

#### An Introduction to Formal Methods

Gisselquist Technology, LLC

Daniel E. Gisselquist, Ph.D.



# GT Lessons

▷ Welcome

Clocked and \$past

Motivation

k Induction

**Bus Properties** 

Free Variables

Multiple-Clocks

Parting Thoughts

Abstraction

Invariants

Sequences

Cover

Basics

#### Day one

- 1. Motivation
- 2. Basic Operators
- 3. Clocked Operators
- 4. Induction
- 5. Bus Properties

#### Day two

- 6. Free Variables
- 7. Abstraction

#### 8. Invariants

9. Multiple-Clocks

- 10. Cover
- 11. Sequences
- 12. Final Thoughts

# **G** Course Structure

| ▷ Welcome          | VHDL logic examples |  |
|--------------------|---------------------|--|
| Motivation         |                     |  |
| Basics             |                     |  |
| Clocked and \$past |                     |  |
| k Induction        |                     |  |
| Bus Properties     |                     |  |
| Free Variables     |                     |  |
| Abstraction        |                     |  |
| Invariants         |                     |  |
| Multiple-Clocks    |                     |  |
| Cover              |                     |  |
| Sequences          |                     |  |
| Parting Thoughts   |                     |  |
|                    |                     |  |
|                    |                     |  |
|                    |                     |  |

 $\mathbb{M}$ 

### **G** Course Structure

| $\triangleright$ | Welcome |
|------------------|---------|
|------------------|---------|

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

VHDL logic examples

System Verilog assertion wrappers

# **G** Course Structure

| ▷ Welcome          |   |
|--------------------|---|
| Motivation         |   |
| Basics             |   |
| Clocked and \$past |   |
| k Induction        |   |
| Bus Properties     | - |
| Free Variables     |   |
| Abstraction        |   |
| Invariants         |   |
| Multiple-Clocks    |   |
| Cover              |   |
| Sequences          |   |
|                    |   |

Parting Thoughts

 VHDL logic examples
 System Verilog assertion wrappers
 Each lesson will be followed by an exercise There are 12 exercises
 My goal is to have 50% lecture, 50% exercises
 Leading up to building a bus arbiter and testing an synchronous FIFO

#### G

#### $\mathcal{M}$

#### Welcome

Motivation

Intro

Basics

Clocked and \$past

k Induction

**Bus Properties** 

**Free Variables** 

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

#### Motivation

# **G** Lesson Overview

Welcome

- Motivation
- ⊳ Intro
- Basics
- Clocked and \$past
- k Induction
- **Bus Properties**
- Free Variables
- Abstraction
- Invariants
- Multiple-Clocks
- Cover
- Sequences
- Parting Thoughts

- 1. Why are you here?
- 2. What can I provide?
- 3. What have I learned from formal methods?
- Our Objectives
- Get to know a little bit about each other
- Motivate further discussion

### **G** Your expectations

|                       | rour expectations                                     |       |
|-----------------------|-------------------------------------------------------|-------|
| Welcome<br>Motivation | What do you want to learn and get out of this course? | ~~~~~ |
| ▷ Intro<br>Basics     |                                                       |       |
| Clocked and \$past    |                                                       |       |
| k Induction           |                                                       |       |
| Bus Properties        |                                                       |       |
| Free Variables        |                                                       |       |
| Abstraction           |                                                       |       |
| Invariants            |                                                       |       |
| Multiple-Clocks       |                                                       |       |
| Cover                 |                                                       |       |
| Sequences             |                                                       |       |
| Parting Thoughts      |                                                       |       |
|                       |                                                       |       |
|                       |                                                       |       |
|                       |                                                       |       |
|                       |                                                       |       |

# **G** From an ARM dev.

Welcome Motivation  $\triangleright$  Intro **Basics** Clocked and \$past k Induction **Bus Properties** Free Variables Abstraction Invariants Multiple-Clocks Cover Sequences

Parting Thoughts

"I think the main difference between FPGA and ASIC development is the level of verification you have to go through. Shipping a CPU or GPU to Samsung or whoever, and then telling them once they've taped out that you have a Cat1 bug that requires a respin is going to set them back \$1M per mask.

"...But our main verification is still done with constrained random test benches written in SV.

"Overall, you are looking at 50 man years per project minimum for an average project size."

# GT Would not exist

Welcome

Motivation

⊳ Intro

Basics

Clocked and \$past

k Induction

**Bus Properties** 

**Free Variables** 

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

"If we would not do formal verification, we would no longer exist."

– Shahar Ariel, now the former Head of VLSI design at Mellanox

#### **Pentium FDIV**

| Wel    | come |
|--------|------|
| V V CI | come |

Motivation

▷ Intro

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

One little mistake ....

....\$475M later.

### G Personal Experience

| Welcome            |
|--------------------|
| Motivation         |
| ⊳ Intro            |
| Basics             |
| Clocked and \$past |
| k Induction        |
| Bus Properties     |
| Free Variables     |
| Abstraction        |
| Invariants         |
| Multiple-Clocks    |
| Cover              |
| Sequences          |

Parting Thoughts

I have proven such things as,

- Formal bus properties (Wishbone, Avalon, AXI, etc.)
- Bus bridges (WB-AXI, Avalon-WB)
- AXI DMA's, firewalls, crossbars
- Prefetches, cache controllers, memory controllers, MMU
- SPI slaves and masters
  - $\hfill\square$  UART, both TX and RX
  - FIFO's, signal processing flows, FFT
  - Display (VGA) Controller
  - Flash controllers
  - Formal proof of the ZipCPU

# **G** Some Examples

Welcome

Motivation

▷ Intro

Basics

I've found bugs in things I thought were working.

- 1. FIFO
- 2. Pre-fetch and Instruction cache
- 3. SDRAM

4.

A peripheral timer Just how hard can a timer be to get right? It's just a counter!

Bus Properties

k Induction

Clocked and \$past

Free Variables Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

# GT Ex: FIFO

| Wel    | come   |
|--------|--------|
| V V CI | COILIC |

Motivation

⊳ Intro

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

It worked in my test bench

Failed when reading and writing on the same clock while empty

- Write first then read worked
- R+W on full FIFO is okay
- R+W on an empty FIFO

# **Ex:** FIFO

| Welcome               | It worked in my test bench                                                            |
|-----------------------|---------------------------------------------------------------------------------------|
| Motivation<br>▷ Intro | <ul> <li>Failed when reading and writing on the same clock while<br/>empty</li> </ul> |
| Basics                |                                                                                       |
| Clocked and \$past    | <ul> <li>Write first then read worked</li> </ul>                                      |
| k Induction           | <ul> <li>R+W on full FIFO is okay</li> </ul>                                          |
| Bus Properties        | <ul> <li>R+W on an empty FIFO not so much</li> </ul>                                  |
| Free Variables        |                                                                                       |
| Abstraction           | <ul> <li>My test bench didn't check that, formal did</li> </ul>                       |
| Invariants            |                                                                                       |
| Multiple-Clocks       |                                                                                       |
| Cover                 |                                                                                       |
| Sequences             |                                                                                       |
| Parting Thoughts      |                                                                                       |
|                       |                                                                                       |
|                       |                                                                                       |

# **G** Ex: Prefetch

| Welcome            |  |
|--------------------|--|
| Motivation         |  |
| ⊳ Intro            |  |
| Basics             |  |
| Clocked and \$past |  |
| k Induction        |  |
| Bus Properties     |  |
| Free Variables     |  |
| Abstraction        |  |
| Invariants         |  |
| Multiple-Clocks    |  |
| Cover              |  |
| Sequences          |  |
| Parting Thoughts   |  |

#### It worked in my test bench

- Ugliest bug I ever came across was in the prefetch cache It passed test-bench muster, but failed in the hardware with a strange set of symptoms
- When I learned formal, it was easy to prove that this would never happen again.

