0% found this document useful (0 votes)

152 views366 pages

Introduction to Formal Methods in VHDL

Uploaded by

AKSHAY SOM

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

152 views366 pages

Introduction to Formal Methods in VHDL

Uploaded by

AKSHAY SOM

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

An Introduction to

Formal Methods

Gisselquist Daniel E. Gisselquist, Ph.D.

Technology, LLC
Lessons
Ź Welcome Day one
Motivation
1. Motivation
Basics
2. Basic Operators
Clocked and $past

k Induction
3. Clocked Operators
Bus Properties
4. Induction
Free Variables 5. Bus Properties
Abstraction
Day two
Invariants

Multiple-Clocks 6. Free Variables

Cover 7. Abstraction
Sequences 8. Invariants
Parting Thoughts 9. Multiple-Clocks
10. Cover
11. Sequences
12. Final Thoughts

2 / 275
Course Structure
Ź Welcome ˝ VHDL logic examples
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

3 / 275
Course Structure
Ź Welcome ˝ VHDL logic examples
Motivation ˝ System Verilog assertion wrappers
Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

3 / 275
Course Structure
Ź Welcome ˝ VHDL logic examples
Motivation ˝ System Verilog assertion wrappers
Basics ˝ Each lesson will be followed by an exercise
Clocked and $past There are 12 exercises
k Induction
˝ My goal is to have 50% lecture, 50% exercises
Bus Properties
˝ Leading up to building a bus arbiter
Free Variables
and testing an synchronous FIFO
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

3 / 275
Welcome

Ź Motivation
Intro

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables Motivation

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

4 / 275
Lesson Overview
Welcome 1. Why are you here?
Motivation 2. What can I provide?
Ź Intro
3. What have I learned from formal methods?
Basics

Clocked and $past Our Objectives

k Induction

Bus Properties
˝ Get to know a little bit about each other
Free Variables ˝ Motivate further discussion
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

5 / 275
Your expectations
Welcome What do you want to learn and get out of this course?
Motivation
Ź Intro

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

6 / 275
From an ARM dev.
Welcome ˝ “I think the main difference between FPGA and ASIC
Motivation development is the level of verification you have to go
Ź Intro
through. Shipping a CPU or GPU to Samsung or whoever,
Basics
and then telling them once they’ve taped out that you have a
Clocked and $past

k Induction
Cat1 bug that requires a respin is going to set them back
Bus Properties
$1M per mask.
Free Variables ˝ “. . . But our main verification is still done with constrained
Abstraction random test benches written in SV.
Invariants ˝ “Overall, you are looking at 50 man years per project
Multiple-Clocks minimum for an average project size.”
Cover

Sequences

Parting Thoughts

7 / 275
Would not exist
Welcome “If we would not do formal verification, we would
Motivation no longer exist.”
Ź Intro

Basics
– Shahar Ariel, Head of VLSI design at Mellanox
Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

8 / 275
Pentium FDIV
Welcome One little mistake . . .
Motivation
Ź Intro

Basics

Clocked and $past . . . $475M later.

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

9 / 275
Personal Experience
Welcome I have proven such things as,
Motivation
Ź Intro
˝ Formal bus properties (Wishbone, Avalon, AXI, etc.)
Basics ˝ Bus bridges (WB-AXI, Avalon-WB, WB-WB)
Clocked and $past ˝ Prefetches, cache controllers, memory controllers, MMU
k Induction ˝ SPI based A/D controllers
Bus Properties ˝ SDRAM
Free Variables
˝ UART, both TX and RX
Abstraction
˝ FIFO’s, signal processing flows, DSP delay
Invariants
˝ Display (VGA) Controller
Multiple-Clocks
˝ LFSR’s
Cover

Sequences
˝ Flash controllers
Parting Thoughts ˝ Formal proof of the ZipCPU

10 / 275
Some Examples
Welcome I’ve found bugs in things I thought were working.
Motivation
Ź Intro
1. FIFO
Basics 2. Pre-fetch and Instruction cache
Clocked and $past 3. SDRAM
k Induction 4. A peripheral timer
Bus Properties Just how hard can a timer be to get right? It’s just a
Free Variables
counter!
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

11 / 275
Ex: FIFO
Welcome ˝ It worked in my test bench
Motivation ˝ Failed when reading and writing on the same clock while
Ź Intro
empty
Basics

Clocked and $past – Write first then read worked

k Induction
– R+W on full FIFO is okay
Bus Properties
– R+W on an empty FIFO
Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

12 / 275
Ex: FIFO
Welcome ˝ It worked in my test bench
Motivation ˝ Failed when reading and writing on the same clock while
Ź Intro
empty
Basics

Clocked and $past – Write first then read worked

k Induction
– R+W on full FIFO is okay
Bus Properties
– R+W on an empty FIFO . . . not so much
Free Variables

Abstraction ˝ My test bench didn’t check that, formal did

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

12 / 275
Ex: Prefetch
Welcome ˝ It worked in my test bench
Motivation ˝ Ugliest bug I ever came across was in the prefetch cache
Ź Intro
It passed test-bench muster, but failed in the hardware with a
Basics
strange set of symptoms
Clocked and $past
˝ When I learned formal, it was easy to prove that this would
k Induction

Bus Properties
never happen again.
Free Variables ˝ Low logic has always been one of my goals.
Abstraction Always asking, “will it work if I get rid of this condition?”
Invariants Formal helps to answer that question for me.
Multiple-Clocks

Cover

Sequences

Parting Thoughts

13 / 275
Ex: SDRAM
Welcome ˝ It worked in my test bench
Motivation ˝ It passed my hardware testing
Ź Intro

Basics – Test S/W: Week+, no bugs

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

14 / 275
Ex: SDRAM
Welcome ˝ It worked in my test bench
Motivation ˝ It passed my hardware testing
Ź Intro

Basics – Test S/W: Week+, no bugs

Clocked and $past – Formal methods found the bug
k Induction – Full proof took less than ă 30 min
Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

14 / 275
Ex: SDRAM
Welcome ˝ It worked in my test bench
Motivation ˝ It passed my hardware testing
Ź Intro
˝ Background
Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

15 / 275
Ex: SDRAM
Welcome ˝ It worked in my test bench
Motivation ˝ It passed my hardware testing
Ź Intro
˝ Background
Basics

Clocked and $past – SDRAM’s are organized into separate banks, each having
k Induction rows and columns
Bus Properties – A row must be “activated” before it can be used.
Free Variables
– The controller must keep track of which row is activated.
Abstraction
– If a request comes in for a row that isn’t activated, the
Invariants
active row must be deactivated, and the proper row must
Multiple-Clocks
be activated.
Cover

Sequences ˝ A subtle bug in my SDRAM controller compared the active

Parting Thoughts row address against the immediately previous (1-clock ago)
required row address, not the currently requested address.
This bug had lived in my code for years. Formal methods
caught it.

15 / 275
Problem with Test Benches
Welcome

Motivation
Ź Intro

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
˝ Only examines a known good branch
Parting Thoughts
˝ Cannot check for every out of bounds conditions

16 / 275
Problem with Test Benches
Welcome ˝ Demonstrate code works
Motivation ˝ Through a normal working path
Ź Intro

Basics – or a limited number of extraneous paths

Clocked and $past
˝ Never rigorous enough to check everything
k Induction
˝ Not uniform in rigour
Bus Properties

Free Variables For the FIFO,

Abstraction

Invariants
˝ I only read when I knew it wasn’t empty
Multiple-Clocks For the Prefetch,
Cover

Sequences
˝ I never tested jumping to the last location in a cache line
Parting Thoughts For the SDRAM,
˝ The error was so obscure, it would be hard to trigger

17 / 275
Before Formal
Welcome This was my method before starting to work with formal.
Motivation
Ź Intro
˝ After . . .
Basics
– Proving my code with test
Clocked and $past
benches
k Induction
– Directed simulation
Bus Properties

Free Variables ˝ I was still chasing bugs in hard-

Abstraction ware
Invariants

Multiple-Clocks I still use this approach for DSP al-

Cover gorithms.
Sequences

Parting Thoughts

18 / 275
Design Approach
Welcome

Motivation
Ź Intro

Basics

Clocked and $past ˝ After finding the bug in my

k Induction FIFO . . . I was hooked.
Bus Properties
˝ Rebuilding everything
Free Variables
. . . now using formal
Abstraction
˝ Formal found more bugs
Invariants

Multiple-Clocks
. . . in example after example
Cover
˝ I’m hooked!
Sequences

Parting Thoughts

19 / 275
When to use it?
Welcome

Motivation
Ź Intro

Basics

Clocked and $past

k Induction
˝ Bus component
Bus Properties
I would not build a bus compo-
Free Variables nent without formal any more
Abstraction ˝ Multiplies
Invariants Formal struggles with multipli-
Multiple-Clocks cation
Cover

Sequences

Parting Thoughts

20 / 275
Welcome

Motivation

Ź Basics
Basics
General Rule
Assert
Assume
BMC
Ex: Counter
Formal Verification
Sol’n

Clocked and $past

k Induction
Basics: assert and assume
Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

21 / 275
Lesson Overview
Welcome Let’s start at the beginning, and look at the very basics of formal
Motivation verification.
Basics Our Objective:
Ź Basics
General Rule ˝ To learn the basic two operators used in formal verification,
Assert
Assume
BMC
– assert()
Ex: Counter – assume()
Sol’n

Clocked and $past ˝ To understand how these affect a design from a state space
k Induction perspective
Bus Properties ˝ We’ll also look at several examples
Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

22 / 275
Basic Premise
Welcome Formal methods are built around looking for redundancies.
Motivation
˝ Basic difference between mediocre and excellent:
Basics
Ź Basics Double checking your work
General Rule ˝ Two separate and distinct fashions
Assert
Assume
BMC
– First method calculates the answer
Ex: Counter – Second method proved it was right
Sol’n

Clocked and $past ˝ Example: Division

k Induction
– 89, 321{499 “ 179
Bus Properties
– Does it? Let’s check: 179 ˚ 499 “ 89, 321 — Yes
Free Variables

Abstraction ˝ Formal methods are similar

Invariants
– Your code is the first method
Multiple-Clocks

Cover
– Formal properties describe the second
Sequences

Parting Thoughts

23 / 275
Basic Operators
Welcome There are really only two basic operators
Motivation
1. assume()
Basics
Ź Basics An assume(X) statement will limit the state space that the
General Rule formal verification engine examines.
Assert
Assume 2. assert()
BMC
Ex: Counter
An assert(X) statement indicates that X must be true, or the
Sol’n design will fail to prove.
Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

24 / 275
VHDL
Welcome

Motivation

Basics
Ź Basics
General Rule
Assert
Assume
BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables We’ll be using VHDL logic, System Verilog Assertions

Abstraction
˝ Proprietary Verific library gives Yosys access to VHDL
Invariants
˝ Formal properties will be written in System Verilog
Multiple-Clocks
˝ System Verilog bind operator will connect the two
Cover

Sequences

Parting Thoughts

25 / 275
Two basic forms
Welcome always @ ( ∗ )
Motivation assert (X ) ;
Basics
Ź Basics
// Use when y o u r p r o p e r t y h a s c l o c k d e p e n d e n c i e s ,
General Rule
Assert // s u c h a s r e f e r e n c i n g an i t e m s v a l u e i n t h e p a s t
Assume always @ ( posedge clk )
BMC
Ex: Counter assert (X ) ;
Sol’n

Clocked and $past As an example,

k Induction
always @ ( ∗ )
Bus Properties
a s s e r t ( counter < 2 0 ) ;
Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

26 / 275
General Rule
Welcome

Motivation

Basics
Basics
Ź General Rule
Assert
Assume
BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

27 / 275
Assert
Welcome

Motivation

Basics
Basics
General Rule
Ź Assert
Assume
BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction ˝ Assertions define the illegal state space.

Invariants
˝ Additional assertions will increase the size of the illegal state
Multiple-Clocks
space.
Cover

Sequences

Parting Thoughts

28 / 275
Assume
Welcome

Motivation

Basics
Basics
General Rule
Assert
Ź Assume
BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction ˝ Assumptions limit the universe of all possibilities

Invariants
˝ Additional assumptions will decrease the size of the total
Multiple-Clocks
state space
Cover
˝ Caution: One careless assumption can void the proof
Sequences

Parting Thoughts

29 / 275
The Careless Assumption
Welcome s i g n a l : unsigned ( 1 5 downto 0 ) := 0 ;
Motivation ´´´
Basics p r o c e s s ( clk )
Basics
General Rule
begin
Assert i f ( rising_edge ( clk ) ) then
Ź Assume counter <= counter + 1 ;
BMC
Ex: Counter end i f ;
Sol’n end p r o c e s s ;
Clocked and $past

k Induction
always @ ( ∗ )
Bus Properties
begin
Free Variables
a s s e r t ( counter <= 1 0 0 ) ;
Abstraction
assume ( counter <= 9 0 ) ;
Invariants
end
Multiple-Clocks

Cover Question: Will counter ever reach 120?

Sequences

Parting Thoughts

30 / 275
restrict vs assume
Welcome restrict () is very similar to assume()
Motivation

Basics
Basics
Operator Formal Verification Traditional Simulation
General Rule
Assert
restrict () Restricts search Ignored
Ź Assume assume() space Halts simulation
BMC
Ex: Counter assert() Illegal state with an error
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

31 / 275
restrict vs assume
Welcome restrict () is very similar to assume()
Motivation

Clocked and $past

k Induction ˝ restrict () : Like assume(X), it also limits the state space

Bus Properties ˝ But in a traditional simulation . . .
Free Variables

Abstraction
– restrict () is ignored
Invariants
– assume() is turned into an assert()
Multiple-Clocks

Cover

Sequences

Parting Thoughts

31 / 275
Bounded Model Checking
Welcome

Motivation

Basics
Basics
General Rule
Assert
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables
For bounded model checking,
Abstraction

Invariants 1. Start at the initial state

Multiple-Clocks 2. Examine all possible states for N clocks
Cover
3. Try to find a way to make an assert (); fail
Sequences
4. If it’s not possible in N clocks, then pass
Parting Thoughts

32 / 275
No Solution
Welcome

Motivation

Basics
Basics
General Rule
Assert
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Problem: initial assume(!initial_state);
Invariants
Model fails, no line number given.
Multiple-Clocks

Cover

Sequences

Parting Thoughts

33 / 275
No Solution
Welcome

Motivation

Basics
Basics
General Rule
Assert
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Problem: assume(!reachable_state);
Invariants
Model fails, no line number given.
Multiple-Clocks

Cover

Sequences

Parting Thoughts

34 / 275
Further thoughts
Welcome Unlike the rest of your digital design, formal properties . . .
Motivation
˝ don’t need to meet timing
Basics
Basics ˝ don’t need to meet a minimum logic requirement
General Rule
Assert We’ll discuss this more as we go along.
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

35 / 275
Example Bus Slave
Welcome Here’s an example of a bus slave
Motivation

Basics
Basics
General Rule
Assert
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover
˝ Inputs are assumed
Sequences
˝ Outputs are asserted
Parting Thoughts

36 / 275
Example Bus Master
Welcome Question: How would a bus master be different?
Motivation

Basics
Basics
General Rule
Assert
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

37 / 275
Example Bus Master
Welcome Question: How would a bus master be different?
Motivation

Basics
Basics
General Rule
Assert
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks The slave’s outputs are the master’s inputs

Cover
˝ assume() the inputs from the slave
Sequences
˝ assert() the outputs from the master
Parting Thoughts

37 / 275
Internal Bus
Welcome Question: What if both slave and master signals were part of the
Motivation same design?
Basics
Basics
General Rule
Assert
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

38 / 275
Internal Bus
Welcome Question: What if both slave and master signals were part of the
Motivation same design?
Basics
Basics
General Rule
Assert
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks ˝ All of the wires are now internal

Cover ˝ They should therefore be assert() ed
Sequences

Parting Thoughts

38 / 275
Serial Port Transmitter
Welcome ˝ Whenever the serial port is idle, the output line should be
Motivation high
Basics
Basics i f ( state == IDLE )
General Rule a s s e r t ( o_uart_tx ) ;
Assert
Assume
Ź BMC ˝ Whenever the serial port is not idle, busy should be high
Ex: Counter
Sol’n i f ( state != IDLE )
Clocked and $past a s s e r t ( o_busy ) ;
k Induction else
Bus Properties a s s e r t ( ! o_busy ) ;
Free Variables

Abstraction ˝ The design can only ever be in a valid state

Invariants
a s s e r t ( ( state <= TXUL_STOP )
Multiple-Clocks
| | ( state == TXUL_IDLE ) ) ;
Cover

Sequences

Parting Thoughts

39 / 275
Bus Arbiter
Welcome ˝ Arbiter cannot grant both A and B access
Motivation
always @ ( ∗ )
Basics
Basics
a s s e r t ( ( ! grant_A ) | | ( ! grant_B ) ) ;
General Rule
Assert ˝ While one has access, the other must be stalled
Assume
Ź BMC
always @ ( ∗ )
Ex: Counter
Sol’n i f ( grant_A )
Clocked and $past a s s e r t ( stall_B ) ;
k Induction always @ ( ∗ )
Bus Properties i f ( grant_B )
Free Variables a s s e r t ( stall_A ) ;
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

40 / 275
Bus Arbiter
Welcome ˝ While one is stalled, its outstanding requests must be zero
Motivation
always @ ( ∗ )
Basics
Basics
i f ( grant_A )
General Rule begin
Assert
a s s e r t ( f_nreqs_B == 0 ) ;
Assume
Ź BMC a s s e r t ( f_nacks_B == 0 ) ;
Ex: Counter a s s e r t ( f_outstanding_B == 0 ) ;
Sol’n
end
Clocked and $past

k Induction

Bus Properties I use the prefix f_ to indicate a variable that is

Free Variables
˝ Not part of the design
Abstraction
˝ But only used for Formal Verification
Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

41 / 275
Avalon bus
Welcome ˝ Avalon bus: will never issue a read and write request at the
Motivation same time
Basics
Basics always @ ( ∗ )
General Rule assume ( ( ! i_av_read ) | | ( ! i_av_write ) ) ;
Assert
Assume
Ź BMC ˝ The bus is initially idle
Ex: Counter
Sol’n initial assume ( ! i_av_read ) ;
Clocked and $past initial assume ( ! i_av_write ) ;
k Induction initial assume ( ! i_av_lock ) ;
Bus Properties initial a s s e r t ( ! o_av_readdatavalid ) ;
Free Variables initial a s s e r t ( ! o_av_writeresponsevalid ) ;
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

42 / 275
Avalon bus
Welcome ˝ Cannot respond to both read and write in the same clock
Motivation
always @ ( ∗ )
Basics
Basics
assume ( ( ! i_av_readdatavalid )
General Rule | | ( ! i_av_writeresponsevalid ) ) ;
Assert
Assume
Ź BMC Remember ! (A&&B) is equivalent to (!A )||(! B)
Ex: Counter ˝ Cannot respond if no request is outstanding
Sol’n

Clocked and $past always @ ( ∗ )

k Induction begin
Bus Properties i f ( f_wr_outstanding == 0 )
Free Variables a s s e r t ( ! o_av_writeresponsevalid ) ;
Abstraction i f ( f_rd_outstanding == 0 )
Invariants a s s e r t ( ! o_av_readdatavalid ) ;
Multiple-Clocks end
Cover

Sequences

Parting Thoughts

43 / 275
Wishbone
Welcome ˝ o_STB can only be high if o_CYC is also high
Motivation
always @ ( ∗ )
Basics
Basics
i f ( o_STB ) a s s e r t ( o_CYC ) ;
General Rule
Assert ˝ Count the number of outstanding requests:
Assume
Ź BMC
f_outstanding <= ” 0” when ( i_reset )
Ex: Counter
Sol’n e l s e f_nreqs ´ f_nacks ;
Clocked and $past

k Induction ˝ Acks can only respond to valid requests

Bus Properties
i f ( f_outstanding == 0 )
Free Variables
assume ( ! i_wb_ack ) ;
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

44 / 275
Wishbone
Welcome ˝ Well, what if a request is being made now?
Motivation
i f ( ( f_outstanding == 0 )
Basics
Basics
&&((! o_wb_stb ) | | ( i_wb_stall ) ) )
General Rule assume ( ! i_wb_ack ) ;
Assert
Assume
Ź BMC ˝ If not within a bus request, the ACK and ERR lines must be
Ex: Counter low
Sol’n

Clocked and $past i f ( ! o_CYC )

k Induction begin
Bus Properties assume ( ! i_ACK ) ;
Free Variables assume ( ! i_ERR ) ;
Abstraction end
Invariants

Multiple-Clocks ˝ Following any reset, the bus will be idle

Cover ˝ Requests remain unchanged until accepted
Sequences

Parting Thoughts

45 / 275
Cache
Welcome Want a guarantee that the cache response is consistent?
Motivation
˝ A valid cache entry must ...
Basics
Basics
always @ ( posedge i_clk )
General Rule
Assert i f ( o_valid )
Assume begin
Ź BMC
// Be marked v a l i d i n t h e c a c h e
Ex: Counter
Sol’n a s s e r t ( cache_valid [ f_addr [ CW ´1: LW ] ] ) ;
Clocked and $past // Have t h e same c a c h e t a g a s a d d r e s s
k Induction a s s e r t ( f_addr [ AW ´1: LW ] ==
Bus Properties cache_tag [ f_addr [ CW ´1: LW ] ] ) ;
Free Variables // Match t h e v a l u e i n t h e c a c h e
Abstraction a s s e r t ( o_data ==
Invariants cache_data [ f_addr [ CW ´ 1 : 0 ] ) ;
Multiple-Clocks // Must be i n r e s p o n s e t o a v a l i d
Cover
// r e q u e s t
Sequences
a s s e r t ( waiting_requests != 0 ) ;
Parting Thoughts
end

46 / 275
Multiply
Welcome Consider a multiply
Motivation
˝ Just because an algorithm doesn’t meet timing
Basics
Basics
General Rule
Assert
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

47 / 275
Multiply
Welcome Consider a multiply
Motivation
˝ Just because an algorithm doesn’t meet timing, or
Basics
Basics ˝ Just because it take up logic your FPGA doesn’t have
General Rule
Assert
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

47 / 275
Multiply
Welcome Consider a multiply
Motivation
˝ Just because an algorithm doesn’t meet timing, or
Basics
Basics ˝ Just because it take up logic your FPGA doesn’t have,
General Rule doesn’t mean you can’t use it now
Assert
Assume
Ź BMC
always @ ( posedge i_clk )
Ex: Counter begin
Sol’n f_answer = 0 ;
Clocked and $past f o r ( k=0; k<NA ; k=k+1)
k Induction begin
Bus Properties i f ( i_a [ k ] )
Free Variables f_answer = f_answer + ( i_b<<k ) ;
Abstraction end
Invariants

Multiple-Clocks a s s e r t ( o_result == f_answer ) ;

Cover end
Sequences

Parting Thoughts

47 / 275
Multiply
Welcome Let’s talk about that multiply some more . . .
Motivation
˝ The one thing formal solver’s don’t handle well is multiplies
Basics
Basics
General Rule
Assert
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

48 / 275
Multiply
Welcome Let’s talk about that multiply some more . . .
Motivation
˝ The one thing formal solver’s don’t handle well is multiplies
Basics
Basics Abstraction offers alternatives
General Rule
Assert
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

48 / 275
Memory Management Unit
Welcome ˝ For a page result to be valid, it must match the TLB
Motivation
always @ ( ∗ )
Basics
Basics
i f ( last_page_valid )
General Rule begin
Assert
a s s e r t ( tlb_valid [ f_last_page ] ) ;
Assume
Ź BMC a s s e r t ( last_ppage ==
Ex: Counter tlb_pdata [ f_last_page ] ) ;
Sol’n
a s s e r t ( last_vpage ==
Clocked and $past
tlb_vdata [ f_last_page ] ) ;
k Induction
a s s e r t ( last_ro ==
Bus Properties
tlb_flags [ f_last_page ] [ ROFLAG ] ) ;
Free Variables
a s s e r t ( last_exe ==
Abstraction
tlb_flags [ f_last_page ] [ EXEFLG ] ) ;
Invariants a s s e r t ( r_context_word [ LGCTXT ´ 1 : 1 ]
Multiple-Clocks == tlb_cdata [ f_last_page ] ) ;
Cover end
Sequences

