

# **Using Mutation Coverage** for Advanced Bug Hunting

#### Vladislav Palfy & Nicolae Tusinschi—OneSpin Solutions



making electronics reliable





# Assessing Quality of Verification

If you don't measure, you don't know

#### When am I done?

Have I written enough stimuli to cover all requirements?
 What part of the design has been exercised by my assertions/covers?
 Have I written good quality checks?
 Which parts of the design have been checked by my checkers?
 Are all specified functions implemented?
 Are all specified functions verified?



**Coverage & Bug Hunting** Two sides of the same coin

- Both coverage and bug hunting are important
- Where coverage is analytical, bugs are anecdotal
- ✤ 100% coverage with bugs in the design is unacceptable
- Extracting coverage should be quick and easy
- Report data must be meaningful



#### **Quantify MDV Overview** Multi-dimensional view—quantity and quality

#### Assessing the *quality* of verification by providing a *quantitative* metric

#### Quantify

- Takes as input a hardware design and a formal test bench
- One push of a button produces a metric-driven sign-off report as output

#### Structural Coverage (Quantity)

Control & Observation Coverage—provides quantitative assessment

#### Functional Coverage (Quality)

✤ Assertion Coverage—provides qualitative assessment



## **Coverage Solution: Provides Meaningful Metrics** Continuous feedback for design and verification

#### Designer Bring Up: Get feedback on the quality of design bring up

- Dead code; reachability
- Redundant code

#### Verification: When quality and quantity both matter

- Metrics should indicate gaps in verification and show you where these are
  - Missing checks
  - Over-constraints
  - Find bugs



# **Quantify Report**

#### **Color-coded highway to sign-off**

|                 | Result      | Meaning                                       |  |  |  |
|-----------------|-------------|-----------------------------------------------|--|--|--|
|                 | Reached     | Reached by an Assertion                       |  |  |  |
| Controllability | Constrained | Unreachable & Unobservable Due to Constraints |  |  |  |
|                 | Dead        | Unreachable and Unobservable                  |  |  |  |
|                 | Uncovered   | Not Reached and Not Observed                  |  |  |  |
| Observability   | Covered     | Observed and Reached                          |  |  |  |
|                 | Unobserved  | Reached and Not Observed                      |  |  |  |



## **Quantify Dashboard View: Important Components**

| Struc  | ctural Coverage Overview      |          |        |              |            |          |              |              |            |  |
|--------|-------------------------------|----------|--------|--------------|------------|----------|--------------|--------------|------------|--|
| Status | s                             | nts      |        |              | Branch     | ies      |              |              |            |  |
| 1      | covered                       | 12       |        | 80.00%       |            | 4        |              | 100.00%      |            |  |
| R      | reached                       | 0        | 0.00%  |              |            | 0        | 0.00%        |              |            |  |
| U      | unknown                       | 0        | 0.00%  |              |            | 0        | 0.00%        |              |            |  |
| 0R     | unobserved                    | 3        | 20.    | .00%         |            | 0        | 0.00%        |              |            |  |
| 0      | uncovered                     | 0        | 0.00%  |              |            | 0        | 0.00%        |              |            |  |
| 0C     | constrained                   | 0        | 0.00%  |              |            | 0        | 0.00%        |              |            |  |
| 0D     | dead                          | 0        | 0.00%  |              |            | 0        | 0.00%        |              |            |  |
| Sum    | quantify targets              | 15       |        |              |            | 4        |              |              |            |  |
| Exclu  | uded Code Overview            |          |        |              |            |          |              |              |            |  |
| Code   | Status                        | Statemer | nts    |              |            | Branches |              |              |            |  |
| Xu     | excluded by user              | 0        | 0.00%  | Ó            |            |          | 0.00%        |              |            |  |
| Xr     | excluded redundant code       | 0        | 0.00%  | 0%           |            | 0        | 0.00%        |              |            |  |
| Xv     | excluded verification code    | 15       |        | 50.00%       |            | 8        | 66.67        | 66.67%       |            |  |
| 0/1/U  | quantify targets              | 15       |        | 50.00%       |            | 4        | 33.33%       | 33.33%       |            |  |
| Sum    | total code                    | 30       |        |              |            | 12       |              |              |            |  |
| Asse   | rtion Coverage                |          |        |              |            |          |              |              |            |  |
| ld     | Property                      | ł        | Kind   | Proof Result | Proof Radi | us       | Cover Result | Cover Radius | Quantified |  |
| 0      | sva/as_empty_from_fullassert  |          | issert | FORMAL_PROOF | infinite   |          | COVER_PASS   | 9            | yes        |  |
| 1      | sva/as full from empty        | a        | assert | FORMAL_PROOF | infinite   | 1        | COVER_PASS   | 1            | yes        |  |
| 2      | sva/u fifo /as ordering check | a        | ssert  | FORMAL_PROOF | infinite   |          | COVER PASS   | 2            | yes        |  |



# **Quantify Dashboard**





# **Quantify in Action**

**FIFO Example** 





# **Requirements for Verification**

| Ordering is correct                                                                                                                 |  |
|-------------------------------------------------------------------------------------------------------------------------------------|--|
| No duplication                                                                                                                      |  |
| No data loss                                                                                                                        |  |
| No data corruption                                                                                                                  |  |
| Empty and full checks                                                                                                               |  |
| <ul> <li>Must be empty at the right time</li> <li>Must be full at the right time</li> <li>If empty, then eventually full</li> </ul> |  |

✤If full, then eventually empty



#### **Quantify on FIFO Example—I** With no checks at all

| Struct | ural Coverage Overview | 1        |         |        |     |         |          |
|--------|------------------------|----------|---------|--------|-----|---------|----------|
| Status |                        | Statemen | IS      | Branch | nes |         |          |
| 1      | covered                | 0        | 0.00%   | 0      | 0.0 | 0%      |          |
| \$     | reached                | 0        | 0.00%   | 0      | 0.0 | 0%      |          |
| U      | unknown                | 0        | 0.00%   | 0      | 0.0 | 0%      |          |
| 0R     | unobserved             | 0        | 0.00%   | 0      | 0.0 | 0%      |          |
| )      | uncovered              | 22       | 100.00% | 7      |     | 100.00% | VERIFICA |
| )C     | constrained            | 0        | 0.00%   | 0      | 0.0 | 0%      |          |
| 0D     | dead                   | 0        | 0.00%   | 0      | 0.0 | 0%      |          |
| Sum    | quantify targets       | 22       |         | 7      |     |         |          |

| Asser | tion Coverage |      |              |              |              |              |            |
|-------|---------------|------|--------------|--------------|--------------|--------------|------------|
| ld    | Property      | Kind | Proof Result | Proof Radius | Cover Result | Cover Radius | Quantified |

| File Status |               |          |        |                                                                  |  |  |  |
|-------------|---------------|----------|--------|------------------------------------------------------------------|--|--|--|
| ld          | File          | Language | Kind   | Full Name                                                        |  |  |  |
| 0           | <u>fifo.v</u> | verilog  | design | /home/onespin/my_labs/fifo_quantify_demo_v2/no_checks/rtl/fifo.v |  |  |  |



## Quantify on FIFO Example—II Design View

| 43 | always @(posedge clk or negedge resetn)                                  |              |
|----|--------------------------------------------------------------------------|--------------|
| 44 | if (!resetn)                                                             | 0            |
| 45 | $w_ack \ll 1'b1;$                                                        | 0            |
| 46 | else if (!full)                                                          | 0            |
| 47 | w_ack <= 1'bl;                                                           | 0            |
| 48 | else if (full)                                                           | 0            |
| 49 | w_ack ⊲= 1'b0;                                                           | 0            |
| 50 |                                                                          |              |
| 51 | assign w_ack_o = w_ack;                                                  | 0            |
| 52 | <pre>assign r_ack_o = empty ? 1'b0 : (full ? 1'b0 : 1'b1);</pre>         | 0            |
| 53 | assign w_hsk = w_valid_i && w_ack_o;                                     | 0            |
| 54 | assign r_hsk = r_valid_i && r_ack_o;                                     | 0            |
| 55 | assign nxt_wptr = wptr + w_hsk;                                          | 0            |
| 56 | assign nxt_rptr = rptr + r_hsk;                                          | 0            |
| 57 | assign nxt_empty = (empty    r_hsk) && !w_hsk && (nxt_rptr == nxt_wptr); | 0            |
| 58 |                                                                          |              |
| 59 | // Registered calculations for empty, wptr and rptr                      |              |
| 60 | always @(posedge clk or negedge resetn)                                  |              |
| 61 | if (!resetn)                                                             | 0            |
| 62 | begin                                                                    |              |
| 63 | empty ⊲= l'bl;                                                           | 0            |
| 64 | wptr <= (DEPTH_BITS(1'b0));                                              | 0            |
| 65 | <pre>rptr == {DEPTH_BITS(1'b0)};</pre>                                   | 0            |
| 66 | end                                                                      |              |
| 67 | else                                                                     | - <b>0</b> / |
| 68 | begin                                                                    |              |
| 69 | empty ⊲= nxt_empty;                                                      | 0            |
| 70 | wptr ⊲= nxt_wptr;                                                        | 0            |
| 71 | rptr <= nxt_rptr;                                                        | 0            |
| 72 | end                                                                      |              |
| 73 | // Write the data on a w_hsk                                             |              |
| 74 | always @(posedge clk)                                                    |              |
| 75 | if (w_hsk)                                                               | 0            |
| 76 | data[wptr]                                                               | 0            |
| 77 | //···· Read the data on a r_hsk                                          |              |
| 78 | always @(posedge clk)                                                    |              |
| 79 | if (r_hsk)                                                               | 0            |
| 80 | data_int <= data[rptr];                                                  | 0            |
| 81 | assign full = !empty && (rptr == wptr);                                  | 0            |
| 82 | assign empty_o = empty;                                                  | 0            |
| 83 | mssign full_o = full;                                                    | 0            |
| 84 | assign data_o = data_int;                                                | 0            |
| 85 | endmodule                                                                |              |



