Professional Documents
Culture Documents
Magellan Ug PDF
Magellan Ug PDF
User Guide
Version C-2009.09
September 2009
Comments?
E-mail your comments about this manual to
magellan-support@synopsys.com.
Copyright Notice and Proprietary Information
Copyright © 2009 Synopsys, Inc. All rights reserved. This software and documentation contain confidential and proprietary
information that is the property of Synopsys, Inc. The software and documentation are furnished under a license agreement and
may be used or copied only in accordance with the terms of the license agreement. No part of the software and documentation may
be reproduced, transmitted, or translated, in any form or by any means, electronic, mechanical, manual, optical, or otherwise, without
prior written permission of Synopsys, Inc., or as expressly provided by the license agreement.
Right to Copy Documentation
The license agreement with Synopsys permits licensee to make copies of the documentation for its internal use only.
Each copy shall include all copyrights, trademarks, service marks, and proprietary rights notices, if any. Licensee must
assign sequential numbers to all copies. These copies shall contain the following legend on the cover page:
“This document is duplicated with the permission of Synopsys, Inc., for the exclusive use of
__________________________________________ and its employees. This is copy number __________.”
Destination Control Statement
All technical data contained in this publication is subject to the export control laws of the United States of America.
Disclosure to nationals of other countries contrary to United States law is prohibited. It is the reader’s responsibility to
determine the applicable regulations and to comply with them.
Disclaimer
SYNOPSYS, INC., AND ITS LICENSORS MAKE NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH
REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Registered Trademarks (®)
Synopsys, AMPS, Arcadia, C Level Design, C2HDL, C2V, C2VHDL, Cadabra, Calaveras Algorithm, CATS, CRITIC,
CSim, Design Compiler, DesignPower, DesignWare, EPIC, Formality, HSIM, HSPICE, Hypermodel, iN-Phase, in-Sync,
Leda, MAST, Meta, Meta-Software, ModelTools, NanoSim, OpenVera, PathMill, Photolynx, Physical Compiler, PowerMill,
PrimeTime, RailMill, RapidScript, Saber, SiVL, SNUG, SolvNet, Superlog, System Compiler, Testify, TetraMAX, TimeMill,
TMA, VCS, Vera, and Virtual Stepper are registered trademarks of Synopsys, Inc.
Trademarks (™)
Active Parasitics, AFGen, Apollo, Apollo II, Apollo-DPII, Apollo-GA, ApolloGAII, Astro, Astro-Rail, Astro-Xtalk, Aurora,
AvanTestchip, AvanWaves, BCView, Behavioral Compiler, BOA, BRT, Cedar, ChipPlanner, Circuit Analysis, Columbia,
Columbia-CE, Comet 3D, Cosmos, CosmosEnterprise, CosmosLE, CosmosScope, CosmosSE, Cyclelink, Davinci, DC
Expert, DC Expert Plus, DC Professional, DC Ultra, DC Ultra Plus, Design Advisor, Design Analyzer, Design Vision,
DesignerHDL, DesignTime, DFM-Workbench, Direct RTL, Direct Silicon Access, Discovery, DW8051, DWPCI,
Dynamic-Macromodeling, Dynamic Model Switcher, ECL Compiler, ECO Compiler, EDAnavigator, Encore, Encore PQ,
Evaccess, ExpressModel, Floorplan Manager, Formal Model Checker, FoundryModel, FPGA Compiler II, FPGA Express,
Frame Compiler, Galaxy, Gatran, HANEX, HDL Advisor, HDL Compiler, Hercules, Hercules-Explorer, Hercules-II,
Hierarchical Optimization Technology, High Performance Option, HotPlace, HSIMplus, HSPICE-Link, iN-Tandem,
Integrator, Interactive Waveform Viewer, i-Virtual Stepper, Jupiter, Jupiter-DP, JupiterXT, JupiterXT-ASIC, JVXtreme,
Liberty, Libra-Passport, Library Compiler, Libra-Visa, Magellan, Mars, Mars-Rail, Mars-Xtalk, Medici, Metacapture,
Metacircuit, Metamanager, Metamixsim, Milkyway, ModelSource, Module Compiler, MS-3200, MS-3400, Nova Product
Family, Nova-ExploreRTL, Nova-Trans, Nova-VeriLint, Nova-VHDLlint, Optimum Silicon, Orion_ec, Parasitic View,
Passport, Planet, Planet-PL, Planet-RTL, Polaris, Polaris-CBS, Polaris-MT, Power Compiler, PowerCODE, PowerGate,
ProFPGA, ProGen, Prospector, Protocol Compiler, PSMGen, Raphael, Raphael-NES, RoadRunner, RTL Analyzer,
Saturn, ScanBand, Schematic Compiler, Scirocco, Scirocco-i, Shadow Debugger, Silicon Blueprint, Silicon Early Access,
SinglePass-SoC, Smart Extraction, SmartLicense, SmartModel Library, Softwire, Source-Level Design, Star, Star-DC,
Star-MS, Star-MTB, Star-Power, Star-Rail, Star-RC, Star-RCXT, Star-Sim, Star-SimXT, Star-Time, Star-XP, SWIFT,
Taurus, TimeSlice, TimeTracker, Timing Annotator, TopoPlace, TopoRoute, Trace-On-Demand, True-Hspice,
TSUPREM-4, TymeWare, VCS Express, VCSi, Venus, Verification Portal, VFormal, VHDL Compiler, VHDL System
Simulator, VirSim, and VMC are trademarks of Synopsys, Inc.
Service Marks (SM)
MAP-in, SVP Café, and TAP-in are service marks of Synopsys, Inc.
SystemC is a trademark of the Open SystemC Initiative and is used under license.
ARM and AMBA are registered trademarks of ARM Limited.
All other product or company names may be trademarks of their respective owners.
Contents
1 Installing and Setting up Magellan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Installing Magellan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Using the Synopsys Installer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Downloading the Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Installing Magellan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Setting up Magellan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Setting up Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Configuring Environment and Path Variables . . . . . . . . . . . . . . . . . . . . . 21
Setting up VCS MX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Testing the Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Checking Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Checking Your Environment and Version of Magellan . . . . . . . . . . . . . . 24
2 Magellan Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
What is Magellan? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Why use Properties/Assertions? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Why use Coverage Goals and High-Coverage Stimulus? . . . . . . . . . . . . . . 27
When to use Magellan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Learning to use Magellan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
In This Chapter
Installing Magellan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Setting up Magellan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Testing the Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Installing Magellan
Magellan is only available from the Synopsys FTP site. Before you download
Magellan, contact your Synopsys Applications Consultant for specific
download instructions and license keys.
System Requirements
Before installing Magellan, be sure you have the following operating system
and tool versions installed on your workstation:
Solaris™ 2.9 or later (32- or 64-bit)
SUSE Linux Enterprise Server 9 (32-bit)
SUSE Linux Enterprise Server 9 (64-bit)—Verilog only
RHEL v4 (32-bit)
RHEL v4 (64-bit AMD Opteron)
For more information, see “Running 64-bit Magellan” on page 142.
VCS 2006.06-SP2-6 and later
or
VCS MX 2006.06-SP2-6 and later (for VHDL and mixed-language designs)
Vera 2005.06-SP1-3 or later (only needed if you are using Vera biasing)
Debussy, Novas 2006.10v2 and later
Synopsys Common Licensing (SCL) v10.9.x and later
Synopsys common licensing software is available on a separate CD. The
SCL documentation set, available on the SCL CD and on the Synopsys
FTP server (ftp://ftp.synopsys.com), includes the following publications:
Licensing QuickStart
This booklet provides instructions for obtaining an electronic copy of
your license key file and for installing and configuring SCL on UNIX and
Windows NT.
Licensing Installation and Administration Guide
This guide provides information about installation and configuration, key
concepts, examples of license key files, maintenance, and
troubleshooting.
6 Change to the full or base release directory. The release directory name is
provided to you by your Synopsys Applications Consultant or CAE. For
example:
Verilog users:
ftp> cd MG_2006.06-SP2-base
VHDL users:
ftp> cd MG_2006.06-SP2-full
7 Use the get command to download the release tar files and
mg_INSTALL_README.txt file. The actual release file names are provided
by your Synopsys Applications Consultant or CAE. What follows is just an
example that shows the naming conventions. For example:
ftp> get mg_vMG_2006.06-SP2-common.tar
ftp> get mg_vMG_2006.06-SP2-suse64.tar
ftp> get mg_vMG_2006.06-SP2-suse32.tar
ftp> get mg_INSTALL_README.txt
Installing Magellan
Before you can install Magellan, you need to download the software from the
Synopsys FTP site (see ““Downloading the Software” on page 17”).
To install Magellan:
1 Navigate to the directory where you want to install Magellan. Note that
Magellan needs up to 1.7 GB of disk space when installed.
When you are finished with the installation process, set your MG_HOME
environment variable to this location.
Setting up Magellan
Make sure Synopsys Common Licensing (SCL) is installed (see “System
Requirements” on page 16).
Setting up Licensing
Before continuing, make sure you’ve received license keys from your
Synopsys Applications Consultant. To set up licensing:
1 Locate and open the license key file on your license server.
3 To read the new license key information, run the lmreread utility (see the
FLEXlm™ End-User Manual).
4 To check for available licenses, use the lmstat utility. For example, to
check for all active licenses, at the UNIX prompt:
% lmstat -a
Note If you add the -waitlic switch to your mgsh invocation, Magellan waits for a
license if none is currently available instead of exiting. For example:
% mgsh -waitlic
Note To avoid unexpected failures that are difficult to debug, set your stacksize and
datasize limits in the shell to unlimited. If there are hard limits in place, see
your system administrator.
Note If you are using Vera biasing, add $VERA_HOME/bin to your path.
VCS and VCS MX require that you include make in your path. For Solaris,
include /usr/ccs/bin in the path. For Linux, include /usr/bin in the path.
Caution On Solaris, do not set the optional VCS_CC environment variable for VCS to a
3.x version of gcc. This can cause the simulator to crash. VCS uses gcc 2.95.2
by default.
Setting up VCS MX
VCS MX use the synopsys_sim.setup file to configure its environment. This
file maps VHDL design library names to specific host directories, sets search
paths, and assigns values to simulation control variables. Magellan
dynamically creates the synopsys_sim.setup in your working directory and
maps the logical library names to physical paths in this file. If this file already
exists in your working directory, Magellan overwrites it. You should remove
any synopsys_sim.setup file in your home or working directory because it can
augment settings and cause problems.
Checking Licenses
You can check that you have all the licenses required to successfully run
Magellan at any time. Magellan requires its own license and a license for
either VCS or VCS MX. If you are using Vera biasing, you also need a Vera
license. To check licenses:
Note If you add the -waitlic switch to your mgsh invocation, Magellan waits for a
license if none is currently available instead of exiting. For example:
% mgsh -waitlic
The -ID switch produces a report that shows the path to the mgsh executable
you are pointing to, along with the build date and version number of Magellan.
The report also shows information about the host machine and current
settings for environment variables required to run Magellan (see Figure 2).
Magellan Shell
---------------
/remote/release/nightly.Wed/sparcOS5/ctg/bin/mgsh
Environment:
- $SNPSLMD_LICENSE_FILE -> 26585@raz:26585@daman
- $LM_LICENSE_FILE -> **NOT SET**
- $MG_HOME -> /remote/release/nightly.Wed
- $VCS_HOME -> /u/ctg/tools/vcs_latest
- $SYNOPSYS -> **NOT SET**
- $DEBUSSY_HOME -> /u/ctg/tools/Debussy_latest
- $LD_LIBRARY_PATH(ctg) ->
/remote/release/nightly.Wed/sparcOS5/ctg/lib
Note For LD_LIBRARY_PATH, the report shows only the library path that is
required to run Magellan.
In This Chapter
What is Magellan? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Why use Properties/Assertions? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Why use Coverage Goals and High-Coverage Stimulus? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
When to use Magellan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Learning to use Magellan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
What is Magellan?
Magellan is a high-capacity functional verification tool that uses static formal
mathematical techniques and dynamic random simulation to test properties or
assertions that are important to the correct operation of your design. Magellan
can also generate high-coverage stimulus for interesting areas of your design
and tell you what states are reachable and unreachable in these targeted
areas given legal input stimulus. This introduction to the tool covers the
following topics:
Why use Properties/Assertions?
Why use Coverage Goals and High-Coverage Stimulus?
When to use Magellan
Learning to use Magellan
Note A formal proof indicates that for any stimulus sequence of arbitrary length, the
property is always true. A proof is valuable because there is no need to verify
the property in simulation, and you don’t need to worry that you didn’t provide
the exact stimulus needed to expose a bug.
To supplement RTL source code coverage, you can use Magellan’s state
coverage tests to try to exercise all possible behaviors of a small, potentially
problematic area of your design. You define the signals of interest in a
coverage goal. Magellan generates the high-coverage stimulus that can flush
out corner-case bugs. Of the total state space for your coverage goal,
Magellan tells you which of the states are reachable, unreachable, and
unknown, and generates a stimulus trace to hit all reachable goals. You can
save this stimulus and reuse it later for high-value regression tests.
You can also use SVA or OVA cover directives to test functional coverage with
high-coverage stimulus generated by Magellan.
The best time to start thinking about applying Magellan to a design verification
project is before you start RTL coding. A little pre-planning maximizes the
Specification
Lint Checking
Initial Verification of Functional
Correctness with Simulator
Magellan
Verify Properties
Random Simulation
System Integration
System-Level Verification
Note You don't need to be familiar with Magellan’s project file syntax in order to use
the tool effectively. You can use the Magellan GUI (mgui) to develop, run, and
monitor test results in Magellan. The GUI includes a context-sensitive,
embedded, HTML-based help system to help you build, run, and monitor tests
(see “Invoking the Magellan GUI” on page 108). There is also a GUI exercise
in the Verilog quick start and extensive use of the GUI in the mixed-language
quick start that can familiarize you with how to use mgui to develop and run
tests in Magellan.
In This Chapter
Quick Start Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Use Smart Defaults to Test SVA/PSL Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Automatically Extracted Properties (AEPs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
SVA Combinational Property Proof . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
SVA Sequential Property Failure and Debug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
SVA Assertion-Style Constraint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
SVA Functional Coverage Goal Covered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
FSM Coverage and Debug Simulation/Synthesis Mismatches . . . . . . . . . . . . . . . . . . . . . . . . . 64
Magellan GUI Debug SVA Property Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Extract Reset State from System-level Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Project Project name and HDL format “Describing the Design” on page 163
Property SVA, PSL, OVA, or RTL properties “Testing Properties” on page 299
% cd /u/me/MG/tutorial/exercises
Directory Contents
1 Open a new file named easy.prj and enter the same command line you use
with VCS to compile your design. Use the -topModule option to identify
the top-level module in your design (des_chip in this example). In
Magellan you use a set_design_info command to define your VCS
command line:
set_design_info -topModule des_chip -vcs { -f
../Rtl/filelist +incdir+../Rtl -sverilog
../Models/mutex.v +define+ASSERT_ON -y
$VCS_HOME/packages/sva +libext+.v
+incdir+$VCS_HOME/packages/sva }
2 Magellan needs to know the names of your clock and reset ports. Use
add_env_port commands to define them. You use the -clock option to
specify the clock period (100 in this example) and the -reset option to
specify the value the reset signal should have at reset (1 in this example).
When you use smart defaults, Magellan uses the opposite value (0 in this
example) for the Random Generation phase that starts when the design
reset is complete:
add_env_port –name clk_st –clock 100
add_env_port –name rst_st –reset 1
4 At the UNIX prompt, start the Magellan shell (called MG shell) and read in
your project file in one step:
% mgsh easy.prj
...
[15] Proven -
des_chip.u_des_core.u_des_unit7.de_d.assert_mutex_inst.
assert_mutex
Before you get started, see “Quick Start Approach” on page 33 and set up
your work area.
With the example design used in this exercise, Magellan finds some full_case
and parallel_case properties to check.
1 At the UNIX prompt, start the Magellan shell (called MG shell). MG shell is
the primary user interface to the tool:
% mgsh
When MG shell is running, the prompt changes to look like this:
mgsh>
2 Using a text editor, open a new file named exercise1.prj and use a
define_project command to set your project name at the top of the file
(exercise1 in this example). The Project module is the container that
creates the project in Magellan.
### Project module ###
define_project exercise1
Note Magellan project files can have any extension you want, but .prj is a
convention that makes it easier to identify your Magellan projects.
3 Add a Design module that describes your design files, include directories,
and top-level module. In this example, we use a define_design
command to define the design (des) and the -topModule option to point
to the top-level module in the design block (des_chip). Once the design is
defined, use a set_design_info -vcs command to point to the design
files and include directories, using the same command-line options you use
with VCS:
### Design module ###
define_design des -topModule des_chip
set_design_info -vcs { -f ../Rtl/filelist
+incdir+../Rtl }
5 Add a Property module that defines the AEPs that you want to test using a
define_aep command. The -allProps switch tells Magellan to test all
property AEPs that it finds in your design, looking for formal proofs or
falsifications.
### Property module ###
define_aep MyAep0 -allProps
6 Add a Session module that defines the Environment and Property modules
to use for the test.
### Session module ###
define_session s1 -env MyEnv
add_session_info s1 -aep MyAep0
7 Save the completed project file (exercise1.prj). When you are done, the file
should look like Example 2.
9 Still at the MG shell prompt, use a run_session command to run the test
by specifying the session that we set up in the project file (s1):
mgsh> run_session s1
10 Magellan builds your design and generates messages telling you about the
various build steps. In this example, you see some warning messages in
the transcript. Don’t worry about them for now. Next, you see a report in the
transcript telling you how many AEPs Magellan found in the example
design:
AEP Summary:
----------------------------------------------
AEP Module: MyAep0, found (104) properties.
----------------------------------------------
12 When you press the Enter key, Magellan prints a brief summary of the test
results for the AEPs found in the design, and returns you to the following
prompt, to tell you that the Session is still alive:
[Clock: 0:06:50] Alive Session: s1
mgsh(alive...)>
13 You can report the results for the AEP properties at any time later in the
session using a list_session_results -long command:
mgsh(alive...)> list_session_results -long
Magellan generates a report on the screen showing you the types of
properties found in separate categories (for example, parallel_case,
full_case) and the status of each property (proven, falsified, or unknown).
For falsified properties, you can use the File and Line numbers to go
back to the source code and correct the errors. Magellan reports the
SimTime in the detailed reports only for falsified properties. You can use
this information to locate a property failure in the waveform viewer. Here is
a sample of the report output that shows results for the first few AEP
properties Magellan found and tested in the session:
AEP Module: MyAep0
Before you get started, see “Quick Start Approach” on page 33 and set up
your work area.
3 Add a Design module that describes your design files, include directories,
and top-level module.
### Design module ###
define_design des -topModule des_chip
set_design_info -vcs { -f ../Rtl/filelist
+incdir+../Rtl -sverilog ../Models/mutex.v
+define+ASSERT_ON -y $VCS_HOME/packages/sva +libext+.v
+incdir+$VCS_HOME/packages/sva }
5 Add a Property module that defines the property that you want to prove or
falsify. Use a define_property -checker command to name the
property (mutex) and tell the tool that we are using the property as a
checker in this test. (The other option is to use a property as a constraint for
a downstream block after you prove it for an upstream block.) Notice how
the two commands in this module both refer to the mutex property. This is
the general rule in Magellan project files. First, you define something, then
you add information to it.
### Property module ###
define_property mutex -checker
add_property_info mutex -scope {*assert_mutex*}
6 Add a Session module that references the property and environment that
you want to use for this test. Notice that in this example we are referring to
the env environment from the Environment module defined earlier. Use an
7 Save the completed project file (exercise2.prj). When you are done, the file
should look like Example 3.
9 Still at the MG shell prompt, use a run_session command to run the test
by specifying the session that we set up in the project file (s2):
mgsh> run_session s2
10 Magellan builds your design and generates messages telling you about the
various build steps. In this example, you see some bounded proof results
(see “About Bounded Proofs” on page 302), followed by formal proofs for
the 16 instances of the mutex property found in the design hierarchy.
When the test run completes, you see the following message:
*** Information: (HVSH-400)
Run (session: s2) finished at time (14:21:51).
Use 'stat -ses' or 'report' command to see results.
>>>> HIT RETURN FOR PROMPT <<<<
When you press the Enter key, Magellan reports the final results for the
mutex property, and returns you to the MG shell prompt. The prompt now
says “alive” to let you know that your MG shell session is still running:
mgsh(alive...)>
11 You can report the results for the mutex property at any time later in the
session using the list_session_results -long command:
mgsh(alive...)> list_session_results -long
Magellan generates the report. There is a separate assertion report for all
16 assertions found in the design hierarchy (O to 15). The following
example shows the first few:
Property Module: mutex
- Instantiation : ../Models/mutex.v:2
- SV Module : Module
- Parent Loc : /vcs/packages/sva/assert_mutex.v:59
...
Before you get started, see “Quick Start Approach” on page 33 and set up
your work area.
3 Add a Design module that describes your design files, include directories,
and top-level module.
### Design module ###
define_design des -topModule des_chip
set_design_info -vcs { -f ../Rtl/filelist
+incdir+../Rtl -sverilog ../Models/pipe_ctrl.v }
5 Add a Property module that defines the property you want to test (prove or
falsify). Use a define_property command to name the property
(pipe_ctrl). The add_property_info -scope command tells
Magellan to test all instances of the assert_pipe_ctrl assertion found
in the design hierarchy.
### Property module ###
define_property pipe_ctrl
add_property_info pipe_ctrl -scope {*assert_pipe_ctrl}
Note We did not use the -checker switch with the define_property command
in this example. This switch is not necessary if you are using an assertion as a
checker, because -checker is the default.
6 Add a Session module that references the property and environment that
you want to use for this test. Notice that in this session, we are referring to
the env environment from the Environment module defined earlier and the
pipe_ctrl property from the Property module defined earlier.
### Session module ###
define_session s3 -env env
add_session_info s3 -prop pipe_ctrl
7 Save the completed project file (exercise3.prj). When you are done, the file
should look like Example 4.
9 Still at the MG shell prompt, use a run_session command to run the test
by specifying the session that we set up in the project file (s3):
mgsh> run_session s3
Magellan builds your design and generates messages telling you about the
various build steps.
10 When the test run completes, you see the following message:
*** Information: (HVSH-400)
Run (session: s3) finished at time (14:21:51).
Use 'stat -ses' or 'report' command to see results.
>>>> HIT RETURN FOR PROMPT <<<<
When you press the Enter key, Magellan reports that the pipe_ctrl
property was falsified (fls) and non-vacuous (vac: 0), and returns you to
the MG shell prompt.
[Clock: 0:00:49] Alive Session: s3
- pipe_ctrl SVA: 1, fls: 1, prv: 0, unk: 0, (vac: 0)
The prompt now says “alive” to let you know that your MG shell session is
still running:
mgsh(alive...)>
11 You can report the results for the pipe_ctrl property at any time later in
the session using a list_session_results -long command:
mgsh(alive...)> list_session_results -long
where dirname is the path name to a directory where you want to store
the test files.
14 When you return to the UNIX prompt, run the test.csh test driver to bring up
the debugger on the trace. The test files are located in
mg_sessionName/test/dirname:
% mg_s3/test/debug_trace/test.csh -dve
15 It takes a while for the debugger to come up. Add the assertion signal
group (assert_pipe_ctrl) to the waveform display and run the
simulation using the run icon (blue arrow facing down). The waveform
display looks similar to Figure 4. The red arrow shows the failure point for
the assert_pipe_ctrl assertion that we defined in the Property module
for this test.
Before you get started, see “Quick Start Approach” on page 33 and set up
your work area.
3 Add a Design module that describes your design files, include directories,
and top-level module.
### Design module ###
define_design des -topModule des_chip
set_design_info -vcs { -f ../Rtl/filelist
+incdir+../Rtl -sverilog ../Models/data_drive_assert.v
../Models/pipe_ctrl.v }
Note You cannot put bind statements inside the module that they are binding (no
self-binding). Move the bind statement outside of the module definition.
5 Add a Property module that defines the property you want to prove or
falsify and the assertion-style constraint you want to use to constrain the
input stimulus.
Use a define_property command to name the property
(pipe_ctrl). The add_property_info -scope
{*assert_pipe_ctrl} command tells Magellan to test all instances
of the assert_pipe_ctrl assertion found in the design hierarchy.
6 Add a Session module that defines the property and environment you want
to use for this test. Notice that in this session, we are referring to two
different properties:
the pipe_ctrl property checker that Magellan attempts to prove or
falsify
the assume property constraint that Magellan uses to constrain the
random input stimulus to the design
### Session module ###
define_session s4 -env env
add_session_info s4 -property pipe_ctrl
add_session_info s4 -property assume
7 Save the completed project file (exercise4.prj). When you are done, the file
should look like Example 5.
9 Still at the MG shell prompt, use a run_session command to run the test
by specifying the session that we set up in the project file (s4):
mgsh> run_session s4
Magellan builds your design and generates messages telling you about the
various build steps.
10 When the test run completes, you see the following message:
*** Information: (HVSH-400)
Run (session: s4) finished at time (14:21:51).
Use 'stat -ses' or 'report' command to see results.
>>>> HIT RETURN FOR PROMPT <<<<
When you press the Enter key, Magellan reports that the pipe_ctrl
property was falsified (fls) and non-vacuous (vac) again, even with the
addition of the constraints:
[Clock: 0:00:16] Alive Session: s4
- pipe_ctrl SVA: 1, fls: 1, prv: 0, unk: 0, (vac: 0)
The prompt now says “alive” to let you know that your MG shell session is
still running:
mgsh(alive...)>
12 When you return to the UNIX prompt, run the dbgSim.csh simulation script
to bring up a debugger on the trace. The debug script is located in the
mg_sessionName/user directory. To run the simulation script and examine
the correctness of the stimulus, type:
% mg_s4/user/dbgSim.csh -dve
13 It takes a while for the debugger to come up. Run the simulation using the
run icon (blue arrow facing down). The waveform viewer looks similar to
Figure 5.
