus 1 1198983[2]
cycle 3 1198981[3]
1198982[3]
minus 1 1198983[3]
minus 1
JCP1 1198981[0]
1198981[2]
JCP2 1198982[0]
1198982[2]
minus 1
JCP3 1198983[0]
1198983[2]
minus 1
We will afterwards demonstrate the verification processstep by step
The circuit model to be verified is as shown below
119878119872 = 119875119872 cup 119862119873119878 (22)
The property of this counter can be specified as thefollowing SVA assertion
assert property (1198691198621198751)
assert property (1198691198621198752)
The Algebraization form of the above properties can bemodeled as in Table 4
72 Experiment Using Maple We run this example by usingMaple 13 Before running we manually translated all modelsinto polynomials The experiment is performed on a PC witha 240GHz CPU (intel i5M450) and 1024MB of memoryIt took about 004 seconds and 081MB of memory whenapplying Groebner method
[gtwith(Groebner)[gt 119862119872 = sdot sdot sdot
lowastCircuit Modellowast[gt 119879119863119864119866 = 119905119889119890119892(
1198981[0] 1198982[0] 1198983[0] 1198984[0]
1198981[1] 1198982[1] 1198983[1] 1198984[1]
1198981[2] 1198982[2] 1198983[2] 1198984[2]
1198981[3] 1198982[3] 1198983[3] 1198984[3]
1198981[4] 1198982[4] 1198983[4] 1198984[4]
119910[0] 119910[1] 119910[2] 119910[3]
)
[gt 119862119866119861 = 119861119886119904119894119904(119862119872 119879119863119864119866)
Thus we can have the Groebner basis as follows
[gt [1199101[3]
1199101[2]
1199101[1]
1199101[1]
1198983[4]
1198982[4]
1198981[4]
minus 1 1198984[3] 1198983[3] 1198982[3]
minus 1 1198981[3]
minus 11198984[2] 1198983[2]
minus 1 1198982[2]
minus 1 1198981[2] 1198984[1]
minus 11198983[1]
minus 11198982[1] 1198981[1] 1198984[0]
minus 1 1198983[0] 1198982[0] 1198981[0]
]
[gt 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983[1]
minus 1 119862119866119861 119879119863119864119866)
[gt 119903119890119905 = 0
14 Journal of Applied Mathematics
Table 5 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862119866119861
080M 002 S0
Yes1198982[1]
1 notin 119862119866119861 0
1198983[1]
minus 1 1 notin 119862119866119861 0
11198981[2]
1 notin 119862119866119861
081M 003 S0
Yes1198982[2]
minus 1 1 notin 119862119866119861 0
1198983[2]
minus 1 1 notin 119862119866119861 0
21198981[3]
minus 1 1 notin 119862119866119861
081M 004 S0
Yes1198982[3]
minus 1 1 notin 119862119866119861 0
1198983[3]
1 notin 119862119866119861 0
3 1198981[2]
1 notin 119862119866119861 081M 004 S 0 Yes4 1198982
[2] 1 notin 119862119866119861 081M 004 S 0 Yes
5 1198983[2]
1 notin 119862119866119861 081M 004 S 0 Yes
Table 6 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862GB080M 002 S
0
Yes1198982[1]
1 notin 119862GB 0
1198983[1]
minus 1 1 notin 119862GB 0
11198981[2]
1 notin 119862GB081M 003 S
0
Yes1198982[2]
minus 1 1 notin 119862GB 0
1198983[2]
minus 1 1 notin 119862GB 0
21198981[3]
minus 1 1 notin 119862GB081M 014 S
0
NO1198982[3]
minus 1 1 notin 119862GB 0
1198983[3]
1 notin 119862GB minus1
As shown in maple outputs the given circuit has beenmodeled as polynomial set119862119872 (itsGroebner bases is denotedby 119862119866119861) and assertion expected result as 1198983
[1]minus 1 From
the running result we have 1 notin 119862119866119861 and return valueof 119873119900119903119898119886119897119865119900119903119898 is 0 which means 119862119866119861 is divided with noremainder by 1198983
[1]minus 1
Thus from the previously mentioned verification princi-ples it is easy to conclude that the assertion 1198691198621198751 holds underthis circuit model after 3 cycles
More detailed experiment results for verification of cir-cuit shown in Figure 3 are listed in Table 5
Conversely we check these assertions against the circuitshown in Figure 4 in a similar way More detailed experimentresults are demonstrated in Table 6
From above table when checking 119869119862119875119860 assertion theresult 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983
[3] 119862119866119861 119879119863119864119866) = 0 so that
we can conclude the assertion does not holdTherefore theremust exist unexpected errors in the original circuit
This case is a fairly complete illustration of how thechecking algorithm works
8 Conclusion
In this paper we presented a new method for SVA prop-erties checking by using Groebner bases based symbolicalgebraic approaches To guarantee the feasibility we defined
a constrained subset of SVAs which is powerful enough forpractical purposes
We first introduce a notion of symbolic constant withoutany sequential information for handling local variables inSVAs inspired from STE We then proposed a practical alge-braizationmethod for each sequence operator For sequentialcircuits verification we introduce a parameterized polyno-mial set modeling method based on time frame expansion
Our approach is based on polynomial models construc-tion for both circuit models and SVA assertionsThis methodis to eventually translate a simulation based verificationproblem into a pure algebraic zero set determination problemby a series of proposed steps which can be performed on anygeneral symbolic algebraic tool
Thismethod allows users to deal withmore than one stateand many input combinations every cycle This advantagecomes directly from the fact that many vectors are simulatedat once using symbolic value
In summary in this research by suitable restrictions ofSVA assertions we can guarantee the availability of polyno-mial set representation Based on this polynomial set modelsymbolic simulation can be performed to produce symbolictraces and temporal relationship constraints of signal vari-ables as well We then apply symbolic algebra approach tocheck the zeros set relation between their polynomial sets anddetermine whether the temporal assertion holds or not undercurrent running cycle
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
The project is supported by the National Natural ScienceFoundation of China under Grant no 11371003 theNatural Science Foundation of Guangxi under Grantsnos 2011GXNSFA018154 2012GXNSFGA060003 and2013GXNSFAA019342 the Science and TechnologyFoundation of Guangxi under Grant no 10169-1 theScientific Research Project no 201012MS274 from GuangxiEducation Department the Fundamental Research Fundsfor the Central Universities under Grants nos DUT14QY05and HCIC201204 of Guangxi Key Laboratory of HybridComputation and IC Design Analysis Open Fund andthe Baguio scholarship Project of Guangxi The authorswould like to thank their colleagues for participating in theresearch They also appreciate the anonymous reviewers fortheir helpful comments
References
[1] IEEE System Verilog Working Group IEEE Standard forSystemVerilog C Unified Hardware Design Specification andVerification (IEEE Std 1800-2005) IEEE 2005
[2] ldquoIEEE draft standard for system verilogmdashunified hardware de-sign specification and verification languagerdquo IEEE P1800D32011
Journal of Applied Mathematics 15
[3] R Wille G Fey M Messing G Angst L Linhard and RDrechsler ldquoIdentifying a subset of SystemVerilog assertions forefficient bounded model checkingrdquo in Proceedings of the 11thEUROMICRO Conference on Digital System Design Architec-tures Methods and Tools (DSD rsquo08) pp 542ndash549 September2008
[4] L Darringer ldquoApplication of program verification techniques tohardware verificationrdquo in Proceedings of the IEEE-ACM DesignAutomation Conference pp 375ndash381 1979
[5] G S Avrunin ldquoSymbolic model checking using algebraicgeometryrdquo in Proceedings of the 8th International Conference onComputer Aided Verification vol CAV96 pp 26ndash37 SpringerLondon UK 1996
[6] W B Mao and J Z Wu ldquoApplication of Wus method to sym-bolic model checkingrdquo in Proceedings of the 2005 internationalSymposiumon Symbolic andAlgebraic Computation (ISSAC rsquo05)pp 237ndash244 ACM Press Beijing China 2005
[7] J Wu and L Zhao ldquoMulti-valued model checking via groebnerbasis approachrdquo in Proceedings of the 1st Joint IEEEIFIP Sympo-sium on Theoretical Aspects of Software Engineering (TASE rsquo07)pp 35ndash44 IEEE Computer Society Press June 2007
[8] N Zhou J Wu and X Gao ldquoAlgebraic verification method forSEREs properties via Groebner bases approachesrdquo Journal ofAppliedMathematics vol 2013 Article ID 272781 10 pages 2013
[9] X Gao N Zhou J Wu and D Li ldquoWursquos characteristic setmethod for SystemVerilog assertions verificationrdquo Journal ofApplied Mathematics vol 2013 Article ID 740194 14 pages2013
[10] J Little D Cox andD OrsquoShea Ideals Varieties and AlgorithmsSpringer New York NY USA 1992
[11] T Becker andVWeispfenningGrobner Bases AComputationalApproach to Commutative Algebra Springer New York NYUSA 1993
[12] B Buchberger ldquoGroebner bases an algorithmic method inpolynomial ideal theoryrdquo in Multidimensional Systems Theorypp 184ndash232 1985
[13] S B Akers ldquoBinary decision diagramsrdquo IEEE Transactions onComputers C vol 27 no 6 pp 509ndash516 1978
[14] S Hoereth and R Drechsler ldquoFormal verification of word-levelspecificationsrdquo in Proceedings of the Design Automation andTest in Europe Conference and Exhibition pp 52ndash58 MunichGermany 1999
[15] Y M Ryabukhin ldquoBoolean ringrdquo in Encyclopaedia of Mathe-matics Springer Michiel Germany 2001
[16] S Das R Mohanty P Dasgupta and P P Chakrabarti ldquoSynthe-sis of system verilog assertionsrdquo in Proceedings of the Conferenceon Design Automation and Test in Europe Designersrsquo Forum(DATE rsquo06) pp 70ndash75 European Design and AutomationAssociation Leuven Belgium March 2006
[17] C-J Seger and R E Bryant ldquoFormal verification by symbolicevaluation of partially-ordered trajectoriesrdquo Formal Methods inSystem Design vol 6 no 2 pp 147ndash190 1995
[18] D Cox J Little and D OrsquoShea Ideals Varieties and AlgorithmsAn Introduction to Computational Algebraic Geometry andCommutative Algebra Undergraduate Texts in MathematicsSpringer New York 3rd edition 2007
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Journal of Applied Mathematics 3
This property states that signal 119903119890119902 and then signal 119888
become high and signal 119886119888119896 will be high in the next cycleAs illustrated in this example a concurrent assertion
property in SystemVerilog will never be evaluated by itselfexcept when it is invoked by a verification statement There-fore the statement assert property 119905119890119904119905(119886 119887 119888) will causethe checker to perform assertion checking
Basically the verification statement in SVA has threeforms described as follows
(i) assert to specify the property as a checker to ensurethat the property holds for the design
(ii) assume to specify the property as an assumption forthe environment Simulators check that the propertyholds while formal tools use the information togenerate input stimulus The purpose of the assumestatement is to allow properties to be considered asassumptions for formal analysis as well as for dynamicsimulation tools
(iii) cover to monitor the property evaluation for cover-age
When a property is assumed the tools constrain theenvironment so that the property holds In simulationasserted and assumed properties are continuously verified toensure that the design or the testbench never violate them
In some tools the assumptions on the environment canbe used as sequential constraints on the DUT (device undertest) inputs in constrained-random simulation
These proofs are usually subject to other properties thatdescribe the assumed behavior of the environment usingassume property statements
22 Groebner Bases Preliminary Firstly we will recall someof the key notions of Groebner bases theory and symboliccomputation More detailed and elementary introduction tothis subject can be available in books such as those by Littleet al [10] or those by Becker and Weispfenning [11]
We begin by listing some general facts and establishingnotations
Let 119896 be an algebraically closed field and let 119896[1199091 119909
119899]
be the polynomial ring in variables 1199091 1199092 119909
119899with coeffi-
cient in 119896 under addition and multiplication of polynomialThe basic structure of polynomial rings is given in termsof subsets called ideals which is closed under addition andclosed under multiplication by any element of the ring
Here let 119868 sube 119896[1199091 119909
119899] be an ideal As we all know the
following theorem holds
Theorem 1 (Hilbert basis theorem) Every ideal 119868 sub 119896[1199091
119909119899] has a finite generating setThat is 119868 = ⟨119892
1 119892
119905⟩ for some
1198921 119892
119905isin 119868
Then by the Hilbert basis theorem there exist finitelymany polynomials 119891
1 119891
119898such that 119868 = ⟨119891
1 119891
119898⟩ A
polynomial 119891 sube 119896[1199091 119909
119899] defines a map 119891 119896
119899rarr 119896 via
evaluation (1198861 119886
119899) 997891rarr 119891(119886
1 119886
119899)
The set 119881(119868) = 119886 isin 119896119899
| forall119891 isin 119868 119891(119886) = 0 sube 119896119899 is called
the variety associated with 119868
If 1198811
= 119881(1198681) and 119881
2= 119881(119868
2) are the varieties defined
by ideals 1198681and 1198682 then we have 119881
1cap 1198812
= 119881(⟨1198681 1198682⟩) and
1198811cup1198812
= 119881(1198681times1198682) where 119868
1times1198682
= ⟨11989111198912
| 1198911
isin 1198681 1198912
isin 1198682⟩ If
1198681
= ⟨1198911 119891
119903⟩ and 119868
2= ⟨ℎ1 ℎ
119904⟩ then 119868
1times1198682
= ⟨119891119894times119892119895
|
1 le 119894 le 119903 1 le 119895 le 119904⟩Any set of points in 119896
119899 can be regarded as the varietyof some ideal Note that there will be more than one idealdefining a given variety For example the ideals ⟨119909
0⟩ and
⟨1199090 11990911199090
minus 1⟩ both define the variety 119881(1199090)
In order to perform verification we need to be able todetermine when two ideals represent the same set of pointsThat is to say we need a canonical representation for any idealGroebner bases can be used for this purpose
An essential ingredient for defining Groebner bases isa monomial ordering on a polynomial ring 119896[119909
1 119909
119899]
which allows us to pick out a leading term for any polynomial
Definition 2 (monomial ordering) A monomial ordering on119896[1199091 119909
119899] is any relation ≺ on 119885
119899
ge0 or equivalently any
relation on the set of monomials 119909120572 120572 isin 119885
119899
ge0 satisfying
(i) ≺ is a total (or linear) ordering on 119885119899
ge0
(ii) ≺ is a well-orderingThis means that every nonemptysubset of 119885
119899
ge0has a smallest element under ≺
(iii) for all 120574 isin 119885119899
ge0 120572 ≺ 120573 rArr 120572 + 120574 ≺ 120573 + 120574
Examples of monomial ordering include lexicographicorder graded lexicographic order and graded reverse lexico-graphic order
Definition 3 (lexicographic order) Let 120572 = (1205721 120572
119899) and
120573 = (1205731 120573
119899) isin 119885
119899
ge0 We say 120572≺lex120573 if in the vector
difference 120572 minus 120573 isin 119885119899 the leftmost nonzero entry is positive
We will write 119909120572≺lex119909120573 if 120572≺lex120573
Definition 4 (Groebner basis) Fix a monomial order A finitesubset 119866 = 119892
1 119892
119905 of an ideal 119868 is said to be a Groebner
basis (or standard basis) if ⟨119871119879(1198921) 119871119879(119892
119905)⟩ = ⟨119871119879(119868)⟩
Equivalently but more informally a set 1198921 119892
119905 sub 119868
is a Groebner basis of 119868 if and only if the leading term of anyelement of 119868 is divisible by one of the 119871119879(119892
119894)
In [12] Buchberger provided an algorithm for construct-ing a Groebner basis for a given idealThis algorithm can alsobe used to determinewhether a polynomial belongs to a givenideal
A reduced Groebner basis 119866 is a Groebner basis wherethe leading coefficients of polynomials in 119866 are all 1 and nomonomial of an element of 119866 lies in the ideal generated bythe leading terms of other elements of 119866 forall119892 isin 119866 and nomonomial of 119892 is in ⟨119871119879(119866 minus 119892)⟩
The important result is that for a fixed monomial order-ing any nonzero ideal has a unique reduced Groebner basisThe algorithm for finding a Groebner basis can easily beextended to output its reduced Groebner basis Thus we willhave a canonical symbolic representation for any ideal
4 Journal of Applied Mathematics
Inputs
Clock
Synchronous digital circuit
Outputs
FFs
Combinationallogic
Presentstates
Nextstates
Figure 1 Synchronous digital circuits model
Theorem 5 (the elimination theorem) Let 119868 sub 119896[1199091 119909
119899]
be an ideal and let 119866 be a Groebner basis of 119868 with respect tolexicographic order where 119909
1≻ 1199092
≻ sdot sdot sdot ≻ 119909119899 Then for every
0 le 119897 le 119899 the set
119866119897= 119866 cap 119896 [119909
119897+1 119909
119899] (1)
is a Groebner basis of the 119897th elimination ideal 119868119897
Theorem 6 Let 119866 be a Groebner basis for an ideal 119868 sub
119896[1199091 119909
119899] and let 119891 isin 119896[119909
1 119909
119899] Then 119891 isin 119868 if and
only if the remainder on division of 119891 by 119866 is zero denoted by119903119890119898119889(119891 119866) = 0
The property given in Theorem 6 can also be taken asthe definition of a Groebner basis Then we will get anefficient algorithm for solving the idealmembership problemAssuming that we know a Groebner basis 119866 for the idealin question we only need to compute the remainder withrespect to 119866 to determine whether 119891 isin 119868
In this paper we will then use the ideal or any basis forthe ideal as an efficient way of algebraization of system to beverified
3 System Modeling with Polynomial
31 Circuit Representation Model In this section we willsketch the underlying digital system model for simulationused in our work
Most modern circuit design is carried out within the syn-chronous model which simplifies reasoning about behaviorat the cost of strict requirements on clocking
As shown in Figure 1 a classical synchronous design iscomprised of combinatorial logic and blocks of registers witha global clock In a synchronous digital system the clocksignal is often regarded as simple control signal and usedto define a time reference for the movement of data withinthat system Combinational logic performs all the logicalfunctions in the circuit and it typically consists of logic gatesRegisters usually synchronize the circuitrsquos operation to theedges of the clock signal and are the only elements whichhave memory properties
The basic circuit model we used can be abstracted as thefollowing model
Definition 7 (synchronous circuit model) A synchronouscircuit model structure is a tuple
C = clk LAMux FFs IO where
(i) clk is a global synchronous clock signal(ii) L is a set of logical operation units(iii) A is a set of arithmetic operation units(iv) Mux is a set of multiplex units(v) FFs is a set of sequential units(vi) I is a set of primary input signals(vii) O is a set of primary output signals
In the following we will discuss polynomial represen-tation of a given circuit model Firstly let us retrospect theclassical circuit representation model
Traditionally Binary decision diagrams (BDD) [13] thefirst generation decision diagrams technique designed byAkers in 1978 acts as an efficient digital circuit representation(or Boolean functions) Recently the next generation ofdecision diagrams that is word-level decision diagrams(WLDD) [14] has considerably widened its expressivenessfor datapath operations due to processing of data in word-level format
Generally ROBDD or WLDD is mapped into hardwaredescription languages according to the following scheme
119865119906119899119888119905119894119900119899 (119888119894119903119888119906119894119905) lArrrArr 119872119900119889119890119897 119894119899 119877119874119861119863119863 | 119882119871119863119863 119891119900119903119898
(2)
Though the dimension of a decision diagram is exponen-tially bounded by the number of variables decision diagramsbased canonical data structure is very useful in many well-known verification methods
From the viewpoint of abstract symbolic computationthese decision diagrams based on representation for circuitsystems are not suitable any more Thus we will adopt analternative representation form based on polynomial setsinstead of decision diagrams according to the followingscheme
119865119906119899119888119905119894119900119899 (119888119894119903119888119906119894119905) lArrrArr 119885119890119903119900 119878119890119905 (119875119900119897119910119899119900119898119894119886119897 119878119890119905) (3)
As is well known given a monomial order there isprecisely one polynomial representation of a function
For convenience we introduce the following symbols foralgebraic representations
(1) Foranysymbolic (circuit unit signal sequence prop-erty etc) 119891 its algebraic representation form is de-noted by ⟦119891⟧
(2) If a running cycle 119905 is given its algebraic representa-tion form can be denoted by ⟦119891⟧
[119905]
(3) Furthermore if a time range [119898 sdot sdot sdot 119899] is specified itsalgebraic representation form can then be denoted by⟦119891⟧119896
[119905]or ⟦119891⟧
[119898sdotsdotsdot119899]
[119905]
Here 119905 denotes the current time and 119896 = (119899 minus 119898) denotestime steps
Journal of Applied Mathematics 5
Table 1 Polynomial model for arithmetic operation
Arithmetic operation Polynomial representation119910 = 119886 + 119887 ⟦+⟧ = (119910 minus 119886 minus 119887)
119910 = 119886 minus 119887 ⟦minus⟧ = (119910 minus 119886 + 119887)
119910 = 119886 lowast 119887 ⟦lowast⟧ = (119910 minus 119886 lowast 119887)
119910 = 119886119887 ⟦⟧ = (119910 lowast 119887 minus 119886)
Table 2 Polynomial model for logic operation
Arithmetic operation Polynomial representation119910 = NOT 119909 ⟦NOT⟧ = (1 minus 119909 minus 119910)
119910 = 1199091AND 119909
2⟦AND⟧ = (119909
1lowast 1199092
minus 119910)
119910 = 1199091OR 119909
2⟦OR⟧ = (119909
1+ 1199092
minus 1199091
lowast 1199092
minus 119910)
Cycle-based symbolic simulation will be performed onthe system model for verification Intuitively cycle-basedsymbolic simulation is a hybrid approach in the sense that thevalues that are propagated through the network can be eithersymbolic expressions or constant values It assumes that thereexists one unified clock signal in the circuit and all inputs ofthe systems remain unchanged while evaluating their valuesin each simulation cycleThe results of simulation report onlythe final values of the output signals or states in the currentsimulation cycle
The detailed simulation process can be described asfollows Firstly cycle-based symbolic simulation is initializedby setting the state of the circuit to the initial vector Each ofthe primary input signals will be assigned a distinct symbolicor a constant value Then at the end of a simulation step theexpressions representing the next-state functions generallyundergo a parametric transformation based optimizationAfter transformation the newly generated functions are usedas present state for the next state of simulation
32 Arithmetic and Logic Unit Modeling In this paper weonly focus on arithmetic unit for calculating fixed-point oper-ations For any arithmetic unit integer arithmetic operations(addition subtraction multiplication and division) can beconstructed by the polynomials in Table 1
The basic logic operations like ldquoANDrdquo ldquoORrdquo and ldquoNOTrdquocan be modeled by the following forms Their correspondingpolynomial representations [15] are specified as in Table 2
Furthermore we can extend the above rule to othercommon logic operators For example
119910 = 1199091
oplus 1199092
(or 119910 = 1199091XOR 119909
2)
997904rArr ⟦oplus⟧ = (119910 minus (1199091
+ 1199092
minus 1199091
lowast 1199092) lowast (1 minus 119909
1lowast 1199092))
(4)
For all bit level variables 119909119894
(0 le 119894 le 119899) a limitation ⟨119909119894lowast
119909119894minus 119909119894⟩ should be added
33 Branch Unit Modeling Basically multiway branch is animportant control structure in digital system It provides a setof condition bits 119887119894 (0 le 119894 le 119861) a set of target identifiers(0 119879 minus 1) and a mapping from condition bit values to
target identifiers This mapping takes the form of a conditiontree
For any binary signal119909 its value should be limited to 1 0
by adding 119909 lowast 119909 minus 119909
119910 = 119872119906119909 (1199090 1199091 119909
119899 119904)
119894 = 119904 997888rarr 119910 = 119909119894 (0 le 119894 le 119899)
997904rArr ⟦119872119906119909⟧ = ⟨
119910 minus
119899minus1
sum
119894=1
( prod
119895isin01119899minus1119894
((119904 minus 119895)
(119894 minus 119895)))
lowast119909119894
⟩
(5)
with prod119899minus1
119894=0(119904 minus 119894) = 0
34 Sequential Unit Modeling Each flip-flop (FF) in thecircuit can bemodeled as amultiplexerWehave the followingproposition to state this model
Proposition 8 For a 119863 flip-flop (1198631015840 is the next state) withan enable signal 119888 its equivalent combinational formal is 119910
1015840=
119872119906119909(119863 1198631015840 119904) 119894 = 119904 rarr 119910
1015840= 119909119894 (0 le 119894 lt 2 119909
0= 119863 119909
1=
1198631015840) whose polynomial algebraic model can be described as
⟦119865119865119904⟧ =
⟨(1199101015840minus 119863) lowast (119888
1015840minus 1) (119910
1015840minus 1198631015840) lowast 119888 (119910
1015840minus 119863) lowast (119910
1015840minus 1198631015840)⟩
(6)
or
⟨1199101015840minus 119863 lowast (119888
1015840minus 1) minus 119863
1015840lowast 1198881015840⟩ (7)
Proof Let 119863 be the current state and let 1199101015840 denote the next
state of the flip-flop When the signal 1198881015840 value is 0 1199101015840 has the
same value as 119863 so that the FF maintains its present statewhen the signal 119888
1015840 value is 1 1199101015840 takes a new value from the
1198631015840 input (where 119863
1015840 denotes the new value next state of theFF) Therefore we have the 2-value multiway branch modeland its polynomial set representation for FF
Proposition 9 Let 119863 be an FF model (1198631015840 is the next state)without enable signal then its equivalent combinational formalpolynomial algebraic model can be described as (1199101015840 minus 119863)
Proof Straightforward
35 Sequential Unrolling Generally for a sequential circuitC one time frame of a sequential circuit is viewed as a combi-national circuit in which each flip-flop will be converted intotwo corresponding signals a pseudo primary input (PPI) anda pseudo primary output (PPO)
Symbolical simulation of a sequential circuit for 119899 cyclescan be regarded as unrolling the circuit 119899 timesThe unrolledcircuit is still a pure combinational circuit and the 119894th copy ofthe circuit represents the circuit at cycle 119894 Thus the unrolledcircuit contains all the symbolic results from the 119899 cycles
6 Journal of Applied Mathematics
36 Indexed Polynomial Set Representation To illustrate thesequential modeling for a given cycle number clearly wedefine an indexed polynomial set representation for the 119894thcycle
Let 119909119894[119897]
(0 le 119894 le 119903) denote the input signals for the 119897thclock119898119894
[119897](0 le 119894 le 119904) the intermediate signals and 119910119894
[119897](0 le
119894 le 119905) the output signals We then have the following timeframe expansion model for the sequential circuit
119865119872 =
119899
⋃
119894=0
119865119872 [119894] (8)
where 119865119872[119894] = C(1199091[119894]
1198981[119894]
1198981[119894]
1199091[119894+1]
1198981[119894+1]
1199101[119894+1]
) denote the 119894th time frame modelTime frame expansion is achieved by connecting the
PPIs (eg 1199091[119894+1]
from 119865119872[119894 + 1]) of the time frame to thecorresponding PPOs (1199091
[119894+1]from 119865119872[119894]) of the previous
time frame
4 Sequence Depth Calculation
In this subsection we will discuss the important feature ofSVA time range and its signal constraint unrolled model
In SVA for each sequence the earliest time step for theevaluation and the latest time step should be determinedfirstlyThe sequence is then unrolled based on above informa-tion Finally the unrolled sequence will be performed usingalgebraization process
In [3] a time range calculating algorithm is providedHere we will introduce some related definition and specialhandling for our purpose
The following is the syntax definition for time range
41 Time Range
Definition 10 (time range syntax) The syntax of ldquotime rangerdquocan be described as follows
119888119910119888119897119890 119889119890119897119886119910 119888119900119899119904119905 119903119886119899119892119890 119890119909119901119903119890119904119904119894119900119899 =
119888119900119899119904119905119886119899119905 119890119909119901119903119890119904119904119894119900119899 119888119900119899119904119905119886119899119905 119890119909119901119903119890119904119904119894119900119899
| 119888119900119899119904119905119886119899119905 119890119909119901119903119890119904119904119894119900119899 $
Note that 119888119900119899119904119905119886119899119905 119890119909119901119903119890119904119904119894119900119899 is computed at compiletime and must result in an integer value and can only be 0or greater
In this paper we only focus on constant time range caseThus its form can be simplified as
(1) 119886[119898 119899]119887 (119898 119899 isin N and 119899 ge 119898 ge 0)
(2) 1198781[119898 119899]119878
2(119898 119899 isin N and 119899 ge 119898 ge 0)
Here 119886 119887 are signals and 1198781 1198782are sequences
Assume the starting time is cycle 119905 then we have thesequence (1) will start (119899 minus 119898 + 1) sequences of evaluationwhich are
119886 119898119887
119886 (119898 + 1)119887
119886(119899 minus 119898 + 1)119887 respectively
Their corresponding algebraic forms are
⟦119886119898119887⟧[119905]
= ⟦119886119905and 119887119905+1
⟧
⟦119886(119898 + 1)119887⟧[119905]
= ⟦119886119905and 119887119905+2
⟧
⟦119886(119899 minus 119898 + 1)119887⟧[119905]
= ⟦119886119905and 119887119905+119899minus119898+1
⟧
Thenwe have the equivalent form of above representationset as
⟦(119886119905and 119887119905+119898
) or sdot sdot sdot or (119886119905and 119887119905+119899
)⟧ (9)
42 Sequential Depth Calculation The time range of asequential is a time interval during which an operation or aterminal of a sequence has to be considered and is denoted bya closed bounded set of positive integers
119879 = [119897 sdot sdot sdot ℎ] = 119909 | 119897 le 119909 le ℎ (here 119909 119897 ℎ isin N) (10)
Furthermore the maximum of two intervals 1198791and 119879
2is
defined by max(1198791 1198792) = [max(119897
1 1198972) sdot sdot sdotmax(ℎ
1 ℎ2)]
In the samemanner the sum of two time ranges of1198791and
1198792is defined as
1198791
+ 1198792
= [(1198971
+ 1198972) sdot sdot sdot (ℎ
1+ ℎ2)] (11)
Definition 11 (maximum sequential depth) The maximumsequential depth of a SVA expression 119865 or a sequence writtenas 119889119890119901(119865) is defined recursively
(i) 119889119890119901(119886) = [1 sdot sdot sdot 1] if 119886 is a signal
(ii) 119889119890119901(not119886) = [1 sdot sdot sdot 1] if 119886 is a signal
(iii) 119889119890119901(119886119887) = 119889119890119901(119886) + 119889119890119901(119887) if 1198651 1198652are sequences
of SVA
(iv) 119889119890119901(1198651[119898 119899]119865
2) = 119889119890119901(119865
1) + 119889119890119901(119865
2) + [119898 sdot sdot sdot 119899]
if 1198651 1198652are sequences of SVA
(v) 119889119890119901(1198651and 119865
2) = max(119889119890119901(119865
1) 119889119890119901(119865
2)) if119865
11198652are
sequences of SVA
(vi) 119889119890119901(1198651or 1198652) = max(119889119890119901(119865
1) 119889119890119901(119865
2)) if 119865
1 1198652are
sequences of SVA
(vii) 119889119890119901(1198651intersect 119865
2) = 119889119890119901(119865
1) + 119889119890119901(119865
2) minus 1 if 119865
1
1198652are sequences of SVA
(viii) 119889119890119901(119865[119899]) = 119899 lowast 119889119890119901(119865) if 119865 is a sequence of SVA
Journal of Applied Mathematics 7
[23]
e And [46]
[12] [23]
a b c d
[35] [35] [46][46]
[00]
Figure 2 Sequence depth parsing tree
For example the following sequence is used to illustratehow to calculate the sequence depth
sequence
119890 [2 sdot sdot sdot 3] ((119886[1sdot sdot sdot 2]119887) and (119888 [1 sdot sdot sdot 2] 119889))
endsequence
Figure 2 shows the binary parsing tree for calculatingsequence depth of this sequence The box denotes operatorand cycle denotes signal node in the syntax tree
Firstly consider the top layer of the parsing tree andthe sequence [2 sdot sdot sdot 3] Here because the first operand 119890
is a terminal of the sequence thus this operand becomesrelevant at time step 0 only (119879
1st = [0 sdot sdot sdot 0]) Since the intervalhas to be considered the second operand (the subtree ofldquoandrdquo)matches 2 or 3 time steps laterTherefore calculating isrecursively performed with 119879 = [0 sdot sdot sdot 0] + [2 sdot sdot sdot 3] = [2 sdot sdot sdot 3]
for the second operandSimilarly we can have the sequence depth of the whole
sequence and all its subsequences as denoted in the figure
5 SVA to Polynomial Set Translation
As mentioned previously SystemVerilog assertions are anintegral component of SystemVerilog and provide two kindsof assertions immediate assertions and concurrent asser-tions
In this section we only discuss concurrent assertions andtheir temporal layer representation model
Concurrent assertions express functional design intentand can be used to express assumed input behavior expectedoutput behavior and forbidden behavior That is assertionsdefine properties that the design must meet Many prop-erties can be expressed strictly from variables available inthe design while properties are often constructed out ofsequential behaviors
Thus we will firstly discuss the basic algebraizationprocess for the sequential behavior model
51 Algebraization Process Theproperties written in SVAwillbe unrolled and checked against the design for bounded timesteps in our method Note that only a constrained subset ofSVA can be supported by our method (unspecified upperbound time range and first-match operator are excluded)
Firstly we translate the properties described by theconstrained subset of SVA into flat sequences according tothe semantics of each supported operator
Asmentioned in [16] the total set of SVA is divided into 4subgroups namely simple sequence expression (SSE) inter-val sequence expression (ISE) complex sequence expression(CSE) and unbounded sequence expression (USE) Here inour method these groups can only be partly supported
Therefore we define the following sequence expressionsby adding further conditions
(i) Constrained simple sequence expression (CSSE) isformed by Boolean expression repeat operator andcycle delay operator
(ii) Constrained interval sequence expression (CISE) isa super set of CSSE formed by extra time rangeoperators
(iii) Constrained complex sequence expression is a superset of CSSE and CISE containing operators or andintersection
Secondly the unrolled flat sequences will be added totemporal constraints to form proportional formulas withlogical connectives (or and and not)
Finally the resulted proportional formulas will be trans-lated into equivalent polynomial set
Then the verification problem is reduced to proving zeroset inclusion relationship which can be resolved by Groebnerbases approaches
52 Boolean LayerModeling TheBoolean layer of SVA formsan underlying basis for the whole assertion architecturewhich consists of Boolean expressions that hold or do nothold at a given cycle
In this paper we distinguish between signal logic valuesand truth logic values That is for a truth logic statementabout a given property its truth can be evaluated to 119905119903119906119890 or119891119886119897119904119890 But for a signal when primary inputs are symbolicvalues its signal logic value may not be evaluated as ℎ119894119892ℎ or119897119900119908
Therefore we have the following definition for signallogic
Definition 12 (signal logic) In digital circuit systems signallogic (SL for short) is defined as
(i) if a signal119909 is active-high (119867 for short) then its signalvalue is defined as 1
(ii) if a signal 119909 is active-low (119871 for short) then its signalvalue is defined as 0
8 Journal of Applied Mathematics
Definition 13 (symbolic constant) A symbolic constant is arigid Boolean variable that forever holds the same BooleanvalueThe notion of symbolic constant was firstly introducedin STE [17] for two purposes
(1) to encode an arbitrary Boolean constraints among aset of circuit nodes in a parametric form
(2) to encode all possible scalar values for a set of nodes
Assume 119867 denotes a symbolic constant for signal logicand 119867 denotes its negative form if 119867 denotes ℎ119894119892ℎ then 119867
will be 119897119900119908Consider (119903119890119902==119867) and (119886119888119896==119867) as an example
According to our definitions 119903119890119902 and 119886119888119896 are signals belong-ing to signal logic while both (119903119890119902==119867) and (119886119888119896==119867) are oftruth logic
For example assertion (119886[15 0] == 119887[15 0]) is also avalid Boolean expression stating that the 16-bit vectors 119886[15
0] and 119887[15 0] are equalIn SVA the following are valid Boolean expressions
(i) 119886119903119903119886119910119860 == 119886119903119903119886119910119861
(ii) 119886119903119903119886119910119860 = 119886119903119903119886119910119861
(iii) 119886119903119903119886119910119860[119894] gt= 119886119903119903119886119910 119861[119895]
(iv) 119886119903119903119886119910119861[119894][119895+ 2] == 119886119903119903119886119910119860[119896][119898minus 2]
(v) (119886119903119903119886119910119860[119894]amp(119886119903119903119886119910119861[119895])) == 0
Since the state of a signal variable can be viewed as a zeroof a set of polynomials We have the following
(1) For any signal 119909 holds at a given time step 119894 thus thestate of 119909 == 1 (119909 is active-high at cycle 119894) can berepresented by polynomial 119909
[119894]minus 1
(2) Alternatively the state of 119909 == 0 (119909 is active-low atcycle 119894) can be represented by polynomial 119909
[119894]
(3) Symbolically the state of 119909 == 119867 (119909 is active-high 119867
at the 119894th cycle) can be modeled as 119909[119894]
minus 119867
53 Sequence Operator Modeling Temporal assertions definenot only the values of signals but also the relationshipbetween signals over time The sequences are the buildingblocks of temporal assertions and can express a set of linearbehavior lasting for one or more cycles These sequences areusually used to specify and verify interface and bus protocols
A sequence is a regular expression over the Booleanexpressions that concisely specifies a set of linear sequencesThe Boolean expressions must be true at those specific clockticks for the sequence to be true over time
SystemVerilog provides several sequence compositionoperators to combine individual sequences in a variety ofways that enhance code writing and readability which canconstruct sequence expressions from Boolean expressions
In this paper throughout operator [1 $] operator andthe first match operator are not supported by our method
SystemVerilog defines a number of operations that canbe performed on sequences The sequence compositionoperators in SVA are listed as follows
Definition 14 (sequence operator)
119877 = 119887ldquoBoolean expressionrdquo form
| (1 V = 119890) ldquolocal variable samplingrdquo form| (119877) ldquoparenthesisrdquo form| (11987711 119877
2) ldquoconcatenationrdquo form
| (11987710 119877
2) ldquofusionrdquo form
| (1198771or 1198772) ldquoorrdquo form
| (1198771intersect 119877
2) ldquointersectrdquo form
| first match (119877) ldquofirst matchrdquo form| 119877[lowast0] ldquonull repetitionrdquo form| 119877[lowast1 $] ldquounbounded repetitionrdquo form| [lowast] [=] [minus gt] ldquorepetitionrdquo repeater| throughoutspecifying a Boolean expression musthold throughout a sequence| withinspecifying conditions within a sequence
The resulted sequences constructed by operators are thenused in properties for use in assertions and covers
531 Cycle Delay Operator In SystemVerilog the con-struct is referred to as a cycle delay operator
ldquo1rdquo and ldquo0rdquo are concatenation operators the formeris the classical regular expression concatenation the latter isa variant with one-letter overlapping
A 119899 followed by a number 119899 or range specifies the 119899
cycles delay from the current clock cycle to the beginning ofthe sequence that follows
(1) Fixed-length Casesequence fixs
119886119899119887
endsequencerArr ⟦119891119894119909119904⟧ = ⟦119886⟧
119905 ⟦119887⟧119905+119899
(2) Time-range Casesequence 119905119898119904
119886[119898 sdot sdot sdot 119899]119887
endsequencerArr ⟦119905119898119904⟧ = ⟦119886⟧
[119905] ⟦119887⟧119898
[119905] or sdot sdot sdot or ⟦119886⟧
[119905] ⟦119887⟧119899
[119905]
532 Intersect Operator The two operands of intersectoperator are sequences The requirements for match of theintersect operation are as follows
(i) Both operands must match(ii) The lengths of the two matches of the operand
sequences must be the same
Journal of Applied Mathematics 9
1198771intersect 119877
2
1198771starts at the same time as 119877
2 the intersection will
match if 1198771 starting at the same time as 119877
2 matches at the
same time as 1198772matches
Therefore we have
⟦1198771intersect 119877
2⟧ = ⟦119877
1⟧119889119890119901(119877
1)
[119905]and ⟦1198772⟧119889119890119901(119877
2)
[119905] (12)
The sequence length matching intersect operator con-structs a sequence like the and nonlength matching operatorexcept that both sequences must be completed in same cycle
533 and Operator 1198771and 119877
2
This operator states that 1198771starts at the same time as 119877
2
and the sequence expression matches with the later of 1198771and
1198772matching This binary operator and is used when both
operands are expected to match but the end times of theoperand sequences can be different
That is 1198771and 119877
2denotes both 119877
1and 119877
2holds for the
same number cycles Then the matches of 1198771and 119877
2must
satisfy the following
(i) The start point of the match of 1198771must be no earlier
than the start point of the match of 1198772
(ii) The end point of thematch of1198771must be no later than
the end point of the match of 1198772
The sequence nonlength matching and operator con-structs a sequence in which two sequences both hold at thecurrent cycle regardless of whether they are completed in thesame cycle or in different cycles
⟦1198771and 119877
2⟧ 997904rArr
ℎ1
⋁
119894=1198971
ℎ2
⋁
119895=1198972
(⟦1198771⟧119894
[119905] and ⟦119877
2⟧119895
[119905]) (13)
Here 119897119894= 119889119890119901(119877
119894) sdot 119897 ℎ
119894= 119889119890119901(119877
119894) sdot ℎ and 0 lt 119894 le 2
534 or Operator 1198771or 1198772
The sequence or operator constructs a sequence in whichone of two alternative sequences hold at the current cycleThus the sequence (1198861119887) or (1198881119889) states that eithersequence 119886 119887 or sequence 119888 119889 would satisfy the assertion
⟦1198771or 1198772⟧ 997904rArr
ℎ1
⋁
119894=1198971
ℎ2
⋁
119895=1198972
(⟦1198771⟧119894
[119905] or ⟦119877
2⟧119895
[119905]) (14)
Here 119897119894= 119889119890119901(119877
119894) sdot 119897 ℎ
119894= 119889119890119901(119877
119894) sdot ℎ and 0 lt 119894 le 2
535 Local Variables SystemVerilog provides a feature bywhich variables can be used in assertions The user candeclare variables local to a property This feature is highlyuseful in pipelined designs where the consequent occur-rence might be many cycles later than their correspondingantecedents
Local variables are optional and local to properties Theycan be initialized assigned (and reassigned) a value operatedon and compared to other expressions
The syntax of a sequence declaration with a local variableis shown below
119904119890119902119906119890119899119888119890 119889119890119888119897119886119903119886119905119894119900119899 =
sequence 119904119890119902119906119890119899119888119890 119894119889119890119899119905119894119891119894119890119903[([119905119891 119901119900119903119905 119897119894119904119905])]
119886119904119904119890119903119905119894119900119899 V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899
119904119890119902119906119890119899119888119890 119890119909119901119903
endsequence [ 119904119890119902119906119890119899119888119890 119894119889119890119899119905119894119891119894119890119903]
The property declaration syntax with a local variable canbe illustrated as follows
119901119903119900119901119890119903119905119910 119889119890119888119897119886119903119886119905119894119900119899 =
property 119901119903119900119901119890119903119905119910 119894119889119890119899119905119894119891119894119890119903[([119905119891 119901119900119903119905 119897119894119904119905])]
119886119904119904119890119903119905119894119900119899V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899
119901119903119900119901119890119903119905119910 119904119901119890119888
endproperty [ 119901119903119900119901119890119903119905119910 119894119889119890119899119905119894119891119894119890119903]
The variable identifier declaration syntax of a local vari-able can be illustrated as follows
119886119904119904119890119903119905119894119900119899 V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899 =
V119886119903 119889119886119905119886 119905119910119901119890 119897119894119904119905 119900119891 V119886119903119894119886119887119897119890 119894119889119890119899119905119894119891119894119890119903119904
The dynamic creation of a variable and its assignment isachieved by using the local variable declaration in a sequenceor property declaration and making an assignment in thesequence
Thus local variables of a sequence (or property) may beset to a value which can be computed from a parameter orother objects (eg arguments constants and objects visibleby the sequence (or property))
For example a property of a pipeline with a fixed latencycan be specified below
property 119897119886119905119890119899119888119910119894119899119905 119909(V119886119897119894119889 119894119899 119909 = 119901 119894119899)|minus gt 3(119901 119900119906119905 == (119909 + 1))
endproperty
This property e is evaluated as followsWhen V119886119897119894119889 119894119899 is true 119909 is assigned the value of 119901 119894119899 If 3
cycles later 119901 119900119906119905 is equal to 119909 + 1 then property 119897119886119905119890119899119888119910 istrue Otherwise the property is false When V119886119897119894119889 119894119899 is falseproperty 119897119886119905119890119899119888119910 is evaluated as true
For the algebraization of SVA properties with localvariables in our method these local variables will be takenas common signal variables (symbolic constant) without anysequential information
Thus we have the polynomial set representation forproperty 119897119886119905119890119899119888119910
⟦119897119886119905119890119899119888119910⟧[119905]
=
(V119886119897119894119889 119894119899[119905]
minus 1)(119909 minus 119901 119894119899
[119905])
(119901 119900119906119905[119905+3]
minus (119909 + 1))
10 Journal of Applied Mathematics
536 Repetition Operators SystemVerilog allows the userto specify repetitions when defining sequences of BooleanexpressionsThe repetition counts can be specified as either arange of constants or a single constant expression
Nonconsecutive repetition specifies finitely many itera-tive matches of the operand Boolean expression with a delayof one or more clock ticks from one match of the operandto the next successive match and no match of the operandstrictly in between The overall repetition sequence matchesat or after the last iterative match of the operand but beforeany later match of the operand
The syntax of repetition operator can be illustrated asfollows
119899119900119899 119888119900119899119904119890119888119906119905119894V119890 119903119890119901 = [= 119888119900119899119904119905 119900119903 119903119886119899119892119890 119890119909119901119903] (15)
The number of iterations of a repetition can be specifiedby exact count
For example a sequence with repetition can be defined as
119886 |=gt 119887 [= 3] 1 119888 (16)
The sequence expects that 2 clock cycles after the validstart signal ldquo119887rdquo will be repeated three times
We have ⟦119877[= 119899]⟧ = ⋁119899
119894=0(⟦119877⟧
119894lowast119889119890119901(119877)
[119905])
54 Property OperatorModeling In general property expres-sions in SVA are built using sequences other sublevel proper-ties and simple Boolean expressions via property operators
In SVA a property that is a sequence is evaluated as trueif and only if there is a nonempty match of the sequenceA sequence that admits an empty match is not allowed as aproperty
The success of assertion-based verification methodologyrelies heavily on the quality of properties describing theintended behavior of the design Since it is a fairly newmethodology verification and design engineers are oftenfaced with a question of ldquohow to identify good propertiesrdquo fora design It may be tempting to write properties that closelyresemble the implementation
Properties we discussed in this paper can be classified as
(1) Design Centric Design centric properties represent asser-tions added by the RTL designers to characterize whitebox design attributes These properties are typically towardsFSMs localmemories clock synchronization logic and otherhardware-related designs The design should conform to theexpectations of these properties
(2) Assumption Centric Assumption centric properties rep-resent assumptions about the design environment They areused in informal verification to specify assumptions about theinputs The assume directive can inform a verification tool toassume such a condition during the analysis
(3) RequirementVerification Centric Many requirementproperties are best described using a ldquocause-to-effectrdquo stylethat specifies what should happen under a given conditionThis type of properties can be specified by implication
operator For example a handshake can be described as ldquoifrequest is asserted then acknowledge should be assertedwithin 5 cyclesrdquo
In general property expressions are built using sequen-ces other sublevel properties and simple Boolean expres-sions
These individual elements are combined using propertyoperators implication NOT ANDOR and so forth
The property composition operators are listed as follows
Definition 15 (property operator)
119875 = 119877lowast ldquosequencerdquo form lowast
|(119875)lowast ldquoparenthesisrdquo form lowast
|not 119875lowast ldquonegationrdquo form lowast
|(1198751or 1198752)lowast ldquoorrdquo form lowast
|(1198751and 119875
2)lowast ldquoandrdquo form lowast
|(119877|minus gt 119875) |(119877| =gt 119875)lowast ldquoimplicationrdquo form lowast
|disable iff(119887) 119875lowast ldquoresetrdquo form lowast
Note that disable if and only if will not be supportedin this paper Property operators construct properties out ofsequence expressions
541 Implication
Operators The SystemVerilog implication operator supportssequence implication and provides two forms of implicationoverlapped using operator |minus gt and nonoverlapped usingoperator | =gt respectively
The syntax of implication is described as follows
119904119890119902119906119890119899119888119890 119890119909119901119903 | minus gt 119901119903119900119901119890119903119905119910 119890119909119901119903
119904119890119902119906119890119899119888119890 119890119909119901119903 | =gt 119901119903119900119901119890119903119905119910 119890119909119901119903
(17)
The implication operator takes a sequence as its anteced-ent and a property as its consequent Every time the sequencematches the property must hold Note that both the runningof the sequence and the property may span multiple clockcycles and that the sequence may match multiple times
For each successful match of the antecedent sequencethe consequence sequence (right-hand operand) is sepa-rately evaluated beginning at the end point of the matchedantecedent sequence All matches of antecedent sequencerequire a match of the consequence sequence
Moreover if the antecedent sequence (left hand operand)does not succeed implication succeeds vacuously by return-ing true For many protocol related assertions it is importantto specify the sequence of events (the antecedent or cause)that must occur before checking for another sequence (theconsequent or effect) This is because if the antecedent doesnot occur then there is no need to perform any furtherverification In hardware this occurs because the antecedentreflects an expression that when active triggers something tohappen
Journal of Applied Mathematics 11
A property with a consequent sequence behaves as if theconsequent has an implication first-match applied to it
542 NOT
Operator The operator NOT 119901119903119900119901119890119903119905119910 119890119909119901119903 states that theevaluation of the property returns the opposite of the eval-uation of the underlying 119901119903119900119901119890119903119905119910 119890119909119901119903
543 AND
Operator The formula ldquo1198751AND 119875
2rdquo states that the property
is evaluated as true if and only if both 1198751and 1198752are evaluatd
as true
544 OR
Operator The operator ldquo1198751OR 119875
2rdquo states that the property is
evaluated as true if and only if at least one of 1198751and 119875
2is
evaluated as true
545 IF-ELSE
Operator This operator has two valid forms which are listedas follows
(1) IF (119889119894119904119905) 1198751
A property of this form is evaluated as true if and only ifeither 119889119894119904119905 is evaluated as false or 119875
1is evaluated as true
(2) IF (119889119894119904119905) 1198751ELSE 119875
2
A property of this form is evaluated as true if and only ifeither 119889119894119904119905 is evaluated as true and 119875
1is evaluated as true or
119889119894119904119905 is evaluated as false and 1198752is evaluated as true
From previous discussion we have the following propo-sition for property reasoning
Proposition 16 Assume that1198751198751 and119875
2are valid properties
in SVA the following rules are used to construct the correspond-ing verification process Here 119860119904119904119862ℎ119896(119872119900119889119890119897 119875119903119900119901119890119903119905119910)
ture false is a self-defined checking function that can deter-mine whether a given ldquo119875119903119900119901119890119903119905119910rdquo holds or not with respect toa circuit model ldquo119872119900119889119890119897rdquo
