1 of 22
Austin TX
September 9, 2015
                                       A copy of these presentation
                                           slides is available at
                                      sutherland-hdl.com/papers.html
    SystemVerilog Assertions and
         Assertion Planning
                     a tutorial on
          Writing SystemVerilog Assertions
        and Planning Where to Use Assertions
                     Stu Sutherland
                    Sutherland HDL, Inc.
 Agenda
     Part 1: A short tutorial on SystemVerilog Assertions
     Part 2: Who should write assertions?
     Part 3: Planning where to use assertions
 The goal of this tutorial is to encourage both verification engineers
and design engineers to take advantage of SystemVerilog Assertions!
   Part One:
A Short Tutorial On
  SystemVerilog
    Assertions
                                                                                  9-4
What Is
An Assertion?
   An assertion is a statement that a certain property must be true
                  0   1   2   3   4   5           Design Specification:
                                          After the request signal is asserted,
            req                           the acknowledge signal must arrive
           ack                                      1 to 3 clocks later
 Assertions are used to:
       Document design intent (e.g.: every request has an acknowledge)
       Verify design meets the specification over simulation time
       Verify design assumptions (e.g.: state value is one-hot)
       Localize where failures occur in the design instead of at the output
       Provide semantics for formal verification
       Describe functional coverage points
       And requires clarifying ambiguities in spec
                                                                                        9-5
Verification Without Assertions
   Before there were special assertion languages like SVA,
    verification checks had to be coded with programming statements
                                   always @(posedge req) begin
          0   1   2   3   4   5      @(posedge clk) ; // synch to clock
                                     fork: watch_for_ack
    req                                parameter N = 3;
    ack                                begin: cycle_counter
                                         repeat (N) @(posedge clk);
          Design Specification:          $display("Assertion Failure", $time);
                                         disable check_ack;    To test for a sequence of
        Each request must be
                                       end // cycle_counter events requires many lines of
    followed by an acknowledge
                                       begin: check_ack       Verilog code (hard to write)
      within 1 to 3 clock cycles
                                         @(posedge ack)
                                         $display("Assertion Success", $time);
 With SVA, this check                   disable cycle_counter;
                                       end // check_ack
    can be done with one             join: watch_for_ack
                                   end
    line of code!
    assert property (@(posedge clock) req |-> ##[1:3] ack) else $error;
Embedded Verification
                                                                                       9-6
Checking and Synthesis
   Checking code written in Verilog must be hidden from Synthesis
     Synthesis cannot distinguish the hardware
      model from the embedded checker code
 if (critical_condition)
    // do true statements          RTL code
 else
 //synthesis translate_off
 if (critical_condition == 0)     checker code
 //synthesis translate_on
                                                                This checking code is
    // do the not true statements     RTL code
                                                               hidden from synthesis,
 //synthesis translate_off
                                                                but it is always active
 else
                                               checker code    in simulation (not easy
    $display("critical_condition is bad");
                                                                to disable for reset or
 //synthesis translate_on
                                                                 for low-power mode)
 SystemVerilog Assertions are easier, and synthesis ignores SVA
 assert (!$isunknown(critical_condition));
                                                  assert is ignored by synthesis and
 if (mode) ... // do true statements
 else      ... // do not true statements           can be disabled during simulation
                                                                                                  9-7
SystemVerilog Has
Two Types of Assertions
   Immediate assertions test for a condition at the current time
        always_comb begin
          assert ($onehot(state)) else $fatal;                generate a fatal error if state
