Adding Debug Enhancements to Assertion Checkers for Hardware Emulation and Silicon Debug

Marc Boulé, Jean-Samuel Chenard and Zeljko Zilic
McGill University
marc.boule@elf.mcgill.ca, {jsamch,zeljko}@macs.ece.mcgill.ca

Abstract—This paper presents techniques that enhance automatically generated hardware assertion checkers to facilitate debugging within the assertion-based verification paradigm. Starting with techniques based on dependency graphs, we construct the algorithms for counting and monitoring the activity of checkers, monitoring assertion completion, as well as introduce the concept of assertion threading. These debugging enhancements offer increased traceability and observability within assertion checkers, as well as the improved metrics relating to the coverage of assertion checkers. The proposed techniques have been successfully incorporated into the MBAC checker generator.

I. INTRODUCTION

Assertion-Based Verification (ABV) has recently gained significant popularity in tackling an enormous task of verifying and tapping out a successful design. ABV leverages the expressive power of temporal languages to insert checkers that monitor any deviation from the specification’s intent. As design size increases, so do the requirements for higher simulation speed and faster regressions. Hardware emulation offers a significant increase in speed, but often at the expense of a more limited observability of the circuit nodes. A methodology based on assertions in the source code must consider the potential use of hardware emulation, therefore the assertions should be amenable to hardware acceleration. Furthermore, when design errors are found during emulation, additional information from the assertion checkers should be used to point to the source of the problem.

This paper enhances previous work on hardware assertion-checker generation [1] to provide further debugging utility of the assertion checkers. The primary context of this work is in the pre-tapeout verification by emulation, however post-layout silicon debug tasks can equally benefit from the proposed methods. Assertion checkers (also called assertion circuits) are circuits responsible for monitoring specific properties that a design should respect. Assertions about the design properties are specified at a higher level of abstraction using assertion languages. Two of the most widely used modern assertion languages are the Property Specification Language (PSL) and the SystemVerilog Assertions (SVA).

This work presents the techniques by which assertion checkers synthesized from PSL are enhanced with several key debug features: hardware coverage monitors, activity tracers, assertion completion and assertion threading. The added circuitry can significantly improve the debugging capabilities of the resulting checkers at the expense of a slight increase in the assertion-circuit size.

II. BACKGROUND: ASSERTION CHECKER GENERATION

Assertions are statements that specify how a given circuit should behave under a variety of circumstances. A checker generator ([1], [2]) is a tool which accepts assertion statements and generates monitor circuits that can be used for in-circuit verification. The debugging enhancements introduced in this paper are implemented in our checker generator called MBAC. Assertion checkers are a must for combining hardware emulation or silicon debug with assertion-based verification, given that assertions are not written in Hardware Description Languages (HDLs), but rather in languages such as PSL. Since the assertion languages are powerful and do not necessarily lend themselves to simple checker circuits, the checker generator’s task is therefore to transform assertions into efficient monitor circuits that detect assertion failures. Coding checkers by hand can be a tedious and error-prone task. In certain cases, a single PSL statement can imply tens or even hundreds of lines of RTL code in the corresponding checker.

A brief overview of assertion-language features is given next for the Property Specification Language [3], although the key ideas presented in this paper apply equally to SVA or other modern assertion languages. PSL is a powerful language built on several layers of description. The Boolean layer consists of the Boolean expressions of the underlying HDL (we use the Verilog “flavor” in this paper). The temporal layer defines temporal sequences, with its own set of operators for constructing complex temporal chains of Boolean expressions. Such statements rely on the clock signal to advance time; PSL syntax uses the semicolon to denote a single clock cycle step. The most general meaning of \( \cdot \) is a concatenation of sequences in time. Repetition of events can be bounded (\([\text{low}; \text{high}]\)) or unbounded (\([\cdot]\), which means \([0; \infty]\)), and can be applied to Boolean expressions or other sequences. As in regular expressions, \([+]\) denotes a repetition of one or more instances.