Low logic has always been one of my goals. Always asking, "will it work if I get rid of this condition?" Formal helps to answer that question for me.

Welcome

Motivation

⊳ Intro

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

- It worked in my test bench
- It passed my hardware testing
  - Test S/W: Week+, no bugs



Motivation

⊳ Intro

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

It worked in my test bench

- It passed my hardware testing
  - Test S/W: Week+, no bugs
  - Formal methods found the bug
  - Full proof took less than < 30 min

Welcome

Motivation

⊳ Intro

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

- It worked in my test bench
- It passed my hardware testing
- Background

|  | • |
|--|---|
|  |   |

| Welcome            |   |
|--------------------|---|
| Motivation         |   |
| ⊳ Intro            | П |
| Basics             |   |
| Clocked and \$past |   |
| k Induction        |   |
| Bus Properties     |   |
| Free Variables     |   |
| Abstraction        |   |
| Invariants         |   |
| Multiple-Clocks    |   |
| Cover              |   |
| Sequences          |   |
| Parting Thoughts   |   |
|                    |   |
|                    |   |

- It worked in my test bench
- It passed my hardware testing
- Background
  - SDRAM's are organized into separate banks, each having rows and columns
  - A row must be "activated" before it can be used.
  - The controller must keep track of which row is activated.
    - If a request comes in for a row that isn't activated, the active row must be deactivated, and the proper row must be activated.
  - A subtle bug in my SDRAM controller compared the active row address against the immediately previous (1-clock ago) required row address, not the currently requested address. This bug had lived in my design for years. Formal methods caught it.

# **G** Problem with Test Benches





Only examines a known good branch
 Cannot check for *every* out of bounds conditions

# **Problem with Test Benches**

| Welcome               | <ul> <li>Demonstr</li> <li>Through</li> </ul> |
|-----------------------|-----------------------------------------------|
| Motivation<br>> Intro | Through                                       |
| Basics                | – orali                                       |
| Clocked and \$past    | □ Never rig                                   |
| k Induction           | □ Not unifo                                   |
| Bus Properties        |                                               |
| Free Variables        | For the FIFO                                  |
| Abstraction           |                                               |
| Invariants            | I only rea                                    |
| Multiple-Clocks       | For the Prefe                                 |
| Cover                 | - I povor to                                  |
| Sequences             | I never te                                    |
| Parting Thoughts      | For the SDR                                   |
|                       | □ The error                                   |

rate design works

- a normal working path
  - mited number of extraneous paths
- orous enough to check everything orm in rigour

```
),
```

d when I knew it wasn't empty

etch,

ested jumping to the last location in a cache line AM,

was so obscure, it would be hard to trigger

# G Before Formal

| Welcome |  |
|---------|--|
|         |  |

Motivation

⊳ Intro

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

This was my method before starting to work with formal.

After . . .

- Proving my design with test benches
- Directed simulation
- I was still chasing bugs in hardware

I still use this approach for DSP algorithms.



# **G** Design Approach





- After finding the bug in my FIFO ... I was hooked.
- Rebuilding everything
   ... now using formal
- Formal found more bugs
  - ... in example after example
- I'm hooked!

# **G** When to use it?





Bus component I would not build a bus component without formal any more Multiplies Formal struggles with multiplication

#### G

|  | $\mathbb{N}$ |
|--|--------------|
|--|--------------|

#### Welcome

Motivation

▷ Basics

Basics

General Rule

Assert

Assume

BMC

Ex: Counter

Sol'n

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

#### Formal Verification Basics: assert and assume

# GT Lesson Overview

| Welcome                | Let's start at the beginning, and look at the very basics of formal               |
|------------------------|-----------------------------------------------------------------------------------|
| Motivation             | verification.                                                                     |
| Basics<br>▷ Basics     | Our Objective:                                                                    |
| General Rule<br>Assert | <ul> <li>To learn the basic two operators used in formal verification,</li> </ul> |
| Assume<br>BMC          | – assert()                                                                        |
| Ex: Counter<br>Sol'n   | – assume()                                                                        |
| Clocked and \$past     | To understand how these affect a design from a state space                        |
| k Induction            | perspective                                                                       |
| Bus Properties         | <ul> <li>We'll also look at several examples</li> </ul>                           |
| Free Variables         |                                                                                   |
| Abstraction            |                                                                                   |
| Invariants             |                                                                                   |
| Multiple-Clocks        |                                                                                   |
| Cover                  |                                                                                   |
| Sequences              |                                                                                   |
| Parting Thoughts       |                                                                                   |

# **G** Basic Premise

| Welcome                                                       | Formal methods are built around looking for redundancies                                                                                                    |  |
|---------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
| Motivation<br>Basics<br>▷ Basics<br>General Rule<br>Assert    | <ul> <li>Basic difference between mediocre and excellent:<br/><i>Double checking your work</i> </li> <li>Two separate and distinct fashions     </li> </ul> |  |
| Assume<br>BMC<br>Ex: Counter<br>Sol'n                         | <ul> <li>First method calculates the answer</li> <li>Second method proved it was right</li> </ul>                                                           |  |
| Clocked and \$past                                            | Example: Division                                                                                                                                           |  |
| <u><i>k</i> Induction</u><br>Bus Properties<br>Free Variables | - $89,321/499 = 179$<br>- Does it? Let's check: $179 * 499 = 89,321$ — Yes                                                                                  |  |
| Abstraction                                                   | <ul> <li>Formal methods are similar</li> </ul>                                                                                                              |  |
| Invariants<br>Multiple-Clocks<br>Cover                        | <ul> <li>Your design is the first method</li> <li>Formal properties describe the second</li> </ul>                                                          |  |
| Sequences Parting Thoughts                                    |                                                                                                                                                             |  |

# **G** Basic Operators

| Wel | come |
|-----|------|
|     |      |

Motivation

Basics

▷ Basics

General Rule

Assert

Assume

BMC

Ex: Counter

Sol'n

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

Let's start with the two basic operators

1. assume()

An **assume**(X) statement will limit the state space that the formal verification engine examines.

2. assert()

An **assert**(X) statement indicates that X *must* be true, or the design will fail to prove.

