PSL/A Practical Introduction to PSL/Introduction

PSL is a property specification language. It is a means to express properties of a design, and in addition to specify how verification tools should use those properties. For example, a property may be asserted – this specifies that the design in question is expected to behave as described by the property. A property may also be assumed – this specifies that the design in question expects its inputs to behave as described by the property. PSL also provides other directives, for instance a means to specify scenarios that should be covered.

PSL is much more than simply an assertion language. Nevertheless, assertions are at the heart of PSL, and many PSL users will use PSL only for its assertion capabilities. Thus, before we examine the complete language, a few words about what exactly a PSL assertion is are in order. Many programming languages (for example Java) and hardware description languages (for example VHDL) contain assert constructs. An assert construct provides the user with a way to check at run time or at simulation time that a certain condition holds, and to report a warning or an error if it does not. PSL assertions are similar in motivation, but much more extensive in their scope. In addition to simple Boolean conditions, a PSL assertion can contain temporal operators that allow the user to describe relations over time. For example, the PSL assertion assert always (a -> next b); specifies that whenever signal a holds, signal b must hold on the next cycle.

Java and VHDL assertions are designed to be embedded in executable code, and to be checked whenever execution reaches the point at which they appear. PSL assertions, on the other hand, typically stand alone, making a statement about the code without being a part of it. (While some tools support embedded PSL assertions, an embedded assertion is still not part of the code in the sense that there is no way to nest PSL assertions inside of executable statements. Embedded PSL assertions are located near the code they specify, but they are still about the code and not a part of it.)

PSL was designed to be mathematically rigorous, with the result that a PSL specification is both precise and automatically verifiable. Thus, a hardware specification written in PSL is machine readable and can be used as input to verification tools. In addition, PSL was designed to be easy to read and write, thus a PSL specification is human readable and can be used for documentation in order to clarify subtle points of an English specification.

The definitive definition of PSL can be found in IEEE Std 1850-2005. In this book, our goal is to give a more relaxed, user-friendly introduction to the language, as well as an in-depth discussion of its fine points. We do cover the whole of PSL, and for completeness have included as well the BNF and formal semantics as appendices.

The structure of PSL is based on four layers – the Boolean layer, the temporal layer, the verification layer and the modeling layer – and comes in a numbers of flavors, which influence the syntax in a limited way. The four layers of the language are:

• The Boolean layer is composed of Boolean expressions, that is, expressions whose value is either true or false. For example, a is a Boolean expression. PSL interprets a high signal as true, and a low signal as false, independent of whether the signal is active-high or active-low. Thus, if signal a is activehigh, the Boolean expression a has the value true when a is asserted, and false when it is deasserted. And if signal b is active-low, the Boolean expression b has the value false when b is asserted and true when it is deasserted. In the remainder of this book, we will assume that all signals are active-high unless stated otherwise. Of course, it is easy to get the active-low versions of the example properties by switching a with !a and vice versa. The Boolean layer consists of any Boolean expression in the underlying flavor. For example, a && !b is a Boolean expression in the Verilog flavor stating that a holds and b does not, a[31:0]==b[31:0] is a Verilog-flavored Boolean expression stating that the 32-bit vectors a[31:0] and b[31:0] are equal, and addr1[127:0]==128’b0 is a Verilog-flavored Boolean expression stating that the 128-bit vector addr1[127:0] has the value zero.

• The temporal layer consists of temporal properties which describe the relationships between Boolean expressions over time. For example, always (req -> next ack) is a temporal property expressing the fact that whenever (always) signal req is asserted, then (->) at the next cycle (next), signal ack is asserted.

• The verification layer consists of directives which describe how the temporal properties should be used by verification tools. For example, assert always (req -> next ack); is a verification directive that tells the tools to verify that the property always (req -> next ack) holds. Other verification directives include an instruction to assume, rather than verify, that a particular temporal property holds, or to specify coverage criteria. The verification layer also provides a means to group PSL statements into verification units.

vunit example1 {
  assert never (a and b);
}

vunit example1 {
  assert never (a && b);
}

• The modeling layer provides a means to model behavior of design inputs, and to declare and give behavior to auxiliary signals and variables. This part of the modeling layer is simply a subset of the underlying flavor. For instance, the declaration of auxiliary signals in the Verilog flavor follows Verilog syntax.

The five flavors of PSL correspond to the hardware description languages Verilog and VHDL, to the language GDL, the environment description language of the RuleBase model checker, and to SystemVerilog and SystemC. While the flavor has some influence over the syntax – for instance, it affects the syntax of Boolean expressions – the vast majority of the language is the same across flavors.

Figure 1.1 shows a PSL specification in the VHDL and Verilog flavors. In each case, the specification states that signals a and b are mutually exclusive. While a PSL user typically does not spend a lot of time thinking about the boundaries between the various layers, we will point them out in this first example. The Boolean expressions a and b in the VHDL flavor and a && b in the Verilog flavor belong to the Boolean layer and describe the situation in which both signal a and signal b are asserted. The keyword never belongs to the temporal layer and indicates that the Boolean expression is expected to hold in no cycle. Together, the temporal keyword never and the Boolean expressions a and b in the VHDL flavor or a && b in the Verilog flavor form a property. The keyword assert belongs to the verification layer and instructs the verification tool to check that the property holds in the design under test. The keyword vunit also belongs to the verification layer and introduces the name of the verification unit (example1). The modeling layer is not used in this example.

In the remainder of this book we use the Verilog flavor unless stated otherwise. We focus almost exclusively on the temporal layer, which is the heart of the language and makes extensive use of the Boolean layer. Chapter 10 briefly discusses various aspects of the Boolean, modeling and verification layers not covered elsewhere. Throughout, we will assume that ‘true has been defined to be 1’b1 (i.e., a Verilog expression that holds at every cycle) and that ‘false has been defined to be 1’b0 (i.e., a Verilog expression that does not hold at any cycle).