**Example 1:** (PSL Sequences.) If \( b_1 \) is a Boolean expression, the following are valid PSL sequences:

- \( \{b_1; b_2; b_3\} \)
- \( \{b_1; b_2\} \land \{b_3\} \)
- \( \{b_1; b_2; b_3\} \)
- \( \{b_1; b_2; b_3\} \land \{b_3; b_4\} \)
- \( \{b_1[\cdot 1.5]; b_2\} \)
- \( \{b_3; b_4[+]\} \)

The first sequence expresses the fact that the expression \( b_1 \) must be true first, followed by \( b_2 \) asserted in the next cycle, and by \( b_3 \) asserted in the third cycle. Sequence disjunction (\( \cdot \)) and sequence intersection (\( \land \)) correspond to the straightforward OR-ing and AND-ing of independent sequences, while length-matching intersection (\( \cdot \land \cdot \)) requires that the two sequences also be of the same duration. The fusion operator (\( : \)) is a
concatenation for which the last Boolean primitive of the left side must intersect (i.e. both must be true) with the first primitive of the right side argument.

The temporal layer also includes properties which add more expressive power to the use of sequences and Boolean expressions. First, sequences and Boolean expressions are valid properties. The operators never and always indicate properties that either never happen, or happen every clock cycle. The eventually operator creates a liveness property which can only fail at the end of execution if its sequence argument has not occurred. The |>= operator is known as suffix implication: upon detecting the sequence on the left-hand side, the right-hand side has to hold. A violation in the property will cause the assertion to fail. The |=> is a non-overlapped implication, meaning that the property has to hold on the clock cycle that follows the sequence’s occurrence.

Example 2: (PSL Properties.) If bool is a Boolean expression, seq is a sequence and prop is a property, the following are PSL properties:

- never seq
- always bool |=> prop
- eventually! seq
- always seq |=> prop

The |=> operator is known as suffix implication: upon detecting the sequence on the left-hand side, the right-hand side has to hold. A violation in the property will cause the assertion to fail. The |=> is a non-overlapped implication, meaning that the property has to hold on the clock cycle that follows the sequence’s occurrence.

Example 3: (Typical Bus Arbitration Assertion.)

\[
\text{assert always \{REQ & READY\} |=> \{-\text{GNT} \& \sim\text{GNT}\}[0:4] ; \text{GNT} \& \sim\text{BUSY}\};
\]
In this case, the knowledge of the assertion failure will not reveal the exact sequence of events responsible for the failure. For example, if REQ, READY and GNT are all asserted simultaneously, this will be a failure as much as if the GNT was never asserted. Explicit knowledge about the precondition status (in this case “REQ & READY”) is better than having to manually create new markers for precondition signals in the debug environment. In our simple example, the precondition marker is easily created; however PSL does not preclude having a complex sequence as a precondition, which would then become a difficult task to re-create in the debug environment.

IV. ENHANCING ASSERTION CHECKERS FOR DEBUG

In this section we present multiple debugging enhancements that can be compiled into the assertion checker circuits produced by our checker generator. These enhancements increase the observability of signals in assertion circuits, and increase the amount of coverage information provided by the checkers. The methodology flow is illustrated in Figure 1. The MBAC checker generator produces assertion-monitoring circuits from PSL statements and augments these checkers with debug-assist circuitry. Other forms of debug information, such as signal dependencies, can also be sent to the front-end applications. Since major FPGA manufacturers now provide hardware interface tools such as embedded logic analyzers, this allows the integration of our techniques even in the simplest, low-end emulation platforms.

A. Dependency Graphs

When debugging an assertion, the ability to quickly determine which signals and parameters can influence the assertion output is an important aid to pinpointing the cause of an error. An explicit enumeration of the signals that can cause an assertion failure helps shorten the debug cycle in any scenario. As a part of the generated checkers in our tool, all of the signal and true parameter dependencies are listed in annotations for each assertion circuit. From this, a dependency graph is then extracted for failure-cause visualization, or for automatic wave script generation in the emulation environment. When an assertion fails, the signals that are referenced in an assertion can be automatically added to the wave window and/or extracted from an emulator, in order to provide the necessary visibility for debugging. Depending on the current capture setup for the trace buffer, an additional rerun might not be needed upon a failure.

Dependency graphs are particularly useful when complex assertions fail, and even more so when an assertion references other user-declared sequences and/or properties, as permitted by the PSL language [3]. In such cases, an assertion’s signal dependencies can not be quickly identified at first sight. Optimizations performed on the assertion circuit may result in the removal of some dependencies which will simplify the resulting list. This indicates that either the assertion was incorrectly constructed (since it used redundant signals) or that the combination of multiple sub-expressions resulted in a contradiction or tautology with respect to a subset of the input signals or parameters. In either case, the dependency graph helps in identifying the cause of an assertion violation.