          case (state) ... // RTL code                       variable is not a one-hot value
    An immediate assertion is the same as an ifelse statement, but with assertion controls
 Concurrent assertions test for a sequence of events spread over
    multiple clock cycles                0   1   2   3   4   5
                                                                       multi-clock sequences
                                   req                                 can be defined with very
                                                                             concise code
                                   ack
a_reqack: assert property (@(posedge clock) data_ready |-> req ##[1:3] ack)
          else $error;
                                                 concurrent assertions run as a
                                                 background process in parallel
always_ff @(posedge clock)
                                                       with the RTL code
  if (data_ready) req <= 1; ... // RTL code
Concurrent assertions have an extensive set of operators to describe complex design conditions
                                                                                                9-8
Assertion Severity System Tasks
   The assertion messages can be printed with severity levels
       $info ( "message", message_arguments ) ;
          No severity; just print the message                          If a severity level is not
       $warning ( "message", message_arguments ) ; specified, assertion messages
          A run-time warning; software continues execution             default to an error level
       $error ( "message", message_arguments ) ;
          A run-time error severity; software continues execution
       $fatal ( finish_number, "message", message_arguments ) ;
          Terminates execution of the tool
          finish_number is 0, 1 or 2, and controls the information printed by the tool upon exit
           (the same tool controls as with $finish)
                 The user-supplied message is appended to a tool-specific message
                  containing the source file location and simulation time
                 The message is optional; if not specified the tool-specific message
                  will still be printed
          Assertions in a UVM testbench should use the UVM message functions, such as
        uvm_report_warning and uvm_report_error, so that the messages are tracked by UVM
                                                                                          9-9
Assertion Pass/Fail Actions
   Assertions can have both pass and fail actions
assert property (p_req_gnt)                  User-defined pass/fail statements can do
  $info("Handshaking passed in %m");         anything you want
else                                         (Tip: use %m to display the hierarchy path
  $error("Handshaking failed in %m");        to the statement containing message)
       The pass and fail statements can be any procedural statement
         Multiple statements must be grouped with beginend
       The pass action is optional
         If left off, then no action is taken when the assertion passes
       The fail action is also optional
         If left off, then a default, tool-generated message is printed with an
          error message severity level
always @(negedge reset)
  a_fsm_reset: assert (state == LOAD);       No action if pass, default message if fail
                                                                                                9-10
Detecting Glitches
with Assertions
   There are many reasons signals might change more than once
    during a single clock cycle (a potential glitch)
     Combinatorial decoding, clock domain crossing, async reset, 
                               0         1    2    3         4         5         6
                         clk
                     opcode        ADD       SUB       XOR       ROL       ADD
    This glitch within a clock cycle will                    This glitch within a clock cycle
    affect my design functionality  I                         will never be stored in my
             need to detect it.                               registers  I can ignore it.
           You need an                                                          You need a
        immediate assertion!                                               concurrent assertion!
                  Immediate assertions are programming statements that
                   can evaluate values at any time
                  Concurrent assertions are cycle based, and only
                   evaluate values on a clock edge
                                                                                 9-11
Immediate and Concurrent                                    Youre the engineer 
                                                           which of these pros and
Assertion Pros and Cons                                    cons are most important
                                                               in your project?