Parting Thoughts

49 / 275
SDRAM
Welcome ˝ Writing requires the right row of the right bank to be
Motivation activated
Basics
Basics always @ ( posedge i_clk )
General Rule i f ( ( f_past_valid )&&(! maintenance_mode ) )
Assert
Assume
case ( f_cmd )
Ź BMC // . . .
Ex: Counter
F_WRITE : begin
Sol’n
// R e s p o n s e t o a w r i t e r e q u e s t
Clocked and $past
a s s e r t ( f_we ) ;
k Induction
// Bank i n q u e s t i o n must be a c t i v e
Bus Properties
a s s e r t ( bank_active [ o_ram_bs ] == 3 ’ b111 ) ;
Free Variables
// A c t i v e row must be f o r t h i s a d d r e s s
Abstraction
a s s e r t ( bank_row [ o_ram_bs ]
Invariants
== f_addr [ 2 2 : 1 0 ] ) ;
Multiple-Clocks
// Must be s e l e c t i n g t h e r i g h t bank
Cover
a s s e r t ( o_ram_bs == f_addr [ 9 : 8 ] ) ;
Sequences
end
Parting Thoughts
// . . .
50 / 275
Ex: Counter
Welcome Let’s work through a counter as an example.
Motivation
exercise-01/ Contains three files
Basics
Basics [Link] This will be the source code for
General Rule
our demo.
Assert
Assume counter [Link] This contains the formal prop-
BMC
Ź Ex: Counter
erties
Sol’n counter [Link] This is the SymbiYosys script
Clocked and $past for the demo
k Induction
Our Objectives:
Bus Properties

Free Variables ˝ Walk through the steps in the tool-flow

Abstraction ˝ Hands on experience with SymbiYosys
Invariants ˝ Ensure everyone has a working version of SymbiYosys
Multiple-Clocks
˝ Find and fix a design bug
Cover

Sequences

Parting Thoughts

51 / 275
Ex: Counter
Welcome e n t i t y counter i s
Motivation g e n e r i c ( MAX_AMOUNT : natural := 2 2 ) ;
Basics ´´´´ . . . .
Basics
General Rule
s i g n a l counts : unsigned ( 1 5 downto 0 ) ;
Assert ´´´´
Assume p r o c e s s ( i_clk )
BMC
Ź Ex: Counter begin
Sol’n i f ( rising_edge ( i_clk ) ) then
Clocked and $past i f ( ( i_start_signal = ’ 1 ’ )
k Induction and ( 0 = counts ) ) then
Bus Properties counts <= to_unsigned ( MAX_AMOUNT ´1, 1 6 ) ;
Free Variables else
Abstraction counts <= counts ´ 1 ;
Invariants end i f ;
Multiple-Clocks end i f ;
Cover end p r o c e s s ;
Sequences

Parting Thoughts o_busy <= ’ 1 ’ when ( 0 = counts ) e l s e ’0 ’;

52 / 275
Ex: Counter
Welcome

Motivation module counter_vhd ( i_clk , i_start_signal ,

Basics counts , o_busy ) ;
Basics
General Rule
Assert parameter [ 1 5 : 0 ] MAX_AMOUNT = 2 2 ;
Assume
BMC
Ź Ex: Counter input wire i_clk , i_start_signal ;
Sol’n input w i r e [ 1 5 : 0 ] counts ;
Clocked and $past input wire o_busy ;
k Induction

Bus Properties

Free Variables always @ ( ∗ )

Abstraction a s s e r t ( counts < MAX_AMOUNT ) ;
Invariants endmodule
Multiple-Clocks

Cover bind counter counter_vhd

Sequences #(. MAX_AMOUNT ( MAX_AMOUNT ) ) copy ( . ∗ ) ;
Parting Thoughts

53 / 275
Ex: Counter
Welcome // VHDL Ports and internal signals
Motivation module counter_vhd ( i_clk , i_start_signal ,
Basics counts , o_busy ) ;
Basics
General Rule
Assert parameter [ 1 5 : 0 ] MAX_AMOUNT = 2 2 ;
Assume
BMC
Ź Ex: Counter input wire i_clk , i_start_signal ;
Sol’n input w i r e [ 1 5 : 0 ] counts ;
Clocked and $past input wire o_busy ;
k Induction

Bus Properties

Free Variables always @ ( ∗ )

Abstraction a s s e r t ( counts < MAX_AMOUNT ) ;
Invariants endmodule
Multiple-Clocks

Cover bind counter counter_vhd

Sequences #(. MAX_AMOUNT ( MAX_AMOUNT ) ) copy ( . ∗ ) ;
Parting Thoughts

53 / 275
Ex: Counter
Welcome

Motivation module counter_vhd ( i_clk , i_start_signal ,

Basics counts , o_busy ) ;
Basics
General Rule
// Generic declaration
Assert parameter [ 1 5 : 0 ] MAX_AMOUNT = 2 2 ;
Assume
BMC
Ź Ex: Counter input wire i_clk , i_start_signal ;
Sol’n input w i r e [ 1 5 : 0 ] counts ;
Clocked and $past input wire o_busy ;
k Induction

Bus Properties

Free Variables always @ ( ∗ )

Abstraction a s s e r t ( counts < MAX_AMOUNT ) ;
Invariants endmodule
Multiple-Clocks

Cover bind counter counter_vhd

Sequences #(. MAX_AMOUNT ( MAX_AMOUNT ) ) copy ( . ∗ ) ;
Parting Thoughts

53 / 275
Ex: Counter
Welcome

Motivation module counter_vhd ( i_clk , i_start_signal ,

Basics counts , o_busy ) ;
Basics
General Rule
Assert parameter [ 1 5 : 0 ] MAX_AMOUNT = 2 2 ;
Assume // All wrapper ports are inputs
BMC
Ź Ex: Counter input wire i_clk , i_start_signal ;
Sol’n input w i r e [ 1 5 : 0 ] counts ;
Clocked and $past input wire o_busy ;
k Induction

Bus Properties

Free Variables always @ ( ∗ )

Abstraction a s s e r t ( counts < MAX_AMOUNT ) ;
Invariants endmodule
Multiple-Clocks

Cover bind counter counter_vhd

Sequences #(. MAX_AMOUNT ( MAX_AMOUNT ) ) copy ( . ∗ ) ;
Parting Thoughts

53 / 275
Ex: Counter
Welcome

Motivation module counter_vhd ( i_clk , i_start_signal ,

Bus Properties // Formal properties start here

Free Variables always @ ( ∗ )
Abstraction a s s e r t ( counts < MAX_AMOUNT ) ;
Invariants endmodule
Multiple-Clocks

Cover bind counter counter_vhd

Sequences #(. MAX_AMOUNT ( MAX_AMOUNT ) ) copy ( . ∗ ) ;
Parting Thoughts

53 / 275
Ex: Counter
Welcome

Motivation module counter_vhd ( i_clk , i_start_signal ,

Bus Properties

Free Variables always @ ( ∗ )

Abstraction a s s e r t ( counts < MAX_AMOUNT ) ;
Invariants endmodule
Multiple-Clocks // Connect the two modules together
Cover bind counter counter_vhd
Sequences #(. MAX_AMOUNT ( MAX_AMOUNT ) ) copy ( . ∗ ) ;
Parting Thoughts

53 / 275
Example: SymbiYosys
Welcome In the file, exercise-01/counter [Link], you’ll find:
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule [ engines ]
Assert
smtbmc
Assume
BMC [ script ]
Ź Ex: Counter verific ´vlog´define FORMAL
Sol’n
verific ´vhdl counter . vhd
Clocked and $past
verific ´sv counter_vhd . sv
k Induction
# . . . o t h e r f i l e s would go h e r e
Bus Properties
verific ímport éxtnets áll counter
Free Variables
prep ´top counter
Abstraction
[ files ]
Invariants counter . vhd
Multiple-Clocks counter_vhd . sv
Cover

Sequences

Parting Thoughts

54 / 275
Example: SymbiYosys
Welcome In the file, exercise-01/counter [Link], you’ll find:
Motivation
[ options ]
Basics
Basics
mode bmc Bounded model checking mode
General Rule [ engines ]
Assert
smtbmc
Assume
BMC [ script ]
Ź Ex: Counter verific ´vlog´define FORMAL
Sol’n
verific ´vhdl counter . vhd
Clocked and $past
verific ´sv counter_vhd . sv
k Induction
# . . . o t h e r f i l e s would go h e r e
Bus Properties
verific ímport éxtnets áll counter
Free Variables
prep ´top counter
Abstraction
[ files ]
Invariants counter . vhd
Multiple-Clocks counter_vhd . sv
Cover

Sequences

Parting Thoughts

54 / 275
Example: SymbiYosys
Welcome In the file, exercise-01/counter [Link], you’ll find:
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule [ engines ]
Assert
smtbmc Run, using yosys-smtbmc
Assume
BMC [ script ]
Ź Ex: Counter verific ´vlog´define FORMAL
Sol’n
verific ´vhdl counter . vhd
Clocked and $past
verific ´sv counter_vhd . sv
k Induction
# . . . o t h e r f i l e s would go h e r e
Bus Properties
verific ímport éxtnets áll counter
Free Variables
prep ´top counter
Abstraction
[ files ]
Invariants counter . vhd
Multiple-Clocks counter_vhd . sv
Cover

Sequences

Parting Thoughts

54 / 275
Example: SymbiYosys
Welcome In the file, exercise-01/counter [Link], you’ll find:
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule [ engines ]
Assert
smtbmc
Assume
BMC [ script ] Yosys commands
Ź Ex: Counter verific ´vlog´define FORMAL
Sol’n
verific ´vhdl counter . vhd
Clocked and $past
verific ´sv counter_vhd . sv
k Induction
# . . . o t h e r f i l e s would go h e r e
Bus Properties
verific ímport éxtnets áll counter
Free Variables
prep ´top counter
Abstraction
[ files ]
Invariants counter . vhd
Multiple-Clocks counter_vhd . sv
Cover

Sequences

Parting Thoughts

54 / 275
Example: SymbiYosys
Welcome In the file, exercise-01/counter [Link], you’ll find:
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule [ engines ]
Assert
smtbmc
Assume
BMC [ script ]
Ź Ex: Counter verific ´vlog´define FORMAL
Sol’n
verific ´vhdl counter . vhd Read VHDL file
Clocked and $past
verific ´sv counter_vhd . sv
k Induction
# . . . o t h e r f i l e s would go h e r e
Bus Properties
verific ímport éxtnets áll counter
Free Variables
prep ´top counter
Abstraction
[ files ]
Invariants counter . vhd
Multiple-Clocks counter_vhd . sv
Cover

Sequences

Parting Thoughts

54 / 275
Example: SymbiYosys
Welcome In the file, exercise-01/counter [Link], you’ll find:
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule [ engines ]
Assert
smtbmc
Assume
BMC [ script ]
Ź Ex: Counter verific ´vlog´define FORMAL
Sol’n
verific ´vhdl counter . vhd
Clocked and $past
verific ´sv counter_vhd . sv Read System Verilog file
k Induction
# . . . o t h e r f i l e s would go h e r e
Bus Properties
verific ímport éxtnets áll counter
Free Variables
prep ´top counter
Abstraction
[ files ]
Invariants counter . vhd
Multiple-Clocks counter_vhd . sv
Cover

Sequences

Parting Thoughts

54 / 275
Example: SymbiYosys
Welcome In the file, exercise-01/counter [Link], you’ll find:
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule [ engines ]
Assert
smtbmc
Assume
BMC [ script ]
Ź Ex: Counter verific ´vlog´define FORMAL
Sol’n
verific ´vhdl counter . vhd
Clocked and $past
verific ´sv counter_vhd . sv
k Induction
# . . . o t h e r f i l e s would go h e r e
Bus Properties
verific ímport éxtnets áll counter Import logic
Free Variables
prep ´top counter
Abstraction
[ files ]
Invariants counter . vhd
Multiple-Clocks counter_vhd . sv
Cover

Sequences

Parting Thoughts

54 / 275
Example: SymbiYosys
Welcome In the file, exercise-01/counter [Link], you’ll find:
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule [ engines ]
Assert
smtbmc
Assume
BMC [ script ]
Ź Ex: Counter verific ´vlog´define FORMAL
Sol’n
verific ´vhdl counter . vhd
Clocked and $past
verific ´sv counter_vhd . sv
k Induction
# . . . o t h e r f i l e s would go h e r e
Bus Properties
verific ímport éxtnets áll counter
Free Variables
prep ´top counter Prepare the file for formal
Abstraction
[ files ]
Invariants counter . vhd
Multiple-Clocks counter_vhd . sv
Cover

Sequences

Parting Thoughts

54 / 275
Example: SymbiYosys
Welcome In the file, exercise-01/counter [Link], you’ll find:
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule [ engines ]
Assert
smtbmc
Assume
BMC [ script ]
Ź Ex: Counter verific ´vlog´define FORMAL
Sol’n
verific ´vhdl counter . vhd
Clocked and $past
verific ´sv counter_vhd . sv
k Induction
# . . . o t h e r f i l e s would go h e r e
Bus Properties
verific ímport éxtnets áll counter
Free Variables
prep ´top counter
Abstraction
[ files ] List of files to be used
Invariants counter . vhd
Multiple-Clocks counter_vhd . sv
Cover

Sequences

Parting Thoughts

54 / 275
Example: SymbiYosys
Welcome Other usefull yosys commands
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule depth 20
Assert
[ engines ]
Assume
BMC smtbmc yices
Ź Ex: Counter # smtbmc b o o l e c t o r
Sol’n
# smtbmc z3
Clocked and $past
[ script ]
k Induction
read ´formal counter . v
Bus Properties
# . . . o t h e r f i l e s would go h e r e
Free Variables
prep ´top counter
Abstraction
opt_merge ´share_all
Invariants [ files ]
Multiple-Clocks counter . v
Cover

Sequences

Parting Thoughts

55 / 275
Example: SymbiYosys
Welcome Other usefull yosys commands
Motivation
[ options ]
Basics
Basics
mode bmc Other modes: prove, cover, live
General Rule depth 20
Assert
[ engines ]
Assume
BMC smtbmc yices
Ź Ex: Counter # smtbmc b o o l e c t o r
Sol’n
# smtbmc z3
Clocked and $past
[ script ]
k Induction
read ´formal counter . v
Bus Properties
# . . . o t h e r f i l e s would go h e r e
Free Variables
prep ´top counter
Abstraction
opt_merge ´share_all
Invariants [ files ]
Multiple-Clocks counter . v
Cover

Sequences

Parting Thoughts

55 / 275
Example: SymbiYosys
Welcome Other usefull yosys commands
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule depth 20 # of Steps to examine
Assert
[ engines ]
Assume
BMC smtbmc yices
Ź Ex: Counter # smtbmc b o o l e c t o r
Sol’n
# smtbmc z3
Clocked and $past
[ script ]
k Induction
read ´formal counter . v
Bus Properties
# . . . o t h e r f i l e s would go h e r e
Free Variables
prep ´top counter
Abstraction
opt_merge ´share_all
Invariants [ files ]
Multiple-Clocks counter . v
Cover

Sequences

Parting Thoughts

55 / 275
Example: SymbiYosys
Welcome Other usefull yosys commands
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule depth 20
Assert
[ engines ]
Assume
BMC smtbmc yices Yices theorem prover (default)
Ź Ex: Counter # smtbmc b o o l e c t o r
Sol’n
# smtbmc z3
Clocked and $past
[ script ]
k Induction
read ´formal counter . v
Bus Properties
# . . . o t h e r f i l e s would go h e r e
Free Variables
prep ´top counter
Abstraction
opt_merge ´share_all
Invariants [ files ]
Multiple-Clocks counter . v
Cover

Sequences

Parting Thoughts

55 / 275
Example: SymbiYosys
Welcome Other usefull yosys commands
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule depth 20
Assert
[ engines ]
Assume
BMC smtbmc yices
Ź Ex: Counter # smtbmc b o o l e c t o r Other potential solvers
Sol’n
# smtbmc z3
Clocked and $past
[ script ]
k Induction
read ´formal counter . v
Bus Properties
# . . . o t h e r f i l e s would go h e r e
Free Variables
prep ´top counter
Abstraction
opt_merge ´share_all
Invariants [ files ]
Multiple-Clocks counter . v
Cover

Sequences

Parting Thoughts

55 / 275
Example: SymbiYosys
Welcome Other usefull yosys commands
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule depth 20
Assert
[ engines ]
Assume
BMC smtbmc yices
Ź Ex: Counter # smtbmc b o o l e c t o r
Sol’n
# smtbmc z3
Clocked and $past
[ script ]
k Induction
read ´formal counter . v
Bus Properties
# . . . o t h e r f i l e s would go h e r e
Free Variables
prep ´top counter
Abstraction
opt_merge ´share_all We’ll discusss this later
Invariants [ files ]
Multiple-Clocks counter . v
Cover

Sequences

Parting Thoughts

55 / 275
Example: SymbiYosys
Welcome Other usefull yosys commands
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule depth 20
Assert
[ engines ]
Assume
BMC smtbmc yices
Ź Ex: Counter # smtbmc b o o l e c t o r
Sol’n
# smtbmc z3
Clocked and $past
[ script ]
k Induction
read ´formal counter . v
Bus Properties
# . . . o t h e r f i l e s would go h e r e
Free Variables
prep ´top counter
Abstraction
opt_merge ´share_all
Invariants [ files ]
Multiple-Clocks counter . v Full or relative pathnames go here
Cover

Sequences

Parting Thoughts

55 / 275
Running SymbiYosys
Welcome Run: % sby -f counter [Link]
Motivation

Basics
Basics
General Rule
Assert
Assume
BMC
Ź Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

56 / 275
Running SymbiYosys
Welcome Run: % sby -f counter [Link]
Motivation

Basics
Basics
General Rule
Assert
Assume
BMC
Ź Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

56 / 275
BMC Failed
Welcome Run: % sby -f counter [Link]
Motivation

Basics
Basics
General Rule
Assert
Assume
BMC
Ź Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

57 / 275
Where Next
Welcome Look at source line 55, and fire up gtkwave
Motivation

Basics
Basics
General Rule
Assert
Assume
BMC
Ź Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

58 / 275
GTKWave [Link]
Welcome Run: % gtkwave counter vhd/engine 0/[Link]
Motivation

Basics
Basics
General Rule
Assert
Assume
BMC
Ź Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

59 / 275
Examine the source
Welcome Run: % demo-rtl/counter vhd.v
Motivation What did we do wrong?
Basics
Basics
General Rule
Assert
Assume
BMC
Ź Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

60 / 275
Examine the source
Welcome Run: % demo-rtl/counter vhd.v
Motivation Notice anything wrong?
Basics
Basics
General Rule
Assert
Assume
BMC
Ź Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

61 / 275
Examine the source
Welcome Run: % demo-rtl/counter vhd.v
Motivation Notice anything wrong?
Basics
Basics
General Rule
Assert
Assume
BMC
Ź Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences How about the missing initial value?

Parting Thoughts

61 / 275
Illegal Initial State
Welcome

Motivation

Basics
Basics
General Rule
Assert
Assume
BMC
Ex: Counter
Ź Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction ˝ Problem: No initial statement

Invariants
˝ Solver finds an invalid initial state
Multiple-Clocks
˝ Model fails
Cover

Sequences

Parting Thoughts

62 / 275
Exercise
Welcome Try adding in the initial value, will it work?
Motivation

Basics
Basics
General Rule
Assert
Assume
BMC
Ex: Counter
Ź Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

63 / 275
Welcome

Motivation

Basics
Clocked and
Ź $past
Past
$past Rule

Clocked and $past

Past Assertions
Past Valid
Examples
Ex: Busy Counter

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

64 / 275
Lesson Overview
Welcome Our Objective:
Motivation
˝ To learn how to make assertions crossing time intervals
Basics

Clocked and $past – $past()

Ź Past
$past Rule ˝ Before the beginning of time
Past Assertions
Past Valid – Assumptions always hold
Examples
Ex: Busy Counter – Assertions rarely hold
k Induction
˝ How to get around this with f_past_valid
Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

65 / 275
The $past operator
Welcome ˝ $past(X) Returns the value of X one clock ago.
Motivation ˝ $past(X,N) Returns the value of X N clocks ago.
Basics ˝ Depends upon a clock
Clocked and $past
Ź Past – This is illegal
$past Rule
Past Assertions
Past Valid
always @ ( ∗ )
Examples i f (X)
Ex: Busy Counter a s s e r t ( Y == $past ( Y ) ) ;
k Induction

Bus Properties No clock is associated with the $past operator.

Free Variables – But you can do this
Abstraction

Invariants
always @ ( posedge clk )
Multiple-Clocks
i f (X)
Cover
a s s e r t ( Y == $past ( Y ) ) ;
Sequences

Parting Thoughts

66 / 275
$past Rule
Welcome

Motivation

Basics

Clocked and $past

Past
Ź $past Rule
Past Assertions
Past Valid
Examples
Ex: Busy Counter

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

67 / 275
Past Assertions
Welcome Let’s modify our counter, by creating some additional properties:
Motivation
always @ ( ∗ )
Basics
assume ( ! i_start_signal ) ;
Clocked and $past
Past
$past Rule always @ ( posedge clk )
Ź Past Assertions
a s s e r t ( $past ( counter == 0 ) ) ;
Past Valid
Examples
Ex: Busy Counter

k Induction
˝ i_start_signal is now never true, so the counter should
Bus Properties always be zero.
Free Variables ˝ assert(counter == 0);
Abstraction This should always be true, since counter starts at zero, and
Invariants is never changed from zero.
Multiple-Clocks ˝ Will assert($past(counter == 0)); succeed?
Cover

Sequences You can find this file in exercise-02/[Link]

Parting Thoughts

68 / 275
Past Assertions
Welcome ˝ This fails
Motivation
always @ ( ∗ )
Basics
assume ( ! i_start_signal ) ;
Clocked and $past
Past
$past Rule always @ ( ∗ )
Ź Past Assertions
a s s e r t ( $past ( counter == 0 ) ) ;
Past Valid
Examples
Ex: Busy Counter

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

69 / 275
Past Assertions
Welcome ˝ This succeeds
Motivation
always @ ( ∗ )
Basics
assume ( ! i_start_signal ) ;
Clocked and $past
Past
$past Rule always @ ( ∗ )
Ź Past Assertions
a s s e r t ( counter == 0 ) ;
Past Valid
Examples
Ex: Busy Counter ˝ Before time, counter is unconstrained.
k Induction ˝ The solver can make it take on any value it wants in order to
Bus Properties make things fail
Free Variables
˝ This will not show in the VCD file
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

70 / 275
Past Assertions
Welcome Let’s try again:
Motivation
always @ ( posedge clk )
Basics
i f ( $past ( i_start_signal ) )
Clocked and $past
Past
a s s e r t ( counter == MAX_AMOUNT ´1’b1 ) ;
$past Rule
Ź Past Assertions This should work, right?
Past Valid
Examples
Ex: Busy Counter

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

71 / 275
Past Assertions
Welcome Let’s try again:
Motivation
always @ ( posedge clk )
Basics
i f ( $past ( i_start_signal ) )
Clocked and $past
Past
a s s e r t ( counter == MAX_AMOUNT ´1’b1 ) ;
$past Rule
Ź Past Assertions This should work, right? No, it fails.
Past Valid
Examples
Ex: Busy Counter ˝ i_start_signal is unconstrained before time
k Induction ˝ counter is initially constrained to zero
Bus Properties ˝ If i_start_signal is one before time,
Free Variables counter will still be zero when time begins
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

71 / 275
f past valid
Welcome We can fix this with a register I call, f_past_valid:
Motivation
reg f_past_valid ;
Basics

Clocked and $past

Past
i n i t i a l f_past_valid = 1 ’ b0 ;
$past Rule always @ ( posedge clk )
Past Assertions
f_past_valid <= 1 ’ b1 ;
Ź Past Valid
Examples
Ex: Busy Counter always @ ( posedge clk )
k Induction i f ( ( f_past_valid)&&( $past ( i_start_signal ) ) )
Bus Properties a s s e r t ( counter == MAX_AMOUNT ´1’b1 ) ;
Free Variables

Abstraction Will this work?

