RE: [sv-ac] Issue 805

From: Eduard Cerny <Eduard.Cerny_at_.....>
Date: Tue Mar 14 2006 - 07:23:58 PST
Hi Dmitry,

my point is that followed_by already existis if you write not(s |-> not
p) and followed_by would just make it clearer. I think it is useful to
have and I would prefer that inferred conditions for covers be done
using followed by, but I can see the issue with having a;ready an
implication in the cover (as you last example showed). I generally
discourage people from using implications in cover statements, but...

ed
 

> -----Original Message-----
> From: Korchemny, Dmitry [mailto:dmitry.korchemny@intel.com] 
> Sent: Tuesday, March 14, 2006 10:01 AM
> To: Eduard Cerny; Doron Bustan
> Cc: sv-ac@eda.org
> Subject: RE: [sv-ac] Issue 805
> 
> Hi Ed,
> 
> Probably I was not clear enough, but I meant that in *** the most
> interesting cases *** in SVA it may be replaced by sequence fusion
> (##0). Sure you cannot always use the sequence fusion for 
> that. But the
> only interesting scenario for the coverage is the sequence fusion,
> therefore I am saying that there is no need for followed_by if we are
> talking about coverage only.
> 
> Thanks,
> Dmitry
> 
> -----Original Message-----
> From: Eduard Cerny [mailto:Eduard.Cerny@synopsys.com] 
> Sent: Tuesday, March 14, 2006 3:22 PM
> To: Korchemny, Dmitry; Doron Bustan
> Cc: sv-ac@eda.org
> Subject: RE: [sv-ac] Issue 805
> 
> Hello Doron, Dmitry,
> 
> I agree with Doron, followed_by as the dual of |-> is needed, because
> ##0 cannot be used with property on the RHS. 
> If a cover property is under a condition it shouuld be converted to
> followed by rather than |->, where the condition is on the LHS. 
> I do not see much of a problem implementing followed_by.  
> Should there be two forms, one overlapping and one non-overlapping?
> 
> ed
> 
> 
> > -----Original Message-----
> > From: owner-sv-ac@eda.org [mailto:owner-sv-ac@eda.org] On 
> > Behalf Of Korchemny, Dmitry
> > Sent: Tuesday, March 14, 2006 8:14 AM
> > To: Doron Bustan
> > Cc: sv-ac@eda.org
> > Subject: RE: [sv-ac] Issue 805
> > 
> > Hi Doron,
> > 
> > I agree with your property coverage generalization with 
> > followed_by, but
> > I see several usability problems with this approach:
> > * Property coverage (A|->B) becomes meaningless. This is problematic
> > because the cover property statement may be located under a 
> > conditional
> > statement, and then it has an implicit enabling condition
> > * The reset condition handling is still problematic
> > * Using followed_by in assertions may be difficult for 
> simulators, and
> > when introduced this operator should be supported 
> everywhere. I think
> > that this operator should be introduced only in case if SVA 
> > is extended
> > with LTL operators (similarly to PSL). Otherwise its 
> applicability is
> > questionable since in the most interesting cases in SVA it may be
> > replaced by sequence fusion (##0)
> > 
> > Therefore I am suggesting defining
> > cover property (disable iff(rst) A |-> B) as assert 
> property (disable
> > iff A |-> not B) where the failures of the latter statement are
> > considered to be cover points of the former one.
> > 
> > See details in Mantis 1383.
> > 
> > Sorry for the late answer.
> > Dmitry  
> > 
> > -----Original Message-----
> > From: Doron Bustan [mailto:dbustan@freescale.com] 
> > Sent: Wednesday, March 01, 2006 12:45 AM
> > To: Korchemny, Dmitry
> > Cc: sv-ac@eda.org
> > Subject: Re: [sv-ac] Issue 805
> > 
> > I suggest that the definition of the semantic of coverage 
> goal be as 
> > follows:
> > 
> > Let 'w' be a computation, and P be a property, then w 
> satisfies cover 
> > property (P)
> > iff for some 0 <= i < |w|, we have that w^{i..}, {} |= P.
> > 
> > Where the |= relation is the one defined in appendix E.3.5.
> > 
> > I agree that sometime people mistakenly write cover 
> properties of the 
> > form R |-> P, when
> > they want to identify a match of R followed by a satisfaction 
> > of P. This
> > 
> > should be written
> > as "not (R |-> not P)". I suggest that we will defined a derived 
> > operator "followed_by"
> > (similar to forespec) such that "R followed_by P" is 
> > equivalent to "not 
> > (R |-> not P)". This
> > will enable a more intuitive form of writing cover properties.
> > 
> > Doron
> > 
> > Korchemny, Dmitry wrote:
> > 
> > > Hi all,
> > >
> > > I would like to understand what the request incentive is: 
> a need in 
> > > proper /cover/ statement semantics definition or a need to 
> > collect a 
> > > richer statistics - how many times the reset signal rose. I 
> > don't have
> > 
> > > anything against reporting reset statistics, except for 
> > minor comments
> > 
> > > given below, but I guess that the main point of the enhancement 
> > > request is the statement semantics and this request is aimed to 
> > > disable pathological coverage reporting. Therefore I 
> would like to 
> > > address mainly the latter issue.
> > >
> > > The semantics of the /cover/ statement is not defined 
> > anywhere in the 