       Immediate Assertions                       Concurrent Assertions
   Pros:                                    Pros:
     Easy to write  simple syntax            Background task  define it and it
     Close to code being checked               just runs
     Can check asynchronous                   Cycle based  no glitches
      values between clock cycles               between cycles
     Self-documenting code                    Can use binding (see later slide)
   Cons:                                      Works with simulation and formal
     Cannot use binding (later slide)          verification
     Difficult to disable during reset      Cons:
      or low-power                             More difficult to define (and
     Must following good RTL                   debug)
      practices to prevent race                Can be far from code being
      conditions (just like any                 checked
      programming statement)                   Cannot detect glitches
                                                                                        9-12
Concurrent Assertions
are Cycle Based
   A sequence is a series of true/false expressions spread over one
    or more clock cycles
   ## represents a cycle delay
     Specifies the number of clock cycles to wait until the next
      expression in the sequence is evaluated
         The first expression is evaluated immediately
         Subsequent expressions are evaluated at later clock cycles
                                     @(posedge clock) is not a delay, it
     property p_request_grant;
                                    specifies what a cycle is for this property
       @(posedge clock)
       request ##1 grant ##[1:3] !request && !grant;
     endproperty    Delay 1 cycle  Delay for a range of cycles
     ap_request_grant : assert property (p_request_grant); else $fatal;
           request must be followed one clock cycle later by grant
           grant must followed one to three clock cycles later by !request and!grant
                                                                                             9-13
A Concurrent Assertion Gotcha
   Concurrent assertions start a new thread every clock cycle
                      property pReqAck;
                        @(posedge clk)
                        req ##2 ack;
                      endproperty: p_req_ack
                      apReqAck: assert property (pReqAck);
                0ns       10ns           20ns      30ns         40ns
          clk
          req               1             2          3            4
          ack
     apReqAck                             F         SF            F
                  An evaluation thread           New evaluation threads
                    starts at time 10           start at time 20, 30 and 40
           Request is true so the thread        Request is false so each
            continues, and at time 30           of these threads fails at
              this thread succeeds                    those times
       The fix for this gotcha is something called an implication operator (see next page)
                                                                                            9-14
Conditioning Sequences Using
Implication Operators
   A sequence can be conditioned with an implication operator
       If the condition is true, the sequence is evaluated
       If the condition is false, the sequence is not evaluated (a dont care)
   |-> overlapped implication: sequence evaluation starts immediately
        property p_req_ack;                                    clk
                                                           mem_en
          @(posedge clk)
                                                              req
          mem_en |-> req ##2 ack;                             ack
        endproperty: p_req_ack
                                                          overlapped (req ##2 ack)
   |=> non-overlapped implication:
    sequence evaluation starts at the next clock
                                                               clk
        property p_req_ack;                                mem_en
          @(posedge clk)                                      req
          mem_en |=> req ##2 ack;                             ack
        endproperty: p_req_ack
                                                          non-overlapped (req ##2 ack)
    The |=> (non-overlapped implication) is the same as |-> ##1 (overlapped plus 1 cycle)
                                                                         9-15
Implication Terminology
   Antecedent  the expression before the implication operator
     The evaluation only continues if the antecedent is true
   Consequent  the expression after the implication operator
   Vacuous success  if the antecedent is false, the property is
    considered vacuously true
     The check is not of interest, so evaluation is aborted without
      considering it a failure
           antecedent (or cause)  if FALSE, the property succeeds
                vacuously; if TRUE, then the sequence continues
    property p_handshake;
      @(posedge clk)          implication operator
        request |=> acknowledge ##1 data_enable ##2 done;
    endproperty: p_handshake
                                       consequent (or effect)  only
                                      evaluated if antecedent succeeds
                                                                                           9-16
Using Concurrent Assertions
with Zero-delay RTL Models
   In RTL models, most signals change on a clock edge
     RTL models are typically modeled with zero delay
     Register outputs change immediately on the clock edge
          0   10    20    30    40     50
    clk                                     property p_req_ack;
                                              @(posedge clk)
    req                                       req |-> ##2 ack ##1 !ack;
                                            endproperty: p_req_ack
    ack
                                            ap_req_ack: assert property (p_req_ack);
       Is req 0 or 1 at time 10? 0
       What about at time 20?                1
       Is ack 0 or 1 at time 40              1
       At what time does this assertion pass or fail? 50
     Concurrent assertions sample values in a Preponed event region  the assertion always
              sees the value that existed before the clock edge causes any changes
                                                                                                9-17
Quiz: Does This Assertion Match
the Design Specification?
      Given the following assertion:
                 property p_req_ack;                             If there is an ack,
                  @(posedge clk) req |-> ##2 ack;              then req must be true
                 endproperty: p_req_ack                         2 clock cycles later
                 ap_req_ack: assert property (p_req_ack);
      Will this event sequence pass or fail?
 clk
                                              The assertion will pass  it checks that ack
 req         1
                                              is true on the 2nd clock after req; it does not
                           S                     check for when ack transitioned to true
 ack
      Is this a faulty design or a faulty assertion?
