Groebner Bases Based Verification Solution for SystemVerilog Concurrent Assertions

We introduce an approach exploiting the power of polynomial ring algebra to perform SystemVerilog assertion verification over digital circuit systems. This method is based on Groebner bases theory and sequential properties checking. We define a constrained subset of SVAs so that an efficient polynomial modeling mechanism for both circuit descriptions and assertions can be applied. We present an algorithm framework based on the algebraic representations using Groebner bases for concurrent SVAs checking. Case studies show that computer algebra can provide canonical symbolic representations for both assertions and circuit designs and can act as a novel solver engine from the viewpoint of symbolic computation.


Introduction
SystemVerilog [1,2] is the most important unified Hardware Description and Verification Language (HDVL) and provides a major set of extensions from the Verilog language with the added benefit of supporting object orientated constructs and assertions feature. SystemVerilog provides special language constructs and assertions, to specify and verify design behavior. An assertion is a statement that a specific condition, or sequence of conditions, in a design is true. In the industry of integrated circuits design, Assertionsbased verification (ABV) using SystemVerilog Assertions (SVAs) is now changing the traditional design process. With the help of SVAs, it is easy to formally characterize the design requirements at various levels of abstraction, guide the verification task, and simplify the design of the testbench. Assertions essentially become active design comments, and one important methodology treats them exactly like active design comments.
Moreover, assertions can be attached directly to RTL, working in cycle-precise domain, or they can operate in transactional domain with the help of monitors data extractors.
Then, these modular checkers minimize or even eliminate the need of model checkers, which consist of HDL modules to provide the verification.
An important benefit of assertions is the ease of specifying functional coverage. Simulation tools compute the functional coverage, as defined by the assertions, which add a greater level of assurance that the testbench invoked the desired functions.
More recently, the key EDA tool vendors have researched new verification methodologies and languages, which implement functional code coverage, assertion-based coverage. and constrained random techniques inside a complete verification environment.
In [3], a subset of SystemVerilog assertions is defined to apply induction-based bounded model checking (BMC) to this subset of SVAs within acceptable run times and moderate memory requirements. As is well known, the conventional simulation for assertion checking is the well-understood and most commonly used technique, but only feasible for very small scale systems and cannot provide exhaustive checking. While symbolic simulation proposed by Darringer [4] as early as 1979 can provide exhaustive checking by covering 2 Journal of Applied Mathematics many conditions with a single simulation sequence, but it could not handle large circuits due to exponential symbolic expressions. Earlier work in applications of symbolic manipulation and algebraic computation has gained significant extensions and improvements. In [5], a technique framework on Groebner bases demonstrated that computer algebraic geometry method can be used to perform symbolic model checking using an encoding of Boolean sets as the common zeros of sets of polynomials. In [6], a similar technique to framework based Wu's Method has been further extended to bit level symbolic model checking. In [7], an improved framework of multivalued model checking via Groebner bases method was proposed, which is based on a canonical polynomial representation of the multivalued logics.
In our previous work [8], we proposed a method using Groebner bases to perform SEREs assertion verification for synchronous digital circuit systems. Then we introduced a verification solution based on Wu's method towards Sys-temVerilog assertion checking [9]. This paper aims to verify whether a SVA property holds or not on the traces produced after several cycles running over a given synchronous sequential circuit. It is the follow-up work of [9]. Groebner Bases and Wu's method are the most important methods of computer algebra. Wu's method of characteristic set is a powerful theorem proving technique, and Groebner Bases allows many important properties of the ideal and the associated algebraic variety to be deduced easily. So Groebner Bases method has a better theoretical guide, and the algorithm based on Wu's method is more efficient.
Checking SVAs is computationally very complex in general while for practical purposes a subset is sufficient. In this work we (1) define a constrained subset of SVAs; (2) perform algebraization of SVA operators for the constrained subset; (3) do translation of SVAs into polynomial set representations; (4) provide a symbolic computation based algebraic algorithm for SVAs verification.
Our approach can handle safety properties that argue over a bounded number of time steps. Local variables in SVAs can be handled as symbolic constant without any temporal information. Nevertheless, liveness properties and infinite sequences in SVAs are excluded.

