

# **Property Specification Language**

# **Reference Manual**

Version 1.01

April 25, 2003

Copyright<sup>©</sup> 2003 by Accellera. All rights reserved.

No part of this work covered by the copyright hereon may be reproduced or used in any form or by any means -- graphic, electronic, or mechanical, including photocopying, recording, taping, or information storage and retrieval systems --- without the prior approval of Accellera.

Additional copies of this manual may be purchased by contacting Accellera at the address shown below.

#### Notices

The information contained in this manual represents the definition of the Property Specification Language as reviewed and released by Accellera in April 2003.

Accellera reserves the right to make changes to the Property Specification Language and this manual in subsequent revisions and makes no warranties whatsoever with respect to the completeness, accuracy, or applicability of the information in this manual, when used for production design and/or development.

Accellera does not endorse any particular simulator or other CAE tool that is based on the Property Specification Language.

Suggestions for improvements to the Property Specification Language and/or to this manual are welcome. They should be sent to the Property Specification Language email reflector

#### vfv@eda.org

or to the address below.

The current Working Group's website address is

www.eda.org/vfv

Information about Accellera and membership enrollment can be obtained by inquiring at the address below.

- Published as: Property Specification Language Reference Manual Version 1.01, April 25, 2003.
- Published by: Accellera 1370 Trancas Street, #163 Napa, CA 94558 Phone: (707) 251-9977 Fax: (707) 251-9877

Printed in the United States of America.

Verilog<sup>®</sup> is a registered trademark of Cadence Design Systems, Inc.

The following individuals contributed to the creation, editing, and review of *Property Specification Language* 1.0

| Ken Albin             | Motorola, Inc.                                           |                     |
|-----------------------|----------------------------------------------------------|---------------------|
| Thomas L. Anderson    | 0-In Design Automation, Inc.                             |                     |
| Roy Armoni            | Intel, Corp.                                             |                     |
| Shoham Ben-David      | IBM Haifa Research Lab                                   |                     |
| Jayaram Bhasker       | Cadence Design Systems                                   |                     |
| Kuang-Chien (KC) Chen | Verplex Systems, Inc.                                    |                     |
| Edmund M. Clarke      | Department of Computer Science,<br>Carnegie Mellon       |                     |
| Joe Daniels           |                                                          | Technical Editor    |
| Simon Davidmann       | Co-Design Automation, Inc                                |                     |
| Bernard Deadman       | SDV, Inc                                                 |                     |
| Surrendra Dudani      | Synopsys, Inc                                            |                     |
| Cindy Eisner          | IBM Haifa Research Lab                                   |                     |
| E. Allen Emerson      | University of Texas at Austin                            |                     |
| Dana Fisman           | Weizmann Institute of Science,<br>IBM Haifa Research Lab |                     |
| Tom Fitzpatrick       | Co-Design Automation, Inc                                |                     |
| Limor Fix             | Intel, Corp.                                             |                     |
| Peter L. Flake        | Co-Design Automation, Inc.                               |                     |
| Harry Foster          | Verplex Systems, Inc.                                    | Work Group Chair    |
| Daniel Geist          | IBM Haifa Research Lab                                   |                     |
| Vassilios Gerousis    | Infineon Technologies                                    |                     |
| Michael J.C. Gordon   | University of Cambridge                                  |                     |
| John Havlicek         | Motorola, Inc.                                           |                     |
| Richard Ho            | 0-In Design Automation, Inc.                             |                     |
| Yaron Kashai          | Verisity Design, Inc.                                    |                     |
| Joseph Lu             | Sun Microsystems                                         |                     |
| Adriana Maggiore      | TransEDA Technology Ltd                                  |                     |
| Erich Marschner       | Cadence Design Systems                                   | Work Group Co-Chair |
| Anthony McIsaac       | STMicroelectronics, Ltd.                                 |                     |
| Hillel Miller         | Motorola, Inc.                                           |                     |
| Carl Pixley           | Synopsys, Inc.                                           |                     |
| Ambar Sarkar          | Paradigm Works                                           |                     |
| Andrew Seawright      | 0-In Design Automation, Inc.                             |                     |
| Sandeep K. Shukla     | University of California, Irvine                         |                     |
| Michael Siegel        | Infineon Technologies                                    |                     |
| Bassam Tabbara        | Novas Software, Inc.                                     |                     |
| David Van Campenhout  | Verisity Design, Inc.                                    |                     |
| Moshe Y. Vardi        | Rice University                                          |                     |
| Bow-Yaw Wang          | Verplex Systems, Inc.                                    |                     |
| Yaron Wolfsthal       | IBM Haifa Research Lab                                   |                     |
|                       |                                                          |                     |

# Revision history:

| Version 0.1, 1st draft  | 05/10/02 |
|-------------------------|----------|
| Version 0.1, 2nd draft  | 05/17/02 |
| Version 0.7, 1st draft  | 08/14/02 |
| Version 0.7, 2nd draft  | 08/16/02 |
| Version 0.7, 3rd draft  | 08/23/02 |
| Version 0.7, 4th draft  | 08/26/02 |
| Version 0.7, 5th draft  | 08/30/02 |
| Version 0.7, 6th draft  | 09/08/02 |
| Version 0.7, 7th draft  | 09/10/02 |
| Version 0.8, 1st draft  | 09/12/02 |
| Version 0.9, 1st draft  | 01/21/03 |
| Version 0.95, 1st draft | 01/26/03 |
| Version 1.0             | 01/31/03 |
| Version 1.01            | 04/25/03 |

# **Table of Contents**

| 1. | Ove        | view                          |                                       | 1  |  |
|----|------------|-------------------------------|---------------------------------------|----|--|
|    | 1.1        | Scope                         |                                       | 1  |  |
|    | 1.2        | Purpose                       |                                       | 1  |  |
|    |            | 1                             | tion                                  |    |  |
|    |            | 1.2.2 Goals                   |                                       | 1  |  |
|    | 1.3        |                               |                                       |    |  |
|    |            | -                             | nal specification                     |    |  |
|    |            |                               | nal verification                      |    |  |
|    | 1.4        |                               | s standard                            |    |  |
| 2. | Ref        | rences                        |                                       | 7  |  |
| 3. | Def        | nitions                       |                                       | 9  |  |
|    | 3.1        | Terminology                   |                                       |    |  |
|    |            |                               | abbreviations                         |    |  |
|    |            | 5                             |                                       |    |  |
| 4. | Org        | nization                      |                                       |    |  |
|    | 41         | Abstract structu              | ıre                                   | 13 |  |
|    |            |                               |                                       |    |  |
|    |            |                               |                                       |    |  |
|    | 42         |                               | re                                    |    |  |
|    | 1.2        |                               | rds                                   |    |  |
|    |            |                               | DTS                                   |    |  |
|    |            |                               |                                       |    |  |
|    |            |                               | f construct                           |    |  |
|    |            |                               | ents                                  |    |  |
|    | 4.3        |                               |                                       |    |  |
|    |            |                               | itions                                |    |  |
|    |            |                               | ependencies                           |    |  |
|    | 4.4        |                               |                                       |    |  |
|    |            |                               | d vs. unclocked evaluation            |    |  |
|    |            |                               | vs. liveness properties               |    |  |
|    |            |                               | vs. weak operators                    |    |  |
|    |            |                               | vs. branching logic                   |    |  |
|    |            |                               | subset                                |    |  |
|    |            | 1                             | ength versus infinite-length behavior |    |  |
| 5. | Boc        | ean layer                     |                                       | 27 |  |
|    | 5.1        | HDL expression                | ns                                    | 77 |  |
|    | 5.1<br>5.2 | -                             | IIS                                   |    |  |
|    |            | 1                             | DNS                                   |    |  |
|    |            | 5.4 Default clock declaration |                                       |    |  |
|    | 5.4        |                               |                                       |    |  |
| 6. | Ten        | poral layer                   |                                       |    |  |

|       | 6.1 Seque     | ential expressions                                |    |
|-------|---------------|---------------------------------------------------|----|
|       | 6.1.1         | Sequential Extended Regular Expressions (SEREs)   |    |
|       | 6.1.2         | Named sequences                                   |    |
|       | 6.1.3         | Named endpoints                                   |    |
|       | 6.2 Prope     | erties                                            |    |
|       | 6.2.1         | FL properties                                     |    |
|       | 6.2.2         | Optional Branching Extension (OBE) properties     |    |
|       | 6.2.3         | Replicated properties                             |    |
|       | 6.2.4         | Named properties                                  |    |
| 7.    | Verificatio   | on layer                                          |    |
|       | 7.1 Verifi    | ication directives                                |    |
|       | 7.1.1         | assert                                            |    |
|       | 7.1.2         | assume                                            |    |
|       | 7.1.3         | assume_guarantee                                  |    |
|       | 7.1.4         | restrict                                          |    |
|       | 7.1.5         | restrict_guarantee                                |    |
|       | 7.1.6         | cover                                             |    |
|       | 7.1.7         | fairness and strong fairness                      |    |
|       | 7.2 Verifi    | ication units                                     |    |
|       | 7.2.1         | Verification unit binding                         |    |
|       | 7.2.2         | Verification unit inheritance                     |    |
|       | 7.2.3         | Verification unit contents                        |    |
|       | 7.2.4         | Verification unit scoping rules                   |    |
| 8.    | Modeling l    | layer                                             | 85 |
|       | 8.1 The V     | Verilog-flavored modeling layer                   |    |
|       | 8.1.1         | Integer ranges                                    |    |
|       | 8.1.2         | Structures                                        |    |
|       | 8.1.3         | Non-determinism                                   |    |
|       | 8.1.4         | Built-in functions rose(), fell(), next(), prev() |    |
|       | 8.2 Other     | flavors                                           |    |
|       | 8.2.1         | The VHDL-flavored modeling layer                  |    |
|       | 8.2.2         | The GDL-flavored modeling layer                   | 89 |
| Appe  | endix A91     |                                                   |    |
| (norn | native)Syntax | x rule summary                                    |    |
| Appe  | endix B101    |                                                   |    |
| (norn | native)Forma  | al syntax and semantics of the temporal layer     |    |

# 1. Overview

### 1.1 Scope

This document specifies the syntax and semantics for the Accellera Property Specification Language.

#### 1.2 Purpose

#### 1.2.1 Motivation

Ensuring that a design's implementation satisfies its specification is the foundation of hardware verification. Key to the design and verification process is the act of specification. Yet historically, the process of specification has consisted of creating a natural language description of a set of design requirements. This form of specification is both ambiguous and, in many cases, unverifiable due to the lack of a standard machine-executable representation. Furthermore, ensuring that all functional aspects of the specification have been adequately *verified* (that is, covered) is problematic.

The Accellera Property Specification Language (PSL) was developed to address these shortcomings. It gives the design architect a standard means of specifying design properties using a concise syntax with clearly-defined formal semantics. Similarly, it enables the RTL implementer to capture design intent in a verifiable form, while enabling the verification engineer to validate that the implementation satisfies its specification through *dynamic* (that is, simulation) and *static* (that is, formal) verification means. Furthermore, it provides a means to measure the quality of the verification process through the creation of functional coverage models built on formally specified properties. Plus, it provides a standard means for hardware designers and verification engineers to rigorously document the design specification (machine-executable).

#### 1.2.2 Goals

PSL was specifically developed to fulfill the following general hardware functional specification requirements:

- easy to learn, write, and read
- concise syntax
- rigorously well-defined formal semantics
- expressive power, permitting the specification for a large class of real world design properties
- known efficient underlying algorithms in simulation, as well as formal verification

#### 1.3 Usage

PSL is a language for the formal specification of hardware. It is used to describe properties that are required to hold in the design under verification. PSL provides a means to write specifications which are both easy to read and mathematically precise. It is intended to be used for functional specification on the one hand and as input to functional verification tools on the other. Thus, a PSL specification is executable documentation of a hardware design.

#### 1.3.1 Functional specification

PSL can be used to capture requirements regarding the overall behavior of a design, as well as assumptions about 50 the environment in which the design is expected to operate. PSL can also capture internal behavioral requirements and assumptions that arise during the design process. Both enable more effective functional verification and reuse of the design.

55

1

5

10

15

20

25

30

35

40

1 One important use of PSL is for documentation, either in place of or along with an English specification. A PSL specification can describe simple invariants (for example, signals read\_enable and write\_enable are never asserted simultaneously) as well as multi-cycle behavior (for example, correct behavior of an interface with respect to a bus protocol or correct behavior of pipelined operations).

A PSL specification consists of *assertions* regarding *properties* of a design under a set of *assumptions*. A *property* is built from *Boolean expressions*, which describe behavior over one cycle, *sequential expressions*, which describe multi-cycle behavior, and *temporal operators*, which describe relations over time between Boolean expressions and sequences. For example, the Boolean expression

ena || enb

describes a cycle in which one of the signals ena and enb are asserted. The sequential expression

{req;ack;!cancel}

describes a sequence of cycles, such that req is asserted in the first, ack in the second, and cancel deasserted in the third. They can be connected using the temporal operators **always** and **next** to get the property

always {req;ack;!cancel}(next[2] (ena || enb))

which means that following any sequence of {req;ack;!cancel} (i.e., always), either ena or enb is asserted two cycles later (i.e., next[2]). Adding the directive **assert** as follows:

#### 25

30

35

40

45

10

15

20

assert always {req;ack;!cancel}(next[2] (ena || enb));

completes the specification, indicating that this property is expected to hold in the design and that this expectation needs to be verified.

#### 1.3.2 Functional verification

PSL can also be used as input to verification tools, for both verification by simulation, as well as formal verification using a model checker or a theorem prover. Each of these is discussed below.

#### 1.3.2.1 Simulation

A PSL specification can also be used to automatically generate checks of simulations. This can be done, for example, by directly integrating the checks in the simulation tool; by interpreting PSL properties in a testbench automation tool that drives the simulator; by generating HDL monitors that are simulated alongside the design; or by analyzing the traces produced at the end of the simulation.

For instance, the following PSL property:

```
always (req -> next !req)
```

states that signal req is a pulsed signal — if it is high in some cycle, then it is low in the following cycle. Such a property can be easily checked using a simulation checker written in some HDL which has the functionality of the Finite State Machine (FSM) shown in Figure 1.

50



Figure 1—A simple (deterministic) FSM which checks the above property

For properties more complicated than the property shown above, manually writing a corresponding checker is painstaking and error-prone, and maintaining a collection of such checkers for a constantly changing design under development is a time-consuming task. Instead, a PSL specification can be used as input to a tool which automatically generates simulatable checkers.

While all PSL properties can be in principle be checked for finite paths in simulation, the implementation of the checks is often significantly simpler for a subset called the *simple subset* of PSL. Informally, in this subset, composition of temporal properties is restricted to ensure that time *moves forward* from left to right through a property, as it does in a timing diagram. (See Section 4.4.5 for the formal definition of the *simple subset*.) For example, the property

always (a -> next[3] b)

which states that, if a is asserted, then b is asserted three cycles later, belongs to the simple subset, because a appears to the left of b in the property and also appears to the left of b in the timing diagram of any behavior that is not a violation of the property. Figure 2 shows an example of such a timing diagram.

An example of a property that is not in this subset is the property

always ((a & next[3] b) -> c)

which states that, if a is asserted and b is asserted three cycles later, then c is asserted (in the same cycle as a). This property does not belong to the simple subset, because although c appears to the right of a and b in the property, it appears to the left of b in a timing diagram that is not a violation of the property. Figure 3 shows an example of such a timing diagram.

30

35

40

45

50







#### 35 **1.3.2.2 Formal verification**

PSL is an extension of the standard temporal logics LTL and CTL. A specification in the PSL Foundation Language (respectively, the PSL Optional Branching Extension) can be *compiled down* to a formula of pure LTL (respectively, CTL), possibly with some auxiliary HDL code, known as a *satellite*.

#### 40

45

50

#### 1.4 Contents of this standard

The organization of the remainder of this standard is

- Chapter 2 (References) provides references to other applicable standards that are assumed or required for PSL.
- Chapter 3 (Definitions) defines terms used throughout this standard.
- Chapter 4 (Organization) describes the overall organization of the standard.
- Chapter 5 (Boolean layer) defines the Boolean layer.
- Chapter 6 (Temporal layer) defines the temporal layer.
- Chapter 7 (Verification layer) defines the verification layer.
- Chapter 8 (Modeling layer) defines the modeling layer.
- Appendix A (Syntax rule summary) summarizes the PSL syntax rules.

55

5

|                                                                                                                                     | 10 |
|-------------------------------------------------------------------------------------------------------------------------------------|----|
|                                                                                                                                     | 15 |
|                                                                                                                                     | 20 |
|                                                                                                                                     | 25 |
|                                                                                                                                     | 30 |
|                                                                                                                                     | 35 |
|                                                                                                                                     | 40 |
|                                                                                                                                     | 45 |
| Accellera Property Specification Language is based upon the Sugar 2.0 property specification language. Appendix B presents the for- | 50 |

Appendix B (Formal syntax and semantics of the temporal layer) defines the formal syntax and semantics

Appendix C (Bibliography) provides additional documents, to which reference is made only for informa-

\_\_\_\_

of the temporal layer.<sup>1</sup>

tion or background purposes.

<sup>&</sup>lt;sup>1</sup> The Accellera Property Specification Language is based upon the Sugar 2.0 property specification language. Appendix B presents the formal syntax and semantics of Sugar 2.0, which in turn defines the formal syntax and semantics of the temporal layer of PSL. Specifically, Sugar Extended Regular Expressions (SEREs) define the syntax and semantics of PSL Sequential Extended Regular Expressions (SEREs), the formulas of the Sugar Foundation Language define the syntax and semantics of properties of the PSL Foundation Language, and the formulas of the (Sugar) Optional Branching Extension define the syntax and semantics of properties of the PSL Optional Branching Extension.

#### Overview

| 1  |  |  |  |
|----|--|--|--|
| 5  |  |  |  |
| 10 |  |  |  |
| 15 |  |  |  |
| 20 |  |  |  |
| 25 |  |  |  |
| 30 |  |  |  |
| 35 |  |  |  |
| 40 |  |  |  |
| 45 |  |  |  |
| 50 |  |  |  |
| 55 |  |  |  |

# 2. References

| This standard shall be used in conjunction with the following publications. When any of the following standards is superseded by an approved revision, the revision shall apply. | 5  |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|
| The IEEE Standard Dictionary of Electrical and Electronics Terms, Sixth Edition.                                                                                                 | 5  |
| IEEE Std 1076-2002, IEEE Standard VHDL Language Reference Manual.                                                                                                                | 10 |
| IEEE Std 1076.6-1999, IEEE Standard for VHDL Register Transfer Level (RTL) Synthesis.                                                                                            | 10 |
| IEEE Std 1364-2001, IEEE Standard for Verilog Hardware Description Language.                                                                                                     |    |
| IEEE P1364.1 (Draft 2.2, April 26,2002), Draft Standard for Verilog Register Transfer Level Synthesis.                                                                           | 15 |
|                                                                                                                                                                                  |    |

#### References

| 1  |  |  |  |
|----|--|--|--|
| 5  |  |  |  |
| 10 |  |  |  |
| 15 |  |  |  |
| 20 |  |  |  |
| 25 |  |  |  |
| 30 |  |  |  |
| 35 |  |  |  |
| 40 |  |  |  |
| 45 |  |  |  |
| 50 |  |  |  |
| 55 |  |  |  |

# 3. Definitions

For the purposes of this standard, the following terms and definitions apply. The *IEEE Standard Dictionary of Electrical and Electronics Terms* [B1] should be referenced for terms not defined in this standard.

#### 3.1 Terminology

This section defines the terms used in this standard.

3.1.1 **assertion:** A statement that a given property is required to hold and a directive to verification tools to verify that it does hold.

3.1.2 **assumption:** A statement that the design is constrained by the given property and a directive to verification tools to consider only paths on which the given property holds.

3.1.3 **behavior:** A path.

3.1.4 Boolean: A Boolean expression.

3.1.5 Boolean expression: An expression that yields a logical value.

3.1.6 **checker:** An auxiliary process (usually constructed as a finite state machine) that monitors simulation of a design and reports errors when asserted properties do not hold. A checker may be represented in the same HDL code as the design or in some other form that can be linked with a simulation of the design.

3.1.7 **completes:** A sequential expression (or property) completes at the last cycle of any design behavior described by that sequential expression (or property).

3.1.8 **computation path:** A succession of states of the design, such that the design can actually transition from each state on the path to its successor.

3.1.9 **constraint:** A condition (usually on the input signals) which limits the set of behavior to be considered. A constraint may represent real requirements (e.g., clocking requirements) on the environment in which the design is used, or it may represent artificial limitations (e.g., mode settings) imposed in order to partition the verification task.

3.1.10 **count:** A number or range.

3.1.11 **coverage:** A measure of the occurrence of certain behavior during (typically dynamic) verification and, therefore, a measure of the completeness of the (dynamic) verification process.

3.1.12 cycle: An evaluation cycle.

3.1.13 **describes:** A Boolean expression, sequential expression, or property describes the set of behavior for which the Boolean expression, sequential expression, or property holds.

3.1.14 **design:** A model of a piece of hardware, described in some hardware description language (HDL). A design typically involves a collection of inputs, outputs, state elements, and combinational functions that compute next state and outputs from current state and inputs.

3.1.15 **design behavior:** A computation path for a given design.

55

1

5

10

15

20

25

30

35

40

45

- 1 3.1.16 **dynamic verification:** A verification process in which a property is checked over individual, finite design behavior that are typically obtained by dynamically exercising the design through a finite number of evaluation cycles. Generally, dynamic verification supports no inference about whether the property holds for a behavior over which the property has not yet been checked.
- 5

3.1.17 **evaluation:** The process of exercising a design by iteratively applying values to its inputs, computing its next state and output values, advancing time, and assigning to the state variables and outputs their next values.

10 3.1.18 **evaluation cycle:** One iteration of the evaluation process. At an evaluation cycle, the state of the design is recomputed (and may change).

3.1.19 **extension:** An extension of a path is a path that starts with precisely the succession of states in the given path.

15

20

- 3.1.20 False: An interpretation of certain values of certain data types in an HDL.
- In the Verilog flavor, the single bit value 1'b0 is interpreted as the logical value *False*. In the VHDL flavor, the values STD.Standard.Boolean'(False), STD.Standard.Bit'('0'), and IEEE.std\_logic\_1164.std\_logic'('0') are all interpreted as the logical value *False*. In the GDL flavor, the Boolean value 'false' and bit value OB are both interpreted as the logical value *False*.
  - 3.1.21 finite range: A range with a finite high bound.
- 25 3.1.22 **formal verification:** A verification process in which analysis of a design and a property yields a logical inference about whether the property holds for all behavior of the design. If a property is declared true by a formal verification tool, no simulation can show it to be false. If the property does not hold for all behavior, then the formal verification process should provide a specific counterexample to the property, if possible.
- 30 3.1.23 holds: A term used to talk about the meaning of a Boolean expression, sequential expression or property. Loosely speaking, a Boolean expression, sequential expression, or property holds in the first cycle of a path iff the path exhibits the behavior described by the Boolean expression, sequential expression, or property. The definition of holds for each form of Boolean expression, sequential expression, or property is given in the appropriate subsection of Chapter 6.
   35

3.1.24 **holds tightly:** A term used to talk about the meaning of a sequential expression (SERE). Sequential expressions are evaluated over finite paths (behavior). Loosely speaking, a sequential expression holds tightly along a finite path iff the path exhibits the behavior described by the sequential expression. The definition of holds tightly for each form of SERE is given in the appropriate subsection of Section 6.1.

40

3.1.25 **liveness property:** A property that specifies an eventuality that is unbounded in time. Loosely speaking, a liveness property claims that "something good" eventually happens. More formally, a liveness property is a property for which any finite path can be extended to a path satisfying the property. For example, the property "whenever signal req is asserted, signal ack is asserted some time in the future" is a liveness property.

45

50

3.1.26 **logic type:** An HDL data type that includes values that are interpreted as logical values. A logic type may include both logical values and metalogical values. Such a logic type usually represents a multi-valued logic.

- 3.1.27 logical value: A value in the set {*True, False*}.
- 3.1.28 metalogical value: A value of a (multi-valued) logic type that is not interpreted as a logical value.
  - 3.1.29 model checking: A type of formal verification.
- 55 3.1.30 monitor: See: checker.

| 3.1.31 <b>number:</b> A non-negative integer value, and a statically computable expression yielding such a value.                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | 1  |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|
| 3.1.32 <b>occurs</b> , <b>occurrence</b> : A Boolean expression is said to "occur" in a cycle if it holds in that cycle. For example, "the next occurrence of the Boolean expression" refers to the next cycle in which the Boolean expression holds.                                                                                                                                                                                                                                                                                                                             | 5  |
| 3.1.33 <b>path:</b> A succession of states of the design, whether or not the design can actually transition from one state on the path to its successor.                                                                                                                                                                                                                                                                                                                                                                                                                          |    |
| 3.1.34 <b>positive count:</b> A positive number or a positive range.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | 10 |
| 3.1.35 <b>positive number:</b> A number that is greater than zero (0).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |    |
| 3.1.36 <b>positive range:</b> A range with a low bound that is greater than zero (0).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | 15 |
| 3.1.37 <b>prefix:</b> A prefix of a given path is a path of which the given path is an extension.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |    |
| 3.1.38 <b>property:</b> A collection of logical and temporal relationships between and among subordinate Boolean expressions, sequential expressions, and other properties that in aggregate represent a set of behavior.                                                                                                                                                                                                                                                                                                                                                         | 20 |
| 3.1.39 <b>range:</b> A series of consecutive numbers, from a low bound to a high bound, inclusive, such that the low bound is less than or equal to the high bound. In particular, this includes the case in which the low bound is equal to the high bound. Also, a pair of statically computable integer expressions specifying such a series of consecutive numbers, where the left expression specifies the low bound of the series, and the right expression specifies the high bound of the series.                                                                         | 25 |
| 3.1.40 <b>required</b> (to hold): A property is required to hold if the design is expected to exhibit behavior that is within the set of behavior described by the property.                                                                                                                                                                                                                                                                                                                                                                                                      | 20 |
| 3.1.41 <b>restriction:</b> A statement that the design is constrained by the given sequential expression and a directive to verification tools to consider only paths on which the given sequential expression holds.                                                                                                                                                                                                                                                                                                                                                             | 30 |
| 3.1.42 <b>safety property:</b> A property that specifies an invariant over the states in a design. The invariant is not necessarily limited to a single cycle, but it is bounded in time. Loosely speaking, a safety property claims that "something bad" does not happen. More formally, a safety property is a property for which any path violating the property has a finite prefix such that every extension of the prefix violates the property. For example, the property, "whenever signal req is asserted, signal ack is asserted within 3 cycles" is a safety property. | 35 |
| 3.1.43 sequence: A sequential expression that is enclosed in curly braces.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | 40 |
| 3.1.44 sequential expression: A finite series of terms that represent a set of behavior.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |    |
| 3.1.45 <b>SERE:</b> A sequential expression.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |    |
| 3.1.46 simulation: A type of dynamic verification.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | 45 |
| 3.1.47 <b>starts:</b> A sequential expression starts at the first cycle of any behavior for which it holds. In addition, a sequential expression starts at the first cycle of any behavior which is the prefix of a behavior for which it holds. For example, if a holds at cycle 7 and b holds in every cycle from 8 onward, then the sequential expression $\{a; b[*]; c\}$ starts at cycle 7.                                                                                                                                                                                  | 50 |
| 3.1.48 strictly before: Before, and not in the same cycle as.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |    |
| 3.1.49 strong operator: A temporal operator, the (non-negated) use of which creates a liveness property.                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | 55 |

1 3.1.50 **terminating condition:** A Boolean expression, the occurrence of which causes a property to complete.

3.1.51 terminating property: A property that, when it holds, causes another property to complete.

5 3.1.52 True: An interpretation of certain values of certain data types in an HDL. In the Verilog flavor, the single bit value 1'b1 is interpreted as the logical value *True*. In the VHDL flavor, the values STD.Standard.Boolean'(True), STD.Standard.Bit'('1'), and IEEE.std\_logic\_1164.std\_logic'('1') are all interpreted as the logical value *True*. In the

GDL flavor, the Boolean value 'true' and bit value 1B are both interpreted as the logical value *True*.

3.1.53 **verification:** The process of confirming that, for a given design and a given set of constraints, a property that is required to hold in that design actually does hold under those constraints.

15 3.1.54 weak operator: A temporal operator, the (non-negated) use of which does not create a liveness property.

#### 3.2 Acronyms and abbreviations

20 This section lists the acronyms and abbreviations used in this standard.

|    | BNF  | extended Backus-Naur Form              |
|----|------|----------------------------------------|
| 25 | cpp  | C pre-processor                        |
|    | CTL  | computation tree logic                 |
|    | EDA  | electronic design automation           |
|    | FL   | Foundation Language                    |
| 30 | FSM  | finite state machine                   |
| 30 | GDL  | General Description Language           |
|    | HDL  | hardware description language          |
|    | iff  | if and only if                         |
|    | LTL  | linear-time temporal logic             |
| 35 | PSL  | Property Specification Language        |
|    | OBE  | Optional Branching Extension           |
|    | RTL  | Register Transfer Level                |
|    | SERE | Sequential Extended Regular Expression |
| 40 | VHDL | VHSIC Hardware Description Language    |

45

10

50

# 4. Organization

#### 4.1 Abstract structure

PSL consists of four layers, which cut the language along the axis of functionality. PSL also comes in three flavors, which cut the language along the axis of HDL compatibility. Each of these is explained in detail in the following sections.

#### 4.1.1 Layers

PSL consists of four layers: Boolean, temporal, verification, and modeling.

#### 4.1.1.1 Boolean layer

This layer is used to build expressions which are, in turn, used by the other layers. Although it contains expressions of many types, it is known as the *Boolean layer* because it is the *supplier* of Boolean expressions to the heart of the language — the temporal layer. Boolean expressions are evaluated in a single evaluation cycle.

#### 4.1.1.2 Temporal layer

This layer is the heart of the language; it is used to describe properties of the design. It is known as the *temporal layer* because, in addition to simple properties, such as "signals a and b are mutually exclusive", it can also describe properties involving complex temporal relations between signals, such as, "if signal c is asserted, then signal d shall be asserted before signal e is asserted, but no more than eight clock cycles later." Temporal expressions are evaluated over a series of evaluation cycles.

#### 4.1.1.3 Verification layer

This layer is used to tell the verification tools what to do with the properties described by the temporal layer. For example, the verification layer contains directives that tell a tool to verify that a property holds or to check that a specified sequence is covered by some test case.

#### 4.1.1.4 Modeling layer

This layer is used to model the behavior of design inputs (for tools, such as formal verification tools, which do not use test cases) and to model auxiliary hardware that is not part of the design, but is needed for verification.

#### 4.1.2 Flavors

PSL comes in three *flavors*: one for each of the hardware description languages Verilog, VHDL, and GDL. The syntax of each flavor conforms to the syntax of the corresponding HDL in a number of specific areas — a given flavor of PSL is compatible with the corresponding HDL's syntax in those areas.

#### 4.1.2.1 Verilog flavor

In this flavor, all expressions of the Boolean layer, as well as modeling layer code, are written in Verilog syntax (see IEEE Std 1364-2001)<sup>2</sup>. The Verilog flavor also has limited influence on the syntax of the temporal layer. For example, ranges of the temporal layer are specified using the Verilog-style syntax i:j.

45

1

5

10

15

20

25

30

40

35

50

<sup>&</sup>lt;sup>2</sup>For more information on references, see Chapter 2.

#### 1 **4.1.2.2 VHDL flavor**

In this flavor, all expressions of the Boolean layer, as well as modeling layer code, are written in VHDL syntax. (See IEEE Std 1076-2002). The VHDL flavor also has some influence on the syntax of the temporal layer. For example, ranges of the temporal layer are specified using the VHDL-style syntax i to j.

#### 4.1.2.3 GDL flavor

10 In this flavor, all expressions of the Boolean layer, as well as modeling layer code, are written in GDL syntax. The GDL flavor also has some influence on the syntax of the temporal layer. For example, ranges of the temporal layer are specified using the GDL-style syntax i..j.

# **4.2 Lexical structure**

This section defines the keywords, operators, macros, and comments used in PSL.