Running functional coverage tests can flush out corner-case bugs and create
high-value regression tests for interesting areas of your design (for example,
state machine control registers, status flags, data path signals, and functional
assertions).
Before you get started, see “Quick Start Approach” on page 33 and set up
your work area.
Add a Design module that describes your design files, include directories,
and top-level module. The ../Models/pipe_ctrl.v SystemVerilog
design file contains the bind that hooks up the cover_pipe_ctrl cover
to the example design.
### Design module ###
define_design des -topModule des_chip
set_design_info -vcs { -f ../Rtl/filelist
+incdir+../Rtl -sverilog ../Models/data_drive_assert.v
../Models/pipe_ctrl.v }
6 Add a Session module that defines the property and environment you want
to use for this test. Notice that in this session, we are referring to a Property
module and a Coverage module. Magellan uses the assume property
constraint to constrain the random input stimulus to the design, and the
cover_pipe_ctrl SVA cover as the coverage goal to test.
### Session module ###
define_session s5 -env env
add_session_info s5 -property assume
add_session_info s5 -coverage cover_pipe_ctrl
7 Save the completed project file (exercise5.prj). When you are done, the file
should look like Example 6.
9 Still at the MG shell prompt, use a run_session command to run the test
by specifying the session that we set up in the project file (s5).
mgsh> run_session s5
Magellan builds your design and generates messages telling you about the
various build steps.
10 When the test run completes, Magellan reports that it reached the
cover_pipe_ctrl SVA cover, and generates the following message:
>>> Running Session: s5
11 When you press the Enter key, Magellan reports that the
cover_pipe_ctrl SVA cover was reached (rch) or covered:
[Clock: 0:00:48] Alive Session: s5
- cover_pipe_ctrl Covers: 1, rch: 1, unr: 0, unk: 0
The prompt now says “alive” to let you know that your MG shell session is
still running:
mgsh(alive...)>
- Random Cycles: 11
- Formal Cycles : 0
- Cover : cover_pipe_ctrl
- Cover Loc : ../Models/pipe_ctrl.v:38
- Scope :
des_chip.u_des_core.u_des_unit0.pipe_ctrl_1
- Instantiation : ../Models/pipe_ctrl.v:42
- SV Module : Module
- Parent Loc : ../Models/pipe_ctrl.v:12
where dirname is the path name to a directory where you want to store
the test files. For example:
mgsh(alive...)> write_session_test cover_pipe_ctrl
15 When you return to the UNIX prompt, run the test.csh test driver to bring up
the debugger on the trace. The test files are located in
mg_sessionName/test/dirname:
% mg_s5/test/cover_pipe_ctrl/test.csh -dve
16 It takes a while for the debugger to comes up. Run the simulation using the
run icon (blue arrow facing down), and review the trace (see Figure 6).
Before you get started, see “Quick Start Approach” on page 33 and set up
your work area.
3 Add a Design module that describes your design files, include directories,
and top-level module.
### Design module ###
define_design des -topModule des_chip
set_design_info -vcs { -f ../Rtl/filelist_bug
+incdir+../Rtl }
5 Add a Coverage module that defines the RTL signals to include in your
coverage goal set. Use a define_coverage command to specify the
coverage goal name (case_coverage). Then use an
add_coverage_info -signals command to define the RTL signals to
include in the coverage goal set. These coverage signals are for a state
machine in the design.
### Coverage module ###
define_coverage case_coverage
add_coverage_info case_coverage -signals {
des_chip.u_des_core.u_des_unit7.dd_decrypt.state[2:0]
des_chip.u_des_core.u_des_unit7.dd_decrypt.ein
des_chip.u_des_core.u_des_unit7.dd_decrypt.i_xfer
}
7 Save the completed project file (exercise6.prj). When you are done, the file
should look like Example 7.
9 Still at the MG shell prompt, use a run_session command to run the test
by specifying the session that we set up in the project file (s6).
mgsh> run_session -compareAlways -compareFullDesign s6
11 When you press the Enter key, the prompt returns and says “paused” to let
you know that your MG shell session has paused so that you can debug
the simulation/synthesis mismatch errors:
mgsh(paused...)>
where dirname is the path name to a directory where you want to store
the test files. For example:
mgsh(paused...)> write_session_test debug
15 When you return to the UNIX prompt, run the test.csh test driver to bring up
the debugger on the trace. The test files are located in
mg_sessionName/test/dirname. Examine the sequentials in the waveform
viewer to see what is causing the mismatches. To run the trace, type:
% mg_s6/test/debug/test.csh -dve
3 From the main menu, choose Edit > Configure/Setup, and select the DVE
radio button at the bottom of the Configure mgui window. Then click the
Done button to dismiss the window.
4 From the main menu, choose File > New Project. The Configure tab at the
top left opens automatically at the correct place to begin defining a new
project: the Project tab.
5 Project Tab. The Project Module Name field is prefilled with a sample
name (myProject), which we can leave as is.
In the File Name field just to the right, type in exercise7.prj and press
the Enter key.
In the System panel immediately below, the Default HDL Format is set
to Verilog. This is the default and that’s what we want for this exercise,
so leave it as is.
In the Design Files tab, the radio button for View Cmd Line is already
selected. Leave that as is, and enter the following VCS command line in
the adjacent window:
-f ../Rtl/filelist +incdir+../Rtl
-sverilog ../Models/pipe_ctrl.v
Then click the Set Command Line button at the lower right of the
window. Magellan updates the MG shell.
right. In the Property Source panel, the SVA/OVA Scope radio button is
already selected. And in the Property Type panel, the Checker radio
button is already selected. Leave these settings as is.
In the Scope Assertion List panel at the bottom of the tab, leave the
“Include” List radio button selected. Then, in the Add/Set scope field,
enter *assert_pipe_ctrl, and click the Add/Set button to the right.
Magellan adds the scope for the assertion to the display above and
updates the MG shell.
10 From the GUI main menu, choose File > Save. Magellan saves the
completed exercise7.prj file in the current working directory. You can later
rerun your tests either from mgui or in batch mode using this project file.
12 Monitor Tab.
After you click the Run/Build button, Magellan displays the Monitor tab.
When the run server starts, the display changes to show you the goals
defined for the test. In this exercise, the goal is the SVA pipe_ctrl
property, which you see displayed in the Property Goals tab. Magellan
falsifies the property (finds a bug) and changes the display to show you
the status (Falsified).
13 Report Tab.
Double-click the Falsified string in the Monitor tab display. Magellan
displays the Report tab, where you can see more information about the
SVA pipe_ctrl property that Magellan falsified.
The Reset State is the value of all sequentials in the design block you are
testing. All formal searches in Magellan begin from the Reset State.
Simulation sequences may return to the Reset State multiple times to try
different random stimulus or to replay error traces calculated by Magellan’s
formal engines. For more information, see “Understanding and Controlling the
Reset State” on page 220.
Before you get started, see “Quick Start Approach” on page 33 and set up
your work area.
2 Add a Design module that describes your design files, include directories,
and top-level module.
### Design module ###
define_design des -topModule des_chip
set_design_info -vcs { -f ../Rtl/filelist
+incdir+../Rtl +define+MEM_RESET }
4 Add a Coverage module that defines some RTL signals in the design to
test.
### Coverage module ###
define_coverage rtl_cover
add_coverage_info rtl_cover -signals {
des_chip.u_des_core.u_des_unit7.dd_decrypt.state[2:0]
}
6 Save the completed project file (exercise8a.prj). When you are done, the
project file for the initial build should look like Example 8.
7 At the UNIX prompt, start MG shell and read in the project file in one step:
% mgsh exercise8a.prj
When the build completes, you see a message similar to the following on
the screen:
*** Information: (HVSH-352)
Build (session: s8a) finished at time (14:26:00 - Jan
28).
Use 'stat -build' command to see results.
>>>> HIT RETURN FOR PROMPT <<<<
Example 9: VCS Simulator Build Script with Reset State Capture Script Call
#$/bin/csh
setenv prjDir ./
setenv srcDir ../Rtl
setenv runDir ./mg_s8a
setenv tbdir ../Models
setenv pliDir `pwd`
unalias rm
/usr/local/bin/rm -rf getDsnStateForMg.v simv csrc
The sample VCS build and run script shown in Example 9 is named
run_vcs_mg_reset.csh. You can find this script in the
$MG_HOME/tutorial/tutorial_verilog/exercises directory. If you are building
a 64-bit simulation executable, use the run_vcs_mg_reset_64.csh
script instead. Note that the -full64 VCS switch is required on 64-bit
platforms.
At the end of Example 9, note the call to the Reset State extraction PLI
script (mgCaptureReset.pl). You also need the +captureState
where:
rst_dir — Optionally, specify the directory name where you want the
generated Reset State files stored. Specifying a directory name here is
recommended because the script generates lots of files in this directory.
The default is the current working directory.
11 The VCS build script takes your platform name as its only required
argument. For 32-bit platforms, the legal values are linux, sparcOS5,
and suse32. For 64-bit platforms, the legal values are amd64, sparc64,
and suse64. For example:
% run_vcs_mg_reset.csh linux
-or-
% run_vcs_mg_reset_64.csh amd64
When the VCS build script completes, you see messages similar to the
following on the screen:
VCS Build Date = Dec 11 2007 21:30:01
Start run at Jan 28 14:26 2008
Simulation starting
getRstStateForMg Using CaptureTime = 100000
Reset deactivated
12 In the output directory (myRst) the PLI script creates a Reset State file
named ResetState.dat. You can now add the custom Reset State specified
in the ResetState.dat file created in the previous step:
set_env_reset env -file ./myRst/ResetState.dat
When you are done revising your Magellan project file, rename the file to
exercise8b.prj. The revised file should look like Example 10.
Example 10: Magellan Project File with Reset State File Specified
13 At the UNIX prompt, start MG shell and read in the revised project file in
one step:
% mgsh exercise8b.prj
When the session run completes, you see messages similar to the
following on the screen:
*** Information: (HVSH-400)
Run (session: s8b) finished at time (14:31:43 - Jan 28).
Use 'list_session', 'stat -ses' or 'report' command to
see results.
When you press the Enter key, Magellan reports summary results for the
rtl_cover coverage goal and returns you to the MG shell prompt.
[Clock: 0:01:06] Alive Session: s8b
- rtl_cover FSM Cov: 8, rch: 5, unr: 3, unk: 0
The prompt now says “alive” to let you know that your MG shell session is
still running:
mgsh(alive...)>
15 You can report detailed results for the rtl_cover goal at any time later in
the session using a list_session_results -long command:
mgsh(alive...)> list_session_results -long
Signals:
- (00)
/des_chip/u_des_core/u_des_unit7/dd_decrypt/state[2]
- (01)
/des_chip/u_des_core/u_des_unit7/dd_decrypt/state[1]
- (02)
/des_chip/u_des_core/u_des_unit7/dd_decrypt/state[0]
Expanded Nets for Coverage Module:
- (00)
des_chip.u_des_core.u_des_unit7.dd_decrypt.state[2]
- (01)
des_chip.u_des_core.u_des_unit7.dd_decrypt.state[1]
- (02)
des_chip.u_des_core.u_des_unit7.dd_decrypt.state[0]
Reached Report (Count: 5)
Bit: 000
012
----------
(RCH 0-- )
(RCH 100 )
Unreachable Report (Count: 3)
Bit: 000
012
----------
(UNR 101 )
(UNR 11- )
Unknown Report (Count: 0)
In This Chapter
Quick Start Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Use Smart Defaults to Test SVA/PSL Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Use Assertions from SVA Checker Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Add Custom SVA/PSL Assertions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Add a Reset Task and an SVA Constraint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Run SVA/PSL Cover Functional Coverage Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Run State Machine Coverage Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Project Project name and HDL format “Describing the Design” on page 163
Property SVA, PSL, OVA, or RTL properties “Testing Properties” on page 299
% cd /u/me/MG/mixed_tutorial/exercises
Directory Contents
1 Open a new file named easy.prj and enter the same command lines you
use with VCS MX to compile your design. In Magellan you use
add_design_info -vhdlan and -vlogan commands to define your
VCS MX command lines. Use a set_design_info -topModule
command to identify the top-level module in the design (see Example 11).
2 Magellan needs to know the names of your clock and reset ports. Use
add_env_port commands to define them. You use the -clock option to
specify the clock period (100 in this example) and the -reset option to
specify the value the reset signal should have at reset (1 in this example).
When you use smart defaults, Magellan uses the opposite value (0 in this
example) for the Random Generation phase that starts when the design
reset is complete:
add_env_port –name clk –clock 100
add_env_port –name rst –reset 1
4 At the UNIX prompt, start the Magellan shell (called MG shell) and read in
your completed project file in one step:
% mgsh easy.prj
[ 0] Proven (Non-vacuous) -
jpeg_top.jpeg0.U_DCT.U_DCT_INPUT.SVA_DCT_READY_FOLLOW_P
ASS
...
Before you get started, see “Quick Start Approach” on page 85 and set up
your work area.
3 From the main menu, select File > New Project and change the File Name
to exercise1.prj. Press Enter to update MG shell. The Top HDL Format field
defaults to Verilog, which is what we are using for this exercise.
4 In the Add/Set Filter field, type ELAB-351 and click the Add/Set button or
press Enter. Magellan adds this message label to the ones that it filters out
from your transcript and log files during the build. Repeat for ELAB-402 and
ELAB-349. You can use this mechanism to filter out any warning or error
messages that you don’t want recorded.
5 Now, create a Design module for the project which specifies the design
files to check. Click the Design tab and change the Top HDL Module name
to jpeg_top. Press Enter to update MG shell. Note that jpeg_top is the
name of the top-level Verilog module that instantiates the JPEG design,
written in VHDL (see Figure 8).
6 In the Design Setup subtab, the Top Module Setup pull-down shows
Verilog (VCS) because we selected Verilog as the Top HDL Format on the
Project tab. Leave the View Command Line radio button selected and enter
the following VCS command in the large window:
-sva_bind ../env/sva_lib_bind.v
7 Click the View Entry Table radio button and leave the Analyze Compiler
pull-down selection showing vlogan. In the text entry field just to the right
enter:
-psl -sverilog ../rtl/jpeg_top.v \
../env/sva_checkers.sva +define+ASSERT_ON -y \
+define+SVA_CHECKER_NO_MESSAGE \
$VCS_HOME/packages/sva +libext+.v \
+incdir+$VCS_HOME/packages/sva
Click the Add/Set button to update MG shell. Magellan displays your vlogan
command in the window on top. Note that we are using the -psl switch
here because there are some PSL assertions in this design environment,
so this is required for compilation. We’ll use them in a later exercise. The
ASSERT_ON compiler directive is needed to turn on assertions in the SVA
standard assertion library. The SVA_CHECKER_NO_MESSAGE compiler
directive filters out checker error messages coming from the SVA standard
assertion library.
8 To specify the VHDL design files, you can set the Analyze Compiler
pull-down menu to vhdlan and enter the commands just as you did for
vlogan in the previous step. But here, we’ll source a Tcl file that contains
the vhdlan commands. At the mgsh> prompt at the bottom of the GUI
window, enter:
mgsh> source design_source.tcl
When you press Enter, Magellan loads the commands and updates the
display in the window above. Sourcing a Tcl file like this is a handy way to
enter long compilation commands that you are using in more than one
Magellan project, as we are here in these Quick Start exercises.
9 Now let’s create the environment around the design. Select the
Environment tab and click the Rename button. Enter env in the small
window that pops up and click OK.
10 In the Setup tab (already selected), select the check box for Search for
SystemVerilog assertions to activate the search.
11 Select the Reset Task tab and enter 20 in the Number of Cycles field. This
specifies the length for the reset sequence to run. Then press Enter.
Magellan updates the MG shell.
13 Next, we’ll define the properties for Magellan to test. Select the Property
tab and then click the Define New button. Enter lib_props in the small
window that pops up and click OK. Magellan updates the display. Notice
that the radio buttons for SVA/OVA scope and the Checker property type
are already selected. These are the defaults and that’s what we want to
use for this exercise.
14 In the Scope Assertion List panel, the Include List radio button is already
selected. Leave that as is and type *LIB_* in the Add/Set Scope text entry
field. You can use wildcard name matching like this to specify which
assertions in your environment you want to test. Click Add/Set to update
MG shell and the display.
16 Click in the Environment Reference field and select env. This is the name
of the environment we set up earlier. In the Add field at the bottom of the
window, select Property Module. Magellan fills in the Name field to the right
with the name of the Property module we set up earlier (lib_props). Click
the Add button to update MG shell and the display above.
17 We now have a complete project file. Let’s save it in case we want to run
the test again later without redefining everything. From the main menu,
select File > Save Project. Magellan saves the project file in the current
working directory with the project name we defined in Step 2
(exercise1.prj). Note that project files can have any extension you want, but
the .prj extension is a Magellan convention that makes it easier to locate
project files later.
18 Now we can run the test. Click the Run tab. Notice that the s_lib_props
Session module that we created earlier is already displayed in the Session
field. If we had defined more than one Session module for this project file,
the pull-down menu would show all of them, and you could choose the one
you want to run.
19 In the Console Log Options subtab, deselect the “Show user simulation
messages in console log” check box. This makes for a cleaner transcript
and a faster run when you have some assertions that fail on every clock
cycle, as there are in this test.
20 In the Run Options tab, Run Normal is already selected. Leave that as is
and click the Run/Build button. While the Run/Build is progressing,
Magellan displays the Monitor tab and shows you the tool’s progress
building the design and testing the properties.
21 To see the test results, select the Report tab. Click the Save button .
Magellan saves the report in HTML format. If you prefer to see a text file
report, type:
mgsh> list_session_results -file report_lib_props
Notice that Magellan proved two of the checkers and falsified two others. In
the next exercise, we’ll show you how to debug falsified properties.
22 From the mgui main menu, select File > Exit. When the Terminate Mgsh
Server window pops up, click the Yes button.
Before you get started, see “Quick Start Approach” on page 85 and set up
your work area.
1 Review the custom SVA and PSL assertions added for this exercise.
3 From the mgui main menu, select File > Open Project and open
exercise2.prj. The GUI loads all the Magellan Tcl commands contained in
the project file and fills up the display. Note that in this exercise we are
using the same Project, Design, and Environment modules that we used in
the first lab (see “Use Assertions from SVA Checker Library” on page 89).
4 But the Property and Session modules are different. Select the different
configuration tabs to see how the project is set up. In particular, look at the
Property tab. Notice that there are two property modules defined for this
project, one that tests the SVA properties (sva_props) and another that
tests the PSL properties (psl_props).
5 Use the Property Module Name pull-down menu to select each property
and review the Scope Assertion List, which determines which assertions in
your design environment are activated for checking. The regular
expression you use can be as simple as *, which means test all. This is
shown with the sva_props property.
6 Select the Run tab. Notice that the s_sva_psl_props session is already
prefilled in the Session module pull-down. In the Console Log Options
subtab, deselect the “Show user simulation messages in console log”
check box. This makes for a cleaner transcript and a faster run when you
have some assertions that fail on every clock cycle, as there are in this test.
7 In the Run Options tab, Run Normal is already selected. Leave that as is
and click the Run/Build button. Magellan displays the Monitor tab so you
can watch the tool’s progress.
9 To debug the falsified properties, select the Run tab again and click the
Debug Testbench button. In the Debug Testbench Setup dialog box that
pops up, DVE is already selected as the debugger. That’s what we’ll use
for this exercise. Click the Filter Debugger Waveform View check box.
Notice that the Failures Only radio button is already selected. We’ll use this
setting so that we see only the falsified assertions in the waveform viewer.
Otherwise, you see all targeted assertions. Click OK to dismiss the dialog
box. The testbench build takes a few minutes.
10 When the DVE waveform viewer comes up, click the run button on the
toolbar and look in the viewer for red arrows that show where
assertions failed (see Figure 9).
11 Exit DVE. Then from the main menu, choose File > Exit to close mgui.
When the Terminate Mgsh Server window pops up, click the Yes button.
12 If you want to replay the test again later, you can. Magellan saves the files
needed to rebuild the testbench in the mg_sessionName/test/mgsh_debug
directory. There is a test.csh test driver in that directory that you can use to
rebuild the test in batch mode. Let’s run the test driver with the -vpd
switch, which causes it to create a VPD file for use in DVE. Use the
following command:
% mg_s_sva_psl_props/test/mgsh_debug/test.csh -vpd
3 From the mgui main menu, select File > Open Project and open
exercise3.prj. Review the information in the Project and Design tabs. Note
that this is the same design used in the first two exercises.
4 To add a custom reset task, select the Environment tab and then the Reset
Task subtab.
5 Select the User Reset Task radio button and enter jpeg_reset_seq in the
Name field. When you press the Tab key, Magellan updates MG shell and
moves the cursor to the next field.
6 In the File field, enter ../env/jpeg_reset.vhd and select vhdl from the
pull-down menu to the right.
7 To add the SVA constraint, first select the Property tab. Click the Define
New button and enter data_constr as the name for the new property in the
small window that pops up.
8 Leave the SVA/OVA scope radio button selected and then select the
Constraint radio button in the Property Type panel.
10 To add this new constraint property to the session, first select the Session
tab. Notice that the two properties we tested in the last exercise are still
displayed in the window (sva_props and psl_props). We’ll test them again
in this exercise, but with the addition of the custom reset task and
assertion-based constraint.
11 In the Add pull-down menu at the bottom of the window, select Property
Module and then choose data_constr from the Name pull-down menu to
the right. Click the Add button on the far right. Magellan updates MG shell
and the display above.
12 Now that we’ve configured our changes to the exercise3 project, let’s save
them so that we can run the project again later without reconfiguring
everything. From the mgui main menu, choose File > Save Project.
Magellan saves the exercise3.prj changes.
13 Select the Run tab and click the Run/Build button. Magellan displays the
Monitor tab so that you can see the tool’s progress. Notice that with the
addition of the SVA constraint, Magellan now proves all of the SVA and
PSL properties used in the test.
14 From the main menu, choose File > Exit to close mgui. When the
Terminate Mgsh Server window pops up, click the Yes button.
15 Let’s use the simulation script that Magellan generates in the user directory
to examine the correctness of the stimulus after the addition of the
constraint we used for this exercise:
% mg_s_constraints/user/dbgSim.csh -dve
3 From the mgui main menu, select File > Open Project and open
exercise4.prj. Click around the configuration tabs to see the information
that was loaded from the project file. Note that this is the same design used
in the last exercise, including the custom reset task and SVA constraint
used for that test.
5 In the Coverage Source panel, the OVA/SVA Scope radio button is already
selected. That’s what we’ll use for this test. In the Add/Set Scope field,
enter *SVA_COV* and click the Add/Set button.
6 Now, define another coverage target, this one is PSL. Click the Define New
button and enter psl_covers. Leave the OVA/SVA Scope radio button
selected. In the Add/Set Scope field, enter *PSL_COV* and click the
Add/Set button.
7 Now let’s add our new coverage targets to a Session module we can run.
Select the Session tab. The s_sva_psl_covers Session module is prefilled
in the Session Module Name pull-down menu. At the bottom of the tab,
select Coverage Module from the Add pull-down menu. Magellan makes
the Coverage modules we just defined available in the Name field. Set the
pull-down menu to sva_covers and click the Add button. Then do the same
thing for psl_covers. When you are done you should see the sva_covers
and psl_covers Coverage modules in the display above, along with the
SVA data_constr Property module we set up in the last exercise.
8 Now that we’ve configured our changes to the exercise4 project, let’s save
the file so that we can run the project again later without reconfiguring
everything. From the mgui main menu, select File > Save Project.
Magellan saves the exercise4.prj changes.
9 Select the Run tab and click the Run/Build button. Magellan displays the
Monitor tab so that you can see the tool’s progress. When the run finishes,
Magellan reaches three of the cover properties and proves that the other
two are uncoverable.
10 Still in the Monitor tab, click the Un-Coverable links to go to the Report tab
and see more information about those coverage goals.
11 To save the test, select the Run tab and click the Save Test button. A small
window pops up prompting you for the name of the directory where your
test files will be stored. At the end of the default path that is displayed,
replace mgsh_debug with trace and click OK.
12 From the mgui main menu, select File > Exit. When the Terminate Mgsh
Server window pops up, click the Yes button.
13 From the UNIX prompt, invoke the test driver script from the directory
where you saved the test:
% mg_s_sva_psl_covers/test/trace/test.csh -dve
14 When the debugger comes up, run the simulation and review the trace.
15 In the middle of the DVE main window, change the pull-down menu to
Cover Properties and double-click a covered property highlighted in green.
DVE brings up the waveform viewer on the cover property (see Figure 12).
From the mgui main menu, select File > Open Project and open
exercise5.prj. Click around the configuration tabs to see the information
that was loaded from the project file. Note that this is the same design used
in the last exercise.
2 To define the RTL signals for the coverage test, select the Coverage tab.
Notice that the data_state_cov Coverage module name is prefilled in the
module name field. Magellan read this data from the exercise5.prj file that
we loaded.
3 Select the RTL radio button in the Coverage Source panel. In the RTL
Signal List panel, add the following signals in the Add/Set Signal text entry
field:
jpeg_top.jpeg0.u_dct.u_dct_buffer_1.data_element_out_1[7:0]
4 Select the Session tab. Notice that the s_data_state_cov Session module
name is prefilled in the module name field. Use the Add pull-down menu to
select Coverage Module. Magellan prefills the name of the Coverage
module we just defined (data_state_cov) in the Name field. Click the Add
button to update MG shell and the display above.
5 Now that we’ve configured our changes to the exercise5 project, let’s save
the file so that we can run the project again later without reconfiguring
everything. From the mgui main menu, choose File > Save Project.
Magellan saves the exercise5.prj changes.
6 Select the Run tab. In the Console Log Options subtab, deselect the “Show
user simulation messages in console log” check box. This makes for a
cleaner transcript and a faster run when you have some assertions that fail
on every clock cycle, as there are in this test.
7 In the Run Options tab, Run Normal is already selected. Leave that as is
and click the Run/Build button. Magellan displays the Monitor tab so that
you can see the tool’s progress.