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

72 / 275
f past valid
Welcome We can fix this with a register I call, f_past_valid:
Motivation
reg f_past_valid ;
Basics

Clocked and $past

Abstraction Will this work? Almost, but not yet.

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

72 / 275
Fixing the counter
Welcome ˝ What about the case where i_start_signal is raised while
Motivation the counter isn’t zero?
Basics
reg f_past_valid ;
Clocked and $past
Past
$past Rule i n i t i a l f_past_valid = 1 ’ b0 ;
Past Assertions
Ź Past Valid
always @ ( posedge clk )
Examples f_past_valid <= 1 ’ b1 ;
Ex: Busy Counter

k Induction always @ ( posedge clk )

Bus Properties i f ( ( f_past_valid)&&( $past ( i_start_signal ) )
Free Variables &&($past ( counter == 0 ) ) )
Abstraction a s s e r t ( counter == MAX_AMOUNT ´1’b1 ) ;
Invariants

Multiple-Clocks ˝ Will this work?

Cover

Sequences

Parting Thoughts

73 / 275
Fixing the counter
Welcome ˝ What about the case where i_start_signal is raised while
Motivation the counter isn’t zero?
Basics
reg f_past_valid ;
Clocked and $past
Past
$past Rule i n i t i a l f_past_valid = 1 ’ b0 ;
Past Assertions
Ź Past Valid
always @ ( posedge clk )
Examples f_past_valid <= 1 ’ b1 ;
Ex: Busy Counter

k Induction always @ ( posedge clk )

Bus Properties i f ( ( f_past_valid)&&( $past ( i_start_signal ) )
Free Variables &&($past ( counter == 0 ) ) )
Abstraction a s s e r t ( counter == MAX_AMOUNT ´1’b1 ) ;
Invariants

Multiple-Clocks ˝ Will this work? Yes, now it will work

Cover ˝ You’ll find lots of references to f_past_valid in my own code.
Sequences

Parting Thoughts

73 / 275
Examples
Welcome Let’s look at some practical examples
Motivation

Basics

Clocked and $past

Past
$past Rule
Past Assertions
Past Valid
Ź Examples
Ex: Busy Counter

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

74 / 275
Reset example, #1
Welcome The rule: Every design should start in the reset state.
Motivation
i n i t i a l assume ( i_RESET ) ;
Basics

Clocked and $past

Past
always @ ( ∗ )
$past Rule i f ( ! f_past_valid )
Past Assertions
assume ( i_RESET ) ;
Past Valid
Ź Examples
Ex: Busy Counter What would be the difference between these two properties?
k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

75 / 275
Reset example, #2
Welcome The rule: On the clock following a reset, there should be no
Motivation outstanding bus requests.
Basics
always @ ( posedge clk )
Clocked and $past
Past i f ( ( f_past_valid)&&( $past ( i_RESET ) ) )
$past Rule a s s e r t ( ! o_CYC ) ;
Past Assertions
Past Valid
Ź Examples
Ex: Busy Counter

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

76 / 275
Reset example, #2
Welcome Two times registers must have their reset value
Motivation
˝ Initially
Basics
˝ Following a reset
Clocked and $past
Past
$past Rule always @ ( posedge clk )
Past Assertions
Past Valid
i f ( ( ! f_past_valid ) | | ( $past ( i_reset ) ) )
Ź Examples begin
Ex: Busy Counter a s s e r t ( ! o_CYC ) ;
k Induction a s s e r t ( ! o_STB ) ;
Bus Properties // e t c .
Free Variables end
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

77 / 275
Bus example
Welcome The rule: while a request is being made, the request cannot
Motivation change until it is accepted.
Basics
always @ ( posedge clk )
Clocked and $past
Past i f ( ( f_past_valid )
$past Rule &&($past ( o_STB ))&&( $past ( i_STALL ) ) )
Past Assertions
Past Valid
begin
Ź Examples a s s e r t ( o_STB ) ;
Ex: Busy Counter a s s e r t ( o_REQ == $past ( o_REQ ) ) ;
k Induction end
Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

78 / 275
Ex: Busy Counter
Welcome Many of my projects include some type of “busy counter”
Motivation
˝ Serial port logic must wait for a baud clock
Basics
Transmit characters must wait for the port to be idle
Clocked and $past
Past ˝ I2C logic needs to slow the clock down
$past Rule
Past Assertions
˝ SPI logic may also need to slow the clock down
Past Valid
Examples Objectives:
Ex: Busy
Ź Counter ˝ Gain some confidence using formal methods to prove that
k Induction alternative designs are equivalent
Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

79 / 275
Exercise: Busy Counter
Welcome Here’s the basic code. It should look familiar.
Motivation
p r o c e s s ( i_clk )
Basics
begin
Clocked and $past
Past
i f ( rising_edge ( i_clk ) ) then
$past Rule i f ( i_reset ) then
Past Assertions
counter <= to_unsigned ( 0 , 1 6 ) ;
Past Valid
Examples e l s i f ( ( i_start_signal = ’ 1 ’ )
Ex: Busy and ( 0 = counter ) ) then
Ź Counter
counter <= to_unsigned ( MAX_AMOUNT ´ 1 , 1 6 ) ;
k Induction
e l s i f ( 0 /= counter ) then
Bus Properties
counter <= counter ´ 1 ;
Free Variables
end i f ;
Abstraction
end i f ;
Invariants
end p r o c e s s ;
Multiple-Clocks

Cover
o_busy <= ’ 0 ’ when ( 0 = counter ) e l s e ’1 ’;
Sequences

Parting Thoughts

80 / 275
Example: Busy Counter
Welcome You can find the code in exercise-03/[Link].
Motivation Exercise: Create the following properties:
Basics
1. i_start_signal may be raised at any time
Clocked and $past
Past No property needed here
$past Rule
Past Assertions
2. Once raised, assume i_start_signal will remain high until
Past Valid it is high and the counter is no longer busy.
Examples
Ex: Busy 3. o_busy will always be true while the counter is non-zero
Ź Counter
This is an assertion
k Induction
4. If the counter is non-zero, it should always be counting down
Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

81 / 275
Busy Counter, Part two
Welcome Exercise:
Motivation
1. Make o_busy a clocked register
Basics

Clocked and $past p r o c e s s ( i_clk )

Past begin
$past Rule
Past Assertions i f ( rising_edge ( i_clk ) ) then
Past Valid o_busy <= ´´ Your l o g i c g o e s h e r e
Examples
Ex: Busy
end i f ;
Ź Counter end p r o c e s s ;
k Induction

Bus Properties 2. Prove that o_busy is true if and only if the counter is
Free Variables non-zero
Abstraction

Invariants ˝ You can use this approach to adjust your design to meet
Multiple-Clocks timing
Cover
– Shuffle logic from one clock to another, then
Sequences

Parting Thoughts
– Prove the new design remains valid

82 / 275
Welcome

Motivation

Basics

Clocked and $past

Ź k Induction
Lesson Overview
vs BMC
General Rule
The Trap
Examples
k Induction
Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

83 / 275
Lesson Overview
Welcome If you want to formally verify your design, BMC is insufficient
Motivation
˝ Bounded Model Checking (BMC) will only prove that your
Basics
design is correct for the first N clocks.
Clocked and $past
˝ It cannot prove that the design won’t fail on the next clock,
k Induction
Ź Lesson Overview clock N ` 1
vs BMC
General Rule
˝ This is the purpose of the induction step: proving correctness
The Trap for all time
Examples

Bus Properties Our Goals

Free Variables
˝ Be able to explain what induction is
Abstraction
˝ Be able to explain why induction is valuable
Invariants

Multiple-Clocks
˝ Know how to run induction
Cover ˝ What are the unique problems associated with induction
Sequences

Parting Thoughts

84 / 275
From Pre-Calc
Welcome Proof by induction has two steps:
Motivation
1. Base case: Prove for N “ 0 (or one)
Basics
2. Inductive step: Assume true for N , prove true for N ` 1.
Clocked and $past
Nÿ
´1
k Induction 1 ´ xN
n
Ź Lesson Overview Example: Prove x “
vs BMC
n“0
1´x
General Rule
The Trap
Examples
˝ For N “ 1, the sum is x0 or one
Bus Properties Nÿ
´1
1´x
Free Variables
xn “ x0 “
Abstraction
n“0
1´x
Invariants

Multiple-Clocks So this is true (for x ‰ 1).

Cover ˝ For the inductive step, we’ll
Sequences

Parting Thoughts
– Assume true for N , then prove for N ` 1

85 / 275
Proof, continued
Nÿ
´1
Welcome
n 1 ´ xN
Motivation Prove x “ for all N
n“0
1 ´ x
Basics

Clocked and $past ˝ Assume true for N , prove for N ` 1

N Nÿ´1 N
k Induction
Ź
ÿ 1 ´ x
Lesson Overview xn “ xN ` xn “ xN `
vs BMC
n“0 n“0
1´x
General Rule
The Trap ˝ Prove for N ` 1
Examples
N
Bus Properties ÿ
n 1 ´ x N 1 ´ xN
Free Variables x “ x `
n“0
1´x 1´x
Abstraction

Invariants xN ´ xN `1 ` 1 ´ xN 1 ´ xN `1
“ “
Multiple-Clocks
1´x 1´x
Cover

Sequences This proves the inductive case.

Parting Thoughts ˝ Hence this is true for all N (where N ą 0 and x ‰ 1)

86 / 275
k Induction
Welcome Suppose @n : P rns is what we wish to prove
Motivation
˝ Traditional induction
Basics

Clocked and $past – Base case: show P r0s

k Induction
Ź Lesson Overview
– Inductive case: show P rns Ñ P rn ` 1s
vs BMC
General Rule ˝ k induction
The Trap
N ´1
Examples ľ
Bus Properties
– Base case: show P rks
Free Variables
k“0
˜ ¸
Abstraction n
ľ
Invariants – k-induction step: P rks Ñ P rn ` 1s
Multiple-Clocks k“n´N `1
Cover

Sequences

Parting Thoughts

87 / 275
k Induction
Welcome Suppose @n : P rns is what we wish to prove
Motivation
˝ Traditional induction
Basics

Clocked and $past – Base case: show P r0s

k Induction
Ź Lesson Overview
– Inductive case: show P rns Ñ P rn ` 1s
vs BMC
General Rule ˝ k induction
The Trap
N ´1
Examples ľ
Bus Properties
– Base case: show P rks
Free Variables
k“0
This is what we did
˜ with BMC ¸
Abstraction
ľn
Invariants – k-induction step: P rks Ñ P rn ` 1s
Multiple-Clocks k“n´N `1
Cover

Sequences

Parting Thoughts

87 / 275
k Induction
Welcome Suppose @n : P rns is what we wish to prove
Motivation
˝ Traditional induction
Basics

Clocked and $past – Base case: show P r0s

Parting Thoughts

87 / 275
k Induction
Welcome Suppose @n : P rns is what we wish to prove
Motivation
˝ Traditional induction
Basics

Clocked and $past – Base case: show P r0s

Sequences

Parting Thoughts Why use k induction?

87 / 275
Induction in Verification
Welcome Formal verification uses k induction
Motivation
˝ Base case:
Basics
Assume the first N steps do not violate any assumptions, . . .
Clocked and $past

k Induction
Prove that the first N steps do not violate any assertions.
Ź Lesson Overview The is the BMC pass we’ve already done.
vs BMC
General Rule
˝ Inductive Step:
The Trap Assume N steps exist that neither violate any assumptions
Examples

Bus Properties
nor any assertions, and
Free Variables
Assume the N ` 1 step violates no assumptions, . . .
Abstraction Prove that the N ` 1 step does not violate any assertions.
Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

88 / 275
BMC vs Induction
Welcome BMC and induction are very different.
Motivation
˝ BMC, the base case
Basics

Clocked and $past

k Induction
Lesson Overview
Ź vs BMC ˝ Induction step
General Rule
The Trap
Examples

Bus Properties

Free Variables

Abstraction ˝ The number of BMC time-steps steps must be more than the
Invariants
number of inductive time-steps
Multiple-Clocks
˝ Register values at the beginning of the inductive step can be
Cover
anything allowed by your assertions and assumptions
Sequences
˝ This is where the work takes place.
Parting Thoughts

89 / 275
General Rule
Welcome

Motivation

Basics

Clocked and $past

k Induction
Lesson Overview
vs BMC
Ź General Rule
The Trap
Examples

Bus Properties

Free Variables

Abstraction

Invariants The general rule hasn’t changed:

Multiple-Clocks
˝ assume inputs,
Cover
˝ assert internal states and any outputs.
Sequences

Parting Thoughts If you assume too much, your design will pass formal verification
and still not work.

90 / 275
Checkers
Welcome Some assertions:
Motivation
˝ Games are played on black squares
Basics
˝ Players will never have more than 12 pieces
Clocked and $past
˝ Only legal moves are possible
k Induction
Lesson Overview ˝ Game is over when one side can no longer move
vs BMC
Ź General Rule Where might the induction engine start?
The Trap
Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

91 / 275
Checkers in the Library
Welcome

Motivation

Basics

Clocked and $past

k Induction
Lesson Overview
vs BMC
Ź General Rule
The Trap
Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
Black’s going to move and win
Parting Thoughts

92 / 275
Checkers in the Library
Welcome

Motivation

Basics

Clocked and $past

k Induction
Lesson Overview
vs BMC
Ź General Rule
The Trap
Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
White’s going to move and win
Parting Thoughts

92 / 275
Checkers in the Library
Welcome

Motivation

Basics

Clocked and $past

k Induction
Lesson Overview
vs BMC
Ź General Rule
The Trap
Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
Black’s going to . . . , huh?
Parting Thoughts

92 / 275
Checkers in the Library
Welcome

Motivation

Basics

Clocked and $past

k Induction
Lesson Overview
vs BMC
Ź General Rule
The Trap
Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
Would this pass our criteria?
Parting Thoughts

92 / 275
Checkers and Induction
Welcome What can we learn from Checkers?
Motivation
˝ Inductive step starts in the middle of the game
Basics
Only the assumptions and asserts are used to validate the
Clocked and $past

k Induction
game
Lesson Overview ˝ All of the FF’s (variables) start in arbitrary states
vs BMC
Ź General Rule
These states are only constrained by your assumptions and
The Trap assertions.
Examples
˝ Your formal constraints are required to limit the allowable
Bus Properties

Free Variables
states
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

93 / 275
The Trap
Welcome

Motivation

Basics

Clocked and $past

k Induction
Lesson Overview
vs BMC
General Rule
Ź The Trap
Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks
˝ If your formal properties are not strict enough,
Cover
Induction may start in an illegal state
Sequences ˝ This is a common problem!
Parting Thoughts

94 / 275
The Solution
Welcome

Motivation

Basics

Clocked and $past

k Induction
Lesson Overview
vs BMC
General Rule
Ź The Trap
Examples

Bus Properties

Free Variables

Abstraction

Invariants To make induction work, you must . . .

Multiple-Clocks

Cover
˝ assume unrealistic inputs will never happen
Sequences ˝ assert any remaining unreachable states are illegal
Parting Thoughts ˝ Induction often requires more properties than BMC alone

95 / 275
Examples
Welcome ˝ Let’s look at some examples
Motivation

Basics

Clocked and $past

k Induction
Lesson Overview
vs BMC
General Rule
The Trap
Ź Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

96 / 275
Another Counter
Welcome This design would pass many steps of BMC
Motivation
s i g n a l counter : unsigned ( 1 5 downto 0 ) := 0 ;
Basics
´´´´
Clocked and $past
p r o c e s s ( clk )
k Induction
Lesson Overview
begin
vs BMC i f ( rising_edge ( clk ) ) then
General Rule counter <= counter + 1 ;
The Trap
Ź Examples end i f ;
Bus Properties end p r o c e s s ;
Free Variables

Abstraction always @ ( ∗ )
Invariants a s s e r t ( counter < 1 6 ’ d65000 ) ;
Multiple-Clocks

Cover It will not pass induction.

Sequences Can you explain why not?
Parting Thoughts

97 / 275
Another Counter
Welcome Here’s another counter that will pass BMC, but not induction
Motivation
s i g n a l : counter : unsigned ( 1 5 downto 0 ) := 0 ;
Basics
´´´´
Clocked and $past
i f ( rising_edge ( clk ) ) then
k Induction
Lesson Overview
i f ( counter = to_unsigned ( 2 2 , 1 6 ) ) then
vs BMC counter <= 0 ;
General Rule else
The Trap
Ź Examples counter <= counter + 1 ;
Bus Properties end i f ;
Free Variables
end i f ;
Abstraction

Invariants always @ ( ∗ )
Multiple-Clocks a s s e r t ( counter != 1 6 ’ d500 ) ;
Cover

Sequences Can you explain why not?

Parting Thoughts

98 / 275
Shift Register Comparison
Welcome These shift registers will be equal during BMC, but require at
Motivation least sixteen steps to pass induction
Basics
s i g n a l sa : unsigned ( 1 5 downto 0 ) := 0 ;
Clocked and $past
s i g n a l sb : unsigned ( 1 5 downto 0 ) := 0 ;
k Induction
Lesson Overview ´´´´
vs BMC i f ( rising_edge ( clk ) ) then
General Rule
The Trap
begin
Ź Examples

Bus Properties sa <= sa ( 1 4 downto 0 ) & i_bit ;

Free Variables sb <= sb ( 1 4 downto 0 ) & i_bit ;
Abstraction

Invariants end i f ;
Multiple-Clocks

Cover always @ ( ∗ )
Sequences a s s e r t ( sa [ 1 5 ] == sb [ 1 5 ] ) ;
Parting Thoughts

Can you explain why it would take so long?

99 / 275
Shift Register Comparison
Welcome This design is almost identical to the last one, yet fails induction.
Motivation The key difference is the if (i_ce = ’1’).
Basics
s i g n a l sa : unsigned ( 1 5 downto 0 ) := 0 ;
Clocked and $past
s i g n a l sb : unsigned ( 1 5 downto 0 ) := 0 ;
k Induction
Lesson Overview ´´´´
vs BMC i f ( rising_edge ( clk ) ) then
General Rule
The Trap
begin
Ź Examples i f ( i_ce = ’ 1 ’ ) then
Bus Properties sa <= sa ( 1 4 downto 0 ) & i_bit ;
Free Variables sb <= sb ( 1 4 downto 0 ) & i_bit ;
Abstraction end i f ;
Invariants end i f ;
Multiple-Clocks

Cover always @ ( ∗ )
Sequences a s s e r t ( sa [ 1 5 ] == sb [ 1 5 ] ) ;
Parting Thoughts

Can you explain why this wouldn’t pass?

100 / 275
Fixing Shift Reg
Welcome Several approaches to fixing this:
Motivation
1. assume(i_ce);
Basics

Clocked and $past

k Induction
Lesson Overview
vs BMC
General Rule
The Trap
Ź Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

101 / 275
Fixing Shift Reg
Welcome Several approaches to fixing this:
Motivation
1. assume(i_ce);
Basics
Doesn’t really test the design
Clocked and $past

k Induction
2. opt_merge ´share_all, yosys option
Lesson Overview
vs BMC
General Rule
The Trap
Ź Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

101 / 275
Fixing Shift Reg
Welcome Several approaches to fixing this:
Motivation
1. assume(i_ce);
Basics
Doesn’t really test the design
Clocked and $past

k Induction
2. opt_merge ´share_all, yosys option
Lesson Overview Works for some designs
vs BMC
General Rule
3. assert(sa == sb);
The Trap
Ź Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

101 / 275
Fixing Shift Reg
Welcome Several approaches to fixing this:
Motivation
1. assume(i_ce);
Basics
Doesn’t really test the design
Clocked and $past

k Induction
2. opt_merge ´share_all, yosys option
Lesson Overview Works for some designs
vs BMC
General Rule
3. assert(sa == sb);
The Trap Best, but only works when sa and sb are visible
Ź Examples

Bus Properties
4. Insist on no more than M clocks between i_ce’s
Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

101 / 275
Fixing Shift Reg
Welcome Several approaches to fixing this:
Motivation
1. assume(i_ce);
Basics
Doesn’t really test the design
Clocked and $past

k Induction
2. opt_merge ´share_all, yosys option
Lesson Overview Works for some designs
vs BMC
General Rule
3. assert(sa == sb);
The Trap Best, but only works when sa and sb are visible
Ź Examples

Bus Properties
4. Insist on no more than M clocks between i_ce’s
Free Variables
5. Use a different prover, under the [engines] option
Abstraction ˝ smtbmc
Invariants
˝ abc pdr
Multiple-Clocks
˝ aiger avy
Cover
˝ aiger suprove
Sequences

Parting Thoughts

101 / 275
Fixing Shift Reg
Welcome Several approaches to fixing this:
Motivation
1. assume(i_ce);
Basics
Doesn’t really test the design
Clocked and $past

k Induction
2. opt_merge ´share_all, yosys option
Lesson Overview Works for some designs
vs BMC
General Rule
3. assert(sa == sb);
The Trap Best, but only works when sa and sb are visible
Ź Examples

Bus Properties
4. Insist on no more than M clocks between i_ce’s
Free Variables
5. Use a different prover, under the [engines] option
Abstraction ˝ smtbmc Inconclusive Proof (Induction fails)
Invariants
˝ abc pdr Pass
Multiple-Clocks
˝ aiger avy Pass
Cover
˝ aiger suprove Pass
Sequences

Parting Thoughts

101 / 275
Fixing Shift Reg
Welcome Several approaches to fixing this:
Motivation
1. assume(i_ce);
Basics
Doesn’t really test the design
Clocked and $past

k Induction
2. opt_merge ´share_all, yosys option
Lesson Overview Works for some designs
vs BMC
General Rule
3. assert(sa == sb);
The Trap Best, but only works when sa and sb are visible
Ź Examples

Parting Thoughts
Most of these options work for some designs only

101 / 275
SymbiYosys
Welcome Here’s how we’ll change our sby file:
Motivation
[ options ]
Basics
mode prove
Clocked and $past
[ engines ]
k Induction
Lesson Overview
smtbmc
vs BMC [ script ]
General Rule read ´vhdl lfsr_fib . vhd
The Trap
Ź Examples read ´vhdl dblpipe . vhd
Bus Properties read ´formal dblpipe_vhd . sv
Free Variables
prep ´top dblpipe
Abstraction
opt_merge ´share_all
Invariants
[ files ]
Multiple-Clocks
lfsr_fib . vhd
Cover
dblpipe . vhd
Sequences
dblpipe_vhd . sv
Parting Thoughts

102 / 275
SymbiYosys
Welcome Here’s how we’ll change our sby file:
Motivation
[ options ]
Basics
mode prove Use BMC and k-induction
Clocked and $past
[ engines ]
k Induction
Lesson Overview
smtbmc
vs BMC [ script ]
General Rule read ´vhdl lfsr_fib . vhd
The Trap
Ź Examples read ´vhdl dblpipe . vhd
Bus Properties read ´formal dblpipe_vhd . sv
Free Variables
prep ´top dblpipe
Abstraction
opt_merge ´share_all
Invariants
[ files ]
Multiple-Clocks
lfsr_fib . vhd
Cover
dblpipe . vhd
Sequences
dblpipe_vhd . sv
Parting Thoughts