#### 4.2.1 Keywords

20

5

Keywords in PSL are case-sensitive, regardless of the underlying HDL rules for identifiers. Keywords are reserved words in PSL, so an HDL name that is a PSL keyword cannot be referenced directly, by its simple name, in an HDL expression used in a PSL property. However, such an HDL name can be referenced indirectly, using a hierarchical name or qualified name as allowed by the underlying HDL.

| 30 |                            | 1               |                    |            |
|----|----------------------------|-----------------|--------------------|------------|
|    | Α                          | EG              | next_e             | union      |
|    | AF                         | EX              | next_e!            | until      |
|    | AG                         | endpoint        | next_event         | until!     |
|    | AX                         | eventually!     | next event!        | until!     |
| 25 | abort                      |                 | next event a!      | until      |
| 35 | always                     | F               | next_event_e!      | _          |
|    | and <sup>a</sup><br>assert | fairness        | not <sup>c</sup> – | vmode      |
|    | assume                     | fell            |                    | vprop      |
|    | assume_guarantee           | forall          | or <sup>d</sup>    | vunit      |
|    | assume_guarantee           |                 |                    |            |
| 40 | before                     | G               | property           | W          |
|    | before!                    |                 | prev               | whilenot   |
|    | before!                    | in              | •                  | whilenot!  |
|    | before_                    | inf             | restrict           | whilenot!  |
|    | boolean                    | inherit         | restrict guarantee | whilenot   |
|    |                            | is <sup>b</sup> | rose               | within     |
| 45 | clock                      |                 | 1000               | within!    |
|    | const                      | never           | sequence           | within!    |
|    | cover                      | next            | strong             | within     |
|    | default                    | next!           | Strong             |            |
|    | uciault                    | next.<br>next a | to <sup>e</sup>    | X          |
| 50 | Е                          | next_a          |                    | X<br>X!    |
| 50 | EF                         | III.AL_a.       | U                  | <b>A</b> . |
|    |                            |                 | U                  |            |

#### Table 1—Keywords

<sup>a</sup>and is a keyword only in the VHDL flavor; see the flavor macro AND OP (4.3.2).

<sup>b</sup>is is a keyword only in the VHDL flavor; see the flavor macro DEF\_SYM (4.3.2).

<sup>c</sup>**not** is a keyword only in the VHDL flavor; see the flavor macro NOT OP (4.3.2).

dor is a keyword only in the VHDL flavor; see the flavor macro OR\_OP (4.3.2).

<sup>25</sup> The keywords used in PSL are shown in Table 1.

<sup>e</sup>to is a keyword only in the VHDL flavor; see the flavor macro RANGE SYM (4.3.2).

#### 4.2.2 Operators

Various operators are available in PSL. Each operator has a precedence relative to other operators. In general, operators with a higher relative precedence are associated with their operands before operators with a lower relative precedence. If two operators with the same precedence appear in sequence, then in most cases the operators are associated with their operands in left-to-right order of appearance in the text, except for implication operators, which are associated with their operands in right-to-left order.

| HDL operators                  |                                       | 15 |
|--------------------------------|---------------------------------------|----|
| Clocking operator              | @                                     |    |
| SERE construction operatora    | ; [*] [=] [->]                        | 20 |
| Sequence implication operators | : & &&                                |    |
| FL implication operators       | ->  -> !  =>  => !                    | 25 |
| FL occurence operators         | always never eventually! next*        |    |
|                                | within* whilenot* G F<br>X X! [U] [W] |    |
| Termination operators          | abort until* before*                  | 30 |

#### 4.2.2.1 HDL operators

For a given flavor of PSL, the operators of the underlying HDL have the highest precedence. In particular, this includes logical, relational, and arithmetic operators of the HDL. The HDL's logical operators for negation, conjunction, and disjunction of Boolean values can be used in PSL for negation, conjunction, and disjunction of properties as well. In such applications, those operators have their usual precedence, as if the PSL properties that are operands produced Boolean values of a type appropriate to the logical operators native to the HDL.

#### 4.2.2.2 Foundation Language (FL) operators

#### 4.2.2.2.1 Clocking operator

For any flavor of PSL, the FL operator with the highest precedence after the HDL operators is that used to specify the clock expression which controls when the property is evaluated. The following operator is the unique member of this class:

@ clock event

The clocking operator is left-associative.

#### 4.2.2.2.2 SERE construction operators

For any flavor of PSL, the Foundation Language (FL) operators with the next highest precedence are those used to construct Sequential Extended Regular Expressions (SEREs). These operators are:

30

1

5

10

40

35

45

50

5

10

15

20

25

30

- temporal concatenation ; [\*] consecutive repetition [= ] non-consecutive repetition [-> ] goto repetition SERE construction operators are left-associative. 4.2.2.3 Sequence composition operators For any flavor of PSL, the FL operators with the next highest precedence are those used to compose sequences into longer or more complex descriptions of behavior. These operators are: : sequence fusion sequence disjunction non-length-matching sequence conjunction & length-matching sequence conjunction && Sequence composition operators are left-associative. 4.2.2.2.4 FL implication operators For any flavor of PSL, the FL operators with the next highest precedence are those used to build properties from Boolean expressions, sequences, and subordinate properties through implication. These operators are: |-> weak suffix implication -> ! strong suffix implication weak next suffix implication =>
  - => ! strong next suffix implication
    - logical IF implication - >
    - logical IFF implication <->
- The logical IF and logical IFF implication operators are right-associative. 35

NOTE-The syntax does not allow cascading of suffix implication operators.

#### 4.2.2.2.5 FL occurrence operators

40 For any flavor of PSL, the FL operators with the next highest precedence are those used to specify when a subordinate property must hold, if the parent property is to hold. These operators are:

|    | always               | must hold, globally                                                        |
|----|----------------------|----------------------------------------------------------------------------|
| 45 | never                | must NOT hold, globally                                                    |
|    | eventually!          | must hold at some time in the indefinite future                            |
|    | next* <sup>3</sup>   | must hold at some specified future time or range of future times           |
|    | within* <sup>4</sup> | must hold following completion of a sequence until a termination condition |
| 50 | whilenot*            | must hold from the current cycle until a termination condition             |
|    |                      |                                                                            |

<sup>&</sup>lt;sup>3</sup>The notation next\* represents the operators next, next!, next\_a, next\_a!, next\_e, next\_e!, next\_event, next\_event!, next\_event\_a!, and next\_event\_e!.

<sup>&</sup>lt;sup>4</sup>The notation within\* represents the operators within, within!, within!\_, and within\_. Similarly, whilenot\*, until\*, and before\* each represent the corresponding family of operators.

| FL occurrence operators are left-associative.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | 1              |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------|
| 4.2.2.2.6 Termination operators                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |                |
| For any flavor of PSL, the FL operators with the least precedence are those used to specify when a subordinate property can cease to hold, if the parent property is to hold. These operators are:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | 5              |
| <pre>abort must hold, but future obligations may be canceled by a given event<br/>until* must hold up to a given event<br/>before* must hold at some time before a given event</pre>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | 10             |
| FL termination operators are left-associative.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |                |
| 4.2.2.7 LTL operators                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | 15             |
| PSL also defines the following traditional LTL operators, each of which is equivalent to a corresponding key-<br>word operator:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |                |
| X next                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | 20             |
| X! next!<br>F eventually!                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |                |
| G always                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |                |
| [U] until!                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | 25             |
| [W] until                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |                |
| In each case, the LTL operator has the same precedence and associativity as its equivalent keyword operator.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                |
| 4.2.2.3 Optional Branching Extension (OBE) operators                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | 30             |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | 50             |
| 4.2.2.3.1 OBE implication operators                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | 20             |
| <b>4.2.2.3.1 OBE implication operators</b><br>For any flavor of PSL, the Optional Branching Extension (OBE) operators with the highest precedence are those used to build properties from Boolean expressions and subordinate properties through implication. These operators include:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | 35             |
| For any flavor of PSL, the Optional Branching Extension (OBE) operators with the highest precedence are those used to build properties from Boolean expressions and subordinate properties through implication. These opera-                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                |
| For any flavor of PSL, the Optional Branching Extension (OBE) operators with the highest precedence are those used to build properties from Boolean expressions and subordinate properties through implication. These operators include:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | 35             |
| For any flavor of PSL, the Optional Branching Extension (OBE) operators with the highest precedence are those used to build properties from Boolean expressions and subordinate properties through implication. These operators include:<br>-> logical IF implication                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |                |
| For any flavor of PSL, the Optional Branching Extension (OBE) operators with the highest precedence are those used to build properties from Boolean expressions and subordinate properties through implication. These operators include:<br>-> logical IF implication<br><-> logical IFF implication                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | 35<br>40       |
| <ul> <li>For any flavor of PSL, the Optional Branching Extension (OBE) operators with the highest precedence are those used to build properties from Boolean expressions and subordinate properties through implication. These operators include:</li> <li>-&gt; logical IF implication</li> <li>&lt;-&gt; logical IFF implication</li> </ul> <b>4.2.2.3.2 OBE occurrence operators</b> For any flavor of PSL, the OBE operators with the next highest precedence are those used to specify when a sub-                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | 35             |
| <ul> <li>For any flavor of PSL, the Optional Branching Extension (OBE) operators with the highest precedence are those used to build properties from Boolean expressions and subordinate properties through implication. These operators include:</li> <li>-&gt; logical IF implication</li> <li>&lt;-&gt; logical IFF implication</li> </ul> <b>4.2.2.3.2 OBE occurrence operators</b> For any flavor of PSL, the OBE operators with the next highest precedence are those used to specify when a subordinate property must hold, if the parent property is to hold. These operators include the following:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | 35<br>40       |
| For any flavor of PSL, the Optional Branching Extension (OBE) operators with the highest precedence are those used to build properties from Boolean expressions and subordinate properties through implication. These operators include:         ->       logical IF implication         <->       logical IFF implication         A2.2.3.2 OBE occurrence operators         For any flavor of PSL, the OBE operators with the next highest precedence are those used to specify when a subordinate property must hold, if the parent property is to hold. These operators include the following:         AX       on all paths, at the next state on each path         AG       on all paths, at all states on each path         AF       on all paths, at some future state on each path                                                                                                                                                                                                                                  | 35<br>40       |
| For any flavor of PSL, the Optional Branching Extension (OBE) operators with the highest precedence are those used to build properties from Boolean expressions and subordinate properties through implication. These operators include:         ->       logical IF implication         <->       logical IFF implication          ALL          ALL          IFA          OPERATOR          For any flavor of PSL, the OBE operators with the next highest precedence are those used to specify when a subordinate property must hold, if the parent property is to hold. These operators include the following:          AX       on all paths, at the next state on each path          AG       on all paths, at all states on each path          AF       on some path, at the next state on the path | 35<br>40       |
| For any flavor of PSL, the Optional Branching Extension (OBE) operators with the highest precedence are those used to build properties from Boolean expressions and subordinate properties through implication. These operators include:         ->       logical IF implication         <->       logical IFF implication         Attended to a construct the operators with the next highest precedence are those used to specify when a subordinate property must hold, if the parent property is to hold. These operators include the following:         AX       on all paths, at the next state on each path         AG       on all paths, at all states on each path         AF       on all paths, at some future state on each path         EX       on some path, at the next state on the path         EG       on some path, at all states on the path                                                                                                                                                                                                   | 35<br>40<br>45 |
| For any flavor of PSL, the Optional Branching Extension (OBE) operators with the highest precedence are those used to build properties from Boolean expressions and subordinate properties through implication. These operators include:         ->       logical IF implication         <->       logical IFF implication                                                                                                              <                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | 35<br>40<br>45 |
| For any flavor of PSL, the Optional Branching Extension (OBE) operators with the highest precedence are those used to build properties from Boolean expressions and subordinate properties through implication. These operators include:         ->       logical IF implication         <->       logical IFF implication         Attended to a construct the operators with the next highest precedence are those used to specify when a subordinate property must hold, if the parent property is to hold. These operators include the following:         AX       on all paths, at the next state on each path         AG       on all paths, at all states on each path         AF       on all paths, at some future state on each path         EX       on some path, at the next state on the path         EG       on some path, at all states on the path                                                                                                                                                                                                   | 35<br>40<br>45 |

1 The OBE occurrence operators are left-associative.

#### 4.2.3 Macros

5 PSL provides macro-processing capabilities that facilitate the definition of properties. All flavors support cppstyle pre-processing directives (e.g., #define, #ifdef, #else, #include, and #undef). All flavors also support special macros for %for and %if, which can be used to conditionally or iteratively generate PSL statements.

#### 4.2.3.1 The %for construct

The *for* construct replicates a piece of text a number of times, with the possibility of each replication receiving a parameter. The syntax of the *for* construct is as follows:

```
15
```

10

```
%for /var/ in /expr1/ .. /expr2/ do
    ...
%end
```

20

or:

%for /var/ in { /item/, /item/, ... , /item/ } do
 ...
%end

25

In the first case, the text inside the %for-%end pairs will be replicated expr2-expr1+1 times (assuming that expr2>=expr1). In the second case, the text will be replicated according to the number of items in the list. During each replication of the text, the loop variable value is substituted into the text as follows. Suppose the loop variable is called ii. Then the current value of the loop variable can be accessed from the loop body using the following three methods:

The current value of the loop variable can be accessed using simply ii if ii is a separate token in the text. For instance:

```
35
```

30

define aa(2) := 2 > 2; define aa(3) := 3 > 2;

45

40

If ii is part of an identifier, the value of ii can be accessed using %{ii} as follows:

is equivalent to:

5

10

30

40

45

55

| define | aa2 | := | 2 | > | 2; |  |
|--------|-----|----|---|---|----|--|
| define | aa3 | := | 3 | > | 2; |  |

If ii needs to be used as part of an expression, it can be accessed as follows:

| %for | r ii in | 14 do     |      |             |
|------|---------|-----------|------|-------------|
|      | define  | aa%{ii-1} | := % | {ii-1} > 2; |
| %end | d       | . ,       |      |             |

The above is equivalent to:

| define aa0 := $0 > 2;$ |    |
|------------------------|----|
| define aal $:= 1 > 2;$ |    |
| define $aa2 := 2 > 2;$ | 15 |
| define aa3 := $3 > 2;$ |    |

The following operators can be used in pre-processor expressions:

| ! =      | 20                |
|----------|-------------------|
| >        |                   |
| >=       |                   |
| -        |                   |
| /        |                   |
| <u>0</u> | 25                |
|          | ><br>>=<br>-<br>/ |

#### 4.2.4 The %if construct

The %if construct is similar to the #if construct of the cpp pre-processor. However, %if must be used when it is conditioned on variables defined in an encapsulating %for. The syntax of %if is as follows:

| %if /expr/ %then |    |
|------------------|----|
| <pre>%end</pre>  |    |
|                  | 35 |
|                  |    |
| %if /expr/ %then |    |

... %else ... %end

#### 4.2.5 Comments

or:

PSL provides the ability to add comments to PSL specifications. For each flavor, the comment capability is consistent with that provided by the corresponding HDL environment.

| For the Verilog flavor, both the block comment style (/* */) and the trailing comment style (// $$ ) are supported. | 50 |
|---------------------------------------------------------------------------------------------------------------------|----|
| For the VHDL flavor, the trailing comment style ( < <i>eol</i> >) is supported.                                     |    |
| For the GDL flavor, both the block comment style (/* */) and the trailing comment style (                           |    |

<*eol*>) are supported.

#### 1 **4.3 Syntax**

10

15

20

25

30

35

40

45

#### 4.3.1 Conventions

- 5 The formal syntax described in this standard uses the following extended Backus-Naur Form (BNF).
  - a) The initial character of each word in a nonterminal is capitalized. For example:

PSL\_Statement

A nonterminal can be either a single word or multiple words separated by underscores. When a multipleword nonterminal containing underscores is referenced within the text (e.g., in a statement that describes the semantics of the corresponding syntax), the underscores are replaced with spaces.

b) Boldface words are used to denote reserved keywords, operators, and punctuation marks as a required part of the syntax. These words appear in a larger font for distinction. For example:

#### vunit (;

- c) The : : = operator separates the two parts of a BNF syntax definition. The syntax category appears to the left of this operator and the syntax description appears to the right of the operator. For example, item d) shows three options for a *VUnitType*.
  - d) A vertical bar separates alternative items (use one only) unless it appears in boldface, in which case it stands for itself. For example:

VUnitType ::= vunit | vprop | vmode

e) Square brackets enclose optional items unless they appear in boldface, in which case they stand for themselves. For example:

Sequence\_Declaration ::= sequence Name [ ( Formal\_Parameter\_List ) ] DEF\_SYM Sequence ;

indicates (Formal\_Parameter\_List) is an optional syntax item for Sequence\_Declaration, whereas

| SERE [ \* [ Range ] ]

- indicates that (the outer) square brackets are part of the syntax for this SERE, while *Range* is optional.
  - f) Braces enclose a repeated item unless they appear in boldface, in which case they stand for themselves. A repeated item may appear zero or more times; the repetition is equivalent to that given by a left-recursive rule. Thus, the following two rules are equivalent:

Formal\_Parameter\_List ::= Formal\_Parameter { ; Formal\_Parameter } Formal\_Parameter\_List ::= Formal\_Parameter | Formal\_Parameter\_List ; Formal\_Parameter

- g) A comment in a production is preceded by a colon (:) unless it appears in boldface, in which case it stands for itself.
- h) If the name of any category starts with an italicized part, it is equivalent to the category name without the italicized part. The italicized part is intended to convey some semantic information. For example, *vunit* Name is equivalent to Name.
- 50 The main text uses *italicized* type when a term is being defined, and monospace font for examples and references to constants such as 0, 1, or x values.

5

10

15

35

40

45

#### 4.3.2 HDL dependencies

PSL is defined in several flavors, each of which corresponds to a particular hardware description language with which PSL can be used. *Flavor macros* reflect the flavors of PSL in the syntax definition. A flavor macro is similar to a grammar production, in that it defines alternative replacements for a nonterminal in the grammar. A flavor macro is different from a grammar production, in that the alternatives are labeled with an HDL name and in the context of a given HDL, only the alternative labeled with that HDL name can be selected.

The name of each flavor macro is shown in all uppercase. Each flavor macro defines analogous, but possibly different syntax choices allowed for each flavor. The general format is the term Flavor Macro, then the actual *macro name*, followed by the = operator, and, finally, the definition for each of the HDLs.

Example

```
Flavor Macro PATH SYM = Verilog: . / VHDL: : / GDL: /
```

shows the path symbol macro (PATH\_SYM).

PSL also defines a few extensions to Verilog declarations, and one extension to both Verilog and VHDL expressions, as shown in Box 1.

| _ |                                                                                 |    |
|---|---------------------------------------------------------------------------------|----|
|   | Extended_Verilog_Declaration ::=<br>Verilog module or generate item declaration |    |
|   | Extended Verilog Type Declaration                                               | 25 |
|   | Extended_Verilog_Expression ::=                                                 |    |
|   | Verilog_expression                                                              |    |
|   | Verilog_Union_Expression                                                        |    |
|   | Extended_VHDL_Expression ::=                                                    |    |
|   | VHDL_expression                                                                 |    |
|   | VHDL_Union_Expression                                                           | 30 |

Box 1—Flavor macro HDL\_UNIT

#### 4.3.2.1 HDL\_UNIT

At the topmost level, a PSL specification consists of a set of HDL design units and a set of PSL verification units. The Flavor Macro HDL\_UNIT identifies the nonterminals that represent top-level design units in the grammar for each of the respective HDLs, as shown in Box 2.

Flavor Macro HDL\_UNIT = Verilog: Verilog\_module\_declaration / VHDL: VHDL\_design\_unit / GDL: GDL module declaration

Box 2—Flavor macro HDL\_UNIT

#### 4.3.2.2 HDL\_ID and PATH\_SYM

Names declared in PSL shall follow the rules for identifiers in the underlying HDL, hence, the definition of HDL\_ID as a flavor macro. Also, pathnames shall be constructed with the separator character appropriate for the HDL, thus, the definition of PATH\_SYM. Both of these are shown in Box 3.

Box 3—Flavor macros HDL\_ID and PATH\_SYM

5

Flavor Macro HDL\_ID = Verilog: Verilog\_Identifier / VHDL: VHDL\_Identifier / GDL: GDL\_Identifier Flavor Macro PATH\_SYM = Verilog: • / VHDL: • / GDL: /

#### 4.3.2.3 HDL\_DECL and HDL\_STMT

10

PSL verification units may contain certain kinds of HDL declarations and statements. Flavor macros HDL\_DECL and HDL\_STMT connect the PSL syntax with the syntax for declarations and statements in the grammar for each HDL. Both of these are shown in Box 4.

15

Flavor Macro HDL\_DECL = Verilog: Extended\_Verilog\_Declaration / VHDL: VHDL\_declaration / GDL: GDL\_module\_item\_declaration Flavor Macro HDL\_STMT = Verilog: Verilog\_module\_or\_generate\_item / VHDL: VHDL\_concurrent\_statement / GDL: GDL\_module\_item

20

Box 4—Flavor macros HDL\_DECL and HDL\_STMT

#### 4.3.2.4 HDL\_EXPR

Expressions shall be valid expressions in the underlying HDL description. This applies to expressions appearing directly within a temporal layer property, as well as to any sub-expressions of those expressions. The definition of HDL\_EXPR captures this requirement, as shown in Box 5.

30

Flavor Macro HDL\_EXPR = Verilog: Extended\_Verilog\_Expression / VHDL: Extended\_VHDL\_Expression / GDL: GDL\_Expression

Box 5—Flavor macro HDL\_EXPR

# <sup>35</sup> **4.3.2.5 AND\_OP, OR\_OP, and NOT\_OP**

Each flavor of PSL overloads the underlying HDL's symbols for the logical (i.e., Boolean) conjunction, disjunction, and negation operators so the same operators are used for conjunction and disjunction of Boolean expressions and for conjunction, disjunction, and negation of properties. The definitions of AND\_OP, OR\_OP, and NOT OP reflect this overloading, as shown in Box 6.

| Flavor Macro AND_OP =<br>Verilog: && / VHDL: and / GDL: & |
|-----------------------------------------------------------|
| Flavor Macro OR OP =                                      |
| Verilog:    / VHDL: <b>Or</b> / GDL:                      |
| Flavor Macro NOT OP =                                     |
| Verilog: ! / VHDL: <b>not</b> / GDL: !                    |

50

40

45

Box 6—Flavor macros AND\_OP, OR\_OP, and NOT\_OP

1

10

15

20

25

30

40

35

45

50

#### Property Specification Language Reference Manual

#### Flavor Macro LEFT SYM = Verilog: / VHDL: ( / GDL: ( Flavor Macro RIGHT SYM = Verilog: / VHDL: ) / GDL: )

# Box 8—Flavor macro LEFT SYM and RIGHT SYM

Within properties it is possible to specify a range of integer values representing the number of cycles or number of repetitions that are allowed to occur. PSL adopts the general form of range specification from the underlying

Box 7— Flavor macros RANGE\_SYM, MIN\_VAL, and MAX\_VAL

However, unlike HDLs, in which ranges are always finite, a range specification in PSL may have an infinite upper bound. For this reason, the definition of MAX VAL includes the keyword **inf**, representing *infinite*.

In replicated properties, it is possible to specify the replication index Name as a vector of boolean values. PSL allows this specification to take the form of an array reference in the underlying HDL, as reflected in the defini-

HDL, as reflected in the definition of RANGE SYM, MIN VAL, and MAX VAL shown in Box 7.

# 4.3.2.8 DEF\_SYM

Finally, as in the underlying HDL, PSL can declare new named objects. To make the syntax of such declarations consistent with those in the HDL, PSL adopts the symbol used for declarations in the underlying HDL, as reflected in the definition of DEF SYM shown in Box 9.

> Flavor Macro DEF SYM = Verilog: = / VHDL: is / GDL: :=

4.3.2.6 RANGE\_SYM, MIN\_VAL, and MAX\_VAL

4.3.2.7 LEFT\_SYM and RIGHT\_SYM

tion of LEFT SYM and RIGHT SYM shown in Box 8.

Flavor Macro RANGE SYM = Verilog: : / VHDL: to / GDL: ..

Verilog: **0** / VHDL: **0** / GDL: null

Verilog: inf / VHDL: inf / GDL: null

Flavor Macro MIN VAL =

Flavor Macro MAX VAL =

Box 9—Flavor macro DEF\_SYM

# 4.4 Semantics

In this document, the following terms are used to describe the semantics of the language:

- shall indicates a required aspect of the PSL specification and can indicates an optional aspect of the PSL specification.
- In the informal (i.e., English) description of the semantics of the temporal layer, *holds* (or *doesn't hold*) indicates that the design does (or does not) behave in the manner specified by a property.

55

#### 1 4.4.1 Clocked vs. unclocked evaluation

PSL properties can be modified by using a *clock expression* to indicate that time shall be measured in clock cycles of the clock expression. Such a property is a *clocked property*. The meaning of a clocked property is not affected by the granularity of time as seen by the verification tool. Thus, a clocked property shall give the same result for cycle-based and event-based verification.

Properties that are not modified by a clock expression are *unclocked properties*.

PSL does not dictate how time ticks for an unclocked property. Thus, unclocked properties are used to reason about the sequence of signal values as seen by the verification tool being used. For instance, a cycle-based simulator sees a sequence of signal values calculated cycle-by-cycle, while an event-based simulator running on the same design sees a more detailed sequence of signal values.

15

30

35

40

45

5

10

#### 4.4.2 Safety vs. liveness properties

A safety property is a property that specifies an invariant over the states in a design. The invariant is not necessarily limited to a single cycle, but it is bounded in time. Loosely speaking, a safety property claims that "something bad" does not happen. More formally, a safety property is a property for which any path violating the property has a finite prefix such that every extension of the prefix violates the property. For example, the property "whenever signal req is asserted, signal ack is asserted within 3 cycles" is a safety property.

A *liveness property* is a property that specifies an eventuality that is unbounded in time. Loosely speaking, a liveness property claims that "something good" eventually happens. More formally, a liveness property is a property for which any finite path can be extended to a path satisfying the property. For example, the property "whenever signal req is asserted, signal ack is asserted sometime in the future" is a liveness property.

#### 4.4.3 Strong vs. weak operators

Some operators have a terminating condition that comes at an unknown time. For example, the property "busy shall be asserted until done is asserted" is expressed using an operator of the until family, which states that signal busy shall stay asserted until the signal done is asserted. The specific cycle in which signal done is asserted is not specified.

Operators such as these come in both strong and weak forms. The *strong form* requires that the terminating condition eventually occur, while the *weak form* makes no requirements about the terminating condition. For example, the strong and weak forms of "busy shall be asserted until done is asserted" are (busy until! done) and (busy until done), respectively. The former states that busy shall be asserted until done is asserted and that done shall eventually be asserted). The latter states that busy shall be asserted until done is asserted and that if done is never asserted, then busy shall stay asserted forever.

The distinction between weak and strong operators is related to the distinction between safety and liveness properties. A property which uses a non-negated strong operator is a liveness property, while one that contains only non-negated weak operators is a safety property.

#### 4.4.4 Linear vs. branching logic

PSL contains both properties that use linear semantics as well as those that use branching semantics. The former
 are properties of the PSL Foundation Language, while the latter belong to the Optional Branching Extension.
 Properties with *linear semantics* reason about computation paths in a design and can be checked in simulation, as well as in formal verification. Properties with *branching semantics* reason about computation trees and can be checked only in formal verification.

| While the linear semantics of PSL are the ones most used in properties, the branching semantics add important expressive power. For instance, branching semantics are sometimes required to reason about deadlocks.                                                                                                                                                                                                                                                                                                                                    | 1  |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|
| 4.4.5 Simple subset                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | ~  |
| PSL can express properties which cannot be easily evaluated in simulation, although such properties can be addressed by formal verification methods.                                                                                                                                                                                                                                                                                                                                                                                                   | 5  |
| In particular, PSL can express properties that involve branching or parallel behavior, which tend to be more diffi-<br>cult to evaluate in simulation, where time advances monotonically along a single path. The <i>simple subset</i> of PSL<br>is a subset that conforms to the notion of monotonic advancement of time, left to right through the property,<br>which in turn ensures that properties within the subset can be simulated easily. The simple subset of PSL con-<br>tains any PSL FL property meeting all of the following conditions: | 10 |
| — Negation (!) is applied only to Booleans.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | 15 |
| <ul> <li>never and eventually! are applied only to Booleans or to SEREs.</li> <li>The left-hand side of a logical and is Boolean.</li> <li>The left-hand side of a logical or is Boolean.</li> </ul>                                                                                                                                                                                                                                                                                                                                                   |    |
| <ul> <li>The left-hand side of a logical implication (-&gt;) is Boolean.</li> <li>Both sides of a logical iff (&lt;-&gt;) operator are Boolean.</li> <li>The right-hand side of a non-overlapping until* operator is Boolean.</li> <li>Both sides of an overlapping until* operator are Boolean.</li> <li>Both sides of a before* operator are Boolean.</li> </ul>                                                                                                                                                                                     | 20 |
| All other operators not mentioned above are supported in the simple subset without restriction. In particular, all of the next_event operators, both weak and strong suffix implication ({} $ ->$ {} and {} $ ->$ {}!), and any application of the within and whilenot operators to a SERE are supported in the simple subset.                                                                                                                                                                                                                         | 25 |
| 4.4.6 Finite-length versus infinite-length behavior                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | 30 |
| The semantics of PSL allow us to decide whether a PSL Foundation Language property holds on a given behav-<br>ior. How the outcome of this problem relates to the design depends on the behavior that was analyzed.                                                                                                                                                                                                                                                                                                                                    |    |
| In dynamic verification only behaviors that are finite in length are considered. Consequently, liveness properties may appear not to hold just because the end of the simulation was reached, rather than because of an error in the design.                                                                                                                                                                                                                                                                                                           | 35 |
| Similarly, a safety property may be satisfied on a finite-length behavior, but that does not imply that it also holds on a (possibly infinite) extension of that behavior.                                                                                                                                                                                                                                                                                                                                                                             | 40 |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |    |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | 45 |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |    |

## Organization

| 1  |  |  |  |
|----|--|--|--|
| 5  |  |  |  |
| 10 |  |  |  |
| 15 |  |  |  |
| 20 |  |  |  |
| 25 |  |  |  |
| 30 |  |  |  |
| 35 |  |  |  |
| 40 |  |  |  |
| 45 |  |  |  |
| 50 |  |  |  |
| 55 |  |  |  |

# 5. Boolean layer

The Boolean layer consists of Boolean expressions, shown in Box 10, the syntax and semantics of which are dictated by the flavor of PSL being used. The Boolean layer also includes certain PSL expressions that are of Boolean type.

> Boolean ::= boolean HDL or PSL Expression

#### Box 10—Boolean expression

NOTE—Subexpressions of a Boolean expression may be of any type supported by the corresponding HDL.

#### 5.1 HDL expressions

A Boolean HDL expression, shown in Box 11, is any HDL expression that the HDL allows to be used as the condition of an if statement.

> HDL or PSL Expression ::= HDL\_Expression HDL\_Expression ::= HDL EXPR

#### Box 11—Boolean HDL expression

| Restric | ctions                                                                                                                                                                                                                                                       | 30 |
|---------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|
|         | ven flavor of PSL, the value of a Boolean HDL expression is interpreted as a logical value according to the rules that govern interpretation of that expression as the condition of an if statement in that flavor.                                          |    |
| Inform  | nal semantics                                                                                                                                                                                                                                                | 35 |
|         | leaning of an HDL expression in a PSL context is determined by the meanings of the names and operator ols of the HDL expression.                                                                                                                             |    |
| For ea  | ch name in the HDL expression, the meaning of the name is determined as follows.                                                                                                                                                                             | 40 |
| a)      | If the current verification unit contains a (single) declaration of this name, then the object created by that declaration is the meaning of this name.                                                                                                      |    |
| b)      | Otherwise, if the transitive closure with respect to inheritance of all verification units inherited by the current verification unit contains a (single) declaration of this name, then the object created by that declaration is the meaning of this name. | 45 |
| c)      | Otherwise, if the default verification mode contains a (single) declaration of this name, then the object created by that declaration is the meaning of this name.                                                                                           |    |
| d)      | Otherwise, if this name has an unambiguous meaning at the end of the design module or instance associ-<br>ated with the current verification unit, then that meaning is the meaning of this name.                                                            | 50 |

e) Otherwise, this name has no meaning.

For each operator symbol in the HDL expression, the meaning of the operator symbol is determined as follows.

55

50

1

5

10

15

20

5

10

- For the Verilog and GDL flavors, this operator symbol has the same meaning as the corresponding operator symbol in the HDL.
  - For the VHDL flavor, if this operator symbol has an unambiguous meaning at the end of the design unit or component instance associated with the current verification unit, then that meaning is the meaning of this operator symbol.
  - Otherwise, this operator symbol has no meaning.

It is an error if more than one declaration of a given name appears in the current verification unit, or in the transitive closure of all inherited verification units, or in the default verification mode.