8 When the run finishes, go to the mgsh> prompt at the bottom of the window
and request a test report:
mgsh > list_session_results -file cov.rpt
9 Use your text editor to view the state coverage report showing the
reachable and unreachable states.
10 From mgui main menu, select File > Exit. When the Terminate Mgsh
Server window pops up, click the Yes button.
In This Chapter
Invoking the Magellan GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Getting Started with MG Shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Using Magellan Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Creating a Magellan Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Using Smart Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Writing and Running Control Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Using Magellan Remotely . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Invoke the GUI stand-alone and let it automatically start an MG shell for
you in the current directory when you create a new project or open an
existing project. Type mgui at the UNIX prompt:
% mgui
Invoke the GUI stand-alone, and connect to an MG shell you already have
running. From the GUI, click on the button.
When you invoke the GUI, and open a new or existing project, the display
looks like Figure 13. Open the Help tab for information on getting started.
Console View
Monitor activity in MG
shell, enter MG shell
commands, and get
command help
-or-
mgsh> mgui -easy
This is like running a job in the background in UNIX. In this mode, there is no
STDIN client.
This mode prevents anyone from attaching to this MG shell using telnet or
mgui.
Curly braces { } create a literal list of arguments. Tcl does not expand Tcl
$ variables inside curly braces. The variable name is interpreted as a
literal. However, the set_design_info -vcs and add_design_info
-vhdlan commands are customized to expand shell environment
variables inside curly braces. This is makes it easier for you to
cut-and-paste your VCS or VCS MX command lines into a Magellan project
file without modifications. For this to work, the environment variables inside
curly braces must be defined in the shell where you started Magellan.
To create a list of evaluated variables, use the list command in square
brackets. For example, [list $var1 $var2].
The pound sign # comments a line in a Tcl script.
For more information about Tcl, see the Tcl Developer Xchange at
http://www.scriptics.com.
mgsh> history ?
Customizing MG Shell
If you want to set Tcl variables or write your own Tcl procedures and load
them every time you start MG shell, you can put them in a file named
.mgsh_rc. Magellan first looks for this file in the current working directory, and
then in your home directory. If the file exists in both locations, Magellan loads
both. Example 12 shows an .mgsh_rc file that declares a Tcl variable and
includes a few Tcl procedures.
Magellan commands follow naming conventions that help you to know when
to use them. The following list shows the general naming conventions:
define/set commands
Define commands create new modules. For example, define_project
creates a new project.
Set commands add or change module definitions for a module that has
already been created. For example, set_project_info adds or
changes information for an existing project.
add/remove commands
Add commands add new information to a module. For example,
add_design_info adds design files to a Design module.
Remove commands delete information from a module. For example,
remove_design_info deletes design files from a Design module.
get commands
Get commands return values that you can use in a Tcl script or procedure.
The return values are strings, a list of strings, or a nested list of key-value
pairs. When used interactively, these commands may not show readable
output.
For information about the current project, enter the status or
list_session_results command at the MG shell prompt.
Note For information on how to simplify your Magellan project files for some
commonly used tests, see “Using Smart Defaults” on page 120.
To get a description and arguments for all commands that include a string,
use the * wildcard. For example:
mgsh> *prop ?
This command returns all the commands with prop in the name.
To view the man page for a command, type man command_name. For
example:
mgsh> man define_project
Man pages for error messages from the Presto compiler are also available
in Magellan. For example:
mgsh> man VHDL-283
Project
Coverage
Environment
Property
Design
Session
Coverage modules
Once you’ve determined the signals that are most interesting for generating
high-coverage stimulus, you can add coverage goals here, in a Coverage
module (see “Testing RTL Signal Coverage” on page 379).
You can define any number of Coverage modules in a project. Give each
Coverage module a unique name, and then list the appropriate signals and
options for that coverage goal.
Session modules
The Session module is where your environment, coverage goals, and
property checkers come together for a test that you can run (see “Running
a Session” on page 140).
You can define any number of Session modules in a project. Give each
Session module a unique name, and then choose the environment and
tests you want to run in that session.
Write the project file using a text editor, and use the read_project
command to load the project into Magellan.
Store the project file in the project directory (see “Understanding the
Directory Structure” on page 136).
Note In this guide, Magellan project files are described in terms of writing a file and
organizing the commands in the file by modules.
To see some complete Magellan project file examples, refer to the “Verilog
Quick Start” on page 31.
Save the project file frequently. Typically, the file name is the design name
with a .prj extension. This is a Magellan convention.
% mgsh projectName.prj
Note The underbar ( _ ) in all the smart defaults module names is reserved. You
cannot use an underbar as the first character in the name for a custom module
that you create.
There are two different types of SVA/PSL and OVL Property module default
names. This allows you to use one Property module for checkers and another
Property module for constraints. There are also three different types of AEP
modules. You can use all three in the same project file using smart defaults.
You can also create custom project file modules using “define” commands and
combine custom modules and smart default modules in the same project file
(see “Mixing Smart Defaults with Custom Modules” on page 128). Custom
module definitions are required if you want to define multiple Environment
modules or dissimilar Property module types such as SVA and OVL in the
same project file.
When you run Example 13, Magellan tests all SVA/PSL assertions found in
the design. Example 14 shows a project file that is functionally equivalent to
Example 13, but defined in the traditional style.
When you use smart defaults, Magellan automatically searches for SVA/PSL
asserts in your design, but does not automatically search for SVA/PSL
constraints. To use constraints, you need to add the following line:
But perhaps you want to more tightly define which assertions are checked and
add constraints for the test. Maybe you also want to check SVA/PSL covers in
your design. In that case you can specify the goal modules yourself and define
the -scope arguments as needed (see Example 16).
Note As soon as you use an “add” or “set” command to specify any goals (including
SVA/PSL asserts) you are no longer using the default goals. In that case
Magellan tests just the smart default goals you specify.
To specify that some assumes in the design be used as assertions you can
say:
add_property_info -checker -scope { b* } -type assume
Or to exclude some assertions from the set that are tested, you can say:
add_property_info -checker -scope { a* } -type assert \
-exclude { nocheck* }
With this command Magellan creates three separate AEP modules, one for
properties (_MgAep), one for line, condition, and FSM coverage tests (_MgCm),
and one for toggle checks (_MgToggle). For more information on the
available AEP tests, see “Testing Automatically Extracted Properties (AEPs)”
on page 367.
With this command, Magellan creates a smart defaults RTL FSM Coverage
module (_MgFsm).
For example:
% mgsh project.prj
mgsh> run_session
Using Example 17, Magellan creates three separate smart defaults session
modules (aluCheck1, aluCheck2, and aluCheck3). Now you can run
those sessions independently, rather than having Magellan target all the goals
in the same run. For example:
% mgsh project.prj
Note If you use the same three commands shown in Example 17 without the
-session option, Magellan adds all three sets of goals to the default session
module (_MgSession).
To add a goal set to multiple sessions, specify those session names in a list for
the -session switch. For example:
add_coverage_info -scope { *chk* } \
-session {aluCheck1 aluCheck2}
To add a goal to all defined sessions (including the default, _MgSession) use
the -allSessions switch. For example:
add_coverage_info -scope { *chk* } -allSessions
For more information on specifying custom project file modules, see the
appropriate chapters in this manual.
read_project uart.prj
run_session cov -blockmode
list_session_results cov
write_session_test fifo_goalset_test
read_project my_project.prj
set ses_list [get_session_info *]
set f [open results.txt w]
foreach s $ses_list {
puts -nonewline $f "Session: $s"
set res [run_session -blockmode -maxTime 1.0 $s]
if {$res=="@runFinish"} {
set proplist [get_session_info -prop $s]
foreach prop $proplist {
set stat [get_session_run_info $s -prop $prop]
set value [lindex $stat 0]
puts $f " Property: $prop -> $value"
}
} else {
puts $f " Error...!"
}
flush $f
}
close $f
Note how the uart_test.tcl script shown in Example 20 calls another script
named run_goal.tcl using the source command.
read_project uart.prj
if [build_session cov -blockmode] {
echo “Run Test”
source run_goal.tcl
echo “Run Complete”
}
Enter the following telnet command to access the MG shell with the
information from the previous example:
% telnet pixie 5557
>Trying 198.182.45.62...
>Connected to pixie.mynetwork.com.
>Escape character is ‘^]’.
Press the Enter key and you are remotely connected to MG shell.
Tip If you have a portable PC, you can start the MG shell in server mode as a
background process, and telnet to it later from a remote site:
% mgsh project.prj -serverModeOnly -port 6000 &
Then use telnet to connect to the server and start a session run. When you are
ready to change locations, unplug your PC. At the new location, use telnet to
connect to the server and continue.
Magellan starts a shell on the remote server. This shell must be initialized to
use the correct environment or the command will fail. Set the environment
using a .cshrc file on the remote server. Or, if you don’t have access to the
remote server, use the set_option command (see “Configuring
Environment and Path Variables” on page 21).
Note If you are using Rational™ ClearCase™, the view to the project must be
correctly initialized or you need to move the design outside of ClearCase.
Example 21 shows a Tcl script that uses a remote host to do a build or run.
if {$results(-build) == 1} {
set_server -build $host
}
if {$results(-run) == 1} {
set_server -run $host
}
}
define_proc_attributes remote \
-info “sets remote host for build, run, or explore” \
-define args {
{-build “build server” ““ boolean optional }
{-run “run server” ““ boolean optional }
}
In This Chapter
Building a Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Understanding the Directory Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Running a Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Understanding Magellan’s Default Run Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Using Run Modes to Tune Magellan’s Run Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Solver Engine Reporting and Reuse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Using Guideposts to Aid Formal Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Distributing Magellan Engines on a Server Farm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Using Breakpoint Options to Control Magellan Runs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Filtering and Reporting Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Building a Session
Before you can successfully build a session, you need to create a project and
define at least the following four modules: Project, Design, Environment, and
Session (see “Understanding the Magellan Project Structure” on page 116).
Each session you define in a Magellan project is built separately. Do not build
one session while another session in the same project is building in another
mgsh process. To build a session:
1 Start MG shell:
% mgsh
If you add the -waitlic switch to your mgsh invocation, Magellan waits
for a license if none is currently available instead of exiting. For example:
% mgsh -waitlic
Note The build_session command has a number of options you can use to build
all or part of the project. For more information, at the MG shell prompt, type
man build_session.
You can also build a session on a remote server (see “Using a Remote
Server” on page 131).
When you build a session, Magellan checks to see if anything has changed
since the last build. Magellan only rebuilds the areas that have changed. To
force a complete rebuild, use the -force switch.
MG Shell
Build Server
Formal Simulation
Build Build
When you build a session, the last step is to prepare the design for the run.
This preparation step reduces the design to the signals included in the
Property and Coverage modules referenced in the session and the transitive
fanin of those signals. This improves Magellan’s performance and increases
the chances that Magellan will prove or falsify properties.
project
directory
... ...
sim
test
user
Note Use a unique working directory for each design. If you put more than one
design in the same project directory, the information in mg_common does not
represent a single design, but a combination of the designs stored in the
project directory.
Also in the project directory, Magellan records every command you enter in
MG shell in the mgsh_commands.log. This is useful for reviewing the
sequence of events. Magellan also stores build messages and every message
issued during a run in the mgsh_messages.log.
The test directory contains test cases generated when you issue the
write_session_test command. Use these files in the simulator for further
design validation.
The sim directory contains all the files the simulator generates during a run.
This includes, for example, waveform dump files.
compile.log
Shows the simulation compile log for the build.
xFile.init
The xFile.init file contains messages about registers that have X values
when the reset sequence finishes.
dbgSim.csh
The dbgSim.csh script invokes the simulator in command-line mode by
default. Add the -dve switch to invoke the Design Visualization
Environment (DVE) GUI. Use the dbgSim.csh script to debug checkers,
constraint models, reset sequences, and so on. See “Using the Simulation
Test Scripts” on page 139.
Depending on your test setup, the user directory may also contain the
following files:
forcedSignals.log
Black box and forced signals report (see “Understanding “forces” in RTL
Simulation Models” on page 181).
latchRemodelWarning.log
Warning messages for unsafe latches found in the design (see
“Remodeling Latches” on page 190).
loops.rpt
Combinational loops report (see “Understanding the Combinational Loops
Report” on page 195).
design_driver.v or design_driver.vhd
Bidirectional port random driver template (see “Using a Template to Write
your own Constraints” on page 198).
2xSystemClock.rpt
Report of conditions that require a 2x system clock (see “2X System Clock
Generation and Reporting” on page 212).
unobservedInputs.log
Report of inputs that cannot affect search results (see “About Waveform
Readability” on page 449).
diagnose.out
Simulation/synthesis mismatch diagnosis report (see “Using Magellan’s
Mismatch Reports” on page 471).
TraceFile.simTime.vcd
VCD trace files (see “Generating VCD Files for Formal Traces” on
page 473).
coi___propName_nonvacuity_n.txt
If the goals in your session do not converge quickly, there is one text file for
each goal in the session, where n equals the goal index number. The files
contain information about the cone of influence for each goal, showing the
sequentials in the cone. You can also generate cone of influence reports
using a report_session -cone command (see “Cone of Influence
Reporting” on page 439).
resetState.diff.n
Reports the registers whose values in a subsequent Reset State don’t
match the values from the initial Reset State (see “Miscompare Warning
Message” on page 252).
To run the simulation test script in the default command-line mode, from the
UNIX prompt, enter:
% mg_sessionName/user/dbgSim.csh
Running a Session
This section explains how to run a session in the following subsections:
“Session Run Basics” on page 140
“Specifying a Debugger for the Run” on page 141
“Running 64-bit Magellan” on page 142
“Managing Memory Resources” on page 142
“Filtering Messages” on page 142
1 Start MG shell:
% mgsh
If you want all dump information for the run in one VPD or FSDB file, use the
-oneDebugFile switch. For example:
If you prefer not to generate waveform files, use the -noDebug switch:
You can also override the default debugger setting using the -fsdb switch for
Debussy/Verdi or -vpd switch for DVE. For example:
If you use the -full64 option and are using Vera biasing, make sure you
also have $VERA_HOME set to a supported 64-bit Vera release.
Filtering Messages
To suppress warning or information messages that you don’t think are
significant, use the add_project_info -msgFilters command.
For example, to filter out messages HVSH-200 and HVSH-201, use the
following command in your project file:
MG Shell
Unreach
Engines
You can combine run_session mode options with breakpoint options in the
same run_session command (see “Using Breakpoint Options to Control
Magellan Runs” on page 156). In addition, you can abbreviate run_session
-mode commands using the shortest unique string from the set of run modes.
If all the properties you test in search-only mode are true, the tool runs
indefinitely unless you limit the run using a break option or the -maxTime
option with your run_session command. For more information on proving
properties and reaching coverage goals, see “Testing Properties” on page 299
and “Testing RTL Signal Coverage” on page 379. You can also use
search-only mode to run guidepost sessions (see “Using Guideposts to Aid
Formal Searches” on page 150).
Note If you use the -compareAlways switch with -mode randomSim in the same
run_session command, Magellan still compares every state at every cycle
beginning at time zero, but does not generate any formal traces.
For example, for each property or coverage goal that converged during the
run, the list_session_results -long command output contains two
additional fields, as shown in Example 23.
In Example 23:
The Solver Engine field tells you which solver engine or algorithm
converged the property or coverage goal.
The Effort Level field tells you how hard the reported solver engine
worked to converge that goal. Possible values for Effort Level include
1 (the default), and 2 through 10.
You can also get summary reports for solver engine performance on your
session using the report_session -stats command. When you run your
session in goal narrowing mode, the report_session -stats output
contains the additional section shown in Example 24.
In Example 24, the most productive combination of solver engine and effort
level was Eng1 at effort level 3, which converged 7 properties (proved 3
and falsified 4).
Be sure to specify a legal solver engine name that maps to a solver engine
name reported by the list_session_results -long (see Example 23 on
page 148) or report_session -stats command (see Example 24 on
page 148). To form a legal solver engine name for the run_session -mode
argument, prepend the word parallel to the reported engine name, as
shown in the following examples:
eng1 or Eng1 maps to parallelEng1
eng2 or Eng2 maps to parallelEng2
...
eng25 or Eng25 maps to parallelEng25
If you specify a solver engine name that is not legal, Magellan issues a
warning message and uses the default engine for that run.
Note Running individual proof engines is not supported in grid mode (see
“Distributing Magellan Engines on a Server Farm” on page 154).
Guideposts give you a way to specify interesting design states that Magellan
can use as starting points for formal searches. For example, to search for a
FIFO overflow condition, it may be useful if the FIFO is full or nearly full before
starting the formal analysis. A potentially useful guidepost is one that is close
to the property in the state space of the design.
For example, to create a guidepost Coverage module that uses SVA covers to
implement guideposts, use a define_coverage -guidePost command.
Example 25: Guideposts Coverage and Session Modules for SVA Covers
For more information on specifying SVA covers, see “Adding SVA/OVA Covers
to the Project File” on page 408.
In Example 25, notice that the Session module also includes a Property
module (p_overflow). This property is the one that Magellan searches for
using the specified guidepost as the starting state for the formal search. To
use guideposts you must run a Session module that specifies both the
Coverage module where the guidepost is defined and the Property module
where the property is defined.
You can use guideposts to aid searches for more than one property at a time.
And you can define more than one guidepost for the properties in that session.
However, Magellan performance is often enhanced when you give the tool
one property and one guidepost in any one session that you run.
For example, to run the guidepost session defined in Example 25, use the
following run_session command:
mgsh> run_session s1 -mode searchOnly
Note When you use search-only run mode, the tool behavior depends on whether
there are any guideposts defined in your project file. If there are no
guideposts, the tool runs the normal search-only mode (see “Run Search
Engines Only Mode” on page 145).
You can run a session that includes guideposts in the default run mode, but in
this case Magellan treats the guideposts as regular coverage goals with no
special significance with regard to aiding property searches.
...
# To use LSF
set_project_info -grid lsf:num -gridOpts { options }
# To use SGE
set_project_info -grid sge:num -gridOpts { options }
The argument to the -grid option takes a string (lsf or sge) to specify the
load sharing software you use. You can optionally specify how many
processors to use with the :num extension. If you don’t include the :num,
Magellan uses a value of 4 by default. The legal values for num are 4, 5, 6, 7,
8, 9, and 15. If you specify 15, Magellan uses some formal engines that are
not part of the normal orchestration, so this may be a good option for
properties that do not converge using other settings.
You can add the -gridOpts option to pass any settings you customarily use
directly to the load sharing software. Make sure these are legal options for the
software you use; Magellan does not check them for correctness. You need to
escape any square brackets in the -gridOpts you specify. For example:
-gridOpts {-R "select\[mem>2000 && (linux || rhel40u4)\]"
-P proj1 -q normal}
You can also specify the same -grid and -gridOpts settings at runtime
using a run_session command. For example, if you are using SGE:
mgsh> run_session sessionName -grid sge \
-gridOpts { options }
Distributed engine options that you specify this way override any settings you
may have in your Magellan project file. With this command, Magellan uses 4
processors (the default) during the run.
If you specify just the -gridOpts, either in the Magellan project file or with a
run_session command, this does not imply a -grid setting. You need to
set the -grid option either in the project file or with the run_session
command to make this work.
Note To distribute Magellan engines on a server farm you must invoke MG shell on
a machine that has dispatch host authority.
Note If you use the -blockMode switch with any of these breakpoint options in the
same run_session command, Magellan respects the command-blocking
feature until the breakpoint condition is met or there are no more unknowns.
You cannot use more than one type of breakpoint option in the same session
run. The syntax for specifying breakpoint options is:
mgsh> run_session sessionName -break breakpointOption
{Rch=n}
Use n to specify the percentage of coverage goal states that must be reached
before Magellan pauses at a breakpoint. For example:
mgsh> run_session sessionName -break {Rch=50}
{Unr=n}
Use n to specify the percentage of coverage goal states that must be
classified as unreachable before Magellan pauses at a breakpoint. For
example:
mgsh> run_session sessionName -break {Unr=10}
{Unk=n}
With this option, Magellan pauses at a breakpoint when the percentage of
coverage goal states classified as unknown falls below n. For example:
mgsh> run_session sessionName -break {Unk=15}
{Dep=n}
Use this option to get a report on bounded proofs when Magellan finds a proof
of n cycles depth on any property in that session. If you have multiple
properties in your session, this breakpoint condition is met when any of them
meets or exceeds the specified number of proof cycles (n). When a property is
proven for n cycles, then it is considered proven for that session. At this point,
Magellan reports the property that met the proof depth requirement and
continues to work on any other properties in that session. For example:
mgsh> run_session sessionName -break {Dep=100}
{Cyc=n}
Specify n number of random simulation cycles for Magellan to run before it
pauses at a breakpoint. Use this option only in conjunction with random
simulation mode (-mode randomSim, see “Run Random Simulation Only
Mode” on page 147) or compare-always mode (-compareAlways, see
“Checking for Mismatches” on page 461).
When you specify the {Cyc=n} breakpoint option and -mode randomSim in
the same run_session command, Magellan pauses at a breakpoint only
when the specified number of random simulation cycles (n) has run.
number of random simulation cycles (n) has run or when there are no
remaining unknowns, whichever comes first. For example:
mgsh> run_session sessionName -mode randomSim -break {Cyc=300}
{P1 | P2 ... }
When you specify this option, Magellan pauses at a breakpoint when any
property used as a checker in either the P1 or P2 property modules is falsified.
Substitute the names of property modules in your project file defined for the
session you are running. You can “or” as many property modules as you want
in this option. If all the properties you test in this mode are true, the tool runs
indefinitely unless you limit the run using the -maxTime option with your
run_session command. For example:
mgsh> run_session sessionName -break {pmod1 | pmod2}
Note The run_session command has a number of other options you can use to
control the test run. For more information, at the MG shell prompt, enter
man run_session.
For example, to report all messages during or after a Magellan session build
or run, use the list_msgs command at the MG shell prompt:
Then add the following line to a Property module in your Magellan project file:
If you want to see just error messages, use the following command:
If you want to see the number of error messages, add the -count switch to
your list_msgs command. For example:
In This Chapter
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Describing the Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Finding Non-Synthesizable Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Managing Non-Synthesizable Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Randomizing X Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Using Partial Designs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Using Verilog Cross-Module References (XMRs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Remodeling Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Remodeling Latches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Controlling Asynchronous Latches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Evaluating Combinational Feedback Loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Working with Bidirectional Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Using DesignWare Components (Verilog only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Initializing Verilog UDPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Working with VHDL and Mixed-language Designs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
If you are using Verilog, you can use your VCS command line to specify the
design files and options. If you are using VHDL or a mixed-language design,
you can use your VCS MX command lines to specify the design files and
options, as explained in the following sections:
“Specifying Files for Verilog Designs” on page 163
“Specifying Files for VHDL Designs” on page 167
“Specifying Files for Mixed-Language Designs” on page 168
“Overriding Top-Level Verilog Parameters or VHDL Generics” on
page 170
Note For information on building partial designs in Magellan, see “Using Partial
Designs” on page 186.
The following VCS command-line options are not compatible with Magellan,
and should not be used:
+cli+n for n < 4
+acc+n for n < 2
+rad
-q
-o exe_filename
In Example 28, the test module uses a port named bitreq that is defined in
the simple_t.master interface modport.
To use the Example 28 design in Magellan, the project file looks like
Example 29.
Example 29: Magellan Project File for SystemVerilog Interface at Top Level
In Example 29:
the add_env_block command specifies the interface definition name with
the -name option (simple_t) and the interface instance with the
-instance option (bitreq).
the add_env_port command specifies the design port used with the
-name option (test.bitreq) and the interface instance modport to use
with the -interface option (bitreq.master).
This example project (Example 29) runs a simple coverage test on the
bitreq.out_data signal.
You can use wildcards to specify the list of VHDL source files, as shown in the
following examples:
add_design_info -vhdlan { -w first_lib_name *.vhd }
add_design_info -vhdlan { -w second_lib_name t*.vhd }
Note Be careful when using wildcards to specify design files. If more than one entity
with the same name is found, you get a compilation error.
logical library for VHDL design files. If you do not specify a logical library for a
-vhdlan command, the default is WORK.
Note VCS MX supports specific data type mappings for port declarations used in
mixed-language instantiations and performs some data type conversions
automatically. For details, see the VCS MX User Guide located in
$VCS_HOME/doc/UserGuide/vcsmx_ug.pdf.
elaborator options. You do not need to specify the top-level entity with -scs
because Magellan gets that information from the -topModule option in the
same project file command (see Example 32).
To build the design and resolve build errors, you can ignore multiple clocks
and complex reset sequences. Example 33 shows an example environment
module.
If you use a specific time unit for your design, declare it with the
define_env -timeUnits command. The default time unit in Magellan is
100 ps. Specify the clock period in terms of the time unit.
Note If your design is written in VHDL, specify the time unit as 1s, 1ms, 1us, 1ps,
1ns, or 1fs. For example, if delays in the design are in nanoseconds, specify
-timeUnits 1ns in the project file.
When Magellan runs the simulator, it uses the options listed with the VCS or
VCS MX command lines you specify with the define_design or
set_design_info commands in the Design module of your project file. For
the best simulation performance, always use the +notimingcheck option.
Magellan needs to know about the clock and reset ports on your design.
Declare them with the add_env_port command (see Figure 33 on
page 171).
Note If you specify Verilog escaped identifiers with the add_env_port command,
be sure to escape the escape (for example, \\n) if your signal name matches
any of the Tcl backslash substitutions.
Adding a Session
You need a Session module in the project file to build the simulation
environment. A minimal session requires a name and an environment. In the
following example, session cov is created using the env_1 environment.
define_session cov -env env_1
You now have enough information to build the design and resolve any build
errors (see “Building a Session” on page 134).
Verilog:
// synopsys translate_off
...code ignored by synthesis...
// synopsys translate_on
VHDL:
-- synopsys translate_off
...code ignored by synthesis...
-- synopsys translate_on
This tells the synthesis tool to ignore code between the directives. Magellan
also ignores the code between these comments for the Formal build.
However, Magellan’s Simulation build includes this code (see “Understanding
the Build Process” on page 135).