## **FIFO Verification Strategy** Uses symbolic and data abstraction

- Use two symbolic transactions for tracking all possible data values
- Send these symbolic values in a pre-determined order in the FIFO
- Ensure that they come out of the FIFO in the same order
- Use four sampling registers
  - sampled\_in\_d1
  - sampled\_in\_d2
  - sampled\_out\_d1
  - sampled\_out\_d2
- One side constraint
- One main ordering check



```
as_ordering_check:
assert property (
  @(posedge clk) disable iff (!resetn)
      sampled_in_d1 && sampled_in_d2 && !sampled_out_d1
      |-> !sampled_out_d2);
```



# Quantify on FIFO Example—III With just ordering check

|                                          | ural Coverage Overview                                                                                               |                                 |                          |   |                  |                      |   |                           |
|------------------------------------------|----------------------------------------------------------------------------------------------------------------------|---------------------------------|--------------------------|---|------------------|----------------------|---|---------------------------|
| Status                                   |                                                                                                                      | Statemen                        | ts                       |   | Branches         |                      |   |                           |
| 1                                        | covered                                                                                                              | 14                              | 63.64%                   |   | 63.64% de        | sign cov <u>ered</u> |   |                           |
| R                                        | reached                                                                                                              | 0                               | 0.00%                    |   | 0 0              | 0.00%                |   |                           |
| U                                        | unknown                                                                                                              | 0                               | 0.00%                    |   | 0 0              | 0.00%                |   |                           |
| 0R                                       | unobserved                                                                                                           | 7                               | 31.82%                   | 4 | 2                | 28.57%               |   | 31.82% Design Unobserved  |
| 0                                        | uncovered                                                                                                            | 1                               | 4.55%                    |   | 4.55% Desi       | gn Uncovered         |   | J1.02/0 Design Onobserved |
| 0C                                       | constrained                                                                                                          | 0                               | 0.00%                    |   | 0 0              | 0.00%                |   |                           |
| 0D                                       | dead                                                                                                                 | 0                               | 0.00%                    |   | 0                | 0.00%                |   |                           |
| Sum                                      | quantify targets                                                                                                     | 22                              |                          |   | 7                |                      |   |                           |
| Exclud                                   | ded Code Overview                                                                                                    |                                 |                          |   |                  |                      |   | 1                         |
|                                          |                                                                                                                      | Statemen                        | ts                       |   | Branches         |                      |   |                           |
| Code S                                   |                                                                                                                      | Statemen<br>0                   |                          |   |                  | 0.00%                |   |                           |
| Code S<br>Xu                             | tatus                                                                                                                | 100000000000000                 |                          | - | 0                | 0.00%                | - |                           |
| Code S<br>Xu<br>Xr                       | tatus<br>excluded by user                                                                                            | 0                               | 0.00%                    | - | 0                |                      |   |                           |
| Code S<br>Xu<br>Xr                       | tatus<br>excluded by user<br>excluded redundant code                                                                 | 0<br>0                          | 0.00%<br>0.00%           | _ | 0                | 0.00%                |   |                           |
| Code S<br>Xu<br>Xr<br>Xv                 | tatus<br>excluded by user<br>excluded redundant code<br>excluded verification code                                   | 0<br>0<br>14                    | 0.00%<br>0.00%<br>38.89% |   | 0<br>0<br>4      | 0.00%<br>36.36%      |   |                           |
| Code S<br>Xu<br>Xr<br>Xv<br>0/1/U        | tatus<br>excluded by user<br>excluded redundant code<br>excluded verification code<br>quantify targets               | 0<br>0<br>14<br>22              | 0.00%<br>0.00%<br>38.89% |   | 0<br>0<br>4<br>7 | 0.00%<br>36.36%      |   |                           |
| Code S<br>Xu<br>Xr<br>Xv<br>0/1/U<br>Sum | tatus<br>excluded by user<br>excluded redundant code<br>excluded verification code<br>quantify targets               | 0<br>0<br>14<br>22              | 0.00%<br>0.00%<br>38.89% |   | 0<br>0<br>4<br>7 | 0.00%<br>36.36%      |   |                           |
| Code S<br>Xu<br>Xr<br>Xv<br>0/1/U<br>Sum | tatus<br>excluded by user<br>excluded redundant code<br>excluded verification code<br>quantify targets<br>total code | 0<br>0<br>14<br>22<br><b>36</b> | 0.00%<br>0.00%<br>38.89% |   | 0<br>0<br>4<br>7 | 0.00%<br>36.36%      |   |                           |

| fifo s | <u>sva.sv</u> 14              |        |                   | 4            |              |              |            |              |
|--------|-------------------------------|--------|-------------------|--------------|--------------|--------------|------------|--------------|
| Ass    | ertion Coverage               |        |                   |              |              |              |            |              |
| ld     | Property                      | Kind   | Proof Result      | Proof Radius | Cover Result | Cover Radius | Quantified |              |
| 0      | sva/u fifo /as ordering check | assert | FORMAL_PROOF      | infinite     | COVER_PASS   | 2            | yes        | Single Check |
| 1      | sva/u fifo /am d1 before d2   | assume | FORMAL_ASSUMPTION | infinite     | N/A          | 0            | N/A        | <b>J</b>     |
| 2      | sva/u fifo /am intf full      | assume | FORMAL_ASSUMPTION | infinite     | N/A          | 0            | N/A        |              |
| 3      | sva/u fifo /am stable d1      | assume | FORMAL_ASSUMPTION | infinite     | N/A          | 0            | N/A        |              |
| 4      | sva/u fifo /am stable d2      | assume | FORMAL_ASSUMPTION | infinite     | N/A          | 0            | N/A        |              |

| File Status |               |          |        |                                                                                       |  |  |  |
|-------------|---------------|----------|--------|---------------------------------------------------------------------------------------|--|--|--|
| ld          | File          | Language | Kind   | Full Name                                                                             |  |  |  |
| 0           | <u>fifo.v</u> | verilog  | design | /home/onespin/my_labs/fifo_quantify_demo_v2/Step2_ordering_check_only/rtl/fifo.v      |  |  |  |
| 1           | fifo sva.sv   | verilog  | design | /home/onespin/my_labs/fifo_quantify_demo_v2/Step2_ordering_check_only/sva/fifo_sva.sv |  |  |  |