See 7.2 for an explanation of verification units and modes.

# 15 **5.2 PSL expressions**

PSL defines a collection of predefined functions that return Boolean values. These predefined functions are described in 8.1.4.

20 PSL also defines a special variable called an *endpoint*, which signals the completion of a sequence. Endpoint declarations and instantiations are described in 6.1.3.1 and 6.1.3.2, respectively.

#### 5.3 Clock expressions

<sup>25</sup> Booleans (either Boolean HDL expressions, or PSL expressions) can be used as clock expressions, which indicate when other Boolean expressions are evaluated.

In the Verilog flavor, any expression that Verilog allows to be used as the condition in an *if* statement can be used as a clock expression. In addition, any Verilog *event expression* allowed by the modeling layer can be used as a clock expression.

In the VHDL flavor, any expression that VHDL allows to be used as the condition in an if statement can be used as a clock expression.

<sup>35</sup> In the GDL flavor, any expression that GDL allows to be used as the condition in an *if* statement can be used as a clock expression.

#### 5.4 Default clock declaration

40

30

A *default clock declaration*, shown in Box 12, specifies a clock expression for directives that have an outermost property or sequence that has no explicit clock expression.

45 PSL\_Declaration ::= Clock\_Declaration Clock\_Declaration ::= **default clock** DEF SYM Boolean ;

50

#### Box 12—Default clock declaration

Restrictions

At most one default clock declaration shall appear in a given verification unit.

| <pre>biparbile semantis:</pre> If on outermost property of an assert, assume, or assume_guarantee directive has no explicit clock declaration, if one science, or cover directive has no explicit clock declaration, if one clock expression for the property is given by the applicable default clock declaration, if one exists; otherwise the clock expression for that sequence is determined by the applicable default clock declaration. <pre> 10 11 12 13 14 15 15 15 15 16 16 16 17 16 17 16 17 16 17 17 17 17 17 17 17 17 17 17 17 17 17</pre>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |                                                                                                                                                      | 1  |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|----|
| <pre>expression, then the clock expression for that property is given by the applicable default clock declaration, if one<br/>exists, otherwise the clock expression for the property is the expression True.</pre> 10<br>explicit clock expression, then the clock expression for that sequence is determined by the applicable default<br>clock declaration, if one exists; otherwise the clock expression for the sequence is the expression True.<br>The applicable default clock declaration is determined as follows.<br>15<br>16<br>17<br>17<br>18<br>19<br>19<br>10<br>10<br>10<br>10<br>10<br>10<br>10<br>10<br>10<br>10                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Informal semantics                                                                                                                                   |    |
| <pre>explicit clock expression, then the clock expression for that sequence is determined by the applicable default<br/>clock declaration, if one exists; otherwise the clock expression for the sequence is the expression True.</pre> 15 a) If the current verification unit contains a (single) default clock declaration, then that is the applicable<br>default clock declaration. b) Otherwise, if the transitive closure with respect to inheritance of all verification units inherited by the<br>current verification unit contains a (single) default clock declaration, then that is the applicable default<br>clock declaration. c) Otherwise, if the default verification mode contains a (single) default clock declaration, then that is the<br>applicable default clock declaration. d) Otherwise, no applicable default clock declaration appears in the current verification unit, or in the transitive<br>closure of all inherited verification units, or in the default verification mode. Example     default clock = (posedge clk1);     assert always (req -> next ack);     cover {req; ack; !req; !ack}     is equivalent to     assert always (req -> next ack) @(posedge clk1);     cover {req; ack; !req; !ack} @(posedge clk1);     assert always (req -> next ack) @(posedge clk1);     assert always (req is ack; !req; !ack} @(posedge clk1);     assert always (req is ack; !req; !ack} @(posedge clk1);     assert always (req is ack; !req; !ack} @(posedge clk1); | expression, then the clock expression for that property is given by the applicable default clock declaration, if one                                 | 5  |
| <ul> <li>a) If the current verification unit contains a (single) default clock declaration, then that is the applicable default clock declaration.</li> <li>b) Otherwise, if the transitive closure with respect to inheritance of all verification units inherited by the current verification unit contains a (single) default clock declaration, then that is the applicable default clock declaration.</li> <li>c) Otherwise, if the default verification mode contains a (single) default clock declaration, then that is the applicable default clock declaration.</li> <li>d) Otherwise, no applicable default clock declaration exists.</li> <li>It is an error if more than one default clock declaration appears in the current verification unit, or in the transitive closure of all inherited verification units, or in the default verification mode.</li> <li><i>Example</i></li> <li>default clock = (posedge clk1);</li> <li>assert always (req -&gt; next ack);</li> <li>cover {req; ack; !req; !ack} @(posedge clk1);</li> <li>assert always (req -&gt; next ack) @(posedge clk1);</li> <li>cover {req; ack; !req; !ack} @(posedge clk1);</li> <li>40</li> </ul>                                                                                                                                                                                                                                                                                                                   | explicit clock expression, then the clock expression for that sequence is determined by the applicable default                                       | 10 |
| <ul> <li>a) If the current verification unit contains a (single) default clock declaration, then that is the applicable default clock declaration.</li> <li>b) Otherwise, if the transitive closure with respect to inheritance of all verification units inherited by the current verification unit contains a (single) default clock declaration, then that is the applicable default clock declaration.</li> <li>c) Otherwise, if the default verification mode contains a (single) default clock declaration, then that is the applicable default clock declaration.</li> <li>d) Otherwise, no applicable default clock declaration exists.</li> <li>It is an error if more than one default clock declaration appears in the current verification unit, or in the transitive closure of all inherited verification units, or in the default verification mode.</li> <li><i>Example</i></li> <li>default clock = (posedge clk1);</li> <li>assert always (req -&gt; next ack);<br/>cover {req; ack; !req; !ack};</li> <li>is equivalent to</li> <li>assert always (req -&gt; next ack) @(posedge clk1);<br/>cover {req; ack; !req; !ack} @(posedge clk1);</li> <li>40</li> </ul>                                                                                                                                                                                                                                                                                                                   | The applicable default clock declaration is determined as follows.                                                                                   | 15 |
| <ul> <li>current verification unit contains a (single) default clock declaration, then that is the applicable default clock declaration.</li> <li>20</li> <li>C) Otherwise, if the default verification mode contains a (single) default clock declaration, then that is the applicable default clock declaration.</li> <li>d) Otherwise, no applicable default clock declaration exists.</li> <li>It is an error if more than one default clock declaration appears in the current verification unit, or in the transitive closure of all inherited verification units, or in the default verification mode.</li> <li><i>Example</i></li> <li>default clock = (posedge clk1);</li> <li>assert always (req -&gt; next ack);</li> <li>cover {req; ack; !req; !ack} @(posedge clk1);</li> <li>is equivalent to</li> <li>assert always (req -&gt; next ack) @(posedge clk1);</li> <li>cover {req; ack; !req; !ack} @(posedge clk1);</li> <li>40</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | default clock declaration.                                                                                                                           | 15 |
| <ul> <li>c) Otherwise, if the default verification mode contains a (single) default clock declaration, then that is the applicable default clock declaration.</li> <li>d) Otherwise, no applicable default clock declaration exists.</li> <li>It is an error if more than one default clock declaration appears in the current verification unit, or in the transitive closure of all inherited verification units, or in the default verification mode.</li> <li><i>Example</i> <ul> <li>default clock = (posedge clk1);</li> <li>assert always (req -&gt; next ack);</li> <li>cover {req; ack; !req; !ack};</li> </ul> </li> <li>is equivalent to <ul> <li>assert always (req -&gt; next ack) @(posedge clk1);</li> <li>cover {req; ack; !req; !ack} @(posedge clk1);</li> </ul> </li> <li>40</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | current verification unit contains a (single) default clock declaration, then that is the applicable default                                         | 20 |
| <pre>closure of all inherited verification units, or in the default verification mode. Example     default clock = (posedge clk1); 30     assert always (req -&gt; next ack);     cover {req; ack; !req; !ack}; is equivalent to 35     assert always (req -&gt; next ack) @(posedge clk1);     cover {req; ack; !req; !ack} @(posedge clk1);     40</pre>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | c) Otherwise, if the default verification mode contains a (single) default clock declaration, then that is the applicable default clock declaration. | 20 |
| <pre>default clock = (posedge clk1);   assert always (req -&gt; next ack);   cover {req; ack; !req; !ack}; is equivalent to    assert always (req -&gt; next ack) @(posedge clk1);   cover {req; ack; !req; !ack} @(posedge clk1);   40</pre>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |                                                                                                                                                      | 25 |
| <pre>assert always (req -&gt; next ack);<br/>cover {req; ack; !req; !ack};<br/>is equivalent to<br/>assert always (req -&gt; next ack) @(posedge clk1);<br/>cover {req; ack; !req; !ack} @(posedge clk1);<br/>40</pre>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Example                                                                                                                                              |    |
| <pre>cover {req; ack; !req; !ack}; is equivalent to assert always (req -&gt; next ack) @(posedge clk1); cover {req; ack; !req; !ack} @(posedge clk1); 40</pre>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | <pre>default clock = (posedge clk1);</pre>                                                                                                           | 30 |
| assert always (req -> next ack) @(posedge clk1);<br>cover {req; ack; !req; !ack} @(posedge clk1);<br>40                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |                                                                                                                                                      |    |
| <pre>cover {req; ack; !req; !ack} @(posedge clk1); 40</pre>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | is equivalent to                                                                                                                                     | 35 |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |                                                                                                                                                      |    |
| 45                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                                                                                                                                                      | 40 |
| 45                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                                                                                                                                                      |    |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |                                                                                                                                                      | 45 |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |                                                                                                                                                      |    |
| 50                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                                                                                                                                                      | 50 |

| 1  |  |  |  |
|----|--|--|--|
| 5  |  |  |  |
| 10 |  |  |  |
| 15 |  |  |  |
| 20 |  |  |  |
| 25 |  |  |  |
| 30 |  |  |  |
| 35 |  |  |  |
| 40 |  |  |  |
| 45 |  |  |  |
| 50 |  |  |  |
| 55 |  |  |  |

| 6. Temporal layer                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | 1  |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|
| The temporal layer is used to define properties, which describe behavior over time. Properties can describe the behavior of the design or the behavior of the external environment.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | 5  |
| A property is built from three types of building blocks:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | 5  |
| <ul> <li>Boolean expressions</li> <li>sequences (which are themselves built from Boolean expressions)</li> <li>subordinate properties</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | 10 |
| Boolean expressions are part of the Boolean layer; they are described in Section 5. Sequential expressions are described in 6.1 and properties in 6.2.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | 15 |
| Some terms used in this section and their definitions are:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | 15 |
| <i>holds tightly</i> : The term used to talk about the meaning of a sequential expression (SERE). Sequential expressions are evaluated over finite paths (behaviors). The definition of holds tightly captures the meaning of a SERE by determining the finite paths that "match" the SERE. The meaning of a SERE depends on the operators and sub-SEREs that constitute the SERE. Thus, the definition of holds tightly is given in the sub-sections of Section 6.1; for each SERE operator, the sub-section describing that operator defines the finite paths on which a SERE that combines other SEREs using that operator holds tightly, given the meaning of these subordinate SEREs.                                                                                                                                                                                                                                     | 20 |
| For example, $\{a;b;c\}$ holds tightly on a path iff the path is of length three, where 'a' is true in the first cycle, 'b' is true in the second and 'c' is true in the third. The SERE $\{a[*];b\}$ holds tightly on a path iff 'b' is true in the last cycle of the path, and 'a' is true in all preceding cycles.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | 25 |
| <i>holds</i> : The term used to talk about the meaning of a Boolean expression, sequential expression, or property. A Boolean expression, sequential expression, or property is evaluated over the first cycle of a finite or infinite path. The definition of holds captures the meaning of a Boolean expression, sequential expressions or property by determining the paths (starting at the current cycle) that "obey" them. The meaning of a property depends on the operators and subordinate properties that constitute the property. Thus, the definition of holds is given in the subsections of Section 6.2; for each operator it is defined, in the sub-section describing that operator, which are the                                                                                                                                                                                                             | 30 |
| paths the composed property holds on (at their first state).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | 35 |
| For example, a Boolean expression 'p' holds in the first cycle of a path iff 'p' evaluates to <i>True</i> in the first cycle. A SERE holds on the first cycle of a path iff it holds tightly on a prefix of that path. The sequential expression $\{a;b;c\}$ holds on a first cycle of a path iff 'a' holds on the first cycle, 'b' holds on the second cycle and 'c' holds on the third. Note that the path itself may be of length more than 3. The sequential expression $\{a[*];b\}$ holds in the first cycle of a path iff: 1) the path contains a cycle in which 'b' holds, and 2) 'a' holds in all cycles before that cycle. It is not necessary that the cycle in which 'b' holds is the last cycle of the path (contrary to the requirement for $\{a[*];b\}$ to hold tightly on a path). Finally, the property 'always p' holds in a first cycle of a path iff 'p' holds in that cycle and in every subsequent cycle. | 40 |
| <i>describes</i> : A Boolean expression, sequential expression, or property describes the set of behavior for which the Boolean expression, sequential expression, or property holds.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | 45 |
| <i>occurs</i> : A Boolean expression is said to "occur" in a cycle if it holds in that cycle. For example, "the next occurrence of the Boolean expression" refers to the next cycle in which the Boolean expression holds.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | 50 |
| <i>starts</i> : A sequential expression starts at the first cycle of any behavior for which it holds. In addition, a sequential expression starts at the first cycle of any behavior which is the prefix of a behavior for which it holds. For example, if a holds at cycle 7 and b holds at every cycle from 8 onward, then the sequential expression $\{a;b[*];c\}$ starts at cycle 7.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | 55 |

- 1 *completes*: A sequential expression completes at the last cycle of any design behavior on which it holds tightly. For example, if a holds at cycle 3, b holds at cycle 4, and c holds at cycle 5, then the sequence {a;b;c} completes at cycle 5. Similarly, given the behavior {a;b;c}, the property a before c completes when c occurs.
- 5 NOTE—A sequence that holds eventually completes, while a sequence that starts may or may not complete.

terminating condition: A Boolean expression, the occurrence of which causes a property to complete.

10 *terminating property*: A property that, when it holds, causes another property to complete.

NOTE—These terms are used to describe the semantics of the temporal layer as precisely as possible. In any case where the English description is ambiguous or seems to contradict the formal semantics provided in Appendix B, the formal semantics take precedence.

#### 15

### 6.1 Sequential expressions

### 6.1.1 Sequential Extended Regular Expressions (SEREs)

20 Sequential Extended Regular Expressions (*SEREs*), shown in Box 13, describe single- or multi-cycle behavior built from a series of Boolean expressions.

| 25 | SERE ::=<br>Boolean<br>  Sequence<br>Sequence ::=<br>{ SERE }                                                                                                                                         |
|----|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 30 | Box 13—SEREs and Sequences                                                                                                                                                                            |
|    | The most basic SERE is a Boolean expression. A Sequence (a SERE enclosed in curly braces) is also a SERE Both are sequential expressions.                                                             |
| 35 | More complex sequential expressions are built from Boolean expressions using various SERE construction and sequence composition operators. These operators are described in the sections that follow. |
|    | NOTES                                                                                                                                                                                                 |
| 40 | 1—A sequential expression is not a property on its own; it is a building block of a property.                                                                                                         |
| 10 | 2—SEREs are grouped using curly braces ( $\{\}$ ), as opposed to Boolean expressions which are grouped using parenthese (()).                                                                         |
| 45 | 3—A Sequence can also be an instance of a Sequence declaration; see Sections 6.1.2.1 and 6.1.2.2.                                                                                                     |
| 45 |                                                                                                                                                                                                       |
| 50 |                                                                                                                                                                                                       |

### 6.1.1.1 SERE construction

### 6.1.1.1.1 Clocked SERE (@)

The SERE clock operator ((a)), shown in Box 14, provides a way to clock a SERE.

SERE ::= SERE (a) clock\_Boolean

#### Box 14—SERE clock operator

The first operand is the SERE to be clocked. The second operand is a Boolean expression with which to clock the SERE.

Restrictions

None.

#### Informal semantics

For unclocked SERE A and Boolean CLK:

A@CLK holds on a given path *iff* (if and only if) A holds on the path obtained by extracting from the given 25 path exactly those cycles in which CLK holds.

NOTE—When clocks are nested, the inner clock takes precedence over the outer clock. That is, the SERE {a;b@clk2;c}@clk is equivalent to the SERE {a@clk; b@clk2; c@clk}, with the outer clock applied to only the unclocked sub-SEREs. In particular, there is no conjunction of nested clocks involved.

NOTE—There is only one form of a clocked sere. In contrast, a distinction between weak and strong clocks is made for a clocked property (see Section 6.2.1.1).

#### Examples

Example 1

Consider the following behavior of Booleans a, b, and clk, where "time" is at the granularity observed by the verification tool:

| tir | ne | 0 | 1 | 2 | 3 | 4 |
|-----|----|---|---|---|---|---|
| cl} | k  | 0 | 1 | 0 | 1 | 0 |
| а   |    | 0 | 1 | 1 | 0 | 0 |
| b   |    | 0 | 0 | 0 | 1 | 0 |

The unclocked SERE {a;b} holds tightly from time 2 to time 3. It does not hold tightly over any other interval of the given behavior.

The clocked SERE  $\{a;b\}$ @clk holds tightly from time 0 to time 3, and also from time 1 to time 3. It does not hold tightly over any other interval of the given behavior.

55

50

1

5

10

15

20

30

35

### 1 Example 2

5

10

20

25

Consider the following behavior of Booleans a, b, c, clk1, and clk2, where "time" is at the granularity observed by the verification tool:

| time | e 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
|------|-----|---|---|---|---|---|---|---|
| clk1 | . 0 | 1 | 0 | 1 | 0 | 1 | 0 | 1 |
| a    | 0   | 1 | 1 | 0 | 0 | 0 | 0 | 0 |
| b    | 0   | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| C    | 0   | 0 | 0 | 0 | 1 | 0 | 1 | 0 |
| clk2 | 1   | 0 | 0 | 1 | 0 | 0 | 1 | 0 |

15 The unclocked SERE {{a;b};c} holds tightly from time 2 to time 4. It does not hold tightly over any other interval of the given behavior.

The multiply-clocked SERE  $\{\{a;b\}@clk1;c\}@clk2$  holds tightly from time 0 to time 6. It does not hold tightly over any other interval of the given behavior.

The singly-clocked SEREs  $\{\{a;b\};c\}$  (a) and  $\{\{a;b\};c\}$  (c) (a) not hold tightly over any interval of the given behavior.

### 6.1.1.1.2 SERE concatenation (;)

The *SERE concatenation* operator (;), shown in Box 15, constructs a SERE that is the concatenation of two other SEREs.

| SERE ; SERE | 30 | SERE ::=<br>SERE ; SERE |
|-------------|----|-------------------------|
|-------------|----|-------------------------|

### Box 15—SERE concatenation operator

<sup>35</sup> The right operand is a SERE that is concatenated after the left operand.

Restrictions

None.

40

45

Informal semantics

For SEREs A and B:

A; B holds on a path iff there is a future cycle *n*, such that A holds tightly on the path up to and including the  $n^{\text{th}}$  cycle and B holds tightly on the path starting at the  $n+1^{\text{th}}$  cycle.

# <sup>50</sup> 6.1.1.1.3 Repetition operators

The repetition operators ([]) describe succinctly repeated concatenation of the same SERE. There are three kinds of repetition, each of which is detailed in the following subsections.

25

30

35

40

45

55

# 6.1.1.1.4 SERE consecutive repetition ([\* ])

The *SERE consecutive repetition* operator (**[\***]), shown in Box 16, constructs repeated consecutive concatenation of the same SERE.



### Box 16—SERE consecutive repetition operator

The first operand is a SERE to be repeated. The second operand gives the Count (a number or range) of repetitions.

If the Count is a number, then the SERE describes exactly that number of repetitions.

Otherwise, if the Count is a range, then the SERE describes describes any number of repetitions such that the number falls within the specified range. If the high value of the range (HighBound) is not specified (or is specified as inf), the SERE describes at least as many repetitions as the low value of the range. If the low value of the range (LowBound) is not specified (or is specified as 0), the SERE describes at most as many repetitions as the high value of the range. If neither of the range values is specified, the SERE describes any number of repetitions, including zero, i.e., the empty path is also described.

When there is no SERE operand and only a Count, the resulting SERE describes any path whose length is described by the second operand as above.

The notation + is a shortcut for a repetition of one or more times.

### Restrictions

If the SERE contains a Count, and the Count is a Number, then the Number shall be statically computable. If the SERE contains a Count, and the Count is a Range, then each bound of the Range shall be statically computable, and the low bound of the Range shall be less than or equal to the high bound of the Range.

### Informal semantics

For SERE A and numbers n and m:

- A [\*n] holds tightly on a path iff the path can be partitioned into n parts, where A holds tightly on each part.
- A [\*n:m] holds tightly on a path iff the path can be partitioned into between n and m parts, inclusive, where A holds tightly on each part.
- A [\*0:m] holds tightly on a path iff the path is empty or the path can be partitioned into m or less parts, where A holds tightly on each part.

10

15

40

50

55

- 1 A[\*n:inf] holds tightly on a path iff the path can be partitioned into at least n parts, where A holds tightly on each part.
  - A[\*0:inf] holds tightly on a path iff the path is empty or the path can be partitioned into some number of parts, where A holds tightly on each part.
  - A [\*] holds tightly on a path iff the path is empty or the path can be partitioned into some number of parts, where A holds tightly on each part.
    - A [+] holds tightly on a path iff the path can be partitioned into some number of parts, where A holds tightly on each part.
  - [\*n] holds tightly on a path iff the path is of length n.
    - [\*n:m] holds tightly on a path iff the length of the path is between n and m, inclusive.
    - [\*0:m] holds tightly on a path iff it is the empty path or the length of the path is m or less.
    - [\*n:inf] holds tightly on a path iff the length of the path is at least n.
    - [\*0:inf] holds tightly on any path (including the empty path).
    - [\*] holds tightly on any path (including the empty path).
- [+] holds tightly on any path of length at least one.

### 20 6.1.1.1.5 SERE non-consecutive repetition ([= ])

The SERE non-consecutive repetition operator ([=]), shown in Box 17, constructs repeated (possibly non-consecutive) concatenation of a Boolean expression.

| 25 | SERE ::=                     |
|----|------------------------------|
|    | Boolean [ = Count ]          |
|    | Count ::=                    |
|    | Number                       |
|    | Range                        |
| 30 | Range ::=                    |
| 50 | LowBound RANGE SYM HighBound |
|    | LowBound ::=                 |
|    | Number   MIN VAL             |
|    | HighBound ::=                |
|    | Number   MAX_VAL             |
| 35 |                              |

### Box 17—SERE non-consecutive repetition operator

The first operand is a Boolean expression to be repeated. The second operand gives the Count (a number or range) of repetitions.

If the Count is a number, then the SERE describes exactly that number of repetitions.

- Otherwise, if the Count is a range, then the SERE describes any number of repetitions such that the number falls within the specified range. If the high value of the range (HighBound) is not specified (or is specified as inf), the SERE describes at least as many repetitions as the low value of the range. If the low value of the range (Low-Bound) is not specified (or is specified as 0), the SERE describes at most as many repetitions as the high value of the range. If neither of the range values is specified, the SERE describes any number of repetitions, including zero, i.e., the empty path is also described.
  - Restrictions

If the SERE contains a Count, and the Count is a Number, then the Number shall be statically computable. If the SERE contains a Count, and the Count is a Range, then each bound of the Range shall be statically computable, and the low bound of the Range shall be less than or equal to the high bound of the Range.

| Informal semantics                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | 1  |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|
| For Boolean A and numbers n and m:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |    |
| <ul> <li>A [=n] holds tightly on a path iff A occurs exactly n times along the path.</li> <li>A [=n:m] holds tightly on a path iff A occurs between n and m times, inclusive, along the path.</li> <li>A [=0:m] holds tightly on a path iff A occurs m times or less along the path.</li> <li>A [=n:inf] holds tightly on a path iff A occurs at least n times along the path.</li> </ul>                                                                                                                                                                                                                                                                    | 5  |
| <ul> <li>A [=0:inf] holds tightly on a path iff A occurs any number of times along the path, i.e., A[=0:inf] holds tightly on any path.</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | 10 |
| 6.1.1.1.6 SERE goto repetition ([-> ])                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | 15 |
| The <i>SERE goto repetition</i> operator ( $[->]$ ), shown in Box 18, constructs repeated (possibly non-consecutive) concatenation of a Boolean expression, such that the Boolean expression holds on the last cycle of the path.                                                                                                                                                                                                                                                                                                                                                                                                                            |    |
| SERE ::=<br>Boolean [ -> [ positive_Count ] ]<br>Count ::=<br>Number                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | 20 |
| Range<br>Range ::=<br>LowBound RANGE_SYM HighBound<br>LowBound ::=<br>Number   MIN_VAL                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | 25 |
| HighBound ::=<br>Number   MAX_VAL                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |    |
| Box 18—SERE goto repetition operator                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | 30 |
| The first operand is a Boolean expression to be repeated. The second operand gives the Count (a non-zero number or a non-zero range) of repetitions.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | 35 |
| If the Count is a number, then the SERE describes exactly that number of repetitions.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |    |
| Otherwise, if the Count is a range, then the SERE describes any number of repetitions such that the number falls within the specified range. If the high value of the range (HighBound) is not specified (or is specified as inf), the SERE describes at least as many repetitions as the low value of the range. If the low value of the range (Low-Bound) is not specified, the SERE describes at most as many repetitions as the high value of the range. If neither of the range values is specified, the SERE describes exactly one repetition, i.e., behavior in which the Boolean expression holds exactly once (only at the last cycle on the path). | 40 |
| Restrictions                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | 45 |

If the SERE contains a Count, it shall be a statically computable, positive Count (i.e., indicating at least one repetition). If the Count is a Range, then each bound of the Range shall be statically computable, and the low bound of the Range shall be positive and less than or equal to the high bound of the Range.

50

### 1 Informal semantics

5

15

30

40

For Boolean A and numbers n and m:

- A [->n] holds tightly on a path iff A occurs exactly n times along the path and the last cycle at which it occurs is the last cycle of the path.
  - A[->n:m] holds tightly on a path iff A occurs between n and m times, inclusive, along the path, and the last cycle at which it occurs is the last cycle of the path.
- 10 A [->1:m] holds tightly on a path iff A occurs m times or less along the path and the last cycle at which it occurs is the last cycle of the path.
  - A[->n:inf] holds tightly on a path iff A occurs at least n times along the path and the last cycle at which it occurs is the last cycle of the path.
  - A[->1:inf] holds tightly on a path iff A occurs one or more times along the path and the last cycle at which it occurs is the last cycle of the path.
    - A [->] holds tightly on a path iff A occurs in the last cycle of the path and in no cycle before that.

### 20 6.1.1.2 Sequence composition

### 6.1.1.2.1 Sequence fusion (:)

The *sequence fusion* operator (:), shown in Box 19, constructs a SERE in which two sequences overlap by one cycle. That is, the second sequence starts at the cycle in which the first sequence completes.

| SERE ::=<br>Sequence : Sequence |
|---------------------------------|
| Sequence ::=<br>{ SERE }        |

#### Box 19—Sequence fusion operator

35 The operands of : are both sequences, i.e., brace-enclosed SEREs.

Restrictions

None.

Informal semantics

For sequences A and B:

45 A: B holds tightly on a path iff there is a future cycle n, such that A holds tightly on the path up to and including the  $n^{\text{th}}$  cycle and B holds tightly on the path starting at the  $n^{\text{th}}$  cycle.

50

| 6.1.1.2.2 Sequence or ( )                                                                                                                                                                                                       | 1  |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|
| The <i>sequence or</i> operator ( ), shown in Box 20, constructs a SERE in which one of two alternative sequences hold at the current cycle.                                                                                    | 5  |
| SERE ::=<br>Sequence   Sequence                                                                                                                                                                                                 | 5  |
| Box 20—Sequence or operator                                                                                                                                                                                                     | 10 |
| The operands of   are both Sequences, i.e., brace-enclosed SEREs.                                                                                                                                                               |    |
| Restrictions                                                                                                                                                                                                                    | 15 |
| None.                                                                                                                                                                                                                           |    |
| Informal semantics                                                                                                                                                                                                              | 20 |
| For sequences A and B:                                                                                                                                                                                                          | 20 |
| $A \mid B$ holds tightly on a path iff at least one of A or B holds tightly on the path.                                                                                                                                        |    |
|                                                                                                                                                                                                                                 | 25 |
| 6.1.1.2.3 Sequence non-length-matching and (&)                                                                                                                                                                                  |    |
| The sequence non-length-matching and operator ( $\&$ ), shown in Box 21, constructs a SERE in which two sequences both hold at the current cycle, regardless of whether they complete in the same cycle or in different cycles. | 30 |
| SERE ::=<br>Sequence & Sequence                                                                                                                                                                                                 | 35 |
| Box 21—Sequence non-length-matching and operator                                                                                                                                                                                |    |
| The operands of & are both Sequences, i.e., brace-enclosed SEREs.                                                                                                                                                               | 40 |
| Restrictions                                                                                                                                                                                                                    | 10 |
| None.                                                                                                                                                                                                                           |    |
| Informal semantics                                                                                                                                                                                                              | 45 |
| For sequences A and B:                                                                                                                                                                                                          |    |
| A&B holds tightly on a path iff either A holds tightly on the path and B holds tightly on a prefix of the path or B holds tightly on the path and A holds tightly on a prefix of the path.                                      | 50 |
|                                                                                                                                                                                                                                 | 55 |

### 1 6.1.1.2.4 Sequence length-matching and (&&)

The sequence length-matching and operator (&&), shown in Box 22, constructs a SERE in which two sequences both hold at the current cycle, and furthermore both complete in the same cycle.

5

SERE ::= Sequence & & Sequence

10

### Box 22—Sequence length-matching and operator

The operands of && are both Sequences, i.e., brace-enclosed SEREs.

15 Restrictions

None.

Informal semantics 20

For sequences A and B:

A&&B holds tightly on a path iff A and B both hold tightly on the path.

25

### 6.1.2 Named sequences

A given sequence may describe behavior that can occur in different contexts (i.e., in conjunction with other behavior). In such a case, it is convenient to be able to define the sequence once and refer to the single definition in each context in which the sequence applies. Declaration and instantiation of *named sequences* provide this capability.

### 6.1.2.1 Sequence declaration

A *sequence declaration*, shown in Box 23, defines a sequence and gives it a name. A sequence declaration can also specify a list of formal parameters that can be referenced within the sequence.

40

45

35

| PSL_Declaration ::=                                            |
|----------------------------------------------------------------|
| Sequence Declaration                                           |
| Sequence_Declaration ::=                                       |
| sequence Name [ ( Formal_Parameter_List ) ] DEF_SYM Sequence ; |
| Formal Parameter_List ::=                                      |
| Formal_Parameter { ; Formal_Parameter }                        |
| Formal_Parameter ::=                                           |
| sequence_ParamKind Name { , Name }                             |
| sequence_ParamKind ::=                                         |
| const   boolean   sequence                                     |

50

55

## Box 23—Sequence declaration

### Restrictions

The Name of a declared sequence shall not be the same as the name of any other PSL declaration. Formal parameters of a sequence declaration are limited to parameter kinds const, boolean, and sequence.

5

10

15

20

25

30

35

40

45

50

55

Examples

```
sequence BusArb (boolean br, bg; const n) = { br; (br && !bg)[0:n];
br && bg };
```

The named sequence BusArb represents a generic bus arbitration sequence involving formal parameters br (bus request) and bg (bus grant), as well as a parameter n that specifies the maximum delay in receiving the bus grant.

```
sequence ReadCycle (sequence ba; boolean bb, ar, dr) = { ba; \{bb[*]\} \&\&
\{ar[->]; dr[->]\}; !bb };
```

The named sequence ReadCycle represents a generic read operation involving a bus arbitration sequence and Boolean conditions bb (bus busy), ar (address ready), and dr (data ready).

NOTE—There is no requirement to use formal parameters in a sequence declaration. A declared sequence may refer directly to signals in the design as well as to formal parameters.