For Magellan to do any meaningful validation, the code inside these directives
must not be a critical part of the design’s functionality. This code should only
monitor the design or check a property, as shown in Example 34.
// synopsys translate_off
if (‘verbose_over_write & write_2_replace)
$display(“CAM Error: over write!”);
// synopsys translate_on
If the code within translate directives is a functional part of the design, or you
want to use the checker code in Magellan to formally prove a property, see
“Managing Non-Synthesizable Code” on page 176.
ASIC Libraries
ASIC libraries often use non-synthesizable code to describe the behavior of
technology cells. This is only an issue for Magellan if a cell is instantiated in
the design. When a cell is instantiated in the design, Magellan searches for
the component’s code in the ASIC library and includes it in the build.
Rewriting Code
Rewriting the non-synthesizable code ensures that Magellan evaluates a
complete design with all the available environmental information.
If you have not synthesized the design yet, use a synthesis policy checker tool
(such as Leda) to determine if the code is synthesizable.
Make sure the new code is functionally equivalent to the previous description.
You can temporarily add a compiler directive that enables you to switch
between the old and new code and compare the simulation results.
This methodology is valuable for many reasons, a few of which are listed
below:
If timing issues are a concern, you can continue to use the original
non-synthesizable code when you simulate your design. Magellan does not
use timing information. It evaluates the design based on clock cycles.
You can validate whether the remodeled code is functionally equivalent to
the original code.
Use the +define option in VCS to toggle between the two code versions.
This may be a good temporary strategy until you’ve confirmed the
remodeled code is equivalent to the original. You can then remove the
compiler directive and the original non-synthesizable code.
begin
if (~reset_)
rstate[1] <= 0;
else if (state_clr)
rstate[1] <= 0;
else if (stat_mask[1])
rstate[1] <= 1;
end
begin
if (~reset_)
rstate[2] <= 0;
else if (state_clr)
rstate[2] <= 0;
else if (stat_mask[2])
rstate[2] <= 1;
end
‘endif
end
In the Magellan project file, define the MAGELLAN macro along with your
set_design_info -vcs or add_design_info -vhdlan commands.
This macro is used by both the Simulator and Formal builds.
Use this methodology with caution. Black boxes can change verification
results by introducing false negatives for properties specified in other portions
of the design. This is only a problem if the black box has significant outputs
that affect portions of your design where you are trying to prove or falsify
properties.
If you want to create a black box for a specific instance of a module, specify
the full hierarchical path to the instance:
You can also use the wildcard (*) to make Magellan create black boxes for all
modules or entities found in files that match that regular expression. For
example:
add_design_info -blackBoxes {ram_*}
If you specify a black box for a module, entity, or instance that does not exist in
the design (perhaps you did not list the file), Magellan treats the unresolved
cell as an implicit black box for the formal model, but the simulation model fails
to build and you get an error message.
Another more subtle cause of unresolved designs is when the design files
specified for the formal model build differ somehow from the files used for the
simulation model. For example, maybe you have a macro defined using a
compiler option that brings in simulation-only code for the simulation model
build. But this code won’t build for the formal model because it is not
synthesizable. In this case, Magellan issues a warning message about
unlinked cells and creates an implicit black box for the unresolved portion of
the design in the formal model.
Note that large numbers of unconstrained free variables can slow simulation
performance considerably, because Magellan has to force random values into
the simulation model for all those signals to match the formal model. In
extreme cases, where there are many thousands of unconstrained free
variables, it is even possible to mask the effectiveness of the run_session
-maxTime command, because the time required to force the random values is
greater than the maximum time set up for the session.
One way to solve this problem is to attach outputs of black box instances to
constraint model outputs using cross-module references. You can set the
value of a black box output from a generator-style constraint model using a
cross-module reference that you establish with the add_env_connect
command in the Environment module of your project file:
add_env_connect env -connect {mydesign.ila.intsig
myConst.sigB}
Another approach is to specify the values for black box output signals using
add_env_port commands. You can use an add_env_port command to
set instance-specific internal signals to constant or random values, and
specify a different value for reset, as shown in the following examples. Note
that paths to internal signals are case-sensitive and use the dot (.) to
separate different levels in the hierarchy. This applies to both Verilog and
VHDL designs.
To set the value of a black box output or other internal signal to a constant
value:
add_env_port envName -constant 0 -name mydes.ila.intsig
To set the value of a black box output or other internal signal to a constant
value for reset:
add_env_port envName -reset 1 -name mydesign.ila.intsig
You don’t need to set black box outputs to random values because that’s what
the tool feeds them by default. However, this can be a useful technique for
other internal signals. To set the value of an internal signal to random values:
add_env_port envName -random -name mydesign.ila.intsig
This command prints the Black Box and Forced Signals Report on the screen
(see Figure 18). The report is also stored in the user directory after you run a
session:
mg_sessionName/user/forcedSignals.log
Figure 18: Black Box and Forced Signals Report Example (forcedSignals.log)
The Black Box Section of the report contains a list of black boxes that
Magellan identified in the design. You may have created black boxes explicitly
using an add_design_info -blackBoxes command (see “Treating
Non-Synthesizable Code as a Black Box” on page 178) or as a side-effect of
testing a partial design (see “Using Partial Designs” on page 186).
Note If a module shows up as unresolved (U) in the Black Box Section of the report
(see Table 5), that means there is no definition for that module in the design
files specified in your project file.
Table 5 explains how to read the Black Box and Forced Signals Log report.
The fields appear from left to right in the report in the order presented.
This module was black boxed (B), resolved (R) in the design, and user-specified (Y).
Forced Signals <simulation_value> Shows the value used in 0 = logic 0
simulation 1= logic 1
F = free variable
S = driven by
<driving_signal>
These forces on black box output signals for your RTL simulation model
effectively mask off the affected inputs from upstream portions of your design,
as shown in Figure 19.
A
X C
B
If you remove an entire module using the Synopsys translate pragmas, this
effectively black boxes that module from the design.
Randomizing X Values
In normal operation, when Magellan finds signals that are explicitly assigned X
values in the design, it optimizes them away as “don’t cares” in the formal
model. However, these X assignments remain in the RTL model as unknowns.
This can lead to simulation/synthesis mismatches if the X assignments occur
during simulation (see “Detecting Simulation/Synthesis Mismatches” on
page 457).
You can preserve explicit X assignments (don’t cares) in the formal model
build so that they become free inputs which take random values. To run
Magellan with X value randomization, add the -xRandom switch to your
define_design command in the Design module of your project file. For
example:
define_design myDesign -topModule top -xRandom
You can also use a set_design_info command to set this up. Here, the
-xRandom option takes a Boolean argument (1 or 0). For example:
set_design_info -xRandom 1
When you run Magellan using the -xRandom build switch/option, the tool runs
only the formal engines. There is no random simulation or trace replay in the
simulator. Instead, Magellan generates a formal VCD file for any property
falsifications.
To get a report on all don’t cares resulting from explicit X assignments in your
design, use a report_session -xRandom command at the MG shell
prompt after your build completes. For example:
mgsh(alive...)> report_session -xRandom
Note If you do not use the -partialDesign switch and any modules or entities
required to elaborate the design are missing from the source file list, Magellan
issues an error message and stops the build.
When you use the -partialDesign switch for your build, the following
features apply:
Circuit elements that have unresolved module/entity definitions after
synthesis are removed.
The forceSignals.log report shows the instances that were black boxed due
to missing module or entity declarations (see Figure 18 on page 182).
The forcedSignals.log report lists the signals that are now unconstrained
free variables due to missing design instances.
Magellan can handle XMRs as long as they are used only for read access. In
procedural code, you can use XMRs only on the right-hand side of an
expression.
Note The only SystemVerilog data types that are supported with XMRs are bit and
logic.
When Magellan detects XMRs in your design, it issues a message to let you
know that an additional recompilation of the HDL is needed:
*** Information: (HVB-931)
XMR signals detected, HDL database being recompiled.
Remodeling Memory
Most on-chip memories are developed using vendor-specific libraries and
tools. These tools typically provide a behavioral description of the memory for
simulation and a database file for use by the synthesis tool.
library IEEE;
use IEEE.std_logic_1164.all;
use IEEE.std_logic_unsigned.all;
entity memory is
port (
CEN, WEN, OEN, clock : in std_logic;
A : in std_logic_vector (10 downto 0);
D : in std_logic_vector (31 downto 0);
Q : out std_logic_vector (31 downto 0));
end memory;
begin
A_in <= A when (A < 1600) else (others => '0');
Q <= Q_reg when (OEN='0') else (others => 'Z');
mem_proc: process (clock) begin
if (clock'event and clock='1') then
if ((CEN='0') and (WEN='0')) then
-- write to memory
mem(conv_integer(A_in)) <= D;
-- data write through
Q_reg <= D;
elsif ((CEN='0') and (WEN='1')) then
-- read from memory
Q_reg <= mem(conv_integer(A_in));
else
-- Nop
Q_reg <= Q_reg;
end if;
end if;
end process;
end architecture;
Remodeling Latches
To improve its capacity to handle large latch-based design blocks, Magellan
automatically remodels safe latches in the formal model of your design.
Magellan does not alter your RTL during this process.
A safe latch is defined as one in which every sequential feeding into the
combinational logic driving the latch is on a different phase of the clock than
the latch being examined.
With unsafe latches that are driven by the same phase of the same clock, data
can ripple through multiple latches. Unsafe latches can also cause
simulation/synthesis mismatches (see “Detecting Simulation/Synthesis
Mismatches” on page 457).
F: flip-flop
L: latch
Pos: Positive
Neg: Negative
SEQ mdb_dcu_m0_ld_hit_me2a_l_mmin_reg(F,Pos)
SEQ m0_lfsel_com_lft_me2b(L,Neg)
Unsafe
SEQ m0_wordhi_ld_lft_me2b(L,Neg)
With this setting in place, Magellan uses SVA stability constraints under the
hood to stabilize primary inputs that drive asynchronous latches directly. To
turn off automatic stability constraints, set the -stability option to 0 (this is
the default). For example:
set_env_info -stability 0
Because automatic stability constraints are active on both edges of the clock,
it is possible to run into dead-ends if you have another constraint for the same
signal that is active on only one edge of the clock. If you encounter this
problem, revise the conflicting constraint so that it is also active on both edges
of the clock. For more information, see “Avoiding Dead-End States” on
page 292
For example, Magellan can validate the loop shown in Figure 22. The blocks
labelled F and G have only combinational design elements. The feedback nets
are labelled fb.
0
FF .
1
fb
X . 0
Y
1
0 fb
1
G .
mode . .
The design shares F and G so that only one copy of each is needed. The
implied mux ensures that the input X never loops through F and G at the
same time. The output Y is only a function of the current value of X and mode,
not any previous values.
S . y
R
. y’
This set-reset (SR) flip-flop remains in one state indefinitely until it is directed
by an input signal to do otherwise. A signal at the S input sets the flip-flop to
the logic 1 state (y=1). A signal at the R input resets the flip-flop to the logic 0
state.
treatment of the loop is transparent and you can be confident that the loop
does not adversely affect the reported results.
Magellan may also generate traces that do not reach the target state when
they are replayed in the simulator. In this situation, you get replay misses. See
“Responding to Replay Misses” on page 462. You may also see warning
messages about replay assignments to artificial inputs. For example:
*** Warning: (HVSI-041)
Unable to drive:0 to un-bound port: qrz_ac
Following the SCC statement are a series of Node statements. Each Node
statement identifies a structural node in the formal model that is in the SCC.
Some of these nodes can be mapped back to the simulation model. However,
not all nodes can be mapped to the RTL model. The Node statements end
with a summary line indicating the number of nodes, the number of snip
points, and the number of copied nodes.
Following the Nodes are a series of LoopPi statements that identify places
where the SCC was snipped. These nets then become artificial inputs to the
design. The names are relative to the formal model and may or may not map
back to the RTL model. Figure 24 shows part of a loops.rpt file.
SCC: 1
Node:/asyncLoop/f/C2/C0/N0
Node:/asyncLoop/f/C2/N2
Node:/asyncLoop/f/N22
Node:/asyncLoop/f_out<0>
Node:/asyncLoop/g_sel/N1
Node:/asyncLoop/g_sel/N2
Node:/asyncLoop/g_in<0>
...
nNodes=159 nSnip=4 nNew=636
LoopPi:/asyncLoop/__LoopIn_/asyncLoop/f_out<3>
LoopPi:/asyncLoop/__LoopIn_/asyncLoop/f_out<2>
LoopPi:/asyncLoop/__LoopIn_/asyncLoop/g_sel/N5
LoopPi:/asyncLoop/__LoopIn_/asyncLoop/f_out<0>
You can use the forcedSignals.log report that Magellan stores in the
mg_sessionName/user directory after you run a session to review the list of
affected bidirectional ports (see Figure 26).
Magellan creates a random driver template that you can use to create a
constraint model which resolves driver conflicts. Copy the design_driver.v or
design_driver.vhd template file from the mg_sessionName/user directory to
another location so that Magellan doesn’t overwrite it on the next session run,
and modify it to drive Z when the internal driver is enabled.
Example 39 shows the Magellan project file commands to add the template to
your environment. In this Verilog-only design example, mux.v is the design
under test and mux_driver.v contains the random driver template. If you
are testing a mixed-language design, use an add_design_info -vlogan
command instead to specify the random driver template file.
Note Only Foundation Library components shipped with Design Compiler are
supported with this methodology.
std_ulogic
std_ulogic_vector
unsigned
signed
integer
natural
enumeration
records
Enumeration types require special handling when they are part of a coverage
goal set. See “Using VHDL Enumeration Signals in a Goal Set” on page 386.
Magellan does not support top-level configurations. If you have one or more
configurations at the top level, reorganize your code so that they are no longer
required at the top level.
For more information, see the VCS MX Simulation Coding and Modeling Style
Guide located in $VCS_HOME/doc/UserGuide/cmsg.pdf.
Note If you use absolute scopes with $hdl_xmr system tasks or hdl_xmr
procedures, you must append top_design to the start of those absolute
scope names. For example:
top_myDesign.myDesign ...
In This Chapter
Understanding the Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Describing the Environment in the Project File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Defining Clocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Understanding and Controlling the Reset State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Configuring Input and Internal Design Signals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Constraining Input Signals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Biasing Random Inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Avoiding Dead-End States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Identifying and Debugging Constraint Conflicts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Figure 27 shows the environmental elements that interface with the design in
Magellan.
Magellan
Constrained Assertion-Style
Stimulus Constraint
Generator Assertion-Style
Constraint
Property
Checker
Design Under Test
Property
Reset Generator-Style Checker
Task Constraint
ConstA
Defining Clocks
If your design contains any state-holding elements, you must define the clocks
in your Magellan project file. Use an add_env_port command to specify
each clock input:
add_env_port envName -name clkName -clock period
where:
clkName is a top-level input port on your design or an environment block,
or a hierarchical pathname of an internal clock signal in the design. You can
use wildcard characters in the clkName to assign multiple clocks with a
single command. You can also use part-select notation to chose individual
bits or words of port or signal arrays.
period is an integer that specifies the number of time units for the clock
period. Because Magellan analyzes design behavior in a cycle-based
manner, the exact value of period is usually not critical, but the following
section provides some guidelines and restrictions
Note To select a word within a two-dimensional array, you must specify the full
range definition (for example mem[20][7:0]).
If your design is written in Verilog, Magellan evaluates the clock cycle as the
period multiplied by the time unit. For example, if the clock period is 100, then
the clock cycle is 100 periods times 100 ps long, or 10 ns. The clock period
must be long enough that any #delay statements in the design do not affect
the results. If a #delay statement does affect the results, you may see a
simulation/synthesis mismatch. As a general rule, the sum of all the #delay
statements on any combinational path must not exceed one quarter of the
system clock period.
If your design is written in VHDL, specify the time unit as 1s, 1ms, 1us, 1ps,
1ns, or 1fs. For example, if delays in the design are in nanoseconds you must
specify define_env -timeUnits 1ns in the project file.
In Example 41:
clk1 has a period of 100. You can optionally use this clock as the basis for
any RTL clock generators you write in the constraint model. Because this
clock definition does not use the -waveform option, Magellan gives it a
50-50 duty cycle by default (that is, -waveform {0 50}).
clk2 has a clock period of 200. The rising edge of clk2 occurs at time 0
and the falling edge occurs at time 150. Magellan automatically creates an
RTL clock generator in the constraint model for this clock.
Note how the rise and fall times are specified in curly braces using the
-waveform option. You can specify pairs of rise and fall times in a pattern that
repeats until the end of the clock period (for example, {50 150 200 250
300 350 400 500}). The transition times must be in ascending order.
option in the Environment module of your project file. For example, the
following command specifies the reset sequence length as 40 cycles of clk1:
set_env_reset -refClock clk1 -defaultLen 40
Using Example 42, if your design contains three clocks named clk1, clk2,
and clk3, Magellan picks up all three clocks and sets the clock period to 100
for each of them. Contrast this result to Example 41 on page 208, where
Magellan also picks up three clocks, but they all have different clock periods.
You cannot force clocks to constant values. Consider the following example. If
your design contains the following signals:
ocp_clock
ocpMCmd[3:0]
ocpSCmdAccept
and you use the following commands in the Environment module of your
project file:
add_env_port envName -name ocp* -constant 1
add_env_port envName *clock -clock 100
But Magellan does not tie ocp_clock to a constant value, because the last
match in the project file wins.
This next example may result in multiple signal matches because a wildcard is
used in the specified internal signal name:
add_env_port envName -name dut.submod*.sig1 -clock 100
For these next few examples, suppose sig1 is a 4-bit vector. In this first
example, the LSB of the sig1 vector is specified as a clock with a period of
100.
add_env_port envName -name sig1[0] -clock 100
In this next example, the next bit in the sig1 vector is specified as a clock with
a period of 100, and rise and fall times of 50 and 100, respectively.
add_env_port envName -name sig1[1] -clock 100 \
-waveform {50 100}
In this example, sig1[2] and sig1[3] are each specified as clocks with
clock periods of 200:
add_env_port envName -name sig1[2:3] -clock 200
If you specify a vector name without an index, Magellan creates clocks for
each signal in the vector. For example:
add_env_port envName -name sig1 -clock 100
For most design environments, the system clock and your design clock or
internal generated master design clock are the same (see “Internal Generated
Master Design Clock” on page 214). In these cases, random inputs change at
the falling edges of the system clock, as shown in Figure 28.
System Clock
Design Clock
Random Inputs
1. Latch
SEQ /xfsm/c is a latch.
3. Other primary inputs in the fan-in cone of the clock pin on a flip-flop
SEQ /chip_top/pad_ring/padi/padi_ctl_obs_tdi/obs_launch_1 is clocked
by PI:/chip_top/ccb_jtslow_clk, not the same as
/chip_top/mg_crg/clk_in.
When Magellan uses a system clock that is twice the frequency of the design
clock, random inputs are available at the positive and negative edges of your
System Clock
Design Clock
Random Inputs
Caution Do not tie Magellan’s internal system clock to any signals in your design for
any reason. This causes undesirable side effects that are difficult to debug.
Note For designs with multiple clocks, the internal generated master design clock is
used as a reference for the creation of Magellan’s system clock. For designs
with one clock, the design clock itself is used as a reference for the creation of
Magellan’s system clock.
This is the simple case. Clk2 has a waveform specified as follows in the
Environment module of the project file:
add_env_port env1 -name clk2 -clock 200 -waveform {0 100}
In this example, Clk2 transitions at time 100, 200, 300 ... All clock transitions
are on the positive edge of the clock. Therefore, Magellan uses the clock cycle
for Clk1 (100) as the system clock cycle.
This is the less obvious case. Clk2 has a waveform specified as follows in the
Environment module of the project file:
add_env_port env1 -name clk2 -clock 300 -waveform {0 150}
In this example, Clk2 transitions at time 150, 300, 450 ... At time 150, Clk1 is
on the negative edge, which cannot be used to generate the transition for
Clk2. Therefore, Magellan calculates a system clock of 50.
period also results in a multiple of two. If the system clock is not a multiple of
two, Magellan errors out and issues the following message:
*** Error: (HVB-176)
System clock period '%d' for Magellan must be
divisible by two. Please change the project file to modify
the clock periods.
To solve this problem, adjust the clock period of the fastest clock in your
design so that it is at least 16 and evenly divisible by 4, and adjust the intervals
between all clock transition times so that they are evenly divisible by 4.
Note If you write your own RTL clock generators, do note use the -waveform
option with the add_env_port command. If you use the -waveform option,
Magellan automatically builds the RTL clock generator for that clock.
Clock
Derived
Clock Clocks
clk1
clk2
Constraint
Model Design Under Test
Random
Inputs
The code that generates the derived clocks must be synthesizable RTL. To
reference the file in a Magellan project, use an add_env_block -clock
command (see Example 55 on page 264). You cannot use assertion-style
constraints to create derived clocks. Use generator-style clock dividers (see
“RTL Clock Generator Examples” on page 218).
Example 45: Clock Generator for Two Clocks with Same Frequency
reg clk1;
reg[3:0] count;
t0 Reset State
The Reset State is the value of all storage elements (registers or latches) in
the design. All formal searches begin from the Reset State. Simulation
sequences may return to the Reset State multiple times to try different random
stimulus or to replay error traces calculated by Magellan’s formal engines.
There are several different techniques you can use to establish the Reset
State for the design. Whichever method you use, Magellan captures the Reset
State from the simulation environment at the end of the first reset sequence.
Later, when Magellan needs to return the simulation to the Reset State, it
injects the remembered Reset State back into the simulator. This section
explains how to control the Reset State in the following subsections:
“Controlling the Reset State” on page 222
“Writing Verilog Reset Sequences” on page 227
“Writing VHDL Reset Sequences” on page 228
“Using Tcl-based Reset or Reset from File” on page 230
“Using PLI/VHPI Routines to Extract a Reset File” on page 247
“Handling Uninitialized Registers” on page 250
“Debugging Reset Sequences” on page 251
Reset State
Sampled
The first reset sequence begins at the first falling edge of the system clock.
When Magellan activates the reset sequence again, it may start on any falling
edge of the system clock.
The system clock period may be half the period of the fastest design clock
(see “Understanding Magellan’s System Clock” on page 212). Derived clocks
may be even slower. To be sure that the reset sequence behavior is
repeatable, it is good practice to synchronize it with all clocks by waiting for a
particular edge of the slowest clock in the design.
set_env_reset [options]
t0 AB CDEFG
System
Clock
rst_n
t0 Applies values specified in initial blocks and sets primary input signals to X
by default (only for first reset). If you need primary inputs to have non-X
values at t0, use an add_env_port -reset command, as shown above.
F Generates xFile.init file, which reports Xs in the Reset State. Note that any
remaining Xs are randomized to 1 or 0 in the simulation model and treated
as free variables (“don’t cares”) in the formal model.
G If first reset, remembers this state for later reuse. If not first reset, reinjects
the first Reset State unless -reuse is set to 0.
The default for any X values in state-holding sequentials that remain at the
end of the Reset phase for the formal model is “don’t care.” This helps reduce
the potential for simulation/synthesis mismatches and replay misses. For
more information, see “Handling Uninitialized Registers” on page 250.
Note When design_signal goes high this does not trigger a Magellan simulator
reset. It just means that when Magellan is ready to do a reset according to its
own algorithms, it checks that design_signal. If it is high, the reset
proceeds. If it is low, the reset is delayed until the design_signal goes high.
where N is the number of system clock cycles that the reset signals are
asserted.
Note Magellan only sets registers that are inferred as sequentials during synthesis.
Also, Magellan cannot set values in state-holding UDPs. Therefore, you need
to initialize them to a logic 0 or a logic 1.
If you want to set all primary inputs (and outputs of blackboxed modules) not
specified with add_env_port -reset commands to constant values during
the Reset Phase, use a set_env_reset -defaultVal command. Legal
values include 1, 0, and X. You cannot specify a Z value with this command.
For example:
set_env_reset envName -defaultVal 0
Note If the range specified with add_env_port -reset is less than the range of
the signal_name, Magellan pads using the default value specified with
set_env_reset -defaultVal.
If you extend or replace the default reset sequence, write the reset code in a
separate file and reference that file in your Magellan project. See “Replacing
the Default Reset Sequence” on page 224.
Note The reset task cannot control the values of design inputs after the end of the
reset task. In general, you must use add_env_port -constant commands
in your project file to hold design reset ports to their inactive values. See
“Setting Input Signals to Constants” on page 253.
Because formal verification starts after the reset sequence, reset code is not
part of the Formal build. See “Understanding the Build Process” on page 135.
At the beginning of the reset sequence, Magellan drives each input on the
design, constraint models, and property checkers that is not connected or
assigned a value with a zero value. Example 49 shows a custom reset task
written in Verilog.
task my_reset;
begin
fpu_wrap_reset = 1; // Assert reset
fpu_wrap_resetDone = 0;
// Hold 40 clocks
repeat (40) @(posedge fpu_wrap_MCLK);
@(negedge fpu_wrap_MCLK);
fpu_wrap_reset = 0; // Drop reset
// Wait 2 clocks
repeat (2) @(posedge fpu_wrap_MCLK);
@(negedge fpu_wrap_MCLK);
fpu_wrap_resetDone = 1;
$display("Initialization complete.\n");
end
endtask
After writing your reset sequence and adding it to the project file, verify that
your reset sequence initializes the design correctly (see “Debugging Reset
Sequences” on page 251).
procedure my_reset is
begin
fpu_wrap_reset <= ‘1’;-- Assert Reset
fpu_wrap_resetDone <= ‘0’;
for i in 0 to 39 loop-- Hold 40 clocks
wait until (fpu_wrap_MCLK = ‘1’);
wait until (fpu_wrap_MCLK = ‘0’);
end loop;
fpu_wrap_reset <= ‘0’;-- Release Reset
for i in 0 to 1 loop-- Wait 2 clocks
wait until (fpu_wrap_MCLK = ‘1’);
wait until (fpu_wrap_MCLK = ‘0’);
end loop;
end;
Note Magellan does not support VHDL reset tasks with pure VHDL designs or
designs that contain SVA or PSL.