Preliminaries
In this section, to keep the paper self-contained, we will give the basics of SystemVerilog and algebraic symbolic computation used throughout this paper.
SystemVerilog has combined many of the best features of both VHDL and Verilog.
Therefore, on the one hand, VHDL users will recognize many of the SystemVerilog constructs, such as enumerated types, records, and multidimensional arrays. On the other hand, Verilog users can reuse existing designs; SystemVerilog is a superset of Verilog so no modification of existing Verilog code is required.
Generally, the SystemVerilog language provides three important benefits over Verilog.
(1) Explicit design intent-SystemVerilog introduces several constructs that allow designers to explicitly state what type of logic should be generated.
(2) Conciseness of expressions-SystemVerilog includes commands that allow the users to specify design behavior more concisely than previously possible.
(3) High level design abstraction-The SystemVerilog interface construct facilitates intermodule communication.
Especially, SystemVerilog provides special language constructs and assertions, to verify design behavior. An assertion is a statement that a specific condition, or sequence of conditions, in a design is true. If the condition or sequence is not true, the assertion statement will generate an error message.
Additionally, one important capability in SystemVerilog is the ability to define assertions outside of Verilog modules and then bind them to a specific module or module instance. This feature allows test engineers to add assertions to existing Verilog models, without having to change the model in any way. One of the goals of SystemVerilog assertions is to provide a common semantic meaning for assertions so that they can be used to drive various design and verification tools.
In SystemVerilog, there are two types of assertions.
(1) Immediate Assertions. Immediate assertions follow simulation event semantics for their execution and are executed like a statement in a procedural block. Immediate assertions are primarily intended to be used with simulation and evaluate using simulation event-based semantics.
( This property states that signal and then signal become high and signal will be high in the next cycle. As illustrated in this example, a concurrent assertion property in SystemVerilog will never be evaluated by itself except when it is invoked by a verification statement. Therefore, the statement: assert property ( , , ) will cause the checker to perform assertion checking.
Basically, the verification statement in SVA has three forms described as follows: (i) assert to specify the property as a checker to ensure that the property holds for the design; (ii) assume to specify the property as an assumption for the environment. Simulators check that the property holds, while formal tools use the information to generate input stimulus. The purpose of the assume statement is to allow properties to be considered as assumptions for formal analysis as well as for dynamic simulation tools; (iii) cover to monitor the property evaluation for coverage.
When a property is assumed, the tools constrain the environment so that the property holds. In simulation, asserted and assumed properties are continuously verified to ensure that the design or the testbench never violate them.
In some tools, the assumptions on the environment can be used as sequential constraints on the DUT (device under test) inputs in constrained-random simulation.
These proofs are usually subject to other properties that describe the assumed behavior of the environment using assume property statements.