(1) 1198751OR 119875
2rArr 119860119904119904119862ℎ119896(119872 ⟦119875
1⟧) or 119860119904119904119862ℎ119896(119872 ⟦119875
2⟧)
(2) 1198751AND 119875
2rArr 119860119904119904119862ℎ119896(119872 ⟦119875
1⟧)and119860119904119904119862ℎ119896(119872 ⟦119875
2⟧)
(3) NOT 119875 rArr not119860119904119904119862ℎ119896(119872 ⟦119875⟧)
(4) IF (119889119894119904119905) 1198751
rArr not119860119904119904119862ℎ119896(119872 119889119894119904119905) or 119860119904119904119862ℎ119896(119872
⟦1198751⟧)
(5) IF (119889119894119904119905) 1198751ELSE 119875
2rArr (119860119904119904119862ℎ119896(119872 119889119894119904119905)and119860119904119904119862ℎ119896
(119872 ⟦1198751⟧))or(not119860119904119904119862ℎ119896(119872 119889119894119904119905)and119860119904119904119862ℎ119896(119872 ⟦119875
2⟧))
(6) 119878 | minus gt 119875 rArr if (not119860119904119904119862ℎ119896(119872 ⟦119878⟧))119903119890119905119906119903119899 true else(119860119904119904119862ℎ119896(119872 ⟦119878⟧
[119905]) and 119860119904119904119862ℎ119896(119872 ⟦119875⟧
dep(119875)[119905+dep(119878)minus1]))
(7) 119878 |=gt 119875 rArr if(not119860119904119904119862ℎ119896(119872 ⟦119878⟧))119903119890119905119906119903119899 true else(119860119904119904119862ℎ119896(119872 ⟦119878⟧
[119905]) and 119860119904119904119862ℎ119896(119872 ⟦119875⟧
dep(119875)[119905+dep(119878)]))
6 Verification Algorithm
In this section we will describe how an assertion is checkedusing Groebner bases approach Firstly we will discussa practical algorithm using Groebner bases for assertionchecking
61 Basic Principle As just mentioned our checking methodis based on algebraic geometry which is the study of thegeometric objects arising as the common zeros of collectionsof polynomials Our aim is to find polynomials whosezeros correspond to pairs of states in which the appropriateassignments are made
We can regard any set of points in 119896119899 as the variety of some
ideal We can then use the ideal or any basis for the ideal as away of encoding the set of points
From Groebner Bases theory [10 12] every nonzero ideal119868 sub 119896[119909
1 119909
119899] has a Groebner basis and the following
proposition evidently holds
Proposition 17 Let 119862 and 119878 be polynomial sets of 119896[1199091
119909119899] and ⟨119866119878⟩ a Groebner basis for ⟨119878⟩ and then we have that
⟨119862⟩ sube ⟨119878⟩ hArr forall119888 isin 119862 119903119890119898119889(119888 119866119878) == 0 holds
Theorem 18 Suppose that 119860(⟦119860⟧ = 1198861 1198862 119886
119903) is a
property to be verified 119879 is the initial preconditions of 119862 and119872 is a system model to be checked Let ⟦119879⟧ and ⟦119872⟧ bethe polynomial set representations for 119879 and 119872 respectivelyconstructed by previous mentioned rules Let 119867 = ⟦119879 cup 119872⟧ =
ℎ1 ℎ2 ℎ
119904 sube 119896[119909
1 119909
119899] 119868 = ⟨119867⟩ (where ⟨119867⟩ denotes
the ideal generated by 119867) and 119866119861119867
= 119892119887119886119904119894119904(119867 ≺) then wehave
( (1 notin 119866119861119867
) and 119903119890119898119889 (119862 119866119861119867
) == 0)
lArrrArr ((1 notin 119866119861119867
) and119903
⋀
119894=0
(119903119890119898119889 (119892119894 119866119861119867
) == 0))
lArrrArr (119872 |= 119860) holds
(18)
Proof (1) The polynomial set ⟦119872⟧ of system model 119872
describes the data-flow relationship that inputs outputs andfunctional transformation should meet The initial condition⟦119872⟧ can be seen as extra constraint applied by users Thereshould not exist contradiction between them that is thepolynomial equations of ⟦119879 cup 119872⟧ must have a commonsolution
ByHilbertrsquos Nullstellensatz theory if we have polynomials⟦119879 cup 119872⟧ = 119891
1 119891
119904 isin 119896[119909
1 119909
119899] we compute a
reducedGroebner basis of the ideal they generatewith respectto any ordering If this basis is 1 the polynomials have nocommon zero in 119896
119899 if the basis is not 1 they must have acommon zero
Therefore (1 notin 119866119861119867
) should hold(2) Evidently by previous proposition it is easy to have
that 119903119890119898119889(119862 119866119861119867
) == 0 should holdThus we have that this theorem holds
12 Journal of Applied Mathematics
Input(1) circuit model 119872(2) initial condition 119879(3) an assertion 119860Output Boolean 119905119903119906119890 or 119891119886119897119904119890BEGIN
lowastStep 1 initialize input signals via testbench lowast(00) 119868119899119894119905119878119894119892119899119886119897119904()(01) M = 0PS
119860= 0 119867 = 0PS
119879= 0
lowastStep 2 build polynomial model lowast(02) M = ⟦119872⟧ = 119861119906119894119897119889PS(119872)
lowastStep 3 build polynomial set for initial condition 119879lowast
(03) 119875119878119879
= ⟦119879⟧ = 119861119906119894119897119889PS(119879)lowastStep 4 build polynomial set for consequentA lowast
(04) 119875119878119860
= ⟦119860⟧ = 119861119906119894119897119889PS(119860)lowastStep 5 calculate the PS
119879cup Mlowast
(05) 119867 = PST cup MlowastStep 6 calculate the Groebner base of ⟨119867⟩
lowast(06) GB
119867= 119892basis(119867 ≺)
lowastStep 7 determine the basis is 1 or not lowast(07) if(1 isin GB
119867)
(08) return 119891119886119897119904119890 lowastStep 8 check every polynomial lowastlowast119860 = 119886
1 1198862 119886
|119860|lowast
(09) 119894 = 1(10) 119908ℎ119894119897119890(119894 le |119860|)
(11) if(119903119890119898119889(⟦119886119894⟧ GB
119867) = 0)
(12) return 119891119886119897119904119890 (13) i++(14) lowast endwhile lowast(15) return 119905119903119906119890 lowast Assertion does hold lowastEND
Algorithm 1 ldquo119860119904119904119862ℎ119896119875119900119897119910119861119906119894119897119889(119872 119879 119860)rdquo
62 Checking Algorithm For simplicity in this section weonly provide the key decision algorithm
Firstly the original system model is transformed into anormal polynomial representation and the assertion as wellThen calculate the hypothesis set and its Groebner basisusing the Buchberger algorithm [18] and their eliminationideals Finally examine the inclusion relationship betweenelimination ideals to determine whether the assertion to bechecked holds or not
From above discussion we have the following processsteps and detailed algorithm description Algorithm 1
For convenience we can derive another version checkingprocedure named ldquo119860119904119904119862ℎ119896(⟦119872⟧ ⟦119860⟧)rdquo which can acceptpolynomial representations as inputs without explicit poly-nomial construction process
Further by applying Theorem 18 and the checking algo-rithm ldquo119860119904119904119862ℎ119896(⟦119872⟧ ⟦119860⟧)rdquo we can easily verify all sup-ported properties written in SVA
7 An Example
In this section we will study a classical circuit to show howSVA properties are verified by polynomial representation andalgebra computation method
Consider the Johnson counter circuit in Figure 3 Johnsoncounters can provide individual digit outputs rather than a
3 2 1
m1m2m3
m4clk
And
Andy
Figure 3 Johnson counter
Table 3 Table of Johnson counter output
Counter (clock) V3(1198983) V2(1198982) V1(1198981)
0 0 0 01 1 0 02 1 1 03 0 1 14 0 0 15 0 0 0
binary or BCD output as shown in Table 3 Notice that eachlegal count may be defined by the location of the last flip-flopto change states and which way it changed state
71 Algebraization of Circuit and Assertion Johnson counterprovides individual digit outputs as shown in Table 3
The polynomial set for Johnson counter circuit in Figure 3can be constructed as follows
119878119890119905adder = 1198911 = 11989831015840minus 1198984 1198912 = 1198982
1015840minus 1198983
1198913 = 11989811015840minus 1198982
1198914 = 1198984 minus (1 minus 1198981) lowast (1 minus 1198982)
1198915 = 119910 minus 1198981 lowast (1 minus 1198982)
(19)
where 11989811015840 denotes the next state of 1198981 For the 119894th cycle we
use 1199091[119894]to denote variable name in current cycle
Similarly another Johnson counter circuit with an erroris shown in Figure 4 the corresponding polynomial set canbe described by
119878119890119905adder = 1198911 1198912 1198913
11989141015840
= 1198984 + 1198981 + 1198982
minus (1 minus 1198981) lowast (1 minus 1198982) 1198915
(20)
Journal of Applied Mathematics 13
3 2 1
m1m2m3
m4clk
Or
Andy
Figure 4 Johnson counter with error
To illustrate the problem clearly we define polynomial setrepresentation 119875119872[119894] for 119894th cycle as follows
119875119872 [119894] = 1198983[119894+1]
minus 1198984[119894]
1198982[119894+1]
minus 1198983[119894]
1198981[119894+1]
minus 1198982[119894]
1198984[119894]
minus (1 minus 1198982[119894]
) lowast (1 minus 1198981[119894]
)
119910 minus 1198981[119894]
lowast (1 minus 1198982[119894]
)
(21)
Support that the circuit will run 6 cycles for verificationtherefore we have 119875119872 = ⋃
5
119894=0119875119872[119894]
For any Boolean variable 119886 we will add an extra con-straint 119886lowast119886minus119886Thus we define the corresponding constraintsset as follows 119862119873119878[119894] = 119888
[119894]lowast 119888[119894]
minus 119888[119894]
119888 isin 1198981 1198982 1198983 1198984
119910In the same manner we have 119862119873119878 = ⋃
5
119894=0119862119873119878[119894]
The sequential property for this counter circuit can bespecified by the following SystemVerilog assertions
property 119869119862119875119860
(1198983 = 0 ampamp 1198982 = 0 ampamp 1198981 = 0)
| =gt 1(1198983 == 1 ampamp 1198982 == 0 ampamp 1198981 == 0)
| =gt 2(1198983 == 1 ampamp 1198982 == 1 ampamp 1198981 == 0)
| =gt 3(1198983 == 0 ampamp 1198982 == 1 ampamp 1198981 ==
1)
endpropertyproperty 1198691198621198751
(119888119897119896)(1198981 == 0)| =gt 2 (1198981 == 0)
endpropertyproperty 1198691198621198752
(119888119897119896)(1198982 == 0)| =gt 2 (1198982 == 1)
endpropertyproperty 1198691198621198753
(119888119897119896)(1198983 == 0)| =gt 2 (1198983 == 1)
endproperty
Table 4 Polynomial forms
Name Precondition Expected consequent
JCPA
1198981[0]
1198982[0]
1198983[0]
cycle 1 1198981[1]
minus 1 1198982[1]
1198983[1]
cycle 2 1198981[2]
minus 1 1198982[2]
minus 1 1198983[2]
cycle 3 1198981[3]
1198982[3]
minus 1 1198983[3]
minus 1
JCP1 1198981[0]
1198981[2]
JCP2 1198982[0]
1198982[2]
minus 1
JCP3 1198983[0]
1198983[2]
minus 1
We will afterwards demonstrate the verification processstep by step
The circuit model to be verified is as shown below
119878119872 = 119875119872 cup 119862119873119878 (22)
The property of this counter can be specified as thefollowing SVA assertion
assert property (1198691198621198751)
assert property (1198691198621198752)
The Algebraization form of the above properties can bemodeled as in Table 4
72 Experiment Using Maple We run this example by usingMaple 13 Before running we manually translated all modelsinto polynomials The experiment is performed on a PC witha 240GHz CPU (intel i5M450) and 1024MB of memoryIt took about 004 seconds and 081MB of memory whenapplying Groebner method
[gtwith(Groebner)[gt 119862119872 = sdot sdot sdot
lowastCircuit Modellowast[gt 119879119863119864119866 = 119905119889119890119892(
1198981[0] 1198982[0] 1198983[0] 1198984[0]
1198981[1] 1198982[1] 1198983[1] 1198984[1]
1198981[2] 1198982[2] 1198983[2] 1198984[2]
1198981[3] 1198982[3] 1198983[3] 1198984[3]
1198981[4] 1198982[4] 1198983[4] 1198984[4]
119910[0] 119910[1] 119910[2] 119910[3]
)
[gt 119862119866119861 = 119861119886119904119894119904(119862119872 119879119863119864119866)
Thus we can have the Groebner basis as follows
[gt [1199101[3]
1199101[2]
1199101[1]
1199101[1]
1198983[4]
1198982[4]
1198981[4]
minus 1 1198984[3] 1198983[3] 1198982[3]
minus 1 1198981[3]
minus 11198984[2] 1198983[2]
minus 1 1198982[2]
minus 1 1198981[2] 1198984[1]
minus 11198983[1]
minus 11198982[1] 1198981[1] 1198984[0]
minus 1 1198983[0] 1198982[0] 1198981[0]
]
[gt 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983[1]
minus 1 119862119866119861 119879119863119864119866)
[gt 119903119890119905 = 0
14 Journal of Applied Mathematics
Table 5 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862119866119861
080M 002 S0
Yes1198982[1]
1 notin 119862119866119861 0
1198983[1]
minus 1 1 notin 119862119866119861 0
11198981[2]
1 notin 119862119866119861
081M 003 S0
Yes1198982[2]
minus 1 1 notin 119862119866119861 0
1198983[2]
minus 1 1 notin 119862119866119861 0
21198981[3]
minus 1 1 notin 119862119866119861
081M 004 S0
Yes1198982[3]
minus 1 1 notin 119862119866119861 0
1198983[3]
1 notin 119862119866119861 0
3 1198981[2]
1 notin 119862119866119861 081M 004 S 0 Yes4 1198982
[2] 1 notin 119862119866119861 081M 004 S 0 Yes
5 1198983[2]
1 notin 119862119866119861 081M 004 S 0 Yes
Table 6 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862GB080M 002 S
0
Yes1198982[1]
1 notin 119862GB 0
1198983[1]
minus 1 1 notin 119862GB 0
11198981[2]
1 notin 119862GB081M 003 S
0
Yes1198982[2]
minus 1 1 notin 119862GB 0
1198983[2]
minus 1 1 notin 119862GB 0
21198981[3]
minus 1 1 notin 119862GB081M 014 S
0
NO1198982[3]
minus 1 1 notin 119862GB 0
1198983[3]
1 notin 119862GB minus1
As shown in maple outputs the given circuit has beenmodeled as polynomial set119862119872 (itsGroebner bases is denotedby 119862119866119861) and assertion expected result as 1198983
[1]minus 1 From
the running result we have 1 notin 119862119866119861 and return valueof 119873119900119903119898119886119897119865119900119903119898 is 0 which means 119862119866119861 is divided with noremainder by 1198983
[1]minus 1
Thus from the previously mentioned verification princi-ples it is easy to conclude that the assertion 1198691198621198751 holds underthis circuit model after 3 cycles
More detailed experiment results for verification of cir-cuit shown in Figure 3 are listed in Table 5
Conversely we check these assertions against the circuitshown in Figure 4 in a similar way More detailed experimentresults are demonstrated in Table 6
From above table when checking 119869119862119875119860 assertion theresult 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983
[3] 119862119866119861 119879119863119864119866) = 0 so that
we can conclude the assertion does not holdTherefore theremust exist unexpected errors in the original circuit
This case is a fairly complete illustration of how thechecking algorithm works
8 Conclusion
In this paper we presented a new method for SVA prop-erties checking by using Groebner bases based symbolicalgebraic approaches To guarantee the feasibility we defined
a constrained subset of SVAs which is powerful enough forpractical purposes
We first introduce a notion of symbolic constant withoutany sequential information for handling local variables inSVAs inspired from STE We then proposed a practical alge-braizationmethod for each sequence operator For sequentialcircuits verification we introduce a parameterized polyno-mial set modeling method based on time frame expansion
Our approach is based on polynomial models construc-tion for both circuit models and SVA assertionsThis methodis to eventually translate a simulation based verificationproblem into a pure algebraic zero set determination problemby a series of proposed steps which can be performed on anygeneral symbolic algebraic tool
Thismethod allows users to deal withmore than one stateand many input combinations every cycle This advantagecomes directly from the fact that many vectors are simulatedat once using symbolic value
In summary in this research by suitable restrictions ofSVA assertions we can guarantee the availability of polyno-mial set representation Based on this polynomial set modelsymbolic simulation can be performed to produce symbolictraces and temporal relationship constraints of signal vari-ables as well We then apply symbolic algebra approach tocheck the zeros set relation between their polynomial sets anddetermine whether the temporal assertion holds or not undercurrent running cycle
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
The project is supported by the National Natural ScienceFoundation of China under Grant no 11371003 theNatural Science Foundation of Guangxi under Grantsnos 2011GXNSFA018154 2012GXNSFGA060003 and2013GXNSFAA019342 the Science and TechnologyFoundation of Guangxi under Grant no 10169-1 theScientific Research Project no 201012MS274 from GuangxiEducation Department the Fundamental Research Fundsfor the Central Universities under Grants nos DUT14QY05and HCIC201204 of Guangxi Key Laboratory of HybridComputation and IC Design Analysis Open Fund andthe Baguio scholarship Project of Guangxi The authorswould like to thank their colleagues for participating in theresearch They also appreciate the anonymous reviewers fortheir helpful comments
References
[1] IEEE System Verilog Working Group IEEE Standard forSystemVerilog C Unified Hardware Design Specification andVerification (IEEE Std 1800-2005) IEEE 2005
[2] ldquoIEEE draft standard for system verilogmdashunified hardware de-sign specification and verification languagerdquo IEEE P1800D32011
Journal of Applied Mathematics 15
[3] R Wille G Fey M Messing G Angst L Linhard and RDrechsler ldquoIdentifying a subset of SystemVerilog assertions forefficient bounded model checkingrdquo in Proceedings of the 11thEUROMICRO Conference on Digital System Design Architec-tures Methods and Tools (DSD rsquo08) pp 542ndash549 September2008
[4] L Darringer ldquoApplication of program verification techniques tohardware verificationrdquo in Proceedings of the IEEE-ACM DesignAutomation Conference pp 375ndash381 1979
[5] G S Avrunin ldquoSymbolic model checking using algebraicgeometryrdquo in Proceedings of the 8th International Conference onComputer Aided Verification vol CAV96 pp 26ndash37 SpringerLondon UK 1996
[6] W B Mao and J Z Wu ldquoApplication of Wus method to sym-bolic model checkingrdquo in Proceedings of the 2005 internationalSymposiumon Symbolic andAlgebraic Computation (ISSAC rsquo05)pp 237ndash244 ACM Press Beijing China 2005
[7] J Wu and L Zhao ldquoMulti-valued model checking via groebnerbasis approachrdquo in Proceedings of the 1st Joint IEEEIFIP Sympo-sium on Theoretical Aspects of Software Engineering (TASE rsquo07)pp 35ndash44 IEEE Computer Society Press June 2007
[8] N Zhou J Wu and X Gao ldquoAlgebraic verification method forSEREs properties via Groebner bases approachesrdquo Journal ofAppliedMathematics vol 2013 Article ID 272781 10 pages 2013
[9] X Gao N Zhou J Wu and D Li ldquoWursquos characteristic setmethod for SystemVerilog assertions verificationrdquo Journal ofApplied Mathematics vol 2013 Article ID 740194 14 pages2013
[10] J Little D Cox andD OrsquoShea Ideals Varieties and AlgorithmsSpringer New York NY USA 1992
[11] T Becker andVWeispfenningGrobner Bases AComputationalApproach to Commutative Algebra Springer New York NYUSA 1993
[12] B Buchberger ldquoGroebner bases an algorithmic method inpolynomial ideal theoryrdquo in Multidimensional Systems Theorypp 184ndash232 1985
[13] S B Akers ldquoBinary decision diagramsrdquo IEEE Transactions onComputers C vol 27 no 6 pp 509ndash516 1978
[14] S Hoereth and R Drechsler ldquoFormal verification of word-levelspecificationsrdquo in Proceedings of the Design Automation andTest in Europe Conference and Exhibition pp 52ndash58 MunichGermany 1999
[15] Y M Ryabukhin ldquoBoolean ringrdquo in Encyclopaedia of Mathe-matics Springer Michiel Germany 2001
[16] S Das R Mohanty P Dasgupta and P P Chakrabarti ldquoSynthe-sis of system verilog assertionsrdquo in Proceedings of the Conferenceon Design Automation and Test in Europe Designersrsquo Forum(DATE rsquo06) pp 70ndash75 European Design and AutomationAssociation Leuven Belgium March 2006
[17] C-J Seger and R E Bryant ldquoFormal verification by symbolicevaluation of partially-ordered trajectoriesrdquo Formal Methods inSystem Design vol 6 no 2 pp 147ndash190 1995
[18] D Cox J Little and D OrsquoShea Ideals Varieties and AlgorithmsAn Introduction to Computational Algebraic Geometry andCommutative Algebra Undergraduate Texts in MathematicsSpringer New York 3rd edition 2007
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
4 Journal of Applied Mathematics
Inputs
Clock
Synchronous digital circuit
Outputs
FFs
Combinationallogic
Presentstates
Nextstates
Figure 1 Synchronous digital circuits model
Theorem 5 (the elimination theorem) Let 119868 sub 119896[1199091 119909
119899]
be an ideal and let 119866 be a Groebner basis of 119868 with respect tolexicographic order where 119909
1≻ 1199092
≻ sdot sdot sdot ≻ 119909119899 Then for every
0 le 119897 le 119899 the set
119866119897= 119866 cap 119896 [119909
119897+1 119909
119899] (1)
is a Groebner basis of the 119897th elimination ideal 119868119897
Theorem 6 Let 119866 be a Groebner basis for an ideal 119868 sub
119896[1199091 119909
119899] and let 119891 isin 119896[119909
1 119909
119899] Then 119891 isin 119868 if and
only if the remainder on division of 119891 by 119866 is zero denoted by119903119890119898119889(119891 119866) = 0
The property given in Theorem 6 can also be taken asthe definition of a Groebner basis Then we will get anefficient algorithm for solving the idealmembership problemAssuming that we know a Groebner basis 119866 for the idealin question we only need to compute the remainder withrespect to 119866 to determine whether 119891 isin 119868
In this paper we will then use the ideal or any basis forthe ideal as an efficient way of algebraization of system to beverified
3 System Modeling with Polynomial
31 Circuit Representation Model In this section we willsketch the underlying digital system model for simulationused in our work
Most modern circuit design is carried out within the syn-chronous model which simplifies reasoning about behaviorat the cost of strict requirements on clocking
As shown in Figure 1 a classical synchronous design iscomprised of combinatorial logic and blocks of registers witha global clock In a synchronous digital system the clocksignal is often regarded as simple control signal and usedto define a time reference for the movement of data withinthat system Combinational logic performs all the logicalfunctions in the circuit and it typically consists of logic gatesRegisters usually synchronize the circuitrsquos operation to theedges of the clock signal and are the only elements whichhave memory properties
The basic circuit model we used can be abstracted as thefollowing model
Definition 7 (synchronous circuit model) A synchronouscircuit model structure is a tuple
C = clk LAMux FFs IO where
(i) clk is a global synchronous clock signal(ii) L is a set of logical operation units(iii) A is a set of arithmetic operation units(iv) Mux is a set of multiplex units(v) FFs is a set of sequential units(vi) I is a set of primary input signals(vii) O is a set of primary output signals
In the following we will discuss polynomial represen-tation of a given circuit model Firstly let us retrospect theclassical circuit representation model
Traditionally Binary decision diagrams (BDD) [13] thefirst generation decision diagrams technique designed byAkers in 1978 acts as an efficient digital circuit representation(or Boolean functions) Recently the next generation ofdecision diagrams that is word-level decision diagrams(WLDD) [14] has considerably widened its expressivenessfor datapath operations due to processing of data in word-level format
Generally ROBDD or WLDD is mapped into hardwaredescription languages according to the following scheme
119865119906119899119888119905119894119900119899 (119888119894119903119888119906119894119905) lArrrArr 119872119900119889119890119897 119894119899 119877119874119861119863119863 | 119882119871119863119863 119891119900119903119898
(2)
Though the dimension of a decision diagram is exponen-tially bounded by the number of variables decision diagramsbased canonical data structure is very useful in many well-known verification methods
From the viewpoint of abstract symbolic computationthese decision diagrams based on representation for circuitsystems are not suitable any more Thus we will adopt analternative representation form based on polynomial setsinstead of decision diagrams according to the followingscheme
119865119906119899119888119905119894119900119899 (119888119894119903119888119906119894119905) lArrrArr 119885119890119903119900 119878119890119905 (119875119900119897119910119899119900119898119894119886119897 119878119890119905) (3)
As is well known given a monomial order there isprecisely one polynomial representation of a function
For convenience we introduce the following symbols foralgebraic representations
(1) Foranysymbolic (circuit unit signal sequence prop-erty etc) 119891 its algebraic representation form is de-noted by ⟦119891⟧
(2) If a running cycle 119905 is given its algebraic representa-tion form can be denoted by ⟦119891⟧
[119905]
(3) Furthermore if a time range [119898 sdot sdot sdot 119899] is specified itsalgebraic representation form can then be denoted by⟦119891⟧119896
[119905]or ⟦119891⟧
[119898sdotsdotsdot119899]
[119905]
Here 119905 denotes the current time and 119896 = (119899 minus 119898) denotestime steps
Journal of Applied Mathematics 5
Table 1 Polynomial model for arithmetic operation
Arithmetic operation Polynomial representation119910 = 119886 + 119887 ⟦+⟧ = (119910 minus 119886 minus 119887)
119910 = 119886 minus 119887 ⟦minus⟧ = (119910 minus 119886 + 119887)
119910 = 119886 lowast 119887 ⟦lowast⟧ = (119910 minus 119886 lowast 119887)
119910 = 119886119887 ⟦⟧ = (119910 lowast 119887 minus 119886)
Table 2 Polynomial model for logic operation
Arithmetic operation Polynomial representation119910 = NOT 119909 ⟦NOT⟧ = (1 minus 119909 minus 119910)
119910 = 1199091AND 119909
2⟦AND⟧ = (119909
1lowast 1199092
minus 119910)
119910 = 1199091OR 119909
2⟦OR⟧ = (119909
1+ 1199092
minus 1199091
lowast 1199092
minus 119910)
Cycle-based symbolic simulation will be performed onthe system model for verification Intuitively cycle-basedsymbolic simulation is a hybrid approach in the sense that thevalues that are propagated through the network can be eithersymbolic expressions or constant values It assumes that thereexists one unified clock signal in the circuit and all inputs ofthe systems remain unchanged while evaluating their valuesin each simulation cycleThe results of simulation report onlythe final values of the output signals or states in the currentsimulation cycle
The detailed simulation process can be described asfollows Firstly cycle-based symbolic simulation is initializedby setting the state of the circuit to the initial vector Each ofthe primary input signals will be assigned a distinct symbolicor a constant value Then at the end of a simulation step theexpressions representing the next-state functions generallyundergo a parametric transformation based optimizationAfter transformation the newly generated functions are usedas present state for the next state of simulation
32 Arithmetic and Logic Unit Modeling In this paper weonly focus on arithmetic unit for calculating fixed-point oper-ations For any arithmetic unit integer arithmetic operations(addition subtraction multiplication and division) can beconstructed by the polynomials in Table 1
The basic logic operations like ldquoANDrdquo ldquoORrdquo and ldquoNOTrdquocan be modeled by the following forms Their correspondingpolynomial representations [15] are specified as in Table 2
Furthermore we can extend the above rule to othercommon logic operators For example
119910 = 1199091
oplus 1199092
(or 119910 = 1199091XOR 119909
2)
997904rArr ⟦oplus⟧ = (119910 minus (1199091
+ 1199092
minus 1199091
lowast 1199092) lowast (1 minus 119909
1lowast 1199092))
(4)
For all bit level variables 119909119894
(0 le 119894 le 119899) a limitation ⟨119909119894lowast
119909119894minus 119909119894⟩ should be added
33 Branch Unit Modeling Basically multiway branch is animportant control structure in digital system It provides a setof condition bits 119887119894 (0 le 119894 le 119861) a set of target identifiers(0 119879 minus 1) and a mapping from condition bit values to
target identifiers This mapping takes the form of a conditiontree
For any binary signal119909 its value should be limited to 1 0
by adding 119909 lowast 119909 minus 119909
119910 = 119872119906119909 (1199090 1199091 119909
119899 119904)
119894 = 119904 997888rarr 119910 = 119909119894 (0 le 119894 le 119899)
997904rArr ⟦119872119906119909⟧ = ⟨
119910 minus
119899minus1
sum
119894=1
( prod
119895isin01119899minus1119894
((119904 minus 119895)
(119894 minus 119895)))
lowast119909119894
⟩
(5)
with prod119899minus1
119894=0(119904 minus 119894) = 0
34 Sequential Unit Modeling Each flip-flop (FF) in thecircuit can bemodeled as amultiplexerWehave the followingproposition to state this model
Proposition 8 For a 119863 flip-flop (1198631015840 is the next state) withan enable signal 119888 its equivalent combinational formal is 119910
1015840=
119872119906119909(119863 1198631015840 119904) 119894 = 119904 rarr 119910
1015840= 119909119894 (0 le 119894 lt 2 119909
0= 119863 119909
1=
1198631015840) whose polynomial algebraic model can be described as
⟦119865119865119904⟧ =
⟨(1199101015840minus 119863) lowast (119888
1015840minus 1) (119910
1015840minus 1198631015840) lowast 119888 (119910
1015840minus 119863) lowast (119910
1015840minus 1198631015840)⟩
(6)
or
⟨1199101015840minus 119863 lowast (119888
1015840minus 1) minus 119863
1015840lowast 1198881015840⟩ (7)
Proof Let 119863 be the current state and let 1199101015840 denote the next
state of the flip-flop When the signal 1198881015840 value is 0 1199101015840 has the
same value as 119863 so that the FF maintains its present statewhen the signal 119888
1015840 value is 1 1199101015840 takes a new value from the
1198631015840 input (where 119863
1015840 denotes the new value next state of theFF) Therefore we have the 2-value multiway branch modeland its polynomial set representation for FF
Proposition 9 Let 119863 be an FF model (1198631015840 is the next state)without enable signal then its equivalent combinational formalpolynomial algebraic model can be described as (1199101015840 minus 119863)
Proof Straightforward
35 Sequential Unrolling Generally for a sequential circuitC one time frame of a sequential circuit is viewed as a combi-national circuit in which each flip-flop will be converted intotwo corresponding signals a pseudo primary input (PPI) anda pseudo primary output (PPO)
Symbolical simulation of a sequential circuit for 119899 cyclescan be regarded as unrolling the circuit 119899 timesThe unrolledcircuit is still a pure combinational circuit and the 119894th copy ofthe circuit represents the circuit at cycle 119894 Thus the unrolledcircuit contains all the symbolic results from the 119899 cycles
6 Journal of Applied Mathematics
36 Indexed Polynomial Set Representation To illustrate thesequential modeling for a given cycle number clearly wedefine an indexed polynomial set representation for the 119894thcycle
Let 119909119894[119897]
(0 le 119894 le 119903) denote the input signals for the 119897thclock119898119894
[119897](0 le 119894 le 119904) the intermediate signals and 119910119894
[119897](0 le
119894 le 119905) the output signals We then have the following timeframe expansion model for the sequential circuit
119865119872 =
119899
⋃
119894=0
119865119872 [119894] (8)
where 119865119872[119894] = C(1199091[119894]
1198981[119894]
1198981[119894]
1199091[119894+1]
1198981[119894+1]
1199101[119894+1]
) denote the 119894th time frame modelTime frame expansion is achieved by connecting the
PPIs (eg 1199091[119894+1]
from 119865119872[119894 + 1]) of the time frame to thecorresponding PPOs (1199091
[119894+1]from 119865119872[119894]) of the previous
time frame
4 Sequence Depth Calculation
In this subsection we will discuss the important feature ofSVA time range and its signal constraint unrolled model
In SVA for each sequence the earliest time step for theevaluation and the latest time step should be determinedfirstlyThe sequence is then unrolled based on above informa-tion Finally the unrolled sequence will be performed usingalgebraization process
In [3] a time range calculating algorithm is providedHere we will introduce some related definition and specialhandling for our purpose
The following is the syntax definition for time range
41 Time Range
Definition 10 (time range syntax) The syntax of ldquotime rangerdquocan be described as follows
119888119910119888119897119890 119889119890119897119886119910 119888119900119899119904119905 119903119886119899119892119890 119890119909119901119903119890119904119904119894119900119899 =
119888119900119899119904119905119886119899119905 119890119909119901119903119890119904119904119894119900119899 119888119900119899119904119905119886119899119905 119890119909119901119903119890119904119904119894119900119899
| 119888119900119899119904119905119886119899119905 119890119909119901119903119890119904119904119894119900119899 $
Note that 119888119900119899119904119905119886119899119905 119890119909119901119903119890119904119904119894119900119899 is computed at compiletime and must result in an integer value and can only be 0or greater
In this paper we only focus on constant time range caseThus its form can be simplified as
(1) 119886[119898 119899]119887 (119898 119899 isin N and 119899 ge 119898 ge 0)
(2) 1198781[119898 119899]119878
2(119898 119899 isin N and 119899 ge 119898 ge 0)
Here 119886 119887 are signals and 1198781 1198782are sequences
Assume the starting time is cycle 119905 then we have thesequence (1) will start (119899 minus 119898 + 1) sequences of evaluationwhich are
119886 119898119887
119886 (119898 + 1)119887
119886(119899 minus 119898 + 1)119887 respectively
Their corresponding algebraic forms are
⟦119886119898119887⟧[119905]
= ⟦119886119905and 119887119905+1
⟧
⟦119886(119898 + 1)119887⟧[119905]
= ⟦119886119905and 119887119905+2
⟧
⟦119886(119899 minus 119898 + 1)119887⟧[119905]
= ⟦119886119905and 119887119905+119899minus119898+1
⟧
Thenwe have the equivalent form of above representationset as
⟦(119886119905and 119887119905+119898
) or sdot sdot sdot or (119886119905and 119887119905+119899
)⟧ (9)
42 Sequential Depth Calculation The time range of asequential is a time interval during which an operation or aterminal of a sequence has to be considered and is denoted bya closed bounded set of positive integers
119879 = [119897 sdot sdot sdot ℎ] = 119909 | 119897 le 119909 le ℎ (here 119909 119897 ℎ isin N) (10)
Furthermore the maximum of two intervals 1198791and 119879
2is
defined by max(1198791 1198792) = [max(119897
1 1198972) sdot sdot sdotmax(ℎ
1 ℎ2)]
In the samemanner the sum of two time ranges of1198791and
1198792is defined as
1198791
+ 1198792
= [(1198971
+ 1198972) sdot sdot sdot (ℎ
1+ ℎ2)] (11)
Definition 11 (maximum sequential depth) The maximumsequential depth of a SVA expression 119865 or a sequence writtenas 119889119890119901(119865) is defined recursively
(i) 119889119890119901(119886) = [1 sdot sdot sdot 1] if 119886 is a signal
(ii) 119889119890119901(not119886) = [1 sdot sdot sdot 1] if 119886 is a signal
(iii) 119889119890119901(119886119887) = 119889119890119901(119886) + 119889119890119901(119887) if 1198651 1198652are sequences
of SVA
(iv) 119889119890119901(1198651[119898 119899]119865
2) = 119889119890119901(119865
1) + 119889119890119901(119865
2) + [119898 sdot sdot sdot 119899]
if 1198651 1198652are sequences of SVA
(v) 119889119890119901(1198651and 119865
2) = max(119889119890119901(119865
1) 119889119890119901(119865
2)) if119865
11198652are
sequences of SVA
(vi) 119889119890119901(1198651or 1198652) = max(119889119890119901(119865
1) 119889119890119901(119865
2)) if 119865
1 1198652are
sequences of SVA
(vii) 119889119890119901(1198651intersect 119865
2) = 119889119890119901(119865
1) + 119889119890119901(119865
2) minus 1 if 119865
1
1198652are sequences of SVA
(viii) 119889119890119901(119865[119899]) = 119899 lowast 119889119890119901(119865) if 119865 is a sequence of SVA
Journal of Applied Mathematics 7
[23]
e And [46]
[12] [23]
a b c d
[35] [35] [46][46]
[00]
Figure 2 Sequence depth parsing tree
For example the following sequence is used to illustratehow to calculate the sequence depth
sequence
119890 [2 sdot sdot sdot 3] ((119886[1sdot sdot sdot 2]119887) and (119888 [1 sdot sdot sdot 2] 119889))
endsequence
Figure 2 shows the binary parsing tree for calculatingsequence depth of this sequence The box denotes operatorand cycle denotes signal node in the syntax tree
Firstly consider the top layer of the parsing tree andthe sequence [2 sdot sdot sdot 3] Here because the first operand 119890
is a terminal of the sequence thus this operand becomesrelevant at time step 0 only (119879
1st = [0 sdot sdot sdot 0]) Since the intervalhas to be considered the second operand (the subtree ofldquoandrdquo)matches 2 or 3 time steps laterTherefore calculating isrecursively performed with 119879 = [0 sdot sdot sdot 0] + [2 sdot sdot sdot 3] = [2 sdot sdot sdot 3]
for the second operandSimilarly we can have the sequence depth of the whole
sequence and all its subsequences as denoted in the figure
5 SVA to Polynomial Set Translation
As mentioned previously SystemVerilog assertions are anintegral component of SystemVerilog and provide two kindsof assertions immediate assertions and concurrent asser-tions
In this section we only discuss concurrent assertions andtheir temporal layer representation model
Concurrent assertions express functional design intentand can be used to express assumed input behavior expectedoutput behavior and forbidden behavior That is assertionsdefine properties that the design must meet Many prop-erties can be expressed strictly from variables available inthe design while properties are often constructed out ofsequential behaviors
Thus we will firstly discuss the basic algebraizationprocess for the sequential behavior model
51 Algebraization Process Theproperties written in SVAwillbe unrolled and checked against the design for bounded timesteps in our method Note that only a constrained subset ofSVA can be supported by our method (unspecified upperbound time range and first-match operator are excluded)
Firstly we translate the properties described by theconstrained subset of SVA into flat sequences according tothe semantics of each supported operator
Asmentioned in [16] the total set of SVA is divided into 4subgroups namely simple sequence expression (SSE) inter-val sequence expression (ISE) complex sequence expression(CSE) and unbounded sequence expression (USE) Here inour method these groups can only be partly supported
Therefore we define the following sequence expressionsby adding further conditions
(i) Constrained simple sequence expression (CSSE) isformed by Boolean expression repeat operator andcycle delay operator
(ii) Constrained interval sequence expression (CISE) isa super set of CSSE formed by extra time rangeoperators
(iii) Constrained complex sequence expression is a superset of CSSE and CISE containing operators or andintersection
Secondly the unrolled flat sequences will be added totemporal constraints to form proportional formulas withlogical connectives (or and and not)
Finally the resulted proportional formulas will be trans-lated into equivalent polynomial set
Then the verification problem is reduced to proving zeroset inclusion relationship which can be resolved by Groebnerbases approaches
52 Boolean LayerModeling TheBoolean layer of SVA formsan underlying basis for the whole assertion architecturewhich consists of Boolean expressions that hold or do nothold at a given cycle
In this paper we distinguish between signal logic valuesand truth logic values That is for a truth logic statementabout a given property its truth can be evaluated to 119905119903119906119890 or119891119886119897119904119890 But for a signal when primary inputs are symbolicvalues its signal logic value may not be evaluated as ℎ119894119892ℎ or119897119900119908
Therefore we have the following definition for signallogic
Definition 12 (signal logic) In digital circuit systems signallogic (SL for short) is defined as
(i) if a signal119909 is active-high (119867 for short) then its signalvalue is defined as 1
(ii) if a signal 119909 is active-low (119871 for short) then its signalvalue is defined as 0
8 Journal of Applied Mathematics
Definition 13 (symbolic constant) A symbolic constant is arigid Boolean variable that forever holds the same BooleanvalueThe notion of symbolic constant was firstly introducedin STE [17] for two purposes
(1) to encode an arbitrary Boolean constraints among aset of circuit nodes in a parametric form
(2) to encode all possible scalar values for a set of nodes
Assume 119867 denotes a symbolic constant for signal logicand 119867 denotes its negative form if 119867 denotes ℎ119894119892ℎ then 119867
will be 119897119900119908Consider (119903119890119902==119867) and (119886119888119896==119867) as an example
According to our definitions 119903119890119902 and 119886119888119896 are signals belong-ing to signal logic while both (119903119890119902==119867) and (119886119888119896==119867) are oftruth logic
For example assertion (119886[15 0] == 119887[15 0]) is also avalid Boolean expression stating that the 16-bit vectors 119886[15
0] and 119887[15 0] are equalIn SVA the following are valid Boolean expressions
(i) 119886119903119903119886119910119860 == 119886119903119903119886119910119861
(ii) 119886119903119903119886119910119860 = 119886119903119903119886119910119861
(iii) 119886119903119903119886119910119860[119894] gt= 119886119903119903119886119910 119861[119895]
(iv) 119886119903119903119886119910119861[119894][119895+ 2] == 119886119903119903119886119910119860[119896][119898minus 2]
(v) (119886119903119903119886119910119860[119894]amp(119886119903119903119886119910119861[119895])) == 0
Since the state of a signal variable can be viewed as a zeroof a set of polynomials We have the following
(1) For any signal 119909 holds at a given time step 119894 thus thestate of 119909 == 1 (119909 is active-high at cycle 119894) can berepresented by polynomial 119909
[119894]minus 1
(2) Alternatively the state of 119909 == 0 (119909 is active-low atcycle 119894) can be represented by polynomial 119909
[119894]
(3) Symbolically the state of 119909 == 119867 (119909 is active-high 119867
at the 119894th cycle) can be modeled as 119909[119894]
minus 119867
53 Sequence Operator Modeling Temporal assertions definenot only the values of signals but also the relationshipbetween signals over time The sequences are the buildingblocks of temporal assertions and can express a set of linearbehavior lasting for one or more cycles These sequences areusually used to specify and verify interface and bus protocols
A sequence is a regular expression over the Booleanexpressions that concisely specifies a set of linear sequencesThe Boolean expressions must be true at those specific clockticks for the sequence to be true over time
SystemVerilog provides several sequence compositionoperators to combine individual sequences in a variety ofways that enhance code writing and readability which canconstruct sequence expressions from Boolean expressions
In this paper throughout operator [1 $] operator andthe first match operator are not supported by our method
SystemVerilog defines a number of operations that canbe performed on sequences The sequence compositionoperators in SVA are listed as follows
Definition 14 (sequence operator)
119877 = 119887ldquoBoolean expressionrdquo form
| (1 V = 119890) ldquolocal variable samplingrdquo form| (119877) ldquoparenthesisrdquo form| (11987711 119877
2) ldquoconcatenationrdquo form
| (11987710 119877
2) ldquofusionrdquo form
| (1198771or 1198772) ldquoorrdquo form
| (1198771intersect 119877
2) ldquointersectrdquo form
| first match (119877) ldquofirst matchrdquo form| 119877[lowast0] ldquonull repetitionrdquo form| 119877[lowast1 $] ldquounbounded repetitionrdquo form| [lowast] [=] [minus gt] ldquorepetitionrdquo repeater| throughoutspecifying a Boolean expression musthold throughout a sequence| withinspecifying conditions within a sequence
The resulted sequences constructed by operators are thenused in properties for use in assertions and covers
531 Cycle Delay Operator In SystemVerilog the con-struct is referred to as a cycle delay operator
ldquo1rdquo and ldquo0rdquo are concatenation operators the formeris the classical regular expression concatenation the latter isa variant with one-letter overlapping
A 119899 followed by a number 119899 or range specifies the 119899
cycles delay from the current clock cycle to the beginning ofthe sequence that follows
(1) Fixed-length Casesequence fixs
119886119899119887
endsequencerArr ⟦119891119894119909119904⟧ = ⟦119886⟧
119905 ⟦119887⟧119905+119899
(2) Time-range Casesequence 119905119898119904
119886[119898 sdot sdot sdot 119899]119887
endsequencerArr ⟦119905119898119904⟧ = ⟦119886⟧
[119905] ⟦119887⟧119898
[119905] or sdot sdot sdot or ⟦119886⟧
[119905] ⟦119887⟧119899
[119905]
532 Intersect Operator The two operands of intersectoperator are sequences The requirements for match of theintersect operation are as follows
(i) Both operands must match(ii) The lengths of the two matches of the operand
sequences must be the same
Journal of Applied Mathematics 9
1198771intersect 119877
2
1198771starts at the same time as 119877
2 the intersection will
match if 1198771 starting at the same time as 119877
2 matches at the
same time as 1198772matches
Therefore we have
⟦1198771intersect 119877
2⟧ = ⟦119877
1⟧119889119890119901(119877
1)
[119905]and ⟦1198772⟧119889119890119901(119877
2)
[119905] (12)
The sequence length matching intersect operator con-structs a sequence like the and nonlength matching operatorexcept that both sequences must be completed in same cycle
533 and Operator 1198771and 119877
2
This operator states that 1198771starts at the same time as 119877
2
and the sequence expression matches with the later of 1198771and
1198772matching This binary operator and is used when both
operands are expected to match but the end times of theoperand sequences can be different
That is 1198771and 119877
2denotes both 119877
1and 119877
2holds for the
same number cycles Then the matches of 1198771and 119877
2must
satisfy the following
(i) The start point of the match of 1198771must be no earlier
than the start point of the match of 1198772
(ii) The end point of thematch of1198771must be no later than
the end point of the match of 1198772
The sequence nonlength matching and operator con-structs a sequence in which two sequences both hold at thecurrent cycle regardless of whether they are completed in thesame cycle or in different cycles
⟦1198771and 119877
2⟧ 997904rArr
ℎ1
⋁
119894=1198971
ℎ2
⋁
119895=1198972
(⟦1198771⟧119894
[119905] and ⟦119877
2⟧119895
[119905]) (13)
Here 119897119894= 119889119890119901(119877
119894) sdot 119897 ℎ
119894= 119889119890119901(119877
119894) sdot ℎ and 0 lt 119894 le 2
534 or Operator 1198771or 1198772
The sequence or operator constructs a sequence in whichone of two alternative sequences hold at the current cycleThus the sequence (1198861119887) or (1198881119889) states that eithersequence 119886 119887 or sequence 119888 119889 would satisfy the assertion
⟦1198771or 1198772⟧ 997904rArr
ℎ1
⋁
119894=1198971
ℎ2
⋁
119895=1198972
(⟦1198771⟧119894
[119905] or ⟦119877
2⟧119895
[119905]) (14)
Here 119897119894= 119889119890119901(119877
119894) sdot 119897 ℎ
119894= 119889119890119901(119877
119894) sdot ℎ and 0 lt 119894 le 2
535 Local Variables SystemVerilog provides a feature bywhich variables can be used in assertions The user candeclare variables local to a property This feature is highlyuseful in pipelined designs where the consequent occur-rence might be many cycles later than their correspondingantecedents
Local variables are optional and local to properties Theycan be initialized assigned (and reassigned) a value operatedon and compared to other expressions
The syntax of a sequence declaration with a local variableis shown below
119904119890119902119906119890119899119888119890 119889119890119888119897119886119903119886119905119894119900119899 =
sequence 119904119890119902119906119890119899119888119890 119894119889119890119899119905119894119891119894119890119903[([119905119891 119901119900119903119905 119897119894119904119905])]
119886119904119904119890119903119905119894119900119899 V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899
119904119890119902119906119890119899119888119890 119890119909119901119903
endsequence [ 119904119890119902119906119890119899119888119890 119894119889119890119899119905119894119891119894119890119903]
The property declaration syntax with a local variable canbe illustrated as follows
119901119903119900119901119890119903119905119910 119889119890119888119897119886119903119886119905119894119900119899 =
property 119901119903119900119901119890119903119905119910 119894119889119890119899119905119894119891119894119890119903[([119905119891 119901119900119903119905 119897119894119904119905])]
119886119904119904119890119903119905119894119900119899V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899
119901119903119900119901119890119903119905119910 119904119901119890119888
endproperty [ 119901119903119900119901119890119903119905119910 119894119889119890119899119905119894119891119894119890119903]
The variable identifier declaration syntax of a local vari-able can be illustrated as follows
119886119904119904119890119903119905119894119900119899 V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899 =
V119886119903 119889119886119905119886 119905119910119901119890 119897119894119904119905 119900119891 V119886119903119894119886119887119897119890 119894119889119890119899119905119894119891119894119890119903119904
The dynamic creation of a variable and its assignment isachieved by using the local variable declaration in a sequenceor property declaration and making an assignment in thesequence
Thus local variables of a sequence (or property) may beset to a value which can be computed from a parameter orother objects (eg arguments constants and objects visibleby the sequence (or property))
For example a property of a pipeline with a fixed latencycan be specified below
property 119897119886119905119890119899119888119910119894119899119905 119909(V119886119897119894119889 119894119899 119909 = 119901 119894119899)|minus gt 3(119901 119900119906119905 == (119909 + 1))
endproperty
This property e is evaluated as followsWhen V119886119897119894119889 119894119899 is true 119909 is assigned the value of 119901 119894119899 If 3
cycles later 119901 119900119906119905 is equal to 119909 + 1 then property 119897119886119905119890119899119888119910 istrue Otherwise the property is false When V119886119897119894119889 119894119899 is falseproperty 119897119886119905119890119899119888119910 is evaluated as true
For the algebraization of SVA properties with localvariables in our method these local variables will be takenas common signal variables (symbolic constant) without anysequential information
Thus we have the polynomial set representation forproperty 119897119886119905119890119899119888119910
⟦119897119886119905119890119899119888119910⟧[119905]
=
(V119886119897119894119889 119894119899[119905]
minus 1)(119909 minus 119901 119894119899
[119905])
(119901 119900119906119905[119905+3]
minus (119909 + 1))
10 Journal of Applied Mathematics
536 Repetition Operators SystemVerilog allows the userto specify repetitions when defining sequences of BooleanexpressionsThe repetition counts can be specified as either arange of constants or a single constant expression
Nonconsecutive repetition specifies finitely many itera-tive matches of the operand Boolean expression with a delayof one or more clock ticks from one match of the operandto the next successive match and no match of the operandstrictly in between The overall repetition sequence matchesat or after the last iterative match of the operand but beforeany later match of the operand
The syntax of repetition operator can be illustrated asfollows
119899119900119899 119888119900119899119904119890119888119906119905119894V119890 119903119890119901 = [= 119888119900119899119904119905 119900119903 119903119886119899119892119890 119890119909119901119903] (15)
The number of iterations of a repetition can be specifiedby exact count
For example a sequence with repetition can be defined as
119886 |=gt 119887 [= 3] 1 119888 (16)
The sequence expects that 2 clock cycles after the validstart signal ldquo119887rdquo will be repeated three times
We have ⟦119877[= 119899]⟧ = ⋁119899
119894=0(⟦119877⟧
119894lowast119889119890119901(119877)
[119905])
54 Property OperatorModeling In general property expres-sions in SVA are built using sequences other sublevel proper-ties and simple Boolean expressions via property operators
In SVA a property that is a sequence is evaluated as trueif and only if there is a nonempty match of the sequenceA sequence that admits an empty match is not allowed as aproperty
The success of assertion-based verification methodologyrelies heavily on the quality of properties describing theintended behavior of the design Since it is a fairly newmethodology verification and design engineers are oftenfaced with a question of ldquohow to identify good propertiesrdquo fora design It may be tempting to write properties that closelyresemble the implementation
Properties we discussed in this paper can be classified as
(1) Design Centric Design centric properties represent asser-tions added by the RTL designers to characterize whitebox design attributes These properties are typically towardsFSMs localmemories clock synchronization logic and otherhardware-related designs The design should conform to theexpectations of these properties
(2) Assumption Centric Assumption centric properties rep-resent assumptions about the design environment They areused in informal verification to specify assumptions about theinputs The assume directive can inform a verification tool toassume such a condition during the analysis
(3) RequirementVerification Centric Many requirementproperties are best described using a ldquocause-to-effectrdquo stylethat specifies what should happen under a given conditionThis type of properties can be specified by implication
operator For example a handshake can be described as ldquoifrequest is asserted then acknowledge should be assertedwithin 5 cyclesrdquo
In general property expressions are built using sequen-ces other sublevel properties and simple Boolean expres-sions
These individual elements are combined using propertyoperators implication NOT ANDOR and so forth
The property composition operators are listed as follows
Definition 15 (property operator)
119875 = 119877lowast ldquosequencerdquo form lowast
|(119875)lowast ldquoparenthesisrdquo form lowast
|not 119875lowast ldquonegationrdquo form lowast
