rules.docx

5/19/2018 rules.docx

1/50

1

Formality Coding Rules

Introduction

This chapter provides detailed reference information for the Leda Formalitypolicy, which is centered on the Synopsys formal verification tool Formality.The policy is designed to simplify and improve your use of Formality in thedesign flow. This policy is available for both Verilog and VHDL source code.The rules are grouped into the rulesets shown inTable 2

Table 2: Formali ty Policy Rulesets

Ruleset Description

"Hard CaseRuleset"

These rules detect hardware constructs that requiremore attention when using Formality (for example,asynchronous feedback loops, use of DesignWare, etc.).

"SimulationMismatch Ruleset"

These rules detect constructs that can generatemismatches between RTL and gate-level simulations.

"V2K Ruleset"These rules detect Verilog 2001 features that are notsupported in Formality 2003.06.

"SystemVerilogRuleset"

These rules detect SystemVerilog features that are notsupported in Formality 2006.06.

.

Hard Case Ruleset
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_formality.html#1001338https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_formality.html#1001338https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_formality.html#1001338https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_formality.html#999075https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_formality.html#999075https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_formality.html#999442https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_formality.html#999442https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_formality.html#1004694https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_formality.html#1014766https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_formality.html#1014766https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_formality.html#1014766https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_formality.html#1014766https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_formality.html#1004694https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_formality.html#999442https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_formality.html#999442https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_formality.html#999075https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_formality.html#999075https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_formality.html#1001338


2/50

The following rules are from the hard case ruleset:

FM_1_1

Message: Avoid asynchronous feedback loop

DescriptionFormality does not support automatic loop breaking in RTL-to-gate checking. To solve this problem, manually break the loopor remove it.

Policy FORMALITY

Ruleset HARD_CASE

Language VHDL/Verilog

Type Chip-level

Severity Fatal

Example

The following diagram shows an invalid circuit that has an asynchronousfeedback loop.

FM_1_2


3/50

Message: Usage of complex arithmetic operations thatinclude multiplication, division, remainder or modulus is notrecommended (important memory usage)

DescriptionFormality supports arithmetic operators (+, -, *, /), but it hassome limitations depending on the version of the software thatyou are using. To solve this problem, split the operators overseveral assignments.

Policy FORMALITY

Ruleset HARD_CASE


Type Chip-level

Severity

Warning

Example

The following examples of valid and invalid Verilog code illustrate thisproblem and how to correct it:

Invalid Verilog Code:

module FM_1_2_NG ( A,B,C,D,E);input [7:0] A,B,C,D;

output [15:0] E;reg [15:0] E;

always @( A or B or C or D) begin

E = (A+B) * (C+D); // FAIL

// Complex arithmetic binary operation with multiplierendendmodule

Valid Verilog Code:

module FM_1_2_OK( A,B,C ); input [7:0] A,B;output [15:0] C;reg [15:0] C;

always @( A or B ) begin

C = A * B; // PASS, because there is ONLY one multiplierendendmodule

FM_1_3


4/50

Message: Identifier of instance starts with DW. If it is aDesignWare Foundation cell, then Formality requires extrasettings

Description

Formality supports DesignWare implementations, but you mustdefine hdlin_dwroot in order to specify the location of theDesignWare components. To set the value of this variable withinFormality, use:set hdlin_dwrootvaluewhere valueissomething like /snps-1999.10.

Policy FORMALITY

Ruleset HARD_CASE


Type Block-level

Severity Warning

Example

The following example of invalid Verilog code illustrates an incorrectDesignWare direct instantiation:

module FM_1_3_1 ( inst_A, inst_B, inst_TC, inst_CLK, PRODUCT_inst );parameter A_width = 8;parameter B_width = 8;

input [A_width-1 : 0] inst_A;input [B_width-1 : 0] inst_B;input inst_TC;input inst_CLK;output [A_width+B_width-1 : 0] PRODUCT_inst;

// Instance of DW02_mult_2_stageDW02_mult_2_stage #(A_width, B_width)

U1 ( .A(inst_A), .B(inst_B), .TC(inst_TC), .CLK(inst_CLK),

.PRODUCT(PRODUCT_inst) ); // FAILendmodule

FM_1_4

Message: Do not assign signal/variable to asynchronousset/reset

DescriptionWhen signal is assigned to asynchronous set/reset, it may causesimulation mismatch between RTL and Gate. Because after the


5/50

synthesis, the signal will be changed only when theasynchronous set/reset is active.

