A Community of Verification Professionals

Create an Account	Home | Calendar | Downloads | FAQ | Links | Site Admin | Your Account
Login Nickname Password Security Code: Type Security Code BACKWARD Don't have an account yet? You can create one. As a registered user you have some advantages like theme manager, comments configuration and post comments with your name. Modules · Home · Downloads · FAQ · Feedback · Recommend Us · Web Links · Your Account Advertising Who's Online There are currently, 34 guest(s) and 0 member(s) that are online. You are Anonymous user. You can register for free by clicking here    Verification Guild: Forums  Forum FAQ   Search   Usergroups   Profile  Digest    Log in  Verilog X-Bugs: simulation/coverage vs formal verification          Verification Guild Forum Index -> Assertions View previous topic :: View next topic   Author Message MikeTurpin Senior Joined: Jan 06, 2004 Posts: 13 Location: Cambridge, UK Posted: Tue Jan 06, 2004 7:40 am    Post subject: Verilog X-Bugs: simulation/coverage vs formal verification I'd like to raise awareness of problems with X-semantics in Verilog, and begin a discussion here about how this affects validation. The problems include: 1) RTL simulation can optimistically pass tests that could fail netlist sims 2) Code-coverage results can be both optimistic (i.e. claims branch is covered when it's unreachable) and pessimistic results 3) Formal equivalence checkers are not usually set up to detect X-bugs 4) Formal property checking gives more accurate results than RTL sims (e.g. might fail a property that would optimistically pass RTL sims) I presented a paper on these issues at Boston SNUG 2003, which won the Technical Committee award. It can be found on SolveNET and also at: http://www.arm.com/pdfs/Verilog_X_Bugs.pdf In addition to highlighting the problems, my paper also gives some solutions - often involving the use of formal verification. I'd be interested in other people's experience of Verilog X semantics causing verification problems, and on the propsed coding rules in the paper (particularly the recommendation to not use if-statements in combinatorial logic). Back to top alain Junior Joined: Jan 11, 2004 Posts: 5 Posted: Sun Jan 11, 2004 10:24 am    Post subject: Re: Verilog X-Bugs: simulation/coverage vs formal verificati MikeTurpin wrote: I'd be interested in other people's experience of Verilog X semantics causing verification problems, and on the propsed coding rules in the paper (particularly the recommendation to not use if-statements in combinatorial logic). I agree with more than 90% of your recommendations, except that one. Asking designers not to use if statements to code combinatorial logic means the RTL code will be unreadable and full of nested "?" statements. I understand the benefit of using that operator for X-propagation, but I have to place readability of the RTL above that. After all, the ultimate goal is to reduce the likelihood of having bugs in the RTL in the first place and then finding on nasty remaining bugs quickly. Letting RTL designers use whatever language construct is safest goes a long way and nested multi-line if-statements are often more readable. What do you think? Alain Raynaud Technical Director, EVE-USA Back to top JZook Junior Joined: Jan 09, 2004 Posts: 6 Location: Westborough, Massachusetts Posted: Mon Jan 12, 2004 5:44 pm    Post subject: Because of this paper and others, and our own experience, we no longer trust X's in RTL simulations. For reset testing, we wrote a perl script to parse the Verilog RTL files (just one module per file allowed) and add an initial block where all reg's are assigned a random value. The perl script took a couple man-weeks to perfect (because our designers aren't real consistent in how they declare their reg's), but it runs plenty fast, and the initial blocks do not noticeably slow down the simulations. I have heard other people (Duane Galbi in a SNUG a couple years ago, for example) say they did something similar through the PLI, which would probably be harder to get right, but has the advantage of not modifying the RTL. _________________ John Zook Senior Verification Engineer Tilera Corporation Back to top jeffli Senior Joined: Jan 09, 2004 Posts: 32 Posted: Tue Jan 13, 2004 11:56 am    Post subject: X in ISIM You can also get X values in Verilog from Z values. Most gates and expressions in Verilog generate X if any input is Z. Z values can be from explicit Z in constants, certain Verilog gates or undriven nets. These Z values can cause possible X-bugs though it is probably not as likely as the others. mcurry wrote: Many of your solutions are definetly asking for better tools. Initialize all X's to 0s, then initialize all X's to 1s is an excellant case. I'd advocate a third option - initialize all unknowns to RANDOM values too. We designed ISIM (http://www.inclusivesim.com) to do this. We appreciate any warnings and comments about the following ways for this. If "-I1" is specified on the command line, all unknown initial values of registers are 1's in ISIM. If "-I0" is specified, all unknown initial values are 0's. Similarly if "-X1" (or "-X0") is specified on the command line, all explicit X in constants are treated as 1's (or 0's). Undriven nets are treated according to directive `unconnected_drive as defined in Verilog standard. Other Z values are turned into 0's or 1's depending whether the net is wired-AND or wired-OR. The more interesting part is how ISIM handles X and Z if the above options are not specified. ISIM only does 2-state simulation. It treats X values (including unknown initial values of registers), undriven nets and random values (from $random, $dist_chi_square, $dist_erland, $dist_exponential, $dist_normal, $dist_poisson, $dist_t