# GT VHDL



Motivation

Basics

Basics

General Rule

Assert

Assume

BMC

Ex: Counter

Sol'n

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts



We'll be using VHDL logic, System Verilog Assertions

Proprietary Verific library gives Yosys access to VHDL Formal properties will be written in System Verilog

System Verilog **bind** operator will connect the two

### **G**<sup>T</sup> Two basic forms

Welcome

Motivation

Basics

▷ Basics

General Rule

Assert

Assume

BMC

Ex: Counter

Sol'n

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

always @(\*)
 assert(X);

As an example,

always @(\*)
 assert(counter < 20);</pre>

# G General Rule

|                                                                   | General Mule                             |
|-------------------------------------------------------------------|------------------------------------------|
| Welcome<br>Motivation<br>Basics<br>Basics                         | Master FV Rule                           |
| ➢ General Rule<br>Assert<br>Assume<br>BMC<br>Ex: Counter          |                                          |
| Sol'n <u>Clocked and \$past</u> <u>k Induction</u> Bus Properties | assert(local state);<br>assert(outputs); |
| Free Variables Abstraction Invariants                             |                                          |
| Multiple-Clocks<br>Cover<br>Sequences<br>Parting Thoughts         |                                          |

# GT Assert



# G Assume



### **G**<sup>-</sup> The Careless Assumption

| vveicome           | signal : uns   |
|--------------------|----------------|
| Motivation         |                |
| Basics             | process(clk)   |
| Basics             | begin          |
| General Rule       |                |
| Assert             | if (rising     |
| ⊳ Assume           | counter        |
| BMC                | end if;        |
| Ex: Counter        | ,              |
| Sol'n              | end process;   |
| Clocked and \$past |                |
| k Induction        | always @(*)    |
| Bus Properties     | begin          |
| Free Variables     |                |
|                    | asse           |
| Abstraction        | assu           |
| Invariants         | end            |
| Multiple-Clocks    |                |
| Cover              | Question: Will |
| Sequences          |                |

Welcome

Parting Thoughts

```
signal : unsigned(15 downto 0) := 0;
process(clk)
begin
    if (rising_edge(clk)) then
        counter <= counter + 1;
    end if;
end process:
```

```
lways @(*)
egin
    assert(counter <= 100);
    assume(counter <= 90);</pre>
```

Question: Will counter ever reach 120?

30 / 285

#### **G** restrict vs assume

**restrict** () is very similar to **assume**()

#### Welcome

Motivation

Basics

Basics

General Rule

Assert

▷ Assume

BMC

Ex: Counter

Sol'n

#### Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

| Operator    | Formal Verification | Traditional Simulation |
|-------------|---------------------|------------------------|
| restrict () | Restricts search    | Ignored                |
| assume()    | space               | Halts simulation       |
| assert()    | Illegal state       | with an error          |

#### **G** restrict vs assume

#### Welcome

Motivation

Basics

Basics

General Rule

Assert

▷ Assume

BMC

Ex: Counter

Sol'n

#### Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

| Operator                     | Formal Verification | Traditional Simulation |
|------------------------------|---------------------|------------------------|
| restrict () Restricts search |                     | Ignored                |
| assume()                     | space               | Halts simulation       |
| assert()                     | Illegal state       | with an error          |

**restrict** (): Like **assume**(X), it also limits the state space But in a traditional simulation ...

- restrict () is ignored

**restrict** () is very similar to **assume**()

assume() is turned into an assert()

#### GT Bounded Model Checking



# G No Solution



# G No Solution



### Further thoughts

| Welcome              | Unlike the rest of your |
|----------------------|-------------------------|
| Motivation           | don't need to meet      |
| Basics               |                         |
| Basics               | don't need to meet      |
| General Rule         | We'll discuss this more |
| Assert               |                         |
| Assume               |                         |
| ▷ BMC<br>Ex: Counter |                         |
| Sol'n                |                         |
|                      |                         |
| Clocked and \$past   |                         |
| k Induction          |                         |
| Bus Properties       |                         |
| Free Variables       |                         |
| Abstraction          |                         |
| Invariants           |                         |
| Multiple-Clocks      |                         |
| Cover                |                         |
| Sequences            |                         |
| Parting Thoughts     |                         |

r digital design, formal properties ...

- t timing
- t a minimum logic requirement

e as we go along.

#### **G** Example Bus Slave



# G Example Bus Master

|                        | Litample Dus Master                            |   |
|------------------------|------------------------------------------------|---|
| Welcome                | Question: How would a bus master be different? | • |
| Motivation             |                                                |   |
| Basics                 | Assume                                         |   |
| Basics<br>General Rule | Bus Master signals                             |   |
| Assert                 |                                                |   |
| Assume<br>▷ BMC        | Interface Module                               |   |
| Ex: Counter            | (Bus Slave)                                    |   |
| Sol'n                  |                                                |   |
| Clocked and \$past     |                                                |   |
| k Induction            | Assert                                         |   |
| Bus Properties         | Slave Signals                                  |   |
| Free Variables         |                                                |   |
| Abstraction            |                                                |   |
| Invariants             | Y                                              |   |
| Multiple-Clocks        |                                                |   |
| Cover                  |                                                |   |
| Sequences              |                                                |   |
| Parting Thoughts       |                                                |   |

#### **G** Example Bus Master



# GT Internal Bus

| Welcome<br>Motivation                                                                           | Question: What if both slave and master signals were part of the same design? |
|-------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------|
| Basics<br>Basics<br>General Rule<br>Assert<br>Assume<br>▷ BMC                                   | Slave                                                                         |
| Ex: Counter<br>Sol'n<br>Clocked and \$past                                                      | Master                                                                        |
| k       Induction         Bus       Properties         Free       Variables         Abstraction |                                                                               |
| Invariants<br>Multiple-Clocks                                                                   |                                                                               |
| Cover<br>Sequences                                                                              |                                                                               |
| Parting Thoughts                                                                                |                                                                               |

# G Internal Bus

| Welcome<br>Motivation                                                         | Question: What if both slave and master signals were part of the same design? |
|-------------------------------------------------------------------------------|-------------------------------------------------------------------------------|
| Basics<br>Basics<br>General Rule<br>Assert<br>Assume<br>▷ BMC                 | Slave                                                                         |
| Ex: Counter<br>Sol'n<br>Clocked and \$past<br>k Induction                     | Master Slave                                                                  |
| K induction         Bus Properties         Free Variables         Abstraction | Slave                                                                         |
| Invariants<br>Multiple-Clocks                                                 | <ul> <li>All of the wires are now internal</li> </ul>                         |
| Cover<br>Sequences                                                            | They should therefore be assert()ed                                           |
| Parting Thoughts                                                              |                                                                               |

#### **Serial Port Transmitter**

| Welcome            |  |
|--------------------|--|
| Motivation         |  |
| Basics             |  |
| Basics             |  |
| General Rule       |  |
| Assert             |  |
| Assume             |  |
| ⊳ вмс              |  |
| Ex: Counter        |  |
| Sol'n              |  |
| Clocked and \$past |  |
| k Induction        |  |
| Bus Properties     |  |
| Free Variables     |  |
| Abstraction        |  |
| Invariants         |  |
| Multiple-Clocks    |  |
| Cover              |  |
| Sequences          |  |
| Parting Thoughts   |  |