        It depends on the design specification!
        Spec 1: A req (request) should be followed two cycles later by ack (acknowledge).
        The ack line can be tied high so that all requests are automatically acknowledged.
        Spec 2: A req (request) should be followed two cycles later by a rising edge of ack
              (acknowledge). The ack is only allowed to be high for one clock cycle.
                                                                                               9-18
Value Change Functions
   Special functions test for a value change between adjacent clock cycles:
    $rose(expression, cycle_definition);
       Returns true if the LSB of the expression changed to 1        These functions evaluate
                                                                        sampled values  they
    $fell(expression, cycle_definition);                             compare the value that was
       Returns true if the LSB of the expression changed to 0        sampled at the beginning
    $changed(expression, cycle_definition);                          of the previous clock cycle
       Returns true if the value of the expression changed            with the value that was
    $stable(expression, cycle_definition);                            sampled at the beginning
       Returns true if the value of the expression did not change    of the current clock cycle
     The cycle_definition is optional and seldom needed (see notes below); It specifies what
     clock to use for sampling the expression (e.g.: $rose(ack, @posedge master_clk) )
         Design Spec: A req (request) should be followed two cycles later by a rising edge
           of ack (acknowledge). The ack is only allowed to be high for one clock cycle.
    property p_req_ack;                                       clk
      @(posedge clk)
      req |-> ##2 $rose(ack) ##1 !ack;                        req
    endproperty: p_req_ack
                                                           ack
    ap_req_ack: assert property (p_req_ack);
                                                                                           9-19
Assertions and Coverage
   Coverage is a metric for evaluating the progress of verification
     Measures the completeness of the verification tests
   SystemVerilog provides two types of coverage
     Functional coverage reports how many times specific values occur
           Uses covergroup definitions
           Checks current values at specific times during simulation
       State coverage reports how many times assertions evaluate
         Uses an assertion cover statement
         Checks for sequences of conditions over multiple clock cycles
                                              Design Specification:                Assertion
            Did I test the FIFO                                                   coverage is
                                      The FIFO almost_full flag is set when
            operating at a nearly                                                  discussed
                                    there are 2 locations remaining in the FIFO
               full condition?                                                      in more
                                    caFifoNearMax: cover sequence                 detail later
                                      (@(posedge clk)                                 in the
                                      almost_full ##1 push ##1 push);                course
  Part Two:
Who Should Write
  Assertions
                                                              9-21
Which Engineer Writes the
Assertions for Your Projects?
                    Once upon a time
Four engineers worked on an important design. Their names were:
Tom Somebody, Dick Everybody, Harry Anybody, and Sally Nobody.
Each engineer was responsible to design and verify a sub block of
the design. Everybody had attended training on SystemVerilog
Assertions, and was sure that Somebody would write assertions to
verify that the full design worked correctly. Anybody could have
written them, but it ended up that Nobody did it.
When the design was implemented in silicon, it did not work
according to the specification.  Everybody blamed Somebody
because Nobody did what Anybody could have done.
                                                                              9-22
Guideline for
Who Writes Assertions!
   Verification engineers should write assertions that verify design
    functionality meets the overall design specification
       The assertion verifies that the designer correctly implemented the
        specification
       Example: The zero flag output of the ALU block should only be set if the
        ALU result output is zero
   Design engineers should write assertions to verify assumptions that
    affect the functionality of a design block
       The assertion documents the designers assumptions
       Example: The ALU block assumes that the A, B and opcode inputs will
        never have a logic X or Z value
                                                                   9-23
Design Engineers
Should Add Assertions to RTL!