|(1198751or 1198752)lowast ldquoorrdquo form lowast
|(1198751and 119875
2)lowast ldquoandrdquo form lowast
|(119877|minus gt 119875) |(119877| =gt 119875)lowast ldquoimplicationrdquo form lowast
|disable iff(119887) 119875lowast ldquoresetrdquo form lowast
Note that disable if and only if will not be supportedin this paper Property operators construct properties out ofsequence expressions
541 Implication
Operators The SystemVerilog implication operator supportssequence implication and provides two forms of implicationoverlapped using operator |minus gt and nonoverlapped usingoperator | =gt respectively
The syntax of implication is described as follows
119904119890119902119906119890119899119888119890 119890119909119901119903 | minus gt 119901119903119900119901119890119903119905119910 119890119909119901119903
119904119890119902119906119890119899119888119890 119890119909119901119903 | =gt 119901119903119900119901119890119903119905119910 119890119909119901119903
(17)
The implication operator takes a sequence as its anteced-ent and a property as its consequent Every time the sequencematches the property must hold Note that both the runningof the sequence and the property may span multiple clockcycles and that the sequence may match multiple times
For each successful match of the antecedent sequencethe consequence sequence (right-hand operand) is sepa-rately evaluated beginning at the end point of the matchedantecedent sequence All matches of antecedent sequencerequire a match of the consequence sequence
Moreover if the antecedent sequence (left hand operand)does not succeed implication succeeds vacuously by return-ing true For many protocol related assertions it is importantto specify the sequence of events (the antecedent or cause)that must occur before checking for another sequence (theconsequent or effect) This is because if the antecedent doesnot occur then there is no need to perform any furtherverification In hardware this occurs because the antecedentreflects an expression that when active triggers something tohappen
Journal of Applied Mathematics 11
A property with a consequent sequence behaves as if theconsequent has an implication first-match applied to it
542 NOT
Operator The operator NOT 119901119903119900119901119890119903119905119910 119890119909119901119903 states that theevaluation of the property returns the opposite of the eval-uation of the underlying 119901119903119900119901119890119903119905119910 119890119909119901119903
543 AND
Operator The formula ldquo1198751AND 119875
2rdquo states that the property
is evaluated as true if and only if both 1198751and 1198752are evaluatd
as true
544 OR
Operator The operator ldquo1198751OR 119875
2rdquo states that the property is
evaluated as true if and only if at least one of 1198751and 119875
2is
evaluated as true
545 IF-ELSE
Operator This operator has two valid forms which are listedas follows
(1) IF (119889119894119904119905) 1198751
A property of this form is evaluated as true if and only ifeither 119889119894119904119905 is evaluated as false or 119875
1is evaluated as true
(2) IF (119889119894119904119905) 1198751ELSE 119875
2
A property of this form is evaluated as true if and only ifeither 119889119894119904119905 is evaluated as true and 119875
1is evaluated as true or
119889119894119904119905 is evaluated as false and 1198752is evaluated as true
From previous discussion we have the following propo-sition for property reasoning
Proposition 16 Assume that1198751198751 and119875
2are valid properties
in SVA the following rules are used to construct the correspond-ing verification process Here 119860119904119904119862ℎ119896(119872119900119889119890119897 119875119903119900119901119890119903119905119910)
ture false is a self-defined checking function that can deter-mine whether a given ldquo119875119903119900119901119890119903119905119910rdquo holds or not with respect toa circuit model ldquo119872119900119889119890119897rdquo
(1) 1198751OR 119875
2rArr 119860119904119904119862ℎ119896(119872 ⟦119875
1⟧) or 119860119904119904119862ℎ119896(119872 ⟦119875
2⟧)
(2) 1198751AND 119875
2rArr 119860119904119904119862ℎ119896(119872 ⟦119875
1⟧)and119860119904119904119862ℎ119896(119872 ⟦119875
2⟧)
(3) NOT 119875 rArr not119860119904119904119862ℎ119896(119872 ⟦119875⟧)
(4) IF (119889119894119904119905) 1198751
rArr not119860119904119904119862ℎ119896(119872 119889119894119904119905) or 119860119904119904119862ℎ119896(119872
⟦1198751⟧)
(5) IF (119889119894119904119905) 1198751ELSE 119875
2rArr (119860119904119904119862ℎ119896(119872 119889119894119904119905)and119860119904119904119862ℎ119896
(119872 ⟦1198751⟧))or(not119860119904119904119862ℎ119896(119872 119889119894119904119905)and119860119904119904119862ℎ119896(119872 ⟦119875
2⟧))
(6) 119878 | minus gt 119875 rArr if (not119860119904119904119862ℎ119896(119872 ⟦119878⟧))119903119890119905119906119903119899 true else(119860119904119904119862ℎ119896(119872 ⟦119878⟧
[119905]) and 119860119904119904119862ℎ119896(119872 ⟦119875⟧
dep(119875)[119905+dep(119878)minus1]))
(7) 119878 |=gt 119875 rArr if(not119860119904119904119862ℎ119896(119872 ⟦119878⟧))119903119890119905119906119903119899 true else(119860119904119904119862ℎ119896(119872 ⟦119878⟧
[119905]) and 119860119904119904119862ℎ119896(119872 ⟦119875⟧
dep(119875)[119905+dep(119878)]))
6 Verification Algorithm
In this section we will describe how an assertion is checkedusing Groebner bases approach Firstly we will discussa practical algorithm using Groebner bases for assertionchecking
61 Basic Principle As just mentioned our checking methodis based on algebraic geometry which is the study of thegeometric objects arising as the common zeros of collectionsof polynomials Our aim is to find polynomials whosezeros correspond to pairs of states in which the appropriateassignments are made
We can regard any set of points in 119896119899 as the variety of some
ideal We can then use the ideal or any basis for the ideal as away of encoding the set of points
From Groebner Bases theory [10 12] every nonzero ideal119868 sub 119896[119909
1 119909
119899] has a Groebner basis and the following
proposition evidently holds
Proposition 17 Let 119862 and 119878 be polynomial sets of 119896[1199091
119909119899] and ⟨119866119878⟩ a Groebner basis for ⟨119878⟩ and then we have that
⟨119862⟩ sube ⟨119878⟩ hArr forall119888 isin 119862 119903119890119898119889(119888 119866119878) == 0 holds
Theorem 18 Suppose that 119860(⟦119860⟧ = 1198861 1198862 119886
119903) is a
property to be verified 119879 is the initial preconditions of 119862 and119872 is a system model to be checked Let ⟦119879⟧ and ⟦119872⟧ bethe polynomial set representations for 119879 and 119872 respectivelyconstructed by previous mentioned rules Let 119867 = ⟦119879 cup 119872⟧ =
ℎ1 ℎ2 ℎ
119904 sube 119896[119909
1 119909
119899] 119868 = ⟨119867⟩ (where ⟨119867⟩ denotes
the ideal generated by 119867) and 119866119861119867
= 119892119887119886119904119894119904(119867 ≺) then wehave
( (1 notin 119866119861119867
) and 119903119890119898119889 (119862 119866119861119867
) == 0)
lArrrArr ((1 notin 119866119861119867
) and119903
⋀
119894=0
(119903119890119898119889 (119892119894 119866119861119867
) == 0))
lArrrArr (119872 |= 119860) holds
(18)
Proof (1) The polynomial set ⟦119872⟧ of system model 119872
describes the data-flow relationship that inputs outputs andfunctional transformation should meet The initial condition⟦119872⟧ can be seen as extra constraint applied by users Thereshould not exist contradiction between them that is thepolynomial equations of ⟦119879 cup 119872⟧ must have a commonsolution
ByHilbertrsquos Nullstellensatz theory if we have polynomials⟦119879 cup 119872⟧ = 119891
1 119891
119904 isin 119896[119909
1 119909
119899] we compute a
reducedGroebner basis of the ideal they generatewith respectto any ordering If this basis is 1 the polynomials have nocommon zero in 119896
119899 if the basis is not 1 they must have acommon zero
Therefore (1 notin 119866119861119867
) should hold(2) Evidently by previous proposition it is easy to have
that 119903119890119898119889(119862 119866119861119867
) == 0 should holdThus we have that this theorem holds
12 Journal of Applied Mathematics
Input(1) circuit model 119872(2) initial condition 119879(3) an assertion 119860Output Boolean 119905119903119906119890 or 119891119886119897119904119890BEGIN
lowastStep 1 initialize input signals via testbench lowast(00) 119868119899119894119905119878119894119892119899119886119897119904()(01) M = 0PS
119860= 0 119867 = 0PS
119879= 0
lowastStep 2 build polynomial model lowast(02) M = ⟦119872⟧ = 119861119906119894119897119889PS(119872)
lowastStep 3 build polynomial set for initial condition 119879lowast
(03) 119875119878119879
= ⟦119879⟧ = 119861119906119894119897119889PS(119879)lowastStep 4 build polynomial set for consequentA lowast
(04) 119875119878119860
= ⟦119860⟧ = 119861119906119894119897119889PS(119860)lowastStep 5 calculate the PS
119879cup Mlowast
(05) 119867 = PST cup MlowastStep 6 calculate the Groebner base of ⟨119867⟩
lowast(06) GB
119867= 119892basis(119867 ≺)
lowastStep 7 determine the basis is 1 or not lowast(07) if(1 isin GB
119867)
(08) return 119891119886119897119904119890 lowastStep 8 check every polynomial lowastlowast119860 = 119886
1 1198862 119886
|119860|lowast
(09) 119894 = 1(10) 119908ℎ119894119897119890(119894 le |119860|)
(11) if(119903119890119898119889(⟦119886119894⟧ GB
119867) = 0)
(12) return 119891119886119897119904119890 (13) i++(14) lowast endwhile lowast(15) return 119905119903119906119890 lowast Assertion does hold lowastEND
Algorithm 1 ldquo119860119904119904119862ℎ119896119875119900119897119910119861119906119894119897119889(119872 119879 119860)rdquo
62 Checking Algorithm For simplicity in this section weonly provide the key decision algorithm
Firstly the original system model is transformed into anormal polynomial representation and the assertion as wellThen calculate the hypothesis set and its Groebner basisusing the Buchberger algorithm [18] and their eliminationideals Finally examine the inclusion relationship betweenelimination ideals to determine whether the assertion to bechecked holds or not
From above discussion we have the following processsteps and detailed algorithm description Algorithm 1
For convenience we can derive another version checkingprocedure named ldquo119860119904119904119862ℎ119896(⟦119872⟧ ⟦119860⟧)rdquo which can acceptpolynomial representations as inputs without explicit poly-nomial construction process
Further by applying Theorem 18 and the checking algo-rithm ldquo119860119904119904119862ℎ119896(⟦119872⟧ ⟦119860⟧)rdquo we can easily verify all sup-ported properties written in SVA
7 An Example
In this section we will study a classical circuit to show howSVA properties are verified by polynomial representation andalgebra computation method
Consider the Johnson counter circuit in Figure 3 Johnsoncounters can provide individual digit outputs rather than a
3 2 1
m1m2m3
m4clk
And
Andy
Figure 3 Johnson counter
Table 3 Table of Johnson counter output
Counter (clock) V3(1198983) V2(1198982) V1(1198981)
0 0 0 01 1 0 02 1 1 03 0 1 14 0 0 15 0 0 0
binary or BCD output as shown in Table 3 Notice that eachlegal count may be defined by the location of the last flip-flopto change states and which way it changed state
71 Algebraization of Circuit and Assertion Johnson counterprovides individual digit outputs as shown in Table 3
The polynomial set for Johnson counter circuit in Figure 3can be constructed as follows
119878119890119905adder = 1198911 = 11989831015840minus 1198984 1198912 = 1198982
1015840minus 1198983
1198913 = 11989811015840minus 1198982
1198914 = 1198984 minus (1 minus 1198981) lowast (1 minus 1198982)
1198915 = 119910 minus 1198981 lowast (1 minus 1198982)
(19)
where 11989811015840 denotes the next state of 1198981 For the 119894th cycle we
use 1199091[119894]to denote variable name in current cycle
Similarly another Johnson counter circuit with an erroris shown in Figure 4 the corresponding polynomial set canbe described by
119878119890119905adder = 1198911 1198912 1198913
11989141015840
= 1198984 + 1198981 + 1198982
minus (1 minus 1198981) lowast (1 minus 1198982) 1198915
(20)
Journal of Applied Mathematics 13
3 2 1
m1m2m3
m4clk
Or
Andy
Figure 4 Johnson counter with error
To illustrate the problem clearly we define polynomial setrepresentation 119875119872[119894] for 119894th cycle as follows
119875119872 [119894] = 1198983[119894+1]
minus 1198984[119894]
1198982[119894+1]
minus 1198983[119894]
1198981[119894+1]
minus 1198982[119894]
1198984[119894]
minus (1 minus 1198982[119894]
) lowast (1 minus 1198981[119894]
)
119910 minus 1198981[119894]
lowast (1 minus 1198982[119894]
)
(21)
Support that the circuit will run 6 cycles for verificationtherefore we have 119875119872 = ⋃
5
119894=0119875119872[119894]
For any Boolean variable 119886 we will add an extra con-straint 119886lowast119886minus119886Thus we define the corresponding constraintsset as follows 119862119873119878[119894] = 119888
[119894]lowast 119888[119894]
minus 119888[119894]
119888 isin 1198981 1198982 1198983 1198984
119910In the same manner we have 119862119873119878 = ⋃
5
119894=0119862119873119878[119894]
The sequential property for this counter circuit can bespecified by the following SystemVerilog assertions
property 119869119862119875119860
(1198983 = 0 ampamp 1198982 = 0 ampamp 1198981 = 0)
| =gt 1(1198983 == 1 ampamp 1198982 == 0 ampamp 1198981 == 0)
| =gt 2(1198983 == 1 ampamp 1198982 == 1 ampamp 1198981 == 0)
| =gt 3(1198983 == 0 ampamp 1198982 == 1 ampamp 1198981 ==
1)
endpropertyproperty 1198691198621198751
(119888119897119896)(1198981 == 0)| =gt 2 (1198981 == 0)
endpropertyproperty 1198691198621198752
(119888119897119896)(1198982 == 0)| =gt 2 (1198982 == 1)
endpropertyproperty 1198691198621198753
(119888119897119896)(1198983 == 0)| =gt 2 (1198983 == 1)
endproperty
Table 4 Polynomial forms
Name Precondition Expected consequent
JCPA
1198981[0]
1198982[0]
1198983[0]
cycle 1 1198981[1]
minus 1 1198982[1]
1198983[1]
cycle 2 1198981[2]
minus 1 1198982[2]
minus 1 1198983[2]
cycle 3 1198981[3]
1198982[3]
minus 1 1198983[3]
minus 1
JCP1 1198981[0]
1198981[2]
JCP2 1198982[0]
1198982[2]
minus 1
JCP3 1198983[0]
1198983[2]
minus 1
We will afterwards demonstrate the verification processstep by step
The circuit model to be verified is as shown below
119878119872 = 119875119872 cup 119862119873119878 (22)
The property of this counter can be specified as thefollowing SVA assertion
assert property (1198691198621198751)
assert property (1198691198621198752)
The Algebraization form of the above properties can bemodeled as in Table 4
72 Experiment Using Maple We run this example by usingMaple 13 Before running we manually translated all modelsinto polynomials The experiment is performed on a PC witha 240GHz CPU (intel i5M450) and 1024MB of memoryIt took about 004 seconds and 081MB of memory whenapplying Groebner method
[gtwith(Groebner)[gt 119862119872 = sdot sdot sdot
lowastCircuit Modellowast[gt 119879119863119864119866 = 119905119889119890119892(
1198981[0] 1198982[0] 1198983[0] 1198984[0]
1198981[1] 1198982[1] 1198983[1] 1198984[1]
1198981[2] 1198982[2] 1198983[2] 1198984[2]
1198981[3] 1198982[3] 1198983[3] 1198984[3]
1198981[4] 1198982[4] 1198983[4] 1198984[4]
119910[0] 119910[1] 119910[2] 119910[3]
)
[gt 119862119866119861 = 119861119886119904119894119904(119862119872 119879119863119864119866)
Thus we can have the Groebner basis as follows
[gt [1199101[3]
1199101[2]
1199101[1]
1199101[1]
1198983[4]
1198982[4]
1198981[4]
minus 1 1198984[3] 1198983[3] 1198982[3]
minus 1 1198981[3]
minus 11198984[2] 1198983[2]
minus 1 1198982[2]
minus 1 1198981[2] 1198984[1]
minus 11198983[1]
minus 11198982[1] 1198981[1] 1198984[0]
minus 1 1198983[0] 1198982[0] 1198981[0]
]
[gt 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983[1]
minus 1 119862119866119861 119879119863119864119866)
[gt 119903119890119905 = 0
14 Journal of Applied Mathematics
Table 5 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862119866119861
080M 002 S0
Yes1198982[1]
1 notin 119862119866119861 0
1198983[1]
minus 1 1 notin 119862119866119861 0
11198981[2]
1 notin 119862119866119861
081M 003 S0
Yes1198982[2]
minus 1 1 notin 119862119866119861 0
1198983[2]
minus 1 1 notin 119862119866119861 0
21198981[3]
minus 1 1 notin 119862119866119861
081M 004 S0
Yes1198982[3]
minus 1 1 notin 119862119866119861 0
1198983[3]
1 notin 119862119866119861 0
3 1198981[2]
1 notin 119862119866119861 081M 004 S 0 Yes4 1198982
[2] 1 notin 119862119866119861 081M 004 S 0 Yes
5 1198983[2]
1 notin 119862119866119861 081M 004 S 0 Yes
Table 6 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862GB080M 002 S
0
Yes1198982[1]
1 notin 119862GB 0
1198983[1]
minus 1 1 notin 119862GB 0
11198981[2]
1 notin 119862GB081M 003 S
0
Yes1198982[2]
minus 1 1 notin 119862GB 0
1198983[2]
minus 1 1 notin 119862GB 0
21198981[3]
minus 1 1 notin 119862GB081M 014 S
0
NO1198982[3]
minus 1 1 notin 119862GB 0
1198983[3]
1 notin 119862GB minus1
As shown in maple outputs the given circuit has beenmodeled as polynomial set119862119872 (itsGroebner bases is denotedby 119862119866119861) and assertion expected result as 1198983
[1]minus 1 From
the running result we have 1 notin 119862119866119861 and return valueof 119873119900119903119898119886119897119865119900119903119898 is 0 which means 119862119866119861 is divided with noremainder by 1198983
[1]minus 1
Thus from the previously mentioned verification princi-ples it is easy to conclude that the assertion 1198691198621198751 holds underthis circuit model after 3 cycles
More detailed experiment results for verification of cir-cuit shown in Figure 3 are listed in Table 5
Conversely we check these assertions against the circuitshown in Figure 4 in a similar way More detailed experimentresults are demonstrated in Table 6
From above table when checking 119869119862119875119860 assertion theresult 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983
[3] 119862119866119861 119879119863119864119866) = 0 so that
we can conclude the assertion does not holdTherefore theremust exist unexpected errors in the original circuit
This case is a fairly complete illustration of how thechecking algorithm works
8 Conclusion
In this paper we presented a new method for SVA prop-erties checking by using Groebner bases based symbolicalgebraic approaches To guarantee the feasibility we defined
a constrained subset of SVAs which is powerful enough forpractical purposes
We first introduce a notion of symbolic constant withoutany sequential information for handling local variables inSVAs inspired from STE We then proposed a practical alge-braizationmethod for each sequence operator For sequentialcircuits verification we introduce a parameterized polyno-mial set modeling method based on time frame expansion
Our approach is based on polynomial models construc-tion for both circuit models and SVA assertionsThis methodis to eventually translate a simulation based verificationproblem into a pure algebraic zero set determination problemby a series of proposed steps which can be performed on anygeneral symbolic algebraic tool
Thismethod allows users to deal withmore than one stateand many input combinations every cycle This advantagecomes directly from the fact that many vectors are simulatedat once using symbolic value
In summary in this research by suitable restrictions ofSVA assertions we can guarantee the availability of polyno-mial set representation Based on this polynomial set modelsymbolic simulation can be performed to produce symbolictraces and temporal relationship constraints of signal vari-ables as well We then apply symbolic algebra approach tocheck the zeros set relation between their polynomial sets anddetermine whether the temporal assertion holds or not undercurrent running cycle
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
The project is supported by the National Natural ScienceFoundation of China under Grant no 11371003 theNatural Science Foundation of Guangxi under Grantsnos 2011GXNSFA018154 2012GXNSFGA060003 and2013GXNSFAA019342 the Science and TechnologyFoundation of Guangxi under Grant no 10169-1 theScientific Research Project no 201012MS274 from GuangxiEducation Department the Fundamental Research Fundsfor the Central Universities under Grants nos DUT14QY05and HCIC201204 of Guangxi Key Laboratory of HybridComputation and IC Design Analysis Open Fund andthe Baguio scholarship Project of Guangxi The authorswould like to thank their colleagues for participating in theresearch They also appreciate the anonymous reviewers fortheir helpful comments
References
[1] IEEE System Verilog Working Group IEEE Standard forSystemVerilog C Unified Hardware Design Specification andVerification (IEEE Std 1800-2005) IEEE 2005
[2] ldquoIEEE draft standard for system verilogmdashunified hardware de-sign specification and verification languagerdquo IEEE P1800D32011
Journal of Applied Mathematics 15
[3] R Wille G Fey M Messing G Angst L Linhard and RDrechsler ldquoIdentifying a subset of SystemVerilog assertions forefficient bounded model checkingrdquo in Proceedings of the 11thEUROMICRO Conference on Digital System Design Architec-tures Methods and Tools (DSD rsquo08) pp 542ndash549 September2008
[4] L Darringer ldquoApplication of program verification techniques tohardware verificationrdquo in Proceedings of the IEEE-ACM DesignAutomation Conference pp 375ndash381 1979
[5] G S Avrunin ldquoSymbolic model checking using algebraicgeometryrdquo in Proceedings of the 8th International Conference onComputer Aided Verification vol CAV96 pp 26ndash37 SpringerLondon UK 1996
[6] W B Mao and J Z Wu ldquoApplication of Wus method to sym-bolic model checkingrdquo in Proceedings of the 2005 internationalSymposiumon Symbolic andAlgebraic Computation (ISSAC rsquo05)pp 237ndash244 ACM Press Beijing China 2005
[7] J Wu and L Zhao ldquoMulti-valued model checking via groebnerbasis approachrdquo in Proceedings of the 1st Joint IEEEIFIP Sympo-sium on Theoretical Aspects of Software Engineering (TASE rsquo07)pp 35ndash44 IEEE Computer Society Press June 2007
[8] N Zhou J Wu and X Gao ldquoAlgebraic verification method forSEREs properties via Groebner bases approachesrdquo Journal ofAppliedMathematics vol 2013 Article ID 272781 10 pages 2013
[9] X Gao N Zhou J Wu and D Li ldquoWursquos characteristic setmethod for SystemVerilog assertions verificationrdquo Journal ofApplied Mathematics vol 2013 Article ID 740194 14 pages2013
[10] J Little D Cox andD OrsquoShea Ideals Varieties and AlgorithmsSpringer New York NY USA 1992
[11] T Becker andVWeispfenningGrobner Bases AComputationalApproach to Commutative Algebra Springer New York NYUSA 1993
[12] B Buchberger ldquoGroebner bases an algorithmic method inpolynomial ideal theoryrdquo in Multidimensional Systems Theorypp 184ndash232 1985
[13] S B Akers ldquoBinary decision diagramsrdquo IEEE Transactions onComputers C vol 27 no 6 pp 509ndash516 1978
[14] S Hoereth and R Drechsler ldquoFormal verification of word-levelspecificationsrdquo in Proceedings of the Design Automation andTest in Europe Conference and Exhibition pp 52ndash58 MunichGermany 1999
[15] Y M Ryabukhin ldquoBoolean ringrdquo in Encyclopaedia of Mathe-matics Springer Michiel Germany 2001
[16] S Das R Mohanty P Dasgupta and P P Chakrabarti ldquoSynthe-sis of system verilog assertionsrdquo in Proceedings of the Conferenceon Design Automation and Test in Europe Designersrsquo Forum(DATE rsquo06) pp 70ndash75 European Design and AutomationAssociation Leuven Belgium March 2006
[17] C-J Seger and R E Bryant ldquoFormal verification by symbolicevaluation of partially-ordered trajectoriesrdquo Formal Methods inSystem Design vol 6 no 2 pp 147ndash190 1995
[18] D Cox J Little and D OrsquoShea Ideals Varieties and AlgorithmsAn Introduction to Computational Algebraic Geometry andCommutative Algebra Undergraduate Texts in MathematicsSpringer New York 3rd edition 2007
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Journal of Applied Mathematics 5
Table 1 Polynomial model for arithmetic operation
Arithmetic operation Polynomial representation119910 = 119886 + 119887 ⟦+⟧ = (119910 minus 119886 minus 119887)
119910 = 119886 minus 119887 ⟦minus⟧ = (119910 minus 119886 + 119887)
119910 = 119886 lowast 119887 ⟦lowast⟧ = (119910 minus 119886 lowast 119887)
119910 = 119886119887 ⟦⟧ = (119910 lowast 119887 minus 119886)
Table 2 Polynomial model for logic operation
Arithmetic operation Polynomial representation119910 = NOT 119909 ⟦NOT⟧ = (1 minus 119909 minus 119910)
119910 = 1199091AND 119909
2⟦AND⟧ = (119909
1lowast 1199092
minus 119910)
119910 = 1199091OR 119909
2⟦OR⟧ = (119909
1+ 1199092
minus 1199091
lowast 1199092
minus 119910)
Cycle-based symbolic simulation will be performed onthe system model for verification Intuitively cycle-basedsymbolic simulation is a hybrid approach in the sense that thevalues that are propagated through the network can be eithersymbolic expressions or constant values It assumes that thereexists one unified clock signal in the circuit and all inputs ofthe systems remain unchanged while evaluating their valuesin each simulation cycleThe results of simulation report onlythe final values of the output signals or states in the currentsimulation cycle
The detailed simulation process can be described asfollows Firstly cycle-based symbolic simulation is initializedby setting the state of the circuit to the initial vector Each ofthe primary input signals will be assigned a distinct symbolicor a constant value Then at the end of a simulation step theexpressions representing the next-state functions generallyundergo a parametric transformation based optimizationAfter transformation the newly generated functions are usedas present state for the next state of simulation
32 Arithmetic and Logic Unit Modeling In this paper weonly focus on arithmetic unit for calculating fixed-point oper-ations For any arithmetic unit integer arithmetic operations(addition subtraction multiplication and division) can beconstructed by the polynomials in Table 1
The basic logic operations like ldquoANDrdquo ldquoORrdquo and ldquoNOTrdquocan be modeled by the following forms Their correspondingpolynomial representations [15] are specified as in Table 2
Furthermore we can extend the above rule to othercommon logic operators For example
119910 = 1199091
oplus 1199092
(or 119910 = 1199091XOR 119909
2)
997904rArr ⟦oplus⟧ = (119910 minus (1199091
+ 1199092
minus 1199091
lowast 1199092) lowast (1 minus 119909
1lowast 1199092))
(4)
For all bit level variables 119909119894
(0 le 119894 le 119899) a limitation ⟨119909119894lowast
119909119894minus 119909119894⟩ should be added
33 Branch Unit Modeling Basically multiway branch is animportant control structure in digital system It provides a setof condition bits 119887119894 (0 le 119894 le 119861) a set of target identifiers(0 119879 minus 1) and a mapping from condition bit values to
target identifiers This mapping takes the form of a conditiontree
For any binary signal119909 its value should be limited to 1 0
by adding 119909 lowast 119909 minus 119909
119910 = 119872119906119909 (1199090 1199091 119909
119899 119904)
119894 = 119904 997888rarr 119910 = 119909119894 (0 le 119894 le 119899)
997904rArr ⟦119872119906119909⟧ = ⟨
119910 minus
119899minus1
sum
119894=1
( prod
119895isin01119899minus1119894
((119904 minus 119895)
(119894 minus 119895)))
lowast119909119894
⟩
(5)
with prod119899minus1
119894=0(119904 minus 119894) = 0
34 Sequential Unit Modeling Each flip-flop (FF) in thecircuit can bemodeled as amultiplexerWehave the followingproposition to state this model
Proposition 8 For a 119863 flip-flop (1198631015840 is the next state) withan enable signal 119888 its equivalent combinational formal is 119910
1015840=
119872119906119909(119863 1198631015840 119904) 119894 = 119904 rarr 119910
1015840= 119909119894 (0 le 119894 lt 2 119909
0= 119863 119909
1=
1198631015840) whose polynomial algebraic model can be described as
⟦119865119865119904⟧ =
⟨(1199101015840minus 119863) lowast (119888
1015840minus 1) (119910
1015840minus 1198631015840) lowast 119888 (119910
1015840minus 119863) lowast (119910
1015840minus 1198631015840)⟩
(6)
or
⟨1199101015840minus 119863 lowast (119888
1015840minus 1) minus 119863
1015840lowast 1198881015840⟩ (7)
Proof Let 119863 be the current state and let 1199101015840 denote the next
state of the flip-flop When the signal 1198881015840 value is 0 1199101015840 has the
same value as 119863 so that the FF maintains its present statewhen the signal 119888
1015840 value is 1 1199101015840 takes a new value from the
1198631015840 input (where 119863
1015840 denotes the new value next state of theFF) Therefore we have the 2-value multiway branch modeland its polynomial set representation for FF
Proposition 9 Let 119863 be an FF model (1198631015840 is the next state)without enable signal then its equivalent combinational formalpolynomial algebraic model can be described as (1199101015840 minus 119863)
Proof Straightforward
35 Sequential Unrolling Generally for a sequential circuitC one time frame of a sequential circuit is viewed as a combi-national circuit in which each flip-flop will be converted intotwo corresponding signals a pseudo primary input (PPI) anda pseudo primary output (PPO)
Symbolical simulation of a sequential circuit for 119899 cyclescan be regarded as unrolling the circuit 119899 timesThe unrolledcircuit is still a pure combinational circuit and the 119894th copy ofthe circuit represents the circuit at cycle 119894 Thus the unrolledcircuit contains all the symbolic results from the 119899 cycles
6 Journal of Applied Mathematics
36 Indexed Polynomial Set Representation To illustrate thesequential modeling for a given cycle number clearly wedefine an indexed polynomial set representation for the 119894thcycle
Let 119909119894[119897]
(0 le 119894 le 119903) denote the input signals for the 119897thclock119898119894
[119897](0 le 119894 le 119904) the intermediate signals and 119910119894
[119897](0 le
119894 le 119905) the output signals We then have the following timeframe expansion model for the sequential circuit
119865119872 =
119899
⋃
119894=0
119865119872 [119894] (8)
where 119865119872[119894] = C(1199091[119894]
1198981[119894]
1198981[119894]
1199091[119894+1]
1198981[119894+1]
1199101[119894+1]
) denote the 119894th time frame modelTime frame expansion is achieved by connecting the
PPIs (eg 1199091[119894+1]
from 119865119872[119894 + 1]) of the time frame to thecorresponding PPOs (1199091
[119894+1]from 119865119872[119894]) of the previous
time frame
4 Sequence Depth Calculation
In this subsection we will discuss the important feature ofSVA time range and its signal constraint unrolled model
In SVA for each sequence the earliest time step for theevaluation and the latest time step should be determinedfirstlyThe sequence is then unrolled based on above informa-tion Finally the unrolled sequence will be performed usingalgebraization process
In [3] a time range calculating algorithm is providedHere we will introduce some related definition and specialhandling for our purpose
The following is the syntax definition for time range
41 Time Range
Definition 10 (time range syntax) The syntax of ldquotime rangerdquocan be described as follows
119888119910119888119897119890 119889119890119897119886119910 119888119900119899119904119905 119903119886119899119892119890 119890119909119901119903119890119904119904119894119900119899 =
119888119900119899119904119905119886119899119905 119890119909119901119903119890119904119904119894119900119899 119888119900119899119904119905119886119899119905 119890119909119901119903119890119904119904119894119900119899
| 119888119900119899119904119905119886119899119905 119890119909119901119903119890119904119904119894119900119899 $
Note that 119888119900119899119904119905119886119899119905 119890119909119901119903119890119904119904119894119900119899 is computed at compiletime and must result in an integer value and can only be 0or greater
In this paper we only focus on constant time range caseThus its form can be simplified as
(1) 119886[119898 119899]119887 (119898 119899 isin N and 119899 ge 119898 ge 0)
(2) 1198781[119898 119899]119878
2(119898 119899 isin N and 119899 ge 119898 ge 0)
Here 119886 119887 are signals and 1198781 1198782are sequences
Assume the starting time is cycle 119905 then we have thesequence (1) will start (119899 minus 119898 + 1) sequences of evaluationwhich are
119886 119898119887
119886 (119898 + 1)119887
119886(119899 minus 119898 + 1)119887 respectively
Their corresponding algebraic forms are
⟦119886119898119887⟧[119905]
= ⟦119886119905and 119887119905+1
⟧
⟦119886(119898 + 1)119887⟧[119905]
= ⟦119886119905and 119887119905+2
⟧
⟦119886(119899 minus 119898 + 1)119887⟧[119905]
= ⟦119886119905and 119887119905+119899minus119898+1
⟧
Thenwe have the equivalent form of above representationset as
⟦(119886119905and 119887119905+119898
) or sdot sdot sdot or (119886119905and 119887119905+119899
)⟧ (9)
42 Sequential Depth Calculation The time range of asequential is a time interval during which an operation or aterminal of a sequence has to be considered and is denoted bya closed bounded set of positive integers
119879 = [119897 sdot sdot sdot ℎ] = 119909 | 119897 le 119909 le ℎ (here 119909 119897 ℎ isin N) (10)
Furthermore the maximum of two intervals 1198791and 119879
2is
defined by max(1198791 1198792) = [max(119897
1 1198972) sdot sdot sdotmax(ℎ
1 ℎ2)]
In the samemanner the sum of two time ranges of1198791and
1198792is defined as
1198791
+ 1198792
= [(1198971
+ 1198972) sdot sdot sdot (ℎ
1+ ℎ2)] (11)
Definition 11 (maximum sequential depth) The maximumsequential depth of a SVA expression 119865 or a sequence writtenas 119889119890119901(119865) is defined recursively
(i) 119889119890119901(119886) = [1 sdot sdot sdot 1] if 119886 is a signal
(ii) 119889119890119901(not119886) = [1 sdot sdot sdot 1] if 119886 is a signal
(iii) 119889119890119901(119886119887) = 119889119890119901(119886) + 119889119890119901(119887) if 1198651 1198652are sequences
of SVA
(iv) 119889119890119901(1198651[119898 119899]119865
2) = 119889119890119901(119865
1) + 119889119890119901(119865
2) + [119898 sdot sdot sdot 119899]
if 1198651 1198652are sequences of SVA
(v) 119889119890119901(1198651and 119865
2) = max(119889119890119901(119865
1) 119889119890119901(119865
2)) if119865
11198652are
sequences of SVA
(vi) 119889119890119901(1198651or 1198652) = max(119889119890119901(119865
1) 119889119890119901(119865
2)) if 119865
1 1198652are
sequences of SVA
(vii) 119889119890119901(1198651intersect 119865
2) = 119889119890119901(119865
1) + 119889119890119901(119865
2) minus 1 if 119865
1
1198652are sequences of SVA
(viii) 119889119890119901(119865[119899]) = 119899 lowast 119889119890119901(119865) if 119865 is a sequence of SVA
Journal of Applied Mathematics 7
[23]
e And [46]
[12] [23]
a b c d
[35] [35] [46][46]
[00]
Figure 2 Sequence depth parsing tree
For example the following sequence is used to illustratehow to calculate the sequence depth
sequence
119890 [2 sdot sdot sdot 3] ((119886[1sdot sdot sdot 2]119887) and (119888 [1 sdot sdot sdot 2] 119889))
endsequence
Figure 2 shows the binary parsing tree for calculatingsequence depth of this sequence The box denotes operatorand cycle denotes signal node in the syntax tree
Firstly consider the top layer of the parsing tree andthe sequence [2 sdot sdot sdot 3] Here because the first operand 119890
is a terminal of the sequence thus this operand becomesrelevant at time step 0 only (119879
1st = [0 sdot sdot sdot 0]) Since the intervalhas to be considered the second operand (the subtree ofldquoandrdquo)matches 2 or 3 time steps laterTherefore calculating isrecursively performed with 119879 = [0 sdot sdot sdot 0] + [2 sdot sdot sdot 3] = [2 sdot sdot sdot 3]
for the second operandSimilarly we can have the sequence depth of the whole
sequence and all its subsequences as denoted in the figure
5 SVA to Polynomial Set Translation
As mentioned previously SystemVerilog assertions are anintegral component of SystemVerilog and provide two kindsof assertions immediate assertions and concurrent asser-tions
In this section we only discuss concurrent assertions andtheir temporal layer representation model
Concurrent assertions express functional design intentand can be used to express assumed input behavior expectedoutput behavior and forbidden behavior That is assertionsdefine properties that the design must meet Many prop-erties can be expressed strictly from variables available inthe design while properties are often constructed out ofsequential behaviors
Thus we will firstly discuss the basic algebraizationprocess for the sequential behavior model
51 Algebraization Process Theproperties written in SVAwillbe unrolled and checked against the design for bounded timesteps in our method Note that only a constrained subset ofSVA can be supported by our method (unspecified upperbound time range and first-match operator are excluded)
Firstly we translate the properties described by theconstrained subset of SVA into flat sequences according tothe semantics of each supported operator
Asmentioned in [16] the total set of SVA is divided into 4subgroups namely simple sequence expression (SSE) inter-val sequence expression (ISE) complex sequence expression(CSE) and unbounded sequence expression (USE) Here inour method these groups can only be partly supported
Therefore we define the following sequence expressionsby adding further conditions
(i) Constrained simple sequence expression (CSSE) isformed by Boolean expression repeat operator andcycle delay operator
(ii) Constrained interval sequence expression (CISE) isa super set of CSSE formed by extra time rangeoperators
(iii) Constrained complex sequence expression is a superset of CSSE and CISE containing operators or andintersection
Secondly the unrolled flat sequences will be added totemporal constraints to form proportional formulas withlogical connectives (or and and not)
Finally the resulted proportional formulas will be trans-lated into equivalent polynomial set
Then the verification problem is reduced to proving zeroset inclusion relationship which can be resolved by Groebnerbases approaches
52 Boolean LayerModeling TheBoolean layer of SVA formsan underlying basis for the whole assertion architecturewhich consists of Boolean expressions that hold or do nothold at a given cycle
In this paper we distinguish between signal logic valuesand truth logic values That is for a truth logic statementabout a given property its truth can be evaluated to 119905119903119906119890 or119891119886119897119904119890 But for a signal when primary inputs are symbolicvalues its signal logic value may not be evaluated as ℎ119894119892ℎ or119897119900119908
Therefore we have the following definition for signallogic
Definition 12 (signal logic) In digital circuit systems signallogic (SL for short) is defined as
(i) if a signal119909 is active-high (119867 for short) then its signalvalue is defined as 1
(ii) if a signal 119909 is active-low (119871 for short) then its signalvalue is defined as 0
8 Journal of Applied Mathematics
Definition 13 (symbolic constant) A symbolic constant is arigid Boolean variable that forever holds the same BooleanvalueThe notion of symbolic constant was firstly introducedin STE [17] for two purposes
(1) to encode an arbitrary Boolean constraints among aset of circuit nodes in a parametric form
(2) to encode all possible scalar values for a set of nodes
Assume 119867 denotes a symbolic constant for signal logicand 119867 denotes its negative form if 119867 denotes ℎ119894119892ℎ then 119867
will be 119897119900119908Consider (119903119890119902==119867) and (119886119888119896==119867) as an example
According to our definitions 119903119890119902 and 119886119888119896 are signals belong-ing to signal logic while both (119903119890119902==119867) and (119886119888119896==119867) are oftruth logic
For example assertion (119886[15 0] == 119887[15 0]) is also avalid Boolean expression stating that the 16-bit vectors 119886[15
0] and 119887[15 0] are equalIn SVA the following are valid Boolean expressions
(i) 119886119903119903119886119910119860 == 119886119903119903119886119910119861
(ii) 119886119903119903119886119910119860 = 119886119903119903119886119910119861
(iii) 119886119903119903119886119910119860[119894] gt= 119886119903119903119886119910 119861[119895]
(iv) 119886119903119903119886119910119861[119894][119895+ 2] == 119886119903119903119886119910119860[119896][119898minus 2]
(v) (119886119903119903119886119910119860[119894]amp(119886119903119903119886119910119861[119895])) == 0
Since the state of a signal variable can be viewed as a zeroof a set of polynomials We have the following
(1) For any signal 119909 holds at a given time step 119894 thus thestate of 119909 == 1 (119909 is active-high at cycle 119894) can berepresented by polynomial 119909
[119894]minus 1
(2) Alternatively the state of 119909 == 0 (119909 is active-low atcycle 119894) can be represented by polynomial 119909
[119894]
(3) Symbolically the state of 119909 == 119867 (119909 is active-high 119867
at the 119894th cycle) can be modeled as 119909[119894]
minus 119867
53 Sequence Operator Modeling Temporal assertions definenot only the values of signals but also the relationshipbetween signals over time The sequences are the buildingblocks of temporal assertions and can express a set of linearbehavior lasting for one or more cycles These sequences areusually used to specify and verify interface and bus protocols
A sequence is a regular expression over the Booleanexpressions that concisely specifies a set of linear sequencesThe Boolean expressions must be true at those specific clockticks for the sequence to be true over time
SystemVerilog provides several sequence compositionoperators to combine individual sequences in a variety ofways that enhance code writing and readability which canconstruct sequence expressions from Boolean expressions
In this paper throughout operator [1 $] operator andthe first match operator are not supported by our method
SystemVerilog defines a number of operations that canbe performed on sequences The sequence compositionoperators in SVA are listed as follows
Definition 14 (sequence operator)
119877 = 119887ldquoBoolean expressionrdquo form
| (1 V = 119890) ldquolocal variable samplingrdquo form| (119877) ldquoparenthesisrdquo form| (11987711 119877
2) ldquoconcatenationrdquo form
| (11987710 119877
2) ldquofusionrdquo form
| (1198771or 1198772) ldquoorrdquo form
| (1198771intersect 119877
2) ldquointersectrdquo form
| first match (119877) ldquofirst matchrdquo form| 119877[lowast0] ldquonull repetitionrdquo form| 119877[lowast1 $] ldquounbounded repetitionrdquo form| [lowast] [=] [minus gt] ldquorepetitionrdquo repeater| throughoutspecifying a Boolean expression musthold throughout a sequence| withinspecifying conditions within a sequence
The resulted sequences constructed by operators are thenused in properties for use in assertions and covers
531 Cycle Delay Operator In SystemVerilog the con-struct is referred to as a cycle delay operator
ldquo1rdquo and ldquo0rdquo are concatenation operators the formeris the classical regular expression concatenation the latter isa variant with one-letter overlapping
A 119899 followed by a number 119899 or range specifies the 119899
cycles delay from the current clock cycle to the beginning ofthe sequence that follows
(1) Fixed-length Casesequence fixs
119886119899119887
endsequencerArr ⟦119891119894119909119904⟧ = ⟦119886⟧
119905 ⟦119887⟧119905+119899
(2) Time-range Casesequence 119905119898119904
119886[119898 sdot sdot sdot 119899]119887
endsequencerArr ⟦119905119898119904⟧ = ⟦119886⟧
[119905] ⟦119887⟧119898
[119905] or sdot sdot sdot or ⟦119886⟧
[119905] ⟦119887⟧119899
[119905]
532 Intersect Operator The two operands of intersectoperator are sequences The requirements for match of theintersect operation are as follows
(i) Both operands must match(ii) The lengths of the two matches of the operand
sequences must be the same
Journal of Applied Mathematics 9
1198771intersect 119877
2
1198771starts at the same time as 119877
2 the intersection will
match if 1198771 starting at the same time as 119877
2 matches at the
same time as 1198772matches
Therefore we have
⟦1198771intersect 119877
2⟧ = ⟦119877
1⟧119889119890119901(119877
1)
[119905]and ⟦1198772⟧119889119890119901(119877
2)
[119905] (12)
The sequence length matching intersect operator con-structs a sequence like the and nonlength matching operatorexcept that both sequences must be completed in same cycle
533 and Operator 1198771and 119877
2
This operator states that 1198771starts at the same time as 119877
2
and the sequence expression matches with the later of 1198771and
1198772matching This binary operator and is used when both
operands are expected to match but the end times of theoperand sequences can be different
That is 1198771and 119877
2denotes both 119877
1and 119877
2holds for the
same number cycles Then the matches of 1198771and 119877
2must
satisfy the following
(i) The start point of the match of 1198771must be no earlier
than the start point of the match of 1198772
(ii) The end point of thematch of1198771must be no later than
the end point of the match of 1198772
The sequence nonlength matching and operator con-structs a sequence in which two sequences both hold at thecurrent cycle regardless of whether they are completed in thesame cycle or in different cycles
⟦1198771and 119877
2⟧ 997904rArr
ℎ1
⋁
119894=1198971
ℎ2
⋁
119895=1198972
(⟦1198771⟧119894
[119905] and ⟦119877
2⟧119895
[119905]) (13)
Here 119897119894= 119889119890119901(119877
119894) sdot 119897 ℎ
119894= 119889119890119901(119877
119894) sdot ℎ and 0 lt 119894 le 2
534 or Operator 1198771or 1198772
The sequence or operator constructs a sequence in whichone of two alternative sequences hold at the current cycleThus the sequence (1198861119887) or (1198881119889) states that eithersequence 119886 119887 or sequence 119888 119889 would satisfy the assertion
⟦1198771or 1198772⟧ 997904rArr
ℎ1
⋁
119894=1198971
ℎ2
⋁
119895=1198972
(⟦1198771⟧119894
[119905] or ⟦119877
2⟧119895
[119905]) (14)
Here 119897119894= 119889119890119901(119877
119894) sdot 119897 ℎ
119894= 119889119890119901(119877
119894) sdot ℎ and 0 lt 119894 le 2
535 Local Variables SystemVerilog provides a feature bywhich variables can be used in assertions The user candeclare variables local to a property This feature is highlyuseful in pipelined designs where the consequent occur-rence might be many cycles later than their correspondingantecedents
Local variables are optional and local to properties Theycan be initialized assigned (and reassigned) a value operatedon and compared to other expressions
The syntax of a sequence declaration with a local variableis shown below
119904119890119902119906119890119899119888119890 119889119890119888119897119886119903119886119905119894119900119899 =
sequence 119904119890119902119906119890119899119888119890 119894119889119890119899119905119894119891119894119890119903[([119905119891 119901119900119903119905 119897119894119904119905])]
119886119904119904119890119903119905119894119900119899 V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899
119904119890119902119906119890119899119888119890 119890119909119901119903
endsequence [ 119904119890119902119906119890119899119888119890 119894119889119890119899119905119894119891119894119890119903]
The property declaration syntax with a local variable canbe illustrated as follows
119901119903119900119901119890119903119905119910 119889119890119888119897119886119903119886119905119894119900119899 =
property 119901119903119900119901119890119903119905119910 119894119889119890119899119905119894119891119894119890119903[([119905119891 119901119900119903119905 119897119894119904119905])]
119886119904119904119890119903119905119894119900119899V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899
119901119903119900119901119890119903119905119910 119904119901119890119888
endproperty [ 119901119903119900119901119890119903119905119910 119894119889119890119899119905119894119891119894119890119903]
The variable identifier declaration syntax of a local vari-able can be illustrated as follows
119886119904119904119890119903119905119894119900119899 V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899 =
V119886119903 119889119886119905119886 119905119910119901119890 119897119894119904119905 119900119891 V119886119903119894119886119887119897119890 119894119889119890119899119905119894119891119894119890119903119904
The dynamic creation of a variable and its assignment isachieved by using the local variable declaration in a sequenceor property declaration and making an assignment in thesequence
Thus local variables of a sequence (or property) may beset to a value which can be computed from a parameter orother objects (eg arguments constants and objects visibleby the sequence (or property))
For example a property of a pipeline with a fixed latencycan be specified below
property 119897119886119905119890119899119888119910119894119899119905 119909(V119886119897119894119889 119894119899 119909 = 119901 119894119899)|minus gt 3(119901 119900119906119905 == (119909 + 1))
endproperty
This property e is evaluated as followsWhen V119886119897119894119889 119894119899 is true 119909 is assigned the value of 119901 119894119899 If 3
cycles later 119901 119900119906119905 is equal to 119909 + 1 then property 119897119886119905119890119899119888119910 istrue Otherwise the property is false When V119886119897119894119889 119894119899 is falseproperty 119897119886119905119890119899119888119910 is evaluated as true
For the algebraization of SVA properties with localvariables in our method these local variables will be takenas common signal variables (symbolic constant) without anysequential information
Thus we have the polynomial set representation forproperty 119897119886119905119890119899119888119910
⟦119897119886119905119890119899119888119910⟧[119905]
=
(V119886119897119894119889 119894119899[119905]
minus 1)(119909 minus 119901 119894119899
[119905])
(119901 119900119906119905[119905+3]
minus (119909 + 1))
10 Journal of Applied Mathematics
536 Repetition Operators SystemVerilog allows the userto specify repetitions when defining sequences of BooleanexpressionsThe repetition counts can be specified as either arange of constants or a single constant expression
Nonconsecutive repetition specifies finitely many itera-tive matches of the operand Boolean expression with a delayof one or more clock ticks from one match of the operandto the next successive match and no match of the operandstrictly in between The overall repetition sequence matchesat or after the last iterative match of the operand but beforeany later match of the operand
The syntax of repetition operator can be illustrated asfollows
119899119900119899 119888119900119899119904119890119888119906119905119894V119890 119903119890119901 = [= 119888119900119899119904119905 119900119903 119903119886119899119892119890 119890119909119901119903] (15)
The number of iterations of a repetition can be specifiedby exact count
For example a sequence with repetition can be defined as
119886 |=gt 119887 [= 3] 1 119888 (16)
The sequence expects that 2 clock cycles after the validstart signal ldquo119887rdquo will be repeated three times
We have ⟦119877[= 119899]⟧ = ⋁119899
119894=0(⟦119877⟧
119894lowast119889119890119901(119877)
[119905])
54 Property OperatorModeling In general property expres-sions in SVA are built using sequences other sublevel proper-ties and simple Boolean expressions via property operators
In SVA a property that is a sequence is evaluated as trueif and only if there is a nonempty match of the sequenceA sequence that admits an empty match is not allowed as aproperty
The success of assertion-based verification methodologyrelies heavily on the quality of properties describing theintended behavior of the design Since it is a fairly newmethodology verification and design engineers are oftenfaced with a question of ldquohow to identify good propertiesrdquo fora design It may be tempting to write properties that closelyresemble the implementation
Properties we discussed in this paper can be classified as
(1) Design Centric Design centric properties represent asser-tions added by the RTL designers to characterize whitebox design attributes These properties are typically towardsFSMs localmemories clock synchronization logic and otherhardware-related designs The design should conform to theexpectations of these properties
(2) Assumption Centric Assumption centric properties rep-resent assumptions about the design environment They areused in informal verification to specify assumptions about theinputs The assume directive can inform a verification tool toassume such a condition during the analysis
(3) RequirementVerification Centric Many requirementproperties are best described using a ldquocause-to-effectrdquo stylethat specifies what should happen under a given conditionThis type of properties can be specified by implication
operator For example a handshake can be described as ldquoifrequest is asserted then acknowledge should be assertedwithin 5 cyclesrdquo
In general property expressions are built using sequen-ces other sublevel properties and simple Boolean expres-sions
These individual elements are combined using propertyoperators implication NOT ANDOR and so forth
The property composition operators are listed as follows
Definition 15 (property operator)
119875 = 119877lowast ldquosequencerdquo form lowast
|(119875)lowast ldquoparenthesisrdquo form lowast
|not 119875lowast ldquonegationrdquo form lowast
|(1198751or 1198752)lowast ldquoorrdquo form lowast
|(1198751and 119875
2)lowast ldquoandrdquo form lowast
|(119877|minus gt 119875) |(119877| =gt 119875)lowast ldquoimplicationrdquo form lowast
|disable iff(119887) 119875lowast ldquoresetrdquo form lowast
Note that disable if and only if will not be supportedin this paper Property operators construct properties out ofsequence expressions
541 Implication
Operators The SystemVerilog implication operator supportssequence implication and provides two forms of implicationoverlapped using operator |minus gt and nonoverlapped usingoperator | =gt respectively
The syntax of implication is described as follows
119904119890119902119906119890119899119888119890 119890119909119901119903 | minus gt 119901119903119900119901119890119903119905119910 119890119909119901119903
119904119890119902119906119890119899119888119890 119890119909119901119903 | =gt 119901119903119900119901119890119903119905119910 119890119909119901119903
(17)
The implication operator takes a sequence as its anteced-ent and a property as its consequent Every time the sequencematches the property must hold Note that both the runningof the sequence and the property may span multiple clockcycles and that the sequence may match multiple times