Whenever the serial port is idle, the output line should be high

```
if (state == IDLE)
        assert(o_uart_tx);
```

Whenever the serial port is not idle, busy should be high

```
if (state != IDLE)
        assert(o_busy);
```

else

```
assert(!o_busy);
```

The design can only ever be in a valid state

```
assert((state <= TXUL_STOP)</pre>
           (state == TXUL_IDLE));
```

# **G** Bus Arbiter

```
Welcome
```

Motivation

Basics

Basics

General Rule

Assert

Assume

⊳ BMC

Ex: Counter

Sol'n

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

```
    Arbiter cannot grant both A and B access
```

```
always @(*)
    assert((!grant_A)||(!grant_B));
```

• While one has access, the other must be stalled

```
always @(*)
if (grant_A)
    assert(stall_B);
```

```
always @(*)
if (grant_B)
    assert(stall_A);
```

# **G** Bus Arbiter

Welcome

Motivation

Basics

Basics

General Rule

Assert

Assume

▷ BMC

Ex: Counter

Sol'n

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

While one is stalled, its outstanding requests must be zero

```
always @(*)
if (grant_A)
begin
    assert(f_nreqs_B == 0);
    assert(f_nacks_B == 0);
    assert(f_outstanding_B == 0);
end
```

I use the prefix  $f_{t}$  to indicate a variable that is

- Not part of the design
- But only used for Formal Verification

# G Avalon bus

Motivation

Welcome

Basics

Basics

General Rule

Assert

Assume

⊳ BMC

Ex: Counter

Sol'n

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

Avalon bus: will never issue a read and write request at the same time

always @(\*)
 assume((!i\_av\_read)||(!i\_av\_write));

The bus is initially idle

```
initial assume(!i_av_read);
initial assume(!i_av_write);
initial assume(!i_av_lock);
initial assert(!o_av_readdatavalid);
initial assert(!o_av_writeresponsevalid);
```

# G Avalon bus

Welcome

Motivation

Basics

Basics

General Rule

Assert

Assume

⊳ BMC

Ex: Counter

Sol'n

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

Cannot respond to both read and write in the same clock

Remember ! (A&&B) is equivalent to (!A)||(!B) Cannot respond if no request is outstanding

```
always @(*)
begin
    if (f_wr_outstanding == 0)
        assert(!o_av_writeresponsevalid);
    if (f_rd_outstanding == 0)
        assert(!o_av_readdatavalid);
end
```

## **G** Wishbone

Welcome

Motivation

Basics

Basics

General Rule

Assert

Assume

⊳ BMC

Ex: Counter

Sol'n

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

o\_STB can only be high if o\_CYC is also high

always @(\*)
if (o\_STB)
 assert(o\_CYC);

Count the number of outstanding requests:

| f_outstanding <= "0" | when (i_reset)                 |
|----------------------|--------------------------------|
|                      | <b>else</b> f_nreqs — f_nacks; |

Acks can only respond to valid requests

if (f\_outstanding == 0)
 assume(!i\_wb\_ack);

### **G** Wishbone

Welcome

Motivation

Basics

Basics

General Rule

Assert

Assume

⊳ BMC

Ex: Counter

Sol'n

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

Well, what if a request is being made now?

If not within a bus request, the ACK and ERR lines must be low

```
if (!o_CYC)
begin
    assume(!i_ACK);
    assume(!i_ERR);
```

#### end

Following any reset, the bus will be idle

Requests remain unchanged until accepted

## G Cache

```
Welcome
Motivation
Basics
Basics
General Rule
Assert
Assume
\triangleright BMC
Ex: Counter
Sol'n
Clocked and $past
k Induction
Bus Properties
Free Variables
Abstraction
Invariants
Multiple-Clocks
Cover
```

Sequences

Parting Thoughts

Want a guarantee that the cache response is consistent?

A valid cache entry must …

```
always @(posedge i_clk)
if (o_valid)
begin
        // Be marked valid in the cache
        assert(cache_valid[f_addr[CW-1:LW]]);
        // Have the same cache tag as address
        assert(f_addr[AW-1:LW] ==
                cache_tag[f_addr[CW-1:LW]]);
        // Match the value in the cache
        assert(o_data ==
                cache_data[f_addr[CW-1:0]);
        // Must be in response to a valid
        // request
        assert(waiting_requests != 0);
end
```

# G Multiply

| Welcome            | Consider a multiply |
|--------------------|---------------------|
| Motivation         | Just because an     |
| Basics             |                     |
| Basics             |                     |
| General Rule       |                     |
| Assert             |                     |
| Assume             |                     |
| ⊳ вмс              |                     |
| Ex: Counter        |                     |
| Sol'n              |                     |
| Clocked and \$past |                     |
| k Induction        |                     |
| Bus Properties     |                     |
| Free Variables     |                     |
| Abstraction        |                     |
| Invariants         |                     |
| Multiple-Clocks    |                     |
| Cover              |                     |
| Sequences          |                     |
| Parting Thoughts   |                     |

Just because an algorithm doesn't meet timing

# G Multiply

| Welcome            | Сс | ons |
|--------------------|----|-----|
| Motivation         | _  | I   |
| Basics             |    | J   |
| Basics             |    | J   |
| General Rule       |    |     |
| Assert             |    |     |
| Assume             |    |     |
| ⊳ вмс              |    |     |
| Ex: Counter        |    |     |
| Sol'n              |    |     |
| Clocked and \$past |    |     |
| k Induction        |    |     |
| Bus Properties     |    |     |
| Free Variables     |    |     |
| Abstraction        |    |     |
| Invariants         |    |     |
| Multiple-Clocks    |    |     |
| Cover              |    |     |
| Sequences          |    |     |
| Parting Thoughts   |    |     |

Consider a multiply

- Just because an algorithm doesn't meet timing, or
- Just because it take up logic your FPGA doesn't have

# GT Multiply

```
Consider a multiply
Welcome
Motivation
                       Basics
                       Basics
General Rule
Assert
Assume
▷ BMC
                            begin
Ex: Counter
Sol'n
Clocked and $past
                                    begin
k Induction
Bus Properties
Free Variables
Abstraction
                                    end
Invariants
Multiple-Clocks
                            end
Cover
Sequences
Parting Thoughts
```

Just because an algorithm doesn't meet timing, or

 Just because it take up logic your FPGA doesn't have, doesn't mean you can't use it now

```
always @(posedge i_clk)
begin
    f_answer = 0;
    for(k=0; k<NA; k=k+1)
    begin
        if (i_a[k])
            f_answer = f_answer + (i_b<<k);
    end
    assert(o_result == f_answer);
end</pre>
```

# G Multiply

| Welcome            | Le |
|--------------------|----|
| Motivation         | _  |
| Basics             |    |
| Basics             |    |
| General Rule       |    |
| Assert             |    |
| Assume             |    |
| ▷ BMC              |    |
| Ex: Counter        |    |
| Sol'n              |    |
| Clocked and \$past |    |
| k Induction        |    |
| Bus Properties     |    |
| Free Variables     |    |
| Abstraction        |    |
| Invariants         |    |
| Multiple-Clocks    |    |
| Cover              |    |
| Sequences          |    |
| Parting Thoughts   |    |

et's talk about that multiply some more ...

