introduction to cindy eisner formal methods group ibm haifa research laboratory february 2001...
TRANSCRIPT
![Page 1: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/1.jpg)
Introduction to
Cindy Eisner
Formal Methods Group
IBM Haifa Research Laboratory
February 2001
Copyright 2001 IBM Haifa Research Laboratory
![Page 2: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/2.jpg)
Introduction to RuleBase 2
Overview - day 1
• What is functional formal verification?
• Model checking
• Sugar (basics)
• EDL (basics)
• Exercise: a simple arbiter
![Page 3: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/3.jpg)
Day 1
![Page 4: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/4.jpg)
Introduction to RuleBase 4
What is verification?
Verification is making sure that:
• what you designed is what you specified
functional verification• what you sent to manufacturing is what you
designed
equivalence checking• what was manufactured is what you sent to
manufacturing
production testing
specification
VHDL/Verilog
transistors
silicon
![Page 5: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/5.jpg)
Introduction to RuleBase 5
Formal verification
• Prove mathematically that a design obeys its specification
• Contrast to simulation:
Formal verification Simulation
all legal input sequences (large) set of particular cases
correctness expressed as correctness usually expressed perset of general properties run (expected results)
• Methods: theorem proving, model checking
![Page 6: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/6.jpg)
Introduction to RuleBase 6
Model checking
• A method for formal functional verification• Any piece of sequential random logic is a
(very large) state machine, so:• View design as a finite state machine • Traverse the state machine to determine the
truth or falsity of a specification• Provide a trace showing a counter-example (if
false)
![Page 7: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/7.jpg)
Introduction to RuleBase 7
Model checking (continued)
“if a request is received, it will be processed within 3 clocks”
• first, we need a language in which to express properties
![Page 8: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/8.jpg)
Introduction to RuleBase 8
Sugar - introduction
• Extension of the branching time temporal logic CTL• Unwind state graph to obtain infinite computation tree
• Reason about (infinite) paths in the computation tree
FSM Infinite Computation Tree
![Page 9: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/9.jpg)
Introduction to RuleBase 9
CTL
• Path quantifiers
A - for all paths E - there exists a path• Tense Operators
Xp - p holds at the next cycle Fp - p holds sometime in the future Gp - p holds globally from the present time p U q - p holds until q holds• Temporal Operators AX, AF, AG, AU, EX, EF, EG, EU
![Page 10: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/10.jpg)
Introduction to RuleBase 10
AX p
![Page 11: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/11.jpg)
Introduction to RuleBase 11
AF p
![Page 12: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/12.jpg)
Introduction to RuleBase 12
AG p (exercise)
Complete the figure below
![Page 13: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/13.jpg)
Introduction to RuleBase 13
A[p U q] (exercise)
Complete the figure below (use different colors for p and q)
![Page 14: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/14.jpg)
Introduction to RuleBase 14
EX p (exercise)
Complete the figure below
![Page 15: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/15.jpg)
Introduction to RuleBase 15
EF p (exercise)
Complete the figure below
![Page 16: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/16.jpg)
Introduction to RuleBase 16
EG p
![Page 17: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/17.jpg)
Introduction to RuleBase 17
E[p U q] (exercise)
Complete the figure below (use different colors for p and q)
![Page 18: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/18.jpg)
Introduction to RuleBase 18
AG AF p
![Page 19: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/19.jpg)
Introduction to RuleBase 19
Boolean operators
• & - and
• | - or
• ! - not
• -> - implies
![Page 20: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/20.jpg)
Introduction to RuleBase 20
CTL (exercise)
• Express in CTL:
“if a request is received, it will be processed within 3 clocks”
_______________________________
![Page 21: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/21.jpg)
Introduction to RuleBase 21
CTL (more exercises)
• “read_en and write_en are mutually exclusive” _________________________________________• “two consecutive grants are not allowed” _________________________________________• “every request will eventually receive a grant” _________________________________________• “whenever a request is issued, signal request will
stay asserted until a grant is received” _________________________________________
![Page 22: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/22.jpg)
Introduction to RuleBase 22
Sugar - syntactic sugaring of CTL
• AW, EW
• AX[i]
• ABG[i..j], ABF[i..j]
• f until! g, f until g
• f before! g, f before g
• next_event!(b)(f), next_event(b)(f), next_event!(b)[i](f), next_event(b)[i](f)
![Page 23: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/23.jpg)
Introduction to RuleBase 23
Sugar - additional boolean operators
• ^, xor, != - logical xor (not equals)
• <->, = - logical xnor (equals)
![Page 24: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/24.jpg)
Introduction to RuleBase 24
Sugar (exercises)• “if a request is received, it will be processed within 3
clocks” __________________________________________
• “if a request is received, it will be processed on the 3rd clock”
__________________________________________
• “between two requests, there must be an ack” __________________________________________• “whenever read is asserted, read_en must be asserted” __________________________________________
![Page 25: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/25.jpg)
Introduction to RuleBase 25
Sugar (more exercises)
• “done is a pulsed signal (i.e., it is never asserted for two consecutive cycles)”
__________________________________________
• “if there is an error indication, it will remain active forever”
__________________________________________
• “if grant is asserted, and there is no retry the next cycle, busy must be asserted two cycles after the grant”
__________________________________________
![Page 26: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/26.jpg)
Introduction to RuleBase 26
Vacuity
AG (req -> AX (ack -> AF grant))
• when is this formula meaningless?