Policy FORMALITY

Ruleset HARD_CASE


Type Block-level

Severity Error

Example

The following example of invalid Verilog code and invalid VHDL illustrates theproblem:

Invalid Verilog code

module fm_1_22 ( CLK, RST, RST_IN, D_IN, D_OUT);input CLK, RST, RST_IN, D_IN;output D_OUT;reg D_OUT;

always@(posedge CLK or negedge RST) beginif (!RST)

D_OUT


6/50

change the user module name that is not duplicated with librarycells.

Policy FORMALITY

Ruleset HARD_CASE


Type Block-level

Severity Warning

FM_1_6

Message: Use only one asynchronous set/reset signal per

process

Description

When there are multiple asynchronous signals in aalways/process, the RTL description shows prioritized condition.But synthesis tools may ignore that kind of priority withdirectives. So that it may cause simulation mismatch betweenRTL and Gate.

Policy FORMALITY

Ruleset HARD_CASE

Language

VHDL/Verilog

Type Block-level

Severity Error

Example

The following example of invalid Verilog code and invalid VHDL illustrates theproblem:

Invalid Verilog code

always@(posedge CLK or negedge RST or negedge SET) beginif (!RST)

D_OUT


7/50

Invalid VHDL code

process (CLK , RST, SET) beginif (RST=='0') then

D_OUT


8/50

Simulation Mismatch Ruleset

The following rules are from the simulation mismatch ruleset:

FM_2_1A

Message: Redundant signals in the sensitivity list

Description

The synthesis tool used by Formality does not strictly follow thesensitivity list when performing hardware inference. This meansthat an incorrect sensitivity list results in simulation mismatchesbetween the pre- and post-synthesis simulations. For asequential process, the sensitivity list must contain only theclock and reset if it is asynchronous. For a combinatorialprocess, all read signals must be in the sensitivity list.

Policy FORMALITY

Ruleset SIMULATION_MISMATCH


Type Block-level

Severity Error

Example

The following examples of invalid VHDL code exhibits this problem:

library IEEE;use IEEE.std_logic_1164.all;entity FM_2_1_3 is

port(A,B,C,D : in std_logic;E : out std_logic);

end FM_2_1_3 ;architecture ARCH of FM_2_1_3 isbegin

process(A,B,C,D) begin-- FAIL : "D" is redundant in sensitivity listif (A='1') then

E


9/50

FM_2_1B

Message: Missing signals in the sensitivity list

Description

By default, Formality generates warning messages when it findsmissing signals in a sensitivity list. In such cases, theverification does not run because the synthesis tool used byFormality does not strictly follow the sensitivity list whenperforming hardware inference. This means that an incorrectsensitivity list results in simulation mismatches between thepre- and post-synthesis simulations. For a sequential process,the sensitivity list must contain only the clock and reset if it isan asynchronous reset.For a combinatorial process, all readsignals must be in the sensitivity list.Note that Formality userscan control this setting with the

"hdlin_warn_on_mismatch_message" variable.

Policy FORMALITY



Type Block-level

Severity Error

The following examples of invalid Verilog code exhibits this problem:

module FM_2_1 (A,B,C,SEL);input A,B,SEL;output C;reg C;

always@(A or B) begin

case (SEL) // FAIL : "SEL" is missing in sensitivity list1'b1 : C = A;1'b0 : C = B;default C = 1'bx;

endcase

endendmodule

FM_2_10

Message: Using X, Z values in case items is notrecommended (such items may be ignored by synthesis tool)


10/50

DescriptionCase items that use X or Z values are always considered to befalse by the synthesis tool. This can cause simulation results todisagree with synthesis results.