#### **Quantify on FIFO Example—IV** What's still missing?

| 42         w_ack c = 1'bj         0R           43         else if (full)         0R           44         w_ack c = 1'bj         0R           45         else if (full)         0R           46         w_ack c = 1'bj         0R           47                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | 41   | if (!resetn)                                                             | 0R |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|--------------------------------------------------------------------------|----|
| 44     w_ack (* a'bi;     0R       45     else if (vil)     0       46     w_ack (* a'bi;     0       47                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | 42   | w_ack <= 1'b1;                                                           | 0R |
| 46         else if (foll)         0           46         w_ack < 1'bo;                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | 43   | else if (!full)                                                          | 0R |
| 46       w_akk (> 1'b3;       0         47                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | 44   | w_ack <= 1'b1;                                                           | 0R |
| assign w_ack_po = w_ack;         OR           48         assign w_ack_po = wepty ? 1'bo: 1'b1;         0           50         assign m_ack_po = wepty ? 1'bo: 1'b1;         1           51         assign m_hkk = w_alid1 & & w_ack_p;         0R           52         assign m_hkk = w_alid1 & & w_ack_p;         0R           53         assign m_hk = w_alid1 & & w_ack_p;         1           54         assign nxt_mptr = wptr + w_bk;         1           55         assign nxt_mptr = rptr + n hk;         1           56         sign nxt_mptr = wptr + w_bk;         1           56         if (freestr)         1           57         always @(posedge clk or negodge resetn)         1           58         if (freestr)         1           59         begin         1           50         emptr < (DEFH_BITS(1'b0));                                                                                   | 45   | else if (full)                                                           | 0  |
| 48     assign w_ack_o = w_ack;     OR       49     //assign r_ack_o = eepty 7 1 bb : 1 bb ;                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | 46   | w_ack <= 1'b0;                                                           | 0  |
| 49       //ssign r_sk_o = empty % 1'b0: 1'b1;       1         50       assign r_sk_o = empty % 1'b0: 1'b1;       1         51       assign r_sk_s = r_valid_i && r_ack_o;       0R         52       assign r_sk_s = r_valid_i && r_ack_o;       1         53       assign nxt_ptr = sptr + r_bk;       1         54       assign nxt_ptr = rptr + r_bk;       1         55       assign nxt_co = cempty, wptr and rptr       1         56       if (lresetm)       1         57       abusys &@(posdeg clk or negedge resetn)       1         58       if (lresetm)       1         59       begin       1         60       eepty c '10;       0R         61       wptr c (DEPH_dITS(1'b0));       1         62       rptr c (DEPH_dITS(1'b0));       1         63       end       1         64       else       1         65       segin       1         66       eepty (rit_back_back_back_back_back_back_back_back | 47   |                                                                          |    |
| 50     assign n_ack_o = empty 7 1'b0 : (full 7 1'b0 : 1'b1);     1       51     assign n_bk = n_walid_i && m_ack_o;     0R       52     assign n_bk = n_walid_i && m_ack_o;     1       53     assign n_bt = mytr + w_bk;     1       54     assign n_t_ptr = mytr + w_bk;     1       55     assign n_t_ptr = nytr + w_bk;     1       56     assign n_t_ptr = mytr + w_bk;     1       57     assign n_t_ptr = coptr + n_bk;     1       58     if (lresetn)     1       59     bgin     1       60     empty << 1'bi;                                                                                                                                                                                                                                                                                                                                                                                              | 48   | assign w_ack_o = w_ack;                                                  | 0R |
| 51     assign w_hsk = w_walid_i && w_ack_o;     0R       62     assign n,hk = r_walid_i && r_ack_o;     1       63     assign n,hk = r_walid_i && r_ack_o;     1       64     assign n,t wptr = wptr + w_hsk;     1       65     assign n,t_eptr = nptr + n_hsk;     1       66     assign n,t_eptr = nptr + n_hsk;     1       67     always @(posedge clk or negedge resetn)     1       68     if (lresetn)     1       69     begin     0R       60     empty <= 1'bi;                                                                                                                                                                                                                                                                                                                                                                                                                                            | 49   | //assign r_ack_o = empty ? 1'b0: 1'b1;                                   |    |
| 52       assign n.hsk = r_valid_i && r_ack_0;       1         53       assign nxt_wptr = uptr + w_hsk;       1         54       assign nxt_wptr = uptr + w_hsk;       1         55       assign nxt_wptr = uptr + w_hsk;       1         56       if (ruset)       1         57       always @(posedge clk on egedge resetn)       1         58       if (resetn)       1         59       begin       0R         60       empty <= 1/bi;                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | 50   | assign r_ack_o = empty ? 1'b0 : (full ? 1'b0 : 1'b1);                    | 1  |
| 33       assign nxt_mptr = wptr + w_hsk;       1         64       assign nxt_mptr = cempty    r_hsk) && ks (nxt_mptr == nxt_mptr);       1         55       assign nxt_mptr = cempty    r_hsk) && ks (nxt_mptr == nxt_mptr);       1         56       // Registered calculations for empty, wptr and mptr       1         57       always @(posedge clk or negedge resetn)       1         58       if (iresetn)       1         59       begin       0         60       empty <= 1'bi;                                                                                                                                                                                                                                                                                                                                                                                                                               | 51   | assign w_hsk = w_valid_i && w_ack_o;                                     | 0R |
| 54       assign nxt_rptr = rptr + n hsk;       1         65       assign nxt_rempty = (empty    r_nsk) && lnyk && (nxt_rptr == nxt_wptr);       1         66                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | 52   | assign r_hsk = r_valid_i && r_ack_o;                                     | 1  |
| 55       assign nxt_empty = (empty    r_hsk) && lw_hsk && (nxt_rptr *= nxt_wptr);       1         56       // Registered calculations for empty, wptr and rptr       1         57       always @(posedge clk or negedge resetn)       1         58       if (tresetn)       1         59       begin       0R         60       empty << 1'bi;                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | 53   | assign nxt_wptr = wptr + w_hsk;                                          | 4  |
| 58       // Registered calculations for empty, wptr and rptr         57       always @(posedge clk or negedge resetn)         58       if (iresetn)       1         59       begin       0R         60       empty <= 1'bl;                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | 54   | assign nxt_rptr = rptr + r_hsk;                                          | 1  |
| 57       always @(posedge clk or negedge resetn)       1         58       if (Iresetn)       1         59       begin       0         60       empty <= 1'bi;                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | 55   | assign nxt_empty = (empty    r_hsk) && lw_hsk && (nxt_rptr == nxt_wptr); | 1  |
| 58       if (!resetn)       1         59       begin       0         60       empty <= 1'bi;                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | 56   | // Registered calculations for empty, wptr and rptr                      |    |
| 59         begin         00           60         empty <= 1'b1;                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | 57   | always @(posedge clk or negedge resetn)                                  |    |
| constraint         OR           empty <= 1'b1;                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | 58   | if (Iresetn)                                                             | 1  |
| 61         wptr <= (DEPTH_BITS(1'b0));                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | 59   | begin                                                                    |    |
| 62         rptr << (DEPTH_BITS(1'b0));                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | 60   | empty <= 1'b1;                                                           | 0R |
| 63     end     1       64     else     1       65     begin     1       66     empty <= nxt_empty;                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | 61   | wptr <= {DEPTH_BITS(1'b0}};                                              | 1  |
| 64     else     1       65     begin     7       66     empty <= nxt_empty;                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | 62   | rptr <= {DEPTH_BITS(1'b0}};                                              | 1  |
| 66         begin         0           66         empty <= nxt_empty;                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | 63   | end                                                                      |    |
| 66         empty <= nxt_empty;                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | 64   | else                                                                     | 1  |
| 67         wptr <= nxt_mptr;                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | 65   | begin                                                                    |    |
| 68         rptr <= mxt_ptr;                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | 66   | <pre>empty &lt;= nxt_empty;</pre>                                        | 1  |
| 69         end                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | 67   | wptr <= nxt_wptr;                                                        | 1  |
| 70       // write the data on a w_hsk       1         71       always @(posedge clk)       1         72       if (w_hsk)       1         73       data[wptr] << data_i;                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | 68   | <pre>rptr &lt;= nxt_rptr;</pre>                                          | 1  |
| 71       always @(posedge clk)       1         72       if (w_hsk)       1         73       data[wptr] < data_i;                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | 69   |                                                                          |    |
| 172         if (w_hsk)         1           73         data[wptr] << data i;                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | 70   |                                                                          |    |
| 73       data[wptr] <= data_i;                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |      |                                                                          |    |
| 74     // Read the data on a r_isk       75     always @(posedge clk)       76     if (r_isk)       77     data_int <= data[rtr];                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |      |                                                                          | 1  |
| 75       always @(posedge clk)         76       if (n_hsk)       1         77       data_int <= data[rptr];                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |      |                                                                          | 1  |
| if (r_hsk)         1           77         data_int <= data[rptr];                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | 74   |                                                                          |    |
| 77     data_it <= data[rptr];                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |      |                                                                          |    |
| 78         assign full = lempty && (rptr == wptr);         1           79         assign empty_o = empty;         OR           80         assign full_o = full;         OR           81         assign data_o = data_int;         1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |      | if (r_hsk)                                                               |    |
| 79         assign empty_o = empty;         OR           80         assign full_o = full;         OR           81         assign data_o = data_int;         1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |      |                                                                          |    |
| 80         assign full_o = full;         OR           81         assign data_o = data_int;         1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | 1000 |                                                                          |    |
| 81 assign data_o = data_int; 1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | 0.10 |                                                                          |    |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | 80   | assign full_o = full;                                                    | 0R |
| 82 endmodule                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |      | assign data_o = data_int;                                                | 1  |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | 82   | endmodule                                                                |    |

#### **Missing coverage**

- Unobserved
- Uncovered



**Quantify on FIFO Example—V** Let's add checks on empty and full

as\_empty\_to\_full: assert property (@(posedge clk) disable iff (!resetn) empty\_o ##1 (push\_i && !pop\_i)[\*FIFO\_DEPTH] |=> full\_o);

as\_full\_to\_empty: assert property (@(posedge clk) disable iff (!resetn) full\_o ##1 (pop\_i && !push\_i)[\*FIFO\_DEPTH] |=> empty\_o);

as empty after reset:

assert property (@(posedge clk) !resetn |=> empty);



#### Quantify on FIFO Example—VI How did we do now?

| Struc  | Internal Coverage Overview |           |        |        |                   |  |  |
|--------|----------------------------|-----------|--------|--------|-------------------|--|--|
| Status |                            | Statement | ts     | Branch | es                |  |  |
| 1      | covered                    | 16        | 72.73% | 72.7   | 3% design covered |  |  |
| R      | reached                    | 0         | 0.00%  | 0      | 0.00%             |  |  |
| U      | unknown                    | 0         | 0.00%  | 0      | 0.00%             |  |  |
| 0R     | unobserved                 | 6         | 27.27% | 3      | 42.86%            |  |  |
| 0      | uncovered                  | 0         | 0.00%  | 0      | 0.00%             |  |  |
| 0C     | constrained                | 0         | 0.00%  | 0      | 0.00%             |  |  |
| 0D     | dead                       | 0         | 0.00%  | 0      | 0.00%             |  |  |
| Sum    | quantify targets           | 22        |        | 7      |                   |  |  |

| Exclu  | Excluded Code Overview     |           |        |          |        |  |  |  |
|--------|----------------------------|-----------|--------|----------|--------|--|--|--|
| Code S | itatus                     | Statement | ts     | Branches |        |  |  |  |
| Xu     | excluded by user           | 0         | 0.00%  | 0        | 0.00%  |  |  |  |
| Xr     | excluded redundant code    | 0         | 0.00%  | 0        | 0.00%  |  |  |  |
| Xv     | excluded verification code | 14        | 38.89% | 4        | 36.36% |  |  |  |
| 0/1/U  | quantify targets           | 22        | 61.11% | 7        | 63.64% |  |  |  |
| Sum    | total code                 | 36        |        | 11       |        |  |  |  |

| Structural Coverage by File |            |          |  |  |  |  |
|-----------------------------|------------|----------|--|--|--|--|
| File                        | Statements | Branches |  |  |  |  |
| fifo.v                      | 22         | 7        |  |  |  |  |
| fifo sva.sv                 | 14         | 4        |  |  |  |  |

| Assertion Coverage |                                  |        |                   |              |               |              |            |  |
|--------------------|----------------------------------|--------|-------------------|--------------|---------------|--------------|------------|--|
| ld                 | Property                         | Kind   | Proof Result      | Proof Radius | Cover Result  | Cover Radius | Quantified |  |
| 0                  | sva/u fifo /as empty after reset | assert | FORMAL_PROOF      | infinite     | COVER_PASS    | 1            | yes        |  |
| 1                  | sva/u fifo /as empty to full     | assert | FORMAL_PROOF      | infinite     | COVER_PASS    | 1            | yes        |  |
| 2                  | sva/u fifo /as full to empty     | assert | FORMAL_VACUOUS    | infinite     | COVER_VACUOUS | infinite     | no         |  |
| 3                  | sva/u fifo /as ordering check    | assert | FORMAL_PROOF      | infinite     | COVER_PASS    | 2            | yes        |  |
| 4                  | sva/u fifo /am d1 before d2      | assume | FORMAL_ASSUMPTION | infinite     | N/A           | 0            | N/A        |  |
| 5                  | sva/u fifo /am intf full         | assume | FORMAL_ASSUMPTION | infinite     | N/A           | 0            | N/A        |  |
| 6                  | sva/u fifo /am stable d1         | assume | FORMAL_ASSUMPTION | infinite     | N/A           | 0            | N/A        |  |
| 7                  | sva/u fifo /am stable d2         | assume | FORMAL_ASSUMPTION | infinite     | N/A           | 0            | N/A        |  |

| File | File Status |          |        |                                                                                          |  |  |  |
|------|-------------|----------|--------|------------------------------------------------------------------------------------------|--|--|--|
| ld   | File        | Language | Kind   | Full Name                                                                                |  |  |  |
| 0    | fifo.v      | verilog  | design | /home/onespin/my_labs/fifo_quantify_demo_v2/Step3_with_empty_full_checks/rtl/fifo.v      |  |  |  |
| 1    | fifo sva.sv | verilog  | design | /home/onespin/my_labs/fifo_quantify_demo_v2/Step3_with_empty_full_checks/sva/fifo_sva.sv |  |  |  |