For each successful match of the antecedent sequencethe consequence sequence (right-hand operand) is sepa-rately evaluated beginning at the end point of the matchedantecedent sequence All matches of antecedent sequencerequire a match of the consequence sequence
Moreover if the antecedent sequence (left hand operand)does not succeed implication succeeds vacuously by return-ing true For many protocol related assertions it is importantto specify the sequence of events (the antecedent or cause)that must occur before checking for another sequence (theconsequent or effect) This is because if the antecedent doesnot occur then there is no need to perform any furtherverification In hardware this occurs because the antecedentreflects an expression that when active triggers something tohappen
Journal of Applied Mathematics 11
A property with a consequent sequence behaves as if theconsequent has an implication first-match applied to it
542 NOT
Operator The operator NOT 119901119903119900119901119890119903119905119910 119890119909119901119903 states that theevaluation of the property returns the opposite of the eval-uation of the underlying 119901119903119900119901119890119903119905119910 119890119909119901119903
543 AND
Operator The formula ldquo1198751AND 119875
2rdquo states that the property
is evaluated as true if and only if both 1198751and 1198752are evaluatd
as true
544 OR
Operator The operator ldquo1198751OR 119875
2rdquo states that the property is
evaluated as true if and only if at least one of 1198751and 119875
2is
evaluated as true
545 IF-ELSE
Operator This operator has two valid forms which are listedas follows
(1) IF (119889119894119904119905) 1198751
A property of this form is evaluated as true if and only ifeither 119889119894119904119905 is evaluated as false or 119875
1is evaluated as true
(2) IF (119889119894119904119905) 1198751ELSE 119875
2
A property of this form is evaluated as true if and only ifeither 119889119894119904119905 is evaluated as true and 119875
1is evaluated as true or
119889119894119904119905 is evaluated as false and 1198752is evaluated as true
From previous discussion we have the following propo-sition for property reasoning
Proposition 16 Assume that1198751198751 and119875
2are valid properties
in SVA the following rules are used to construct the correspond-ing verification process Here 119860119904119904119862ℎ119896(119872119900119889119890119897 119875119903119900119901119890119903119905119910)
ture false is a self-defined checking function that can deter-mine whether a given ldquo119875119903119900119901119890119903119905119910rdquo holds or not with respect toa circuit model ldquo119872119900119889119890119897rdquo
(1) 1198751OR 119875
2rArr 119860119904119904119862ℎ119896(119872 ⟦119875
1⟧) or 119860119904119904119862ℎ119896(119872 ⟦119875
2⟧)
(2) 1198751AND 119875
2rArr 119860119904119904119862ℎ119896(119872 ⟦119875
1⟧)and119860119904119904119862ℎ119896(119872 ⟦119875
2⟧)
(3) NOT 119875 rArr not119860119904119904119862ℎ119896(119872 ⟦119875⟧)
(4) IF (119889119894119904119905) 1198751
rArr not119860119904119904119862ℎ119896(119872 119889119894119904119905) or 119860119904119904119862ℎ119896(119872
⟦1198751⟧)
(5) IF (119889119894119904119905) 1198751ELSE 119875
2rArr (119860119904119904119862ℎ119896(119872 119889119894119904119905)and119860119904119904119862ℎ119896
(119872 ⟦1198751⟧))or(not119860119904119904119862ℎ119896(119872 119889119894119904119905)and119860119904119904119862ℎ119896(119872 ⟦119875
2⟧))
(6) 119878 | minus gt 119875 rArr if (not119860119904119904119862ℎ119896(119872 ⟦119878⟧))119903119890119905119906119903119899 true else(119860119904119904119862ℎ119896(119872 ⟦119878⟧
[119905]) and 119860119904119904119862ℎ119896(119872 ⟦119875⟧
dep(119875)[119905+dep(119878)minus1]))
(7) 119878 |=gt 119875 rArr if(not119860119904119904119862ℎ119896(119872 ⟦119878⟧))119903119890119905119906119903119899 true else(119860119904119904119862ℎ119896(119872 ⟦119878⟧
[119905]) and 119860119904119904119862ℎ119896(119872 ⟦119875⟧
dep(119875)[119905+dep(119878)]))
6 Verification Algorithm
In this section we will describe how an assertion is checkedusing Groebner bases approach Firstly we will discussa practical algorithm using Groebner bases for assertionchecking
61 Basic Principle As just mentioned our checking methodis based on algebraic geometry which is the study of thegeometric objects arising as the common zeros of collectionsof polynomials Our aim is to find polynomials whosezeros correspond to pairs of states in which the appropriateassignments are made
We can regard any set of points in 119896119899 as the variety of some
ideal We can then use the ideal or any basis for the ideal as away of encoding the set of points
From Groebner Bases theory [10 12] every nonzero ideal119868 sub 119896[119909
1 119909
119899] has a Groebner basis and the following
proposition evidently holds
Proposition 17 Let 119862 and 119878 be polynomial sets of 119896[1199091
119909119899] and ⟨119866119878⟩ a Groebner basis for ⟨119878⟩ and then we have that
⟨119862⟩ sube ⟨119878⟩ hArr forall119888 isin 119862 119903119890119898119889(119888 119866119878) == 0 holds
Theorem 18 Suppose that 119860(⟦119860⟧ = 1198861 1198862 119886
119903) is a
property to be verified 119879 is the initial preconditions of 119862 and119872 is a system model to be checked Let ⟦119879⟧ and ⟦119872⟧ bethe polynomial set representations for 119879 and 119872 respectivelyconstructed by previous mentioned rules Let 119867 = ⟦119879 cup 119872⟧ =
ℎ1 ℎ2 ℎ
119904 sube 119896[119909
1 119909
119899] 119868 = ⟨119867⟩ (where ⟨119867⟩ denotes
the ideal generated by 119867) and 119866119861119867
= 119892119887119886119904119894119904(119867 ≺) then wehave
( (1 notin 119866119861119867
) and 119903119890119898119889 (119862 119866119861119867
) == 0)
lArrrArr ((1 notin 119866119861119867
) and119903
⋀
119894=0
(119903119890119898119889 (119892119894 119866119861119867
) == 0))
lArrrArr (119872 |= 119860) holds
(18)
Proof (1) The polynomial set ⟦119872⟧ of system model 119872
describes the data-flow relationship that inputs outputs andfunctional transformation should meet The initial condition⟦119872⟧ can be seen as extra constraint applied by users Thereshould not exist contradiction between them that is thepolynomial equations of ⟦119879 cup 119872⟧ must have a commonsolution
ByHilbertrsquos Nullstellensatz theory if we have polynomials⟦119879 cup 119872⟧ = 119891
1 119891
119904 isin 119896[119909
1 119909
119899] we compute a
reducedGroebner basis of the ideal they generatewith respectto any ordering If this basis is 1 the polynomials have nocommon zero in 119896
119899 if the basis is not 1 they must have acommon zero
Therefore (1 notin 119866119861119867
) should hold(2) Evidently by previous proposition it is easy to have
that 119903119890119898119889(119862 119866119861119867
) == 0 should holdThus we have that this theorem holds
12 Journal of Applied Mathematics
Input(1) circuit model 119872(2) initial condition 119879(3) an assertion 119860Output Boolean 119905119903119906119890 or 119891119886119897119904119890BEGIN
lowastStep 1 initialize input signals via testbench lowast(00) 119868119899119894119905119878119894119892119899119886119897119904()(01) M = 0PS
119860= 0 119867 = 0PS
119879= 0
lowastStep 2 build polynomial model lowast(02) M = ⟦119872⟧ = 119861119906119894119897119889PS(119872)
lowastStep 3 build polynomial set for initial condition 119879lowast
(03) 119875119878119879
= ⟦119879⟧ = 119861119906119894119897119889PS(119879)lowastStep 4 build polynomial set for consequentA lowast
(04) 119875119878119860
= ⟦119860⟧ = 119861119906119894119897119889PS(119860)lowastStep 5 calculate the PS
119879cup Mlowast
(05) 119867 = PST cup MlowastStep 6 calculate the Groebner base of ⟨119867⟩
lowast(06) GB
119867= 119892basis(119867 ≺)
lowastStep 7 determine the basis is 1 or not lowast(07) if(1 isin GB
119867)
(08) return 119891119886119897119904119890 lowastStep 8 check every polynomial lowastlowast119860 = 119886
1 1198862 119886
|119860|lowast
(09) 119894 = 1(10) 119908ℎ119894119897119890(119894 le |119860|)
(11) if(119903119890119898119889(⟦119886119894⟧ GB
119867) = 0)
(12) return 119891119886119897119904119890 (13) i++(14) lowast endwhile lowast(15) return 119905119903119906119890 lowast Assertion does hold lowastEND
Algorithm 1 ldquo119860119904119904119862ℎ119896119875119900119897119910119861119906119894119897119889(119872 119879 119860)rdquo
62 Checking Algorithm For simplicity in this section weonly provide the key decision algorithm
Firstly the original system model is transformed into anormal polynomial representation and the assertion as wellThen calculate the hypothesis set and its Groebner basisusing the Buchberger algorithm [18] and their eliminationideals Finally examine the inclusion relationship betweenelimination ideals to determine whether the assertion to bechecked holds or not
From above discussion we have the following processsteps and detailed algorithm description Algorithm 1
For convenience we can derive another version checkingprocedure named ldquo119860119904119904119862ℎ119896(⟦119872⟧ ⟦119860⟧)rdquo which can acceptpolynomial representations as inputs without explicit poly-nomial construction process
Further by applying Theorem 18 and the checking algo-rithm ldquo119860119904119904119862ℎ119896(⟦119872⟧ ⟦119860⟧)rdquo we can easily verify all sup-ported properties written in SVA
7 An Example
In this section we will study a classical circuit to show howSVA properties are verified by polynomial representation andalgebra computation method
Consider the Johnson counter circuit in Figure 3 Johnsoncounters can provide individual digit outputs rather than a
3 2 1
m1m2m3
m4clk
And
Andy
Figure 3 Johnson counter
Table 3 Table of Johnson counter output
Counter (clock) V3(1198983) V2(1198982) V1(1198981)
0 0 0 01 1 0 02 1 1 03 0 1 14 0 0 15 0 0 0
binary or BCD output as shown in Table 3 Notice that eachlegal count may be defined by the location of the last flip-flopto change states and which way it changed state
71 Algebraization of Circuit and Assertion Johnson counterprovides individual digit outputs as shown in Table 3
The polynomial set for Johnson counter circuit in Figure 3can be constructed as follows
119878119890119905adder = 1198911 = 11989831015840minus 1198984 1198912 = 1198982
1015840minus 1198983
1198913 = 11989811015840minus 1198982
1198914 = 1198984 minus (1 minus 1198981) lowast (1 minus 1198982)
1198915 = 119910 minus 1198981 lowast (1 minus 1198982)
(19)
where 11989811015840 denotes the next state of 1198981 For the 119894th cycle we
use 1199091[119894]to denote variable name in current cycle
Similarly another Johnson counter circuit with an erroris shown in Figure 4 the corresponding polynomial set canbe described by
119878119890119905adder = 1198911 1198912 1198913
11989141015840
= 1198984 + 1198981 + 1198982
minus (1 minus 1198981) lowast (1 minus 1198982) 1198915
(20)
Journal of Applied Mathematics 13
3 2 1
m1m2m3
m4clk
Or
Andy
Figure 4 Johnson counter with error
To illustrate the problem clearly we define polynomial setrepresentation 119875119872[119894] for 119894th cycle as follows
119875119872 [119894] = 1198983[119894+1]
minus 1198984[119894]
1198982[119894+1]
minus 1198983[119894]
1198981[119894+1]
minus 1198982[119894]
1198984[119894]
minus (1 minus 1198982[119894]
) lowast (1 minus 1198981[119894]
)
119910 minus 1198981[119894]
lowast (1 minus 1198982[119894]
)
(21)
Support that the circuit will run 6 cycles for verificationtherefore we have 119875119872 = ⋃
5
119894=0119875119872[119894]
For any Boolean variable 119886 we will add an extra con-straint 119886lowast119886minus119886Thus we define the corresponding constraintsset as follows 119862119873119878[119894] = 119888
[119894]lowast 119888[119894]
minus 119888[119894]
119888 isin 1198981 1198982 1198983 1198984
119910In the same manner we have 119862119873119878 = ⋃
5
119894=0119862119873119878[119894]
The sequential property for this counter circuit can bespecified by the following SystemVerilog assertions
property 119869119862119875119860
(1198983 = 0 ampamp 1198982 = 0 ampamp 1198981 = 0)
| =gt 1(1198983 == 1 ampamp 1198982 == 0 ampamp 1198981 == 0)
| =gt 2(1198983 == 1 ampamp 1198982 == 1 ampamp 1198981 == 0)
| =gt 3(1198983 == 0 ampamp 1198982 == 1 ampamp 1198981 ==
1)
endpropertyproperty 1198691198621198751
(119888119897119896)(1198981 == 0)| =gt 2 (1198981 == 0)
endpropertyproperty 1198691198621198752
(119888119897119896)(1198982 == 0)| =gt 2 (1198982 == 1)
endpropertyproperty 1198691198621198753
(119888119897119896)(1198983 == 0)| =gt 2 (1198983 == 1)
endproperty
Table 4 Polynomial forms
Name Precondition Expected consequent
JCPA
1198981[0]
1198982[0]
1198983[0]
cycle 1 1198981[1]
minus 1 1198982[1]
1198983[1]
cycle 2 1198981[2]
minus 1 1198982[2]
minus 1 1198983[2]
cycle 3 1198981[3]
1198982[3]
minus 1 1198983[3]
minus 1
JCP1 1198981[0]
1198981[2]
JCP2 1198982[0]
1198982[2]
minus 1
JCP3 1198983[0]
1198983[2]
minus 1
We will afterwards demonstrate the verification processstep by step
The circuit model to be verified is as shown below
119878119872 = 119875119872 cup 119862119873119878 (22)
The property of this counter can be specified as thefollowing SVA assertion
assert property (1198691198621198751)
assert property (1198691198621198752)
The Algebraization form of the above properties can bemodeled as in Table 4
72 Experiment Using Maple We run this example by usingMaple 13 Before running we manually translated all modelsinto polynomials The experiment is performed on a PC witha 240GHz CPU (intel i5M450) and 1024MB of memoryIt took about 004 seconds and 081MB of memory whenapplying Groebner method
[gtwith(Groebner)[gt 119862119872 = sdot sdot sdot
lowastCircuit Modellowast[gt 119879119863119864119866 = 119905119889119890119892(
1198981[0] 1198982[0] 1198983[0] 1198984[0]
1198981[1] 1198982[1] 1198983[1] 1198984[1]
1198981[2] 1198982[2] 1198983[2] 1198984[2]
1198981[3] 1198982[3] 1198983[3] 1198984[3]
1198981[4] 1198982[4] 1198983[4] 1198984[4]
119910[0] 119910[1] 119910[2] 119910[3]
)
[gt 119862119866119861 = 119861119886119904119894119904(119862119872 119879119863119864119866)
Thus we can have the Groebner basis as follows
[gt [1199101[3]
1199101[2]
1199101[1]
1199101[1]
1198983[4]
1198982[4]
1198981[4]
minus 1 1198984[3] 1198983[3] 1198982[3]
minus 1 1198981[3]
minus 11198984[2] 1198983[2]
minus 1 1198982[2]
minus 1 1198981[2] 1198984[1]
minus 11198983[1]
minus 11198982[1] 1198981[1] 1198984[0]
minus 1 1198983[0] 1198982[0] 1198981[0]
]
[gt 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983[1]
minus 1 119862119866119861 119879119863119864119866)
[gt 119903119890119905 = 0
14 Journal of Applied Mathematics
Table 5 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862119866119861
080M 002 S0
Yes1198982[1]
1 notin 119862119866119861 0
1198983[1]
minus 1 1 notin 119862119866119861 0
11198981[2]
1 notin 119862119866119861
081M 003 S0
Yes1198982[2]
minus 1 1 notin 119862119866119861 0
1198983[2]
minus 1 1 notin 119862119866119861 0
21198981[3]
minus 1 1 notin 119862119866119861
081M 004 S0
Yes1198982[3]
minus 1 1 notin 119862119866119861 0
1198983[3]
1 notin 119862119866119861 0
3 1198981[2]
1 notin 119862119866119861 081M 004 S 0 Yes4 1198982
[2] 1 notin 119862119866119861 081M 004 S 0 Yes
5 1198983[2]
1 notin 119862119866119861 081M 004 S 0 Yes
Table 6 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862GB080M 002 S
0
Yes1198982[1]
1 notin 119862GB 0
1198983[1]
minus 1 1 notin 119862GB 0
11198981[2]
1 notin 119862GB081M 003 S
0
Yes1198982[2]
minus 1 1 notin 119862GB 0
1198983[2]
minus 1 1 notin 119862GB 0
21198981[3]
minus 1 1 notin 119862GB081M 014 S
0
NO1198982[3]
minus 1 1 notin 119862GB 0
1198983[3]
1 notin 119862GB minus1
As shown in maple outputs the given circuit has beenmodeled as polynomial set119862119872 (itsGroebner bases is denotedby 119862119866119861) and assertion expected result as 1198983
[1]minus 1 From
the running result we have 1 notin 119862119866119861 and return valueof 119873119900119903119898119886119897119865119900119903119898 is 0 which means 119862119866119861 is divided with noremainder by 1198983
[1]minus 1
Thus from the previously mentioned verification princi-ples it is easy to conclude that the assertion 1198691198621198751 holds underthis circuit model after 3 cycles
More detailed experiment results for verification of cir-cuit shown in Figure 3 are listed in Table 5
Conversely we check these assertions against the circuitshown in Figure 4 in a similar way More detailed experimentresults are demonstrated in Table 6
From above table when checking 119869119862119875119860 assertion theresult 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983
[3] 119862119866119861 119879119863119864119866) = 0 so that
we can conclude the assertion does not holdTherefore theremust exist unexpected errors in the original circuit
This case is a fairly complete illustration of how thechecking algorithm works
8 Conclusion
In this paper we presented a new method for SVA prop-erties checking by using Groebner bases based symbolicalgebraic approaches To guarantee the feasibility we defined
a constrained subset of SVAs which is powerful enough forpractical purposes
We first introduce a notion of symbolic constant withoutany sequential information for handling local variables inSVAs inspired from STE We then proposed a practical alge-braizationmethod for each sequence operator For sequentialcircuits verification we introduce a parameterized polyno-mial set modeling method based on time frame expansion
Our approach is based on polynomial models construc-tion for both circuit models and SVA assertionsThis methodis to eventually translate a simulation based verificationproblem into a pure algebraic zero set determination problemby a series of proposed steps which can be performed on anygeneral symbolic algebraic tool
Thismethod allows users to deal withmore than one stateand many input combinations every cycle This advantagecomes directly from the fact that many vectors are simulatedat once using symbolic value
In summary in this research by suitable restrictions ofSVA assertions we can guarantee the availability of polyno-mial set representation Based on this polynomial set modelsymbolic simulation can be performed to produce symbolictraces and temporal relationship constraints of signal vari-ables as well We then apply symbolic algebra approach tocheck the zeros set relation between their polynomial sets anddetermine whether the temporal assertion holds or not undercurrent running cycle
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
The project is supported by the National Natural ScienceFoundation of China under Grant no 11371003 theNatural Science Foundation of Guangxi under Grantsnos 2011GXNSFA018154 2012GXNSFGA060003 and2013GXNSFAA019342 the Science and TechnologyFoundation of Guangxi under Grant no 10169-1 theScientific Research Project no 201012MS274 from GuangxiEducation Department the Fundamental Research Fundsfor the Central Universities under Grants nos DUT14QY05and HCIC201204 of Guangxi Key Laboratory of HybridComputation and IC Design Analysis Open Fund andthe Baguio scholarship Project of Guangxi The authorswould like to thank their colleagues for participating in theresearch They also appreciate the anonymous reviewers fortheir helpful comments
References
[1] IEEE System Verilog Working Group IEEE Standard forSystemVerilog C Unified Hardware Design Specification andVerification (IEEE Std 1800-2005) IEEE 2005
[2] ldquoIEEE draft standard for system verilogmdashunified hardware de-sign specification and verification languagerdquo IEEE P1800D32011
Journal of Applied Mathematics 15
[3] R Wille G Fey M Messing G Angst L Linhard and RDrechsler ldquoIdentifying a subset of SystemVerilog assertions forefficient bounded model checkingrdquo in Proceedings of the 11thEUROMICRO Conference on Digital System Design Architec-tures Methods and Tools (DSD rsquo08) pp 542ndash549 September2008
[4] L Darringer ldquoApplication of program verification techniques tohardware verificationrdquo in Proceedings of the IEEE-ACM DesignAutomation Conference pp 375ndash381 1979
[5] G S Avrunin ldquoSymbolic model checking using algebraicgeometryrdquo in Proceedings of the 8th International Conference onComputer Aided Verification vol CAV96 pp 26ndash37 SpringerLondon UK 1996
[6] W B Mao and J Z Wu ldquoApplication of Wus method to sym-bolic model checkingrdquo in Proceedings of the 2005 internationalSymposiumon Symbolic andAlgebraic Computation (ISSAC rsquo05)pp 237ndash244 ACM Press Beijing China 2005
[7] J Wu and L Zhao ldquoMulti-valued model checking via groebnerbasis approachrdquo in Proceedings of the 1st Joint IEEEIFIP Sympo-sium on Theoretical Aspects of Software Engineering (TASE rsquo07)pp 35ndash44 IEEE Computer Society Press June 2007
[8] N Zhou J Wu and X Gao ldquoAlgebraic verification method forSEREs properties via Groebner bases approachesrdquo Journal ofAppliedMathematics vol 2013 Article ID 272781 10 pages 2013
[9] X Gao N Zhou J Wu and D Li ldquoWursquos characteristic setmethod for SystemVerilog assertions verificationrdquo Journal ofApplied Mathematics vol 2013 Article ID 740194 14 pages2013
[10] J Little D Cox andD OrsquoShea Ideals Varieties and AlgorithmsSpringer New York NY USA 1992
[11] T Becker andVWeispfenningGrobner Bases AComputationalApproach to Commutative Algebra Springer New York NYUSA 1993
[12] B Buchberger ldquoGroebner bases an algorithmic method inpolynomial ideal theoryrdquo in Multidimensional Systems Theorypp 184ndash232 1985
[13] S B Akers ldquoBinary decision diagramsrdquo IEEE Transactions onComputers C vol 27 no 6 pp 509ndash516 1978
[14] S Hoereth and R Drechsler ldquoFormal verification of word-levelspecificationsrdquo in Proceedings of the Design Automation andTest in Europe Conference and Exhibition pp 52ndash58 MunichGermany 1999
[15] Y M Ryabukhin ldquoBoolean ringrdquo in Encyclopaedia of Mathe-matics Springer Michiel Germany 2001
[16] S Das R Mohanty P Dasgupta and P P Chakrabarti ldquoSynthe-sis of system verilog assertionsrdquo in Proceedings of the Conferenceon Design Automation and Test in Europe Designersrsquo Forum(DATE rsquo06) pp 70ndash75 European Design and AutomationAssociation Leuven Belgium March 2006
[17] C-J Seger and R E Bryant ldquoFormal verification by symbolicevaluation of partially-ordered trajectoriesrdquo Formal Methods inSystem Design vol 6 no 2 pp 147ndash190 1995
[18] D Cox J Little and D OrsquoShea Ideals Varieties and AlgorithmsAn Introduction to Computational Algebraic Geometry andCommutative Algebra Undergraduate Texts in MathematicsSpringer New York 3rd edition 2007
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
6 Journal of Applied Mathematics
36 Indexed Polynomial Set Representation To illustrate thesequential modeling for a given cycle number clearly wedefine an indexed polynomial set representation for the 119894thcycle
Let 119909119894[119897]
(0 le 119894 le 119903) denote the input signals for the 119897thclock119898119894
[119897](0 le 119894 le 119904) the intermediate signals and 119910119894
[119897](0 le
119894 le 119905) the output signals We then have the following timeframe expansion model for the sequential circuit
119865119872 =
119899
⋃
119894=0
119865119872 [119894] (8)
where 119865119872[119894] = C(1199091[119894]
1198981[119894]
1198981[119894]
1199091[119894+1]
1198981[119894+1]
1199101[119894+1]
) denote the 119894th time frame modelTime frame expansion is achieved by connecting the
PPIs (eg 1199091[119894+1]
from 119865119872[119894 + 1]) of the time frame to thecorresponding PPOs (1199091
[119894+1]from 119865119872[119894]) of the previous
time frame
4 Sequence Depth Calculation
In this subsection we will discuss the important feature ofSVA time range and its signal constraint unrolled model
In SVA for each sequence the earliest time step for theevaluation and the latest time step should be determinedfirstlyThe sequence is then unrolled based on above informa-tion Finally the unrolled sequence will be performed usingalgebraization process
In [3] a time range calculating algorithm is providedHere we will introduce some related definition and specialhandling for our purpose
The following is the syntax definition for time range
41 Time Range
Definition 10 (time range syntax) The syntax of ldquotime rangerdquocan be described as follows
119888119910119888119897119890 119889119890119897119886119910 119888119900119899119904119905 119903119886119899119892119890 119890119909119901119903119890119904119904119894119900119899 =
119888119900119899119904119905119886119899119905 119890119909119901119903119890119904119904119894119900119899 119888119900119899119904119905119886119899119905 119890119909119901119903119890119904119904119894119900119899
| 119888119900119899119904119905119886119899119905 119890119909119901119903119890119904119904119894119900119899 $
Note that 119888119900119899119904119905119886119899119905 119890119909119901119903119890119904119904119894119900119899 is computed at compiletime and must result in an integer value and can only be 0or greater
In this paper we only focus on constant time range caseThus its form can be simplified as
(1) 119886[119898 119899]119887 (119898 119899 isin N and 119899 ge 119898 ge 0)
(2) 1198781[119898 119899]119878
2(119898 119899 isin N and 119899 ge 119898 ge 0)
Here 119886 119887 are signals and 1198781 1198782are sequences
Assume the starting time is cycle 119905 then we have thesequence (1) will start (119899 minus 119898 + 1) sequences of evaluationwhich are
119886 119898119887
119886 (119898 + 1)119887
119886(119899 minus 119898 + 1)119887 respectively
Their corresponding algebraic forms are
⟦119886119898119887⟧[119905]
= ⟦119886119905and 119887119905+1
⟧
⟦119886(119898 + 1)119887⟧[119905]
= ⟦119886119905and 119887119905+2
⟧
⟦119886(119899 minus 119898 + 1)119887⟧[119905]
= ⟦119886119905and 119887119905+119899minus119898+1
⟧
Thenwe have the equivalent form of above representationset as
⟦(119886119905and 119887119905+119898
) or sdot sdot sdot or (119886119905and 119887119905+119899
)⟧ (9)
42 Sequential Depth Calculation The time range of asequential is a time interval during which an operation or aterminal of a sequence has to be considered and is denoted bya closed bounded set of positive integers
119879 = [119897 sdot sdot sdot ℎ] = 119909 | 119897 le 119909 le ℎ (here 119909 119897 ℎ isin N) (10)
Furthermore the maximum of two intervals 1198791and 119879
2is
defined by max(1198791 1198792) = [max(119897
1 1198972) sdot sdot sdotmax(ℎ
1 ℎ2)]
In the samemanner the sum of two time ranges of1198791and
1198792is defined as
1198791
+ 1198792
= [(1198971
+ 1198972) sdot sdot sdot (ℎ
1+ ℎ2)] (11)
Definition 11 (maximum sequential depth) The maximumsequential depth of a SVA expression 119865 or a sequence writtenas 119889119890119901(119865) is defined recursively
(i) 119889119890119901(119886) = [1 sdot sdot sdot 1] if 119886 is a signal
(ii) 119889119890119901(not119886) = [1 sdot sdot sdot 1] if 119886 is a signal
(iii) 119889119890119901(119886119887) = 119889119890119901(119886) + 119889119890119901(119887) if 1198651 1198652are sequences
of SVA
(iv) 119889119890119901(1198651[119898 119899]119865
2) = 119889119890119901(119865
1) + 119889119890119901(119865
2) + [119898 sdot sdot sdot 119899]
if 1198651 1198652are sequences of SVA
(v) 119889119890119901(1198651and 119865
2) = max(119889119890119901(119865
1) 119889119890119901(119865
2)) if119865
11198652are
sequences of SVA
(vi) 119889119890119901(1198651or 1198652) = max(119889119890119901(119865
1) 119889119890119901(119865
2)) if 119865
1 1198652are
sequences of SVA
(vii) 119889119890119901(1198651intersect 119865
2) = 119889119890119901(119865
1) + 119889119890119901(119865
2) minus 1 if 119865
1
1198652are sequences of SVA
(viii) 119889119890119901(119865[119899]) = 119899 lowast 119889119890119901(119865) if 119865 is a sequence of SVA
Journal of Applied Mathematics 7
[23]
e And [46]
[12] [23]
a b c d
[35] [35] [46][46]
[00]
Figure 2 Sequence depth parsing tree
For example the following sequence is used to illustratehow to calculate the sequence depth
sequence
119890 [2 sdot sdot sdot 3] ((119886[1sdot sdot sdot 2]119887) and (119888 [1 sdot sdot sdot 2] 119889))
endsequence
Figure 2 shows the binary parsing tree for calculatingsequence depth of this sequence The box denotes operatorand cycle denotes signal node in the syntax tree
Firstly consider the top layer of the parsing tree andthe sequence [2 sdot sdot sdot 3] Here because the first operand 119890
is a terminal of the sequence thus this operand becomesrelevant at time step 0 only (119879
1st = [0 sdot sdot sdot 0]) Since the intervalhas to be considered the second operand (the subtree ofldquoandrdquo)matches 2 or 3 time steps laterTherefore calculating isrecursively performed with 119879 = [0 sdot sdot sdot 0] + [2 sdot sdot sdot 3] = [2 sdot sdot sdot 3]
for the second operandSimilarly we can have the sequence depth of the whole
sequence and all its subsequences as denoted in the figure
5 SVA to Polynomial Set Translation
As mentioned previously SystemVerilog assertions are anintegral component of SystemVerilog and provide two kindsof assertions immediate assertions and concurrent asser-tions
In this section we only discuss concurrent assertions andtheir temporal layer representation model
Concurrent assertions express functional design intentand can be used to express assumed input behavior expectedoutput behavior and forbidden behavior That is assertionsdefine properties that the design must meet Many prop-erties can be expressed strictly from variables available inthe design while properties are often constructed out ofsequential behaviors
Thus we will firstly discuss the basic algebraizationprocess for the sequential behavior model
51 Algebraization Process Theproperties written in SVAwillbe unrolled and checked against the design for bounded timesteps in our method Note that only a constrained subset ofSVA can be supported by our method (unspecified upperbound time range and first-match operator are excluded)
Firstly we translate the properties described by theconstrained subset of SVA into flat sequences according tothe semantics of each supported operator
Asmentioned in [16] the total set of SVA is divided into 4subgroups namely simple sequence expression (SSE) inter-val sequence expression (ISE) complex sequence expression(CSE) and unbounded sequence expression (USE) Here inour method these groups can only be partly supported
Therefore we define the following sequence expressionsby adding further conditions
(i) Constrained simple sequence expression (CSSE) isformed by Boolean expression repeat operator andcycle delay operator
(ii) Constrained interval sequence expression (CISE) isa super set of CSSE formed by extra time rangeoperators
(iii) Constrained complex sequence expression is a superset of CSSE and CISE containing operators or andintersection
Secondly the unrolled flat sequences will be added totemporal constraints to form proportional formulas withlogical connectives (or and and not)
Finally the resulted proportional formulas will be trans-lated into equivalent polynomial set
Then the verification problem is reduced to proving zeroset inclusion relationship which can be resolved by Groebnerbases approaches
52 Boolean LayerModeling TheBoolean layer of SVA formsan underlying basis for the whole assertion architecturewhich consists of Boolean expressions that hold or do nothold at a given cycle
In this paper we distinguish between signal logic valuesand truth logic values That is for a truth logic statementabout a given property its truth can be evaluated to 119905119903119906119890 or119891119886119897119904119890 But for a signal when primary inputs are symbolicvalues its signal logic value may not be evaluated as ℎ119894119892ℎ or119897119900119908
Therefore we have the following definition for signallogic
Definition 12 (signal logic) In digital circuit systems signallogic (SL for short) is defined as
(i) if a signal119909 is active-high (119867 for short) then its signalvalue is defined as 1
(ii) if a signal 119909 is active-low (119871 for short) then its signalvalue is defined as 0
8 Journal of Applied Mathematics
Definition 13 (symbolic constant) A symbolic constant is arigid Boolean variable that forever holds the same BooleanvalueThe notion of symbolic constant was firstly introducedin STE [17] for two purposes
(1) to encode an arbitrary Boolean constraints among aset of circuit nodes in a parametric form
(2) to encode all possible scalar values for a set of nodes
Assume 119867 denotes a symbolic constant for signal logicand 119867 denotes its negative form if 119867 denotes ℎ119894119892ℎ then 119867
will be 119897119900119908Consider (119903119890119902==119867) and (119886119888119896==119867) as an example
According to our definitions 119903119890119902 and 119886119888119896 are signals belong-ing to signal logic while both (119903119890119902==119867) and (119886119888119896==119867) are oftruth logic
For example assertion (119886[15 0] == 119887[15 0]) is also avalid Boolean expression stating that the 16-bit vectors 119886[15
0] and 119887[15 0] are equalIn SVA the following are valid Boolean expressions
(i) 119886119903119903119886119910119860 == 119886119903119903119886119910119861
(ii) 119886119903119903119886119910119860 = 119886119903119903119886119910119861
(iii) 119886119903119903119886119910119860[119894] gt= 119886119903119903119886119910 119861[119895]
(iv) 119886119903119903119886119910119861[119894][119895+ 2] == 119886119903119903119886119910119860[119896][119898minus 2]
(v) (119886119903119903119886119910119860[119894]amp(119886119903119903119886119910119861[119895])) == 0
Since the state of a signal variable can be viewed as a zeroof a set of polynomials We have the following
(1) For any signal 119909 holds at a given time step 119894 thus thestate of 119909 == 1 (119909 is active-high at cycle 119894) can berepresented by polynomial 119909
[119894]minus 1
(2) Alternatively the state of 119909 == 0 (119909 is active-low atcycle 119894) can be represented by polynomial 119909
[119894]
(3) Symbolically the state of 119909 == 119867 (119909 is active-high 119867
at the 119894th cycle) can be modeled as 119909[119894]
minus 119867
53 Sequence Operator Modeling Temporal assertions definenot only the values of signals but also the relationshipbetween signals over time The sequences are the buildingblocks of temporal assertions and can express a set of linearbehavior lasting for one or more cycles These sequences areusually used to specify and verify interface and bus protocols
A sequence is a regular expression over the Booleanexpressions that concisely specifies a set of linear sequencesThe Boolean expressions must be true at those specific clockticks for the sequence to be true over time
SystemVerilog provides several sequence compositionoperators to combine individual sequences in a variety ofways that enhance code writing and readability which canconstruct sequence expressions from Boolean expressions
In this paper throughout operator [1 $] operator andthe first match operator are not supported by our method
SystemVerilog defines a number of operations that canbe performed on sequences The sequence compositionoperators in SVA are listed as follows
Definition 14 (sequence operator)
119877 = 119887ldquoBoolean expressionrdquo form
| (1 V = 119890) ldquolocal variable samplingrdquo form| (119877) ldquoparenthesisrdquo form| (11987711 119877
2) ldquoconcatenationrdquo form
| (11987710 119877
2) ldquofusionrdquo form
| (1198771or 1198772) ldquoorrdquo form
| (1198771intersect 119877
2) ldquointersectrdquo form
| first match (119877) ldquofirst matchrdquo form| 119877[lowast0] ldquonull repetitionrdquo form| 119877[lowast1 $] ldquounbounded repetitionrdquo form| [lowast] [=] [minus gt] ldquorepetitionrdquo repeater| throughoutspecifying a Boolean expression musthold throughout a sequence| withinspecifying conditions within a sequence
The resulted sequences constructed by operators are thenused in properties for use in assertions and covers
531 Cycle Delay Operator In SystemVerilog the con-struct is referred to as a cycle delay operator
ldquo1rdquo and ldquo0rdquo are concatenation operators the formeris the classical regular expression concatenation the latter isa variant with one-letter overlapping
A 119899 followed by a number 119899 or range specifies the 119899
cycles delay from the current clock cycle to the beginning ofthe sequence that follows
(1) Fixed-length Casesequence fixs
119886119899119887
endsequencerArr ⟦119891119894119909119904⟧ = ⟦119886⟧
119905 ⟦119887⟧119905+119899
(2) Time-range Casesequence 119905119898119904
119886[119898 sdot sdot sdot 119899]119887
endsequencerArr ⟦119905119898119904⟧ = ⟦119886⟧
[119905] ⟦119887⟧119898
[119905] or sdot sdot sdot or ⟦119886⟧
[119905] ⟦119887⟧119899
[119905]
532 Intersect Operator The two operands of intersectoperator are sequences The requirements for match of theintersect operation are as follows
(i) Both operands must match(ii) The lengths of the two matches of the operand
sequences must be the same
Journal of Applied Mathematics 9
1198771intersect 119877
2
1198771starts at the same time as 119877
2 the intersection will
match if 1198771 starting at the same time as 119877
2 matches at the
same time as 1198772matches
Therefore we have
⟦1198771intersect 119877
2⟧ = ⟦119877
1⟧119889119890119901(119877
1)
[119905]and ⟦1198772⟧119889119890119901(119877
2)
[119905] (12)
The sequence length matching intersect operator con-structs a sequence like the and nonlength matching operatorexcept that both sequences must be completed in same cycle
533 and Operator 1198771and 119877
2
This operator states that 1198771starts at the same time as 119877
2
and the sequence expression matches with the later of 1198771and
1198772matching This binary operator and is used when both
operands are expected to match but the end times of theoperand sequences can be different
That is 1198771and 119877
2denotes both 119877
1and 119877
2holds for the
same number cycles Then the matches of 1198771and 119877
2must
satisfy the following
(i) The start point of the match of 1198771must be no earlier
than the start point of the match of 1198772
(ii) The end point of thematch of1198771must be no later than
the end point of the match of 1198772
The sequence nonlength matching and operator con-structs a sequence in which two sequences both hold at thecurrent cycle regardless of whether they are completed in thesame cycle or in different cycles
⟦1198771and 119877
2⟧ 997904rArr
ℎ1
⋁
119894=1198971
ℎ2
⋁
119895=1198972
(⟦1198771⟧119894
[119905] and ⟦119877
2⟧119895
[119905]) (13)
Here 119897119894= 119889119890119901(119877
119894) sdot 119897 ℎ
119894= 119889119890119901(119877
119894) sdot ℎ and 0 lt 119894 le 2
534 or Operator 1198771or 1198772
The sequence or operator constructs a sequence in whichone of two alternative sequences hold at the current cycleThus the sequence (1198861119887) or (1198881119889) states that eithersequence 119886 119887 or sequence 119888 119889 would satisfy the assertion
⟦1198771or 1198772⟧ 997904rArr
ℎ1
⋁
119894=1198971
ℎ2
⋁
119895=1198972
(⟦1198771⟧119894
[119905] or ⟦119877
2⟧119895
[119905]) (14)
Here 119897119894= 119889119890119901(119877
119894) sdot 119897 ℎ
119894= 119889119890119901(119877
119894) sdot ℎ and 0 lt 119894 le 2
535 Local Variables SystemVerilog provides a feature bywhich variables can be used in assertions The user candeclare variables local to a property This feature is highlyuseful in pipelined designs where the consequent occur-rence might be many cycles later than their correspondingantecedents
Local variables are optional and local to properties Theycan be initialized assigned (and reassigned) a value operatedon and compared to other expressions
The syntax of a sequence declaration with a local variableis shown below
119904119890119902119906119890119899119888119890 119889119890119888119897119886119903119886119905119894119900119899 =
sequence 119904119890119902119906119890119899119888119890 119894119889119890119899119905119894119891119894119890119903[([119905119891 119901119900119903119905 119897119894119904119905])]
119886119904119904119890119903119905119894119900119899 V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899
119904119890119902119906119890119899119888119890 119890119909119901119903
endsequence [ 119904119890119902119906119890119899119888119890 119894119889119890119899119905119894119891119894119890119903]
The property declaration syntax with a local variable canbe illustrated as follows
119901119903119900119901119890119903119905119910 119889119890119888119897119886119903119886119905119894119900119899 =
property 119901119903119900119901119890119903119905119910 119894119889119890119899119905119894119891119894119890119903[([119905119891 119901119900119903119905 119897119894119904119905])]
119886119904119904119890119903119905119894119900119899V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899
119901119903119900119901119890119903119905119910 119904119901119890119888
endproperty [ 119901119903119900119901119890119903119905119910 119894119889119890119899119905119894119891119894119890119903]
The variable identifier declaration syntax of a local vari-able can be illustrated as follows
119886119904119904119890119903119905119894119900119899 V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899 =
V119886119903 119889119886119905119886 119905119910119901119890 119897119894119904119905 119900119891 V119886119903119894119886119887119897119890 119894119889119890119899119905119894119891119894119890119903119904
The dynamic creation of a variable and its assignment isachieved by using the local variable declaration in a sequenceor property declaration and making an assignment in thesequence
Thus local variables of a sequence (or property) may beset to a value which can be computed from a parameter orother objects (eg arguments constants and objects visibleby the sequence (or property))
For example a property of a pipeline with a fixed latencycan be specified below
property 119897119886119905119890119899119888119910119894119899119905 119909(V119886119897119894119889 119894119899 119909 = 119901 119894119899)|minus gt 3(119901 119900119906119905 == (119909 + 1))
endproperty
This property e is evaluated as followsWhen V119886119897119894119889 119894119899 is true 119909 is assigned the value of 119901 119894119899 If 3
cycles later 119901 119900119906119905 is equal to 119909 + 1 then property 119897119886119905119890119899119888119910 istrue Otherwise the property is false When V119886119897119894119889 119894119899 is falseproperty 119897119886119905119890119899119888119910 is evaluated as true
For the algebraization of SVA properties with localvariables in our method these local variables will be takenas common signal variables (symbolic constant) without anysequential information
Thus we have the polynomial set representation forproperty 119897119886119905119890119899119888119910
⟦119897119886119905119890119899119888119910⟧[119905]
=
(V119886119897119894119889 119894119899[119905]
minus 1)(119909 minus 119901 119894119899
[119905])
(119901 119900119906119905[119905+3]
minus (119909 + 1))
10 Journal of Applied Mathematics
536 Repetition Operators SystemVerilog allows the userto specify repetitions when defining sequences of BooleanexpressionsThe repetition counts can be specified as either arange of constants or a single constant expression
Nonconsecutive repetition specifies finitely many itera-tive matches of the operand Boolean expression with a delayof one or more clock ticks from one match of the operandto the next successive match and no match of the operandstrictly in between The overall repetition sequence matchesat or after the last iterative match of the operand but beforeany later match of the operand
The syntax of repetition operator can be illustrated asfollows
119899119900119899 119888119900119899119904119890119888119906119905119894V119890 119903119890119901 = [= 119888119900119899119904119905 119900119903 119903119886119899119892119890 119890119909119901119903] (15)
The number of iterations of a repetition can be specifiedby exact count
For example a sequence with repetition can be defined as
119886 |=gt 119887 [= 3] 1 119888 (16)
The sequence expects that 2 clock cycles after the validstart signal ldquo119887rdquo will be repeated three times
We have ⟦119877[= 119899]⟧ = ⋁119899
119894=0(⟦119877⟧
119894lowast119889119890119901(119877)
[119905])
54 Property OperatorModeling In general property expres-sions in SVA are built using sequences other sublevel proper-ties and simple Boolean expressions via property operators
In SVA a property that is a sequence is evaluated as trueif and only if there is a nonempty match of the sequenceA sequence that admits an empty match is not allowed as aproperty
The success of assertion-based verification methodologyrelies heavily on the quality of properties describing theintended behavior of the design Since it is a fairly newmethodology verification and design engineers are oftenfaced with a question of ldquohow to identify good propertiesrdquo fora design It may be tempting to write properties that closelyresemble the implementation
Properties we discussed in this paper can be classified as
(1) Design Centric Design centric properties represent asser-tions added by the RTL designers to characterize whitebox design attributes These properties are typically towardsFSMs localmemories clock synchronization logic and otherhardware-related designs The design should conform to theexpectations of these properties
(2) Assumption Centric Assumption centric properties rep-resent assumptions about the design environment They areused in informal verification to specify assumptions about theinputs The assume directive can inform a verification tool toassume such a condition during the analysis
(3) RequirementVerification Centric Many requirementproperties are best described using a ldquocause-to-effectrdquo stylethat specifies what should happen under a given conditionThis type of properties can be specified by implication
operator For example a handshake can be described as ldquoifrequest is asserted then acknowledge should be assertedwithin 5 cyclesrdquo
In general property expressions are built using sequen-ces other sublevel properties and simple Boolean expres-sions
These individual elements are combined using propertyoperators implication NOT ANDOR and so forth
The property composition operators are listed as follows
Definition 15 (property operator)
119875 = 119877lowast ldquosequencerdquo form lowast
|(119875)lowast ldquoparenthesisrdquo form lowast
|not 119875lowast ldquonegationrdquo form lowast
|(1198751or 1198752)lowast ldquoorrdquo form lowast
|(1198751and 119875
2)lowast ldquoandrdquo form lowast
|(119877|minus gt 119875) |(119877| =gt 119875)lowast ldquoimplicationrdquo form lowast
|disable iff(119887) 119875lowast ldquoresetrdquo form lowast
Note that disable if and only if will not be supportedin this paper Property operators construct properties out ofsequence expressions
541 Implication
Operators The SystemVerilog implication operator supportssequence implication and provides two forms of implicationoverlapped using operator |minus gt and nonoverlapped usingoperator | =gt respectively
The syntax of implication is described as follows
119904119890119902119906119890119899119888119890 119890119909119901119903 | minus gt 119901119903119900119901119890119903119905119910 119890119909119901119903
119904119890119902119906119890119899119888119890 119890119909119901119903 | =gt 119901119903119900119901119890119903119905119910 119890119909119901119903
(17)
The implication operator takes a sequence as its anteced-ent and a property as its consequent Every time the sequencematches the property must hold Note that both the runningof the sequence and the property may span multiple clockcycles and that the sequence may match multiple times
For each successful match of the antecedent sequencethe consequence sequence (right-hand operand) is sepa-rately evaluated beginning at the end point of the matchedantecedent sequence All matches of antecedent sequencerequire a match of the consequence sequence
Moreover if the antecedent sequence (left hand operand)does not succeed implication succeeds vacuously by return-ing true For many protocol related assertions it is importantto specify the sequence of events (the antecedent or cause)that must occur before checking for another sequence (theconsequent or effect) This is because if the antecedent doesnot occur then there is no need to perform any furtherverification In hardware this occurs because the antecedentreflects an expression that when active triggers something tohappen
Journal of Applied Mathematics 11
A property with a consequent sequence behaves as if theconsequent has an implication first-match applied to it
542 NOT
Operator The operator NOT 119901119903119900119901119890119903119905119910 119890119909119901119903 states that theevaluation of the property returns the opposite of the eval-uation of the underlying 119901119903119900119901119890119903119905119910 119890119909119901119903
543 AND
Operator The formula ldquo1198751AND 119875
2rdquo states that the property
is evaluated as true if and only if both 1198751and 1198752are evaluatd
as true
544 OR
Operator The operator ldquo1198751OR 119875
2rdquo states that the property is
evaluated as true if and only if at least one of 1198751and 119875
2is
evaluated as true
545 IF-ELSE
Operator This operator has two valid forms which are listedas follows
(1) IF (119889119894119904119905) 1198751
A property of this form is evaluated as true if and only ifeither 119889119894119904119905 is evaluated as false or 119875
1is evaluated as true
(2) IF (119889119894119904119905) 1198751ELSE 119875
2
A property of this form is evaluated as true if and only ifeither 119889119894119904119905 is evaluated as true and 119875
1is evaluated as true or
119889119894119904119905 is evaluated as false and 1198752is evaluated as true
From previous discussion we have the following propo-sition for property reasoning
Proposition 16 Assume that1198751198751 and119875
2are valid properties
in SVA the following rules are used to construct the correspond-ing verification process Here 119860119904119904119862ℎ119896(119872119900119889119890119897 119875119903119900119901119890119903119905119910)
ture false is a self-defined checking function that can deter-mine whether a given ldquo119875119903119900119901119890119903119905119910rdquo holds or not with respect toa circuit model ldquo119872119900119889119890119897rdquo
(1) 1198751OR 119875
2rArr 119860119904119904119862ℎ119896(119872 ⟦119875
1⟧) or 119860119904119904119862ℎ119896(119872 ⟦119875
2⟧)
(2) 1198751AND 119875
2rArr 119860119904119904119862ℎ119896(119872 ⟦119875
1⟧)and119860119904119904119862ℎ119896(119872 ⟦119875
2⟧)
(3) NOT 119875 rArr not119860119904119904119862ℎ119896(119872 ⟦119875⟧)
(4) IF (119889119894119904119905) 1198751
rArr not119860119904119904119862ℎ119896(119872 119889119894119904119905) or 119860119904119904119862ℎ119896(119872
⟦1198751⟧)
(5) IF (119889119894119904119905) 1198751ELSE 119875
2rArr (119860119904119904119862ℎ119896(119872 119889119894119904119905)and119860119904119904119862ℎ119896
(119872 ⟦1198751⟧))or(not119860119904119904119862ℎ119896(119872 119889119894119904119905)and119860119904119904119862ℎ119896(119872 ⟦119875
2⟧))
(6) 119878 | minus gt 119875 rArr if (not119860119904119904119862ℎ119896(119872 ⟦119878⟧))119903119890119905119906119903119899 true else(119860119904119904119862ℎ119896(119872 ⟦119878⟧
[119905]) and 119860119904119904119862ℎ119896(119872 ⟦119875⟧
dep(119875)[119905+dep(119878)minus1]))
(7) 119878 |=gt 119875 rArr if(not119860119904119904119862ℎ119896(119872 ⟦119878⟧))119903119890119905119906119903119899 true else(119860119904119904119862ℎ119896(119872 ⟦119878⟧
[119905]) and 119860119904119904119862ℎ119896(119872 ⟦119875⟧
dep(119875)[119905+dep(119878)]))
6 Verification Algorithm
In this section we will describe how an assertion is checkedusing Groebner bases approach Firstly we will discussa practical algorithm using Groebner bases for assertionchecking
61 Basic Principle As just mentioned our checking methodis based on algebraic geometry which is the study of thegeometric objects arising as the common zeros of collectionsof polynomials Our aim is to find polynomials whosezeros correspond to pairs of states in which the appropriateassignments are made
We can regard any set of points in 119896119899 as the variety of some
ideal We can then use the ideal or any basis for the ideal as away of encoding the set of points
From Groebner Bases theory [10 12] every nonzero ideal119868 sub 119896[119909
1 119909
119899] has a Groebner basis and the following
proposition evidently holds
Proposition 17 Let 119862 and 119878 be polynomial sets of 119896[1199091
119909119899] and ⟨119866119878⟩ a Groebner basis for ⟨119878⟩ and then we have that
⟨119862⟩ sube ⟨119878⟩ hArr forall119888 isin 119862 119903119890119898119889(119888 119866119878) == 0 holds
Theorem 18 Suppose that 119860(⟦119860⟧ = 1198861 1198862 119886
119903) is a
property to be verified 119879 is the initial preconditions of 119862 and119872 is a system model to be checked Let ⟦119879⟧ and ⟦119872⟧ bethe polynomial set representations for 119879 and 119872 respectivelyconstructed by previous mentioned rules Let 119867 = ⟦119879 cup 119872⟧ =
ℎ1 ℎ2 ℎ
119904 sube 119896[119909
1 119909
119899] 119868 = ⟨119867⟩ (where ⟨119867⟩ denotes
the ideal generated by 119867) and 119866119861119867
= 119892119887119886119904119894119904(119867 ≺) then wehave
( (1 notin 119866119861119867
) and 119903119890119898119889 (119862 119866119861119867
) == 0)
lArrrArr ((1 notin 119866119861119867
) and119903
⋀
119894=0
(119903119890119898119889 (119892119894 119866119861119867
) == 0))
lArrrArr (119872 |= 119860) holds
(18)
Proof (1) The polynomial set ⟦119872⟧ of system model 119872
describes the data-flow relationship that inputs outputs andfunctional transformation should meet The initial condition⟦119872⟧ can be seen as extra constraint applied by users Thereshould not exist contradiction between them that is thepolynomial equations of ⟦119879 cup 119872⟧ must have a commonsolution
ByHilbertrsquos Nullstellensatz theory if we have polynomials⟦119879 cup 119872⟧ = 119891
1 119891
119904 isin 119896[119909
1 119909
119899] we compute a
reducedGroebner basis of the ideal they generatewith respectto any ordering If this basis is 1 the polynomials have nocommon zero in 119896