102 / 275
SymbiYosys
Welcome Here’s how we’ll change our sby file:
Motivation
[ options ]
Basics
mode prove
Clocked and $past
[ engines ]
k Induction
Lesson Overview
smtbmc Other potential engines would go here
vs BMC [ script ]
General Rule read ´vhdl lfsr_fib . vhd
The Trap
Ź Examples read ´vhdl dblpipe . vhd
Bus Properties read ´formal dblpipe_vhd . sv
Free Variables
prep ´top dblpipe
Abstraction
opt_merge ´share_all
Invariants
[ files ]
Multiple-Clocks
lfsr_fib . vhd
Cover
dblpipe . vhd
Sequences
dblpipe_vhd . sv
Parting Thoughts

102 / 275
SymbiYosys
Welcome Here’s how we’ll change our sby file:
Motivation
[ options ]
Basics
mode prove
Clocked and $past
[ engines ]
k Induction
Lesson Overview
smtbmc
vs BMC [ script ]
General Rule read ´vhdl lfsr_fib . vhd
The Trap
Ź Examples read ´vhdl dblpipe . vhd
Bus Properties read ´formal dblpipe_vhd . sv
Free Variables
prep ´top dblpipe
Abstraction
opt_merge ´share_all Here’s where opt merge would go
Invariants
[ files ]
Multiple-Clocks
lfsr_fib . vhd
Cover
dblpipe . vhd
Sequences
dblpipe_vhd . sv
Parting Thoughts

102 / 275
Ex: DblPipe
Welcome Exercise #4: [Link]
Motivation
one : lfsr_fib p o r t map (
Basics
i_clk => i_clk , i_reset => ’ 0 ’ ,
Clocked and $past
i_ce => i_ce , i_in => i_data ,
k Induction
Lesson Overview
o_bit => a_data ) ;
vs BMC
General Rule two : lfsr_fib p o r t map (
The Trap
Ź Examples i_clk => i_clk , i_reset => ’ 0 ’ ,
Bus Properties i_ce => i_ce , i_in => i_data ,
Free Variables
o_bit => b_data ) ;
Abstraction

Invariants
p r o c e s s ( a_data , b_data )
Multiple-Clocks
begin
Cover
o_data <= a_data xor b_data ;
Sequences
end p r o c e s s ;
Parting Thoughts

103 / 275
Ex: DblPipe
Welcome Exercise #4: [Link]
Motivation
˝ lfsr_fib just implements a Fibonacci linear feedback shift
Basics
register,
Clocked and $past

k Induction
Lesson Overview
vs BMC
General Rule
The Trap
Ź Examples

Bus Properties
sreg ( LN´2 downto 0 ) <= sreg ( LN´1 downto 1 ) ;
Free Variables
sreg ( LN ´1) <= ( xor ( sreg and TAPS ) ) xor i_in ;
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

104 / 275
Ex: DblPipe
Welcome Exercise #4: [Link], lfsr [Link]
Motivation
p r o c e s s ( i_clk )
Basics
begin
Clocked and $past
i f ( rising_edge ( i_clk ) ) then
k Induction
Lesson Overview
i f ( i_reset = ’ 1 ’ ) then
vs BMC sreg <= INITIAL_FILL ;
General Rule e l s i f ( i_ce = ’ 1 ’ ) then
The Trap
Ź Examples sreg ( LN´2 downto 0 ) <= sreg ( LN´1 downto 1 ) ;
Bus Properties sreg ( LN ´1) <= ( xor ( sreg and TAPS ) )
Free Variables
xor i_in ;
Abstraction
end i f ;
Invariants
end i f ;
Multiple-Clocks
end p r o c e s s ;
Cover

Sequences
o_bit <= sreg ( 0 ) ;
Parting Thoughts

˝ Both registers one and two use the exact same logic

105 / 275
Ex: DblPipe
Welcome Exercise #4:
Motivation
˝ Using [Link]
Basics

Clocked and $past – Prove that the output, o_data, is zero

k Induction
Lesson Overview
vs BMC
General Rule
The Trap
Ź Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

106 / 275
Ex: LFSRs
Welcome Galois and Fibonacci are supposedly identical
Motivation
˝ Galois
Basics

Clocked and $past

k Induction
Lesson Overview
˝ Fibonacci
vs BMC
General Rule
The Trap
Ź Examples

Bus Properties

Free Variables
˝ Exercise #5 will be to prove these two implementations are
Abstraction
identical
Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

107 / 275
Ex: LFSRs
Welcome Exercise #5:
Motivation
˝ exercise-05/ contains files lfsr [Link],
Basics
lfsr [Link], and lfsr [Link].
Clocked and $past
˝ lfsr [Link] contains a Galois version of an LFSR
k Induction
Lesson Overview ˝ lfsr [Link] contains a Fibonacci version of the same
vs BMC
General Rule
LFSR
The Trap ˝ lfsr [Link] contains an assertion that these are
Ź Examples

Bus Properties
equivalent
Free Variables Prove that these are truly equivalent shift registers.
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

108 / 275
Where is the bug?
Welcome Following an induction failure, look over the trace
Motivation

Basics

Clocked and $past

k Induction
Lesson Overview
vs BMC
General Rule If you see a problem in section . . .
The Trap
Ź Examples A You have a missing one or more assertions
Bus Properties You’ll only have this problem with induction.
Free Variables
B You have a failing assert @(posedge clk)
Abstraction
C You have a failing assert @(∗)
Invariants
These latter two indicate a potential logic failure, but they
Multiple-Clocks

Cover
could still be caused by property failures.
Sequences

Parting Thoughts

109 / 275
Welcome

Motivation

Basics

Clocked and $past

k Induction

Ź Bus Properties
Ex: WB Bus
AXI
Avalon
Bus Properties
Wishbone
WB Basics
WB Basics

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

110 / 275
Ex: WB Bus
Welcome We have everything we need now to write formal properties for a
Motivation bus
Basics
˝ This lesson walks through an example the Wishbone Bus
Clocked and $past

k Induction Our Objectives:

Bus Properties
Ź Ex: WB Bus ˝ Learn to apply formal methods to something imminently
AXI
Avalon
practical
Wishbone ˝ Learn to build the formal description of a bus component
WB Basics
WB Basics
˝ Help lead up to a bus arbiter component
Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

111 / 275
AXI Channels
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
Ź AXI
Avalon
Wishbone
WB Basics
WB Basics

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

112 / 275
Avalon Channels
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Ź Avalon
Wishbone
WB Basics
WB Basics

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

113 / 275
Wishbone Channels
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI ˝ Why use the Wishbone? It’s simpler!
Avalon
Ź Wishbone
WB Basics
WB Basics

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

114 / 275
WB Signals
Welcome From the master’s perspective:
Motivation Specification name My name
Basics CYC O o wb cyc
Clocked and $past STB O o wb stb
k Induction
WE O o wb we
Bus Properties
Ex: WB Bus
ADDR O o wb addr
AXI DATA O o wb data
Avalon
Wishbone SEL O o wb sel
Ź WB Basics
STALL I i wb stall
WB Basics

Free Variables ACK I i wb ack

Abstraction DATA I i wb data
Invariants
ERR I i wb err
Multiple-Clocks

Cover

Sequences

Parting Thoughts

115 / 275
WB Signals
Welcome From the slave’s perspective:
Motivation Specification name My name
Basics CYC I i wb cyc
Clocked and $past STB I i wb stb
k Induction
WE I i wb we
Bus Properties
Ex: WB Bus
ADDR I i wb addr
AXI DATA I i wb data
Avalon
Wishbone SEL I i wb sel
Ź WB Basics
STALL O o wb stall
WB Basics

Free Variables ACK O o wb ack

Abstraction DATA O o wb data
Invariants
ERR O o wb err
Multiple-Clocks
To swap perspectives from master to slave . . .
Cover

Sequences ˝ Swap the port direction

Parting Thoughts ˝ Swap the assume() statements for assert() s

116 / 275
Single Read
Welcome CLK
Motivation
o CYC
Basics
o STB
Clocked and $past

k Induction
o WE
Bus Properties o ADDR A0

Ex: WB Bus
AXI
o DATA
Avalon i STALL
Wishbone
Ź WB Basics i ACK
WB Basics
i DATA D0
Free Variables

Abstraction ˝ STB must be low when CYC is low

Invariants
˝ If CYC goes low mid-transaction, the transaction is aborted
Multiple-Clocks
˝ While STB and STALL are active, the request cannot change
Cover
˝ One request is made for every clock with STB and !STALL
Sequences

Parting Thoughts

117 / 275
Single Read
Welcome CLK
Motivation
o CYC
Basics
o STB
Clocked and $past

k Induction
o WE
Bus Properties o ADDR A0

Ex: WB Bus
AXI
o DATA
Avalon i STALL
Wishbone
Ź WB Basics i ACK
WB Basics
i DATA D0
Free Variables

Abstraction ˝ One ACK response per request

Invariants
˝ No ACKs allowed when the bus is idle
Multiple-Clocks
˝ No way to stall the ACK line
Cover
˝ The bus result is in i DATA when i ACK is true
Sequences

Parting Thoughts

118 / 275
Three Writes
Welcome CLK
Motivation
o CYC
Basics
o STB
Clocked and $past

k Induction
o WE
Bus Properties o ADDR A1 A2 A3

Ex: WB Bus
AXI
o DATA D1 D2 D3

Avalon i STALL
Wishbone
Ź WB Basics i ACK
WB Basics
i DATA
Free Variables

Abstraction Let’s start building some formal properties

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

119 / 275
CYC and STB
Welcome ˝ The bus starts out idle, and returns to idle after a reset
Motivation
always @ ( posedge i_clk )
Basics
i f ( ( ! f_past_valid ) | | ( $past ( i_reset ) ) )
Clocked and $past
begin
k Induction
assume ( ! i_wb_ack ) ;
Bus Properties
Ex: WB Bus
assume ( ! i_wb_err ) ;
AXI //
Avalon a s s e r t ( ! o_wb_cyc ) ;
Wishbone
Ź WB Basics a s s e r t ( ! o_wb_stb ) ;
WB Basics end
Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

120 / 275
CYC and STB
Welcome ˝ The bus starts out idle, and returns to idle after a reset
Motivation
always @ ( posedge i_clk )
Basics
i f ( ( ! f_past_valid ) | | ( $past ( i_reset ) ) )
Clocked and $past
begin
k Induction
assume ( ! i_wb_ack ) ;
Bus Properties
Ex: WB Bus
assume ( ! i_wb_err ) ;
AXI //
Avalon a s s e r t ( ! o_wb_cyc ) ;
Wishbone
Ź WB Basics a s s e r t ( ! o_wb_stb ) ;
WB Basics end
Free Variables

Abstraction ˝ STB is low whenever CYC is low

Invariants
always @ ( ∗ )
Multiple-Clocks
i f ( ! o_wb_cyc )
Cover
a s s e r t ( ! o_wb_stb ) ;
Sequences

Parting Thoughts

120 / 275
The Master Waits
Welcome ˝ While STB and STALL are active, the request doesn’t change
Motivation
a s s i g n f_request = { o_stb , o_we , o_addr ,
Basics
o_data } ;
Clocked and $past
always @ ( posedge clk )
k Induction
i f ( $past ( o_wb_stb)&&( $past ( i_wb_stall ) ) )
Bus Properties
Ex: WB Bus
a s s e r t ( f_request == $past ( f_request ) ) ;
AXI
Avalon ˝ Did we get it?
Wishbone
Ź WB Basics
WB Basics

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

121 / 275
The Master Waits
Welcome ˝ While STB and STALL are active, the request doesn’t change
Motivation
a s s i g n f_request = { o_stb , o_we , o_addr ,
Basics
o_data } ;
Clocked and $past
always @ ( posedge clk )
k Induction
i f ( $past ( o_wb_stb)&&( $past ( i_wb_stall ) ) )
Bus Properties
Ex: WB Bus
a s s e r t ( f_request == $past ( f_request ) ) ;
AXI
Avalon ˝ Did we get it? Well, not quite
Wishbone
Ź WB Basics o_data is a don’t care for any read request
WB Basics

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

121 / 275
The Master Waits
Welcome ˝ While STB and STALL are active, the request doesn’t change
Motivation
a s s i g n f_rd_request = { o_stb , o_we , o_addr } ;
Basics
a s s i g n f_wr_request = { f_rd_request , o_data } ;
Clocked and $past

k Induction
always @ ( posedge clk )
Bus Properties
Ex: WB Bus
i f ( ( f_past_valid )
AXI &&($past ( o_wb_stb ))&&( $past ( i_wb_stall ) ) )
Avalon begin
Wishbone
Ź WB Basics // F i r s t , f o r r e a d s ´´o d a t a i s a don ’ t c a r e
WB Basics i f ( $past ( ! i_wb_we ) )
Free Variables a s s e r t ( f_rd_request == $past ( f_rd_request ) ) ;
Abstraction // Second , f o r w r i t e s ´´o d a t a must n o t c h a n ge
Invariants i f ( $past ( i_wb_we ) )
Multiple-Clocks a s s e r t ( f_wr_request == $past ( f_wr_request ) ) ;
Cover end
Sequences

Parting Thoughts

122 / 275
CYC and STB
Welcome ˝ No acknowledgements without a request
Motivation ˝ No errors without a request
Basics ˝ Following any error, the bus cycle ends
Clocked and $past ˝ A bus cycle can be terminated early
k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

123 / 275
Bus example
Welcome The rule: the slave (external) cannot stall the master more than
Motivation F_OPT_MAXSTALL counts:
Basics

Clocked and $past

i f ( rising_edge ( i_clk ) ) then
i f ( ( i_reset = ’ 1 ’ ) or ( o_CYC = ’ 0 ’ )
k Induction
or ( ( o_STB = ’1 ’)
Bus Properties
Ex: WB Bus and ( i_stall = ’ 0 ’ ) ) ) then
AXI f_stall_count <= 0 ;
Avalon
Wishbone
else
WB Basics f_stall_count <= f_stall_count + 1 ;
Ź WB Basics end i f ;
Free Variables end i f ;
Abstraction

Invariants
always @ ( posedge clk )
Multiple-Clocks
i f ( o_CYC )
Cover
assume ( f_stall_count < F_OPT_MAXSTALL ) ;
Sequences

Parting Thoughts
This solves the i_ce problem, this time with the i_STALL signal

124 / 275
Bus example
Welcome The rule: the slave can only respond to requests
Motivation
p r o c e s s ( i_clk )
Basics
begin
Clocked and $past
i f ( rising_edge ( i_clk ) ) then
k Induction
f_nreqs <= to_unsigned ( 0 , F_LGDEPTH ) ;
Bus Properties
Ex: WB Bus
elsif ( ( i_STB = ’ 1 ’ ) and ( o_STALL = ’ 0 ’ ) ) then
AXI f_nreqs <= f_nreqs + 1 ;
Avalon end i f ;
Wishbone
WB Basics end p r o c e s s ;
Ź WB Basics

Free Variables ´´ Need a s i m i l a r c o u n t e r f o r a c k n o w l e d g e m e n t s

Abstraction

Invariants
always @ ( ∗ )
Multiple-Clocks
i f ( f_nreqs == f_nacks )
Cover
a s s e r t ( ! o_ACK ) ;
Sequences

Parting Thoughts The logic above almost works. Can any one spot the problems?

125 / 275
Two Exercises
Welcome Let’s build up to proving a WB arbiter
Motivation
˝ Let’s prove (BMC + k-Induction) . . .
Basics

Clocked and $past 1. Exercise #6: A simple arbiter

k Induction exercise-06/[Link]
Bus Properties 2. Exercise #7: Then a Wishbone bus arbiter
Ex: WB Bus
AXI exercise-07/[Link]
Avalon
Wishbone ˝ Given a set of bus properties: fwb slave.v
WB Basics
Ź WB Basics

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

126 / 275
Simple Arbiter
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics
The basics
Free Variables ˝ *_req requests a transaction
Abstraction ˝ *_data, the contents of the transaction
Invariants
˝ *_busy, true if the source must wait
Multiple-Clocks

Cover

Sequences

Parting Thoughts

127 / 275
Simple Arbiter
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics ˝ If (∗_req)&&(!∗_busy),
Free Variables
the request is accepted
Abstraction
˝ If (∗_req)&&(∗_busy),
Invariants
the request may not change, except on reset
Multiple-Clocks

Cover

Sequences

Parting Thoughts

128 / 275
Simple Arbiter
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics
To prove:
Free Variables ˝ No data will be lost, no requests will be dropped
Abstraction Assume all requests remain stable until accepted
Invariants
˝ Only one source ever gets access at a time
Multiple-Clocks
Assert one busy line is always high
Cover
˝ Therefore, all requests go through . . . eventually
Sequences

Parting Thoughts

129 / 275
WB Arbiter
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics

Free Variables

Abstraction Shall we try this with Wishbone?

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

130 / 275
WB Arbiter
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics

Free Variables

Abstraction This request side is almost identical

Invariants
˝ If (STB)&&(!STALL)
Multiple-Clocks
the request is accepted
Cover
˝ If (STB)&&(STALL)
Sequences

Parting Thoughts
the request must not change

131 / 275
WB Arbiter
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics

Free Variables

Abstraction The difference is the acknowledgements

Invariants
˝ The arbiter cannot change during an active transaction
Multiple-Clocks
˝ All requests get responses
Cover
˝ No response can be returned without a request
Sequences

Parting Thoughts

132 / 275
WB Arbiter
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics

Free Variables

Abstraction Now, prove that exercise-07/[Link] works.

Invariants
˝ Use both BMC and k-induction (move prove)
Multiple-Clocks
˝ You’ll need to build fwb master.v properties
Cover

Sequences

Parting Thoughts

133 / 275
WB Arbiter
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics

Free Variables

Abstraction The fwb slave.v properties will

Invariants
˝ Assume a behaving master
Multiple-Clocks
˝ Assert a behaving slave
Cover

Sequences

Parting Thoughts

134 / 275
WB Arbiter
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics

Free Variables

Abstraction You’ll write the fwb master.v properties

Invariants
˝ Swapping inputs with outputs
Multiple-Clocks

Cover – Port names need not change

Sequences
˝ Swapping assumptions with assertions
Parting Thoughts

135 / 275
WB Arbiter
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics

Free Variables

Abstraction The magic is in how the files are connected

Invariants
˝ If one interface is connected, both master and slave. . .
Multiple-Clocks

Cover – Should see the same number of requests

Sequences – Should see the same number of acknowledgements
Parting Thoughts

136 / 275
WB Arbiter
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics

Free Variables

Abstraction The magic is in how the files are connected

Invariants
˝ If one interface is connected, the other . . .
Multiple-Clocks

Cover – Should not have made any successful requests

Sequences – Should not have received any acknowledgements
Parting Thoughts

137 / 275
Multiple Files
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics
˝ Design with multiple files
Free Variables
˝ They were each formally correct
Abstraction ˝ Problems?
Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

138 / 275
Multiple Files
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics
˝ Design with multiple files
Free Variables
˝ They were each formally correct
Abstraction ˝ Problems? Yes! In induction
Invariants ˝ State variables needed to be formally synchronized (assert() )
Multiple-Clocks

Cover

Sequences

Parting Thoughts

138 / 275
Multiple Files
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics

Free Variables

Abstraction

Invariants
Proving properties for many components together can quickly
Multiple-Clocks get out of hand!
Cover

Sequences

Parting Thoughts

139 / 275
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Ź Free Variables
Lesson Overview
Formal
Free Variables
Formal
Memory
So what?
Rule
Discussion

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

140 / 275
Lesson Overview
Welcome When dealing with memory, ...
Motivation
˝ Testing the entire memory is not required
Basics
˝ Testing an arbitrary value is
Clocked and $past

k Induction It’s time to discuss (∗ anyconst ∗) and (∗ anyseq ∗)

Bus Properties Objectives
Free Variables
Ź Lesson Overview ˝ Understand what a free variable is
Formal
Formal
˝ Understand how (∗ anyconst ∗) and (∗ anyseq ∗) can be
Memory used to create free variables
So what?
Rule ˝ Learn how you can use free variables to validate memory and
Discussion memory interfaces
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

141 / 275
any*
Welcome ˝ (∗ anyconst ∗)
Motivation
( ∗ anyconst ∗ ) wire [ N ´ 1 : 0 ] cval ;
Basics

Clocked and $past

k Induction – Can be anything

Bus Properties – Defined at the beginning of time
Free Variables – Never changed
Lesson Overview
Ź Formal
Formal ˝ (∗ anyseq ∗)
Memory
So what? ( ∗ anyseq ∗ ) wire [ N ´ 1 : 0 ] sval ;
Rule
Discussion

Abstraction – Can change from one timestep to the next

Invariants

Multiple-Clocks Both can still be constrained via assume() statements

Cover

Sequences

Parting Thoughts

142 / 275
VHDL any* attributes
Welcome These properties can be used from within VHDL as well:
Motivation
˝ These are VHDL attributes in Yosys
Basics
˝ anyconst
Clocked and $past

k Induction s i g n a l cval : std_logic_vector ( N´1 downto 0 ) ;

Bus Properties

Free Variables a t t r i b u t e anyconst : bit ;

Lesson Overview
a t t r i b u t e anyconst o f cval : s i g n a l i s ’1 ’;
Formal
Ź Formal
Memory ˝ anyseq
So what?
Rule s i g n a l sval : std_logic_vector ( N´1 downto 0 ) ;
Discussion

Abstraction
a t t r i b u t e anyseq : bit ;
Invariants
a t t r i b u t e anyseq o f sval : s i g n a l i s ’1 ’;
Multiple-Clocks

Cover

Sequences

Parting Thoughts

143 / 275
Memory
Welcome How might you build a memory with this?
Motivation
( ∗ anyconst ∗ ) w i r e [ AW ´ 1 : 0 ] f_const_addr ;
Basics
reg [ AW ´ 1 : 0 ] f_mem_value ;
Clocked and $past

k Induction

Bus Properties
// Han d l e w r i t e s
Free Variables
always @ ( posedge i_clk )
Lesson Overview i f ( ( i_stb)&&(i_we)&&(i_addr == f_const_addr ) )
Formal
f_mem_value <= i_data ;
Formal
Ź Memory
So what? // Han d l e r e a d s
Rule
Discussion
always @ ( posedge i_clk )
Abstraction
i f ( ( f_past_valid)&&( $past ( i_stb ))&&(! $past ( i_we ) )
Invariants
&&($past ( i_addr == f_const_addr ) ) )
Multiple-Clocks
a s s e r t ( o_data == f_mem_value ) ;
Cover

Sequences

Parting Thoughts

144 / 275
So what?
Welcome Consider the specification of a prefetch
Motivation
˝ The contract
Basics

Clocked and $past always @ ( posedge i_clk )

k Induction i f ( ( o_valid)&&(o_pc == f_const_addr ) )
Bus Properties a s s e r t ( o_insn == f_const_data ) ;
Free Variables
Lesson Overview ˝ You’ll also need to assume a bus input
Formal
Formal always @ ( posedge i_clk )
Memory
Ź So what? i f ( ( i_ack)&&(ackd_address == f_const_addr ) )
Rule assume ( i_data == f_const_data ) ;
Discussion

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

145 / 275
Rule of Free Variables
Welcome How would our general rule apply here?
Motivation
˝ Assume inputs, assert internal state and outputs
Basics
˝ You could have written
Clocked and $past

k Induction port ( . . . i_value : i n . . . ; ...);

Bus Properties

Free Variables
Lesson Overview
always @ ( posedge i_clk )
Formal assume ( i_value == $past ( i_value ) ) ;
Formal
Memory
So what?
for the same effect as (∗ anyconst ∗)
Ź Rule ˝ Both (∗ anyconst ∗) and (∗ anyseq ∗) act like inputs
Discussion
˝ assume() them therefore, and not assert()
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

