Gisselquist Technology, LLC
An Introduction to Formal Methods
Daniel E. Gisselquist, Ph.D.
Lessons
Welcome
Motivation
Basics
Clocked and $past
k Induction
Bus Properties
Free Variables
Abstraction
Invariants
Multiple-Clocks
Cover
Sequences
Quizzes
Day one
1. Motivation
2. Basic Operators
3. Clocked Operators
4. Induction
5. Bus Properties

Day two
6. Free Variables
7. Abstraction
8. Invariants
9. Multiple-Clocks
10. Cover
11. Sequences
12. Final Thoughts
Course Structure
- We’ll be primarily using the immediate assertion subset of the full SystemVerilog assertion language
  – It’s easier to understand
  – Concurrent assertions are built on top of immediate assertions under the hood
- Each lesson will be followed by an exercise. There are 12 exercises.
- My goal is to have 50% lecture, 50% exercises
- Leading up to building a bus arbiter and testing a synchronous FIFO
Motivation
Lesson Overview
1. Why are you here?
2. What can I provide?
3. What have I learned from formal methods?

Our Objectives
- Get to know a little bit about each other
- Motivate further discussion
Your expectations
What do you want to learn and get out of this course?
From an ARM dev.
- “I think the main difference between FPGA and ASIC development is the level of verification you have to go through. Shipping a CPU or GPU to Samsung or whoever, and then telling them once they’ve taped out that you have a Cat1 bug that requires a respin is going to set them back $1M per mask.
- “. . . But our main verification is still done with constrained random test benches written in SV.
- “Overall, you are looking at 50 man years per project minimum for an average project size.”
Would not exist
“If we would not do formal verification, we would no longer exist.”
– Shahar Ariel, now the former Head of VLSI design at Mellanox
Pentium FDIV
One little mistake . . .
. . . $475M later.
Personal Experience
I have proven such things as,
- Formal bus properties (Wishbone, Avalon, AXI, etc.)
- Bus bridges (WB-AXI, Avalon-WB)
- AXI DMA’s, firewalls, crossbars
- Prefetches, cache controllers, memory controllers, MMU
- SPI slaves and masters
- UART, both TX and RX
- FIFO’s, signal processing flows, FFT
- Display (VGA) Controller
- Flash controllers
- Formal proof of the ZipCPU
Some Examples
I’ve found bugs in things I thought were working.
1. FIFO
2. Pre-fetch and Instruction cache
3. SDRAM
4. A peripheral timer

Just how hard can a timer be to get right? It’s just a counter!
Ex: FIFO
- It worked in my test bench
- Failed when reading and writing on the same clock while empty
  – Write first then read worked
  – R+W on full FIFO is okay
  – R+W on an empty FIFO . . . not so much
- My test bench didn’t check that, formal did
Ex: Prefetch
- It worked in my test bench
- Ugliest bug I ever came across was in the prefetch cache. It passed test-bench muster, but failed in the hardware with a strange set of symptoms
- When I learned formal, it was easy to prove that this would never happen again.
- Low logic has always been one of my goals. Always asking, “will it work if I get rid of this condition?” Formal helps to answer that question for me.
Ex: SDRAM
- It worked in my test bench
- It passed my hardware testing
  – Test S/W: Week+, no bugs
  – Formal methods found the bug
  – Full proof took less than 30 min
Ex: SDRAM
- It worked in my test bench
- It passed my hardware testing
- Background
  – SDRAMs are organized into separate banks, each having rows and columns
  – A row must be “activated” before it can be used.
  – The controller must keep track of which row is activated.
  – If a request comes in for a row that isn’t activated, the active row must be deactivated, and the proper row must be activated.
- A subtle bug in my SDRAM controller compared the active row address against the immediately previous (1-clock ago) required row address, not the currently requested address. This bug had lived in my design for years. Formal methods caught it.
Problem with Test Benches
- Only examines a known good branch
- Cannot check for every out of bounds condition
Problem with Test Benches
- Demonstrate design works
- Through a normal working path
  – or a limited number of extraneous paths
- Never rigorous enough to check everything
- Not uniform in rigour

For the FIFO,
- I only read when I knew it wasn’t empty

For the Prefetch,
- I never tested jumping to the last location in a cache line

For the SDRAM,
- The error was so obscure, it would be hard to trigger
Before Formal
This was my method before starting to work with formal.
- After . . .
  – Proving my design with testbenches
  – Directed simulation
- I was still chasing bugs in hardware

I still use this approach for DSP algorithms.
Design Approach
- After finding the bug in my FIFO . . . I was hooked.
- Rebuilding everything . . . now using formal
- Formal found more bugs . . . in example after example
- I’m hooked!
When to use it?
- Bus component: I would not build a bus component without formal any more
- Multiplies: Formal struggles with multiplication
Formal Verification Basics: assert and assume
Lesson Overview
Let’s start at the beginning, and look at the very basics of formal verification.

Our Objective:
- To learn the basic two operators used in formal verification,
  – assert()
  – assume()
- To understand how these affect a design from a state space perspective
- We’ll also look at several examples
Basic Premise
Formal methods are built around looking for redundancies.
- Basic difference between mediocre and excellent: double checking your work
- Two separate and distinct fashions
  – First method calculates the answer
  – Second method proves it was right
- Example: Division
  – 89,321 / 499 = 179
  – Does it? Let’s check: 179 × 499 = 89,321 — Yes
- Formal methods are similar
  – Your design is the first method
  – Formal properties describe the second
Basic Operators
Let’s start with the two basic operators

1. assume()
   An assume(X) statement will limit the state space that the formal verification engine examines.
2. assert()
   An assert(X) statement indicates that X must be true, or the design will fail to prove.
Two basic forms
```verilog
// Use for a purely combinational property
always @(*)
	assert(X);

// Use when your property has clock dependencies,
// such as referencing an item's value in the past
always @(posedge clk)
	assert(X);
```

As an example,

```verilog
always @(*)
	assert(counter < 20);
```
General Rule
Assert
- Assertions define the illegal state space.
- Additional assertions will increase the size of the illegal state space.
Assume
- Assumptions limit the universe of all possibilities
- Additional assumptions will decrease the size of the total state space
- Caution: One careless assumption can void the proof
The Careless Assumption
```verilog
reg	[15:0]	counter;

initial	counter = 0;
always @(posedge clk)
	counter <= counter + 1'b1;

always @(*)
begin
	assert(counter <= 100);
	assume(counter <= 90);
end
```

Question: Will counter ever reach 120?
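As an added example (not from the slides), here is the same counter rewritten so that the assumption constrains an input rather than the design's own state, together with a cover() that confirms the assertion is not being proven over an empty state space. The module, its ports and the f_past_valid register are assumptions of this example.

```verilog
// Added example. Only an input (i_enable) is ever assume()d; the
// counter's own value is only ever assert()ed, so no reachable trace of
// the design is silently discarded. Properties live under `ifdef FORMAL,
// which SymbiYosys defines when it reads the design with -formal.
module counter_checked(
	input	wire		i_clk, i_reset, i_enable,
	output	reg	[15:0]	o_counter);

	initial	o_counter = 0;
	always @(posedge i_clk)
	if (i_reset)
		o_counter <= 0;
	else if (i_enable)
		o_counter <= o_counter + 1'b1;

`ifdef	FORMAL
	// $past() has no history on the very first clock
	reg	f_past_valid;
	initial	f_past_valid = 1'b0;
	always @(posedge i_clk)
		f_past_valid <= 1'b1;

	// Environment constraint: whoever drives i_enable stops enabling
	// once the count reaches 90. Unlike assume(counter <= 90), this
	// prunes only input choices, never states the design itself reaches.
	always @(*)
	if (o_counter >= 90)
		assume(!i_enable);

	// Design property: under that constraint the count never exceeds 90
	always @(*)
		assert(o_counter <= 90);

	// Vacuity check: a solver "proves" any assertion about states it never
	// visits. If this cover() is unreachable, the assumptions have emptied
	// the state space and the assertion above has proved nothing.
	always @(*)
		cover(o_counter == 90);

	// Step property: the count moves by exactly one, and only when it was
	// enabled on the previous clock
	always @(posedge i_clk)
	if (f_past_valid && !$past(i_reset))
	begin
		if ($past(i_enable))
			assert(o_counter == $past(o_counter) + 1'b1);
		else
			assert(o_counter == $past(o_counter));
	end
`endif
endmodule
```

With SymbiYosys, `mode prove` checks the assertions and `mode cover` with a depth of at least 91 is needed to reach the cover().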
restrict vs assume
restrict() is very similar to assume()

Operator     Formal Verification       Traditional Simulation
restrict()   Restricts search space    Ignored
assume()     Restricts search space    Halts simulation with an error
assert()     Illegal state             Halts simulation with an error

- restrict(): Like assume(X), it also limits the state space
- But in a traditional simulation . . .
  – restrict() is ignored
  – assume() is turned into an assert()
Bounded Model Checking
For bounded model checking,
1. Start at the initial state
2. Examine all possible states for N clocks
3. Try to find a way to make an assert() fail
4. If it’s not possible in N clocks, then pass
No Solution
Problem: initial assume(!initial_state);
Model fails, no line number given.
No Solution
Problem: assume(!reachable_state);
Model fails, no line number given.
Further thoughts
Unlike the rest of your digital design, formal properties . . .
- don’t need to meet timing
- don’t need to meet a minimum logic requirement
We’ll discuss this more as we go along.
Example Bus Slave
Here’s an example of a bus slave
- Inputs are assumed
- Outputs are asserted
Example Bus Master
Question: How would a bus master be different?

The slave’s outputs are the master’s inputs
- assume() the inputs from the slave
- assert() the outputs from the master
Internal Bus
Question: What if both slave and master signals were part of the same design?
- All of the wires are now internal
- They should therefore be assert()ed
Serial Port Transmitter
- Whenever the serial port is idle, the output line should be high

```verilog
always @(*)
if (state == IDLE)
	assert(o_uart_tx);
```

- Whenever the serial port is not idle, busy should be high

```verilog
always @(*)
if (state != IDLE)
	assert(o_busy);
else
	assert(!o_busy);
```

- The design can only ever be in a valid state

```verilog
always @(*)
	assert((state <= TXUL_STOP) || (state == TXUL_IDLE));
```
Bus Arbiter
- Arbiter cannot grant both A and B access

```verilog
always @(*)
	assert((!grant_A) || (!grant_B));
```

- While one has access, the other must be stalled

```verilog
always @(*)
if (grant_A)
	assert(stall_B);

always @(*)
if (grant_B)
	assert(stall_A);
```
Bus Arbiter
- While one is stalled, its outstanding requests must be zero

```verilog
always @(*)
if (grant_A)
begin
	assert(f_nreqs_B == 0);
	assert(f_nacks_B == 0);
	assert(f_outstanding_B == 0);
end
```

I use the prefix f_ to indicate a variable that is
- Not part of the design
- But only used for Formal Verification
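The arbiter properties from these two slides attached to a small two-port arbiter, as an added example (not the course's exercise or its solution). The module, its port names and the f_* counters are this example's own choices.

```verilog
// Added example: two-port fixed-priority arbiter (A wins a tie) with the
// slide properties attached; port names and f_* counters are its own.
module arbiter2(
	input	wire	i_clk, i_reset,
	// Requesting masters: CYC opens a bus cycle, STB requests a transfer
	input	wire	i_a_cyc, i_a_stb, i_b_cyc, i_b_stb,
	// The single downstream slave they share
	input	wire	i_s_stall, i_s_ack,
	output	wire	o_s_cyc, o_s_stb,
	// Results returned to each master
	output	wire	o_grant_a, o_grant_b,
	output	wire	o_a_stall, o_a_ack, o_b_stall, o_b_ack);

	// The grant is held for as long as the winner keeps CYC high
	reg	grant_a, grant_b;
	initial	grant_a = 1'b0;
	initial	grant_b = 1'b0;
	always @(posedge i_clk)
	if (i_reset)
	begin
		grant_a <= 1'b0;
		grant_b <= 1'b0;
	end else if (grant_a)
		grant_a <= i_a_cyc;
	else if (grant_b)
		grant_b <= i_b_cyc;
	else if (i_a_cyc)
		grant_a <= 1'b1;	// A has priority on a tie
	else if (i_b_cyc)
		grant_b <= 1'b1;

	assign	o_grant_a = grant_a;
	assign	o_grant_b = grant_b;
	assign	o_s_cyc   = (grant_a && i_a_cyc) || (grant_b && i_b_cyc);
	assign	o_s_stb   = (grant_a && i_a_stb) || (grant_b && i_b_stb);
	// A master without the grant is always stalled and never acked
	assign	o_a_stall = (!grant_a) || i_s_stall;
	assign	o_b_stall = (!grant_b) || i_s_stall;
	assign	o_a_ack   = grant_a && i_s_ack;
	assign	o_b_ack   = grant_b && i_s_ack;

`ifdef	FORMAL
	// Formal-only counters: requests accepted and acks returned on each
	// port during its current bus cycle, cleared when that cycle ends
	reg	[7:0]	f_nreqs_a, f_nacks_a, f_nreqs_b, f_nacks_b;
	initial	f_nreqs_a = 0;	initial	f_nacks_a = 0;
	initial	f_nreqs_b = 0;	initial	f_nacks_b = 0;
	always @(posedge i_clk)
	if (i_reset || !i_a_cyc)
	begin
		f_nreqs_a <= 0;	f_nacks_a <= 0;
	end else begin
		if (i_a_stb && !o_a_stall)	f_nreqs_a <= f_nreqs_a + 1'b1;
		if (o_a_ack)			f_nacks_a <= f_nacks_a + 1'b1;
	end
	always @(posedge i_clk)
	if (i_reset || !i_b_cyc)
	begin
		f_nreqs_b <= 0;	f_nacks_b <= 0;
	end else begin
		if (i_b_stb && !o_b_stall)	f_nreqs_b <= f_nreqs_b + 1'b1;
		if (o_b_ack)			f_nacks_b <= f_nacks_b + 1'b1;
	end
	wire	[7:0]	f_outstanding_a = f_nreqs_a - f_nacks_a;
	wire	[7:0]	f_outstanding_b = f_nreqs_b - f_nacks_b;

	// Slide property: the arbiter cannot grant both A and B access
	always @(*)
		assert((!grant_a) || (!grant_b));

	// Slide property: while one has access, the other must be stalled
	always @(*)
	if (grant_a)
		assert(o_b_stall);
	always @(*)
	if (grant_b)
		assert(o_a_stall);

	// Slide property: while one is stalled, its outstanding requests must
	// be zero. Written per port as "not granted" rather than "the other is
	// granted": that is the invariant the counters actually maintain, and
	// together with the mutual-exclusion assertion it implies the slide's
	// grant_A -> (B counters == 0) form.
	always @(*)
	if (!grant_a)
	begin
		assert(f_nreqs_a == 0);
		assert(f_nacks_a == 0);
		assert(f_outstanding_a == 0);
	end
	always @(*)
	if (!grant_b)
	begin
		assert(f_nreqs_b == 0);
		assert(f_nacks_b == 0);
		assert(f_outstanding_b == 0);
	end
`endif
endmodule
```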
Avalon bus
- Avalon bus: will never issue a read and write request at the same time

```verilog
always @(*)
	assume((!i_av_read) || (!i_av_write));
```

- The bus is initially idle

```verilog
initial	assume(!i_av_read);
initial	assume(!i_av_write);
initial	assume(!i_av_lock);
initial	assert(!o_av_readdatavalid);
initial	assert(!o_av_writeresponsevalid);
```
Avalon bus
- Cannot respond to both read and write in the same clock

```verilog
always @(*)
	assume((!i_av_readdatavalid) || (!i_av_writeresponsevalid));
```

Remember !(A && B) is equivalent to (!A) || (!B)

- Cannot respond if no request is outstanding

```verilog
always @(*)
begin
	if (f_wr_outstanding == 0)
		assert(!o_av_writeresponsevalid);
	if (f_rd_outstanding == 0)
		assert(!o_av_readdatavalid);
end
```
Wishbone
- o_STB can only be high if o_CYC is also high

```verilog
always @(*)
if (o_STB)
	assert(o_CYC);
```

- Count the number of outstanding requests:

```verilog
assign	f_outstanding = (i_reset) ? 0 : f_nreqs - f_nacks;
```

- Acks can only respond to valid requests

```verilog
always @(*)
if (f_outstanding == 0)
	assume(!i_wb_ack);
```
Wishbone
- Well, what if a request is being made now?

```verilog
always @(*)
if ((f_outstanding == 0) && ((!o_wb_stb) || (i_wb_stall)))
	assume(!i_wb_ack);
```

- If not within a bus request, the ACK and ERR lines must be low

```verilog
always @(*)
if (!o_CYC)
begin
	assume(!i_ACK);
	assume(!i_ERR);
end
```

- Following any reset, the bus will be idle
- Requests remain unchanged until accepted
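The slave/master duality from the bus slides and the Wishbone rules just listed, gathered into one formal-only property module as an added example (not the slides' own code). The o_wb_*/i_wb_* port names, the widths and the f_* bookkeeping are this example's assumptions; the module is meant to be instantiated beside the master under test with the bus wires connected to it.

```verilog
// Added example: Wishbone master-side properties. Signals the master
// drives are asserted, signals the slave (the environment) drives are
// assumed. Port names, widths and f_* names are this example's own.
module fwb_master_props #(parameter AW = 8, DW = 32) (
	input	wire		i_clk, i_reset,
	// Driven by the master under test, so these are asserted
	input	wire		o_wb_cyc, o_wb_stb, o_wb_we,
	input	wire [AW-1:0]	o_wb_addr,
	input	wire [DW-1:0]	o_wb_data,
	// Driven by the slave, i.e. the environment, so these are assumed
	input	wire		i_wb_stall, i_wb_ack, i_wb_err);

	// $past() has nothing to look back at on the very first clock
	reg	f_past_valid;
	initial	f_past_valid = 1'b0;
	always @(posedge i_clk)
		f_past_valid <= 1'b1;

	// Requests accepted and responses returned in the current bus
	// cycle; their difference is the number still outstanding
	reg	[7:0]	f_nreqs, f_nacks;
	wire	[7:0]	f_outstanding;

	initial	f_nreqs = 0;
	initial	f_nacks = 0;
	always @(posedge i_clk)
	if (i_reset || !o_wb_cyc)
	begin
		f_nreqs <= 0;
		f_nacks <= 0;
	end else begin
		if (o_wb_stb && !i_wb_stall)
			f_nreqs <= f_nreqs + 1'b1;
		if (i_wb_ack || i_wb_err)
			f_nacks <= f_nacks + 1'b1;
	end
	assign	f_outstanding = (i_reset) ? 0 : f_nreqs - f_nacks;

	// Master output: STB may only be high while CYC is high
	always @(*)
	if (o_wb_stb)
		assert(o_wb_cyc);

	// Slave inputs: no response outside a bus cycle ...
	always @(*)
	if (!o_wb_cyc)
	begin
		assume(!i_wb_ack);
		assume(!i_wb_err);
	end

	// ... and none unless a request is outstanding or is being accepted
	// on this very clock (a zero-latency slave may respond at once)
	always @(*)
	if ((f_outstanding == 0) && ((!o_wb_stb) || (i_wb_stall)))
	begin
		assume(!i_wb_ack);
		assume(!i_wb_err);
	end

	// Following any reset, the bus is idle
	always @(posedge i_clk)
	if (f_past_valid && $past(i_reset))
	begin
		assert(!o_wb_cyc);
		assert(!o_wb_stb);
	end

	// A request the slave stalled must be held unchanged until accepted
	always @(posedge i_clk)
	if (f_past_valid && !$past(i_reset)
		&& $past(o_wb_cyc) && $past(o_wb_stb) && $past(i_wb_stall))
	begin
		assert(o_wb_cyc);
		assert(o_wb_stb);
		assert($stable(o_wb_we));
		assert($stable(o_wb_addr));
		if (o_wb_we)
			assert($stable(o_wb_data));
	end
endmodule
```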
Cache
Want a guarantee that the cache response is consistent?
- A valid cache entry must ...

```verilog
always @(posedge i_clk)
if (o_valid)
begin
	// Be marked valid in the cache
	assert(cache_valid[f_addr[CW-1:LW]]);
	// Have the same cache tag as address
	assert(f_addr[AW-1:LW] == cache_tag[f_addr[CW-1:LW]]);
	// Match the value in the cache
	assert(o_data == cache_data[f_addr[CW-1:0]]);
	// Must be in response to a valid request
	assert(waiting_requests != 0);
end
```
Multiply
Consider a multiply
- Just because an algorithm doesn’t meet timing, or
- Just because it takes up logic your FPGA doesn’t have,

doesn’t mean you can’t use it now

```verilog
always @(posedge i_clk)
begin
	f_answer = 0;
	for(k=0; k<NA; k=k+1)
	begin
		if (i_a[k])
			f_answer = f_answer + (i_b << k);
	end
	assert(o_result == f_answer);
end
```
![Page 56: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/56.jpg)
Multiply
Welcome
Motivation
Basics
Basics
General Rule
Assert
Assume
Ź BMC
Ex: Counter
Sol’n
Clocked and $past
k Induction
Bus Properties
Free Variables
Abstraction
Invariants
Multiple-Clocks
Cover
Sequences
Quizzes
47 / 462
Let’s talk about that multiply some more . . .
˝ The one thing formal solver’s don’t handle well is multiplies
Abstraction offers alternatives
Memory Management Unit

˝ For a page result to be valid, it must match the TLB

always @(*)
if (last_page_valid)
begin
	assert(tlb_valid[f_last_page]);
	assert(last_ppage == tlb_pdata[f_last_page]);
	assert(last_vpage == tlb_vdata[f_last_page]);
	assert(last_ro  == tlb_flags[f_last_page][ROFLAG]);
	assert(last_exe == tlb_flags[f_last_page][EXEFLG]);
	assert(r_context_word[LGCTXT-1:1] == tlb_cdata[f_last_page]);
end
SDRAM

˝ Writing requires the right row of the right bank to be activated

always @(posedge i_clk)
if ((f_past_valid)&&(!maintenance_mode))
case(f_cmd)
// ...
F_WRITE: begin
	// Response to a write request
	assert(f_we);
	// Bank in question must be active
	assert(bank_active[o_ram_bs] == 3'b111);
	// Active row must be for this address
	assert(bank_row[o_ram_bs] == f_addr[22:10]);
	// Must be selecting the right bank
	assert(o_ram_bs == f_addr[9:8]);
	end
// ...
Ex: Counter

Let's work through a counter as an example.

exercise-01/ contains two files:
	counter.v	This will be the HDL source for our demo.
	counter.sby	This is the SymbiYosys script for the demo.

Our Objectives:

˝ Walk through the steps in the tool-flow
˝ Hands on experience with SymbiYosys
˝ Ensure everyone has a working version of SymbiYosys
˝ Find and fix a design bug
Ex: Counter

parameter [15:0] MAX_AMOUNT = 22;
reg [15:0] counter;

always @(posedge i_clk)
if ((i_start_signal)&&(counter == 0))
	counter <= MAX_AMOUNT-1'b1;
else if (counter != 0)
	counter <= counter - 1'b1;

always @(*)
	o_busy = (counter != 0);

`ifdef FORMAL
always @(*)
	assert(counter < MAX_AMOUNT);
`endif
Example: SymbiYosys

In the file, exercise-01/counter.sby, you'll find:

[options]
mode bmc

[engines]
smtbmc

[script]
read -formal counter.v
# ... other files would go here
prep -top counter

[files]
counter.v

˝ [options] mode bmc: bounded model checking mode
˝ [engines] smtbmc: run, using yosys-smtbmc
˝ [script]: Yosys commands
  – read -formal counter.v: read the file, with the formal extensions (assert/assume) enabled and FORMAL defined
  – prep -top counter: prepare the design for formal, with counter as the top module
˝ [files]: list of files to be used
Example: SymbiYosys

Other useful options and yosys commands

[options]
mode bmc
depth 20

[engines]
smtbmc yices
# smtbmc boolector
# smtbmc z3

[script]
read -formal counter.v
# ... other files would go here
prep -top counter
opt_merge -share_all

[files]
counter.v

˝ mode bmc: other modes are prove, cover and live
˝ depth 20: number of steps to examine
˝ smtbmc yices: use the Yices SMT solver (the default)
˝ # smtbmc boolector, # smtbmc z3: other potential solvers
˝ opt_merge -share_all: we'll discuss this later
˝ [files]: full or relative pathnames go here
Running SymbiYosys

Run: % sby -f counter.sby
BMC Failed

Run: % sby -f counter.sby
Where Next

Look at source line 63, and fire up gtkwave
GTKWave trace.vcd

Run: % gtkwave counter/engine_0/trace.vcd
Examine the source

Run: % gvim demo-rtl/counter.v

What did we do wrong?

Did you notice the missing initial statement?
Illegal Initial State

˝ Problem: No initial statement
˝ Solver finds an invalid initial state
  With no initial statement, the solver may pick any 16-bit starting value for counter, including one at or above MAX_AMOUNT
˝ Model fails
Exercise

Try adding in the initial statement. Will it work?
Clocked and $past
Lesson Overview

Our Objective:

˝ To learn how to make assertions crossing time intervals
  – $past()
˝ Before the beginning of time
  – Assumptions always hold
  – Assertions rarely hold
˝ How to get around this with f_past_valid
The $past operator

˝ $past(X) returns the value of X one clock ago.
˝ $past(X,N) returns the value of X N clocks ago.
˝ Depends upon a clock
  – This is illegal, since no clock is associated with the $past operator:

always @(*)
if (X)
	assert(Y == $past(Y));

  – But you can do this:

always @(posedge clk)
if (X)
	assert(Y == $past(Y));
$past Rule
Past Assertions

Let's modify our counter, by creating some additional properties:

always @(*)
	assume(!i_start_signal);

always @(posedge clk)
	assert($past(counter == 0));

˝ i_start_signal is now never true, so the counter should always be zero.
˝ assert(counter == 0);
  This should always be true, since counter starts at zero, and is never changed from zero.
˝ Will assert($past(counter == 0)); succeed?

You can find this file in exercise-02/pastassert.v
Past Assertions

˝ This fails

always @(*)
	assume(!i_start_signal);

always @(posedge clk)
	assert($past(counter == 0));

˝ Before time, counter is unconstrained.
˝ The solver can make it take on any value it wants in order to make things fail
˝ This will not show in the VCD file
Past Assertions

˝ This succeeds

always @(*)
	assume(!i_start_signal);

always @(*)
	assert(counter == 0);
Past Assertions

Let's try again:

always @(posedge clk)
if ($past(i_start_signal))
	assert(counter == MAX_AMOUNT-1'b1);

This should work, right? No, it fails.

˝ i_start_signal is unconstrained before time
˝ counter is initially constrained to zero
˝ If i_start_signal is one before time, counter will still be zero when time begins
f_past_valid

We can fix this with a register I call f_past_valid:

reg	f_past_valid;

initial	f_past_valid = 1'b0;
always @(posedge clk)
	f_past_valid <= 1'b1;

always @(posedge clk)
if ((f_past_valid)&&($past(i_start_signal)))
	assert(counter == MAX_AMOUNT-1'b1);

Will this work? Almost, but not yet.
Fixing the counter

˝ What about the case where i_start_signal is raised while the counter isn't zero?
  The design ignores the start request while it is busy, so the counter just keeps counting down and the assertion above fails.

reg	f_past_valid;

initial	f_past_valid = 1'b0;
always @(posedge clk)
	f_past_valid <= 1'b1;

always @(posedge clk)
if ((f_past_valid)&&($past(i_start_signal))
		&&($past(counter == 0)))
	assert(counter == MAX_AMOUNT-1'b1);

˝ Will this work? Yes, now it will work
˝ You'll find lots of references to f_past_valid in my own designs
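To see concretely why the missing initial statement (the Illegal Initial State slide) and the unconstrained $past (the Past Assertions and f_past_valid slides) break bounded model checking, here is an added example that is not from the course and is not SymbiYosys: a toy explicit-state bounded model checker, in Python, for the 16-bit counter above. It unrolls the design step by step from every allowed initial state and treats the $past() values at step 0 as free, the way the solver does. All of its names (counter_next, bmc, the p_* property functions, ALL_VALUES) are this example's own. It reproduces the outcomes the slides describe: with no initial statement the bound assertion fails at step 0; the naive $past assertion fails at step 0; gating with f_past_valid alone fails at step 2 (a start pulse while busy); and the fully guarded assertion passes.

```python
"""Toy bounded model checker for the exercise-01 counter (added example; not
the course's code and not SymbiYosys).  The state is the 16-bit `counter`, the
only input is `i_start_signal`.  A property is handed what a clocked immediate
assertion sees: the current state, the $past() values, and whether this is the
first step, where $past() is unconstrained and f_past_valid is still 0."""
from itertools import product

MAX_AMOUNT = 22                 # parameter [15:0] MAX_AMOUNT = 22;
WIDTH = 16                      # reg [15:0] counter;
ALL_VALUES = range(1 << WIDTH)  # every value the solver may pick for counter


def counter_next(counter, i_start_signal):
    """One posedge of the counter's always block (no reset in this version)."""
    if i_start_signal and counter == 0:
        return MAX_AMOUNT - 1
    if counter != 0:
        return counter - 1
    return counter


def bmc(prop, depth, initial_states):
    """Bounded model check of `prop` for `depth` clock steps.

    prop(step, past_valid, past_start, past_counter, counter) -> True if the
    assertion holds.  `initial_states` is what the solver may choose for
    counter at step 0: ALL_VALUES models a design with no initial statement,
    [0] models `initial counter = 0`.  Returns None when no counterexample
    exists within the bound, otherwise (failing_step, counterexample)."""
    # Step 0: nothing happened "before time", so every $past(...) value is
    # free and f_past_valid is 0.  Enumerate all the choices the solver has.
    for past_start, past_counter in product((0, 1), ALL_VALUES):
        for counter in initial_states:
            if not prop(0, False, past_start, past_counter, counter):
                return 0, {"counter": counter,
                           "$past(i_start_signal)": past_start,
                           "$past(counter)": past_counter}
    # Steps 1..depth: unroll the transition relation from the reachable states;
    # from here on the $past() values are the previous step's real values.
    frontier = set(initial_states)
    for step in range(1, depth + 1):
        reached = set()
        for past_counter in frontier:
            for past_start in (0, 1):
                counter = counter_next(past_counter, past_start)
                if not prop(step, True, past_start, past_counter, counter):
                    return step, {"counter": counter,
                                  "$past(i_start_signal)": past_start,
                                  "$past(counter)": past_counter}
                reached.add(counter)
        frontier = reached
    return None


# always @(*) assert(counter < MAX_AMOUNT);
def p_bounded(step, past_valid, past_start, past_counter, counter):
    return counter < MAX_AMOUNT


# always @(posedge clk) if ($past(i_start_signal)) assert(counter == MAX_AMOUNT-1);
def p_past_naive(step, past_valid, past_start, past_counter, counter):
    return not past_start or counter == MAX_AMOUNT - 1


# ... if ((f_past_valid)&&($past(i_start_signal))) assert(counter == MAX_AMOUNT-1);
def p_past_gated(step, past_valid, past_start, past_counter, counter):
    return not (past_valid and past_start) or counter == MAX_AMOUNT - 1


# ... if ((f_past_valid)&&($past(i_start_signal))&&($past(counter == 0)))
#         assert(counter == MAX_AMOUNT-1);
def p_past_fixed(step, past_valid, past_start, past_counter, counter):
    return (not (past_valid and past_start and past_counter == 0)
            or counter == MAX_AMOUNT - 1)


if __name__ == "__main__":
    print("no initial statement:", bmc(p_bounded, 20, ALL_VALUES))
    print("initial counter = 0: ", bmc(p_bounded, 20, [0]))
    print("naive $past:         ", bmc(p_past_naive, 20, [0]))
    print("f_past_valid only:   ", bmc(p_past_gated, 20, [0]))
    print("fully guarded:       ", bmc(p_past_fixed, 20, [0]))
```

The checker is explicit-state rather than SMT-based, so it only scales to toy designs, but the shape of the result is the same as the real tool's: a failing step number and the free values the solver chose, including the $past() values that never appear in the VCD.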
Examples

Let's look at some practical examples
Reset example, #1

The rule: Every design should start in the reset state.

initial	assume(i_RESET);

always @(*)
if (!f_past_valid)
	assume(i_RESET);

What would be the difference between these two properties?
Reset example, #2

The rule: On the clock following a reset, there should be no outstanding bus requests.

always @(posedge clk)
if ((f_past_valid)&&($past(i_RESET)))
	assert(!o_CYC);
Reset example, #2

Two times registers must have their reset value

˝ Initially
˝ Following a reset

always @(posedge clk)
if ((!f_past_valid)||($past(i_reset)))
begin
	assert(!o_CYC);
	assert(!o_STB);
	// etc.
end
Bus example

The rule: while a request is being made, the request cannot change until it is accepted.

always @(posedge clk)
if ((f_past_valid)
		&&($past(o_STB))&&($past(i_STALL)))
begin
	assert(o_STB);
	assert(o_REQ == $past(o_REQ));
end
Ex: Busy Counter

Many of my projects include some type of "busy counter"

˝ Serial port logic must wait for a baud clock
  Transmit characters must wait for the port to be idle
˝ I2C logic needs to slow the clock down
˝ SPI logic may also need to slow the clock down

Objectives:

˝ Gain some confidence using formal methods to prove that alternative designs are equivalent
Exercise: Busy Counter

Here's the basic design. It should look familiar.

parameter [15:0] MAX_AMOUNT = 22;

reg [15:0] counter;

initial	counter = 0;
always @(posedge i_clk)
if (i_reset)
	counter <= 0;
else if ((i_start_signal)&&(counter == 0))
	counter <= MAX_AMOUNT-1'b1;
else if (counter != 0)
	counter <= counter - 1;

always @(*)
	o_busy = (counter != 0);
Exercise: Busy Counter

You can find the design in exercise-03/busyctr.v.
Exercise: Create the following properties:

1. i_start_signal may be raised at any time
   No property needed here
2. Once raised, assume i_start_signal will remain high until it is high and the counter is no longer busy.
3. o_busy will always be true while the counter is non-zero
   Make sure you check o_busy both when counter == 0 and counter != 0
   This requires an assertion
4. If the counter is non-zero, it should always be counting down
   Beware of the reset!
   This requires another assertion
![Page 106: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/106.jpg)
Exercise: Busy Counter
79 / 462
Let’s draw this requirement out
2. Once raised, assume i_start_signal will remain high until it is high and the counter is no longer busy.
[Timing diagram: traces for i_clk, i_start_signal, o_busy and counter; counter counts down 5, 4, 3, 2, 1, 0 and is then reloaded to 21 once i_start_signal is seen while not busy]
![Page 107: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/107.jpg)
Busy Counter, Part two
80 / 462
Exercise:
1. Make o_busy a clocked register
```verilog
always @(posedge i_clk)
	o_busy <= /* your logic goes here */;
```
2. Prove that o_busy is true if and only if the counter is non-zero
• You can use this approach to adjust your design to meet timing
– Shuffle logic from one clock to another, then
– Prove the new design remains valid
![Page 108: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/108.jpg)
k Induction
81 / 462
![Page 109: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/109.jpg)
Lesson Overview
82 / 462
If you want to formally verify your design, BMC is insufficient
• Bounded Model Checking (BMC) will only prove that your design is correct for the first N clocks.
• It cannot prove that the design won’t fail on the next clock, clock N + 1
• This is the purpose of the induction step: proving correctness for all time
Our Goals
• Be able to explain what induction is
• Be able to explain why induction is valuable
• Know how to run induction
• What are the unique problems associated with induction
![Page 110: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/110.jpg)
From Pre-Calc
83 / 462
Proof by induction has two steps:
1. Base case: Prove for $N = 0$ (or one)
2. Inductive step: Assume true for $N$, prove true for $N + 1$.
Example: Prove $\sum_{n=0}^{N-1} x^n = \frac{1 - x^N}{1 - x}$
• For $N = 1$, the sum is $x^0$ or one:
$\sum_{n=0}^{0} x^n = x^0 = \frac{1 - x}{1 - x}$
So this is true (for $x \neq 1$).
• For the inductive step, we’ll
– Assume true for $N$, then prove for $N + 1$
![Page 111: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/111.jpg)
Proof, continued
84 / 462
Prove $\sum_{n=0}^{N-1} x^n = \frac{1 - x^N}{1 - x}$ for all $N$
• Assume true for $N$, prove for $N + 1$:
$\sum_{n=0}^{N} x^n = x^N + \sum_{n=0}^{N-1} x^n = x^N + \frac{1 - x^N}{1 - x}$
• Prove for $N + 1$:
$\sum_{n=0}^{N} x^n = \frac{1 - x}{1 - x} x^N + \frac{1 - x^N}{1 - x} = \frac{x^N - x^{N+1} + 1 - x^N}{1 - x} = \frac{1 - x^{N+1}}{1 - x}$
This proves the inductive case.
• Hence this is true for all $N$ (where $N > 0$ and $x \neq 1$)
![Page 112: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/112.jpg)
k Induction
85 / 462
Suppose $\forall n : P[n]$ is what we wish to prove
• Traditional induction
– Base case: show $P[0]$
– Inductive case: show $P[n] \rightarrow P[n+1]$
• k induction
– Base case: show $\bigwedge_{k=0}^{N-1} P[k]$
This is what we did with BMC
– k-induction step: $\left( \bigwedge_{k=n-N+1}^{n} P[k] \right) \rightarrow P[n+1]$
This is our next step
Why use k induction?
![Page 116: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/116.jpg)
Induction in Verification
86 / 462
Formal verification uses k induction
• Base case: Assume the first N steps do not violate any assumptions, . . . Prove that the first N steps do not violate any assertions. This is the BMC pass we’ve already done.
• Inductive Step: Assume N steps exist that neither violate any assumptions nor any assertions, and assume the N + 1 step violates no assumptions, . . . Prove that the N + 1 step does not violate any assertions.
![Page 117: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/117.jpg)
BMC vs Induction
87 / 462
BMC and induction are very different.
• BMC, the base case
• Induction step
• The number of BMC time-steps must be more than the number of inductive time-steps
• Register values at the beginning of the inductive step can be anything allowed by your assertions and assumptions
• This is where the work takes place.
![Page 118: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/118.jpg)
General Rule
88 / 462
The general rule hasn’t changed:
• assume inputs,
• assert internal states and any outputs.
If you assume too much, your design will pass formal verification and still not work.
![Page 119: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/119.jpg)
Checkers
89 / 462
Some assertions:
• Games are played on black squares
• Players will never have more than 12 pieces
• Only legal moves are possible
• Game is over when one side can no longer move
Where might the induction engine start?
![Page 120: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/120.jpg)
Checkers in the Library
90 / 462
Black’s going to move and win
![Page 121: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/121.jpg)
Checkers in the Library
90 / 462
White’s going to move and win
![Page 122: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/122.jpg)
Checkers in the Library
90 / 462
Black’s going to . . . , huh?
![Page 123: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/123.jpg)
Checkers in the Library
90 / 462
Would this pass our criteria?
![Page 124: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/124.jpg)
Checkers and Induction
91 / 462
What can we learn from Checkers?
• Inductive step starts in the middle of the game
  Only the assumptions and asserts are used to validate the game
• All of the FF’s (variables) start in arbitrary states
  These states are only constrained by your assumptions and assertions.
• Your formal constraints are required to limit the allowable states
![Page 125: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/125.jpg)
The Trap
92 / 462
• If your formal properties are not strict enough, induction may start in an unreachable state
• This is a common problem!
![Page 126: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/126.jpg)
The Solution
93 / 462
To make induction work, you must . . .
• assume unrealistic inputs will never happen
• assert any remaining unreachable states are illegal
• Induction often requires more properties than BMC alone
![Page 127: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/127.jpg)
Results
94 / 462
Unlike BMC, the results of induction might be inconclusive

| k-Induction \ Base case (BMC) | FAIL         | PASS     |
|-------------------------------|--------------|----------|
| FAIL                          | Design fails | UNKNOWN  |
| PASS                          | Design fails | SUCCESS! |

The k induction pass will fail if your design doesn’t have enough assertions.
![Page 128: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/128.jpg)
Results
95 / 462
There’s also a difference in when BMC and induction finish
• BMC will finish early if the design FAILs
• Induction will finish early if the design PASSes
• In all other cases, they will run the full depth of steps
You can use this fact to trim the depth of your proof
• Once induction succeeds, trim your proof depth to that length
• This will immediately make your proof run that much faster
![Page 129: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/129.jpg)
Examples
96 / 462
• Let’s look at some examples
![Page 130: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/130.jpg)
Another Counter
97 / 462
This design would pass many steps of BMC
```verilog
reg [15:0] counter;

initial counter = 0;
always @(posedge clk)
	counter <= counter + 1'b1;

always @(*)
	assert(counter < 16'd65000);
```
It will not pass induction. Can you explain why not?
![Page 131: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/131.jpg)
Another Counter
98 / 462
Here’s another counter that will pass BMC, but not induction
```verilog
reg [15:0] counter;

initial counter = 0;
always @(posedge clk)
if (counter == 16'd22)
	counter <= 0;
else
	counter <= counter + 1'b1;

always @(*)
	assert(counter != 16'd500);
```
Can you explain why not?
![Page 132: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/132.jpg)
Another Counter
99 / 462
With one simple change, this design will now pass induction
```verilog
reg [15:0] counter;

initial counter = 0;
always @(posedge clk)
if (counter == 16'd22)
	counter <= 0;
else
	counter <= counter + 1'b1;

always @(*)
	assert(counter <= 16'd22);
```
See the difference?
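To see why the three counters above behave as they do, here is a toy explicit-state checker, added as an example and not part of the course material or of SymbiYosys, that runs the base case and the inductive step as the "Induction in Verification" slide defines them and reports the starting state the inductive step picks. It assumes the next-state functions as transcribed in the slides, and it leaves out the loop-free constraint real engines add to the inductive trace (an assumption that does not change these verdicts).

```python
"""Toy explicit-state BMC / k-induction checker (added example, not SymbiYosys).

Models the three 16-bit counters from the 'Another Counter' slides.  The base
case starts from the initial value; the inductive step starts from *any* state
the property allows, which is why it may begin in a state BMC never reached.
Assumption: the inductive trace is not required to be loop-free.
"""

WIDTH = 16
MASK = (1 << WIDTH) - 1
STATES = range(1 << WIDTH)


def counter_plus1(s):
    """always @(posedge clk) counter <= counter + 1'b1;  (wraps at 16 bits)"""
    return {(s + 1) & MASK}


def counter_mod23(s):
    """if (counter == 16'd22) counter <= 0; else counter <= counter + 1'b1;"""
    return {0} if s == 22 else {(s + 1) & MASK}


def bmc(init, step, prop, depth):
    """Base case: every state reachable from `init` within `depth` clocks must
    satisfy `prop`.  Returns ("PASS", depth, None) or ("FAIL", n, state)."""
    frontier, seen = {init}, {init}
    for n in range(depth + 1):
        for s in frontier:
            if not prop(s):
                return ("FAIL", n, s)
        nxt = set()
        for s in frontier:
            nxt |= step(s)
        frontier = nxt - seen
        seen |= frontier
    return ("PASS", depth, None)


def k_induction(step, prop, k, states):
    """Inductive step: look for k consecutive prop-satisfying states followed
    by a violation.  The first state is unconstrained, so the engine may start
    'in the middle of the game'.  Returns ("PASS", j, None) as soon as no chain
    of length j exists (induction finishes early), or ("FAIL", k, trace) with a
    (k+1)-state counterexample whose first state is usually unreachable."""
    preds = {s: set() for s in states}
    for s in states:
        for t in step(s):
            preds[t].add(s)
    succ = {}                                   # state -> next state on the trace
    layer = {s for s in states if not prop(s)}  # violations, 0 clocks away
    for j in range(1, k + 1):
        nxt = set()
        for t in layer:
            for p in preds[t]:
                # a state is placed on a trace at most once (cheap stand-in for
                # the loop-free constraint real engines impose)
                if prop(p) and p not in succ and p not in nxt:
                    succ[p] = t
                    nxt.add(p)
        if not nxt:
            return ("PASS", j, None)
        layer = nxt
    trace = [min(layer)]
    while trace[-1] in succ:
        trace.append(succ[trace[-1]])
    return ("FAIL", k, trace)


def prove(step, prop, bmc_depth, k):
    """Combine both passes the way 'mode prove' does (see the Results table)."""
    base = bmc(0, step, prop, bmc_depth)
    if base[0] == "FAIL":
        return "Design fails"
    ind = k_induction(step, prop, k, STATES)
    return "SUCCESS!" if ind[0] == "PASS" else "UNKNOWN"


if __name__ == "__main__":
    # Slide 97: 20 steps of BMC pass, but induction may start at counter=64995.
    print(prove(counter_plus1, lambda s: s < 65000, 20, 5))
    print(k_induction(counter_plus1, lambda s: s < 65000, 5, STATES))
    # Slide 98: BMC never leaves 0..22; induction starts at the unreachable 495.
    print(k_induction(counter_mod23, lambda s: s != 500, 5, STATES))
    # Slide 99: counter <= 22 is closed under the next-state function, so no
    # state satisfying it can step into a violation: induction passes at k=1.
    print(prove(counter_mod23, lambda s: s <= 22, 20, 5))
```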
![Page 133: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/133.jpg)
Shift Register Comparison
100 / 462
These shift registers will be equal during BMC, but require at least sixteen steps to pass induction
```verilog
reg [15:0] sa, sb;
initial sa = 0;
initial sb = 0;
always @(posedge clk)
	sa <= { sa[14:0], i_bit };

always @(posedge clk)
	sb <= { sb[14:0], i_bit };

always @(*)
	assert(sa[15] == sb[15]);
```
Can you explain why it would take so long?
![Page 134: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/134.jpg)
Shift Register Comparison
101 / 462
This design is almost identical to the last one, yet fails induction. The key difference is the if (i_ce).
```verilog
reg [15:0] sa, sb;
initial sa = 0;
initial sb = 0;
always @(posedge clk)
if (i_ce)
	sa <= { sa[14:0], i_bit };

always @(posedge clk)
if (i_ce)
	sb <= { sb[14:0], i_bit };

always @(*)
	assert(sa[15] == sb[15]);
```
Can you explain why this wouldn’t pass?
![Page 135: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/135.jpg)
Fixing Shift Reg
102 / 462
Several approaches to fixing this:
1. assume(i_ce);
   Doesn’t really test the design
2. opt_merge -share_all, yosys option
   Works for some designs
3. assert(sa == sb);
   Best, but only works when sa and sb are visible
4. Insist on no more than M clocks between i_ce’s
5. Use a different prover, under the [engines] option
   • smtbmc: Inconclusive Proof (Induction fails)
   • abc pdr: Pass
   • aiger suprove: Pass
Most of these options work for some designs only
![Page 142: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/142.jpg)
SymbiYosys
103 / 462
Here’s how we’ll change our sby file:
```ini
[options]
mode prove

[engines]
smtbmc

[script]
read -formal module.v
# ... other files would go here
prep -top module
opt_merge -share_all

[files]
../path-to/module.v
```
• mode prove: Use BMC and k-induction
• [engines]: Other potential engines would go here, after smtbmc
• opt_merge -share_all: Here’s where opt_merge would go, at the end of the [script] section
![Page 146: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/146.jpg)
Ex: DblPipe
104 / 462
Exercise #4: dblpipe.v
```verilog
module dblpipe(i_clk, i_ce, i_data, o_data);
	// ...
	wire	a_data, b_data;

	lfsr_fib one(i_clk, 1'b0, i_ce, i_data, a_data);
	lfsr_fib two(i_clk, 1'b0, i_ce, i_data, b_data);

	initial o_data = 1'b0;
	always @(posedge i_clk)
		o_data <= a_data ^ b_data;
endmodule
```
![Page 147: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/147.jpg)
Ex: DblPipe
105 / 462
Exercise #4: dblpipe.v
• lfsr_fib just implements a Fibonacci linear feedback shift register,
```verilog
sreg[(LN-2):0] <= sreg[(LN-1):1];
sreg[(LN-1)]   <= (^(sreg & TAPS)) ^ i_in;
```
![Page 148: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/148.jpg)
Ex: DblPipe
106 / 462
Exercise #4: dblpipe.v, lfsr_fib.v
```verilog
reg [(LN-1):0] sreg;

initial sreg = INITIAL_FILL;
always @(posedge i_clk)
if (i_reset)
	sreg <= INITIAL_FILL;
else if (i_ce)
begin // Basic shift register update operation
	sreg[(LN-2):0] <= sreg[(LN-1):1];
	sreg[(LN-1)]   <= (^(sreg & TAPS)) ^ i_in;
end

assign o_bit = sreg[0];
```
• Both registers one and two use the exact same logic
![Page 149: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/149.jpg)
Ex: DblPipe
107 / 462
Exercise #4:
• Using dblpipe.v
– Prove that the output, o_data, is zero
![Page 150: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/150.jpg)
Ex: LFSRs
108 / 462
Galois and Fibonacci are supposedly identical
• Galois
• Fibonacci
• Exercise #5 will be to prove these two implementations are identical
![Page 151: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/151.jpg)
Ex: LFSRs
109 / 462
Exercise #5:
• exercise-05/ contains files lfsr_equiv.v, lfsr_gal.v, and lfsr_fib.v.
• lfsr_gal.v contains a Galois version of an LFSR
• lfsr_fib.v contains a Fibonacci version of the same LFSR
• lfsr_equiv.v contains an assertion that these are equivalent
Prove that these are truly equivalent shift registers.
![Page 152: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/152.jpg)
Where is the bug?
110 / 462
Following an induction failure, look over the trace
If you see a problem in section . . .
A: You are missing one or more assertions. You’ll only have this problem with induction.
B: You have a failing assert @(posedge clk)
C: You have a failing assert @(*)
These latter two indicate a potential logic failure, but they could still be caused by property failures.
![Page 153: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/153.jpg)
Bus Properties
111 / 462
![Page 154: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/154.jpg)
Ex: WB Bus
112 / 462
We have everything we need now to write formal properties for a bus
• This lesson walks through an example: the Wishbone Bus
Our Objectives:
• Learn to apply formal methods to something imminently practical
• Learn to build the formal description of a bus component
• Help lead up to a bus arbiter component
![Page 155: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/155.jpg)
AXI Channels
113 / 462
Avalon Channels
Wishbone Channels
- Why use Wishbone? It's simpler!
WB Signals
From the master's perspective:

Specification name   Direction   My name
CYC                  O           o_wb_cyc
STB                  O           o_wb_stb
WE                   O           o_wb_we
ADDR                 O           o_wb_addr
DATA                 O           o_wb_data
SEL                  O           o_wb_sel
STALL                I           i_wb_stall
ACK                  I           i_wb_ack
DATA                 I           i_wb_data
ERR                  I           i_wb_err
WB Signals
From the slave's perspective:

Specification name   Direction   My name
CYC                  I           i_wb_cyc
STB                  I           i_wb_stb
WE                   I           i_wb_we
ADDR                 I           i_wb_addr
DATA                 I           i_wb_data
SEL                  I           i_wb_sel
STALL                O           o_wb_stall
ACK                  O           o_wb_ack
DATA                 O           o_wb_data
ERR                  O           o_wb_err

To swap perspectives from master to slave . . .

- Swap the port direction
- Swap the assume() statements for assert()s
Single Read
[Waveform: a single read. Signals shown: CLK, o_CYC, o_STB, o_WE, o_ADDR (A0), o_DATA, i_STALL, i_ACK, i_DATA (D0)]

- STB must be low when CYC is low
- If CYC goes low mid-transaction, the transaction is aborted
- While STB and STALL are active, the request cannot change
- One request is made for every clock with STB and !STALL
- One ACK response per request
- No ACKs allowed when the bus is idle
- No way to stall the ACK line
- The bus result is in i_DATA when i_ACK is true
Three Writes
[Waveform: three writes. Signals shown: CLK, o_CYC, o_STB, o_WE, o_ADDR (A1, A2, A3), o_DATA (D1, D2, D3), i_STALL, i_ACK, i_DATA]

Let's start building some formal properties.
CYC and STB
- The bus starts out idle, and returns to idle after a reset

    always @(posedge i_clk)
    if ((!f_past_valid)||($past(i_reset)))
    begin
        // Nothing is in flight: no responses from the slave ...
        assume(!i_wb_ack);
        assume(!i_wb_err);
        // ... and no request from the master
        assert(!o_wb_cyc);
        assert(!o_wb_stb);
    end
- STB is low whenever CYC is low

    always @(*)
    if (!o_wb_cyc)
        assert(!o_wb_stb);
The Master Waits
- While STB and STALL are active, the request doesn't change

    // AW and DW are the address and data widths
    wire [AW+DW+1:0] f_request;
    assign f_request = { o_wb_stb, o_wb_we, o_wb_addr, o_wb_data };

    always @(posedge i_clk)
    if (($past(o_wb_stb))&&($past(i_wb_stall)))
        assert(f_request == $past(f_request));

- Did we get it?
- Well, not quite: o_wb_data is a don't care for any read request
- While STB and STALL are active, the request doesn't change

    // AW and DW are the address and data widths
    wire [AW+1:0]    f_rd_request;
    wire [AW+DW+1:0] f_wr_request;
    assign f_rd_request = { o_wb_stb, o_wb_we, o_wb_addr };
    assign f_wr_request = { f_rd_request, o_wb_data };

    always @(posedge i_clk)
    if ((f_past_valid)&&($past(o_wb_stb))&&($past(i_wb_stall)))
    begin
        // First, for reads: o_wb_data is a don't care
        if ($past(!o_wb_we))
            assert(f_rd_request == $past(f_rd_request));
        // Second, for writes: o_wb_data must not change either
        if ($past(o_wb_we))
            assert(f_wr_request == $past(f_wr_request));
    end
CYC and STB
- No acknowledgements without a request
- No errors without a request
- Following any error, the bus cycle ends
- A bus cycle can be terminated early
Bus example
The rule: the slave (external) cannot stall the master for more than F_OPT_MAXSTALL counts:

    reg [7:0] f_stall_count;   // must be wide enough to hold F_OPT_MAXSTALL
    initial f_stall_count = 0;
    always @(posedge i_clk)
    if ((i_reset)||(!o_CYC)||((o_STB)&&(!i_STALL)))
        f_stall_count <= 0;            // idle, or the request was accepted
    else if (o_STB)
        f_stall_count <= f_stall_count + 1'b1;   // stalled another clock

    always @(posedge i_clk)
    if (o_CYC)
        assume(f_stall_count < F_OPT_MAXSTALL);

This solves the i_ce problem seen earlier, this time with the i_STALL signal.
Bus example
The rule: the slave can only respond to requests

    reg [3:0] f_nreqs, f_nacks;

    initial f_nreqs = 0;
    always @(posedge i_clk)
    if ((i_reset)||(!i_CYC))
        f_nreqs <= 0;
    else if ((i_STB)&&(!o_STALL))
        f_nreqs <= f_nreqs + 1'b1;

    // Similar counter for acknowledgements
    initial f_nacks = 0;
    always @(posedge i_clk)
    if ((i_reset)||(!i_CYC))
        f_nacks <= 0;
    else if (o_ACK)
        f_nacks <= f_nacks + 1'b1;

    always @(*)
    if (f_nreqs == f_nacks)
        assert(!o_ACK);

The logic above almost works. Can anyone spot the problems?
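The rules from the CYC and STB, The Master Waits and Bus example slides, collected into one slave-side property module. This is an added example, not the course's fwb_slave.v: the parameter names F_LGDEPTH, F_MAX_STALL and F_MAX_ACK_DELAY and the port list are this example's own choices, and the counters are bounded rather than compared for equality so that wrap-around cannot fool the "no response without a request" check.

```verilog
// Added example, not the course's fwb_slave.v: Wishbone B4 pipelined bus
// properties as seen by a slave under test. Master-driven signals are
// assumed; slave-driven signals are asserted. Parameter names and the
// port list are this example's own choices.
module fwb_slave_props #(
    parameter AW = 8, DW = 32,
    parameter F_LGDEPTH       = 4, // at most 2^F_LGDEPTH-2 requests outstanding
    parameter F_MAX_STALL     = 4, // a request may be stalled at most this many clocks
    parameter F_MAX_ACK_DELAY = 8  // an accepted request is answered within this many
) (
    input wire i_clk, i_reset,
    // Driven by the master: assumed
    input wire            i_wb_cyc, i_wb_stb, i_wb_we,
    input wire [AW-1:0]   i_wb_addr,
    input wire [DW-1:0]   i_wb_data,
    input wire [DW/8-1:0] i_wb_sel,
    // Driven by the slave under test: asserted
    input wire            i_wb_ack, i_wb_stall, i_wb_err,
    output reg  [F_LGDEPTH-1:0] f_nreqs, f_nacks,
    output wire [F_LGDEPTH-1:0] f_outstanding
);
    reg f_past_valid;
    initial f_past_valid = 1'b0;
    always @(posedge i_clk) f_past_valid <= 1'b1;

    // The bus starts idle and returns to idle after a reset
    always @(posedge i_clk)
    if (!f_past_valid || $past(i_reset))
    begin
        assume(!i_wb_cyc);
        assume(!i_wb_stb);
        assert(!i_wb_ack);
        assert(!i_wb_err);
    end

    // STB is low whenever CYC is low
    always @(*)
    if (!i_wb_cyc) assume(!i_wb_stb);

    // A stalled request is held unchanged (DATA only matters for writes).
    // Dropping CYC aborts instead, so the hold only applies while CYC stays high.
    always @(posedge i_clk)
    if (f_past_valid && !$past(i_reset) && $past(i_wb_stb && i_wb_stall) && i_wb_cyc)
    begin
        assume(i_wb_stb);
        assume(i_wb_we   == $past(i_wb_we));
        assume(i_wb_addr == $past(i_wb_addr));
        assume(i_wb_sel  == $past(i_wb_sel));
        if (i_wb_we) assume(i_wb_data == $past(i_wb_data));
    end

    // Following any error, the master ends the bus cycle
    always @(posedge i_clk)
    if (f_past_valid && !$past(i_reset) && $past(i_wb_cyc && i_wb_err))
        assume(!i_wb_cyc);

    // Count accepted requests and responses within the current bus cycle
    initial f_nreqs = 0;
    always @(posedge i_clk)
    if (i_reset || !i_wb_cyc)         f_nreqs <= 0;
    else if (i_wb_stb && !i_wb_stall) f_nreqs <= f_nreqs + 1'b1;
    initial f_nacks = 0;
    always @(posedge i_clk)
    if (i_reset || !i_wb_cyc)         f_nacks <= 0;
    else if (i_wb_ack || i_wb_err)    f_nacks <= f_nacks + 1'b1;
    assign f_outstanding = f_nreqs - f_nacks;

    // Bounding the (modular) difference keeps it meaningful: a bare
    // f_nreqs == f_nacks test is fooled once either counter wraps
    always @(*)
    if (i_wb_cyc) assume(f_outstanding < {(F_LGDEPTH){1'b1}});

    // Responses only for accepted requests, never ACK and ERR together
    always @(*)
    begin
        if (!i_wb_cyc || f_outstanding == 0)
            assert(!i_wb_ack && !i_wb_err);
        assert(!(i_wb_ack && i_wb_err));
    end

    // The slave may not stall a request forever ...
    reg [7:0] f_stall_count; // wide enough for F_MAX_STALL < 256
    initial f_stall_count = 0;
    always @(posedge i_clk)
    if (i_reset || !i_wb_cyc || (i_wb_stb && !i_wb_stall)) f_stall_count <= 0;
    else if (i_wb_stb) f_stall_count <= f_stall_count + 1'b1;
    always @(*)
    if (i_wb_cyc && i_wb_stb) assert(f_stall_count < F_MAX_STALL);

    // ... nor sit on an accepted request forever
    reg [7:0] f_ack_delay; // wide enough for F_MAX_ACK_DELAY < 256
    initial f_ack_delay = 0;
    always @(posedge i_clk)
    if (i_reset || !i_wb_cyc || i_wb_ack || i_wb_err || f_outstanding == 0) f_ack_delay <= 0;
    else f_ack_delay <= f_ack_delay + 1'b1;
    always @(*)
    if (i_wb_cyc && f_outstanding != 0) assert(f_ack_delay < F_MAX_ACK_DELAY);
endmodule
```

Instantiate it inside the slave's `ifdef FORMAL` section, feeding the slave's own ACK, STALL and ERR outputs to the i_wb_ack, i_wb_stall and i_wb_err ports, and run SymbiYosys in prove mode. f_outstanding is exported so the slave's own state (a pending-request flag, a FIFO fill level) can be tied to it with an assert(), which is usually what k-induction needs. For the master's file, swap the port directions and the assume/assert pairs exactly as the WB Signals slide describes.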
Two Exercises
Let's build up to proving a WB arbiter.

- Let's prove (BMC + k-induction) . . .
  1. Exercise #6: a simple arbiter, exercise-06/reqarb.v
  2. Exercise #7: then a Wishbone bus arbiter, exercise-07/wbpriarbiter.v
- Given a set of bus properties: fwb_slave.v
Simple Arbiter
The basics

- *_req requests a transaction
- *_data, the contents of the transaction
- *_busy, true if the source must wait
Simple Arbiter
- If (*_req)&&(!*_busy), the request is accepted
- If (*_req)&&(*_busy), the request may not change, except on reset
Simple Arbiter
To prove:

- No data will be lost, no requests will be dropped. Assume all requests remain stable until accepted.
- Only one source ever gets access at a time. Assert one busy line is always high.
- Therefore, all requests go through . . . eventually. This is a natural consequence of the above. Don't worry about starvation here.
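A two-source arbiter with the properties the last three slides ask for, as an added example. It is not the course's exercise-06/reqarb.v: the downstream o_req/o_data/i_busy port, the a_owner register and the priority rule are this example's own design; only the *_req, *_data and *_busy port names follow the slides.

```verilog
// Added example, not the course's exercise-06/reqarb.v. Source A has
// priority; ownership of the channel only changes while the owner is
// idle, so a request that has started (req && busy) is never dropped.
// The downstream o_req/o_data/i_busy port is this example's assumption.
module reqarb #(parameter DW = 32) (
    input  wire          i_clk, i_reset,
    input  wire          i_a_req, i_b_req,
    input  wire [DW-1:0] i_a_data, i_b_data,
    output wire          o_a_busy, o_b_busy,
    output wire          o_req,
    output wire [DW-1:0] o_data,
    input  wire          i_busy
);
    reg a_owner;   // 1: A owns the channel, 0: B owns it
    initial a_owner = 1'b1;
    always @(posedge i_clk)
    if (i_reset)                              a_owner <= 1'b1;
    else if ( a_owner && !i_a_req && i_b_req) a_owner <= 1'b0;
    else if (!a_owner && !i_b_req && i_a_req) a_owner <= 1'b1;

    assign o_req    = a_owner ? i_a_req  : i_b_req;
    assign o_data   = a_owner ? i_a_data : i_b_data;
    assign o_a_busy = !a_owner || i_busy;
    assign o_b_busy =  a_owner || i_busy;

`ifdef FORMAL
    reg f_past_valid;
    initial f_past_valid = 1'b0;
    always @(posedge i_clk) f_past_valid <= 1'b1;

    // Assume: a source holds its request until accepted (except across reset)
    always @(posedge i_clk)
    if (f_past_valid && !$past(i_reset))
    begin
        if ($past(i_a_req && o_a_busy))
            assume(i_a_req && i_a_data == $past(i_a_data));
        if ($past(i_b_req && o_b_busy))
            assume(i_b_req && i_b_data == $past(i_b_data));
    end

    // Assert: only one source ever has the channel
    always @(*)
    begin
        assert(o_a_busy || o_b_busy);
        assert(!((i_a_req && !o_a_busy) && (i_b_req && !o_b_busy)));
    end

    // Assert: an accepted request reaches the downstream side unchanged,
    // in the same clock, so nothing is lost
    always @(*)
    begin
        if (i_a_req && !o_a_busy) assert(o_req && !i_busy && o_data == i_a_data);
        if (i_b_req && !o_b_busy) assert(o_req && !i_busy && o_data == i_b_data);
    end

    // Assert: the downstream side sees the same stable-request rule
    always @(posedge i_clk)
    if (f_past_valid && !$past(i_reset) && $past(o_req && i_busy))
        assert(o_req && o_data == $past(o_data));

    // Cover: the low-priority source does get through
    always @(*)
        cover(i_b_req && !o_b_busy);
`endif
endmodule
```

The only state is a_owner, so the design passes k-induction without extra invariants; the cover() statement gives a trace showing B being served after A goes idle, which is as close to "eventually" as a safety proof gets.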
WB Arbiter
Shall we try this with Wishbone?
WB Arbiter
The request side is almost identical

- If (STB)&&(!STALL), the request is accepted
- If (STB)&&(STALL), the request must not change
WB Arbiter
The difference is the acknowledgements

- The arbiter cannot change during an active transaction
- All requests get responses
- No response can be returned without a request
WB Arbiter
Now, prove that exercise-07/wbpriarbiter.v works.

- Use both BMC and k-induction (mode prove)
- You'll need to build the fwb_master.v properties
WB Arbiter
The fwb_slave.v properties will

- Assume a behaving master
- Assert a behaving slave
WB Arbiter
You'll write the fwb_master.v properties by

- Swapping inputs with outputs
  - Port names need not change
- Swapping assumptions with assertions
WB Arbiter
The magic is in how the files are connected

- If one interface is connected, both master and slave . . .
  - Should see the same number of requests
  - Should see the same number of acknowledgements
WB Arbiter
The magic is in how the files are connected

- If one interface is connected, the other . . .
  - Should not have made any successful requests
  - Should not have received any acknowledgements
File Structure
- Traditional test-bench file structure
- Doesn't work with yosys formal
- Why not?
Single File
- Formal properties can be placed at the bottom of the module
- This works well for testing some modules
- What's the limitation?
Multiple Files
- Design with multiple files
- They were each formally correct
- Problems?
- Problems? Yes! In induction
- State variables needed to be formally synchronized (assert())
Multiple Files
Proving properties for many components together can quickly get out of hand!
Free Variables
Lesson Overview
When dealing with memory, ...

- Testing the entire memory is not required
- Testing an arbitrary value is

It's time to discuss (* anyconst *) and (* anyseq *)

Objectives

- Understand what a free variable is
- Understand how (* anyconst *) and (* anyseq *) can be used to create free variables
- Learn how you can use free variables to validate memory and memory interfaces
any*
- (* anyconst *)

    (* anyconst *) wire [N-1:0] cval;

  - Can be anything
  - Defined at the beginning of time
  - Never changed

- (* anyseq *)

    (* anyseq *) wire [N-1:0] sval;

  - Can change from one timestep to the next

Both can still be constrained via assume() statements
Memory
How might you verify a memory with this?

    (* anyconst *) wire [AW-1:0] f_const_addr;
    reg [DW-1:0] f_mem_value;   // formal shadow copy of the one cell at f_const_addr

    // Handle writes
    always @(posedge i_clk)
    if ((i_stb)&&(i_we)&&(i_addr == f_const_addr))
        f_mem_value <= i_data;

    // Handle reads
    always @(posedge i_clk)
    if ((f_past_valid)&&($past(i_stb))&&(!$past(i_we))
            &&($past(i_addr == f_const_addr)))
        assert(o_data == f_mem_value);
So what?
Consider the specification of a prefetch

- The contract

    (* anyconst *) wire [AW-1:0] f_const_addr;   // as in the memory example
    (* anyconst *) wire [31:0]   f_const_data;

    always @(posedge i_clk)
    if ((o_valid)&&(o_pc == f_const_addr))
        assert(o_insn == f_const_data);

- You'll also need to assume a bus input

    always @(posedge i_clk)
    if ((i_ack)&&(ackd_address == f_const_addr))
        assume(i_data == f_const_data);
Rule of Free Variables
How would our general rule apply here?

- Assume inputs, assert internal state and outputs
- Both (* anyconst *) and (* anyseq *) act like inputs
- You could have written

    input wire i_value;

    always @(posedge i_clk)
    if (f_past_valid)
        assume(i_value == $past(i_value));

  for the same effect as (* anyconst *)
- assume() them, therefore, and not assert()
Ex: Flash Controller
This works for a flash (or other ROM) controller too:

    (* anyconst *) wire [AW-1:0] f_addr;
    (* anyconst *) wire [DW-1:0] f_data;

    always @(*)
    if ((o_wb_ack)&&(f_request_addr == f_addr))
        assert(o_wb_data == f_data);

Don't forget the corollary assumptions!

    always @(*)
    if (f_request_addr == f_addr)
        assume(i_spi_miso == f_data[controller_state]);

. . . or something similar
Ex: Serial Port
You can use this to build a serial port transmitter

    (* anyseq *) wire       f_tx_start;
    (* anyseq *) wire [7:0] f_tx_data;

    always @(*)
    if (f_tx_busy)
        assume(!f_tx_start);

    always @(posedge f_txclk)
    if (f_tx_busy)
        assume(f_tx_data == $past(f_tx_data));

You can then

- Tie assertions to partially received data
- . . . and pass induction
Discussion
How would you use free variables to verify a cache implementation?
Hint: you only need three properties for the cache contract
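One way to answer the discussion question, and to fill in the prefetch contract from the "So what?" slide, as an added example that is not the course's code: a one-entry instruction cache in front of a Wishbone read-only memory, with three free-variable properties. f_const_addr and f_const_data are the names the slides use; the CPU-side handshake (i_new_pc/i_pc set the fetch address, o_valid/o_insn/o_pc present an instruction, i_stall holds it) and every internal name are this example's assumptions.

```verilog
// Added example, not the course's code: a single-line instruction cache
// over a Wishbone read-only memory and its three-property contract.
// The CPU-side handshake and internal names are this example's own.
module onecache #(parameter AW = 8, DW = 32) (
    input wire           i_clk, i_reset,
    // CPU side
    input wire           i_new_pc, i_stall,
    input wire [AW-1:0]  i_pc,
    output wire          o_valid,
    output wire [DW-1:0] o_insn,
    output reg  [AW-1:0] o_pc,
    // Wishbone master side (read only)
    output reg           o_wb_cyc, o_wb_stb,
    output reg  [AW-1:0] o_wb_addr,
    input wire           i_wb_ack, i_wb_stall, i_wb_err,
    input wire [DW-1:0]  i_wb_data
);
    reg          c_valid;   // the single cache line: valid, tag, data
    reg [AW-1:0] c_tag;
    reg [DW-1:0] c_data;

    // The line is presented whenever it holds the address the CPU wants
    assign o_valid = c_valid && (c_tag == o_pc);
    assign o_insn  = c_data;

    // o_pc: the address the CPU wants next
    initial o_pc = 0;
    always @(posedge i_clk)
    if (i_reset)                  o_pc <= 0;
    else if (i_new_pc)            o_pc <= i_pc;
    else if (o_valid && !i_stall) o_pc <= o_pc + 1'b1;

    // One outstanding read at a time; the request is held until accepted
    initial o_wb_cyc = 1'b0;
    initial o_wb_stb = 1'b0;
    initial c_valid  = 1'b0;
    always @(posedge i_clk)
    if (i_reset)
    begin
        o_wb_cyc <= 1'b0;
        o_wb_stb <= 1'b0;
        c_valid  <= 1'b0;
    end else if (!o_wb_cyc)
    begin
        if (!o_valid && !i_new_pc)
        begin
            o_wb_cyc  <= 1'b1;
            o_wb_stb  <= 1'b1;
            o_wb_addr <= o_pc;
        end
    end else begin
        if (!i_wb_stall) o_wb_stb <= 1'b0;        // request accepted
        if (i_wb_ack || i_wb_err)
        begin
            o_wb_cyc <= 1'b0;                      // cycle complete
            o_wb_stb <= 1'b0;
        end
        if (i_wb_ack)
        begin
            c_valid <= 1'b1;                       // fill the line
            c_tag   <= o_wb_addr;
            c_data  <= i_wb_data;
        end
    end

`ifdef FORMAL
    (* anyconst *) wire [AW-1:0] f_const_addr;
    (* anyconst *) wire [DW-1:0] f_const_data;

    // 1. Assume: the memory behind the bus holds f_const_data at f_const_addr
    //    (a ROM; a writable memory would track writes as in the memory example)
    always @(*)
    if (o_wb_cyc && i_wb_ack && o_wb_addr == f_const_addr)
        assume(i_wb_data == f_const_data);

    // 2. Assert: whatever the line holds for f_const_addr is correct.
    //    This is the invariant k-induction needs to carry from step to step.
    always @(*)
    if (c_valid && c_tag == f_const_addr)
        assert(c_data == f_const_data);

    // 3. Assert: the contract the CPU sees
    always @(*)
    if (o_valid && o_pc == f_const_addr)
        assert(o_insn == f_const_data);
`endif
endmodule
```

Property 1 is the assumption the rule of free variables calls for, property 3 is the contract from the "So what?" slide, and property 2 is the one that makes induction go through: without it the solver is free to start an induction step with a valid line holding the wrong data. The same three shapes scale to a multi-line cache by quantifying over the line that f_const_addr maps to.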
Abstraction
Lesson Overview
- Proving simple modules is easy.
- What about large and complex ones?

It's time to discuss abstraction.

Objectives

- Understand what abstraction is
- Gain confidence in the idea of abstraction
- Understand how to reduce a design via abstraction
Abstraction Formally
Formally, if

    $A \rightarrow C$

then we can also say that

    $(A \wedge B) \rightarrow C$
Formal Proof
Shall we go over the proof?
    $A \rightarrow C \;\Rightarrow\; \lnot A \lor C = \mathrm{True}$

True or anything is still true, so

    $(\lnot A \lor C) \lor \lnot B$

Rearranging terms

    $\lnot A \lor \lnot B \lor C$

    $\lnot (A \wedge B) \lor C$

Expressing as an implication

    $(A \wedge B) \rightarrow C$

Q.E.D.!
So what?
With every additional module,

- Formal verification becomes more difficult
- Complexity increases exponentially
- You only have so many hours and dollars

On the other hand,

- Anything you can simplify by abstraction . . .
- is one less thing you need to prove
In Pictures
Suppose your state space looked like this

- It takes many transitions to get to the interesting states
In Pictures
Suppose we added to this design . . .

- Some additional states, and
- Additional transitions

The real states and transitions must still remain
In Pictures
If this new design still passes, then . . .

- Since the original design is a subset . . .
- The original design must also still pass

If done well, the new design will require less effort to prove
A CPU
Where would you start?
At the interfaces!
Prefetch
Let's consider a prefetch module as an example.

If you do this right,

- Any internally consistent prefetch,
- that properly responds to the CPU, and
- interacts properly with the bus,
- must work!

Care to try a different prefetch approach?
Prefetch
Suppose the prefetch was just a shell

It would still interact properly with

- The bus, and
- The CPU
- It just might not return values from the bus to the CPU
![Page 210: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/210.jpg)
Prefetch
Suppose the prefetch was just a shell.

If the CPU still acted "correctly"

- With either the right, or the wrong instructions, then
- The CPU must act correctly with the right instructions
![Page 212: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/212.jpg)
Examples
Consider these statements:

- Prefetch is bus master, interfaces w/CPU

  If (Prefetch responds to CPU insn requests)
  And (Prefetch produces the right instructions)
  Then (The prefetch works within the design)
![Page 213: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/213.jpg)
Examples
Consider these statements:

- The CPU is just a wishbone master within a design

  If (The CPU is a valid bus master)
  And (CPU properly executes instructions)
  Then (CPU works within a design)
![Page 214: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/214.jpg)
Examples
Consider these statements:

- The ALU must return a calculated number

  If (ALU returns a value when requested)
  And (It is the right value)
  Then (The ALU works within the design)
![Page 215: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/215.jpg)
Examples
Consider these statements:

- A flash device responds in 8-80 clocks

  If (Bus master reads/responds to a request)
  And (The response comes back in 8-80 clocks)
  Then (The CPU can interact with a flash memory)
![Page 216: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/216.jpg)
Examples
Consider these statements:

- The divide must return a calculated number

  If (Divide returns a value when requested)
  And (It is the right value)
  Then (The divide works within the design)
![Page 217: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/217.jpg)
Examples
Consider these statements:

- Formal solvers break down when applied to multiplies

  If (Multiply unit returns an answer N clocks later)
  And (It is the right value)
  Then (The multiply works within the design)
![Page 218: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/218.jpg)
Abstracted CPU components
Looking at the CPU again,

- Replace all the components with abstract shells
- . . . shells that might produce the same answers
![Page 219: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/219.jpg)
Back to the Counter
Let's consider a fractional counter:

```verilog
reg [31:0] r_count;
initial r_count = 0;
initial o_pps   = 0;
always @(posedge i_clk)
    { o_pps, r_count } <= r_count + 32'd43;
```

The problem with this counter:

- It will take about 100 million clocks (2^32 / 43) to roll over and set o_pps
- Formally checking 100 million clocks is prohibitive

We'll need a better way, or we'll never deal with this
![Page 220: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/220.jpg)
Back to the Counter
How might we build an abstract counter?

- First, create an arbitrary counter increment

```verilog
(* anyseq *) wire [31:0] increment;
wire         [31:0] rollover;
assign rollover = -r_count;   // distance from r_count to the next wrap

always @(*)
begin
    assume(increment > 0);
    assume(increment < {2'h1, 30'h0});
    if (rollover < 32'd43)
        assume(increment == 32'd43);
    else
        assume(increment < rollover);
end
```

The correct increment, 32'd43, must be a possibility

The last two assumptions keep the wrap where the real counter would put it: a step may never jump across the roll-over, and once the real increment would wrap, only the real increment is allowed.
![Page 221: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/221.jpg)
Back to the Counter
We can now increment our counter by this arbitrary increment

```verilog
always @(posedge i_clk)
    { o_pps, r_count } <= r_count + increment;
```

Will this work?

- Let's try this to see!

```verilog
always @(posedge i_clk)
if (f_past_valid)
    assert(r_count != $past(r_count));

always @(posedge i_clk)
if ((f_past_valid)&&(r_count < $past(r_count)))
    assert(o_pps);
```
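As an added example (not code from the slides), here is the fractional counter with the abstract increment, the two assertions and a cover collected into one module. The module name `abs_fraccounter`, the parameter `F_ABSTRACT` and the wire name `f_increment` are my own choices for illustration; the step 32'd43 and the assumptions are the ones from the slides.

```verilog
// Added example: the fractional counter with its abstraction and checks
// in one place.  Module, parameter and f_increment names are assumed.
module abs_fraccounter(i_clk, o_pps);
	input	wire	i_clk;
	output	reg	o_pps;

	reg	[31:0]	r_count;
	wire	[31:0]	increment;

	initial	r_count = 0;
	initial	o_pps   = 0;
	always @(posedge i_clk)
		{ o_pps, r_count } <= r_count + increment;

`ifdef	FORMAL
	// 1 = abstract increment, 0 = the real 32'd43
	parameter [0:0]	F_ABSTRACT = 1'b1;

	reg	f_past_valid;
	initial	f_past_valid = 1'b0;
	always @(posedge i_clk)
		f_past_valid <= 1'b1;

	// Distance from r_count to the next wrap
	wire	[31:0]	rollover;
	assign	rollover = -r_count;

	generate if (F_ABSTRACT)
	begin : ABSTRACT_INCREMENT
		// Any step the solver likes, as long as the wrap still happens
		// exactly where the real increment would put it
		(* anyseq *) wire [31:0] f_increment;
		assign	increment = f_increment;

		always @(*)
		begin
			assume(f_increment > 0);
			assume(f_increment < {2'h1, 30'h0});
			if (rollover < 32'd43)
				assume(f_increment == 32'd43);
			else
				assume(f_increment < rollover);
		end
	end else begin : REAL_INCREMENT
		assign	increment = 32'd43;
	end endgenerate

	// The counter never stalls
	always @(posedge i_clk)
	if (f_past_valid)
		assert(r_count != $past(r_count));

	// A wrap, and only a wrap, produces the pulse
	always @(posedge i_clk)
	if (f_past_valid)
		assert(o_pps == (r_count < $past(r_count)));

	// The pulse must be reachable: with the abstraction it is a handful
	// of steps away instead of 100 million
	always @(posedge i_clk)
		cover(o_pps);
`else
	assign	increment = 32'd43;
`endif
endmodule
```

Run it with the usual SymbiYosys script (`read -formal abs_fraccounter.v`, `prep -top abs_fraccounter`): `mode prove` checks the two assertions, and `mode cover` with a depth of about 8 reaches o_pps within six steps. Re-running with F_ABSTRACT set to 0 checks the same assertions against the real increment; the abstraction proves the properties, but only the concrete run shows the 43 itself is what you meant.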
![Page 222: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/222.jpg)
Other Possibilities
How else might you use this?

- Bypassing the run-up for an external peripheral
- Testing a real-time clock or date

Or . . . how about that CPU?
![Page 223: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/223.jpg)
Exercise
Let's modify this abstract counter

- Increment by one, rather than fractionally

Exercise Objectives:

- Prove a design works both with and without abstraction
- Gain some confidence using abstraction
![Page 224: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/224.jpg)
Exercise #8
Your task:

- Rebuild the counter
- Make it increment by one
- Build it so that . . .

```verilog
always @(*)
    assert(o_carry == (r_count == 0));

// and

always @(posedge i_clk)
if ((f_past_valid)&&(!$past(&r_count)))
    assert(!o_carry);
```

- Prove that this abstracted counter works
![Page 226: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/226.jpg)
Exercise #8
Your task:

- Rebuild the counter
- Make it increment by one
- Prove that this abstracted counter works

Hints:

- &r_count must take place before r_count == 0
- You cannot skip &r_count
- Neither can you skip r_count == 0
![Page 227: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/227.jpg)
Invariants
![Page 228: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/228.jpg)
Lesson Removed
This lesson is currently being revised, and will be released again shortly
![Page 229: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/229.jpg)
Multiple-Clocks
![Page 230: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/230.jpg)
Lesson Overview
The SymbiYosys option multiclock . . .

- Used to process systems with dissimilar clocks
- Examples
  - A serial port, with a formally generated transmitter coming from a different clock domain
  - A SPI controller that needs both high speed and low speed logic

Our Objective:

- To learn how to handle multiple clocks within a design
  - (* gclk *)
  - $stable, $changed
  - $rose, $fell
![Page 231: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/231.jpg)
SymbiYosys config change
```
[options]
mode prove
# Multiple clocks require the next line
multiclock on

[engines]
smtbmc

[script]
read -formal module.v
prep -top module

[files]
# file list
```
![Page 233: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/233.jpg)
Five Tools
- (* gclk *)
  Provides access to the global formal time-step
- $stable
  True if a signal is stable (i.e. doesn't change) with respect to the clock of the enclosing block. Equivalent to A == $past(A)
- $changed
  True if a signal has changed since the last clock tick. Equivalent to A != $past(A)
- $rose
  True if the signal rises on this formal time-step. This is very useful for positive-edge clock transitions. $rose(A) is equivalent to (A[0])&&(!$past(A[0]))
- $fell
  True if a signal falls on this time-step, creating a negative edge. $fell(A) is equivalent to (!A[0])&&($past(A[0]))
![Page 234: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/234.jpg)
(* gclk *)
- A global formal time step

```verilog
(* gclk *) wire gbl_clk;
```

- You can use this to describe clock properties

```verilog
// Assume a single clock signal
//
reg f_last_clk;

initial f_last_clk = 0;
always @(posedge gbl_clk)
begin
    f_last_clk <= !f_last_clk;
    assume(i_clk == f_last_clk);
end
```
![Page 235: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/235.jpg)
(* gclk *)
```verilog
always @(posedge gbl_clk)
begin
    f_last_clk <= !f_last_clk;
    assume(i_clk == f_last_clk);
end
```

(Waveform: f_last_clk toggles on every global time step, and i_clk is assumed equal to it, so i_clk has one rising edge every second global step.)
![Page 236: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/236.jpg)
(* gclk *)
- Used to gain access to the formal time-step

```verilog
(* gclk *) wire gbl_clk;
```

- You can use this to describe clock properties

```verilog
// Assume two related clock signals
//
reg [2:0] f_clk_counter;

initial f_clk_counter = 0;
always @(posedge gbl_clk)
begin
    f_clk_counter <= f_clk_counter + 1'b1;
    assume(i_clk_fast == f_clk_counter[0]);
    assume(i_clk_slow == f_clk_counter[2]);
end
```
![Page 237: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/237.jpg)
(* gclk *)
The clock logic on the last slide forces these two clocks to be in sync

(Waveform: f_clk_counter counting 7, 0, 1, 2, 3, 4, 5, 6, 7, 0, . . .; i_clk_fast toggles on every global step and i_clk_slow on every fourth, so i_clk_slow runs at one quarter the rate of i_clk_fast with a fixed phase.)
![Page 238: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/238.jpg)
(* gclk *)
- Used to gain access to the formal time-step
- You can use this to describe clock properties

```verilog
// Assume two clocks, same speed,
// unknown constant phase offset
(* gclk *)     wire       gbl_clk;
(* anyconst *) wire [2:0] f_clk_offset;
reg [2:0] f_clk_counter, f_clk_two;

initial f_clk_counter = 0;
always @(posedge gbl_clk)
begin
    f_clk_counter <= f_clk_counter + 1'b1;
    f_clk_two     <= f_clk_counter + f_clk_offset;
    assume(i_clk_one == f_clk_counter[2]);
    assume(i_clk_two == f_clk_two[2]);
end
```
![Page 239: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/239.jpg)
(* gclk *)
The formal tool will pick the phase offset between these two generated clock waveforms

(Waveform: f_clk_counter counting 0 through 17; i_clk_one and i_clk_two run at the same rate, with i_clk_two shifted by the solver-chosen f_clk_offset.)
![Page 241: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/241.jpg)
(* gclk *)
How might you describe two unrelated clocks?

```verilog
(* gclk *)     wire       gbl_clk;
(* anyconst *) wire [7:0] f_a_step;
reg [7:0] f_a_counter;   // no initial value: the phase is arbitrary too

always @(*)
    assume((f_a_step > 0)&&(f_a_step[7] == 1'b0));

always @(posedge gbl_clk)
begin
    f_a_counter <= f_a_counter + f_a_step;
    assume(i_clk_a == f_a_counter[7]);
end
```

- The (* anyconst *) value may take on any constant value
- You can repeat this logic for the second clock.
![Page 242: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/242.jpg)
(* gclk *)
The timing relationship between these two clocks can be anything

- Each clock can have an arbitrary frequency
- Each clock can have an arbitrary phase

Here's a theoretical example trace

(Waveform: i_clk_a and i_clk_b, each produced by its own phase accumulator.)

Don't be surprised by the appearance of phase noise

Bonus: The trace above isn't realistic. Why not?
![Page 243: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/243.jpg)
$rose
Synchronous logic has some requirements

- Inputs should only change on a clock edge. They should be stable otherwise
- $rose(i_clk) can be used to express this

Here's an example using $rose(i_clk) . . .

```verilog
always @(posedge gbl_clk)
if (!$rose(i_clk))
    assume(i_input == $past(i_input));
```
![Page 244: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/244.jpg)
$fell
$fell is like $rose, only it describes a negative edge

(Waveform: i_clk; $rose(i_clk) is true for the single global step at each rising edge, $fell(i_clk) for the single global step at each falling edge.)
![Page 246: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/246.jpg)
$rose
Let's go back to the synchronous logic requirements

- Inputs only change on clock edges
- $rose(i_clk) and $fell(i_clk) can be used to express this
- Let's try this out

Would this work?

```verilog
always @(posedge gbl_clk)
if (!$rose(i_clk))
    assert(i_input == $past(i_input));
```

- No. The general rule hasn't changed: i_input is an input, so its behaviour is assumed, not asserted. Nothing constrains what the solver drives on i_input, so this assertion can only fail.
![Page 248: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/248.jpg)
$rose
Could we do it this way?

```verilog
always @(posedge gbl_clk)
if ($fell(i_clk))
    assert(state == $past(state));
```

- No, this doesn't work either

(Waveform: i_clk; state is checked only in the single global step where $fell(i_clk) is true and is unconstrained in every other step.)
![Page 250: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/250.jpg)
$rose
Is this equivalent?

```verilog
always @(posedge gbl_clk)
if (!$past(i_clk))
    assert(state == $past(state));
```

- Why not?

(Waveform: i_clk; !$past(i_clk) is true whenever the clock was low in the previous step, which includes the step of the rising edge itself, so state is wrongly forbidden from changing at the edge, and is unconstrained in every step where the clock was high.)
![Page 252: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/252.jpg)
$rose
This fixes our problems. Will this work?

```verilog
always @(posedge gbl_clk)
if (!$rose(i_clk))
    assert(state == $past(state));
```

- Not quite. Can you see the problem?
![Page 253: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/253.jpg)
$rose
- State/outputs should be clock synchronous

```verilog
always @(posedge gbl_clk)
if ((f_past_valid)&&(!$rose(i_clk)))
    assert(state == $past(state));
```

- With f_past_valid this works

(Waveform: i_clk; state marked Stable in every global step where !$rose(i_clk) holds; f_past_valid is low only in the first global step, where $past(state) has no value yet.)

- $rose requires a clock, such as always @(posedge gbl_clk)
![Page 254: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/254.jpg)
$stable
Describes a signal which has not changed

```verilog
always @(posedge gbl_clk)
if ((f_past_valid)&&(!$rose(i_clk)))
    assert($stable(state));
```

- Requires a clock edge, such as always @(posedge gbl_clk) or always @(posedge i_clk)
- This is basically the same as state == $past(state)
![Page 255: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/255.jpg)
$stable
Caution: $stable(X) might still change between clock edges

```verilog
always @(posedge i_clk)
    assume($stable(i_value));
```

The waveform below would satisfy the assumption above

(Waveform: i_clk; i_value toggling 0, 1, 0, 1, . . . on every global time step; $past(i_value) reads 0 at every posedge i_clk, so $stable(i_value) is true at every sample even though i_value changes twice per clock period.)

The key to understanding what's going on is to realize . . .

- The assumption is only evaluated on @(posedge i_clk)
- $past(i_value) is only sampled @(posedge i_clk)
- . . . and not on the formal (* gclk *) time step.
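As an added example that is not part of the slides, here are the pieces from the (* gclk *), $rose and $stable pages assembled into one complete multiclock harness around a one-register design. The module and signal names (`mclk_harness`, `f_clk_step`, `f_clk_counter`, `o_state`) are assumed for illustration; the phase-accumulator clock generator and the `!$rose(i_clk)` pattern are the slides' own.

```verilog
// Added example: a complete multiclock harness.  Module and signal
// names are assumed; the design under test is a single register.
module mclk_harness(i_clk, i_input, o_state);
	input	wire		i_clk;
	input	wire	[7:0]	i_input;
	output	reg	[7:0]	o_state;

	// The design under test: one register, clocked by i_clk
	initial	o_state = 8'h00;
	always @(posedge i_clk)
		o_state <= i_input;

`ifdef	FORMAL
	// Global formal time step: the solver advances this, not i_clk
	(* gclk *)	wire	gbl_clk;

	// Kept on the global step, so $past() below is valid from the
	// second global step on
	reg	f_past_valid;
	initial	f_past_valid = 1'b0;
	always @(posedge gbl_clk)
		f_past_valid <= 1'b1;

	// Clock generator: an 8-bit phase accumulator stepped by a constant
	// the solver picks.  f_clk_counter has no initial value, so the
	// starting phase is arbitrary as well.
	(* anyconst *)	wire	[7:0]	f_clk_step;
	reg		[7:0]	f_clk_counter;

	always @(*)
		assume((f_clk_step > 0)&&(f_clk_step[7] == 1'b0));

	always @(posedge gbl_clk)
		f_clk_counter <= f_clk_counter + f_clk_step;

	always @(*)
		assume(i_clk == f_clk_counter[7]);

	// Synchronous input: it may only change on a rising edge of i_clk.
	// This is written on gbl_clk, not on i_clk, so it also rules out
	// changes between edges (the $stable caution above).
	always @(posedge gbl_clk)
	if ((f_past_valid)&&(!$rose(i_clk)))
		assume($stable(i_input));

	// Synchronous state: it may only change on a rising edge of i_clk
	always @(posedge gbl_clk)
	if ((f_past_valid)&&(!$rose(i_clk)))
		assert($stable(o_state));

	// On that edge it captures the value that was on the input just
	// before the edge
	always @(posedge gbl_clk)
	if ((f_past_valid)&&($rose(i_clk)))
		assert(o_state == $past(i_input));

	// The generated clock must actually tick and the register must
	// actually move, or the assertions above are vacuous
	always @(posedge gbl_clk)
	if (f_past_valid)
		cover($rose(i_clk));

	always @(posedge gbl_clk)
	if (f_past_valid)
		cover($changed(o_state));
`endif
endmodule
```

Run it with `multiclock on` in the `[options]` section and `read -formal mclk_harness.v` followed by `prep -top mclk_harness` in the script; SymbiYosys then converts the i_clk flop into global-step logic itself. Moving the `assume($stable(i_input))` into an `always @(posedge i_clk)` block would let the solver glitch i_input between edges, exactly as on the caution page.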
![Page 256: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/256.jpg)
Examples
- Most logic doesn't need the multiclock option
- To help with logic that might need it, I use a parameter

```verilog
parameter [0:0] F_OPT_CLK2FFLOGIC = 1'b0;

generate if (F_OPT_CLK2FFLOGIC)
begin
    (* gclk *) wire gbl_clk;

    always @(posedge gbl_clk)
    if ((f_past_valid)&&(!$rose(i_clk)))
    begin
        assume($stable(i_axi_awready));
        assume($stable(i_axi_wready));
        // . . .
    end
end endgenerate
```
![Page 258: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/258.jpg)
Ex SPI Port
(SPI timing diagram: o_CS_n, o_SCK, o_MOSI, i_MISO)

- How would you formally describe the o_SCK and o_CS_n relationship?

```verilog
initial assert(o_CS_n);
initial assert(o_SCK);

always @(*)
if (!o_SCK)
    assert(!o_CS_n);
```
![Page 259: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/259.jpg)
Ex SPI Port
(SPI timing diagram: o_CS_n, o_SCK, o_MOSI, i_MISO)

- How would you formally describe the o_SCK and o_CS_n relationship?

```verilog
always @(posedge gbl_clk)
if ((f_past_valid)
    &&(($rose(o_CS_n))||($fell(o_CS_n))))
    assert((o_SCK)&&($stable(o_SCK)));
```
![Page 261: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/261.jpg)
Ex SPI Port
(SPI timing diagram: o_CS_n, o_SCK, o_MOSI, i_MISO)

- How would you describe o_MOSI?

```verilog
always @(posedge gbl_clk)
if ((f_past_valid)&&(!o_CS_n)&&(!$fell(o_SCK)))
    assert($stable(o_MOSI));
```
![Page 263: Daniel E. Gisselquist, Ph.D. Technology,LLC](https://reader033.vdocuments.net/reader033/viewer/2022061102/629c4f607a26bb42c6384c95/html5/thumbnails/263.jpg)
Ex SPI Port
Welcome
Motivation
Basics
Clocked and $past
k Induction
Bus Properties
Free Variables
Abstraction
Invariants
Multiple-Clocks
Basics
SBY File
(* gclk *)
$rose
$stable
Ź Examples
Exercises
Cover
Sequences
Quizzes
200 / 462
o CS n
o SCK
o MOSI
i MISO
˝ How would you describe i_MISO?

    always @(posedge gbl_clk)
    if ((!o_CS_n)&&(o_SCK))
        assume($stable(i_MISO));
˝ Should i_MISO be able to change more than once per clock?
˝ A little logic will force i_MISO to have only one transition per clock

    always @(posedge gbl_clk)
    if ((o_CS_n)||(o_SCK))
        f_chgd <= 1'b0;
    else if (i_MISO != $past(i_MISO))
        f_chgd <= 1'b1;

    always @(posedge gbl_clk)
    if ((f_past_valid)&&(f_chgd))
        assume($stable(i_MISO));

˝ How would we force exactly 8 o_SCK clocks?
˝ Forcing exactly 8 clocks

    always @(posedge gbl_clk)
    if (o_CS_n)
        f_spi_bits <= 0;
    else if ($rose(o_SCK))
        f_spi_bits <= f_spi_bits + 1'b1;

    always @(posedge gbl_clk)
    if ((f_past_valid)&&($rose(o_CS_n)))
        assert(f_spi_bits == 8);

˝ Don’t forget the induction requirement

    always @(*)
        assert(f_spi_bits <= 8);
Exercises
Three exercises, choose one to verify:

1. Input serdes: exercises-09/iserdes.v
2. Clock gate: exercises-10/clkgate.v
3. Clock switch: exercises-11/clkswitch.v
Ex: Input Serdes
Getting a SERDES right is a good example of multiple clocks
[Waveform: i_fast_clk, i_pin, i_slow_clk, o_word = 0x0b]
˝ Two clocks, one fast and one slow
  Clocks must be synchronous: $rose(slow_clk) implies $rose(fast_clk)
˝ exercise-09/ contains the file iserdes.v
˝ Can you formally verify that it works?
Be aware of the asynchronous reset signal!
[Waveform: i_areset_n, i_fast_clk, i_pin, i_slow_clk, o_word (prior value, RESET, RESET)]

˝ Can be asserted at any time
˝ Can only be de-asserted on $rose(i_slow_clk)
˝ assume() these properties, since the reset is an input
Ex: Clock Gate
The goal: a clock that can be gated, that doesn’t glitch
˝ exercise-10/ contains the file clkgate.v
[Waveform: i_clk, i_en, o_clk]
˝ One clock, one unrelated enable
˝ Prove that the output clock
  – is always high for the full width, but
  – . . . never longer.
  – For any clock rate

See exercise-10/clkgate.v
Hints:

˝ The output clock should only rise if the incoming clock rises
˝ The output clock should only fall if the incoming clock falls
˝ If the output clock is ever high, it should always fall with the incoming clock

Be aware of the reset! The output clock might fall mid-clock period due to the asynchronous reset.
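The three hints above translate almost one to one into immediate assertions sampled on the global clock. The module below is an added example, written for this page; it is not the course's exercise-10/clkgate.v and does not include that exercise's asynchronous reset. The port names i_clk, i_en and o_clk follow the slide; en_latched, f_past_valid and f_saw_gated_edge are names chosen here. The enable is captured on the falling edge of i_clk, so the AND gate on the output can never cut a high period short.

```verilog
// Added example (not the course's exercise file): a glitch-free clock gate
// with the formal properties the hints describe. The exercise's asynchronous
// reset is omitted here.
module clkgate_example(
    input  wire i_clk,   // free-running input clock
    input  wire i_en,    // enable, unrelated to i_clk
    output wire o_clk    // gated clock
);
    // Capture the enable on the falling edge of i_clk. Since en_latched can
    // only change while i_clk is low, o_clk = i_clk & en_latched can never
    // drop (or rise) in the middle of a high period of i_clk.
    reg en_latched;
    initial en_latched = 1'b0;
    always @(negedge i_clk)
        en_latched <= i_en;

    assign o_clk = i_clk & en_latched;

`ifdef FORMAL
    // Formal time runs on the global clock; i_clk is just another input the
    // solver toggles. The .sby file for this needs "multiclock on".
    (* gclk *) reg gbl_clk;

    reg f_past_valid;
    initial f_past_valid = 1'b0;
    always @(posedge gbl_clk)
        f_past_valid <= 1'b1;

    // Hint 1: the output clock only rises when the input clock rises
    always @(posedge gbl_clk)
    if (f_past_valid && $rose(o_clk))
        assert($rose(i_clk));

    // Hint 2: the output clock only falls when the input clock falls
    always @(posedge gbl_clk)
    if (f_past_valid && $fell(o_clk))
        assert($fell(i_clk));

    // Hint 3: once high, the output clock falls together with the input
    // clock, so it is high for the full width but never longer
    always @(posedge gbl_clk)
    if (f_past_valid && $past(o_clk) && $fell(i_clk))
        assert($fell(o_clk));

    // The gated clock is never high while the input clock is low
    always @(*)
        assert(!o_clk || i_clk);

    // Cover: the clock really was gated (an input edge passed while o_clk
    // stayed low) and then started again afterwards
    reg f_saw_gated_edge;
    initial f_saw_gated_edge = 1'b0;
    always @(posedge gbl_clk)
    if (f_past_valid && $rose(i_clk) && !en_latched)
        f_saw_gated_edge <= 1'b1;

    always @(posedge gbl_clk)
        cover(f_past_valid && $rose(o_clk) && f_saw_gated_edge);
`endif
endmodule
```

Run it with a prove task and a cover task in the same .sby file (as described later in the Cover lesson): the prove task checks the three hints for any clock rate, since nothing constrains how often the solver toggles i_clk, and the cover task produces a trace showing the clock being stopped and restarted. The assertions say nothing about i_en, which is the point: the gate must be glitch free no matter how the enable behaves.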
Ex: Clock Switch
Goal: To safely switch from one clock frequency to another
˝ Inputs
  – Two arbitrary clocks
  – One select line

Prove that the output clock

˝ Is always high (or low) for at least the duration of one of the clocks
˝ Doesn’t stop

You may need to constrain the select line.
Hints:

˝ You may assume the reset is only ever initially true
˝ Only one set of FF’s should ever change at any time
Cover
Lesson Overview
The cover element is used to make certain something remains possible

˝ BMC and induction test safety properties
  They prove that something will not happen
˝ Cover tests a reachability property (informally, a liveness property)
  It shows that something may happen, by producing a witness trace

Objectives

˝ Understand why cover is important
˝ Understand how to use cover
Why Cover
Personal examples:

˝ Forgot to set f_past_valid to one: many assertions were ignored
˝ Av to WB bridge passed FV, but couldn’t handle writes
˝ Error analysis: the simulation trace doesn’t make sense. Can it be reproduced?
˝ As an anti-assertion: can this situation actually happen?

What is cover good for? Catching the careless assumption! What else? Ad hoc simulation traces!
BMC vs Cover
Cover is more like BMC than Induction is

˝ BMC searches for failures
˝ Cover searches for a success

Formally, we might say . . .

˝ BMC + k-Induction: proof for all
  ∀ traces: assume() ⇒ ∀ assert()
˝ Cover: there exists one
  ∀ assume() ⇒ ∃ cover()
Cover in Verilog
Just like an assumption or an assertion

    // Make sure a write is possible
    always @(posedge i_clk)
        cover((o_wb_stb)&&(!i_wb_stall)&&(o_wb_we));

    // Or

    // What happens when a bus cycle is aborted?
    always @(posedge i_clk)
    if (i_reset)
        cover((o_wb_cyc)&&(f_wb_outstanding > 0));

Well, almost but not quite.
Assert and cover handle surrounding logic differently

˝ Assert logic

    always @(posedge i_clk)
    if (A)
        assert(B);

is equivalent to,

    always @(posedge i_clk)
        assert((!A)||(B));

This is not true of cover.
˝ Cover logic

    always @(posedge i_clk)
    if (A)
        cover(B);

is equivalent to,

    always @(posedge i_clk)
        cover((A) && (B));

    // NOT the same as
    // assert((!A)||(B));
State Space
˝ Goal is to prove certain states are reachable
˝ Prover solves for example traces
SymbiYosys
The SymbiYosys script for cover needs to change as well

˝ SymbiYosys needs the option: mode cover
˝ Produces one trace per cover() statement . . . or reports a failure
SymbiYosys cover config
    [options]
    # Run a coverage analysis
    mode cover
    # How far to look for a covered state
    depth 40
    # Follow each trace with 20 extra clocks
    append 20

    [engines]
    smtbmc

    [script]
    read -formal module.v
    prep -top module

    [files]
    # file list
SymbiYosys tasks
    [tasks]
    # Run two tasks: prf and cvr
    prf
    cvr

    [options]
    # The prf task runs induction
    prf: mode prove
    # The cvr task runs in cover mode
    cvr: mode cover
    # The same depth can apply to both
    depth 40

    # ...

% sby -f sbyfil.sby now runs both modes

% sby -f sbyfil.sby cvr will run the cover mode alone
Cover Failures
Two basic types of cover failures

1. Covered state is unreachable
   No VCD file will be generated upon failure
2. Covered state is reachable, but only by breaking assertions
   A VCD file will be generated
Ex: I-Cache
Consider a CPU I-cache:

    always @(posedge i_clk)
        cover(o_valid);

With no other formal logic, what will this trace look like?

˝ CPU must provide a PC address
˝ Design must fill the appropriate cache line
˝ Design returns an item from that cache line

That’s a lot of trace for two lines of HDL!
Ex: Flash
Consider a Flash controller:

    always @(posedge i_clk)
        cover(o_wb_ack);

With no other formal logic, what will this trace look like? The controller must,

˝ Initialize the flash device
˝ Accept a bus request
˝ Request a read from the flash
˝ Accumulate the result to return on the bus
Ex: MMU
Consider a Memory Management Unit (MMU):

    always @(posedge i_clk)
        cover(o_wb_ack);

The MMU must,

˝ Be told a TLB entry
˝ Accept a bus request
˝ Look the request up in the TLB
˝ Forward the modified request downstream
˝ Wait for a return
˝ Forward the value returned upstream
Ex: SDRAM
How about an SDRAM controller?

    always @(posedge i_clk)
        cover(o_wb_ack);

The controller must,

˝ Initialize the SDRAM
˝ Accept a bus request
˝ Activate a row on a bank
˝ Issue a read (or write) command from that row
˝ Wait for a return value
˝ Return the result
Counter
Remember our counter?

    initial counter = 0;
    always @(posedge i_clk)
    if ((i_start_signal)&&(counter == 0))
        counter <= MAX_AMOUNT-1'b1;
    else if (counter != 0)
        counter <= counter - 1'b1;

    always @(*)
        o_busy = (counter != 0);
Examples
Let’s add some cover statements. . .

    // Transition to busy
    always @(posedge i_clk)
    if ((f_past_valid)&&(!$past(o_busy)))
        cover(o_busy);

    // Transition back to idle
    always @(posedge i_clk)
    if ((f_past_valid)&&($past(o_busy)))
        cover(!o_busy);

    // Mid-cycle
    always @(posedge i_clk)
        cover(counter == 3);

Will SymbiYosys find traces?
How about now?

    always @(posedge i_clk)
        cover((o_busy)&&(counter == 0));

Or this one,

    always @(posedge i_clk)
        cover(counter == MAX_AMOUNT);

Will these succeed? No. Both will fail

˝ These are outside the reachable state space
What if the state is unreachable?

    // Keep the counter from ever starting
    always @(*)
        assume(!i_start_signal);

    always @(posedge i_clk)
        cover(counter != 0);

Will this succeed? No. This will fail with no trace.

˝ If i_start_signal is never true, the cover cannot be reached
What if an assertion needs to be violated?

    always @(*)
        assert(counter != 10);

    always @(posedge i_clk)
        cover(counter == 4);

What will happen here?

˝ Cover statement is reachable
˝ But requires an assertion failure, so a trace is generated
Clock Switch
Covering the clock switch

˝ Shows the clock switching from fast to slow,
˝ and again from slow to fast
Ex #7 Revisited
Return to your Wishbone arbiter. Let’s cover four cases:

1. Cover both A and B receiving the bus
2. Cover how B will get the bus after A gets an acknowledgement
3. Cover how A will get the bus after B gets an acknowledgement
4. Add to the last cover: B must request while A still holds the bus

Plot and examine traces for each case. Do they look right?

˝ If everything works, the first case showing both A and B receiving the bus will FAIL
˝ No trace is needed from that case
˝ After getting this failure, you may want to remove it from your cover checks
Ex #7 Revisited
238 / 462
Notice what we just proved:
1. The arbiter will allow both sources to master the bus
2. The arbiter will transition from one source to another
3. The arbiter won’t starve A or B
This wasn’t possible with just the safety properties (assert statements)
Discussion
239 / 462
When should you use cover?
Sequences
240 / 462
Lesson Overview
241 / 462
SystemVerilog has some amazing formal properties
• property can be assumed or asserted
  By rewriting our assert’s and assume’s as properties, we can then control when they are asserted or assumed better.
• bind formal properties to a subset of your design
  Allows us to (finally) separate the properties from the module they support
• sequence – A standard property description language
Objectives
• Learn the basics of SystemVerilog Assertions
• Gain confidence with yosys+verific
Building on the past
242 / 462
Much of what we’ve written can easily be rewritten in SVA
always @(*)
    if (A)
        assert(B);
can be rewritten as,
assert property(@(posedge i_clk) A |-> B);
Note that this is now a clocked assertion, but otherwise it’s equivalent
Building on the past
243 / 462
Much of what we’ve written can easily be rewritten in SVA
always @(posedge i_clk)
    if ((f_past_valid)&&($past(A)))
        assert(B);
Can be rewritten as,
assert property(@(posedge i_clk) A |=> B);
• Read this as A implies B on the next clock tick.
• No f_past_valid required anymore. This is a statement about the next clock tick, not the last one.
These equivalencies apply to assume() as well
Properties
244 / 462
You can also declare properties:
property SIMPLE_PROPERTY;
    @(posedge i_clk) a |=> b;
endproperty

assert property(SIMPLE_PROPERTY);
This would be the same as
always @(posedge i_clk)
    if ((f_past_valid)&&($past(a)))
        assert(b);
Assume vs Assert
245 / 462
You could also do something like:
parameter [0:0] F_SUBMODULE = 1'b0;

generate if (F_SUBMODULE) begin
    assume property(INPUT_PROP);
end else begin
    assert property(INPUT_PROP);
end endgenerate

assert property(LOCAL_PROP);
assert property(OUTPUT_PROP);
This would work quite nicely for a bus property file
Parameterized Properties
246 / 462
Properties can also accept parameters
property IMPLIES(a, b);
    @(posedge i_clk) a |-> b;
endproperty

assert property(IMPLIES(x, y));
Parameterized Properties
247 / 462
Properties can also accept parameters
property IMPLIES_NEXT(a, b);
    @(posedge i_clk) a |=> b;
endproperty

assert property(IMPLIES_NEXT(x, y));
Remember, if you want to use |=>, $past, etc., you need to define a clock.
Clocking
248 / 462
Getting tired of writing @(posedge i_clk)?
• You can set a default clock
default clocking @(posedge i_clk); endclocking
Assumes i_clk if no clock is given.
Clocking
249 / 462
Getting tired of writing @(posedge i_clk)?
• You can set a default clock
• You can set a default clock within a given block
clocking @(posedge i_clk);
    // Your properties can go here
    // As with assert, assume,
    // sequence, etc.
endclocking
Assumes i_clk for all of the properties within the clocking block.
Global Clocking
250 / 462
When using verific, $global_clock must first be defined
(* gclk *) wire gbl_clk;
global clocking @(posedge gbl_clk); endclocking
This defines the $global_clock . . .
• as a positive edge transition of gbl_clk.
• The (* gclk *) attribute turns it into a formal timestep
Bind
251 / 462
• Common bench testing works on black boxes
• This doesn’t work well with formal methods
• Placing properties within a module doesn’t separate the two
Using the SVA bind command, we can
• Separate properties from a design
• Maintain the necessary “white box” perspective
Bind
252 / 462
• Can bind to specific named variables
module mut(input i, output o);
    reg r;
    // Your logic here
endmodule

module mut_formal(input a, input b, input r);
    // Your formal properties go here
endmodule

bind mut mut_formal mut_instance(
    // Bind inputs together
    .a(i), .b(o), .r(r)
    // The general format is
    // .mut_formal_name(mut_name)
);
• Note all mut_formal ports must be inputs
Bind
253 / 462
• Can bind to specific named variables
• Can also make all variables available to your properties
module mut(input i, output o);
    reg r;
    // Your logic here
endmodule

module mut_formal(input i, input o, input r);
    // Your formal properties go here
endmodule

// Make every mut variable available in
// mut_formal with a variable of the same
// name
bind mut mut_formal mut_instance(.*);
• In order to use .*, names must match
Bind
254 / 462
• Can bind to specific named variables
• Can also make all variables available to your properties
• Can pass parameters through as well
module mut(input i, output o);
    parameter ONE = 5;
    // Your logic here
endmodule

module mut_formal(input i, input o, input r);
    parameter TWO = 14;
    // Your formal properties go here
endmodule

bind mut mut_formal #(.TWO(ONE)) mut_instance(.*);
Sequences
255 / 462
So far with properties,
• We haven’t done anything really all that new.
• We’ve just rewritten what we’ve done before in a new form.
Sequences are something new
Sequence
256 / 462
With sequences, you can
• Specify a series of actions
sequence EXAMPLE;
    @(posedge i_clk) a ##1 b ##1 c ##1 d;
endsequence
In this example, b always follows a by one clock, c follows b, and d follows c
Sequence
257 / 462
With sequences, you can
• Specify a series of actions, separated by some number of clocks
sequence EXAMPLE;
    @(posedge i_clk) a ##2 b ##5 c;
endsequence
In this example, b always follows a two clocks later, and c follows five clocks after b
Sequence
258 / 462
With sequences, you can
• Specify a series of predicates, separated in time
• Can express range(s) of repeated values
sequence EXAMPLE;
    @(posedge i_clk) b[*2:3] ##1 c;
endsequence
// is equivalent to . . .
sequence EXAMPLE_A_2x; // 2x
    @(posedge i_clk) b ##1 b ##1 c;
endsequence
// or
sequence EXAMPLE_A_3x; // 3x
    @(posedge i_clk) b ##1 b ##1 b ##1 c;
endsequence
Sequence
259 / 462
With sequences, you can
• Specify a series of predicates, separated in time
• Can express range(s) of repeated values
  – [*0:M] Predicate may be skipped
  – [*N:M] specifies from N to M repeats
  – [*N:$] Repeats at least N times, with no maximum
  Ranges can include empty sequences, such as ##[*0:4]
• Compose multiple sequences together
  – AND, seq_1 and seq_2
  – OR, seq_1 or seq_2
  – NOT, not seq
And vs Intersect
260 / 462
The and and intersect operators are very similar
• and is only true if both sequences are true
• intersect is only true if both sequences are true and have the same length
Equivalences
261 / 462
• Throughout
sequence A;
    @(posedge i_clk)
    (EXP)[*0:$] intersect SEQ;
endsequence
is equivalent to
sequence B;
    @(posedge i_clk)
    (EXP) throughout SEQ;
endsequence
The EXP expression must be true from now until SEQ ends
Equivalences
262 / 462
• Throughout
• Until
property A;
    @(posedge i_clk)
    (E1)[*0:$] ##1 (E2);
endproperty
is equivalent to
property B;
    @(posedge i_clk)
    (E1) until E2;
endproperty
• until can only be used in a property, not within a sequence
• There is an ugly subtlety here
  – Must E2 ever take place?
Equivalences
263 / 462
• Throughout
• Until
• Within
sequence A;
    @(posedge i_clk)
    (1[*0:$] ##1 S1 ##1 1[*0:$])
        intersect S2;
endsequence
is equivalent to
sequence B;
    @(posedge i_clk)
    (S1) within S2;
endsequence
Returning to Properties
264 / 462
Properties can reference sequences
• Directly
assert property(seq);
assert property(expr |-> seq);
• Implication: sequences can imply properties
assert property(seq |-> some_other_property);
assert property(seq |=> another_property);
Returning to Properties
265 / 462
Properties can include . . .
• if statements
assert property(if (A) P1 else P2);
• not, and, or even or statements
assert property(not P1);
assert property(P1 and P2);
assert property(P1 or P2);
Ex. Bus Request
266 / 462
A bus request will not change until it is accepted
property BUS_REQUEST_HOLD;
    @(posedge i_clk)
    (STB)&&(STALL)
        |=> (STB)&&($stable(REQUEST));
endproperty

assert property(BUS_REQUEST_HOLD);
Ex. Bus Request
267 / 462
A request persists until it is accepted
sequence BUS_REQUEST;
    @(posedge i_clk)
    // Repeat up to MAX_STALL clks
    (STB)&&(STALL) [*0:MAX_STALL]
    ##1 (STB)&&(!STALL);
endsequence

assert property(STB |-> BUS_REQUEST);
You no longer need to count stalls yourself.
Could we do this with an until statement?
Ex. Bus Request
268 / 462
A request persists until it is accepted
sequence BUS_REQUEST;
    @(posedge i_clk)
    (STB)&&(STALL) until (STB)&&(!STALL);
endsequence

assert property(STB |-> BUS_REQUEST);
What is the difference? The until statement goes forever, our prior example was limited to MAX_STALL clock cycles.
Ex. Bus Request
268 / 462
A request persists until it is accepted
sequence BUS_REQUEST;
    @(posedge i_clk)
    (STB)&&(STALL) until (STB)&&(!STALL);
endsequence

assert property(STB |-> BUS_REQUEST);
What is the difference?
But . . . what happens if RESET is asserted?
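The sequence operators on the preceding slides (##N delays, [*N:M] repetition, and versus intersect, the throughout and within rewrites, until, and the STB |-> BUS_REQUEST assertion with and without a MAX_STALL bound) can all be worked out by hand on a short trace. The Python evaluator below is an added example, not part of the course material and not the semantics engine of any tool: it represents one match of a sequence as a half-open interval of clocks, evaluates weak finite-trace semantics (a consequent that cannot complete before the trace ends counts as a failure, whereas a formal tool would leave it pending at the bound), and caps [*N:$] at the trace length. Signal names and the sample traces are constructed; the function names are this example's own.

```python
"""Evaluate the SVA sequence operators from the slides on short, constructed traces.
A trace is a list of per-clock dicts; a sequence maps (trace, start) to the set of
match ends, a match over clocks [start, end) reporting end (so a boolean true at
clock i reports i+1 and the empty match [*0] reports start itself)."""
from typing import Callable, Dict, List, Set

Trace = List[Dict[str, int]]
Seq = Callable[[Trace, int], Set[int]]

def trace_from(cols: Dict[str, str]) -> Trace:
    """Per-signal strings of 0/1, one character per clock, e.g. {'STB': '110'}."""
    n = len(next(iter(cols.values())))
    return [{k: int(v[i]) for k, v in cols.items()} for i in range(n)]

def expr(fn) -> Seq:
    """A boolean expression: matches exactly the one clock in which it is true."""
    return lambda tr, s: {s + 1} if s < len(tr) and fn(tr[s]) else set()

def sig(name: str) -> Seq:
    return expr(lambda c: c[name])

def delay(s1: Seq, n: int, s2: Seq) -> Seq:
    """s1 ##n s2: s2 starts n clocks after the last clock of the s1 match (##0 overlaps)."""
    def match(tr, s):
        ends: Set[int] = set()
        for e1 in s1(tr, s):
            if not (n == 0 and e1 == s):      # an empty match followed by ##0 never matches
                ends |= s2(tr, e1 + n - 1)
        return ends
    return match

def repeat(s1: Seq, lo: int, hi) -> Seq:
    """s1[*lo:hi] ('$' = unbounded, capped here by the trace length): lo..hi back-to-back
    matches, i.e. s1 ##1 s1 ##1 ...; [*0] contributes the empty match."""
    def match(tr, s):
        limit = len(tr) if hi == '$' else hi
        ends, frontier = ({s} if lo == 0 else set()), {s}
        for k in range(1, limit + 1):
            frontier = set().union(*(s1(tr, st) for st in frontier))
            if not frontier:
                break
            if k >= lo:
                ends |= frontier
        return ends
    return match

def seq_and(a: Seq, b: Seq) -> Seq:        # a and b: ends when the longer match ends
    return lambda tr, s: {max(x, y) for x in a(tr, s) for y in b(tr, s)}

def intersect(a: Seq, b: Seq) -> Seq:      # a intersect b: both must end on the same clock
    return lambda tr, s: a(tr, s) & b(tr, s)

def throughout(e: Seq, s1: Seq) -> Seq:    # direct form: e holds on every clock of the match
    return lambda tr, s: {end for end in s1(tr, s) if all(e(tr, i) for i in range(s, end))}

def within(s1: Seq, s2: Seq) -> Seq:       # direct form: some s1 match lies inside the s2 match
    return lambda tr, s: {end for end in s2(tr, s)
                          if any(e1 <= end for st in range(s, end + 1) for e1 in s1(tr, st))}

def until_holds(tr: Trace, s: int, e1: Seq, e2: Seq) -> bool:
    """Weak 'e1 until e2' at clock s: e1 holds on every clock before the first e2;
    if e2 never occurs it still holds, provided e1 holds to the end of the trace."""
    for i in range(s, len(tr)):
        if e2(tr, i):
            return True
        if not e1(tr, i):
            return False
    return True

def assert_implies(tr: Trace, ante: Seq, cons: Seq, overlapping=True) -> List[int]:
    """assert property (ante |-> cons), or |=> when overlapping=False; returns the clocks
    at which it fails ([] means it holds on this trace)."""
    return [s for s in range(len(tr))
            if any(not cons(tr, e - 1 if overlapping else e) for e in ante(tr, s))]

def demo_and_vs_intersect():
    """S1 = a ##1 b (two clocks) against S2 = a ##1 b ##1 c (three clocks), from clock 0."""
    tr = trace_from({'a': '1000', 'b': '0100', 'c': '0010'})      # constructed trace
    s1 = delay(sig('a'), 1, sig('b'))
    s2 = delay(s1, 1, sig('c'))
    return sorted(seq_and(s1, s2)(tr, 0)), sorted(intersect(s1, s2)(tr, 0))

def demo_equivalences():
    """The slides' rewrites of throughout and within, checked against the direct forms."""
    tr = trace_from({'a': '1000', 'b': '0100', 'c': '0010', 'ok': '1110'})
    s2 = delay(delay(sig('a'), 1, sig('b')), 1, sig('c'))
    any_len = repeat(expr(lambda c: True), 0, '$')                  # 1[*0:$]
    thr, thr_rw = throughout(sig('ok'), s2), intersect(repeat(sig('ok'), 0, '$'), s2)
    wit, wit_rw = within(sig('b'), s2), intersect(delay(delay(any_len, 1, sig('b')), 1, any_len), s2)
    return [sorted(f(tr, 0)) for f in (thr, thr_rw, wit, wit_rw)]

def demo_bus_request(max_stall: int, stall_bits: str) -> List[int]:
    """assert property (STB |-> BUS_REQUEST) with the bounded [*0:MAX_STALL] sequence;
    STB is held high on every clock of the constructed trace."""
    tr = trace_from({'STB': '1' * len(stall_bits), 'STALL': stall_bits})
    stalled = expr(lambda c: c['STB'] and c['STALL'])
    accepted = expr(lambda c: c['STB'] and not c['STALL'])
    return assert_implies(tr, sig('STB'), delay(repeat(stalled, 0, max_stall), 1, accepted))

def demo_until(stall_bits: str):
    """Weak until versus the sequence (E1)[*0:$] ##1 (E2), both evaluated at clock 0."""
    tr = trace_from({'STB': '1' * len(stall_bits), 'STALL': stall_bits})
    e1 = expr(lambda c: c['STB'] and c['STALL'])
    e2 = expr(lambda c: c['STB'] and not c['STALL'])
    return until_holds(tr, 0, e1, e2), bool(delay(repeat(e1, 0, '$'), 1, e2)(tr, 0))
```

demo_bus_request(3, '110') holds, while demo_bus_request(1, '110') fails at clock 0 because the request stalls longer than MAX_STALL; demo_until('111') returns (True, False): the weak until is satisfied by a request that is never accepted, the [*0:$] ##1 sequence is not, which is the subtlety the slides point at.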
Bus Request
269 / 462
A property can be conditionally disabled
sequence BUS_REQUEST;
    // Repeat up to MAX_STALL clks
    (STB)&&(STALL) [*0:MAX_STALL]
    ##1 (STB)&&(!STALL);
endsequence

assert property(@(posedge i_clk)
    disable iff (i_reset)
    STB |-> BUS_REQUEST);
The assertion will no longer fail if i_reset clears the request
What if the request is aborted?
Ex. Bus Request
270 / 462
A property can be conditionally disabled
sequence BUS_REQUEST;
    @(posedge i_clk)
    // Repeat up to MAX_STALL clks
    (STB)&&(STALL) [*0:MAX_STALL]
    ##1 (STB)&&(!STALL);
endsequence

assert property(@(posedge i_clk)
    disable iff ((i_reset)||(!CYC))
    STB |-> BUS_REQUEST);
Will this work? Yes!
Ex. Bus ACKs
271 / 462
Some peripherals will only ever accept one request
sequence SINGLE_ACK(MAX_DELAY);
    @(posedge i_clk)
    (!ACK)&&(STALL) [*0:MAX_DELAY]
    ##1 (ACK)&&(!STALL);
endsequence

assert property(
    disable iff ((i_reset)||(!CYC))
    (STB)&&(!STALL) |=> SINGLE_ACK(32)
);
This peripheral will
• Stall up to 32 clocks following any accepted request, until it
• Acknowledges the request, and
• Releases the bus on the same cycle
Ex. Bus ACKs
272 / 462
Some peripherals will
• Never stall the bus, and
• Acknowledge every request after a fixed number of clock ticks
property NEVER_STALL(DELAY);
    @(posedge i_clk)
    disable iff ((i_reset)||(!CYC))
    (STB) |-> ##[*DELAY] (ACK);
endproperty

assert property(NEVER_STALL(DELAY) and (!STALL));
This is illegal. Can you spot the bug? What logic does the disable iff apply to?
Ex. Bus ACKs
273 / 462
Some peripherals will
• Never stall the bus, and
• Acknowledge every request after a fixed number of clock ticks
property NEVER_STALL(DELAY);
    @(posedge i_clk)
    disable iff ((i_reset)||(!CYC))
    (STB) |-> ##[*DELAY] (ACK);
endproperty

assert property(NEVER_STALL(DELAY));
assert property(!STALL);
This is valid
Ex. Bus ACKs
274 / 462
Cannot ACK or ERR when no request is pending
assert property(@(posedge i_clk)
    ((!i_CYC)||(i_reset))
    ##1 ((!i_CYC)||(i_reset))
    |-> ((!o_ACK)&&(!o_ERR)));
Or as we did it before
always @(posedge i_clk)
    if ((f_past_valid)
        &&(($past(i_reset))||(!$past(i_CYC)))
        &&((i_reset)||(!i_CYC)))
        assert((!o_ACK)&&(!o_ERR));
Which is simpler to understand?
Ex. UART Tx
275 / 462
Let’s look at a serial port transmitter example. A baud interval is CKS clocks . . .
• Output data is constant
• Logic doesn’t change state
• Internal shift register value is known
• Ends with zero_baud_counter
sequence BAUD_INTERVAL(CKS, DAT, SR, ST);
    ((o_uart_tx == DAT)&&(state == ST)
        &&(lcl_data == SR)&&(!zero_baud_counter)) [*(CKS-1)]
    ##1 ((o_uart_tx == DAT)&&(state == ST)
        &&(lcl_data == SR)&&(zero_baud_counter));
endsequence
Ex. UART Tx
276 / 462
A byte consists of 10 Baud intervals
sequence SEND(CKS, DATA);
    BAUD_INTERVAL(CKS, 1'b0, DATA, 4'h0)
    ##1 BAUD_INTERVAL(CKS, DATA[0],
        {{(1){1'b1}}, DATA[7:1]}, 4'h1)
    ##1 BAUD_INTERVAL(CKS, DATA[1],
        {{(2){1'b1}}, DATA[7:2]}, 4'h2)
    // ...
    ##1 BAUD_INTERVAL(CKS, DATA[6],
        {{(7){1'b1}}, DATA[7]}, 4'h7)
    ##1 BAUD_INTERVAL(CKS, DATA[7],
        {7'h7f, DATA[7]}, 4'h8)
    ##1 BAUD_INTERVAL(CKS, 1'b1, 8'hff, 4'h9);
endsequence
Ex. UART Tx
277 / 462
Transmitting a byte requires

```verilog
always @(posedge i_clk)
if ((i_wr) && (!o_busy))
    fsv_data <= i_data;

assert property (@(posedge i_clk)
    (i_wr) && (!o_busy)
    |=> ((o_busy) throughout SEND(CLOCKS_PER_BAUD, fsv_data))
    ##1 ((!o_busy) && (o_uart_tx)
        && (zero_baud_counter)));
```

˝ A transmit request is received
˝ The data is sent
˝ The controller returns to idle
Ex. UART Tx
278 / 462
Make sure . . .

˝ The sequence has a defined beginning. It is only ever triggered once at a time
˝ It doesn’t reference changing data
˝ throughout is within parentheses
˝ You tie all relevant state information together
SymbiYosys
279 / 462
Using SystemVerilog Assertions with Yosys requires Verific

```ini
[options]
mode prove

[engines]
smtbmc

[script]
# The read command works both with and without Verific
# SymbiYosys script doesn't change therefore
read -formal module.v
# ... other files would go here
prep -top module
opt_merge -share_all

[files]
../demo-rtl/module.v
```
SysVerilog Conclusions
280 / 462
SystemVerilog Concurrent Assertions . . .

˝ can be very powerful
˝ can be very confusing
˝ can be used with immediate assertions

You can keep using the simpler property form we’ve been using
Last Exercise
281 / 462
Let’s formally verify a synchronous FIFO

```verilog
module sfifo(i_clk, i_reset,
        i_wr, i_data, o_full,
        i_rd, o_data, o_empty,
        o_err);
    // ...
`ifdef FORMAL
    // Properties understood by either
    // Yosys or Verific
    // ....
`endif
`ifdef VERIFIC_SVA
    // Verific-only properties
    // ....
`endif
endmodule
```
Last Exercise
282 / 462
Let’s formally verify a synchronous FIFO. What properties do you think would be appropriate?

˝ Should never go from full to empty except on a reset
˝ Should never go from empty to full
˝ The two outputs, o_empty and o_full, should properly reflect the size of the FIFO
– o_empty means the FIFO is currently empty
– o_full means the FIFO has 2^N elements within it
˝ Challenge: Use sequences to prove that
– Given any two values written successfully
– Verify that those two values can (some time later) be read successfully, and in the right order (unless a reset takes place in the meantime)
Hint
283 / 462
When using sequences, . . .

˝ It can be very difficult to figure out what part of the sequence failed. The assertion that fails will reference the entire failing sequence.

Suggestions:

˝ Sequences must be triggered. Be aware of what triggers a sequence
˝ Use combinational logic to define wires that will then represent steps in the sequence
˝ Build the sequences out of these wires
Hint continued
284 / 462
Here’s an example:

```verilog
wire f_a, f_b, f_c;
//
assign f_a = // your logic
assign f_b = // your logic
assign f_c = // your logic
//
sequence ARBITRARY_EXAMPLE_SEQUENCE;
    f_a [*0:4] ##1 f_b ##1 f_c [*12:16];
endsequence
```

If you use this approach

˝ Interpreting the wave file will be much easier
˝ The f_a, etc., lines will be in the trace
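As an added example (not the course’s or the author’s own code), here is one way the sfifo formal section from the Last Exercise could be filled in, following the hint above: the fill-level properties use nothing but the module’s ports, and the two-value challenge is written as a sequence built from f_* wires. Assumed, since the slides do not say: parameters DW (data width) and LGFLEN >= 1 (the FIFO holds 2^LGFLEN entries), a write is accepted when i_wr && !o_full, a read when i_rd && !o_empty, and o_data presents the head entry during the cycle a read is accepted.

```systemverilog
// Added example, not the course's own code. Assumptions (not on the slides):
// parameters DW and LGFLEN >= 1; a write is accepted on i_wr && !o_full, a
// read on i_rd && !o_empty; o_data holds the head entry while a read is accepted.
`ifdef FORMAL
    localparam [LGFLEN:0] FLEN = (1 << LGFLEN);

    reg f_past_valid;
    initial f_past_valid = 1'b0;
    always @(posedge i_clk)
        f_past_valid <= 1'b1;

    // Accepted transactions as named wires, so they show up in the trace
    wire f_wr = (i_wr) && (!o_full);
    wire f_rd = (i_rd) && (!o_empty);

    // Mirror the fill level using only the interface
    reg [LGFLEN:0] f_fill;
    initial f_fill = 0;
    always @(posedge i_clk)
    if (i_reset)
        f_fill <= 0;
    else if ((f_wr) && (!f_rd))
        f_fill <= f_fill + 1'b1;
    else if ((!f_wr) && (f_rd))
        f_fill <= f_fill - 1'b1;

    // o_empty and o_full must reflect the fill level exactly
    always @(*)
    begin
        assert(f_fill <= FLEN);
        assert(o_empty == (f_fill == 0));
        assert(o_full  == (f_fill == FLEN));
    end

    // Never full -> empty (except on a reset), and never empty -> full
    always @(posedge i_clk)
    if ((f_past_valid) && (!$past(i_reset)))
    begin
        if ($past(o_full))
            assert(!o_empty);
        if ($past(o_empty))
            assert(!o_full);
    end

`ifdef VERIFIC_SVA
    // Challenge: track two arbitrary constant values, giving each step of
    // the sequence its own wire as the hint recommends
    (* anyconst *) reg [DW-1:0] f_first, f_second;

    wire f_wr_first  = (f_wr) && (i_data == f_first);
    wire f_wr_second = (f_wr) && (i_data == f_second);
    wire f_rd_first  = (f_rd) && (o_data == f_first);
    wire f_rd_second = (f_rd) && (o_data == f_second);

    sequence TWO_IN_ORDER;
        f_wr_first ##[1:$] f_wr_second ##[1:$] f_rd_first ##[1:$] f_rd_second;
    endsequence

    // The two values can come back out, in the order they went in
    cover property (@(posedge i_clk) disable iff (i_reset) TWO_IN_ORDER);
`endif
`endif
```

The cover shows the in-order read is reachable; turning it into an assertion would additionally require pinning the tracked values (for example, assuming they differ and are each written only once) so that a read of the second value could be attributed unambiguously.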
Questions?
285 / 462
Quizzes
286 / 462
Quiz #1
287 / 462
Will the assertion below ever fail?

```verilog
reg [15:0] counter;

initial counter = 0;
always @(posedge clk)
    counter <= counter + 1'b1;

always @(*)
begin
    assert(counter <= 100);
    assume(counter <= 90);
end
```
Answer #1
288 / 462
No, it will never fail. The assumption will prohibit the assertion from being evaluated.

```verilog
always @(*)
begin
    assert(counter <= 100);
    assume(counter <= 90);
end
```

This is an example of what I call a careless assumption.
Quiz #2
289 / 462
Will this simple counter ever pass formal verification?

```verilog
parameter [15:0] MAX_AMOUNT = 22;
reg [15:0] counter;

always @(posedge i_clk)
if ((i_start_signal) && (counter == 0))
    counter <= MAX_AMOUNT - 1'b1;
else if (counter != 0)
    counter <= counter - 1;

always @(*)
    o_busy = (counter != 0);

`ifdef FORMAL
always @(*)
    assert(counter < MAX_AMOUNT);
`endif
```
Answer #2
290 / 462
This design just needs an initial counter value to pass

```verilog
parameter [15:0] MAX_AMOUNT = 22;
reg [15:0] counter = 0;

always @(posedge i_clk)
if ((i_start_signal) && (counter == 0))
    counter <= MAX_AMOUNT - 1'b1;
else if (counter != 0)
    counter <= counter - 1;

always @(*)
    o_busy = (counter != 0);

`ifdef FORMAL
always @(*)
    assert(counter < MAX_AMOUNT);
`endif
```
Quiz #3
291 / 462
Will the following design pass formal verification?

```verilog
reg [15:0] counter;

initial counter = 0;
always @(posedge clk)
if (counter == 16'd22)
    counter <= 0;
else
    counter <= counter + 1'b1;

always @(*)
    assert(counter != 16'd500);
```
Answer #3
292 / 462
The following approach will pass both BMC and induction.

```verilog
reg [15:0] counter;

initial counter = 0;
always @(posedge i_clk)
if (i_reset) // Keep ASIC designers happy
    counter <= 0;
else if (counter == 16'd22)
    counter <= 0;
else
    counter <= counter + 1'b1;

// The correct assertion should reference
// all of the unreachable counter values
always @(*)
    assert(counter <= 16'd22);
```
Quiz #4
293 / 462
Will the following design pass formal verification?

```verilog
initial counter = 0;
always @(posedge i_clk)
if ((i_start_signal) && (counter == 0))
    counter <= 23;
else if (counter != 0)
    counter <= counter - 1'b1;

always @(*)
    assert(counter < 24);

always @(*)
    assume(!i_start_signal);

always @(posedge i_clk)
    assert($past(counter == 0));
```
Answer #4
294 / 462
If you replace assert($past(counter==0)); with assert(counter==0);, then this design passes.

```verilog
initial counter = 0;
always @(posedge i_clk)
if ((i_start_signal) && (counter == 0))
    counter <= 23;
else if (counter != 0)
    counter <= counter - 1'b1;

always @(*)
    assert(counter < 24);

always @(*)
    assume(!i_start_signal);

always @(posedge i_clk)
    assert(counter == 0);
```
Quiz #5
295 / 462
How are the following two assertions different?

```verilog
initial f_past_valid = 1'b0;
always @(posedge i_clk)
    f_past_valid <= 1'b1;

always @(posedge i_clk)
if ((f_past_valid) && ($past(o_wb_stb))
        && ($past(i_wb_stall)))
    assert((o_wb_stb)
        && ($stable({i_wb_addr, i_wb_we})));

assert property (@(posedge i_clk)
    (o_wb_stb) && (i_wb_stall)
    |=> o_wb_stb
        && ($stable({i_wb_addr, i_wb_we})));
```
Answer #5
296 / 462
˝ The first assertion was an “immediate” assertion, the second a “concurrent assertion”.
˝ While the Symbiotic EDA Suite supports both assertions, the free version of Yosys only supports immediate assertions
˝ The second assertion is more compact, and perhaps even easier to read

```verilog
assert property (@(posedge i_clk)
    (o_wb_stb) && (i_wb_stall)
    |=> o_wb_stb
        && ($stable({i_wb_addr, i_wb_we})));
```

Functionally, the two assertions are identical!
Quiz #6
297 / 462
When using multiclock techniques, which of the descriptions below describes a signal that only changes on the positive edge of a clock?

```verilog
(* gclk *) reg gbl_clk;
always @(posedge gbl_clk)
if ($fell(i_clk))
    assert($stable(signal));

always @(posedge gbl_clk)
if (!$rose(i_clk))
    assert($stable(signal));

always @(posedge gbl_clk)
if (!$past(i_clk))
    assert($stable(signal));
```
Answer #6
298 / 462
The correct way to assert that a signal will only change on a positive clock edge requires asserting that the signal will be stable in all other cases.

```verilog
always @(posedge gbl_clk)
if ((f_past_valid_gbl) && (!$rose(i_clk)))
    assert($stable(signal));
```

Be aware, $rose() depends upon $past(), so don’t forget an f_past_valid signal! With (* gclk *), I like to call it f_past_valid_gbl, and define it as,

```verilog
reg f_past_valid_gbl = 1'b0;
always @(posedge gbl_clk)
    f_past_valid_gbl <= 1'b1;
```
Quiz #7
299 / 462
Will this simple counter ever pass formal verification?

```verilog
reg [15:0] counter = 0;

always @(posedge i_clk)
if ((i_start_signal) && (counter == 0))
    counter <= 21;
else if (counter != 0)
    counter <= counter - 1;

always @(*)
    o_busy = (counter != 0);

always @(posedge i_clk)
if ($past(i_start_signal))
    assert(counter == 21);
```
Answer #7
300 / 462
No, the assertion would not pass: it neither checked for the past counter == 0, nor did it make sure $past() was valid. The modified assertion, below, will pass.

```verilog
always @(posedge i_clk)
if ((f_past_valid)
    && ($past(i_start_signal)) && ($past(counter) == 0))
    assert(counter == 21);
```

Alternatively, the following concurrent assertion would also work:

```verilog
assert property (@(posedge i_clk)
    (i_start_signal) && (counter == 0)
    |=> (counter == 21));
```

This exercise is a good example of how formal methods force you to look just a little harder at a problem.
Quiz #8
301 / 462
Will this design pass a Bounded Model Check (BMC)?

```verilog
reg [15:0] counter;

initial counter = 0;
always @(posedge clk)
    counter <= counter + 1'b1;

always @(*)
    assert(counter < 16'd65000);
```
Answer #8
302 / 462
Not unless you prove it with a depth of over 65,000! This is a classic example of a proof that is easier to do with induction. Less than five steps of induction would find this problem.
Quiz #9
303 / 462
Will the following design pass formal verification?

```verilog
reg [15:0] counter;

always @(*)
begin
    counter = 2;
    assert(counter == 5);
    counter = counter + 3;
end
```
Answer #9
304 / 462
No, it will not pass.

˝ counter = 2 is a blocking statement. It is completed before the assert().
˝ counter == 2 when the assert is applied
˝ Only after the assert is counter set to 5.
˝ Were the assert the last line of the block, it would’ve passed
˝ This is one reason why I separate my assertions from my logic
Quiz #10
305 / 462
Goal: to prove that whenever a request is being made, the request will stay stable until it is accepted. Will this assertion capture what we want?

```verilog
always @(posedge i_clk)
if (($past(o_REQUEST)) && ($past(i_STALL)))
begin
    assert(o_REQUEST);
    assert($stable(o_REQUEST_DETAILS));
end
```
Answer #10
306 / 462
Not quite, there are a couple of things missing. Two examples would be i_reset and f_past_valid.

Here’s an updated assertion that should address those omissions

```verilog
always @(posedge i_clk)
if ((f_past_valid) && (!$past(i_reset))
    && ($past(o_REQUEST)) && ($past(i_STALL)))
begin
    assert(o_REQUEST);
    assert($stable(o_REQUEST_DETAILS));
end
```

Alternatively, we could have written,

```verilog
assert property (@(posedge i_clk)
    disable iff (i_reset)
    (o_REQUEST) && (i_STALL)
    |=> (o_REQUEST)
        && ($stable(o_REQUEST_DETAILS)));
```
Quiz #11
307 / 462
The following design fails induction. How would you adjust it so that it would pass?

```verilog
reg [15:0] sa = 0, sb = 0;

always @(posedge i_clk)
if (i_ce)
begin
    sa <= {sa[14:0], i_bit};
    sb <= {i_bit, sb[15:1]};
end

always @(*)
    assert(sa[15] == sb[0]);
```
Answer #11
308 / 462
There are many solutions to this problem

1. Use a non-smtbmc engine, such as abc pdr

2. Force i_ce

```verilog
always @(posedge i_clk)
if (!$past(i_ce))
    assume(i_ce);
```

3. Assert all bits

```verilog
always @(*)
begin
    assert(sa[14] == sb[1]);
    assert(sa[13] == sb[2]);
    assert(sa[12] == sb[3]);
    assert(sa[11] == sb[4]);
    // ... through all combinations
end
```
Quiz #12
309 / 462
The logic below is designed to ensure that the design will only acknowledge requests and nothing more: one acknowledgment per request. It almost works. Can you spot any problem(s)?

```verilog
initial f_nreqs = 0;
always @(posedge i_clk)
if ((i_reset) || (!i_wb_cyc))
    f_nreqs <= 1'b0;
else if ((i_wb_stb) && (!o_wb_stall))
    f_nreqs <= f_nreqs + 1'b1;
// f_nacks is a similarly defined counter,
// only one that counts acknowledgments
always @(*)
if (f_nreqs == f_nacks)
    assert(!o_wb_ack);
```

Assume a sufficient number of bits in f_nreqs and f_nacks.
Answer #12
310 / 462
No, it will not pass. The problem is that it may be possible to ACK a request on the same clock it is received. The following updated assertion will fix this.

```verilog
always @(*)
if ((f_nreqs == f_nacks)
    && ((!i_wb_stb) || (o_wb_stall)))
    assert(!o_wb_ack);
```

Originally, I disallowed ACKs on the same clock as the STB. Then I tried formally verifying someone else’s design. When it didn’t pass, I went back and re-read the WB spec only to discover the error in my ways.
Quiz #13
311 / 462
Given that X is defined somehow, which of the following assertions will fail?

```verilog
always @(posedge i_clk)
if (f_past_valid)
begin
    assert($stable(X) == (X == $past(X)));
    assert($changed(X) == (X != $past(X)));
    assert($rose(X) == ((X) && (!$past(X))));
    assert($fell(X) == ((!X) && ($past(X))));
end
```
Answer #13
312 / 462
Two of these assertions will fail if X is wider than one bit

```verilog
assert($rose(X) == ((X) && (!$past(X))));
assert($fell(X) == ((!X) && ($past(X))));
```

From the 2012 SystemVerilog standard,

These updated assertions will succeed,

```verilog
assert($rose(X) == ((X[0]) && (!$past(X[0]))));
assert($fell(X) == ((!X[0]) && ($past(X[0]))));
```
Quiz #14
313 / 462
The following logic creates two clocks with nearly identical frequencies. Can you spot any missing assumptions?

```verilog
(* gclk *) reg gbl_clk;
(* anyconst *) reg [7:0] f_step_one, f_step_two;
always @(*)
if (f_step_one > f_step_two)
    assume(f_step_one - f_step_two < 8'h2);
else
    assume(f_step_two - f_step_one < 8'h2);
always @(posedge gbl_clk) begin
    f_counter_one <= f_counter_one + f_step_one;
    f_counter_two <= f_counter_two + f_step_two;
    //
    assume(i_clk_one == f_counter_one[7]);
    assume(i_clk_two == f_counter_two[7]);
end
```
Answer #14
314 / 462
The step sizes cannot ever be zero, and steps greater than 8'h80 will alias.

```verilog
always @(*)
begin
    assume(f_step_one != 0);
    assume(f_step_two != 0);
    assume(f_step_one <= 8'h80);
    assume(f_step_two <= 8'h80);
end
```

For performance reasons, you may choose to assume the speed of the fastest clock.

```verilog
always @(*)
    assume((f_step_one == 8'h80)
        || (f_step_two == 8'h80));
```
Quiz #15
315 / 462
Will the following assertion pass?

```verilog
always @(posedge i_clk)
begin
    if (i_write)
        mem[i_waddr] <= i_data;
    if (i_read)
        o_data <= mem[i_raddr];
end

always @(posedge i_clk)
if ((f_past_valid)
    && ($past(i_write)) && ($past(i_read))
    && ($past(i_waddr) == $past(i_raddr)))
    assert(o_data == $past(i_data));
```
Answer #15
316 / 462
No.How would you describe a write–through block RAM?
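As an added example (this is not code from the original slides), here are the quiz's read-first memory and a write-through memory side by side, each with the property that actually describes it. The module name, port names and the f_old_rdata helper are assumptions made for this example.

```verilog
// Added example: read-first vs. write-through memory, each with its own
// formal property. Module, ports and the f_old_rdata helper are assumed.
module ram_styles #(
    parameter AW = 4,
    parameter DW = 8
) (
    input  wire          i_clk,
    input  wire          i_write,
    input  wire [AW-1:0] i_waddr,
    input  wire [DW-1:0] i_data,
    input  wire          i_read,
    input  wire [AW-1:0] i_raddr,
    output reg  [DW-1:0] o_data_rdfirst,
    output reg  [DW-1:0] o_data_wrthru
);
    reg [DW-1:0] mem [0:(1<<AW)-1];

    // Shared write port
    always @(posedge i_clk)
    if (i_write)
        mem[i_waddr] <= i_data;

    // Style 1: read-first (the quiz). A same-cycle read of the address
    // being written returns the OLD contents.
    always @(posedge i_clk)
    if (i_read)
        o_data_rdfirst <= mem[i_raddr];

    // Style 2: write-through (bypass). A same-cycle read of the address
    // being written returns the NEW data.
    always @(posedge i_clk)
    if (i_read)
        o_data_wrthru <= (i_write && (i_waddr == i_raddr)) ? i_data : mem[i_raddr];

`ifdef FORMAL
    reg f_past_valid;
    initial f_past_valid = 1'b0;
    always @(posedge i_clk)
        f_past_valid <= 1'b1;

    // What the read port saw one cycle ago, sampled at the same edge as
    // the read itself, so the old contents can be referenced without
    // nesting $past().
    reg [DW-1:0] f_old_rdata;
    always @(posedge i_clk)
        f_old_rdata <= mem[i_raddr];

    always @(posedge i_clk)
    if (f_past_valid && $past(i_read))
    begin
        // Read-first: always the old contents, whatever was written
        assert(o_data_rdfirst == f_old_rdata);

        // Write-through: the quiz's assertion holds for this style only
        if ($past(i_write) && ($past(i_waddr) == $past(i_raddr)))
            assert(o_data_wrthru == $past(i_data));
        else
            assert(o_data_wrthru == f_old_rdata);
    end
`endif
endmodule
```

The f_old_rdata register is the trick worth remembering: it snapshots mem[i_raddr] at the same clock edge as the read, so the read-first property can compare against "what the memory held before the write" without an illegal nested $past().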
Quiz #16
317 / 462
The formal property below was written for a synchronous reset. How would you adjust it so that it accurately reflects the behavior of the flip-flop under an asynchronous reset?

    always @(posedge i_clk, negedge i_areset_n)
    if (!i_areset_n)
        a <= 0;
    else
        a <= something;

    always @(posedge i_clk)
    if ((f_past_valid) && ($past(i_areset_n)))
        assert(a == $past(something));
Answer #16
318 / 462
The following assertion can be used to describe the response of logic to a negative logic asynchronous reset.

    always @(posedge i_clk, negedge i_areset_n)
    if (!i_areset_n)
        a <= 0;
    else
        a <= something;

    always @(posedge i_clk)
    if (!i_areset_n)
        assert(a == 0);
    else if ((f_past_valid) && ($past(i_areset_n)))
        assert(a == $past(something));

Don't forget to assume an initial reset!

    initial assume(!i_areset_n);

One SymbiYosys caveat: the reset is only modeled as a true asynchronous event when the SBY file sets multiclock on; otherwise the async2sync pass turns it into a reset synchronous to i_clk.
Quiz #17
319 / 462
Your design passes a bounded model check (BMC), but fails during induction. Upon inspection, you find a failure in section A of the trace shown on the slide.

How should you address this problem?
Answer #17
320 / 462
Your design passes a bounded model check (BMC), but fails during induction. Upon inspection, you find a failure in section A of the trace shown on the slide.

How should you address this problem? This is not a problem with your logic. Rather, the formal properties that are constraining your logic are insufficient.

- You need more properties to keep the design from failing
- If an input is out of bounds, assume it will be within bounds
- If your design starts in an invalid state, assert that such invalid states will never happen
- initial statements will not help during induction
Quiz #18
321 / 462
Your design fails in section C of the trace shown on the slide.

Upon inspection, you discover an always @(posedge i_clk) assume(X); property is not getting applied. How would you fix this situation?
Answer #18
322 / 462
An always @(posedge i_clk) assume(X); property is not getting applied, causing your design to fail in section C of your trace.

The problem is that always @(posedge i_clk) properties are not applied until the next clock edge (i.e. section B of the trace).

- This can cause an always @(*) assert(Y); to fail in section C

How would you fix this situation?

- You can make the always @(*) property a clocked property
- You can evaluate the always @(posedge i_clk) assumption as an always @(*) assumption instead
  - You might need to create your own $past value to do this
Quiz #19
323 / 462
Will the following design pass formal verification?

    reg [15:0] counter = 0;
    always @(posedge i_clk)
    if (i_reset)
        counter <= 0;
    else
        counter <= counter + 1;

    always @(*)
    if (counter > 2)
        assume(i_reset);

    assert property (@(posedge i_clk)
        disable iff (i_reset)
        (counter < 2));
Answer #19
324 / 462
Much to my own surprise, this design will pass a formal check.

This is roughly equivalent to:

    reg check = 1;
    always @(posedge i_clk)
        check <= (counter < 2) || (i_reset);
    always @(*)
    if (!i_reset)
        assert(check);

Why it passes: check is sampled false at the edge where counter == 2, but during the following cycle counter == 3, so the assumption forces i_reset high, the assertion is disabled, and check is reloaded with 1 before it is ever examined.
Quiz #20
325 / 462
Consider the following trace from an asynchronous context:

[Waveform: i_clk, f_past_valid, o_value]

Will this formal stability assertion pass or fail?

    always @(posedge i_clk)
    if (f_past_valid)
        assert($stable(o_value));
Answer #20
326 / 462
It will pass: this stability assertion holds.

[Waveform: i_clk, f_past_valid, o_value]

- Note that every time $rose(i_clk) is true, o_value equals its value at the previous rising edge, so $past(o_value) == o_value.
- Since the check is only accomplished on the positive edge of i_clk, o_value is only checked at this time.
- Since o_value always equals $past(o_value) just prior to @(posedge i_clk), the assertion passes, however o_value may toggle between edges.

    always @(posedge i_clk)
    if (f_past_valid)
        assert($stable(o_value));
Quiz #21
327 / 462
Your design contains the following generate block:

    parameter [0:0] A = 1;
    parameter [0:0] B = 1;
    // ...
    generate if (A)
    begin : A_BLOCK
        // Some logic
    end else if (B)
    begin : B_BLOCK
        // Some other logic
    end else begin : ELSE_BLOCK
        // Some final set of logic
    end endgenerate

How should this impact the design of your SymbiYosys configuration file?
Answer #21
328 / 462
How should conditional generate blocks be handled?

- By creating a separate task for each parameter set
- Each set of parameters can then be verified independently

    [tasks]
    A
    B
    Other

    [script]
    read -formal toplvl.v
    --pycode-begin--
    cmd = "hierarchy -top toplvl"
    cmd += " -chparam A %d" % (1 if "A" in tags else 0)
    cmd += " -chparam B %d" % (1 if "B" in tags else 0)
    output(cmd)
    --pycode-end--
    prep -top toplvl
Quiz #22
329 / 462
When working with cover(), how do you handle a failure?

- On a cover() success a trace is generated. No trace is generated on a cover() failure.
- At first glance, you have nothing to go with

How do you debug your design in this situation?
Answer #22
330 / 462
When working with cover(), how do you handle a failure?

- Suppose your design needs to accomplish a sequence of steps, and then cover the last one.

    always @(*)
        cover(step_24);

- How shall you debug this failure?

Solution: cover the intermediate steps

    always @(*)
    begin
        cover(step_01);
        // ...
        cover(step_23);
    end

This will lead you to the failing clock cycle
Quiz #23
331 / 462
Consider the following design:

    input wire [31:0] i_v;
    output wire       o_v;

    assign o_v = (i_v == 32'hdeadbeef);

    always @(*)
        assert(i_v != 32'hdeadbeef);

    always @(*)
        assume(!o_v);

Given that the solver can pick any value for i_v, will the assertion ever fail?
Answer #23
332 / 462
Consider the following design:

    assign o_v = (i_v == 32'hdeadbeef);
    always @(*)
        assert(i_v != 32'hdeadbeef);
    always @(*)
        assume(!o_v);

- The assumption is forced to be true before evaluating any assertions
- !o_v will only ever be true if i_v != 32'hdeadbeef
- Therefore, the solver will never even consider the case where i_v == 32'hdeadbeef
- The assertion can never fail
Quiz #24
333 / 462
Consider the following trace from an AXI read interaction:

[Waveform: S_AXI_ACLK, S_AXI_ARESETN, S_AXI_ARVALID, S_AXI_ARID, S_AXI_RVALID, S_AXI_RID]

- Assume all of the relevant xREADY lines are high

Can you spot the bug?
Answer #24
334 / 462
Can you spot the bug?

[Waveform: S_AXI_ACLK, S_AXI_ARESETN, S_AXI_ARVALID, S_AXI_ARID, S_AXI_RVALID, S_AXI_RID]

The read response has the wrong ID

- Request was made for ID=1, response has ID=0
- The cause? Xilinx's example core doesn't register the ID

The trace above was found by applying the Symbiotic EDA Suite to Xilinx's example AXI4 core
Quiz #25
335 / 462
Consider the following trace from an AXI write interaction, ending in a steady state

[Waveform: S_AXI_ACLK, S_AXI_ARESETN, S_AXI_AWVALID, S_AXI_AWREADY, S_AXI_WVALID, S_AXI_WREADY, S_AXI_WLAST, S_AXI_BVALID, S_AXI_BREADY]

What sort of formal property would catch this bug?
Answer #25
336 / 462
A transaction timeout can find this bug

    always @(posedge i_clk)
    if ((!i_axi_reset_n) || (!i_axi_awvalid)
            || (i_axi_awready)
            || (f_axi_wr_pending > 0))
        f_axi_awstall <= 0;
    else if ((!i_axi_bvalid) || (i_axi_bready))
        f_axi_awstall <= f_axi_awstall + 1'b1;

    always @(*)
        assert(f_axi_awstall < F_AXI_MAXWAIT);

where f_axi_wr_pending is a reference to the number of remaining write data transactions in this burst.

The bug in this question was found by applying the Symbiotic EDA Suite to Xilinx's example AXI4 core
Answer #25b
337 / 462
Oops, the last timeout logic captured when the incoming write address channel was stalled, not the delay on the write response channel.

- Here's the timeout logic that actually found this bug.

    always @(posedge i_clk)
    if ((!i_reset_n) || (i_bvalid) || (i_wvalid)
            || ((f_awr_nbursts == 1) && (f_wr_pending > 0))
            || (f_awr_nbursts == 0))
        f_awr_ack_delay <= 0;
    else
        f_awr_ack_delay <= f_awr_ack_delay + 1'b1;

    always @(posedge i_clk)
        assert(f_awr_ack_delay < F_AXI_MAXDELAY);
Quiz #26
338 / 462
Consider the following trace drawn from an AXI interconnect I had the opportunity to verify. It had never seen a formal check before.

[Waveform: S_AXI_ACLK, S_AXI_ARESETN, S_AXI_AWVALID, S_AXI_AWLEN = 3, S_AXI_WVALID, S_AXI_WLAST, S_AXI_BVALID]

Assume all *READY signals are true. Can anyone see the bug? What formal property would catch this bug?
Answer #26
339 / 462
Correctly identifying the bug is important, otherwise you'll "fix" the wrong "bug"

[Waveform: S_AXI_ACLK, S_AXI_ARESETN, S_AXI_AWVALID, S_AXI_AWLEN = 3, S_AXI_WVALID, S_AXI_WLAST, S_AXI_BVALID]

In this case, there is no missing S_AXI_WLAST signal. According to spec, the burst is S_AXI_AWLEN+1 beats long, so there's still a missing write beat. The bus master just hasn't sent the final beat yet.
Answer #26b
340 / 462
The bug? You can't return a BVALID response until the first write burst has completed. To verify this, you need to count items remaining in the burst, I use f_wr_pending, as well as the number of bursts outstanding, something I call f_awr_nbursts. You can then check,

    always @(*)
    if (f_awr_nbursts == 0)
        // If there are no bursts outstanding
        // then no BVALID can be returned
        assert(!S_AXI_BVALID);
    else if (f_awr_nbursts == 1)
        // If the write channel is still sending
        // data, then the BVALID cannot (yet) be
        // returned.
        assert((f_wr_pending == 0)
            || !S_AXI_BVALID);
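The slide names the two counters but does not show how they are kept. As an added example (not the author's faxi_slave property file, and not code from the slides), here is bookkeeping that derives f_awr_nbursts and f_wr_pending from the AXI4 write handshakes, followed by the BVALID checks above. It assumes a single write ID (responses return in order), that write data never precedes its address, that a new address is not accepted while data is still owed, and that F_LGDEPTH bits are enough to count outstanding bursts; the module name and S_AXI_* ports are assumptions for this example.

```verilog
// Added example: track outstanding write bursts and pending data beats,
// then apply the BVALID assertions of Answer #26b. Assumed: single ID,
// data never before address, module/port names as below.
module faxi_wr_burst_track #(
    parameter F_LGDEPTH = 4
) (
    input wire       S_AXI_ACLK,
    input wire       S_AXI_ARESETN,
    input wire       S_AXI_AWVALID,
    input wire       S_AXI_AWREADY,
    input wire [7:0] S_AXI_AWLEN,
    input wire       S_AXI_WVALID,
    input wire       S_AXI_WREADY,
    input wire       S_AXI_WLAST,
    input wire       S_AXI_BVALID,
    input wire       S_AXI_BREADY
);
    // Completed handshakes on each channel
    wire aw_xfer = S_AXI_AWVALID && S_AXI_AWREADY;
    wire w_xfer  = S_AXI_WVALID  && S_AXI_WREADY;
    wire b_xfer  = S_AXI_BVALID  && S_AXI_BREADY;

    // Bursts whose address has been accepted but whose BVALID has not
    // yet been returned
    reg [F_LGDEPTH-1:0] f_awr_nbursts;
    initial f_awr_nbursts = 0;
    always @(posedge S_AXI_ACLK)
    if (!S_AXI_ARESETN)
        f_awr_nbursts <= 0;
    else case ({ aw_xfer, b_xfer })
    2'b10: f_awr_nbursts <= f_awr_nbursts + 1;
    2'b01: f_awr_nbursts <= f_awr_nbursts - 1;
    default: begin end
    endcase

    // Data beats still owed on the burst currently being written.
    // A burst is AWLEN+1 beats long, so 9 bits are enough.
    reg [8:0] f_wr_pending;
    initial f_wr_pending = 0;
    always @(posedge S_AXI_ACLK)
    if (!S_AXI_ARESETN)
        f_wr_pending <= 0;
    else if (aw_xfer)
        f_wr_pending <= { 1'b0, S_AXI_AWLEN } + 9'd1 - (w_xfer ? 9'd1 : 9'd0);
    else if (w_xfer)
        f_wr_pending <= f_wr_pending - 1;

    // Master-side rules (assumptions when checking a slave)
    always @(*)
    begin
        // Simplification: no data before its address, and no new address
        // while data is still owed on the previous burst
        if (f_wr_pending == 0 && !aw_xfer)
            assume(!S_AXI_WVALID);
        if (f_wr_pending != 0)
            assume(!S_AXI_AWVALID);
        // WLAST marks exactly the final beat of the burst
        if (S_AXI_WVALID && aw_xfer)
            assume(S_AXI_WLAST == (S_AXI_AWLEN == 0));
        else if (S_AXI_WVALID)
            assume(S_AXI_WLAST == (f_wr_pending == 1));
        // Keep the burst counter from wrapping
        if (S_AXI_AWVALID)
            assume(f_awr_nbursts != {(F_LGDEPTH){1'b1}});
    end

    // Slave-side rules from Answer #26b
    always @(*)
    if (f_awr_nbursts == 0)
        // No bursts outstanding: no BVALID may be returned
        assert(!S_AXI_BVALID);
    else if (f_awr_nbursts == 1)
        // The only outstanding burst is still sending data, so BVALID
        // cannot (yet) be returned
        assert((f_wr_pending == 0) || !S_AXI_BVALID);

    // The bookkeeping itself must stay consistent for induction
    always @(*)
    if (f_awr_nbursts == 0)
        assert(f_wr_pending == 0);
endmodule
```

The last assertion is there for induction: without it the solver may start the induction window in a state with no bursts outstanding but beats still "owed", which no reachable trace can produce.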
Quiz #27
341 / 462
Can you explain why the following cover statement fails?

    reg read_counter;
    initial read_counter = 0;
    always @(posedge i_clk)
    if (i_reset)
        read_counter <= 0;
    else if (some_event)
        read_counter <= read_counter + 1;

    always @(*)
        cover(read_counter > 4);
Answer #27
342 / 462
Can you explain why the following cover statement fails?

    reg read_counter;
    initial read_counter = 0;
    always @(posedge i_clk)
    if (i_reset)
        read_counter <= 0;
    else if (some_event)
        read_counter <= read_counter + 1;

    always @(*)
        cover(read_counter > 4);

Did you notice the number of bits in the read_counter? At only one bit, read_counter can never be more than one.
Quiz #28
343 / 462
Let NM be the number of masters, and NS the number of slaves. You want to cover a full set of write grants.

    reg cvr_property;
    always @(*)
    begin
        cvr_property = 1;
        for (iN = 0; iN < (NM > NS) ? NS : NM; iN = iN + 1)
            if (!write_grant[iN])
                cvr_property = 0;
    end

    always @(*)
        cover(cvr_property);

Much to my surprise, yosys ran out of memory while elaborating this design. Can anyone see why?
Answer #28
344 / 462
This is an order of operations issue. The example design is equivalent to

    always @(*)
    begin
        cvr_property = 1;
        for (iN = 0; (iN < (NM > NS)) ? NS : NM;
                iN = iN + 1)
            if (!write_grant[iN])
                cvr_property = 0;
    end

The end condition will therefore elaborate to either NM or NS, both of which are non-zero and therefore "true". As for the out-of-memory error, remember this is hardware. Yosys is elaborating new hardware circuits every time through the loop, and the loop doesn't have an end.
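The slide explains the fault but does not show the repaired cover. As an added example (not code from the slides), here is the loop with the missing parentheses restored and the bound hoisted into a localparam so the precedence question cannot recur; NM, NS and write_grant are assumed to be declared as on the slide.

```verilog
// Added example: the cover from Quiz #28 with a correctly parenthesized,
// constant loop bound. NM, NS and write_grant are assumed to exist.
localparam NGRANT = (NM > NS) ? NS : NM;   // the smaller of masters and slaves

reg     cvr_property;
integer iN;

always @(*)
begin
    cvr_property = 1;
    // Bounded by a constant: yosys unrolls exactly NGRANT iterations
    for (iN = 0; iN < NGRANT; iN = iN + 1)
        if (!write_grant[iN])
            cvr_property = 0;
end

always @(*)
    cover(cvr_property);

// Equivalent without the loop: reduction-AND over the low NGRANT grant bits
always @(*)
    cover(&write_grant[NGRANT-1:0]);
```

Hoisting the bound into a localparam also makes the elaboration-time value visible in the synthesis log, which is the fastest way to confirm a loop will terminate before yosys starts unrolling it.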
Quiz #29
345 / 462
There are three steps required to verify an AXI-lite interface:

1. First, attach the formal interface property file

    `ifdef FORMAL
    faxil_slave #(.C_AXI_ADDR_WIDTH(C_S_AXI_ADDR_WIDTH))
    properties (
        .i_clk(S_AXI_ACLK),
        .i_axi_reset_n(S_AXI_ARESETN),
        // ...

2. If using SymbiYosys, you'll also need to create an SBY file

What's the missing step that's required to formally verify an AXI-lite slave interface matches bus requirements for all time?
Answer #29
346 / 462
3. Reference the state information from the property file,

    `ifdef FORMAL
    faxil_slave #(/* ... */)
    properties (
        // ...
        .f_axi_rd_outstanding(rd_inproc),
        // ...

and use it to assert() that the state matches your logic

    always @(*)
        assert(rd_inproc == (axi_rvalid ? 1 : 0)
                + (axi_arready ? 0 : 1));
    // ...

The example above is from one of my own designs, as this step can be very design dependent.
Quiz #30
347 / 462
The following illustrates a common FIFO mistake

    always @(posedge i_clk)
    if (i_reset)
        { rd_addr, wr_addr } <= 0;
    else if (i_rd)
        rd_addr <= rd_addr + 1;
    else if (i_wr)
        wr_addr <= wr_addr + 1;

Can you identify the bug, and suggest a way of fixing it?
Answer #30
348 / 462
The first bug is not setting the pointers initially

    initial { rd_addr, wr_addr } = 0;

The next bug is not checking for underflow or overflow

    always @(posedge i_clk)
    if (i_reset)
        { rd_addr, wr_addr } <= 0;
    else if (i_rd && !o_empty)
        rd_addr <= rd_addr + 1;
    else if (i_wr && !o_full)
        wr_addr <= wr_addr + 1;

That leaves at least one more bug
Answer #30b
349 / 462
The real problem is that the whole structure is wrong: the else-if chain means a read and a write in the same cycle only advances the read pointer, so the write is lost.

- This really needs to be handled in either two logic blocks, or
- Using a case statement, as shown below

    initial { rd_addr, wr_addr } = 0;
    always @(posedge i_clk)
    if (i_reset)
        { rd_addr, wr_addr } <= 0;
    else case ({ i_rd && !o_empty, i_wr && !o_full })
    2'b10: rd_addr <= rd_addr + 1;
    2'b01: wr_addr <= wr_addr + 1;
    2'b11: begin
        rd_addr <= rd_addr + 1;
        wr_addr <= wr_addr + 1;
        end
    endcase
Quiz #31
350 / 462
The following proof passes.

    reg f_past_valid = 0;
    always @(posedge i_clk)
        f_past_valid <= 1;

    always @(*)
    if (f_past_valid)
        assume(i_reset);

    always @(posedge i_clk)
        counter <= really_complex_logic;

    always @(*)
    if (f_past_valid && !i_reset)
        assert(counter == counter + 1);

Can you spot the bug?
Answer #31
351 / 462
Did you notice the assumption that i_reset is held high?

    always @(*)
    if (f_past_valid)
        assume(i_reset);

The assertion never got checked!

    always @(*)
    if (f_past_valid && !i_reset)
        assert(counter == counter + 1);

A basic cover test would find this problem

    always @(*)
        cover(f_past_valid && !i_reset);

    // or even
    always @(posedge i_clk)
        cover(counter == $past(counter + 1));
Quiz #32
352 / 462
How would you verify the o_empty and o_full properties of a FIFO, given the read and write addresses?

- The o_empty flag

    assign fill = wr_addr - rd_addr;
    always @(*)
    begin
        assert(o_empty == (fill == 0));

- The o_full flag, given a FIFO with FIFO_SIZE elements

        assert(o_full == (fill >= FIFO_SIZE));
        // ...
    end

What property is missing?
Answer #32
353 / 462
The missing property?

- We checked the o_empty flag
- We checked the o_full flag
- Don't forget to check that the fill never exceeds the capacity of the FIFO

    assert(fill <= FIFO_SIZE);

Checking the data content of the FIFO still requires the twin write followed by twin read test. You can read more about that in my on-line tutorial.
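As an added example (not code from the slides or from the author's tutorial), here is a complete synchronous FIFO that combines the pointer logic of Answer #30b with the o_empty, o_full and fill properties of Answer #32 in its formal section, plus a cover that proves the full state is reachable. The module name, port names and the LGFIFO parameter are assumptions for this example; the pointers carry one bit more than the memory index so that full and empty can be told apart.

```verilog
// Added example: synchronous FIFO with the pointer case statement of
// Answer #30b and the flag properties of Answer #32. Names are assumed.
module sfifo #(
    parameter DW = 8,
    parameter LGFIFO = 4
) (
    input  wire          i_clk,
    input  wire          i_reset,
    input  wire          i_wr,
    input  wire [DW-1:0] i_data,
    input  wire          i_rd,
    output reg  [DW-1:0] o_data,
    output wire          o_empty,
    output wire          o_full
);
    localparam FIFO_SIZE = (1 << LGFIFO);

    reg [DW-1:0]   mem [0:FIFO_SIZE-1];
    reg [LGFIFO:0] wr_addr, rd_addr;   // one bit wider than the index

    wire [LGFIFO:0] fill = wr_addr - rd_addr;
    assign o_empty = (fill == 0);
    assign o_full  = (fill == FIFO_SIZE);

    // Both pointers may advance in the same cycle, hence the case statement
    initial { rd_addr, wr_addr } = 0;
    always @(posedge i_clk)
    if (i_reset)
        { rd_addr, wr_addr } <= 0;
    else case ({ i_rd && !o_empty, i_wr && !o_full })
    2'b10: rd_addr <= rd_addr + 1;
    2'b01: wr_addr <= wr_addr + 1;
    2'b11: begin
        rd_addr <= rd_addr + 1;
        wr_addr <= wr_addr + 1;
        end
    default: begin end
    endcase

    always @(posedge i_clk)
    if (i_wr && !o_full)
        mem[wr_addr[LGFIFO-1:0]] <= i_data;

    always @(posedge i_clk)
    if (i_rd && !o_empty)
        o_data <= mem[rd_addr[LGFIFO-1:0]];

`ifdef FORMAL
    reg f_past_valid;
    initial f_past_valid = 1'b0;
    always @(posedge i_clk)
        f_past_valid <= 1'b1;

    // Start from reset so BMC and induction agree on the initial state
    always @(*)
    if (!f_past_valid)
        assume(i_reset);

    // The three flag properties of Answer #32
    always @(*)
    begin
        assert(o_empty == (fill == 0));
        assert(o_full  == (fill == FIFO_SIZE));
        assert(fill <= FIFO_SIZE);
    end

    // The fill moves by at most one in either direction per cycle
    always @(posedge i_clk)
    if (f_past_valid && !$past(i_reset))
        assert((fill == $past(fill))
            || (fill == $past(fill) + 1)
            || (fill == $past(fill) - 1));

    // Reachability: the FIFO can fill up, and can then drain again
    always @(*)
        cover(o_full);
    always @(posedge i_clk)
    if (f_past_valid)
        cover($past(o_full) && !o_full);
`endif
endmodule
```

The fill <= FIFO_SIZE assertion is the one that makes induction work: with the extra pointer bit, fill can in principle take values up to 2*FIFO_SIZE-1, and without this invariant the solver will start the induction window in one of those unreachable states.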
Quiz #33
354 / 462
Formally verifying a cache requires three properties

First, let the solver pick an arbitrary address and value

    (* anyconst *) reg [AW-1:0] f_const_addr;
    (* anyconst *) reg [DW-1:0] f_const_data;

1. Then when the bus returns a value for the given address, assume the known value.

    if (i_wb_ack && ackd_address == f_const_addr)
        assume(i_wb_data == f_const_data);

2. Whenever the cache returns the value for the special address, assert that the known value is returned

    if (o_valid && o_address == f_const_addr)
        assert(o_value == f_const_data);

3. What's missing?
Answer #33
355 / 462
Formally verifying a cache requires three properties

First, allow the solver to pick an arbitrary address, and an arbitrary data word at that address.

1. assume a known bus response from the given address
2. assert that same response from the cache when that same address is requested

The missing property?

3. Assert that, if the known address is validly within the cache, the value associated with that address matches the solver chosen value

    always @(*)
    if (cache_valid[f_const_addr])
        assert(cache[f_const_addr[CW-1:0]] == f_const_data);
Quiz #34
356 / 462
The following design illustrates a common AXI coding mistake:

    always @(posedge S_AXI_ACLK)
    if (!S_AXI_ARESETN)
        // Do something
    else if (S_AXI_AWVALID && S_AXI_AWREADY
            && something_else)
        // Write logic
    else if (S_AXI_BREADY)
        // Last condition
    // ....

Can you identify the bug, and suggest one or two fixes?
Answer #34
357 / 462
The following design illustrates a common AXI coding mistake:

    always @(posedge S_AXI_ACLK)
    // ...
    if (S_AXI_AWVALID && S_AXI_AWREADY
            && something_else)
        // ...

The mistake? Checking for something_else when processing information from the bus. Once S_AXI_AWVALID && S_AXI_AWREADY is true the address has been accepted, so a request that arrives while something_else is false is silently dropped. To fix it,

1. Adjust the logic for S_AXI_AWREADY
2. Prove that every time something_else is false, S_AXI_AWREADY will also be false

    assert property (@(posedge S_AXI_ACLK)
        !something_else |-> !S_AXI_AWREADY);
Quiz #35
358 / 462
Will the following logic pass formal verification?

    reg [15:0] counter, last;

    initial counter = 1;
    initial last = 0;

    always @(posedge i_clk)
    begin
        counter <= counter + 1;
        last <= counter;
    end

    always @(*)
        assert(last + 1 == counter);
Answer #35
359 / 462
The problem is that last+1 is a 32-bit value, whereas counter is a 16-bit unsigned value. This assertion will always fail when counter rolls over.

    i_clk
    counter   16'hfffd   16'hfffe   16'hffff   16'h0000
    last      16'hfffc   16'hfffd   16'hfffe   16'hffff
    last+1    32'h0fffd  32'h0fffe  32'h0ffff  32'h10000
                                               ^ failing timestep

If you map last+1 to a 16-bit value, the assertion will pass

    wire [15:0] last_plus_one = last + 1;
    always @(*)
        assert(last_plus_one == counter);
Quiz #36
360 / 462
The following design generates a warmup failure.

    input wire [31:0] i_a, i_b, i_c;

    always @(*)
    begin
        assume(i_a + i_b == 32'h4);
        assume(i_b + i_c == 32'h8);
        assume(i_a + { i_b, 1'b0 } + i_c == 32'h7);
    end

Which assumption is at fault?
Answer #36
Which assumption is at fault?
    input wire [31:0] i_a, i_b, i_c;

    always @(*)
    begin
        assume(i_a + i_b == 32'h4);
        assume(i_b + i_c == 32'h8);
        assume(i_a + {i_b, 1'b0} + i_c == 32'h7);
    end
Removing any one of these assumptions will resolve the warmup failure.

• This illustrates one of the fundamental problems of warmup failures: since any one of several assumptions might cause the design to fail, there's no way for the solver to tell which assumption was truly at fault.
Quiz #37
What are the three most common bus interface properties?
1. Following a reset, the bus should return to an idle state and any pending requests should be dropped
2. If the bus is stalled, the request must not change
3. ...

There's one other basic, yet common, bus interface property that's missing. What is it?
Answer #37
What are the three most common bus interface properties?
1. Following a reset, the bus should return to an idle state and any pending requests should be dropped
2. If the bus is stalled, the request must not change
3. There should be one and only one response for every bus request

I'll ask about the "contract" property to ensure that the bus actually works next week
Quiz #38
None of the properties we examined last week truly expresses the "contract" associated with bus transactions. How should that contract be expressed for a generic bus component?

1. Let the solver pick an arbitrary address, and a value to be at that address
2. ...
3. Prove that reads from that address return the value from within the slave found at that address

What's the missing step?
Answer #38
How should the formal contract be expressed for a bus slave?
1. Let the solver pick an arbitrary address, and a value to be at that address
2. Adjust the value at that address following any write request
3. Prove that reads from that address return the value from within the slave found at that address

You should find these basic property steps common across many bus components

1. Not-so-generic bus slaves may need to use a slightly different approach, verifying instead that the result matches the value within the bus slave
2. Sequence is important, especially with AXI: the return value might be waiting for a RREADY longer than that return value accurately expresses the register's value within the core
Quiz #39
Can you spot the AXI bug below?
(Waveform: S_AXI_ACLK and S_AXI_ARESETN; S_AXI_AWVALID/S_AXI_AWREADY with S_AXI_AWADDR = 'h....0, S_AXI_AWLEN = 0, S_AXI_AWSIZE = 3'h0; S_AXI_WVALID/S_AXI_WREADY with S_AXI_WDATA[31:0] = 'h87654321, S_AXI_WSTRB[3:0] = 4'h2)
Answer #39
Take a closer look at AWADDR, AWSIZE, and WSTRB
(Waveform detail: S_AXI_AWVALID with S_AXI_AWADDR = 'h....0 and S_AXI_AWSIZE = 3'h0; S_AXI_WVALID with S_AXI_WSTRB[3:0] = 4'h2)

If AWADDR ends in 4'h0, for an 8-bit transfer (AWSIZE=0), WSTRB can only be 4'h0 or 4'h1
Quiz #40
Consider the design below
    reg A, B, C, D, E, Z;
    always @(posedge clk)
    begin
        // Assign to A, B, C, D, E, and Z somehow
    end

    assert property (@(posedge clk)
        Z |=> (A && B && C && D && E));
Would you consider this to be a good or a bad assertion?
Answer #40
While the assertion below is legal,
    assert property (@(posedge clk)
        Z |=> (A && B && C && D && E));

because the assertion tests for the AND of many conditions, it can be difficult to tell from a trace which condition caused the assertion failure. You might find that splitting it up makes it easier to work with.

    assert property (@(posedge clk) Z |=> A);
    assert property (@(posedge clk) Z |=> B);
    assert property (@(posedge clk) Z |=> C);
    assert property (@(posedge clk) Z |=> D);
    assert property (@(posedge clk) Z |=> E);
Quiz #41
Can you spot the AXI bug below?
(Waveform: S_AXI_ACLK and S_AXI_ARESETN; S_AXI_AWVALID/S_AXI_AWREADY with S_AXI_AWADDR = 'h..1, S_AXI_AWLEN = 0, S_AXI_AWSIZE = 3'h1; S_AXI_WVALID/S_AXI_WREADY with S_AXI_WDATA[31:0] = 'h87654321, S_AXI_WSTRB[3:0] = 4'hf)
Answer #41
Can you spot the AXI bug below?
(Waveform detail: S_AXI_AWVALID with S_AXI_AWADDR = 'h..1 and S_AXI_AWSIZE = 3'h1; S_AXI_WVALID with S_AXI_WSTRB[3:0] = 4'hf)

1. If AWSIZE==1, then only two bits of WSTRB may ever be set on any given beat. These can either be 4'h3 or 4'hc for a 32-bit bus
2. If AWADDR[1:0]==2'b01, then only bit WSTRB[1] may be set

Note that AXI explicitly allows WVALID before AWVALID
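Quizzes #39 and #41 are two instances of one byte-lane rule. The Python model below is an added example, not code from the slides or from any bus property file: for a beat at a given byte address and AxSIZE on a bus of a given width (4 bytes, as in the quizzes), it computes the byte lanes a write may touch and checks a WSTRB value against them. It also goes a step beyond the slides by producing the per-beat masks of a whole INCR burst, assuming, as AXI requires, that every beat after the first starts at the next size-aligned address.

```python
# Added example (not from the slides): AXI write-strobe legality model.


def legal_wstrb_mask(addr: int, axsize: int, bus_bytes: int = 4) -> int:
    """Byte lanes a single beat at byte address `addr` may write.

    `axsize` is the AxSIZE encoding (bytes per beat = 1 << axsize).
    A beat may only touch bytes from `addr` up to the end of the
    (1 << axsize)-byte aligned block that contains `addr`, so an
    unaligned first beat gets a narrower window than the beats after it.
    """
    size_bytes = 1 << axsize
    if size_bytes > bus_bytes:
        raise ValueError("AxSIZE exceeds the data bus width")
    start_lane = addr % bus_bytes
    block_base = addr - (addr % size_bytes)        # size-aligned block start
    end_lane = (block_base % bus_bytes) + size_bytes - 1
    mask = 0
    for lane in range(start_lane, end_lane + 1):
        mask |= 1 << lane
    return mask


def wstrb_is_legal(addr: int, axsize: int, wstrb: int, bus_bytes: int = 4) -> bool:
    """True iff every set bit of WSTRB lies inside the legal window."""
    if wstrb < 0 or wstrb >= (1 << bus_bytes):
        return False
    return (wstrb & ~legal_wstrb_mask(addr, axsize, bus_bytes)) == 0


def incr_beat_masks(addr: int, axlen: int, axsize: int, bus_bytes: int = 4) -> list:
    """Legal WSTRB mask for each of the axlen+1 beats of an INCR burst.

    Beats after the first start at the next size-aligned address, so only
    the first beat can be narrower than the transfer size.
    """
    size_bytes = 1 << axsize
    masks = []
    beat_addr = addr
    for _ in range(axlen + 1):
        masks.append(legal_wstrb_mask(beat_addr, axsize, bus_bytes))
        beat_addr = beat_addr - (beat_addr % size_bytes) + size_bytes
    return masks


if __name__ == "__main__":
    # Quiz #39: address ending in 0, AWSIZE=0 -> only lane 0 may be written
    print(hex(legal_wstrb_mask(0x10, 0)), wstrb_is_legal(0x10, 0, 0x2))
    # Quiz #41: AWADDR[1:0]=01, AWSIZE=1 -> only WSTRB[1] may be set
    print(hex(legal_wstrb_mask(0x11, 1)), wstrb_is_legal(0x11, 1, 0xF))
```

The same window computation, written as an immediate assertion over the AW and W channel signals, is what a bus property file would assert whenever WVALID is high; the model is handy for checking a suspicious WSTRB value by hand before reading a counterexample trace.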
Quiz #42
Consider the design below
    reg A, B, C, D, Z;
    always @(posedge clk)
    begin
        // Assign to A, B, C, D, and Z somehow
    end

    assert property (@(posedge clk)
        Z |=> A
            ##1 B[*0:$] ##1 C
            ##1 B[*0:$] ##1 D);
Would you consider this to be a good or a bad assertion?
Answer #42
This assertion will never pass induction
    assert property (@(posedge clk)
        Z |=> A ##1 B[*0:$] ##1 C
                ##1 B[*0:$] ##1 D);

Why?

• Because the induction engine doesn't start at t = 0
  – There's no way to tell if the design is in the first B state or the second B state
• Worse, if B & C might ever hold, then the induction engine doesn't know how many times B was ever entered
  – The design might start with B true, and then set B & C for any number of clock ticks
  – The same applies to D
Quiz #43
Is this a valid AXI read request?
(Waveform: S_AXI_ACLK; S_AXI_ARVALID/S_AXI_ARREADY with S_AXI_ARADDR = 20'h01000, S_AXI_ARLEN = 8'h4, S_AXI_ARBURST = WRAP, S_AXI_ARSIZE = 3'h1)
You may assume the reset is inactive.
Answer #43
Is this a valid AXI read request?
(Waveform: S_AXI_ACLK; S_AXI_ARVALID/S_AXI_ARREADY with S_AXI_ARADDR = 20'h01000, S_AXI_ARLEN = 8'h4, S_AXI_ARBURST = WRAP)

No.

• When using wrapped addressing, the burst length must be either 2, 4, 8 or 16. AxLEN must be one less than that length
• In this case, ARLEN = 4, indicating a burst length of 5.
Answer #43 – Bonus
How would you detect this problem?
(Waveform detail: S_AXI_ARVALID with S_AXI_ARLEN = 8'h4 and S_AXI_ARBURST = WRAP)
The following property would capture this check
    always @(*)
    if ((S_AXI_ARVALID) && (S_AXI_ARBURST == WRAP))
        assert((S_AXI_ARLEN == 8'h1)    // burst length 2
            || (S_AXI_ARLEN == 8'h3)    // burst length 4
            || (S_AXI_ARLEN == 8'h7)    // burst length 8
            || (S_AXI_ARLEN == 8'hf));  // burst length 16
Be aware: Passing induction would take a bit more work
Quiz #44
Consider the following FIFO design that passed its testbench
    always @(posedge i_clk)
    begin
        if (i_rd && !o_empty)
            rd_addr <= rd_addr + 1;
        if (i_wr && !o_full)
            wr_addr <= wr_addr + 1;
    end

    always @(posedge i_clk)
    if (i_rd && !i_wr)
        fifo_fill <= fifo_fill - 1;
    else if (i_wr && !i_rd)
        fifo_fill <= fifo_fill + 1;

Ignoring the missing reset and initial states, and assuming o_empty and o_full are suitably defined, do you see any bugs?
Answer #44
Bugs in the FIFO? What about the following sequence?
(Waveform: i_clk, i_wr, o_full, i_rd, o_empty; fifo_fill goes from 0 to -1)
Did you see any others? (There were more ...)
Answer #44 - Formal
What formal properties might have found these bugs?
    reg [LGFIFO:0] f_fifo_fill;

    always @(*)
        f_fifo_fill = wr_addr - rd_addr;

    always @(*)
        assert(f_fifo_fill == fifo_fill);

This one assertion would've caught these bugs. You could easily pivot from here and catch any o_empty or o_full errors as well,

    always @(*)
        assert(o_empty == (f_fifo_fill == 0));

    always @(*)
        assert(o_full == (f_fifo_fill == (1 << LGFIFO)));
But this goes beyond what was in the quiz question.
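The fill-counter assertion can be exercised outside a formal tool too. The Python below is an added example, not code from the slides: it models the quiz's pointer and fill logic with the fill update exactly as given, beside a corrected update that qualifies reads and writes the same way the pointers do, and runs a bounded breadth-first search over every i_wr/i_rd input sequence from reset, checking f_fifo_fill == wr_addr - rd_addr after each clock. It assumes wr_addr, rd_addr and fifo_fill are all LGFIFO+1 bits wide and that o_empty and o_full are fifo_fill == 0 and fifo_fill == 1 << LGFIFO, the "suitably defined" outputs the quiz refers to.

```python
# Added example (not from the slides): bounded check of the FIFO fill invariant.

LGFIFO = 2                           # a 4-entry FIFO keeps the search small
MASK = (1 << (LGFIFO + 1)) - 1       # pointers and fill are LGFIFO+1 bits (assumed)
RESET_STATE = {"wr_addr": 0, "rd_addr": 0, "fill": 0}


def outputs(state):
    """o_empty / o_full, defined from the fill counter (assumed)."""
    return {"empty": state["fill"] == 0,
            "full": state["fill"] == (1 << LGFIFO)}


def step_buggy(state, i_wr, i_rd):
    """One clock of the quiz's logic: the pointers are qualified by
    o_empty/o_full, but the fill counter only looks at i_rd and i_wr."""
    o = outputs(state)
    nxt = dict(state)
    if i_rd and not o["empty"]:
        nxt["rd_addr"] = (state["rd_addr"] + 1) & MASK
    if i_wr and not o["full"]:
        nxt["wr_addr"] = (state["wr_addr"] + 1) & MASK
    if i_rd and not i_wr:
        nxt["fill"] = (state["fill"] - 1) & MASK   # 0 - 1 shows up as all ones
    elif i_wr and not i_rd:
        nxt["fill"] = (state["fill"] + 1) & MASK
    return nxt


def step_fixed(state, i_wr, i_rd):
    """Corrected fill update: count only the reads and writes that happen."""
    o = outputs(state)
    do_rd = i_rd and not o["empty"]
    do_wr = i_wr and not o["full"]
    nxt = dict(state)
    if do_rd:
        nxt["rd_addr"] = (state["rd_addr"] + 1) & MASK
    if do_wr:
        nxt["wr_addr"] = (state["wr_addr"] + 1) & MASK
    if do_rd and not do_wr:
        nxt["fill"] = (state["fill"] - 1) & MASK
    elif do_wr and not do_rd:
        nxt["fill"] = (state["fill"] + 1) & MASK
    return nxt


def fill_invariant_holds(state):
    """The slide's assertion: f_fifo_fill (= wr_addr - rd_addr) == fifo_fill."""
    return state["fill"] == ((state["wr_addr"] - state["rd_addr"]) & MASK)


def find_violation(step, depth):
    """Breadth-first search over all (i_wr, i_rd) sequences of up to `depth`
    clocks from reset; returns the shortest offending sequence, or None."""
    frontier = [(RESET_STATE, [])]
    for _ in range(depth):
        next_frontier = []
        for state, trace in frontier:
            for i_wr in (0, 1):
                for i_rd in (0, 1):
                    nxt = step(state, i_wr, i_rd)
                    new_trace = trace + [(i_wr, i_rd)]
                    if not fill_invariant_holds(nxt):
                        return new_trace
                    next_frontier.append((nxt, new_trace))
        frontier = next_frontier
    return None


if __name__ == "__main__":
    print("buggy:", find_violation(step_buggy, 4))   # a read from empty, one clock
    print("fixed:", find_violation(step_fixed, 6))   # None
```

The search returns the read-from-empty trace the answer slide shows, and a simultaneous read and write from empty (wr_addr advances, rd_addr does not, the fill counter stays put) is another one-clock counterexample to the same assertion.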
Quiz #45
What addresses and in what order is this request asking for?
(Waveform: S_AXI_ACLK; S_AXI_ARVALID with S_AXI_ARADDR = 'h1006, S_AXI_ARLEN = 8'h7, S_AXI_ARBURST = WRAP, S_AXI_ARSIZE = 3'h1)

Assume a 32-bit bus width
Answer #45
What address and in what order is this request asking for?
(Waveform: S_AXI_ACLK; S_AXI_ARVALID with S_AXI_ARADDR = 'h1006, S_AXI_ARLEN = 8'h7, S_AXI_ARBURST = WRAP, S_AXI_ARSIZE = 3'h1)

The addresses read and returned will be 1006h, 1008h, 100Ah, 100Ch, 100Eh, 1000h, 1002h, 1004h in that order
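Quizzes #43 and #45 apply the same two WRAP-burst rules: the burst length must be 2, 4, 8 or 16, and the addresses wrap inside a window of (length × bytes per beat) bytes. The Python below is an added example, not the slides' property or any bus property file: it checks a WRAP request the way the bonus property does, then lists the beat addresses a legal request produces. It also applies the AXI requirement that a WRAP start address be aligned to the transfer size, which the slides do not mention.

```python
# Added example (not from the slides): AXI WRAP request check and address generator.

WRAP_LENGTHS = (2, 4, 8, 16)    # the only burst lengths AXI allows for WRAP


def wrap_request_is_legal(araddr: int, arlen: int, arsize: int) -> bool:
    """The checks a property file would assert on ARVALID with ARBURST == WRAP:
    ARLEN+1 is one of 2, 4, 8, 16 and the start address is aligned to the
    transfer size (1 << arsize bytes)."""
    length = arlen + 1
    size_bytes = 1 << arsize
    return length in WRAP_LENGTHS and araddr % size_bytes == 0


def wrap_burst_addresses(araddr: int, arlen: int, arsize: int) -> list:
    """Beat addresses of a legal WRAP burst, in the order they are returned.

    The burst stays inside a window of length * size_bytes bytes that starts
    at the wrap boundary at or below araddr; when the next address would
    leave the window it wraps back to the window's base.
    """
    if not wrap_request_is_legal(araddr, arlen, arsize):
        raise ValueError("not a legal AXI WRAP request")
    length = arlen + 1
    size_bytes = 1 << arsize
    window = length * size_bytes
    window_base = araddr - (araddr % window)
    addrs = []
    beat = araddr
    for _ in range(length):
        addrs.append(beat)
        beat += size_bytes
        if beat >= window_base + window:
            beat = window_base
    return addrs


if __name__ == "__main__":
    # Quiz #43: ARLEN = 4 is a burst of 5, which WRAP does not allow
    print(wrap_request_is_legal(0x01000, 4, 1))
    # Quiz #45: 8 beats of 2 bytes starting at 'h1006 wrap at a 16-byte boundary
    print([hex(a) for a in wrap_burst_addresses(0x1006, 7, 1)])
```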
Quiz #46
You've just built a new peripheral. You'd like to formally verify it. What properties would you start with?
Answer #46
This is a very open ended question, so there are many answers to this question. Here are some of my own:

1. Start with any bus interface formal property files. This will immediately include a set of assumptions and assertions, which will then validate your bus interface
2. Consider assuming an initial reset
3. cover() the end of every type of bus request you expect to respond to. Don't forget to cover() the design returning back to idle!
4. Create sequences (SVA or poor man's) describing the actions associated with each operation you expect to perform, and ending with the bus response. Don't forget the return to idle!
Quiz #47
There are three basic methods to include formal properties into a design

1. Placing the formal properties within the design itself

    module modulename(/* ... */);
        // Design logic
    `ifdef FORMAL
        // Properties
    `endif // FORMAL
    endmodule

   This works nicely with the open version of SymbiYosys.

2. Binding the properties from one file into the logic of another

    bind designmodule propertymodule instance(.*);

Can anyone think of a third method?
Answer #47
A third method of adding properties into a design is to wrap the design with the properties like you would with a test bench.

• Without access to internal state values, passing induction can be a challenge. Remember, induction is a form of white-box verification
• State registers within the design may still be referenced using dot notation. Dot notation support is currently only available when using commercial formal tools, such as the SymbioticEDA Suite
Quiz #48
You are trying to verify a CPU.
• How would you go about verifying that your instruction fetch works?
• What formal properties would be appropriate to describe the "contract" between the instruction fetch and the CPU?
Answer #48
1. Include a formal bus property file, to verify the bus interaction
2. Pick an address in memory, pick a piece of data at that address, decide if the address will return a bus error or not

    (* anyconst *) reg [AW-1:0] f_fetch_addr;
    (* anyconst *) reg [DW-1:0] f_fetch_data;
    (* anyconst *) reg          f_fetch_err;

3. assume() on the bus interface ...
   • That any request for f_fetch_addr returns f_fetch_data
   • That it also returns a bus error if and only if f_fetch_err
4. assert() within your CPU, that any time the instruction address matches f_fetch_addr
   • That the instruction matches f_fetch_data
   • That an error condition exists if f_fetch_err is ever true
Quiz #49
The following design is used to read from either a control register, or sequential elements from a block RAM.

    always @(posedge i_clk) begin
        if (i_wb_stb && i_wb_we
                && i_wb_addr == CONTROL)
            addr <= 0;
        else if (i_wb_stb && !i_wb_we
                && i_wb_addr == DATA)
            addr <= addr + 1;
        memv <= mem[addr];
        case (i_wb_addr)
        CONTROL: o_wb_data <= control_reg;
        DATA:    o_wb_data <= memv;
        endcase
        o_wb_ack <= i_wb_stb; // ...
    end
See the bug?
Answer #49
Did you notice the time it takes to read a value?
• Reads take two clocks: one to read the value from memory, and a second to select the value read.
• By setting o_wb_ack immediately after i_wb_stb, the memory value doesn't make it into o_wb_data in time.
• Delaying o_wb_ack by one clock would fix this.

This bug was living in one of my cores for years.

• Reading all ones or all zeros values never caught it
• Neither did slower serial port commanded reads.
• I only caught this bug recently when reading from a DMA returned elements 0, 0, 1, 2, 3, etc.

What formal properties would you recommend adding to this design in order to catch these bugs?
Answer #49b
Chances are the process of formal verification would catch this

• Just putting the property together is likely to force you to think through what you want your logic to do
• ... and catch the bug

Once thought out, the following property would double-check the two clock read.

    assert property (@(posedge i_clk)
        disable iff (i_reset || !i_wb_cyc)
        (i_wb_stb && !o_wb_stall
            && !i_wb_we && i_wb_addr == DATA)
        |=> (addr == $past(addr + 1))
        ##1 o_wb_ack
            && (o_wb_data == $past(mem[addr], 2)));
Watch out for overflow in that addition!
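The two-clock read contract can also be tried against a cycle model. The Python below is an added example, not code from the slides: it steps the quiz's register logic once per clock, with o_wb_ack either one clock after the request (the quiz's bug) or delayed by a further clock as the answer suggests, issues back-to-back DATA reads, and collects o_wb_data on every clock where o_wb_ack is high. The block RAM contents, the control register value and the wrap of addr at the end of memory are constructed for the example; i_wb_addr is held at DATA throughout and o_wb_stall is taken as never asserted.

```python
# Added example (not from the slides): cycle model of the quiz's read path.

CONTROL, DATA = 0, 1
MEM = [0, 1, 2, 3, 4]        # constructed RAM contents: mem[i] == i
CONTROL_REG = 0xC0           # constructed control register value

RESET_STATE = {"addr": 0, "memv": 0, "o_wb_data": 0, "o_wb_ack": 0, "ack_pipe": 0}


def step(state, i_wb_stb, i_wb_we, i_wb_addr, delay_ack):
    """One posedge of the quiz's always block.

    delay_ack=False: o_wb_ack follows i_wb_stb by one clock (the bug).
    delay_ack=True:  o_wb_ack is delayed one more clock, so it lines up with
                     the clock on which o_wb_data has picked up memv.
    """
    nxt = dict(state)
    if i_wb_stb and i_wb_we and i_wb_addr == CONTROL:
        nxt["addr"] = 0
    elif i_wb_stb and not i_wb_we and i_wb_addr == DATA:
        nxt["addr"] = (state["addr"] + 1) % len(MEM)  # wrap assumed for the model
    nxt["memv"] = MEM[state["addr"]]                  # clock 1: read the RAM
    if i_wb_addr == CONTROL:
        nxt["o_wb_data"] = CONTROL_REG
    elif i_wb_addr == DATA:
        nxt["o_wb_data"] = state["memv"]              # clock 2: select the value
    if delay_ack:
        nxt["ack_pipe"] = int(i_wb_stb)
        nxt["o_wb_ack"] = state["ack_pipe"]
    else:
        nxt["o_wb_ack"] = int(i_wb_stb)
    return nxt


def sequential_reads(count, delay_ack):
    """Issue `count` back-to-back DATA reads, then idle until every ack is
    out; return the o_wb_data value sampled on each ack."""
    state = dict(RESET_STATE)
    returned = []
    for cycle in range(count + 3):
        stb = 1 if cycle < count else 0
        state = step(state, stb, 0, DATA, delay_ack)
        if state["o_wb_ack"]:
            returned.append(state["o_wb_data"])
    return returned


def reads_match_memory(count, delay_ack):
    """The contract the slide's property expresses: the i-th sequential
    DATA read returns mem[i] on the clock its ack is given."""
    return sequential_reads(count, delay_ack) == MEM[:count]


if __name__ == "__main__":
    print("buggy:", sequential_reads(5, False))   # [0, 0, 1, 2, 3]
    print("fixed:", sequential_reads(5, True))    # [0, 1, 2, 3, 4]
```

With the memory holding 0, 1, 2, 3, 4 the buggy model reproduces the 0, 0, 1, 2, 3 sequence the answer slide describes: the first ack carries the stale reset value of memv, which is why a memory full of all zeros or all ones never showed the problem.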
Quiz #50
The following construct works well to make certain that initial values and reset values match

    reg f_past_valid = 0;
    always @(posedge i_clk)
        f_past_valid <= 1;

    always @(posedge i_clk)
    if (!f_past_valid || $past(i_reset))
    begin
        // Check for reset properties
        // For example ...
        assert(counter == 0);
    end

How would you go about verifying the reset works on a design with no initial values or for hardware that doesn't support them?
Answer #50
The key to not having any initial value support lies in assuming an initial reset

    initial assume(i_reset);

    always @(posedge i_clk)
    if (!i_reset && $past(i_reset))
    begin
        // Check reset properties
        // For example ...
        assert(counter == 0);
    end

Bonus: How would you verify a design with an asynchronous reset?
Quiz #51
Your design contains a FIFO. You want to assert a property of its output. How do you go about it?

    sfifo fifo(i_clk, i_reset, i_wr, i_wval,
            i_rd, i_rval);

    always @(*)
        assert(something_about_i_rval);
Answer #51
FIFOs are typically verified by following one or two items through the FIFO process. These special values can be used to prove the assertion below.

    sfifo fifo(i_clk, i_reset, i_wr, i_wval,
            i_rd, i_rval);

    always @(*)
    if (rval_is_special_value)
        assert(something_about_i_rval);
    else // if (!rval_is_special_value)
        assume(something_about_i_rval);

    always @(*)
    if (special_value_in_fifo)
    begin
        // Assert something about the special
        // value while it is in the FIFO
    end
Quiz #52
You are trying to formally verify a CPU. How would you go about verifying that your load/store unit works?
Answer #52
1. Start by including the formal bus property file
2. As with the instruction fetch, let the solver pick a ...
   • Special address, f_lsu_addr,
   • Special data value, f_lsu_data, and
   • Whether the bus should return an error, f_lsu_err.
3. Track writes to f_lsu_addr using the data values
   • Any time a store instruction is issued for f_lsu_addr, adjust the value of f_lsu_data
   • Any time a write is issued over the bus for f_lsu_addr, assert() the value written is f_lsu_data
4. assume() reads from the address return f_lsu_data, and return errors if and only if f_lsu_err
5. assert() within your CPU, that any time f_lsu_addr is read, f_lsu_data is written to the register file
Quiz #53
Consider the VHDL design below controlling an AXI slave:
    AXI_READ_RLAST_P : process (S_AXI_ACLK) is
    begin
        if (S_AXI_ACLK'event and S_AXI_ACLK = '1') then
            if (S_AXI_ARESETN = '0') then
                S_AXI_RLAST <= '0';
            elsif S_AXI_RREADY = '1' then
                S_AXI_RLAST <= s_axi_rlast_i and rvalid;
            end if;
        end if;
    end process AXI_READ_RLAST_P;
Can you spot any bugs in this snippet alone?
Answer #53
SymbiYosys found the following trace,
(Waveform: S_AXI_ACLK and S_AXI_ARESETN; S_AXI_ARVALID/S_AXI_ARREADY with S_AXI_ARLEN taking the values 0, 3E, AB; S_AXI_RVALID, S_AXI_RREADY; S_AXI_RLAST marked "?")

This bug lived for years in a piece of commercial IP that was regularly checked by a "best in class" property checker. A first ever formal AXI property check turned it up immediately.
Answer #53b
The correct check would include not only S_AXI_RREADY, but also the possibility that !S_AXI_RVALID.

    AXI_READ_RLAST_P : process (S_AXI_ACLK) is
    begin
        if (S_AXI_ACLK'event and S_AXI_ACLK = '1') then
            if (S_AXI_ARESETN = '0') then
                S_AXI_RLAST <= '0';
            elsif (S_AXI_RVALID = '0'    -- extra check!
                    or S_AXI_RREADY = '1') then
                S_AXI_RLAST <= s_axi_rlast_i and rvalid;
            end if;
        end if;
    end process AXI_READ_RLAST_P;
Quiz #54
You are trying to verify a CPU. How can you go about verifying that a single ALU instruction works? Let's consider an ADD instruction for this example.
Answer #54
How shall you verify an ADD instruction within a CPU?
1. Generate a packet as the ADD instruction gets processed
   • Capture the instruction word, current/next program counter, register inputs, ALU output, etc.
2. cover() an ADD instruction getting retired
3. When the instruction is retired, use assertions to check ...
   • Is the output equal to the register inputs summed together?
   • Pick a register. If the input to the instruction is that register, does it match the value of the last time the register was written?
   • Is the current program counter equal to the next program counter from the previous instruction?
   • Is the next program counter the next location in memory?
Quiz #55
You are working on a bus component, and you want to know how much throughput you can achieve per clock using that component. How might you use formal tools to solve this problem?
Answer #55
cover() makes a great way of measuring best case throughput. The following formal logic will generate a trace demonstrating the maximum AXI write throughput within a design

    reg [3:0] cvr_writes;
    initial cvr_writes = 0;
    always @(posedge i_clk)
    if (!S_AXI_ARESETN)
        cvr_writes <= 0;
    else if (S_AXI_BVALID && S_AXI_BREADY)
        cvr_writes <= cvr_writes + 1;

    always @(*)
        cover(cvr_writes > 4);

This logic will generate the earliest possible trace showing a response to five separate write requests (each w/ AWLEN=0)
Quiz #56
You are working on an AXI bus slave, and you want to know how much throughput you can achieve per clock. Moreover, your core is able to handle multiple burst sizes. How might you determine how fast your core can handle burst writes?
Answer #56
You can use cover() again! This time, create a flag, we'll call it cvr_wr_bursts, that will only be true if all write requests are of length four or greater.

    reg cvr_wr_bursts = 1;
    always @(posedge i_clk)
    if (!S_AXI_ARESETN)
        cvr_wr_bursts <= 1;
    else if (S_AXI_AWVALID && S_AXI_AWLEN < 3)
        cvr_wr_bursts <= 0;

    // cvr_writes counts BVALID & BREADY as before
    always @(*)
        cover(cvr_wr_bursts && cvr_writes > 2);

The above example will generate a trace showing a response to three separate write bursts, each with AWLEN=3.
Quiz #57
406 / 462
Many of the AXI bugs I’ve found have centered around the inability of a slave design to handle backpressure.

[Waveform: S_AXI_ACLK, S_AXI_ARESETN, S_AXI_ARVALID, S_AXI_ARREADY, S_AXI_RVALID, S_AXI_RREADY, annotated "Backpressure"]

What simulation or cover() goals might you use to guarantee your design doesn’t suffer from an inability to handle backpressure?
Answer #57
407 / 462
A useful simulation or cover() goal might be to hold S_AXI_ARVALID high while holding S_AXI_RREADY low, creating maximum forward pressure and backpressure at the same time. You could then examine the trace to see if it looks right.

• This still requires examining the trace to know if the core handled the backpressure correctly
• A formal property checker, given a bus property file, would automatically check this setup by nature
• Such a checker would also examine the signals for you, to find exactly where a request wasn’t properly given a response.

Of course, this is only one of the many possible simulation goals

• With simulation, you’ll never know if you’ve done enough
Quiz #58
408 / 462
You’ve built a complex state machine, and now want to verify that without a start signal the state machine will remain idle. Worse, you want to verify several other consequences of remaining idle as well. How might you go about building such a proof using Yosys?
Answer #58
409 / 462
Here’s an approach that I’ve used on several projects

• First, let the solver pick whether to do this check or not

    (* anyconst *) reg f_idle_check;

• Then, if set, assume no start signal

    always @(*)
    if (f_idle_check)
    begin
        assume(!i_start_signal);

• Finally, assert your special case conditions

        assert(state == IDLE);
        assert(consequence_one);
        // ... etc.
    end
Quiz #59
410 / 462
You are trying to verify a hardware DMA

• A DMA is essentially a hardware memory copy
  1. It receives a source address, destination address, and copy length from the bus
  2. Then copies (length) bytes of memory from source to destination address
• Ignoring the obvious undefined behavior associated with overlap between source and destination . . .

What formal properties would be appropriate to describe the “contract” that such a DMA is required to fulfill?
Answer #59
411 / 462
What formal properties would be appropriate to describe the “contract” that a DMA is required to fulfill?

• The first step is easy: connect your bus properties to both the control port and the data port.

That might just find most of your bugs, but for completeness you’ll want to do one more:

• Pick a value in memory, at some offset within the source region
• assume this value is returned by a read of that address
• assert this value is written by a write to the same offset, but within the destination region
• If the solver can pick the value and offset arbitrarily, and the resulting proof passes, then the entire DMA will therefore work.
Quiz #60
412 / 462
You are trying to verify a CPU. How can you go about verifying that a multiplication instruction works?

    always @(posedge i_clk)
        mpy_out <= i_a * i_b;

    always @(posedge i_clk)
    case (insn_type)
    ALU_INSN: result <= alu_out;
    MPY_INSN: result <= mpy_out;
    DIV_INSN: result <= alu_out;
    LOD_INSN: result <= lsu_out; // Load/Store Insn
    endcase

    always @(*) // What assertion(s) might you use?
    if (insn_type == MPY_INSN)
        assert(mpy_out == ?);
Answer #60
413 / 462
This issue is complicated by the fact that formally verifying the result of a multiplication tends to be beyond the capability of the state of the art of formal verification. Given that, here are some things you can do:

• Replace the output of the multiply with a (constrained) arbitrary value
  – Possible constraints include assuming the correct value in the case of multiplication by zero, one, or negative one
  – Alternatively, you might XOR the inputs together with another value

Although these solutions don’t check the result of the instruction, they can still catch bugs associated with the pipeline timing, forwarding, etc.

• The actual multiply result can then be checked via simulation
Quiz #61
414 / 462
Just as formal tools struggle with multiplies, they also struggle with divides. Worse, many divide instructions take many clocks to complete

• How can you go about verifying a divide using either BMC or cover, but without processing all 32 (or more) steps of the divide?
Answer #61
415 / 462
Verifying that the divide pipeline works is still valuable

• Consider using the approaches we used for a multiply to verify that the divide is properly handled by its context
• You can capture the duration of the divide using a (* anyseq *) “free variable.” Let this value range from only a couple of clocks in duration all the way to the correct length of the divide. This will keep things within the range of both BMC and cover()

Verifying that the pipeline works for all durations of the divide effectively verifies that it works for the correct duration

• You can use simulation to actually verify the result of the divide
• Alternatively, you can use formal to verify the individual internal steps of the divide
Quiz #62
416 / 462
You have a counter that is supposed to count down from some programmable value to zero. How can you assert that this counter will never be higher than the programmable value, given that the value might change mid count?

    always @(posedge i_clk)
    begin
        if (set_value) max_value <= new_value;

        if (counter == 0)
            counter <= max_value;
        else
            counter <= counter - 1;

        // This fails if the max value ever
        // changes mid countdown!
        assert(counter <= max_value);
    end
Answer #62
417 / 462
Q: How can you assert that a counter will never be higher than the programmable value, given that the value might change mid count?

Answer: Capture a copy of the maximum value at the time the counter is set

    always @(posedge i_clk)
    if (counter == 0)
        f_max_value <= max_value;

    always @(*)
        assert(counter <= f_max_value);

Remember: you can use Verilog to your advantage!
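The same counter as an added Python model (example code, not the deck’s Verilog), written to show what the two assertions do under a bounded check and under induction: the quiz’s assert(counter <= max_value) has reachable counterexamples, while the answer’s assert(counter <= f_max_value) has none and is also inductive on its own, so it needs no helper invariants. Register widths are assumed to be 3 bits, the reset state all zeros, and set_value/new_value are the design’s free inputs; none of those values come from the slide.

```python
from itertools import product

WIDTH = 3                        # assumed register width; 3 bits keeps the state space tiny
MAXV = (1 << WIDTH) - 1
INPUTS = list(product((0, 1), range(MAXV + 1)))   # every (set_value, new_value) pair


def step(state, set_value, new_value):
    """One clock edge of the countdown counter. Every right-hand side reads the
    *old* state, which is exactly what the nonblocking assignments in the RTL do."""
    counter, max_value, f_max_value = state
    next_max = new_value if set_value else max_value
    if counter == 0:
        next_counter = max_value       # reload from the (old) programmable value
        next_f = max_value             # f_max_value captures the value just loaded
    else:
        next_counter = counter - 1
        next_f = f_max_value
    return (next_counter, next_max, next_f)


def naive_prop(state):
    """assert(counter <= max_value): the assertion from the quiz."""
    counter, max_value, _ = state
    return counter <= max_value


def fixed_prop(state):
    """assert(counter <= f_max_value): the assertion from the answer."""
    counter, _, f_max_value = state
    return counter <= f_max_value


def reachable_states(reset=(0, 0, 0)):
    """Breadth-first search over every input sequence from reset: the set of
    states a bounded model check of unlimited depth could ever visit."""
    seen, frontier = {reset}, [reset]
    while frontier:
        nxt = []
        for s in frontier:
            for set_value, new_value in INPUTS:
                t = step(s, set_value, new_value)
                if t not in seen:
                    seen.add(t)
                    nxt.append(t)
        frontier = nxt
    return seen


def violations(prop, states):
    """Reachable states in which the assertion `prop` fails (BMC counterexamples)."""
    return sorted(s for s in states if not prop(s))


def is_inductive(prop):
    """One-step induction: starting from *any* state where prop holds, reachable
    or not, does every input keep prop true one clock later?"""
    return all(prop(step(s, set_value, new_value))
               for s in product(range(MAXV + 1), repeat=3) if prop(s)
               for set_value, new_value in INPUTS)


if __name__ == "__main__":
    reach = reachable_states()
    print("naive assertion fails in:", violations(naive_prop, reach)[:3], "...")
    print("fixed assertion fails in:", violations(fixed_prop, reach))
    print("fixed assertion inductive:", is_inductive(fixed_prop))
```

The state (counter=5, max_value=2, f_max_value=5) is reached by programming 5, letting the counter load it, and then programming 2 on the same edge; it fails the quiz’s assertion and passes the answer’s. Because the fixed property is inductive, an induction engine needs no extra invariants to close the proof.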
Quiz #63
418 / 462
You have a CPU component of a larger design.

    cpu mycpu(i_clk, i_reset,
        bus_master_outputs, // ...
        bus_master_inputs,  // ...
        interrupt_line);    // or lines

Your CPU passes formal verification. How would you go about formally verifying the rest of the design?
Answer #63
419 / 462
How would you go about formally verifying the rest of the design? Replace the CPU with a set of bus interface properties!

• Assume the CPU is a generic bus master
• This will disconnect any bus transactions from the CPU operation that would cause them. On the other hand, you just proved the CPU would properly execute its instructions
• You will want to do the same thing with your bus slaves as well as the interconnect

This will then allow you to verify the top level of your design
Answer #63b
420 / 462
How would you go about formally verifying the rest of the design? Replace the bus components with bus interface properties!
Quiz #64
421 / 462
Consider the VHDL design below controlling an AXI slave:

    AXI_READ_VALID_P : process(S_AXI_ACLK) is
    begin
        if (S_AXI_ACLK'event and S_AXI_ACLK='1') then
            if (S_AXI_ARESETN = '0') then
                S_AXI_RVALID <= '0';
            elsif S_AXI_RREADY = '1' then
                S_AXI_RVALID <= rvalid;
            end if;
        end if;
    end process AXI_READ_VALID_P;

Can you spot any bugs in this snippet alone?
Answer #64
422 / 462
Can you spot any bugs in this snippet alone?

    AXI_READ_VALID_P : process(S_AXI_ACLK) is
    begin
        if (S_AXI_ACLK'event and S_AXI_ACLK='1') then
            if (S_AXI_ARESETN = '0') then
                S_AXI_RVALID <= '0';
            elsif S_AXI_RREADY = '1' then
                S_AXI_RVALID <= rvalid;
            end if;
        end if;
    end process AXI_READ_VALID_P;

Absolutely! What happens if (!S_AXI_RVALID && !S_AXI_RREADY)? If the master hasn’t set S_AXI_RREADY in anticipation of a response, something it isn’t required to do, the design will hang.
Quiz #65
423 / 462
SymbiYosys extends Verilog, SV, and VHDL with several attributes, including

• (* anyconst *), (* anyseq *), and (* gclk *)

Let’s discuss (* anyconst *): How might you achieve the same result as

    (* anyconst *) wire A;

while only using one of the other two attributes?
Answer #65
424 / 462
SymbiYosys extends Verilog, SV, and VHDL with several attributes, including

• (* anyconst *), (* anyseq *), and (* gclk *)

Let’s discuss (* anyconst *): How might you achieve the same result as

    (* anyconst *) wire A;

while only using one of the other two attributes? The following declaration and property would be equivalent

    (* anyseq *) wire A;
    always @(posedge i_clk)
        assume($stable(A));

Bonus: How would you adjust this to handle multiple clocks?
Quiz #66
425 / 462
The following logic comes from a major vendor’s AXI stream master implementation. Can you spot the bug?

    always @(posedge ACLK)
    if (!ARESETN)
        // ...
    else begin
        TVALID <= (state == SEND_STREAM) && rptr < MAX;
        TLAST  <= (rptr == MAX - 1);
        if (rptr < MAX) begin
            if (TVALID && TREADY) begin
                done <= 0; rptr <= rptr + 1;
            end
        end else begin
            done <= 1; rptr <= 0;
        end
    end

Hint: the bug is not in the reset logic, nor is it in rptr or state
Answer #66
426 / 462
What happens when TVALID && !TREADY && !TLAST && rptr == MAX-1?

• TLAST will change when things should’ve been stalled

[Waveform: ACLK, TVALID, TREADY, TLAST, rptr (M-2, M-1, M, 0), done]
Answer #66b
427 / 462
What happens when TVALID && !TREADY && !TLAST && rptr == MAX?

• TVALID will change when things should’ve been stalled

[Waveform: ACLK, TVALID, TREADY, TLAST, rptr (M-1, M, 0), done]
Answer #66c
428 / 462
Adding a check for !TVALID || TREADY fixes both of these bugs

    // ...
    else if (!TVALID || TREADY) begin
        TVALID <= (state == SEND_STREAM) && rptr < MAX;
        TLAST  <= (rptr == MAX - 1);
        if (rptr < MAX) begin
            if (TVALID && TREADY) begin
                done <= 0; rptr <= rptr + 1;
            end
        end else begin
            done <= 1; rptr <= 0;
        end
    end
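Both bugs of Quiz #66 (the TLAST change at rptr == MAX-1 and the TVALID drop at rptr == MAX) and the Answer #66c fix can be exercised with a small bounded check. The following is an added Python model (example code, not the vendor’s or the deck’s RTL) of the two always blocks, with the AXI-stream stall rule written as the property: once TVALID is high and TREADY is low, TVALID must stay high and the beat must not change. It assumes state == SEND_STREAM throughout, a burst length MAX of 3, TLAST as the only modelled payload bit, and a reset state with TVALID low.

```python
from itertools import product

MAX = 3   # assumed burst length; the vendor design's MAX is a parameter


def stream_update(s, tready):
    """The body of the vendor's else-branch (state == SEND_STREAM assumed), with
    nonblocking semantics: every right-hand side reads the old state."""
    tvalid, tlast, rptr, done = s
    n_tvalid = int(rptr < MAX)
    n_tlast = int(rptr == MAX - 1)
    if rptr < MAX:
        if tvalid and tready:
            n_done, n_rptr = 0, rptr + 1
        else:
            n_done, n_rptr = done, rptr
    else:
        n_done, n_rptr = 1, 0
    return (n_tvalid, n_tlast, n_rptr, n_done)


def buggy_step(s, tready):
    """Quiz #66: the registers update on every clock, stalled or not."""
    return stream_update(s, tready)


def fixed_step(s, tready):
    """Answer #66c: update only when !TVALID || TREADY, otherwise hold everything."""
    tvalid = s[0]
    return stream_update(s, tready) if (not tvalid or tready) else s


def stall_violation(prev, tready, cur):
    """AXI-stream rule: while TVALID is high and TREADY is low, TVALID must stay
    high and the beat (here TLAST) must not change."""
    p_tvalid, p_tlast = prev[0], prev[1]
    return bool(p_tvalid and not tready and (cur[0] != 1 or cur[1] != p_tlast))


def violating_cycles(step, seq, reset=(0, 0, 0, 0)):
    """Drive one TREADY sequence from reset; return the cycles that break the rule."""
    s, bad = reset, []
    for cycle, tready in enumerate(seq):
        nxt = step(s, tready)
        if stall_violation(s, tready, nxt):
            bad.append(cycle)
        s = nxt
    return bad


def first_counterexample(step, depth):
    """Bounded model check: every TREADY sequence of up to `depth` cycles, shortest
    first. Returns (tready_sequence, cycle) of the first violation, or None."""
    for n in range(1, depth + 1):
        for seq in product((0, 1), repeat=n):
            bad = violating_cycles(step, seq)
            if bad:
                return (seq, bad[0])
    return None


if __name__ == "__main__":
    print("vendor logic :", first_counterexample(buggy_step, 8))
    print("with the fix :", first_counterexample(fixed_step, 8))
```

With MAX = 3 the shortest counterexample needs four cycles (two accepted beats, then a stall with rptr == MAX-1), which is why a depth-3 check reports nothing: the proof depth has to cover the longest operation, as Answer #73 says. Holding TREADY low one beat later shows the second bug, TVALID dropping at rptr == MAX.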
Quiz #67
429 / 462
Can you spot the AXI-lite bug below?

    always @(posedge S_AXI_ACLK)
    if (S_AXI_ARESETN == 1'b0)
        axi_arready <= 1'b0;
    else if (!axi_arready && S_AXI_ARVALID)
        axi_arready <= 1'b1;
    else
        axi_arready <= 1'b0;
Answer #67
430 / 462
AWREADY, WREADY and ARREADY all need to be responsive to backpressure from the master. In this case, if RREADY is low long enough then subsequent responses to consecutive requests will get dropped.

[Waveform: ACLK, ARESETN, ARVALID, ARREADY, RVALID, RREADY, with the dropped response marked "?"]

Your design will then hang. Example courtesy of Vivado, from 2016.3 to the present (2020.1)
Quiz #68
431 / 462
Here’s a second AXI4-lite bug, also courtesy of Vivado 2020.1. Can you spot it?

    always @(posedge S_AXI_ACLK)
    if (S_AXI_ARESETN == 1'b0)
        axi_rvalid <= 0;
    else if (axi_arready && S_AXI_ARVALID
            && ~axi_rvalid)
        axi_rvalid <= 1'b1;
    else if (axi_rvalid && S_AXI_RREADY)
        axi_rvalid <= 1'b0;

Yes, let me assure you, there is a bug in this code.
Answer #68
432 / 462
Never make a transition depend on VALID && READY and anything else.

• What happens if axi_arready && S_AXI_ARVALID && axi_rvalid? axi_rvalid is dropped.

[Waveform: ACLK, ARESETN, ARVALID, ARREADY, RVALID, RREADY, with the dropped response marked "?"]

If your design isn’t ready to accept a transaction for some reason or other, then it’s your responsibility to hold READY low.
Answer #68b
433 / 462
Several individuals have suggested that this answer depends upon how axi_arready is assigned.

• Had it been combinatorially assigned, there would be no error.

    assign axi_arready = !axi_rvalid;

This is true.

• Had it been assigned that way, the logic could’ve also been simplified to the correct answer

    always @(posedge S_AXI_ACLK)
    if (S_AXI_ARESETN == 1'b0)
        axi_rvalid <= 0;
    else if (axi_arready && S_AXI_ARVALID)
        axi_rvalid <= 1'b1;
    else if (axi_rvalid && S_AXI_RREADY)
        axi_rvalid <= 1'b0;
Quiz #69
434 / 462
SymbiYosys extends Verilog, SV, and VHDL with several attributes, including

• (* anyconst *), (* anyseq *), and (* gclk *)

To formally verify an asynchronous design, you need access to the formal time-step. How might you use (* gclk *) for this purpose? What other changes would be required in your design?
Answer #69
435 / 462
The formal timestep can be described using (* gclk *) by first declaring a global time-step,

    (* gclk *) wire gbl_clk;

and then using it in your design:

    always @(posedge gbl_clk)

Don’t forget to add the SymbiYosys multiclock option:

    [options]
    # ...
    multiclock on
Quiz #70
436 / 462
Looking at the following vendor supplied AXI master design, do you see any AXI protocol errors?

    parameter AXI_BASE_ADDR = 32'h4000_0000;
    parameter BURST_LEN = 8;
    assign burst_size_bytes
            = BURST_LEN * (AXI_DATA_WIDTH/8);

    always @(posedge ACLK)
    if (!M_AXI_ARESETN || init_pulse)
        axi_awaddr <= 0;
    else if (M_AXI_AWREADY && axi_awvalid)
        axi_awaddr <= axi_awaddr + burst_size_bytes;

    assign M_AXI_AWADDR = BASE_ADDR + axi_awaddr;
    assign M_AXI_AWLEN = BURST_LEN-1;

You may assume init_pulse |-> !M_AXI_AWVALID.
Answer #70
437 / 462
This bug is rather subtle, if present at all. (We can argue that.)

• As currently parameterized, there are no bugs.
• What happens if the parameters are overridden?
• Specifically, what if BASE_ADDR[11:0] > 12’hfe0 for a 32-bit bus?
• The AXI Spec prohibits bursts from crossing a 4kB boundary
• Nothing in the demo indicates that the address can not be arbitrarily overridden

What do you think? Is this a bona fide “bug”?

• It’s led to many broken user designs based upon this demonstration code
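An added Python check for the 4kB rule (example code, not the vendor’s or the deck’s), which reproduces the address sequence the demo master issues and asks which BASE_ADDR overrides make a burst cross a boundary. It goes a little beyond the slide: besides confirming that the first burst crosses exactly when BASE_ADDR[11:0] > 12’hfe0, it shows that any BASE_ADDR that is not a multiple of burst_size_bytes eventually issues a crossing burst, because the low address bits walk through every residue. It assumes BURST_LEN = 8, a 32-bit data bus (AXI_DATA_WIDTH = 32) and INCR bursts, as on the slide.

```python
def burst_crosses_4k(start_addr, burst_len, data_width_bits):
    """True if an INCR burst of burst_len beats, each data_width/8 bytes, starting
    at start_addr touches two different 4 kB pages: the crossing AXI forbids."""
    nbytes = burst_len * (data_width_bits // 8)
    last = start_addr + nbytes - 1
    return (start_addr >> 12) != (last >> 12)


def vendor_burst_addresses(base_addr, burst_len, data_width_bits, nbursts):
    """The AWADDR values the demo master issues: axi_awaddr starts at 0 and grows by
    burst_size_bytes after each accepted AW, and M_AXI_AWADDR = BASE_ADDR + axi_awaddr."""
    burst_size_bytes = burst_len * (data_width_bits // 8)
    return [base_addr + i * burst_size_bytes for i in range(nbursts)]


def first_burst_bad_offsets(burst_len, data_width_bits):
    """BASE_ADDR[11:0] values for which the very *first* burst crosses a boundary
    (the case the slide names)."""
    return [off for off in range(1 << 12)
            if burst_crosses_4k(off, burst_len, data_width_bits)]


def any_burst_bad_offsets(burst_len, data_width_bits):
    """BASE_ADDR[11:0] values for which *some* burst in the sequence crosses a
    boundary. One 4 kB window of bursts suffices: the low address bits repeat."""
    burst_size_bytes = burst_len * (data_width_bits // 8)
    nbursts = (1 << 12) // burst_size_bytes + 1
    return [off for off in range(1 << 12)
            if any(burst_crosses_4k(a, burst_len, data_width_bits)
                   for a in vendor_burst_addresses(off, burst_len, data_width_bits, nbursts))]


if __name__ == "__main__":
    default_ok = not any(burst_crosses_4k(a, 8, 32)
                         for a in vendor_burst_addresses(0x4000_0000, 8, 32, 512))
    print("default BASE_ADDR never crosses:", default_ok)
    print("first burst crosses when BASE_ADDR[11:0] > 0x%03x"
          % (min(first_burst_bad_offsets(8, 32)) - 1))
    print("bases that eventually cross: %d of 4096" % len(any_burst_bad_offsets(8, 32)))
```

For the 32-byte bursts of the demo, 128 of the 4096 possible low-order base values are safe (the multiples of 32) and the remaining 3968 eventually cross; the first burst alone crosses only for offsets 0xfe1 and above. An assumption on BASE_ADDR alignment, or an assertion on M_AXI_AWADDR, would have made the parameter dependency explicit.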
Quiz #71
438 / 462
Can you spot any bugs in the AXI4-lite code below?

    initial BVALID = 0;
    always @(posedge ACLK)
    if (!ARESETN)
        BVALID <= 0;
    else if (AWVALID && AWREADY
            && WVALID && WREADY
            && !BVALID)
        BVALID <= 1;
    else if (BREADY && BVALID)
        BVALID <= 0;

• Hint: Xilinx’s VIP won’t necessarily find these bugs

If you’re not sure if there is a bug, how would you find out?
Answer #71
439 / 462
What happens if . . .

1. Either of AWVALID or WVALID but not both,
2. (AWVALID && WVALID) && AWREADY != WREADY, or even
3. (AWVALID && WVALID) && AWREADY && BVALID?

A couple of assertions can quickly determine if any of these conditions would ever be a problem:

• assert(AWREADY == WREADY);
• if (AWREADY) assert(AWVALID && WVALID);
• if (BVALID) assert(!AWREADY);

Of course, if these assertions would pass, then the logic could’ve been greatly simplified
Answer #71b
440 / 462
To fix this logic, I like using skid buffers and a combinatorial flag

    always @(*)
        write_ready = awskd_valid && wskd_valid
                && (!BVALID || BREADY);

    always @(posedge ACLK)
    if (!ARESETN)
        BVALID <= 0;
    else if (write_ready)
        BVALID <= 1;
    else if (BREADY)
        BVALID <= 0;

Using the skid buffer gets around the requirement that all AXI outputs be registered, since the skid buffer’s ready input doesn’t need to be registered.
Answer #71c
441 / 462
You could also fix this logic without the skid buffers but only at a loss of 50% throughput

    always @(posedge i_clk)
    if (!ARESETN)
        write_ready <= 0;
    else begin
        // Accept only when both the address and the data are present
        write_ready <= (AWVALID && WVALID);
        // Never stay ready two cycles in a row: the request was
        // accepted on the cycle write_ready was high
        if (write_ready)
            write_ready <= 0;
        // Note you *must* check for
        // backpressure when using AXI
        if (BVALID && !BREADY)
            write_ready <= 0;
    end

    assign AWREADY = write_ready;
    assign WREADY = write_ready;
Quiz #72
442 / 462
(* anyconst *) and (* anyseq *) can both be used to create random values carefully chosen by the solver within your proof. If these values need to be constrained, what kind of constraints should be used on them?
Answer #72
443 / 462
(* anyconst *) and (* anyseq *) can both be used to create random values carefully chosen by the solver within your proof. If these values need additional constraints, what kind of constraints should be used on them?

• Because (* anyconst *) and (* anyseq *) values act like inputs, assumptions are appropriate for constraining them
• Beware, these two attributes will be ignored by a simulator
  – In simulation, assume() constraints will become assert()s
  – This will likely cause any simulation depending upon their assumed values to fail
  – You might wish to ifdef out any free variable sections when running simulations, or
  – Arrange them so they’ll work without additional constraints under simulation
Quiz #73
444 / 462
Let’s talk about the depth of a proof

• For bounded and cover checks
  – The depth is the number of steps that get checked
• For induction passes
  – The depth is the number of steps where assertions are assumed to be valid
• Be aware, the time required for the proof typically increases exponentially with the depth

When building a full proof (i.e. with induction), what depth should you start with?
Answer #73
445 / 462
I recommend the following rules for setting the depth

• Start with the length of the longest operation the design must accomplish before returning to idle – if possible
  – Otherwise shorten to what you have the patience for
• Start with the bounded check. Once it passes, add induction
• Once induction succeeds,
  – Reduce the depth to the number of steps the induction check took to succeed

Remember, a trace generated from a bounded check is easier to debug
Quiz #74
446 / 462
Can you see anything wrong with the following assertion?

    assert property (@(posedge i_clk)
        A ##1 B ##1 C
    );
Answer #74
447 / 462
Can you see anything wrong with the following assertion?

    assert property (@(posedge i_clk)
        A ##1 B ##1 C
    );

Yes. Assertions need triggers. Without a trigger, this assertion requires that A be true on every cycle, and that B and C follow. Chances are what you meant to assert was something closer to,

    assert property (@(posedge i_clk)
        A |=> B ##1 C
    );

This says that if A is ever true, then B and then C must follow, not that A must be true on every cycle.
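The difference between the two properties can be made concrete by evaluating both over the same trace. The following is an added Python evaluator (example code, not SystemVerilog semantics from the deck) for properties of the shape s0 ##1 s1 ##1 s2 ..., run either as a bare sequence asserted at every cycle or as s0 |=> s1 ##1 s2 .... The six-cycle trace is constructed for the example and is not from the slides; obligations that run past the end of the trace are left undecided, as a bounded check would leave them.

```python
# Constructed trace, one dict per clock: only cycle 1 starts a correct A, B, C
# sequence; cycle 4 starts one that breaks (B is low the cycle after A).
EXAMPLE_TRACE = [dict(A=a, B=b, C=c) for a, b, c in
                 [(0, 0, 0), (1, 0, 0), (0, 1, 0), (0, 0, 1), (1, 0, 0), (0, 0, 0)]]


def sequence_failures(trace, signals, implication):
    """Evaluate `s0 ##1 s1 ##1 s2 ...` over a trace.

    implication=False: the bare sequence is asserted at *every* cycle, so a cycle
                       where s0 is low already fails (Quiz #74).
    implication=True:  `s0 |=> s1 ##1 s2 ...`; only cycles where s0 holds create
                       an obligation (Answer #74).
    Returns the start cycles of every obligation that can be judged inside the
    trace and fails; obligations that run off the end are left undecided."""
    fails = []
    for t in range(len(trace)):
        first = bool(trace[t][signals[0]])
        if not first:
            if not implication:
                fails.append(t)       # bare sequence: s0 itself had to hold here
            continue
        for k, name in enumerate(signals[1:], start=1):
            if t + k >= len(trace):
                break                 # undecided: the trace ends first
            if not trace[t + k][name]:
                fails.append(t)
                break
    return fails


if __name__ == "__main__":
    print("A ##1 B ##1 C fails at cycles:",
          sequence_failures(EXAMPLE_TRACE, ("A", "B", "C"), implication=False))
    print("A |=> B ##1 C fails at cycles:",
          sequence_failures(EXAMPLE_TRACE, ("A", "B", "C"), implication=True))
```

On this trace the bare sequence fails at every cycle where A is low, burying the one real violation; the implication form reports only cycle 4, where A was followed by a low B.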
Quiz #75
448 / 462
Will the following assertion pass a formal verification check?

    input wire A;

    initial assume(A);
    assume property (@(posedge CLK) A);

    always @(*)
        assert(A);
Answer #75
449 / 462
No, it will not. You’ll get something similar to the following trace:

[Waveform: CLK, A]

It’s as though the assumption never took effect! What went wrong? Clocked properties require a clock edge before taking effect.
Answer #75b
450 / 462
The assertion is equivalent to the following:
reg p_assumption = 1, f_initial = 1;
always @(posedge CLK) begin
	f_initial <= 0;
	// Register the clocked assumption
	p_assumption <= A;
end
always @(*) begin
	if (f_initial) assume(A);
	assume(p_assumption);
	assert(A);
end
As you can see, p_assumption only gets checked after the clock edge.
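As an added example (not from the slides), the following module pairs the quiz's clocked assumption with a check sampled on the same edge, and shows what a clocked assumption does let you prove. CLK and A are the quiz's names; the module, a_q and f_past_valid are assumed.

```systemverilog
// Added example, not from the slides.  CLK and A are the quiz's names;
// the module name, a_q and f_past_valid are assumed.
module clocked_assume_fix(input wire CLK, input wire A);
	reg f_past_valid = 1'b0;
	always @(posedge CLK)
		f_past_valid <= 1'b1;

	// The quiz's mismatch, for reference.  The assumption is registered
	// at the edge while the assertion is checked in every step, so the
	// step right after an edge may have A low:
	//   assume property (@(posedge CLK) A);
	//   always @(*) assert(A);

	// Fix 1: sample both sides at the same clock edge.
	assume property (@(posedge CLK) A);
	assert property (@(posedge CLK) A);

	// Fix 2: if A really must hold in every step, the assumption has to
	// be combinational too (use this pair instead of the one above):
	//   always @(*) assume(A);
	//   always @(*) assert(A);

	// What the clocked assumption does give you: any registered view of
	// A is fully determined once the first edge has passed.
	reg a_q = 1'b1;
	always @(posedge CLK)
		a_q <= A;

	always @(posedge CLK)
	if (f_past_valid)
	begin
		assert(a_q);        // what was latched at the previous edge
		assert($past(A));   // the same fact, via $past()
	end
endmodule
```

The rule of thumb: an assumption and the assertion relying on it must be sampled the same way, either both at a clock edge or both combinationally.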
Quiz #76
451 / 462
How do you know if your design has enough assertions?
Answer #76
452 / 462
How do you know if your design has enough assertions? Here are some tests you can use:
• Is every assumption made by a module depending on your design covered by an assertion? I like using shared interface property files for this, to make certain that assumptions don’t get lost.
• Is every output pinned down? Could you tell, for example via an assertion failure, if an output had the wrong value?
• Does the design pass induction?
You can also use mcy (mutation coverage with yosys) to find things that aren’t covered by any assertions.
Quiz #77
453 / 462
The following example was inspired by some endianness adjustment logic. Will the following assertion pass?
input wire [31:0] in;
input wire [2:0] shift;
output reg [31:0] out;
always @(*)
	out = in >> 4*(~shift);
assert property (@(posedge clk)
	in == 32’hfeedbead && shift == 3’h7
	|-> out == 32’hfeedbead);
Answer #77
454 / 462
No, it will not pass.
• When evaluating logic with multiple widths, the synthesis tool is supposed to first expand every term to the maximum width used
• shift[2:0] thus gets expanded to 32’h7
• ~shift[2:0] becomes 32’hffff_fff8
• 32’d4 * 32’hffff_fff8 is then 32’hffff_ff80, and
• 32’hfeedbead >> 32’hffff_ff80 is zero, not 32’hfeedbead
Note: I didn’t get this right the first time either.
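As an added example (not from the slides), here is the same logic with the width problem removed, plus an assertion stating the intended meaning for every value of shift rather than only the one the quiz picked. Signal names are the quiz's; the module name is assumed.

```systemverilog
// Added example, not from the slides.  Signal names follow the quiz;
// the module name is assumed.
module endian_shift_fix(input wire clk,
		input wire [31:0] in, input wire [2:0] shift,
		output reg [31:0] out);
	// Original: shift is widened to 32 bits *before* the complement,
	// so for shift == 3'h7 the shift amount is 4 * 32'hffff_fff8, not
	// 4 * 3'h0, and the result is zero.
	//   always @(*) out = in >> 4*(~shift);

	// Fixed: operands of a concatenation are self-determined, so ~shift
	// stays three bits wide; two appended zero bits multiply by four.
	always @(*)
		out = in >> { ~shift, 2'b00 };

	// Alternative with the same effect: subtract instead of
	// complementing, so widening cannot change the value.
	//   always @(*) out = in >> (4 * (3'd7 - shift));

	// The quiz's assertion now passes ...
	assert property (@(posedge clk)
		in == 32'hfeedbead && shift == 3'h7
		|-> out == 32'hfeedbead);

	// ... and so does the general statement of what was intended: a
	// shift by (7 - shift) nibbles, for every value of shift.
	assert property (@(posedge clk)
		out == (in >> (4 * (3'd7 - shift))));
endmodule
```

The second assertion is the one worth keeping: it pins the output down for all eight shift values, so a width surprise anywhere in the expression shows up as a counterexample instead of passing on the untested cases.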
Quiz #78
455 / 462
The following student cover() statement was intended to generate a trace showing a FIFO go from empty to full and back again.
cover property (@(posedge i_clk)
	o_empty ##1 1[*0:$]
	##1 o_full ##1 1[*0:$]
	##1 o_empty);
Much to the student’s surprise, the resulting trace wasn’t at all what he was expecting. Judging from the cover() statement above, what do you think went wrong?
Answer #78
456 / 462
The student forgot to keep the reset low (inactive)
• The solver jumped from full to empty on a reset
• This short-circuited his desired cover proof
(trace: i_clk, i_reset, i_wr, o_full, i_rd, o_empty; o_fill counts 0 1 2 3 4 5 6 7 and then drops to 0)
Answer #78b
457 / 462
Disabling the cover() statement on a reset solves this problem
cover property (@(posedge i_clk)
	disable iff (i_reset)
	o_empty ##1 1[*0:$]
	##1 o_full ##1 1[*0:$]
	##1 o_empty);
Since the student also wanted to see some non-zero data passing through the FIFO, we made the disable iff statement a touch more complex.
cover property (@(posedge i_clk)
	disable iff (i_reset || i_data != wr_addr)
	o_empty ##1 1[*0:$]
	##1 o_full ##1 1[*0:$]
	##1 o_empty);
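As an added example (not from the slides), the same cover written in the immediate-assertion subset: a small tracker follows the FIFO from empty to full and back, and any reset throws it back to the start, which is exactly what disable iff does for the sequence form. Signal names follow the quiz; the module and the f_seq register are assumed.

```systemverilog
// Added example, not from the slides.  i_clk, i_reset, o_empty and
// o_full are the quiz's names; the module and f_seq are assumed.
module fifo_cover_tracker(input wire i_clk, i_reset,
		input wire o_empty, o_full);
	// 0: waiting for empty    1: saw empty, waiting for full
	// 2: saw full, waiting for empty again    3: sequence complete
	reg [1:0] f_seq = 2'd0;

	always @(posedge i_clk)
	if (i_reset)
		f_seq <= 2'd0;      // any reset restarts the whole search
	else case (f_seq)
	2'd0: if (o_empty) f_seq <= 2'd1;
	2'd1: if (o_full)  f_seq <= 2'd2;
	2'd2: if (o_empty) f_seq <= 2'd3;
	default: f_seq <= f_seq;
	endcase

	// Reaching state 3 means the FIFO went empty -> full -> empty with
	// no reset in between, so the solver cannot take the shortcut the
	// student saw.  Extra requirements (such as the non-zero data
	// condition on the slide) belong in the reset branch above, so
	// that violating them also sends the tracker back to state 0.
	always @(posedge i_clk)
	if (!i_reset)
		cover(f_seq == 2'd3);
endmodule
```

The tracker form has one practical advantage over disable iff: when the cover fails to hit, the value of f_seq in the partial trace tells you how far the solver got.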
Quiz #79
458 / 462
Your UART appears to be running at the wrong baud rate in hardware. Tracing this problem down further, it appears as though your clock may be running at the wrong frequency. What’s an easy way to verify the frequency your clock is running at?
Answer #79
459 / 462
Here’s my personal favorite approach to verifying a clock’s rate:
reg [31:0] counter;
always @(posedge i_clk)
	// 43 == 2^32 / 100 MHz
	counter <= counter + 32’d43;
always @(*)
	o_led = counter[31];
A 100 MHz system clock will now cause this LED to blink at 1 Hz.
Answer #79b
460 / 462
For those in an engineering lab, there’s also the obvious
• Forward the clock to a pin, and examine it with an external oscilloscope
Other approaches to this problem deserve an honorable mention, if for no other reason than for their creativity:
• Output a square wave to a piezo speaker and compare it to a tuning fork
• Cause a pin to transmit on the AM band (1 MHz or so), and look for its signal using a nearby radio receiver
• Use a known frequency to count edges from the unknown clock
• Transmit a perpetual 0x55 over UART, and look for the resulting square wave with an oscilloscope
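As an added example (not from the slides), one module covering two of the approaches above: the blinking-LED phase accumulator from Answer #79, made parametric in the clock rate, and the "count edges against a known frequency" approach from the honorable mentions. It assumes a trusted reference clock i_ref_clk of REF_HZ and a clock under test i_dut_clk; all names here are assumed.

```systemverilog
// Added example, not from the slides.  Assumes a trusted reference
// clock i_ref_clk running at REF_HZ and a clock under test i_dut_clk;
// every name in this module is assumed.
module clock_rate_check #(
	parameter [31:0] REF_HZ = 32'd100_000_000   // assumed reference rate
) (
	input wire        i_ref_clk,
	input wire        i_dut_clk,       // the clock whose rate is in question
	output reg        o_led,
	output reg [31:0] o_dut_hz,        // edges of i_dut_clk seen in the last second
	output reg        o_dut_hz_valid   // high once the first second has elapsed
);
	// Part one: the slide's phase accumulator, made parametric.  Adding
	// INC on every edge wraps the 32-bit counter about once per second,
	// so bit 31 is a 1 Hz square wave.  Rounding to nearest gives
	// INC == 43 for 100 MHz, as on the slide.
	localparam [31:0] INC = (64'h1_0000_0000 + REF_HZ/2) / REF_HZ;

	reg [31:0] phase = 32'd0;
	always @(posedge i_ref_clk)
		phase <= phase + INC;
	always @(*)
		o_led = phase[31];

	// Part two: count edges of the unknown clock against the known one.
	// The clock under test never enters the reference domain as a clock;
	// it toggles a flop, and the reference domain counts the toggles.
	reg dut_toggle = 1'b0;
	always @(posedge i_dut_clk)
		dut_toggle <= !dut_toggle;

	reg [2:0] sync = 3'b000;   // two synchronizer stages plus one for edge detection
	always @(posedge i_ref_clk)
		sync <= { sync[1:0], dut_toggle };
	wire dut_edge = sync[2] ^ sync[1];   // one pulse per observed toggle

	reg [31:0] ref_count = 32'd0, dut_count = 32'd0;
	initial o_dut_hz       = 32'd0;
	initial o_dut_hz_valid = 1'b0;

	always @(posedge i_ref_clk)
	if (ref_count == REF_HZ - 1)
	begin
		// One second of the reference clock has passed: publish the count
		ref_count      <= 32'd0;
		o_dut_hz       <= dut_count + (dut_edge ? 32'd1 : 32'd0);
		o_dut_hz_valid <= 1'b1;
		dut_count      <= 32'd0;
	end else begin
		ref_count <= ref_count + 32'd1;
		if (dut_edge)
			dut_count <= dut_count + 32'd1;
	end
endmodule
```

The toggle-and-count half only reads correctly when the clock under test is slower than the reference by a comfortable margin, since every toggle must be sampled at least once by the reference domain; if the unknown clock is the faster one, swap the roles. The LED half has no such limit, which is part of why it is the favourite.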
Quiz #80
461 / 462
Consider the following trace initiating an AXI write burst.
S_AXI_ACLK
S_AXI_ARESETN
S_AXI_AWVALID
S_AXI_AWADDR ’b..01
S_AXI_AWLEN 1
S_AXI_AWSIZE 3’h1
S_AXI_WVALID
S_AXI_WSTRB[3:0] 4’b0110
S_AXI_WLAST
Assume that C_AXI_DATA_WIDTH == 32 and C_AXI_ADDR_WIDTH > 2. Is the first beat of this burst legal?
Answer #80
462 / 462
No. The WSTRB value in the write beat is not legal. The burst exists to help illustrate this.
• It’s two beats long
• Each beat is 16 bits, or two bytes
• The second address is aligned on a 16-bit boundary
(byte-lane diagram: bit positions 0, 8, 16, 24 and 31 across the top; lanes 3 2 1 0 for each of the two beats)
• This means that WSTRB[2] belongs to the second beat, not the first.
While the problem would exist without the burst, the burst details help to illuminate the problem.
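As an added example (not from the slides), here is a bus-property check that would have flagged this beat: it computes, from AWADDR and AWSIZE, the byte lanes each beat of an INCR burst is allowed to strobe, and asserts that WSTRB never touches any other lane. Port names follow the quiz's trace; the module name, the lane_mask function and the f_* tracking registers are assumed, as is the ordering that the AW handshake completes before the burst's first W beat.

```systemverilog
// Added example, not from the slides.  Port names follow the quiz's
// trace; the module, lane_mask and the f_* registers are assumed.
module axi_wstrb_check #(
	parameter C_AXI_DATA_WIDTH = 32,
	parameter C_AXI_ADDR_WIDTH = 12
) (
	input wire S_AXI_ACLK, S_AXI_ARESETN,
	input wire S_AXI_AWVALID, S_AXI_AWREADY,
	input wire [C_AXI_ADDR_WIDTH-1:0] S_AXI_AWADDR,
	input wire [2:0] S_AXI_AWSIZE,
	input wire S_AXI_WVALID, S_AXI_WREADY,
	input wire [C_AXI_DATA_WIDTH/8-1:0] S_AXI_WSTRB,
	input wire S_AXI_WLAST
);
	localparam LANES = C_AXI_DATA_WIDTH/8;  // 4 byte lanes on a 32-bit bus
	localparam LB    = $clog2(LANES);       // address bits that select a lane

	// Strobe mask of the lanes one beat may write.  lo is the beat's
	// (possibly unaligned) start lane; hi is the last lane of the
	// size-aligned block that contains it.
	function [LANES-1:0] lane_mask(
			input [C_AXI_ADDR_WIDTH-1:0] addr, input [2:0] size);
		integer lo, hi, i;
		begin
			lo = addr[LB-1:0];
			hi = (lo & ~((1 << size) - 1)) + (1 << size) - 1;
			for (i = 0; i < LANES; i = i + 1)
				lane_mask[i] = (i >= lo) && (i <= hi);
		end
	endfunction

	// Address and size of the beat the W channel should be carrying.
	// Assumed: AW is accepted before the burst's first W beat (INCR).
	reg                        f_busy = 1'b0;
	reg [C_AXI_ADDR_WIDTH-1:0] f_addr = 0;
	reg [2:0]                  f_size = 3'd0;

	always @(posedge S_AXI_ACLK)
	if (!S_AXI_ARESETN)
		f_busy <= 1'b0;
	else if (S_AXI_AWVALID && S_AXI_AWREADY)
	begin
		f_busy <= 1'b1;
		f_addr <= S_AXI_AWADDR;
		f_size <= S_AXI_AWSIZE;
	end else if (f_busy && S_AXI_WVALID && S_AXI_WREADY)
	begin
		if (S_AXI_WLAST)
			f_busy <= 1'b0;
		// Every beat after the first starts on a size-aligned address
		f_addr <= (f_addr & ~((1 << f_size) - 1)) + (1 << f_size);
	end

	always @(posedge S_AXI_ACLK)
	if (S_AXI_ARESETN)
	begin
		// A beat may never be wider than the data bus
		if (S_AXI_AWVALID)
			assert(S_AXI_AWSIZE <= LB);
		// Only lanes that belong to the current beat may be strobed
		if (f_busy && S_AXI_WVALID)
			assert((S_AXI_WSTRB & ~lane_mask(f_addr, f_size)) == 0);
	end
endmodule
```

Walking the quiz's values through lane_mask: the first beat starts at lane 1 with a two-byte size, so its block is lanes 0..1 and the mask is 4'b0010; WSTRB 4'b0110 has lane 2 set and the second assertion fails. The next beat address is the aligned one plus two, lanes 2..3, mask 4'b1100, which is where that strobe bit belongs.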