119899 if the basis is not 1 they must have acommon zero
Therefore (1 notin 119866119861119867
) should hold(2) Evidently by previous proposition it is easy to have
that 119903119890119898119889(119862 119866119861119867
) == 0 should holdThus we have that this theorem holds
12 Journal of Applied Mathematics
Input(1) circuit model 119872(2) initial condition 119879(3) an assertion 119860Output Boolean 119905119903119906119890 or 119891119886119897119904119890BEGIN
lowastStep 1 initialize input signals via testbench lowast(00) 119868119899119894119905119878119894119892119899119886119897119904()(01) M = 0PS
119860= 0 119867 = 0PS
119879= 0
lowastStep 2 build polynomial model lowast(02) M = ⟦119872⟧ = 119861119906119894119897119889PS(119872)
lowastStep 3 build polynomial set for initial condition 119879lowast
(03) 119875119878119879
= ⟦119879⟧ = 119861119906119894119897119889PS(119879)lowastStep 4 build polynomial set for consequentA lowast
(04) 119875119878119860
= ⟦119860⟧ = 119861119906119894119897119889PS(119860)lowastStep 5 calculate the PS
119879cup Mlowast
(05) 119867 = PST cup MlowastStep 6 calculate the Groebner base of ⟨119867⟩
lowast(06) GB
119867= 119892basis(119867 ≺)
lowastStep 7 determine the basis is 1 or not lowast(07) if(1 isin GB
119867)
(08) return 119891119886119897119904119890 lowastStep 8 check every polynomial lowastlowast119860 = 119886
1 1198862 119886
|119860|lowast
(09) 119894 = 1(10) 119908ℎ119894119897119890(119894 le |119860|)
(11) if(119903119890119898119889(⟦119886119894⟧ GB
119867) = 0)
(12) return 119891119886119897119904119890 (13) i++(14) lowast endwhile lowast(15) return 119905119903119906119890 lowast Assertion does hold lowastEND
Algorithm 1 ldquo119860119904119904119862ℎ119896119875119900119897119910119861119906119894119897119889(119872 119879 119860)rdquo
62 Checking Algorithm For simplicity in this section weonly provide the key decision algorithm
Firstly the original system model is transformed into anormal polynomial representation and the assertion as wellThen calculate the hypothesis set and its Groebner basisusing the Buchberger algorithm [18] and their eliminationideals Finally examine the inclusion relationship betweenelimination ideals to determine whether the assertion to bechecked holds or not
From above discussion we have the following processsteps and detailed algorithm description Algorithm 1
For convenience we can derive another version checkingprocedure named ldquo119860119904119904119862ℎ119896(⟦119872⟧ ⟦119860⟧)rdquo which can acceptpolynomial representations as inputs without explicit poly-nomial construction process
Further by applying Theorem 18 and the checking algo-rithm ldquo119860119904119904119862ℎ119896(⟦119872⟧ ⟦119860⟧)rdquo we can easily verify all sup-ported properties written in SVA
7 An Example
In this section we will study a classical circuit to show howSVA properties are verified by polynomial representation andalgebra computation method
Consider the Johnson counter circuit in Figure 3 Johnsoncounters can provide individual digit outputs rather than a
3 2 1
m1m2m3
m4clk
And
Andy
Figure 3 Johnson counter
Table 3 Table of Johnson counter output
Counter (clock) V3(1198983) V2(1198982) V1(1198981)
0 0 0 01 1 0 02 1 1 03 0 1 14 0 0 15 0 0 0
binary or BCD output as shown in Table 3 Notice that eachlegal count may be defined by the location of the last flip-flopto change states and which way it changed state
71 Algebraization of Circuit and Assertion Johnson counterprovides individual digit outputs as shown in Table 3
The polynomial set for Johnson counter circuit in Figure 3can be constructed as follows
119878119890119905adder = 1198911 = 11989831015840minus 1198984 1198912 = 1198982
1015840minus 1198983
1198913 = 11989811015840minus 1198982
1198914 = 1198984 minus (1 minus 1198981) lowast (1 minus 1198982)
1198915 = 119910 minus 1198981 lowast (1 minus 1198982)
(19)
where 11989811015840 denotes the next state of 1198981 For the 119894th cycle we
use 1199091[119894]to denote variable name in current cycle
Similarly another Johnson counter circuit with an erroris shown in Figure 4 the corresponding polynomial set canbe described by
119878119890119905adder = 1198911 1198912 1198913
11989141015840
= 1198984 + 1198981 + 1198982
minus (1 minus 1198981) lowast (1 minus 1198982) 1198915
(20)
Journal of Applied Mathematics 13
3 2 1
m1m2m3
m4clk
Or
Andy
Figure 4 Johnson counter with error
To illustrate the problem clearly we define polynomial setrepresentation 119875119872[119894] for 119894th cycle as follows
119875119872 [119894] = 1198983[119894+1]
minus 1198984[119894]
1198982[119894+1]
minus 1198983[119894]
1198981[119894+1]
minus 1198982[119894]
1198984[119894]
minus (1 minus 1198982[119894]
) lowast (1 minus 1198981[119894]
)
119910 minus 1198981[119894]
lowast (1 minus 1198982[119894]
)
(21)
Support that the circuit will run 6 cycles for verificationtherefore we have 119875119872 = ⋃
5
119894=0119875119872[119894]
For any Boolean variable 119886 we will add an extra con-straint 119886lowast119886minus119886Thus we define the corresponding constraintsset as follows 119862119873119878[119894] = 119888
[119894]lowast 119888[119894]
minus 119888[119894]
119888 isin 1198981 1198982 1198983 1198984
119910In the same manner we have 119862119873119878 = ⋃
5
119894=0119862119873119878[119894]
The sequential property for this counter circuit can bespecified by the following SystemVerilog assertions
property 119869119862119875119860
(1198983 = 0 ampamp 1198982 = 0 ampamp 1198981 = 0)
| =gt 1(1198983 == 1 ampamp 1198982 == 0 ampamp 1198981 == 0)
| =gt 2(1198983 == 1 ampamp 1198982 == 1 ampamp 1198981 == 0)
| =gt 3(1198983 == 0 ampamp 1198982 == 1 ampamp 1198981 ==
1)
endpropertyproperty 1198691198621198751
(119888119897119896)(1198981 == 0)| =gt 2 (1198981 == 0)
endpropertyproperty 1198691198621198752
(119888119897119896)(1198982 == 0)| =gt 2 (1198982 == 1)
endpropertyproperty 1198691198621198753
(119888119897119896)(1198983 == 0)| =gt 2 (1198983 == 1)
endproperty
Table 4 Polynomial forms
Name Precondition Expected consequent
JCPA
1198981[0]
1198982[0]
1198983[0]
cycle 1 1198981[1]
minus 1 1198982[1]
1198983[1]
cycle 2 1198981[2]
minus 1 1198982[2]
minus 1 1198983[2]
cycle 3 1198981[3]
1198982[3]
minus 1 1198983[3]
minus 1
JCP1 1198981[0]
1198981[2]
JCP2 1198982[0]
1198982[2]
minus 1
JCP3 1198983[0]
1198983[2]
minus 1
We will afterwards demonstrate the verification processstep by step
The circuit model to be verified is as shown below
119878119872 = 119875119872 cup 119862119873119878 (22)
The property of this counter can be specified as thefollowing SVA assertion
assert property (1198691198621198751)
assert property (1198691198621198752)
The Algebraization form of the above properties can bemodeled as in Table 4
72 Experiment Using Maple We run this example by usingMaple 13 Before running we manually translated all modelsinto polynomials The experiment is performed on a PC witha 240GHz CPU (intel i5M450) and 1024MB of memoryIt took about 004 seconds and 081MB of memory whenapplying Groebner method
[gtwith(Groebner)[gt 119862119872 = sdot sdot sdot
lowastCircuit Modellowast[gt 119879119863119864119866 = 119905119889119890119892(
1198981[0] 1198982[0] 1198983[0] 1198984[0]
1198981[1] 1198982[1] 1198983[1] 1198984[1]
1198981[2] 1198982[2] 1198983[2] 1198984[2]
1198981[3] 1198982[3] 1198983[3] 1198984[3]
1198981[4] 1198982[4] 1198983[4] 1198984[4]
119910[0] 119910[1] 119910[2] 119910[3]
)
[gt 119862119866119861 = 119861119886119904119894119904(119862119872 119879119863119864119866)
Thus we can have the Groebner basis as follows
[gt [1199101[3]
1199101[2]
1199101[1]
1199101[1]
1198983[4]
1198982[4]
1198981[4]
minus 1 1198984[3] 1198983[3] 1198982[3]
minus 1 1198981[3]
minus 11198984[2] 1198983[2]
minus 1 1198982[2]
minus 1 1198981[2] 1198984[1]
minus 11198983[1]
minus 11198982[1] 1198981[1] 1198984[0]
minus 1 1198983[0] 1198982[0] 1198981[0]
]
[gt 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983[1]
minus 1 119862119866119861 119879119863119864119866)
[gt 119903119890119905 = 0
14 Journal of Applied Mathematics
Table 5 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862119866119861
080M 002 S0
Yes1198982[1]
1 notin 119862119866119861 0
1198983[1]
minus 1 1 notin 119862119866119861 0
11198981[2]
1 notin 119862119866119861
081M 003 S0
Yes1198982[2]
minus 1 1 notin 119862119866119861 0
1198983[2]
minus 1 1 notin 119862119866119861 0
21198981[3]
minus 1 1 notin 119862119866119861
081M 004 S0
Yes1198982[3]
minus 1 1 notin 119862119866119861 0
1198983[3]
1 notin 119862119866119861 0
3 1198981[2]
1 notin 119862119866119861 081M 004 S 0 Yes4 1198982
[2] 1 notin 119862119866119861 081M 004 S 0 Yes
5 1198983[2]
1 notin 119862119866119861 081M 004 S 0 Yes
Table 6 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862GB080M 002 S
0
Yes1198982[1]
1 notin 119862GB 0
1198983[1]
minus 1 1 notin 119862GB 0
11198981[2]
1 notin 119862GB081M 003 S
0
Yes1198982[2]
minus 1 1 notin 119862GB 0
1198983[2]
minus 1 1 notin 119862GB 0
21198981[3]
minus 1 1 notin 119862GB081M 014 S
0
NO1198982[3]
minus 1 1 notin 119862GB 0
1198983[3]
1 notin 119862GB minus1
As shown in maple outputs the given circuit has beenmodeled as polynomial set119862119872 (itsGroebner bases is denotedby 119862119866119861) and assertion expected result as 1198983
[1]minus 1 From
the running result we have 1 notin 119862119866119861 and return valueof 119873119900119903119898119886119897119865119900119903119898 is 0 which means 119862119866119861 is divided with noremainder by 1198983
[1]minus 1
Thus from the previously mentioned verification princi-ples it is easy to conclude that the assertion 1198691198621198751 holds underthis circuit model after 3 cycles
More detailed experiment results for verification of cir-cuit shown in Figure 3 are listed in Table 5
Conversely we check these assertions against the circuitshown in Figure 4 in a similar way More detailed experimentresults are demonstrated in Table 6
From above table when checking 119869119862119875119860 assertion theresult 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983
[3] 119862119866119861 119879119863119864119866) = 0 so that
we can conclude the assertion does not holdTherefore theremust exist unexpected errors in the original circuit
This case is a fairly complete illustration of how thechecking algorithm works
8 Conclusion
In this paper we presented a new method for SVA prop-erties checking by using Groebner bases based symbolicalgebraic approaches To guarantee the feasibility we defined
a constrained subset of SVAs which is powerful enough forpractical purposes
We first introduce a notion of symbolic constant withoutany sequential information for handling local variables inSVAs inspired from STE We then proposed a practical alge-braizationmethod for each sequence operator For sequentialcircuits verification we introduce a parameterized polyno-mial set modeling method based on time frame expansion
Our approach is based on polynomial models construc-tion for both circuit models and SVA assertionsThis methodis to eventually translate a simulation based verificationproblem into a pure algebraic zero set determination problemby a series of proposed steps which can be performed on anygeneral symbolic algebraic tool
Thismethod allows users to deal withmore than one stateand many input combinations every cycle This advantagecomes directly from the fact that many vectors are simulatedat once using symbolic value
In summary in this research by suitable restrictions ofSVA assertions we can guarantee the availability of polyno-mial set representation Based on this polynomial set modelsymbolic simulation can be performed to produce symbolictraces and temporal relationship constraints of signal vari-ables as well We then apply symbolic algebra approach tocheck the zeros set relation between their polynomial sets anddetermine whether the temporal assertion holds or not undercurrent running cycle
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
The project is supported by the National Natural ScienceFoundation of China under Grant no 11371003 theNatural Science Foundation of Guangxi under Grantsnos 2011GXNSFA018154 2012GXNSFGA060003 and2013GXNSFAA019342 the Science and TechnologyFoundation of Guangxi under Grant no 10169-1 theScientific Research Project no 201012MS274 from GuangxiEducation Department the Fundamental Research Fundsfor the Central Universities under Grants nos DUT14QY05and HCIC201204 of Guangxi Key Laboratory of HybridComputation and IC Design Analysis Open Fund andthe Baguio scholarship Project of Guangxi The authorswould like to thank their colleagues for participating in theresearch They also appreciate the anonymous reviewers fortheir helpful comments
References
[1] IEEE System Verilog Working Group IEEE Standard forSystemVerilog C Unified Hardware Design Specification andVerification (IEEE Std 1800-2005) IEEE 2005
[2] ldquoIEEE draft standard for system verilogmdashunified hardware de-sign specification and verification languagerdquo IEEE P1800D32011
Journal of Applied Mathematics 15
[3] R Wille G Fey M Messing G Angst L Linhard and RDrechsler ldquoIdentifying a subset of SystemVerilog assertions forefficient bounded model checkingrdquo in Proceedings of the 11thEUROMICRO Conference on Digital System Design Architec-tures Methods and Tools (DSD rsquo08) pp 542ndash549 September2008
[4] L Darringer ldquoApplication of program verification techniques tohardware verificationrdquo in Proceedings of the IEEE-ACM DesignAutomation Conference pp 375ndash381 1979
[5] G S Avrunin ldquoSymbolic model checking using algebraicgeometryrdquo in Proceedings of the 8th International Conference onComputer Aided Verification vol CAV96 pp 26ndash37 SpringerLondon UK 1996
[6] W B Mao and J Z Wu ldquoApplication of Wus method to sym-bolic model checkingrdquo in Proceedings of the 2005 internationalSymposiumon Symbolic andAlgebraic Computation (ISSAC rsquo05)pp 237ndash244 ACM Press Beijing China 2005
[7] J Wu and L Zhao ldquoMulti-valued model checking via groebnerbasis approachrdquo in Proceedings of the 1st Joint IEEEIFIP Sympo-sium on Theoretical Aspects of Software Engineering (TASE rsquo07)pp 35ndash44 IEEE Computer Society Press June 2007
[8] N Zhou J Wu and X Gao ldquoAlgebraic verification method forSEREs properties via Groebner bases approachesrdquo Journal ofAppliedMathematics vol 2013 Article ID 272781 10 pages 2013
[9] X Gao N Zhou J Wu and D Li ldquoWursquos characteristic setmethod for SystemVerilog assertions verificationrdquo Journal ofApplied Mathematics vol 2013 Article ID 740194 14 pages2013
[10] J Little D Cox andD OrsquoShea Ideals Varieties and AlgorithmsSpringer New York NY USA 1992
[11] T Becker andVWeispfenningGrobner Bases AComputationalApproach to Commutative Algebra Springer New York NYUSA 1993
[12] B Buchberger ldquoGroebner bases an algorithmic method inpolynomial ideal theoryrdquo in Multidimensional Systems Theorypp 184ndash232 1985
[13] S B Akers ldquoBinary decision diagramsrdquo IEEE Transactions onComputers C vol 27 no 6 pp 509ndash516 1978
[14] S Hoereth and R Drechsler ldquoFormal verification of word-levelspecificationsrdquo in Proceedings of the Design Automation andTest in Europe Conference and Exhibition pp 52ndash58 MunichGermany 1999
[15] Y M Ryabukhin ldquoBoolean ringrdquo in Encyclopaedia of Mathe-matics Springer Michiel Germany 2001
[16] S Das R Mohanty P Dasgupta and P P Chakrabarti ldquoSynthe-sis of system verilog assertionsrdquo in Proceedings of the Conferenceon Design Automation and Test in Europe Designersrsquo Forum(DATE rsquo06) pp 70ndash75 European Design and AutomationAssociation Leuven Belgium March 2006
[17] C-J Seger and R E Bryant ldquoFormal verification by symbolicevaluation of partially-ordered trajectoriesrdquo Formal Methods inSystem Design vol 6 no 2 pp 147ndash190 1995
[18] D Cox J Little and D OrsquoShea Ideals Varieties and AlgorithmsAn Introduction to Computational Algebraic Geometry andCommutative Algebra Undergraduate Texts in MathematicsSpringer New York 3rd edition 2007
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Journal of Applied Mathematics 7
[23]
e And [46]
[12] [23]
a b c d
[35] [35] [46][46]
[00]
Figure 2 Sequence depth parsing tree
For example the following sequence is used to illustratehow to calculate the sequence depth
sequence
119890 [2 sdot sdot sdot 3] ((119886[1sdot sdot sdot 2]119887) and (119888 [1 sdot sdot sdot 2] 119889))
endsequence
Figure 2 shows the binary parsing tree for calculatingsequence depth of this sequence The box denotes operatorand cycle denotes signal node in the syntax tree
Firstly consider the top layer of the parsing tree andthe sequence [2 sdot sdot sdot 3] Here because the first operand 119890
is a terminal of the sequence thus this operand becomesrelevant at time step 0 only (119879
1st = [0 sdot sdot sdot 0]) Since the intervalhas to be considered the second operand (the subtree ofldquoandrdquo)matches 2 or 3 time steps laterTherefore calculating isrecursively performed with 119879 = [0 sdot sdot sdot 0] + [2 sdot sdot sdot 3] = [2 sdot sdot sdot 3]
for the second operandSimilarly we can have the sequence depth of the whole
sequence and all its subsequences as denoted in the figure
5 SVA to Polynomial Set Translation
As mentioned previously SystemVerilog assertions are anintegral component of SystemVerilog and provide two kindsof assertions immediate assertions and concurrent asser-tions
In this section we only discuss concurrent assertions andtheir temporal layer representation model
Concurrent assertions express functional design intentand can be used to express assumed input behavior expectedoutput behavior and forbidden behavior That is assertionsdefine properties that the design must meet Many prop-erties can be expressed strictly from variables available inthe design while properties are often constructed out ofsequential behaviors
Thus we will firstly discuss the basic algebraizationprocess for the sequential behavior model
51 Algebraization Process Theproperties written in SVAwillbe unrolled and checked against the design for bounded timesteps in our method Note that only a constrained subset ofSVA can be supported by our method (unspecified upperbound time range and first-match operator are excluded)
Firstly we translate the properties described by theconstrained subset of SVA into flat sequences according tothe semantics of each supported operator
Asmentioned in [16] the total set of SVA is divided into 4subgroups namely simple sequence expression (SSE) inter-val sequence expression (ISE) complex sequence expression(CSE) and unbounded sequence expression (USE) Here inour method these groups can only be partly supported
Therefore we define the following sequence expressionsby adding further conditions
(i) Constrained simple sequence expression (CSSE) isformed by Boolean expression repeat operator andcycle delay operator
(ii) Constrained interval sequence expression (CISE) isa super set of CSSE formed by extra time rangeoperators
(iii) Constrained complex sequence expression is a superset of CSSE and CISE containing operators or andintersection
Secondly the unrolled flat sequences will be added totemporal constraints to form proportional formulas withlogical connectives (or and and not)
Finally the resulted proportional formulas will be trans-lated into equivalent polynomial set
Then the verification problem is reduced to proving zeroset inclusion relationship which can be resolved by Groebnerbases approaches
52 Boolean LayerModeling TheBoolean layer of SVA formsan underlying basis for the whole assertion architecturewhich consists of Boolean expressions that hold or do nothold at a given cycle
In this paper we distinguish between signal logic valuesand truth logic values That is for a truth logic statementabout a given property its truth can be evaluated to 119905119903119906119890 or119891119886119897119904119890 But for a signal when primary inputs are symbolicvalues its signal logic value may not be evaluated as ℎ119894119892ℎ or119897119900119908
Therefore we have the following definition for signallogic
Definition 12 (signal logic) In digital circuit systems signallogic (SL for short) is defined as
(i) if a signal119909 is active-high (119867 for short) then its signalvalue is defined as 1
(ii) if a signal 119909 is active-low (119871 for short) then its signalvalue is defined as 0
8 Journal of Applied Mathematics
Definition 13 (symbolic constant) A symbolic constant is arigid Boolean variable that forever holds the same BooleanvalueThe notion of symbolic constant was firstly introducedin STE [17] for two purposes
(1) to encode an arbitrary Boolean constraints among aset of circuit nodes in a parametric form
(2) to encode all possible scalar values for a set of nodes
Assume 119867 denotes a symbolic constant for signal logicand 119867 denotes its negative form if 119867 denotes ℎ119894119892ℎ then 119867
will be 119897119900119908Consider (119903119890119902==119867) and (119886119888119896==119867) as an example
According to our definitions 119903119890119902 and 119886119888119896 are signals belong-ing to signal logic while both (119903119890119902==119867) and (119886119888119896==119867) are oftruth logic
For example assertion (119886[15 0] == 119887[15 0]) is also avalid Boolean expression stating that the 16-bit vectors 119886[15
0] and 119887[15 0] are equalIn SVA the following are valid Boolean expressions
(i) 119886119903119903119886119910119860 == 119886119903119903119886119910119861
(ii) 119886119903119903119886119910119860 = 119886119903119903119886119910119861
(iii) 119886119903119903119886119910119860[119894] gt= 119886119903119903119886119910 119861[119895]
(iv) 119886119903119903119886119910119861[119894][119895+ 2] == 119886119903119903119886119910119860[119896][119898minus 2]
(v) (119886119903119903119886119910119860[119894]amp(119886119903119903119886119910119861[119895])) == 0
Since the state of a signal variable can be viewed as a zeroof a set of polynomials We have the following
(1) For any signal 119909 holds at a given time step 119894 thus thestate of 119909 == 1 (119909 is active-high at cycle 119894) can berepresented by polynomial 119909
[119894]minus 1
(2) Alternatively the state of 119909 == 0 (119909 is active-low atcycle 119894) can be represented by polynomial 119909
[119894]
(3) Symbolically the state of 119909 == 119867 (119909 is active-high 119867
at the 119894th cycle) can be modeled as 119909[119894]
minus 119867
53 Sequence Operator Modeling Temporal assertions definenot only the values of signals but also the relationshipbetween signals over time The sequences are the buildingblocks of temporal assertions and can express a set of linearbehavior lasting for one or more cycles These sequences areusually used to specify and verify interface and bus protocols
A sequence is a regular expression over the Booleanexpressions that concisely specifies a set of linear sequencesThe Boolean expressions must be true at those specific clockticks for the sequence to be true over time
SystemVerilog provides several sequence compositionoperators to combine individual sequences in a variety ofways that enhance code writing and readability which canconstruct sequence expressions from Boolean expressions
In this paper throughout operator [1 $] operator andthe first match operator are not supported by our method
SystemVerilog defines a number of operations that canbe performed on sequences The sequence compositionoperators in SVA are listed as follows
Definition 14 (sequence operator)
119877 = 119887ldquoBoolean expressionrdquo form
| (1 V = 119890) ldquolocal variable samplingrdquo form| (119877) ldquoparenthesisrdquo form| (11987711 119877
2) ldquoconcatenationrdquo form
| (11987710 119877
2) ldquofusionrdquo form
| (1198771or 1198772) ldquoorrdquo form
| (1198771intersect 119877
2) ldquointersectrdquo form
| first match (119877) ldquofirst matchrdquo form| 119877[lowast0] ldquonull repetitionrdquo form| 119877[lowast1 $] ldquounbounded repetitionrdquo form| [lowast] [=] [minus gt] ldquorepetitionrdquo repeater| throughoutspecifying a Boolean expression musthold throughout a sequence| withinspecifying conditions within a sequence
The resulted sequences constructed by operators are thenused in properties for use in assertions and covers
531 Cycle Delay Operator In SystemVerilog the con-struct is referred to as a cycle delay operator
ldquo1rdquo and ldquo0rdquo are concatenation operators the formeris the classical regular expression concatenation the latter isa variant with one-letter overlapping
A 119899 followed by a number 119899 or range specifies the 119899
cycles delay from the current clock cycle to the beginning ofthe sequence that follows
(1) Fixed-length Casesequence fixs
119886119899119887
endsequencerArr ⟦119891119894119909119904⟧ = ⟦119886⟧
119905 ⟦119887⟧119905+119899
(2) Time-range Casesequence 119905119898119904
119886[119898 sdot sdot sdot 119899]119887
endsequencerArr ⟦119905119898119904⟧ = ⟦119886⟧
[119905] ⟦119887⟧119898
[119905] or sdot sdot sdot or ⟦119886⟧
[119905] ⟦119887⟧119899
[119905]
532 Intersect Operator The two operands of intersectoperator are sequences The requirements for match of theintersect operation are as follows
(i) Both operands must match(ii) The lengths of the two matches of the operand
sequences must be the same
Journal of Applied Mathematics 9
1198771intersect 119877
2
1198771starts at the same time as 119877
2 the intersection will
match if 1198771 starting at the same time as 119877
2 matches at the
same time as 1198772matches
Therefore we have
⟦1198771intersect 119877
2⟧ = ⟦119877
1⟧119889119890119901(119877
1)
[119905]and ⟦1198772⟧119889119890119901(119877
2)
[119905] (12)
The sequence length matching intersect operator con-structs a sequence like the and nonlength matching operatorexcept that both sequences must be completed in same cycle
533 and Operator 1198771and 119877
2
This operator states that 1198771starts at the same time as 119877
2
and the sequence expression matches with the later of 1198771and
1198772matching This binary operator and is used when both
operands are expected to match but the end times of theoperand sequences can be different
That is 1198771and 119877
2denotes both 119877
1and 119877
2holds for the
same number cycles Then the matches of 1198771and 119877
2must
satisfy the following
(i) The start point of the match of 1198771must be no earlier
than the start point of the match of 1198772
(ii) The end point of thematch of1198771must be no later than
the end point of the match of 1198772
The sequence nonlength matching and operator con-structs a sequence in which two sequences both hold at thecurrent cycle regardless of whether they are completed in thesame cycle or in different cycles
⟦1198771and 119877
2⟧ 997904rArr
ℎ1
⋁
119894=1198971
ℎ2
⋁
119895=1198972
(⟦1198771⟧119894
[119905] and ⟦119877
2⟧119895
[119905]) (13)
Here 119897119894= 119889119890119901(119877
119894) sdot 119897 ℎ
119894= 119889119890119901(119877
119894) sdot ℎ and 0 lt 119894 le 2
534 or Operator 1198771or 1198772
The sequence or operator constructs a sequence in whichone of two alternative sequences hold at the current cycleThus the sequence (1198861119887) or (1198881119889) states that eithersequence 119886 119887 or sequence 119888 119889 would satisfy the assertion
⟦1198771or 1198772⟧ 997904rArr
ℎ1
⋁
119894=1198971
ℎ2
⋁
119895=1198972
(⟦1198771⟧119894
[119905] or ⟦119877
2⟧119895
[119905]) (14)
Here 119897119894= 119889119890119901(119877
119894) sdot 119897 ℎ
119894= 119889119890119901(119877
119894) sdot ℎ and 0 lt 119894 le 2
535 Local Variables SystemVerilog provides a feature bywhich variables can be used in assertions The user candeclare variables local to a property This feature is highlyuseful in pipelined designs where the consequent occur-rence might be many cycles later than their correspondingantecedents
Local variables are optional and local to properties Theycan be initialized assigned (and reassigned) a value operatedon and compared to other expressions
The syntax of a sequence declaration with a local variableis shown below
119904119890119902119906119890119899119888119890 119889119890119888119897119886119903119886119905119894119900119899 =
sequence 119904119890119902119906119890119899119888119890 119894119889119890119899119905119894119891119894119890119903[([119905119891 119901119900119903119905 119897119894119904119905])]
119886119904119904119890119903119905119894119900119899 V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899
119904119890119902119906119890119899119888119890 119890119909119901119903
endsequence [ 119904119890119902119906119890119899119888119890 119894119889119890119899119905119894119891119894119890119903]
The property declaration syntax with a local variable canbe illustrated as follows
119901119903119900119901119890119903119905119910 119889119890119888119897119886119903119886119905119894119900119899 =
property 119901119903119900119901119890119903119905119910 119894119889119890119899119905119894119891119894119890119903[([119905119891 119901119900119903119905 119897119894119904119905])]
119886119904119904119890119903119905119894119900119899V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899
119901119903119900119901119890119903119905119910 119904119901119890119888
endproperty [ 119901119903119900119901119890119903119905119910 119894119889119890119899119905119894119891119894119890119903]
The variable identifier declaration syntax of a local vari-able can be illustrated as follows
119886119904119904119890119903119905119894119900119899 V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899 =
V119886119903 119889119886119905119886 119905119910119901119890 119897119894119904119905 119900119891 V119886119903119894119886119887119897119890 119894119889119890119899119905119894119891119894119890119903119904
The dynamic creation of a variable and its assignment isachieved by using the local variable declaration in a sequenceor property declaration and making an assignment in thesequence
Thus local variables of a sequence (or property) may beset to a value which can be computed from a parameter orother objects (eg arguments constants and objects visibleby the sequence (or property))
For example a property of a pipeline with a fixed latencycan be specified below
property 119897119886119905119890119899119888119910119894119899119905 119909(V119886119897119894119889 119894119899 119909 = 119901 119894119899)|minus gt 3(119901 119900119906119905 == (119909 + 1))
endproperty
This property e is evaluated as followsWhen V119886119897119894119889 119894119899 is true 119909 is assigned the value of 119901 119894119899 If 3
cycles later 119901 119900119906119905 is equal to 119909 + 1 then property 119897119886119905119890119899119888119910 istrue Otherwise the property is false When V119886119897119894119889 119894119899 is falseproperty 119897119886119905119890119899119888119910 is evaluated as true
For the algebraization of SVA properties with localvariables in our method these local variables will be takenas common signal variables (symbolic constant) without anysequential information
Thus we have the polynomial set representation forproperty 119897119886119905119890119899119888119910
⟦119897119886119905119890119899119888119910⟧[119905]
=
(V119886119897119894119889 119894119899[119905]
minus 1)(119909 minus 119901 119894119899
[119905])
(119901 119900119906119905[119905+3]
minus (119909 + 1))
10 Journal of Applied Mathematics
536 Repetition Operators SystemVerilog allows the userto specify repetitions when defining sequences of BooleanexpressionsThe repetition counts can be specified as either arange of constants or a single constant expression
Nonconsecutive repetition specifies finitely many itera-tive matches of the operand Boolean expression with a delayof one or more clock ticks from one match of the operandto the next successive match and no match of the operandstrictly in between The overall repetition sequence matchesat or after the last iterative match of the operand but beforeany later match of the operand
The syntax of repetition operator can be illustrated asfollows
119899119900119899 119888119900119899119904119890119888119906119905119894V119890 119903119890119901 = [= 119888119900119899119904119905 119900119903 119903119886119899119892119890 119890119909119901119903] (15)
The number of iterations of a repetition can be specifiedby exact count
For example a sequence with repetition can be defined as
119886 |=gt 119887 [= 3] 1 119888 (16)
The sequence expects that 2 clock cycles after the validstart signal ldquo119887rdquo will be repeated three times
We have ⟦119877[= 119899]⟧ = ⋁119899
119894=0(⟦119877⟧
119894lowast119889119890119901(119877)
[119905])
54 Property OperatorModeling In general property expres-sions in SVA are built using sequences other sublevel proper-ties and simple Boolean expressions via property operators
In SVA a property that is a sequence is evaluated as trueif and only if there is a nonempty match of the sequenceA sequence that admits an empty match is not allowed as aproperty
The success of assertion-based verification methodologyrelies heavily on the quality of properties describing theintended behavior of the design Since it is a fairly newmethodology verification and design engineers are oftenfaced with a question of ldquohow to identify good propertiesrdquo fora design It may be tempting to write properties that closelyresemble the implementation
Properties we discussed in this paper can be classified as
(1) Design Centric Design centric properties represent asser-tions added by the RTL designers to characterize whitebox design attributes These properties are typically towardsFSMs localmemories clock synchronization logic and otherhardware-related designs The design should conform to theexpectations of these properties
(2) Assumption Centric Assumption centric properties rep-resent assumptions about the design environment They areused in informal verification to specify assumptions about theinputs The assume directive can inform a verification tool toassume such a condition during the analysis
(3) RequirementVerification Centric Many requirementproperties are best described using a ldquocause-to-effectrdquo stylethat specifies what should happen under a given conditionThis type of properties can be specified by implication
operator For example a handshake can be described as ldquoifrequest is asserted then acknowledge should be assertedwithin 5 cyclesrdquo
In general property expressions are built using sequen-ces other sublevel properties and simple Boolean expres-sions
These individual elements are combined using propertyoperators implication NOT ANDOR and so forth
The property composition operators are listed as follows
Definition 15 (property operator)
119875 = 119877lowast ldquosequencerdquo form lowast
|(119875)lowast ldquoparenthesisrdquo form lowast
|not 119875lowast ldquonegationrdquo form lowast
|(1198751or 1198752)lowast ldquoorrdquo form lowast
|(1198751and 119875
2)lowast ldquoandrdquo form lowast
|(119877|minus gt 119875) |(119877| =gt 119875)lowast ldquoimplicationrdquo form lowast
|disable iff(119887) 119875lowast ldquoresetrdquo form lowast
Note that disable if and only if will not be supportedin this paper Property operators construct properties out ofsequence expressions
541 Implication
Operators The SystemVerilog implication operator supportssequence implication and provides two forms of implicationoverlapped using operator |minus gt and nonoverlapped usingoperator | =gt respectively
The syntax of implication is described as follows
119904119890119902119906119890119899119888119890 119890119909119901119903 | minus gt 119901119903119900119901119890119903119905119910 119890119909119901119903
119904119890119902119906119890119899119888119890 119890119909119901119903 | =gt 119901119903119900119901119890119903119905119910 119890119909119901119903
(17)
The implication operator takes a sequence as its anteced-ent and a property as its consequent Every time the sequencematches the property must hold Note that both the runningof the sequence and the property may span multiple clockcycles and that the sequence may match multiple times
For each successful match of the antecedent sequencethe consequence sequence (right-hand operand) is sepa-rately evaluated beginning at the end point of the matchedantecedent sequence All matches of antecedent sequencerequire a match of the consequence sequence
Moreover if the antecedent sequence (left hand operand)does not succeed implication succeeds vacuously by return-ing true For many protocol related assertions it is importantto specify the sequence of events (the antecedent or cause)that must occur before checking for another sequence (theconsequent or effect) This is because if the antecedent doesnot occur then there is no need to perform any furtherverification In hardware this occurs because the antecedentreflects an expression that when active triggers something tohappen
Journal of Applied Mathematics 11
A property with a consequent sequence behaves as if theconsequent has an implication first-match applied to it
542 NOT
Operator The operator NOT 119901119903119900119901119890119903119905119910 119890119909119901119903 states that theevaluation of the property returns the opposite of the eval-uation of the underlying 119901119903119900119901119890119903119905119910 119890119909119901119903
543 AND
Operator The formula ldquo1198751AND 119875
2rdquo states that the property
is evaluated as true if and only if both 1198751and 1198752are evaluatd
as true
544 OR
Operator The operator ldquo1198751OR 119875
2rdquo states that the property is
evaluated as true if and only if at least one of 1198751and 119875
2is
evaluated as true
545 IF-ELSE
Operator This operator has two valid forms which are listedas follows
(1) IF (119889119894119904119905) 1198751
A property of this form is evaluated as true if and only ifeither 119889119894119904119905 is evaluated as false or 119875
1is evaluated as true
(2) IF (119889119894119904119905) 1198751ELSE 119875
2
A property of this form is evaluated as true if and only ifeither 119889119894119904119905 is evaluated as true and 119875
1is evaluated as true or
119889119894119904119905 is evaluated as false and 1198752is evaluated as true
From previous discussion we have the following propo-sition for property reasoning
Proposition 16 Assume that1198751198751 and119875
2are valid properties
in SVA the following rules are used to construct the correspond-ing verification process Here 119860119904119904119862ℎ119896(119872119900119889119890119897 119875119903119900119901119890119903119905119910)
ture false is a self-defined checking function that can deter-mine whether a given ldquo119875119903119900119901119890119903119905119910rdquo holds or not with respect toa circuit model ldquo119872119900119889119890119897rdquo
(1) 1198751OR 119875
2rArr 119860119904119904119862ℎ119896(119872 ⟦119875
1⟧) or 119860119904119904119862ℎ119896(119872 ⟦119875
2⟧)
(2) 1198751AND 119875
2rArr 119860119904119904119862ℎ119896(119872 ⟦119875
1⟧)and119860119904119904119862ℎ119896(119872 ⟦119875
2⟧)
(3) NOT 119875 rArr not119860119904119904119862ℎ119896(119872 ⟦119875⟧)
(4) IF (119889119894119904119905) 1198751
rArr not119860119904119904119862ℎ119896(119872 119889119894119904119905) or 119860119904119904119862ℎ119896(119872
⟦1198751⟧)
(5) IF (119889119894119904119905) 1198751ELSE 119875
2rArr (119860119904119904119862ℎ119896(119872 119889119894119904119905)and119860119904119904119862ℎ119896
(119872 ⟦1198751⟧))or(not119860119904119904119862ℎ119896(119872 119889119894119904119905)and119860119904119904119862ℎ119896(119872 ⟦119875
2⟧))
(6) 119878 | minus gt 119875 rArr if (not119860119904119904119862ℎ119896(119872 ⟦119878⟧))119903119890119905119906119903119899 true else(119860119904119904119862ℎ119896(119872 ⟦119878⟧
[119905]) and 119860119904119904119862ℎ119896(119872 ⟦119875⟧
dep(119875)[119905+dep(119878)minus1]))
(7) 119878 |=gt 119875 rArr if(not119860119904119904119862ℎ119896(119872 ⟦119878⟧))119903119890119905119906119903119899 true else(119860119904119904119862ℎ119896(119872 ⟦119878⟧
[119905]) and 119860119904119904119862ℎ119896(119872 ⟦119875⟧
dep(119875)[119905+dep(119878)]))
6 Verification Algorithm
In this section we will describe how an assertion is checkedusing Groebner bases approach Firstly we will discussa practical algorithm using Groebner bases for assertionchecking
61 Basic Principle As just mentioned our checking methodis based on algebraic geometry which is the study of thegeometric objects arising as the common zeros of collectionsof polynomials Our aim is to find polynomials whosezeros correspond to pairs of states in which the appropriateassignments are made
We can regard any set of points in 119896119899 as the variety of some
ideal We can then use the ideal or any basis for the ideal as away of encoding the set of points
From Groebner Bases theory [10 12] every nonzero ideal119868 sub 119896[119909
1 119909
119899] has a Groebner basis and the following
proposition evidently holds
Proposition 17 Let 119862 and 119878 be polynomial sets of 119896[1199091
119909119899] and ⟨119866119878⟩ a Groebner basis for ⟨119878⟩ and then we have that
⟨119862⟩ sube ⟨119878⟩ hArr forall119888 isin 119862 119903119890119898119889(119888 119866119878) == 0 holds
Theorem 18 Suppose that 119860(⟦119860⟧ = 1198861 1198862 119886
119903) is a
property to be verified 119879 is the initial preconditions of 119862 and119872 is a system model to be checked Let ⟦119879⟧ and ⟦119872⟧ bethe polynomial set representations for 119879 and 119872 respectivelyconstructed by previous mentioned rules Let 119867 = ⟦119879 cup 119872⟧ =
ℎ1 ℎ2 ℎ
119904 sube 119896[119909
1 119909
119899] 119868 = ⟨119867⟩ (where ⟨119867⟩ denotes
the ideal generated by 119867) and 119866119861119867
= 119892119887119886119904119894119904(119867 ≺) then wehave
( (1 notin 119866119861119867
) and 119903119890119898119889 (119862 119866119861119867
) == 0)
lArrrArr ((1 notin 119866119861119867
) and119903
⋀
119894=0
(119903119890119898119889 (119892119894 119866119861119867
) == 0))
lArrrArr (119872 |= 119860) holds
(18)
Proof (1) The polynomial set ⟦119872⟧ of system model 119872
describes the data-flow relationship that inputs outputs andfunctional transformation should meet The initial condition⟦119872⟧ can be seen as extra constraint applied by users Thereshould not exist contradiction between them that is thepolynomial equations of ⟦119879 cup 119872⟧ must have a commonsolution
ByHilbertrsquos Nullstellensatz theory if we have polynomials⟦119879 cup 119872⟧ = 119891
1 119891
119904 isin 119896[119909
1 119909
119899] we compute a
reducedGroebner basis of the ideal they generatewith respectto any ordering If this basis is 1 the polynomials have nocommon zero in 119896
119899 if the basis is not 1 they must have acommon zero
Therefore (1 notin 119866119861119867
) should hold(2) Evidently by previous proposition it is easy to have
that 119903119890119898119889(119862 119866119861119867
) == 0 should holdThus we have that this theorem holds
12 Journal of Applied Mathematics
Input(1) circuit model 119872(2) initial condition 119879(3) an assertion 119860Output Boolean 119905119903119906119890 or 119891119886119897119904119890BEGIN
lowastStep 1 initialize input signals via testbench lowast(00) 119868119899119894119905119878119894119892119899119886119897119904()(01) M = 0PS
119860= 0 119867 = 0PS
119879= 0
lowastStep 2 build polynomial model lowast(02) M = ⟦119872⟧ = 119861119906119894119897119889PS(119872)
lowastStep 3 build polynomial set for initial condition 119879lowast
(03) 119875119878119879
= ⟦119879⟧ = 119861119906119894119897119889PS(119879)lowastStep 4 build polynomial set for consequentA lowast
(04) 119875119878119860
= ⟦119860⟧ = 119861119906119894119897119889PS(119860)lowastStep 5 calculate the PS
119879cup Mlowast
(05) 119867 = PST cup MlowastStep 6 calculate the Groebner base of ⟨119867⟩
lowast(06) GB
119867= 119892basis(119867 ≺)
lowastStep 7 determine the basis is 1 or not lowast(07) if(1 isin GB
119867)
(08) return 119891119886119897119904119890 lowastStep 8 check every polynomial lowastlowast119860 = 119886
1 1198862 119886
|119860|lowast
(09) 119894 = 1(10) 119908ℎ119894119897119890(119894 le |119860|)
(11) if(119903119890119898119889(⟦119886119894⟧ GB
119867) = 0)
(12) return 119891119886119897119904119890 (13) i++(14) lowast endwhile lowast(15) return 119905119903119906119890 lowast Assertion does hold lowastEND
Algorithm 1 ldquo119860119904119904119862ℎ119896119875119900119897119910119861119906119894119897119889(119872 119879 119860)rdquo
62 Checking Algorithm For simplicity in this section weonly provide the key decision algorithm
Firstly the original system model is transformed into anormal polynomial representation and the assertion as wellThen calculate the hypothesis set and its Groebner basisusing the Buchberger algorithm [18] and their eliminationideals Finally examine the inclusion relationship betweenelimination ideals to determine whether the assertion to bechecked holds or not
From above discussion we have the following processsteps and detailed algorithm description Algorithm 1
For convenience we can derive another version checkingprocedure named ldquo119860119904119904119862ℎ119896(⟦119872⟧ ⟦119860⟧)rdquo which can acceptpolynomial representations as inputs without explicit poly-nomial construction process
Further by applying Theorem 18 and the checking algo-rithm ldquo119860119904119904119862ℎ119896(⟦119872⟧ ⟦119860⟧)rdquo we can easily verify all sup-ported properties written in SVA
7 An Example
In this section we will study a classical circuit to show howSVA properties are verified by polynomial representation andalgebra computation method
Consider the Johnson counter circuit in Figure 3 Johnsoncounters can provide individual digit outputs rather than a
3 2 1
m1m2m3
m4clk
And
Andy
Figure 3 Johnson counter
Table 3 Table of Johnson counter output
Counter (clock) V3(1198983) V2(1198982) V1(1198981)
0 0 0 01 1 0 02 1 1 03 0 1 14 0 0 15 0 0 0
binary or BCD output as shown in Table 3 Notice that eachlegal count may be defined by the location of the last flip-flopto change states and which way it changed state
71 Algebraization of Circuit and Assertion Johnson counterprovides individual digit outputs as shown in Table 3
The polynomial set for Johnson counter circuit in Figure 3can be constructed as follows
119878119890119905adder = 1198911 = 11989831015840minus 1198984 1198912 = 1198982
1015840minus 1198983
1198913 = 11989811015840minus 1198982
1198914 = 1198984 minus (1 minus 1198981) lowast (1 minus 1198982)
1198915 = 119910 minus 1198981 lowast (1 minus 1198982)
(19)
where 11989811015840 denotes the next state of 1198981 For the 119894th cycle we
use 1199091[119894]to denote variable name in current cycle
Similarly another Johnson counter circuit with an erroris shown in Figure 4 the corresponding polynomial set canbe described by
119878119890119905adder = 1198911 1198912 1198913
11989141015840
= 1198984 + 1198981 + 1198982
minus (1 minus 1198981) lowast (1 minus 1198982) 1198915
(20)
Journal of Applied Mathematics 13
3 2 1
m1m2m3
m4clk
Or
Andy
Figure 4 Johnson counter with error
To illustrate the problem clearly we define polynomial setrepresentation 119875119872[119894] for 119894th cycle as follows
119875119872 [119894] = 1198983[119894+1]
minus 1198984[119894]
1198982[119894+1]
minus 1198983[119894]
1198981[119894+1]
minus 1198982[119894]
1198984[119894]
minus (1 minus 1198982[119894]
) lowast (1 minus 1198981[119894]
)
119910 minus 1198981[119894]
lowast (1 minus 1198982[119894]
)
(21)
Support that the circuit will run 6 cycles for verificationtherefore we have 119875119872 = ⋃
5
119894=0119875119872[119894]
For any Boolean variable 119886 we will add an extra con-straint 119886lowast119886minus119886Thus we define the corresponding constraintsset as follows 119862119873119878[119894] = 119888
[119894]lowast 119888[119894]
minus 119888[119894]
119888 isin 1198981 1198982 1198983 1198984
119910In the same manner we have 119862119873119878 = ⋃
5
119894=0119862119873119878[119894]
The sequential property for this counter circuit can bespecified by the following SystemVerilog assertions
property 119869119862119875119860
(1198983 = 0 ampamp 1198982 = 0 ampamp 1198981 = 0)
| =gt 1(1198983 == 1 ampamp 1198982 == 0 ampamp 1198981 == 0)
| =gt 2(1198983 == 1 ampamp 1198982 == 1 ampamp 1198981 == 0)
| =gt 3(1198983 == 0 ampamp 1198982 == 1 ampamp 1198981 ==
1)
endpropertyproperty 1198691198621198751
(119888119897119896)(1198981 == 0)| =gt 2 (1198981 == 0)
endpropertyproperty 1198691198621198752
(119888119897119896)(1198982 == 0)| =gt 2 (1198982 == 1)
endpropertyproperty 1198691198621198753
(119888119897119896)(1198983 == 0)| =gt 2 (1198983 == 1)
endproperty
Table 4 Polynomial forms
Name Precondition Expected consequent
JCPA
1198981[0]
1198982[0]
1198983[0]
cycle 1 1198981[1]
minus 1 1198982[1]
1198983[1]
cycle 2 1198981[2]
minus 1 1198982[2]
minus 1 1198983[2]
cycle 3 1198981[3]
1198982[3]
minus 1 1198983[3]
minus 1
JCP1 1198981[0]
1198981[2]
JCP2 1198982[0]
1198982[2]
minus 1
JCP3 1198983[0]
1198983[2]
minus 1
We will afterwards demonstrate the verification processstep by step
The circuit model to be verified is as shown below
119878119872 = 119875119872 cup 119862119873119878 (22)
The property of this counter can be specified as thefollowing SVA assertion
assert property (1198691198621198751)
assert property (1198691198621198752)
The Algebraization form of the above properties can bemodeled as in Table 4
72 Experiment Using Maple We run this example by usingMaple 13 Before running we manually translated all modelsinto polynomials The experiment is performed on a PC witha 240GHz CPU (intel i5M450) and 1024MB of memoryIt took about 004 seconds and 081MB of memory whenapplying Groebner method
[gtwith(Groebner)[gt 119862119872 = sdot sdot sdot
lowastCircuit Modellowast[gt 119879119863119864119866 = 119905119889119890119892(
1198981[0] 1198982[0] 1198983[0] 1198984[0]
1198981[1] 1198982[1] 1198983[1] 1198984[1]
1198981[2] 1198982[2] 1198983[2] 1198984[2]
1198981[3] 1198982[3] 1198983[3] 1198984[3]
1198981[4] 1198982[4] 1198983[4] 1198984[4]
119910[0] 119910[1] 119910[2] 119910[3]
)
[gt 119862119866119861 = 119861119886119904119894119904(119862119872 119879119863119864119866)
Thus we can have the Groebner basis as follows
[gt [1199101[3]
1199101[2]
1199101[1]
1199101[1]
1198983[4]
1198982[4]
1198981[4]
minus 1 1198984[3] 1198983[3] 1198982[3]
minus 1 1198981[3]
minus 11198984[2] 1198983[2]
minus 1 1198982[2]
minus 1 1198981[2] 1198984[1]
minus 11198983[1]
minus 11198982[1] 1198981[1] 1198984[0]
minus 1 1198983[0] 1198982[0] 1198981[0]
]
[gt 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983[1]
minus 1 119862119866119861 119879119863119864119866)
[gt 119903119890119905 = 0
14 Journal of Applied Mathematics
Table 5 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862119866119861
080M 002 S0
Yes1198982[1]
1 notin 119862119866119861 0
1198983[1]
minus 1 1 notin 119862119866119861 0
11198981[2]
1 notin 119862119866119861
081M 003 S0
Yes1198982[2]
minus 1 1 notin 119862119866119861 0
1198983[2]
minus 1 1 notin 119862119866119861 0
21198981[3]
minus 1 1 notin 119862119866119861
081M 004 S0
Yes1198982[3]
minus 1 1 notin 119862119866119861 0
1198983[3]
1 notin 119862119866119861 0
3 1198981[2]
1 notin 119862119866119861 081M 004 S 0 Yes4 1198982
[2] 1 notin 119862119866119861 081M 004 S 0 Yes
5 1198983[2]
1 notin 119862119866119861 081M 004 S 0 Yes
Table 6 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862GB080M 002 S
0
Yes1198982[1]
1 notin 119862GB 0
1198983[1]
minus 1 1 notin 119862GB 0
11198981[2]
1 notin 119862GB081M 003 S
0
Yes1198982[2]
minus 1 1 notin 119862GB 0
1198983[2]
minus 1 1 notin 119862GB 0
21198981[3]
minus 1 1 notin 119862GB081M 014 S
0
NO1198982[3]
minus 1 1 notin 119862GB 0
1198983[3]
1 notin 119862GB minus1
As shown in maple outputs the given circuit has beenmodeled as polynomial set119862119872 (itsGroebner bases is denotedby 119862119866119861) and assertion expected result as 1198983
[1]minus 1 From
the running result we have 1 notin 119862119866119861 and return valueof 119873119900119903119898119886119897119865119900119903119898 is 0 which means 119862119866119861 is divided with noremainder by 1198983
[1]minus 1
Thus from the previously mentioned verification princi-ples it is easy to conclude that the assertion 1198691198621198751 holds underthis circuit model after 3 cycles
More detailed experiment results for verification of cir-cuit shown in Figure 3 are listed in Table 5
Conversely we check these assertions against the circuitshown in Figure 4 in a similar way More detailed experimentresults are demonstrated in Table 6
From above table when checking 119869119862119875119860 assertion theresult 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983
[3] 119862119866119861 119879119863119864119866) = 0 so that
we can conclude the assertion does not holdTherefore theremust exist unexpected errors in the original circuit
This case is a fairly complete illustration of how thechecking algorithm works
8 Conclusion
In this paper we presented a new method for SVA prop-erties checking by using Groebner bases based symbolicalgebraic approaches To guarantee the feasibility we defined
a constrained subset of SVAs which is powerful enough forpractical purposes
We first introduce a notion of symbolic constant withoutany sequential information for handling local variables inSVAs inspired from STE We then proposed a practical alge-braizationmethod for each sequence operator For sequentialcircuits verification we introduce a parameterized polyno-mial set modeling method based on time frame expansion
Our approach is based on polynomial models construc-tion for both circuit models and SVA assertionsThis methodis to eventually translate a simulation based verificationproblem into a pure algebraic zero set determination problemby a series of proposed steps which can be performed on anygeneral symbolic algebraic tool
Thismethod allows users to deal withmore than one stateand many input combinations every cycle This advantagecomes directly from the fact that many vectors are simulatedat once using symbolic value
In summary in this research by suitable restrictions ofSVA assertions we can guarantee the availability of polyno-mial set representation Based on this polynomial set modelsymbolic simulation can be performed to produce symbolictraces and temporal relationship constraints of signal vari-ables as well We then apply symbolic algebra approach tocheck the zeros set relation between their polynomial sets anddetermine whether the temporal assertion holds or not undercurrent running cycle
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