The one thing formal solver's don't handle well is multiplies

# G Multiply

| Welcome            |
|--------------------|
| Motivation         |
| Basics             |
| Basics             |
| General Rule       |
| Assert             |
| Assume             |
| ⊳ вмс              |
| Ex: Counter        |
| Sol'n              |
| Clocked and \$past |
| k Induction        |
| Bus Properties     |
| Free Variables     |
| Abstraction        |
| Invariants         |
| Multiple-Clocks    |
| Cover              |
| Sequences          |
| Parting Thoughts   |

Let's talk about that multiply some more ...

The one thing formal solver's don't handle well is multiplies
 Abstraction offers alternatives

## G Memory Management Unit

```
For a page result to be valid, it must match the TLB
                Welcome
Motivation
                   always Q(*)
Basics
                   if (last_page_valid)
Basics
                   begin
General Rule
Assert
                              assert(tlb_valid[f_last_page]);
Assume
                              assert(last_ppage ==
▷ BMC
                                        tlb_pdata[f_last_page]);
Ex: Counter
Sol'n
                              assert(last_vpage ==
Clocked and $past
                                        tlb_vdata[f_last_page]);
k Induction
                              assert(last_ro
Bus Properties
                                      tlb_flags[f_last_page][ROFLAG]);
Free Variables
                              assert(last_exe
Abstraction
                                      tlb_flags[f_last_page][EXEFLG]);
                              assert (r_context_word [LGCTXT - 1:1]
Invariants
                                        == tlb_cdata[f_last_page]);
Multiple-Clocks
Cover
                   end
Sequences
Parting Thoughts
```

# GT SDRAM

|                                                      | <b>SL</b> |                                                                                                                                             |
|------------------------------------------------------|-----------|---------------------------------------------------------------------------------------------------------------------------------------------|
| Welcome<br>Motivation                                |           | Writing requires the right row of the right bank to be activated                                                                            |
| Basics<br>Basics<br>General Rule<br>Assert<br>Assume |           | <pre>always @(posedge i_clk) if ((f_past_valid)&amp;&amp;(!maintenance_mode)) case(f_cmd)</pre>                                             |
| ▷ BMC<br>Ex: Counter<br>Sol'n<br>Clocked and \$past  |           | //<br>F_WRITE: <b>begin</b><br>// Response to a write request                                                                               |
| k Induction<br>Bus Properties<br>Free Variables      |           | <pre>assert(f_we); // Bank in question must be active assert(bank_active[o_ram_bs] == 3'b111); // Active row must be for this address</pre> |
| Abstraction<br>Invariants<br>Multiple-Clocks         |           | <pre>assert(bank_row[o_ram_bs]<br/>== f_addr[22:10]);</pre>                                                                                 |
| Cover<br>Sequences<br>Parting Thoughts               |           | <pre>// Must be selecting the right bank assert(o_ram_bs == f_addr[9:8]); end //</pre>                                                      |
|                                                      |           |                                                                                                                                             |

| Welcome                                               | Let's work through a counter as an example.                                                                |
|-------------------------------------------------------|------------------------------------------------------------------------------------------------------------|
| <u>Motivation</u><br>Basics<br>Basics<br>General Rule | <pre>exercise-01/ Contains three files   counter.vhd This will be the HDL source for    our demo</pre>     |
| Assert<br>Assume<br>BMC<br>▷ Ex: Counter              | counter_vhd.sv This contains the formal prop-<br>erties                                                    |
| Sol'n <u>Clocked and \$past</u> k Induction           | counter_vhd.sby This is the SymbiYosys script<br>for the demo                                              |
| Bus Properties                                        | Our Objectives:                                                                                            |
| Free Variables                                        | <ul> <li>Walk through the steps in the tool-flow</li> </ul>                                                |
| Abstraction                                           | Hands on experience with SymbiYosys                                                                        |
| Invariants<br>Multiple-Clocks                         | <ul> <li>Ensure everyone has a working version of SymbiYosys</li> <li>Eind and fix a design bug</li> </ul> |
| Cover                                                 | <ul> <li>Find and fix a design bug</li> </ul>                                                              |
| Sequences                                             |                                                                                                            |
| Parting Thoughts                                      |                                                                                                            |

Welcome Motivation **Basics** Basics General Rule Assert Assume BMC  $\triangleright$  Ex: Counter Sol'n Clocked and \$past k Induction **Bus Properties** Free Variables Abstraction Invariants Multiple-Clocks Cover

Sequences

Parting Thoughts

```
entity counter is
  generic (MAX_AMOUNT: natural := 22);
  signal counts : unsigned(15 downto 0);
  process(i_clk)
  begin
    if (rising_edge(i_clk)) then
      if ((i_start_signal = '1')
          and (0 = counts) then
        counts \leq  to_unsigned(MAX_AMOUNT-1, 16);
      else
        counts \leq counts -1:
      end if;
    end if;
  end process;
  o_busy \leq '1' when (0 = \text{counts}) else '0';
```

|                        | Ex: Counter                                |
|------------------------|--------------------------------------------|
|                        | $\sim$                                     |
| Welcome                |                                            |
| Motivation             | module counter_vhd(i_clk, i_start_signal,  |
| Basics                 | counts, o_busy);                           |
| Basics                 |                                            |
| General Rule<br>Assert | <b>parameter</b> $[15:0]$ MAX_AMOUNT = 22; |
| Assume                 |                                            |
| ВМС                    | input wire i all i atort aignoli           |
| ▷ Ex: Counter          | input wire i_clk, i_start_signal;          |
| Sol'n                  | input wire [15:0] counts;                  |
| Clocked and \$past     | input wire o_busy;                         |
| k Induction            |                                            |
| Bus Properties         |                                            |
| Free Variables         | always @(*)                                |
| Abstraction            | assert (counts < MAX_AMOUNT);              |
| Invariants             | endmodule                                  |
|                        |                                            |
| Multiple-Clocks        |                                            |
| Cover                  | bind counter counter_vhd                   |
| Sequences              | $\#(.MAX_AMOUNT(MAX_AMOUNT))$ copy (.*);   |
| Parting Thoughts       |                                            |

|                      | Ex: Counter                               |
|----------------------|-------------------------------------------|
|                      | $\sim$                                    |
| Welcome              | // VHDL Ports and internal signals        |
| Motivation           | module counter_vhd(i_clk, i_start_signal, |
| Basics               | counts, o_busy);                          |
| Basics               |                                           |
| General Rule         |                                           |
| Assert               | $parameter [15:0] MAX_AMOUNT = 22;$       |
| Assume               |                                           |
| BMC<br>▷ Ex: Counter | input wire i_clk, i_start_signal;         |
| Sol'n                | input wire [15:0] counts;                 |
|                      |                                           |
| Clocked and \$past   | input wire o_busy;                        |
| k Induction          |                                           |
| Bus Properties       |                                           |
| Free Variables       | always @(*)                               |
|                      | assert (counts < MAX_AMOUNT);             |
| Abstraction          |                                           |
| Invariants           | endmodule                                 |
| Multiple-Clocks      |                                           |
| Cover                | bind counter counter_vhd                  |
|                      | $\#(.MAX_AMOUNT(MAX_AMOUNT))$ copy (.*);  |
| Sequences            |                                           |
| Parting Thoughts     |                                           |