Groebner Bases Preliminary.
Firstly, we will recall some of the key notions of Groebner bases theory and symbolic computation. More detailed and elementary introduction to this subject can be available in books, such as those by Little et al. [10] or those by Becker and Weispfenning [11].
We begin by listing some general facts and establishing notations.
Let be an algebraically closed field, and let [ 1 , . . . , ] be the polynomial ring in variables 1 , 2 , . . . , with coefficient in , under addition and multiplication of polynomial. The basic structure of polynomial rings is given in terms of subsets called ideals which is closed under addition and closed under multiplication by any element of the ring.
Any set of points in can be regarded as the variety of some ideal. Note that there will be more than one ideal defining a given variety. For example, the ideals ⟨ 0 ⟩ and ⟨ 0 , 1 0 − 1⟩ both define the variety ( 0 ).
In order to perform verification, we need to be able to determine when two ideals represent the same set of points. That is to say, we need a canonical representation for any ideal. Groebner bases can be used for this purpose.
An essential ingredient for defining Groebner bases is a monomial ordering on a polynomial ring [ 1 , . . . , ], which allows us to pick out a leading term for any polynomial.
Examples of monomial ordering include lexicographic order, graded lexicographic order, and graded reverse lexicographic order.
Equivalently, but more informally, a set { 1 , . . . , } ⊂ is a Groebner basis of if and only if the leading term of any element of is divisible by one of the ( ).
In [12], Buchberger provided an algorithm for constructing a Groebner basis for a given ideal. This algorithm can also be used to determine whether a polynomial belongs to a given ideal.
A reduced Groebner basis is a Groebner basis where the leading coefficients of polynomials in are all 1 and no monomial of an element of lies in the ideal generated by the leading terms of other elements of : ∀ ∈ and no monomial of is in ⟨ ( − { })⟩.
The important result is that, for a fixed monomial ordering, any nonzero ideal has a unique reduced Groebner basis. The algorithm for finding a Groebner basis can easily be extended to output its reduced Groebner basis. Thus we will have a canonical symbolic representation for any ideal.
is a Groebner basis of the th elimination ideal .

Theorem 6. Let be a Groebner basis for an ideal
Then ∈ if and only if the remainder on division of by is zero, denoted by ( , ) = 0.
The property given in Theorem 6 can also be taken as the definition of a Groebner basis. Then we will get an efficient algorithm for solving the ideal membership problem. Assuming that we know a Groebner basis for the ideal in question, we only need to compute the remainder with respect to to determine whether ∈ .
In this paper, we will then use the ideal or any basis for the ideal as an efficient way of algebraization of system to be verified.

Circuit Representation Model.
In this section, we will sketch the underlying digital system model for simulation used in our work.
Most modern circuit design is carried out within the synchronous model, which simplifies reasoning about behavior at the cost of strict requirements on clocking.
As shown in Figure 1, a classical synchronous design is comprised of combinatorial logic and blocks of registers with a global clock. In a synchronous digital system, the clock signal is often regarded as simple control signal and used to define a time reference for the movement of data within that system. Combinational logic performs all the logical functions in the circuit and it typically consists of logic gates. Registers usually synchronize the circuit's operation to the edges of the clock signal, and are the only elements which have memory properties.
The basic circuit model we used can be abstracted as the following model. In the following, we will discuss polynomial representation of a given circuit model. Firstly, let us retrospect the classical circuit representation model.
Traditionally, Binary decision diagrams (BDD) [13], the first generation decision diagrams technique, designed by Akers in 1978, acts as an efficient digital circuit representation (or Boolean functions). Recently, the next generation of decision diagrams, that is, word-level decision diagrams (WLDD) [14], has considerably widened its expressiveness for datapath operations due to processing of data in wordlevel format.
Generally, ROBDD or WLDD is mapped into hardware description languages according to the following scheme: Though the dimension of a decision diagram is exponentially bounded by the number of variables, decision diagrams based canonical data structure is very useful in many wellknown verification methods.
From the viewpoint of abstract symbolic computation, these decision diagrams based on representation for circuit systems are not suitable any more. Thus, we will adopt an alternative representation form based on polynomial sets instead of decision diagrams according to the following scheme: As is well known, given a monomial order, there is precisely one polynomial representation of a function.
For convenience, we introduce the following symbols for algebraic representations.
(2) If a running cycle is given, its algebraic representation form can be denoted by ⟦ ⟧ [ ] .
(3) Furthermore, if a time range [ ⋅ ⋅ ⋅ ] is specified, its algebraic representation form can then be denoted by Here, denotes the current time and = ( − ) denotes time steps.
Journal of Applied Mathematics 5

Arithmetic operation
Polynomial representation

Arithmetic operation Polynomial representation
Cycle-based symbolic simulation will be performed on the system model for verification. Intuitively, cycle-based symbolic simulation is a hybrid approach in the sense that the values that are propagated through the network can be either symbolic expressions or constant values. It assumes that there exists one unified clock signal in the circuit and all inputs of the systems remain unchanged while evaluating their values in each simulation cycle. The results of simulation report only the final values of the output signals or states in the current simulation cycle.
The detailed simulation process can be described as follows. Firstly, cycle-based symbolic simulation is initialized by setting the state of the circuit to the initial vector. Each of the primary input signals will be assigned a distinct symbolic or a constant value. Then, at the end of a simulation step, the expressions representing the next-state functions generally undergo a parametric transformation based optimization. After transformation, the newly generated functions are used as present state for the next state of simulation.