• solution: vacuity check
• if formula is false: counter-example
• if formula is true: witness
• if formula is vacuous: vacuous pass
![Page 27: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/27.jpg)
Introduction to RuleBase 27
Environment
![Page 28: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/28.jpg)
Introduction to RuleBase 28
EDL - overview
var req: boolean;assign init(req) := 0;assign next(req) :=
if busy then 0 else {0,1} endif;
var cmd: {READ, WRITE, NOP};define read_req := req & cmd=READ;
![Page 29: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/29.jpg)
Introduction to RuleBase 29
EDL - constants and variables
• Numeric constants: – decimal (1276), binary (1011B), hex (7FFFH)
• Enumerated constants:– var state: {idle, st1, st2, st3, waiting};
• Variable reference:– name -- simple variable/signal– name(i) -- one bit of array– name(i..j) -- a range of bits
![Page 30: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/30.jpg)
Introduction to RuleBase 30
EDL - expressions• Boolean connectives:
& | ! ^
• Relational operators: = != < <= > >=
![Page 31: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/31.jpg)
Introduction to RuleBase 31
EDL - expressions (continued)• Arithmetic:
+ - * / mod
• Non-deterministic choice: {read, write, nop} i..j - equivalent to {i, i+1, …, j}
![Page 32: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/32.jpg)
Introduction to RuleBase 32
EDL - variable declarations
var name1, name2, name3 : type;
• type is one of: boolean {enum1, enum2, …, enumN} i .. j
• examples: var read, write : boolean; var state : {idle, read, write, hold} var counter {1,2,3,4,5} var length 4..10
![Page 33: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/33.jpg)
Introduction to RuleBase 33
EDL - the assign statement
assign init(sig1) := expression;
assign next(sig1) := expression;
assign sig2 := expression;
• init/next - memory element• assign “simple” - combinational element• init omitted for a memory element: begins unspecified
(any legal value)• next omitted for a memory element: can change to
any legal value at any moment
![Page 34: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/34.jpg)
Introduction to RuleBase 34
EDL - if expression
Syntax:
sig := if condition then expr else expr endif;
Example:
assign a := if reset then 0 else b endif;
![Page 35: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/35.jpg)
Introduction to RuleBase 35
EDL - case expressionSyntax:
sig := case
condition1 : expr1 ;
condition2 : expr2 ;
...
else : exprN+1 ;
esac
else is not mandatory, but if you "fall" into esac the value is undefined
![Page 36: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/36.jpg)
Introduction to RuleBase 36
EDL - additional operators
• expr in {e1, e2, ... , eN} equivalent to expr=e1 | expr=e2 | ... | expr=eN
• fell(expr) expr was 1 and became 0• rose(expr) expr was 0 and became 1• prev(expr) value of expr in the last cycle
![Page 37: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/37.jpg)
Introduction to RuleBase 37
EDL - define statementSyntax:
define sig1 := expression1;
sig2 := expression2;
... • define’d signals are combinational signals• don't use define with non-deterministic expressions
(unless you know what you are doing.......)
Examples:
define selected_c := select & c1 | !selected & c2;
define cc := 3;
![Page 38: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/38.jpg)
Introduction to RuleBase 38
EDL - exercises
• sticky_bit: if rises, it stays active forever. __________________________________________
• req: may rise at any cycle. when rises, it must remain active until (including) the cycle in which gnt is active.