#### 6.1.2.2 Sequence instantiation

A *sequence instantiation*, shown in Box 24, creates an instance of a named sequence and provides actual parameters for formal parameters (if any) of the named sequence.

| Sequence ::=                                              | ] |
|-----------------------------------------------------------|---|
| sequence_Name [ ( Actual_Parameter_List ) ]               |   |
| Actual_Parameter_List ::=                                 |   |
| sequence_Actual_Parameter { , sequence_Actual_Parameter } |   |
| sequence Actual Parameter ::=                             |   |
| Number   Boolean   Sequence                               |   |

#### Box 24—Sequence instantiation

Restrictions

For each formal parameter of the named sequence *sequence\_Name*, the sequence instantiation shall provide a corresponding actual parameter. For a const formal parameter, the actual parameter shall be a statically evaluable integer expression. For a boolean formal parameter, the actual parameter shall be a Boolean expression. For a sequence formal parameter, the actual parameter shall be a Sequence.

#### Informal semantics

An instance of a named sequence describes the behavior that is described by the sequence obtained from the named sequence by replacing each formal parameter in the named sequence with the corresponding actual parameter from the sequence instantiation.

#### Examples

Given the declarations for the sequences BusArb and ReadCycle in 6.1.2.1,

BusArb (breq, back, 3)

#### is equivalent to

{ breq; (breq && !back) [0:3]; breq && back }

#### 1 and

```
ReadCycle(BusArb(breq, back, 5), breq, ardy, drdy)
```

```
5 is equivalent to
```

```
{ { breq; (breq && !back)[0:5]; breq && back }; {breq[*]} && {ardy[->];
drdy[->]}; !breq }
```

#### 10

### 6.1.3 Named endpoints

An *endpoint* is a special kind of Boolean-valued variable that indicates when an associated sequence completes.

### 15 **6.1.3.1 Endpoint declaration**

An *endpoint declaration*, shown in Box 25, defines an endpoint for a given sequence and gives the endpoint a name. An endpoint declaration can also specify a list of formal parameters that can be referenced within the sequence.

20

35

40

45

|    | PSL Declaration ::=                                            |
|----|----------------------------------------------------------------|
|    | Endpoint Declaration                                           |
|    | Endpoint Declaration ::=                                       |
|    | endpoint Name [ ( Formal_Parameter_List ) ] DEF_SYM Sequence ; |
| 25 | Formal Parameter List ::=                                      |
|    | Formal Parameter { ; Formal Parameter }                        |
|    | Formal Parameter ::=                                           |
|    | sequence ParamKind Name {, Name }                              |
|    | sequence ParamKind ::=                                         |
|    | const   boolean   sequence                                     |
| 30 |                                                                |

Box 25—Endpoint declaration

#### Restrictions

The Name of an endpoint shall not be the same as the name of any other PSL declaration. Formal parameters of an endpoint declaration are limited to parameter kinds const, boolean, and sequence.

#### Example

```
endpoint ActiveLowReset (boolean rb, clk; const n) = { rb!=1'b1[*n:inf];
rb==1'b1 } @(posedge clk);
```

The endpoint ActiveLowReset represents a generic reset sequence in which the reset signal is asserted (set to 0) for at least n cycles of the relevant clock before being released (set to 1).

NOTE—There is no requirement to use formal parameters in an endpoint declaration. The sequence in an endpoint declaration may refer directly to signals in the design as well as to formal parameters.

50

### 6.1.3.2 Endpoint instantiation

An *endpoint instantiation*, shown in Box 26, creates an instance of a named endpoint and provides actual parameters for formal parameters (if any) of the named endpoint.

Boolean ::= boolean\_HDL\_or\_PSL\_Expression boolean\_HDL\_or\_PSL\_Expression ::= endpoint\_Name [ (Actual\_Parameter\_List ) ] Actual\_Parameter\_List ::= sequence\_Actual\_Parameter { , sequence\_Actual\_Parameter } sequence\_Actual\_Parameter ::= Number | Boolean | Sequence

#### Box 26—Endpoint instantiation

#### Restrictions

For each formal parameter of the named endpoint *endpoint\_Name*, the endpoint instantiation shall provide a 20 corresponding actual parameter. For a const formal parameter, the actual parameter shall be a statically evaluable integer expression. For a boolean formal parameter, the actual parameter shall be a Boolean expression. For a sequence formal parameter, the actual parameter shall be a Sequence.

#### Informal semantics

An instance of a named endpoint has the value *True* in any evaluation cycle that is the last cycle of a behavior on which the associated sequence, modified by replacing each formal parameter in the named sequence with the corresponding actual parameter from the sequence instantiation, holds tightly.

#### Examples

Given the declaration for the endpoint ActiveLowReset in 6.1.3.1,

```
ActiveLowReset (res, mclk, 3)
```

is *True* each time res has the value 1'b1 at the rising edge of mclk, provided that res did not have the value 1'b1 at the three immediately preceding rising edges of mclk; it is *False* otherwise.

### **6.2 Properties**

*Properties* express temporal relationships among Boolean expressions, sequential expressions, and subordinate properties. Various operators are defined to express various temporal relationships.

Some operators occur in families. A *family of operators* is a group of operators which are related. A family of operators usually share a common prefix, which is the name of the family, and optional suffixes which include, for example, the strings !, \_, and !\_. For instance, the until family of operators include the operators until !, until, until !\_, and until\_.

50

55

1

5

10

15

30

25

40

45

### 1 6.2.1 FL properties

*FL Properties*, shown in Box 27, describe single- or multi-cycle behavior built from Boolean expressions, sequential expressions, and subordinate properties.

5

10

15

| FL_Property ::=<br>Boolean<br>  (FL_Property) |
|-----------------------------------------------|
|-----------------------------------------------|

### Box 27—FL properties

The most basic FL Property is a Boolean expression. An FL Property enclosed in parentheses is also an FL property.

More complex FL properties are built from Boolean expressions, sequential expressions, and subordinate properties using various temporal operators.

20 NOTE—Like Boolean expressions, FL properties are grouped using parentheses (()), as opposed to SEREs which are grouped using curly braces ({}).

### 6.2.1.1 Clocked FL properties

25 The *FL clock operator* operator (*(a)*), shown in Box 28, provides a way to clock an FL Property.

| FL Property ::=                                                    |  |
|--------------------------------------------------------------------|--|
| FL_Property (a) clock_Boolean<br>  FL_Property (a) clock_Boolean ! |  |
| FL_Property (a) clock_Boolean !                                    |  |

30

35

40

### Box 28—FL property clock operator

The first operand is the FL Property to be clocked. The second operand is a Boolean expression with which to clock the FL Property.

Restrictions

None.

Informal semantics

For FL property A and Boolean CLK:

- A@CLK holds on a given path iff A holds on the path obtained by extracting from the given path exactly those cycles in which CLK holds, or if CLK never holds on that path. A@CLK! holds on a given path iff CLK holds at least once on the given path, and A holds on the path obtained by extracting from the given path exactly those cycles in which CLK holds.
- 50 NOTE—When clocks are nested, the outer clock causes alignment before the inner clock is considered. For example, (A@CLK\_A)@CLK\_B holds on a given path iff, starting at the first cycle of the given path in which CLK\_B holds, A holds on the path obtained by extracting from the given path those cycles in which CLK\_A holds.

NOTE—A distinction between weak and strong clocks is made for a clocked property. In contrast, there is only one form of a clocked SERE (see Section 6.1.1.1.1), although it is syntactically similar to the weak clocking of properties.

| Example 1                                                                                                                                                                                                                                                                                                                                                               | 1  |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|
| Consider the following behavior of Booleans a, b, and clk, where "time" is at the granularity observed by the verification tool:                                                                                                                                                                                                                                        |    |
| time 0 1 2 3 4 5 6 7 8 9                                                                                                                                                                                                                                                                                                                                                | 5  |
| clk 0 1 0 1 0 1 0 1 0 1<br>a 0 0 0 1 1 1 0 0 0 0<br>b 0 0 0 0 1 0 1 1 0                                                                                                                                                                                                                                                                                                 | 10 |
| The unclocked FL Property                                                                                                                                                                                                                                                                                                                                               |    |
| (a until! b)                                                                                                                                                                                                                                                                                                                                                            | 15 |
| holds at times 5, 7, and 8, because b holds at each of those times. The property also holds at times 3 and 4, because a holds at those times and continues to hold until b holds at time 5. It does not hold at any other time of the given behavior.                                                                                                                   | 20 |
| The clocked FL Property                                                                                                                                                                                                                                                                                                                                                 | 20 |
| (a until! b)                                                                                                                                                                                                                                                                                                                                                            |    |
| @clk holds at times 2, 3, 4, 5, 6, and 7. It does not hold at any other time of the given behavior.                                                                                                                                                                                                                                                                     | 25 |
| Example 2                                                                                                                                                                                                                                                                                                                                                               |    |
| Consider the following behavior of Booleans a, b, c, clk1, and clk2, where "time" is at the granularity observed by the verification tool:                                                                                                                                                                                                                              | 30 |
| time 0 1 2 3 4 5 6 7 8 9                                                                                                                                                                                                                                                                                                                                                |    |
| clk1       0       1       0       1       0       1       0       1         a       0       0       1       1       1       0       0       0         b       0       0       0       1       1       1       0         c       1       0       0       1       1       0       0       0         clk2       1       0       0       1       0       0       1       1 | 35 |
| The unclocked FL Property                                                                                                                                                                                                                                                                                                                                               | 40 |
| (c && next! (a until! b))                                                                                                                                                                                                                                                                                                                                               |    |
| holds at time 6. It does not hold at any other time of the given behavior.                                                                                                                                                                                                                                                                                              |    |
| The singly-clocked FL Property                                                                                                                                                                                                                                                                                                                                          | 45 |
| (c && next! (a until! b))@clk1                                                                                                                                                                                                                                                                                                                                          |    |
| holds at times 4 and 5. It does not hold at any other time of the given behavior.                                                                                                                                                                                                                                                                                       | 50 |
| The singly-clocked FL Property                                                                                                                                                                                                                                                                                                                                          |    |
| (a until! b)@clk2                                                                                                                                                                                                                                                                                                                                                       | 55 |
|                                                                                                                                                                                                                                                                                                                                                                         | 55 |

1 does not hold at any time of the given behavior.

The multiply-clocked FL Property

(c && next! (a until! b)@clk1)@clk2

holds at time 0. It does not hold at any other time of the given behavior.

#### 10 6.2.1.2 Simple FL properties

#### 6.2.1.2.1 always

The **always** operator, shown in Box 29, specifies that an FL property or a sequence holds at all times, starting from the present.

20

25

15

5

FL Property ::= always FL Property always Sequence

# Box 29—always operator

The operand of the always operator is an FL Property or Sequence.

Restrictions

None.

30

#### Informal semantics

An always property holds in the current cycle of a given path iff the FL Property or Sequence that is the oper-35 and holds at the current cycle and all subsequent cycles.

NOTE-If the operand (FL property or sequence) is temporal (i.e., spans more than one cycle), then the always operator defines a property that describes overlapping occurrences of the behavior described by the operand. For example, the property always  $\{a, b, c\}$  describes any behavior in which  $\{a, b, c\}$  holds in every cycle, thus any behavior in which a holds in the first and every subsequent cycle, b holds in the second and every subsequent cycle, and c holds in the third and every subsequent cycle.

### 6.2.1.2.2 never

45

40

The **never** operator, shown in Box 30, specifies that an FL property or a sequence never holds.

FL\_Property ::= never FL Property never Sequence

50

#### Box 30—never operator

The operand of the never operator is an FL Property or a Sequence.

| Restrictions                                                                                                                                                                              | 1  |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|
| Within the simple subset (see Section 4.4.5), the operand of a never property is restricted to be a Boolean expression or a SERE.                                                         | -  |
| Informal semantics                                                                                                                                                                        | 5  |
| A never property holds in the current cycle of a given path iff the FL Property or Sequence that is the operand does not hold at the current cycle and does not hold at any future cycle. | 10 |
| 6.2.1.2.3 eventually!                                                                                                                                                                     | 15 |
| The <b>eventually!</b> operator, shown in Box 31, specifies that an FL property or a Sequence holds at the current cycle or at some future cycle.                                         | 15 |
| FL_Property ::=<br>eventually! FL_Property<br>  eventually! Sequence                                                                                                                      | 20 |
| Box 31—eventually! operator                                                                                                                                                               |    |
| The operand of the eventually! operator is an FL Property or a Sequence.                                                                                                                  | 25 |
| Restrictions                                                                                                                                                                              |    |
| Within the simple subset (see Section 4.4.5), the operand of an eventually! property is restricted to be a Boolean or a SERE.                                                             | 30 |
| Informal semantics                                                                                                                                                                        |    |
| An eventually! property holds in the current cycle of a given path iff the FL Property or Sequence that is the operand holds at the current cycle or at some future cycle.                | 35 |
| 6.2.1.2.4 next                                                                                                                                                                            |    |
| The <b>next</b> family of operators, shown in Box 32, specify that an FL property holds at some next cycle.                                                                               | 40 |
| FL_Property ::=<br>next! (FL_Property)<br>  next (FL_Property)<br>  next! [Number] (FL_Property)<br>  next [Number] (FL_Property)                                                         | 45 |
| Box 32—next operators                                                                                                                                                                     |    |
| The FL Drements that is the anomal of the second is a memory in a memory that holds at some most evaluations in                                                                           | 50 |

The FL Property that is the operand of the next! or next operator is a property that holds at some next cycle. If present, the Number indicates at which next cycle the property holds, that is, for number *i*, the property holds at the  $i^{th}$  next cycle. If the Number operand is omitted, the property holds at the very next cycle.

- 1 The next! operator is a strong operator, thus it specifies that there is a next cycle (and so does not hold at the last cycle, no matter what the operand). Similarly, next! [i] specifies that there are at least *i* next cycles.
- The next operator is a weak operator, thus it does not specifies that there is a next cycle, only that if there is, the property that is the operand holds. Thus, a weak next property holds at the last cycle of a finite behavior, no matter what the operand. Similarly, next [i] does not specify that there are at least *i* next cycles.
  - NOTE—The Number may be 0. That is, next [0] (f) is allowed, which says that f holds at the current cycle.

20

25

Restrictions

If a property contains a Number, then the Number shall be statically computable.

- 15 Informal semantics
  - A next! property holds in the current cycle of a given path iff:
    - 1) there is a next cycle and
    - 2) the FL property that is the operand holds at the next cycle.
  - A next property holds in the current cycle of a given path iff:
    - 1) there is not a next cycle or
    - 2) the FL property that is the operand holds at the next cycle.
  - A next! [i] property holds in the current cycle of a given path iff:
    - 1) there is an  $i^{th}$  next cycle and
    - 2) the FL property that is the operand holds at the  $i^{\text{th}}$  next cycle.
      - A next [i] property holds in the current cycle of a given path iff:
      - 1) there is not an  $i^{\text{th}}$  next cycle or
      - 2) the FL property that is the operand holds at the  $i^{\text{th}}$  next cycle.
- 30 NOTE—The formula next (f) is equivalent to the formula next [1] (f).

### 6.2.1.3 Extended next FL properties

### 6.2.1.3.1 next\_a

The **next\_a** family of operators, shown in Box 33, specify that an FL property holds at all cycles of a range of future cycles.

40

35

| FL Property ::=                                                                                             |  |
|-------------------------------------------------------------------------------------------------------------|--|
| <b>next_a!</b> [ <i>finite_</i> Range] (FL_Property)<br><b>next_a</b> [ <i>finite_</i> Range] (FL_Property) |  |
| <b>next_a</b> [ <i>finite</i> _Range] (FL_Property)                                                         |  |

#### 45

### Box 33—next\_a operators

The FL Property that is the operand of the next\_a! or next\_a operator is a property that holds at all cycles between the  $i^{th}$  and  $j^{th}$  next cycles, inclusive, where i and j are the low and high bounds, respectively, of the finite Range.

The next\_a! operator is a strong operator, thus it specifies that there is a  $j^{th}$  next cycle, where j is the high bound of the Range.

55

5

10

15

25

35

40

45

— A next\_a![i:j] property holds in the current cycle of a given path iff:

- 1) there is a  $j^{\text{th}}$  next cycle and
- 2) the FL Property that is the operand holds at all cycles between the  $i^{th}$  and  $j^{th}$  next cycle, inclusive.

The next a operator is a weak operator, thus it does not specify that any of the  $i^{th}$  through  $j^{th}$  next cycles neces-

If a next\_a or next\_a! property contains a Range, then the Range shall be a finite Range, each bound of the Range shall be statically computable, and the left bound of the Range shall be less than or equal to the right

— A next\_a[i:j] property holds in the current cycle of a given path iff the FL Property that is the operand holds at all cycles between the *i*<sup>th</sup> and *j*<sup>th</sup> next cycle, inclusive. (If not all those cycles exist, then the FL Property that is the operand holds on as many as do exist).

NOTE—The left bound of the Range may be 0. For example,  $next_a[0:n](f)$  is allowed, which says that f holds starting in the current cycle, and for *n* cycles following the current cycle. 20

### 6.2.1.3.2 next\_e

sarily exist.

Restrictions

bound of the Range.

Informal semantics

The **next\_e** family of operators, shown in Box 34, specify that an FL property holds at least once within some range of future cycles.

| FL_Property ::=                                                                                             | 30 |
|-------------------------------------------------------------------------------------------------------------|----|
| <b>next_e!</b> [ <i>finite</i> _Range] (FL_Property)<br><b>next_e</b> [ <i>finite</i> _Range] (FL_Property) |    |

### Box 34—next\_e operators

The FL Property that is the operand of the next\_e! or next\_e operator is a property that holds at least once between the  $i^{th}$  and  $j^{th}$  next cycle, inclusive, where *i* and *j* are the low and high bounds, respectively, of the finite Range.

The next\_e! operator is a strong operator, thus it specifies that there are enough cycles so the FL property that is the operand has a chance to hold.

The next\_e operator is a weak operator, thus it does not specify that there are enough cycles so the FL property that is the operand has a chance to hold.

### Restrictions

If a next\_e or next\_e! property contains a Range, then the Range shall be a finite Range, each bound of the Range shall be statically computable, and the left bound of the Range shall be less than or equal to the right bound of the Range.

### 1 Informal semantics

5

10

15

20

- A next\_e![i..j] property holds in the current cycle of a given path iff there is some cycle between the  $i^{th}$  and  $j^{th}$  next cycle, inclusive, where the FL Property that is the operand holds.
- A next e[i...j] property holds in the current cycle of a given path iff
  - 1) there are less than j next cycles following the current cycle, or
  - 2) there is some cycle between the  $i^{\text{th}}$  and  $j^{\text{th}}$  next cycle, inclusive, where the FL Property that is the operand holds.

NOTE—The left bound of the Range may be 0. For example,  $next_e[0:n](f)$  is allowed, which says that f holds either in the current cycle or in one of the *n* cycles following the current cycle.

# 6.2.1.3.3 next\_event

The **next\_event** family of operators, shown in Box 35, specify that an FL property holds at the next occurrence of a Boolean expression. The next occurrence of the Boolean expression includes an occurrence at the current cycle.

|    | FL Property ::=                                                       |
|----|-----------------------------------------------------------------------|
|    | <b>next event!</b> (Boolean) (FL_Property)                            |
|    | <b>next_event</b> (Boolean) (FL_Property)                             |
| 25 | <b>next_event!</b> (Boolean) [ <i>positive_Number</i> ] (FL_Property) |
| 25 | <b>next_event</b> (Boolean) [positive_Number] (FL_Property)           |

### Box 35—next\_event operators

- <sup>30</sup> The rightmost operand of the next\_event! or next\_event operator is an FL Property that holds at the next occurrence of the leftmost operand. If the FL Property includes a Number, then the property holds at the  $i^{\text{th}}$  occurrence of the leftmost operand (where *i* is the value of the Number), rather than at the very next occurrence.
- 35 The next\_event! operator is a strong operator, thus it specifies that there is a next occurrence of the leftmost operand. Similarly, next\_event! [i] specifies that there are at least *i* occurrences.

The next\_event operator is a weak operator, thus it does not specify that there is a next occurrence of the leftmost operand. Similarly, next\_event[i] does not specify that there are at least *i* next occurrences.

40 *Restrictions* 

If a next\_event or next\_event! property contains a Number, then the Number shall be a statically computable, positive Number.

# 45 Informal semantics

- A next\_event! property holds in the current cycle of a given path iff:
  - 1) the Boolean expression and the FL Property that are the operands both hold at the current cycle, or at some future cycle, and
  - 2) the Boolean expression holds at some future cycle, and the FL property that is the operand holds at the next cycle in which the Boolean expression holds.

55

|         | A next event property holds in the current cycle of a given path iff:                                                                        | 1  |
|---------|----------------------------------------------------------------------------------------------------------------------------------------------|----|
|         | 1) the Boolean expression that is the operand does not hold at the current cycle, nor does it hold at any                                    |    |
|         | future cycle; or                                                                                                                             |    |
|         | 2) the Boolean expression that is the operand holds at the current cycle or at some future cycle, and the                                    |    |
|         | FL property that is the operand holds at the next cycle in which the Boolean expression holds.                                               | 5  |
|         | A next_event! [i] property holds in the current cycle of a given path iff:                                                                   |    |
|         | 1) the Boolean expression that is the operand holds at least <i>i</i> times, starting at the current cycle, and                              |    |
|         | 2) the FL property that is the operand holds at the $i^{th}$ occurrence of the Boolean expression.                                           |    |
|         | A next_event[i] property holds in the current cycle of a given path iff:                                                                     | 10 |
|         | 1) the Boolean expression that is the operand does not hold at least <i>i</i> times, starting at the current cycle,                          |    |
|         | or                                                                                                                                           |    |
|         | 2) the Boolean expression that is the operand holds at least <i>i</i> times, starting at the current cycle, and the                          |    |
|         | FL property that is the operand holds at the <i>i</i> <sup>th</sup> occurrence of the Boolean expression.                                    |    |
|         |                                                                                                                                              | 15 |
|         | -The formula next_event(true)(f) is equivalent to the formula next[0](f). Similarly, if p holds in the                                       |    |
|         | cycle, then next_event(p)(f) is equivalent to next_event(true)(f) and therefore to next[0](f).<br>r, none of these is equivalent to next(f). |    |
|         |                                                                                                                                              | 20 |
|         |                                                                                                                                              | 20 |
| 6.2.1.3 | a.4 next_event_a                                                                                                                             |    |

The **next event a** family of operators, shown in Box 36, specify that an FL property holds at a range of the next occurrences of a Boolean expression. The next occurrences of the Boolean expression include an occurrence at the current cycle.

> FL Property ::= **next\_event\_a!** (Boolean) [*finite\_positive\_*Range] (FL\_Property) | **next\_event\_a** (Boolean) [*finite\_positive\_*Range] (FL\_Property)

# Box 36—next event a operators

The rightmost operand of the next event a! or next event a operator is an FL Property that holds at the specified Range of next occurrences of the Boolean expression that is the leftmost operand. The FL Property that is the rightmost operand holds on the *i*<sup>th</sup> through *j*<sup>th</sup> occurrences (inclusive) of the Boolean expression, where *i* and *j* are the low and high bounds, respectively, of the Range.

The next event a! operator is a strong operator, thus it specifies that there are at least *j* occurrences of the leftmost operand.

The next event a operator is a weak operator, thus it does not specify that there are j occurrences of the leftmost operand.

### Restrictions

If a next event a or next event a! property contains a Range, then the Range shall be a finite, positive Range, each bound of the Range shall be statically computable, and the left bound of the Range shall be less than or equal to the right bound of the Range.

50

55

25

30

35

40

### 1 Informal semantics

- A next\_event\_a![i..j] property holds in the current cycle of a given path iff:
  - 1) the Boolean expression that is the operand holds at least *j* times, starting at the current cycle, and
    - 2) the FL property that is the operand holds at the  $i^{th}$  through  $j^{th}$  occurrences, inclusive, of the Boolean expression.
- A next\_event\_a[i..j] property holds in a given cycle of a given path iff the FL property that is the operand holds at the *i*<sup>th</sup> through *j*<sup>th</sup> occurrences, inclusive, of the Boolean expression, starting at the current cycle. If there are less than *j* occurrences of the Boolean expression, then the FL property that is the operand holds on all of them, starting from the *i*<sup>th</sup> occurrence.

### 15 **6.2.1.3.5 next\_event\_e**

The **next\_event\_e** family of operators, shown in Box 37, specify that an FL property holds at least once during a range of next occurrences of a Boolean expression. The next occurrences of the Boolean expression include an occurrence at the current cycle.

20

5

10

FL\_Property ::=
 next\_event\_e! ( Boolean ) [ finite\_positive\_Range ] ( FL\_Property )
 | next\_event\_e ( Boolean ) [ finite\_positive\_Range ] ( FL\_Property )

#### 25

30

35

40

### Box 37—next\_event\_e operators

The rightmost operand of the next\_event\_e! or next\_event\_e operator is an FL Property that holds at least once during the specified Range of next occurrences of the Boolean expression that is the leftmost operand. The FL Property that is the rightmost operand holds on one of the  $i^{th}$  through  $j^{th}$  occurrences (inclusive) of the Boolean expression, where *i* and *j* are the low and high bounds, respectively, of the Range.

The next\_event\_e! operator is a strong operator, thus it specifies that there are enough cycles so that the FL Property has a chance to hold.

The next\_event\_e operator is a weak operator, thus it does not specify that there are enough cycles so that the FL Property has a chance to hold.

Restrictions

If a next\_event\_e or next\_event\_e! property contains a Range, then the Range shall be a finite, positive Range, each bound of the Range shall be statically computable, and the left bound of the Range shall be less than or equal to the right bound of the Range.

- 45 Informal semantics
  - A next\_event\_e![i..j] property holds in the current cycle of a given path iff there is some cycle during the *i*<sup>th</sup> through *j*<sup>th</sup> next occurrences of the Boolean expression at which the FL Property that is the operand holds.
  - A next\_event\_e[i..j] property holds in the current cycle of a given path iff:
    - 1) there are less than *j* next occurrences of the Boolean expression or
    - 2) there is some cycle during the  $i^{\text{th}}$  through  $j^{\text{th}}$  next occurrences of the Boolean expression at which the FL Property that is the operand holds.

55

50

Property Specification Language Reference Manual

| 6.2.1.4 Compound FL properties                                                                                                                                                                                                                                                              | 1  |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|
| 6.2.1.4.1 abort                                                                                                                                                                                                                                                                             |    |
| The <b>abort</b> operator, shown in Box 38, specifies a condition that removes any obligation for a given FL property to hold.                                                                                                                                                              | 5  |
| FL_Property ::=<br>FL_Property <b>abort</b> Boolean                                                                                                                                                                                                                                         | 0  |
| Box 38—abort operator                                                                                                                                                                                                                                                                       |    |
| The left operand of the abort operator is the FL Property to be aborted. The right operand of the abort oper-<br>ator is the Boolean condition which causes the abort to occur.                                                                                                             | 5  |
| Restrictions                                                                                                                                                                                                                                                                                |    |
| None. 2                                                                                                                                                                                                                                                                                     | 20 |
| Informal semantics                                                                                                                                                                                                                                                                          |    |
| An abort property holds in the current cycle of a given path iff:                                                                                                                                                                                                                           | 15 |
| <ul> <li>the FL Property that is the left operand holds, or</li> <li>the series of cycles starting from the current cycle and ending with the cycle in which the Boolean condition that is the right operand holds does not contradict the FL Property that is the left operand.</li> </ul> | 25 |
| Example 3                                                                                                                                                                                                                                                                                   | 80 |
| Using abort to model an asynchronous interrupt: "A request is always followed by an acknowledge, unless a cancellation occurs."                                                                                                                                                             |    |
| always ((req -> eventually! ack) abort cancel); 3                                                                                                                                                                                                                                           | 85 |
| 6.2.1.4.2 before                                                                                                                                                                                                                                                                            |    |
| The <b>before</b> family of operators, shown in Box 39, specify that one FL property holds before a second FL property holds.                                                                                                                                                               | 10 |
| FL_Property ::=         FL_Property before! FL_Property           FL_Property before! FL_Property           FL_Property before FL_Property         4                                                                                                                                        | 15 |

### Box 39—before operators

The left operand of the before family of operators is an FL Property that holds before the FL Property which is the right operand holds.

The before! and before! operators are strong operators, thus they specify that the left FL Property eventually holds.

50

- 1 The before and before\_ operators are weak operators, thus they do not specify that the left FL Property eventually holds.
- The before! and before operators are non-inclusive operators, that is, they specify that the left operand holds strictly before the right operand holds.

The before!\_ and before\_ operators are inclusive operators, that is, they specify that the left operand holds before or at the same cycle as the right operand holds.

#### Restrictions

10

15

20

25

30

35

40

Within the simple subset (see Section 4.4.5), each operand of a before property is restricted to be a Boolean expression.

#### Informal semantics

- A before! property holds in the current cycle of a given path iff:
  - 1) the FL Property that is the left operand holds at the current cycle or at some future cycle and
  - 2) the FL Property that is the left operand holds strictly before the FL Property that is the right operand holds, or the right operand never holds.
- A before! property holds in the current cycle of a given path iff:
  - 1) the FL Property that is the left operand holds at the current cycle or at some future cycle and
  - 2) the FL Property that is the left operand holds before or at the same cycle as the FL Property that is the right operand, or the right operand never holds.
- A before property holds in the current cycle of a given path iff:
  - 1) neither the FL Property that is the left operand nor the FL Property that is the right operand ever hold in any future cycle; or
  - 2) the FL Property that is the left operand holds strictly before the FL Property that is the right operand holds.
- A before\_ property holds in the current cycle of a given path iff:
  - 1) neither the FL Property that is the left operand nor the FL Property that is the right operand ever hold in any future cycle; or
- 2) the FL Property that is the left operand holds before or at the same cycle as the FL Property that is the right operand.

### 6.2.1.4.3 until

The **until** family of operators, shown in Box 40, specify that one FL property holds until a second FL property holds.

|     | - |
|-----|---|
| - 4 | 5 |

| FL Property ::=                        |
|----------------------------------------|
| FL_Property <b>until!</b> FL_Property  |
| FL_Property <b>until!_</b> FL_Property |
| FL_Property <b>until</b> FL_Property   |
| FL_Property <b>until_</b> FL_Property  |

#### 50

#### Box 40—until operators

The left operand of the until family of operators is an FL Property that holds until the FL Property that is the right operand holds. The right operand is called the "terminating property".

| The until! and until! _ operators are strong operators, thus they specify that the terminating property even-<br>tually holds.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | 1   |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----|
| The until and until_ operators are weak operators, thus they do not specify that the terminating property eventually holds (and if it does not eventually hold, then the FL Property that is the left operand holds forever).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | 5   |
| The until! and until operators are non-inclusive operators, that is, they specify that the left operand holds up to, but not necessarily including, the cycle in which the right operand holds.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | 10  |
| The until!_ and until_ operators are inclusive operators, that is, they specify that the left operand holds up to and including the cycle in which the right operand holds.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | 10  |
| Restrictions                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | 1.5 |
| Within the simple subset (see Section 4.4.5), the right operand of an until! or until property is restricted to be a Boolean expression, and both the left and right operands of an until!_ or until_ property are restricted to be a Boolean expression.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | 15  |
| Informal semantics                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | 20  |
| <ul> <li>An until! property holds in the current cycle of a given path iff: <ol> <li>the FL Property that is the right operand holds at the current cycle or at some future cycle; and</li> <li>the FL Property that is the left operand holds at all cycles up to, but not necessarily including, the earliest cycle at which the FL Property that is the right operand holds.</li> </ol> </li> <li>An until!_ property holds in the current cycle of a given path iff: <ol> <li>the FL Property that is the right operand holds at the current cycle or at some future cycle and</li> <li>the FL Property that is the right operand holds at the current cycle or at some future cycle and</li> <li>the FL Property that is the left operand holds at all cycles up to and including the earliest cycle at which the FL Property that is the right operand holds.</li> </ol> </li> </ul> | 25  |
| <ul> <li>An until property holds in the current cycle of a given path iff:</li> <li>1) the FL Property that is the left operand holds forever; or</li> <li>2) the FL Property that is the right operand holds at the current cycle or at some future cycle, and the FL Property that is the left operand holds at all cycles up to, but not necessarily including, the earliest cycle at which the FL Property that is the right operand holds.</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                 | 30  |
| <ul> <li>An until_ property holds in the current cycle of a given path iff:</li> <li>1) the FL Property that is the left operand holds forever or</li> <li>2) the FL Property that is the right operand holds at the current cycle or at some future cycle, and the FL Property that is the left operand holds at all cycles up to and including the earliest cycle at which the FL Property that is the right operand holds.</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                   | 35  |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | 40  |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |     |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | 45  |

#### 1 6.2.1.5 Sequence-based FL properties

FL Property ::=

### 6.2.1.5.1 Suffix implication

5 The *suffix implication* family of operators, shown in Box 41, specify that an FL property or sequence holds if some pre-requisite sequence holds.