146 / 275
Ex: Flash Controller
Welcome This works for a flash (or other ROM) controller too:
Motivation
a t t r i b u t e anyconst o f f_addr : signal is ’1 ’;
Basics
a t t r i b u t e anyconst o f f_valid : s i g n a l i s ’1 ’;
Clocked and $past

k Induction

Bus Properties always @ ( ∗ )

Free Variables
i f ( ( o_wb_ack)&&(f_request_addr == f_addr ) )
Lesson Overview a s s e r t ( o_wb_data == f_value ) ;
Formal
Formal
Memory Don’t forget the corollary assumptions!
So what?
Ź Rule always @ ( ∗ )
Discussion i f ( f_request_addr == f_addr )
Abstraction assume ( i_spi_data
Invariants == f_data [ controller_state ] ) ;
Multiple-Clocks

Cover . . . or something similar

Sequences

Parting Thoughts

147 / 275
Ex: Serial Port
Welcome You can use this to build a serial port transmitter
Motivation
a t t r i b u t e anyseq o f f_tx_start : s i g n a l i s ’1 ’;
Basics
a t t r i b u t e anyseq o f f_tx_data : signal is ’1 ’;
Clocked and $past

k Induction

Bus Properties
always @ ( ∗ )
Free Variables
i f ( f_tx_busy )
Lesson Overview assume ( ! f_tx_start ) ;
Formal
Formal
Memory always @ ( posedge f_txclk )
So what? i f ( f_tx_busy )
Ź Rule
assume ( f_tx_data == $past ( f_tx_data ) ) ;
Discussion

Abstraction

Invariants
You can then
Multiple-Clocks ˝ Tie assertions to partially received data
Cover ˝ . . . and pass induction
Sequences

Parting Thoughts

148 / 275
Discussion
Welcome How would you use free variables to verify a cache
Motivation implementation?
Basics

Clocked and $past

k Induction

Bus Properties

Free Variables
Lesson Overview
Formal
Formal
Memory
So what?
Rule
Ź Discussion

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

149 / 275
Discussion
Welcome How would you use free variables to verify a cache
Motivation implementation?
Basics

Clocked and $past Hint: you only need three properties for the cache contract
k Induction

Bus Properties

Free Variables
Lesson Overview
Formal
Formal
Memory
So what?
Rule
Ź Discussion

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

149 / 275
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Ź Abstraction Abstraction
Lesson Overview
Formal
Proof
Pictures
Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

150 / 275
Lesson Overview
Welcome ˝ Proving simple modules is easy.
Motivation ˝ What about large and complex ones?
Basics

Clocked and $past It’s time to discus abstraction.

k Induction Objectives
Bus Properties
˝ Understand what abstraction is
Free Variables
˝ Gain confidence in the idea of abstraction
Abstraction
Ź Lesson Overview ˝ Understand how to reduce a design via abstraction
Formal
Proof
Pictures
Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

151 / 275
Abstraction Formally
Welcome Formally, if
Motivation

Basics AÑC
Clocked and $past

k Induction then we can also say that

Bus Properties

Free Variables pABq Ñ C

Abstraction
Lesson Overview
Ź Formal
Proof
Pictures
Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

152 / 275
Formal Proof
Welcome Shall we go over the proof?
Motivation

Basics AÑC ñ A _ C “ True

Clocked and $past
True or anything is still true, so
k Induction

Bus Properties
p A _ Cq _ B
Free Variables Rearranging terms
Abstraction
Lesson Overview
A_ B_C
Formal
pABq _ C
Ź Proof
Pictures Expressing as an implication
Examples
Exercise pABq Ñ C
Invariants

Multiple-Clocks Q.E.D.!
Cover

Sequences

Parting Thoughts

153 / 275
So what?
Welcome With every additional module,
Motivation
˝ Formal verification becomes more difficult
Basics
˝ Complexity increases exponentially
Clocked and $past
˝ You only have so many hours and dollars
k Induction

Bus Properties On the other hand,

Free Variables

Abstraction
˝ Anything you can simplify by abstraction . . .
Lesson Overview ˝ is one less thing you need to prove
Formal
Ź Proof
Pictures
Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

154 / 275
In Pictures
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Lesson Overview
Formal
Proof
Ź Pictures
Examples
Suppose your state space looked like this
Exercise

Invariants ˝ It takes many transitions required to get to interesting states

Multiple-Clocks

Cover

Sequences

Parting Thoughts

155 / 275
In Pictures
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Lesson Overview
Formal
Proof
Ź Pictures
Examples
Suppose we added to this design . . .
Exercise

Invariants ˝ Some additional states, and

Multiple-Clocks ˝ Additional transitions
Cover

Sequences
The real states and transitions must still remain
Parting Thoughts

156 / 275
In Pictures
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Lesson Overview
Formal
Proof
Ź Pictures
Examples
If this new design still passes, then . . .
Exercise

Invariants ˝ Since the original design is a subset . . .

Multiple-Clocks ˝ The original design must also still pass
Cover

Sequences
If done well, the new design will require less effort to prove
Parting Thoughts

157 / 275
A CPU
Welcome Where would you start?
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Lesson Overview
Formal
Proof
Ź Pictures
Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

158 / 275
A CPU
Welcome Where would you start?
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Lesson Overview
Formal
Proof
Ź Pictures
Examples
Exercise

Invariants

Multiple-Clocks

Cover At the interfaces!

Sequences

Parting Thoughts

158 / 275
Prefetch
Welcome Let’s consider a prefetch module as an example.
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables
If you do this right,
Abstraction ˝ Any internally consistent Prefetch,
Lesson Overview
Formal ˝ that properly responds to the CPU, and
Proof ˝ interacts properly with the bus,
Ź Pictures
Examples ˝ must work!
Exercise

Invariants
Care to try a different prefetch approach?
Multiple-Clocks

Cover

Sequences

Parting Thoughts

159 / 275
Prefetch
Welcome Suppose the prefetch was just a shell
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables
It would still interact properly with
Abstraction ˝ The bus, and
Lesson Overview
Formal ˝ The CPU
Proof ˝ It just might not return values from the bus to the CPU
Ź Pictures
Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

160 / 275
Prefetch
Welcome Suppose the prefetch was just a shell
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables
If the CPU still acted “correctly”
Abstraction ˝ With either the right, or the wrong instructions, then
Lesson Overview
Formal ˝ The CPU must act correctly with the right instructions
Proof
Ź Pictures
Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

161 / 275
Examples
Welcome Consider these statements:
Motivation
˝
Basics

Clocked and $past

k Induction
If
Bus Properties
And
Free Variables Then
Abstraction
Lesson Overview
Formal
Proof
Pictures
Ź Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

162 / 275
Examples
Welcome Consider these statements:
Motivation
˝ Prefetch is bus master, interfaces w/CPU
Basics

Clocked and $past

k Induction
If (Prefetch responds to CPU insn requests)
Bus Properties
And (Prefetch produces the right instructions)
Free Variables Then (The prefetch works within the design)
Abstraction
Lesson Overview
Formal
Proof
Pictures
Ź Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

162 / 275
Examples
Welcome Consider these statements:
Motivation
˝ The CPU is just a wishbone master within a design
Basics

Clocked and $past

k Induction
If (The CPU is valid bus master)
Bus Properties
And (CPU properly executes instructions)
Free Variables Then (CPU works within a design)
Abstraction
Lesson Overview
Formal
Proof
Pictures
Ź Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

162 / 275
Examples
Welcome Consider these statements:
Motivation
˝ The ALU must return a calculated number
Basics

Clocked and $past

k Induction
If (ALU returns a value when requested)
Bus Properties
And (It is the right value)
Free Variables Then (The ALU works within the design)
Abstraction
Lesson Overview
Formal
Proof
Pictures
Ź Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

162 / 275
Examples
Welcome Consider these statements:
Motivation
˝ A flash device responds in 8-80 clocks
Basics

Clocked and $past

k Induction
If (Bus master reads/responds to a request)
Bus Properties
And (The response comes back in 8-80 clocks)
Free Variables Then (The CPU can interact with a flash memory)
Abstraction
Lesson Overview
Formal
Proof
Pictures
Ź Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

162 / 275
Examples
Welcome Consider these statements:
Motivation
˝ The divide must return a calculated number
Basics

Clocked and $past

k Induction
If (Divide returns a value when requested)
Bus Properties
And (It is the right value)
Free Variables Then (The divide works within the design)
Abstraction
Lesson Overview
Formal
Proof
Pictures
Ź Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

162 / 275
Examples
Welcome Consider these statements:
Motivation
˝ Formal solvers break down when applied to multiplies
Basics

Clocked and $past

k Induction
If (Multiply unit returns an answer N clocks later)
Bus Properties
And (It is the right value)
Free Variables Then (The multiply works within the design)
Abstraction
Lesson Overview
Formal
Proof
Pictures
Ź Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

162 / 275
Abstracted CPU components
Welcome Looking at the CPU again,
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Lesson Overview
Formal
Proof
Pictures
Ź Examples
Exercise

Invariants

Multiple-Clocks

Cover
˝ Replace all the components with abstract shells
Sequences
˝ . . . shells that might produce the same answers
Parting Thoughts

163 / 275
Back to the Counter
Welcome Let’s consider a fractional counter:
Motivation
s i g n a l r_count : unsigned ( 3 1 downto 0 ) := 0 ;
Basics
´´´´
Clocked and $past
p r o c e s s ( i_clk )
k Induction
begin
Bus Properties
i f ( rising_edge ( i_clk ) ) then
Free Variables
( o_pps , r_count ) <= resize ( r_count , 3 3 ) + 4 3 ;
Abstraction
end i f ;
Lesson Overview
Formal end p r o c e s s ;
Proof
Pictures
Ź Examples
The problem with this counter
Exercise
˝ It will take 100 ˆ 106 clocks to roll over and set o_pps
Invariants
˝ Formally checking 100 ˆ 106 clocks is prohibitive
Multiple-Clocks

Cover We’ll need a better way, or we’ll never deal with this
Sequences

Parting Thoughts

164 / 275
Back to the Counter
Welcome How might we build an abstract counter?
Motivation
˝ First, create an arbitrary counter increment
Basics

Clocked and $past s i g n a l increment : unsigned ( 3 1 downto 0 )

k Induction := to_unsigned ( 1 , 3 2 ) ;
Bus Properties a t t r i b u t e anyseq o f increment : s i g n a l i s ’ 1 ’ ;
Free Variables ´´´´
Abstraction p r o c e s s ( i_clk )
Lesson Overview begin
Formal
Proof
i f ( rising_edge ( i_clk ) ) then
Pictures ( o_pps , r_count ) <= resize ( r_count , 3 3 )
Ź Examples
+ increment ;
Exercise
end i f ;
Invariants
end p r o c e s s ;
Multiple-Clocks

Cover
rollover <= ´r_count ;
Sequences

Parting Thoughts
We’ll constrain this increment next
165 / 275
Back to the Counter
Welcome How might we build an abstract counter?
Motivation
˝ First, create an arbitrary counter increment
Basics
˝ Then constrain the arbitrary increment
Clocked and $past

k Induction always @ ( ∗ )
Bus Properties begin
Free Variables assume ( increment > 0 ) ;
Abstraction assume ( increment < { 2 ’ h1 , 3 0 ’ h0 } ) ;
Lesson Overview
i f ( rollover < 3 2 ’ d43 )
Formal
Proof assume ( increment == 3 2 ’ d43 ) ;
Pictures else
Ź Examples
assume ( increment < rollover ) ;
Exercise

Invariants
end
Multiple-Clocks

Cover The correct increment, 43, must be a possibility

Sequences

Parting Thoughts

166 / 275
Back to the Counter
Welcome Will this work?
Motivation
˝ Let’s try this to see!
Basics

Clocked and $past always @ ( posedge i_clk )

k Induction i f ( f_past_valid )
Bus Properties a s s e r t ( r_count != $past ( r_count ) ) ;
Free Variables

Abstraction always @ ( posedge i_clk )

Lesson Overview i f ( ( f_past_valid)&&(r_count < $past ( r_count ) ) )
Formal
Proof
a s s e r t ( o_pps ) ;
Pictures
Ź Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

167 / 275
Other Possibilities
Welcome How else might you use this?
Motivation
˝ Bypassing the runup for an external peripheral
Basics
˝ Testing a real-time clock or date
Clocked and $past

k Induction Or . . . how about that CPU?

Bus Properties

Free Variables

Abstraction
Lesson Overview
Formal
Proof
Pictures
Ź Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

168 / 275
Exercise
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables Let’s modify this abstract counter

Abstraction
Lesson Overview ˝ Increment by one, rather than fractionally
Formal
Proof Exercise Objectives:
Pictures
Examples
Ź Exercise
˝ Prove a design works both with and without abstraction
Invariants
˝ Gain some confidence using abstraction
Multiple-Clocks

Cover

Sequences

Parting Thoughts

169 / 275
Exercise #8
Welcome Your task:
Motivation
˝ Rebuild the counter
Basics
˝ Make it increment by one
Clocked and $past
˝ Build it so that . . .
k Induction

Bus Properties always @ ( ∗ )

Free Variables a s s e r t ( o_carry == ( r_count == 0 ) ) ;
Abstraction
Lesson Overview
Formal
// and
Proof
Pictures always @ ( posedge i_clk )
Examples
Ź Exercise i f ( ( f_past_valid )&&(! $past (&r_count ) ) )
Invariants a s s e r t ( ! o_carry ) ;
Multiple-Clocks

Cover
˝ Prove that this abstracted counter works
Sequences

Parting Thoughts

170 / 275
Exercise #8
Welcome Your task:
Motivation
˝ Rebuild the counter
Basics
˝ Make it increment by one
Clocked and $past
˝ Prove that this abstracted counter works
k Induction

Bus Properties

Free Variables

Abstraction
Lesson Overview
Formal
Proof
Pictures
Examples
Ź Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

171 / 275
Exercise #8
Welcome Your task:
Motivation
˝ Rebuild the counter
Basics
˝ Make it increment by one
Clocked and $past
˝ Prove that this abstracted counter works
k Induction

Bus Properties Hints:

Free Variables

Abstraction
˝ &r_count must take place before r_count==0
Lesson Overview ˝ You cannot skip &r_count
Formal
Proof ˝ Neither can you skip r_count == 0
Pictures
Examples
Ź Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

171 / 275
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Invariants
Ź Invariants
Lesson Removed

Multiple-Clocks

Cover

Sequences

Parting Thoughts

172 / 275
Lesson Removed
Welcome This lesson is currently being revised, and will be released again
Motivation shortly
Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants
Ź Lesson Removed

Multiple-Clocks

Cover

Sequences

Parting Thoughts

173 / 275
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Multiple-Clocks
Invariants

Ź Multiple-Clocks
Basics
SBY File
$global clock
$rose
$stable
Examples
Exercises

Cover

Sequences

Parting Thoughts

174 / 275
Lesson Overview
Welcome The SymbiYosys option multiclock . . .
Motivation
˝ Used to process systems with dissimilar clocks
Basics
˝ Examples
Clocked and $past

k Induction – A serial port, with a formally generated transmitter

Bus Properties coming from a different clock domain
Free Variables
– A SPI controller that needs both high speed and low
Abstraction
speed logic
Invariants

Multiple-Clocks
Ź Basics
Our Objective:
SBY File
$global clock
˝ To learn how to handle multiple clocks within a design
$rose
$stable – $global clock
Examples – $stable, $changed
Exercises

Cover
– $rose, $fell
Sequences

Parting Thoughts

175 / 275
SymbiYosys config change
Welcome [ options ]
Motivation mode prove
Basics multiclock on
Clocked and $past

k Induction [ engines ]
Bus Properties smtbmc
Free Variables

Abstraction [ script ]
Invariants read ´vhdl module . vhd
Multiple-Clocks read ´formal module_vhd . sv
Basics prep ´top module
Ź SBY File
$global clock
$rose [ files ]
$stable
# file list
Examples
Exercises

Cover

Sequences

Parting Thoughts

176 / 275
SymbiYosys config change
Welcome [ options ]
Motivation mode prove
Basics multiclock on Multiple clocks require this line
Clocked and $past

k Induction [ engines ]
Bus Properties smtbmc
Free Variables

Cover

Sequences

Parting Thoughts

176 / 275
Five Tools
Welcome ˝ $global clock
Motivation A global simulation clock, updated on each time-step
Basics ˝ $stable
Clocked and $past True if a signal is stable (i.e. doesn’t change) with this clock.
k Induction
Equivalent to A == $past(A)
Bus Properties
˝ $changed
Free Variables
True if a signal has changed since the last clock tick.
Abstraction

Invariants
Equivalent to A != $past(A)
Multiple-Clocks
˝ $rose
Basics True if the signal rises on this simulation step
Ź SBY File
$global clock This is very useful for positive edged clocks transitions
$rose
$rose(A) is equivalent to (A[0])&&(!$past(A[0]))
$stable
Examples ˝ $fell
Exercises
True if a signal falls on this simulation step, creating a
Cover
negative edge
Sequences
$fell (A) is equivalent to (!A[0])&&($past(A[0]))
Parting Thoughts

177 / 275
$global clock
Welcome ˝ A global simulation clock, updated on each time-step
Motivation
( ∗ gclk ∗ ) w i r e gbl_clk ;
Basics
g l o b a l c l o c k i n g @ ( posedge gbl_clk ) ; e n d c l o c k i n g
Clocked and $past

k Induction
˝ You can use this to describe clock properties
Bus Properties

Free Variables // Assume a s i n g l e c l o c k s i g n a l

Abstraction //
Invariants reg f_last_clk ;
Multiple-Clocks
Basics i n i t i a l f_last_clk = 0 ;
SBY File
Ź $global clock
always @ ( $ g l o b a l c l o c k )
$rose begin
$stable f_last_clk <= ! f_last_clk ;
Examples
Exercises
assume ( i_clk == f_last_clk ) ;
Cover
end
Sequences

Parting Thoughts

178 / 275
$global clock
Welcome ˝ A global simulation clock, updated on each time-step
Motivation
( ∗ gclk ∗ ) w i r e gbl_clk ;
Basics
g l o b a l c l o c k i n g @ ( posedge gbl_clk ) ; e n d c l o c k i n g
Clocked and $past

k Induction
˝ You can use this to describe clock properties
Bus Properties

Free Variables // Assume two r e l a t e d c l o c k s i g n a l s

Abstraction //
Invariants reg [3:0] f_clk_counter ;
Multiple-Clocks
Basics i n i t i a l f_clk_counter = 0 ;
SBY File
Ź $global clock
always @ ( $ g l o b a l c l o c k )
$rose begin
$stable f_clk_counter <= f_clk_counter + 1 ’ b1 ;
Examples
Exercises
assume ( i_clk_fast == f_clk_counter [ 0 ] ) ;
Cover
assume ( i_clk_slow == f_clk_counter [ 3 ] ) ;
Sequences
end
Parting Thoughts

179 / 275
$global clock
Welcome ˝ A global simulation clock, updated on each time-step
Motivation ˝ You can use this to describe clock properties
Basics
// Assume two c l o c k s , same sp eed ,
Clocked and $past
// unknown c o n s t a n t p h a s e o f f s e t
k Induction
// ...
Bus Properties
(∗ anyconst ∗ ) w i r e [ 3 : 0 ] f_clk_offset ;
Free Variables

Abstraction
i n i t i a l f_clk_counter= 0 ;
Invariants
always @ ( $ g l o b a l c l o c k )
Multiple-Clocks
Basics
begin
SBY File f_clk_counter <= f_clk_counter + 1 ’ b1 ;
Ź $global clock f_clk_two <= f_clk_counter
$rose
$stable + f_clk_offset ;
Examples assume ( i_clk_one == f_clk_counter [ 3 ] ) ;
Exercises
assume ( i_clk_two == f_clk_two [ 3 ] ) ;
Cover
end
Sequences

Parting Thoughts

180 / 275
$global clock
Welcome How might you describe two unrelated clocks?
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
Ź $global clock
$rose
$stable
Examples
Exercises

Cover

Sequences

Parting Thoughts

181 / 275
$global clock
Welcome How might you describe two unrelated clocks?
Motivation
( ∗ anyconst ∗ ) w i r e [ 7 : 0 ] f_a_step ;
Basics
always @ ( ∗ )
Clocked and $past
assume ( ( f_a_step > 0 )
k Induction
&&(f_a_step [ 7 ] == 1 ’ b0 ) ) ;
Bus Properties

Free Variables
always @ ( $ g l o b a l c l o c k )
Abstraction
begin
Invariants
f_a_counter <= f_a_counter + f_a_step ;
Multiple-Clocks
Basics
SBY File assume ( i_clk_a == f_a_counter [ 7 ] ) ;
Ź $global clock end
$rose
$stable
Examples
Exercises ˝ The (∗ anyconst ∗) will take on any arbitrary, but constant
Cover value
Sequences ˝ You can repeat this logic for the second clock.
Parting Thoughts

181 / 275
$rose
Welcome Synchronous logic has some requirements
Motivation
˝ Inputs should only change on a clock edge
Basics
They should be stable otherwise
Clocked and $past
˝ $rose(i_clk) can be used to express this
k Induction

Bus Properties Here’s an example using $rose(i_clk) . . .

Free Variables

Abstraction
always @ ( $ g l o b a l c l o c k )
Invariants
i f ( ! $ros e ( i_clk ) )
Multiple-Clocks
assume ( i_input == $past ( i_input ) ) ;
Basics
SBY File
$global clock
Ź $rose
$stable
Examples
Exercises

Cover

Sequences

Parting Thoughts

182 / 275
$rose
Welcome Would this work?
Motivation
always @ ( $ g l o b a l c l o c k )
Basics
i f ( ! $ros e ( i_clk ) )
Clocked and $past
a s s e r t ( i_input == $past ( i_input ) ) ;
k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
$global clock
Ź $rose
$stable
Examples
Exercises

Cover

Sequences

Parting Thoughts

183 / 275
$rose
Welcome Would this work?
Motivation
always @ ( $ g l o b a l c l o c k )
Basics
i f ( ! $ros e ( i_clk ) )
Clocked and $past
a s s e r t ( i_input == $past ( i_input ) ) ;
k Induction

Bus Properties

Free Variables ˝ No. The general rule hasn’t changed

Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
$global clock
Ź $rose
$stable
Examples
Exercises

Cover

Sequences

Parting Thoughts

183 / 275
$rose
Welcome Could we do it this way?
Motivation
always @ ( $ g l o b a l c l o c k )
Basics
i f ( $ f e l l ( i_clk ) )
Clocked and $past
a s s e r t ( state == $past ( state ) ) ;
k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
$global clock
Ź $rose
$stable
Examples
Exercises

Cover

Sequences

Parting Thoughts

184 / 275
$rose
Welcome Could we do it this way?
Motivation
always @ ( $ g l o b a l c l o c k )
Basics
i f ( $ f e l l ( i_clk ) )
Clocked and $past
a s s e r t ( state == $past ( state ) ) ;
k Induction

Bus Properties

Free Variables ˝ No, this doesn’t work either

Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
$global clock
Ź $rose
$stable
Examples
Exercises

Cover

Sequences

Parting Thoughts

184 / 275
$rose
Welcome Is this equivalent?
Motivation
always @ ( $ g l o b a l c l o c k )
Basics
i f ( ! $past ( i_clk ) )
Clocked and $past
a s s e r t ( state == $past ( state ) ) ;
k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
$global clock
Ź $rose
$stable
Examples
Exercises

Cover

Sequences

Parting Thoughts

185 / 275
$rose
Welcome Is this equivalent?
Motivation
always @ ( $ g l o b a l c l o c k )
Basics
i f ( ! $past ( i_clk ) )
Clocked and $past
a s s e r t ( state == $past ( state ) ) ;
k Induction

Bus Properties

Free Variables ˝ Why not?

Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
$global clock
Ź $rose
$stable
Examples
Exercises

Cover

Sequences

Parting Thoughts

185 / 275
$rose
Welcome This fixes our problems. Will this work?
Motivation
always @ ( $ g l o b a l c l o c k )
Basics
i f ( ! $ros e ( i_clk ) )
Clocked and $past
a s s e r t ( state == $past ( state ) ) ;
k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
$global clock
Ź $rose
$stable
Examples
Exercises

Cover

Sequences

Parting Thoughts

186 / 275
$rose
Welcome This fixes our problems. Will this work?
Motivation
always @ ( $ g l o b a l c l o c k )
Basics
i f ( ! $ros e ( i_clk ) )
Clocked and $past
a s s e r t ( state == $past ( state ) ) ;
k Induction

Bus Properties

Free Variables ˝ Not quite. Can you see the problem?

Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
$global clock
Ź $rose
$stable
Examples
Exercises

Cover

Sequences

Parting Thoughts

186 / 275
$rose
Welcome ˝ State/outputs should be clock synchronous
Motivation
always @ ( $ g l o b a l c l o c k )
Basics
i f ( ( f_past_valid )&&(! $ros e ( i_clk ) )
Clocked and $past
a s s e r t ( state == $past ( state ) ) ;
k Induction

Bus Properties
˝ With f_past_valid this works
Free Variables
˝ $rose requires a clock, such as
Abstraction
always @($global clock)
Invariants

Multiple-Clocks
Basics
SBY File
$global clock
Ź $rose
$stable
Examples
Exercises

Cover

Sequences

Parting Thoughts

187 / 275
$stable
Welcome Describes a signal which has not changed
Motivation
˝ Requires a clock edge
Basics

Clocked and $past always @($global clock)

k Induction always @(posedge i_clk)
Bus Properties
˝ Caution: The value might still change between clock edges
Free Variables

Abstraction always @ ( $ g l o b a l c l o c k )
Invariants i f ( ( f_past_valid )&&(! $ros e ( i_clk ) ) )
Multiple-Clocks a s s e r t ( $ s t a b l e ( state ) ) ;
Basics
SBY File
$global clock ˝ This is basically the same as state == $past(state)
$rose
Ź $stable
Examples
Exercises

Cover

Sequences

Parting Thoughts

188 / 275
$fell
Welcome $fell is like $rose, only it describes a negative edge
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
$global clock
$rose
Ź $stable
Examples
Exercises

Cover

Sequences

Parting Thoughts

189 / 275
Examples
Welcome ˝ Most logic doesn’t need the multiclock option
Motivation ˝ To help with logic that might need it, I use a parameter
Basics

Clocked and $past parameter [ 0 : 0 ] F_OPT_CLK2FFLOGIC = 1 ’ b0 ;

k Induction

Bus Properties generate i f ( F_OPT_CLK2FFLOGIC )

Free Variables begin
Abstraction always @ ( $ g l o b a l c l o c k )
Invariants i f ( ( f_past_valid )&&(! $ros e ( i_clk ) ) )
Multiple-Clocks begin
Basics
SBY File
assume ( $ s t a b l e ( i_axi_awready ) ) ;
$global clock assume ( $ s t a b l e ( i_axi_wready ) ) ;
$rose //
$stable
Ź Examples
a s s e r t ( $ s t a b l e ( o_axi_bid ) ) ;
Exercises // . . .
Cover end
Sequences end endgenerate
Parting Thoughts

190 / 275
Ex SPI Port
Welcome o CS n
Motivation
o SCK
Basics
o MOSI
Clocked and $past

k Induction
i MISO
Bus Properties

Free Variables
˝ How would you formally describe the o_SCK and o_CS_n
Abstraction relationship?
Invariants

Multiple-Clocks
Basics
SBY File
$global clock
$rose
$stable
Ź Examples
Exercises

Cover

Sequences

Parting Thoughts

191 / 275
Ex SPI Port
Welcome o CS n
Motivation
o SCK
Basics
o MOSI
Clocked and $past

k Induction
i MISO
Bus Properties

Free Variables
˝ How would you formally describe the o_SCK and o_CS_n
Abstraction relationship?
Invariants

Multiple-Clocks i n i t i a l a s s e r t ( o_CS_n ) ;
Basics
i n i t i a l a s s e r t ( o_SCK ) ;
SBY File
$global clock
$rose always @ ( ∗ )
$stable
Ź Examples
i f ( ! o_SCK )
Exercises a s s e r t ( ! o_CS_n ) ;
Cover

Sequences

Parting Thoughts

191 / 275
Ex SPI Port
Welcome o CS n
Motivation
o SCK
Basics
o MOSI
Clocked and $past

k Induction
i MISO
Bus Properties

Free Variables
˝ How would you formally describe the o_SCK and o_CS_n
Abstraction relationship?
Invariants

Multiple-Clocks always @ ( $ g l o b a l c l o c k )
Basics
i f ( ( f_past_valid )
SBY File
$global clock &&(( $ros e ( o_CS_n ) ) | | ( $ f e l l ( o_CS_n ) ) ) )
$rose a s s e r t ( ( o_SCK)&&( $ s t a b l e ( o_SCK ) ) ) ;
$stable
Ź Examples
Exercises

Cover

Sequences

Parting Thoughts

192 / 275
Ex SPI Port
Welcome o CS n
Motivation
o SCK
Basics
o MOSI
Clocked and $past

k Induction
i MISO
Bus Properties

Free Variables
˝ How would you describe o_MOSI?
Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
$global clock
$rose
$stable
Ź Examples
Exercises

Cover

Sequences

Parting Thoughts

193 / 275
Ex SPI Port
Welcome o CS n
Motivation
o SCK
Basics
o MOSI
Clocked and $past

k Induction
i MISO
Bus Properties

Free Variables
˝ How would you describe o_MOSI?
Abstraction

Invariants always @ ( $ g l o b a l c l o c k )
Multiple-Clocks i f ( ( f_past_valid )&&(! o_CS_n )&&(! $ f e l l ( o_SCK ) ) )
Basics a s s e r t ( $ s t a b l e ( o_MOSI ) ) ;
SBY File
$global clock
$rose
$stable
Ź Examples
Exercises

Cover

Sequences

Parting Thoughts

193 / 275
Ex SPI Port
Welcome o CS n
Motivation
o SCK
Basics
o MOSI
Clocked and $past

k Induction
i MISO
Bus Properties

Free Variables
˝ How would you describe i_MISO?
Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
$global clock
$rose
$stable
Ź Examples
Exercises

Cover

Sequences

Parting Thoughts

194 / 275
Ex SPI Port
Welcome o CS n
Motivation
o SCK
Basics
o MOSI
Clocked and $past

k Induction
i MISO
Bus Properties

Free Variables
˝ How would you describe i_MISO?
Abstraction

Invariants always @ ( $ g l o b a l c l o c k )
Multiple-Clocks i f ( ( ! o_CS_n)&&(o_SCK ) )
Basics assume ( $ s t a b l e ( i_MISO ) ) ;
SBY File
$global clock
$rose
$stable
Ź Examples
Exercises

Cover

Sequences

Parting Thoughts

194 / 275
Ex SPI Port
Welcome o CS n
Motivation
o SCK
Basics
o MOSI
Clocked and $past

k Induction
i MISO
Bus Properties

Free Variables
˝ Should the i_MISO be able to change more than once per
Abstraction clock?
Invariants

Multiple-Clocks
Basics
SBY File
$global clock
$rose
$stable
Ź Examples
Exercises

Cover

Sequences

Parting Thoughts

195 / 275
Ex SPI Port
Welcome ˝ A little logic will force i_MISO to have only one transition per
Motivation clock
Basics
always @ ( $ g l o b a l c l o c k )
Clocked and $past
i f ( ( o_CS_n ) | | ( o_SCK ) )
k Induction
f_chgd <= 1 ’ b0 ;
Bus Properties
e l s e i f ( i_MISO != $past ( i_MISO ) )
Free Variables
f_chgd <= 1 ’ b1 ;
Abstraction

Invariants
always @ ( $ g l o b a l c l o c k )
Multiple-Clocks
Basics
i f ( ( f_past_valid)&&(f_chgd ) )
SBY File assume ( $ s t a b l e ( i_MISO ) ) ;
$global clock
$rose
$stable
˝ How would we force exactly 8 o_SCK clocks?
Ź Examples
Exercises

Cover

Sequences

Parting Thoughts

196 / 275
Ex SPI Port
Welcome ˝ Forcing exactly 8 clocks
Motivation
always @ ( $ g l o b a l c l o c k )
Basics
i f ( o_CS_n )
Clocked and $past
f_spi_bits <= 0 ;
k Induction
e l s e i f ( $ros e ( o_SCK ) )
Bus Properties
f_spi_bits <= f_spi_bits + 1 ’ b1 ;
Free Variables

Abstraction
always @ ( $ g l o b a l c l o c k )
Invariants
i f ( ( f_past_valid)&&( $ros e ( o_CS_n ) ) )
Multiple-Clocks a s s e r t ( f_spi_bits == 8 ) ;
Basics
SBY File
$global clock ˝ Don’t forget the induction requirement
$rose
$stable always @ ( ∗ )
Ź Examples
a s s e r t ( f_spi_bits <= 8 ) ;
Exercises

Cover

Sequences

Parting Thoughts

197 / 275
Exercises
Welcome Three exercises, chose one to verify:
Motivation
1. Input serdes
Basics
exercises-09/[Link]
Clocked and $past

k Induction
2. Clock gate
Bus Properties
exercises-10/[Link]
Free Variables 3. Clock Switch
Abstraction exercises-11/[Link]
Invariants

Multiple-Clocks
Basics
SBY File
$global clock
$rose
$stable
Examples
Ź Exercises

Cover

Sequences

Parting Thoughts

198 / 275
Ex: Input Serdes
Welcome Getting a SERDES right is a good example of multiple clocks
Motivation

Basics i fast clk

Clocked and $past
i pin
k Induction
i slow clk
Bus Properties

Free Variables
o word 0x0b

Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
$global clock
$rose
$stable
Examples
Ź Exercises

Cover

Sequences

Parting Thoughts

199 / 275
Ex: Input Serdes
Welcome Getting a SERDES right is a good example of multiple clocks
Motivation
˝ Two clocks, one fast and one slow
Basics

Clocked and $past Clocks must be synchronous

k Induction $rose(slow_clk) implies $rose(fast_clk)
Bus Properties
˝ exercise-09/ Contains the file iserdes.v
Free Variables

Abstraction
˝ Can you formally verify that it works?
Invariants

Multiple-Clocks
Basics
SBY File
$global clock
$rose
$stable
Examples
Ź Exercises

Cover

Sequences

Parting Thoughts

200 / 275
Ex: Input Serdes
Welcome Be aware of the asynchronous reset signal!
Motivation

Basics i areset n
Clocked and $past
i fast clk
k Induction
i pin
Bus Properties

Free Variables
i slow clk
Abstraction o word Prior value RESET RESET

Invariants

Multiple-Clocks ˝ Can be asserted at any time

Basics
SBY File
˝ Can only be de-asserted on $rose(i_slow_clk)
$global clock ˝ assume() these properties, since the reset is an input
$rose
$stable
Examples
Ź Exercises

Cover

Sequences

Parting Thoughts

201 / 275
Ex: Clock Gate
Welcome The goal: a clock that can be gated, that doesn’t glitch
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
˝ exercise-10/ Contains the file [Link]
Invariants

Multiple-Clocks
Basics
SBY File
$global clock
$rose
$stable
Examples
Ź Exercises

Cover

Sequences

Parting Thoughts

202 / 275
Ex: Clock Gate
Welcome The goal: a clock that can be gated, that doesn’t glitch
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants
i clk
Multiple-Clocks i en
Basics
SBY File
o clk
$global clock
$rose
$stable
Examples
Ź Exercises

Cover

Sequences

Parting Thoughts

203 / 275
Ex: Clock Gate
Welcome The goal: a clock that can be gated, that doesn’t glitch
Motivation
˝ One clock, one unrelated enable
Basics
˝ Prove that the output clock
Clocked and $past

k Induction – is always high for the full width, but

Bus Properties – . . . never longer.
Free Variables
– For any clock rate
Abstraction

Invariants See exercise-10/clkgate.v

Multiple-Clocks
Basics
SBY File
$global clock
$rose
$stable
Examples
Ź Exercises

Cover

Sequences

Parting Thoughts

204 / 275
Ex: Clock Gate
Welcome Hints:
Motivation
˝ The output clock should only rise if the incoming clock rises
Basics
˝ The output clock should only fall if the incoming clock fall
Clocked and $past
˝ If the output clock is ever high, it should always fall with the
k Induction

Bus Properties
incoming clock
Free Variables
Be aware of the reset! The output clock might fall mid-clock
Abstraction
period due to the asynchronous reset.
Invariants

Multiple-Clocks
Basics
SBY File
$global clock
$rose
$stable
Examples
Ź Exercises

Cover

Sequences

Parting Thoughts

205 / 275
Ex: Clock Switch
Welcome Goal: To safely switch from one clock frequency to another
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
$global clock
$rose
$stable
Examples
Ź Exercises

Cover

Sequences

Parting Thoughts

206 / 275
Ex: Clock Switch
Welcome Goal: To safely switch from one clock frequency to another
Motivation
˝ Inputs
Basics

Clocked and $past – Two arbitrary clocks

k Induction – One select line
Bus Properties

Free Variables Prove that the output clock

Abstraction
˝ Is always high (or low) for at least the duration of one of the
Invariants

Multiple-Clocks
clocks
Basics ˝ Doesn’t stop
SBY File
$global clock You may need to constrain the select line.
$rose
$stable
Examples
Ź Exercises

Cover

Sequences

Parting Thoughts

207 / 275
Ex: Clock Switch
Welcome Hints:
Motivation
˝ You may assume the reset is only ever initially true
Basics
˝ Only one set of FF’s should ever change at any time
Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
$global clock
$rose
$stable
Examples
Ź Exercises

Cover

Sequences

Parting Thoughts

208 / 275
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Cover
Invariants

Multiple-Clocks

Ź Cover
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Counter

Sequences

Parting Thoughts

209 / 275
Lesson Overview
Welcome The cover element is used to make certain something remains
Motivation possible
Basics
˝ BMC and induction test safety properties
Clocked and $past

k Induction
They prove that something will not happen
Bus Properties
˝ Cover tests a liveness property
Free Variables It proves that something may happen
Abstraction
Objectives
Invariants

Multiple-Clocks ˝ Understand why cover is important

Cover ˝ Understand how to use cover
Ź Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Counter

Sequences

Parting Thoughts

210 / 275
Why Cover
Welcome Personal examples:
Motivation
˝ Forgot to set f_past_valid to one
Basics
Many assertions were ignored
Clocked and $past
˝ Av to WB bridge, passed FV, but couldn’t handle writes
k Induction

Bus Properties
˝ Error analysis
Free Variables The simulation trace doesn’t make sense. Can it be
Abstraction reproduced?
Invariants ˝ As an anti-assertion
Multiple-Clocks Can this situation actually happen?
Cover
Ź Lesson Overview What is cover good for? Catching the careless assumption!
BMC vs Cover
Cover in Verilog
What else? Ad hoc simulation traces!
State Space
SymbiYosys
Examples
Counter

Sequences

Parting Thoughts

211 / 275
BMC vs Cover
Welcome Cover is more like BMC than Induction is
Motivation
˝ BMC
Basics

Clocked and $past

k Induction

Bus Properties ˝ Cover

Free Variables

Abstraction

Invariants

Multiple-Clocks ˝ BMC searches for failures

Cover ˝ Cover searches for a success
Lesson Overview
Ź BMC vs Cover Formally, we might say . . .
Cover in Verilog
State Space
SymbiYosys
˝ BMC + k-Induction: proof for all
Examples @assume()ñ @assert()
Counter
˝ Cover: there exists one
Sequences
@assume()ñ Dcover()
Parting Thoughts

212 / 275
Cover in Verilog
Welcome Just like an assumption or an assertion
Motivation
// Make s u r e a w r i t e i s p o s s i b l e
Basics
always @ ( posedge i_clk )
Clocked and $past
cover ( ( o_wb_stb )&&(! i_wb_stall)&&(o_wb_we ) ) ;
k Induction

Bus Properties
// Or
Free Variables

Abstraction
// What h a p p e n s when a bus c y c l e i s a b o r t e d ?
Invariants
always @ ( posedge i_clk )
Multiple-Clocks i f ( i_reset )
Cover cover ( ( o_wb_cyc)&&(f_wb_outstanding > 0 ) ) ;
Lesson Overview
BMC vs Cover
Ź Cover in Verilog Well, almost but not quite.
State Space
SymbiYosys
Examples
Counter

Sequences

Parting Thoughts

213 / 275
Cover in Verilog
Welcome Assert and cover handle surrounding logic differently
Motivation
˝ Assert logic
Basics

Clocked and $past always @ ( posedge i_clk )

k Induction i f (A)
Bus Properties assert (B ) ;
Free Variables

Abstraction is equivalent to,

Invariants
always @ ( posedge i_clk )
Multiple-Clocks
assert ( (! A) | | (B) ) ;
Cover
Lesson Overview
BMC vs Cover This is not true of cover.
Ź Cover in Verilog
State Space
SymbiYosys
Examples
Counter

Sequences

Parting Thoughts

214 / 275
Cover in Verilog
Welcome Assert and cover handle surrounding logic differently
Motivation
˝ Assert logic
Basics
˝ Cover logic
Clocked and $past

k Induction always @ ( posedge i_clk )

Bus Properties i f (A)
Free Variables cover ( B ) ;
Abstraction

Invariants is equivalent to,

Multiple-Clocks
always @ ( posedge i_clk )
Cover
Lesson Overview
cover ( ( A ) && ( B ) ) ;
BMC vs Cover // NOT t h e same a s
Ź Cover in Verilog // a s s e r t ( ( ! A) | | (B) ) ;
State Space
SymbiYosys
Examples
Counter

Sequences

Parting Thoughts

215 / 275
State Space
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover
Lesson Overview
BMC vs Cover
Cover in Verilog ˝ Goal is to prove certain state’s are reachable
Ź State Space
˝ Prover solves for example traces
SymbiYosys
Examples
Counter

Sequences

Parting Thoughts

216 / 275
SymbiYosys
Welcome The SymbiYosys script for cover needs to change as well
Motivation
˝ SymbiYosys needs the option: mode cover
Basics
˝ Produces one trace per cover statement
Clocked and $past

k Induction
. . . or fail
Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
Ź SymbiYosys
Examples
Counter

Sequences

Parting Thoughts

217 / 275
SymbiYosys cover config
Welcome [ options ]
Motivation mode cover
Basics depth 40
Clocked and $past append 20
k Induction

Bus Properties [ engines ]

Free Variables smtbmc
Abstraction

Invariants [ script ]
Multiple-Clocks read ´vhdl module . vhd
Cover read ´formal module_vhd . sv
Lesson Overview prep ´top module
BMC vs Cover
Cover in Verilog
State Space [ files ]
Ź SymbiYosys
# file list
Examples
Counter

Sequences

Parting Thoughts

218 / 275
SymbiYosys cover config
Welcome [ options ]
Motivation mode cover Run a coverage analysis
Basics depth 40
Clocked and $past append 20
k Induction

Bus Properties [ engines ]

Free Variables smtbmc
Abstraction

Sequences

Parting Thoughts

218 / 275
SymbiYosys cover config
Welcome [ options ]
Motivation mode cover
Basics depth 40 How far to look for a covered state
Clocked and $past append 20
k Induction

Bus Properties [ engines ]

Free Variables smtbmc
Abstraction

Sequences

Parting Thoughts

218 / 275
SymbiYosys cover config
Welcome [ options ]
Motivation mode cover
Basics depth 40
Clocked and $past append 20 Follow each trace with 20 extra clocks
k Induction

Bus Properties [ engines ]

Free Variables smtbmc
Abstraction

Sequences

Parting Thoughts

218 / 275
Cover Failures
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover
Lesson Overview Two basic types of cover failures
BMC vs Cover
Cover in Verilog 1. Covered state is unreachable
State Space
Ź SymbiYosys
No VCD file will be generated upon failure
Examples 2. Covered state is reachable, but only by breaking assertions
Counter

Sequences
VCD file will be generated
Parting Thoughts

219 / 275
Ex: I-Cache
Welcome Consider a CPU I-cache:
Motivation
always @ ( posedge i_clk )
Basics
cover ( o_valid ) ;
Clocked and $past

k Induction
With no other formal logic, what will this trace look like?
Bus Properties

Free Variables ˝ CPU must provide a PC address

Abstraction ˝ Design must fill the appropriate cache line
Invariants ˝ Design returns an item from that cache line
Multiple-Clocks
That’s a lot of trace for two lines of added code!
Cover
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Ź Examples
Counter

Sequences

Parting Thoughts

220 / 275
Ex: Flash
Welcome Consider a Flash controller:
Motivation
always @ ( posedge i_clk )
Basics
cover ( o_wb_ack ) ;
Clocked and $past

k Induction
With no other formal logic, what will this trace look like?
Bus Properties
The controller must,
Free Variables

Abstraction ˝ Initialize the flash device

Invariants ˝ Accept a bus request
Multiple-Clocks ˝ Request a read from the flash
Cover ˝ Accumulate the result to return on the bus
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Ź Examples
Counter

Sequences

Parting Thoughts

221 / 275
Ex: MMU
Welcome Consider a Memory Management Unit (MMU):
Motivation
always @ ( posedge i_clk )
Basics
cover ( o_wb_ack ) ;
Clocked and $past

k Induction
The MMU must,
Bus Properties

Free Variables ˝ Be told a TLB entry

Abstraction ˝ Accept a bus request
Invariants ˝ Look the request up in the TLB
Multiple-Clocks ˝ Forward the modified request downstream
Cover
Lesson Overview
˝ Wait for a return
BMC vs Cover ˝ Forward the value returned upstream
Cover in Verilog
State Space
SymbiYosys
Ź Examples
Counter

Sequences

Parting Thoughts

222 / 275
Ex: SDRAM
Welcome How about an SDRAM controller?
Motivation
always @ ( posedge i_clk )
Basics
cover ( o_wb_ack ) ;
Clocked and $past

k Induction
The controller must,
Bus Properties

Free Variables ˝ Initialize the SDRAM

Abstraction ˝ Accept a bus request
Invariants ˝ Activate a row on a bank
Multiple-Clocks ˝ Issue a read (or write) command from that row
Cover ˝ Wait for a return value
Lesson Overview
BMC vs Cover ˝ Return the result
Cover in Verilog
State Space
SymbiYosys
Ź Examples
Counter

Sequences

Parting Thoughts

223 / 275
Counter
Welcome Remember our counter?
Motivation
signal counts : unsigned ( 1 5 downto 0 )
Basics
:= to_unsigned ( 0 , 1 6 ) ;
Clocked and $past
´´´´´
k Induction
p r o c e s s ( i_clk )
Bus Properties
begin
Free Variables
i f ( rising_edge ( i_clk ) ) then
Abstraction
i f ( ( i_start_signal = ’ 1 ’ )
Invariants
and ( 0 = counts ) ) then
Multiple-Clocks counts <= to_unsigned ( MAX_AMOUNT ´1, 1 6 ) ;
Cover else
Lesson Overview
BMC vs Cover counts <= counts ´ 1 ;
Cover in Verilog end i f ;
State Space
SymbiYosys
end i f ;
Examples end p r o c e s s ;
Ź Counter

Sequences o_busy <= ’ 1 ’ when ( 0 = counts ) e l s e ’0 ’;

Parting Thoughts

224 / 275
Examples
Welcome Let’s add some cover statements. . .
Motivation
// T r a n s i t i o n t o b u s y
Basics
always @ ( posedge i_clk )
Clocked and $past
i f ( ( f_past_valid )&&(! $past ( o_busy ) ) )
k Induction
cover ( o_busy ) ;
Bus Properties

Free Variables
// T r a n s i t i o n back t o i d l e
Abstraction
always @ ( posedge i_clk )
Invariants
i f ( ( f_past_valid)&&( $past ( o_busy ) ) )
Multiple-Clocks cover ( ! o_busy ) ;
Cover
Lesson Overview
BMC vs Cover // Mid´c y c l e
Cover in Verilog always @ ( posedge i_clk )
State Space
SymbiYosys
cover ( counter == 3 ) ;
Examples
Ź Counter Will SymbiYosys find traces?
Sequences

Parting Thoughts

225 / 275
Examples
Welcome How about now?
Motivation
always @ ( posedge i_clk )
Basics
cover ( ( o_busy)&&(counter == 0 ) ) ;
Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Ź Counter

Sequences

Parting Thoughts

226 / 275
Examples
Welcome How about now?
Motivation
always @ ( posedge i_clk )
Basics
cover ( ( o_busy)&&(counter == 0 ) ) ;
Clocked and $past

k Induction
Or this one,
Bus Properties

Free Variables always @ ( posedge i_clk )

Abstraction cover ( counter == MAX_AMOUNT ) ;
Invariants

Multiple-Clocks
Will these succeed?
Cover
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Ź Counter

Sequences

Parting Thoughts

226 / 275
Examples
Welcome How about now?
Motivation
always @ ( posedge i_clk )
Basics
cover ( ( o_busy)&&(counter == 0 ) ) ;
Clocked and $past

k Induction
Or this one,
Bus Properties

Free Variables always @ ( posedge i_clk )

Abstraction cover ( counter == MAX_AMOUNT ) ;
Invariants

Multiple-Clocks
Will these succeed? No. Both will fail
Cover ˝ These are outside the reachable state space
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Ź Counter

Sequences

Parting Thoughts

226 / 275
Examples
Welcome What if the state is unreachable?
Motivation
// Keep t h e c o u n t e r from e v e r s t a r t i n g
Basics
always @ ( ∗ )
Clocked and $past
assume ( ! i_start_signal ) ;
k Induction

Bus Properties
always @ ( posedge i_clk )
Free Variables
cover ( counter != 0 ) ;
Abstraction

Invariants Will this succeed?