Arithmetic and Logic Unit
Modeling. In this paper, we only focus on arithmetic unit for calculating fixed-point operations. For any arithmetic unit, integer arithmetic operations (addition, subtraction, multiplication, and division) can be constructed by the polynomials in Table 1.
The basic logic operations, like "AND", "OR", and "NOT" can be modeled by the following forms. Their corresponding polynomial representations [15] are specified as in Table 2.
Furthermore, we can extend the above rule to other common logic operators. For example, For all bit level variables (0 ≤ ≤ ), a limitation ⟨{ * − }⟩ should be added.

Sequential Unit
Modeling. Each flip-flop (FF) in the circuit can be modeled as a multiplexer. We have the following proposition to state this model.

Proposition 8. For a flip-flop ( is the next state), with an enable signal , its equivalent combinational formal is
, whose polynomial algebraic model can be described as Proof. Let be the current state and let denote the next state of the flip-flop. When the signal value is 0, has the same value as so that the FF maintains its present state; when the signal value is 1, takes a new value from the input (where, denotes the new value next state of the FF). Therefore, we have the 2-value multiway branch model and its polynomial set representation for FF.

Proposition 9.
Let be an FF model, ( is the next state), without enable signal, then its equivalent combinational formal polynomial algebraic model can be described as: ( − ).

Proof. Straightforward.
3.5. Sequential Unrolling. Generally, for a sequential circuit C, one time frame of a sequential circuit is viewed as a combinational circuit in which each flip-flop will be converted into two corresponding signals: a pseudo primary input (PPI) and a pseudo primary output (PPO).
Symbolical simulation of a sequential circuit for cycles can be regarded as unrolling the circuit times. The unrolled circuit is still a pure combinational circuit, and the th copy of the circuit represents the circuit at cycle . Thus, the unrolled circuit contains all the symbolic results from the cycles.

Indexed Polynomial Set Representation.
To illustrate the sequential modeling for a given cycle number clearly, we define an indexed polynomial set representation for the th cycle.
Let [ ] (0 ≤ ≤ ) denote the input signals for the th clock, [ ] (0 ≤ ≤ ) the intermediate signals, and [ ] (0 ≤ ≤ ) the output signals. We then have the following time frame expansion model for the sequential circuit:

Sequence Depth Calculation
In this subsection, we will discuss the important feature of SVA, time range, and its signal constraint unrolled model.
In SVA, for each sequence the earliest time step for the evaluation and the latest time step should be determined firstly. The sequence is then unrolled based on above information. Finally, the unrolled sequence will be performed using algebraization process.
In [3], a time range calculating algorithm is provided. Here, we will introduce some related definition and special handling for our purpose.
The following is the syntax definition for time range.

Time Range
Definition 10 (time range syntax). The syntax of "time range" can be described as follows.
Note that is computed at compile time and must result in an integer value and can only be 0 or greater.
In this paper, we only focus on constant time range case. Thus, its form can be simplified as: (1) ##[ : ] ( , ∈ N and ≥ ≥ 0) Their corresponding algebraic forms are Then we have the equivalent form of above representation set as Furthermore, the maximum of two intervals 1 and 2 is defined by max( 1 , 2 ) = [max( 1 , 2 ) ⋅ ⋅ ⋅ max(ℎ 1 , ℎ 2 )].

Sequential Depth
In the same manner, the sum of two time ranges of 1 and 2 is defined as  For example, the following sequence is used to illustrate how to calculate the sequence depth.  Similarly, we can have the sequence depth of the whole sequence and all its subsequences as denoted in the figure.