   RTL models assume inputs and other values are valid
     Input ports are connected (no floating input values)
     Control signals are never a logic X
     State machine encoding is a legal value
     Data values are within an expected range
     Parameter redefinitions meet design requirements
   These assumptions can be should be verified using assertions
     Most of these can be done with simple 1-line assertions
                                  The paper
            Who Put Assertions In My RTL Code? And Why
                   has examples of these types of assertions
                (available to download from sutherland-hdl.com)
                                                                               9-24
Verification Engineers Can Bind
Assertions to Design Blocks
   SystemVerilog assertions can be defined in a separate file and:
     Bound to all instances of a design module or interface
     Bound to a specific instance of a design module or interface
                                   Binding allows verification engineers to
                                    add assertions to a design without
                                    modifying the design files
                                   Binding allows updating assertions
                                    without affecting RTL code time-stamps
                                    (which could trigger unnecessary
                                    synthesis runs)
                                   Binding can also be used to bind in
                                    coverage and other functionality
                                   NOTE: Only concurrent assertions can be
                                      directly bound into other modules
When To Embed Assertions,
When To Bind In Assertions
Sutherland HDL recommends1
 Design engineers should embed assertions into the RTL code
     Validate all assumptions (e.g. control inputs are connected)
     Trap invalid data values where they first show up
     Embedded assertions should be written at the same time the RTL
      code is being developed!
   Verification engineers should add bound-in assertions
     Verify the design functionality matches the specification
     Verify that corner cases work as expected (e.g.: FIFO full)
     Verify coverage of critical data points
     By using binding:
       There is no need to check out and modify the RTL model files
       Adding assertions not affect RTL file time stamps
         1There   can be exceptions to this guideline  you get paid the big money to figure
                   out which way of specifying assertions is best for your projects!
                                                                             9-26
Embedded versus Bound
Assertions  Pros and Cons
          Assertion Binding                  Assertions Embedded in RTL
   Pros:                                   Pros:
     Do not need RTL file access             Close to the code being verified
      permissions to add assertions           Can use both concurrent and
     Adding assertions does not               immediate assertions
      impact RTL file time-stamps             Document designers
   Cons:                                      assumptions and intentions
     Assertions can be far from the          Assertion errors originate from
      code being checked                       same file as the failure
     RTL engineers must edit               Cons:
      multiple files to add assertions        Adding/modifying an assertion
      while the RTL modes is being             could trigger automated
      developed                                regression or synthesis scripts
     Cannot (easily) use immediate
      assertions
                                                                       9-27
SystemVerilog Design Constructs
with Built-in Assertion Behavior
 Some SystemVerilog constructs have built-in assertion-like
    checking!
   always_comb / always_ff
     Allows tools to check that procedural code matches intent
     Check that procedural block variables are not written to elsewhere
   unique case / unique ifelse
     Check that decision statements are fully specified
     Check that decision branches are mutually exclusive
   enum Enumerated variables
     Check that assignments are within the legal set of values
     Check that two or more labels (e.g. state names) do not
      have the same value
        By using these constructs, designers get the advantages
        of self-checking code, without writing assertion statements!
  Part Three:
Planning Where to
 Use Assertions
                                                                                            9-29
Developing An
Assertions Test Plan
   Part of a Verification Test Plan is an Assertions Test Plan
       Specifies what functionality needs to be verified with assertions
       What type of assertion is needed for each test
         Immediate or concurrent? Invariant, sequential or eventuality?
       Where the assertion should be placed
         Embedded in the design?                          Assertion Based Verification
         At the system interconnect level?               should take advantage of all of
         Bound into the design?                                these capabilities
       Which team is responsible for writing each assertion
         The verification team?
         The design team?
        The Assertions Test Plan should be developed before any design code is written!
                                                                                                  9-30
Case Study:
Assertions for a Small DSP
   A small Digital Signal Processor (DSP) design is used in this
    presentation to illustrate how to use SystemVerilog Assertions
   The DSP contains              clock_gen                                        register
       A clock generator and
        reset synchronizer         ram                 register
                                                                    pc
       A state machine                                                             alu
       Several registers
    
                                                                  decoder
                                               controller
        A program counter                                                            status_reg
       Combinatorial decoder and ALU
       Program and data memories                                  ram
       A tri-state data bus
                                                                            iobuf         iobuf
   The DSP has many places where assertions can be  and
    should be used!