Policy FORMALITY

Ruleset

SIMULATION_MISMATCH


Type Block-level

Severity Error

Example

The following examples of invalid Verilog and VHDL code exhibit this

problem:


module FM_2_10 (A,B,C,SEL);input A,B;input [1:0] SEL;output C;reg C;

always@(SEL) begincase (SEL)

2'b11 : C = A;2'b10 : C = B;

2'b0X : C = 1'b1 ; // FAIL2'b0Z : C = 1'b0 ; // FAIL

endcaseendendmodule

Invalid VHDL Code:

library IEEE;use IEEE.std_logic_1164.all;use IEEE.std_logic_arith.all;use IEEE.std_logic_unsigned.all;

entity fm_2_10 isport( A : in std_logic_vector (1 downto 0 );CE, BF : in std_logic;B : out std_logic

);end fm_2_10;

architecture ARCH of fm_2_10 isbeginprocess( A,CE,BF )


11/50

begincase A iswhen "11" => B B B


12/50

Message: Incomplete case_statement using full_casedirective is not recommended (not supported by simulationtool)

Description Simulation tools do not support the Synopsys full_case directive.To solve this problem, remove the Synopsys full_case directiveor use a default clause.

Policy FORMALITY


Language Verilog

Type Block-level

Severity Error

Example

The following example of invalid Verilog code exhibits this problem:

module FM_2_12 (A,SEL,OUT0);input A ;input [1:0] SEL;output OUT0;reg OUT0;

always @( A or SEL) begin

case (SEL) // FAIL -- Synopsys full_case

2'b00 : OUT = 1'b0;2'b01 : OUT = 1'b1;

2'b11 : OUT = A ; // This is not full_case definitionendcase

endendmodule

FM_2_13

Message: When case items are duplicated (parallel), do notuse parallel_case directive

Description

Simulation tools do not support the Synopsys parallel_casedirective. To solve this problem, change your RTL code to avoidoverlapping branches. This prevents mismatches between pre-and post-synthesis simulation results.

Policy FORMALITY


13/50


Language Verilog

Type Block-level

Severity

Error

Example


module FM_2_13 (SEL,OUT0);input [1:0] SEL ;output OUT0;reg OUT0;

always@(SEL) begin

case ( SEL ) // FAIL -- Synopsys

parallel_case2'b10: y = 1'b0;2'b01: y = 1'b1;2'b11: y = 1'b0;

2'b11: y = 1'b1; // This is parallel caseendcase

endendmodule

FM_2_15

Message: Using blocking assignments in sequential alwaysblock may generate incorrect logic

Description

Using blocking assignments in sequential blocks can createinvalid logic (see example). It will flag an error only if the LHSinfers a register. This rule is flagged for unintentional latchesalso.

Policy FORMALITY


Language Verilog

Type Block-level

Severity Error

Example


14/50

The following examples of valid and invalid Verilog code, accompanied bycorresponding circuit diagrams, illustrate this problem and how to correct it:


always@(posedge CLK) beginB = A;C = B;

end

Valid Verilog Code:

always@(posedge CLK) beginB


15/50

always@(posedge CLK) begin

B = A;C


16/50

OUT_1 = TMP | C;endmodule

FM_2_17

Message: Avoid operand size mismatch assignments

Description

Simulation and synthesis tools do not always extend operandsof different sizes the same way. To solve this problem, useoperands of the same size. Otherwise, you may get simulationmismatches.It flags an error if there is a mismatch betweenactuals and formals in function calls and module instantiations.It also flag an error on declarations. For example,wire [0:7]w = (test)?a[0:8]:1'b1;

Policy

FORMALITY



Type Block-level

Severity Error

Example

The following examples of invalid VHDL and Verilog code and valid Verilogcode illustrate this problem and how to correct it:


module FM_2_17 (A, B);inout [7:0] A;input B;

assign A = B ? 4'b0 : 4'bz; // FAIL : A is 8 bitendmodule

Valid Verilog Code:

module FM_2_17_OK (A, B);inout [7:0] A;input B;

assign A = B ? 8'b0 : 8'bz; // PASSendmodule

Invalid VHDL Code:


17/50

entity test isport( in_1 : in bit_vector ( 3 downto 0 );

in_2 : in bit_vector ( 3 downto 0 );out_1 : out bit_vector ( 7 downto 0 ) );

end;architecture rtl of test isbegin

out_1


18/50

Valid Verilog Code:

module FM_2_18_OK (A,B,C,D,SEL,OUT0);input [1:0] SEL ;input A,B,C,D ;output OUT0 ;

reg OUT0 ;always @( SEL or A or B or C or D) begin

case (SEL) // PASS2'b00 : OUT0 = A ;2'b01 : OUT0 = B ;2'b10 : OUT0 = C ;default : OUT0 = D ;

endcaseendendmodule

FM_2_19

Message: Using net type other than wire (wand, wor, ...) isnot recommended (can generate mismatch duringsimulation)

DescriptionSynthesis tools map wand or wor to logic gates. This can causemismatches between RTL and gate-level simulations.

Policy FORMALITY


Language

Verilog

Type Block-level

Severity Error

Example


module FM_2_19 ( DATA_1,DATA_2, OUT0);

input DATA_1,DATA_2;output OUT0;reg OUT0;

wand tmp_OUT; // FAIL

assign tmp_OUT = DATA_1;assign tmp_OUT = DATA_2;always @ ( tmp_OUT )beginOUT0 = tmp_OUT;


19/50

endendmodule

FM_2_2

Message: Delays are ignored by synthesis tool

DescriptionSynthesis tools ignore delay values. This can cause mismatchesbetween RTL and gate-level simulations.

Policy FORMALITY



Type Block-level

Severity

Error

Example

The following examples of invalid Verilog and VHDL code exhibit thisproblem:


module FM_2_2 ( a, b, q);parameter delay = 10;input a, b;output q;

assign #delay q = a + b; // FAIL : Don't use delayendmodule

Invalid VHDL Code:

library IEEE;use IEEE.std_logic_1164.all;entity FM_2_2 is

port( CLK,A,B: in std_logic;REG_OUT : out std_logic );

end FM_2_2 ;architecture ARCH of FM_2_2 issignal tmp : std_logic;begin

process(CLK,A) beginif (CLK'event and CLK='1') then

tmp


20/50

end ARCH;

FM_2_20

Message: Do not use event_control in assignments (not

handled by all tools)

DescriptionSome tools do not support event control in assignmentstatements.

Policy FORMALITY


Language Verilog

Type Block-level

Severity

Error

Example



module FM_2_20_NG ( CLK, DATA, Q );

input CLK, DATA;output Q;reg Q;alwaysbegin

Q


21/50

Message: Do not use duplicated port definitions (some toolsrename duplicated ports automatically)

DescriptionSome tools automatically change duplicate port names found in

the same module.

Policy FORMALITY


Language Verilog

Type Block-level

Severity Error

Example



module FM_2_21_NG ( CLK, DATA, Q ,CLK); // FAIL : CLK is defined twice.input CLK, DATA;output Q;reg Q;always @(posedge CLK) beginQ


22/50

the allowed range. Range overflows can cause unpredictableresults.

Policy FORMALITY


Language Verilog

Type Block-level

Severity Warning

Example



module FM_2_22_NG ( a,b_out,array,c);input [2:0] a;input [3:0] array;input c;output b_out;reg b_out;

always@( a or c or array) beginif(c)

b_out = 1'b0;else

b_out = array[a]; // FAIL : when a is over 4, it is overflow.endendmodule

Valid Verilog Code:

module FM_2_22_OK ( a,b_out,array,c);input [1:0] a;input [3:0] array;input c;output b_out;reg b_out;

always@( a or c or array) begin

if(c)b_out = 1'b0;

else

b_out = array[a]; // PASS : a is 0 or 1 or 2 or 3.endendmodule

FM_2_23


23/50

Message: Non-driven output ports or signals detected

Description

Non-driven output ports and signals are automatically set to 0or 1. This can generate mismatches between RTL and gate-levelsimulations. Note that in VHDL designs, buffers are notconsidered to be drivers, and a signal driven by only one bufferis not considered to be driven.