SVA to Polynomial Set Translation
As mentioned previously, SystemVerilog assertions are an integral component of SystemVerilog and provide two kinds of assertions: immediate assertions and concurrent assertions.
In this section, we only discuss concurrent assertions and their temporal layer representation model.
Concurrent assertions express functional design intent and can be used to express assumed input behavior, expected output behavior, and forbidden behavior. That is, assertions define properties that the design must meet. Many properties can be expressed strictly from variables available in the design, while properties are often constructed out of sequential behaviors.
Thus, we will firstly discuss the basic algebraization process for the sequential behavior model.

Algebraization Process.
The properties written in SVA will be unrolled and checked against the design for bounded time steps in our method. Note that only a constrained subset of SVA can be supported by our method (unspecified upper bound time range and first-match operator are excluded).
Firstly, we translate the properties described by the constrained subset of SVA into flat sequences according to the semantics of each supported operator.
As mentioned in [16], the total set of SVA is divided into 4 subgroups, namely, simple sequence expression (SSE), interval sequence expression (ISE), complex sequence expression (CSE), and unbounded sequence expression (USE). Here, in our method, these groups can only be partly supported.
Therefore, we define the following sequence expressions by adding further conditions. (iii) Constrained complex sequence expression is a super set of CSSE and CISE containing operators or and intersection.
Secondly, the unrolled flat sequences will be added to temporal constraints to form proportional formulas with logical connectives (∨, ∧, and ¬).
Finally, the resulted proportional formulas will be translated into equivalent polynomial set.
Then, the verification problem is reduced to proving zero set inclusion relationship which can be resolved by Groebner bases approaches.

Boolean Layer
Modeling. The Boolean layer of SVA forms an underlying basis for the whole assertion architecture which consists of Boolean expressions that hold or do not hold at a given cycle.
In this paper, we distinguish between signal logic values and truth logic values. That is, for a truth logic statement about a given property, its truth can be evaluated to or . But for a signal, when primary inputs are symbolic values, its signal logic value may not be evaluated as ℎ ℎ or . Therefore, we have the following definition for signal logic.
Definition 12 (signal logic). In digital circuit systems, signal logic (SL, for short) is defined as: (i) if a signal is active-high ( , for short), then its signal value is defined as 1; (ii) if a signal is active-low ( , for short), then its signal value is defined as 0. (1) to encode an arbitrary Boolean constraints among a set of circuit nodes in a parametric form; (2) to encode all possible scalar values for a set of nodes.
Assume denotes a symbolic constant for signal logic and denotes its negative form, if denotes ℎ ℎ then will be . Consider In SVA, the following are valid Boolean expressions: Since the state of a signal variable can be viewed as a zero of a set of polynomials. We have the following.
(1) For any signal holds at a given time step , thus, the state of == 1 ( is active-high at cycle ) can be represented by polynomial { [ ] − 1}.

Sequence Operator Modeling.
Temporal assertions define not only the values of signals, but also the relationship between signals over time. The sequences are the building blocks of temporal assertions and can express a set of linear behavior lasting for one or more cycles. These sequences are usually used to specify and verify interface and bus protocols. A sequence is a regular expression over the Boolean expressions that concisely specifies a set of linear sequences. The Boolean expressions must be true at those specific clock ticks for the sequence to be true over time.
SystemVerilog provides several sequence composition operators to combine individual sequences in a variety of ways that enhance code writing and readability which can construct sequence expressions from Boolean expressions.
In this paper, throughout operator, [1 : $] operator, and the first match operator are not supported by our method.
SystemVerilog defines a number of operations that can be performed on sequences. The sequence composition operators in SVA are listed as follows. The resulted sequences constructed by operators are then used in properties for use in assertions and covers.

Cycle Delay Operator.
In SystemVerilog, the ## construct is referred to as a cycle delay operator.
"##1" and "##0" are concatenation operators: the former is the classical regular expression concatenation; the latter is a variant with one-letter overlapping.
A ## followed by a number or range specifies the cycles delay from the current clock cycle to the beginning of the sequence that follows.