B. Monitoring Activity

Sequences are expressed internally as automata before being converted to the checker hardware. Monitoring the activity of a sequence can be a quick way of knowing whether the input stimulus is actually exercising a portion of an assertion. Using the appropriate compilation option, our tool generates activity signals for each sequence sub-circuit. This activity signal is formed by conjoining all of the state signals in a given sequence automaton, such that when a sequence automaton has at least one active state, the activity signal is asserted. An example of activity signals is visible in Figure 2 for the following assertion.

Example 4: (Test Assertion for Activity Signals.)

\[
\text{assert always} \{ \{a,b\} | \Rightarrow \{c[0:1];d\}\};
\]

Here, the activity signals for both sequences are visible, along with the assertion signal (out_mbac), and the assertion as interpreted by Modelsim (gold1). As can be observed, the union of both activity signals coincides with Modelsim’s activity indication. Since MBAC’s assertion signal is registered, it is asserted on the clock cycle following Modelsim’s failure marker (downward triangle). Monitoring activity signals eases debugging by improving observability in assertion circuits. For example, if no activity was ever detected on the right side of a temporal implication, this indicates that the implication is vacuously true [11]; the pre-condition never occurred and thus never triggered the consequent (right side). Monitoring activity for Boolean terminals can also be performed, as required in the property \(a \Rightarrow next b\), for example.

C. Monitoring Assertion Completion

In order to gauge the effectiveness of a testbench, assertions must be exercised reasonably often in order to be meaningful. After-all, assertions that do not trigger because they were not exercised are not very useful for verification. Conversely, assertions that are extensively exercised but never trigger offer more assurance that the design is operating properly.

Assertions can alternatively be compiled in completion mode, whereby the result signal indicates when the assertion completed successfully. The completion mode has no effect.

---

![Fig. 1. Hardware PSL Checker with Debugging Enhancements](image-url)
reset. The PSL abort indicates the initial state, which is the only active state upon triggered when the assertion fails. The highlighted state s1

Fig. 4. In this case, the result signal (or final state) is assertion is normally compiled as the automaton shown in

For a given start condition, only the first completion is identi-

D. Counting Activity

MBAC includes options to automatically create counters on assert and cover statements for counting activity. Counting assertion failures is straightforward, however counting the cover directive requires particular modifications. In dynamic verification, the cover operator is usually rewritten as follows:

cover seq → assert eventually! seq

This approach is not compatible with counters (and in general is not useful for debugging) because eventually! is a liveness property and thus triggers only at the end of execution. In order to count occurrences for coverage metrics, a plain detection (or matching) automaton is instead built for the sequence, and a counter is used to count the number of times the sequence occurs. The cover signal then triggers only at the end-of-execution if the counter is at zero. If no counters are desired, a one-bit counter is implicitly used. The counters are built to saturate at their final count and do not roll-over. The counters are also initialized by a reset of the assertion checker circuit, typically the reset of the Device Under Verification (DUV).

Counters can be used with completion mode from Subsection IV-C to construct more detailed coverage metrics for a given testbench. Knowing how many times an assertion completed successfully can be just as useful as knowing how many times an assertion failed. For example, if a pre-determined number of a certain type of bus transaction is initiated by a testbench, and an assertion that is responsible for catching a faulty sequence never fails, we may deduce that this particular transaction type is working properly. For added sanity checking, the assertion could be compiled in completion mode with a counter, and at the end of the testbench, this count value should correspond to the number of bus transactions that were exercised. In the example, the assertion may have passed because a different kind of transfer was erroneously issued. Completion mode provides a confirmation that if an assertion never failed, it was not because of a lack of stimulus. Counters and completion of assertions are implemented in simulators such as Modelsim, it is therefore natural that these features be also incorporated into assertion circuits.

E. Hardware Assertion Threading

When users want to more closely observe which start condition caused a failure, our checker generator has the ability to instantiate many copies of sequence circuits, and alternately dispatch preconditions into succeeding circuits. This allows a violation condition to be extracted from the other pipelined signals in the assertion circuit. The assertion threading tries to separate the parallel activity to help identify the root cause of the sequence of events leading to the failure of an assertion. Threading applies to PSL sequences, which are the typical means for specifying complex temporal chains of events.