Policy FORMALITY



Type Block-level

Severity Error

Example



module FM_2_23_1( EN,CLK,D_1,D_2,OUT_1,OUT_2);input EN,CLK;input [0:3] D_1;input [0:2] D_2;

output [0:7] OUT_1,OUT_2;// FAIL : OUT_1 is NOT assigned any signal.reg [0:7] OUT_2;

reg [0:7] TMP; // FAIL : TMP[4] is NOT assigned any signalalways @( EN or DA or DB) beginif( EN == 1'b1 )

TMP[0:3]


24/50

reg [0:7] TMP; // PASS : All TMP signals are assigned.always @( EN or D_1 or D_1) beginif( EN == 1'b1 )

TMP[0:4]


25/50

FM_2_25

Message: Operator === is treated as ==

Description

Formality interprets the Verilog case equality operator as asimple equality check. This can cause simulation results todisagree with synthesis.

Policy FORMALITY


Language Verilog

Type Block-level

Severity Warning

Example


module test(a, b, o);input [1:0] a, b;output o; reg o;

always@(a or b)begin

if(a === b)o = 0;

elseo = 1;end

endmodule

FM_2_26

Message: Operator !== is treated as !=

DescriptionFormality interprets the Verilog case inequality operator as asimple inequality check. This can cause simulation results to

disagree with synthesis.

Policy FORMALITY


Language Verilog

Type Block-level


26/50

Severity Warning

Example


module test(a, b, o);input [1:0] a, b;output o; reg o;

always@(a or b)begin

if(a !== b)o = 0;

elseo = 1;

endendmodule

FM_2_27

Message: Keyword TRANSPORT ignored in signal assignment

Description

A transport delay mechanism is used when modeling an idealdevice with infinite frequency response, in which any inputpulse, no matter how short, produces an output pulse. Formalityignores such signal assignments.

Policy FORMALITY


Language VHDL

Type Block-level

Severity Error

Example

The following example of invalid VHDL code exhibits this problem:

library IEEE;use IEEE.std_logic_1164.all;

entity FM_2_27 isport (

A : in std_logic;B : out std_logic);

end FM_2_27;


27/50

architecture FM_2_27_arch of FM_2_27 is

signal B1 : std_logic;signal B2 : std_logic;signal B3 : std_logic;signal B4 : std_logic;signal B5 : std_logic;

begin

B


28/50

Invalid VHDL Code:

architecture ARCH of FM_2_3 isbegin

process(DATA0,ENV)variable TMP: STD_LOGIC;

beginOUT0


29/50

entity FM_2_32 isend;architecture ARCH of FM_2_32 isfunction bad_funct(arg1: integer) return integer isbegin

if (arg1 = 1) thenreturn 42;

end if;

-- when 'if' is false, function returns no valueend;signal z: integer;beginz


30/50

Severity Warning

FM_2_33C

Message: Do not use enum_encoding attribute

DescriptionEnum_encoding attribute is supported by synthesis tools only,so that it may cause simulation mismatch between RTL andgate.

Policy FORMALITY


Language VHDL

Type Block-level

Severity Warning

FM_2_33D

Message: Do not use translate_on/off or synthesis_on/offpragmas

DescriptionTranslate off/on or synthesis off/on attributes are supported bysynthesis tools only, so that it may cause simulation mismatchbetween RTL and gate.

Policy FORMALITY



Type Block-level

Severity

Warning

FM_2_33E

Message: Do not use enum or state_vector attributes


31/50

DescriptionEnum or state_vector attributes are supported by synthesistools only, so that it may cause simulation mismatch betweenRTL and gate.

Policy FORMALITY

Ruleset

SIMULATION_MISMATCH

Language Verilog

Type Block-level

Severity Warning

FM_2_34B

Message: Do not use 'unconnected_drive

Description'unconnected_drive directive is by supported simulation toolsonly, so that it may cause simulation mismatch between RTLand gate.

Policy FORMALITY


Language Verilog

Type

Block-level

Severity Warning

FM_2_34C

Message: Do not use 'resetall

Description'resetall directive is supported by simulation tools only, so that itmay cause simulation mismatch between RTL and gate.

Policy FORMALITY


Language Verilog

Type Block-level


32/50

Severity Warning

FM_2_34D

Message: Do not use 'default_nettype

Description'default_nettype directive is supported by simulation tools only,so that it may cause simulation mismatch between RTL andgate.