> > > LRM, and there are only several words about property coverage 
> > > collection in the dynamic simulation environment. We need 
> > to define a 
> > > formal semantics for /cover/ statement both to avoid 
> > ambiguity in the 
> > > LRM interpretation, to be confident that the coverage concept is 
> > > always meaningful and to allow cover statement usage by formal 
> > > analysis tools.
> > >
> > > The informal semantics of the /assert/ statement is to make 
> > sure that 
> > > the property is (*always*) correct. When the property is 
> > violated then
> > 
> > > the counter-example is either generated by formal analysis 
> > tools or is
> > 
> > > provided as a simulation trace fragment by dynamic 
> > simulation tools. 
> > > The informal semantics if the /cover/ statement is to make 
> > sure that 
> > > the property is feasible, i.e., it *may be* correct, and 
> the tools 
> > > should provide witness for it: the formal analysis tools should 
> > > generate such a witness, while dynamic simulation tools 
> > should provide
> > 
> > > a trace fragment along with the collected statistics.
> > >
> > > Let's try to define the /cover/ statement semantics 
> > formally. I will 
> > > be using in the sequel the following LTL pseudo-code:
> > >
> > >     * globally says that the property is checked each clock phase
> > >     * eventually means some time in the future
> > >
> > > and will assume all clock events to be fair. I also assume in all 
> > > below examples that the assertions are written outside of 
> > an initial 
> > > block, i.e., implicit /always/ semantics is applicable to them.
> > >
> > > The first attempt would be to define /cover/ /property/ as 
> > /assert/ of
> > 
> > > its negation. Then the assertion counter-example is a coverage 
> > > witness. But this straightforward definition won't reflect our 
> > > intention. Consider the simplest cover statement:
> > >
> > > (always) cover property (@(clk) a); // a is a Boolean expression
> > >
> > > Its pseudo code notation is:
> > >
> > > cover property (@(clk) globally a);
> > >
> > > After negation we get:
> > >
> > > assert property (@(clk) eventually !a);
> > >
> > > I.e., the property is covered if a never holds, this is 
> > apparently not
> > 
> > > our intention: the property is covered when a eventually holds.
> > >
> > > Here is the second take:
> > >
> > > cover property (@(clk) globally p) succeeds iff assert property 
> > > (@(clk) globally not p)) fails
> > >
> > > In the case when p is a Boolean expression, or even a 
> sequence this 
> > > definition works: if at some moment p is high (or the sequence is 
> > > matched), the property is covered.
> > >
> > > But in the common case, when p is a property, the problem 
> persists:
> > >
> > > cover property ((@clk) globally a |=> b) succeeds iff? 
> > assert property
> > 
> > > ((clk) globally a ##1 !b); fails
> > >
> > > Has the property been covered if a never happens? According 
> > to LRM it 
> > > has, but it has been covered vacuously for the antecedent never 
> > > happens. This definition of coverage is problematic: e.g., it is 
> > > always recommended to avoid writing such /cover/ 
> > properties. More than
> > 
> > > that, this LRM definition of coverage is contradictory. 
> The section 
> > > 17.13.5 "Embedding concurrent assertions in procedural 
> code": reads
> > >
> > > Another inference made from the context is the enabling 
> > condition for 
> > > a property. Such derivation takes place when a property is 
> > placed in 
> > > an if...else block or a case block. The enabling condition assumed
> > >
> > > from the context is used as the antecedent of the property.
> > >
> > > *property *r3;
> > >
> > > @(*posedge *mclk)(q != d);
> > >
> > > *endproperty*
> > >
> > > * *
> > >
> > > *always *@(*posedge *mclk) *begin*
> > >
> > > *if *(a) *begin*
> > >
> > > q <= d1;
> > >
> > > r3_p: *assert property *(r3);
> > >
> > > *end*
> > >
> > > *end*
> > >
> > > The above example is equivalent to the following:
> > >
> > > *property *r3;
> > >
> > > @(*posedge *mclk)a |-> (q != d);
> > >
> > > *endproperty*
> > >
> > > r3_p: *assert property *(r3);
> > >
> > > *always *@(*posedge *mclk) *begin*
> > >
> > > *if *(a) *begin*
> > >
> > > q <= d1;
> > >
> > > *end*
> > >
> > > *end*
> > >
> > > According to this definition if we substitute in the 
> above examples 
> > > /assert/ with /cover/, our property will be covered (even though 
> > > vacuously) if a never happened! Such definition of coverage is 
> > > somewhat counter-intuitive.
> > >
> > > Therefore, it seems to me that the acceptable definition of the 
> > > /cover/ statement semantics would be:
> > >
> > > cover property ((@clk) globally disable iff (rst) s |-> p)) 
> > succeeds 
> > > iff assert property ((@clk) globally disable iff (rst) s 
> > |-> *not* p))
> > 
> > > fails
> > >
> > > or in pure SVA:
> > >
> > > cover property ((@clk) disable iff (rst) s |-> p)) succeeds 
> > iff assert
> > 
> > > property ((@clk) disable iff (rst) s |-> *not* p)) fails