#### Vacuous Failure

#### Problem with debugging unreachables



#### **Quantify on FIFO Example—VII** Where are the missing coverage targets?

| 42 | if (!resetn)                                                             | 0R |
|----|--------------------------------------------------------------------------|----|
| 43 | w_ack <= 1'b1;                                                           | 0R |
| 44 | else if (!full)                                                          | 0R |
| 45 | w_ack <= 1'b1;                                                           | 0R |
| 46 | else if (full)                                                           | 0R |
| 47 | w_ack <= 1'b0;                                                           | 0R |
| 48 |                                                                          |    |
| 49 | assign w_ack_o = w_ack;                                                  | 0R |
| 50 | assign r_ack_o = empty ? 1'b0 : (full ? 1'b0 : 1'b1);                    | 1  |
| 51 | assign w_hsk = w_valid_i && w_ack_o;                                     | 0R |
| 52 | assign r_hsk = r_valid_i && r_ack_o;                                     | 1  |
| 53 | assign nxt_wptr = wptr + w_hsk;                                          | 1  |
| 54 | assign nxt_rptr = rptr + r_hsk;                                          | 1  |
| 55 | assign nxt_empty = (empty    r_hsk) && !w_hsk && (nxt_rptr == nxt_wptr); | 1  |
| 56 | // Registered calculations for empty, wptr and rptr                      |    |
| 57 | always @(posedge clk or negedge resetn)                                  |    |
| 58 | if (Iresetn)                                                             | 1  |
| 59 | begin                                                                    |    |
| 60 | empty <= 1'bl;                                                           | 1  |
| 61 | <pre>wptr &lt;= {DEPTH_BITS{1'b0}};</pre>                                | 1  |
| 62 | <pre>rptr &lt;= {DEPTH_BITS{1'b0}};</pre>                                | 1  |
| 63 | end                                                                      |    |
| 64 | else                                                                     | 1  |
| 65 | begin                                                                    |    |
| 66 | <pre>empty &lt;= nxt_empty;</pre>                                        | 1  |
| 67 | <pre>wptr &lt;= nxt_wptr;</pre>                                          | 1  |
| 68 | <pre>rptr &lt;= nxt_rptr;</pre>                                          | 1. |
| 69 | end                                                                      |    |
| 70 |                                                                          |    |
| 71 | // Write the data on a w_hsk                                             |    |
| 72 | always @(posedge clk)                                                    |    |
| 73 | if (w_hsk)                                                               | 1  |
| 74 | data[wptr] <= data_i;                                                    | 1  |
| 75 |                                                                          |    |
| 76 | // Read the data on a r_hsk                                              |    |
| 77 | always @(posedge clk)                                                    |    |
| 78 | if (r_hsk)                                                               | 1  |
| 79 | data_int <= data[nptn];                                                  | 1  |
| 80 |                                                                          |    |
| 81 | assign full = lempty && (rptr == wptr);                                  | 1  |
| 82 | assign empty_o = empty;                                                  | 0R |
| 83 | assign full_o = full;                                                    | 1  |
| 84 | assign data_o = data_int;                                                | 1  |
| 85 | endmodule                                                                |    |
| -  |                                                                          |    |

#### **Missing coverage**

- Unobserved code
- Cannot observe empty!



#### Quantify on FIFO Example—VIII A closer look

| 42 | if (!resetn)                                         | 0  |
|----|------------------------------------------------------|----|
| 43 | w_ack <= 1'b1;                                       | 0  |
| 44 | else if (!full)                                      | 0R |
| 45 | w_ack <= 1'b1;                                       | 0R |
| 46 | else if (full)                                       | 0R |
| 47 | w_ack <= 1'b0;                                       | 0R |
| 48 |                                                      |    |
| 49 | assign w_ack_o = w_ack;                              | 0R |
| 50 | assign r_ack_o = empty ? 1'b(: (full ? 1'b0 : 1'b1); | 1  |
| 51 | assign w_hsk = w_valid_i && w_ack_o;                 | 0R |

This looks buggy ... Let's go and fix it!



#### **Quantify on FIFO Example—IX** After the bug fix on r\_ack\_o design

| Status |                  | Statement | ts     | Branch | es                 |
|--------|------------------|-----------|--------|--------|--------------------|
| 1      | covered          | 17        | 77.27% | 77.    | 27% design covered |
| R      | reached          | 0         | 0.00%  | 0      | 0.00%              |
| U      | unknown          | 0         | 0.00%  | 0      | 0.00%              |
| 0R     | unobserved       | 5         | 22.73% | 3      | 42.86%             |
| 0      | uncovered        | 0         | 0.00%  | 0      | 0.00%              |
| 0C     | constrained      | 0         | 0.00%  | 0      | 0.00%              |
| 0D     | dead             | 0         | 0.00%  | 0      | 0.00%              |
| Sum    | quantify targets | 22        |        | 7      |                    |

| Exclu       | Excluded Code Overview     |            |        |          |        |  |  |  |
|-------------|----------------------------|------------|--------|----------|--------|--|--|--|
| Code Status |                            | Statements |        | Branches | 5      |  |  |  |
| Xu          | excluded by user           | 0          | 0.00%  | 0        | 0.00%  |  |  |  |
| Xr          | excluded redundant code    | 0          | 0.00%  | 0        | 0.00%  |  |  |  |
| Xv          | excluded verification code | 14         | 38.89% | 4        | 36.36% |  |  |  |
| 0/1/U       | quantify targets           | 22         | 61.11% | 7        | 63.64% |  |  |  |
| Sum         | total code                 | 36         |        | 11       |        |  |  |  |

| Structural Cove | erage by File |          |  |  |
|-----------------|---------------|----------|--|--|
| File            | Statements    | Branches |  |  |
| <u>fifo.v</u>   | 22            | 7        |  |  |
| FF              | 44            |          |  |  |

| Ass | ssertion Coverage                |        |                   |              |              |              |            |  |
|-----|----------------------------------|--------|-------------------|--------------|--------------|--------------|------------|--|
| ld  | Property                         | Kind   | Proof Result      | Proof Radius | Cover Result | Cover Radius | Quantified |  |
| 0   | sva/u fifo /as empty after reset | assert | FORMAL_PROOF      | infinite     | COVER_PASS   | 1            | yes        |  |
| 1   | sva/u fifo /as empty to full     | assert | FORMAL_PROOF      | infinite     | COVER_PASS   | 1            | yes        |  |
| 2   | sva/u fifo /as full to empty     | assert | FORMAL_PROOF      | infinite     | COVER_PASS   | 5            | yes        |  |
| 3   | sva/u fifo /as ordering check    | assert | FORMAL_PROOF      | infinite     | COVER_PASS   | 2            | yes        |  |
| 4   | sva/u fifo /am d1 before d2      | assume | FORMAL_ASSUMPTION | infinite     | N/A          | 0            | N/A        |  |
| 5   | sva/u fifo /am intf full         | assume | FORMAL_ASSUMPTION | infinite     | N/A          | 0            | N/A        |  |
| 6   | sva/u fifo /am stable d1         | assume | FORMAL_ASSUMPTION | infinite     | N/A          | 0            | N/A        |  |
| 7   | sva/u fifo /am stable d2         | assume | FORMAL_ASSUMPTION | infinite     | N/A          | 0            | N/A        |  |

| File | File Status   |          |        |                                                                                                                 |  |  |  |
|------|---------------|----------|--------|-----------------------------------------------------------------------------------------------------------------|--|--|--|
| ld   | File          | Language | Kind   | Full Name                                                                                                       |  |  |  |
| 0    | <u>fifo.v</u> | verilog  | design | /home/onespin/my_labs/fifo_quantify_demo_v2/Step4_ordering_empty_and_full_checks_but_fix_rack_o/rtl/fifo.v      |  |  |  |
| 1    | fifo_sva.sv   | verilog  | design | /home/onespin/my_labs/fifo_quantify_demo_v2/Step4_ordering_empty_and_full_checks_but_fix_rack_o/sva/fifo_sva.sv |  |  |  |

Design coverage increased to 77.27% But still missing 22.73%!