The project is supported by the National Natural ScienceFoundation of China under Grant no 11371003 theNatural Science Foundation of Guangxi under Grantsnos 2011GXNSFA018154 2012GXNSFGA060003 and2013GXNSFAA019342 the Science and TechnologyFoundation of Guangxi under Grant no 10169-1 theScientific Research Project no 201012MS274 from GuangxiEducation Department the Fundamental Research Fundsfor the Central Universities under Grants nos DUT14QY05and HCIC201204 of Guangxi Key Laboratory of HybridComputation and IC Design Analysis Open Fund andthe Baguio scholarship Project of Guangxi The authorswould like to thank their colleagues for participating in theresearch They also appreciate the anonymous reviewers fortheir helpful comments
References
[1] IEEE System Verilog Working Group IEEE Standard forSystemVerilog C Unified Hardware Design Specification andVerification (IEEE Std 1800-2005) IEEE 2005
[2] ldquoIEEE draft standard for system verilogmdashunified hardware de-sign specification and verification languagerdquo IEEE P1800D32011
Journal of Applied Mathematics 15
[3] R Wille G Fey M Messing G Angst L Linhard and RDrechsler ldquoIdentifying a subset of SystemVerilog assertions forefficient bounded model checkingrdquo in Proceedings of the 11thEUROMICRO Conference on Digital System Design Architec-tures Methods and Tools (DSD rsquo08) pp 542ndash549 September2008
[4] L Darringer ldquoApplication of program verification techniques tohardware verificationrdquo in Proceedings of the IEEE-ACM DesignAutomation Conference pp 375ndash381 1979
[5] G S Avrunin ldquoSymbolic model checking using algebraicgeometryrdquo in Proceedings of the 8th International Conference onComputer Aided Verification vol CAV96 pp 26ndash37 SpringerLondon UK 1996
[6] W B Mao and J Z Wu ldquoApplication of Wus method to sym-bolic model checkingrdquo in Proceedings of the 2005 internationalSymposiumon Symbolic andAlgebraic Computation (ISSAC rsquo05)pp 237ndash244 ACM Press Beijing China 2005
[7] J Wu and L Zhao ldquoMulti-valued model checking via groebnerbasis approachrdquo in Proceedings of the 1st Joint IEEEIFIP Sympo-sium on Theoretical Aspects of Software Engineering (TASE rsquo07)pp 35ndash44 IEEE Computer Society Press June 2007
[8] N Zhou J Wu and X Gao ldquoAlgebraic verification method forSEREs properties via Groebner bases approachesrdquo Journal ofAppliedMathematics vol 2013 Article ID 272781 10 pages 2013
[9] X Gao N Zhou J Wu and D Li ldquoWursquos characteristic setmethod for SystemVerilog assertions verificationrdquo Journal ofApplied Mathematics vol 2013 Article ID 740194 14 pages2013
[10] J Little D Cox andD OrsquoShea Ideals Varieties and AlgorithmsSpringer New York NY USA 1992
[11] T Becker andVWeispfenningGrobner Bases AComputationalApproach to Commutative Algebra Springer New York NYUSA 1993
[12] B Buchberger ldquoGroebner bases an algorithmic method inpolynomial ideal theoryrdquo in Multidimensional Systems Theorypp 184ndash232 1985
[13] S B Akers ldquoBinary decision diagramsrdquo IEEE Transactions onComputers C vol 27 no 6 pp 509ndash516 1978
[14] S Hoereth and R Drechsler ldquoFormal verification of word-levelspecificationsrdquo in Proceedings of the Design Automation andTest in Europe Conference and Exhibition pp 52ndash58 MunichGermany 1999
[15] Y M Ryabukhin ldquoBoolean ringrdquo in Encyclopaedia of Mathe-matics Springer Michiel Germany 2001
[16] S Das R Mohanty P Dasgupta and P P Chakrabarti ldquoSynthe-sis of system verilog assertionsrdquo in Proceedings of the Conferenceon Design Automation and Test in Europe Designersrsquo Forum(DATE rsquo06) pp 70ndash75 European Design and AutomationAssociation Leuven Belgium March 2006
[17] C-J Seger and R E Bryant ldquoFormal verification by symbolicevaluation of partially-ordered trajectoriesrdquo Formal Methods inSystem Design vol 6 no 2 pp 147ndash190 1995
[18] D Cox J Little and D OrsquoShea Ideals Varieties and AlgorithmsAn Introduction to Computational Algebraic Geometry andCommutative Algebra Undergraduate Texts in MathematicsSpringer New York 3rd edition 2007
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
8 Journal of Applied Mathematics
Definition 13 (symbolic constant) A symbolic constant is arigid Boolean variable that forever holds the same BooleanvalueThe notion of symbolic constant was firstly introducedin STE [17] for two purposes
(1) to encode an arbitrary Boolean constraints among aset of circuit nodes in a parametric form
(2) to encode all possible scalar values for a set of nodes
Assume 119867 denotes a symbolic constant for signal logicand 119867 denotes its negative form if 119867 denotes ℎ119894119892ℎ then 119867
will be 119897119900119908Consider (119903119890119902==119867) and (119886119888119896==119867) as an example
According to our definitions 119903119890119902 and 119886119888119896 are signals belong-ing to signal logic while both (119903119890119902==119867) and (119886119888119896==119867) are oftruth logic
For example assertion (119886[15 0] == 119887[15 0]) is also avalid Boolean expression stating that the 16-bit vectors 119886[15
0] and 119887[15 0] are equalIn SVA the following are valid Boolean expressions
(i) 119886119903119903119886119910119860 == 119886119903119903119886119910119861
(ii) 119886119903119903119886119910119860 = 119886119903119903119886119910119861
(iii) 119886119903119903119886119910119860[119894] gt= 119886119903119903119886119910 119861[119895]
(iv) 119886119903119903119886119910119861[119894][119895+ 2] == 119886119903119903119886119910119860[119896][119898minus 2]
(v) (119886119903119903119886119910119860[119894]amp(119886119903119903119886119910119861[119895])) == 0
Since the state of a signal variable can be viewed as a zeroof a set of polynomials We have the following
(1) For any signal 119909 holds at a given time step 119894 thus thestate of 119909 == 1 (119909 is active-high at cycle 119894) can berepresented by polynomial 119909
[119894]minus 1
(2) Alternatively the state of 119909 == 0 (119909 is active-low atcycle 119894) can be represented by polynomial 119909
[119894]
(3) Symbolically the state of 119909 == 119867 (119909 is active-high 119867
at the 119894th cycle) can be modeled as 119909[119894]
minus 119867
53 Sequence Operator Modeling Temporal assertions definenot only the values of signals but also the relationshipbetween signals over time The sequences are the buildingblocks of temporal assertions and can express a set of linearbehavior lasting for one or more cycles These sequences areusually used to specify and verify interface and bus protocols
A sequence is a regular expression over the Booleanexpressions that concisely specifies a set of linear sequencesThe Boolean expressions must be true at those specific clockticks for the sequence to be true over time
SystemVerilog provides several sequence compositionoperators to combine individual sequences in a variety ofways that enhance code writing and readability which canconstruct sequence expressions from Boolean expressions
In this paper throughout operator [1 $] operator andthe first match operator are not supported by our method
SystemVerilog defines a number of operations that canbe performed on sequences The sequence compositionoperators in SVA are listed as follows
Definition 14 (sequence operator)
119877 = 119887ldquoBoolean expressionrdquo form
| (1 V = 119890) ldquolocal variable samplingrdquo form| (119877) ldquoparenthesisrdquo form| (11987711 119877
2) ldquoconcatenationrdquo form
| (11987710 119877
2) ldquofusionrdquo form
| (1198771or 1198772) ldquoorrdquo form
| (1198771intersect 119877
2) ldquointersectrdquo form
| first match (119877) ldquofirst matchrdquo form| 119877[lowast0] ldquonull repetitionrdquo form| 119877[lowast1 $] ldquounbounded repetitionrdquo form| [lowast] [=] [minus gt] ldquorepetitionrdquo repeater| throughoutspecifying a Boolean expression musthold throughout a sequence| withinspecifying conditions within a sequence
The resulted sequences constructed by operators are thenused in properties for use in assertions and covers
531 Cycle Delay Operator In SystemVerilog the con-struct is referred to as a cycle delay operator
ldquo1rdquo and ldquo0rdquo are concatenation operators the formeris the classical regular expression concatenation the latter isa variant with one-letter overlapping
A 119899 followed by a number 119899 or range specifies the 119899
cycles delay from the current clock cycle to the beginning ofthe sequence that follows
(1) Fixed-length Casesequence fixs
119886119899119887
endsequencerArr ⟦119891119894119909119904⟧ = ⟦119886⟧
119905 ⟦119887⟧119905+119899
(2) Time-range Casesequence 119905119898119904
119886[119898 sdot sdot sdot 119899]119887
endsequencerArr ⟦119905119898119904⟧ = ⟦119886⟧
[119905] ⟦119887⟧119898
[119905] or sdot sdot sdot or ⟦119886⟧
[119905] ⟦119887⟧119899
[119905]
532 Intersect Operator The two operands of intersectoperator are sequences The requirements for match of theintersect operation are as follows
(i) Both operands must match(ii) The lengths of the two matches of the operand
sequences must be the same
Journal of Applied Mathematics 9
1198771intersect 119877
2
1198771starts at the same time as 119877
2 the intersection will
match if 1198771 starting at the same time as 119877
2 matches at the
same time as 1198772matches
Therefore we have
⟦1198771intersect 119877
2⟧ = ⟦119877
1⟧119889119890119901(119877
1)
[119905]and ⟦1198772⟧119889119890119901(119877
2)
[119905] (12)
The sequence length matching intersect operator con-structs a sequence like the and nonlength matching operatorexcept that both sequences must be completed in same cycle
533 and Operator 1198771and 119877
2
This operator states that 1198771starts at the same time as 119877
2
and the sequence expression matches with the later of 1198771and
1198772matching This binary operator and is used when both
operands are expected to match but the end times of theoperand sequences can be different
That is 1198771and 119877
2denotes both 119877
1and 119877
2holds for the
same number cycles Then the matches of 1198771and 119877
2must
satisfy the following
(i) The start point of the match of 1198771must be no earlier
than the start point of the match of 1198772
(ii) The end point of thematch of1198771must be no later than
the end point of the match of 1198772
The sequence nonlength matching and operator con-structs a sequence in which two sequences both hold at thecurrent cycle regardless of whether they are completed in thesame cycle or in different cycles
⟦1198771and 119877
2⟧ 997904rArr
ℎ1
⋁
119894=1198971
ℎ2
⋁
119895=1198972
(⟦1198771⟧119894
[119905] and ⟦119877
2⟧119895
[119905]) (13)
Here 119897119894= 119889119890119901(119877
119894) sdot 119897 ℎ
119894= 119889119890119901(119877
119894) sdot ℎ and 0 lt 119894 le 2
534 or Operator 1198771or 1198772
The sequence or operator constructs a sequence in whichone of two alternative sequences hold at the current cycleThus the sequence (1198861119887) or (1198881119889) states that eithersequence 119886 119887 or sequence 119888 119889 would satisfy the assertion
⟦1198771or 1198772⟧ 997904rArr
ℎ1
⋁
119894=1198971
ℎ2
⋁
119895=1198972
(⟦1198771⟧119894
[119905] or ⟦119877
2⟧119895
[119905]) (14)
Here 119897119894= 119889119890119901(119877
119894) sdot 119897 ℎ
119894= 119889119890119901(119877
119894) sdot ℎ and 0 lt 119894 le 2
535 Local Variables SystemVerilog provides a feature bywhich variables can be used in assertions The user candeclare variables local to a property This feature is highlyuseful in pipelined designs where the consequent occur-rence might be many cycles later than their correspondingantecedents
Local variables are optional and local to properties Theycan be initialized assigned (and reassigned) a value operatedon and compared to other expressions
The syntax of a sequence declaration with a local variableis shown below
119904119890119902119906119890119899119888119890 119889119890119888119897119886119903119886119905119894119900119899 =
sequence 119904119890119902119906119890119899119888119890 119894119889119890119899119905119894119891119894119890119903[([119905119891 119901119900119903119905 119897119894119904119905])]
119886119904119904119890119903119905119894119900119899 V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899
119904119890119902119906119890119899119888119890 119890119909119901119903
endsequence [ 119904119890119902119906119890119899119888119890 119894119889119890119899119905119894119891119894119890119903]
The property declaration syntax with a local variable canbe illustrated as follows
119901119903119900119901119890119903119905119910 119889119890119888119897119886119903119886119905119894119900119899 =
property 119901119903119900119901119890119903119905119910 119894119889119890119899119905119894119891119894119890119903[([119905119891 119901119900119903119905 119897119894119904119905])]
119886119904119904119890119903119905119894119900119899V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899
119901119903119900119901119890119903119905119910 119904119901119890119888
endproperty [ 119901119903119900119901119890119903119905119910 119894119889119890119899119905119894119891119894119890119903]
The variable identifier declaration syntax of a local vari-able can be illustrated as follows
119886119904119904119890119903119905119894119900119899 V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899 =
V119886119903 119889119886119905119886 119905119910119901119890 119897119894119904119905 119900119891 V119886119903119894119886119887119897119890 119894119889119890119899119905119894119891119894119890119903119904
The dynamic creation of a variable and its assignment isachieved by using the local variable declaration in a sequenceor property declaration and making an assignment in thesequence
Thus local variables of a sequence (or property) may beset to a value which can be computed from a parameter orother objects (eg arguments constants and objects visibleby the sequence (or property))
For example a property of a pipeline with a fixed latencycan be specified below
property 119897119886119905119890119899119888119910119894119899119905 119909(V119886119897119894119889 119894119899 119909 = 119901 119894119899)|minus gt 3(119901 119900119906119905 == (119909 + 1))
endproperty
This property e is evaluated as followsWhen V119886119897119894119889 119894119899 is true 119909 is assigned the value of 119901 119894119899 If 3
cycles later 119901 119900119906119905 is equal to 119909 + 1 then property 119897119886119905119890119899119888119910 istrue Otherwise the property is false When V119886119897119894119889 119894119899 is falseproperty 119897119886119905119890119899119888119910 is evaluated as true
For the algebraization of SVA properties with localvariables in our method these local variables will be takenas common signal variables (symbolic constant) without anysequential information
Thus we have the polynomial set representation forproperty 119897119886119905119890119899119888119910
⟦119897119886119905119890119899119888119910⟧[119905]
=
(V119886119897119894119889 119894119899[119905]
minus 1)(119909 minus 119901 119894119899
[119905])
(119901 119900119906119905[119905+3]
minus (119909 + 1))
10 Journal of Applied Mathematics
536 Repetition Operators SystemVerilog allows the userto specify repetitions when defining sequences of BooleanexpressionsThe repetition counts can be specified as either arange of constants or a single constant expression
Nonconsecutive repetition specifies finitely many itera-tive matches of the operand Boolean expression with a delayof one or more clock ticks from one match of the operandto the next successive match and no match of the operandstrictly in between The overall repetition sequence matchesat or after the last iterative match of the operand but beforeany later match of the operand
The syntax of repetition operator can be illustrated asfollows
119899119900119899 119888119900119899119904119890119888119906119905119894V119890 119903119890119901 = [= 119888119900119899119904119905 119900119903 119903119886119899119892119890 119890119909119901119903] (15)
The number of iterations of a repetition can be specifiedby exact count
For example a sequence with repetition can be defined as
119886 |=gt 119887 [= 3] 1 119888 (16)
The sequence expects that 2 clock cycles after the validstart signal ldquo119887rdquo will be repeated three times
We have ⟦119877[= 119899]⟧ = ⋁119899
119894=0(⟦119877⟧
119894lowast119889119890119901(119877)
[119905])
54 Property OperatorModeling In general property expres-sions in SVA are built using sequences other sublevel proper-ties and simple Boolean expressions via property operators
In SVA a property that is a sequence is evaluated as trueif and only if there is a nonempty match of the sequenceA sequence that admits an empty match is not allowed as aproperty
The success of assertion-based verification methodologyrelies heavily on the quality of properties describing theintended behavior of the design Since it is a fairly newmethodology verification and design engineers are oftenfaced with a question of ldquohow to identify good propertiesrdquo fora design It may be tempting to write properties that closelyresemble the implementation
Properties we discussed in this paper can be classified as
(1) Design Centric Design centric properties represent asser-tions added by the RTL designers to characterize whitebox design attributes These properties are typically towardsFSMs localmemories clock synchronization logic and otherhardware-related designs The design should conform to theexpectations of these properties
(2) Assumption Centric Assumption centric properties rep-resent assumptions about the design environment They areused in informal verification to specify assumptions about theinputs The assume directive can inform a verification tool toassume such a condition during the analysis
(3) RequirementVerification Centric Many requirementproperties are best described using a ldquocause-to-effectrdquo stylethat specifies what should happen under a given conditionThis type of properties can be specified by implication
operator For example a handshake can be described as ldquoifrequest is asserted then acknowledge should be assertedwithin 5 cyclesrdquo
In general property expressions are built using sequen-ces other sublevel properties and simple Boolean expres-sions
These individual elements are combined using propertyoperators implication NOT ANDOR and so forth
The property composition operators are listed as follows
Definition 15 (property operator)
119875 = 119877lowast ldquosequencerdquo form lowast
|(119875)lowast ldquoparenthesisrdquo form lowast
|not 119875lowast ldquonegationrdquo form lowast
|(1198751or 1198752)lowast ldquoorrdquo form lowast
|(1198751and 119875
2)lowast ldquoandrdquo form lowast
|(119877|minus gt 119875) |(119877| =gt 119875)lowast ldquoimplicationrdquo form lowast
|disable iff(119887) 119875lowast ldquoresetrdquo form lowast
Note that disable if and only if will not be supportedin this paper Property operators construct properties out ofsequence expressions
541 Implication
Operators The SystemVerilog implication operator supportssequence implication and provides two forms of implicationoverlapped using operator |minus gt and nonoverlapped usingoperator | =gt respectively
The syntax of implication is described as follows
119904119890119902119906119890119899119888119890 119890119909119901119903 | minus gt 119901119903119900119901119890119903119905119910 119890119909119901119903
119904119890119902119906119890119899119888119890 119890119909119901119903 | =gt 119901119903119900119901119890119903119905119910 119890119909119901119903
(17)
The implication operator takes a sequence as its anteced-ent and a property as its consequent Every time the sequencematches the property must hold Note that both the runningof the sequence and the property may span multiple clockcycles and that the sequence may match multiple times
For each successful match of the antecedent sequencethe consequence sequence (right-hand operand) is sepa-rately evaluated beginning at the end point of the matchedantecedent sequence All matches of antecedent sequencerequire a match of the consequence sequence
Moreover if the antecedent sequence (left hand operand)does not succeed implication succeeds vacuously by return-ing true For many protocol related assertions it is importantto specify the sequence of events (the antecedent or cause)that must occur before checking for another sequence (theconsequent or effect) This is because if the antecedent doesnot occur then there is no need to perform any furtherverification In hardware this occurs because the antecedentreflects an expression that when active triggers something tohappen
Journal of Applied Mathematics 11
A property with a consequent sequence behaves as if theconsequent has an implication first-match applied to it
542 NOT
Operator The operator NOT 119901119903119900119901119890119903119905119910 119890119909119901119903 states that theevaluation of the property returns the opposite of the eval-uation of the underlying 119901119903119900119901119890119903119905119910 119890119909119901119903
543 AND
Operator The formula ldquo1198751AND 119875
2rdquo states that the property
is evaluated as true if and only if both 1198751and 1198752are evaluatd
as true
544 OR
Operator The operator ldquo1198751OR 119875
2rdquo states that the property is
evaluated as true if and only if at least one of 1198751and 119875
2is
evaluated as true
545 IF-ELSE
Operator This operator has two valid forms which are listedas follows
(1) IF (119889119894119904119905) 1198751
A property of this form is evaluated as true if and only ifeither 119889119894119904119905 is evaluated as false or 119875
1is evaluated as true
(2) IF (119889119894119904119905) 1198751ELSE 119875
2
A property of this form is evaluated as true if and only ifeither 119889119894119904119905 is evaluated as true and 119875
1is evaluated as true or
119889119894119904119905 is evaluated as false and 1198752is evaluated as true
From previous discussion we have the following propo-sition for property reasoning
Proposition 16 Assume that1198751198751 and119875
2are valid properties
in SVA the following rules are used to construct the correspond-ing verification process Here 119860119904119904119862ℎ119896(119872119900119889119890119897 119875119903119900119901119890119903119905119910)
ture false is a self-defined checking function that can deter-mine whether a given ldquo119875119903119900119901119890119903119905119910rdquo holds or not with respect toa circuit model ldquo119872119900119889119890119897rdquo
(1) 1198751OR 119875
2rArr 119860119904119904119862ℎ119896(119872 ⟦119875
1⟧) or 119860119904119904119862ℎ119896(119872 ⟦119875
2⟧)
(2) 1198751AND 119875
2rArr 119860119904119904119862ℎ119896(119872 ⟦119875
1⟧)and119860119904119904119862ℎ119896(119872 ⟦119875
2⟧)
(3) NOT 119875 rArr not119860119904119904119862ℎ119896(119872 ⟦119875⟧)
(4) IF (119889119894119904119905) 1198751
rArr not119860119904119904119862ℎ119896(119872 119889119894119904119905) or 119860119904119904119862ℎ119896(119872
⟦1198751⟧)
(5) IF (119889119894119904119905) 1198751ELSE 119875
2rArr (119860119904119904119862ℎ119896(119872 119889119894119904119905)and119860119904119904119862ℎ119896
(119872 ⟦1198751⟧))or(not119860119904119904119862ℎ119896(119872 119889119894119904119905)and119860119904119904119862ℎ119896(119872 ⟦119875
2⟧))
(6) 119878 | minus gt 119875 rArr if (not119860119904119904119862ℎ119896(119872 ⟦119878⟧))119903119890119905119906119903119899 true else(119860119904119904119862ℎ119896(119872 ⟦119878⟧
[119905]) and 119860119904119904119862ℎ119896(119872 ⟦119875⟧
dep(119875)[119905+dep(119878)minus1]))
(7) 119878 |=gt 119875 rArr if(not119860119904119904119862ℎ119896(119872 ⟦119878⟧))119903119890119905119906119903119899 true else(119860119904119904119862ℎ119896(119872 ⟦119878⟧
[119905]) and 119860119904119904119862ℎ119896(119872 ⟦119875⟧
dep(119875)[119905+dep(119878)]))
6 Verification Algorithm
In this section we will describe how an assertion is checkedusing Groebner bases approach Firstly we will discussa practical algorithm using Groebner bases for assertionchecking
61 Basic Principle As just mentioned our checking methodis based on algebraic geometry which is the study of thegeometric objects arising as the common zeros of collectionsof polynomials Our aim is to find polynomials whosezeros correspond to pairs of states in which the appropriateassignments are made
We can regard any set of points in 119896119899 as the variety of some
ideal We can then use the ideal or any basis for the ideal as away of encoding the set of points
From Groebner Bases theory [10 12] every nonzero ideal119868 sub 119896[119909
1 119909
119899] has a Groebner basis and the following
proposition evidently holds
Proposition 17 Let 119862 and 119878 be polynomial sets of 119896[1199091
119909119899] and ⟨119866119878⟩ a Groebner basis for ⟨119878⟩ and then we have that
⟨119862⟩ sube ⟨119878⟩ hArr forall119888 isin 119862 119903119890119898119889(119888 119866119878) == 0 holds
Theorem 18 Suppose that 119860(⟦119860⟧ = 1198861 1198862 119886
119903) is a
property to be verified 119879 is the initial preconditions of 119862 and119872 is a system model to be checked Let ⟦119879⟧ and ⟦119872⟧ bethe polynomial set representations for 119879 and 119872 respectivelyconstructed by previous mentioned rules Let 119867 = ⟦119879 cup 119872⟧ =
ℎ1 ℎ2 ℎ
119904 sube 119896[119909
1 119909
119899] 119868 = ⟨119867⟩ (where ⟨119867⟩ denotes
the ideal generated by 119867) and 119866119861119867
= 119892119887119886119904119894119904(119867 ≺) then wehave
( (1 notin 119866119861119867
) and 119903119890119898119889 (119862 119866119861119867
) == 0)
lArrrArr ((1 notin 119866119861119867
) and119903
⋀
119894=0
(119903119890119898119889 (119892119894 119866119861119867
) == 0))
lArrrArr (119872 |= 119860) holds
(18)
Proof (1) The polynomial set ⟦119872⟧ of system model 119872
describes the data-flow relationship that inputs outputs andfunctional transformation should meet The initial condition⟦119872⟧ can be seen as extra constraint applied by users Thereshould not exist contradiction between them that is thepolynomial equations of ⟦119879 cup 119872⟧ must have a commonsolution
ByHilbertrsquos Nullstellensatz theory if we have polynomials⟦119879 cup 119872⟧ = 119891
1 119891
119904 isin 119896[119909
1 119909
119899] we compute a
reducedGroebner basis of the ideal they generatewith respectto any ordering If this basis is 1 the polynomials have nocommon zero in 119896
119899 if the basis is not 1 they must have acommon zero
Therefore (1 notin 119866119861119867
) should hold(2) Evidently by previous proposition it is easy to have
that 119903119890119898119889(119862 119866119861119867
) == 0 should holdThus we have that this theorem holds
12 Journal of Applied Mathematics
Input(1) circuit model 119872(2) initial condition 119879(3) an assertion 119860Output Boolean 119905119903119906119890 or 119891119886119897119904119890BEGIN
lowastStep 1 initialize input signals via testbench lowast(00) 119868119899119894119905119878119894119892119899119886119897119904()(01) M = 0PS
119860= 0 119867 = 0PS
119879= 0
lowastStep 2 build polynomial model lowast(02) M = ⟦119872⟧ = 119861119906119894119897119889PS(119872)
lowastStep 3 build polynomial set for initial condition 119879lowast
(03) 119875119878119879
= ⟦119879⟧ = 119861119906119894119897119889PS(119879)lowastStep 4 build polynomial set for consequentA lowast
(04) 119875119878119860
= ⟦119860⟧ = 119861119906119894119897119889PS(119860)lowastStep 5 calculate the PS
119879cup Mlowast
(05) 119867 = PST cup MlowastStep 6 calculate the Groebner base of ⟨119867⟩
lowast(06) GB
119867= 119892basis(119867 ≺)
lowastStep 7 determine the basis is 1 or not lowast(07) if(1 isin GB
119867)
(08) return 119891119886119897119904119890 lowastStep 8 check every polynomial lowastlowast119860 = 119886
1 1198862 119886
|119860|lowast
(09) 119894 = 1(10) 119908ℎ119894119897119890(119894 le |119860|)
(11) if(119903119890119898119889(⟦119886119894⟧ GB
119867) = 0)
(12) return 119891119886119897119904119890 (13) i++(14) lowast endwhile lowast(15) return 119905119903119906119890 lowast Assertion does hold lowastEND
Algorithm 1 ldquo119860119904119904119862ℎ119896119875119900119897119910119861119906119894119897119889(119872 119879 119860)rdquo
62 Checking Algorithm For simplicity in this section weonly provide the key decision algorithm
Firstly the original system model is transformed into anormal polynomial representation and the assertion as wellThen calculate the hypothesis set and its Groebner basisusing the Buchberger algorithm [18] and their eliminationideals Finally examine the inclusion relationship betweenelimination ideals to determine whether the assertion to bechecked holds or not
From above discussion we have the following processsteps and detailed algorithm description Algorithm 1
For convenience we can derive another version checkingprocedure named ldquo119860119904119904119862ℎ119896(⟦119872⟧ ⟦119860⟧)rdquo which can acceptpolynomial representations as inputs without explicit poly-nomial construction process
Further by applying Theorem 18 and the checking algo-rithm ldquo119860119904119904119862ℎ119896(⟦119872⟧ ⟦119860⟧)rdquo we can easily verify all sup-ported properties written in SVA
7 An Example
In this section we will study a classical circuit to show howSVA properties are verified by polynomial representation andalgebra computation method
Consider the Johnson counter circuit in Figure 3 Johnsoncounters can provide individual digit outputs rather than a
3 2 1
m1m2m3
m4clk
And
Andy
Figure 3 Johnson counter
Table 3 Table of Johnson counter output
Counter (clock) V3(1198983) V2(1198982) V1(1198981)
0 0 0 01 1 0 02 1 1 03 0 1 14 0 0 15 0 0 0
binary or BCD output as shown in Table 3 Notice that eachlegal count may be defined by the location of the last flip-flopto change states and which way it changed state
71 Algebraization of Circuit and Assertion Johnson counterprovides individual digit outputs as shown in Table 3
The polynomial set for Johnson counter circuit in Figure 3can be constructed as follows
119878119890119905adder = 1198911 = 11989831015840minus 1198984 1198912 = 1198982
1015840minus 1198983
1198913 = 11989811015840minus 1198982
1198914 = 1198984 minus (1 minus 1198981) lowast (1 minus 1198982)
1198915 = 119910 minus 1198981 lowast (1 minus 1198982)
(19)
where 11989811015840 denotes the next state of 1198981 For the 119894th cycle we
use 1199091[119894]to denote variable name in current cycle
Similarly another Johnson counter circuit with an erroris shown in Figure 4 the corresponding polynomial set canbe described by
119878119890119905adder = 1198911 1198912 1198913
11989141015840
= 1198984 + 1198981 + 1198982
minus (1 minus 1198981) lowast (1 minus 1198982) 1198915
(20)
Journal of Applied Mathematics 13
3 2 1
m1m2m3
m4clk
Or
Andy
Figure 4 Johnson counter with error
To illustrate the problem clearly we define polynomial setrepresentation 119875119872[119894] for 119894th cycle as follows
119875119872 [119894] = 1198983[119894+1]
minus 1198984[119894]
1198982[119894+1]
minus 1198983[119894]
1198981[119894+1]
minus 1198982[119894]
1198984[119894]
minus (1 minus 1198982[119894]
) lowast (1 minus 1198981[119894]
)
119910 minus 1198981[119894]
lowast (1 minus 1198982[119894]
)
(21)
Support that the circuit will run 6 cycles for verificationtherefore we have 119875119872 = ⋃
5
119894=0119875119872[119894]
For any Boolean variable 119886 we will add an extra con-straint 119886lowast119886minus119886Thus we define the corresponding constraintsset as follows 119862119873119878[119894] = 119888
[119894]lowast 119888[119894]
minus 119888[119894]
119888 isin 1198981 1198982 1198983 1198984
119910In the same manner we have 119862119873119878 = ⋃
5
119894=0119862119873119878[119894]
The sequential property for this counter circuit can bespecified by the following SystemVerilog assertions
property 119869119862119875119860
(1198983 = 0 ampamp 1198982 = 0 ampamp 1198981 = 0)
| =gt 1(1198983 == 1 ampamp 1198982 == 0 ampamp 1198981 == 0)
| =gt 2(1198983 == 1 ampamp 1198982 == 1 ampamp 1198981 == 0)
| =gt 3(1198983 == 0 ampamp 1198982 == 1 ampamp 1198981 ==
1)
endpropertyproperty 1198691198621198751
(119888119897119896)(1198981 == 0)| =gt 2 (1198981 == 0)
endpropertyproperty 1198691198621198752
(119888119897119896)(1198982 == 0)| =gt 2 (1198982 == 1)
endpropertyproperty 1198691198621198753
(119888119897119896)(1198983 == 0)| =gt 2 (1198983 == 1)
endproperty
Table 4 Polynomial forms
Name Precondition Expected consequent
JCPA
1198981[0]
1198982[0]
1198983[0]
cycle 1 1198981[1]
minus 1 1198982[1]
1198983[1]
cycle 2 1198981[2]
minus 1 1198982[2]
minus 1 1198983[2]
cycle 3 1198981[3]
1198982[3]
minus 1 1198983[3]
minus 1
JCP1 1198981[0]
1198981[2]
JCP2 1198982[0]
1198982[2]
minus 1
JCP3 1198983[0]
1198983[2]
minus 1
We will afterwards demonstrate the verification processstep by step
The circuit model to be verified is as shown below
119878119872 = 119875119872 cup 119862119873119878 (22)
The property of this counter can be specified as thefollowing SVA assertion
assert property (1198691198621198751)
assert property (1198691198621198752)
The Algebraization form of the above properties can bemodeled as in Table 4
72 Experiment Using Maple We run this example by usingMaple 13 Before running we manually translated all modelsinto polynomials The experiment is performed on a PC witha 240GHz CPU (intel i5M450) and 1024MB of memoryIt took about 004 seconds and 081MB of memory whenapplying Groebner method
[gtwith(Groebner)[gt 119862119872 = sdot sdot sdot
lowastCircuit Modellowast[gt 119879119863119864119866 = 119905119889119890119892(
1198981[0] 1198982[0] 1198983[0] 1198984[0]
1198981[1] 1198982[1] 1198983[1] 1198984[1]
1198981[2] 1198982[2] 1198983[2] 1198984[2]
1198981[3] 1198982[3] 1198983[3] 1198984[3]
1198981[4] 1198982[4] 1198983[4] 1198984[4]
119910[0] 119910[1] 119910[2] 119910[3]
)
[gt 119862119866119861 = 119861119886119904119894119904(119862119872 119879119863119864119866)
Thus we can have the Groebner basis as follows
[gt [1199101[3]
1199101[2]
1199101[1]
1199101[1]
1198983[4]
1198982[4]
1198981[4]
minus 1 1198984[3] 1198983[3] 1198982[3]
minus 1 1198981[3]
minus 11198984[2] 1198983[2]
minus 1 1198982[2]
minus 1 1198981[2] 1198984[1]
minus 11198983[1]
minus 11198982[1] 1198981[1] 1198984[0]
minus 1 1198983[0] 1198982[0] 1198981[0]
]
[gt 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983[1]
minus 1 119862119866119861 119879119863119864119866)
[gt 119903119890119905 = 0
14 Journal of Applied Mathematics
Table 5 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862119866119861
080M 002 S0
Yes1198982[1]
1 notin 119862119866119861 0
1198983[1]
minus 1 1 notin 119862119866119861 0
11198981[2]
1 notin 119862119866119861
081M 003 S0
Yes1198982[2]
minus 1 1 notin 119862119866119861 0
1198983[2]
minus 1 1 notin 119862119866119861 0
21198981[3]
minus 1 1 notin 119862119866119861
081M 004 S0
Yes1198982[3]
minus 1 1 notin 119862119866119861 0
1198983[3]
1 notin 119862119866119861 0
3 1198981[2]
1 notin 119862119866119861 081M 004 S 0 Yes4 1198982
[2] 1 notin 119862119866119861 081M 004 S 0 Yes
5 1198983[2]
1 notin 119862119866119861 081M 004 S 0 Yes
Table 6 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862GB080M 002 S
0
Yes1198982[1]
1 notin 119862GB 0
1198983[1]
minus 1 1 notin 119862GB 0
11198981[2]
1 notin 119862GB081M 003 S
0
Yes1198982[2]
minus 1 1 notin 119862GB 0
1198983[2]
minus 1 1 notin 119862GB 0
21198981[3]
minus 1 1 notin 119862GB081M 014 S
0
NO1198982[3]
minus 1 1 notin 119862GB 0
1198983[3]
1 notin 119862GB minus1
As shown in maple outputs the given circuit has beenmodeled as polynomial set119862119872 (itsGroebner bases is denotedby 119862119866119861) and assertion expected result as 1198983
[1]minus 1 From
the running result we have 1 notin 119862119866119861 and return valueof 119873119900119903119898119886119897119865119900119903119898 is 0 which means 119862119866119861 is divided with noremainder by 1198983
[1]minus 1
Thus from the previously mentioned verification princi-ples it is easy to conclude that the assertion 1198691198621198751 holds underthis circuit model after 3 cycles
More detailed experiment results for verification of cir-cuit shown in Figure 3 are listed in Table 5
Conversely we check these assertions against the circuitshown in Figure 4 in a similar way More detailed experimentresults are demonstrated in Table 6
From above table when checking 119869119862119875119860 assertion theresult 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983
[3] 119862119866119861 119879119863119864119866) = 0 so that
we can conclude the assertion does not holdTherefore theremust exist unexpected errors in the original circuit
This case is a fairly complete illustration of how thechecking algorithm works
8 Conclusion
In this paper we presented a new method for SVA prop-erties checking by using Groebner bases based symbolicalgebraic approaches To guarantee the feasibility we defined
a constrained subset of SVAs which is powerful enough forpractical purposes
We first introduce a notion of symbolic constant withoutany sequential information for handling local variables inSVAs inspired from STE We then proposed a practical alge-braizationmethod for each sequence operator For sequentialcircuits verification we introduce a parameterized polyno-mial set modeling method based on time frame expansion
Our approach is based on polynomial models construc-tion for both circuit models and SVA assertionsThis methodis to eventually translate a simulation based verificationproblem into a pure algebraic zero set determination problemby a series of proposed steps which can be performed on anygeneral symbolic algebraic tool
Thismethod allows users to deal withmore than one stateand many input combinations every cycle This advantagecomes directly from the fact that many vectors are simulatedat once using symbolic value
In summary in this research by suitable restrictions ofSVA assertions we can guarantee the availability of polyno-mial set representation Based on this polynomial set modelsymbolic simulation can be performed to produce symbolictraces and temporal relationship constraints of signal vari-ables as well We then apply symbolic algebra approach tocheck the zeros set relation between their polynomial sets anddetermine whether the temporal assertion holds or not undercurrent running cycle
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
The project is supported by the National Natural ScienceFoundation of China under Grant no 11371003 theNatural Science Foundation of Guangxi under Grantsnos 2011GXNSFA018154 2012GXNSFGA060003 and2013GXNSFAA019342 the Science and TechnologyFoundation of Guangxi under Grant no 10169-1 theScientific Research Project no 201012MS274 from GuangxiEducation Department the Fundamental Research Fundsfor the Central Universities under Grants nos DUT14QY05and HCIC201204 of Guangxi Key Laboratory of HybridComputation and IC Design Analysis Open Fund andthe Baguio scholarship Project of Guangxi The authorswould like to thank their colleagues for participating in theresearch They also appreciate the anonymous reviewers fortheir helpful comments
References
[1] IEEE System Verilog Working Group IEEE Standard forSystemVerilog C Unified Hardware Design Specification andVerification (IEEE Std 1800-2005) IEEE 2005
[2] ldquoIEEE draft standard for system verilogmdashunified hardware de-sign specification and verification languagerdquo IEEE P1800D32011
Journal of Applied Mathematics 15
[3] R Wille G Fey M Messing G Angst L Linhard and RDrechsler ldquoIdentifying a subset of SystemVerilog assertions forefficient bounded model checkingrdquo in Proceedings of the 11thEUROMICRO Conference on Digital System Design Architec-tures Methods and Tools (DSD rsquo08) pp 542ndash549 September2008
[4] L Darringer ldquoApplication of program verification techniques tohardware verificationrdquo in Proceedings of the IEEE-ACM DesignAutomation Conference pp 375ndash381 1979
[5] G S Avrunin ldquoSymbolic model checking using algebraicgeometryrdquo in Proceedings of the 8th International Conference onComputer Aided Verification vol CAV96 pp 26ndash37 SpringerLondon UK 1996
[6] W B Mao and J Z Wu ldquoApplication of Wus method to sym-bolic model checkingrdquo in Proceedings of the 2005 internationalSymposiumon Symbolic andAlgebraic Computation (ISSAC rsquo05)pp 237ndash244 ACM Press Beijing China 2005
[7] J Wu and L Zhao ldquoMulti-valued model checking via groebnerbasis approachrdquo in Proceedings of the 1st Joint IEEEIFIP Sympo-sium on Theoretical Aspects of Software Engineering (TASE rsquo07)pp 35ndash44 IEEE Computer Society Press June 2007
[8] N Zhou J Wu and X Gao ldquoAlgebraic verification method forSEREs properties via Groebner bases approachesrdquo Journal ofAppliedMathematics vol 2013 Article ID 272781 10 pages 2013
[9] X Gao N Zhou J Wu and D Li ldquoWursquos characteristic setmethod for SystemVerilog assertions verificationrdquo Journal ofApplied Mathematics vol 2013 Article ID 740194 14 pages2013
[10] J Little D Cox andD OrsquoShea Ideals Varieties and AlgorithmsSpringer New York NY USA 1992
[11] T Becker andVWeispfenningGrobner Bases AComputationalApproach to Commutative Algebra Springer New York NYUSA 1993
[12] B Buchberger ldquoGroebner bases an algorithmic method inpolynomial ideal theoryrdquo in Multidimensional Systems Theorypp 184ndash232 1985
[13] S B Akers ldquoBinary decision diagramsrdquo IEEE Transactions onComputers C vol 27 no 6 pp 509ndash516 1978
[14] S Hoereth and R Drechsler ldquoFormal verification of word-levelspecificationsrdquo in Proceedings of the Design Automation andTest in Europe Conference and Exhibition pp 52ndash58 MunichGermany 1999
[15] Y M Ryabukhin ldquoBoolean ringrdquo in Encyclopaedia of Mathe-matics Springer Michiel Germany 2001
[16] S Das R Mohanty P Dasgupta and P P Chakrabarti ldquoSynthe-sis of system verilog assertionsrdquo in Proceedings of the Conferenceon Design Automation and Test in Europe Designersrsquo Forum(DATE rsquo06) pp 70ndash75 European Design and AutomationAssociation Leuven Belgium March 2006
[17] C-J Seger and R E Bryant ldquoFormal verification by symbolicevaluation of partially-ordered trajectoriesrdquo Formal Methods inSystem Design vol 6 no 2 pp 147ndash190 1995
[18] D Cox J Little and D OrsquoShea Ideals Varieties and AlgorithmsAn Introduction to Computational Algebraic Geometry andCommutative Algebra Undergraduate Texts in MathematicsSpringer New York 3rd edition 2007
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Journal of Applied Mathematics 9
1198771intersect 119877
2
1198771starts at the same time as 119877
2 the intersection will
match if 1198771 starting at the same time as 119877
2 matches at the
same time as 1198772matches
Therefore we have
⟦1198771intersect 119877
2⟧ = ⟦119877
1⟧119889119890119901(119877
1)
[119905]and ⟦1198772⟧119889119890119901(119877
2)
[119905] (12)
The sequence length matching intersect operator con-structs a sequence like the and nonlength matching operatorexcept that both sequences must be completed in same cycle
533 and Operator 1198771and 119877
2
This operator states that 1198771starts at the same time as 119877
2
and the sequence expression matches with the later of 1198771and
1198772matching This binary operator and is used when both
operands are expected to match but the end times of theoperand sequences can be different
That is 1198771and 119877
2denotes both 119877
1and 119877
2holds for the
same number cycles Then the matches of 1198771and 119877
2must
satisfy the following
(i) The start point of the match of 1198771must be no earlier
than the start point of the match of 1198772
(ii) The end point of thematch of1198771must be no later than
the end point of the match of 1198772
The sequence nonlength matching and operator con-structs a sequence in which two sequences both hold at thecurrent cycle regardless of whether they are completed in thesame cycle or in different cycles
⟦1198771and 119877
2⟧ 997904rArr
ℎ1
⋁
119894=1198971
ℎ2
⋁
119895=1198972
(⟦1198771⟧119894
[119905] and ⟦119877
2⟧119895
[119905]) (13)
Here 119897119894= 119889119890119901(119877
119894) sdot 119897 ℎ
119894= 119889119890119901(119877
119894) sdot ℎ and 0 lt 119894 le 2
534 or Operator 1198771or 1198772
The sequence or operator constructs a sequence in whichone of two alternative sequences hold at the current cycleThus the sequence (1198861119887) or (1198881119889) states that eithersequence 119886 119887 or sequence 119888 119889 would satisfy the assertion
⟦1198771or 1198772⟧ 997904rArr
ℎ1
⋁
119894=1198971
ℎ2
⋁
119895=1198972
(⟦1198771⟧119894
[119905] or ⟦119877
2⟧119895
[119905]) (14)
Here 119897119894= 119889119890119901(119877
119894) sdot 119897 ℎ
119894= 119889119890119901(119877
119894) sdot ℎ and 0 lt 119894 le 2
535 Local Variables SystemVerilog provides a feature bywhich variables can be used in assertions The user candeclare variables local to a property This feature is highlyuseful in pipelined designs where the consequent occur-rence might be many cycles later than their correspondingantecedents
Local variables are optional and local to properties Theycan be initialized assigned (and reassigned) a value operatedon and compared to other expressions
The syntax of a sequence declaration with a local variableis shown below
119904119890119902119906119890119899119888119890 119889119890119888119897119886119903119886119905119894119900119899 =
sequence 119904119890119902119906119890119899119888119890 119894119889119890119899119905119894119891119894119890119903[([119905119891 119901119900119903119905 119897119894119904119905])]
119886119904119904119890119903119905119894119900119899 V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899
119904119890119902119906119890119899119888119890 119890119909119901119903
endsequence [ 119904119890119902119906119890119899119888119890 119894119889119890119899119905119894119891119894119890119903]
The property declaration syntax with a local variable canbe illustrated as follows
119901119903119900119901119890119903119905119910 119889119890119888119897119886119903119886119905119894119900119899 =
property 119901119903119900119901119890119903119905119910 119894119889119890119899119905119894119891119894119890119903[([119905119891 119901119900119903119905 119897119894119904119905])]
119886119904119904119890119903119905119894119900119899V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899
119901119903119900119901119890119903119905119910 119904119901119890119888
endproperty [ 119901119903119900119901119890119903119905119910 119894119889119890119899119905119894119891119894119890119903]
The variable identifier declaration syntax of a local vari-able can be illustrated as follows
119886119904119904119890119903119905119894119900119899 V119886119903119894119886119887119897119890 119889119890119888119897119886119903119886119905119894119900119899 =
V119886119903 119889119886119905119886 119905119910119901119890 119897119894119904119905 119900119891 V119886119903119894119886119887119897119890 119894119889119890119899119905119894119891119894119890119903119904
The dynamic creation of a variable and its assignment isachieved by using the local variable declaration in a sequenceor property declaration and making an assignment in thesequence
Thus local variables of a sequence (or property) may beset to a value which can be computed from a parameter orother objects (eg arguments constants and objects visibleby the sequence (or property))
For example a property of a pipeline with a fixed latencycan be specified below
property 119897119886119905119890119899119888119910119894119899119905 119909(V119886119897119894119889 119894119899 119909 = 119901 119894119899)|minus gt 3(119901 119900119906119905 == (119909 + 1))
endproperty
This property e is evaluated as followsWhen V119886119897119894119889 119894119899 is true 119909 is assigned the value of 119901 119894119899 If 3
cycles later 119901 119900119906119905 is equal to 119909 + 1 then property 119897119886119905119890119899119888119910 istrue Otherwise the property is false When V119886119897119894119889 119894119899 is falseproperty 119897119886119905119890119899119888119910 is evaluated as true
For the algebraization of SVA properties with localvariables in our method these local variables will be takenas common signal variables (symbolic constant) without anysequential information
Thus we have the polynomial set representation forproperty 119897119886119905119890119899119888119910
⟦119897119886119905119890119899119888119910⟧[119905]
=
(V119886119897119894119889 119894119899[119905]
minus 1)(119909 minus 119901 119894119899
[119905])
(119901 119900119906119905[119905+3]
minus (119909 + 1))
10 Journal of Applied Mathematics
536 Repetition Operators SystemVerilog allows the userto specify repetitions when defining sequences of BooleanexpressionsThe repetition counts can be specified as either arange of constants or a single constant expression
Nonconsecutive repetition specifies finitely many itera-tive matches of the operand Boolean expression with a delayof one or more clock ticks from one match of the operandto the next successive match and no match of the operandstrictly in between The overall repetition sequence matchesat or after the last iterative match of the operand but beforeany later match of the operand
The syntax of repetition operator can be illustrated asfollows
119899119900119899 119888119900119899119904119890119888119906119905119894V119890 119903119890119901 = [= 119888119900119899119904119905 119900119903 119903119886119899119892119890 119890119909119901119903] (15)
The number of iterations of a repetition can be specifiedby exact count
For example a sequence with repetition can be defined as
119886 |=gt 119887 [= 3] 1 119888 (16)
The sequence expects that 2 clock cycles after the validstart signal ldquo119887rdquo will be repeated three times
We have ⟦119877[= 119899]⟧ = ⋁119899
119894=0(⟦119877⟧
119894lowast119889119890119901(119877)
[119905])
54 Property OperatorModeling In general property expres-sions in SVA are built using sequences other sublevel proper-ties and simple Boolean expressions via property operators
In SVA a property that is a sequence is evaluated as trueif and only if there is a nonempty match of the sequenceA sequence that admits an empty match is not allowed as aproperty
The success of assertion-based verification methodologyrelies heavily on the quality of properties describing theintended behavior of the design Since it is a fairly newmethodology verification and design engineers are oftenfaced with a question of ldquohow to identify good propertiesrdquo fora design It may be tempting to write properties that closelyresemble the implementation
Properties we discussed in this paper can be classified as
(1) Design Centric Design centric properties represent asser-tions added by the RTL designers to characterize whitebox design attributes These properties are typically towardsFSMs localmemories clock synchronization logic and otherhardware-related designs The design should conform to theexpectations of these properties
(2) Assumption Centric Assumption centric properties rep-resent assumptions about the design environment They areused in informal verification to specify assumptions about theinputs The assume directive can inform a verification tool toassume such a condition during the analysis
(3) RequirementVerification Centric Many requirementproperties are best described using a ldquocause-to-effectrdquo stylethat specifies what should happen under a given conditionThis type of properties can be specified by implication
operator For example a handshake can be described as ldquoifrequest is asserted then acknowledge should be assertedwithin 5 cyclesrdquo
In general property expressions are built using sequen-ces other sublevel properties and simple Boolean expres-sions
These individual elements are combined using propertyoperators implication NOT ANDOR and so forth
The property composition operators are listed as follows
Definition 15 (property operator)
119875 = 119877lowast ldquosequencerdquo form lowast
|(119875)lowast ldquoparenthesisrdquo form lowast
|not 119875lowast ldquonegationrdquo form lowast
|(1198751or 1198752)lowast ldquoorrdquo form lowast
|(1198751and 119875
2)lowast ldquoandrdquo form lowast
|(119877|minus gt 119875) |(119877| =gt 119875)lowast ldquoimplicationrdquo form lowast
|disable iff(119887) 119875lowast ldquoresetrdquo form lowast
Note that disable if and only if will not be supportedin this paper Property operators construct properties out ofsequence expressions
541 Implication
Operators The SystemVerilog implication operator supportssequence implication and provides two forms of implicationoverlapped using operator |minus gt and nonoverlapped usingoperator | =gt respectively
The syntax of implication is described as follows
119904119890119902119906119890119899119888119890 119890119909119901119903 | minus gt 119901119903119900119901119890119903119905119910 119890119909119901119903
119904119890119902119906119890119899119888119890 119890119909119901119903 | =gt 119901119903119900119901119890119903119905119910 119890119909119901119903
(17)
The implication operator takes a sequence as its anteced-ent and a property as its consequent Every time the sequencematches the property must hold Note that both the runningof the sequence and the property may span multiple clockcycles and that the sequence may match multiple times
For each successful match of the antecedent sequencethe consequence sequence (right-hand operand) is sepa-rately evaluated beginning at the end point of the matchedantecedent sequence All matches of antecedent sequencerequire a match of the consequence sequence
Moreover if the antecedent sequence (left hand operand)does not succeed implication succeeds vacuously by return-ing true For many protocol related assertions it is importantto specify the sequence of events (the antecedent or cause)that must occur before checking for another sequence (theconsequent or effect) This is because if the antecedent doesnot occur then there is no need to perform any furtherverification In hardware this occurs because the antecedentreflects an expression that when active triggers something tohappen
Journal of Applied Mathematics 11
A property with a consequent sequence behaves as if theconsequent has an implication first-match applied to it
542 NOT
Operator The operator NOT 119901119903119900119901119890119903119905119910 119890119909119901119903 states that theevaluation of the property returns the opposite of the eval-uation of the underlying 119901119903119900119901119890119903119905119910 119890119909119901119903
543 AND
Operator The formula ldquo1198751AND 119875
2rdquo states that the property