|                           | =x: Counter                                |
|---------------------------|--------------------------------------------|
|                           | $\sim VV^{\sim}$                           |
| Welcome                   |                                            |
| Motivation                | module counter_vhd(i_clk, i_start_signal,  |
| Basics                    | counts, o_busy);                           |
| Basics                    | // Generic declaration                     |
| General Rule<br>Assert    | <b>parameter</b> $[15:0]$ MAX_AMOUNT = 22; |
| Assume                    |                                            |
| BMC                       | input wire i_clk, i_start_signal;          |
| Ex: Counter               | · · ·                                      |
| Sol'n                     | <pre>input wire [15:0] counts;</pre>       |
| <u>Clocked and \$past</u> | input wire o_busy;                         |
| k Induction               |                                            |
| Bus Properties            |                                            |
| Free Variables            | always @(*)                                |
| Abstraction               | $ $ assert (counts < MAX_AMOUNT);          |
| Invariants                | endmodule                                  |
| Multiple-Clocks           |                                            |
| Cover                     | bind counter_vhd                           |
| Sequences                 | $\#(.MAX_AMOUNT(MAX_AMOUNT))$ copy (.*);   |
| Parting Thoughts          |                                            |
|                           |                                            |

|                                       | EX: Counter                               |
|---------------------------------------|-------------------------------------------|
|                                       | $\sim$                                    |
| Welcome                               |                                           |
| Motivation                            | module counter_vhd(i_clk, i_start_signal, |
| Basics                                | counts, o_busy);                          |
| Basics                                |                                           |
| General Rule<br>Assert                | parameter [15:0] MAX_AMOUNT = 22;         |
| Assume                                | // All wrapper ports are inputs           |
| BMC                                   | input wire i_clk, i_start_signal;         |
| ▷ Ex: Counter<br>Sol'n                | input wire [15:0] counts;                 |
| Clocked and \$past                    | input wire o_busy;                        |
| k Induction                           |                                           |
| Bus Properties                        |                                           |
| · · · · · · · · · · · · · · · · · · · | always @(*)                               |
| Free Variables                        | assert(counts < MAX_AMOUNT);              |
| Abstraction                           | endmodule                                 |
| Invariants                            | enumouule                                 |
| Multiple-Clocks                       |                                           |
| Cover                                 | bind counter counter_vhd                  |
| Sequences                             | $\#(.MAX_AMOUNT(MAX_AMOUNT))$ copy (.*);  |
| Parting Thoughts                      |                                           |

|                        | :x: Counter                                  |
|------------------------|----------------------------------------------|
|                        | ~\\\`                                        |
| Welcome                |                                              |
| Motivation             | module counter_vhd(i_clk, i_start_signal,    |
| Basics                 | counts, o_busy);                             |
| Basics                 |                                              |
| General Rule<br>Assert | <b>parameter</b> $[15:0]$ MAX_AMOUNT = 22;   |
| Assume                 |                                              |
| ВМС                    | input wire i clk i start signal:             |
| ▷ Ex: Counter          | <pre>input wire i_clk, i_start_signal;</pre> |
| Sol'n                  | input wire [15:0] counts;                    |
| Clocked and \$past     | input wire o_busy;                           |
| k Induction            |                                              |
| Bus Properties         | // Formal properties start here              |
| Free Variables         | always @(*)                                  |
| Abstraction            | assert (counts < MAX_AMOUNT);                |
| Invariants             | endmodule                                    |
|                        |                                              |
| Multiple-Clocks        | bind counton whd                             |
| Cover                  | bind counter counter_vhd                     |
| Sequences              | $\#(.MAX_AMOUNT(MAX_AMOUNT))$ copy (.*);     |
| Parting Thoughts       |                                              |

|                              | Ex: Counter                                |
|------------------------------|--------------------------------------------|
|                              | ~\/\*                                      |
| Welcome                      |                                            |
| Motivation                   | module counter_vhd(i_clk, i_start_signal,  |
| Basics                       | counts, o_busy);                           |
| Basics                       |                                            |
| General Rule                 | [15.0] MAX AMOUNT = 22.                    |
| Assert                       | $parameter [15:0] MAX_AMOUNT = 22;$        |
| Assume<br>BMC                |                                            |
| $\triangleright$ Ex: Counter | input wire i_clk, i_start_signal;          |
| Sol'n                        | <pre>input wire [15:0] counts;</pre>       |
| Clocked and \$past           | input wire o_busy;                         |
| k Induction                  |                                            |
| Bus Properties               |                                            |
| Free Variables               | always @(*)                                |
| Abstraction                  | <pre>assert(counts &lt; MAX_AMOUNT);</pre> |
| Invariants                   | endmodule                                  |
| Multiple-Clocks              | // Connect the two modules together        |
| Cover                        | <b>bind</b> counter_vhd                    |
| Sequences                    | $#(.MAX_AMOUNT(MAX_AMOUNT))$ copy (.*);    |
| Parting Thoughts             |                                            |

#### **G** Example: SymbiYosys

| Welcome In the file, exercise-01/counter_vhd.sby, you'll find:                                                       | ĮV |
|----------------------------------------------------------------------------------------------------------------------|----|
| Motivation [options]                                                                                                 |    |
| Basics                                                                                                               |    |
| Basics mode bmc                                                                                                      |    |
| General Rule [engines]                                                                                               |    |
| Assert smtbmc                                                                                                        |    |
| Assume<br>BMC [script]                                                                                               |    |
| Ex: Counter read -vhdl counter.vhd                                                                                   |    |
|                                                                                                                      |    |
| Soln     read     -formal     counter_vhd.sv       Clocked and \$past     //     -thorn     files     would     read |    |
| # Other Thes would go here                                                                                           |    |
| <u>k Induction</u> <b>prep</b> -top counter                                                                          |    |
| Bus Properties [files]                                                                                               |    |
| Free Variables counter. vhd                                                                                          |    |
|                                                                                                                      |    |
| Abstraction counter_vhd.sv                                                                                           |    |
|                                                                                                                      |    |
| Multiple-Clocks                                                                                                      |    |
| Cover                                                                                                                |    |
| Sequences                                                                                                            |    |
| Parting Thoughts                                                                                                     |    |