Intersect
Operator. The two operands of intersect operator are sequences. The requirements for match of the intersect operation are as follows.
(i) Both operands must match.
(ii) The lengths of the two matches of the operand sequences must be the same.
1 intersect 2 . 1 starts at the same time as 2 ; the intersection will match if 1 , starting at the same time as 2 , matches at the same time as 2 matches. Therefore, we have The sequence length matching intersect operator constructs a sequence like the and nonlength matching operator, except that both sequences must be completed in same cycle. Operator. 1 and 2 .

and
This operator states that 1 starts at the same time as 2 and the sequence expression matches with the later of 1 and 2 matching. This binary operator and is used when both operands are expected to match, but the end times of the operand sequences can be different.
That is, 1 and 2 denotes both 1 and 2 holds for the same number cycles. Then, the matches of 1 and 2 must satisfy the following: (i) The start point of the match of 1 must be no earlier than the start point of the match of 2 .
(ii) The end point of the match of 1 must be no later than the end point of the match of 2 .
The sequence nonlength matching and operator constructs a sequence in which two sequences both hold at the current cycle regardless of whether they are completed in the same cycle or in different cycles Here, = ( ) ⋅ , ℎ = ( ) ⋅ ℎ, and 0 < ≤ 2.

or
Operator. 1 or 2 . The sequence or operator constructs a sequence in which one of two alternative sequences hold at the current cycle. Thus, the sequence ( ##1 ) or ( ##1 ) states that either sequence , or sequence , would satisfy the assertion Here, = ( ) ⋅ , ℎ = ( ) ⋅ ℎ, and 0 < ≤ 2.

Local
Variables. SystemVerilog provides a feature by which variables can be used in assertions. The user can declare variables local to a property. This feature is highly useful in pipelined designs where the consequent occurrence might be many cycles later than their corresponding antecedents. Local variables are optional and local to properties. They can be initialized, assigned (and reassigned) a value, operated on, and compared to other expressions.
The syntax of a sequence declaration with a local variable is shown below.
The property declaration syntax with a local variable can be illustrated as follows: The variable identifier declaration syntax of a local variable can be illustrated as follows: The dynamic creation of a variable and its assignment is achieved by using the local variable declaration in a sequence or property declaration and making an assignment in the sequence.
Thus, local variables of a sequence (or property) may be set to a value, which can be computed from a parameter or other objects (e.g., arguments, constants, and objects visible by the sequence (or property)).
For example, a property of a pipeline with a fixed latency can be specified below.

endproperty.
This property e is evaluated as follows: When V is true, is assigned the value of . If 3 cycles later, is equal to + 1, then property is true. Otherwise, the property is false. When V is false, property is evaluated as true. For the algebraization of SVA properties with local variables, in our method these local variables will be taken as common signal variables (symbolic constant) without any sequential information.

Repetition Operators.
SystemVerilog allows the user to specify repetitions when defining sequences of Boolean expressions. The repetition counts can be specified as either a range of constants or a single constant expression. Nonconsecutive repetition specifies finitely many iterative matches of the operand Boolean expression, with a delay of one or more clock ticks from one match of the operand to the next successive match and no match of the operand strictly in between. The overall repetition sequence matches at or after the last iterative match of the operand, but before any later match of the operand.
The syntax of repetition operator can be illustrated as follows: The number of iterations of a repetition can be specified by exact count.
For example, a sequence with repetition can be defined as The sequence expects that 2 clock cycles after the valid start, signal " " will be repeated three times. We