Multiple-Clocks

Cover
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Ź Counter

Sequences

Parting Thoughts

227 / 275
Examples
Welcome What if the state is unreachable?
Motivation
// Keep t h e c o u n t e r from e v e r s t a r t i n g
Basics
always @ ( ∗ )
Clocked and $past
assume ( ! i_start_signal ) ;
k Induction

Bus Properties
always @ ( posedge i_clk )
Free Variables
cover ( counter != 0 ) ;
Abstraction

Invariants Will this succeed? No. This will fail with no trace.
Multiple-Clocks

Cover
˝ If i_start_signal is never true, the cover cannot be reached
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Ź Counter

Sequences

Parting Thoughts

227 / 275
Examples
Welcome What if an assertion needs to be violated?
Motivation
always @ ( ∗ )
Basics
a s s e r t ( counter != 1 0 ) ;
Clocked and $past

k Induction
always @ ( posedge i_clk )
Bus Properties
cover ( counter == 4 ) ;
Free Variables

Abstraction What will happen here?

Invariants

Multiple-Clocks

Cover
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Ź Counter

Sequences

Parting Thoughts

228 / 275
Examples
Welcome What if an assertion needs to be violated?
Motivation
always @ ( ∗ )
Basics
a s s e r t ( counter != 1 0 ) ;
Clocked and $past

k Induction
always @ ( posedge i_clk )
Bus Properties
cover ( counter == 4 ) ;
Free Variables

Abstraction What will happen here?

Invariants

Multiple-Clocks
˝ Cover statement is reachable
Cover ˝ But requires an assertion failure, so a trace is generated
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Ź Counter

Sequences

Parting Thoughts

228 / 275
Clock Switch
Welcome Covering the clock switch
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants
˝ Shows the clock switching from fast to slow,
Multiple-Clocks

Cover
˝ and again from slow to fast
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Ź Counter

Sequences

Parting Thoughts

229 / 275
Ex #8 Revisited
Welcome Return to your Wishbone arbiter. Let’s cover two cases:
Motivation
1. Cover both A and B receiving the bus
Basics
2. Cover how B will get the bus after A gets an
Clocked and $past

k Induction
acknowledgement
Bus Properties
3. Cover how A will get the bus after B gets an
Free Variables acknowledgement
Abstraction 4. Add to the last cover
Invariants
˝ B must request while A still holds the bus
Multiple-Clocks

Cover Plot and examine traces for both cases. Do they look right?
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Ź Counter

Sequences

Parting Thoughts

230 / 275
Ex #8 Revisited
Welcome Notice what we just proved:
Motivation
1. The arbiter will allow both sources to master the bus
Basics
2. The arbiter will transition from one source to another
Clocked and $past

k Induction
3. The arbiter won’t starve A or B
Bus Properties This wasn’t possible with just the safety properties (assert
Free Variables
statements)
Abstraction

Invariants

Multiple-Clocks

Cover
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Ź Counter

Sequences

Parting Thoughts

231 / 275
Discussion
Welcome When should you use cover?
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Ź Counter

Sequences

Parting Thoughts

232 / 275
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Sequences
Invariants

Multiple-Clocks

Cover

Ź Sequences
Overview
Clocking
Sequences
Exercise

Parting Thoughts

233 / 275
Lesson Overview
Welcome SystemVerilog has some amazing formal properties
Motivation
˝ property can be assumed or asserted
Basics
By rewriting our assert’s and assume’s as properties, we can
Clocked and $past

k Induction
then control when they are asserted or assumed better.
Bus Properties
˝ bind formal properties to a subset of your design
Free Variables Allows us to (finally) separate the properties from the module
Abstraction they support
Invariants ˝ sequence – A standard property description language
Multiple-Clocks
Objectives
Cover

Sequences ˝ Learn the basics of SystemVerilog Assertions

Ź Overview
Clocking ˝ Gain confidence with yosys+verific
Sequences
Exercise

Parting Thoughts

234 / 275
Building on the past
Welcome Much of what we’ve written can easily be rewritten in SVA
Motivation
always @ ( ∗ )
Basics
i f (A)
Clocked and $past
assert (B ) ;
k Induction

Bus Properties
can be rewritten as,
Free Variables

Abstraction always @ ( ∗ )
Invariants a s s e r t ( A |´> B ) ;
Multiple-Clocks

Cover

Sequences
Ź Overview
Clocking
Sequences
Exercise

Parting Thoughts

235 / 275
Building on the past
Welcome Much of what we’ve written can easily be rewritten in SVA
Motivation
always @ ( posedge i_clk )
Basics
i f ( ( f_past_valid)&&( $past ( A ) ) )
Clocked and $past
assert (B ) ;
k Induction

Bus Properties
Can be rewritten as,
Free Variables

Abstraction always @ ( posedge i_clk )

Invariants a s s e r t ( A |=> B ) ;
Multiple-Clocks

Cover a s s e r t p r o p e r t y ( @ ( posedge i_clk ) A |=> B ) ;

Sequences
Ź Overview
Clocking
Sequences
Exercise

Parting Thoughts

236 / 275
Building on the past
Welcome Much of what we’ve written can easily be rewritten in SVA
Motivation
always @ ( posedge i_clk )
Basics
i f ( ( f_past_valid)&&( $past ( A ) ) )
Clocked and $past
assert (B ) ;
k Induction

Bus Properties
Can be rewritten as,
Free Variables

Abstraction always @ ( posedge i_clk )

Invariants a s s e r t ( A |=> B ) ;
Multiple-Clocks

Cover a s s e r t p r o p e r t y ( @ ( posedge i_clk ) A |=> B ) ;

Sequences
Ź Overview
Clocking ˝ Read this as A implies B on the next clock tick.
Sequences
Exercise ˝ No f_past_valid required anymore. This is a statement
Parting Thoughts about the next clock tick, not the last one.
These equivalencies apply to assume() as well

236 / 275
Properties
Welcome You can also declare properties:
Motivation
p r o p e r t y SIMPLE_PROPERTY ;
Basics
@ ( posedge i_clk ) a |=> b ;
Clocked and $past
endproperty
k Induction

Bus Properties
a s s e r t p r o p e r t y ( SIMPLE_PROPERTY ) ;
Free Variables

Abstraction This would be the same as

Invariants

Multiple-Clocks
always @ ( posedge i_clk )
Cover
i f ( ( f_past_valid)&&( $past ( a ) ) )
Sequences
assert (b ) ;
Ź Overview
Clocking
Sequences
Exercise

Parting Thoughts

237 / 275
Assume vs Assert
Welcome You could also do something like:
Motivation
parameter [ 0 : 0 ] SUBMODULE = 1 ’ b0 ;
Basics

Clocked and $past

generate i f ( SUBMODULE )
k Induction
begin
Bus Properties
assume p r o p e r t y ( INPUT_PROP ) ;
Free Variables
a s s e r t p r o p e r t y ( LOCAL_PROP ) ;
Abstraction
a s s e r t p r o p e r t y ( OUTPUT_PROP ) ;
Invariants
end e l s e begin
Multiple-Clocks a s s e r t p r o p e r t y ( INPUT_PROP ) ;
Cover assume p r o p e r t y ( LOCAL_PROP ) ;
Sequences assume p r o p e r t y ( OUTPUT_PROP ) ;
Ź Overview
Clocking
end endgenerate
Sequences
Exercise Applications: Invariants, bus properties, etc.
Parting Thoughts

238 / 275
Parameterized Properties
Welcome Properties can also accept parameters
Motivation
p r o p e r t y IMPLIES ( a , b ) ;
Basics
a |´> b ;
Clocked and $past
endproperty
k Induction

Bus Properties
a s s e r t p r o p e r t y ( IMPLIES ( x , y ) ) ;
Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
Ź Overview
Clocking
Sequences
Exercise

Parting Thoughts

239 / 275
Parameterized Properties
Welcome Properties can also accept parameters
Motivation
p r o p e r t y IMPLIES_NEXT ( a , b ) ;
Basics
@ ( posedge i_clk ) a |=> b ;
Clocked and $past
endproperty
k Induction

Bus Properties
a s s e r t p r o p e r t y ( IMPLIES_NEXT ( x , y ) ) ;
Free Variables

Abstraction Remember, if you want to use |=>, $past, etc., you need to
Invariants
define a clock.
Multiple-Clocks

Cover

Sequences
Ź Overview
Clocking
Sequences
Exercise

Parting Thoughts

240 / 275
Clocking
Welcome Getting tired of writing @(posedge i_clk)?
Motivation
˝ You can set a default clock
Basics

Clocked and $past d e f a u l t c l o c k i n g @ ( posedge i_clk ) ;

k Induction endclocking
Bus Properties

Free Variables Assumes i_clk if no clock is given.

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
Overview
Ź Clocking
Sequences
Exercise

Parting Thoughts

241 / 275
Clocking
Welcome Getting tired of writing @(posedge i_clk)?
Motivation
˝ You can set a default clock
Basics
˝ You can set a default clock within a given block
Clocked and $past

k Induction c l o c k i n g @ ( posedge i_clk ) ;

Bus Properties // Your p r o p e r t i e s can go h e r e
Free Variables // As w i t h a s s e r t , assume ,
Abstraction // s e q u e n c e , e t c .
Invariants endclocking
Multiple-Clocks

Cover Assumes i_clk for all of the properties within the clocking
Sequences block.
Overview
Ź Clocking
Sequences
Exercise

Parting Thoughts

242 / 275
Sequences
Welcome So far with properties,
Motivation
˝ We haven’t done anything really all that new.
Basics
˝ We’ve just rewritten what we’ve done before in a new form.
Clocked and $past

k Induction Sequences are something new

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
Overview
Clocking
Ź Sequences
Exercise

Parting Thoughts

243 / 275
Sequence
Welcome With sequences, you can
Motivation
˝ Specify a series of actions
Basics

Clocked and $past sequence EXAMPLE ;

k Induction @ ( posedge i_clk ) a ##1 b ##1 c ##1 d ;
Bus Properties endsequence
Free Variables

Abstraction In this example, b always follows a by one clock, c follows b,

Invariants and d follows c
Multiple-Clocks

Cover

Sequences
Overview
Clocking
Ź Sequences
Exercise

Parting Thoughts

244 / 275
Sequence
Welcome With sequences, you can
Motivation
˝ Specify a series of actions, separated by some number of
Basics
clocks
Clocked and $past

k Induction sequence EXAMPLE ;

Bus Properties @ ( posedge i_clk ) a ##2 b ##5 c ;
Free Variables endsequence
Abstraction

Invariants In this example, b always follows a two clocks later, and c

Multiple-Clocks follows five clocks after b
Cover

Sequences
Overview
Clocking
Ź Sequences
Exercise

Parting Thoughts

245 / 275
Sequence
Welcome With sequences, you can
Motivation
˝ Specify a series of predicates, separated in time
Basics
˝ Can express range(s) of repeated values
Clocked and $past

k Induction sequence EXAMPLE ;

Bus Properties @ ( posedge i_clk ) b [ ∗ 2 : 3 ] ##1 c ;
Free Variables endsequence
Abstraction // i s e q u i v a l e n t t o . . .
Invariants sequence EXAMPLE_A_2x ; // 2 x
Multiple-Clocks @ ( posedge i_clk ) b ##1 b ##1 c ;
Cover endsequence
Sequences // o r
Overview sequence EXAMPLE_A_3x ; // 3 x
Clocking
Ź Sequences
@ ( posedge i_clk ) b ##1 b ##1 b ##1 c ;
Exercise endsequence
Parting Thoughts

246 / 275
Sequence
Welcome With sequences, you can
Motivation
˝ Specify a series of predicates, separated in time
Basics
˝ Can express range(s) of repeated values
Clocked and $past

k Induction – [∗0: M] Predicate may be skipped

Bus Properties – [∗N:M] specifies from N to M repeats
Free Variables
– [∗N:$] Repeats at least N times, with no maximum
Abstraction

Invariants
Ranges can include empty sequences, such as ##[∗0:4]
Multiple-Clocks ˝ Compose multiple sequences together
Cover
– AND, seq_1 and seq_2
Sequences
Overview – OR, seq_1 or seq_2
Clocking – NOT, not seq
Ź Sequences
Exercise

Parting Thoughts

247 / 275
And vs Intersect
Welcome The and and intersect operators are very similar
Motivation
˝ and is only true if both sequences are true
Basics
˝ intersect is only true if both sequences are true and have the
Clocked and $past

k Induction
same length
Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
Overview
Clocking
Ź Sequences
Exercise

Parting Thoughts

248 / 275
Equivalences
Welcome ˝ Throughout
Motivation
sequence A ;
Basics
@ ( posedge i_clk )
Clocked and $past
( EXP ) [ ∗ 0 : $ ] i n t e r s e c t SEQ ;
k Induction
endsequence
Bus Properties

Free Variables
is equivalent to
Abstraction

Invariants sequence B ;
Multiple-Clocks
@ ( posedge i_clk )
Cover
( EXP ) throughout SEQ ;
Sequences
endsequence
Overview
Clocking The EXP expression must be true from now until SEQ ends
Ź Sequences
Exercise

Parting Thoughts

249 / 275
Equivalences
Welcome ˝ Throughout
Motivation ˝ Until
Basics
sequence A ;
Clocked and $past
@ ( posedge i_clk )
k Induction
( E1 ) [ ∗ 0 : $ ] ##1 ( E2 ) ;
Bus Properties
endsequence
Free Variables

Abstraction
is equivalent to
Invariants

Multiple-Clocks sequence B ;
Cover @ ( posedge i_clk )
Sequences ( E1 ) u n t i l E2 ;
Overview endsequence
Clocking
Ź Sequences
Exercise

Parting Thoughts

250 / 275
Equivalences
Welcome ˝ Throughout
Motivation ˝ Until
Basics
sequence A ;
Clocked and $past
@ ( posedge i_clk )
k Induction
( E1 ) [ ∗ 0 : $ ] ##1 ( E2 ) ;
Bus Properties
endsequence
Free Variables

Abstraction
is equivalent to
Invariants

Multiple-Clocks sequence B ;
Cover @ ( posedge i_clk )
Sequences ( E1 ) u n t i l E2 ;
Overview endsequence
Clocking
Ź Sequences
Exercise ˝ There is an ugly subtlety here
Parting Thoughts

250 / 275
Equivalences
Welcome ˝ Throughout
Motivation ˝ Until
Basics ˝ Within
Clocked and $past

k Induction
sequence A ;
Bus Properties
@ ( posedge i_clk )
Free Variables
( 1 [ ∗ 0 : $ ] ##1 S1 ##1 1 [ ∗ 0 : $ ] )
i n t e r s e c t S2 ;
Abstraction
endsequence
Invariants

Multiple-Clocks
is equivalent to
Cover

Sequences sequence B ;
Overview @ ( posedge i_clk )
Clocking
Ź Sequences ( S1 ) w i t h i n S2 ;
Exercise endsequence
Parting Thoughts

251 / 275
Returning to Properties
Welcome Properties can reference sequences
Motivation
˝ Directly
Basics

Clocked and $past a s s e r t p r o p e r t y ( seq ) ;

k Induction a s s e r t p r o p e r t y ( expr |´> seq ) ;
Bus Properties

Free Variables ˝ Implication: sequences can imply properties

Abstraction
a s s e r t p r o p e r t y ( seq |´> some_other_property ) ;
Invariants
a s s e r t p r o p e r t y ( seq |=> another_property ) ;
Multiple-Clocks

Cover

Sequences
Overview
Clocking
Ź Sequences
Exercise

Parting Thoughts

252 / 275
Returning to Properties
Welcome Properties can include . . .
Motivation
˝ if statements
Basics

Clocked and $past a s s e r t p r o p e r t y ( i f ( A ) P1 e l s e P2 ) ;

k Induction

Bus Properties ˝ not, and, or even or statements

Free Variables
a s s e r t p r o p e r t y ( not P1 ) ;
Abstraction
a s s e r t p r o p e r t y ( P1 and P2 ) ;
Invariants
a s s e r t p r o p e r t y ( P1 or P2 ) ;
Multiple-Clocks

Cover

Sequences
Overview
Clocking
Ź Sequences
Exercise

Parting Thoughts

253 / 275
Ex. Bus Request
Welcome A bus request will not change until it is accepted
Motivation
p r o p e r t y BUS_REQUEST_HOLD ;
Basics
@ ( posedge i_clk )
Clocked and $past
( STB)&&(STALL )
k Induction
|=> ( STB)&&( $ s t a b l e ( REQUEST ) ) ;
Bus Properties
endproperty
Free Variables

Abstraction
a s s e r t p r o p e r t y ( BUS_REQUEST_HOLD ) ;
Invariants

Multiple-Clocks

Cover

Sequences
Overview
Clocking
Ź Sequences
Exercise

Parting Thoughts

254 / 275
Ex. Bus Request
Welcome A request persists until it is accepted
Motivation
sequence BUS_REQUEST ;
Basics
@ ( posedge i_clk )
Clocked and $past
// R e p e a t up t o MAX STALL c l k s
k Induction
( STB)&&(STALL ) [ ∗ 0 : MAX_STALL ]
Bus Properties
##1 ( STB )&&(! STALL ) ;
Free Variables
endsequence
Abstraction

Invariants
a s s e r t p r o p e r t y ( STB |´> BUS_REQUEST ) ;
Multiple-Clocks

Cover You no longer need to count stalls yourself.

Sequences
Overview
Clocking
Ź Sequences
Exercise

Parting Thoughts

255 / 275
Ex. Bus Request
Welcome A request persists until it is accepted
Motivation
sequence BUS_REQUEST ;
Basics
@ ( posedge i_clk )
Clocked and $past
// R e p e a t up t o MAX STALL c l k s
k Induction
( STB)&&(STALL ) [ ∗ 0 : MAX_STALL ]
Bus Properties
##1 ( STB )&&(! STALL ) ;
Free Variables
endsequence
Abstraction

Invariants
a s s e r t p r o p e r t y ( STB |´> BUS_REQUEST ) ;
Multiple-Clocks

Cover You no longer need to count stalls yourself.

Sequences Could we do this with an until statement?
Overview
Clocking
Ź Sequences
Exercise

Parting Thoughts

255 / 275
Ex. Bus Request
Welcome A request persists until it is accepted
Motivation
sequence BUS_REQUEST ;
Basics
@ ( posedge i_clk )
Clocked and $past
( STB)&&(STALL ) u n t i l ( STB )&&(! STALL ) ;
k Induction
endsequence
Bus Properties

Free Variables
a s s e r t p r o p e r t y ( STB |´> BUS_REQUEST ) ;
Abstraction

Invariants What is the difference?

Multiple-Clocks

Cover

Sequences
Overview
Clocking
Ź Sequences
Exercise

Parting Thoughts

256 / 275
Ex. Bus Request
Welcome A request persists until it is accepted
Motivation
sequence BUS_REQUEST ;
Basics
@ ( posedge i_clk )
Clocked and $past
( STB)&&(STALL ) u n t i l ( STB )&&(! STALL ) ;
k Induction
endsequence
Bus Properties

Free Variables
a s s e r t p r o p e r t y ( STB |´> BUS_REQUEST ) ;
Abstraction

Invariants What is the difference? The until statement goes forever, our
Multiple-Clocks
prior example was limited to MAX_STALL clock cycles.
Cover

Sequences
Overview
Clocking
Ź Sequences
Exercise

Parting Thoughts

Free Variables
a s s e r t p r o p e r t y ( STB |´> BUS_REQUEST ) ;
Abstraction

Invariants What is the difference?