Policy FORMALITY


Language Verilog

Type Block-level

Severity Warning

FM_2_35

Message: Use fully assigned variables in function bodies

Description

Function is always used as combinational logic by synthesistools. But simulation tools may use function as latch, whenfunction does not have fully assignments for every conditions. Itmay cause simulation mismatch between RTL and gate.

Policy FORMALITY


Language Verilog

Type Block-level

Severity Warning

Example

The following examples of invalid and valid Verilog code illustrate thisproblem and how to correct it:



33/50

function test; //FAILinput D_IN,RST;if( RST )

test = D_IN; // FAILendfunction

Valid Verilog Code:

function test; //PASSinput D_IN,RST;if( RST )

test = D_IN;else

test = 1'b1; // PASS, because variable is fully assignedendfunction

Some SystemVerilog functions will give false violations for this rule and it isbest to disable it for SV code.

Inout or output parameter (result):

function void test (int a , inout bit [`SIZE-1:0] result );if (a == 0) return;result = a * result * $root.test ( a-1 ) ;

endfunction

Local variables such as i in the below example:

function STP test ;input STP s ;int i,j;begin

for(i=0;i0)begin

$display ($time,,"%d%d %b",j,i,s.r);

s.b = 1;return s ;endelse

$display ("%d %b",i,s.r);end

endendfunction


34/50

Recursive functions:

function bit [`SIZE-1:0] test ;input int a;//beginif (a == 0) return 1;

if (a > 0)begin

test = a * test ( a-1 ) ;end//endendfunction

Simulation functions

function func1;bit [P:0] a;

bit [P:P-1] b;bit [P:P+2] c;bit [P:P*P] d;bit [-P:0] e;bit [1-P:P*P] f;bit [P:5] g;bit [0:-P] h;bit [P-P:P] i;bit [P/P:P] j;bit [P%2:P] k;$displayb (a,,b,,c,,d,,e,,f,,g,,h,,i,,j,,k);

endfunction

FM_2_36

Message: Signal is read before being assigned

Description

When the signal is read before assignment, simulation toolsexecute it as the order. But synthesis tools does not depend onthe order. It may cause simulation mismatch between RTL andgate-level.

Policy FORMALITY

Ruleset

SIMULATION_MISMATCH

Language Verilog

Type Block-level

Severity Warning

Example


35/50

The following examples of invalid and valid Verilog code illustrate thisproblem and how to correct it:


module fm_2_36 (A, B, C, D);input A,B,C;output D;reg D,tmp;always@( A or B or C ) begin

D = C & tmp;tmp = A & B;

endendmodule

Valid Verilog Code:

always@( A or B or C ) begintmp = A & B;D = C & tmp;

end

FM_2_4

Message: Assignment to X is not recommended (handleddifferently by simulation and synthesis tools). Does not flagan error for use of x in default clause of case statements

Description

Simulation and synthesis tools handle X value assignmentsdifferently. Simulation tools handle X value assignments assimple assignments, but synthesis tools may ignore X valueassignments. This can cause mismatches between thesimulation results.

Policy FORMALITY



Type

Block-level

Severity Error

Example



36/50


module FM_2_4 ( SET,DATA0,OUT0);input SET,DATA0;output OUT0;reg OUT0;

always @ (SET or DATA0) beginif ( SET == 0 )

OUT0


37/50

Type Block-level

Severity Error

Example



module FM_2_5 ();

wire (supply0,supply1) tmp = 1'b1;// FAILendmodule

Invalid VHDL Code:


port( DATA0 ,CLK ,EN : in STD_LOGIC ;OUT0 : out STD_LOGIC );

end FM_2_5 ;architecture ARCH of FM_2_5 isbegin

process( DATA0, CLK ,EN) beginif (CLK'event and CLK = '0') then

if (ENV = '1' ) then

OUT0


38/50

Type Block-level

Severity Error

Example


module FM_2_6 ( DATA0,DATA1,OUT0);input DATA0,DATA1;output OUT0;reg OUT0;

initial begin // FAILOUT0 = 0;endalways @( DATA0 or DATA1) beginOUT0


39/50

end FM_2_6 ;architecture ARCH of FM_2_6 is

signal TMP : STD_LOGIC := '1'; -- FAILbegin

process( DATA0, DATA1 ) beginTMP


40/50

Invalid VHDL Code:


port( DATA0, DATA1,C LK : in STD_LOGIC ;