After writing a reset sequence and adding it to the project file, verify that it
initializes your design correctly (see “Debugging Reset Sequences” on
page 251).
Referencing Ports
In a VHDL reset file, reference a design port as designTopModule_port.
Reference a port on a constraint or a checker instance as
instanceName_port.
procedure my_reset is
begin
fpu_wrap_reset <= ‘1’;-- Assert Reset
fpu_wrap_resetDone <= ‘0';
wait for simulation_cycle * 40;-- Hold 40 clocks
fpu_wrap_reset <= ‘0’;-- Release Reset
wait for simulation_cycle * 2;-- Wait 2 clocks
end;
Alternatively, you can specify a Reset State using a file that contains Tcl-based
reset commands and point Magellan to this file using a set_env_reset
-scriptFile command in your project file. See “Using Tcl-based Reset” on
page 233.
Using either approach, you set reset values for registers and memories in a
language-correct manner.
Your reset file doesn’t need to specify reset values for all of the state-holding
sequentials in your design. This gives you the flexibility to fill in the blanks
using set_env_reset -value commands. However, keeping most or all of
your reset information in one file can make it easier to manage the Reset State
in Magellan.
The registers and memories in your reset file should be sequentials and
memories inferred from the synthesis process (Magellan ignores them if
they’re not). To create a reset file for Magellan, it is good practice to build your
design first, and then use the output from the analysis phase to identify the
state-holding sequentials for reset. Magellan generates messages during the
build that point you to log files which contain detailed information about the
sequentials in your design, as shown in Figure 34.
Examine the log files from both the Analyze Design and Analyze Environment
phases of the Formal build to locate all of the sequentials inferred in your
design, and add them to your reset file. Each phase generates a separate
information message like the one shown in Figure 34.
S <scopeName>
R <regName> <radix><vecVal>
where:
S <scopeName>
A scope specified as <DUT> means the top-level module or root of the design
(this is the default). Magellan also recognizes <DUT> as a scope in other path
names. You use Verilog format for specifying register names and hierarchy
delimiters, even if your design is in VHDL. For example:
S <DUT> # Current scope is the design root instance
S <DUT>.inst1 # Scope is now inst1 inside the root inst
R bar[7:0] 01101100 # bar[7:0] is in inst1, default
radix is binary
R foo[7:0] h6c #radix is hexadecimal
where:
R <regName> <radix><vecVal>
where:
M <memoryName> <radix> <file_path>
<memoryName> is the name of the memory you want to set up for reset,
followed by the radix and the file_path to the memory file. (The space
between the radix and the file_path is required.) The accepted memory file
formats are Verilog $readmemh and $readmemb for hexadecimal and binary,
respectively (the radix is h or b).
VHDL Style 1
16#FFca23#
2#1111_1110#
-10#23749
VHDL Style 2
B"11111110"
B"1111_1110"
X"FFca23"
O"777"
Verilog
'b11111110
8'b11111110
16'b0011_0101_0001_1111
32'h 12ab_f001
Specifying Memories
For Verilog, specify memories as part selects with respect to rows or down to
the bit-level. For example:
mem_inst.tmp_ram(2), mem_inst.tmp_ram(2)(0)
The default scope for specifying hierarchical path names is always the
top-level module/entity that Magellan automatically generates. When you
specify the reset sequence, use path names relative to this top-level
module/entity.
{\ocp_MCmd }
{\ocp_MCmd\ }
The * matches any sequence of characters and the ? matches any single
character. For example:
mg_force req_rdy.*fsm*.*.* 0
Magellan does not expand wildcards across instance boundaries. Also, note
that Tcl supports more powerful regular expressions using regsub and regexp.
You can use these in your Tcl-based reset file but not paired with
Magellan-specific reset commands (the regular expressions don’t expand
when used that way). However, you can use Tcl regsub and regexp
commands on the list of signal names returned by [mg_show *].
...
...
Because Tcl expression evaluation treats 'X' and 'Z' as strings, you must
handle these separately.
mg_run
Run Magellan for the specified number of edges of either the default clock
(see “mg_refclock” on page 239) or the specified clock. When you use this
command, the simulator stops at the end of the time step when the edge
happens. Any effects from forcing signals are visible in the next time step
(another mg_run command).
Syntax
mg_run number_of_cycles
[-clk clock_name]
[-rising | -falling | -both]
Arguments
number_of_cycles
Name of the clock on whose edges the run is executed. The clock_name
must refer to a clock previously defined in the project file. You cannot define
a clock in the Tcl-based reset file. The clock defaults to a single clock
defined with either add_env_port -clock or set_env_reset
-refClock in the project file. If there are multiple clocks defined in the
project file, specify the default clock using the mg_refclock command or
add it as an argument to the mg_run command.
[-rising | -falling | -both ]
Examples
Run Magellan for 4 cycles of the default clock (both edges):
mg_run 8
mg_refclock
Set the default clock to be used with mg_run commands unless overridden by
an explicit clock_name argument with an mg_run command. If there are
multiple clocks defined in the project file, use this command to specify the
default clock to use with mg_run commands. Note that you cannot use an
mg_force command to force a default clock specified in a Tcl-based reset file.
Syntax
mg_refclock clock_name
Arguments
clock_name
Specify the clock to use as the default clock with mg_run commands. The
clock must be a clock previously defined in the project file (add_env_port
-clock). The clock_name you specify cannot contain wildcards.
Examples
Set the default clock:
mg_refclock ocp_MAddr(0)
mg_force
Force a value onto one or more variables or signals. These forces override
any previous forces and any design drivers. Forced values must be
language-correct. For example, forcing a VHDL Boolean with value 0 is
incorrect; it must be forced to 'true'. Language-specific padding rules apply
if the width of the signal_name is different from the width of the
signal_value. When mg_force completes successfully, it lists the signal
name and the value forced at the output. You cannot use this command to
override the behavior of any clocks specified in the project file using
add_env_port -clock commands.
You can only specify literal values of the appropriate type for a given HDL
object. Integer, real number, enumeration, character, bit, 4-value logic, 9-value
logic, character string, bit vector, logic vector, and array literals are supported.
You can use VHDL or Verilog syntax for literals.
Note Signals that you force but don’t release in a Tcl-based reset sequence are
automatically released at the end of step (B) (see Figure 33 on page 222).
This means that design driver transactions propagate when (B) is over.
U X
W X
L 0
H 1
- X
X 1
Z 0
Syntax
mg_force signal_name signal_value [args]
Arguments
signal_name
Examples
Force all primary inputs (except clock) and outputs of blackboxed modules
to 0 bitwise:
mg_force * 0 -pi
mg_release
Release one or more signals previously forced with an mg_force command.
When mg_release completes successfully, it lists the signal name that was
released. When you release a signal that has an internal driver in the design,
that design driver regains control of the signal.
Syntax
mg_release signal_name signal_value [args]
Arguments
signal_name
Examples
Release all forced primary inputs:
mg_release * -pi
Release all forced signals starting with ocp_:
mg_release ocp_*
Release a hierarchical signal:
mg_release req_rdy.gen_vlg_fsm(2).fsm_vlg.CS
mg_get
Get the current value of the specified signal.
Syntax
mg_get signal_name [radix]
Arguments
signal_name
The name of the signal. This can be a hierarchical name. You cannot use
wildcards in the signal_name.
[radix]
Format specification for the returned value of the signal. Legal values
include:
-bin — binary
-dec — decimal
-oct — octal
-hex — hexadecimal
The default is decimal.
Examples
mg_show
Retrieve a list of design signals matching the specified signal_name and
filters. This command returns signal names in a Tcl list. The returned signal
names are relative to the top-level design module/entity.
Syntax
mg_show signal_name [args]
Arguments
signal_name
Examples
mg_time
Get the current simulation time. This command returns the current simulation
time as a string.
Syntax
mg_time
Example
mg_refclock clock
mg_force reset_n 1'b0
mg_run 20
mg_refclock ocp_clock
mg_force reset_n 1'b0
mg_run 20
mg_force reset_n 1'b1
mg_force ocp_MCmd 3'b101
mg_run 8
set index 0
puts "[mg_get ocp_clock]"
puts "[mg_get counter_inst.count]"
mg_force ocp_MCmd 3'b111
while {[mg_get counter_inst.count -dec] != 10} {
set index [expr $index +1]
}
puts "[mg_get counter_inst.count]"
puts "[mg_get ocp_clock]"
Figure 38 shows a single clock edge protocol for the ARM NWait register
configuration.
# Primary Reset
mg_refclock clk_gn
mg_force reset_n 0
mg_force scli_i 1 -pi
mg_force sdai_i 1 -pi
mg_force arm_a 16'b0011_0101_0001_1111 -pi
mg_force arm_do* 0 -pi
mg_force arm_mas 1 -pi
mg_force arm_nrw 1 -pi
mg_force arm_nmreq 0 -pi
mg_force sim 1 -pi
mg_run 15
mg_force reset_n 1
mg_run 6
# Register Programming
mg_force arm_a 16'b1111_0101_0000_1100 -pi
mg_run 1
mg_force arm_do 0x00000000 -pi
mg_run 1
while {[mg_get arm_nwait] != 1} {
mg_run 2
}
mg_force arm_a16 'b0011_0101_0001_1111 -pi
mg_run 1
1 Use Magellan to build your design. This initial build produces a design.map
file that is a required input to the PLI/VHPI routine in the next step. In your
system-level testbench, add a PLI/VHPI call at precisely the simulation time
at which you want to sample the design state. For example.
Verilog
initial begin
#49000;
$writeResetInjectFileHV("top.dma1.U3",
"/u/mg_design/test/mg_ses3/.temp/env/design.map",
"ResetDir");
end
VHDL
process begin
wait for 49000ns;
work.vhpiTasks.writeResetInjectFileHV("top:dma1:U3",
"/u/mg_design/test/mg_ses3/.temp/env/design.map",
"ResetDir");
wait;
end process;
2 In these examples, the design is deemed to be in the correct state for reset
at time 49000, and the path name to the design in the system-level context
is top.dma1.U3, as shown in the first argument. The second argument is
the full path to the design.map file produced in Step 1. The design.map file
identifies the state-holding registers that need to be extracted for reset.
Use the ResetDir in the third argument to this routine to specify the name
and location of the directory that will contain the output files you’ll use to
specify the Reset State for your design on your next run with Magellan.
3 If you have any memories in your design that are synthesized into
sequentials, you need to identify and extract them for reset. This is
analogous to the way the design.map file identifies state-holding registers.
Follow these steps:
Verilog
Locate the memInit.vh file in the mg_sessionName/.temp/env directory and
copy all of the $defineMemoryBlockHV calls. There is one memory block
call for each memory in your design. Paste these calls into your
system-level testbench right before the reset PLI routine. For example:
initial begin
#49000;
$defineMemoryBlockHV("mem_test.mem_inst.ram", 0);
$writeResetInjectFileHV("top.dma1.U3",
"/u/mg_design/test/mg_ses3/.temp/env/design.map",
"ResetDir");
end
Modify the path names of all the memory instances in these calls so that
they are full path names from the system-level design. You don’t need to
modify the second arguments to these memory block calls. They are just
numerals that increment for each memory block found in your design.
VHDL
Locate the memInit.inc file in the mg_sessionName/sim directory and copy
it to someplace where it won’t get overwritten. Include this file in the system
simulation run. The defineMemoryBlockHV calls are the ones that need to
be there for the system simulation. Modify the path names of all the
memory instances in these calls so that they are full path names from the
elaborated system-level design. Make the defineMemoryBlockHV calls by
including them in an existing VCS MX simulation include file. Or source the
modified memInit.inc file from the VCS MX command line.
When you invoke VCS MX, use the following -vhpi option to call the entry
point function that registers the defineMemoryBlockHV call as a new VCS
MX command:
-vhpi ctgSco:ketchumEntryPoint:ketchum
vhdlan \
$MG_HOME/auxx/ctg/sim/vhdl/include/CTG_vhdltasks.vhd
Include this in the file from which you call out the VHPI routine. For
example:
library IEEE, WORK;
use WORK.vhpiTasks.all;
Then add the new library to your load library path as follows:
% setenv LD_LIBRARY_PATH \
$MG_HOME/sparcOS5/ctg/lib:$LD_LIBRARY_PATH
5 Rerun your system-level simulation with the new PLI/VHPI routine in place.
6 Copy the ResetDir to someplace where it will not get overwritten. This
directory contains one ResetState.dat file for your design and one or more
ResetMemn.dat files, where n starts at 0 and increments for each memory
found in the design (for example, ResetMem2.dat).
7 Open the ResetState.dat file in a text editor and modify register bit values
as needed. If you captured reset information for memories in your design,
this reset file contains includes for those memories, as shown in Figure 39.
Modify the paths to any memory includes as needed.
S <DUT>
R out_sum[7:0] 00000111
R r_in_data[3:0] 1101
R r_addr[2:0] 001
R r_wr_en 0
M <DUT>.mem_inst.ram b ResetDir/ResetMem0.dat
The next time you run Magellan, it uses the Reset State specified in this file
to reset your design.
Magellan reports on X values in the Reset State with a message during the
build phase. It also logs the uninitialized registers in the xFile.init file located in
the mg_sessionName/user directory. If the sequential is a bit of memory,
Magellan writes the memory name into the file once rather than logging each
bit of the memory. Review the contents of the xFile.init to make sure that only
the elements you expected to be uninitialized show a logic X.
After each reset, Magellan randomly sets any Reset State X values to 0 or 1
individually for the simulation model. The formal model treats Reset State X
values as free variables (“don’t care”).
includes the simulation time for the original Reset State and the subsequent
Reset State. If you don’t consider these miscompares to be significant, you
can turn off reset state comparisons. Use the following command:
run_session sessionName -noCompareReset
If Magellan finds miscompares between the initial Reset State and any
subsequent Reset State, it issues a warning message and generates a
resetState.diff file (see Example 40). In this case, you can use the miscompare
information to figure out why your reset sequence didn’t work as expected.
The value of the port may not be constant in the reset task, but once the
Random Generation phase begins, Magellan holds the port to the constant
value.
To set a portion of a vector port to a constant value, specify the bits using an
add_env_port command. The other bits of the vector receive random values
during the Random Generation phase. The following example assigns a
constant to the 16 least significant bits of the vector port busB:
add_env_port envNname -name busB[15:0] -constant 16’h1FFF
Note When you set primary inputs to constant values using an add_env_port
-constant command, the RTL simulation model and the formal model both
build with the constant value you specify. During the Formal build, sequential
registers that are held at constant values may be pruned or optimized away if
there is no way they can change their state in the design.
When you use wildcards, you can also filter the list of matches by signal type
using the -type option, which takes the following values:
pi — primary inputs only. This is the default.
po — primary outputs only.
pio — primary inouts only.
sig — internal signals only.
var — internal VHDL variables only.
all — all the above.
You can use one or more of these options with the same command. The filter
options do not work if there are no wildcards in the signal name you specify
with add_env_port -name.
The following examples show how to specify multiple -type options with the
same command:
add_env_port MyEnv -name e* -type "pi po" -constant 0
These next examples show how to use wildcards to specify internal signal
values:
add_env_port MyEnv -name FIFO.gen_mem_*.memcore.* \
-constant 1 -type all
Note If you are setting internal signals to constant values, see also “Setting Internal
Signals to Constants” on page 257.
When you use wildcards with add_env_port -name, the following features
apply:
Magellan matches signal names based on language-specific
case-sensitivity rules.
If there is more than one add_env_port -name command entered for the
same signal, Magellan uses the last command entered.
implies:
mmr_address[5:0] tied to 6'b000001
If the specified range is less than the vector width, Magellan ignores the
left-most bits. For example:
If the design contains signal mmr_address[5:0]
add_env_port envName -name mmr_* \
-constant 10'b1111_1011_11
implies:
mmr_address[5:0] tied to 6'b1011_11
For MDAs, the syntax is mem[row][lindex:rindex]. For example, to
set the first row in the following Verilog memory:
reg [63:0] sp.sequence [0:15]
If the signal name you specify does not exist in the design or the specified
range is not present, Magellan issues an error message.
Note You cannot specify constants for VHDL records, enumerated types, or
user-defined types. Magellan expects the value specified with the
add_env_port -constant option to be an explicit number. SystemVerilog
structures and interfaces are also not supported.
translates to mmr_address[0]
and:
add_env_port envName -name mmr_address
translates to mmr_address[5:0]
translates to sp.sequence[7][63:0]
and:
add_env_port envName -name sp.sequence[7:9][20:0]
translates to sp.sequence[7][20:0]
translates to sp.sequence[8][20:0]
translates to sp.sequence[9][20:0]
and:
add_env_port envName -name sp.sequence[7:9][0]
translates to sp.sequence[7][0]
translates to sp.sequence[8][0]
translates to sp.sequence[9][0]
and:
add_env_port envName -name sp.sequence[7:8]
translates to sp.sequence[7][63:0]
translates to sp.sequence[8][63:0]
and:
add_env_port envName -name sp.sequence
translates to sp.sequence[0][63:0]
translates to sp.sequence[1][63:0]
...
translates to sp.sequence[15][63:0]
To unambiguously force an internal signal, you need to specify the point in the
design hierarchy closest to the signal driver. This kind of force in Magellan
works just like a force in VCS; it affects only downstream portions of the
design logic. Figure 41 shows a design diagram to illustrate how this works.
In Figure 41, if we assume that the rst signal is in instances A,B,C,D, and E,
Table 8 explains how the forces work.
A
B
E
D C
rst
To set a portion of an internal vector to a constant value, specify the bits using
an add_env_port command. The following example assigns a constant to
the 16 least significant bits of internal design signal des.busB.
For example, let’s assume the design has three levels of hierarchy and d_top
is the top level of the design. It contains a signal named rstInt that you want
module d_top(..);
wire rstInt;
...
misc d_misc(...);
endmodule
module misc(...);
...
myflop _rst(.d(rstIn), .clk(clk), .q(rstOut) ...
endmodule
For the design shown in Example 52, you can use the following commands in
the Environment module of your project file to force the rstInt signal as close
as possible to the signal driver:
add_env_port envName -name d_top.d_misc._rst.q -reset 1
add_env_port envName -name d_top.d_misc._rst.q -constant 0
Instead of:
Example 53: Making Constraint Model Input Signals Receive Random Values
Note Constraints are not used during the Reset phase. The Reset phase is entirely
user-directed, and does not use random stimulus.
Generator-style Constraints
Generator-style constraints accept random inputs and design outputs and
generate legal inputs to the design. Generator-style constraints must be
written in synthesizable RTL.
Assertion-style Constraints
An assertion-style constraint is a logical assertion about the correctness of the
input stimulus—a piece of verification code that monitors the inputs to the
design for compliance with a property. The checker signals a warning if the
inputs violate the assertion. Assertion-style constraints must be written in
synthesizable SVA, PSL, OVA, or RTL.
Note You can reuse property checkers written to check for correct outputs on one
block in a large design as constraints for adjacent blocks where the same
signals are inputs.
With over-constrained inputs, some legal input sequences are not applied to
the design, as shown in Figure 42. In this situation it is possible to miss
defects that would have been detected with a full set of legal inputs. It is also
possible that a property proven with this environment will not be proven with a
Illegal
Inputs
Legal Over-constrained
Inputs Inputs
Illegal
Inputs
Legal Under-constrained
Inputs Inputs
Illegal
inputs
Over- and
Legal Under-constrained
inputs Inputs
Connecting Constraints
Most inputs to the constraint model are randomly generated input signals from
Magellan. Constraint model output ports automatically connect to the design’s
input ports if their names are the same.
For Magellan to automatically connect signals, the signal names must match
exactly. For example, signal a on the constraint connects automatically to
signal a on the design, and signal a[0:0] on the constraint connects to
signal a[0:0] on the design. However, Magellan does not connect signal a
on the constraint to signal a[0:0] on the design, and signal a[0:1] does not
connect to a[1:0].
If you are reusing a constraint model whose port names don’t match the
design’s port names, you have two options:
Change the constraint port names to match the design’s port names.
Use cross-module references (XMRs) to tie the constraint to the design
(see “Using Cross-Module References” on page 271).
assign A = rand_A;
assign B = (A) ? 1’b0 : rand_B;
endmodule
For information on specifying design files for Magellan, see “Describing the
Design” on page 163.
1 Add the constraint file to the Design module along with your design files. In
this example, mux.v is the design we are checking and
simple_constraint.v contains the constraint. For example:
### Design module ###
define_design des -topModule mux
set_design_info -vcs { simple_constraint.v mux.v }
4 Create a Session module that references the Environment module and the
Property module. In this example, we also create a Coverage module for a
signal in the design so that Magellan has something to check, and specify
that in the Session module as well. For example:
### Session module ###
define_session session_1 -env env1
add_session_info session_1 -property { prop1}
add_session_info session_1 -coverage { cov1 }
Example 57 shows a completed example project file for adding the Verilog
assertion-style constraint shown in Example 56 on page 265.
library IEEE;
use IEEE.std_logic_1164.all;
use IEEE.std_logic_unsigned.all;
entity simpleConstraint is
port (
A : in std_logic;
B : in std_logic;
fail: out std_logic);
end simpleConstraint;
1 Add the constraint file to the Design module along with your design files. In
this example, mutex.vhd is the design we are checking and
assert_constraint.vhdl contains the constraint. For example:
### Design module ###
define_design my_design -topModule mutex
add_design_info -vhdlan { assert_constraint.vhdl
mutex.vhd }
names in the constraint model to the design if the port names don’t match
using an add_env_connect command (see “Connecting Constraints” on
page 263). For example:
### Environment module ###
define_env env1 -timeUnits 1ns
add_env_block env1 -name simpleConstraint \
-instance Constr0
add_env_connect env1 -connect {
mutex.a Constr0.A
mutex.b Constr0.B
}
4 Create a Session module that references the Environment module and the
Property module. In this example, we also create a property for an RTL
signal in the design so that Magellan has something to check, and specify
that in the Session module as well. For example:
### Session module ###
define_session s1 -env env1
add_session_info s1 -property {c1 p1}
Example 59 shows a completed example project file for adding the VHDL
assertion-style constraint shown in Example 58 on page 268.
define_property p1
add_property_info p1 -signals { mutex.fail 1 }
You can also use XMRs to connect design signals to OVAs using bind
expressions. You cannot connect them directly because Verilog XMRs are not
synthesizable. For information on binding OVAs to your design, see “Writing
and Binding OVAs to Designs in Magellan” on page 329.
constraint model instance u1 to a series of input ports on the cpu, where cpu
is the module name of the design under test.
define_env env_1
add_env_connect env_1 -connect {
u1.portK cpu.sigB
u1.portL cpu.sigC
u1.portM cpu.sigD
}
XMRs are not synthesizable, so you cannot use them directly within the
constraint model. Instead, create a port on the constraint model and connect it
to the top level of the design using an XMR in the project file.
XMRs are unidirectional. The internal design signal drives the input port on the
constraint model. For example, in Example 61, the designZ.modA.sigB
signal drives the constraint model’s portK input port on the driver0
instance. The signal path for sigB starts with the top-level module name and
descends through the instance path until you reach the signal.
You can drive this internal signal from an environment constraint block, as
shown in Example 62.
Note In this case, the right-side signal of the connect statement must be an output
port of an instance in the environment.
If Magellan reports dead-end states, replay the simulation and pay close
attention to the output signals of the constraint properties (see “Avoiding
Dead-End States” on page 292).
The mismatch between the models can be caused by an error in the design or
the initial state of the design. One common cause is unknown (X) values
propagating from the design into a constraint assertion. If you get this
message, try running your session with the -compareAlways switch to
check for mismatches:
mgsh (alive ...)> run_session -compareAlways
Correct the source of the mismatch and then try your run again. For more
information, see “Diagnosing Mismatches” on page 465.
Constraint Examples
The constraints you need depend on your design. This section shows a variety
of common generator- and assertion-style constraints you can copy and
modify for your design.
Example 64 shows the constraint from Example 63, but written in SVA instead
of Verilog RTL.
library IEEE;
use IEEE.std_logic_1164.all;
use IEEE.std_logic_unsigned.all;
entity simpleConstraint is
port (rand_A : in std_logic;
rand_B: in std_logic;
A : out std_logic;
B : out std_logic);
end simpleConstraint;
library IEEE;
use IEEE.std_logic_1164.all;
use IEEE.std_logic_unsigned.all;
entity simpleConstraint is
port (
A : in std_logic;
B : in std_logic;
fail : out std_logic);
end simpleConstraint;
Example 68 shows the constraint from Example 67, but in SVA instead of
Verilog.
Handshaking
Example 69 shows a handshake constraint that asserts the data_valid
signal until the design acknowledges the data. This type of constraint requires
a simple state machine to hold the data constant until the input is
acknowledged.
reg data_valid;
reg [7:0] data;
reg state; // Two state machine
Packet Generator
Example 71 shows a packet generator model. This state machine generates a
random length sequence of bytes with sop (start of packet) and eop (end of
packet) signals. The packet length is between 8 and 255 bytes.
library IEEE;
use IEEE.std_logic_1164.all;
use IEEE.std_logic_unsigned.all;
entity myConstraint is
port ( clk:in std_logic; reset:in std_logic;
rand_data:in std_logic_vector(7 downto 0);
rand_gap:in std_logic;
sop:out std_logic; eop:out std_logic;
data:out std_logic_vector(7 downto 0) );
constant state0 : std_logic := ‘0’;
constant state1 : std_logic := ‘1’;
end entity;
begin
initial_count <= rand_data when (rand_data > 8)
else “00001000”;
Example 72 shows the constraint from Example 71, but in SVA instead of
VHDL.
logic[7:0] counter;
always @(posedge clk)
counter <= reset? 0 : (sop==1 ? (data-1) : (counter!=0 ?
(counter-1) : 0));
When Magellan generates random inputs, in any one cycle there is a 50%
probability of the signal being high and a 50% probability of the signal being
low. For example, if a restart input on a design is not biased, there is a 50%
chance of it being asserted in any one cycle. If a desired behavior only triggers
when there are at least 100 cycles between restart assertions, there is an
extremely low probability of that occurring if the restart signal is not biased.