Property Operator Modeling.
In general, property expressions in SVA are built using sequences, other sublevel properties, and simple Boolean expressions via property operators.
In SVA, a property that is a sequence is evaluated as true if, and only if, there is a nonempty match of the sequence. A sequence that admits an empty match is not allowed as a property.
The success of assertion-based verification methodology relies heavily on the quality of properties describing the intended behavior of the design. Since it is a fairly new methodology, verification and design engineers are often faced with a question of "how to identify good properties" for a design. It may be tempting to write properties that closely resemble the implementation.
Properties we discussed in this paper can be classified as.
(1) Design Centric. Design centric properties represent assertions added by the RTL designers to characterize white box design attributes. These properties are typically towards FSMs, local memories, clock synchronization logic, and other hardware-related designs. The design should conform to the expectations of these properties.
(2) Assumption Centric. Assumption centric properties represent assumptions about the design environment. They are used in informal verification to specify assumptions about the inputs. The assume directive can inform a verification tool to assume such a condition during the analysis.
(3) Requirement/Verification Centric. Many requirement properties are best described using a "cause-to-effect" style that specifies what should happen under a given condition. This type of properties can be specified by implication operator. For example, a handshake can be described as "if request is asserted, then acknowledge should be asserted within 5 cycles". In general, property expressions are built using sequences, other sublevel properties, and simple Boolean expressions.
These individual elements are combined using property operators: implication, NOT, AND, OR, and so forth.
The property composition operators are listed as follows.
Note that disable if and only if will not be supported in this paper. Property operators construct properties out of sequence expressions.

Implication
Operators. The SystemVerilog implication operator supports sequence implication and provides two forms of implication: overlapped using operator |− >, and nonoverlapped using operator | =>, respectively.
The syntax of implication is described as follows: The implication operator takes a sequence as its antecedent and a property as its consequent. Every time the sequence matches the property must hold. Note that both the running of the sequence and the property may span multiple clock cycles and that the sequence may match multiple times.
For each successful match of the antecedent sequence, the consequence sequence (right-hand operand) is separately evaluated, beginning at the end point of the matched antecedent sequence. All matches of antecedent sequence require a match of the consequence sequence.
Moreover, if the antecedent sequence (left hand operand) does not succeed, implication succeeds vacuously by returning true. For many protocol related assertions, it is important to specify the sequence of events (the antecedent or cause) that must occur before checking for another sequence (the consequent or effect). This is because if the antecedent does not occur, then there is no need to perform any further verification. In hardware, this occurs because the antecedent reflects an expression that, when active, triggers something to happen.

11
A property with a consequent sequence behaves as if the consequent has an implication first-match applied to it.

NOT
Operator. The operator NOT states that the evaluation of the property returns the opposite of the evaluation of the underlying .

AND
Operator. The formula " 1 AND 2 " states that the property is evaluated as true if, and only if, both 1 and 2 are evaluatd as true.

OR
Operator. The operator " 1 OR 2 " states that the property is evaluated as true if and only if, at least one of 1 and 2 is evaluated as true.

IF-ELSE
Operator. This operator has two valid forms which are listed as follows.
A property of this form is evaluated as true if, and only if, either is evaluated as false or 1 is evaluated as true.
A property of this form is evaluated as true if, and only if, either is evaluated as true and 1 is evaluated as true or is evaluated as false and 2 is evaluated as true. From previous discussion, we have the following proposition for property reasoning.
Proposition 16. Assume that , 1 , and 2 are valid properties in SVA, the following rules are used to construct the corresponding verification process. Here, ℎ ( , ) : {ture, false} is a self-defined checking function that can determine whether a given " " holds or not with respect to a circuit model " ". ).

Verification Algorithm
In this section, we will describe how an assertion is checked using Groebner bases approach. Firstly, we will discuss a practical algorithm using Groebner bases for assertion checking.
6.1. Basic Principle. As just mentioned, our checking method is based on algebraic geometry which is the study of the geometric objects arising as the common zeros of collections of polynomials. Our aim is to find polynomials whose zeros correspond to pairs of states in which the appropriate assignments are made. We can regard any set of points in as the variety of some ideal. We can then use the ideal or any basis for the ideal as a way of encoding the set of points.
From Groebner Bases theory [10,12]  Firstly, the original system model is transformed into a normal polynomial representation and the assertion as well. Then, calculate the hypothesis set and its Groebner basis using the Buchberger algorithm [18] and their elimination ideals. Finally, examine the inclusion relationship between elimination ideals to determine whether the assertion to be checked holds or not.
From above discussion, we have the following process steps and detailed algorithm description. Algorithm 1.
For convenience, we can derive another version checking procedure named " ℎ (⟦ ⟧, ⟦ ⟧)" which can accept polynomial representations as inputs without explicit polynomial construction process.
Further, by applying Theorem 18 and the checking algorithm " ℎ (⟦ ⟧, ⟦ ⟧)", we can easily verify all supported properties written in SVA.