OUT0 : out STD_LOGIC );end FM_2_7 ;architecture ARCH of FM_2_7 iscomponent LOWport ( DATA0, DATA1, CLK : in std_logic;

OUT0 : out std_logic ) ;end component;begin

U0: LOW port map ( DATA0,DATA1,CLK,OUT0 ); -- FAILend ARCH;

FM_2_8

Message: Multiple non-tristate drivers detected for

DescriptionUsing drivers in several always/process blocks generates wiredconnections. Depending on the delays, these wires can causedifferences between RTL and gate-level simulations.

Policy FORMALITY



Type Chip-level

Severity Warning

Example



module FM_2_8 (CLK,A,B,C);input CLK,A,B;output C;

reg tmp; // FAIL : tmp has multiple assignmentalways@(posedge CLK) begin

tmp


41/50

tmp


42/50

module FM_2_9 (A,B,C,D,OUT0);input A,B,C,D;output OUT0;reg OUT0;always @( A or B or C or D) begin

if( A == 1'bZ ) // FAIL

OUT0


43/50

Type Block-level

Severity Error

FM_108

Message: Do not use recursive task or function

Description This is a limitation of Formality 2003.06.

Policy FORMALITY

Ruleset V2K

Language Verilog

Type

Block-level

Severity Error

FM_111

Message: Do not use v2k enhanced file IO


Policy

FORMALITY

Ruleset V2K

Language Verilog

Type Block-level

Severity Error

FM_117

Message: Do not use variable initial value


Policy FORMALITY

Ruleset V2K


44/50

Language Verilog

Type Block-level

Severity Warning

SystemVerilog Ruleset

The following rules are from the SystemVerilog ruleset:

FM_200

Message: The intent of the always_latch construct is notverified by Formality

DescriptionThis rule checks if the SystemVerilog code uses the always_latchconstruct. This is a limitation of Formality 2006.06.

Policy FORMALITY

Ruleset SystemVerilog

Language SystemVerilog

Type Hardware

Severity Warning

The following example of SystemVerilog code exhibits a violation of this rule:

// FAIL test case.

module latched_arith (input logic [7:0] a, b, input logic ena, outputlogic [7:0] sum, diff);always_latch

if (ena)begin

sum = a + b;diff = a - b;end

endmodule

FM_201


45/50

Message: Declarations of types tasks and functions at $rootis not supported

Description

This rule checks if the SystemVerilog code has declarations of

tasks and functions in $root instance. If it does, Leda issues anerror message. This is a limitation of Formality 2006.06.

Policy FORMALITY



Type Hardware

Severity Error


// FAIL - Function declared in $rootfunction automatic reg [31:0] preg_cat (input reg [31:0] a, b);

preg_cat = a + b;endfunction

module func4 (input reg [31:0] in_a, in_b, output reg [31:0] data_out);assign data_out = preg_cat(in_a, in_b);

endmodule

FM_202

Message: Reference to the $root instance path are notsupported

DescriptionThis rule checks if the SystemVerilog code has references to$root instance path. If it does, Leda issues an error message.This is a limitation of Formality 2006.06.

Policy FORMALITY

Ruleset

SystemVerilog


Type Hardware

Severity Error


46/50


typedef struct { logic d;} pilz;

module m (a, y1);

input bit a;output bit y1;

always @* begin

y1 = $root.pilz.d; // FAIL - Reference to $root instance path$root.pilz.d = a;

endendmodule

FM_203

Message: Automatic interfaces are not supported

DescriptionThis rule checks if the SystemVerilog code has any automaticinterfaces. If it does, Leda issues an error message. This is alimitation of Formality 2006.06.