                                                                                                              9-31
Assertions Test                                                a [15:0]         b [15:0]
Plan: ALU                                       opcode [2:0]              alu
                                                          result [15:0] xbit zbit
                   Functionality to Verify                                Assertion Type      Assigned To
The a, b and opcode inputs never have any bits that are X or Z                  immediate       design team
All opcode values are decoded                                                   unique case     design team
The zbit output must be set whenever result output is 0                         concurrent    verification team
   What other assertions are needed? (Answering this question is part of the final project)
module alu (...);
  always_comb begin
    ai_a_never_x: assert (!$isunknown(a)); Check that inputs meet design assumptions
    ...
    unique case (opcode)   unique verifies that all opcode values that occur are decoded
      ... // decode operations
    endcase                                   Be careful with using unique case  it
  end                                                  also affects synthesis!
module assertions (...); // to be bound to dsp top-level netlist
  property p_zbit_set_on_zero (clk);
                                                     On any cycle that alu_out
    @(posedge clk) (alu_out == 0) |-> zbit;
  endproperty
                                                      is zero, zbit must be set
  p_zbit_set_on_zero: assert property (p_zbit_set_on_zero(sys_clk));
                                                                                                          9-32
Exercise:
Assertions Test Plan for the ALU
                           a [15:0]         b [15:0]
                                                                       ASSIGNMENT:
                                                              Plan some assertions for the DSP
            opcode [2:0]              alu                     blocks on this page and the next 3
                                                             pages. We will then discuss the test
                      result [15:0] xbit zbit
                                                                    plan ideas as a class
   A combinational logic Arithmetic Logic Unit, that can perform 8
    different types of operations (see notes section, below)
                     Functionality to Verify                            Assertion Type     Assigned To
The a, b and opcode inputs never have any bits that are X or Z             immediate        design team
All opcode values are decoded                                             unique case       design team
After reset, result should never have an X or Z value                      concurrent     verification team
zbit must be set if result is 0; and cleared if result is not 0            concurrent     verification team
xbit is set for Add operations if a + b is greater than (2**16)-1          concurrent     verification team
xbit is set for Multiply operation if a * b is greater than (2**16)-1      concurrent     verification team
xbit is set for Subtract operations if a is less than b                    concurrent     verification team
xbit is never set for non arithmetic operations                            concurrent     verification team
                                                                                                       9-33
Exercise:
Assertions Test Plan for the RAM
                                                 ram
                                                 4k x 16
                                addr [11:0]                     data [15:0]
                                       rdN
                                      wrN
   A 4K by 16-bit asynchronous RAM with a bi-directional data port
     Reading from the RAM occurs whenever rdN is low
     Writing into the RAM occurs whenever wrN is low
     Behavior is undefined if rdN and wrN are low at the same time
                   Functionality to Verify                           Assertion Type    Assigned To
!rdN (read) and !wrN (write) are mutually exclusive                       immediate      design team
addr never has X or Z bits when wrN is low (writing into RAM)             immediate      design team
data never has X or Z bits when wrN is low (writing into RAM)             immediate      design team
addr never has X or Z bits when rdN is low (reading from RAM)             immediate      design team
data never has X or Z bits when rdN is low (reading from RAM)             concurrent   verification team
                                                                                                          9-34
Exercise: Assertions Test Plan
for the Program Counter
                                       load
                                         inc         pc
                                   d [11:0]                 cnt [11:0]
                                           clk   >
                                                     rstN
   The Program Counter is a sequential logic 12-bit counter
     rstN is asynchronous  the counter is reset to zero
     Counter loads with the value of the d input on the positive edge of
      clk, when load is high
     Counter increments on the positive edge of clk, when inc is high
                     Functionality to Verify                             Assertion Type   Assigned To