or $dist_uniform) all as wildcards (see the next paragraph). An undriven net is treated as different wildcards for different time slots. The amazing part is that ISIM tries all different value permutations of all these wildcards automatically. It is smart enough to consider equivalent permutations when some wildcards are really don't-cares. It is also smart enough to know that some wildcards are don't-cares if and only if some other wildcards have certain values. These 2 conditions happen everywhere if you consider how often 0 is fed to AND and 1 is fed to OR. Therefore, ISIM can sometimes process millions of these wildcards quickly. Imagine how this amazing feature can change verification if these wildcards are used wisely in testbenches! Last edited by jeffli on Tue Jan 13, 2004 10:24 pm; edited 1 time in total Back to top MikeTurpin Senior Joined: Jan 06, 2004 Posts: 13 Location: Cambridge, UK Posted: Tue Jan 13, 2004 2:17 pm    Post subject: I was hoping for a reaction to my "avoid if statements" rule, it's also proved controversial at ARM. I agree completely with the comments: a) if statements are more readable b) don't use nested ternary ?'s For (a), if-statements may be intuitive and easily understood by engineers but are dangerous as EDA tools often take a different interpretation of the semantics. For (b), why not rewrite nested if statements as a case statement (or possibly casez) as this is priority encoded? I've now rewritten several nested if statements as case (sometimes with single ?'s in the assignments) and this can be more readable (or easier to spot problems/redundancies). My RTL coding rule is meant as "avoid using if's" but if you do use them you need to: - be aware of the issues - reset all DFFs - add X-checking assertions - run automatic formal proofs So, if-statements could mean a whole bunch more work. If you have a control block, then all DFFs should be reset and you could have X-checking assertions on the I/O to protect any if-statements. Not all X's are evil though - some are good (X-propagation is better than optimistic termination). I think that mcurry's code could have a following case default (providing that all 2-state values of "blah" are covered by a case-item) so that X's can be trapped by the default and propagated onto each output. This could still be concise and achieve the desired effect of not having to specify every output on every case-item. You can also do the all X's -> 1's, 0's or random by using initreg in VCS. Back to top MikeTurpin Senior Joined: Jan 06, 2004 Posts: 13 Location: Cambridge, UK Posted: Wed Jan 14, 2004 11:48 am    Post subject: mcurry wrote: Good to see Jeffli's note on the behaviour of ISIM, and your note on initreg in VCS. I may need to check these out. Actually, the +initreg switch in VCS is just for setting registers to all 0's, all 1's or random. This is good for 2-state simulations. There's also a +2state switch in VCS (although this is limited as it always treats case expressions as 4-state). Neither of these VCS switches will set X-assignments. There's no "xassign" switch in VCS, I did this step myself with a sed script. Apologies for the confusion. Back to top srini Senior Joined: Jan 23, 2004 Posts: 430 Location: Bengaluru, India Posted: Sat Jan 24, 2004 7:44 am    Post subject: Re: Verilog X-Bugs: simulation/coverage vs formal verificati MikeTurpin wrote: I'd like to raise awareness of problems with X-semantics in Verilog, and begin a discussion here about how this affects validation. I read through your excellent paper twice and as Verification engineer I liked it a lot. In fact (as I just mentioned in one of my earlier posts in this forum today) I wasted almost 5 hours (2 engineers, so effectively 10 man hours!!) just b'cos we didn't use the assert_no_x_when_vld (or similar name) assertion at appropriate place. This is one area where I believe assertions have an immediate role to play (of-course they can do much more than this). Mike - you have mentioned that the 2 assertions you developed will be part of OVL, do you know by when? Is it possible for you to share it in this forum? Currently I developed one on my own, using XOR & === as I don't need them to by synthesis compatible (anyway I have synthesis on/off around them). If any one is interested, please let me know. Thanks, Srinivasan Back to top MikeTurpin Senior Joined: Jan 06, 2004 Posts: 13 Location: Cambridge, UK Posted: Sun Jan 25, 2004 11:16 am    Post subject: Re: Verilog X-Bugs: simulation/coverage vs formal verificati Hi Srinivasan, srini wrote: Mike - you have mentioned that the 2 assertions you developed will be part of OVL, do you know by when? Is it possible for you to share it in this forum? I'm not sure when these will become part of the OVL library, so for now I just posted the Verilog for both of them on the OVL website: www.verificationlib.org Follow the links: Discussion > Open Library Discussion Back to top Display posts from previous: All Posts1 Day7 Days2 Weeks1 Month3 Months6 Months1 Year Oldest FirstNewest First         Verification Guild Forum Index -> Assertions All times are GMT - 5 Hours Page 1 of 1   Jump to: Select a forum Main----------------MainEDA NewsCommunity Services Networking----------------Looking for a jobLooking for candidates Archives----------------AssertionsCoverageFormalSimulationDesignMiscellaneous Test----------------Test  You can post new topics in this forum You can reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum Forums ©

Verification Guild © 2006 Janick Bergeron
Web site engine's code is Copyright © 2003 by PHP-Nuke. All Rights Reserved. PHP-Nuke is Free Software released under the GNU/GPL license.
Page Generation: 0.287 Seconds