Still 22.7% design unobserved



## **Quantify on FIFO Example—X**

Let's dig deeper to find out why

| 43 w_ack <= 1'b1; 0R                                                                                   |                 |
|--------------------------------------------------------------------------------------------------------|-----------------|
|                                                                                                        |                 |
| 44 else if (Ifull) OR                                                                                  |                 |
| 45 w_ack <= 1'b1; 0R                                                                                   |                 |
| 46 else if (full) OR                                                                                   |                 |
| $47 \qquad w_ack <= 1'b0; \qquad \qquad OR$                                                            |                 |
| 48                                                                                                     |                 |
| 49 assign w.ack.o = w.ack; OR                                                                          |                 |
| 50 // Let's fix the r_ack o                                                                            |                 |
| 51 assign r ack o = empty ? 1'b0 : 1'b1;                                                               |                 |
| 52 assign w_hsk = w_yalid_i && w_ack_o; OR                                                             |                 |
| 53 assign r hsk = r valid i 88 r ack o;                                                                |                 |
| 54 assign nxt_wptr = wptr + w_hsk; 1                                                                   |                 |
| 55 assign nxt.rptr = rptr + r_hsk; 1                                                                   |                 |
| 56 assign nxt_empty = (empty    r_hsk) && !w_hsk && (nxt_rptr == nxt_wptr); 1                          |                 |
| 57 // Registered calculations for empty, wptr and rptr                                                 |                 |
| 50 Share Of sector all second sector all                                                               |                 |
|                                                                                                        | $na \circ on$   |
| bi always griposeege (ik of negeoge Peseth)<br>59 <b>if (ireseth)</b><br>60 begin<br>11 Missing covera |                 |
| 61 empty <= 1'b1; 1                                                                                    | 0               |
| 61     eepty <                                                                                         | ا م ما <i>د</i> |
| $63$ rptr $\langle \langle 00PH, BITS(1, be) \rangle$ ; 1 W ack and W                                  | NSK             |
| 64 end                                                                                                 |                 |
| 65 else 1                                                                                              |                 |
| 66 begin                                                                                               |                 |
| 67 empty <= nxt_empty; 1                                                                               |                 |
| 68 wptr <= nxt_wptr; 1                                                                                 |                 |
| <sup>69</sup> rptr (* nxt_rptr; 1<br>70 end                                                            | 200             |
|                                                                                                        | JUE             |
| 71 // Write the data on a w_hsk                                                                        |                 |
| 72 always @(posedge clk)                                                                               |                 |
| 73 if (w_hsk) 1                                                                                        |                 |
| 74 data[wptn] <= data_i; 1                                                                             |                 |
| 75 // Read the data on a r_hsk                                                                         |                 |
| 76 always @(posedge clk)                                                                               |                 |
| 77 if (r_hsk) 1                                                                                        |                 |
| 78 data_int <= data[rptr]; 1                                                                           |                 |
| 79 assign full = lempty && (rptr == wptr); 1                                                           |                 |
| 80 assign empty_o = empty; 1                                                                           |                 |
| 81 assign full_o = full; 1                                                                             |                 |
| 82 assign data_o = data_int; 1                                                                         |                 |
| 83 endmodule                                                                                           |                 |



**Quantify on FIFO Example—XI** Let's go add the remainder checks



#### Quantify on FIFO Example—XII How are we doing now?

| Struc  | tural Coverage Overvi | ew        |        |                               |
|--------|-----------------------|-----------|--------|-------------------------------|
| Status |                       | Statement | ts     | Bray hes                      |
| 1      | covered               | 20        | 90.91% | 90.91% design covered         |
| R      | reached               | 0         | 0.00%  | 0.00%                         |
| U      | unknown               | 0         | 0.00%  | 0 0.00%                       |
| OR     | unobserved            | 2         | 9.09%  | Still 9.09% design unobserved |
| 0      | uncovered             | 0         | 0.00%  |                               |
| 0C     | constrained           | 0         | 0.00%  | 0 0.00%                       |
| 0D     | dead                  | 0         | 0.00%  | 0 0.00%                       |
| Sum    | quantify targets      | 22        |        | 7                             |

| Code S | tatus                      | Statemen | ts                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Branches |        |  |
|--------|----------------------------|----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|--------|--|
| Xu     | excluded by user           | 0        | 0.00%                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | 0        | 0.00%  |  |
| Xr     | excluded redundant code    | 0        | 0.00%                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | 0        | 0.00%  |  |
| Xv     | excluded verification code | 14       | 38.89%                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | 4        | 36.36% |  |
| 0/1/U  | quantify targets           | 22       | 61.11%                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | 7        | 63.64% |  |
| Sum    | total code                 | 36       | A REAL PROPERTY AND A REAL | 11       |        |  |

| Structural Cove | rage by File |          |
|-----------------|--------------|----------|
| File            | Statements   | Branches |
| fifo.v          | 22           | 7        |
| fifo_sva.sv     | 14           | 4        |

| Id | Property                             | Kind   | Proof Result      | Proof Radius | Cover Result | Cover Radius | Quantified |
|----|--------------------------------------|--------|-------------------|--------------|--------------|--------------|------------|
| 0  | sva/u_fifo_/as_empty_after_reset     | assert | FORMAL_PROOF      | infinite     | COVER_PASS   | - 1          | yes        |
| 1  | sva/u fifo /as empty to full         | assert | FORMAL_PROOF      | infinite     | COVER_PASS   | 1            | yes        |
| 2  | sva/u_fifo_/as_full_to_empty         | assert | FORMAL_PROOF      | infinite     | COVER_PASS   | 5            | yes        |
| 3  | sva/u_fifo_/as_ordering_check        | assert | FORMAL_PROOF      | infinite     | COVER_PASS   | 2            | yes        |
| 4  | sva/u_fifo_/as_rhsk_infinitely_often | assert | FORMAL_PROOF      | infinite     | COVER_PASS   | 2            | yes        |
| 5  | sva/u_fifo_/as_whsk_infinitely_often | assert | FORMAL_PROOF      | infinite     | COVER_PASS   | 2            | yes        |
| 3  | sva/u_fifo_/am_d1_before_d2          | assume | FORMAL_ASSUMPTION | infinite     | N/A          | 0            | N/A        |
| 7  | sva/u_fifo_/am_fair_rvalid           | assume | FORMAL_ASSUMPTION | infinite     | N/A          | 0            | N/A        |
| 8  | sva/u_fifo_/am_fair_wvalid           | assume | FORMAL_ASSUMPTION | infinite     | N/A          | 0            | N/A        |
| 9  | sva/u_fifo_/am_intf_full             | assume | FORMAL_ASSUMPTION | infinite     | N/A          | 0            | N/A        |
| 10 | sva/u_fifo_/am_stable_d1             | assume | FORMAL_ASSUMPTION | infinite     | N/A          | 0            | N/A        |
| 11 | sva/u fifo /am stable d2             | assume | FORMAL ASSUMPTION | infinite     | N/A          | 0            | N/A        |

| File | File Status |          |        |                                                                   |  |  |  |  |  |
|------|-------------|----------|--------|-------------------------------------------------------------------|--|--|--|--|--|
| ld   | File        | Language | Kind   | Full Name                                                         |  |  |  |  |  |
| 0    | fifo.v      | verilog  | design | /home/onespin/my_labs/fifo_quantify_demo_v3/Step5/rtl/fifo.v      |  |  |  |  |  |
| 1    | fifo_sva.sv | verilog  | design | /home/onespin/my_labs/fifo_quantify_demo_v3/Step5/sva/fifo_sva.sv |  |  |  |  |  |

#### Design coverage increased to 90.91%



#### **Quantify on FIFO Example—XIII** So what's going on now?

| 43 | if (!resetn)    | 0R |
|----|-----------------|----|
| 44 | w_ack <= 1'b1;  | 0R |
| 45 | else if (!full) | 1  |
| 46 | w_ack <= 1'b1;  | 1  |
| 47 | else if (full)  | 0R |
| 48 | w_ack <= 1'b0;  | 0R |

In the cycle, if the FIFO is full, then we should not accept another write.

However, we only delay the write in the following cycle.

So it looks like we are allowing the write to a full FIFO!

But ... my proofs should have failed .... Why didn't the ordering proof fail?



#### **Quantify on FIFO Example—XIV** Let's look at the constraints

| 33 |                                                                           |
|----|---------------------------------------------------------------------------|
| 34 | // Interface contraints                                                   |
| 35 | <pre>am_intf_full: assume property (full_o  -&gt; !w_hsk    r_hsk);</pre> |
| 36 |                                                                           |

When the FIFO is full, this constraint forces a read in the same cycle when there is a write.

Let's take this constraint away ... and rerun the proofs.