When the restart signal is biased so that it only has a tenth of a percent
(0.1%) probability of being asserted, then the desired behavior has a much
better chance of triggering during the simulation run.
0 000
0 001
0 010
0 011
0 100
0 101
0 110
0 111
1 101
So, out of every 100 cycles, the valid signal is active 11 times.
If we extrapolate this example to a larger data bus (200 bits wide), the
distribution of states where valid is active becomes:
(1/((2**200)+1))*100 %
which is much less. In this case it can appear that the constraint solver is
taking the easy route by keeping valid inactive, but it is actually honoring
the constraints on that signal.
To improve the probability of valid being active, you can bias the signal
so that the probability of valid being active is high (for example, use Vera
biasing to make valid active approximately 80% of the time).
constraint bias_ports {
cktA_write_counter_reset dist {0 := 999, 1 := 1};
cktA_read_counter_reset dist {0 := 90, 1 := 10};
cktA_pixel_read dist {0:18 :/ 35, 19:255 :/ 65};
}
For more information on the dist command, see the Vera User Guide.
All possible values of each signal must have a non-zero probability. If an input
must never have a particular value, write a synthesizable constraint model to
restrict its value.
To include the bias file in the project, add the following command to the
Environment module:
add_env_inline envName -bias -format vera -file bias.vr
To specify different solve order files for separate interfaces (for example), use
multiple solve order files. For example:
The file format for order_file_name is one or more entries of the following
form:
You can specify a solve order for a bus in the natural way. For example:
solve sbs6_state_vld[7:0] before sbs7_state_vld[7:0];
Example 1 (Basic)
With this example, the constraint solver assigns values to i1 and i2, and then
to j1, j2, k1, and k2. This is because the SystemVerilog 3.1a LRM says that
variables not explicitly ordered are solved together with the last ordered
variables.
Example 2 (Loop)
This is illegal in SystemVerilog 3.1a. When Magellan detects loops like this it
generates an error message followed by multiple information messages that
list the signals in the loop.
Example 3 (Splitting)
With this example, the constraint solver first solves for i1 and j1, then solves
for k1 and the rest. This is the same as:
Example 4 (Transitivity)
Design Defects
If the design contains defects that affect the behavior of outputs that connect
to the constraints, dead-end states may appear when the design behavior
diverges from normal operation.
In this example, the a1 assertion runs into a dead-end state because it is not
controlled by a primary input. Example 75 shows the corrected constraint.
In Example 76, when X is asserted, Y is asserted two cycles later. Two more
cycles later, Z is overconstrained, causing a dead-end state. Clearly, Y should
not be asserted two cycles after X is asserted. Magellan generates debug
messages to alert you to conditions like this. You can prevent dead-end states
of this kind by adding the missing constraint, as shown in Example 77.
Simulation/Synthesis Mismatches
Dead-end states can be caused by simulation/synthesis mismatches (see
“Detecting Simulation/Synthesis Mismatches” on page 457). For example, if
you use:
where sigA is an asynchronous signal (that is, neither the flip-flop nor reset
signal is defined in the Magellan project file), you encounter dead-end states
because of the resulting simulation/synthesis mismatch.
If an X value propagates to the output of an assertion, you may also see “BAD
value(X)” warning messages. BAD value(1) and BAD value(0) warning
messages are also indications of simulation/synthesis mismatch problems.To
solve this problem, debug the error and remove the Xs.
Note You can use Magellan’s compile-time linting and runtime debug messages to
help diagnose and fix problems with constraints that can lead to incorrect
verification results.
Compile-Time Linting
Magellan generates compile-time linting messages that identify constraints
prone to dead-end states. For example:
Warning: Deadend state possible because constraint xyz
is not always controlled by DUT inputs. (HVB-430)
Information: (HVSI-406)
Constraint contributing to deadead: cu3232af.TC2.TP03
Information: (HVSI-407)
Overconstrained input: cu3232af_devsel_in_n
Note Dead-end state debug messages only examine the dead-end state itself. This
means that debug messages may not refer to the constraints that contributed
to the dead-end state in earlier cycles.
Dead-end state avoidance can be useful, but it is off by default because it also
has the potential to mask unresolved problems with your constraints that
would otherwise be reported by the compile-time linting or runtime messages.
With this command, Magellan searches the entire state space of the
constraints for conflicts that would cause dead-end states, and generates the
additional constraints needed to avoid them. This mode is thorough, but can
also be expensive in terms of wall clock time and memory consumption. You
can limit the number of states that Magellan examines using the following
command:
set_session_info sessionName -lookahead n
where n equals the maximum number of cycles that Magellan examines while
searching for dead-end state conditions. Use this command only after
dead-end-state avoidance has been enabled; otherwise you get an error. This
command should only be used when runtime without it is not acceptable. If
your temporal assertions are bounded to a certain number of clock cycles by
definition, you can safely set the -lookahead limit to an integer just beyond
that cycle boundary. However, if you have cascading assertions that depend
on one another, you need to add the cycle delays in all the related assertions
to develop a -lookahead limit that is effective. Otherwise, there is no
guarantee that dead-end states will be avoided in the entire state space of the
design when you limit the lookahead.
In this situation, the circuit never leaves the Reset State because the
constraints cannot be solved, and you are guaranteed to encounter dead-ends
during random simulation. To obtain meaningful results from Magellan you
must first debug your constraints (see “Avoiding Dead-End States” on
page 292 and “Causes of Dead-End States” on page 288).
Note If Magellan hits a resource limit during the analysis, dead-end state avoidance
is aborted and no partial information is saved.
The error message in Example 78 shows the simulation time when Magellan
encountered a dead-end state (12426). The information messages that follow
show the two assertion-based constraints contributing to the dead-end and the
input signal where there was a problem.
Debugging Constraints
You can use a view_session_results -deadend command to analyze
dead-ends in the debugger. For the -deadend option, specify the simulation
time shown in the error message (see Example 78). DVE is the default
debugger. If you want to use Debussy or Verdi instead, see “Setting a Default
Debugger” on page 445.
Determine the root cause of the dead-end and modify the design code or
constraint before trying your run again. For example, the following command
brings up the debugger on the dead-end shown in Example 78.
mgsh(running...)> view_session_results -deadend 12426
When the waveform viewer comes up, look in the viewer for red arrows
that show where constraints failed (see Figure 45).
In This Chapter
Understanding Properties and Property Checkers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Choosing Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Using SVAs with Verilog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Using SVAs with VHDL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Using OVA Checkers and Constraints (Verilog only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Using Property Specification Language (PSL) Assertions . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Using OVL Checkers and Constraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Using Verilog and VHDL Checkers and Constraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Specifying Which Assertions are Checked . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Debugging Property Checkers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
While looking for proofs, Magellan may also discover property violations.
Magellan generates a sequence of stimulus vectors that drives the design
from the Reset State to a state where the checker signaled a violation of the
property. The stimulus may not be the only sequence that violates the
property, and it may not be the shortest sequence. The stimulus enables you
to use standard RTL debugging techniques in the simulator. When debugging
violations, remember that property violations can be caused by errors in the
checker or the constraints, as well as by defects in the design.
There are cases where Magellan finds neither a proof nor a violation for a
particular property. This is generally a result of capacity limitations in the
formal analysis engines. Even when this occurs, the effort to write property
checkers and properly constrain the design’s inputs still provides value. If you
select the checker inputs as a coverage goal and generate stimulus that
thoroughly exercises those signals, you can be reasonably confident that the
property is true even though you could not find a proof. See “Testing RTL
Signal Coverage” on page 379.
With random value testing, you also want to know how many times various
actions occurred. In a PCI burst test, how many times did an abnormal
termination occur? How many times were each of several states active? Was
every type of control packet received while the buffer was full? Assertions
provide a concise declarative method to describe sequences of events, or
properties, such as these and test for their occurrence. You can write
assertions that range from very simple to extremely complex logical and
conditional combinations. You can also specify precise timing or a range of
acceptable times for sequences of events.
Note For many designs that can retain state indefinitely, a bounded proof has
limited value. It does not guarantee that there is no error the way an
unbounded proof does.
You can use bounded proof results as one progress indicator for bug hunting,
but not for finding formal proofs. That’s because bounded proofs apply only to
the initial state of the design. If Magellan reports that it has reached a bounded
proof of 100 cycles, that does not mean that the formal engines cannot search
more deeply into the design state space. Magellan’s dynamic-formal
technology runs formal searches from deep states many thousands of cycles
away from the Reset State. These searches are often the key to finding
difficult, corner-case bugs, but Magellan cannot report bounded proof results
from these deep-state searches. So in many cases, bounded proof results
stop increasing long before the tool reports a final proof or falsification. A
much better progress indicator for formal proofs is state coverage measured
on signals at or near the inputs to the property checker. For more information,
see “Coverage Testing Overview” on page 380.
Choosing Properties
Choosing the properties you want to prove is important. The chance of
success for proving or disproving a property is partly driven by how you define
the property.
Properties that clearly describe measurable states in the design are more
likely to result in proofs or violations. Properties that are general statements of
correctness are more difficult to prove.
Here are a few examples of design elements that often result in provable
property definitions:
Bus protocol
FIFO overflow
One-hot bus
Case statement
Illegal state detection
Here are some examples of properties that are more difficult to prove:
Global correctness of a large circuit
Large arithmetic data paths, such as a multiplier or an encryption circuit
Long duration properties, such as “The Req signal is followed by an Ack
signal within 10,000 cycles”
Note SVA immediate assertions in procedural always blocks may trigger in the
simulator at any time during an evaluation cycle, but Magellan’s cycle-based
fail state sampling for all types of assertions occurs only once per timestep.
This can result in immediate assertions that fail in the simulator but get proven
in the Magellan formal model. Glitches like this can also result in
simulation/synthesis mismatches (see “Detecting Simulation/Synthesis
Mismatches” on page 457).
For SVAs with local variables, the RTL translation process begins with checks
for global limitations:
If any of the global limitations are not met, Magellan generates an error
message, and stops processing. The error message explains the limitation,
as shown in the following example:
Error: unsupported assignment to local variable 'i' in
negated automaton
Note An automaton is a finite state machine created by the assertion compiler and
used in the formal proof search process. When you see an error message
about a degenerate or negated automaton, you must modify the assertion in
order to use it with Magellan. Note that a degenerate automaton is a finite
state machine with only one state.
When you see warning messages like this, consider modifying the
assertion so that a more efficient formal model can be generated. For
example, given the warning message above, if you can modify the
assertion so that the expression is bit-separable, Magellan creates a more
efficient formal model.
Global Limitations
SVAs with local variables that violate any of the following global limitations
cause Magellan to generate an error message and stop processing. If any
assertion in a Magellan session causes a violation based on these limitations,
the tool stops building and does not generate any RTL.
No local variable assignments in the consequent of an implication.
property p1; //Not supported (assignment in consequent)
logic [2:0] x;
@(posedge clk)
endproperty
logic x;
@(posedge clk)
endproperty
Simplest Translation
If all of the general restrictions are met, Magellan first tries its simplest
translation scheme; this generally creates the most efficient RTL
representation. For this to work, there must be a bounded depth between the
local variable assignment and the reference.
property p4; // OK
logic [127:0] x;
endproperty
logic [2:0] x;
@(posedge clk)
endproperty
Note Magellan could have translated the p5 assertion with the Simplest Translation
technique if it were not for the loop (the sequential depth of the property
cannot be known at compile time).
logic [2:0] x;
endproperty
Note Property p5a cannot be translated with this technique because of the
non-separable operation (^x == parity). However, this property is
supported using the Most Complex Translation technique.
reports an error and stops. The following coding styles cause this final
translation attempt to fail.
No local variable vectors wider than 10 bits.
property p6; // Not supported (too many values)
logic [127:0] x;
@(posedge clk)
endproperty
Note If you can convert the loop in p6 into a bounded range, Magellan can translate
this assertion using the Simplest Translation technique. If that isn’t possible,
but you can rewrite the compare so that it is separable, Magellan can translate
this assertion using the Moderately Complex Translation technique. There is
no limitation on the bit width of local variable vectors with either of these
techniques.
logic [2:0] x;
@(posedge clk)
(start, x = 0) ##1
endproperty
int v_count;
@ (posedge clk)
endproperty
Note Magellan supports use of the sv_pragma compiler directive inside comments
for assertions only. You cannot put any code that needs to be synthesized
inside such comments, including assignments used by your assertions,
because it is not part of the formal model build. You can use binds for such
code instead (see “Bind the SVA” on page 318).
If you write your own assertions that are not formal-compatible and use them
in Magellan, you need to wrap them inside SVA_CHECKER_FORMAL
compiler directives (see Figure 79). Magellan automatically sets the
SVA_CHECKER_FORMAL compiler directive when it processes assertions.
Put only assertion sequences inside the else block. Variable declarations and
other logic used within the assertions must be outside of the else block.
`ifdef SVA_CHECKER_FORMAL
`else
`endif /* SVA_CHECKER_FORMAL*/
endproperty
When you use the -svaIsUnk0 switch, Magellan sets the return value of
the $isunknown system function to 0 in the formal model, where
unknowns don’t exist.
If you use the past operator, add a delay (##n) to avoid referencing
uninitialized values (X) of the past operator. For example:
property keep_stable;
##2(data==$past(data,2));
endproperty
Note $fell(A) is equivalent to $past(A) && ~A, so all the cautions about using past
values for either checks or constraints apply.
Do not try to verify behavior during the reset sequence. The Magellan
formal proof engines do not start until after the reset sequence completes.
For example, do not use reset ##1 !reset in the antecedent of
implication operators as follows:
a1 : assert property(@(posedge clk) reset ##1 !reset
|-> (a==8'd30));
Because the formal proof engines start after the reset sequence, Magellan
does not see the reset ##1 !reset, and the result is a vacuous proof.
However you can use the following code to detect the end of the reset
sequence:
a2 : assert property(@(posedge clk) $past(reset) &&
!reset |-> (a==8'd30));
When reset deasserts, $past(reset) still remembers the reset value 1;
now the formal proof engines can see $past(reset) && !reset.
endproperty
rst
clk rdy
start Design dout
req
din
To solve this problem, break the assertion into two separate assertions:
one for the req input to use as a constraint and one for the rdy output to
use as a checker:
// Constraint for req input
property p1;
endproperty
property p2;
endproperty
a1: assert property(p1);
a2: assert property(p2);
@(posedge clk)
endproperty
The problem here is that this assertion tries to constrain the values already
generated in the past; this causes dead-end states in Magellan. To solve
this problem, use primary inputs in constraint assertions so that the primary
inputs can be controlled in order to satisfy the conditions of the assertion.
Avoid using a large delay and repetition range:
property prop;
endproperty
else begin
end
assert_implication end_bit
(uart_clk,1'b1,v_bit_count==160,uart_XMIT_dataH);
module bindings;
endmodule
prop_2xmits:
Note The assert_driven assertion from the SVA standard assertion library is not
compatible with formal analysis. Also, assert_never,
assert_no_contention, assert_one_hot, assert_one_cold, and
assert_zero_one_hot contain both formal-compatible assertions and
non-formal-compatible assertions. Magellan ignores the
non-formal-compatible assertions.
4 To filter out error messages from checkers in the SVA library that fail in the
simulator during a Magellan run, add the SVA_CHECKER_NO_MESSAGE
compiler directive to your VCS command line in the Magellan project file
(see Example 83).
You only need to use the add_env_info -svaCompOpts line in your project
file if you have compiler options specific to the SVA compiler that you don’t
want Magellan to pass to VCS or the Formal build.
If you use different file name extensions for Verilog 95, Verilog 2001, and
SystemVerilog source files, you can also:
use the VCS +systemverilogext+ext option to specify the file name
extension (ext) for SystemVerilog source files. If you use the
+systemverilogext+ext option to enable compilation of SystemVerilog
files that do not use the .sv extension, you need to add another option
(+systemverilogext+.sv) to enable compilation of internal files used
The rest of the project file syntax for using SVA assertions is in the Property
module, and works similarly for SVAs and OVAs. You add SVA assertions to
the project data using the add_property_info -scope command in the
Property module. You can select SVA assertions (single or multiple) by name,
and specify whether to use them as checkers or constraints (see “Specifying
Which Assertions are Checked” on page 360 and “Specifying Assertions as
Checkers or Constraints” on page 360).
You can then optionally filter this initial set of asserts/assumes using an
add_property_info -type command. For example, if you want to only
target the SVAs in your environment that use the assert keyword and use
them as checkers, the Property module in your project file would look like
Example 84.
If you want to only target the SVAs in your environment that use the assume
keyword and use them as constraints, your project file would look like
Example 85.
Note For information on writing SVAs for VHDL and mixed-language designs, see
the VCS MX/VCS MXi User Guide, version 2006.06 and up
($VCS_HOME/doc/UserGuide/vcsmx_ug.pdf).
For details on current limitations and unsupported SVA constructs, see the
VCS MX/VCS MXi Release Notes, version 2006.06 and up
($VCS_HOME/doc/VCSMXReleaseNotes.pdf).
In addition, when using SVAs with VHDL and mixed-language designs, you
cannot use local variables in the SVAs.
library IEEE;
use IEEE.std_logic_1164.all;
use IEEE.std_logic_unsigned.all;
use IEEE.std_logic_arith.all;
entity check_counter is
generic (width : integer := 16);
port (resetn : in std_logic;
clk : in std_logic;
count_end : in std_logic;
count_start : in std_logic;
count_active : in std_logic;
request_in : in std_logic;
accum : in std_logic_vector(width - 1 downto 0));
end entity;
architecture checker of check_counter is
signal precounter : std_logic_vector(width - 1 downto 0);
begin
P1 : process
begin
wait until (clk'event and clk = '1');
if (resetn = '0') then
precounter <= (others => '0');
else
if (count_start = '1') then
precounter <= (others => '0');
else
if (count_active = '1') then
precounter <= precounter + 1;
else
if (count_end = '1') then
precounter <= accum;
end if;
end if;
end if;
end if;
end process;
end architecture;
In Example 88, the VHDL entity for the bind is MY_VHDL and the module in the
SystemVerilog file that contains the SVAs is RTL_SVA..
As with other VHDL designs in Magellan, you specify the top-level entity with
the define_design -topModule command (see Example 89). However,
with this flow, Magellan automatically determines the language, so you don’t
specify the format with the define_project command as you do with other
project files.
Note Before you start testing OVA assertions with Magellan, use the
-ova_lint_magellan switch with VCS to check your OVA assertions for
compatibility with Magellan’s formal analysis.
For detailed information on writing and binding OpenVera Assertions, see the
OpenVera Language Reference Manual: Assertions (in the
$VCS_HOME/doc/UserGuide directory).
unit ref_req_ctl (
logic clk,
logic rst_n,
logic auto_refresh_en,
logic ref_req);
endunit
To add assertions that are compatible with Magellan’s formal and dynamic
formal analysis, avoid the OVA constructs shown in Table 9.
SimTime Clock The OVA compiler requires assert a1: check (e1);
that all events be clocked event e1: e2 #2 e3;
by a signal in the design. assert a2: forbid(e4 #5 e5);
Simulation-time clocking is
not supported.
Posedge and The OVA compiler does not assert a1: check (e1);
Negedge recognize transitions to or clock posedge clk {
Semantics from an X state when event e1: req #[3..5] ack;
}
evaluating posedge and
negedge operators.
‘ifdef SNPS_OVA_FORMAL
‘else
‘endif
endunit
To use OVAs from the standard unit library, create a separate OVA file that
contains your OVA bind statements and point to this .ova file using an
add_env_block command in the Environment module of your project file
(see Example 92).
Note For information on OVA bind syntax, see the OpenVera Language Reference
Manual: Assertions ($VCS_HOME/doc/UserGuide/ova_lrm.pdf).
Example 92 shows a complete project file for using OVAs from the standard
unit library.
Example 92: Project File for Using OVAs from Standard Unit Library
With this project file, you need a separate OVA file named assert.ova that
contains the bind to the OVA unit in the standard checker library that you want
to use (see Example 93). This example uses the assert_range unit.
There are two commands that you use in your project file to control processing
of OVAs (see Example 94):
Add external OVA files to your project using an add_env_block
command. You don’t need to add this command if you are only using
assertions from the OVA standard assertion library, because Magellan
finds them automatically.
Enable inline and external OVA checking using a define_env -ova
command.
The rest of the project file syntax for using OVA assertions is in the Property
module, and works the same way for inline and external OVAs. You select
OVA assertions for checking using an add_property_info command in the
Property module. You can select OVA assertions for checking (single or
multiple) by name (see “Assertion Naming in Magellan” on page 361).
To use OVA include files, add the +incdir option to the VCS or command
line you specify in the Design module of your project file:
Example 96: Project File Snippet for Selecting OVA Assertions in Template
Instances
Or, to test all assertions in the mg_ova_mutex unit, use the following
command in the Property module of your project file:
add_property_info prop_t0 -ovaPath {mg_ova_mutex.*}
module myModuleName(<port_list_here>)
endmodule
The ova and bind keywords that you see in this example must be present for
Magellan to recognize and include the inlined OVA assertion.
Note OVA binds work in Magellan the same as they do in VCS. For information on
writing and binding OVA assertions, see the OpenVera Language Reference
Manual: Assertions located in the $VCS_HOME/doc/UserGuide directory.
To enable inline OVA checking, add the -ova switch to your define_env
command in the Environment module of your project file. Although you cannot
bind inline OVAs to specific instances of the module in which they appear, you
can use the add_property_info -scope or -ovaPath commands to
select where the inlined OVAs are checked by Magellan.
Note that the inline approach has the advantage of being self-documenting,
but is not as portable as keeping binds or assertions in separate .ova files.
Then you need to add the -ova_exp_param switch to the VCS command
line you specify in the Design module of your project file:
set_design_info -vcs {other_vcs_command_line_options
-ova_exp_param}
Note When you use the -ova_exp_param switch, you must keep the OVA
instantiation all on one line in your file. You cannot break the instantiation
across multiple lines in a multi-line comment.
To test whether the -ova_exp_param switch is necessary, you can build the
design in Magellan first without the switch. If you get an error similar to the
following example, add the switch and rebuild the design:
Error: ova compile, ova-00701
/d/tests/BUILD/5754/miss_oh.v:[1035]:
An error has occurred while compiling assertions.
Unit parameter value expected to be constant integer.
Magellan supports PSL vunits and inline PSL assertions in Verilog and VHDL
designs. See:
“Using PSL Assertions with Verilog” on page 342
“Using PSL Assertions with VHDL” on page 345
If you write your own assertions that are not formal-compatible and use them
in Magellan, you need to wrap them inside SVA_CHECKER_FORMAL
compiler directives (see Example 98). Magellan automatically sets the
SVA_CHECKER_FORMAL compiler directive when it processes assertions.
Put only assertion sequences inside the else block. Variable declarations and
other logic used within the assertions must be outside of the else block.
`ifdef SVA_CHECKER_FORMAL
`else
`endif /* SVA_CHECKER_FORMAL*/
If you use PSL compiler options that you want to pass to the assertion
compiler but do not to the simulator build, specify those options using an
add_env_info -svaCompOpts command in the Environment module in
your project file.
Note You can use SVA options and features with your PSL. All compile-time and
runtime options for SVA do comparable things for PSL.
endmodule
library IEEE;
use IEEE.std_logic_1164.all;
use IEEE.std_logic_unsigned.all;
use IEEE.std_logic_arith.all;
entity check_counter is
generic (width : integer := 16);
port (resetn : in std_logic;
clk : in std_logic;
count_end : in std_logic;
count_start : in std_logic;
count_active : in std_logic;
request_in : in std_logic;
accum : in std_logic_vector(width - 1 downto 0));
end entity;
vunit VU1(ENT){
default clock is rising_edge(clk);
property inchk_1 is always( internalFail.f1 = '0' );
pslchk_inline_1: assert inchk_1;
}
vunit VU2(ENT){
default clock is rising_edge(clk);
property inchk_2 is always( internalFail.f1 = '1' );
pslchk_inline_2: assert inchk_2;
}
http://www.accellera.org/activities/ovl
To use the OVL v2.1 SVAs with Magellan, define the following macros in the
VCS command line you specify with the set_design_info -vcs command
in the Design module of your Magellan project file (see Example 105).
OVL_SYNTHESIS
OVL_SVA
OVL_GATING_OFF
OVL_ASSERT_ON
OVL_XCHECK_OFF
If you want to activate coverage assertions in these libraries, you also must
define the OVL_COVER_ON and OVL_COVERGROUP_OFF macros.
1 Instantiate, bind, or inline OVL v2.1 SVA assertions in your design just like
any other SVAs. Be sure to use the Magellan-compatible OVL SVA
assertion files located in the $MG_HOME/ovl-sva directory.
4 In the Property module of your Magellan project file, you can use the
add_property_info -scope command’s wildcarding feature to pick up
all assertions that match a simple pattern. For more information, see “Using
Wildcards to Activate OVLs” on page 353.
Note Magellan does not support using the ovl_memory_async and ovl_valid_id
libraries in the OVL v2.1 SVA library as constraints.
1 Instantiate OVL assertions in your design just like any other design
modules. Be sure to use the Magellan-compatible OVL assertion files
located in the $MG_HOME/ovl directory.
1 Instantiate OVL assertions in your design just like any other design
entities/architectures. Be sure to use the Magellan-compatible OVL
assertion files located in the $MG_HOME/ovl-vhdl directory.
Note In addition to the wildcard (*), you can also use the question mark (?) to
match a single occurrence of any character. These are the only pattern
matches that are supported with the add_property_info -scope
command for OVL Property modules.
Note You can reuse property checkers written to check for correct outputs on one
block in a large design as constraints for adjacent blocks where the same
signals are inputs (see “Constraining Input Signals” on page 260).
If you want to override default values for parameters in your Verilog code or
generics in your VHDL code, use an add_env_block -parameters
command (see Example 58 on page 268).
For VHDL checkers, keep them external to the design so that they are not
synthesized as part of the final circuit implementation (see “Adding External
Checkers to the Project File” on page 357).
For Verilog checkers, consider whether you want to instantiate them directly in
the design or keep them external to the design and connect them using the
Magellan project file. Table 10 describes the tradeoffs between these two
alternatives.