load and inc (increment) are mutually exclusive                             immediate       design team
If load is high, d never has X or Z bits                                    immediate       design team
If load, then, after clk to cnt delay, cnt has the value of d              concurrent     verification team
If inc, then, after clk to cnt delay, cnt has incremented by 1             concurrent     verification team
If !load and !inc, then cnt does not change                                concurrent     verification team
                                                                                                       9-35
Exercise: Assertions Test Plan
for the Controller
                                                            load_s
                           instruction [3:0]   controller   load_b
                                                            load_f
                                 exception                  load_pc
                                                            inc_pc
                                 zero_flag                  set_br
                                 branching                  rslt_oeN (low true)
                                                            dout_oeN (low true)
                                        clk    >            dmem_rdN (low true)
                                                            dmem_wrN (low true)
                                       rstN                 halt
   The controller is a 1-hot finite state machine that sets the control
    lines for the various DSP blocks
     rstN is asynchronous  the controller resets to the RESET state
                    Functionality to Verify                           Assertion Type   Assigned To
The instruction input never has X or Z bits                               immediate      design team
At a positive edge of clk, state is always 1-hot                          concurrent   verification team
If in DECODE state, then the prior state was RESET or STORE               concurrent   verification team
If in LOAD state, then the prior state was DECODE                         concurrent   verification team
If in STORE state, then the prior state was LOAD                          concurrent   verification team
                                                                                  9-36
Assertion Test Plan
Considerations
   Some things to think about when developing an Assertions Test
    Plan include
   It takes time to write the assertions test plan
       It is not a trivial task, but it is critical to successfully using SVA!
   The assertion test plan helps identify similar assertions
     Can write an assertion once, and use it in several places
   Assertions should not just duplicate the RTL code
     Engineers need to learn to think differently
   Which assertions should be disabled for reset or lower-power mode?
     False assertion failures can occur if they are not disabled
   The test plan needs to be flexible
     Some times the responsibility for which team should write the
      assertion needs to change
                                                                              9-37
More Assertion Test Plan
Considerations
   Assertions may require different design partitioning
     Example: The DSP ALU block is difficult to check with concurrent
      assertions because it is pure combinational logic (no clock)
         Better design partitioning would put the ALU and its input and output
          registers into one design block
   Enumerated type definitions should be defined globally
     Example: If the DSP state machine uses a local enumerated variable
      for the state names, then assertions written external to the state
      machine cannot access those enumerated names
   Enumerated types should have explicit values defined for each label
     After synthesis, labels disappear and only logic values exist
     Assertions become invalid if the label does not have an explicit value
                              Do It!
                                                                        9-38
Summary
   SystemVerilog Assertions really do work!
     An effective way to verify many aspects of design functionality
     Find errors that functional verification might miss
   Verification Engineers should bind in assertions that validate the
    RTL code matches the design specification
   RTL Design Engineers should embed assertions that validate
    assumptions directly into RTL code as the code is being written
   There are big advantages to RTL designers specifying assertions
     Validate design requirements work as specified
     Validate assumptions on which the RTL model depends
     Localize where functional problem occurred
     Clarify specification ambiguities
                                                              9-39
Question?            A copy of these presentation slides
                                is available at
Comments?            sutherland-hdl.com/papers.html
                    Once upon a time
Four engineers worked on an important design. Their names were:
Tom Somebody, Dick Everybody, Harry Anybody, and Sally Nobody.
Each engineer was responsible to design and verify a sub block of
the design.     Everybody had attended Sutherland HDLs
SystemVerilog Assertions training, and was sure that Somebody
would write assertions to verify that the full design worked
correctly. Anybody could have written them, but it ended up that
Nobody did it.
When the design was implemented in silicon, it did not work
according to the specification.  Everybody blamed Somebody
because Nobody did what Anybody could have done.