Multiple-Clocks

Cover
But . . . what happens if RESET is asserted?
Sequences
Overview
Clocking
Ź Sequences
Exercise

Parting Thoughts

256 / 275
Bus Request
Welcome A property can be conditionally disabled
Motivation
sequence BUS_REQUEST ;
Basics
@ ( posedge i_clk )
Clocked and $past
// R e p e a t up t o MAX STALL c l k s
k Induction
( STB)&&(STALL ) [ ∗ 0 : MAX_STALL ]
Bus Properties
##1 ( STB )&&(! STALL ) ;
Free Variables
endsequence
Abstraction

Invariants
assert property (
Multiple-Clocks @ ( posedge i_clk )
Cover d i s a b l e iff ( i_reset )
Sequences STB |´> BUS_REQUEST ) ;
Overview
Clocking
Ź Sequences The assertion will no longer fail if i_reset clears the request
Exercise
What if the request is aborted?
Parting Thoughts

257 / 275
Ex. Bus Request
Welcome A property can be conditionally disabled
Motivation
sequence BUS_REQUEST ;
Basics
@ ( posedge i_clk )
Clocked and $past
// R e p e a t up t o MAX STALL c l k s
k Induction
( STB)&&(STALL ) [ ∗ 0 : MAX_STALL ]
Bus Properties
##1 ( STB )&&(! STALL ) ;
Free Variables
endsequence
Abstraction

Invariants
assert property (
Multiple-Clocks @ ( posedge i_clk )
Cover d i s a b l e iff ( ( i_reset ) | | ( ! CYC ) )
Sequences STB |´> BUS_REQUEST ) ;
Overview
Clocking
Ź Sequences Will this work?
Exercise

Parting Thoughts

258 / 275
Ex. Bus Request
Welcome A property can be conditionally disabled
Motivation
sequence BUS_REQUEST ;
Basics
@ ( posedge i_clk )
Clocked and $past
// R e p e a t up t o MAX STALL c l k s
k Induction
( STB)&&(STALL ) [ ∗ 0 : MAX_STALL ]
Bus Properties
##1 ( STB )&&(! STALL ) ;
Free Variables
endsequence
Abstraction

Parting Thoughts

258 / 275
Ex. Bus ACKs
Welcome Some peripherals will only ever accept one request
Motivation
sequence SINGLE_ACK ( MAX_DELAY ) ;
Basics
@ ( posedge i_clk )
Clocked and $past
( ! ACK)&&(STALL ) [ ∗ 0 : MAX_DELAY ]
k Induction
##1 ( ACK )&&(! STALL ) ;
Bus Properties
endsequence
Free Variables

Abstraction
assert property (
Invariants
d i s a b l e iff ( ( i_reset ) | | ( ! CYC ) )
Multiple-Clocks ( STB )&&(! STALL ) |=> SINGLE_ACK ( 3 2 ) ;
Cover );
Sequences
Overview
Clocking
This peripheral will
Ź Sequences
Exercise ˝ Stall up to 32 clocks following any accepted request, until it
Parting Thoughts ˝ Acknowledges the request, and
˝ Releases the bus on the same cycle

259 / 275
Ex. Bus ACKs
Welcome Some peripherals will
Motivation
˝ Never stall the bus, and
Basics
˝ Acknowledge every request after a fixed number of clock ticks
Clocked and $past

k Induction p r o p e r t y NEVER_STALL ( DELAY ) ;

Bus Properties @ ( posedge i_clk )
Free Variables d i s a b l e iff ( ( i_reset ) | | ( ! CYC ) )
Abstraction ( STB ) |´> ##[∗DELAY ] ( ACK ) ;
Invariants endproperty
Multiple-Clocks

Cover a s s e r t p r o p e r t y ( NEVER_STALL ( DELAY )

Sequences and ( ! STALL ) ) ;
Overview
Clocking
Ź Sequences This is illegal. Can you spot the bug?
Exercise

Parting Thoughts

260 / 275
Ex. Bus ACKs
Welcome Some peripherals will
Motivation
˝ Never stall the bus, and
Basics
˝ Acknowledge every request after a fixed number of clock ticks
Clocked and $past

k Induction p r o p e r t y NEVER_STALL ( DELAY ) ;

Bus Properties @ ( posedge i_clk )
Free Variables d i s a b l e iff ( ( i_reset ) | | ( ! CYC ) )
Abstraction ( STB ) |´> ##[∗DELAY ] ( ACK ) ;
Invariants endproperty
Multiple-Clocks

Cover a s s e r t p r o p e r t y ( NEVER_STALL ( DELAY )

Sequences and ( ! STALL ) ) ;
Overview
Clocking
Ź Sequences This is illegal. Can you spot the bug? What logic does the
Exercise
disable iff apply to?
Parting Thoughts

260 / 275
Ex. Bus ACKs
Welcome Some peripherals will
Motivation
˝ Never stall the bus, and
Basics
˝ Acknowledge every request after a fixed number of clock ticks
Clocked and $past

k Induction p r o p e r t y NEVER_STALL ( DELAY ) ;

Bus Properties @ ( posedge i_clk )
Free Variables d i s a b l e iff ( ( i_reset ) | | ( ! CYC ) )
Abstraction ( STB ) |´> ##[∗DELAY ] ( ACK ) ;
Invariants endproperty
Multiple-Clocks

Cover a s s e r t p r o p e r t y ( NEVER_STALL ( DELAY ) ) ;

Sequences a s s e r t p r o p e r t y ( ! STALL ) ;
Overview
Clocking
Ź Sequences This is valid
Exercise

Parting Thoughts

261 / 275
Ex. Bus ACKs
Welcome Cannot ACK or ERR when no request is pending
Motivation
a s s e r t p r o p e r t y ( @ ( posedge i_clk )
Basics
( ( ! i_CYC ) | | ( i_reset ) )
Clocked and $past
##1 ( ( ! i_CYC ) | | ( i_reset ) )
k Induction
|´> ( ( ! o_ACK )&&(! o_ERR ) ) ;
Bus Properties

Free Variables
Or as we did it before
Abstraction

Invariants always @ ( posedge i_clk )

Multiple-Clocks
i f ( ( f_past_valid )
Cover
&&(( $past ( i_reset ) ) | | ( ! $past ( i_CYC ) ) )
Sequences
&&((i_reset ) | | ( ! i_CYC ) )
Overview a s s e r t ( ( ! o_ACK )&&(! o_ERR ) ) ;
Clocking
Ź Sequences
Exercise
Which is simpler to understand?
Parting Thoughts

262 / 275
Ex. UART Tx
Welcome Let’s look at an serial port transmitter example.
Motivation A baud interval is CKS clocks . . .
Basics
˝ Output data is constant
Clocked and $past
˝ Logic doesn’t change state
k Induction

Bus Properties
˝ Internal shift register value is known
Free Variables ˝ Ends with zero_baud_counter
Abstraction

Invariants sequence BAUD_INTERVAL ( CKS , DAT , SR , ST ) ;

Multiple-Clocks
( ( o_uart_tx == DAT)&&(state == ST )
Cover
&&(lcl_data == SR )
Sequences
&&(! zero_baud_counter ) ) [ ∗ ( CKS ´1)]
Overview ##1 ( o_uart_tx == DAT)&&(state == ST )
Clocking &&(lcl_data == SR )
Ź Sequences
Exercise &&(zero_baud_counter ) )
Parting Thoughts endsequence

263 / 275
Ex. UART Tx
Welcome A byte consists of 10 Baud intervals
Motivation
sequence SEND ( CKS , DATA ) ;
Basics
BAUD_INTERVAL ( CKS , 1 ’ b0 , DATA , 4 ’ h0 )
Clocked and $past
##1 BAUD_INTERVAL ( CKS , DATA [ 0 ] ,
k Induction
{ { ( 1 ) { 1 ’ b1 } } , DATA [ 7 : 1 ] , 4 ’ h1 )
Bus Properties
##1 BAUD_INTERVAL ( CKS , DATA [ 1 ] ,
Free Variables
{ { ( 2 ) { 1 ’ b1 } } , DATA [ 7 : 2 ] , 4 ’ h2 )
Abstraction
//
Invariants
##1 BAUD_INTERVAL ( CKS , DATA [ 6 ] ,
Multiple-Clocks { { ( 7 ) { 1 ’ b1 } } , DATA [ 7 ] , 4 ’ h7 )
Cover ##1 BAUD_INTERVAL ( CKS , DATA [ 7 ] ,
Sequences 7 ’ hff , DATA [ 7 ] , 4 ’ h8 )
Overview
Clocking
##1 BAUD_INTERVAL ( CKS , 1 ’ b1 , 8 ’ hff , 4 ’ h9 ) ;
Ź Sequences endsequence
Exercise

Parting Thoughts

264 / 275
Ex. UART Tx
Welcome Transmitting a byte requires
Motivation
always @ ( posedge i_clk )
Basics
i f ( ( i_wr )&&(! o_busy ) )
Clocked and $past
fsv_data <= i_data ;
k Induction

Bus Properties
a s s e r t p r o p e r t y ( @ ( posedge i_clk )
Free Variables
( i_wr )&&(! o_busy )
Abstraction
|=> ( ( o_busy ) throughout
Invariants
SEND ( CLOCKS_PER_BAUD , fsv_data ) )
Multiple-Clocks ##1 ( ( ! o_busy)&&(o_uart_tx )
Cover &&(zero_baud_counter ) ) ;
Sequences
Overview
Clocking
Ź Sequences
˝ A transmit request is received
Exercise ˝ The data is sent
Parting Thoughts ˝ The controller returns to idle

265 / 275
Ex. UART Tx
Welcome Transmitting a byte requires
Motivation
a s s e r t p r o p e r t y ( @ ( posedge i_clk )
Basics
( i_wr )&&(! o_busy )
Clocked and $past
|=> ( ( o_busy ) throughout
k Induction
SEND ( CLOCKS_PER_BAUD , fsv_data ) )
Bus Properties
##1 ( ( ! o_busy)&&(o_uart_tx )
Free Variables
&&(zero_baud_counter ) ) ;
Abstraction

Invariants Make sure . . .

Multiple-Clocks

Cover
˝ The sequence has a defined beginning
Sequences Only ever triggered once at a time
Overview ˝ Doesn’t reference changing data
Clocking
Ź Sequences ˝ throughout is within parenthesis
Exercise
˝ You tie all relevant state information together
Parting Thoughts

266 / 275
SysVerilog Conclusions
Welcome SystemVerilog Concurrent Assertions . . .
Motivation
˝ can be very powerful
Basics
˝ can be very confusing
Clocked and $past
˝ can be used with immediate assertions
k Induction

Bus Properties
You can keep using the simpler property form we’ve been
Free Variables using
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
Overview
Clocking
Ź Sequences
Exercise

Parting Thoughts

267 / 275
Last Exercise!
Welcome Let’s formally verify a synchronous FIFO
Motivation
e n t i t y sfifo i s
Basics
g e n e r i c ( BW : natural := 8 ;
Clocked and $past
LGFLEN : natural := 4 ) ;
k Induction

Bus Properties
p o r t ( i_clk , i_reset : i n std_logic ;
Free Variables
´´ The i n c o m i n g ( w r i t e ) i n t e r f a c e
Abstraction
i_wr : i n std_logic ;
Invariants
i_data : i n std_logic_vector ( BW´1 downto 0 ) ;
Multiple-Clocks o_full : out std_logic := ’ 0 ’ ;
Cover ´´ The o u t g o i n g ( r e a d ) i n t e r f a c e
Sequences i_rd : i n std_logic ;
Overview
Clocking
o_data : out std_logic_vector ( BW´1 downto 0 ) ;
Sequences o_empty : out std_logic := ’ 1 ’ ;
Ź Exercise
o_err : out std_logic := ’ 0 ’ ) ;
Parting Thoughts
end e n t i t y sfifo ;

268 / 275
Last Exercise
Welcome Let’s formally verify a synchronous FIFO
Motivation
a r c h i t e c t u r e behavior o f sfifo i s
Basics
constant FLEN : natural := 2 ∗∗ LGFLEN ;
Clocked and $past

k Induction
type data_type i s
Bus Properties
std_logic_vetor ( BW´1 downto 0 ) ;
Free Variables
type mem_type i s
Abstraction
a r r a y ( FLEN´1 downto 0 ) o f data_type ;
Invariants
type ptr_type i s
Multiple-Clocks unsigned ( LGFLEN downto 0 ) ;
Cover

Sequences signal mem : mem_type ;

Overview
Clocking
Sequences s i g n a l r_first : ptr_type
Ź Exercise
:= to_unsigned ( 0 , LGFLEN +1);
Parting Thoughts

See the problem?

269 / 275
Last Exercise
Welcome Let’s formally verify a synchronous FIFO
Motivation
a r c h i t e c t u r e behavior o f sfifo i s
Basics
constant FLEN : natural := 2 ∗∗ LGFLEN ;
Clocked and $past

Sequences signal mem : mem_type ;

Overview
Clocking
Sequences s i g n a l r_first : ptr_type
Ź Exercise
:= to_unsigned ( 0 , LGFLEN +1);
Parting Thoughts

See the problem? You can’t pass memories through ports!

269 / 275
Last Exercise
Welcome How will you pass the memory to the formal tool?
Motivation
˝ You might pass an arbitrary address and value instead
Basics

Clocked and $past

s i g n a l test_address : ptr_type ;
k Induction
a t t r i b u t e anyconst o f test_address
Bus Properties
: signal is ’1 ’;
Free Variables
s i g n a l test_value : data_type ;
Abstraction
´´´´
Invariants test_value <= mem ( to_integer ( unsigned ( ´´´´
Multiple-Clocks test_address ( LGFLEN´1 downto 0 ) ) ) ) ;
Cover

Sequences
Overview
Clocking
Sequences
Ź Exercise

Parting Thoughts

270 / 275
Last Exercise
Welcome Let’s formally verify a synchronous FIFO
Motivation What properties do you think would be appropriate?
Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
Overview
Clocking
Sequences
Ź Exercise

Parting Thoughts

271 / 275
Last Exercise
Welcome Let’s formally verify a synchronous FIFO
Motivation What properties do you think would be appropriate?
Basics
˝ Should never go from full to empty
Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
Overview
Clocking
Sequences
Ź Exercise

Parting Thoughts

271 / 275
Last Exercise
Welcome Let’s formally verify a synchronous FIFO
Motivation What properties do you think would be appropriate?
Basics
˝ Should never go from full to empty except on a reset
Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
Overview
Clocking
Sequences
Ź Exercise

Parting Thoughts

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
Overview
Clocking
Sequences
Ź Exercise

Parting Thoughts

Bus Properties
˝ The two outputs, o_empty and o_full, should properly reflect
Free Variables the size of the FIFO
Abstraction
– o_empty means the FIFO is currently empty
Invariants
– o_full means the FIFO has 2N elements within it
Multiple-Clocks

Cover

Sequences
Overview
Clocking
Sequences
Ź Exercise

Parting Thoughts

Cover ˝ Challenge: Use sequences to prove that

Sequences
Overview – Given any two values written successfully
Clocking – Verify that those two values can (some time later) be read
Sequences
Ź Exercise successfully, and in the right order
Parting Thoughts (Unless a reset takes place in the meantime)

271 / 275
Hint
Welcome When using sequences,. . .
Motivation
˝ It can be very difficult to figure out what part of the
Basics
sequence failed.
Clocked and $past

k Induction
The assertion that fails will reference the entire failing
Bus Properties
sequence.
Free Variables
Suggestions:
Abstraction

Invariants
˝ Sequences must be triggered
Multiple-Clocks Be aware of what triggers a sequence
Cover ˝ Use combinational logic to define wires that will then
Sequences represent steps in the sequence
Overview
Clocking ˝ Build the sequences out of these wires
Sequences
Ź Exercise

Parting Thoughts

272 / 275
Hint continued
Welcome Here’s an example:
Motivation
w i r e f_a , f_b , f_c ;
Basics
//
Clocked and $past
a s s i g n f_a = // y o u r l o g i c
k Induction
a s s i g n f_b = // y o u r l o g i c
Bus Properties
a s s i g n f_c = // y o u r l o g i c
Free Variables
//
Abstraction
sequence ARBITRARY_EXAMPLE_SEQUENCE
Invariants
f_a [ ∗ 0 : 4 ] ##1 f_b ##1 f_c [ ∗ 1 2 : 1 6 ] ;
Multiple-Clocks endsequence
Cover

Sequences If you use this approach

Overview
Clocking ˝ Interpreting the wave file will be much easier
Sequences
Ź Exercise ˝ The f_a, etc., lines will be in the trace
Parting Thoughts

273 / 275
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Parting Thoughts
Invariants

Multiple-Clocks

Cover

Sequences
Parting
Ź Thoughts
Questions?

274 / 275
Questions?
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts
Ź Questions?

275 / 275

Introduction to Formal Methods in Verification
No ratings yet
Introduction to Formal Methods in Verification
435 pages
Introduction to Formal Methods in Verification
No ratings yet
Introduction to Formal Methods in Verification
553 pages
Formal Verification Techniques Overview
No ratings yet
Formal Verification Techniques Overview
29 pages
Formal Verification in Safety-Critical Systems
No ratings yet
Formal Verification in Safety-Critical Systems
35 pages
PSG V1 Formal Verification Guide
No ratings yet
PSG V1 Formal Verification Guide
31 pages
VLSI Design: CMOS Logic & Timing
No ratings yet
VLSI Design: CMOS Logic & Timing
23 pages
System Verilog Notes: Basics to Advanced
No ratings yet
System Verilog Notes: Basics to Advanced
37 pages
Microprocessor Verification Methodology
No ratings yet
Microprocessor Verification Methodology
19 pages
Cadence Formal Verification Bootcamp
No ratings yet
Cadence Formal Verification Bootcamp
80 pages
IC Lab Verification Techniques Overview
No ratings yet
IC Lab Verification Techniques Overview
54 pages
Introduction To Formal Hardware Verification-Springer-Verlag Berlin Heidelberg (1999)
No ratings yet
Introduction To Formal Hardware Verification-Springer-Verlag Berlin Heidelberg (1999)
308 pages
SV Notes
No ratings yet
SV Notes
81 pages
Ixana Interview Experience Summary
No ratings yet
Ixana Interview Experience Summary
5 pages
Formal Verification: Static & Dynamic Methods
No ratings yet
Formal Verification: Static & Dynamic Methods
140 pages
Advanced Digital Electronics Webinar
No ratings yet
Advanced Digital Electronics Webinar
5 pages
William K Lam Hardware Design Verification Simulation and Formal Method Based Approaches Prentice Hall 2008
50% (2)
William K Lam Hardware Design Verification Simulation and Formal Method Based Approaches Prentice Hall 2008
837 pages
Integrating Formal Verification in CS Education
No ratings yet
Integrating Formal Verification in CS Education
8 pages
International Verilog Conference and VHDL International Users
No ratings yet
International Verilog Conference and VHDL International Users
5 pages
Verilog Synthesis Methodology Guide
No ratings yet
Verilog Synthesis Methodology Guide
23 pages
RTL Syllabus
No ratings yet
RTL Syllabus
15 pages
Qualcomm Technical Interview Insights
100% (1)
Qualcomm Technical Interview Insights
7 pages
Book Systemverilog For Verification
No ratings yet
Book Systemverilog For Verification
326 pages
Memory Testing Techniques Overview
No ratings yet
Memory Testing Techniques Overview
54 pages
Interview Insights: Apoorvi Patel's Experience
No ratings yet
Interview Insights: Apoorvi Patel's Experience
6 pages
Processor Design: Single & Multi-Cycle CPU
No ratings yet
Processor Design: Single & Multi-Cycle CPU
70 pages
William K Lam - Hardware Design Verification - Simulation and Formal Verification Based Approaches
No ratings yet
William K Lam - Hardware Design Verification - Simulation and Formal Verification Based Approaches
497 pages
Verilog Basics for Hardware Design
No ratings yet
Verilog Basics for Hardware Design
10 pages
Verification Techniques Overview
No ratings yet
Verification Techniques Overview
8 pages
Moore FSM Design in Behavioral VHDL
No ratings yet
Moore FSM Design in Behavioral VHDL
169 pages
Placement Chronicles AY 2024-25
No ratings yet
Placement Chronicles AY 2024-25
132 pages
SVV - Abb
No ratings yet
SVV - Abb
11 pages
Static Methods and Variables in SystemVerilog
No ratings yet
Static Methods and Variables in SystemVerilog
37 pages
RTL Design Interview Preparation Guide
No ratings yet
RTL Design Interview Preparation Guide
19 pages
SystemVerilog Overview and Data Types
100% (1)
SystemVerilog Overview and Data Types
4 pages
FV Chapter1-13 Merged
No ratings yet
FV Chapter1-13 Merged
271 pages
Good VLSI Design Test Power Tutorial
No ratings yet
Good VLSI Design Test Power Tutorial
1,515 pages
Verilog (1)
No ratings yet
Verilog (1)
54 pages
MIPS Implementation Overview
No ratings yet
MIPS Implementation Overview
29 pages
Interview Insights for MTech ESE Candidates
No ratings yet
Interview Insights for MTech ESE Candidates
5 pages
VHDL While Loop Examples Explained
No ratings yet
VHDL While Loop Examples Explained
43 pages
Ece4750 Tut3 Verilog PDF
No ratings yet
Ece4750 Tut3 Verilog PDF
79 pages
VHDL Array and Type Attributes Guide
No ratings yet
VHDL Array and Type Attributes Guide
14 pages
MIPS Assembly and Verilog Lab Guide
No ratings yet
MIPS Assembly and Verilog Lab Guide
38 pages
Computer Fundamentals and C Programming Guide
No ratings yet
Computer Fundamentals and C Programming Guide
12 pages
Single-Cycle MIPS Processor Overview
No ratings yet
Single-Cycle MIPS Processor Overview
59 pages
VLSI Design and Performance Insights
No ratings yet
VLSI Design and Performance Insights
24 pages
VLSI Design Verification Course Overview
No ratings yet
VLSI Design Verification Course Overview
6 pages
Verilog Testbench and FSM Basics
No ratings yet
Verilog Testbench and FSM Basics
36 pages
VHDL Data Types
No ratings yet
VHDL Data Types
12 pages
Extended
No ratings yet
Extended
124 pages
VLSI Interview Questions Overview
No ratings yet
VLSI Interview Questions Overview
65 pages
Overview of Formal Verification Techniques
No ratings yet
Overview of Formal Verification Techniques
55 pages
SQL Server 2008 Security Model Explained
No ratings yet
SQL Server 2008 Security Model Explained
714 pages
Indian Economy: Key Concepts and Reforms
No ratings yet
Indian Economy: Key Concepts and Reforms
44 pages
Heart Disease Risk Prediction Model
No ratings yet
Heart Disease Risk Prediction Model
2 pages
Lucknow Pact and Home Rule Movement
No ratings yet
Lucknow Pact and Home Rule Movement
8 pages
Azad Hind Fauj and India's Independence
No ratings yet
Azad Hind Fauj and India's Independence
9 pages
Railway Reservation System Overview
100% (1)
Railway Reservation System Overview
5 pages
Closest Facility Analysis in Bengaluru
No ratings yet
Closest Facility Analysis in Bengaluru
5 pages
C++ Loops: Types and Examples
No ratings yet
C++ Loops: Types and Examples
27 pages
IS 274 Object-Oriented Design Insights
No ratings yet
IS 274 Object-Oriented Design Insights
2 pages
Web/Mobile Developer & UI/UX Designer Resume
No ratings yet
Web/Mobile Developer & UI/UX Designer Resume
3 pages
Programmer's Guide For Free Pascal, Version 3.0.4 Document Version 3.0.4 September 2017
No ratings yet
Programmer's Guide For Free Pascal, Version 3.0.4 Document Version 3.0.4 September 2017
180 pages
Key Personnel User Manual Guide
No ratings yet
Key Personnel User Manual Guide
29 pages
Web-Based Bank Management System
No ratings yet
Web-Based Bank Management System
6 pages
Aspire One Series Service Guide
No ratings yet
Aspire One Series Service Guide
174 pages
Zoiper
No ratings yet
Zoiper
51 pages
Fife CDP-01 Operations Manual Guide
No ratings yet
Fife CDP-01 Operations Manual Guide
2 pages
Database Security and Access Control Guide
No ratings yet
Database Security and Access Control Guide
18 pages
Setting Up Local Coding Environment
No ratings yet
Setting Up Local Coding Environment
13 pages
Google App Campaign Best Practices
No ratings yet
Google App Campaign Best Practices
15 pages
Overview of Software Engineering Documents
No ratings yet
Overview of Software Engineering Documents
37 pages
Tuple and Domain Calculus Queries
No ratings yet
Tuple and Domain Calculus Queries
22 pages
Est3 PDF
No ratings yet
Est3 PDF
4 pages
Overview of Compiler Construction
No ratings yet
Overview of Compiler Construction
11 pages
Configuring SNMP for MRTG on FortiGate
No ratings yet
Configuring SNMP for MRTG on FortiGate
9 pages
EBS to OTM Integration Guide
No ratings yet
EBS to OTM Integration Guide
29 pages
Understanding Cyber Threat Vectors
No ratings yet
Understanding Cyber Threat Vectors
32 pages
Online Medicine Management System
No ratings yet
Online Medicine Management System
18 pages
EIZO ATC Visual Display Solutions
No ratings yet
EIZO ATC Visual Display Solutions
7 pages
Mark VIe Control Systems Guide
No ratings yet
Mark VIe Control Systems Guide
1,278 pages
RAG Pipeline with Docling and Azure AI
No ratings yet
RAG Pipeline with Docling and Azure AI
12 pages
Web-Based Pharmacy Management System Proposal
No ratings yet
Web-Based Pharmacy Management System Proposal
3 pages
Cyber Crime: Types and Prevention Guide
No ratings yet
Cyber Crime: Types and Prevention Guide
22 pages
Secure Application Development Assignment
No ratings yet
Secure Application Development Assignment
5 pages
IGCSE 2210 Computer Science Notes
No ratings yet
IGCSE 2210 Computer Science Notes
15 pages
Know Your Pensioner (KYP) Form Guide
No ratings yet
Know Your Pensioner (KYP) Form Guide
2 pages