10

15

20

Sequence (FL Property) Sequence |-> Sequence ! Sequence |-> Sequence ! Sequence |=> Sequence ! Sequence => Sequence

### Box 41—Suffix implication operators

The right operand of the operator is an FL Property or Sequence that is specified to hold if the Sequence that is the left operand holds.

The Sequence |-> Sequence !=> Sequence ! properties are strong properties, so they specify that the rightmost Sequence completes.

The Sequence |-> Sequence and Sequence |=> Sequence properties are weak properties, so they 25 do not specify that the rightmost Sequence necessarily completes (this can happen, for example, if the rightmost Sequence contains a [\*]).

Restrictions

None.

30

Informal semantics

35

40

45

- A Sequence (FL Property) property holds in a given cycle of a given path iff:
  - 1) the Sequence that is the left operand does not hold at the given cycle or
  - 2) the FL Property that is the right operand holds in any cycle C such that the left operand holds tightly from the given cycle to C.
  - A Sequence |-> Sequence! property holds in a given cycle of a given path iff:
    - the Sequence that is the left operand does not hold at the given cycle or 1)
- the Sequence that is the right operand holds in any cycle C such that the Sequence that is the left 2) operand holds tightly from the given cycle to C.
  - A Sequence |-> Sequence property holds in a given cycle of a given path iff:
    - the Sequence that is the left operand does not hold at the given cycle or 1)
  - in any cycle C such that the Sequence that is the left operand holds tightly from the given cycle to C, 2) either
    - i) the Sequence that is the right operand holds, or
    - ii) any prefix of the path beginning at C can be extended such that the Sequence that is the right operand holds tightly on the extension.
- A Sequence |=> Sequence! property holds in a given cycle of a given path iff: 50
  - the Sequence that is the left operand does not hold at the given cycle or 1)
  - the Sequence that is the right operand holds in the cycle after any cycle C such that the Sequence 2) that is the left operand holds tightly from the given cycle to C.
  - A Sequence |=> Sequence property holds in a given cycle of a given path iff:
  - 1) the Sequence that is the left operand does not hold at the given cycle; or

| ii) any prefix of the path beginning in the cycle after C can be extended such that the Sequence that is the right operand holds tightly on the extension.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | 5  |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|
| 6.2.1.5.2 whilenot                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | 10 |
| The <b>whilenot</b> family of operators, shown in Box 42, specify that a sequence holds on the interval between the current cycle and a terminating condition.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |    |
| FL_Property ::=<br>whilenot! (Boolean) Sequence<br>  whilenot (Boolean) Sequence<br>  whilenot!_(Boolean) Sequence<br>  whilenot_(Boolean) Sequence                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | 15 |
| Box 42—whilenot operators                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | 20 |
| The left operand of the whilenot family of operators is a Boolean expression that defines the end of the inter-<br>val in which the sequence holds. The left operand is called the "terminating condition". The right operand is the<br>sequence that holds within the interval.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | 25 |
| The whilenot! and whilenot! _ operators are strong operators, thus they specify that the terminating con-<br>dition eventually holds.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |    |
| The whilenot and whilenot_operators are weak operators, thus they do not specify that the terminating condition eventually holds (and if the terminating condition does not eventually hold, then the sequence that is the right operand starts but never completes).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | 30 |
| The whilenot ! and whilenot operators are non-inclusive operators, that is, they specify that the sequence completes strictly before the terminating condition.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | 35 |
| The whilenot!_ and whilenot_ operators are inclusive operators, that is, they specify that the sequence completes in the same cycle as the terminating condition.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |    |
| Restrictions                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | 40 |
| None.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |    |
| Informal semantics                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | 45 |
| <ul> <li>A whilenot! property holds in a given cycle of a given path iff either</li> <li>the terminating condition holds in the given cycle and the Sequence operand holds on the empty path, or</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |    |
| <ul> <li>2) there is a cycle C subsequent to the given cycle such that the terminating condition holds at C, the terminating condition does not hold at any cycle from the given cycle to the cycle before C, and the Sequence operand holds tightly from the given cycle to the cycle before C.</li> <li>— A whilenot!_ property holds in a given cycle of a given path iff either</li> <li>1) the terminating condition holds in the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the given cycle and the Sequence operand holds tightly from the giv</li></ul> | 50 |

2) in the cycle after any cycle C such that the Sequence that is the left operand holds tightly from the

given cycle to C, either

the Sequence that is the right operand holds, or

i)

Version 1.01

given cycle to itself, or

5

10

15

20

25

30

35

40

45

- 2) there is a cycle C subsequent to the given cycle such that the terminating condition holds at C, the terminating condition does not hold at any cycle from the given cycle to the cycle before C, and the Sequence operand holds tightly from the given cycle to C.
- A whilenot property holds in a given cycle of a given path iff
  - 1) the terminating condition holds in the given cycle and the Sequence operand holds on the empty path; or
    - 2) there is a cycle C subsequent to the given cycle such that the terminating condition holds at C, the terminating condition does not hold at any cycle from the given cycle to the cycle before C, and the Sequence operand holds tightly from the given cycle to the cycle before C; or
    - 3) any prefix of the given path can be extended such that the corresponding whilenot sequence holds tightly on the extended path and the termination condition does not hold on any cycle of the extended path.

### A whilenot property holds in a given cycle of a given path iff

- 1) the terminating condition holds in the given cycle and the Sequence operand holds tightly from the given cycle to itself; or
- 2) there is a cycle C subsequent to the given cycle such that the terminating condition holds at C, the terminating condition does not hold at any cycle from the given cycle to the cycle before C, and the Sequence operand holds tightly from the given cycle to C; or
- 3) any prefix of the given path can be extended such that the corresponding whilenot\_sequence holds tightly on the extended path and the terminating condition does not hold on any cycle of the extended path.

### 6.2.1.5.3 within

The **within** family of operators, shown in Box 43, specify that a given sequence holds on an interval starting with either the occurrence of an initial condition or completion of an initial sequence, and ending with the occurrence of a terminating condition.

FL\_Property ::=
 within! ( Sequence\_or\_Boolean , Boolean ) Sequence
 | within ( Sequence\_or\_Boolean , Boolean ) Sequence
 | within! ( Sequence\_or\_Boolean , Boolean ) Sequence
 | within\_ ( Sequence\_or\_Boolean , Boolean ) Sequence
 Sequence\_or\_Boolean ::=
 Sequence | Boolean

### Box 43—within operators

The leftmost operand of the within family of operators is a Sequence or Boolean expression that defines the beginning of an interval. If the leftmost operand is a Sequence, then completion of that Sequence defines the beginning of the interval. If the leftmost operand is a Boolean expression, then it is treated as if it were a Sequence containing exactly that Boolean expression. The middle operand is a Boolean condition (the "terminating condition"), the occurrence of which defines the end of the interval. The rightmost operand is a Sequence that holds on the interval.

50 The within! and within! \_ operators are strong operators, thus they specify that the terminating condition eventually holds.

The within and within operators are weak operators, thus they do not specify that the terminating condition eventually holds (and if the terminating condition does not eventually hold, then the sequence that is the rightmost operand starts but never completes).

55

1

10

15

20

25

30

35

40

45

50

55

| <ul> <li>ing condition does not hold at any cycle from C to the cycle before D, and the rightmost operand holds tightly from C to the cycle before D.</li> <li>A within!_ property holds in a given cycle of a given path iff <ol> <li>the leftmost operand does not hold at the given cycle, or</li> <li>in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either</li> <li>the terminating condition holds at C and the rightmost operand holds tightly from C to itself, or</li> <li>there is a cycle D subsequent to C such that the terminating condition holds at D, the terminating condition does not hold at any cycle from C to the cycle before D, and the rightmost operand holds tightly from C to D.</li> </ol> </li> <li>A within property holds in a given cycle of a given path iff: <ol> <li>the leftmost operand does not hold at the given cycle, or</li> <li>in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either</li> <li>the leftmost operand does not hold at the given cycle, or</li> </ol> </li> <li>in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either</li> <li>the leftmost operand does not hold at any cycle from C to the cycle before D, and the rightmost operand holds on the empty path, or</li> <li>the terminating condition holds at C and the rightmost operand holds at D, the terminating condition does not hold at any cycle from C to the cycle before D, and the rightmost operand holds tightly from C to the cycle before D, or</li> <li>iii) any prefix of the path beginning at C can be extended such that the corresponding within sequence holds tightly on the extended path and the termination condition does not hold on any cycle of the extended path.</li> <li>A within_property holds in a given cycle of a given path iff: <ol> <li>the leftmost operand does not hold at the given cycle, or</li> <li>in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either</li> <li>the leftmost op</li></ol></li></ul>            |          | thin! and within operators are non-inclusive operators, that is, they specify that the sequence that is those operand completes strictly before the cycle in which the terminating condition holds.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <ul> <li>None.</li> <li>Informal semantics <ul> <li>A within! property holds in a given cycle of a given path iff <ol> <li>the leftmost operand does not hold at the given cycle, or</li> <li>in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either</li> <li>there is a cycle D subsequent to C such that the terminating condition holds at D, the terminating condition does not hold at any cycle form C to the cycle before D, and the rightmost operand holds tightly from C to the cycle of a given path iff</li> <li>there is a cycle D subsequent to C such that the cycle, or</li> <li>in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either</li> <li>the terminating condition holds at C and the rightmost operand holds tightly from C to itself, or</li> <li>in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either</li> <li>the terminating condition holds at C and the rightmost operand holds at D, the terminating condition holds at any cycle from C to the cycle before D, and the rightmost operand holes at pycle J subsequent to C such that the terminating condition holds at D, the terminating condition holds at any cycle from C to the cycle before D, and the rightmost operand holds tightly from C to J.</li> </ol></li></ul> </li> <li>A witchin property holds in a given cycle of a given path iff: <ul> <li>the leftmost operand does not hold at the given cycle, or</li> </ul> </li> <li>in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either</li> <li>the terminating condition holds at C and the rightmost operand holds on the empty path, or</li> <li>the is a cycle D subsequent to C such that the terminating condition holds at D, the terminating condition holds at C and the rightmost operand holds on the empty path, or</li> <li>the terminating condition holds at C and the rightmost operand holds on the empty path, or</li> <li>the terminating condition holds at C and the rightmost operand holds on the</li></ul> |          |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| <ul> <li>Informal semantics <ul> <li>A within! property holds in a given cycle of a given path iff <ol> <li>the leftmost operand does not hold at the given cycle, or</li> <li>in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either</li> <li>the terminating condition holds at C and the rightmost operand holds on the empty path, or</li> <li>there is a cycle D subsequent to C such that the terminating condition holds at D, the terminating condition does not hold at any cycle from C to the cycle before D, and the rightmost operand holds tightly from C to the cycle before D.</li> </ol></li></ul> </li> <li>A within!_property holds in a given cycle of a given path iff <ol> <li>the leftmost operand does not hold at the given cycle, or</li> <li>in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either</li> <li>the terminating condition holds at C and the rightmost operand holds tightly from C to itself, or</li> <li>there is a cycle D subsequent to C such that the terminating condition holds at D, the terminating condition does not hold at the given cycle, or</li> </ol> </li> <li>A within property holds in a given cycle of a given path iff: <ol> <li>the leftmost operand does not hold at the given cycle, or</li> </ol> </li> <li>A within property holds in a given cycle of a given path iff: <ol> <li>the leftmost operand does not hold at the given cycle, or</li> </ol> </li> </ul> <li>A within property holds in a given cycle of a given path iff: <ol> <li>the leftmost operand holds at C and the rightmost operand holds on the empty path, or</li> <li>the terminating condition holds at C and the rightmost operand holds on the empty path, or</li> <li>the terminating condition holds at C and the rightmost operand holds on the empty path, or</li> <li>the terminating condition holds at C and the rightmost operand holds on the empty path, or</li> <li>the terminating condition holds at C and the rightmost operand holds on the empty path, or</li> <li>the terminating co</li></ol></li> | Restrict | tions                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| <ul> <li>A within! property holds in a given cycle of a given path iff <ol> <li>the leftmost operand does not hold at the given cycle, or</li> <li>in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either</li> <li>the terminating condition holds at C and the rightmost operand holds at D, the terminating condition does not hold at any cycle from C to the cycle before D, and the rightmost operand holds tightly from C to the cycle before D.</li> </ol> </li> <li>A within! _ property holds in a given cycle of a given path iff <ol> <li>the terminating condition does not hold at the given cycle, or</li> <li>in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either</li> <li>the terminating condition holds at C and the rightmost operand holds tightly from C to itself, or</li> <li>in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either</li> <li>there is a cycle D subsequent to C such that the terminating condition holds at D, the terminating condition does not hold at any cycle from C to the cycle before D, and the rightmost operand holds tightly from C to itself, or</li> <li>the leftmost operand does not hold at the given cycle, or</li> </ol> </li> <li>A within property holds in a given cycle of a given path iff: <ol> <li>the leftmost operand does not hold at the given cycle, or</li> <li>in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either</li> <li>the terminating condition holds at C and the rightmost operand holds at D, the terminating condition holds at C and the rightmost operand holds tightly from the six operand holds tightly from C to D.</li> </ol> </li> <li>A within 1, property holds in a given cycle from C to the cycle before D, and the rightmost operand holds tightly from C to the cycle before D, and the rightmost operand holds tightly from C to the cycle before D, and the rightmost operand holds tightly from C to the cycle before D, and the rightmost operand ho</li></ul>          | None.    |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| <ol> <li>the leftmost operand does not hold at the given cycle, or</li> <li>in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either         <ol> <li>the terminating condition holds at C and the rightmost operand holds on the empty path, or                 ii) there is a cycle D subsequent to C such that the terminating condition holds at D, the terminating condition does not hold at any cycle from C to the cycle before D, and the rightmost operand holds tightly from C to the cycle before D.</li> <li>A within1_ property holds in a given cycle of a given path iff                 1) the leftmost operand does not hold at the given cycle, or                       2) in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either                       i) the terminating condition holds at C and the rightmost operand holds tightly from C to itself, or                       ii) there is a cycle D subsequent to C such that the terminating condition holds at D, the terminating condition does not hold at any cycle from C to the cycle before D, and the rightmost operand holds tightly from C to D.</li> </ol></li> <li>A within property holds in a given cycle of a given path iff:         <ul> <li>1) the leftmost operand does not hold at the given cycle, or</li> </ul> </li> <li>1) the leftmost operand does not hold at the given cycle, or</li> <li>2) in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either         <ul> <li>i) the terminating condition holds at C and the rightmost operand holds at D, the terminating condition holds at any cycle from C to the cycle before D, and the rightmost operand holds tightly from C to D.</li> </ul> </li> <li>A within property holds in a given cycle from C to the cycle before D, and the rightmost operand holds tightly from C to D.</li> <li>ii) an</li></ol>                                                                                                                                                           | Informa  | al semantics                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| <ul> <li>A within!_ property holds in a given cycle of a given path iff <ol> <li>the leftmost operand does not hold at the given cycle, or</li> <li>in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either</li> <li>the terminating condition holds at C and the rightmost operand holds tightly from C to itself, or</li> <li>there is a cycle D subsequent to C such that the terminating condition holds at D, the terminating condition does not hold at any cycle from C to the cycle before D, and the rightmost operand holds tightly from C to D.</li> <li>A within property holds in a given cycle of a given path iff:</li> <li>the leftmost operand does not hold at the given cycle, or</li> <li>in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either</li> <li>the terminating condition holds at C and the rightmost operand holds on the empty path, or</li> <li>the terminating condition holds at C such that the terminating condition holds at D, the terminating condition does not hold at any cycle from C to the cycle before D, and the rightmost operand holds tightly from C to the cycle before D, and the rightmost operand holds tightly from C to the cycle before D, and the rightmost operand holds tightly from C to the cycle before D, and the rightmost operand holds tightly from C to the cycle before D, or</li> <li>ii) any prefix of the path beginning at C can be extended such that the corresponding within sequence holds tightly on the extended path and the termination condition does not hold on any cycle of the extended path.</li> </ol> </li> <li>A within_ property holds in a given cycle of a given path iff: <ol> <li>the leftmost operand does not hold at the given cycle, or</li> <li>in any cycle C such that the leftmost operand holds tightly from C to itself, or</li> <li>in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either</li> <li>the leftmost operand does not hold at the given cycle, or</li> </ol> </li> <li>in any cycl</li></ul>          |          | <ol> <li>the leftmost operand does not hold at the given cycle, or</li> <li>in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either</li> <li>the terminating condition holds at C and the rightmost operand holds on the empty path, or</li> <li>there is a cycle D subsequent to C such that the terminating condition holds at D, the terminating condition does not hold at any cycle from C to the cycle before D, and the rightmost oper-</li> </ol>                                                                                                                                                                                                                                                                                                                                            |
| <ul> <li>A within property holds in a given cycle of a given path iff: <ol> <li>the leftmost operand does not hold at the given cycle, or</li> <li>in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either</li> <li>the terminating condition holds at C and the rightmost operand holds on the empty path, or</li> <li>there is a cycle D subsequent to C such that the terminating condition holds at D, the terminating condition does not hold at any cycle from C to the cycle before D, and the rightmost operand holds tightly from C to the cycle before D, or</li> <li>any prefix of the path beginning at C can be extended such that the corresponding within sequence holds tightly on the extended path and the termination condition does not hold on any cycle of the extended path.</li> </ol> </li> <li>A within_ property holds in a given cycle of a given path iff: <ol> <li>the leftmost operand does not hold at the given cycle, or</li> <li>in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either</li> <li>the leftmost operand does not hold at the given cycle, or</li> <li>in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either</li> <li>the terminating condition holds at C and the rightmost operand holds tightly from C to itself, or</li> <li>the terminating condition holds at C and the rightmost operand holds tightly from C to itself, or</li> <li>there is a cycle D subsequent to C such that the terminating condition holds at D, the terminating condition does not hold at any cycle from C to the cycle before D, and the rightmost operand holds tightly from C to itself, or</li> </ol> </li> </ul>                                                                                                                                                                                                                                                                                                                                                                        |          | <ul> <li>A within! property holds in a given cycle of a given path iff</li> <li>1) the leftmost operand does not hold at the given cycle, or</li> <li>2) in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either</li> <li>i) the terminating condition holds at C and the rightmost operand holds tightly from C to itself, or</li> <li>ii) there is a cycle D subsequent to C such that the terminating condition holds at D, the terminating condition does not hold at any cycle from C to the cycle before D, and the rightmost oper-</li> </ul>                                                                                                                                                                                                                                                 |
| <ul> <li>A within_ property holds in a given cycle of a given path iff:</li> <li>1) the leftmost operand does not hold at the given cycle, or</li> <li>2) in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either</li> <li>i) the terminating condition holds at C and the rightmost operand holds tightly from C to itself, or</li> <li>ii) there is a cycle D subsequent to C such that the terminating condition holds at D, the terminating condition does not hold at any cycle from C to the cycle before D, and the rightmost operand holds tightly from C to D, or</li> <li>iii) any prefix of the path beginning at C can be extended such that the corresponding within_</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |          | <ul> <li>A within property holds in a given cycle of a given path iff:</li> <li>1) the leftmost operand does not hold at the given cycle, or</li> <li>2) in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either</li> <li>i) the terminating condition holds at C and the rightmost operand holds on the empty path, or</li> <li>ii) there is a cycle D subsequent to C such that the terminating condition holds at D, the terminating condition does not hold at any cycle from C to the cycle before D, and the rightmost operand holds tightly from C to the cycle before D, or</li> <li>iii) any prefix of the path beginning at C can be extended such that the corresponding within sequence holds tightly on the extended path and the termination condition does not hold on any</li> </ul> |
| sequence holds tightly on the extended path and the termination condition does not hold on any cycle of the extended path.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | _        | <ul> <li>A within_ property holds in a given cycle of a given path iff:</li> <li>1) the leftmost operand does not hold at the given cycle, or</li> <li>2) in any cycle C such that the leftmost operand holds tightly from the given cycle to C, either <ol> <li>the terminating condition holds at C and the rightmost operand holds tightly from C to itself, or</li> <li>there is a cycle D subsequent to C such that the terminating condition holds at D, the terminating condition does not hold at any cycle from C to the cycle before D, and the rightmost operand holds tightly from C to D, or</li> <li>any prefix of the path beginning at C can be extended such that the corresponding within_ sequence holds tightly on the extended path and the termination condition does not hold on any</li> </ol> </li> </ul>         |

## 1 6.2.1.6 Logical FL properties

### 6.2.1.6.1 Logical implication

| 5 | The logical implication | n operator (->). | shown in Box 44. | is used to specify | logical implication. |
|---|-------------------------|------------------|------------------|--------------------|----------------------|
| - | The logical implication | moperator ( ),   | Shown m Don 11,  | is abea to specify | iogical implication. |

10

FL\_Property ::= FL Property -> FL Property

### Box 44—Logical implication operator

15 The right operand of the logical implication operator is an FL Property that is specified to hold if the FL Property 15 which is the left operand holds.

Restrictions

Within the simple subset (see Section 4.4.5), the left operand of a logical implication property is restricted to be a Boolean expression.

#### Informal semantics

- A logical implication property holds in a given cycle of a given path iff:
  - the FL Property that is the left operand does not hold at the given cycle or
  - the FL Property that is the right operand does hold at the given cycle.

### 6.2.1.6.2 Logical iff

The *logical iff* operator (<->), shown in Box 45, is used to specify the iff (if and only if) relation between two properties.

35

25

30

FL\_Property ::= FL\_Property <-> FL\_Property

### Box 45—Logical iff operator

<sup>40</sup> The two operands of the logical iff operator are FL Properties. The logical iff operator specifies that either both operands hold, or neither operand holds.

Restrictions

45 Within the simple subset (see Section 4.4.5), both operands of a logical iff property are restricted to be a Boolean expression.

Informal semantics

- 50 A logical iff property holds in a given cycle of a given path iff:
  - both FL Properties that are operands hold at the given cycle or
  - neither of the FL Properties that are operands holds at the given cycle.

| FL_Prope<br>FL_Pr                                                                                                                                                                                 | rty ::=<br>operty AND_OP FL_Property                                                                                                               |   |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------|---|
|                                                                                                                                                                                                   | Box 46—Logical and operator                                                                                                                        |   |
| The operands of the logical a                                                                                                                                                                     | nd operator are two FL Properties that are both specified to hold.                                                                                 |   |
| Restrictions                                                                                                                                                                                      |                                                                                                                                                    |   |
| Within the simple subset (see<br>an expression.                                                                                                                                                   | Section 4.4.5), the left operand of a logical and property is restricted to be a Bool-                                                             |   |
| nformal semantics                                                                                                                                                                                 |                                                                                                                                                    |   |
|                                                                                                                                                                                                   | n a given cycle of a given path iff the FL Properties that are the operands both hold                                                              |   |
|                                                                                                                                                                                                   |                                                                                                                                                    |   |
|                                                                                                                                                                                                   |                                                                                                                                                    |   |
| at the given cycle.                                                                                                                                                                               |                                                                                                                                                    | : |
| at the given cycle.<br>6.2.1.6.4 Logical or                                                                                                                                                       | n in Box 47, is used to specify logical or.                                                                                                        | 2 |
| tt the given cycle.<br>5.2.1.6.4 Logical or<br>The <i>logical or</i> operator, show<br>FL Prope                                                                                                   | rty ::=                                                                                                                                            |   |
| at the given cycle.<br>5.2.1.6.4 Logical or<br>The <i>logical or</i> operator, show<br>FL Prope                                                                                                   | rty ::=<br>operty OR_OP FL_Property                                                                                                                |   |
| at the given cycle.<br><b>5.2.1.6.4 Logical or</b><br>The <i>logical or</i> operator, show<br>FL Prope                                                                                            | rty ::=                                                                                                                                            |   |
| tt the given cycle.<br>5.2.1.6.4 Logical or<br>The <i>logical or</i> operator, show<br>FL_Prope<br>FL_Pr                                                                                          | rty ::=<br>operty OR_OP FL_Property                                                                                                                |   |
| tt the given cycle.<br>5.2.1.6.4 Logical or<br>The <i>logical or</i> operator, show<br>FL_Prope<br>FL_Pr                                                                                          | rty ::=<br>operty OR_OP FL_Property<br>Box 47—Logical or operator                                                                                  |   |
| tt the given cycle.<br><b>5.2.1.6.4 Logical or</b><br>The <i>logical or</i> operator, show<br>FL_Prope<br>FL_Pr<br>The operands of the logical o<br>Restrictions                                  | rty ::=<br>operty OR_OP FL_Property<br>Box 47—Logical or operator                                                                                  |   |
| tt the given cycle.<br><b>5.2.1.6.4 Logical or</b><br>The <i>logical or</i> operator, show<br>FL_Prope<br>FL_Pr<br>The operands of the logical o<br>Restrictions<br>Within the simple subset (see | try ::=<br>operty OR_OP FL_Property<br>Box 47—Logical or operator<br>r operator are two FL Properties, at least one of which is specified to hold. |   |

### 1 6.2.1.6.5 Logical not

The logical not operator, shown in Box 48, is used to specify logical negation.

| FL_Property ::=<br>NOT_OP FL_Property |  |
|---------------------------------------|--|
|                                       |  |

10

15

20

25

5

### Box 48—Logical not operator

The operand of the logical not operator is an FL Property that is specified to not hold.

### Restrictions

Within the simple subset (see Section 4.4.5), the operand of a logical not property is restricted to be a Boolean expression.

### Informal semantics

A logical not property holds in a given cycle of a given path iff the FL Property that is the operand does not hold at the given cycle.

### 6.2.1.7 LTL operators

The LTL operators, shown in Box 49, provide standard LTL syntax for other PSL operators.

| 30 | FL_Property ::=<br>X FL_Property<br>  X! FL_Property<br>  F FL_Property<br>  G FL_Property U FL_Property ]<br>  [ FL_Property W FL_Property ] |
|----|-----------------------------------------------------------------------------------------------------------------------------------------------|
| 35 |                                                                                                                                               |

### Box 49—LTL operators

The standard LTL operators are alternate syntax for the equivalent PSL operators, as shown in Table 3.

40

45

50

| Standard LTL<br>operator | Equivalent PSL<br>operator |
|--------------------------|----------------------------|
| Х                        | next                       |
| X !                      | next!                      |
| F                        | eventually!                |
| G                        | always                     |
| U                        | until!                     |
| W                        | until                      |

### Table 3—PSL equivalents

| Restrictions                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | 1  |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|
| The restrictions that apply to each equivalent PSL operator also apply to the corresponding standard LTL operator.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |    |
| 6.2.2 Optional Branching Extension (OBE) properties                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | 5  |
| Properties of the Optional Branching Extension ( <i>OBE</i> ), shown in Box 50, are interpreted over trees of states as opposed to properties of the Foundation Language (FL), which are interpreted over sequences of states. A <i>tree of states</i> is obtained from the model by unwrapping, where each path in the tree corresponds to some computation path of the model. A node in the tree branches to several nodes as a result of non-determinism in the model. A completely deterministic model unwraps to a tree of exactly one path, i.e., to a sequence of states. An OBE property holds or does not hold for a specific state of the tree. | 10 |
| OBE_Property ::=<br>Boolean<br>  ( OBE_Property )                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | 15 |
| Box 50—OBE properties                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | 20 |
| The most basic OBE Property is a Boolean expression. An OBE Property enclosed in parentheses is also an OBE Property.<br>6.2.2.1 Universal OBE properties<br>6.2.2.1.1 AX operator                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | 25 |
| The <b>AX</b> operator, shown in Box 51, specifies that an OBE property holds at all next states of the given state.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | 30 |
| OBE_Property ::=<br>AX OBE_Property<br>Box 51—AX operator                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | 35 |
| The operand of AX is an OBE Property that is specified to hold at all next states of the given state.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |    |
| Restrictions                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | 40 |
| None.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |    |
| Informal semantics                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | 45 |
| An AX property holds at a given state iff, for all paths beginning at the given state, the OBE Property that is the operand holds at the next state.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | 45 |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | 50 |

### 1 6.2.2.1.2 AG operator

The AG operator, shown in Box 52, specifies that an OBE property holds at the given state and at all future states.

OBE\_Property ::= AG OBE\_Property

10

5

### Box 52—AG operator

The operand of AG is an OBE Property that is specified to hold at the given state and at all future states.

15 *Restrictions* 

None.

### Informal semantics

An AG property holds at a given state iff, for all paths beginning at the given state, the OBE Property that is the operand holds at the given state and at all future states.

### 25

20

### 6.2.2.1.3 AF operator

The **AF** operator, shown in Box 53, specifies that an OBE property holds now or at some future state, for all paths beginning at the current state.

30

OBE\_Property ::= AF OBE\_Property

### 35

### Box 53—AF operator

The operand of AF is an OBE Property that is specified to hold now or at some future state, for all paths beginning at the current state.

40 *Restrictions* 

None.

45 Informal semantics

An AF property holds at a given state iff, for all paths beginning at the given state, the OBE Property that is the operand holds at the first state or at some future state.

| OBE_Property ::=<br>A [ OBE_Property U OBE_Property ]                                                                                                                                                                                                                                                    |   |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|
| Box 54—AU operator                                                                                                                                                                                                                                                                                       | 1 |
| The first operand of AU is an OBE Property that is specified to hold until the OBE Property that is the second operand holds along all paths starting at the given state.                                                                                                                                | ] |
| Restrictions                                                                                                                                                                                                                                                                                             |   |
| None.                                                                                                                                                                                                                                                                                                    |   |
| Informal semantics                                                                                                                                                                                                                                                                                       |   |
| An AU property holds at a given state iff, for all paths beginning at the given state:                                                                                                                                                                                                                   |   |
| <ul> <li>the OBE Property that is the right operand holds at the current state or at some future state; and</li> <li>the OBE Property that is the left operand holds at all states, up to but not necessarily including, the state in which the OBE Property that is the right operand holds.</li> </ul> | 2 |
| 6.2.2.2 Existential OBE properties                                                                                                                                                                                                                                                                       |   |
| 6.2.2.2.1 EX operator                                                                                                                                                                                                                                                                                    |   |
| The <b>EX</b> operator, shown in Box 55, specifies that an OBE property holds at some next state.<br>The operand of EX is an OBE property that is specified to hold at some next state of the given state.                                                                                               |   |
| OBE Property ::=<br>EX OBE_Property                                                                                                                                                                                                                                                                      |   |
| Box 55—EX operator                                                                                                                                                                                                                                                                                       |   |
| Restrictions                                                                                                                                                                                                                                                                                             |   |
| None.                                                                                                                                                                                                                                                                                                    |   |
| Informal semantics                                                                                                                                                                                                                                                                                       |   |
| An EX property holds at a given state iff there exists a path beginning at the given state, such that the OBE Property which is the operand holds at the next state.                                                                                                                                     |   |
|                                                                                                                                                                                                                                                                                                          |   |
|                                                                                                                                                                                                                                                                                                          |   |

### 1 6.2.2.2 EG operator

The **EG** operator, shown in Box 56, specifies that an OBE property holds at the current state and at all future states of some path beginning at the current state.

| C | BE Property ::=<br>EG OBE_Property |
|---|------------------------------------|

10

15

5

### Box 56—EG operator

The operand of EG is an OBE Property that is specified to hold at the current state and at all future states of some path beginning at the given state.

Restrictions

None.

# 20 Informal semantics

An EG property holds at a given state iff there exists a path beginning at the given state, such that the OBE Property that is the operand holds at the given state and at all future states.

### 25

### 6.2.2.2.3 EF operator

The **EF** operator, shown in Box 57, specifies that an OBE property holds now or at some future state of some path beginning at the given state.

|  | OBE Property ::=<br>EF OBE_Property |
|--|-------------------------------------|
|--|-------------------------------------|

35

40

# Box 57—EF operator

The operand of EF is an OBE Property that is specified to hold now or at some future state of some path beginning at the given state.

Restrictions

None.

45 Informal semantics

An EF property holds at a given state iff there exists a path beginning at the given state, such that the OBE Property that is the operand holds at the current state or at some future state.