__________________________________________ • reset: active for 6 cycles. Then inactive forever. __________________________________________
• data: an integer of range 0 to 7, stable while data_ready (a boolean signal) is active, and have non-deterministic value elsewhere.
__________________________________________
![Page 39: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/39.jpg)
Introduction to RuleBase 39
EDL - more exercises
• model control of a cyclic fifo of depth 16• inputs:
– put - data is read in – get - data is written out
• outputs: full and empty• put and get can come together• put/get cannot come when the fifo is full/empty ___________________________________________________
_________________________________________________________________________________________________________________________________________________________
![Page 40: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/40.jpg)
Introduction to RuleBase 40
EDL - arrays
• declaration: var name ( index1 .. index2 ) : type ;• actually declares name(index1), ..., name(index2) • index1 can be either greater or less than index2• examples: var addr(0..7) : boolean; counter(4..5) : 0..3; status(0..3) : {empty, notempty, full };
![Page 41: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/41.jpg)
Introduction to RuleBase 41
EDL - array operations
• :=• = !=• & | ^ ! -> <-> -- boolean arrays only• > >= < <= -- boolean arrays
only• + - * -- boolean arrays only (beware of *)• >> << -- boolean arrays only
rhs is constant or integer
![Page 42: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/42.jpg)
Introduction to RuleBase 42
EDL - more array operations
• ++ -- concatenate bits or sub-vectors• zeroes(n) -- 0++0++ ... ++0 n times• ones(n) -- 1++1++ ... ++1 n times• nondets(n) -- {0,1}++ ... ++{0,1} n times• rep(expr,n) -- expr++ ... ++ expr n times• itobv(i) -- convert integer expr to bit vector• bvtoi(vec(i..j)) -- convert bit vector to integer expr
• no need for itobv with numeric constants
![Page 43: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/43.jpg)
Introduction to RuleBase 43
EDL - array examples• var a(0..2), b(0..8), c(7..0) : boolean;• define f(0..2) := b(2..0) & c(5..7); • assign next( a(0..2) ) := case reset : 0; a(0..2) > b(0..2) : c(1..3); a(0..1) = 10B : d(0..2); else : a(0..2); esac;• var counter(0..7) : boolean; assign init ( counter(0..7) ) := 0; next( counter(0..7) ) := counter(0..7) + 1;
![Page 44: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/44.jpg)
Introduction to RuleBase 44
EDL - more array examples
assign
co++sum(0..15) := 0++op1(0..15) + 0++op2(0..15);
prod(0..7) := zeroes(4)++op1(0..3) * zeroes(4)++op2(0..3);
var cmd(0..4): boolean;
assign cmd(0..4) := {5, 7, 13};
var cmd(0..4): {5, 7, 13}; -- totally different
![Page 45: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/45.jpg)
Introduction to RuleBase 45
EDL- array exercise
• cmd_lt(0..2) should be equal to the value of cmd(0..2) the previous cycle
________________________________________________________________________________________________
![Page 46: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/46.jpg)
Introduction to RuleBase 46
EDL - another array exercise
• cmd(0..2) can be one of read(101), write(010), sync(011), or idle(000). The command must be stable until (including) gnt is asserted. The cycle after gnt, cmd must be 0. gnt is a pulse.
________________________________________________________________________________________________
![Page 47: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/47.jpg)
Introduction to RuleBase 47
EDL - %for %for i in 0..3 do
define aa(i) := i > 2;
define bb%{ii} := i > 2;
%end
is equivalent to:
define aa(0) := 0>2; define bb0 := 0>2;
define aa(1) := 1>2; define bb1 := 1>2;
define aa(2) := 2>2; define bb2 := 2>2;
define aa(3) := 3>2; define bb3 := 3>2;
![Page 48: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/48.jpg)
Introduction to RuleBase 48
EDL - %for example
define parity :=
%for i in 0..15 do
data(i) ^
%end
0;
![Page 49: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/49.jpg)
Introduction to RuleBase 49
EDL - clocks
• In a one clock design, declare the clock to be a constant 1:
define clk := 1;
• For multiple synchronous clocks, declare the fastest clock to be a constant 1, others to be a function of it
![Page 50: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/50.jpg)
Introduction to RuleBase 50
EDL -resets• Designs with reset signal: var reset_counter : 0..4; assign init(reset_counter) := 0; next(reset_counter) := if reset_counter=4 then 4 else reset_counter+1
endif; define RESET := reset_counter != 4;
• Designs with initial values don't need reset
![Page 51: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/51.jpg)
Introduction to RuleBase 51
EDL - exercises
• from the time data_en is asserted until one cycle after it, data should be stable, elsewhere it can change.