#### Quantify on FIFO Example—XV What happens to proofs now? Two asserts failed

| Proof State     | us: mixed Validity: up to date                         |   |                                                                                                                  |                                                                      |                         |
|-----------------|--------------------------------------------------------|---|------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------|-------------------------|
| nstance 🛛 🛆     | Name                                                   | 1 | Proof Status                                                                                                     | Nitness Statu:                                                       | Validity                |
| ∄ [top]         | !                                                      | - | ! <any statu:="" td="" •<=""><td>! <any !<="" -="" st="" td=""><td><any validity=""></any></td></any></td></any> | ! <any !<="" -="" st="" td=""><td><any validity=""></any></td></any> | <any validity=""></any> |
|                 | Assertions                                             |   |                                                                                                                  |                                                                      |                         |
|                 | sva/u_fifo_/as_empty_after_reset                       |   | hold                                                                                                             | pass (1)                                                             | up_to_date              |
|                 | sva/u_fifo_/as_empty_to_full                           |   | fail (1)                                                                                                         | pass (1)                                                             | up_to_date              |
|                 | sva/u_fifo_/as_full_to_empty                           |   | hold                                                                                                             | pass (5)                                                             | up_to_date              |
|                 | -sva/u_fifo_/as_ordering_check                         |   | fail (8)                                                                                                         | pass (2)                                                             | up_to_date              |
|                 | -sva/u_fifo_/as_rhsk_infinitely_often                  |   | hold                                                                                                             | pass (2)                                                             | up_to_date              |
|                 | sva/u_fifo_/as_whsk_infinitely_often     ⊕-Constraints |   | hold                                                                                                             | pass (2)                                                             | up_to_date              |
|                 | 1                                                      |   |                                                                                                                  |                                                                      |                         |
| L1 items total, | 11 selected by filter                                  |   |                                                                                                                  |                                                                      |                         |
|                 | lessages IIII Progress                                 |   |                                                                                                                  | Shell                                                                |                         |



## **Quantify on FIFO Example—XVI** Let's look at the failing ordering property

|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |                                                                                           |                   |         |                | Wav | eform Viewer:    | sva/u_fifo_/a    | _ordering_ch | neck           |       |                |                  |                |       |                            |          | <br>×             |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|-------------------|---------|----------------|-----|------------------|------------------|--------------|----------------|-------|----------------|------------------|----------------|-------|----------------------------|----------|-------------------|
| File Edit Signals View                                                                                                                                                                                                                                                                                                                                                                                                                                                         |                                                                                           |                   |         |                |     |                  |                  |              |                |       |                |                  |                |       |                            |          |                   |
| 🖬 🔍 🔜 🖬 🍻 🐰                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | h & X                                                                                     | $  \land \land  $ |         | Q & 2          | ]   |                  |                  |              |                |       |                |                  |                |       |                            |          |                   |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | 0 1                                                                                       | 2 3<br>t##-8      | 4 5     | 6 7 8<br>t##-7 | 9 1 | 0 11 12<br>t##-6 | 13 14 15<br>t##- | 16 17<br>5   | 18 19<br>t##-4 | 20 21 | 22 23<br>t##-3 | 24 25            | 26 27<br>t##-2 | 28 29 | 30 <mark>3</mark> .<br>t## | <br>33 3 | 5 36<br><b>#0</b> |
| -© clk         0           - resetn         1           - u_fifo_/sampled_out_d2         0           - u_fifo_/sampled_in_d1         1           - u_fifo_/sampled_in_d2         1           - u_fifo_/sampled_out_d1         0           - u_fifo_/resetn         1           E- Related signals         0           - r_hsk         0           - full_0         0           B- data         {0, 0, 3, 3           E- u_fifo_/d1         3           E- u_fifo_/d2         1 | <br> | {0, 0, 0, 0       | D}<br>0 |                |     |                  | 3, 0}            |              |                | 1     |                | (i(0, 0, 3, i))) | 1}             |       |                            |          |                   |



#### **Quantify on FIFO Example—XVII** What does our coverage look like?

| Status |                  | Statemen | ts     |   | Branche | es               |
|--------|------------------|----------|--------|---|---------|------------------|
| 1      | covered          | 14       | 63.64% |   | 3       | 42.86%           |
| R      | reached          | 0        | 0.00%  |   | 0       | 0.00%            |
| U      | unknown          | 0        | 0.00%  | 4 | 0       | 0.00%            |
| 0R     | unobserved       | 8        | 36.36% |   | 2       | 6.36% unobserved |
| 0      | uncovered        | 0        | 0.00%  |   |         |                  |
| 0C     | constrained      | 0        | 0.00%  |   | 0       | 0.00%            |
| 0D     | dead             | 0        | 0.00%  |   | 0       | 0.00%            |
| Sum    | quantify targets | 22       |        |   | 7       |                  |

| Exclu  | ded Code Overview          |          |        |          |        |
|--------|----------------------------|----------|--------|----------|--------|
| Code S | Status                     | Statemen | ts     | Branches | 3      |
| Xu     | excluded by user           | 0        | 0.00%  | 0        | 0.00%  |
| Xr     | excluded redundant code    | 0        | 0.00%  | 0        | 0.00%  |
| Xv     | excluded verification code | 14       | 38.89% | 4        | 36.36% |
| 0/1/U  | quantify targets           | 22       | 61.11% | 7        | 63.64% |
| Sum    | total code                 | 36       |        | 11       |        |

| Structural Cover | rage by File |          |
|------------------|--------------|----------|
| File             | Statements   | Branches |
| fifo.v           | 22           | 7        |
| fifo_sva.sv      | 14           | 4        |

#### Coverage reduced..... from 90.91% to 63.64%

| d )<br>) | Property<br>sva/u_fifo_/as_empty_after_reset |     | 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 |                   |              |              |              |            |
|----------|----------------------------------------------|-----|-----------------------------------------|-------------------|--------------|--------------|--------------|------------|
| 0<br>1   | sva/u_fifo_/as_empty_after_reset             |     | Kind                                    | Proof Result      | Proof Radius | Cover Result | Cover Radius | Quantified |
| 1        |                                              | 1   | assert                                  | FORMAL_PROOF      | infinite     | COVER_PASS   | 1            | yes        |
|          | sva/u_fifo_/as_empty_to_full                 |     | assert                                  | FORMAL_NONE       | 0            | COVER_PASS   | 1            | witness    |
| 2        | sva/u_fifo_/as_full_to_empty                 |     | assert                                  | FORMAL_PROOF      | infinite     | COVER PASS   | 5            | yes        |
| 3        | sva/u_fifo_/as_ordering_check                |     | assert                                  | FORMAL_NONE       | 0            |              | NO           | PROOF      |
| 4        | sva/u_fifo_/as_rhsk_infinitely_ofte          | en  | assert                                  | FORMAL_PROOF      | infinite     | COVER_PASS   | 2            | yes        |
| 5        | sva/u_fifo_/as_whsk_infinitely_off           | ten | assert                                  | FORMAL_PROOF      | infinite     | COVER_PASS   | 2            | yes        |
| 6        | sva/u_fifo_/am_d1_before_d2                  |     | assume                                  | FORMAL_ASSUMPTION | infinite     | N/A          | 0            | N/A        |
| 7        | sva/u_fifo_/am_fair_rvalid                   |     | assume                                  | FORMAL_ASSUMPTION | infinite     | N/A          | 0            | N/A        |
| 8        | sva/u_fifo_/am_fair_wvalid                   |     | assume                                  | FORMAL_ASSUMPTION | infinite     | N/A          | 0            | N/A        |
| 9        | sva/u_fifo_/am_stable_d1                     |     | assume                                  | FORMAL_ASSUMPTION | infinite     | N/A          | 0            | N/A        |
| 10       | sva/u_fifo_/am_stable_d2                     |     | assume                                  | FORMAL_ASSUMPTION | infinite     | N/A          | 0            | N/A        |



# Quantify on FIFO Example—XVIII

Fix the bug, prove, then Quantify





#### **Quantify on FIFO Example—XVIII** Let's fix the design and rerun proofs and Quantify

| 40 | assign w_ack_o = full ? 1'b0 : 1'b1;                                     | 1 |
|----|--------------------------------------------------------------------------|---|
| 41 | assign r_ack_o = empty ? 1'b0 : 1'b1;                                    | 1 |
| 42 | assign w_hsk = w_valid_i && w_ack_o;                                     | 1 |
| 43 | assign r_hsk = r_valid_i && r_ack_o;                                     | 1 |
| 44 | assign nxt_wptr = wptr + w_hsk;                                          | 1 |
| 45 | assign nxt_nptr = nptr + n_hsk;                                          | 1 |
| 46 | assign nxt_empty = (empty    r_hsk) && !w_hsk && (nxt_rptr == nxt_wptr); | 1 |
| 47 |                                                                          |   |
| 48 | // Registered calculations for empty, wptr and rptr                      |   |
| 49 | always @(posedge clk or negedge resetn)                                  |   |
| 50 | if (!resetn)                                                             | 1 |
| 51 | begin                                                                    |   |
| 52 | <pre>empty &lt;= 1'b1;</pre>                                             | 1 |
| 53 | <pre>wptr &lt;= {DEPTH_BITS{1'b0}};</pre>                                | 1 |
| 54 | <pre>rptr &lt;= {DEPTH_BITS{1'b0}};</pre>                                | 1 |
| 55 | end                                                                      |   |
| 56 | else                                                                     | 1 |
| 57 | begin                                                                    |   |
| 58 | <pre>empty &lt;= nxt_empty;</pre>                                        | 1 |
| 59 | <pre>wptr &lt;= nxt_wptr;</pre>                                          | 1 |
| 60 | <pre>rptr &lt;= nxt_rptr;</pre>                                          | 1 |
| 61 | end                                                                      |   |
| 62 |                                                                          |   |
| 63 | // Write the data on a w_hsk                                             |   |
| 64 | always @(posedge clk)                                                    |   |
| 65 | if (w_hsk)                                                               | 1 |
| 66 | data[wptr] <= data_i;                                                    | 1 |
| 67 |                                                                          |   |
| 68 | // Read the data on a r_hsk                                              |   |
| 69 | always @(posedge clk)                                                    |   |
| 70 | if (r_hsk)                                                               | 1 |
| 71 | data_int <= data[rptr];                                                  | 1 |
| 72 |                                                                          |   |
| 73 | assign full = lempty && (nptr == wptr);                                  | 1 |
| 74 | assign empty_o = empty;                                                  | 1 |
| 75 | assign full_o = full;                                                    | 1 |
| 76 | assign data_o = data_int;                                                | 1 |
| 77 | endmodule                                                                |   |

100% covered!