 $\sqrt{\Lambda}$ 

#### **G** Example: SymbiYosys

| Welcome            | In the file, exercise-01/counter_vhd.sby, you'll find: |
|--------------------|--------------------------------------------------------|
| Motivation         | [options]                                              |
| Basics             | •                                                      |
| Basics             | mode bmc - Bounded model checking mode                 |
| General Rule       | [engines]                                              |
| Assert             | smtbmc                                                 |
| Assume             |                                                        |
| BMC                | [script]                                               |
| ▷ Ex: Counter      | read -vhdl counter.vhd                                 |
| Sol'n              | read -formal counter_vhd.sv                            |
| Clocked and \$past | # other files would go here                            |
| k Induction        | prep -top counter                                      |
| Bus Properties     | [files]                                                |
| Free Variables     | counter.vhd                                            |
| Abstraction        | counter_vhd.sv                                         |
| Invariants         |                                                        |
| Multiple-Clocks    |                                                        |
| Cover              |                                                        |
| Sequences          |                                                        |
| Parting Thoughts   |                                                        |

 $\sqrt{\Lambda}$ 

#### **G** Example: SymbiYosys

| Welcome            | In the file, exercise-01/counter_vhd.sby, you'll find: |
|--------------------|--------------------------------------------------------|
| Motivation         | [options]                                              |
| Basics             |                                                        |
| Basics             | mode bmc                                               |
| General Rule       | [engines]                                              |
| Assert             | smtbmc - Run, using yosys-smtbmc                       |
| Assume<br>BMC      | [script]                                               |
| Ex: Counter        | read -vhdl counter.vhd                                 |
| Sol'n              | <pre>read -formal counter_vhd.sv</pre>                 |
| Clocked and \$past | # other files would go here                            |
| k Induction        | prep -top counter                                      |
| Bus Properties     | [files]                                                |
| Free Variables     | counter.vhd                                            |
| Abstraction        | counter_vhd.sv                                         |
| Invariants         |                                                        |
| Multiple-Clocks    |                                                        |
| Cover              |                                                        |
| Sequences          |                                                        |
| Parting Thoughts   |                                                        |

 $\sqrt{\Lambda}$ 

|                    | In the file energies 01 (counter while the you'll find. |
|--------------------|---------------------------------------------------------|
| Welcome            | In the file, exercise-01/counter_vhd.sby, you'll find:  |
| Motivation         | [options]                                               |
| Basics             | mode bmc                                                |
| Basics             |                                                         |
| General Rule       | [engines]                                               |
| Assert             | smtbmc                                                  |
| Assume<br>BMC      | [script] ← Yosys commands                               |
| ▷ Ex: Counter      | read -vhdl counter.vhd                                  |
| Sol'n              | <pre>read -formal counter_vhd.sv</pre>                  |
| Clocked and \$past | # other files would go here                             |
| k Induction        | prep -top counter                                       |
| Bus Properties     | [files]                                                 |
| Free Variables     | counter.vhd                                             |
| Abstraction        | counter_vhd.sv                                          |
| Invariants         |                                                         |
| Multiple-Clocks    |                                                         |
| Cover              |                                                         |
| Sequences          |                                                         |
| Parting Thoughts   |                                                         |

|                    | In the file, exercise-01/counter_vhd.sby, you'll find: |
|--------------------|--------------------------------------------------------|
| Welcome            |                                                        |
| Motivation         | [options]                                              |
| Basics             | mode bmc                                               |
| Basics             |                                                        |
| General Rule       | [engines]                                              |
| Assert<br>Assume   | smtbmc                                                 |
| Assume<br>BMC      | [script]                                               |
| Ex: Counter        | read -vhdl counter.vhd ← Read VHDL file                |
| Sol'n              | <b>read</b> -formal counter_vhd.sv                     |
| Clocked and \$past | # other files would go here                            |
| k Induction        |                                                        |
|                    | prep -top counter                                      |
| Bus Properties     | [files]                                                |
| Free Variables     | counter.vhd                                            |
| Abstraction        | counter_vhd.sv                                         |
| Invariants         |                                                        |
| Multiple-Clocks    |                                                        |
| Cover              |                                                        |
|                    |                                                        |
| Sequences          |                                                        |
| Parting Thoughts   |                                                        |

| Welcome            | In the file, exercise-01/counter_vhd.sby, you'll find: |
|--------------------|--------------------------------------------------------|
| Motivation         | [options]                                              |
| Basics             | mode bmc                                               |
| Basics             |                                                        |
| General Rule       | [engines]                                              |
| Assert             | smtbmc                                                 |
| Assume<br>BMC      | [script]                                               |
| ▷ Ex: Counter      | read -vhdl counter.vhd                                 |
| Sol'n              | read -formal counter_vhd.sv ← Read SV file w/SVA       |
| Clocked and \$past | # other files would go here                            |
| k Induction        | prep -top counter                                      |
| Bus Properties     | [files]                                                |
| Free Variables     | counter.vhd                                            |
| Abstraction        | counter_vhd.sv                                         |
| Invariants         |                                                        |
| Multiple-Clocks    |                                                        |
| Cover              |                                                        |
| Sequences          |                                                        |
| Parting Thoughts   |                                                        |

|                        | * V V                                                  |
|------------------------|--------------------------------------------------------|
| Welcome                | In the file, exercise-01/counter_vhd.sby, you'll find: |
| Motivation             | [options]                                              |
| Basics                 |                                                        |
| Basics                 | mode bmc                                               |
| General Rule           | [engines]                                              |
| Assert                 | smtbmc                                                 |
| Assume                 | [script]                                               |
| BMC                    |                                                        |
| ▷ Ex: Counter<br>Sol'n | read -vhdl counter.vhd                                 |
|                        | read -formal counter_vhd.sv                            |
| Clocked and \$past     | # other files would go here                            |
| <u>k</u> Induction     | <b>prep</b> -top counter - Prepare the file for formal |
| Bus Properties         | [files]                                                |
| Free Variables         | counter.vhd                                            |
| Abstraction            | counter_vhd.sv                                         |
| Invariants             |                                                        |
| Multiple-Clocks        |                                                        |
| Cover                  |                                                        |
| Sequences              |                                                        |
| Parting Thoughts       |                                                        |

|                    | · · · · · · · · · · · · · · · · · · ·                  |
|--------------------|--------------------------------------------------------|
| Welcome            | In the file, exercise-01/counter_vhd.sby, you'll find: |
| Motivation         | [options]                                              |
| Basics             | mode bmc                                               |
| Basics             |                                                        |
| General Rule       | [engines]                                              |
| Assert             | smtbmc                                                 |
| Assume             | [script]                                               |
| BMC                |                                                        |
| Ex: Counter        | read -vhdl counter.vhd                                 |
| Sol'n              | read -formal counter_vhd.sv                            |
| Clocked and \$past | # other files would go here                            |
| k Induction        | prep -top counter                                      |
| Bus Properties     | [files]                                                |
| Free Variables     | counter.vhd                                            |
| Abstraction        | counter_vhd.sv                                         |
| Invariants         |                                                        |
| Multiple-Clocks    |                                                        |
| Cover              |                                                        |
| Sequences          |                                                        |
| Parting Thoughts   |                                                        |