________________________________________________________________________________________________________________________________________________________________
![Page 52: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/52.jpg)
Introduction to RuleBase 52
EDL - more exercises
• config_reg: a 3-bit array variable that chooses a value from 0 through 5 and remains with it forever.
________________________________________________________________
• sticky_bit: may rise randomly and stay active forever.
________________________________
![Page 53: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/53.jpg)
Introduction to RuleBase 53
RuleBase exercise 1
• Copy directory exercise1 from $RBEXERCISES/exercise1
• See file README
![Page 54: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/54.jpg)
Day 2
![Page 55: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/55.jpg)
Introduction to RuleBase 55
Overview - day 2
• More Sugar• Fairness• More EDL• Size problems (basics)• Managing multiple environments• RuleBase options• Design for formal verification• Exercise - a simple buffer
![Page 56: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/56.jpg)
Introduction to RuleBase 56
Sugar - safety vs. liveness
• Safety: nothing bad ever happens AG, AX, AW, ABG, ABF, until, before,
next_event• Liveness: something good eventually happens
AF, AU, until!, before!, next_event!• Safety is easier to verify than liveness• Safety on-the-fly, liveness on-the-fly
![Page 57: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/57.jpg)
Introduction to RuleBase 57
Sugar - sequences
{e0,e1,e2,...}(f) • f must hold on the last cycle of all computations that
agree with the sequence e0 at cycle 0, e1 at cycle 1, e2 at cycle 2, etc.
Example: ”every req on cycle X that gets a gnt at cycle X+1 and doesn't get retried at cycle X+2, should cause busy to be active at cycle X+2"
• AG {req,gnt,!retry}(busy)
![Page 58: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/58.jpg)
Introduction to RuleBase 58
Sugar - sequence operators
• e1,e2 e1, then e2 (e2 starts the cycle after e1 completes)
• e1~e2 e1, then e2 (e2 starts the same cycle that e1 completes)
• e1||e2 either e1 occurs, or e2 occurs• e1&&e2 both e1 and e2 occur• e1[*] e1 occurs 0 or more times• e1[+] e1 occurs 1 or more times
![Page 59: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/59.jpg)
Introduction to RuleBase 59
Sugar - more sequence operators
• e1[i] e1 occurs i times• e1[i..j] e1 occurs at least i but not more than j times• e1[i..] e1 occurs i or more times• e1[..j] e1 occurs no more than j times• [*],[+], etc. abbreviate true[*], true[+], etc.• b[=j] a sequence in which b occurs i times• b[>j], b[>=j], b[<j], b[<=j], b[>j,<k], b[>=j, <k], etc.
![Page 60: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/60.jpg)
Introduction to RuleBase 60
Sugar - sequence examples
• “an urgent request must be served within the next five (not necessarily consecutive) scrolls
AG {urgent_req,{scroll[>5] && serve_urgent[=0]}}(false)
• “if there is a request and one cycle after there is either read and no cancel_read until done, or write and no cancel_write until done, then ok is asserted with done”
AG {request,{read,!cancel_read[*],done}|| {write,!cancel_write[*],done}}(ok)
![Page 61: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/61.jpg)
Introduction to RuleBase 61
Sugar - more sequences
{p, q} -> {s[*], t}!
{p, q} -> {s[*], t}
• A sequence matching the left-hand side must be followed by a sequence matching the right-hand side
• The strong version (!) must reach its end (in example above, t must eventually occur)
• The weak version is not required to reach its end (in example above, s may hold forever)
![Page 62: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/62.jpg)
Introduction to RuleBase 62
Sugar - sequence exercises
• “Whenever a read request is followed on the next cycle by an ack, then eventually we expect to see a grant followed by a read data cycle
__________________________________________
• “Whenever signal get is asserted and tag has the value 1, then the next time that signal get is asserted, tag will have the value 2. However, it is not required that there be such a next time.”