is evaluated as true if and only if both 1198751and 1198752are evaluatd
as true
544 OR
Operator The operator ldquo1198751OR 119875
2rdquo states that the property is
evaluated as true if and only if at least one of 1198751and 119875
2is
evaluated as true
545 IF-ELSE
Operator This operator has two valid forms which are listedas follows
(1) IF (119889119894119904119905) 1198751
A property of this form is evaluated as true if and only ifeither 119889119894119904119905 is evaluated as false or 119875
1is evaluated as true
(2) IF (119889119894119904119905) 1198751ELSE 119875
2
A property of this form is evaluated as true if and only ifeither 119889119894119904119905 is evaluated as true and 119875
1is evaluated as true or
119889119894119904119905 is evaluated as false and 1198752is evaluated as true
From previous discussion we have the following propo-sition for property reasoning
Proposition 16 Assume that1198751198751 and119875
2are valid properties
in SVA the following rules are used to construct the correspond-ing verification process Here 119860119904119904119862ℎ119896(119872119900119889119890119897 119875119903119900119901119890119903119905119910)
ture false is a self-defined checking function that can deter-mine whether a given ldquo119875119903119900119901119890119903119905119910rdquo holds or not with respect toa circuit model ldquo119872119900119889119890119897rdquo
(1) 1198751OR 119875
2rArr 119860119904119904119862ℎ119896(119872 ⟦119875
1⟧) or 119860119904119904119862ℎ119896(119872 ⟦119875
2⟧)
(2) 1198751AND 119875
2rArr 119860119904119904119862ℎ119896(119872 ⟦119875
1⟧)and119860119904119904119862ℎ119896(119872 ⟦119875
2⟧)
(3) NOT 119875 rArr not119860119904119904119862ℎ119896(119872 ⟦119875⟧)
(4) IF (119889119894119904119905) 1198751
rArr not119860119904119904119862ℎ119896(119872 119889119894119904119905) or 119860119904119904119862ℎ119896(119872
⟦1198751⟧)
(5) IF (119889119894119904119905) 1198751ELSE 119875
2rArr (119860119904119904119862ℎ119896(119872 119889119894119904119905)and119860119904119904119862ℎ119896
(119872 ⟦1198751⟧))or(not119860119904119904119862ℎ119896(119872 119889119894119904119905)and119860119904119904119862ℎ119896(119872 ⟦119875
2⟧))
(6) 119878 | minus gt 119875 rArr if (not119860119904119904119862ℎ119896(119872 ⟦119878⟧))119903119890119905119906119903119899 true else(119860119904119904119862ℎ119896(119872 ⟦119878⟧
[119905]) and 119860119904119904119862ℎ119896(119872 ⟦119875⟧
dep(119875)[119905+dep(119878)minus1]))
(7) 119878 |=gt 119875 rArr if(not119860119904119904119862ℎ119896(119872 ⟦119878⟧))119903119890119905119906119903119899 true else(119860119904119904119862ℎ119896(119872 ⟦119878⟧
[119905]) and 119860119904119904119862ℎ119896(119872 ⟦119875⟧
dep(119875)[119905+dep(119878)]))
6 Verification Algorithm
In this section we will describe how an assertion is checkedusing Groebner bases approach Firstly we will discussa practical algorithm using Groebner bases for assertionchecking
61 Basic Principle As just mentioned our checking methodis based on algebraic geometry which is the study of thegeometric objects arising as the common zeros of collectionsof polynomials Our aim is to find polynomials whosezeros correspond to pairs of states in which the appropriateassignments are made
We can regard any set of points in 119896119899 as the variety of some
ideal We can then use the ideal or any basis for the ideal as away of encoding the set of points
From Groebner Bases theory [10 12] every nonzero ideal119868 sub 119896[119909
1 119909
119899] has a Groebner basis and the following
proposition evidently holds
Proposition 17 Let 119862 and 119878 be polynomial sets of 119896[1199091
119909119899] and ⟨119866119878⟩ a Groebner basis for ⟨119878⟩ and then we have that
⟨119862⟩ sube ⟨119878⟩ hArr forall119888 isin 119862 119903119890119898119889(119888 119866119878) == 0 holds
Theorem 18 Suppose that 119860(⟦119860⟧ = 1198861 1198862 119886
119903) is a
property to be verified 119879 is the initial preconditions of 119862 and119872 is a system model to be checked Let ⟦119879⟧ and ⟦119872⟧ bethe polynomial set representations for 119879 and 119872 respectivelyconstructed by previous mentioned rules Let 119867 = ⟦119879 cup 119872⟧ =
ℎ1 ℎ2 ℎ
119904 sube 119896[119909
1 119909
119899] 119868 = ⟨119867⟩ (where ⟨119867⟩ denotes
the ideal generated by 119867) and 119866119861119867
= 119892119887119886119904119894119904(119867 ≺) then wehave
( (1 notin 119866119861119867
) and 119903119890119898119889 (119862 119866119861119867
) == 0)
lArrrArr ((1 notin 119866119861119867
) and119903
⋀
119894=0
(119903119890119898119889 (119892119894 119866119861119867
) == 0))
lArrrArr (119872 |= 119860) holds
(18)
Proof (1) The polynomial set ⟦119872⟧ of system model 119872
describes the data-flow relationship that inputs outputs andfunctional transformation should meet The initial condition⟦119872⟧ can be seen as extra constraint applied by users Thereshould not exist contradiction between them that is thepolynomial equations of ⟦119879 cup 119872⟧ must have a commonsolution
ByHilbertrsquos Nullstellensatz theory if we have polynomials⟦119879 cup 119872⟧ = 119891
1 119891
119904 isin 119896[119909
1 119909
119899] we compute a
reducedGroebner basis of the ideal they generatewith respectto any ordering If this basis is 1 the polynomials have nocommon zero in 119896
119899 if the basis is not 1 they must have acommon zero
Therefore (1 notin 119866119861119867
) should hold(2) Evidently by previous proposition it is easy to have
that 119903119890119898119889(119862 119866119861119867
) == 0 should holdThus we have that this theorem holds
12 Journal of Applied Mathematics
Input(1) circuit model 119872(2) initial condition 119879(3) an assertion 119860Output Boolean 119905119903119906119890 or 119891119886119897119904119890BEGIN
lowastStep 1 initialize input signals via testbench lowast(00) 119868119899119894119905119878119894119892119899119886119897119904()(01) M = 0PS
119860= 0 119867 = 0PS
119879= 0
lowastStep 2 build polynomial model lowast(02) M = ⟦119872⟧ = 119861119906119894119897119889PS(119872)
lowastStep 3 build polynomial set for initial condition 119879lowast
(03) 119875119878119879
= ⟦119879⟧ = 119861119906119894119897119889PS(119879)lowastStep 4 build polynomial set for consequentA lowast
(04) 119875119878119860
= ⟦119860⟧ = 119861119906119894119897119889PS(119860)lowastStep 5 calculate the PS
119879cup Mlowast
(05) 119867 = PST cup MlowastStep 6 calculate the Groebner base of ⟨119867⟩
lowast(06) GB
119867= 119892basis(119867 ≺)
lowastStep 7 determine the basis is 1 or not lowast(07) if(1 isin GB
119867)
(08) return 119891119886119897119904119890 lowastStep 8 check every polynomial lowastlowast119860 = 119886
1 1198862 119886
|119860|lowast
(09) 119894 = 1(10) 119908ℎ119894119897119890(119894 le |119860|)
(11) if(119903119890119898119889(⟦119886119894⟧ GB
119867) = 0)
(12) return 119891119886119897119904119890 (13) i++(14) lowast endwhile lowast(15) return 119905119903119906119890 lowast Assertion does hold lowastEND
Algorithm 1 ldquo119860119904119904119862ℎ119896119875119900119897119910119861119906119894119897119889(119872 119879 119860)rdquo
62 Checking Algorithm For simplicity in this section weonly provide the key decision algorithm
Firstly the original system model is transformed into anormal polynomial representation and the assertion as wellThen calculate the hypothesis set and its Groebner basisusing the Buchberger algorithm [18] and their eliminationideals Finally examine the inclusion relationship betweenelimination ideals to determine whether the assertion to bechecked holds or not
From above discussion we have the following processsteps and detailed algorithm description Algorithm 1
For convenience we can derive another version checkingprocedure named ldquo119860119904119904119862ℎ119896(⟦119872⟧ ⟦119860⟧)rdquo which can acceptpolynomial representations as inputs without explicit poly-nomial construction process
Further by applying Theorem 18 and the checking algo-rithm ldquo119860119904119904119862ℎ119896(⟦119872⟧ ⟦119860⟧)rdquo we can easily verify all sup-ported properties written in SVA
7 An Example
In this section we will study a classical circuit to show howSVA properties are verified by polynomial representation andalgebra computation method
Consider the Johnson counter circuit in Figure 3 Johnsoncounters can provide individual digit outputs rather than a
3 2 1
m1m2m3
m4clk
And
Andy
Figure 3 Johnson counter
Table 3 Table of Johnson counter output
Counter (clock) V3(1198983) V2(1198982) V1(1198981)
0 0 0 01 1 0 02 1 1 03 0 1 14 0 0 15 0 0 0
binary or BCD output as shown in Table 3 Notice that eachlegal count may be defined by the location of the last flip-flopto change states and which way it changed state
71 Algebraization of Circuit and Assertion Johnson counterprovides individual digit outputs as shown in Table 3
The polynomial set for Johnson counter circuit in Figure 3can be constructed as follows
119878119890119905adder = 1198911 = 11989831015840minus 1198984 1198912 = 1198982
1015840minus 1198983
1198913 = 11989811015840minus 1198982
1198914 = 1198984 minus (1 minus 1198981) lowast (1 minus 1198982)
1198915 = 119910 minus 1198981 lowast (1 minus 1198982)
(19)
where 11989811015840 denotes the next state of 1198981 For the 119894th cycle we
use 1199091[119894]to denote variable name in current cycle
Similarly another Johnson counter circuit with an erroris shown in Figure 4 the corresponding polynomial set canbe described by
119878119890119905adder = 1198911 1198912 1198913
11989141015840
= 1198984 + 1198981 + 1198982
minus (1 minus 1198981) lowast (1 minus 1198982) 1198915
(20)
Journal of Applied Mathematics 13
3 2 1
m1m2m3
m4clk
Or
Andy
Figure 4 Johnson counter with error
To illustrate the problem clearly we define polynomial setrepresentation 119875119872[119894] for 119894th cycle as follows
119875119872 [119894] = 1198983[119894+1]
minus 1198984[119894]
1198982[119894+1]
minus 1198983[119894]
1198981[119894+1]
minus 1198982[119894]
1198984[119894]
minus (1 minus 1198982[119894]
) lowast (1 minus 1198981[119894]
)
119910 minus 1198981[119894]
lowast (1 minus 1198982[119894]
)
(21)
Support that the circuit will run 6 cycles for verificationtherefore we have 119875119872 = ⋃
5
119894=0119875119872[119894]
For any Boolean variable 119886 we will add an extra con-straint 119886lowast119886minus119886Thus we define the corresponding constraintsset as follows 119862119873119878[119894] = 119888
[119894]lowast 119888[119894]
minus 119888[119894]
119888 isin 1198981 1198982 1198983 1198984
119910In the same manner we have 119862119873119878 = ⋃
5
119894=0119862119873119878[119894]
The sequential property for this counter circuit can bespecified by the following SystemVerilog assertions
property 119869119862119875119860
(1198983 = 0 ampamp 1198982 = 0 ampamp 1198981 = 0)
| =gt 1(1198983 == 1 ampamp 1198982 == 0 ampamp 1198981 == 0)
| =gt 2(1198983 == 1 ampamp 1198982 == 1 ampamp 1198981 == 0)
| =gt 3(1198983 == 0 ampamp 1198982 == 1 ampamp 1198981 ==
1)
endpropertyproperty 1198691198621198751
(119888119897119896)(1198981 == 0)| =gt 2 (1198981 == 0)
endpropertyproperty 1198691198621198752
(119888119897119896)(1198982 == 0)| =gt 2 (1198982 == 1)
endpropertyproperty 1198691198621198753
(119888119897119896)(1198983 == 0)| =gt 2 (1198983 == 1)
endproperty
Table 4 Polynomial forms
Name Precondition Expected consequent
JCPA
1198981[0]
1198982[0]
1198983[0]
cycle 1 1198981[1]
minus 1 1198982[1]
1198983[1]
cycle 2 1198981[2]
minus 1 1198982[2]
minus 1 1198983[2]
cycle 3 1198981[3]
1198982[3]
minus 1 1198983[3]
minus 1
JCP1 1198981[0]
1198981[2]
JCP2 1198982[0]
1198982[2]
minus 1
JCP3 1198983[0]
1198983[2]
minus 1
We will afterwards demonstrate the verification processstep by step
The circuit model to be verified is as shown below
119878119872 = 119875119872 cup 119862119873119878 (22)
The property of this counter can be specified as thefollowing SVA assertion
assert property (1198691198621198751)
assert property (1198691198621198752)
The Algebraization form of the above properties can bemodeled as in Table 4
72 Experiment Using Maple We run this example by usingMaple 13 Before running we manually translated all modelsinto polynomials The experiment is performed on a PC witha 240GHz CPU (intel i5M450) and 1024MB of memoryIt took about 004 seconds and 081MB of memory whenapplying Groebner method
[gtwith(Groebner)[gt 119862119872 = sdot sdot sdot
lowastCircuit Modellowast[gt 119879119863119864119866 = 119905119889119890119892(
1198981[0] 1198982[0] 1198983[0] 1198984[0]
1198981[1] 1198982[1] 1198983[1] 1198984[1]
1198981[2] 1198982[2] 1198983[2] 1198984[2]
1198981[3] 1198982[3] 1198983[3] 1198984[3]
1198981[4] 1198982[4] 1198983[4] 1198984[4]
119910[0] 119910[1] 119910[2] 119910[3]
)
[gt 119862119866119861 = 119861119886119904119894119904(119862119872 119879119863119864119866)
Thus we can have the Groebner basis as follows
[gt [1199101[3]
1199101[2]
1199101[1]
1199101[1]
1198983[4]
1198982[4]
1198981[4]
minus 1 1198984[3] 1198983[3] 1198982[3]
minus 1 1198981[3]
minus 11198984[2] 1198983[2]
minus 1 1198982[2]
minus 1 1198981[2] 1198984[1]
minus 11198983[1]
minus 11198982[1] 1198981[1] 1198984[0]
minus 1 1198983[0] 1198982[0] 1198981[0]
]
[gt 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983[1]
minus 1 119862119866119861 119879119863119864119866)
[gt 119903119890119905 = 0
14 Journal of Applied Mathematics
Table 5 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862119866119861
080M 002 S0
Yes1198982[1]
1 notin 119862119866119861 0
1198983[1]
minus 1 1 notin 119862119866119861 0
11198981[2]
1 notin 119862119866119861
081M 003 S0
Yes1198982[2]
minus 1 1 notin 119862119866119861 0
1198983[2]
minus 1 1 notin 119862119866119861 0
21198981[3]
minus 1 1 notin 119862119866119861
081M 004 S0
Yes1198982[3]
minus 1 1 notin 119862119866119861 0
1198983[3]
1 notin 119862119866119861 0
3 1198981[2]
1 notin 119862119866119861 081M 004 S 0 Yes4 1198982
[2] 1 notin 119862119866119861 081M 004 S 0 Yes
5 1198983[2]
1 notin 119862119866119861 081M 004 S 0 Yes
Table 6 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862GB080M 002 S
0
Yes1198982[1]
1 notin 119862GB 0
1198983[1]
minus 1 1 notin 119862GB 0
11198981[2]
1 notin 119862GB081M 003 S
0
Yes1198982[2]
minus 1 1 notin 119862GB 0
1198983[2]
minus 1 1 notin 119862GB 0
21198981[3]
minus 1 1 notin 119862GB081M 014 S
0
NO1198982[3]
minus 1 1 notin 119862GB 0
1198983[3]
1 notin 119862GB minus1
As shown in maple outputs the given circuit has beenmodeled as polynomial set119862119872 (itsGroebner bases is denotedby 119862119866119861) and assertion expected result as 1198983
[1]minus 1 From
the running result we have 1 notin 119862119866119861 and return valueof 119873119900119903119898119886119897119865119900119903119898 is 0 which means 119862119866119861 is divided with noremainder by 1198983
[1]minus 1
Thus from the previously mentioned verification princi-ples it is easy to conclude that the assertion 1198691198621198751 holds underthis circuit model after 3 cycles
More detailed experiment results for verification of cir-cuit shown in Figure 3 are listed in Table 5
Conversely we check these assertions against the circuitshown in Figure 4 in a similar way More detailed experimentresults are demonstrated in Table 6
From above table when checking 119869119862119875119860 assertion theresult 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983
[3] 119862119866119861 119879119863119864119866) = 0 so that
we can conclude the assertion does not holdTherefore theremust exist unexpected errors in the original circuit
This case is a fairly complete illustration of how thechecking algorithm works
8 Conclusion
In this paper we presented a new method for SVA prop-erties checking by using Groebner bases based symbolicalgebraic approaches To guarantee the feasibility we defined
a constrained subset of SVAs which is powerful enough forpractical purposes
We first introduce a notion of symbolic constant withoutany sequential information for handling local variables inSVAs inspired from STE We then proposed a practical alge-braizationmethod for each sequence operator For sequentialcircuits verification we introduce a parameterized polyno-mial set modeling method based on time frame expansion
Our approach is based on polynomial models construc-tion for both circuit models and SVA assertionsThis methodis to eventually translate a simulation based verificationproblem into a pure algebraic zero set determination problemby a series of proposed steps which can be performed on anygeneral symbolic algebraic tool
Thismethod allows users to deal withmore than one stateand many input combinations every cycle This advantagecomes directly from the fact that many vectors are simulatedat once using symbolic value
In summary in this research by suitable restrictions ofSVA assertions we can guarantee the availability of polyno-mial set representation Based on this polynomial set modelsymbolic simulation can be performed to produce symbolictraces and temporal relationship constraints of signal vari-ables as well We then apply symbolic algebra approach tocheck the zeros set relation between their polynomial sets anddetermine whether the temporal assertion holds or not undercurrent running cycle
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
The project is supported by the National Natural ScienceFoundation of China under Grant no 11371003 theNatural Science Foundation of Guangxi under Grantsnos 2011GXNSFA018154 2012GXNSFGA060003 and2013GXNSFAA019342 the Science and TechnologyFoundation of Guangxi under Grant no 10169-1 theScientific Research Project no 201012MS274 from GuangxiEducation Department the Fundamental Research Fundsfor the Central Universities under Grants nos DUT14QY05and HCIC201204 of Guangxi Key Laboratory of HybridComputation and IC Design Analysis Open Fund andthe Baguio scholarship Project of Guangxi The authorswould like to thank their colleagues for participating in theresearch They also appreciate the anonymous reviewers fortheir helpful comments
References
[1] IEEE System Verilog Working Group IEEE Standard forSystemVerilog C Unified Hardware Design Specification andVerification (IEEE Std 1800-2005) IEEE 2005
[2] ldquoIEEE draft standard for system verilogmdashunified hardware de-sign specification and verification languagerdquo IEEE P1800D32011
Journal of Applied Mathematics 15
[3] R Wille G Fey M Messing G Angst L Linhard and RDrechsler ldquoIdentifying a subset of SystemVerilog assertions forefficient bounded model checkingrdquo in Proceedings of the 11thEUROMICRO Conference on Digital System Design Architec-tures Methods and Tools (DSD rsquo08) pp 542ndash549 September2008
[4] L Darringer ldquoApplication of program verification techniques tohardware verificationrdquo in Proceedings of the IEEE-ACM DesignAutomation Conference pp 375ndash381 1979
[5] G S Avrunin ldquoSymbolic model checking using algebraicgeometryrdquo in Proceedings of the 8th International Conference onComputer Aided Verification vol CAV96 pp 26ndash37 SpringerLondon UK 1996
[6] W B Mao and J Z Wu ldquoApplication of Wus method to sym-bolic model checkingrdquo in Proceedings of the 2005 internationalSymposiumon Symbolic andAlgebraic Computation (ISSAC rsquo05)pp 237ndash244 ACM Press Beijing China 2005
[7] J Wu and L Zhao ldquoMulti-valued model checking via groebnerbasis approachrdquo in Proceedings of the 1st Joint IEEEIFIP Sympo-sium on Theoretical Aspects of Software Engineering (TASE rsquo07)pp 35ndash44 IEEE Computer Society Press June 2007
[8] N Zhou J Wu and X Gao ldquoAlgebraic verification method forSEREs properties via Groebner bases approachesrdquo Journal ofAppliedMathematics vol 2013 Article ID 272781 10 pages 2013
[9] X Gao N Zhou J Wu and D Li ldquoWursquos characteristic setmethod for SystemVerilog assertions verificationrdquo Journal ofApplied Mathematics vol 2013 Article ID 740194 14 pages2013
[10] J Little D Cox andD OrsquoShea Ideals Varieties and AlgorithmsSpringer New York NY USA 1992
[11] T Becker andVWeispfenningGrobner Bases AComputationalApproach to Commutative Algebra Springer New York NYUSA 1993
[12] B Buchberger ldquoGroebner bases an algorithmic method inpolynomial ideal theoryrdquo in Multidimensional Systems Theorypp 184ndash232 1985
[13] S B Akers ldquoBinary decision diagramsrdquo IEEE Transactions onComputers C vol 27 no 6 pp 509ndash516 1978
[14] S Hoereth and R Drechsler ldquoFormal verification of word-levelspecificationsrdquo in Proceedings of the Design Automation andTest in Europe Conference and Exhibition pp 52ndash58 MunichGermany 1999
[15] Y M Ryabukhin ldquoBoolean ringrdquo in Encyclopaedia of Mathe-matics Springer Michiel Germany 2001
[16] S Das R Mohanty P Dasgupta and P P Chakrabarti ldquoSynthe-sis of system verilog assertionsrdquo in Proceedings of the Conferenceon Design Automation and Test in Europe Designersrsquo Forum(DATE rsquo06) pp 70ndash75 European Design and AutomationAssociation Leuven Belgium March 2006
[17] C-J Seger and R E Bryant ldquoFormal verification by symbolicevaluation of partially-ordered trajectoriesrdquo Formal Methods inSystem Design vol 6 no 2 pp 147ndash190 1995
[18] D Cox J Little and D OrsquoShea Ideals Varieties and AlgorithmsAn Introduction to Computational Algebraic Geometry andCommutative Algebra Undergraduate Texts in MathematicsSpringer New York 3rd edition 2007
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
10 Journal of Applied Mathematics
536 Repetition Operators SystemVerilog allows the userto specify repetitions when defining sequences of BooleanexpressionsThe repetition counts can be specified as either arange of constants or a single constant expression
Nonconsecutive repetition specifies finitely many itera-tive matches of the operand Boolean expression with a delayof one or more clock ticks from one match of the operandto the next successive match and no match of the operandstrictly in between The overall repetition sequence matchesat or after the last iterative match of the operand but beforeany later match of the operand
The syntax of repetition operator can be illustrated asfollows
119899119900119899 119888119900119899119904119890119888119906119905119894V119890 119903119890119901 = [= 119888119900119899119904119905 119900119903 119903119886119899119892119890 119890119909119901119903] (15)
The number of iterations of a repetition can be specifiedby exact count
For example a sequence with repetition can be defined as
119886 |=gt 119887 [= 3] 1 119888 (16)
The sequence expects that 2 clock cycles after the validstart signal ldquo119887rdquo will be repeated three times
We have ⟦119877[= 119899]⟧ = ⋁119899
119894=0(⟦119877⟧
119894lowast119889119890119901(119877)
[119905])
54 Property OperatorModeling In general property expres-sions in SVA are built using sequences other sublevel proper-ties and simple Boolean expressions via property operators
In SVA a property that is a sequence is evaluated as trueif and only if there is a nonempty match of the sequenceA sequence that admits an empty match is not allowed as aproperty
The success of assertion-based verification methodologyrelies heavily on the quality of properties describing theintended behavior of the design Since it is a fairly newmethodology verification and design engineers are oftenfaced with a question of ldquohow to identify good propertiesrdquo fora design It may be tempting to write properties that closelyresemble the implementation
Properties we discussed in this paper can be classified as
(1) Design Centric Design centric properties represent asser-tions added by the RTL designers to characterize whitebox design attributes These properties are typically towardsFSMs localmemories clock synchronization logic and otherhardware-related designs The design should conform to theexpectations of these properties
(2) Assumption Centric Assumption centric properties rep-resent assumptions about the design environment They areused in informal verification to specify assumptions about theinputs The assume directive can inform a verification tool toassume such a condition during the analysis
(3) RequirementVerification Centric Many requirementproperties are best described using a ldquocause-to-effectrdquo stylethat specifies what should happen under a given conditionThis type of properties can be specified by implication
operator For example a handshake can be described as ldquoifrequest is asserted then acknowledge should be assertedwithin 5 cyclesrdquo
In general property expressions are built using sequen-ces other sublevel properties and simple Boolean expres-sions
These individual elements are combined using propertyoperators implication NOT ANDOR and so forth
The property composition operators are listed as follows
Definition 15 (property operator)
119875 = 119877lowast ldquosequencerdquo form lowast
|(119875)lowast ldquoparenthesisrdquo form lowast
|not 119875lowast ldquonegationrdquo form lowast
|(1198751or 1198752)lowast ldquoorrdquo form lowast
|(1198751and 119875
2)lowast ldquoandrdquo form lowast
|(119877|minus gt 119875) |(119877| =gt 119875)lowast ldquoimplicationrdquo form lowast
|disable iff(119887) 119875lowast ldquoresetrdquo form lowast
Note that disable if and only if will not be supportedin this paper Property operators construct properties out ofsequence expressions
541 Implication
Operators The SystemVerilog implication operator supportssequence implication and provides two forms of implicationoverlapped using operator |minus gt and nonoverlapped usingoperator | =gt respectively
The syntax of implication is described as follows
119904119890119902119906119890119899119888119890 119890119909119901119903 | minus gt 119901119903119900119901119890119903119905119910 119890119909119901119903
119904119890119902119906119890119899119888119890 119890119909119901119903 | =gt 119901119903119900119901119890119903119905119910 119890119909119901119903
(17)
The implication operator takes a sequence as its anteced-ent and a property as its consequent Every time the sequencematches the property must hold Note that both the runningof the sequence and the property may span multiple clockcycles and that the sequence may match multiple times
For each successful match of the antecedent sequencethe consequence sequence (right-hand operand) is sepa-rately evaluated beginning at the end point of the matchedantecedent sequence All matches of antecedent sequencerequire a match of the consequence sequence
Moreover if the antecedent sequence (left hand operand)does not succeed implication succeeds vacuously by return-ing true For many protocol related assertions it is importantto specify the sequence of events (the antecedent or cause)that must occur before checking for another sequence (theconsequent or effect) This is because if the antecedent doesnot occur then there is no need to perform any furtherverification In hardware this occurs because the antecedentreflects an expression that when active triggers something tohappen
Journal of Applied Mathematics 11
A property with a consequent sequence behaves as if theconsequent has an implication first-match applied to it
542 NOT
Operator The operator NOT 119901119903119900119901119890119903119905119910 119890119909119901119903 states that theevaluation of the property returns the opposite of the eval-uation of the underlying 119901119903119900119901119890119903119905119910 119890119909119901119903
543 AND
Operator The formula ldquo1198751AND 119875
2rdquo states that the property
is evaluated as true if and only if both 1198751and 1198752are evaluatd
as true
544 OR
Operator The operator ldquo1198751OR 119875
2rdquo states that the property is
evaluated as true if and only if at least one of 1198751and 119875
2is
evaluated as true
545 IF-ELSE
Operator This operator has two valid forms which are listedas follows
(1) IF (119889119894119904119905) 1198751
A property of this form is evaluated as true if and only ifeither 119889119894119904119905 is evaluated as false or 119875
1is evaluated as true
(2) IF (119889119894119904119905) 1198751ELSE 119875
2
A property of this form is evaluated as true if and only ifeither 119889119894119904119905 is evaluated as true and 119875
1is evaluated as true or
119889119894119904119905 is evaluated as false and 1198752is evaluated as true
From previous discussion we have the following propo-sition for property reasoning
Proposition 16 Assume that1198751198751 and119875
2are valid properties
in SVA the following rules are used to construct the correspond-ing verification process Here 119860119904119904119862ℎ119896(119872119900119889119890119897 119875119903119900119901119890119903119905119910)
ture false is a self-defined checking function that can deter-mine whether a given ldquo119875119903119900119901119890119903119905119910rdquo holds or not with respect toa circuit model ldquo119872119900119889119890119897rdquo
(1) 1198751OR 119875
2rArr 119860119904119904119862ℎ119896(119872 ⟦119875
1⟧) or 119860119904119904119862ℎ119896(119872 ⟦119875
2⟧)
(2) 1198751AND 119875
2rArr 119860119904119904119862ℎ119896(119872 ⟦119875
1⟧)and119860119904119904119862ℎ119896(119872 ⟦119875
2⟧)
(3) NOT 119875 rArr not119860119904119904119862ℎ119896(119872 ⟦119875⟧)
(4) IF (119889119894119904119905) 1198751
rArr not119860119904119904119862ℎ119896(119872 119889119894119904119905) or 119860119904119904119862ℎ119896(119872
⟦1198751⟧)
(5) IF (119889119894119904119905) 1198751ELSE 119875
2rArr (119860119904119904119862ℎ119896(119872 119889119894119904119905)and119860119904119904119862ℎ119896
(119872 ⟦1198751⟧))or(not119860119904119904119862ℎ119896(119872 119889119894119904119905)and119860119904119904119862ℎ119896(119872 ⟦119875
2⟧))
(6) 119878 | minus gt 119875 rArr if (not119860119904119904119862ℎ119896(119872 ⟦119878⟧))119903119890119905119906119903119899 true else(119860119904119904119862ℎ119896(119872 ⟦119878⟧
[119905]) and 119860119904119904119862ℎ119896(119872 ⟦119875⟧
dep(119875)[119905+dep(119878)minus1]))
(7) 119878 |=gt 119875 rArr if(not119860119904119904119862ℎ119896(119872 ⟦119878⟧))119903119890119905119906119903119899 true else(119860119904119904119862ℎ119896(119872 ⟦119878⟧
[119905]) and 119860119904119904119862ℎ119896(119872 ⟦119875⟧
dep(119875)[119905+dep(119878)]))
6 Verification Algorithm
In this section we will describe how an assertion is checkedusing Groebner bases approach Firstly we will discussa practical algorithm using Groebner bases for assertionchecking
61 Basic Principle As just mentioned our checking methodis based on algebraic geometry which is the study of thegeometric objects arising as the common zeros of collectionsof polynomials Our aim is to find polynomials whosezeros correspond to pairs of states in which the appropriateassignments are made
We can regard any set of points in 119896119899 as the variety of some
ideal We can then use the ideal or any basis for the ideal as away of encoding the set of points
From Groebner Bases theory [10 12] every nonzero ideal119868 sub 119896[119909
1 119909
119899] has a Groebner basis and the following
proposition evidently holds
Proposition 17 Let 119862 and 119878 be polynomial sets of 119896[1199091
119909119899] and ⟨119866119878⟩ a Groebner basis for ⟨119878⟩ and then we have that
⟨119862⟩ sube ⟨119878⟩ hArr forall119888 isin 119862 119903119890119898119889(119888 119866119878) == 0 holds
Theorem 18 Suppose that 119860(⟦119860⟧ = 1198861 1198862 119886
119903) is a
property to be verified 119879 is the initial preconditions of 119862 and119872 is a system model to be checked Let ⟦119879⟧ and ⟦119872⟧ bethe polynomial set representations for 119879 and 119872 respectivelyconstructed by previous mentioned rules Let 119867 = ⟦119879 cup 119872⟧ =
ℎ1 ℎ2 ℎ
119904 sube 119896[119909
1 119909
119899] 119868 = ⟨119867⟩ (where ⟨119867⟩ denotes
the ideal generated by 119867) and 119866119861119867
= 119892119887119886119904119894119904(119867 ≺) then wehave
( (1 notin 119866119861119867
) and 119903119890119898119889 (119862 119866119861119867
) == 0)
lArrrArr ((1 notin 119866119861119867
) and119903
⋀
119894=0
(119903119890119898119889 (119892119894 119866119861119867
) == 0))
lArrrArr (119872 |= 119860) holds
(18)
Proof (1) The polynomial set ⟦119872⟧ of system model 119872
describes the data-flow relationship that inputs outputs andfunctional transformation should meet The initial condition⟦119872⟧ can be seen as extra constraint applied by users Thereshould not exist contradiction between them that is thepolynomial equations of ⟦119879 cup 119872⟧ must have a commonsolution
ByHilbertrsquos Nullstellensatz theory if we have polynomials⟦119879 cup 119872⟧ = 119891
1 119891
119904 isin 119896[119909
1 119909
119899] we compute a
reducedGroebner basis of the ideal they generatewith respectto any ordering If this basis is 1 the polynomials have nocommon zero in 119896
119899 if the basis is not 1 they must have acommon zero
Therefore (1 notin 119866119861119867
) should hold(2) Evidently by previous proposition it is easy to have
that 119903119890119898119889(119862 119866119861119867
) == 0 should holdThus we have that this theorem holds
12 Journal of Applied Mathematics
Input(1) circuit model 119872(2) initial condition 119879(3) an assertion 119860Output Boolean 119905119903119906119890 or 119891119886119897119904119890BEGIN
lowastStep 1 initialize input signals via testbench lowast(00) 119868119899119894119905119878119894119892119899119886119897119904()(01) M = 0PS
119860= 0 119867 = 0PS
119879= 0
lowastStep 2 build polynomial model lowast(02) M = ⟦119872⟧ = 119861119906119894119897119889PS(119872)
lowastStep 3 build polynomial set for initial condition 119879lowast
(03) 119875119878119879
= ⟦119879⟧ = 119861119906119894119897119889PS(119879)lowastStep 4 build polynomial set for consequentA lowast
(04) 119875119878119860
= ⟦119860⟧ = 119861119906119894119897119889PS(119860)lowastStep 5 calculate the PS
119879cup Mlowast
(05) 119867 = PST cup MlowastStep 6 calculate the Groebner base of ⟨119867⟩
lowast(06) GB
119867= 119892basis(119867 ≺)
lowastStep 7 determine the basis is 1 or not lowast(07) if(1 isin GB
119867)
(08) return 119891119886119897119904119890 lowastStep 8 check every polynomial lowastlowast119860 = 119886
1 1198862 119886
|119860|lowast
(09) 119894 = 1(10) 119908ℎ119894119897119890(119894 le |119860|)
(11) if(119903119890119898119889(⟦119886119894⟧ GB
119867) = 0)
(12) return 119891119886119897119904119890 (13) i++(14) lowast endwhile lowast(15) return 119905119903119906119890 lowast Assertion does hold lowastEND
Algorithm 1 ldquo119860119904119904119862ℎ119896119875119900119897119910119861119906119894119897119889(119872 119879 119860)rdquo
62 Checking Algorithm For simplicity in this section weonly provide the key decision algorithm
Firstly the original system model is transformed into anormal polynomial representation and the assertion as wellThen calculate the hypothesis set and its Groebner basisusing the Buchberger algorithm [18] and their eliminationideals Finally examine the inclusion relationship betweenelimination ideals to determine whether the assertion to bechecked holds or not
From above discussion we have the following processsteps and detailed algorithm description Algorithm 1
For convenience we can derive another version checkingprocedure named ldquo119860119904119904119862ℎ119896(⟦119872⟧ ⟦119860⟧)rdquo which can acceptpolynomial representations as inputs without explicit poly-nomial construction process
Further by applying Theorem 18 and the checking algo-rithm ldquo119860119904119904119862ℎ119896(⟦119872⟧ ⟦119860⟧)rdquo we can easily verify all sup-ported properties written in SVA
7 An Example
In this section we will study a classical circuit to show howSVA properties are verified by polynomial representation andalgebra computation method
Consider the Johnson counter circuit in Figure 3 Johnsoncounters can provide individual digit outputs rather than a
3 2 1
m1m2m3
m4clk
And
Andy
Figure 3 Johnson counter
Table 3 Table of Johnson counter output
Counter (clock) V3(1198983) V2(1198982) V1(1198981)
0 0 0 01 1 0 02 1 1 03 0 1 14 0 0 15 0 0 0
binary or BCD output as shown in Table 3 Notice that eachlegal count may be defined by the location of the last flip-flopto change states and which way it changed state
71 Algebraization of Circuit and Assertion Johnson counterprovides individual digit outputs as shown in Table 3
The polynomial set for Johnson counter circuit in Figure 3can be constructed as follows
119878119890119905adder = 1198911 = 11989831015840minus 1198984 1198912 = 1198982
1015840minus 1198983
1198913 = 11989811015840minus 1198982
1198914 = 1198984 minus (1 minus 1198981) lowast (1 minus 1198982)
1198915 = 119910 minus 1198981 lowast (1 minus 1198982)
(19)
where 11989811015840 denotes the next state of 1198981 For the 119894th cycle we
use 1199091[119894]to denote variable name in current cycle
Similarly another Johnson counter circuit with an erroris shown in Figure 4 the corresponding polynomial set canbe described by
119878119890119905adder = 1198911 1198912 1198913
11989141015840
= 1198984 + 1198981 + 1198982
minus (1 minus 1198981) lowast (1 minus 1198982) 1198915
(20)
Journal of Applied Mathematics 13
3 2 1
m1m2m3
m4clk
Or
Andy
Figure 4 Johnson counter with error
To illustrate the problem clearly we define polynomial setrepresentation 119875119872[119894] for 119894th cycle as follows
119875119872 [119894] = 1198983[119894+1]
minus 1198984[119894]
1198982[119894+1]
minus 1198983[119894]
1198981[119894+1]
minus 1198982[119894]
1198984[119894]
minus (1 minus 1198982[119894]
) lowast (1 minus 1198981[119894]
)
119910 minus 1198981[119894]
lowast (1 minus 1198982[119894]
)
(21)
Support that the circuit will run 6 cycles for verificationtherefore we have 119875119872 = ⋃
5
119894=0119875119872[119894]
For any Boolean variable 119886 we will add an extra con-straint 119886lowast119886minus119886Thus we define the corresponding constraintsset as follows 119862119873119878[119894] = 119888
[119894]lowast 119888[119894]
minus 119888[119894]
119888 isin 1198981 1198982 1198983 1198984
119910In the same manner we have 119862119873119878 = ⋃
5
119894=0119862119873119878[119894]
The sequential property for this counter circuit can bespecified by the following SystemVerilog assertions
property 119869119862119875119860
(1198983 = 0 ampamp 1198982 = 0 ampamp 1198981 = 0)
| =gt 1(1198983 == 1 ampamp 1198982 == 0 ampamp 1198981 == 0)
| =gt 2(1198983 == 1 ampamp 1198982 == 1 ampamp 1198981 == 0)
| =gt 3(1198983 == 0 ampamp 1198982 == 1 ampamp 1198981 ==
1)
endpropertyproperty 1198691198621198751
(119888119897119896)(1198981 == 0)| =gt 2 (1198981 == 0)
endpropertyproperty 1198691198621198752
(119888119897119896)(1198982 == 0)| =gt 2 (1198982 == 1)
endpropertyproperty 1198691198621198753
(119888119897119896)(1198983 == 0)| =gt 2 (1198983 == 1)
endproperty
Table 4 Polynomial forms
Name Precondition Expected consequent
JCPA
1198981[0]
1198982[0]
1198983[0]
cycle 1 1198981[1]
minus 1 1198982[1]
1198983[1]
cycle 2 1198981[2]
minus 1 1198982[2]
minus 1 1198983[2]
cycle 3 1198981[3]
1198982[3]
minus 1 1198983[3]
minus 1
JCP1 1198981[0]
1198981[2]
JCP2 1198982[0]
1198982[2]
minus 1
JCP3 1198983[0]
1198983[2]
minus 1
We will afterwards demonstrate the verification processstep by step
The circuit model to be verified is as shown below
119878119872 = 119875119872 cup 119862119873119878 (22)
The property of this counter can be specified as thefollowing SVA assertion
assert property (1198691198621198751)
assert property (1198691198621198752)
The Algebraization form of the above properties can bemodeled as in Table 4
72 Experiment Using Maple We run this example by usingMaple 13 Before running we manually translated all modelsinto polynomials The experiment is performed on a PC witha 240GHz CPU (intel i5M450) and 1024MB of memoryIt took about 004 seconds and 081MB of memory whenapplying Groebner method
[gtwith(Groebner)[gt 119862119872 = sdot sdot sdot
lowastCircuit Modellowast[gt 119879119863119864119866 = 119905119889119890119892(
1198981[0] 1198982[0] 1198983[0] 1198984[0]
1198981[1] 1198982[1] 1198983[1] 1198984[1]
1198981[2] 1198982[2] 1198983[2] 1198984[2]
1198981[3] 1198982[3] 1198983[3] 1198984[3]
1198981[4] 1198982[4] 1198983[4] 1198984[4]
119910[0] 119910[1] 119910[2] 119910[3]
)
[gt 119862119866119861 = 119861119886119904119894119904(119862119872 119879119863119864119866)
Thus we can have the Groebner basis as follows
[gt [1199101[3]
1199101[2]
1199101[1]
1199101[1]
1198983[4]
1198982[4]
1198981[4]
minus 1 1198984[3] 1198983[3] 1198982[3]
minus 1 1198981[3]
minus 11198984[2] 1198983[2]
minus 1 1198982[2]
minus 1 1198981[2] 1198984[1]
minus 11198983[1]
minus 11198982[1] 1198981[1] 1198984[0]
minus 1 1198983[0] 1198982[0] 1198981[0]
]
[gt 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983[1]
minus 1 119862119866119861 119879119863119864119866)
[gt 119903119890119905 = 0
14 Journal of Applied Mathematics
Table 5 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862119866119861
080M 002 S0
Yes1198982[1]
1 notin 119862119866119861 0
1198983[1]
minus 1 1 notin 119862119866119861 0
11198981[2]
1 notin 119862119866119861
081M 003 S0
Yes1198982[2]
minus 1 1 notin 119862119866119861 0
1198983[2]
minus 1 1 notin 119862119866119861 0
21198981[3]
minus 1 1 notin 119862119866119861
081M 004 S0
Yes1198982[3]
minus 1 1 notin 119862119866119861 0
1198983[3]
1 notin 119862119866119861 0
3 1198981[2]
1 notin 119862119866119861 081M 004 S 0 Yes4 1198982
[2] 1 notin 119862119866119861 081M 004 S 0 Yes
5 1198983[2]
1 notin 119862119866119861 081M 004 S 0 Yes
Table 6 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862GB080M 002 S
0
Yes1198982[1]
1 notin 119862GB 0
1198983[1]
minus 1 1 notin 119862GB 0
11198981[2]
1 notin 119862GB081M 003 S
0
Yes1198982[2]
minus 1 1 notin 119862GB 0
1198983[2]
minus 1 1 notin 119862GB 0
21198981[3]
minus 1 1 notin 119862GB081M 014 S
0
NO1198982[3]
minus 1 1 notin 119862GB 0
1198983[3]
1 notin 119862GB minus1
As shown in maple outputs the given circuit has beenmodeled as polynomial set119862119872 (itsGroebner bases is denotedby 119862119866119861) and assertion expected result as 1198983
[1]minus 1 From
the running result we have 1 notin 119862119866119861 and return valueof 119873119900119903119898119886119897119865119900119903119898 is 0 which means 119862119866119861 is divided with noremainder by 1198983
[1]minus 1
Thus from the previously mentioned verification princi-ples it is easy to conclude that the assertion 1198691198621198751 holds underthis circuit model after 3 cycles
More detailed experiment results for verification of cir-cuit shown in Figure 3 are listed in Table 5
Conversely we check these assertions against the circuitshown in Figure 4 in a similar way More detailed experimentresults are demonstrated in Table 6
From above table when checking 119869119862119875119860 assertion theresult 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983
[3] 119862119866119861 119879119863119864119866) = 0 so that
we can conclude the assertion does not holdTherefore theremust exist unexpected errors in the original circuit
This case is a fairly complete illustration of how thechecking algorithm works
8 Conclusion
In this paper we presented a new method for SVA prop-erties checking by using Groebner bases based symbolicalgebraic approaches To guarantee the feasibility we defined
a constrained subset of SVAs which is powerful enough forpractical purposes
We first introduce a notion of symbolic constant withoutany sequential information for handling local variables inSVAs inspired from STE We then proposed a practical alge-braizationmethod for each sequence operator For sequentialcircuits verification we introduce a parameterized polyno-mial set modeling method based on time frame expansion
Our approach is based on polynomial models construc-tion for both circuit models and SVA assertionsThis methodis to eventually translate a simulation based verificationproblem into a pure algebraic zero set determination problemby a series of proposed steps which can be performed on anygeneral symbolic algebraic tool
Thismethod allows users to deal withmore than one stateand many input combinations every cycle This advantagecomes directly from the fact that many vectors are simulatedat once using symbolic value
In summary in this research by suitable restrictions ofSVA assertions we can guarantee the availability of polyno-mial set representation Based on this polynomial set modelsymbolic simulation can be performed to produce symbolictraces and temporal relationship constraints of signal vari-ables as well We then apply symbolic algebra approach tocheck the zeros set relation between their polynomial sets anddetermine whether the temporal assertion holds or not undercurrent running cycle
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
The project is supported by the National Natural ScienceFoundation of China under Grant no 11371003 theNatural Science Foundation of Guangxi under Grantsnos 2011GXNSFA018154 2012GXNSFGA060003 and2013GXNSFAA019342 the Science and TechnologyFoundation of Guangxi under Grant no 10169-1 theScientific Research Project no 201012MS274 from GuangxiEducation Department the Fundamental Research Fundsfor the Central Universities under Grants nos DUT14QY05and HCIC201204 of Guangxi Key Laboratory of HybridComputation and IC Design Analysis Open Fund andthe Baguio scholarship Project of Guangxi The authorswould like to thank their colleagues for participating in theresearch They also appreciate the anonymous reviewers fortheir helpful comments
References
[1] IEEE System Verilog Working Group IEEE Standard forSystemVerilog C Unified Hardware Design Specification andVerification (IEEE Std 1800-2005) IEEE 2005
[2] ldquoIEEE draft standard for system verilogmdashunified hardware de-sign specification and verification languagerdquo IEEE P1800D32011
Journal of Applied Mathematics 15
[3] R Wille G Fey M Messing G Angst L Linhard and RDrechsler ldquoIdentifying a subset of SystemVerilog assertions forefficient bounded model checkingrdquo in Proceedings of the 11thEUROMICRO Conference on Digital System Design Architec-tures Methods and Tools (DSD rsquo08) pp 542ndash549 September2008
[4] L Darringer ldquoApplication of program verification techniques tohardware verificationrdquo in Proceedings of the IEEE-ACM DesignAutomation Conference pp 375ndash381 1979
[5] G S Avrunin ldquoSymbolic model checking using algebraicgeometryrdquo in Proceedings of the 8th International Conference onComputer Aided Verification vol CAV96 pp 26ndash37 SpringerLondon UK 1996
[6] W B Mao and J Z Wu ldquoApplication of Wus method to sym-bolic model checkingrdquo in Proceedings of the 2005 internationalSymposiumon Symbolic andAlgebraic Computation (ISSAC rsquo05)pp 237ndash244 ACM Press Beijing China 2005
[7] J Wu and L Zhao ldquoMulti-valued model checking via groebnerbasis approachrdquo in Proceedings of the 1st Joint IEEEIFIP Sympo-sium on Theoretical Aspects of Software Engineering (TASE rsquo07)pp 35ndash44 IEEE Computer Society Press June 2007
[8] N Zhou J Wu and X Gao ldquoAlgebraic verification method forSEREs properties via Groebner bases approachesrdquo Journal ofAppliedMathematics vol 2013 Article ID 272781 10 pages 2013
[9] X Gao N Zhou J Wu and D Li ldquoWursquos characteristic setmethod for SystemVerilog assertions verificationrdquo Journal ofApplied Mathematics vol 2013 Article ID 740194 14 pages2013
[10] J Little D Cox andD OrsquoShea Ideals Varieties and AlgorithmsSpringer New York NY USA 1992
[11] T Becker andVWeispfenningGrobner Bases AComputationalApproach to Commutative Algebra Springer New York NYUSA 1993
[12] B Buchberger ldquoGroebner bases an algorithmic method inpolynomial ideal theoryrdquo in Multidimensional Systems Theorypp 184ndash232 1985
[13] S B Akers ldquoBinary decision diagramsrdquo IEEE Transactions onComputers C vol 27 no 6 pp 509ndash516 1978
[14] S Hoereth and R Drechsler ldquoFormal verification of word-levelspecificationsrdquo in Proceedings of the Design Automation andTest in Europe Conference and Exhibition pp 52ndash58 MunichGermany 1999
[15] Y M Ryabukhin ldquoBoolean ringrdquo in Encyclopaedia of Mathe-matics Springer Michiel Germany 2001
[16] S Das R Mohanty P Dasgupta and P P Chakrabarti ldquoSynthe-sis of system verilog assertionsrdquo in Proceedings of the Conferenceon Design Automation and Test in Europe Designersrsquo Forum(DATE rsquo06) pp 70ndash75 European Design and AutomationAssociation Leuven Belgium March 2006
[17] C-J Seger and R E Bryant ldquoFormal verification by symbolicevaluation of partially-ordered trajectoriesrdquo Formal Methods inSystem Design vol 6 no 2 pp 147ndash190 1995
[18] D Cox J Little and D OrsquoShea Ideals Varieties and AlgorithmsAn Introduction to Computational Algebraic Geometry andCommutative Algebra Undergraduate Texts in MathematicsSpringer New York 3rd edition 2007
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Journal of Applied Mathematics 11
A property with a consequent sequence behaves as if theconsequent has an implication first-match applied to it
542 NOT
Operator The operator NOT 119901119903119900119901119890119903119905119910 119890119909119901119903 states that theevaluation of the property returns the opposite of the eval-uation of the underlying 119901119903119900119901119890119903119905119910 119890119909119901119903
543 AND
Operator The formula ldquo1198751AND 119875
2rdquo states that the property
is evaluated as true if and only if both 1198751and 1198752are evaluatd
as true
544 OR
Operator The operator ldquo1198751OR 119875
2rdquo states that the property is
evaluated as true if and only if at least one of 1198751and 119875
2is
evaluated as true
545 IF-ELSE
Operator This operator has two valid forms which are listedas follows
(1) IF (119889119894119904119905) 1198751
A property of this form is evaluated as true if and only ifeither 119889119894119904119905 is evaluated as false or 119875
1is evaluated as true
(2) IF (119889119894119904119905) 1198751ELSE 119875
2
A property of this form is evaluated as true if and only ifeither 119889119894119904119905 is evaluated as true and 119875
1is evaluated as true or
119889119894119904119905 is evaluated as false and 1198752is evaluated as true
From previous discussion we have the following propo-sition for property reasoning
Proposition 16 Assume that1198751198751 and119875
2are valid properties
in SVA the following rules are used to construct the correspond-ing verification process Here 119860119904119904119862ℎ119896(119872119900119889119890119897 119875119903119900119901119890119903119905119910)
ture false is a self-defined checking function that can deter-mine whether a given ldquo119875119903119900119901119890119903119905119910rdquo holds or not with respect toa circuit model ldquo119872119900119889119890119897rdquo
(1) 1198751OR 119875
2rArr 119860119904119904119862ℎ119896(119872 ⟦119875
1⟧) or 119860119904119904119862ℎ119896(119872 ⟦119875
2⟧)
(2) 1198751AND 119875
2rArr 119860119904119904119862ℎ119896(119872 ⟦119875
1⟧)and119860119904119904119862ℎ119896(119872 ⟦119875
2⟧)
(3) NOT 119875 rArr not119860119904119904119862ℎ119896(119872 ⟦119875⟧)
(4) IF (119889119894119904119905) 1198751
rArr not119860119904119904119862ℎ119896(119872 119889119894119904119905) or 119860119904119904119862ℎ119896(119872
⟦1198751⟧)
(5) IF (119889119894119904119905) 1198751ELSE 119875
2rArr (119860119904119904119862ℎ119896(119872 119889119894119904119905)and119860119904119904119862ℎ119896
(119872 ⟦1198751⟧))or(not119860119904119904119862ℎ119896(119872 119889119894119904119905)and119860119904119904119862ℎ119896(119872 ⟦119875
2⟧))
(6) 119878 | minus gt 119875 rArr if (not119860119904119904119862ℎ119896(119872 ⟦119878⟧))119903119890119905119906119903119899 true else(119860119904119904119862ℎ119896(119872 ⟦119878⟧
[119905]) and 119860119904119904119862ℎ119896(119872 ⟦119875⟧
dep(119875)[119905+dep(119878)minus1]))
(7) 119878 |=gt 119875 rArr if(not119860119904119904119862ℎ119896(119872 ⟦119878⟧))119903119890119905119906119903119899 true else(119860119904119904119862ℎ119896(119872 ⟦119878⟧
[119905]) and 119860119904119904119862ℎ119896(119872 ⟦119875⟧
dep(119875)[119905+dep(119878)]))
6 Verification Algorithm
In this section we will describe how an assertion is checkedusing Groebner bases approach Firstly we will discussa practical algorithm using Groebner bases for assertionchecking
61 Basic Principle As just mentioned our checking methodis based on algebraic geometry which is the study of thegeometric objects arising as the common zeros of collectionsof polynomials Our aim is to find polynomials whosezeros correspond to pairs of states in which the appropriateassignments are made
We can regard any set of points in 119896119899 as the variety of some
ideal We can then use the ideal or any basis for the ideal as away of encoding the set of points
From Groebner Bases theory [10 12] every nonzero ideal119868 sub 119896[119909
1 119909
119899] has a Groebner basis and the following
proposition evidently holds
Proposition 17 Let 119862 and 119878 be polynomial sets of 119896[1199091
119909119899] and ⟨119866119878⟩ a Groebner basis for ⟨119878⟩ and then we have that
⟨119862⟩ sube ⟨119878⟩ hArr forall119888 isin 119862 119903119890119898119889(119888 119866119878) == 0 holds
Theorem 18 Suppose that 119860(⟦119860⟧ = 1198861 1198862 119886
119903) is a
property to be verified 119879 is the initial preconditions of 119862 and119872 is a system model to be checked Let ⟦119879⟧ and ⟦119872⟧ bethe polynomial set representations for 119879 and 119872 respectivelyconstructed by previous mentioned rules Let 119867 = ⟦119879 cup 119872⟧ =
ℎ1 ℎ2 ℎ
119904 sube 119896[119909
1 119909
119899] 119868 = ⟨119867⟩ (where ⟨119867⟩ denotes
the ideal generated by 119867) and 119866119861119867
= 119892119887119886119904119894119904(119867 ≺) then wehave
( (1 notin 119866119861119867
) and 119903119890119898119889 (119862 119866119861119867
) == 0)
lArrrArr ((1 notin 119866119861119867
) and119903
⋀
119894=0
(119903119890119898119889 (119892119894 119866119861119867
) == 0))
lArrrArr (119872 |= 119860) holds
(18)
Proof (1) The polynomial set ⟦119872⟧ of system model 119872
describes the data-flow relationship that inputs outputs andfunctional transformation should meet The initial condition⟦119872⟧ can be seen as extra constraint applied by users Thereshould not exist contradiction between them that is thepolynomial equations of ⟦119879 cup 119872⟧ must have a commonsolution
ByHilbertrsquos Nullstellensatz theory if we have polynomials⟦119879 cup 119872⟧ = 119891
1 119891
119904 isin 119896[119909
1 119909
119899] we compute a
reducedGroebner basis of the ideal they generatewith respectto any ordering If this basis is 1 the polynomials have nocommon zero in 119896
119899 if the basis is not 1 they must have acommon zero