#### **Quantify on FIFO Example—XIX** What happened to our constraint?

| Suuc   | tural Coverage Overvi | iew ( |         |        |         |  |
|--------|-----------------------|-------|---------|--------|---------|--|
| Status | Status                |       | 'S      | Branch | es      |  |
| 1      | covered               | 19    | 100.00% | 4      | 100.00% |  |
| R      | reached               | 0     | 0.00%   | 0      | 0.00%   |  |
| U      | unknown               | 0     | 0.00%   | 0      | 0.00%   |  |
| 0R     | unobserved            | 0     | 0.00%   | 0      | 0.00%   |  |
| 0      | uncovered             | 0     | 0.00%   | 0      | 0.00%   |  |
| 0C     | constrained           | 0     | 0.00%   | 0      | 0.00%   |  |
| 0D     | dead                  | 0     | 0.00%   | 0      | 0.00%   |  |
| Sum    | quantify targets      | 19    |         | 4      |         |  |

| Exclu  | ded Code Overview          |          |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |        |        |
|--------|----------------------------|----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|--------|
| Code S | Status                     | Statemen | ts                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Branch | es     |
| Xu     | excluded by user           | 0        | 0.00%                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | 0      | 0.00%  |
| Xr     | excluded redundant code    | 0        | 0.00%                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | 0      | 0.00%  |
| Xv     | excluded verification code | 14       | 42.42%                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | 4      | 50.00% |
| 0/1/U  | quantify targets           | 19       | 57.58%                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | 4      | 50.00% |
| Sum    | total code                 | 33       | and the second s | 8      |        |

| Structural Cove | rage by File |          |
|-----------------|--------------|----------|
| File            | Statements   | Branches |
| <u>fifo.v</u>   | 19           | 4        |
| fifo sva.sv     | 14           | 4        |

| Ass | ertion Coverage                      |        |                   |              |              |              |            |
|-----|--------------------------------------|--------|-------------------|--------------|--------------|--------------|------------|
| Id  | Property                             | Kind   | Proof Result      | Proof Radius | Cover Result | Cover Radius | Quantified |
| 0   | sva/u_fifo_/as_empty_after_reset     | assert | FORMAL_PROOF      | infinite     | COVER_PASS   | 1            | yes        |
| 1   | sva/u_fifo_/as_empty_to_full         | assert | FORMAL_PROOF      | infinite     | COVER_PASS   | 1            | yes        |
| 2   | sva/u_fifo_/as_full_to_empty         | assert | FORMAL_PROOF      | infinite     | COVER_PASS   | 5            | yes        |
| 3   | sva/u_fifo_/as_intf_empty            | assert | FORMAL_PROOF      | infinite     | COVER_PASS   | 1            | yes        |
| 4   | sva/u_fifo_/as_intf_full             | assert | FORMAL_PROOF      | infinite     | COVER_PASS   | 5            | yes        |
| 5   | sva/u_fifo_/as_ordering_check        | assert | FORMAL_PROOF      | infinite     | COVER_PASS   | 2            | yes        |
| 6   | sva/u_fifo_/as_rhsk_infinitely_often | assert | FORMAL_PROOF      | infinite     | COVER_PASS   | 2            | yes        |
| 7   | sva/u_fifo_/as_whsk_infinitely_often | assert | FORMAL_PROOF      | infinite     | COVER_PASS   | 2            | yes        |
| 8   | sva/u_fifo_/am_d1_before_d2          | assume | FORMAL_ASSUMPTION | infinite     | N/A          | 0            | N/A        |
| 9   | sva/u_fifo_/am_fair_rvalid           | assume | FORMAL_ASSUMPTION | infinite     | N/A          | 0            | N/A        |
| 10  | sva/u_fifo_/am_fair_wvalid           | assume | FORMAL_ASSUMPTION | infinite     | N/A          | 0            | N/A        |
| 11  | sva/u_fifo_/am_stable_d1             | assume | FORMAL_ASSUMPTION | infinite     | N/A          | 0            | N/A        |
| 12  | sva/u_fifo_/am_stable_d2             | assume | FORMAL_ASSUMPTION | infinite     | N/A          | 0            | N/A        |



#### **Quantify on FIFO Example—XX** What happened to our constraint? It became a check!

| Status      | ral Coverage Overview Statements                                                                                                            | Branches                     |                   |              |              |              |
|-------------|---------------------------------------------------------------------------------------------------------------------------------------------|------------------------------|-------------------|--------------|--------------|--------------|
| 1           | covered 19 100.00%                                                                                                                          | 4                            | 100.00%           |              |              |              |
| Ass         | ertion Coverage                                                                                                                             |                              |                   |              |              |              |
| ld          | Property                                                                                                                                    | Kind                         | Proof Result      | Proof Radius | Cover Result | Cover Radius |
| 0           | sva/u_fifo_/as_empty_after_reset                                                                                                            | assert                       | FORMAL_PROOF      | infinite     | COVER_PASS   | 1            |
| 1           | sva/u_fifo_/as_empty_to_full                                                                                                                | assert                       | FORMAL_PROOF      | infinite     | COVER_PASS   | 1            |
| 2           | sva/u_fifo_/as_full_to_empty                                                                                                                | assert                       | FORMAL_PROOF      | infinite     | COVER_PASS   | 5            |
| 3           | <u>sva/u_fifo_/as_intf_empty</u>                                                                                                            | assert                       | FORMAL_PROOF      | infinite     | COVER_PASS   | 1            |
| 4           | <u>sva/u_fifo_/as_intf_full</u>                                                                                                             | assert                       | FORMAL_PROOF      | infinite     | COVER_PASS   | 5            |
| 5           | sva/u_fifo_/as_ordering_check                                                                                                               | assert                       | FORMAL_PROOF      | infinite     | COVER_PASS   | 2            |
| 6           | sva/u_fifo_/as_rhsk_infinitely_often                                                                                                        | assert                       | FORMAL_PROOF      | infinite     | COVER_PASS   | 2            |
| 7           | sva/u_fifo_/as_whsk_infinitely_often                                                                                                        | assert                       | FORMAL_PROOF      | infinite     | COVER_PASS   | 2            |
| 8           | <u>sva/u_fifo_/am_d1_before_d2</u>                                                                                                          | assume                       | FORMAL_ASSUMPTION | infinite     | N/A          | 0            |
| 9           | <u>sva/u_fifo_/am_fair_rvalid</u>                                                                                                           | assume                       | FORMAL_ASSUMPTION | infinite     | N/A          | 0            |
| 10          | <u>sva/u_fifo_/am_fair_wvalid</u>                                                                                                           | assume                       | FORMAL_ASSUMPTION | infinite     | N/A          | 0            |
| 11          | <u>sva/u_fifo_/am_stable_d1</u>                                                                                                             | assume                       | FORMAL_ASSUMPTION | infinite     | N/A          | 0            |
| 12          | <u>sva/u_fifo_/am_stable_d2</u>                                                                                                             | assume                       | FORMAL_ASSUMPTION | infinite     | N/A          | 0            |
|             | va/u_fifo_/am_d1_before_d2 assume FORMAL_ASSUMPTION<br>va/u_fifo_/am_fair_rvalid assume FORMAL_ASSUMPTION                                   | infinite N/A<br>infinite N/A | 0 N/A<br>0 N/A    |              |              |              |
| 10 <u>s</u> | va/u_fifo_/am_fair_wvalid assume FORMAL_ASSUMPTION                                                                                          | infinite N/A<br>infinite N/A | 0 N/A<br>0 N/A    |              |              |              |
|             | va/u_fifo_/am_stable_d1         assume         FORMAL_ASSUMPTION           va/u_fifo_/am_stable_d2         assume         FORMAL_ASSUMPTION | infinite N/A                 | 0 N/A<br>0 N/A    |              |              |              |



#### Quantify on FIFO Example—XXI We discover additional requirements on this design

| Status                                   | Iral Coverage Overview Statements                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Branches                                                     |                                           |              |              |              |  |
|------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------|-------------------------------------------|--------------|--------------|--------------|--|
| Assertion Coverage                       |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                              |                                           |              |              |              |  |
| ld                                       | Property                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Kind                                                         | Proof Result                              | Proof Radius | Cover Result | Cover Radius |  |
| 0                                        | sva/u_fifo_/as_empty_after_reset                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | assert                                                       | FORMAL_PROOF                              | infinite     | COVER_PASS   | 1            |  |
| 1                                        | sva/u_fifo_/as_empty_to_full                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | assert                                                       | FORMAL_PROOF                              | infinite     | COVER_PASS   | 1            |  |
| 2                                        | sva/u_fifo_/as_full_to_empty                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | assert                                                       | FORMAL_PROOF                              | infinite     | COVER_PASS   | 5            |  |
| 3                                        | sva/u_fifo_/as_intf_empty                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | assert                                                       | FORMAL_PROOF                              | infinite     | COVER_PASS   | 1            |  |
| 4                                        | <u>sva/u_fifo_/as_intf_full</u>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | assert                                                       | FORMAL_PROOF                              | infinite     | COVER_PASS   | 5            |  |
| 5                                        | sva/u_fifo_/as_ordering_check                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | assert                                                       | FORMAL_PROOF                              | infinite     | COVER_PASS   | 2            |  |
| 3                                        | 4 / Inte                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | erface                                                       | Checks                                    |              |              |              |  |
| 3                                        | 5 as_intf_em                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | pty:                                                         | assert proper                             | ty (empty    | /_o  -> !r   | _hsk);       |  |
| 3                                        | 6 as_intf_fu                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | 11:                                                          | assert proper                             | ty (full_    | _o  -> !w    | _hsk);       |  |
| 9 <u>s</u><br>10 <u>s</u><br>11 <u>s</u> | Valu         tito         /am_d1         before_d2         assume         FORMAL_ASSUMPTION           valu         fifo_/am_fair_tvalid         assume         FORMAL_ASSUMPTION           valu         fifo_/am_fair_tvalid         assume         FORMAL_ASSUMPTION           valu         fifo_/am_fair_tvalid         assume         FORMAL_ASSUMPTION           valu         fifo_/am_stable_d1         assume         FORMAL_ASSUMPTION           valu         fifo_/am_stable_d2         assume         FORMAL_ASSUMPTION | infinite N/A<br>infinite N/A<br>infinite N/A<br>infinite N/A | 0 N/A<br>0 N/A<br>0 N/A<br>0 N/A<br>0 N/A |              |              |              |  |



## **Recap of What We Showed—I** Using coverage for bug hunting

- Without any test bench: Everything uncovered
- Single Ordering Check: Quantify reports 63.64% of design coverage
- We spotted missing checks on empty and full
- We add these checks, Prove -> RTL bug found!
- Fix, Prove, then Quantify
- Still unobserved design -> need to write more checks
- Wrote more checks, re-ran proofs -> expected to see 100% coverage but had 90.91%
- An over-constraint in the test bench was masking another RTL bug!