Policy FORMALITY



Type Hardware

Severity

Error

The following examples of SystemVerilog code exhibits a violation of thisrule:

Example 1:

module automatic m (input int a, b, output bit [33:0] c); // Fail -

// automatic modulefunction fadd (input int a, b);

fadd = a + b;endfunction

assign c = fadd(a,b);

endmodule;

Example 2:


47/50

// Fail - This example has an automatic interface.interface automatic simple_bus; //Automatic inferface

wire a,b;reg r1,r2;int factout;

function integer fact;input [7:0] in;begin

if (in == 0) fact = 1;else fact = (in-1) * in;

endendfunctionassign b = a;alwaysbeginr1 = a;if (a) r2 = a; else r2 = ~a;endalways

beginfactout = fact(4);end

endinterface

module top (i, o_b, o_r1, o_r2, o_fout);input i;output o_b, o_r1, o_r2;output [31:0] o_fout;wire t1,t2;simple_bus ifc_inst();assign ifc_inst.a = i;assign o_b = ifc_inst.b;

assign o_r1 = ifc_inst.r1;assign o_r2 = ifc_inst.r2;assign o_fout = ifc_inst.factout;endmodule

FM_204

Message: Const declarations are not supported

DescriptionThis rule checks if the SystemVerilog code uses constantdeclaration. If it does, Leda issues an error message. This is a

limitation of Formality 2006.06.

Policy FORMALITY



Type Hardware


48/50

Severity Error


module m (input int i, output int o2);

const int s = 100; //Fail - automatic moduleassign o2 = s + i;

endmodule

FM_205

Message: Structure literal assignments are not supported

DescriptionThis rule checks if the SystemVerilog code uses structureliterals. If it does, Leda issues an error message. This is alimitation of Formality 2006.06.

Policy FORMALITY



Type Hardware

Severity Error


typedef struct {logic [32:0] sum;logic [31:0] diff;

} addsub;

module FM_205 (input [31:0] val1, input [31:0] val2, output addsub out);logic [31:0] tmp_diff;logic [32:0] tmp_sum;

always@(val1 or val2)begin

tmp_sum = val1 + val2;tmp_diff = val1 - val2;

out = { tmp_sum, tmp_diff };//Should Fail - structure literals

//but currently limitation in FE

out = { sum:tmp_sum, diff:tmp_diff };//Fail -structure literalsend


49/50

endmodule

FM_206

Message: Array literal assignments are not supported

DescriptionThis rule checks if the SystemVerilog code uses array literals. Ifit does, Leda issues an error message. This is a limitation ofFormality 2006.06.

Policy FORMALITY



Type

Hardware

Severity Error


module mFM_206 (output int d1_out_0, d1_out_1);int d1 [0:3];

assign d1 = { {0:7,1:3,2:0,3:5} }; //Fail - array literals

endmodule

FM_207

Message: Generic interfaces are not supported

DescriptionThis rule checks if the SystemVerilog code uses genericinterfaces. If it does, Leda issues an error message. This is alimitation of Formality 2006.06.

Policy FORMALITY



Type Hardware

Severity Error


50/50


Note that module mod passes an unspecified interface reference as a place-holder for an interface to be selected when the module itself is instantiated.The unspecified interface is referred to as a generic interface reference.

interface abc ();bit a, b;bit d, e;logic [2:0] c;modport mp (input a, b, output c);

endinterface

interface abc_clone ();logic a, b;logic [2:0] c;modport mp1 (input a, b, output c);

endinterface

module top (a1, a2, b1, b2, c1, c2);input a1, a2, b1, b2;output logic [2:0] c1, c2;abc ab (); // interface abc instantiatedabc_clone ac (); // interface abc_clone instantiatedassign ab.a = a1;assign ab.b = b1;assign c1 = ab.c;assign ac.a = a2;assign ac.b = b2;assign c2 = ac.c;mod am (ab.mp); // passing ab.mp modport to generic interfacemod pm (ac.mp1); // passing ac.mp1 modport to generic interface

endmodule

module mod (interface a); // generic interfacealways_comb

a.c = a.a | a.b;endmodule

rules.docx

Documents

following rules

use of formality

policy formalityruleset

hard case rulesethttps

arithmetic operators

asynchronous feedback

hardware constructs

systemverilog features