When checkers are in the design ... When checkers are external to the design ...
Connections between the design and the Each checker input is connected with a
checker are obvious. hardcoded path in the project file.
The design is modified and you need to make The design is not modified.
sure that checkers are not included in the
design implementation.
Changes to the checker require the entire Changes to the checker do not require the
design to be rebuilt by Magellan. design to be rebuilt, thus reducing the build
time.
You can easily instantiate the checker Each time you reuse the checker, you must
multiple times throughout the design. add the connections for each input in the
project file.
The project file requires only a few lines for The project file may require many lines for
each Property module. each Property module.
‘ifdef MAGELLAN
mutex chk0 (.a (i_xfer), .b (o_xfer), .fail ());
‘endif
Use the ‘ifdef MAGELLAN compiler directive to exclude the checker from
later being synthesized along with your design after it has been completely
verified. Define the +define+MAGELLAN macro in the command line you
pass to VCS with the set_design_info -vcs command in the Magellan
project file. Do not use the // synopsys translate_off directive to
exclude the checker code from synthesis. Magellan ignores the code wrapped
in this directive.
You can use Verilog cross-module references (XMRs) in your checker module
instantiations to read signal values (see Example 112). However, you cannot
use XMRs to write to signals in Magellan. XMR reads must be to signals
outside the scope of where the XMR is defined.
‘ifdef MAGELLAN
mutex chk0 (.a (A.i_xfer), .b (o_xfer), .fail ());
‘endif
To verify a property checker, create a Property module in the project file. You
can have as many Property modules as you want in the project file. To add a
property checker that is instantiated in the design, name the checker and add
the output signal value description.
Example 113 shows the Property module for the mutex checker shown in
Example 111. The checker indicates a violation when the fail signal is high.
The signal path starts with the top-level module name and descends through
the design hierarchy until you reach the output signal. In Example 113, the top
module name is des_chip and the fail signal name is fail with a hot value
of 1.
// synopsys translate_off
always @(fail) begin
if (fail == 1’b1)
$display (“Error: mutex checker failure: %m”);
end
// synopsys translate_on
endmodule
Example 115 shows the same checker from Example 114 written in VHDL.
library IEEE;
use IEEE.std_logic_1164.all;
use IEEE.std_logic_unsigned.all;
entity mutex is
port (a : in std_logic;
b : in std_logic;
fail: out std_logic );
end entity;
begin
fail <= fail_mutex;
fail_mutex <= a and b;
-- synopsys translate_off
check_mutex: process (fail_mutex)
begin
assert (fail_mutex=‘1’) report
“Error: mutex checker failure” severity warning;
end process;
-- synopsys translate_on
end architecture;
Note For Magellan to automatically connect signals, the signal names must match
exactly. For example, signal a on the checker connects automatically to
signal a on the design, and signal a[0:0] on the checker connects to signal
a[0:0] on the design. However, Magellan does not connect signal a on the
checker to signal a[0:0] on the design, and signal a[0:1] does not connect
to a[1:0].
If the checker’s input signal names do not match the design’s output signal
names, use an add_env_connect command to make the connection (see
Example 116).
-exclude option, you must also specify the -scope this applies to in the
same add_property_info command (see Example 117).
In this example, the good module is defined in the rainy.v file and the
better module is defined in the asserts.sv file. Each of those files contain
assertions bound to the top module. Assertions defined in the top module
are used as checkers, as specified by the wildcard used as a glob pattern with
the add_property_info -scope command, but the good and better
assertions bound to the top module are excluded from the check and used as
constraints for the test.
Note If you use the assert and assume keywords to specify the intended usage,
you can also filter them so that the assumes are used as constraints and the
asserts as checkers (see “Filtering Asserts and Assumes” on page 322).
to select SVA, PSL, or OVL. Use the -ovaPath option if the name you are
specifying starts with an OVA unit.
For example, if you have an assertion named mutex defined in an OVA unit
bind instance named OvaUnitBind1, which is bound to a module
instantiated in the top level of your design hierarchy, one name for that
assertion is:
top.U1.OvaUnitBind1.mutex
The same mutex assertion has another named associated with it that starts
with the OVA unit name:
OvaUnit.mutex
This name does not point to a unique instance of an OVA assertion. Instead it
references every instantiation of module A, which may include multiple
instances of the mutex assertion.
Note Observe the naming convention used by Magellan for assertion names, where
the OVA unit instance and assertion appear as though they are part of the
HDL design hierarchy, and the Verilog path separator character (.) is used to
separate different levels in the hierarchy. Magellan uses this same naming
convention for locating SVA, PSL, OVA, and OVL in both Verilog and VHDL
designs.
Example 118 shows a snippet from the Environment and Property modules for
the assertion shown in Example 90 on page 330. Using this example, the
chk_ref_req assertion from the ref_req_ctl unit in the assert.ova file
is the assertion that Magellan checks. The -scope option takes a list of one or
more hierarchical paths, so you can use this method to select as many or as
few assertions in the hierarchy as you want. Of course, you may want to limit
the number of assertions that you check in any one run of Magellan. You can
create multiple property modules like the one shown in this example that
reference the same Environment module, and then run the different property
modules in separate sessions.
Example 118: Project File Snippet for Single Instance of OVA Assertion
module in the project file. Example 119 shows Environment and Property
modules for the assertion shown in Example 90 on page 330.
Example 119: Project File Snippet for all Instances of an OVA Assertion
Using this example, the chk_ref_req assertion from the ref_req_ctl unit
in the assert.ova file is the assertion that Magellan checks.
*top.\[abc\]
If the property name contains square brackets for an index and you want
Magellan to treat it as a literal instead of a character class, you need to add
more escapes. For example:
*dut.testgen\\\\[2\\\\].p3
If there are no * or ? regular expressions in the property name and all the
characters between square brackets are integers, Magellan treats the entire
string as a literal and attempts to match it exactly. For example, xyz[10]
matches the bit select xyz[10] and nothing else. In this case, you don’t need
to add backslashes to escape the square brackets.
To ensure that the checker traps illegal behavior, introduce a defect in the
design and confirm that the checker detects it.
In This Chapter
Using AEP Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Testing all AEP Property Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Testing all AEP Coverage Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Limiting the Scope of AEP Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Note Magellan only tests the subset of AEP goals that can be targeted formally. For
example, Magellan cannot formally test coverage goals for asynchronous
design behavior, but may reach many of these goals in the simulator as a
side-effect while testing synchronous coverage goals.
Note Magellan also used the AEP mechanism to implement code coverage tests.
For more information, see “Testing Code Coverage” on page 391.
Multiply-driven Buses
Magellan can verify for any bus in the design with multiple tristate drivers that
there is only one active driver at a time. Magellan finds the property false if two
or more drivers are active at the same time, even if the value is the same and
there is no bus conflict. To test multiply-driven buses in your design, use a
define_aep -multiDriver command in an AEP module in your project
file (see Example 126).
Floating Buses
Magellan can verify for any bus in the design with multiple tristate drivers that
there is at least one driver active at all times. To test for floating buses in your
design, use a define_aep -floatingBus command in an AEP module in
your project file (see Example 127).
Toggle Coverage
You can use Magellan to find inferred sequentials (flip-flops or latches) that
never change state (toggle). Note that Magellan only checks for toggling of
scalar and vector sequentials; it does not check memories or other
multidimensional arrays. To test toggle coverage in your design, use a
define_aep -toggle command in an AEP module in your project file (see
Example 129). You cannot combine toggle checks with any other type of AEP
tests in the same AEP module.
Magellan does not create toggle coverage goals for sequentials that contain X
values after the reset sequence completes. If you have any such sequentials
in your design, Magellan issues an information message similar to the
following:
You can see a list of these sequentials in the xFile.init report in the
mg_sessionName/user directory when the reset sequence completes.
If you want to run toggle checks on such sequentials, make them not-X in the
reset state using a set_env_reset command in the Environment module of
your project file. For example:
set_env_reset env_1 -value 0 -apply before
Example 132: AEP Module That Analyzes One Module in the Design
Note The add_aep_source command has a number of options that you can use
to analyze portions of your design. For a complete list, type
man add_aep_source at the MG shell prompt.
You can add as many individual coverage goals as you want using this
methodology, one for each add_aep_source command. Follow these steps:
3 Add the signals that you want to target using add_aep_source -signal
commands, either in the same AEP module you used for the first Magellan
build, or a new AEP module. If you use a new AEP module, you must
include the same set_aep_config -extractOpts and -covInput
commands that were used in the first build. Use one add_aep_source
-signal command for each signal you want to target. The
add_aep_source -signal command does not accept a list of signals.
4 Add the AEP module to a session and run the session. Example 134 shows
an AEP module that targets a single line coverage goal.
Note For information on the -cm_hier file format, see the VCS/VCSi User Guide
($VCS_HOME/doc/UserGuide/vcs.pdf).
In This Chapter
Coverage Testing Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Selecting RTL Coverage Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Defining RTL Coverage Goal Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Adding RTL Coverage Goals to the Project File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Generating Stimulus for a Coverage Goal Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Detecting Deadlock/Livelock Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
The first aspect concerns coverage of the specification. The second aspect
concerns coverage of the state space of possible inputs to the design.
A common way to measure the completeness of the stimulus used to drive the
circuit is to measure coverage on the circuit implementation. There are several
different metrics for measuring circuit coverage, each with strengths and
weaknesses.
While Magellan generates stimulus to hit the reachable states for the set of
signals, it also calculates which states are unreachable. Identifying the
unreachable states enables you to quantify the completeness of the coverage
for the reachable states. For example, a goal set of 8 signals has 256 potential
states. If a stimulus sequence only hits 16 states, you might be concerned
about its effectiveness because you have only hit 6% of the states. However, if
Magellan’s analysis indicates that 238 of the states are unreachable, you
know that 89% of the reachable states have been hit. You can focus your time
on reaching the remaining states with longer Magellan runs or more directed
tests.
In the best case, Magellan classifies all potential goal states as reached or
unreachable, and provides a stimulus sequence to hit all the states classified
as reached. However, due to limitations in formal engine capacity, there are
cases where some states remain unclassified. In this case, you may be able to
design a directed test to hit the remaining states, or observe that they are
actually unreachable.
The maximum number of signals you can include in a Coverage module is 52,
although a more practical limit is around 24.
If cross-state analysis is not important for a goal set, it may be practical to split
a large Coverage module into two or more Coverage modules and then
reference them from one session. As a simple example, if you have six signals
in a Coverage module, there are 64 (26) different states that Magellan
analyzes. If you divide the signal set into two Coverage modules, each with
three signals, and you run them in the same session, Magellan only has to
analyze 16 states (23+23).
Large goal sets that have many reached states generate stimulus files that
can take an extremely long time to run in the simulator. Magellan attempts to
compress the runtime of the stimulus file by removing simulation cycles from
the stimulus trace that did not cause any additional states to be reached.
Each signal identifier starts with the top-level module name and descends
through the instance hierarchy until it reaches the signal.
Example 136 shows three Coverage modules. Coverage modules cov_a and
cov_b identify each state machine separately. Coverage module cov_ab
combines the two state machines.
You can also use Magellan AEP to test FSM state and transition coverage
targets extracted by VCS using the simulator’s coverage methodology. For
more information, see “Testing Code Coverage” on page 391.
library IEEE;
use IEEE.std_logic_1164.all;
use IEEE.std_logic_unsigned.all;
entity encoded is
port (
A : in std_logic_vector(7 downto 0);
B : in std_logic_vector(7 downto 0);
C : in std_logic_vector(7 downto 0);
D : in std_logic_vector(7 downto 0);
subout : out std_logic);
end encoded;
The nine literals require four bits to encode. Magellan classifies the unused
states as unreachable. In Example 138, the positional values 9 through 15 are
unreachable. Example 139 shows the coverage goal set for the enumeration
signal.
To generate stimulus, read the project into MG shell and then run the session.
If necessary, Magellan automatically rebuilds the design.
For example, Magellan can detect deadlock conditions where two FSMs get
stuck in a state that they cannot get out of. Magellan can also detect livelock
conditions where there are multiple FSMs that are advancing from one state to
another, but in a circle that they cannot get out of. Livelock looks alive
because of the state transitions, but the subset of the design where this occurs
is stuck. Deadlock and livelock are both indicators of potential bugs in the
design. They can occur in multiple places in the state space for your coverage
goal set.
When you run either of these sessions (Example 141 or Example 142),
Magellan attempts to classify all the states in the coverage goal set, and
determines if there are any deadlock or livelock states that are not
unreachable.
In This Chapter
Code Coverage Methodologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Using the Automated Flow for Line and Condition Coverage . . . . . . . . . . . . . . . . . . . . . . . . . 395
Specifying Code Coverage Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Using an Input Coverage Database to Focus Magellan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Identifying Intentionally Unreachable Lines (Verilog only) . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Code Coverage Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Code Coverage Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Using the VCS Uniform Report Generator Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Note To test line and condition coverage in Magellan, you need two additional
licenses: VT_VCS_BETA_Features or VT_UnifiedCoverage, and
VT_SVDesign.
find bugs. If you get high coverage on the design with no mismatches
detected, you can consider the verification to be complete. You can apply this
same completion metric when you have assertions that are too complex for
formal proofs.
Reference
BFM Model
A
B
Y
?
Comparator
Design
Magellan
Under Test
Constraints Pin-level
Coverage
Trans-level
Metrics
To get valid coverage results from a Magellan run, the constraints must be
both complete and accurate. In the system-level testbench environment,
blocks are “constrained” by other RTL blocks and by the testbench itself. At
the block level in Magellan, constraints are represented by assume properties
or synthesizable transaction generators. It can be difficult to ensure that the
constraints are equivalent in both environments, yet failure to do so may result
in over- or under-approximation of the coverage obtained. For more
information on constraint validation techniques, see “Constraining Input
Signals” on page 260.
When you run each session with a different random simulation seed number,
Magellan hits different goals faster in each run. When all the parallel runs
complete, use the URG coverage reporting tool to merge the coverage
databases from each individual run into one coverage database file. Then
feed the merged coverage database file to Magellan using a
set_aep_config -covInput command in the AEP module of your project
file. With the database of “easy” coverage goals in place, run Magellan again
in normal mode to target just the coverage goals that are still unknown in the
input coverage database.
Note For information on using the URG coverage reporting tool to merge the
coverage databases from parallel runs with Magellan, see the Uniform Report
Generator User Guide.
Now Magellan only needs to instrument and target the lines or conditions that
are still uncovered following the initial random simulation run. This gives the
best overall performance by allowing Magellan to focus on fewer targets with
unknown coverability. To use the automated coverage flow, follow these steps:
1 Create an AEP module in your Magellan project file that specifies line
and/or condition coverage tests (see Example 143).
2 Magellan runs the initial random simulation for 3 minutes by default. While
this is a good heuristic for many designs, you may want to run the initial
random simulation longer or shorter. If so, you can specify the time using a
set_session_info -covSimTime command. The -covSimTime
option expects input in terms of hours. For example, to change the time that
random simulation runs at the start of the automated flow to 6 minutes, add
the following command to the Session module of your project file (0.1 x 60
minutes = 6 minutes):
set_session_info s1 -covSimTime 0.1
Note Simulator messages from the initial random simulation run do not appear in
the transcript or the mgsh_message.log file. Instead, these messages are
stored in the mg_sessionName/sim/covSim.log file.
3 When your project file is complete, run your session with the -covSim
switch. This switch is required to run the automated coverage flow. If you
omit the -covSim switch, Magellan runs the code coverage tests, but does
not use the automated flow (see “Specifying Code Coverage Tests” on
page 397).
mgsh> run_session s1 -covSim
4 When your run completes, you can write out your results using a
list_session_results command:
mgsh(alive...)> list_session_results s1
This report shows coverage results from the session run. It does not
include coverage results from the initial random simulation run.
5 You can also generate VCS Uniform Report Generator (URG) reports using
a write_session_test -urg command:
mgsh(alive...)> write_session_test -urg
This report shows merged coverage results from the initial random
simulation run and the session run.
These options are equivalent to using -cm line, -cm cond, and -cm fsm
on the VCS or VCS MX command line to enable coverage. You can add any
other valid simulator line, condition, or FSM coverage options to the extract
step using a set_aep_config -extractOpts command (see
Example 144). Line, condition, and FSM coverage goals that you test in any
one session must be in the same AEP module. Also, line, condition, and FSM
coverage tests cannot be combined with other types of AEP tests in the same
AEP module.
Note Code coverage testing for -fsmState is not supported for VHDL designs.
The recommended flow for code coverage testing in Magellan is to first run the
tool in random simulation mode (see “Using the Automated Flow for Line and
Condition Coverage” on page 395).
Instrumenting and testing line, condition, and FSM coverage goals can be
expensive in terms of tool performance due to the large number of coverage
goals that are created. You can limit the number of coverage goals
instrumented for formal testing using simulator coverage (-cm) switches such
Example 144: AEP Module for Line, Condition, and FSM Coverage
Note For information on the -cm_hier file format, see the VCS/VCSi User Guide
($VCS_HOME/doc/UserGuide/vcs.pdf).
If the maximum number of goals is exceeded, the build fails and Magellan
generates an error message similar to the following:
At this point you need to change the -maxGoals setting or use another
method to limit the number of extracted goals (for example, -cm_hier) before
trying your run again.
You can use code coverage run mode for line, condition, and FSM coverage
tests. This mode is optimized to converge faster on large numbers of
reachable goals. See “Run Code Coverage Mode” on page 147.
Example 145: AEP for Line, Condition, and FSM Coverage with Input Database
The input coverage database can be from a standalone run with the simulator
(simv.cm) or a previous session with Magellan (design.exe.cm). Use a
set_aep_config -covInput command to specify the path to the input
coverage database. The co1verage database from a previous run with
Magellan is located in mg_sessionName/sim/design.exe.cm. Or, if you use a
write_session_test command to write out a trace and then run the
test.csh script, the resulting coverage database is located in the test directory
you specified as an argument to the write_session_test command, or
the default location:
mg_sessionName/test/testbench/design.exe.cm
If you are using an input coverage database from a standalone run with the
simulator, add the -covDUT option to specify the instance_path_name to
the design module in the input database instance hierarchy. Because the
testbench structure used for generating coverage information in the simulator
is probably different than the one used by Magellan, the tool needs to be able
to map coverage items between the different testbench environments. For
Note You cannot use the -covDUT option to specify part of the hierarchy in the
design to test. Use the set_aep_config -extractOpts command with
the -cm_hier option to do that (see Example 144 on page 398).
When you use Magellan to test line coverage in your design, you can report on
the status of intentionally unreachable lines. Currently, Magellan defines
intentionally unreachable lines of code as Verilog basic blocks that contain
explicit X assignments (see Example 148).
Note Using the -modLineIntent switch does not automatically imply line
coverage. You need to first specify line coverage testing as shown in the
example above, using a define_aep -line command.
...
...
For line coverage target [7] Magellan found a conflict. The designer’s intent
was that the line would be unreachable, but Magellan reached it, as the report
shows. Magellan only shows the Intent part of the report if there was a
conflict between the designer intent and the test results. Magellan always
shows the LineIntent line even if there was no conflict between the
designer intent and the test results.
There are two types of test results that indicate problems with the design for
reported lines in the coverage report:
Intention was unreachable, but Magellan reached it.
Intention was reachable, but Magellan did not reach it.
You can filter the line coverage report to show just lines that were intentionally
reachable or unreachable using the lineIntent reach or lineIntent
unreach key-value pairs.
Here, the report is empty because there were no lines in the sample design
(see Example 148) that met the filtering settings (all lines were reached).
Note that the database can contain other coverage items and metrics that do
not apply to Magellan. However, unified coverage tools handle this
transparently.Figure 49 shows the high-level flow.
Note For information on using the URG reporting tool, see the Unified Coverage
Reporting User Guide.
Directed/Random Tests
VCS/Vera
Merged
Magellan Coverage
Database
URG
design.exe.cm
mg_sessionName/sim/dut.exe.cm
where:
dut is the name of the top-level module in the design you are testing.
You can specify a different name for the data using a set_aep_config
-covTest command in the AEP module of your Magellan project file. For
example, to name your tests myTest, use the following command:
set_aep_config myAep -covTest myTest
Now, if you use the VCS Uniform Report Generator (URG) tool to report
coverage results after your run completes, you see two tests in the database:
a test named myTest, which contains information about all lines of code
reached (or covered) during the Magellan run.
a second test named myTest_mgunr, which contains information about all
line or condition coverage targets that Magellan proved unreachable during
the run.
in addition, if you specified intentional unreachable reporting (see
“Configuring the Test” on page 401) Magellan uses the coverage exclude
file mechanism to record lines that are proven unreachable (as intended by
the coder). If you want to ignore these intentional unreachable lines in your
coverage reporting you can find the exclude information saved in a file
named:
mg_sessionName/user/myTest_mgunr.el
where:
With this command, Magellan generates the reports in the default location
(mg_sessionName/sim/urgReport). You can specify a different name and
location for the report directory by supplying the optional dirname argument to
the write_session_test command.
For information on reporting coverage results from both VCS and Magellan,
see “Code Coverage Flow” on page 404.
Note For more information on using the Unified Report Generator tool, see the
Uniform Report Generator User Guide.
In This Chapter
Testing SVA/OVA Cover Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Functional Coverage Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Functional Coverage Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Using the Functional Coverage Database to Focus Magellan . . . . . . . . . . . . . . . . . . . . . . . . 413
Reusing Magellan Functional Coverage Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Saving Functional Coverage Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
When you run a session that includes such coverage goals, Magellan tells you
if each cover is covered (reachable) or uncoverable (not an event that can
happen given legal input stimulus to the design).
You can name each cover object explicitly or use the wildcarding feature to
pick up all SVA/OVA cover objects that match a pattern. The names of the
cover objects that you specify must match the names used in the cover
declarations in your SVAs/OVAs. The wildcarding feature works the same way
with SVA/OVA covers as it does with SVA/OVA assertions and constraints
(see “Assertion Naming in Magellan” on page 361).
Note that the database can contain other coverage items and metrics that do
not apply to Magellan. However, unified coverage tools handle this
transparently. Figure 50 shows the high-level flow.
Directed/Random Tests
VCS/Vera
Merged
Magellan Coverage
Database
Formal Tests
fcovReport
Reach_DB
UnReach_DB
Note For information on merging functional coverage data and using the fcovReport
tool, see the VCS/VCSi User Guide.
databases, even if some of the results conflict. You can debug the causes and
obtain more consistent results in a later run with the tool (see “Saving
Functional Coverage Databases” on page 414). If you merge inconsistent data
back into the unified coverage database, it is highlighted in the reports
generated by the VCS fcovReport tool.
Magellan classifies asserts, covers, and line and condition coverage goals that
are not yet reached or proven unreachable as unknown.
Note For information on using VCS to build a functional coverage database, see the
VCS/VCSi User Guide.
Example 151: Session Module for Functional Coverage Using Unified Coverage
Database Input
Example 152: Session Module Reusing Coverage Info From Same Session
If you want to save coverage data for input to a Magellan run that references a
different Session module, you need to first export the coverage data (see
“Saving Functional Coverage Databases” on page 414).
where:
-covOutput specifies the basePath to use when writing the database files:
basePath_unr.db (unreachable coverage information)
basePath_rch.db (reached coverage information)
top_DesignName.DesignName
For compatibility with the VCS test environment, Magellan can replace this
instance_path_name with a name that is meaningful for the VCS testbench
you are using. For example, if you have a coverage signal named
instanceA.coverB in the design, and:
the design instance in the VCS environment is testbench.UUTWrap.DUT
the design instance in the Magellan environment is top_myMod.MyMod
you can map your Magellan coverage results back into the VCS testbench
environment using the following command at the MG shell prompt:
testbench.UUTWrap.DUT.instanceA.coverB
This chapter explains how to use Magellan commands to generate reports for AEP, property,
and coverage tests, and how to debug property failures or see how coverage goals were
reached. The chapter also explains how to get special-case reports such as bounded proof
and cone of influence, and how to access test results and create custom reports using
Magellan commands inside Tcl scripts.
In This Chapter
Reporting Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Automatically Generated Transcripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Detailed Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Summary Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Accessing Session Results in Tcl Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Bounded Proof Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Vacuous Proof Reporting (SVA/PSL only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Witness Trace Reporting (SVA/PSL only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Cone of Influence Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Assertion Cone of Influence Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Debugging Property Violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Reporting Overview
When you test AEPs, properties, or coverage goals, Magellan automatically
generates transcripts on the screen with updated results as your session runs.
(see “Automatically Generated Transcripts” on page 419).
After the build phase completes, you can generate reports at any time during
or after a run using the list_session_results command (see “Detailed
Reporting” on page 421).
You can also use the list_session_results command inside Tcl scripts
that you write to produce custom reports (see “Accessing Session Results in
Tcl Scripts” on page 432).
Note The Magellan GUI (mgui) provides an easy-to-use way to report test results
and debug property failures. For information on getting started with mgui, see
“Invoking the Magellan GUI” on page 108.
In this example, Magellan found progressively deeper bounded proofs for all
16 instances of the SVA specified in the mutex Property module and
concluded by proving them all, as shown in the summary information for the
results printed when you press the Return key after a session run completes.
Transcripts for coverage goals are slightly different, as shown in Figure 52. In
this example, Magellan is running a session (s1) which tests the set1 AEP
Detailed Reporting
Any time after your build completes, you can use a list_session_results
command at the MG shell prompt to see detailed information about the goals
Magellan found or tested in your design (see Table 12).
The list_session_results output follows the same basic format for all
property goal types and SVA/PSL covers. Each goal in the list is assigned an
index number (ID) starting with 0 and gets a separate report section with
details on the results or status of the test. Index numbers are generated for
each module that you test in a Magellan session. If you test more than one
module in a session, you need the module name and ID number to uniquely
identify a goal. Right next to the ID for each goal in the
list_session_results output Magellan shows the goal status. The
list_session_results command generates a one-line report for each
goal in the session by default. If you want to see a more detailed report, add
the -long switch.
In this example, the error trace for the falsified property consisted of 9 cycles
of random simulation (r=9) and 0 cycles of formally-generated stimulus
(f=0).