__________________________________________
![Page 63: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/63.jpg)
Introduction to RuleBase 63
Sugar - more exercises
• “whenever a high priority request is received, then one of the next two grants must be to a high priority requestor”
____________________________________________________________________________________
• “every transaction must complete, and within every transaction, a full data transfer must occur”
____________________________________________________________________________________
![Page 64: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/64.jpg)
Introduction to RuleBase 64
Sugar - more exercises
• “a sequence beginning with the assertion of signal start, and containing eight not necessarily consecutive assertions of signal get, during which kill is not asserted, must be followed by a sequence containing eight assertions of signal put before signal end can be asserted”
______________________________________________________________________________________________________________________________
![Page 65: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/65.jpg)
Introduction to RuleBase 65
Fairness
Design underverification
req
ack
start
done
idle busy
gendone
!startstart
done
start
problem - the env model can stay in state busy forever
![Page 66: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/66.jpg)
Introduction to RuleBase 66
Fairness (continued)
• fairness is used to filter out paths from the environment
• Syntax:
fairness expr;
• requires that expr occur an infinite number of times
![Page 67: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/67.jpg)
Introduction to RuleBase 67
Fairness (continued)
idle busy
gendone
!startstart
done
start
• Be careful with fairness! What is wrong with the following?
• fairness state=gen_done;
![Page 68: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/68.jpg)
Introduction to RuleBase 68
Fairness (continued)
idle busy
gendone
!startstart
done
start
• What is the correct fairness constraint? ____________________________________
![Page 69: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/69.jpg)
Introduction to RuleBase 69
EDL - modules
module proc(gnt)(req, cmd) {
var req: boolean;
var cmd: {read, write, nop};
assign init(req) := 0;
assign next(req) := if gnt then {0,1} else 0 endif;
}
instance proc1: proc(gnt1)(req1, cmd1);
instance proc2: proc(gnt2)(req2, cmd2);
![Page 70: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/70.jpg)
Introduction to RuleBase 70
EDL - processes
process { var a: boolean; a := 0; if (b | c) a := 1;
}
![Page 71: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/71.jpg)
Introduction to RuleBase 71
EDL - assign vs. define
• assign requires a state variable
• define is “for free”
![Page 72: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/72.jpg)
Introduction to RuleBase 72
EDL - invariants
• Syntax:
invar expr;
• restricts the analysis to states in which expr holds
• can be used to model the environment or to (over) restrict the design
![Page 73: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/73.jpg)
Introduction to RuleBase 73
EDL - invariant example
• Suppose the environment must supply a read request, or a write request, but never both:
var read_req, write_req: boolean; assign write_req := if read_req then 0 else {0,1} endif;
• a simpler way using invariants:
var read_req, write_req: boolean; invar !(read_req & write_req);
![Page 74: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/74.jpg)
Introduction to RuleBase 74
Size problems - strategies
• (over) restrict the environment: define pipeline_enable := 0;• design overrides: var override internal_sig1: boolean; define override internal_sig2 := 0; var override internal_sig3: boolean; assign init(internal_sig3) := …; assign next(internal_sig3) := …;
![Page 75: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/75.jpg)
Introduction to RuleBase 75
Size problems - strategies (continued)
• Safety on-the-fly
• BDD reordering– enabling– configuring– toggling– bdd order pool
![Page 76: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/76.jpg)
Introduction to RuleBase 76
Managing multiple environments
foo(1) lowest priority
define override foo := …; (2)
mode read_only {
define override foo := …;
}
rule read_only_no_pipeline {
envs read_only; (3)
define override foo := …; (4) highest priority
}
![Page 77: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/77.jpg)
RuleBase options
![Page 78: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/78.jpg)
Introduction to RuleBase 78
Design for Formal Verification
• Control works well under model checking, datapath doesn’t: – Separate control from datapath!– Also separate control from address path,
bookkeeping code
![Page 79: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/79.jpg)
Introduction to RuleBase 79
RuleBase exercise 2
• Copy directory exercise2 from $ $RBEXERCISES/exercise2
• See file README
![Page 80: Introduction to Cindy Eisner Formal Methods Group IBM Haifa Research Laboratory February 2001 Copyright 2001 IBM Haifa Research Laboratory](https://reader035.vdocuments.net/reader035/viewer/2022062408/56649f335503460f94c4f1e6/html5/thumbnails/80.jpg)
Introduction to RuleBase 80
RuleBase exercise 3
• Copy directory exercise3 from $ $RBEXERCISES/exercise3
• See file README