## **Recap of What We Showed—II**

#### Bugs in your design indicate you do not have 100% coverage

- All proofs marked as proven, AND no property was marked unreachable, AND we had checks on all design statements, AND yet the coverage was not 100%
- Missing coverage forced us to think
- Tool gave hints on where the gaps were
- This allowed us to unearth bugs in design and over-constraints in TB
- We fixed the RTL bug
- Constraints are not required, as design is guaranteed to have the behavior
- In fact, we prove this on the design by proving these two additional assertions
- Overall, we find bugs, remove bad constraints, find more bugs, and enrich our test bench with more good quality checks



## **Verification of I<sup>2</sup>C Serial Protocol**

Case Study: Coverage's Role in the Verification Process



## **Systematic Verification Flow**

Requirement tracing and coverage are of paramount importance





## **Getting the Big Picture of Verification**

Integrated view of verification planning: formal and simulation





#### **Motivation** How do we verify IP blocks implementing off-chip serial protocols?

#### Typically used to connect a number of ICs at relatively low data rates

• I<sup>2</sup>C, SPI, UART, CAN, etc.

#### What would be an ideal approach?

- Verify protocol compliance at the interfaces binding a VIP checker
- · Make use of a scoreboard to check data integrity

#### What is the challenge?

- Even slow SoCs are running at frequencies starting in the range of 10MHz, while I<sup>2</sup>C standard-mode speed is up to 100kHz
  - Do the math: The formal tool needs to check for many cycles in order to prove that a single byte is transferred correctly.



#### I<sup>2</sup>C Bus Protocol What is I<sup>2</sup>C about?





## **Coverage's Role in the Verification Process** Verification concerns: What needs to be verified?





## **Coverage's Role in the Verification Process** What is the very first step?

| Let's analyze the design.                                                                                                                              |                                                   | Language: Verilog                                                                          |                                                                                       |                                                                              |  |
|--------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------|--------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------|------------------------------------------------------------------------------|--|
|                                                                                                                                                        | Primary input signals: 8 (17 bits)                |                                                                                            |                                                                                       |                                                                              |  |
|                                                                                                                                                        |                                                   | Primary o                                                                                  | utput signals:                                                                        | 3 (10 bits)                                                                  |  |
| Let's do an automatic inspection. Why?                                                                                                                 | Primary inout signals: 2 (2 bits)                 |                                                                                            |                                                                                       |                                                                              |  |
|                                                                                                                                                        | State bits (flops): 128                           |                                                                                            |                                                                                       |                                                                              |  |
| <ul> <li>Signal domain violation</li> </ul>                                                                                                            | Assignments: 258 (1034 bits)                      |                                                                                            |                                                                                       |                                                                              |  |
| Dead code                                                                                                                                              | Code branches: 116                                |                                                                                            |                                                                                       |                                                                              |  |
| <ul> <li>Unreachable FSM states</li> </ul>                                                                                                             | <b>FSMs:</b> 2                                    |                                                                                            |                                                                                       |                                                                              |  |
| <ul> <li>Signal toggling</li> </ul>                                                                                                                    | Adders: 0                                         |                                                                                            |                                                                                       |                                                                              |  |
| Validate regulta. Are failing abacks avec                                                                                                              | Multipliers: 0                                    |                                                                                            |                                                                                       |                                                                              |  |
| Validate results: Are failing checks expe                                                                                                              | Primary clocks: 1                                 |                                                                                            |                                                                                       |                                                                              |  |
| <pre>full_case checks: parallel_case checks: resolution_x checks: signal_domain checks: init checks: fsm checks: dead_code checks: stick checks:</pre> | 2  <br>3  <br>2  <br>128  <br>2  <br>134  <br>108 | 2 hold,<br>3 hold,<br>0 hold,<br>0 hold,<br>118 hold,<br>2 hold,<br>134 hold,<br>106 hold, | 0 fail,<br>0 fail,<br>2 fail,<br>2 fail,<br>10 fail,<br>0 fail,<br>0 fail,<br>2 fail, | 0 open<br>0 open<br>0 open<br>0 open<br>0 open<br>0 open<br>0 open<br>0 open |  |





## What Was Achieved? Quantify MDV

| (201-0)     | tural Coverage Overvie                     | STOR THE PARTY AND |        | Dranabaa        |        |
|-------------|--------------------------------------------|--------------------|--------|-----------------|--------|
| Status<br>1 | covered                                    | Statements<br>246  | 96.85% | Branches<br>111 | 99,11% |
| R           | reached                                    | 8                  | 3.15%  | 0               | 0.00%  |
| υ           | unknown                                    | 0                  | 0.00%  | 1               | 0.89%  |
| 0R          | unobserved                                 | 0                  | 0.00%  | 0               | 0.00%  |
| 0           | uncovered                                  | 0                  | 0.00%  | 0               | 0.00%  |
| 0C          | constrained                                | 0                  | 0.00%  | 0               | 0.00%  |
| 0D          | dead                                       | 0                  | 0.00%  | 0               | 0.00%  |
| Sum         | quantify targets                           | 254                |        | 112             |        |
| truct       | quantify targets<br>tural Coverage by File |                    |        |                 |        |
| File Staten |                                            | Staton             | nents  | Branche         | es     |
| File        |                                            | Juten              | Torito | 10000000000     |        |





## Quantify in Action

Spotting over-constrained code—I



core\_cmd <= `I2C\_CMD\_STOP;</pre>

end



## Quantify in Action

Spotting over-constrained code—II





#### **Coverage's Role in the Verification Process** Assertion effort vs. coverage



Coverage vs. Effort



## Summary

## What is the motivation?

- Off-chip serial protocols are everywhere, therefore we need to verify protocol compliance and data integrity
- Verifying serial protocols with formal is challenging

## Why does the approach matter?

- Having a well-defined verification approach helps in achieving great results
- Coverage increases confidence and helps us to easily identify overconstrained, not exercised code
- Collecting regression data over time gives a clear view on where effort is being expended and how things are progressing



## **Quantify: Scalable and Automated**

- Push-button solution
- Unique patented technology
- Much more accurate than cone analysis
- Used by multiple customers on their most critical IP

| Design           | #Code Lines | #Assertions | Runtime |
|------------------|-------------|-------------|---------|
| FIFO             | 321         | 30          | 100s    |
| FSM-DDR2-Read    | 839         | 6           | 106s    |
| vCore-Processor  | 295         | 8           | 204s    |
| Arithmetic Block | 383         | 2           | 257s    |

| Design      | #Code Lines | #Assertions | Real example at Infineon:                                                |
|-------------|-------------|-------------|--------------------------------------------------------------------------|
| IFX-Aurix-1 | 25563       | 85          | Quantify identified verification holes and guided assertion development. |
| IFX-Aurix-2 | 27374       | 157         | New assertions detected critical bugs.                                   |
| IFX-Aurix-3 | 57253       | 253         | Quantify now used to provide management metrics on all designs!          |

http://testandverification.com/DVClub/18\_Nov\_2013/Infineon-HolgerBusch.pdf



## **Quantification of Formal in ISO 26262** Coverage for safety-critical domains



## Problem

- Quantitative assessment of formal verification environment needed
- Example: Qualify verification environment for safety functions

## Solution

- Use observation coverage to identify coverage holes
- Integrate coverage results with simulation coverage

## **Customer Case Study:**

"Formal Safety Verification with Qualified Property Sets" Holger Busch at DAC'14 in Accelerating Productivity Through Formal and Static Methods (Session 38.3)



## **Quantify and Other Coverage Solutions** Why Quantify is a superior coverage tool

| Cone of Influence                                                                                                                                                                                                                            | Proof Core                                                                                                                                                                                                                                                                   |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <ul> <li>Good to spot big gaps quickly</li> <li>Can get false optimism</li> <li>Can hide bugs in the design</li> </ul>                                                                                                                       | <ul> <li>Result depends on selected proof engine</li> <li>More abstract engines produce pessimism</li> <li>Engine dependent results are confusing</li> </ul>                                                                                                                 |
| Mutation                                                                                                                                                                                                                                     | Quantify                                                                                                                                                                                                                                                                     |
| <ul> <li>Overall high run time—one fault at a time</li> <li>Some mutations can cause vacuity</li> <li>Intrusive—mutation applied on RTL</li> <li>Too many iterative compile and runs</li> <li>Covering all locations is expensive</li> </ul> | <ul> <li>Fast execution—multiple faults processed at once</li> <li>Not intrusive—alters the design model, <i>not</i> RTL</li> <li>Just-right level of abstraction</li> <li>Allows better observability</li> <li>Report is meaningful and linked to design browser</li> </ul> |



### **Summary** Continuous feedback for design and verification

## Designer Bring Up

- What can you know about your design without any verification effort?
  - Reachability analysis—find design bugs as you bring up design
  - Redundant code—find wasted area in your design

## Verification Quality and Metrics

- ✤ Metrics indicate gaps in verification and show you where these gaps are
- Quantify tells you where checks are missing
- More checks allow you to identify hidden bugs
- Identify accidental over-constraints; focus on verification
- Push-button, quick to run, easy to read, view linked to design browser
- Single metric provides overall quality



# Thank you!



# **Questions?**