An example scenario where assertion threading is useful is in the verification of highly pipelined circuits, where temporally complex sequences are used in assertions. In such cases, it is highly desirable to partition sequences into different threads in order to separate a failure sequence from other sequences. Assertion threading achieves the effect of creating multiple deterministic state machines, which are more natural to hardware designers and intuitive for debugging.

Figure 5 illustrates the mechanisms used to implement assertion threading. The hardware dispatcher redirects the precondition signal to the multiple sequence-checker units in
a round robin sequence. The tokens indicate the progress through the sequence automata. In the example, hardware thread #2 has identified a failure. The knowledge of the current state of the hardware dispatcher (pointing to thread #1), indicates that the assertion was triggered two valid preconditions before the failure. Therefore, the assertion failure can be pinpointed to that particular precondition or any modulo–3 preconditions before the failure. The precondition typically corresponds to the result of the left-side of a temporal implication, whereas the right side is the consequent. Some tradeoff is required between an accurate location of the source of the failure and hardware resources, as will be shown in Section V.

In assertion threading, entire failure-detection sequence-automata are replicated. Since a single automaton will detect all sequence failures, replicating the automaton and sending tokens into different copies ensures that no failure will be missed. The dispatcher uses a logical rotation of a one-hot encoded register such that at each clock cycle a precondition is guaranteed to be passed to one of the hardware threads. If a token enters a thread for which a previous token is still being processed, identifying the precise cause of a failure becomes more difficult; however, no failures will be missed. In such cases, all that must be done is to increase the number of hardware threads in order to properly isolate a sequence. To complete the threading, the sequence output is a disjunction of the threaded automata outputs. Threading also applies to sequences in the left side of a temporal implication. In such cases, normal detection sequence automata (as opposed to failure detection) are replicated. Seen from the sub-circuit boundary, a multi-threaded sub-circuit’s behavior is identical to that of a non-threaded sub-circuit.

V. EXPERIMENTAL RESULTS

The effects of assertion threading, assertion completion and activity monitors are explored by synthesizing the assertion circuits produced by our checker generator using ISE 6.2.03i from Xilinx, for a XC2V1500–6 FPGA. The dependency graphs from Section IV-A do not influence the circuits generated by the checker generator, while the assertion and coverage counters from Section IV-D contribute a hardware overhead that is easily determined a priori. The number of flip-flops (FF) and four-input lookup tables (LUT) required by a circuit is of primary interest, given that assertion circuits are targeted towards hardware emulation and silicon debug. Since speed may also be an issue, the maximum operating frequency for the worst clk-to-clk path is reported. The assertions used in this section were created during the development of MBAC to exercise the checker generator as thoroughly as possible. Typical assertions, such as those used for verifying bus protocols, span few clock cycles and do not showcase the strength of our checker generator because they are easily handled.

A. Assertion Completion and Activity Monitoring

The activity monitors introduced in Section IV-B are used to observe when sequences are undertaking a matching or a failure detection. An activity signal is composed of the disjunction of state signals from all of the states in a given automaton. Table I shows the resource usage of example assertions with and without the addition of sequence-activity monitors. As can be noticed, the maximum operating frequency is virtually not affected, and in some cases, an additional flip-flop is required. The effect of the OR gate required for the state-signal disjunction is visible in the LUT metric. Further benchmarking shows the efficiency of our checker generator, compared to the FoCs checker generator from IBM [2], [12].

As described in Section IV-C, assertions can also be compiled in completion mode as opposed to the typical failure mode. Table II shows hardware metrics for a set of example assertions compiled in normal mode and in completion mode. From the table, it can be observed that a completion-mode assertion utilizes an equal or smaller amount of resources.

B. Assertion Threading

As explained in Section IV-E, assertion threading replicates sequence circuits in order for the failure conditions to be isolated from other preconditions. This was shown to ease the debugging process considerably, particularly when temporally complex assertions are used. Table III shows how the resource utilization scales as a function of the number of hardware threads. Because 8-way threading is only useful for sequences that span at least 8 clock cycles, the assertions used must have a certain amount of temporal complexity for the results to be meaningful. From the table, it can be observed that resource utilization scales linearly with the number of hardware threads.