50

| 6.2.2.2.4 EU operator                                                                                                                                                                                                                                                                                    | 1        |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
| The <b>EU</b> operator, shown in Box 58, specifies that an OBE property holds until a specified terminating property holds, for some path beginning at the given state.                                                                                                                                  | 5        |
| OBE Property ::=<br>E [ OBE_Property ]                                                                                                                                                                                                                                                                   | 5        |
| Box 58—EU operator                                                                                                                                                                                                                                                                                       | 10       |
| The first operand of EU is an OBE Property that is specified to hold until the OBE Property that is the second operand holds for some path beginning at the given state.                                                                                                                                 | 15       |
| Restrictions                                                                                                                                                                                                                                                                                             | 15       |
| None.                                                                                                                                                                                                                                                                                                    |          |
| Informal semantics                                                                                                                                                                                                                                                                                       | 20       |
| An EU property holds at a given state iff there exists a path beginning at the given state, such that:                                                                                                                                                                                                   |          |
| <ul> <li>the OBE Property that is the right operand holds at the current state or at some future state; and</li> <li>the OBE Property that is the left operand holds at all states, up to but not necessarily including, the state in which the OBE Property that is the right operand holds.</li> </ul> | 25       |
| 6.2.2.3 Logical OBE properties<br>6.2.2.3.1 OBE implication                                                                                                                                                                                                                                              | 30       |
| The <i>OBE implication</i> operator (->), shown in Box 59, is used to specify logical implication.                                                                                                                                                                                                       | 35       |
| OBE_Property ::=<br>OBE_Property -> OBE_Property                                                                                                                                                                                                                                                         |          |
| Box 59—OBE implication operator                                                                                                                                                                                                                                                                          | 40       |
| The right operand of the OBE implication operator is an OBE Property that is specified to hold if the OBE Property that is the left operand holds.                                                                                                                                                       |          |
|                                                                                                                                                                                                                                                                                                          |          |
| Restrictions                                                                                                                                                                                                                                                                                             | 45       |
|                                                                                                                                                                                                                                                                                                          | 45       |
| Restrictions                                                                                                                                                                                                                                                                                             | -        |
| Restrictions None.                                                                                                                                                                                                                                                                                       | 45<br>50 |

# 1 6.2.2.3.2 OBE iff

5

The *OBE iff* operator (<->), shown in Box 60, is used to specify the *iff* (if and only if) relation between two properties.

|    | OBE_Property ::=<br>OBE_Property <-> OBE_Property                                                                                               |
|----|-------------------------------------------------------------------------------------------------------------------------------------------------|
| 10 | Box 60—OBE iff operator                                                                                                                         |
| 15 | The two operands of the OBE iff operator are OBE Properties. The OBE iff operator specifies that either operands hold or neither operand holds. |
| 10 | Restrictions                                                                                                                                    |
|    | None.                                                                                                                                           |
| 20 | Informal semantics                                                                                                                              |
|    | An OBE iff property holds in a given state iff:                                                                                                 |
|    |                                                                                                                                                 |

both OBE Properties that are operands hold at the given state or
 neither of the OBE Properties that are operands hold at the given state.

# 6.2.2.3.3 OBE and

The OBE and operator, shown in Box 61, is used to specify logical and.

| OBE_Property ::=<br>OBE_Property AND_OP OBE_Property |  |
|------------------------------------------------------|--|
|                                                      |  |

# Box 61—OBE and operator

The operands of the OBE and operator are two OBE Properties that are both specified to hold.

Restrictions

None.

45 Informal semantics

An OBE and property holds in a given state iff the OBE Properties that are the operands both hold at the given state.

50

30

35

55

both

| 0                                                                                        | BE_Property ::=<br>OBE_Property OR_OP OBE_Property                                                                            |  |
|------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|--|
|                                                                                          | Box 62—OBE or operator                                                                                                        |  |
| The operands of the C                                                                    | BE or operator are two OBE Properties, at least one of which is specified to hold.                                            |  |
| <i>Cestrictions</i>                                                                      |                                                                                                                               |  |
| Jone.                                                                                    |                                                                                                                               |  |
| nformal semantics                                                                        |                                                                                                                               |  |
| njormai semantics                                                                        |                                                                                                                               |  |
| OBE or property ho                                                                       | olds in a given state iff at least one of the OBE Properties that are the operands holds at the                               |  |
| A OBE or property ho<br>iven state.                                                      | olds in a given state iff at least one of the OBE Properties that are the operands holds at the                               |  |
| A OBE or property ho<br>iven state.                                                      | olds in a given state iff at least one of the OBE Properties that are the operands holds at the                               |  |
| A OBE or property ho<br>iven state.<br>5.2.2.3.5 OBE not<br>The <i>OBE not</i> operator  |                                                                                                                               |  |
| A OBE or property ho<br>jiven state.<br>5.2.2.3.5 OBE not<br>The <i>OBE not</i> operator | ; shown in Box 63, is used to specify logical negation.<br>BE Property ::=                                                    |  |
| A OBE or property ho<br>iven state.                                                      | s, shown in Box 63, is used to specify logical negation.<br>BE_Property ::=<br>NOT_OP OBE_Property                            |  |
| A OBE or property ho<br>iven state.                                                      | s, shown in Box 63, is used to specify logical negation.<br>BE_Property ::=<br>NOT_OP OBE_Property<br>Box 63—OBE not operator |  |
| A OBE or property ho<br>iven state.                                                      | s, shown in Box 63, is used to specify logical negation.<br>BE_Property ::=<br>NOT_OP OBE_Property<br>Box 63—OBE not operator |  |
| A OBE or property here iven state.                                                       | s, shown in Box 63, is used to specify logical negation.<br>BE_Property ::=<br>NOT_OP OBE_Property<br>Box 63—OBE not operator |  |

### 1 6.2.3 Replicated properties

5 Property ::= Replicator Property Replicator ::= forall Name [ IndexRange ] in ValueSet : 10 IndexRange ::= LEFT\_SYM finite\_Range RIGHT\_SYM Flavor Macro LEFT\_SYM = Verilog: [ / VHDL: ( / GDL: ( Flavor Macro RIGHT\_SYM = Verilog: / VHDL: / GDL: ) 15 ValueSet ::= ValueRange {, ValueRange } } boolean ValueRange ::= Value 20 finite Range Range ::= LowBound RANGE SYM HighBound Box 64—Replicating properties 25 The first operand of a Replicator is the parameter in the parameterized property. This parameter can be an array. The second operand is the set of values over which replication occurs. 1) If the parameter is not an array, then the property is replicated once for each value in the set of val-30 ues, with that value substituted for the parameter. The total number of replications is equal to the size of the set of values. 2) If the parameter is an array of size N, then the property is replicated once for each possible combination of N (not necessarily distinct) values from the set of values, with those values substituted for the N elements of the array parameter. If the set of values has size K, then the total number of repli-35 cations is equal to  $K^N$ . The set of values can be specified in three different ways — The keyword **boolean** specifies the set of values {*True*, *False*}. 40 — A ValueRange specifies the set of all values within the given range. The comma (,) between *ValueRanges* indicates the union of the obtained sets. Restrictions 45 If the Name has an associated IndexRange, the IndexRange shall be specified as a finite Range, each bound of the Range shall be statically computable, and the left bound of the Range shall be less than or equal to the right bound of the Range. 50 If a Value is used to specify a ValueRange, the Value shall be statically computable. If a Range is used to specify a ValueRange, the Range shall be a finite Range, each bound of the Range shall be statically computable, and the left bound of the Range shall be less than or equal to the right bound of the Range.

Replicated properties are specified using the operator forall, as shown in Box 64. The first operand of the rep-

licated property is a Replicator and the second operand is a parameterized property.

5

10

15

The Name shall be used in one or more expressions in the Property, or as an actual parameter in the instantiation of a parameterized Property, so that each of the replicated instances of the Property corresponds to a unique value of the Name.

An implementation may impose restrictions on the use of a replication variable Name defined by a Replicator. However, an implementation shall support at least comparison (equality, inequality) between the Name and an expression, and use of the Name as an index or repetition count.

Replicators can be nested, but all nested Replicators shall be at the top level. A replicated property shall not be nested within a non-replicated property.

NOTE—The Name defined by a replicator represents a non-static variable. Since the bounds of both an IndexRange and a ValueRange must be defined by statically computable expressions, those expressions cannot refer to the replication variable Name of another Replicator, and therefore neither the IndexRange nor the ValueRange of a nested Replicator can be defined in terms of the replicator variable Name of a containing Replicator.

#### Informal semantics

| — A forall i in boolean: f(i) property is replicated to define two instances<br>of the property f(i):        | 20 |
|--------------------------------------------------------------------------------------------------------------|----|
| f(true)<br>f(false)                                                                                          |    |
| — A forall i in {j:k} : f(i) property is replicated to define k-j+1 instances<br>of the property f(i):       | 25 |
| f(j)<br>f(j+1)<br>f(j+2)                                                                                     | 30 |
| f(k)                                                                                                         |    |
| — A forall i in {j,l} : f(i) property is replicated to define two instances<br>of the property f(i):         | 35 |
| f(j)<br>f(l)                                                                                                 |    |
| — A forall i[0:1] in boolean : f(i) property is replicated to define four instances<br>of the property f(i): | 40 |
| <pre>f({false,false}) f({false,true}) f({true,false}) f({true,true})</pre>                                   | 45 |
| — A forall i[0:2] in {4,5} : f(i) property is replicated to define eight instances of the property f(i):     | 50 |
| $f({4,4,4})$<br>$f({4,4,5})$                                                                                 | 50 |
| f({4,5,4})<br>f({4,5,5})                                                                                     | 55 |

```
1
           f({5,4,4})
           f({5,4,5})
           f({5,5,4})
           f({5,5,5})
 5
        Examples
10
        Legal:
           forall i[0:3] in boolean:
15
                request && (data_in == i) -> next(data_out == i)
           forall i in boolean:
              forall j in \{0:7\}:
                  forall k in \{0:3\}:
20
                     f(i,j,k)
        Illegal:
25
           always (request ->
                forall i in boolean: next e[1:10](response[i]))
           forall j in \{0:7\}:
30
                forall k in \{0:j\}:
                   f(j,k)
```

#### 6.2.4 Named properties

A given property may be applicable in more than one part of the design. In such a case, it is convenient to be able to define the property once and refer to the single definition wherever the property applies. Declaration and instantiation of *named properties* provide this capability.

40

35

45

50

|  | 1 |
|--|---|
|  | 1 |
|  |   |

10

15

# 6.2.4.1 Property declaration

A *property declaration*, shown in Box 65, defines a property and gives it a name. A property declaration can also specify a list of formal parameters that can be referenced within the property.

| PSL_Declaration ::=<br>Property Declaration                           |
|-----------------------------------------------------------------------|
| Property Declaration ::=                                              |
| <b>property</b> Name [ ( Formal_Parameter_List ) ] DEF_SYM Property ; |
| Formal Parameter List ::=                                             |
| Formal Parameter { ; Formal Parameter }                               |
| Formal Parameter ::=                                                  |
| ParamKind Name {, Name }                                              |
| ParamKind ::=                                                         |
| const   boolean   property   sequence                                 |

#### Box 65—Property declaration

| Restrictions                                                                                                                                                                                                                                                                                                                                                                                                                  | 20 |  |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|--|
| The Name of a declared property shall not be the same as the name of any other PSL declaration.                                                                                                                                                                                                                                                                                                                               |    |  |
| Example                                                                                                                                                                                                                                                                                                                                                                                                                       |    |  |
| <pre>property ResultAfterN (boolean start; property result; const n; boolean stop) =     always ((start -&gt; next[n] (result)) @ (posedge clk) abort stop);</pre>                                                                                                                                                                                                                                                            | 25 |  |
| This property could also be declared as follows:                                                                                                                                                                                                                                                                                                                                                                              |    |  |
| <pre>property ResultAfterN (boolean start, stop; property result; const n) =     always ((start -&gt; next[n] (result)) @ (posedge clk) abort stop);</pre>                                                                                                                                                                                                                                                                    | 30 |  |
| The two declarations have slightly different interfaces (i.e., different formal parameter orders), but they both declare the same property ResultAfterN. This property describes behavior in which a specified result (a property) occurs n cycles after an enabling condition (parameter start) occurs, with cycles defined by rising edges of signal clk, unless an (asynchronous) abort condition (parameter stop) occurs. | 35 |  |
| NOTE—There is no requirement to use formal parameters in a property declaration. A declared property may refer directly to signals in the design as well as to formal parameters.                                                                                                                                                                                                                                             | 40 |  |
| 6.2.4.2 Property instantiation                                                                                                                                                                                                                                                                                                                                                                                                | -  |  |
| A <i>property instantiation</i> , shown in Box 66, creates an instance of a named property and provides actual parameters for formal parameters (if any) of the named property.                                                                                                                                                                                                                                               | 45 |  |
| <pre>FL_Property ::=     property_Name [ ( Actual_Parameter_List ) ]</pre>                                                                                                                                                                                                                                                                                                                                                    |    |  |
| Actual_Parameter_List ::=<br>Actual_Parameter { , Actual_Parameter }<br>Actual_Parameter ::=<br>Number   Boolean   Property   Sequence                                                                                                                                                                                                                                                                                        | 50 |  |
| Box 66—Property instantiation                                                                                                                                                                                                                                                                                                                                                                                                 |    |  |

#### 1 Restrictions

For each formal parameter of the named property *property\_Name*, the property instantiation shall provide a corresponding actual parameter. For a const formal parameter, the actual parameter shall be a statically evaluable integer expression. For a boolean formal parameter, the actual parameter shall be a Boolean expression. For a property formal parameter, the actual parameter shall be an FL Property. For a sequence formal parameter, the actual parameter, the actual parameter, the actual parameter, the actual parameter shall be an FL Property. For a sequence formal parameter, the actual parameter shall be a Sequence.

# 10 Informal semantics

An instance of a named property holds at a given evaluation cycle if and only if the named property, modified by replacing each formal parameter in the property declaration with the corresponding actual parameter in the property instantiation, holds in that evaluation cycle.

15

5

#### 20 Example

Given the first declaration for the property ResultAfterN in 6.2.4.1,

is equivalent to

35

40

45

50

# 7. Verification layer

The verification layer provides *directives* which tell the verification tools what to do with the specified properties. The verification layer also provides constructs which group related directives and other PSL statements.

# 7.1 Verification directives

The verification directives are:

- assert
- assume
- assume\_guarantee
- restrict
- restrict\_guarantee
- cover
- fairness and strong fairness

#### 7.1.1 assert

The verification directive assert, shown in Box 67, instructs the verification tool to verify that a property holds.

|                      | 25 |
|----------------------|----|
| Assert_Statement ::= | 23 |
| assert Property;     |    |

#### Box 67—Assert statement

Example

The directive

assert always (ack -> next !ack);

instructs the verification tool to verify that the property

always (ack -> next !ack)

holds in the design.

#### 7.1.2 assume

The verification directive assume, shown in Box 68, instructs the verification tool to constrain the verification 45 (e.g., the behavior of the input signals) so that a property holds.

Assume\_Statement ::= **assume** Property ;

Box 68—Assume statement

50

1

5

10

15

20

30

35

#### 1 Restrictions

The Property that is the operand of an assume directive must be an FL Property.

5 Example

The directive

10 assume always (ack -> next !ack);

> instructs the verification tool to constrain the verification (e.g., the behavior of the input signals) so that the property

15 always (ack -> next !ack)

holds in the design.

Verification tools are not obligated to verify the assumed property. Assumptions are often used to specify the 20 operating conditions of a design property by constraining the behavior of the design inputs. In other words, an asserted property is required to hold only along those paths which obey the assumption.

#### 7.1.3 assume guarantee

- 25 The assume guarantee directive, shown in Box 69, instructs the verification tool to constrain the verification (e.g., the behavior of the input signals) so that a property holds and also to verify that the assumed property holds.
- 30

40

Assume Guarantee Statement ::= **assume guarantee** Property ;

### Box 69—Assume\_guarantee statement

35 Restrictions

The Property that is the operand of an assume guarantee directive must be an FL Property.

Example

The directive

assume guarantee always (ack -> next !ack);

45 instructs the tool to assume that whenever signal ack is asserted, it is not asserted at the next cycle, while also verifying that the property holds. To illustrate how this verification directive is used, imagine two design blocks, A and B, and the signal ack as an output from block B and an input to block A. The property

assume guarantee always (ack -> next !ack);

can be assumed to verify some other properties related to block A. However, verification tools shall also indicate the proof obligation of this property when block B is present. How this information is used is tool-dependent.

55

| 7.1.4 | restrict |
|-------|----------|
|       |          |

The verification directive restrict, shown in Box 70, is a way to constrain the design inputs using sequences.

| Restrict_Statement ::=<br>restrict Sequence ;                                                                                                                                                                                                               | 5  |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|
| Box 70—Restrict statement                                                                                                                                                                                                                                   | 10 |
| A restrict directive can be used to initialize the design to get to a specific state before checking assertions.                                                                                                                                            |    |
| Note-Verification tools are not obligated to verify that the restricted sequence holds.                                                                                                                                                                     | 15 |
| Example                                                                                                                                                                                                                                                     | 15 |
| The directive                                                                                                                                                                                                                                               |    |
| restrict {!rst;rst[*3];!rst[*]};                                                                                                                                                                                                                            | 20 |
| is a constraint that every execution trace begins with one cycle of rst low, followed by three cycles of rst<br>high, followed by rst being low forever.                                                                                                    |    |
| 7.1.5 restrict_guarantee                                                                                                                                                                                                                                    | 25 |
| The directive restrict_guarantee, shown in Box 71, instructs the verification tool to constrain the design inputs so that a sequence holds and also to verify that the restrict sequence holds.                                                             |    |
| Restrict_Guarantee_Statement ::=<br>restrict_guarantee Sequence ;                                                                                                                                                                                           | 30 |
| Box 71—Restrict_guarantee statement                                                                                                                                                                                                                         |    |
| Example                                                                                                                                                                                                                                                     | 35 |
| The directive                                                                                                                                                                                                                                               |    |
| <pre>restrict_guarantee {!rst;rst[*3];!rst[*]};</pre>                                                                                                                                                                                                       | 40 |
| is a constraint that every execution trace begins with one cycle of rst low, followed by three cycles of rst<br>high, followed by rst being low forever, while also verifying that the constraint holds. How this information is<br>used is tool-dependent. |    |
| 7.1.6 cover                                                                                                                                                                                                                                                 | 45 |
| The verification directive cover, shown in Box 72, directs the verification tool to check if a certain path was covered by the verification space based on a simulation test suite or a set of given constraints.                                           | 50 |
| Cover_Statement ::=<br>cover Sequence ;                                                                                                                                                                                                                     |    |
| Box 72—Cover statement                                                                                                                                                                                                                                      | 55 |

#### 1 Example

The directive

5

10

cover {start trans;!end trans[\*];start trans & end trans};

instructs the verification tool to check if there is at least one case in which a transaction starts and then another one starts the same cycle which the previous one completed.

#### 7.1.7 fairness and strong fairness

The directives fairness and strong fairness, shown in Box 73, are special kinds of assumptions which correspond to liveness properties.

15

| Fairness Statement ::=            |  |
|-----------------------------------|--|
| fairness Boolean;                 |  |
| strong fairness Boolean, Boolean; |  |

20

## Box 73—Fairness statement

If the fairness constraint includes the keyword strong, then it is a *strong fairness constraint*; otherwise it is a *simple fairness constraint*.

25

30

Fairness constraints can be used to filter out certain behaviors. For example, they can be used to filter out a repeated occurrence of an event that blocks another event forever. Fairness constraints guide the verification tool to verify the property only over fair paths. A path is *fair* if every fairness constraint holds along the path. A simple fairness constraint holds along a path if the given Boolean expression occurs infinitely many times along the path. A strong fairness constraint holds along the path if a given Boolean expression does not occur infinitely many times along the path.

Examples

35 The directive

fairness p;

instructs the verification tool to verify the formula only over paths in which the Boolean expression p occursinfinitely often. Semantically it is equivalent to the assumption

assume GF p;

The directive

strong fairness p,q;

instructs the verification tool to verify the formula only over paths in which either the Boolean expression p does not occur infinitely often or the Boolean expression q occurs infinitely often. Semantically it is equivalent to the assumption

assume (GF p) -> (GF q);

55

45

7.2 Verification units

A verification unit, shown in Box 74, is used to group verification directives and other PSL statements.

| Verification Unit ::=                          | 5  |
|------------------------------------------------|----|
| VUnitType Name [ ( Hierarchical_HDL_Name ) ] { |    |
| { Inherit Spec }                               |    |
| VUnit Item }                                   |    |
|                                                | 10 |
| VUnitType ::=                                  | 10 |
| vunit   vprop   vmode                          |    |
| Name ::=                                       |    |
| HDL ID                                         |    |
| Hierarchical HDL Name ::=                      |    |
| module_Name { PATH_SYM instance_Name }         | 15 |
| Inherit Spec ::=                               | 10 |
| <b>inherit</b> vunit_Name { , vunit_Name } ;   |    |
| VUnit_Item ::=                                 |    |
| HDL_Decl_or_Stmt                               |    |
| PSL_Declaration                                |    |
| Verification_Directive                         | 20 |
|                                                | 20 |

Box 74—Verification unit

| The <i>Name</i> is the name by which this verification unit is known to the verification tools.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | 25 |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|
| The optional <i>Hierarchical_HDL_Name</i> indicates the design module or module instance to which the verification unit is bound. If the <i>Hierarchical_HDL_Name</i> is not present, then the verification unit binds to the top-level module of the design under verification. See 7.2.1 for a discussion of binding.                                                                                                                                                                                                                                                                                                                                                                                                                 |    |
| An <i>Inherit_Spec</i> indicates another verification unit from which this verification unit inherits contents. See 7.2.2 for a discussion of inheritance.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | 30 |
| A <i>VUnit_Item</i> is a verification directive or other PSL statement grouped by this verification unit. See 7.2.3 for a discussion of which PSL statements can be grouped by verification units.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | 35 |
| The <i>VUnitType</i> specifies the type of the Verification Unit. Verification unit types vprop and vmode enable sep-<br>arate definition of assertions to verify and constraints (i.e., assumptions or restrictions) to be considered in<br>attempting to verify those assertions. Various vprop verification units can be created containing different sets of<br>assertions to verify and various vmode verification units containing different sets of constraints can be created to<br>represent the different conditions under which verification should take place. By combining one or more vprop<br>verification units with one or more vmode verification units, the user can easily compose different verification<br>tasks. | 40 |
| Verification unit type vunit enables a combined approach in which both assertions to verify and applicable constraints, if any, can be defined together. All three types of verification units can be used together in a single verification run.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | 45 |
| The default verification unit (i.e., one named default) can be used to define constraints that are common to all verification environments, or defaults that can be overridden in other verification units. For example, the default verification unit might include a default clock declaration or a sequence declaration for the most common reset                                                                                                                                                                                                                                                                                                                                                                                    | 50 |

sequence.

- 1 Restrictions
  - A Verification Unit of type vmode shall not contain an assert directive.
  - 5 A Verification Unit of type vprop shall not contain a directive that is not an assert directive.

A Verification Unit of type vprop shall not inherit a Verification Unit of type vunit or vmode.

10 A default Verification Unit, if it exists, shall be of type vmode.

#### 7.2.1 Verification unit binding

The connection between signals referred to in a verification unit and signals of the design under verification is by name, relative to the module or module instance to which the verification unit is bound.

If the verification unit is bound to a module (as opposed to a module instance), then this is equivalent to duplicating the contents of the verification unit and binding each duplication to one instance.

```
20 Examples
```

15

25

30

```
vunit ex1a(top_block.i1.i2) {
   assert never (ena && enb);
}
```

vunit exla is bound to instance top\_block.i1.i2. This is equivalent to the following non-bound vunit exlb:

```
vunit ex1b {
   assert never (top_block.i1.i2.ena && top_block.i1.i2.enb);
}
```

As a second example, consider:

```
35 vunit ex2a(mod1) {
    assert never (ena && enb);
}
```

40 The verification unit is bound to module mod1. If this module is instantiated twice in the design, once as top\_block.il.i2 and once as top\_block.il.i3, then vunit ex2a is equivalent to the following non-bound vunit ex2b:

```
vunit ex2b {
   assert never(top_block.i1.i2.ena && top_block.i1.i2.enb);
   assert never(top_block.i1.i3.ena && top_block.i1.i3.enb);
}
```

The binding of a verification unit to a module or module instance affects all the names in the vunit.

```
50 vunit ex3a (top_block.i1) {
    property mutex = never (ena && enb);
    assert mutex;
}
```

55

| vunit ex3a is bound to the instance top_block.i1. This is equivalent to the following non-bound vunit ex3b:                                                                                                                                                                                                           | 1  |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|
| <pre>vunit ex3b {    property tob_block.i1.mutex =         never (tob_block.i1.ena &amp;&amp; tob_block.i1.enb);    assert tob_block.i1.mutex; }</pre>                                                                                                                                                                | 5  |
| 7.2.2 Verification unit inheritance                                                                                                                                                                                                                                                                                   | 10 |
| When a verification unit inherits another verification unit, the effect is as if the contents of the inherited verifica-<br>tion unit had appeared within the inheriting verification unit, except:                                                                                                                   |    |
| a) The inherited verification unit is bound according to its own definition, and is not affected by the binding of the inheriting verification unit.                                                                                                                                                                  | 15 |
| b) In the case where the inheriting verification unit and the inherited verification unit declare items with the same name (after taking into account the respective bindings), then the declaration in the inheriting verification unit takes precedence. A vunit can contain HDL declarations and PSL declarations. | 20 |
| For more on resolution of apparent declaration conflicts, see 7.2.4.                                                                                                                                                                                                                                                  |    |
| Examples                                                                                                                                                                                                                                                                                                              | 25 |
| <pre>vunit ex4a(top_block.i1) {    assert never (read_en &amp;&amp; write_en); }</pre>                                                                                                                                                                                                                                | 20 |
| <pre>vunit ex4b(top_block.i1.i2) {     inherit ex4a;     assert never (ena &amp;&amp; enb); }</pre>                                                                                                                                                                                                                   | 30 |
| vunit ex4b inherits vunit ex4a. This is equivalent to the following non-bound vunit ex4c:                                                                                                                                                                                                                             | 35 |
| <pre>vunit ex4c {     assert never (top_block.i1.read_en &amp;&amp; top_block.i1.write_en);     assert never (top_block.i1.i2.ena &amp;&amp; top_block.i1.i2.enb); }</pre>                                                                                                                                            | 55 |
| As a second example, consider:                                                                                                                                                                                                                                                                                        | 40 |
| <pre>vunit ex5a(top_block.i1) {   wire temp;   assign temp = ack1    ack2;   assert always (reqa -&gt; next temp);</pre>                                                                                                                                                                                              | 45 |
| <pre>} vunit ex5b(top_block.i1) {     inherit ex5a;     wire temp;     assign temp = ack1    ack2    ack3;</pre>                                                                                                                                                                                                      | 50 |
| <pre>assert always (reqb -&gt; next temp); }</pre>                                                                                                                                                                                                                                                                    | 55 |

1 vunit ex5b inherits ex5a. Both verification units are bound to the same instance and both declare wires named temp. The declaration of temp in the inheriting verification unit takes precedence, so vunit ex5b is equivalent to the following non-bound vunit ex5c:

```
5 vunit ex5c {
    wire top_block.i1.temp;
    assign top_block.i1.temp =
        top_block.i1.ack1 || top_block.i1.ack2 || top_block.i1.ack3;
10
    assert always (top_block.i1.reqa -> next top_block.i1.temp);
    assert always (top_block.i1.reqb -> next top_block.i1.temp);
}
```

15 As an example of how binding and inheritance affect PSL declarations, consider:

```
vunit ex6a (top_block.i1) {
    property AckInOneCycle (boolean req, ack, clk)
                          = always (req -> next ack) @ (posedge clk);
20     }
20     }
vunit ex6b (top_block.i1) {
        inherit ex6a;
        assert AckInOneCycle(req, ack, clk);
     }
25
```

The vunit ex6b is equivalent to the following non-bound vunit ex6c:

# 35

40

45

### 7.2.3 Verification unit contents

The declarations and statements that can be grouped inside a verification unit are:

- a) Any modeling layer statement or declaration.
  - b) A property, endpoint, sequence, or clock declaration.
  - c) A verification directive.

7.2.4 Verification unit scoping rules

```
As discussed in 7.2.2, when an inheriting verification unit and an inherited verification unit declare items with the same name (after taking into account the respective bindings), then the declaration in the inheriting verification unit takes precedence. This general scoping rule has a specific use: it allows a verification unit to redeclare and/or give new behavior to a signal in the design under verification.
```

50

55

PSL recognizes four levels at which an identifier is declared. In order of increasing precedence, they are:

- a) In the design.
- b) In the default verification unit.
- c) In an inherited verification unit.

| d) In the current verification unit.                                                                                    | 1  |
|-------------------------------------------------------------------------------------------------------------------------|----|
| It is illegal for an identifier to be declared twice at the same level.                                                 |    |
| Example                                                                                                                 | 5  |
| <pre>vunit V {    wire S;    assign S = req    ack;    sequence S = {req;ack}; // illegal - S already declared   </pre> | 10 |
| }                                                                                                                       | 15 |
|                                                                                                                         | 20 |
|                                                                                                                         | 25 |
|                                                                                                                         | 30 |
|                                                                                                                         | 35 |
|                                                                                                                         | 40 |
|                                                                                                                         | 45 |
|                                                                                                                         | 50 |
|                                                                                                                         | 55 |

| 1  |  |  |  |
|----|--|--|--|
| 5  |  |  |  |
| 10 |  |  |  |
| 15 |  |  |  |
| 20 |  |  |  |
| 25 |  |  |  |
| 30 |  |  |  |
| 35 |  |  |  |
| 40 |  |  |  |
| 45 |  |  |  |
| 50 |  |  |  |
| 55 |  |  |  |

# 8. Modeling layer

The modeling layer provides a means to model behavior of design inputs (for tools such as formal verification tools in which the behavior is not otherwise specified), and to declare and give behavior to auxiliary signals and variables. The modeling layer comes in three flavors, corresponding to Verilog, VHDL, and GDL. Each is described in the following sections.

# 8.1 The Verilog-flavored modeling layer

The Verilog flavor of the modeling layer consists of a synthesizable subset defined by IEEE P1364.1.

This subset of Verilog has also been augmented with the following:

- integer ranges
- structures
- non-determinism
- built-in functions rose(), fell(), next(), and prev()

as defined in the following subsections.

#### 8.1.1 Integer ranges

The Verilog flavor of the modeling layer extends the Verilog data types with a finite integer type, shown in Box 75, where the range of values which the variable can take on is indicated at the declaration.

| Extended_Verilog_Type_Declaration ::=<br>integer Integer_Range list_of_variable_identifiers; |    |
|----------------------------------------------------------------------------------------------|----|
| Integer_Range ::=<br>(constant_expression : constant_expression)                             | 30 |

#### Box 75—integer range declaration

| The nonterminals list_of_variable_identifiers and constant_expression are defined in the syntax for IEEE 1364-2001 Verilog. | 35 |
|-----------------------------------------------------------------------------------------------------------------------------|----|
| Example                                                                                                                     |    |
| integer (1:5) a, b[1:20];                                                                                                   | 40 |
|                                                                                                                             |    |

This declares an integer variable a, which can take on values between 1 and 5, inclusive, and an integer array b, each of whose twenty entries can take on values between 1 and 5, inclusive.

#### 8.1.2 Structures

The Verilog flavor of the modeling layer also extends the Verilog data types to allow declaration of C-like structures, as shown in Box 76.

50

55

45

1

5

10

15

20



1

5

#### Box 76—Structure declaration

15 The nonterminals list\_of\_variable\_identifiers, net\_declaration, reg\_declaration, and integer\_declaration are defined in the syntax for IEEE 1364-2001 Verilog.

Example

```
20 struct {
    wire w1, w2;
    reg r;
    integer(0..7) i;
} s1, s2;
```

25

which declares two structures, s1 and s2, each with four fields, w1, w2, r, and i. Structure fields are accessed as s1.w1, s1.w2, etc.

#### 8.1.3 Non-determinism

The **union** operator specifies two values, shown in Box 77, either of which can be the value of the resulting expression.

35

30

Union\_Expression ::= HDL\_or\_PSL\_Expression **union** HDL\_or\_PSL\_Expression

Box 77—Structure declaration

40 Example

a = b union c;

This is a non-deterministic assignment of either b or c to variable or signal a.

50

45

### 8.1.4 Built-in functions rose(), fell(), next(), prev()

The Verilog-flavored modeling layer adds the built-in functions rose(), fell(), prev(), and next(), shown in Box 78.

Built\_In\_Function\_Call ::= rose (Boolean) | fell (Boolean) | prev (HDL\_or\_PSL\_Expression[, Number]) | next (Boolean)



#### 8.1.4.1 rose()

The built-in function rose() is similar to posedge in Verilog. It takes a Boolean signal as argument and produces a Boolean that is true if the argument's value is 1 at the current cycle and 0 at the previous cycle, with respect to the clock of its context, otherwise it is false.

The clock context may be provided by the PSL property in which the function call is nested, or by a relevant default clock declaration. If the context does not specify a clock, the relevant clock is that corresponding to the granularity of time as seen by the verification tool.