> > >
> > > Such semantics solves also the reset problem: when the reset 
> > > expression is true, the assertion cannot fail, and therefore the 
> > > original property cannot be covered. Therefore it looks to 
> > me that the
> > 
> > > reset being high is not a coverage event, and should not be 
> > reported 
> > > as such.
> > >
> > > Below is the summary.
> > >
> > > Suggestion:
> > >
> > > ========
> > >
> > > I suggest defining the /cover property/ semantics as:
> > >
> > > cover property ((@clk) disable iff (rst) s |-> p)) succeeds 
> > iff assert
> > 
> > > property ((@clk) disable iff (rst) s |-> *not* p)) fails
> > >
> > > The /cover /statement reports coverage when the corresponding 
> > > assertion fails for any property of the form s|->p, where s is a 
> > > sequence and p is a property. The formal definition is:
> > >
> > > For the property of the form A |-> B (when A |=> B is 
> > considered to be
> > 
> > > A|-> ##1 B)
> > >
> > > cover property ((@clk) disable iff (rst) A |-> B)) succeeds 
> > iff assert
> > 
> > > property ((@clk) disable iff (rst) A |-> *not* B)) fails
> > >
> > > Otherwise
> > >
> > > cover property ((@clk) disable iff (rst) B)) succeeds iff assert 
> > > property ((@clk) disable iff (rst) *not* B)) fails
> > >
> > > If the /cover/ statement is located inside a conditional 
> statement, 
> > > the inferred condition is automatically taken into account. E.g.,
> > >
> > > If a property
> > >
> > > cover property (a); has an inferred enabling condition en, the
> > equivalence
> > >
> > > cover property (a) succeeds iff assert property(not a) 
> > fails is still 
> > > valid, since both statements are actually
> > >
> > > cover property (en |-> a) succeeds iff assert property(en 
> |-> not a)
> > fails
> > >
> > > Discussion:
> > >
> > > ========
> > >
> > >    1. I suggest adding a specification of /cover/ statement 
> > for formal
> > >       analysis tools: a /cover/ statement is equivalent to a
> > >       corresponding /assert/ statement, but the generated
> > >       counter-example should be called witness and the tool should
> > >       report success. If the corresponding assertion 
> > passes, the tool
> > >       should report the coverage failure.
> > >    2. The coverage action statement should be executed 
> each time the
> > >       property is covered (like else in the assertion). 
> According to
> > >       the proposed definition the action statement won't 
> > execute when
> > >       reset is high or a triggering condition was not met.
> > >    3. "Number of times succeeded" means the number of 
> times the dual
> > >       assertion fails
> > >    4. "Number of times the property failed" is not quite 
> clear. Does
> > >       it mean that /cover property(p)/ fails when /assert property
> > >       (p)/ fails?
> > >    5. "Number of times succeeded because of vacuity" is no longer
> > >       valid. The accurate statement would be number of 
> > times triggered
> > >       (I would even say attempted, but it probably has another
> > >       meaning). Should we report this number when the 
> antecedent is
> > >       trivial (always true)?
> > >    6. The definition of sequence coverage should be refined 
> > (if it is
> > >       needed at all). Do we have a case of sequence 
> > coverage when B is
> > >       a sequence (in the above definition)? But in this case the
> > >       number of times triggered is still relevant.
> > >    7. "Number of time matched" for sequences is not clear 
> - does it
> > >       coincide with the number of times succeeded? (see 
> > previous item)
> > >    8. If wanted, the information about reset signal can also be
> > >       collected (this is the actual content of #805), but 
> instead of
> > >       "Number of times succeeded because of disabling" it 
> should be
> > >       something like "Number of times the reset rose"
> > >    9. All stated above is applicable to the corresponding 
> > vpi calls as
> > >       well.
> > >   10. The case of a cover property inside an initial block is
> > >       syntactically identical. Semantic difference is that the
> > >       implicit /globally/ operator should be dropped in 
> > both /assert/
> > >       and /cover/ statements.
> > >   11. Completely different observation: adding more and more
> > >       requirements to the data to be collected will 
> > negatively affect
> > >       the simulation performance, and the standard should give the
> > >       user means to control the reporting level.
> > >
> > > General Disclaimer:
> > >
> > > ==============
> > >
> > > Since I don't always have enough time to collect the 
> feedback from 
> > > other Intel people, my position in some cases may change 
> when this 
> > > feedback becomes available. I won't add this disclaimer to my 
> > > subsequent messages, but it always remains valid.
> > >
> > > Thanks,
> > >
> > > Dmitry
> > >
> > 
> > 
> 
Received on Tue Mar 14 07:24:06 2006

This archive was generated by hypermail 2.1.8 : Tue Mar 14 2006 - 07:24:10 PST