You may also get a trace length report which shows that only
formally-generated stimulus was used to falsify a property. For example:
[ 1] Falsified (Non-vacuous) (Cycles r=0,f=20)
In this example, the error trace for the falsified property consisted of 0 cycles
of random simulation (r=0) and 20 cycles of formally-generated stimulus
(f=20).
The third possibility is that Magellan used a combination of random and formal
stimulus to falsify the property. For example:
[ 2] Falsified (Non-vacuous) (Cycles r=21,f=56)
In this example, the error trace for the falsified property consisted of 21 cycles
of random simulation (r=21) and 56 cycles of formally-generated stimulus
(f=56).
Magellan reports the SimTime in the detailed reports only for falsified AEP
properties. You can use this information to locate a property failure in the
waveform viewer. The Signal names in the AEP property list show Magellan
instrumented signal names for most of the AEP property types. The Signal
names for toggle coverage, multiply-driven buses, and floating buses
reference the actual signal names in your design. AEP property lists for toggle
coverage, multiply-driven buses, and floating buses do not show File and
Line numbers.
Each property goal found in the design is given an ID and an index number,
followed by the status (reached, unreachable, or unknown). Magellan
reports the SimTime in the detailed reports only for falsified properties. You
can use this information to locate a property failure in the waveform viewer.
...
Each code coverag goal found in the design is given an index number,
followed by the status (reached, unreachable, or unknown). Magellan
reports the SimTime in the detailed reports only for reached coverage goals.
You can use this information to locate a reached coverage goal in the
waveform viewer.
For line and condition coverage tests, the File and Line names refer to the
places in your design where Magellan found the line or condition coverage
goals to test. For condition coverage goals, the Cond lines show the
expressions that were tested.
The coverage report shows the signals that were tested and displays results
for reached, unreachable, and unknown coverage goals in the form of a
compressed truth table, where a dash means both values (0 and 1) are
included.
For example, if you are testing an AEP line and condition coverage module,
you can use the -state reached or unreachable options to filter the
report to just those categories as follows:
mgsh(alive...)> list_session_results -state unreachable
Magellan prints a short header at the top of the report that shows the session
name for the AEP module, followed by the filtered report. In this case, the tool
reports only on line and condition coverage goals that are unreachable.
For assertion properties like SVAs, you might want to filter your results to see
just the goals that are proven or falsified. In that case, you could use a
command like this:
mgsh(alive...)> list_session_results -state proven
Or perhaps your run has been going for some time without completing and
you want to see a report for the SVAs that are still unknown, so that you can
separate them out and test them in a separate session with the tool. In that
case, you could use the following command:
mgsh(alive...)> list_session_results -state unknown
You must enclose the two arguments to the -filter option in curly braces.
For example, to see a report for all the AEP line coverage tests on always
blocks, you can use the following command:
mgsh(alive..)> list_session_results -filter {line ALWAYS}
If you ran both line and condition checks in the same session, you can use the
-type option to show results just for that type. For example:
mgsh(alive..)> list_session_results -type aepCondition
Note For information on all list_session_results options, see the man page
(at the MG shell prompt, type man list_session_results).
Summary Reporting
You can report summary test results any time after the build completes using a
list_session_results -summary command. The example in Figure 57
shows a summary report for an AEP line and condition coverage test defined
in an AEP module named set1.
In this example, the associative array includes the following key-value pairs:
type is the key and aep is the value for the module type.
name is the key and set1 is the value for the name of the aep module.
idxList is the key and 0, 1, 2 ... n are the index numbers for all the
AEP line and condition coverage goals found in the design for the set1
AEP module.
To get all the AEP module names defined in a session, loop through all the
AEP signals in each module, and report the signal names and statuses for the
coverage goals, you can use a Tcl script like the one shown in Example 155.
For this to work, you must read in the project file where the specified Session
module is defined and then source the Tcl script at the MG shell prompt:
% mgsh project.prj
dut.testgen[2].p3
and you want to add all instances of this property to a Magellan project file
using the add_property_info -scope command, use four backslashes in
front of each square bracket:
*dut.testgen\\\\[2\\\\].p3
Magellan calculates bounded proof depths by counting from the Reset State
(see Figure 32 on page 221). Magellan samples the Reset State at the
1/4-cycle point of the system clock, and applies the first set of inputs to the
formal model on the next falling edge. Just before the next rising edge of the
clock, Magellan samples net values. If Magellan can prove that it is impossible
to cause the assertion to fail with the design in the Reset State and legal
values applied to input signals, it reports a bounded proof of depth zero. If
Magellan could violate the property from that state, the error trace would have
a length of zero cycles.
On the next rising edge of the system clock, the design advances to the first
state following the Reset State. If Magellan can prove that there are no legal
input values applied at both the first and second falling edges that can cause
the assertion to fail, it reports a bounded proof depth of one. And so on for
subsequent cycles.
Note that the system clock can be twice as fast as the design clock in some
cases (see “Understanding Magellan’s System Clock” on page 212). Magellan
reports bounded proof depths in terms of the system clock, not the design
clock.
To get the best possible bounded proof results in the shortest time, run
Magellan in bounded proof mode, as shown in the following example:
mgsh> run_session -mode boundedProof sessionName
The status of the vacuity property doesn’t matter if the related property is
falsified and there is no replay miss when you run the trace in the simulator.
Note If you use disable iff in your SVAs, it is possible to get vacuous proofs
even when the antecedent to the implication operator is reachable, because
the disable iff expression becomes part of the antecedent for vacuity
checking.
While there may be multiple input sequences that can make a property true,
Magellan reports the first witness trace that it finds. Generally, this result is
repeatable unless you change your design or add or modify the properties you
are testing in a Magellan session.
For example, in Figure 61 Magellan reports that a witness trace caused the
assertion to succeed at simulation time 599 for a property that was also
proven.
In this next example (Figure 62), Magellan reports that it was unable to
generate a witness trace for a property that was proven. Because the proof is
non-vacuous, we know that the antecedent of the implication operator for this
SVA was reachable. This means that the witness trace was unreachable
because the consequent of the implication was unreachable. This kind of
result is most likely caused by an over-constrained design that leads to
dead-end states (see “Avoiding Dead-End States” on page 288). It can also be
caused by an assertion error or a bug in the design.
Note Cone of influence reports are on the unoptimized design, so you don’t see the
effect of constant propagation for signals set to constants in your Magellan
project file.
Note You cannot generate reports for design_signals in the same command
that reports on properties or coverage goals. Use separate calls.
To generate a cone of influence report for all goal sets (including checker and
constraint properties as well as coverage goals and properties) use a
report_session -cone {} command with an empty list, as shown in the
following example:
mgsh(alive...)> report_session -cone {}
Magellan generates cone of influence reports on the screen, unless you add
the -file path_to_report_file option, in which case the report is
generated in the file name and location you specify.
The first section of the report lists the registers in the cone of influence along
with their sequential distances (seq_distance=n) from the property
(mutex[0] in this example). The second section of the report lists the primary
inputs in the fanin cone for the property. At the end of the report for each
property, Magellan prints a summary of the number of primary inputs and
sequentials.
To generate a cone of influence report that shows the primary inputs and
registers that are not in the transitive fanin cone of specified properties,
coverage goals, or design signals in your session, use a report_session
-uncovered -cone command, as shown in the following example:
mgsh(alive...)> report_session -uncovered -cone \
property | coverage_goal | design_signal
To generate a cone of influence report that shows the primary inputs and
sequentials for registers that are not in the transitive fanin cone of any
properties or coverage goals in your session, use a report_session
Run the show_coi command any time after reading in your Magellan project
file (using a read_project command). In order to report on assertion COI,
Magellan first builds a design netlist. Iterative analysis is supported (Magellan
rebuilds the design when needed due to changes in the project state).
For example, to see the COI for all assertions used as checkers in your
design:
Running the above command on the Verilog tutorial design shipped with the
tool generates a report that looks like Example 157. Because the
des_chip.assert_mutex assertion is bound to a module that is
instantiated 16 times in this design, you get one COI report for each instance.
(See “SVA Combinational Property Proof” on page 41.)
--------------------------------------------------
Coi Report For
Goal:des_chip.u_des_core.u_des_unit0.dd_d.assert_mutex_
inst.assert_mutex
--------------------------------------------------
# Constraints: 0
# Inputs: 21
# Sequentials: 225
# Combinationals: 3856 ...
The show_coi command has the following switches and options, which you
can use to customize the report:
Add the -detail switch to break down the reported nodes into design,
glue logic, and automaton nodes (automatons are created by the assertion
compiler).
Assertion COI analysis normally includes the logic of the assertion, the
design, and any constraints that may be relevant. Use the -isolate
switch to remove the contribution from constraints. Relevant constraints are
those that could possibly control design signals in the COI as determined
by a structural analysis.
Use the -type option to filter the results. Filtering options include:
pi (primary inputs only)
seq (sequentials only)
comb (combinationals only)
constraint (relevant constraints only). Constraint relevance takes
into account multiple clocks and the clock tree.
all (all of the above). This is the default.
Use the -enumerate switch to print node names. The reported names are
not bit-blasted. When you don’t use this switch, the show_coi command
produces a summary report by default.
For example:
This command produces a detailed report that lists the design primary inputs
and sequentials, glue logic sequentials, and automaton sequentials in each
assertion COI without taking into account constraint relevance.
This setting has higher precedence than the setting in a Magellan project
file.
You can override the default debugger when you run a command by
specifying the appropriate switch. For example, if your default debugger is
Debussy, you can use Verdi instead by adding the -verdi switch to the
command:
mgsh(alive...)> view_session_results -verdi
Controlling Dumping
During a session run, Magellan generates VPD or FSDB files for DVE or
Debussy/Verdi, respectively (see “Setting a Default Debugger” on page 445).
By default, Magellan includes all debug data from the top level of the design
on down, including multidimensional array (MDA) data if you enable its
generation using a define_session -dumpMda command in the Session
module of your Magellan project file. Depending on the design you are testing,
this global dumping can be expensive in terms of disk space usage and slower
tool performance. You can refine and control Magellan’s dumping behavior
using a custom Tcl procedure in a file named mg_dump.tcl in the same
directory where you keep your Magellan project file. For example, you might
want to limit the portions of the design hierarchy for which data is dumped. For
more information on how to control waveform dumping see the VCS/VCSi
User Guide ($VCS_HOME/doc/UserGuide/vcs.pdf).
You can either create the Tcl procedure file yourself or copy and modify the
mg_dump.tcl file that Magellan creates in the mg_sessionName/.temp/script
directory during a session run.
When you run a Magellan session, the tool looks first in the project directory
for a user-specified mg_dump.tcl file. If no dump control file is present,
Magellan creates a new mg_dump.tcl file in the mg_sessionName/.temp/script
directory, overwriting any mg_dump.tcl file that may be left over from a
previous run of the same session.
The mg_dump.tcl file includes Tcl procedures for both DVE and
Debussy/Verdi users (see Example 158).
Note that for DVE users. the proc mg_dump_vpd line must be present. For
Debussy/Verdi users, the proc mg_dump_fsdb line must be present.
Magellan uses the mg_dump.tcl file to create VDP or FSDB files during a
session run. You can change the default dumping behavior by supplying your
own mg_dump.tcl file that redefines the Tcl procedures shown in
Example 158. When Magellan calls one of these Tcl procedures, the tool
passes in the vpdfile or fsdbfile name and design name. Add the
desired UCLI dump commands to the procedure. Magellan passes the dump
commands you specify directly to the simulator and does not check them for
correctness, so make sure they are legal commands for the debugger you are
using.
Make sure you have the correct debugger specified for viewing the VPD or
FSDB file. If you need to override the default debugger, add the -dve,
-debussy, or -verdi switch. See “Setting a Default Debugger” on page 445.
You can also use MGUI to view the waveforms for the failure. Just type mgui
at the MG shell prompt:
mgsh(running ...)> mgui
The GUI comes up with your current session information already displayed in
the Report tab. You can then click on the results in the Report tab or go to the
Monitor tab to view the results in your selected debugger.
where dirname is the path name where you want to store the test files. If the
directory does not exist, Magellan creates it. If the directory already exists,
Magellan replaces any existing files with the new test files. If you do not
specify a dirname, Magellan puts the test files in the
mg_sessionName/test/testbench directory by default.
To replay the stimulus file, enter test.csh at the UNIX prompt. For example:
% ./dirname/test.csh
The test.csh script is the driver for the test, which runs in batch mode by
default. To run and then invoke the debugger on the test, add the -dve,
-debussy, or -verdi switch to your test.csh command, depending on
the tool you are using.
If you use the -debussy or -verdi switch, make sure you have
$DEBUSSY_HOME or $VERDI_HOME set to the location of your Debussy or
Verdi installation.
Note The test.csh script does not track changes in dependencies from previous
invocations. If you change any of your design files or the switches used with
test.csh, you must do a test.csh -clean before rerunning the test. For
more information on test.csh script options, see the man page (type man
test.csh at the MG shell prompt).
% cp -r ./dirname /u/julius
When you run the test.csh test driver script from the new location, Magellan
reuses the VCS command line specified in your Magellan project file with the
set_design_info -vcs command. If the design files for the test are in a
different location relative to the original project directory, specify the new
container directory for the design files using the -srcDir option to the
test.csh command. For example:
% /u/julius/dirname/test.csh -srcDir mySrcDir
If your Magellan project file uses absolute paths to the design source files
used in the test, do not use the -srcDir option. The absolute paths continue
to work in the new test directory location as long as you run test.csh on the
same network where the original test was run.
Otherwise, specify the -srcDir so that test.csh knows where to find the
directory from which the design source files are referenced in this new
location.
The waveform viewer displays the system clock, system reset, user-specified
design clock, and inputs to the module that caused the assertion to fail.
2 Do not change the default ModelSim path name separator from a slash /.
initial
begin
#1000 $vcdpluson;
#5000 $vcdplusoff;
end
2 In the Magellan project file, add the -PP compile-time VCS option to the
command line you specify using set_design_info in the Design
module.
3 When the session that references this environment finishes, use the
following command to view the results:
% vcs -RPP +vpdfile+vcdplus_filename.vpd
The file that VCS creates is named vcdplus.vpd. To create the file with a
different name, use the VCS +vpdfile+filename runtime option. For
more information, see the VCS/VCSi User Guide.
command, see the VCS MX/VCS MXi User Guide,. Example 160 shows
the contents of a dump.cmd file.
cd top_netSignal
dump -vpd -o vcsmx.dump -deep *
2 Replay the stimulus file using the test.csh script and the -vpd switch:
% test.csh -vpd
The test.csh script creates a VPD file in the current working directory.
In This Chapter
Understanding Mismatch Detection in Magellan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Checking for Mismatches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Responding to Replay Misses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
Responding to Conflicts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Responding to Unknowns on Goal Signals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Diagnosing Mismatches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Generating VCD Files for Formal Traces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Note Mismatches can occur not only in the design, but also in assertion-style
constraints in the test environment, because Magellan creates formal and RTL
simulation models of constraints too. For more information, see
“Simulation/Synthesis Mismatches with Constraints” on page 274.
Magellan depends on the simulation model and the formal model behaving the
same. Undetected mismatches may cause Magellan to miss defects, report
inconclusive or contradictory results, or generate errors. It is difficult to know if
Magellan is missing defects or reporting inconclusive results because of a
mismatch in the simulation and formal models. As a result, it is a good idea to
use Magellan’s compare functionality to discover mismatches early in the
validation process.
When you run a session for the first time, check for mismatches for at least a
few minutes using a run_session -compareAlways command (see
“Checking for Mismatches” on page 461). Many mismatches are detected
within the first few cycles of simulation.
Repeat this process for each new session you run. Magellan only checks the
target area of the design and the transitive fanin referenced by the coverage
signals and property checkers in the Session module. You should also repeat
this process if you make changes to the design or environment. Interaction
between the design and constraint models in your environment can also
produce mismatches.
If you don’t find any mismatches, proceed with the property or coverage goal
search. If you see subsequent messages indicating a replay miss, run the
session with a run_session -compareReplay command (see
“Responding to Replay Misses” on page 462).
Figure 67 shows the compare cycle. Given that the clock period is T, at t=0 the
system clock rises. At T/4, Magellan samples the circuit state and stores the
information for later comparison. At T/2, Magellan applies stimulus to the
primary inputs of the design. Magellan repeats this process for each clock
cycle during the compare.
System Clock
Drive Drive
Inputs Inputs
I1 I2
Sample Sample
Nets Nets
At one tick before T, Magellan records all the net values in the design.
Magellan uses this information only if it detects a mismatch.
At one quarter cycle into the second clock period, Magellan downloads the
previous state (S1), the previous inputs (I1), and the current state (S2) from the
simulator. The formal engine reads in the previous state (S1), applies the
inputs (I1), and computes the next state (N). Magellan compares the current
state (S2) from the simulator and the computed state (N) from the formal
engine.
If the comparison passes, Magellan continues with the next cycle and repeats
the process. If the comparison fails, Magellan saves the state information that
identified the mismatch, generates a series of reports, issues an error, and
pauses the run. At this point, you can write out a test to debug the problem or
continue the run (see “Responding to Replay Misses” on page 462).
Responding to Conflicts
Conflicts occur when Magellan’s formal engines report a goal as unreachable
(for example, prove a property), but the simulator reaches the goal (for
example, falsifies the same property). This can occur in case statements
where the case-guard is not initialized or the case statement is a casez or a
casex. When Magellan detects a conflict, it issues a message similar to the
following:
*** Warning: (HVUT-019)
Property:aep1 Bit:/cases/full_case/outval
Specified(0) both Reached and Ignore
Debugging Conflicts
When you see this type of problem, run the Session module again using the
-compareAlways switch to determine the cause of the conflicting results:
When a goal signal goes to an unknown value (X) in simulation after it has
been classified by the formal engines, you see a different error message
similar to the following:
*** Error: (HVUT-077)
Signal:rlm.chkr3.ova_one_hot of goal:One_hot_check prop X
transition conflicts with rlm.chkr3.ova_one_hot
classification
Diagnosing Mismatches
Magellan uses well-established synthesis techniques to produce the formal
model. There are a variety of HDL coding constructs that can lead to
mismatches between the simulation and formal models. The following
sections explain how to identify some of these constructs and locate the
problems.
There are several techniques you can use to find the cause of the mismatch:
Examine the source code where the registers are assigned. Look for
questionable coding styles that could cause the mismatch.
When Magellan pauses, use a write_session_test command to save
the stimulus, and then run the test.csh script with the -nocompress
switch to debug the mismatch in the simulator. You need the
-nocompress switch in order to see all simulation cycles and find the time
step where the mismatch occurred.
Use the vector and diagnosis files that Magellan generates to help identify
the source of the problem (see “Using Magellan’s Mismatch Reports” on
page 471).
Blocking Assignments
Blocking assignments that cause race conditions can also cause
simulation/synthesis mismatches. This is because the evaluation order for
simulation and formal models can differ. The simulator evaluates all blocking
commands first, and then executes non-blocking assignments at the end of
the cycle. The formal model has no concept of blocking and non-blocking
assignments and evaluates them simultaneously.
reg [Size-1:0] Q;
always @(posedge C)
Q = (D + 1’b1);// blocking assignment
endmodule
Example 162 shows the corrected regx module. To correct the mismatch,
replace the blocking assignment with a non-blocking assignment.
reg [Size-1:0] Q;
always @(posedge C)
Q <= (D + 1’b1);// non-blocking assignment
endmodule
But this kind of mismatch can be caused by a problem with a sequential in the
fanin net. Sometimes the root cause is a 0-delay race between clock and data
on a latch, where the formal model resolves the race one way and the
simulation model resolves it the other way. In this case Magellan does not
report the sequential causing the mismatch because the race behavior
happens in the same timestep where the clock happens. Because formal
analysis cannot change the values of sequentials more than once per
evaluation cycle, Magellan needs a minimum setup time of 1 timestep. You
can fix problems like this by putting a #1 delay on the clock instead of a
delta-cycle delay. Put the modified code inside ‘ifdef
MAGELLAN_MISMATCH_FIX or something similar and define that macro in the
VCS command line you specify in the Design module of your Magellan project
file.
Note The diagnose.out report record shown above can also be caused by blocking
assignments (see “Blocking Assignments” on page 465).
Example 164 shows the corrected test module. To correct the mismatch,
complete the sensitivity list.
X Values
X assignments can cause mismatches and replay misses if they are in a part
of the design critical to a coverage or property goal or are in the reset
sequence. X and Z values propagate differently in the simulation model and
the formal model. For the best results, initialize values to a known state.
Figure 68 shows two models of a multiplexer: the simulation model and the
gate-level formal model.
a
a 0
y
b 1
y
b
Q Q .
Simulation Model Formal Model
In the simulation model, if both data inputs, a and b, are set to a logic 1, and
the selector, Q, is an X, the y output is a logic 1. However, with these same
inputs, in the formal model the y output is a logic X. This difference in the y
output may result in a simulation/synthesis mismatch.
Magellan logs messages about X values in the download state. Magellan also
logs when a property signal or a signal in a coverage goal transitions to an X in
the simulator. To view this information, use a report_session -xinfo
command.
Note Magellan cannot change X values in state-holding UDPs. Therefore, you need
to reset them to a logic 0 or 1.
The diagnose.out file begins with a header line that shows the simulation time
when the mismatch was detected, The rest of the file is formatted as a
sequence of data blocks, where each block is a failing register or output,
followed by nets in the transitive fanin for that register which were also
mismatches.
-or-
where:
RTL_Name is a sequential or output name in Verilog or VHDL format.
The top of the hierarchy is the design’s top module or the instance name
of the checker or constraint model.
SynVal is the logic value computed by the formal engine.
SimVal is the simulation value for the sequential or output.
LogicVal is 1, 0, or X.
where RTL_Name is a failing net driver, in Verilog or VHDL format. The top of
the hierarchy is the design’s top module or the instance name of the checker
or constraint model.
Sequential:top_ytgz_dma2ocn_top.ytgz_dma2ocn_top.ytcz.y
tcr.ytce.rq_done_reg.i000.L2[5]
(SynVal:1 SimVal:0)
Fanin
Mismatch:top_ytgz_dma2ocn_top.ytgz_dma2ocn_top.ytcz.ytc
r.ytce.rq_done_reg.i000.L1[5]
SynVal:1 SimVal:0
Output:top_test_mismatch.test_mismatch.mem_[0]
(SynVal:0 SimVal:1)
Note Formal VCD traces are only long enough to show where a goal was met or a
property falsified in the formal model. They are not simulation results like you
get when you use a write_session_test command after a completed
Magellan run.
When you view the waveforms generated by these VCD files in the simulator,
keep in mind that the RTL simulation model for your design and the formal
gate-level model are different, even if you take care to remove
synthesis/simulation mismatches. For example, there may be nets that exist
only in the formal model. And the formal model only looks at signals in the
transitive fanin of properties or coverage goals defined in that session. This
process is known as pruning or circuit abstraction. Finally, Magellan uses a
system clock to drive the formal model to enable formal analysis of designs
with complicated clocking schemes (for example, derived or gated clocks). In
such cases, Magellan's system clock is represented explicitly in the VCD file.
Bounded proof. A proof which indicates that for any stimulus of N cycles
from the Reset State, the property is always true. See also Proof.
Checker. A piece of verification code that monitors the design for compliance
with a property. The checker asserts an output signal if the design behavior
violates the property.
Classified state. A state or value of one or more goal signals that Magellan
identifies as reached or unreachable. For reached states, Magellan provides a
stimulus sequence to reach the states. For unreachable states, no legal inputs
can reach the states. Magellan labels states that it has not yet classified as
unknown.
Compressed truth table. A truth table format reporting a set of binary values
that represent reached, unreachable, and unknown states.
Each signal in the compressed truth table is identified with a particular bit
position. The dashes in a bit position indicate both bit values are included. For
example, the Reached report indicates the following six states were reached:
0000
001- (reached both 0010 and 0011)
10-0 (reached both 1010 and 1000)
1100
Formal build. A process called by the Build server. The Formal build runs the
front-end of the synthesis compiler to create a gate-level model of the design.
Functional coverage. The fraction of all possible behaviors that the design
can exhibit when exposed to stimulus that may be encountered in actual
usage. Complete functional coverage is defined as the exercise of all specified
behaviors that the design can exhibit when exposed to stimulus that may be
encountered in actual usage.
Goal set. A group of signals you want to target (as defined in a Coverage
module).
Project. The project is a container for all the definitions Magellan needs to
evaluate your design and run tests. Each Magellan invocation operates on
one project at a time.
Project file. A Tcl script of data commands specifying all the project
information.
Proof. A proof indicates that for any stimulus sequence of arbitrary length, the
property is always true. See also Bounded proof.
Property. A logical assertion about the behavior of the design. Properties are
typically fragments of the complete design specification. For example, “The
FIFO will never overflow” or “The bus will be granted within 30 clock cycles of
a request.”
Reachability engine. A process called by the Run server which tries to find
stimulus traces that reach new states of the target goal set or property.
Run server. The Magellan process that searches for property proofs and
violations, and generates coverage stimulus. The Run server starts up
multiple processes that concurrently validate the design, including the
simulator, reachability engines, and unreachability engines.
Safety property. A property that specifies a subset of safe states for the
design and requires that the design never leave this subset of safe states. All
possible error traces of a safety property have a finite length.
Session module. A section of a Magellan project that defines a test run with
an environment and one or more coverage goals or property checkers. You
can define any number of Session modules in a project.
Simulation build. A process called by the Build server. The Simulation build
process runs the simulator.
Synthesis policy checker. A tool that evaluates the code in the design to
ensure that it conforms to synthesis rules. Policy checker tools provide an
early evaluation of the code without the expense of running the code through
the full synthesis process.
property 454
regressions 415
-urg 406
-urgSes 406
X
x randomization 185
X values 250–251, 469, 470
-xAssign 370
xFile.init file 137, 222, 231, 250, 374
-xinfo 470
XMR 263, 271
in checker instantiation 356
in procedural code 187
with SystemVerilog 187
-xRandom 185