The function rose() can be expressed in terms of the built-in function prev() as follows: rose(b) is equivalent to the expression b && !prev(b), where b is a Boolean signal. The function rose(b) can be used just like any other Boolean.

For four-valued logic, the value of rose() is extended in the same way that Verilog extends posedge.

#### Example

In the timing diagram below, the function call rose (a) is true at times 2 and 5 and at no other time, if it has no clock context. In the context of clock clk, the function call rose (a) is true at the tick of clk at time 3 and at no other tick point of clk.

| time | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
|------|---|---|---|---|---|---|---|---|
| clk  | 0 | 1 | 0 | 1 | 0 | 1 | 0 | 1 |
| a    | 0 | 0 | 1 | 1 | 0 | 1 | 0 | 0 |

#### 8.1.4.2 fell()

The built-in function fell() is similar to negedge in Verilog. It takes a Boolean signal as argument and produces a Boolean that is true if the argument's value is 0 at the current cycle and 1 at the previous cycle, with respect the clock of its context, otherwise it is false.

The clock context may be provided by the PSL property in which the function call is nested, or by a relevant default clock declaration. If the context does not specify a clock, the relevant clock is that corresponding to the granularity of time as seen by the verification tool.

The function fell() can be expressed in terms of the built-in function prev() as follows: fell(b) is equivalent to the expression !b & prev(b), where b is a Boolean signal. The function fell(b) can be used just like any other Boolean.

5

10

1

20

25

30

35

40

45

50

1 For four-valued logic, the value of fell() is extended in the same way that Verilog extends negedge.

Example

5 In the timing diagram below, the function call fell(a) is true at times 4 and 6 and at no other time if it does not have a clock context. In the context of clock clk, the function call fell(a) is true at the tick of clk at time 7 and at no other tick point of clk.

10

20

25

| time | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |  |
|------|---|---|---|---|---|---|---|---|--|
|      |   |   |   |   |   |   |   |   |  |
| clk  | 0 | 1 | 0 | 1 | 0 | 1 | 0 | 1 |  |
| a    | 0 | 0 | 1 | 1 | 0 | 1 | 0 | 0 |  |

# 15 8.1.4.3 prev()

The built-in function prev() takes an expression of arbitrary type as argument and returns a previous value of that expression. With a single argument, the built-in function prev() gives the value of the expression in the previous cycle, with respect to the clock of its context. If a second argument is specified and has the value *i*, the built-in function prev() gives the value of the expression in the *i*<sup>th</sup> previous cycle, with respect to the clock of its context.

The clock context may be provided by the PSL property in which the function call is nested, or by a relevant default clock declaration. If the context does not specify a clock, the relevant clock is that corresponding to the granularity of time as seen by the verification tool.

Note-The first argument of prev() is not necessarily a Boolean expression. For example, prev(data(0..31)) returns the previous value of the entire bit vector.

30 Restrictions

If a call to prev() includes a Number, it must be a positive Number that is statically evaluatable.

Example

In the timing diagram below, the function call prev(a) returns the value 1 at times 3, 4, and 6, and the value 0 at other times, if it does not have a clock context. In the context of clock clk, the call prev(a) returns the value 1 at times 5 and 7, and the value 0 at other tick points. In the context of clock clk, the call prev(a, 2) returns the value 1 at time 7, and 0 at other tick points.

40

35

| time | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
|------|---|---|---|---|---|---|---|---|
|      |   |   |   |   |   |   |   | - |
| clk  | 0 | 1 | 0 | 1 | 0 | 1 | 0 | 1 |
| a    | 0 | 0 | 1 | 1 | 0 | 1 | 0 | 0 |

#### 45

50

55

### 8.1.4.4 next()

The built-in function next() gives the value of a signal of arbitrary type at the next cycle, with respect to the finest granularity of time as seen by the verification tool. In contrast to the built-in functions rose(), fell(), and prev(), the function next() is not affected by the clock of its context.

#### Restrictions

The argument of next() shall be the name of a signal; an expression other than a simple name is not allowed. A call to next() can only be used on the right-hand-side of an assignment to a memory element (register or

latch). It cannot be used on the right-hand-side of an assignment to a combinational signal, nor can it be used directly in a property.

#### Example

In the timing diagram below, the function call next (a) returns the value 1 at times 1, 2, and 4.

| time | <br>0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
|------|-------|---|---|---|---|---|---|---|
| clk  | <br>0 | 1 | 0 | 1 | 0 | 1 | 0 | 1 |
| a    | 0     | 0 | 1 | 1 | 0 | 1 | 0 | 0 |

### 8.2 Other flavors

#### 8.2.1 The VHDL-flavored modeling layer

The VHDL-flavored modeling layer remains undefined at this time. In the future, it can be defined as a synthesizable subset of VHDL, augmented with the same features with which the Verilog flavor is augmented. The additional features shall take on a VHDL-like syntax in the VHDL-flavored modeling layer and support VHDLstyle comments.

#### 8.2.2 The GDL-flavored modeling layer

The GDL-flavored modeling layer remains undefined at this time. In the future, it can be defined as a general description language that can express abstract behavior independent of either Verilog or VHDL.

30

1

5

15

20

25

40

45

50

| 1  |  |  |  |
|----|--|--|--|
| 5  |  |  |  |
| 10 |  |  |  |
| 15 |  |  |  |
| 20 |  |  |  |
| 25 |  |  |  |
| 30 |  |  |  |
| 35 |  |  |  |
| 40 |  |  |  |
| 45 |  |  |  |
| 50 |  |  |  |
| 55 |  |  |  |

| Δnn    | endix A                                                                                                                                                                                                                                                                                                       | 1  |
|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|
| ~~~    |                                                                                                                                                                                                                                                                                                               | 1  |
| (norn  | native)                                                                                                                                                                                                                                                                                                       |    |
| Syn    | tax rule summary                                                                                                                                                                                                                                                                                              | 5  |
| The ap | opendix summarizes the syntax .                                                                                                                                                                                                                                                                               | 10 |
| A.1 M  | Meta-syntax                                                                                                                                                                                                                                                                                                   |    |
| The fo | rmal syntax described in this standard uses the following extended Backus-Naur Form (BNF).                                                                                                                                                                                                                    | 15 |
| a)     | The initial character of each word in a nonterminal is capitalized. For example:                                                                                                                                                                                                                              |    |
|        | PSL_Statement                                                                                                                                                                                                                                                                                                 |    |
|        | A nonterminal can be either a single word or multiple words separated by underscores. When a multiple-<br>word nonterminal containing underscores is referenced within the text (e.g., in a statement that describes<br>the semantics of the corresponding syntax), the underscores are replaced with spaces. | 20 |
| b)     | Boldface words are used to denote reserved keywords, operators, and punctuation marks as a required part of the syntax. These words appear in a larger font for distinction. For example:                                                                                                                     | 25 |
|        | vunit (;                                                                                                                                                                                                                                                                                                      |    |
| c)     | The : := operator separates the two parts of a BNF syntax definition. The syntax category appears to the left of this operator and the syntax description appears to the right of the operator. For example, item d) shows three options for a <i>VUnitType</i> .                                             | 30 |
| d)     | A vertical bar separates alternative items (use one only) unless it appears in boldface, in which case it stands for itself. For example:                                                                                                                                                                     |    |
|        | VUnitType ::= <b>vunit</b>   <b>vprop</b>   <b>vmode</b>                                                                                                                                                                                                                                                      | 35 |
| e)     | Square brackets enclose optional items unless it appears in boldface, in which case it stands for itself. For example:                                                                                                                                                                                        |    |
|        | Sequence_Declaration ::= sequence Name [ ( Formal_Parameter_List ) ] DEF_SYM Sequence ;                                                                                                                                                                                                                       |    |
|        | indicates Formal_Parameter_List is an optional syntax item for Sequence_Declaration, whereas                                                                                                                                                                                                                  | 40 |
|        | SERE <b>[</b> * [ Range ] <b>]</b>                                                                                                                                                                                                                                                                            |    |
|        | indicates that (the outer) square brackets are part of the syntax for this SERE, while Range is optional.                                                                                                                                                                                                     |    |
| f)     | Braces enclose a repeated item unless it appears in boldface, in which case it stands for itself. A repeated item may appear zero or more times; the repetitions occur from left to right as with an equivalent left-recursive rule. Thus, the following two rules are equivalent:                            | 45 |
|        | Formal_Parameter_List ::= Formal_Parameter { ; Formal_Parameter }<br>Formal_Parameter_List ::= Formal_Parameter   Formal_Parameter_List ; Formal_Parameter                                                                                                                                                    | 50 |
| g)     | A comment in a production is preceded by a colon (:) unless it appears in boldface, in which case it stands for itself.                                                                                                                                                                                       | 20 |

- h) If the name of any category starts with an italicized part, it is equivalent to the category name without the italicized part. The italicized part is intended to convey some semantic information. For example, *vunit* Name is equivalent to Name.
- 5 i) Flavor macros, containing embedded underscores, are shown in uppercase. These reflect the various HDLs which can be used within the PSL syntax and show the definition for each HDL. The general format is the term Flavor Macro, then the actual *macro name*, followed by the = operator, and, finally, the definition for each of the HDLs. For example:

Flavor Macro PATH SYM = Verilog: . / VHDL: : / GDL: /

shows the path symbol macro. See 4.3.2 for further details about flavor macros.

The main text uses *italicized* type when a term is being defined, and monospace font for examples and references to constants such as 0, 1, or x values.

# A.2 HDL Dependencies

20 PSL depends upon the syntax and semantics of an underlying hardware description language. In particular, PSL syntax includes productions that refer to nonterminals in Verilog, VHDL, or GDL. PSL syntax also includes Flavor Macros which cause each flavor of PSL to match that of the underlying HDL for that flavor.

For Verilog, the PSL syntax refers to the following nonterminals in the IEEE 1364-2001 Verilog syntax:

- module\_or\_generate\_item\_declaration
- module\_or\_generate\_item
- list\_of\_variable\_identifiers
- 30

40

45

25

1

10

- identifier
- expression
- constant\_expression

For VHDL, the PSL syntax refers to the following nonterminals in the IEEE 1076-1993 VHDL syntax:

- 35 declaration
  - concurrent statement
  - design unit
  - identifer
  - expression

For GDL, the PSL syntax refers to the following nonterminals in the GDL syntax:

- module\_item\_declaration
- module item
- module\_declaration
- identifer
- expression

# 50 A.2.1 Verilog Extensions

For the Verilog flavor, PSL extends the forms of declaration that can be used in the modeling layer by defining two additional forms of type declaration. PSL also adds an additional form of expression for both Verilog and VHDL flavors.

55

|                                                                                                                                                                                                                                     | 1  |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|
| Extended_Verilog_Declaration ::=<br>Verilog_module_or_generate_item_declaration<br>  Extended_Verilog_Type_Declaration                                                                                                              | 5  |
| Extended_Verilog_Type_Declaration ::=<br>integer Integer_Range list_of_variable_identifiers ;<br>  struct { Declaration_List } list_of_variable_identifiers ;                                                                       | 10 |
| Integer_Range ::=<br>( constant_expression : constant_expression )                                                                                                                                                                  |    |
| Declaration_List ::=<br>HDL_Variable_or_Net_Declaration { HDL_Variable_or_Net_Declaration }                                                                                                                                         | 15 |
| HDL_Variable_or_Net_Declaration ::=<br>net_declaration<br>  reg_declaration<br>  integer_declaration                                                                                                                                | 20 |
| Extended_Verilog_Expression ::=<br>Verilog_expression<br>  Verilog_Union_Expression                                                                                                                                                 | 25 |
| Extended_VHDL_Expression ::=<br>VHDL_expression<br> VHDL_Union_Expression<br>Union_Expression ::=<br>HDL_or_PSL_Expression union HDL_or_PSL_Expression                                                                              | 30 |
| A.2.2 Flavor macros                                                                                                                                                                                                                 | 35 |
| <pre>Flavor Macro PATH_SYM =     Verilog: . / VHDL: : / GDL: / Flavor Macro HDL_ID =     Verilog: Verilog_Identifier / VHDL: VHDL_Identifier / GDL: GDL_Identifier Flavor Macro DEF_SYM =     Verilog: = / VHDL: is / GDL: :=</pre> | 40 |
| Flavor Macro RANGE_SYM =<br>Verilog: : / VHDL: to / GDL:<br>Flavor Macro AND_OP =<br>Verilog: && / VHDL: and / GDL: &                                                                                                               | 45 |
| Flavor Macro OR_OP =<br>Verilog:    / VHDL: or / GDL:  <br>Flavor Macro NOT_OP =<br>Verilog: ! / VHDL: not / GDL: !<br>Flavor Macro MIN_VAL =                                                                                       | 50 |
| Verilog: <b>0</b> / VHDL: <b>0</b> / GDL: <i>null</i><br>Flavor Macro MAX_VAL =                                                                                                                                                     | 55 |

| 1  | Verilog: <b>inf</b> / VHDL: <b>inf</b> / GDL: <i>null</i>                                                                 |
|----|---------------------------------------------------------------------------------------------------------------------------|
|    | Flavor Macro HDL_EXPR =                                                                                                   |
|    | Verilog: Extended_Verilog_Expression / VHDL: Extended_VHDL_Expression / GDL: <i>GDL</i> _Expression                       |
| 5  | Flavor Macro HDL_UNIT =                                                                                                   |
|    | Verilog: Verilog_module_declaration / VHDL: VHDL_design_unit / GDL: GDL_module_declaration                                |
|    | Flavor Macro HDL_DECL =                                                                                                   |
|    | Verilog: Extended_Verilog_Declaration / VHDL: VHDL_declaration                                                            |
| 10 | / GDL: GDL_module_item_declaration                                                                                        |
|    | Flavor Macro HDL_STMT =                                                                                                   |
|    | Verilog: <i>Verilog</i> _module_or_generate_item / VHDL: <i>VHDL</i> _concurrent_statement / GDL: <i>GDL</i> _module_item |
|    | Flavor Macro LEFT_SYM =                                                                                                   |
| 15 | Verilog: [ / VHDL: ( / GDL: (                                                                                             |
|    | Flavor Macro RIGHT_SYM =                                                                                                  |
|    | Verilog: ] / VHDL: ) / GDL: )                                                                                             |

# <sup>20</sup> A.3 Syntax productions

The rest of this section defines the PSL syntax.

# A.3.1 Verification units

|    | PSL_Specification ::=<br>{ Verification_Item }                                      |
|----|-------------------------------------------------------------------------------------|
| 30 | Verification_Item ::=<br>HDL_UNIT   Verification_Unit                               |
|    | Verification_Unit ::=                                                               |
|    | VUnitType Name [ ( Hierarchical_HDL_Name ) ] {                                      |
|    | { Inherit_Spec }<br>{ VUnit_Item }                                                  |
| 35 | }                                                                                   |
|    | VUnitType ::=                                                                       |
|    | vunit   vprop   vmode                                                               |
|    | Name ::=                                                                            |
|    | HDL_ID                                                                              |
| 40 | Hierarchical_HDL_Name ::=<br>module_Name { PATH_SYM instance_Name }                 |
|    | Inherit_Spec ::=                                                                    |
|    | <b>inherit</b> <i>vunit</i> _Name { , <i>vunit</i> _Name } ;                        |
| 45 | VUnit_Item ::=<br>HDL_Decl_or_Stmt<br>  PSL_Declaration<br>  Verification Directive |
|    |                                                                                     |
|    | HDL_Decl_or_Stmt ::=<br>HDL_DECL   HDL_STMT                                         |
| 50 |                                                                                     |

(see A.3.2) (see A.3.3)

50

55

## A.3.2 PSL declarations

PSL\_Declaration ::= Property\_Declaration

| Sequence_Declaration<br>  Endpoint_Declaration<br>  Clock_Declaration                       |                      | 1  |
|---------------------------------------------------------------------------------------------|----------------------|----|
| Property Declaration ::=                                                                    |                      |    |
| <b>property</b> Name [ ( Formal_Parameter_List ) ] DEF_SYM Property ;                       |                      | 5  |
| Formal Parameter List ::=                                                                   |                      | 5  |
| Formal_Parameter { ; Formal_Parameter }                                                     |                      |    |
| Formal Parameter ::=                                                                        |                      |    |
| ParamKind Name {, Name }                                                                    |                      | 10 |
| ParamKind ::=                                                                               |                      |    |
| const   boolean   property   sequence                                                       |                      |    |
| Sequence Declaration ::=                                                                    |                      |    |
| sequence_Dectatution<br>sequence Name [ ( Formal_Parameter_List ) ] DEF_SYM Sequence ;      | (see A.3.5)          |    |
| Endpoint Declaration ::=                                                                    | (500 11.5.5)         | 15 |
| endpoint_Declaration<br>endpoint Name [ ( Formal_Parameter_List ) ] DEF_SYM Sequence ;      | (see A.3.5)          |    |
| Clock_Declaration ::=                                                                       | (300 11.3.3)         |    |
| default clock DEF_SYM Boolean ;                                                             | (see A.3.7)          |    |
| Actual Parameter List ::=                                                                   | (300 11.3.7)         | 20 |
| Actual_Parameter { , Actual_Parameter }                                                     |                      | 20 |
|                                                                                             |                      |    |
| Actual_Parameter ::=<br>Number   Boolean   Property   Sequence (see A.3.7) (see A.3.7) (see | e A 3 3) (see A 3 5) |    |
|                                                                                             | (see 11.5.5)         |    |
| A.3.3 PSL statements Verification Directive ::=                                             |                      | 25 |
| Assert_Statement<br>  Assume Statement                                                      |                      | 20 |
| Assume_Guarantee_Statement                                                                  |                      | 30 |
| Restrict_Statement                                                                          |                      |    |
| Restrict_Guarantee_Statement                                                                |                      |    |
| Cover_Statement<br>  Fairness Statement                                                     |                      |    |
| Assert Statement ::=                                                                        |                      | 35 |
| assert Property ;                                                                           | (see A.3.4)          | 55 |
| Assume_Statement ::=                                                                        | (300 1.3.4)          |    |
| assume Property ;                                                                           | (see A.3.4)          |    |
|                                                                                             | (300 A.J.4)          |    |
| Assume_Guarantee_Statement ::= assume_guarantee Property;                                   | (see A.3.4)          | 40 |
|                                                                                             | (See A.5.4)          |    |
| Restrict_Statement ::=                                                                      | (a a A 2 5)          |    |
| restrict Sequence ;                                                                         | (see A.3.5)          |    |
| Restrict_Guarantee_Statement ::=                                                            |                      |    |
| restrict_guarantee Sequence ;                                                               | (see A.3.5)          | 45 |
| Cover_Statement ::=                                                                         |                      |    |
| cover Sequence ;                                                                            | (see A.3.5)          |    |
| Fairness_Statement ::=                                                                      |                      |    |
| fairness Boolean;                                                                           |                      | 50 |
| strong fairness Boolean , Boolean ;                                                         | (see A.3.7)          | 50 |

1 A.3.4 PSL properties

|    | Property ::=                                |             |
|----|---------------------------------------------|-------------|
|    | Replicator Property                         |             |
| 5  | FL_Property                                 |             |
|    | OBE_Property                                |             |
|    | Replicator ::=                              |             |
|    | forall Name [IndexRange] in ValueSet :      |             |
| 10 | IndexRange ::=                              |             |
|    | LEFT_SYM <i>finite</i> Range RIGHT_SYM      |             |
|    | ValueSet ::=                                |             |
|    | {ValueRange {, ValueRange }}                |             |
|    | boolean                                     |             |
| 15 |                                             |             |
| 10 | ValueRange ::=                              |             |
|    | Value                                       | (see A.3.7) |
|    | <i>finite</i> _Range                        | (see A.3.5) |
|    | FL_Property ::=                             |             |
| 20 | Boolean                                     | (see A.3.7) |
| 20 | (FL_Property)                               |             |
|    | property_Name [ ( Actual_Parameter_List ) ] |             |
|    |                                             |             |
|    | FL_Property @ clock_Boolean [ ! ]           |             |
| 25 | FL_Property <b>abort</b> Boolean            |             |
| 25 | : Logical Operators :                       |             |
|    | NOT_OP FL_Property                          |             |
|    | FL_Property AND_OP FL_Property              |             |
|    | FL_Property OR_OP FL_Property               |             |
| 20 | :                                           |             |
| 30 | FL_Property -> FL_Property                  |             |
|    | FL_Property <-> FL_Property                 |             |
|    | : Primitive LTL Operators :                 |             |
|    | X FL Property                               |             |
|    | X! FL Property                              |             |
| 35 | <b>F</b> FL Property                        |             |
|    |                                             |             |
|    | G FL_Property                               |             |
|    | [ FL_Property U FL_Property ]               |             |
|    | [ FL_Property W FL_Property ]               |             |
| 40 | : Simple Temporal Operators :               |             |
|    | always FL_Property                          |             |
|    | <b>never</b> FL_Property                    |             |
|    | <b>next</b> FL Property                     |             |
|    | next! FL Property                           |             |
| 45 | eventually! FL_Property                     |             |
|    | ·                                           |             |
|    | FL_Property <b>until!</b> FL_Property       |             |
|    | FL Property <b>until</b> FL Property        |             |
|    | FL_Property until!_FL_Property              |             |
| 50 |                                             |             |
|    | FL_Property <b>until_</b> FL_Property       |             |
|    | EL Derret hoforel EL D                      |             |
|    | FL_Property <b>before!</b> FL_Property      |             |
|    | FL_Property <b>before</b> FL_Property       |             |
| 55 | FL_Property <b>before!_</b> FL_Property     |             |

| FL_Property <b>before_</b> FL_Property<br>: Extended Next (Event) Operators : (see A.3.7)<br>  <b>X</b> [ Number ] (FL Property )                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | 1  |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|
| Image: A line of a line line of a line of a line of a line of a l | 5  |
| <pre>(see A.S.S) [next_a [finite_Range] (FL_Property) [next_e [finite_Range] (FL_Property) [next_e! [finite_Range] (FL_Property)</pre>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | 10 |
| <pre>inext_event! (Boolean) (FL_Property) next_event (Boolean) (FL_Property) next_event! (Boolean) [positive_Number] (FL_Property) next_event (Boolean) [positive_Number] (FL_Property)</pre>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | 15 |
| <pre>inext_event_a! (Boolean) [finite_positive_Range] (FL_Property) [next_event_a (Boolean) [finite_positive_Range] (FL_Property) [next_event_e! (Boolean) [finite_positive_Range] (FL_Property) [next_event_e (Boolean) [finite_positive_Range] (FL_Property)</pre>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | 20 |
| : Operators on SEREs : (see A.3.5)<br>  Sequence (FL_Property)<br>  Sequence  -> Sequence [!]<br>  Sequence  => Sequence [!]                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | 25 |
| always Sequence<br>never Sequence<br>eventually! Sequence                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | 30 |
| within! (Sequence_or_Boolean, Boolean) Sequence<br>within (Sequence_or_Boolean, Boolean) Sequence<br>within!_ (Sequence_or_Boolean, Boolean) Sequence<br>within_ (Sequence_or_Boolean, Boolean) Sequence                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | 35 |
| whilenot! (Boolean) Sequence<br>whilenot (Boolean) Sequence<br>whilenot!_(Boolean) Sequence<br>whilenot_(Boolean) Sequence                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | 40 |
| Sequence_or_Boolean ::=<br>Sequence   Boolean                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | 45 |
| A.3.5 Sequences                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |    |
| Sequence ::=<br>{ SERE }                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | 50 |

| sequence\_Name [ ( Actual\_Parameter\_List ) ]

# 1 A.3.6 Sequential extended regular expressions

|    | SERE ::=                                            |
|----|-----------------------------------------------------|
|    | Boolean                                             |
| 5  | Sequence                                            |
|    | SERE @ clock_Boolean                                |
|    | : Composition Operators :                           |
|    | SERE ; SERE                                         |
| 10 | Sequence : Sequence                                 |
|    | Sequence AndOrOp Sequence                           |
|    | : RegExp Qualifiers :                               |
|    | SERE [ * [ Count ] ]                                |
| 15 | <b>[ *</b> [ Count ] <b>]</b>                       |
| 15 | SERE [ + ]                                          |
|    | [+]                                                 |
|    |                                                     |
|    | Boolean [ = Count ]                                 |
| 20 | Boolean [ -> [ <i>positive</i> _Count ] ]           |
|    | AndOrOp ::=                                         |
|    | &&   &                                              |
|    |                                                     |
|    | Count ::=                                           |
| 25 | Number   Range                                      |
|    | Range ::=                                           |
|    | LowBound RANGE_SYM HighBound                        |
|    | LowBound ::=                                        |
| 20 | Number   MIN_VAL                                    |
| 30 | HighBound ::=<br>Number   MAX_VAL                   |
|    | Nullioer   MAA_VAL                                  |
|    | A 2.7 Former of commencient                         |
|    | A.3.7 Forms of expression                           |
| 35 | Value ::=                                           |
|    | Boolean   Number                                    |
|    | Boolean ::=                                         |
|    | boolean HDL_or_PSL_Expression                       |
| 10 | HDL or PSL Expression ::=                           |
| 40 | HDL_Expression                                      |
|    | <i>endpoint</i> _Name [ ( Actual_Parameter_List ) ] |

Built In Function Call

HDL\_Expression ::=

Number ::=

98

HDL\_EXPR Built\_In\_Function\_Call ::=

rose ( Boolean )
| fell ( Boolean )

| **next** ( Boolean )

integer\_HDL\_Expression

| HDL\_or\_PSL\_Expression union HDL\_or\_PSL\_Expression

| **prev** ( HDL\_or\_PSL\_Expression [, Number ] )

(see A.3.7)

45

| A.3.8 Optional | branching | extension |
|----------------|-----------|-----------|
|----------------|-----------|-----------|

| OBE_Property ::=                            |    |
|---------------------------------------------|----|
| Boolean                                     |    |
| ( OBE_Property )                            | 5  |
| property_Name [ ( Actual_Parameter_List ) ] |    |
| : Logical Operators :                       |    |
| ! OBE_Property                              |    |
| OBE_Property & OBE_Property                 | 10 |
| OBE_Property   OBE_Property                 |    |
| OBE_Property -> OBE_Property                |    |
| OBE_Property <-> OBE_Property               |    |
| : Universal Operators :                     | 15 |
| <b>AX</b> OBE_Property                      | 10 |
| AG OBE_Property                             |    |
| AF OBE_Property                             |    |
| A [OBE_Property U OBE_Property]             |    |
| : Existential Operators :                   | 20 |
| <b>EX</b> OBE_Property                      |    |
| <b>EG</b> OBE_Property                      |    |
| <b>EF</b> OBE_Property                      |    |
| <b>E</b> [OBE_Property U OBE_Property]      |    |
|                                             | 25 |

| 1  |  |  |  |
|----|--|--|--|
| 5  |  |  |  |
| 10 |  |  |  |
| 15 |  |  |  |
| 20 |  |  |  |
| 25 |  |  |  |
| 30 |  |  |  |
| 35 |  |  |  |
| 40 |  |  |  |
| 45 |  |  |  |
| 50 |  |  |  |

# Appendix B

(normative)

# Formal syntax and semantics of the temporal layer

This appendix formally describes the syntax and semantics of the temporal layer.

# **B.1 Syntax**

Boolean expression syntax varies according to the Sugar flavor used. The formal syntax definition uses the complete set  $\{\neg, \land\}$ , and semantics are given here only to these two operators. Semantics of any other boolean expression follow directly from these.

# Definition 1 (Boolean expression).

| <ul> <li>Every atomic proposition is a boolean expression.</li> <li>If b, b<sub>1</sub>, and b<sub>2</sub> are boolean expressions, then so are the following: <ul> <li>(b)</li> <li>¬b</li> <li>b<sub>1</sub> ∧ b<sub>2</sub></li> </ul> </li> </ul>                                  | 25 |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|
| Definition 2 (Sugar Extended Regular Expressions (SEREs)).                                                                                                                                                                                                                             |    |
| <ul> <li>Every boolean expression is a SERE.</li> <li>If r, r<sub>1</sub>, and r<sub>2</sub> are SEREs, and clk is a boolean expression, then the following are SEREs:</li> </ul>                                                                                                      | 30 |
| • $\{r\}$<br>• $r_1$ ; $r_2$<br>• $r_1$ : $r_2$<br>• $\{r_1\} \mid \{r_2\}$<br>• $\{r_1\} \&\& \{r_2\}$                                                                                                                                                                                | 35 |
| • $r[*]$<br>• $r@clk$                                                                                                                                                                                                                                                                  | 40 |
| Definition 3 (Formulas of the Sugar Foundation Language (FL)).                                                                                                                                                                                                                         |    |
| <ul> <li>Every boolean expression is a Sugar FL formula.</li> <li>If b and clk are boolean expressions, f, f<sub>1</sub>, and f<sub>2</sub> are Sugar FL formulas and r, r<sub>1</sub>, and r<sub>2</sub> are SEREs, then the following are Sugar FL formulas:</li> <li>(f)</li> </ul> | 45 |
| • $(f)'$<br>• $\neg f$<br>• $f_1 \wedge f_2$<br>• $X! f$                                                                                                                                                                                                                               | 50 |

- $[f_1 \ U \ f_2]$
- $\{r\}(f)$

55

1

5

10

15

- $\{r_1\} \mapsto \{r_2\}!$ •  $\{r_1\} \mapsto \{r_2\}$ • f abort b
- f@clk
- f@clk!

1

5

In Section B.3, we show additional operators which provide syntactic sugaring to those described above.

# Definition 4 (Formulas of the Optional Branching Extension (OBE)).

- 15 Every boolean expression is an OBE formula.
   If f, f<sub>1</sub>, and f<sub>2</sub> are OBE formulas, then so are the following:

   (f)
   ¬f
  - - $f_1 \wedge f_2$ 
      - EXf
      - $E[f_1 \ U \ f_2]$
      - EGf

25

40

20

Additional OBE operators are derived from these as follows <sup>1</sup>:

$$\begin{array}{l} -f_1 \lor f_2 = \neg (\neg f_1 \land \neg f_2) \\ -f_1 \to f_2 = \neg f_1 \lor f_2 \\ 30 \qquad -f_1 \leftrightarrow f_2 = (f_1 \to f_2) \land (f_2 \to f_1) \\ -EFf = E[\operatorname{T} U f] \\ -AXf = \neg EX \neg f \\ -A[f_1 U f_2] = \neg (E[\neg f_2 U (\neg f_1 \land \neg f_2)] \lor EG \neg f_2) \\ 35 \qquad -AGf = \neg E[\operatorname{T} U \neg f] \\ -AFf = A[\operatorname{T} U f] \end{array}$$

# Definition 5 (Sugar Formulas).

- Every Sugar FL formula is a Sugar formula.
- Every OBE formula is a Sugar formula.

# 45 B.2 Semantics

The semantics of a Sugar formula are defined with respect to a model M. A model is a quintuple  $(S, S_0, R, P, L)$ , where S is a finite set of states,  $S_0 \subseteq S$  is a set of initial states,  $R \subseteq S \times S$  is the transition relation, P is a non-empty set of atomic propositions, and L is the valuation, a function  $L : S \longrightarrow 2^P$ , mapping each state with a set of atomic propositions valid in that state.

55

<sup>1</sup> Where  $\overline{\mathbf{T}} = p \vee \neg p$  for some  $p \in P$ .

A path  $\pi$  is a finite (or infinite) sequence of states  $\pi = (\pi_0, \pi_1, \pi_2, \dots, \pi_n)$  (or  $\pi = (\pi_0, \pi_1, \pi_2, \dots)$ ). A computation path  $\pi$  of a model M is a finite (or infinite) path  $\pi$  such that for every i < n,  $R(\pi_i, \pi_{i+1})$  and for no s,  $R(\pi_n, s)$  (or such that for every i,  $R(\pi_i, \pi_{i+1})$ ). Given a finite (or infinite) path  $\pi$ , we define  $\hat{L}$ , an extension of the valuation function L from states to paths as follows:  $\hat{L}(\pi) = L(\pi_0)L(\pi_1)\dots L(\pi_n)$  (or  $\hat{L}(\pi) = L(\pi_0)L(\pi_1)\dots$ ). Thus we have a mapping from states in M to letters of  $2^P$ , and from finite (or infinite) sequences of states in M to finite (or infinite) words over  $2^P$ .