VI. CONCLUSION

In this paper we have presented techniques that facilitate debugging within the ABV framework, either in the emulation or in the silicon debug stages. By selecting various compilation options, debugging is enhanced by providing better observability, traceability and coverage metrics in the assertion checkers generated by MBAC. While providing an increased ability to determine the causes of errors, the hardware overhead is modest. These improvements are particularly well suited for the complex temporal sequences of modern assertion languages.
### Table I

<table>
<thead>
<tr>
<th>Assertion</th>
<th>FoCs</th>
<th>MBAC</th>
<th>MBAC + Act.Mon.</th>
</tr>
</thead>
<tbody>
<tr>
<td>Bus arbitration assertion from Example 3</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>assert always (a:b) =&gt; {c[*0:1];d}; (Example 4)</td>
<td>6</td>
<td>10</td>
<td>487</td>
</tr>
<tr>
<td>assert always (a) =&gt; {c[*0:1];d}[e]; (Example 5)</td>
<td>3</td>
<td>4</td>
<td>622</td>
</tr>
<tr>
<td>assert never (a:d;[b:a]*2:4;c:d);</td>
<td>25</td>
<td>24</td>
<td>622</td>
</tr>
<tr>
<td>assert always (a) =&gt; {c;d;[b:*2:4];c:d};</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>assert always (a) =&gt; {b;c[*0:2]}</td>
<td>7</td>
<td>12</td>
<td>355</td>
</tr>
<tr>
<td>assert never {b:*2:4} &amp; [b;{e-&gt;2:3};d];</td>
<td>43</td>
<td>51</td>
<td>422</td>
</tr>
<tr>
<td>assert always (a) =&gt; {{c;[2:2];d}[+]} &amp; {b;{e-&gt;2:3};d};</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>assert always (a) =&gt; {{b;c[*0:2];d}[+]} &amp; {b;[e-&gt;2:3];d};</td>
<td>44</td>
<td>127</td>
<td>269</td>
</tr>
<tr>
<td>assert always (a) =&gt; {{b;c[*0:2];d}[+]} &amp; {b;[e-&gt;2:3];d};</td>
<td>35</td>
<td>112</td>
<td>258</td>
</tr>
</tbody>
</table>

### Table II

<table>
<thead>
<tr>
<th>Assertion</th>
<th>Normal</th>
<th>Assertion Completion</th>
</tr>
</thead>
<tbody>
<tr>
<td>Bus Arbitration Assertion from Example 3</td>
<td></td>
<td></td>
</tr>
<tr>
<td>assert always (a:b) =&gt; {c[*0:1];d}; (Example 4)</td>
<td>6</td>
<td>10</td>
</tr>
<tr>
<td>assert always (a) =&gt; {c[*0:1];d}[e]; (Example 5)</td>
<td>3</td>
<td>4</td>
</tr>
<tr>
<td>assert never (a:d;[b:a]*2:4;c:d);</td>
<td>25</td>
<td>24</td>
</tr>
<tr>
<td>assert always (a) =&gt; {c;d;[b:*2:4];c:d};</td>
<td></td>
<td></td>
</tr>
<tr>
<td>assert always (a) =&gt; {b;c[*0:2]}</td>
<td>7</td>
<td>12</td>
</tr>
<tr>
<td>assert never {b:*2:4} &amp; [b;{e-&gt;2:3};d];</td>
<td>43</td>
<td>51</td>
</tr>
<tr>
<td>assert always (a) =&gt; {{c;[2:2];d}[+]} &amp; {b;{e-&gt;2:3};d};</td>
<td></td>
<td></td>
</tr>
<tr>
<td>assert always (a) =&gt; {{b;c[*0:2];d}[+]} &amp; {b;[e-&gt;2:3];d};</td>
<td>44</td>
<td>127</td>
</tr>
<tr>
<td>assert always (a) =&gt; {{b;c[*0:2];d}[+]} &amp; {b;[e-&gt;2:3];d};</td>
<td>35</td>
<td>112</td>
</tr>
</tbody>
</table>

### Table III

<table>
<thead>
<tr>
<th>Assertion</th>
<th>FoCs</th>
<th>MBAC</th>
<th>MBAC + Act.Mon.</th>
</tr>
</thead>
<tbody>
<tr>
<td>Example 3</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>A1</td>
<td>12</td>
<td>12</td>
<td>487</td>
</tr>
<tr>
<td>A2</td>
<td>15</td>
<td>21</td>
<td>378</td>
</tr>
<tr>
<td>A3</td>
<td>26</td>
<td>76</td>
<td>278</td>
</tr>
<tr>
<td>A4</td>
<td>35</td>
<td>112</td>
<td>258</td>
</tr>
</tbody>
</table>

### References