Therefore (1 notin 119866119861119867
) should hold(2) Evidently by previous proposition it is easy to have
that 119903119890119898119889(119862 119866119861119867
) == 0 should holdThus we have that this theorem holds
12 Journal of Applied Mathematics
Input(1) circuit model 119872(2) initial condition 119879(3) an assertion 119860Output Boolean 119905119903119906119890 or 119891119886119897119904119890BEGIN
lowastStep 1 initialize input signals via testbench lowast(00) 119868119899119894119905119878119894119892119899119886119897119904()(01) M = 0PS
119860= 0 119867 = 0PS
119879= 0
lowastStep 2 build polynomial model lowast(02) M = ⟦119872⟧ = 119861119906119894119897119889PS(119872)
lowastStep 3 build polynomial set for initial condition 119879lowast
(03) 119875119878119879
= ⟦119879⟧ = 119861119906119894119897119889PS(119879)lowastStep 4 build polynomial set for consequentA lowast
(04) 119875119878119860
= ⟦119860⟧ = 119861119906119894119897119889PS(119860)lowastStep 5 calculate the PS
119879cup Mlowast
(05) 119867 = PST cup MlowastStep 6 calculate the Groebner base of ⟨119867⟩
lowast(06) GB
119867= 119892basis(119867 ≺)
lowastStep 7 determine the basis is 1 or not lowast(07) if(1 isin GB
119867)
(08) return 119891119886119897119904119890 lowastStep 8 check every polynomial lowastlowast119860 = 119886
1 1198862 119886
|119860|lowast
(09) 119894 = 1(10) 119908ℎ119894119897119890(119894 le |119860|)
(11) if(119903119890119898119889(⟦119886119894⟧ GB
119867) = 0)
(12) return 119891119886119897119904119890 (13) i++(14) lowast endwhile lowast(15) return 119905119903119906119890 lowast Assertion does hold lowastEND
Algorithm 1 ldquo119860119904119904119862ℎ119896119875119900119897119910119861119906119894119897119889(119872 119879 119860)rdquo
62 Checking Algorithm For simplicity in this section weonly provide the key decision algorithm
Firstly the original system model is transformed into anormal polynomial representation and the assertion as wellThen calculate the hypothesis set and its Groebner basisusing the Buchberger algorithm [18] and their eliminationideals Finally examine the inclusion relationship betweenelimination ideals to determine whether the assertion to bechecked holds or not
From above discussion we have the following processsteps and detailed algorithm description Algorithm 1
For convenience we can derive another version checkingprocedure named ldquo119860119904119904119862ℎ119896(⟦119872⟧ ⟦119860⟧)rdquo which can acceptpolynomial representations as inputs without explicit poly-nomial construction process
Further by applying Theorem 18 and the checking algo-rithm ldquo119860119904119904119862ℎ119896(⟦119872⟧ ⟦119860⟧)rdquo we can easily verify all sup-ported properties written in SVA
7 An Example
In this section we will study a classical circuit to show howSVA properties are verified by polynomial representation andalgebra computation method
Consider the Johnson counter circuit in Figure 3 Johnsoncounters can provide individual digit outputs rather than a
3 2 1
m1m2m3
m4clk
And
Andy
Figure 3 Johnson counter
Table 3 Table of Johnson counter output
Counter (clock) V3(1198983) V2(1198982) V1(1198981)
0 0 0 01 1 0 02 1 1 03 0 1 14 0 0 15 0 0 0
binary or BCD output as shown in Table 3 Notice that eachlegal count may be defined by the location of the last flip-flopto change states and which way it changed state
71 Algebraization of Circuit and Assertion Johnson counterprovides individual digit outputs as shown in Table 3
The polynomial set for Johnson counter circuit in Figure 3can be constructed as follows
119878119890119905adder = 1198911 = 11989831015840minus 1198984 1198912 = 1198982
1015840minus 1198983
1198913 = 11989811015840minus 1198982
1198914 = 1198984 minus (1 minus 1198981) lowast (1 minus 1198982)
1198915 = 119910 minus 1198981 lowast (1 minus 1198982)
(19)
where 11989811015840 denotes the next state of 1198981 For the 119894th cycle we
use 1199091[119894]to denote variable name in current cycle
Similarly another Johnson counter circuit with an erroris shown in Figure 4 the corresponding polynomial set canbe described by
119878119890119905adder = 1198911 1198912 1198913
11989141015840
= 1198984 + 1198981 + 1198982
minus (1 minus 1198981) lowast (1 minus 1198982) 1198915
(20)
Journal of Applied Mathematics 13
3 2 1
m1m2m3
m4clk
Or
Andy
Figure 4 Johnson counter with error
To illustrate the problem clearly we define polynomial setrepresentation 119875119872[119894] for 119894th cycle as follows
119875119872 [119894] = 1198983[119894+1]
minus 1198984[119894]
1198982[119894+1]
minus 1198983[119894]
1198981[119894+1]
minus 1198982[119894]
1198984[119894]
minus (1 minus 1198982[119894]
) lowast (1 minus 1198981[119894]
)
119910 minus 1198981[119894]
lowast (1 minus 1198982[119894]
)
(21)
Support that the circuit will run 6 cycles for verificationtherefore we have 119875119872 = ⋃
5
119894=0119875119872[119894]
For any Boolean variable 119886 we will add an extra con-straint 119886lowast119886minus119886Thus we define the corresponding constraintsset as follows 119862119873119878[119894] = 119888
[119894]lowast 119888[119894]
minus 119888[119894]
119888 isin 1198981 1198982 1198983 1198984
119910In the same manner we have 119862119873119878 = ⋃
5
119894=0119862119873119878[119894]
The sequential property for this counter circuit can bespecified by the following SystemVerilog assertions
property 119869119862119875119860
(1198983 = 0 ampamp 1198982 = 0 ampamp 1198981 = 0)
| =gt 1(1198983 == 1 ampamp 1198982 == 0 ampamp 1198981 == 0)
| =gt 2(1198983 == 1 ampamp 1198982 == 1 ampamp 1198981 == 0)
| =gt 3(1198983 == 0 ampamp 1198982 == 1 ampamp 1198981 ==
1)
endpropertyproperty 1198691198621198751
(119888119897119896)(1198981 == 0)| =gt 2 (1198981 == 0)
endpropertyproperty 1198691198621198752
(119888119897119896)(1198982 == 0)| =gt 2 (1198982 == 1)
endpropertyproperty 1198691198621198753
(119888119897119896)(1198983 == 0)| =gt 2 (1198983 == 1)
endproperty
Table 4 Polynomial forms
Name Precondition Expected consequent
JCPA
1198981[0]
1198982[0]
1198983[0]
cycle 1 1198981[1]
minus 1 1198982[1]
1198983[1]
cycle 2 1198981[2]
minus 1 1198982[2]
minus 1 1198983[2]
cycle 3 1198981[3]
1198982[3]
minus 1 1198983[3]
minus 1
JCP1 1198981[0]
1198981[2]
JCP2 1198982[0]
1198982[2]
minus 1
JCP3 1198983[0]
1198983[2]
minus 1
We will afterwards demonstrate the verification processstep by step
The circuit model to be verified is as shown below
119878119872 = 119875119872 cup 119862119873119878 (22)
The property of this counter can be specified as thefollowing SVA assertion
assert property (1198691198621198751)
assert property (1198691198621198752)
The Algebraization form of the above properties can bemodeled as in Table 4
72 Experiment Using Maple We run this example by usingMaple 13 Before running we manually translated all modelsinto polynomials The experiment is performed on a PC witha 240GHz CPU (intel i5M450) and 1024MB of memoryIt took about 004 seconds and 081MB of memory whenapplying Groebner method
[gtwith(Groebner)[gt 119862119872 = sdot sdot sdot
lowastCircuit Modellowast[gt 119879119863119864119866 = 119905119889119890119892(
1198981[0] 1198982[0] 1198983[0] 1198984[0]
1198981[1] 1198982[1] 1198983[1] 1198984[1]
1198981[2] 1198982[2] 1198983[2] 1198984[2]
1198981[3] 1198982[3] 1198983[3] 1198984[3]
1198981[4] 1198982[4] 1198983[4] 1198984[4]
119910[0] 119910[1] 119910[2] 119910[3]
)
[gt 119862119866119861 = 119861119886119904119894119904(119862119872 119879119863119864119866)
Thus we can have the Groebner basis as follows
[gt [1199101[3]
1199101[2]
1199101[1]
1199101[1]
1198983[4]
1198982[4]
1198981[4]
minus 1 1198984[3] 1198983[3] 1198982[3]
minus 1 1198981[3]
minus 11198984[2] 1198983[2]
minus 1 1198982[2]
minus 1 1198981[2] 1198984[1]
minus 11198983[1]
minus 11198982[1] 1198981[1] 1198984[0]
minus 1 1198983[0] 1198982[0] 1198981[0]
]
[gt 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983[1]
minus 1 119862119866119861 119879119863119864119866)
[gt 119903119890119905 = 0
14 Journal of Applied Mathematics
Table 5 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862119866119861
080M 002 S0
Yes1198982[1]
1 notin 119862119866119861 0
1198983[1]
minus 1 1 notin 119862119866119861 0
11198981[2]
1 notin 119862119866119861
081M 003 S0
Yes1198982[2]
minus 1 1 notin 119862119866119861 0
1198983[2]
minus 1 1 notin 119862119866119861 0
21198981[3]
minus 1 1 notin 119862119866119861
081M 004 S0
Yes1198982[3]
minus 1 1 notin 119862119866119861 0
1198983[3]
1 notin 119862119866119861 0
3 1198981[2]
1 notin 119862119866119861 081M 004 S 0 Yes4 1198982
[2] 1 notin 119862119866119861 081M 004 S 0 Yes
5 1198983[2]
1 notin 119862119866119861 081M 004 S 0 Yes
Table 6 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862GB080M 002 S
0
Yes1198982[1]
1 notin 119862GB 0
1198983[1]
minus 1 1 notin 119862GB 0
11198981[2]
1 notin 119862GB081M 003 S
0
Yes1198982[2]
minus 1 1 notin 119862GB 0
1198983[2]
minus 1 1 notin 119862GB 0
21198981[3]
minus 1 1 notin 119862GB081M 014 S
0
NO1198982[3]
minus 1 1 notin 119862GB 0
1198983[3]
1 notin 119862GB minus1
As shown in maple outputs the given circuit has beenmodeled as polynomial set119862119872 (itsGroebner bases is denotedby 119862119866119861) and assertion expected result as 1198983
[1]minus 1 From
the running result we have 1 notin 119862119866119861 and return valueof 119873119900119903119898119886119897119865119900119903119898 is 0 which means 119862119866119861 is divided with noremainder by 1198983
[1]minus 1
Thus from the previously mentioned verification princi-ples it is easy to conclude that the assertion 1198691198621198751 holds underthis circuit model after 3 cycles
More detailed experiment results for verification of cir-cuit shown in Figure 3 are listed in Table 5
Conversely we check these assertions against the circuitshown in Figure 4 in a similar way More detailed experimentresults are demonstrated in Table 6
From above table when checking 119869119862119875119860 assertion theresult 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983
[3] 119862119866119861 119879119863119864119866) = 0 so that
we can conclude the assertion does not holdTherefore theremust exist unexpected errors in the original circuit
This case is a fairly complete illustration of how thechecking algorithm works
8 Conclusion
In this paper we presented a new method for SVA prop-erties checking by using Groebner bases based symbolicalgebraic approaches To guarantee the feasibility we defined
a constrained subset of SVAs which is powerful enough forpractical purposes
We first introduce a notion of symbolic constant withoutany sequential information for handling local variables inSVAs inspired from STE We then proposed a practical alge-braizationmethod for each sequence operator For sequentialcircuits verification we introduce a parameterized polyno-mial set modeling method based on time frame expansion
Our approach is based on polynomial models construc-tion for both circuit models and SVA assertionsThis methodis to eventually translate a simulation based verificationproblem into a pure algebraic zero set determination problemby a series of proposed steps which can be performed on anygeneral symbolic algebraic tool
Thismethod allows users to deal withmore than one stateand many input combinations every cycle This advantagecomes directly from the fact that many vectors are simulatedat once using symbolic value
In summary in this research by suitable restrictions ofSVA assertions we can guarantee the availability of polyno-mial set representation Based on this polynomial set modelsymbolic simulation can be performed to produce symbolictraces and temporal relationship constraints of signal vari-ables as well We then apply symbolic algebra approach tocheck the zeros set relation between their polynomial sets anddetermine whether the temporal assertion holds or not undercurrent running cycle
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
The project is supported by the National Natural ScienceFoundation of China under Grant no 11371003 theNatural Science Foundation of Guangxi under Grantsnos 2011GXNSFA018154 2012GXNSFGA060003 and2013GXNSFAA019342 the Science and TechnologyFoundation of Guangxi under Grant no 10169-1 theScientific Research Project no 201012MS274 from GuangxiEducation Department the Fundamental Research Fundsfor the Central Universities under Grants nos DUT14QY05and HCIC201204 of Guangxi Key Laboratory of HybridComputation and IC Design Analysis Open Fund andthe Baguio scholarship Project of Guangxi The authorswould like to thank their colleagues for participating in theresearch They also appreciate the anonymous reviewers fortheir helpful comments
References
[1] IEEE System Verilog Working Group IEEE Standard forSystemVerilog C Unified Hardware Design Specification andVerification (IEEE Std 1800-2005) IEEE 2005
[2] ldquoIEEE draft standard for system verilogmdashunified hardware de-sign specification and verification languagerdquo IEEE P1800D32011
Journal of Applied Mathematics 15
[3] R Wille G Fey M Messing G Angst L Linhard and RDrechsler ldquoIdentifying a subset of SystemVerilog assertions forefficient bounded model checkingrdquo in Proceedings of the 11thEUROMICRO Conference on Digital System Design Architec-tures Methods and Tools (DSD rsquo08) pp 542ndash549 September2008
[4] L Darringer ldquoApplication of program verification techniques tohardware verificationrdquo in Proceedings of the IEEE-ACM DesignAutomation Conference pp 375ndash381 1979
[5] G S Avrunin ldquoSymbolic model checking using algebraicgeometryrdquo in Proceedings of the 8th International Conference onComputer Aided Verification vol CAV96 pp 26ndash37 SpringerLondon UK 1996
[6] W B Mao and J Z Wu ldquoApplication of Wus method to sym-bolic model checkingrdquo in Proceedings of the 2005 internationalSymposiumon Symbolic andAlgebraic Computation (ISSAC rsquo05)pp 237ndash244 ACM Press Beijing China 2005
[7] J Wu and L Zhao ldquoMulti-valued model checking via groebnerbasis approachrdquo in Proceedings of the 1st Joint IEEEIFIP Sympo-sium on Theoretical Aspects of Software Engineering (TASE rsquo07)pp 35ndash44 IEEE Computer Society Press June 2007
[8] N Zhou J Wu and X Gao ldquoAlgebraic verification method forSEREs properties via Groebner bases approachesrdquo Journal ofAppliedMathematics vol 2013 Article ID 272781 10 pages 2013
[9] X Gao N Zhou J Wu and D Li ldquoWursquos characteristic setmethod for SystemVerilog assertions verificationrdquo Journal ofApplied Mathematics vol 2013 Article ID 740194 14 pages2013
[10] J Little D Cox andD OrsquoShea Ideals Varieties and AlgorithmsSpringer New York NY USA 1992
[11] T Becker andVWeispfenningGrobner Bases AComputationalApproach to Commutative Algebra Springer New York NYUSA 1993
[12] B Buchberger ldquoGroebner bases an algorithmic method inpolynomial ideal theoryrdquo in Multidimensional Systems Theorypp 184ndash232 1985
[13] S B Akers ldquoBinary decision diagramsrdquo IEEE Transactions onComputers C vol 27 no 6 pp 509ndash516 1978
[14] S Hoereth and R Drechsler ldquoFormal verification of word-levelspecificationsrdquo in Proceedings of the Design Automation andTest in Europe Conference and Exhibition pp 52ndash58 MunichGermany 1999
[15] Y M Ryabukhin ldquoBoolean ringrdquo in Encyclopaedia of Mathe-matics Springer Michiel Germany 2001
[16] S Das R Mohanty P Dasgupta and P P Chakrabarti ldquoSynthe-sis of system verilog assertionsrdquo in Proceedings of the Conferenceon Design Automation and Test in Europe Designersrsquo Forum(DATE rsquo06) pp 70ndash75 European Design and AutomationAssociation Leuven Belgium March 2006
[17] C-J Seger and R E Bryant ldquoFormal verification by symbolicevaluation of partially-ordered trajectoriesrdquo Formal Methods inSystem Design vol 6 no 2 pp 147ndash190 1995
[18] D Cox J Little and D OrsquoShea Ideals Varieties and AlgorithmsAn Introduction to Computational Algebraic Geometry andCommutative Algebra Undergraduate Texts in MathematicsSpringer New York 3rd edition 2007
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
12 Journal of Applied Mathematics
Input(1) circuit model 119872(2) initial condition 119879(3) an assertion 119860Output Boolean 119905119903119906119890 or 119891119886119897119904119890BEGIN
lowastStep 1 initialize input signals via testbench lowast(00) 119868119899119894119905119878119894119892119899119886119897119904()(01) M = 0PS
119860= 0 119867 = 0PS
119879= 0
lowastStep 2 build polynomial model lowast(02) M = ⟦119872⟧ = 119861119906119894119897119889PS(119872)
lowastStep 3 build polynomial set for initial condition 119879lowast
(03) 119875119878119879
= ⟦119879⟧ = 119861119906119894119897119889PS(119879)lowastStep 4 build polynomial set for consequentA lowast
(04) 119875119878119860
= ⟦119860⟧ = 119861119906119894119897119889PS(119860)lowastStep 5 calculate the PS
119879cup Mlowast
(05) 119867 = PST cup MlowastStep 6 calculate the Groebner base of ⟨119867⟩
lowast(06) GB
119867= 119892basis(119867 ≺)
lowastStep 7 determine the basis is 1 or not lowast(07) if(1 isin GB
119867)
(08) return 119891119886119897119904119890 lowastStep 8 check every polynomial lowastlowast119860 = 119886
1 1198862 119886
|119860|lowast
(09) 119894 = 1(10) 119908ℎ119894119897119890(119894 le |119860|)
(11) if(119903119890119898119889(⟦119886119894⟧ GB
119867) = 0)
(12) return 119891119886119897119904119890 (13) i++(14) lowast endwhile lowast(15) return 119905119903119906119890 lowast Assertion does hold lowastEND
Algorithm 1 ldquo119860119904119904119862ℎ119896119875119900119897119910119861119906119894119897119889(119872 119879 119860)rdquo
62 Checking Algorithm For simplicity in this section weonly provide the key decision algorithm
Firstly the original system model is transformed into anormal polynomial representation and the assertion as wellThen calculate the hypothesis set and its Groebner basisusing the Buchberger algorithm [18] and their eliminationideals Finally examine the inclusion relationship betweenelimination ideals to determine whether the assertion to bechecked holds or not
From above discussion we have the following processsteps and detailed algorithm description Algorithm 1
For convenience we can derive another version checkingprocedure named ldquo119860119904119904119862ℎ119896(⟦119872⟧ ⟦119860⟧)rdquo which can acceptpolynomial representations as inputs without explicit poly-nomial construction process
Further by applying Theorem 18 and the checking algo-rithm ldquo119860119904119904119862ℎ119896(⟦119872⟧ ⟦119860⟧)rdquo we can easily verify all sup-ported properties written in SVA
7 An Example
In this section we will study a classical circuit to show howSVA properties are verified by polynomial representation andalgebra computation method
Consider the Johnson counter circuit in Figure 3 Johnsoncounters can provide individual digit outputs rather than a
3 2 1
m1m2m3
m4clk
And
Andy
Figure 3 Johnson counter
Table 3 Table of Johnson counter output
Counter (clock) V3(1198983) V2(1198982) V1(1198981)
0 0 0 01 1 0 02 1 1 03 0 1 14 0 0 15 0 0 0
binary or BCD output as shown in Table 3 Notice that eachlegal count may be defined by the location of the last flip-flopto change states and which way it changed state
71 Algebraization of Circuit and Assertion Johnson counterprovides individual digit outputs as shown in Table 3
The polynomial set for Johnson counter circuit in Figure 3can be constructed as follows
119878119890119905adder = 1198911 = 11989831015840minus 1198984 1198912 = 1198982
1015840minus 1198983
1198913 = 11989811015840minus 1198982
1198914 = 1198984 minus (1 minus 1198981) lowast (1 minus 1198982)
1198915 = 119910 minus 1198981 lowast (1 minus 1198982)
(19)
where 11989811015840 denotes the next state of 1198981 For the 119894th cycle we
use 1199091[119894]to denote variable name in current cycle
Similarly another Johnson counter circuit with an erroris shown in Figure 4 the corresponding polynomial set canbe described by
119878119890119905adder = 1198911 1198912 1198913
11989141015840
= 1198984 + 1198981 + 1198982
minus (1 minus 1198981) lowast (1 minus 1198982) 1198915
(20)
Journal of Applied Mathematics 13
3 2 1
m1m2m3
m4clk
Or
Andy
Figure 4 Johnson counter with error
To illustrate the problem clearly we define polynomial setrepresentation 119875119872[119894] for 119894th cycle as follows
119875119872 [119894] = 1198983[119894+1]
minus 1198984[119894]
1198982[119894+1]
minus 1198983[119894]
1198981[119894+1]
minus 1198982[119894]
1198984[119894]
minus (1 minus 1198982[119894]
) lowast (1 minus 1198981[119894]
)
119910 minus 1198981[119894]
lowast (1 minus 1198982[119894]
)
(21)
Support that the circuit will run 6 cycles for verificationtherefore we have 119875119872 = ⋃
5
119894=0119875119872[119894]
For any Boolean variable 119886 we will add an extra con-straint 119886lowast119886minus119886Thus we define the corresponding constraintsset as follows 119862119873119878[119894] = 119888
[119894]lowast 119888[119894]
minus 119888[119894]
119888 isin 1198981 1198982 1198983 1198984
119910In the same manner we have 119862119873119878 = ⋃
5
119894=0119862119873119878[119894]
The sequential property for this counter circuit can bespecified by the following SystemVerilog assertions
property 119869119862119875119860
(1198983 = 0 ampamp 1198982 = 0 ampamp 1198981 = 0)
| =gt 1(1198983 == 1 ampamp 1198982 == 0 ampamp 1198981 == 0)
| =gt 2(1198983 == 1 ampamp 1198982 == 1 ampamp 1198981 == 0)
| =gt 3(1198983 == 0 ampamp 1198982 == 1 ampamp 1198981 ==
1)
endpropertyproperty 1198691198621198751
(119888119897119896)(1198981 == 0)| =gt 2 (1198981 == 0)
endpropertyproperty 1198691198621198752
(119888119897119896)(1198982 == 0)| =gt 2 (1198982 == 1)
endpropertyproperty 1198691198621198753
(119888119897119896)(1198983 == 0)| =gt 2 (1198983 == 1)
endproperty
Table 4 Polynomial forms
Name Precondition Expected consequent
JCPA
1198981[0]
1198982[0]
1198983[0]
cycle 1 1198981[1]
minus 1 1198982[1]
1198983[1]
cycle 2 1198981[2]
minus 1 1198982[2]
minus 1 1198983[2]
cycle 3 1198981[3]
1198982[3]
minus 1 1198983[3]
minus 1
JCP1 1198981[0]
1198981[2]
JCP2 1198982[0]
1198982[2]
minus 1
JCP3 1198983[0]
1198983[2]
minus 1
We will afterwards demonstrate the verification processstep by step
The circuit model to be verified is as shown below
119878119872 = 119875119872 cup 119862119873119878 (22)
The property of this counter can be specified as thefollowing SVA assertion
assert property (1198691198621198751)
assert property (1198691198621198752)
The Algebraization form of the above properties can bemodeled as in Table 4
72 Experiment Using Maple We run this example by usingMaple 13 Before running we manually translated all modelsinto polynomials The experiment is performed on a PC witha 240GHz CPU (intel i5M450) and 1024MB of memoryIt took about 004 seconds and 081MB of memory whenapplying Groebner method
[gtwith(Groebner)[gt 119862119872 = sdot sdot sdot
lowastCircuit Modellowast[gt 119879119863119864119866 = 119905119889119890119892(
1198981[0] 1198982[0] 1198983[0] 1198984[0]
1198981[1] 1198982[1] 1198983[1] 1198984[1]
1198981[2] 1198982[2] 1198983[2] 1198984[2]
1198981[3] 1198982[3] 1198983[3] 1198984[3]
1198981[4] 1198982[4] 1198983[4] 1198984[4]
119910[0] 119910[1] 119910[2] 119910[3]
)
[gt 119862119866119861 = 119861119886119904119894119904(119862119872 119879119863119864119866)
Thus we can have the Groebner basis as follows
[gt [1199101[3]
1199101[2]
1199101[1]
1199101[1]
1198983[4]
1198982[4]
1198981[4]
minus 1 1198984[3] 1198983[3] 1198982[3]
minus 1 1198981[3]
minus 11198984[2] 1198983[2]
minus 1 1198982[2]
minus 1 1198981[2] 1198984[1]
minus 11198983[1]
minus 11198982[1] 1198981[1] 1198984[0]
minus 1 1198983[0] 1198982[0] 1198981[0]
]
[gt 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983[1]
minus 1 119862119866119861 119879119863119864119866)
[gt 119903119890119905 = 0
14 Journal of Applied Mathematics
Table 5 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862119866119861
080M 002 S0
Yes1198982[1]
1 notin 119862119866119861 0
1198983[1]
minus 1 1 notin 119862119866119861 0
11198981[2]
1 notin 119862119866119861
081M 003 S0
Yes1198982[2]
minus 1 1 notin 119862119866119861 0
1198983[2]
minus 1 1 notin 119862119866119861 0
21198981[3]
minus 1 1 notin 119862119866119861
081M 004 S0
Yes1198982[3]
minus 1 1 notin 119862119866119861 0
1198983[3]
1 notin 119862119866119861 0
3 1198981[2]
1 notin 119862119866119861 081M 004 S 0 Yes4 1198982
[2] 1 notin 119862119866119861 081M 004 S 0 Yes
5 1198983[2]
1 notin 119862119866119861 081M 004 S 0 Yes
Table 6 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862GB080M 002 S
0
Yes1198982[1]
1 notin 119862GB 0
1198983[1]
minus 1 1 notin 119862GB 0
11198981[2]
1 notin 119862GB081M 003 S
0
Yes1198982[2]
minus 1 1 notin 119862GB 0
1198983[2]
minus 1 1 notin 119862GB 0
21198981[3]
minus 1 1 notin 119862GB081M 014 S
0
NO1198982[3]
minus 1 1 notin 119862GB 0
1198983[3]
1 notin 119862GB minus1
As shown in maple outputs the given circuit has beenmodeled as polynomial set119862119872 (itsGroebner bases is denotedby 119862119866119861) and assertion expected result as 1198983
[1]minus 1 From
the running result we have 1 notin 119862119866119861 and return valueof 119873119900119903119898119886119897119865119900119903119898 is 0 which means 119862119866119861 is divided with noremainder by 1198983
[1]minus 1
Thus from the previously mentioned verification princi-ples it is easy to conclude that the assertion 1198691198621198751 holds underthis circuit model after 3 cycles
More detailed experiment results for verification of cir-cuit shown in Figure 3 are listed in Table 5
Conversely we check these assertions against the circuitshown in Figure 4 in a similar way More detailed experimentresults are demonstrated in Table 6
From above table when checking 119869119862119875119860 assertion theresult 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983
[3] 119862119866119861 119879119863119864119866) = 0 so that
we can conclude the assertion does not holdTherefore theremust exist unexpected errors in the original circuit
This case is a fairly complete illustration of how thechecking algorithm works
8 Conclusion
In this paper we presented a new method for SVA prop-erties checking by using Groebner bases based symbolicalgebraic approaches To guarantee the feasibility we defined
a constrained subset of SVAs which is powerful enough forpractical purposes
We first introduce a notion of symbolic constant withoutany sequential information for handling local variables inSVAs inspired from STE We then proposed a practical alge-braizationmethod for each sequence operator For sequentialcircuits verification we introduce a parameterized polyno-mial set modeling method based on time frame expansion
Our approach is based on polynomial models construc-tion for both circuit models and SVA assertionsThis methodis to eventually translate a simulation based verificationproblem into a pure algebraic zero set determination problemby a series of proposed steps which can be performed on anygeneral symbolic algebraic tool
Thismethod allows users to deal withmore than one stateand many input combinations every cycle This advantagecomes directly from the fact that many vectors are simulatedat once using symbolic value
In summary in this research by suitable restrictions ofSVA assertions we can guarantee the availability of polyno-mial set representation Based on this polynomial set modelsymbolic simulation can be performed to produce symbolictraces and temporal relationship constraints of signal vari-ables as well We then apply symbolic algebra approach tocheck the zeros set relation between their polynomial sets anddetermine whether the temporal assertion holds or not undercurrent running cycle
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
The project is supported by the National Natural ScienceFoundation of China under Grant no 11371003 theNatural Science Foundation of Guangxi under Grantsnos 2011GXNSFA018154 2012GXNSFGA060003 and2013GXNSFAA019342 the Science and TechnologyFoundation of Guangxi under Grant no 10169-1 theScientific Research Project no 201012MS274 from GuangxiEducation Department the Fundamental Research Fundsfor the Central Universities under Grants nos DUT14QY05and HCIC201204 of Guangxi Key Laboratory of HybridComputation and IC Design Analysis Open Fund andthe Baguio scholarship Project of Guangxi The authorswould like to thank their colleagues for participating in theresearch They also appreciate the anonymous reviewers fortheir helpful comments
References
[1] IEEE System Verilog Working Group IEEE Standard forSystemVerilog C Unified Hardware Design Specification andVerification (IEEE Std 1800-2005) IEEE 2005
[2] ldquoIEEE draft standard for system verilogmdashunified hardware de-sign specification and verification languagerdquo IEEE P1800D32011
Journal of Applied Mathematics 15
[3] R Wille G Fey M Messing G Angst L Linhard and RDrechsler ldquoIdentifying a subset of SystemVerilog assertions forefficient bounded model checkingrdquo in Proceedings of the 11thEUROMICRO Conference on Digital System Design Architec-tures Methods and Tools (DSD rsquo08) pp 542ndash549 September2008
[4] L Darringer ldquoApplication of program verification techniques tohardware verificationrdquo in Proceedings of the IEEE-ACM DesignAutomation Conference pp 375ndash381 1979
[5] G S Avrunin ldquoSymbolic model checking using algebraicgeometryrdquo in Proceedings of the 8th International Conference onComputer Aided Verification vol CAV96 pp 26ndash37 SpringerLondon UK 1996
[6] W B Mao and J Z Wu ldquoApplication of Wus method to sym-bolic model checkingrdquo in Proceedings of the 2005 internationalSymposiumon Symbolic andAlgebraic Computation (ISSAC rsquo05)pp 237ndash244 ACM Press Beijing China 2005
[7] J Wu and L Zhao ldquoMulti-valued model checking via groebnerbasis approachrdquo in Proceedings of the 1st Joint IEEEIFIP Sympo-sium on Theoretical Aspects of Software Engineering (TASE rsquo07)pp 35ndash44 IEEE Computer Society Press June 2007
[8] N Zhou J Wu and X Gao ldquoAlgebraic verification method forSEREs properties via Groebner bases approachesrdquo Journal ofAppliedMathematics vol 2013 Article ID 272781 10 pages 2013
[9] X Gao N Zhou J Wu and D Li ldquoWursquos characteristic setmethod for SystemVerilog assertions verificationrdquo Journal ofApplied Mathematics vol 2013 Article ID 740194 14 pages2013
[10] J Little D Cox andD OrsquoShea Ideals Varieties and AlgorithmsSpringer New York NY USA 1992
[11] T Becker andVWeispfenningGrobner Bases AComputationalApproach to Commutative Algebra Springer New York NYUSA 1993
[12] B Buchberger ldquoGroebner bases an algorithmic method inpolynomial ideal theoryrdquo in Multidimensional Systems Theorypp 184ndash232 1985
[13] S B Akers ldquoBinary decision diagramsrdquo IEEE Transactions onComputers C vol 27 no 6 pp 509ndash516 1978
[14] S Hoereth and R Drechsler ldquoFormal verification of word-levelspecificationsrdquo in Proceedings of the Design Automation andTest in Europe Conference and Exhibition pp 52ndash58 MunichGermany 1999
[15] Y M Ryabukhin ldquoBoolean ringrdquo in Encyclopaedia of Mathe-matics Springer Michiel Germany 2001
[16] S Das R Mohanty P Dasgupta and P P Chakrabarti ldquoSynthe-sis of system verilog assertionsrdquo in Proceedings of the Conferenceon Design Automation and Test in Europe Designersrsquo Forum(DATE rsquo06) pp 70ndash75 European Design and AutomationAssociation Leuven Belgium March 2006
[17] C-J Seger and R E Bryant ldquoFormal verification by symbolicevaluation of partially-ordered trajectoriesrdquo Formal Methods inSystem Design vol 6 no 2 pp 147ndash190 1995
[18] D Cox J Little and D OrsquoShea Ideals Varieties and AlgorithmsAn Introduction to Computational Algebraic Geometry andCommutative Algebra Undergraduate Texts in MathematicsSpringer New York 3rd edition 2007
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Journal of Applied Mathematics 13
3 2 1
m1m2m3
m4clk
Or
Andy
Figure 4 Johnson counter with error
To illustrate the problem clearly we define polynomial setrepresentation 119875119872[119894] for 119894th cycle as follows
119875119872 [119894] = 1198983[119894+1]
minus 1198984[119894]
1198982[119894+1]
minus 1198983[119894]
1198981[119894+1]
minus 1198982[119894]
1198984[119894]
minus (1 minus 1198982[119894]
) lowast (1 minus 1198981[119894]
)
119910 minus 1198981[119894]
lowast (1 minus 1198982[119894]
)
(21)
Support that the circuit will run 6 cycles for verificationtherefore we have 119875119872 = ⋃
5
119894=0119875119872[119894]
For any Boolean variable 119886 we will add an extra con-straint 119886lowast119886minus119886Thus we define the corresponding constraintsset as follows 119862119873119878[119894] = 119888
[119894]lowast 119888[119894]
minus 119888[119894]
119888 isin 1198981 1198982 1198983 1198984
119910In the same manner we have 119862119873119878 = ⋃
5
119894=0119862119873119878[119894]
The sequential property for this counter circuit can bespecified by the following SystemVerilog assertions
property 119869119862119875119860
(1198983 = 0 ampamp 1198982 = 0 ampamp 1198981 = 0)
| =gt 1(1198983 == 1 ampamp 1198982 == 0 ampamp 1198981 == 0)
| =gt 2(1198983 == 1 ampamp 1198982 == 1 ampamp 1198981 == 0)
| =gt 3(1198983 == 0 ampamp 1198982 == 1 ampamp 1198981 ==
1)
endpropertyproperty 1198691198621198751
(119888119897119896)(1198981 == 0)| =gt 2 (1198981 == 0)
endpropertyproperty 1198691198621198752
(119888119897119896)(1198982 == 0)| =gt 2 (1198982 == 1)
endpropertyproperty 1198691198621198753
(119888119897119896)(1198983 == 0)| =gt 2 (1198983 == 1)
endproperty
Table 4 Polynomial forms
Name Precondition Expected consequent
JCPA
1198981[0]
1198982[0]
1198983[0]
cycle 1 1198981[1]
minus 1 1198982[1]
1198983[1]
cycle 2 1198981[2]
minus 1 1198982[2]
minus 1 1198983[2]
cycle 3 1198981[3]
1198982[3]
minus 1 1198983[3]
minus 1
JCP1 1198981[0]
1198981[2]
JCP2 1198982[0]
1198982[2]
minus 1
JCP3 1198983[0]
1198983[2]
minus 1
We will afterwards demonstrate the verification processstep by step
The circuit model to be verified is as shown below
119878119872 = 119875119872 cup 119862119873119878 (22)
The property of this counter can be specified as thefollowing SVA assertion
assert property (1198691198621198751)
assert property (1198691198621198752)
The Algebraization form of the above properties can bemodeled as in Table 4
72 Experiment Using Maple We run this example by usingMaple 13 Before running we manually translated all modelsinto polynomials The experiment is performed on a PC witha 240GHz CPU (intel i5M450) and 1024MB of memoryIt took about 004 seconds and 081MB of memory whenapplying Groebner method
[gtwith(Groebner)[gt 119862119872 = sdot sdot sdot
lowastCircuit Modellowast[gt 119879119863119864119866 = 119905119889119890119892(
1198981[0] 1198982[0] 1198983[0] 1198984[0]
1198981[1] 1198982[1] 1198983[1] 1198984[1]
1198981[2] 1198982[2] 1198983[2] 1198984[2]
1198981[3] 1198982[3] 1198983[3] 1198984[3]
1198981[4] 1198982[4] 1198983[4] 1198984[4]
119910[0] 119910[1] 119910[2] 119910[3]
)
[gt 119862119866119861 = 119861119886119904119894119904(119862119872 119879119863119864119866)
Thus we can have the Groebner basis as follows
[gt [1199101[3]
1199101[2]
1199101[1]
1199101[1]
1198983[4]
1198982[4]
1198981[4]
minus 1 1198984[3] 1198983[3] 1198982[3]
minus 1 1198981[3]
minus 11198984[2] 1198983[2]
minus 1 1198982[2]
minus 1 1198981[2] 1198984[1]
minus 11198983[1]
minus 11198982[1] 1198981[1] 1198984[0]
minus 1 1198983[0] 1198982[0] 1198981[0]
]
[gt 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983[1]
minus 1 119862119866119861 119879119863119864119866)
[gt 119903119890119905 = 0
14 Journal of Applied Mathematics
Table 5 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862119866119861
080M 002 S0
Yes1198982[1]
1 notin 119862119866119861 0
1198983[1]
minus 1 1 notin 119862119866119861 0
11198981[2]
1 notin 119862119866119861
081M 003 S0
Yes1198982[2]
minus 1 1 notin 119862119866119861 0
1198983[2]
minus 1 1 notin 119862119866119861 0
21198981[3]
minus 1 1 notin 119862119866119861
081M 004 S0
Yes1198982[3]
minus 1 1 notin 119862119866119861 0
1198983[3]
1 notin 119862119866119861 0
3 1198981[2]
1 notin 119862119866119861 081M 004 S 0 Yes4 1198982
[2] 1 notin 119862119866119861 081M 004 S 0 Yes
5 1198983[2]
1 notin 119862119866119861 081M 004 S 0 Yes
Table 6 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862GB080M 002 S
0
Yes1198982[1]
1 notin 119862GB 0
1198983[1]
minus 1 1 notin 119862GB 0
11198981[2]
1 notin 119862GB081M 003 S
0
Yes1198982[2]
minus 1 1 notin 119862GB 0
1198983[2]
minus 1 1 notin 119862GB 0
21198981[3]
minus 1 1 notin 119862GB081M 014 S
0
NO1198982[3]
minus 1 1 notin 119862GB 0
1198983[3]
1 notin 119862GB minus1
As shown in maple outputs the given circuit has beenmodeled as polynomial set119862119872 (itsGroebner bases is denotedby 119862119866119861) and assertion expected result as 1198983
[1]minus 1 From
the running result we have 1 notin 119862119866119861 and return valueof 119873119900119903119898119886119897119865119900119903119898 is 0 which means 119862119866119861 is divided with noremainder by 1198983
[1]minus 1
Thus from the previously mentioned verification princi-ples it is easy to conclude that the assertion 1198691198621198751 holds underthis circuit model after 3 cycles
More detailed experiment results for verification of cir-cuit shown in Figure 3 are listed in Table 5
Conversely we check these assertions against the circuitshown in Figure 4 in a similar way More detailed experimentresults are demonstrated in Table 6
From above table when checking 119869119862119875119860 assertion theresult 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983
[3] 119862119866119861 119879119863119864119866) = 0 so that
we can conclude the assertion does not holdTherefore theremust exist unexpected errors in the original circuit
This case is a fairly complete illustration of how thechecking algorithm works
8 Conclusion
In this paper we presented a new method for SVA prop-erties checking by using Groebner bases based symbolicalgebraic approaches To guarantee the feasibility we defined
a constrained subset of SVAs which is powerful enough forpractical purposes
We first introduce a notion of symbolic constant withoutany sequential information for handling local variables inSVAs inspired from STE We then proposed a practical alge-braizationmethod for each sequence operator For sequentialcircuits verification we introduce a parameterized polyno-mial set modeling method based on time frame expansion
Our approach is based on polynomial models construc-tion for both circuit models and SVA assertionsThis methodis to eventually translate a simulation based verificationproblem into a pure algebraic zero set determination problemby a series of proposed steps which can be performed on anygeneral symbolic algebraic tool
Thismethod allows users to deal withmore than one stateand many input combinations every cycle This advantagecomes directly from the fact that many vectors are simulatedat once using symbolic value
In summary in this research by suitable restrictions ofSVA assertions we can guarantee the availability of polyno-mial set representation Based on this polynomial set modelsymbolic simulation can be performed to produce symbolictraces and temporal relationship constraints of signal vari-ables as well We then apply symbolic algebra approach tocheck the zeros set relation between their polynomial sets anddetermine whether the temporal assertion holds or not undercurrent running cycle
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
The project is supported by the National Natural ScienceFoundation of China under Grant no 11371003 theNatural Science Foundation of Guangxi under Grantsnos 2011GXNSFA018154 2012GXNSFGA060003 and2013GXNSFAA019342 the Science and TechnologyFoundation of Guangxi under Grant no 10169-1 theScientific Research Project no 201012MS274 from GuangxiEducation Department the Fundamental Research Fundsfor the Central Universities under Grants nos DUT14QY05and HCIC201204 of Guangxi Key Laboratory of HybridComputation and IC Design Analysis Open Fund andthe Baguio scholarship Project of Guangxi The authorswould like to thank their colleagues for participating in theresearch They also appreciate the anonymous reviewers fortheir helpful comments
References
[1] IEEE System Verilog Working Group IEEE Standard forSystemVerilog C Unified Hardware Design Specification andVerification (IEEE Std 1800-2005) IEEE 2005
[2] ldquoIEEE draft standard for system verilogmdashunified hardware de-sign specification and verification languagerdquo IEEE P1800D32011
Journal of Applied Mathematics 15
[3] R Wille G Fey M Messing G Angst L Linhard and RDrechsler ldquoIdentifying a subset of SystemVerilog assertions forefficient bounded model checkingrdquo in Proceedings of the 11thEUROMICRO Conference on Digital System Design Architec-tures Methods and Tools (DSD rsquo08) pp 542ndash549 September2008
[4] L Darringer ldquoApplication of program verification techniques tohardware verificationrdquo in Proceedings of the IEEE-ACM DesignAutomation Conference pp 375ndash381 1979
[5] G S Avrunin ldquoSymbolic model checking using algebraicgeometryrdquo in Proceedings of the 8th International Conference onComputer Aided Verification vol CAV96 pp 26ndash37 SpringerLondon UK 1996
[6] W B Mao and J Z Wu ldquoApplication of Wus method to sym-bolic model checkingrdquo in Proceedings of the 2005 internationalSymposiumon Symbolic andAlgebraic Computation (ISSAC rsquo05)pp 237ndash244 ACM Press Beijing China 2005
[7] J Wu and L Zhao ldquoMulti-valued model checking via groebnerbasis approachrdquo in Proceedings of the 1st Joint IEEEIFIP Sympo-sium on Theoretical Aspects of Software Engineering (TASE rsquo07)pp 35ndash44 IEEE Computer Society Press June 2007
[8] N Zhou J Wu and X Gao ldquoAlgebraic verification method forSEREs properties via Groebner bases approachesrdquo Journal ofAppliedMathematics vol 2013 Article ID 272781 10 pages 2013
[9] X Gao N Zhou J Wu and D Li ldquoWursquos characteristic setmethod for SystemVerilog assertions verificationrdquo Journal ofApplied Mathematics vol 2013 Article ID 740194 14 pages2013
[10] J Little D Cox andD OrsquoShea Ideals Varieties and AlgorithmsSpringer New York NY USA 1992
[11] T Becker andVWeispfenningGrobner Bases AComputationalApproach to Commutative Algebra Springer New York NYUSA 1993
[12] B Buchberger ldquoGroebner bases an algorithmic method inpolynomial ideal theoryrdquo in Multidimensional Systems Theorypp 184ndash232 1985
[13] S B Akers ldquoBinary decision diagramsrdquo IEEE Transactions onComputers C vol 27 no 6 pp 509ndash516 1978
[14] S Hoereth and R Drechsler ldquoFormal verification of word-levelspecificationsrdquo in Proceedings of the Design Automation andTest in Europe Conference and Exhibition pp 52ndash58 MunichGermany 1999
[15] Y M Ryabukhin ldquoBoolean ringrdquo in Encyclopaedia of Mathe-matics Springer Michiel Germany 2001
[16] S Das R Mohanty P Dasgupta and P P Chakrabarti ldquoSynthe-sis of system verilog assertionsrdquo in Proceedings of the Conferenceon Design Automation and Test in Europe Designersrsquo Forum(DATE rsquo06) pp 70ndash75 European Design and AutomationAssociation Leuven Belgium March 2006
[17] C-J Seger and R E Bryant ldquoFormal verification by symbolicevaluation of partially-ordered trajectoriesrdquo Formal Methods inSystem Design vol 6 no 2 pp 147ndash190 1995
[18] D Cox J Little and D OrsquoShea Ideals Varieties and AlgorithmsAn Introduction to Computational Algebraic Geometry andCommutative Algebra Undergraduate Texts in MathematicsSpringer New York 3rd edition 2007
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
14 Journal of Applied Mathematics
Table 5 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862119866119861
080M 002 S0
Yes1198982[1]
1 notin 119862119866119861 0
1198983[1]
minus 1 1 notin 119862119866119861 0
11198981[2]
1 notin 119862119866119861
081M 003 S0
Yes1198982[2]
minus 1 1 notin 119862119866119861 0
1198983[2]
minus 1 1 notin 119862119866119861 0
21198981[3]
minus 1 1 notin 119862119866119861
081M 004 S0
Yes1198982[3]
minus 1 1 notin 119862119866119861 0
1198983[3]
1 notin 119862119866119861 0
3 1198981[2]
1 notin 119862119866119861 081M 004 S 0 Yes4 1198982
[2] 1 notin 119862119866119861 081M 004 S 0 Yes
5 1198983[2]
1 notin 119862119866119861 081M 004 S 0 Yes
Table 6 Computation result table
Number Polynomial GBase Mem Time Return Result
01198981[1]
1 notin 119862GB080M 002 S
0
Yes1198982[1]
1 notin 119862GB 0
1198983[1]
minus 1 1 notin 119862GB 0
11198981[2]
1 notin 119862GB081M 003 S
0
Yes1198982[2]
minus 1 1 notin 119862GB 0
1198983[2]
minus 1 1 notin 119862GB 0
21198981[3]
minus 1 1 notin 119862GB081M 014 S
0
NO1198982[3]
minus 1 1 notin 119862GB 0
1198983[3]
1 notin 119862GB minus1
As shown in maple outputs the given circuit has beenmodeled as polynomial set119862119872 (itsGroebner bases is denotedby 119862119866119861) and assertion expected result as 1198983
[1]minus 1 From
the running result we have 1 notin 119862119866119861 and return valueof 119873119900119903119898119886119897119865119900119903119898 is 0 which means 119862119866119861 is divided with noremainder by 1198983
[1]minus 1
Thus from the previously mentioned verification princi-ples it is easy to conclude that the assertion 1198691198621198751 holds underthis circuit model after 3 cycles
More detailed experiment results for verification of cir-cuit shown in Figure 3 are listed in Table 5
Conversely we check these assertions against the circuitshown in Figure 4 in a similar way More detailed experimentresults are demonstrated in Table 6
From above table when checking 119869119862119875119860 assertion theresult 119903119890119905 = 119873119900119903119898119886119897119865119900119903119898(1198983
[3] 119862119866119861 119879119863119864119866) = 0 so that
we can conclude the assertion does not holdTherefore theremust exist unexpected errors in the original circuit
This case is a fairly complete illustration of how thechecking algorithm works
8 Conclusion
In this paper we presented a new method for SVA prop-erties checking by using Groebner bases based symbolicalgebraic approaches To guarantee the feasibility we defined
a constrained subset of SVAs which is powerful enough forpractical purposes
We first introduce a notion of symbolic constant withoutany sequential information for handling local variables inSVAs inspired from STE We then proposed a practical alge-braizationmethod for each sequence operator For sequentialcircuits verification we introduce a parameterized polyno-mial set modeling method based on time frame expansion
Our approach is based on polynomial models construc-tion for both circuit models and SVA assertionsThis methodis to eventually translate a simulation based verificationproblem into a pure algebraic zero set determination problemby a series of proposed steps which can be performed on anygeneral symbolic algebraic tool
Thismethod allows users to deal withmore than one stateand many input combinations every cycle This advantagecomes directly from the fact that many vectors are simulatedat once using symbolic value
In summary in this research by suitable restrictions ofSVA assertions we can guarantee the availability of polyno-mial set representation Based on this polynomial set modelsymbolic simulation can be performed to produce symbolictraces and temporal relationship constraints of signal vari-ables as well We then apply symbolic algebra approach tocheck the zeros set relation between their polynomial sets anddetermine whether the temporal assertion holds or not undercurrent running cycle
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
The project is supported by the National Natural ScienceFoundation of China under Grant no 11371003 theNatural Science Foundation of Guangxi under Grantsnos 2011GXNSFA018154 2012GXNSFGA060003 and2013GXNSFAA019342 the Science and TechnologyFoundation of Guangxi under Grant no 10169-1 theScientific Research Project no 201012MS274 from GuangxiEducation Department the Fundamental Research Fundsfor the Central Universities under Grants nos DUT14QY05and HCIC201204 of Guangxi Key Laboratory of HybridComputation and IC Design Analysis Open Fund andthe Baguio scholarship Project of Guangxi The authorswould like to thank their colleagues for participating in theresearch They also appreciate the anonymous reviewers fortheir helpful comments
References
[1] IEEE System Verilog Working Group IEEE Standard forSystemVerilog C Unified Hardware Design Specification andVerification (IEEE Std 1800-2005) IEEE 2005
[2] ldquoIEEE draft standard for system verilogmdashunified hardware de-sign specification and verification languagerdquo IEEE P1800D32011
Journal of Applied Mathematics 15
[3] R Wille G Fey M Messing G Angst L Linhard and RDrechsler ldquoIdentifying a subset of SystemVerilog assertions forefficient bounded model checkingrdquo in Proceedings of the 11thEUROMICRO Conference on Digital System Design Architec-tures Methods and Tools (DSD rsquo08) pp 542ndash549 September2008
[4] L Darringer ldquoApplication of program verification techniques tohardware verificationrdquo in Proceedings of the IEEE-ACM DesignAutomation Conference pp 375ndash381 1979
[5] G S Avrunin ldquoSymbolic model checking using algebraicgeometryrdquo in Proceedings of the 8th International Conference onComputer Aided Verification vol CAV96 pp 26ndash37 SpringerLondon UK 1996
[6] W B Mao and J Z Wu ldquoApplication of Wus method to sym-bolic model checkingrdquo in Proceedings of the 2005 internationalSymposiumon Symbolic andAlgebraic Computation (ISSAC rsquo05)pp 237ndash244 ACM Press Beijing China 2005
[7] J Wu and L Zhao ldquoMulti-valued model checking via groebnerbasis approachrdquo in Proceedings of the 1st Joint IEEEIFIP Sympo-sium on Theoretical Aspects of Software Engineering (TASE rsquo07)pp 35ndash44 IEEE Computer Society Press June 2007
[8] N Zhou J Wu and X Gao ldquoAlgebraic verification method forSEREs properties via Groebner bases approachesrdquo Journal ofAppliedMathematics vol 2013 Article ID 272781 10 pages 2013
[9] X Gao N Zhou J Wu and D Li ldquoWursquos characteristic setmethod for SystemVerilog assertions verificationrdquo Journal ofApplied Mathematics vol 2013 Article ID 740194 14 pages2013
[10] J Little D Cox andD OrsquoShea Ideals Varieties and AlgorithmsSpringer New York NY USA 1992
[11] T Becker andVWeispfenningGrobner Bases AComputationalApproach to Commutative Algebra Springer New York NYUSA 1993
[12] B Buchberger ldquoGroebner bases an algorithmic method inpolynomial ideal theoryrdquo in Multidimensional Systems Theorypp 184ndash232 1985
[13] S B Akers ldquoBinary decision diagramsrdquo IEEE Transactions onComputers C vol 27 no 6 pp 509ndash516 1978
[14] S Hoereth and R Drechsler ldquoFormal verification of word-levelspecificationsrdquo in Proceedings of the Design Automation andTest in Europe Conference and Exhibition pp 52ndash58 MunichGermany 1999
[15] Y M Ryabukhin ldquoBoolean ringrdquo in Encyclopaedia of Mathe-matics Springer Michiel Germany 2001
[16] S Das R Mohanty P Dasgupta and P P Chakrabarti ldquoSynthe-sis of system verilog assertionsrdquo in Proceedings of the Conferenceon Design Automation and Test in Europe Designersrsquo Forum(DATE rsquo06) pp 70ndash75 European Design and AutomationAssociation Leuven Belgium March 2006
[17] C-J Seger and R E Bryant ldquoFormal verification by symbolicevaluation of partially-ordered trajectoriesrdquo Formal Methods inSystem Design vol 6 no 2 pp 147ndash190 1995
[18] D Cox J Little and D OrsquoShea Ideals Varieties and AlgorithmsAn Introduction to Computational Algebraic Geometry andCommutative Algebra Undergraduate Texts in MathematicsSpringer New York 3rd edition 2007
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Journal of Applied Mathematics 15
[3] R Wille G Fey M Messing G Angst L Linhard and RDrechsler ldquoIdentifying a subset of SystemVerilog assertions forefficient bounded model checkingrdquo in Proceedings of the 11thEUROMICRO Conference on Digital System Design Architec-tures Methods and Tools (DSD rsquo08) pp 542ndash549 September2008
[4] L Darringer ldquoApplication of program verification techniques tohardware verificationrdquo in Proceedings of the IEEE-ACM DesignAutomation Conference pp 375ndash381 1979
[5] G S Avrunin ldquoSymbolic model checking using algebraicgeometryrdquo in Proceedings of the 8th International Conference onComputer Aided Verification vol CAV96 pp 26ndash37 SpringerLondon UK 1996
[6] W B Mao and J Z Wu ldquoApplication of Wus method to sym-bolic model checkingrdquo in Proceedings of the 2005 internationalSymposiumon Symbolic andAlgebraic Computation (ISSAC rsquo05)pp 237ndash244 ACM Press Beijing China 2005
[7] J Wu and L Zhao ldquoMulti-valued model checking via groebnerbasis approachrdquo in Proceedings of the 1st Joint IEEEIFIP Sympo-sium on Theoretical Aspects of Software Engineering (TASE rsquo07)pp 35ndash44 IEEE Computer Society Press June 2007
[8] N Zhou J Wu and X Gao ldquoAlgebraic verification method forSEREs properties via Groebner bases approachesrdquo Journal ofAppliedMathematics vol 2013 Article ID 272781 10 pages 2013
[9] X Gao N Zhou J Wu and D Li ldquoWursquos characteristic setmethod for SystemVerilog assertions verificationrdquo Journal ofApplied Mathematics vol 2013 Article ID 740194 14 pages2013
[10] J Little D Cox andD OrsquoShea Ideals Varieties and AlgorithmsSpringer New York NY USA 1992
[11] T Becker andVWeispfenningGrobner Bases AComputationalApproach to Commutative Algebra Springer New York NYUSA 1993
[12] B Buchberger ldquoGroebner bases an algorithmic method inpolynomial ideal theoryrdquo in Multidimensional Systems Theorypp 184ndash232 1985
[13] S B Akers ldquoBinary decision diagramsrdquo IEEE Transactions onComputers C vol 27 no 6 pp 509ndash516 1978
[14] S Hoereth and R Drechsler ldquoFormal verification of word-levelspecificationsrdquo in Proceedings of the Design Automation andTest in Europe Conference and Exhibition pp 52ndash58 MunichGermany 1999
[15] Y M Ryabukhin ldquoBoolean ringrdquo in Encyclopaedia of Mathe-matics Springer Michiel Germany 2001
[16] S Das R Mohanty P Dasgupta and P P Chakrabarti ldquoSynthe-sis of system verilog assertionsrdquo in Proceedings of the Conferenceon Design Automation and Test in Europe Designersrsquo Forum(DATE rsquo06) pp 70ndash75 European Design and AutomationAssociation Leuven Belgium March 2006
[17] C-J Seger and R E Bryant ldquoFormal verification by symbolicevaluation of partially-ordered trajectoriesrdquo Formal Methods inSystem Design vol 6 no 2 pp 147ndash190 1995
[18] D Cox J Little and D OrsquoShea Ideals Varieties and AlgorithmsAn Introduction to Computational Algebraic Geometry andCommutative Algebra Undergraduate Texts in MathematicsSpringer New York 3rd edition 2007
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