We will denote a letter from  $2^P$  by  $\ell$ , and a finite or infinite word from  $2^P$  by  $\omega$ . We denote the length of word  $\omega$  as  $|\omega|$ . A finite word  $\omega = \ell_0 \ell_1 \ell_2 \cdots \ell_n$  has length n+1, while an infinite word has length  $\infty$ . We denote by  $\omega^i$  the suffix of  $\omega$  starting at  $\ell_i$ . That is,  $\omega^i = \ell_i \ell_{i+1} \cdots \ell_n$  (or  $\omega^i = \ell_i \ell_{i+1} \cdots$ ). We denote by  $\omega^{i,j}$  the finite sequence of letters starting from  $\ell_i$  and ending in  $\ell_j$ . That is,  $\omega^{i,j} = \ell_i \ell_{i+1} \cdots \ell_j$ .

For readability, we first define the semantics of unclocked Sugar formulas (and SEREs) and only then the semantics of clocked Sugar formulas (and clocked SEREs). In fact, the semantics of unclocked Sugar formulas (and unclocked SEREs) can be obtained from the semantics of clocked Sugar formulas (and clocked SEREs) by replacing the clock context with  $T^2$ .

#### **B.2.1 Semantics of Boolean expressions**

We define the semantics of boolean expressions over letters from the alphabet  $2^P$ , thus a letter is a subset of the set of atomic propositions P. The notation  $\ell \models b$  means that boolean expression b holds under the truth assignment represented by  $\ell$ . The semantics of boolean expressions are defined as follows, where p denotes an atomic proposition and b,  $b_1$ , and  $b_2$  denote boolean expressions.

$$-\ell \models p \iff p \in \ell -\ell \models (b) \iff \ell \models b$$

$$35$$

 $-\ell \models \neg b \iff \ell \not\models b$  $-\ell \models b_1 \land b_2 \iff \ell \models b_1 \text{ and } \ell \models b_2$ 

#### **B.2.2 Unclocked semantics**

#### **B.2.2.1 Semantics of unclocked SEREs**

The semantics of unclocked SEREs are defined over finite words from the alphabet  $2^{P}$ . We will denote a finite word over  $2^{P}$  by w. The concatenation of  $w_{1}$  and  $w_{2}$  is denoted by  $w_{1}w_{2}$ . The empty word is denoted by  $\epsilon$ , so that  $w\epsilon = \epsilon w = w$ . The notation  $w \models r$ , where r is a SERE, means that w is in the language of r. The semantics of SEREs are defined as follows, where b denotes a boolean expression, r,  $r_{1}$ , and  $r_{2}$  denote unclocked SEREs, and [i..k] denotes the set of integers  $\{j : i \leq j \land j \leq k\}$ .

103

40

45

50

55

1

5

10

15

20

25

<sup>&</sup>lt;sup>2</sup> Where  $T = p \lor \neg p$  for some  $p \in P$ .

|  | - |
|--|---|
|  | Т |
|  | 1 |

- $-w \models b \iff |w| = 1 \text{ and } \ell_0 \models b$  $-w \models \{r\} \iff w \models r$
- 5  $-w \models r_1; r_2 \iff$  there exist  $w_1$  and  $w_2$  such that  $w = w_1 w_2, w_1 \models r_1$ , and  $w_2 \models r_2$  $-w \models r_1: r_2 \iff$  there exist  $w_1, w_2$ , and  $\ell$  such that  $w = w_1 \ell w_2, w_1 \ell \models r_1$ , and  $\ell w_2 \models r_2$

10 
$$-w \models \{r_1\} \mid \{r_2\} \iff w \models r_1 \text{ or } w \models r_2$$

- $-w \models \{r_1\} \&\& \{r_2\} \iff w \models r_1 \text{ and } w \models r_2$ 
  - $-w \models r[*] \iff$  either  $w = \epsilon$  or there exist  $w_1, w_2, \dots, w_j$  such that  $w = w_1 w_2 \dots w_j$ and for every  $i \in [1..j], w_i \models r$

#### B.2.2.2 Semantics of unclocked FL formulas

The semantics of Sugar FL formulas are defined over finite or infinite words from the 20 alphabet  $2^{P}$ . The notation  $\omega \models f$  means that formula f holds along the (finite or infinite) word  $\omega$ . The notation  $M \models f$  means that  $\hat{L}(\pi) \models f$  for every computation path  $\pi$  in M such that  $\pi_0 \in S_0$ . The semantics of an FL formula are defined as follows<sup>3</sup>, where b denotes a boolean expression,  $r, r_1$ , and  $r_2$  denote SEREs,  $f, f_1$ , and  $f_2$  denote FL formulas, and [i..k] denotes the set of integers  $\{j : i \leq j \land j < k\}$ .

$$\begin{aligned} & -\omega \models b \Longleftrightarrow \ell_0 \models b \\ & -\omega \models (f) \Longleftrightarrow \omega \models f \\ & -\omega \models \neg f \Longleftrightarrow \omega \not\models f \\ & -\omega \models f_1 \land f_2 \Leftrightarrow \omega \models f_1 \text{ and } \omega \models f_2 \\ & -\omega \models X! \ f \Leftrightarrow |\omega| > 1 \text{ and } \omega^1 \models f \\ & -\omega \models [f_1 \ U \ f_2] \iff \text{there exists } k \in [0..|\omega|) \text{ such that } \omega^k \models f_2, \text{ and for every} \\ & j \in [0..k), \ \omega^j \models f_1 \\ & -\omega \models \{r\}(f) \iff \text{for every } j \in [0..|\omega|) \text{ such that } \omega^{0,j} \models r, \ \omega^j \models f \\ & -\omega \models \{r_1\} \mapsto \{r_2\}! \iff \text{for every } j \in [0..|\omega|) \text{ such that } \omega^{0,j} \models r_1 \text{ there exists} \\ & k \in [j..|\omega|) \text{ such that } \omega^{j,k} \models r_2 \\ & 40 \\ & -\omega \models \{r_1\} \mapsto \{r_2\} \iff \text{for every } j \in [0..|\omega|) \text{ such that } \omega^{0,j} \models r_1 \text{ either there exists} \\ & k \in [j..|\omega|) \text{ such that } \omega^{j,k} \models r_2 \text{ or for every } k \in [j..|\omega|) \text{ there exists a finite word} \\ & \omega' \text{ such that } \omega^{j,k} \omega' \models r_2 \\ & -\omega \models f \text{ abort } b \iff \text{either } \omega \models f \text{ or } \omega \models b \text{ or there exists } j \in [1..|\omega|) \text{ and word } \omega' \\ & \text{ such that } \omega^{j,k} \models b \text{ and } \omega^{0,j-1}\omega' \models f \end{aligned}$$

#### **B.2.3 Clocked semantics**

In the above we disregarded the *clock operator* (<sup>(a)</sup>) in the definition of Sugar formulas (and SEREs). The semantics of clocked SEREs and clocked Sugar formulas are defined formally below<sup>4</sup>.

50

<sup>&</sup>lt;sup>3</sup> The semantics presented here for the LTL operators are the standard ones.

<sup>&</sup>lt;sup>4</sup> An equivalent definition in terms of rewrite rules is given in Appendix B.5.

5

10

15

25

50

55

#### **B.2.3.1 Semantics of clocked SEREs**

Clocked SEREs are defined over finite words from the alphabet  $2^P$  and a boolean expression that serves as the clock context. The notation  $w \models^{c} r$ , where r is a SERE and c is a boolean expression, means that w is in the language of r in context of clock c. The semantics of clocked SEREs are defined as follows, where b, c, and  $c_1$  denote boolean expressions, r,  $r_1$ , and  $r_2$  denote clocked SEREs, and [i..k] denotes the set of integers  $\{j : i \leq j \land j < k\}$ .

- $-w \models c b \iff |w| \ge 1$ , for every  $i \in [0, |w| 1)$ ,  $\ell_i \models \neg c$  and  $\ell_{|w|-1} \models c \land b$  $-w \models \{r\} \iff w \models r$
- $-w \models^{c} r_{1}; r_{2} \iff$  there exists  $w_{1}$  and  $w_{2}$  such that  $w = w_{1}w_{2}, w_{1} \models^{c} r_{1}$ , and  $w_{2} \models^{c} r_{2}$
- $-w \models^{c} r_{1}: r_{2} \iff$  there exists  $w_{1}, w_{2}$ , and  $\ell$  such that  $w = w_{1}\ell w_{2}, w_{1}\ell \models^{c} r_{1}$ , and  $\ell w_2 \models r_2$
- $-w \models^{c} \{r_1\} \mid \{r_2\} \iff w \models^{c} r_1 \text{ or } w \models^{c} r_2$ 20
- $-w \models^{c} \{r_1\} \&\& \{r_2\} \iff w \models^{c} r_1 \text{ and } w \models^{c} r_2$
- $-w \models^{c} r[*] \iff$  either  $w = \epsilon$  or there exists  $w_1, w_2, \ldots, w_j$  such that  $w = w_1 w_2 \ldots w_j$ and for every  $i \in [1..j], w_i \models r$
- $-w \models r@c_1 \iff$  there exists  $i \in [0, |\omega|)$  such that  $\omega^{0,i} \models \{\neg c_1[*]; c_1\}$  and  $\omega^i \models r$

#### B.2.3.2 Semantics of clocked FL formulas

We now turn to the semantics of clocked Sugar FL formulas. The notation  $\omega \models f$ where f is a formula and c is a boolean expression means that formula f holds along 30 the (finite or infinite) word  $\omega$  in the context of clock c. The notation  $M \models f$  means that  $\hat{L}(\pi) \models^{\mathrm{T}} f$  for every computation path  $\pi$  in M such that  $\pi_0 \in S_0$  (where  $\mathrm{T} = p \vee \neg p$  for some  $p \in P$ ). The semantics of a (clocked) Sugar FL formula are defined as follows<sup>5</sup>, where b, c, and  $c_1$  denote boolean expressions,  $r, r_1$ , and  $r_2$  denote SEREs,  $f, f_1$ , and 35  $f_2$  denote (clocked) FL formulas, [i..k) denotes the set of integers  $\{j : i \leq j \land j < k\}$ , and (i..k) denotes the set of integers  $\{j : i < j \land j < k\}$ .

$$\begin{array}{c}
\omega \stackrel{c}{\models} b \iff \ell_0 \models b \\
- \omega \stackrel{c}{\models} (f) \iff \omega \stackrel{c}{\models} f
\end{array}$$
40

- $-\omega \models^{c} \neg f \iff \omega \not\models^{c} f$
- $-\omega \models^{c} f_{1} \wedge f_{2} \iff \omega \models^{c} f_{1} \text{ and } \omega \models^{c} f_{2}$
- $\omega \models^{c} X! \ f \iff \text{there exists } i \in [1..|w|) \text{ such that } \omega^{1,i} \models^{T} \{\neg c[*]; c\} \text{ and } \omega^{i} \models^{c} f$ 45
- $-\omega \models^{c} [f_1 \ U \ f_2] \iff$  there exists  $k \in [0, |\omega|)$  such that  $\omega^{k} \models^{T} c, \ \omega^{k} \models^{c} f_2$ , and for every  $j \in [0..k)$  for which  $\omega^j \models^{\mathrm{T}} c, \ \omega^j \models^c f_1$
- $-\omega \models^{c} \{r\}(f) \iff$  for every  $i \in [0., |\omega|)$  such that  $\omega^{0,i} \models^{c} r$ , there exists  $j \in [i., |\omega|)$ such that  $\omega^{i,j} \models \{\neg c[*]; c\}$  and  $\omega^j \models f$

<sup>&</sup>lt;sup>5</sup> When the context is T, the semantics reduce to the unclocked semantics as previously presented. Thus, the semantics of the LTL operators in context T reduce to the standard ones.

- $-\omega \models^{c} \{r_{1}\} \mapsto \{r_{2}\}! \iff \text{for every } i \in [0..|\omega|) \text{ such that } \omega^{0,i} \models^{c} r_{1} \text{ there exists } j \in [i..|\omega|) \text{ such that } \omega^{i,j} \models^{c} r_{2}$
- $-\omega \models^{c} \{r_{1}\} \mapsto \{r_{2}\} \iff \text{for every } i \in [0..|\omega|) \text{ such that } \omega^{0,i} \models^{c} r_{1}, \text{ either there exists}$  $j \in [i..|\omega|) \text{ such that } \omega^{i,j} \models^{c} r_{2} \text{ or for every } j \in [i..|\omega|) \text{ there exists a finite word}$  $\omega' \text{ such that } \omega^{i,j}\omega' \models^{c} r_{2}$
- 10  $-\omega \models f \text{ abort } b \iff \text{either } \omega \models f \text{ or } \omega \models b \text{ or there exists } i \in [1..|\omega|) \text{ and word } \omega'$ such that  $\omega^i \models^{\mathrm{T}} c \wedge b$  and  $\omega^{0,i-1} \omega' \models f$   $-\omega \models f@c_1! \iff \text{there exists } i \in [0..|\omega|) \text{ such that } \omega^{0,i} \models^{\mathrm{T}} \{\neg c_1[*]; c_1\} \text{ and } \omega^i \models f$
- 15

1

5

#### B.2.4 Semantics of OBE formulas

The semantics of OBE formulas are defined over states in the model, rather than finite or infinite words. The notation  $M, s \models f$  means that formula f holds in state s of model M. The notation  $M \models f$  is equivalent to  $\forall s \in S_0 : M, s \models f$ . In other words, f is valid for every initial state of M. The semantics of an OBE formula are defined as follows<sup>6</sup>, where b denotes a boolean expression and  $f, f_1$ , and  $f_2$  denote OBE formulas.

25

30

35

40

45

$$\begin{array}{c} -M,s \models b \Longleftrightarrow s \models b \\ -M,s \models (f) \Longleftrightarrow M,s \models f \\ -M,s \models \neg f \Longleftrightarrow M,s \not\models f \end{array}$$

 $-M, s \models f_1 \land f_2 \iff M, s \models f_1 \text{ and } M, s \models f_2$ 

 $-M, s \models EX f \iff$  there exists a computation path  $\pi$  of M such that  $|\pi| > 1$ ,  $\pi_0 = s$ , and  $M, \pi_1 \models f$ 

 $-M, s \models E[f_1 \ U \ f_2] \iff$  there exists a computation path  $\pi$  of M such that  $\pi_0 = s$ and there exists  $k < |\pi|$  such that  $M, \pi_k \models f_2$  and for every j such that j < k:  $M, \pi_i \models f_1$ 

 $-M, s \models EG f \iff$  there exists a computation path  $\pi$  of M such that  $\pi_0 = s$  and for every j such that  $0 \le j < |\pi|$ :  $M, \pi_j \models f$ 

#### B.3 Syntactic sugaring

The remainder of the temporal layer is syntactic sugar. In other words, it does not add expressive power, and every piece of syntactic sugar can be defined in terms of the basic Sugar FL operators presented above. The syntactic sugar is defined below<sup>7</sup>.

Note: the definitions given here do not necessarily represent the most efficient implementation. In some cases, there is an equivalent syntactic sugaring, or a direct implementation, that is more efficient.

50

<sup>&</sup>lt;sup>6</sup> The semantics are those of standard CTL.

<sup>&</sup>lt;sup>7</sup> Where  $T = p \lor \neg p$  for some  $p \in P$  and  $F = p \land \neg p$  for some  $p \in P$ .

5

#### **B.3.1 Additional SERE operators**

If i, j, k, and l are integer constants such that  $i \ge 0, j \ge i, k \ge 1$  and  $l \ge k$ , then additional SERE operators can be viewed as abbreviations of the basic SERE operators defined above, as follows, where b denotes a boolean expression, and rdenotes a SERE.

| $- \{r_1\} \& \{r_2\} = \{\{r_1\} \&\& \{r_2; \mathbf{T}[*]\}\} \mid \{\{r_1; \mathbf{T}[*]\} \&\& \{r_2\}\}$                        | 10 |
|--------------------------------------------------------------------------------------------------------------------------------------|----|
| -r[+] = r;r[*]                                                                                                                       | 10 |
| $-r[*i] = \begin{cases} \mathbf{F}[*] & \text{if } i = 0\\ \overbrace{r;r;\dots;r}^{i \text{ times}} & \text{otherwise} \end{cases}$ |    |
| $-r[*i] = \begin{cases} i \ times \\ r = 1 \end{cases}$ otherwise                                                                    |    |
| $-r[*ij] = \{r[*i]\}  \{r[*j]\}$                                                                                                     | 15 |
| $ r_{[*i]} = \{r_{[*i]}\}; \{r_{[*]}\} $                                                                                             |    |
| $ \begin{array}{c} r_{[*:]} = \{r_{[*:i]}, r_{[*:i]} \\ - r_{[*:.i]} = \{r_{[*:0]}\}     \{r_{[*i]}\} \end{array} $                  |    |
| -r[*] = r[*0.]                                                                                                                       |    |
| - [+] = T[+]                                                                                                                         | 20 |
| [1] = T[1]<br>- $[*] = T[*]$                                                                                                         |    |
| [*] = 1[*] - [*i] = T[*i]                                                                                                            |    |
| -[*ij] = T[*ij]                                                                                                                      |    |
| -[*i] = T[*i]                                                                                                                        | 25 |
| -[*i] = T[*i]                                                                                                                        | 23 |
| -[*] = T[*]                                                                                                                          |    |
| $b[=i] = \{\neg b[*]; b\}[*i]; \neg b[*]$                                                                                            |    |
| $-b[=ij] = \{b[=i]\}  \{b[=j]\}$                                                                                                     | 30 |
| -b[=i] = b[=i]; [*]                                                                                                                  | 30 |
| $-b[=i] = \{b[=0]\}  \{b[=i]\}$                                                                                                      |    |
| -b[=]=b[=0]                                                                                                                          |    |
| $(-b[\rightarrow)] = \neg b[*]; b$                                                                                                   | 25 |
| $(-b[ ightarrow k]=\{ eg b[*];b\}[*k]$                                                                                               | 35 |
| $(b \mapsto kl] = \{b \mapsto k]\}  \{b \mapsto l]\}$                                                                                |    |
| $(b \mapsto k] = \{b \mapsto k]\} \{b \mapsto k]; [*]; b\}$                                                                          |    |
| $b[ ightarrowk] = \{b[ ightarrow 1]\}   \{b[ ightarrow k]\}$                                                                         |    |
| - b[ ightarrow] = b[ ightarrow 1]                                                                                                    | 40 |

#### **B.3.2 Additional operators**

If i, j, k and l are integers such that  $i \ge 0, j \ge i, k > 0$  and  $l \ge k$  then additional operators can be viewed as abbreviations of the basic operators defined above, as follows, where b denotes a boolean expression,  $r, r_1$ , and  $r_2$  denote SEREs, and  $f, f_1$ , and  $f_2$  denote FL formulas. 50

$$\begin{array}{l} -f_1 \lor f_2 = \neg(\neg f_1 \land \neg f_2) \\ -f_1 \to f_2 = \neg f_1 \lor f_2 \\ -f_1 \leftrightarrow f_2 = (f_1 \to f_2) \land (f_2 \to f_1) \end{array}$$

Property Specification Language Reference Manual

$$\begin{array}{ll} - \{r_1\} \mapsto \{r_2\}! = \{r_1\} \mapsto \{\mathrm{T}; r_2\}! & 1 \\ - \{r_1\} \mapsto \{r_2\} = \{r_1\} \mapsto \{\mathrm{T}; r_2\} & \\ - always\{r\} = \{\mathrm{T}[*]\} \mapsto \{\mathrm{T}\} & \\ - always\{r\} = \{\mathrm{T}[*]; r\} \mapsto \{\mathrm{F}\} & 5 \\ - eventually! \{r\} = \{\mathrm{T}\} \mapsto \{\mathrm{T}[*]; r\}! & \\ - within!(r_1, b)\{r_2\} = \{r_1\} \mapsto \{r_2 \&\& b[=0]; b\}! & \\ - within(r_1, b)\{r_2\} = \{r_1\} \mapsto \{r_2 \&\& b[=0]; b\}! & \\ - within\_(r_1, b)\{r_2\} = \{r_1\} \mapsto \{r_2 \&\& \{b[=0]; b\}\}! & \\ - within\_(r_1, b)\{r_2\} = \{r_1\} \mapsto \{r_2 \&\& \{b[=0]; b\}\}! & \\ - within\_(r_1, b)\{r_2\} = \{r_1\} \mapsto \{r_2 \&\& \{b[=0]; b\}\}! & \\ - whilenot!(b)\{r\} = within!(\mathrm{T}, b)\{r\} & \\ - whilenot!(b)\{r\} = within!(\mathrm{T}, b)\{r\} & \\ - whilenot!\_(b)\{r\} = within!\_(\mathrm{T}, b)\{r\} & \\ - whilenot\_(b)\{r\} & \\ - whilenot\_(b)\{r\}$$

#### B.3.3 forall

#### If f is a Sugar formula, $v_0, v_1, \dots, v_n$ are constants, and j, k, l and m are integers, then the following are Sugar formulas:

- $forall \ i \ in \ \{v_0, v_1, \cdots, v_n\} : f$
- forall i in j..k : f
- forall i in boolean : f

- forall 
$$i\langle l..m\rangle$$
 in  $\{v_0, v_1, \cdots, v_n\}$ : f

- forall i(l..m) in j..k:f
- forall i(l..m) in boolean : f

Forall does not add expressive power. Rather, it can be viewed as additional syntactic sugar, as follows: .

$$- forall i in \{v_0, v_1, \cdots, v_n\} : f = \bigwedge_{u \in \{v_0, v_1, \cdots, v_n\}} f[i \leftarrow u]$$

$$+ \int_{a}^{k} f[i \leftarrow u]$$

$$40$$

$$- \text{ for all } i \text{ in } j..k: f = \bigwedge_{u=j}^{n} f[i \leftarrow u]$$

$$- \text{ for all } i \text{ in boolean}: f = \bigwedge_{u=0}^{1} f[i \leftarrow u]$$

$$45$$

$$- \text{ for all } i\langle l..m\rangle \text{ in } \{v_0, v_1, \cdots, v_n\} : f = \bigwedge_{u_l \in \{v_0, v_1, \cdots, v_n\}} \dots \bigwedge_{u_m \in \{v_0, v_1, \cdots, v_n\}} f[i\langle l..m\rangle \leftarrow \langle u_l..u_m\rangle]$$

109

25

30

where  $f[i \leftarrow u]$  is the formula obtained from f by replacing every occurrence of i by u and  $f[i\langle l..m \rangle \leftarrow \langle u_l..u_m \rangle]$  is the formula obtained from f by replacing every occurrence of index j (where  $l \leq j \leq m$ ) in the vector i by  $u_j$ .

5

1

#### **B.4 Typed-text representation of symbols**

10 Table 1 shows the mapping of various symbols used in this definition to the corresponding typed-text Sugar representation.

Table 1. Typed-text symbols in the Verilog, VHDL, and EDL flavors

|                   |         |      | <b>DDT</b> |
|-------------------|---------|------|------------|
|                   | Verilog | VHDL | EDL        |
| $\mapsto$         | ->      | ->   | ->         |
| $\Rightarrow$     | =>      | =>   | =>         |
| $\rightarrow$     | ->      | ->   | ->         |
| $\leftrightarrow$ | <->     | <->  | <->        |
| Γ                 | !       | not  | !          |
| $\sim$            | \$\$    | and  | &          |
| $\sim$            |         | or   |            |
|                   | :       | to   |            |
| $\langle \rangle$ | []      | ()   | ()         |

20

15

25

35

50

55

## <sup>30</sup> B.5 Rewriting rules for clocks

In Section B.2 we gave the semantics of clocked Sugar formulas directly. There is an equivalent definition in terms of unclocked Sugar formulas, as follows: Starting from the outermost clock, use the following rules to translate clocked SEREs into unclocked SEREs, and clocked Sugar formulas into unclocked Sugar formulas. The rewrite rules for SEREs are:

 $T^{c}(r_{2})$ 

40  
1. 
$$\mathcal{T}^{c}(b) = \{\neg c[*]; c \land b\}$$
  
2.  $\mathcal{T}^{c}(r_{1}; r_{2}) = \mathcal{T}^{c}(r_{1}); \mathcal{T}^{c}(r_{2})$   
3.  $\mathcal{T}^{c}(r_{1}; r_{2}) = \mathcal{T}^{c}(r_{1}); \mathcal{T}^{c}(r_{2})$   
4.  $\mathcal{T}^{c}(r_{1} | r_{2}) = \mathcal{T}^{c}(r_{1}) | \mathcal{T}^{c}(r_{2})$   
45  
5.  $\mathcal{T}^{c}(r_{1} | k \& r_{2}) = \mathcal{T}^{c}(r_{1}) \& \& c$   
6.  $\mathcal{T}^{c}(r[*]) = \{\mathcal{T}^{c}(r)\}[*]$ 

7. 
$$T^{c}(r@c_{1}) = \{\neg c_{1}[*]; \{c_{1}:T^{c_{1}}(r)\}\}$$

The rewriting rules for Sugar formulas are:

1. 
$$\mathcal{T}^{c}(b) = b$$
  
2.  $\mathcal{T}^{c}(\neg f) = \neg \mathcal{T}^{c}(f)$   
3.  $\mathcal{T}^{c}(f_{1} \wedge f_{2}) = (\mathcal{T}^{c}(f_{1}) \wedge \mathcal{T}^{c}(f_{2}))$ 

- 5
- 10
- 15

20

25

30

,0

35

40

45

- 50
- 50
- 55

Version 1.01

4.  $\mathcal{T}^{c}(\mathsf{X}!f) = \mathsf{X}! \left[\neg c \ \mathsf{U} \ (c \land \mathcal{T}^{c}(f))\right]$ 

5.  $\mathcal{T}^{c}(f_{1} \cup f_{2}) = [(c \to \mathcal{T}^{c}(f_{1})) \cup (c \land \mathcal{T}^{c}(f_{2}))]]$ 

6.  $\mathcal{T}^{c}(\{r\}(f)) = \{\mathcal{T}^{c}(r)\}([\neg c \cup (c \land \mathcal{T}^{c}(f)])$ 

7.  $\mathcal{T}^{c}(\{r_1\} \mapsto \{r_2\}!) = \{\mathcal{T}^{c}(r_1)\} \mapsto \{\mathcal{T}^{c}(r_2)\}!)$ 

8.  $\mathcal{T}^{c}(\{r_1\} \mapsto \{r_2\}) = \{\mathcal{T}^{c}(r_1)\} \mapsto \{\mathcal{T}^{c}(r_2)\})$ 

B.6 Status of the formal semantic definition

The formal semantics presented above contain three anomalies, described below. They will be addressed in version 1.1. A preliminary version of the proposed version 1.1 semantics can be found at: http://www.eda.org/vfv/docs/truncated\_semantics.pdf.

addressed by defining the semantics of unclocked Sugar formulas over empty as well as non-empty paths. This will eliminate the need for two clock operators of varying strengths. From the user's point of view, this will have minimal effect, since it is a corner case resulting from a multi-clocked trace "ending too early" after a clock

domain switch. To minimize the impact of this change, tool builders can use the rewrite rules to implement the clock operators, and then move to the new rewrite

dressed by modifying the semantics of abort to what Armoni et al. term "reset semantics". Thus, in the semantics presented above the formula ((*eventually*! false) abort b) must fail in all designs, while in version 1.1, this formula will pass if b is asserted. From the user's point of view, this will have minimal effect, since it is a corner case

resulting from aborting a non-satisfiable formula. From a tool builder's point of view, this will involve removing one step in the algorithm that builds the automaton for a given formula (the step that removes states from which there is no accepting run). 3. An issue related to #2 above involves what happens to weak suffix implications

in which the right-hand side contains a SERE whose language is empty. According to the semantics presented above, such a formula will fail in all designs. While in the case of SEREs there is no complexity issue, the semantics for version 1.1 may be modified in such a way that such a formula can pass in some circumstances. This will align the

treatment of formulas containing an unsatisfiable sub-formula with the treatment of SEREs whose language is empty. For instance, according to the semantics presented above, the formula  $\{a; b; c\} \mapsto \{d; e[*]; false\}$  fails in all designs, since there is no word in the language of  $\{d; e[*]; false\}$ . In version 1.1, the semantics may be modified to

allow this formula to pass in the case that the trace ends with an e, or if there are

 As pointed out by Armoni et al. in http://www.cs.rice.edu/vardi/misc/abortreset.pdf, the complexity of the abort operator is problematical. This issue will be ad-

 The strength of the clock has a minimal effect, in that it distinguishes only between paths with no ticks of the clock and paths with one or more ticks of the clock. Thus, for instance, (eventually! b)@clk evaluates to true if there are no ticks of clk, but to false if there's just one tick, at which b doesn't hold. This issue will be

9.  $\mathcal{T}^{c}(f \text{ abort } b) = \mathcal{T}^{c}(f) \text{ abort } (c \wedge b)$ 10.  $\mathcal{T}^{c}(f@c_{1}!) = [\neg c_{1} \cup (c_{1} \wedge \mathcal{T}^{c_{1}}(f))]$ 

rules in the next version.

an infinite number of e's. From the user's point of view, this will have minimal effect since it is a corner case resulting from coding a SERE whose language is empty. From a tool builder's point of view, this will have minimal effect since the change involves
 removing one step in the algorithm that builds the automaton for the a given SERE (the step that removes states from which there is no accepting run).

- -

# Index

## A

abort 53 AF 64 AG 64 always 46 and length-matching 40 non-length-matching 39 assert 75 assertion 2, 9 assume 75 assume\_guarantee 76 assumption 9 assumptions 2 AU 65 AX 63

## B

before 53 behavior 9 Boolean 9 Boolean expression 2, 9, 13, 27 Boolean layer 13, 27 branching semantics 24 built-in function fell 87 next 88 prev 88 rose 87 built-in functions 87

## С

checker 9 clock 33, 44 rewriting rules 110 clock expression 15, 24, 28 clocked property 24 PSL FL formula 105 comments 19 completes 9 computation path 9 concatenation 34 consecutive repetition 35 constraint 9 count 9 cover 77 coverage 9 CTL 4 cycle 9

## D

default clock declaration 28 describes 9 design 9 design behavior 9 directives 75 dynamic verification 10

## E

EF 66 EG 66 endpoint 28, 42 declaration 42 instantiation 43 EU 67 evaluation 10 evaluation cycle 10 eventually! 47 EX 65 extension 10

## F

fair 78 fairness 78 fairness constraints 78 False 10 family of operators 43 fell() 87 finite range 10 FL operators 15 FL properties 44 flavor 13, 19 **GDL** 14 Verilog 13 VHDL 14 flavor macro 21 forall 70 form strong 24 weak 24 formal verification 10 Foundation Language 15 fusion 38

## G

goto repetition 37

## H

HDL expression 27

holds 10, 23 holds tightly 10

## I

iff 12 integer range 85

## K

keywords 14

#### L

layers 13 length-matching and 40 linear semantics 24 liveness property 10, 24 logic type 10 logical and 61 iff 60 implication 60 not 62 or 61 logical operators 15 logical value 10 LTL 4 LTL operators 62

### Μ

metalogical value 10 model checking 10 modeling layer 13 Verilog 87 VHDL 89 multi-cycle behavior 2, 32, 44

## N

named properties 72 named sequences 40 never 46 next 47 next() 88 next\_a 48 next\_e 49 next\_event 50 next\_event\_a 51 next\_event\_e 52 non-consecutive repetition 36 non-length-matching and 39 number 11

## 0

OBE 17, 63

and 68 iff 68 implication 67 not 69 or 69 occurrence 11 occurs 11 operator clock 33, 44 HDL 15 LTL 62 **OBE 17** precedence 15 strong 24 temporal 2 weak 24 operators 15, 43 Optional Branching Extension 17, 63 or 39 overlap 38

## Р

path 11 positive count 11 positive number 11 positive range 11 precedence 15, 82 prefix 11 prev() 88 properties 43, 63 property 2, 11, 16, 17, 31 clocked 24 declaration 73 instantiation 73 liveness 10, 24 safety 24 unclocked 24

## R

range 11 repetition consecutive 35 goto 37 non-consecutive 36 replicated properties 70 required 11 restrict 77 restrict\_guarantee 77 restriction 11 rewriting rules 110 rose() 87

### S

safety property 11, 24 satellite 4 scoping 82 sequence 11, 16 declaration 40 instantiation 41 sequential expression 2, 11 Sequential Extended Regular Expression 15 SERE 11, 15, 32 simple subset 3 simulation 11 simulation checker 2 standard temporal logics 4 starts 11 strictly before 11 strong form 24 operator 11 strong fairness 78 struct 86 structure 85 suffix implication 56

## Т

temporal layer 13 temporal operators 2 terminating condition 12, 24 terminating property 12 tree of states 63 True 12

## U

unclocked property 24 union 86 until 54

### V

verification 12 verification layer 13 verification unit 79 binding 80 groupings 82 inheritance 81 scoping rule 82

#### W

weak form 24 operator 12 whilenot 57 within 58