An Example
In this section, we will study a classical circuit to show how SVA properties are verified by polynomial representation and algebra computation method.
Consider the Johnson counter circuit in Figure 3. Johnson counters can provide individual digit outputs rather than a binary or BCD output, as shown in Table 3. Notice that each legal count may be defined by the location of the last flip-flop to change states and which way it changed state.

Algebraization of Circuit and Assertion.
Johnson counter provides individual digit outputs, as shown in Table 3. The polynomial set for Johnson counter circuit in Figure 3 can be constructed as follows: where 1 denotes the next state of 1. For the th cycle, we use 1 [ ] to denote variable name in current cycle.
Similarly, another Johnson counter circuit with an error is shown in Figure 4, the corresponding polynomial set can be described by  To illustrate the problem clearly, we define polynomial set representation [ ] for th cycle as follows: Support that the circuit will run 6 cycles for verification, therefore, we have [ ]}. For any Boolean variable , we will add an extra constraint: * − . Thus, we define the corresponding constraints set as follows: In the same manner, we have [ ]}. The sequential property for this counter circuit can be specified by the following SystemVerilog assertions.  We will afterwards demonstrate the verification process step by step.
The circuit model to be verified is as shown below: The property of this counter can be specified as the following SVA assertion: assert property ( 1) assert property ( 2).  As shown in maple outputs, the given circuit has been modeled as polynomial set (its Groebner bases is denoted by ) and assertion expected result as { 3 [1] − 1}. From the running result, we have 1 ∉ and return value of is 0 which means is divided with no remainder by { 3 [1] − 1}.
Thus, from the previously mentioned verification principles, it is easy to conclude that the assertion 1 holds under this circuit model after 3 cycles.
More detailed experiment results for verification of circuit shown in Figure 3 are listed in Table 5.
Conversely, we check these assertions against the circuit shown in Figure 4 in a similar way. More detailed experiment results are demonstrated in Table 6.
From above table, when checking assertion, the result := ( 3 [3] , , ) ̸ = 0 so that we can conclude the assertion does not hold. Therefore, there must exist unexpected errors in the original circuit.
This case is a fairly complete illustration of how the checking algorithm works.

Conclusion
In this paper, we presented a new method for SVA properties checking by using Groebner bases based symbolic algebraic approaches. To guarantee the feasibility we defined a constrained subset of SVAs, which is powerful enough for practical purposes.
We first introduce a notion of symbolic constant without any sequential information for handling local variables in SVAs inspired from STE. We then proposed a practical algebraization method for each sequence operator. For sequential circuits verification, we introduce a parameterized polynomial set modeling method based on time frame expansion.
Our approach is based on polynomial models construction for both circuit models and SVA assertions. This method is to eventually translate a simulation based verification problem into a pure algebraic zero set determination problem by a series of proposed steps, which can be performed on any general symbolic algebraic tool.
This method allows users to deal with more than one state and many input combinations every cycle. This advantage comes directly from the fact that many vectors are simulated at once using symbolic value.
In summary, in this research, by suitable restrictions of SVA assertions, we can guarantee the availability of polynomial set representation. Based on this polynomial set model, symbolic simulation can be performed to produce symbolic traces and temporal relationship constraints of signal variables as well. We then apply symbolic algebra approach to check the zeros set relation between their polynomial sets and determine whether the temporal assertion holds or not under current running cycle.