| Welcome                                                                                                                        | Other usefull yosys commands                                                                                                    | VV |
|--------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------|----|
| Motivation<br>Basics<br>Basics<br>General Rule<br>Assert<br>Assume<br>BMC<br>▷ Ex: Counter<br>Sol'n                            | <pre>[options] mode bmc depth 20 [engines] smtbmc yices # smtbmc boolector # smtbmc z3</pre>                                    |    |
| Clocked and \$past<br>k Induction<br>Bus Properties<br>Free Variables<br>Abstraction<br>Invariants<br>Multiple-Clocks<br>Cover | <pre>[script] read -formal counter.v # other files would go here prep -top counter opt_merge -share_all [files] counter.v</pre> |    |
| Sequences<br>Parting Thoughts                                                                                                  |                                                                                                                                 |    |

| Welcome                                                                                    | Other usefull yosys commands                                                                                          | ° V V |
|--------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|-------|
| Motivation<br>Basics<br>Basics<br>General Rule<br>Assert<br>Assume<br>BMC<br>▷ Ex: Counter | <pre>[options] mode bmc</pre>                                                                                         |       |
| Sol'n<br><u>Clocked and \$past</u><br><u>k Induction</u><br><u>Bus Properties</u>          | <pre># smtbmc boorcetor<br/># smtbmc z3<br/>[script]<br/>read -formal counter.v<br/># other files would go here</pre> |       |
| Free Variables Abstraction Invariants Multiple-Clocks Cover                                | <pre>prep -top counter opt_merge -share_all [files] counter.v</pre>                                                   |       |
| Sequences<br>Parting Thoughts                                                              |                                                                                                                       |       |

| Welcome              | Other usefull yosys commands       | VV |
|----------------------|------------------------------------|----|
| Motivation           | [options]                          |    |
| Basics               |                                    |    |
| Basics               | mode bmc                           |    |
| General Rule         | depth 20                           |    |
| Assert               | [engines]                          |    |
| Assume               | smtbmc yices                       |    |
| BMC<br>▷ Ex: Counter |                                    |    |
| Sol'n                | # smtbmc boolector                 |    |
|                      | <i># smtbmc z3</i>                 |    |
| Clocked and \$past   | [script]                           |    |
| k Induction          | <b>read</b> -formal counter.v      |    |
| Bus Properties       | <i># other files would go here</i> |    |
| Free Variables       | prep -top counter                  |    |
| Abstraction          | opt_merge -share_all               |    |
| Invariants           | [files]                            |    |
| Multiple-Clocks      | counter.v                          |    |
| Cover                |                                    |    |
| Sequences            |                                    |    |
| Parting Thoughts     |                                    |    |

| Welcome                                                                                                                                         | Other usefull yosys commands                                                                                                                | VV |
|-------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|----|
| Motivation<br>Basics<br>Basics<br>General Rule<br>Assert<br>Assume<br>BMC                                                                       | <pre>[options] mode bmc depth 20 [engines] smtbmc yices ← Yices theorem prover (default)</pre>                                              |    |
| <ul> <li>Ex: Counter</li> <li>Sol'n</li> <li>Clocked and \$past</li> <li>k Induction</li> <li>Bus Properties</li> <li>Free Variables</li> </ul> | <pre># smtbmc boolector<br/># smtbmc z3<br/>[script]<br/>read -formal counter.v<br/># other files would go here<br/>prep -top counter</pre> |    |
| Abstraction<br>Invariants<br>Multiple-Clocks<br>Cover<br>Sequences<br>Parting Thoughts                                                          | <pre>opt_merge -share_all [files] counter.v</pre>                                                                                           |    |

| Welcome                                                  | Other usefull yosys commands                      | VV |
|----------------------------------------------------------|---------------------------------------------------|----|
| Motivation<br>Basics<br>Basics<br>General Rule<br>Assert | [options]<br>mode bmc<br>depth 20<br>[engines]    |    |
| Assume<br>BMC                                            | smtbmc yices                                      |    |
| ▷ Ex: Counter<br>Sol'n                                   | <pre># smtbmc boolector</pre>                     |    |
| <u>Clocked and \$past</u><br><i>k</i> Induction          | [script]<br>read -formal counter.v                |    |
| Bus Properties                                           | # other files would go here                       |    |
| Free Variables Abstraction                               | <pre>prep -top counter opt_merge -share_all</pre> |    |
| Invariants<br>Multiple-Clocks                            | [files]                                           |    |
| Cover                                                    | counter.v                                         |    |
| Sequences<br>Parting Thoughts                            |                                                   |    |

| Welcome                                                                                                                        | Other usefull yosys commands                                                                                                                                            | VV |
|--------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|
| Motivation<br>Basics<br>Basics<br>General Rule<br>Assert<br>Assume<br>BMC<br>▷ Ex: Counter<br>Sol'n                            | <pre>[options] mode bmc depth 20 [engines] smtbmc yices # smtbmc boolector // amthma = 2</pre>                                                                          |    |
| Clocked and \$past<br>k Induction<br>Bus Properties<br>Free Variables<br>Abstraction<br>Invariants<br>Multiple-Clocks<br>Cover | <pre># smtbmc z3 [script] read -formal counter.v # other files would go here prep -top counter opt_merge -share_all ← We'll discusss this later [files] counter.v</pre> |    |
| Sequences<br>Parting Thoughts                                                                                                  |                                                                                                                                                                         |    |

| Welcome                | Other usefull yosys commands                   | V • |
|------------------------|------------------------------------------------|-----|
| Motivation             | [options]                                      |     |
| Basics                 | mode bmc                                       |     |
| Basics<br>General Rule | depth 20                                       |     |
| Assert                 | [engines]                                      |     |
| Assume<br>BMC          | smtbmc yices                                   |     |
| ⊳ Ex: Counter          | <i># smtbmc boolector</i>                      |     |
| Sol'n                  | # smtbmc z3                                    |     |
| Clocked and \$past     | [script]                                       |     |
| k Induction            | <b>read</b> -formal counter.v                  |     |
| Bus Properties         | # other files would go here                    |     |
| Free Variables         | prep -top counter                              |     |
| Abstraction            | opt_merge -share_all                           |     |
| Invariants             | [files]                                        |     |
| Multiple-Clocks        | counter v - Full or relative pathnames go here |     |
| Cover                  |                                                |     |
| Sequences              |                                                |     |
| Parting Thoughts       |                                                |     |

# **G** Running SymbiYosys

| Welcome            | Run: % sby -f counter_vhd.sby | VV |
|--------------------|-------------------------------|----|
| Motivation         |                               |    |
| Basics             |                               |    |
| Basics             |                               |    |
| General Rule       |                               |    |
| Assert             |                               |    |
| Assume             |                               |    |
| BMC                |                               |    |
| ⊳ Ex: Counter      |                               |    |
| Sol'n              |                               |    |
| Clocked and \$past |                               |    |
| k Induction        |                               |    |
| Bus Properties     |                               |    |
| Free Variables     |                               |    |
| Abstraction        |                               |    |
| Invariants         |                               |    |
| Multiple-Clocks    |                               |    |
| Cover              |                               |    |
| Sequences          |                               |    |
| Parting Thoughts   |                               |    |

# **G** Running SymbiYosys

| Welcome            | Run: % sby -f counter_vhd.sby                                                                                                                                                    |
|--------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Motivation         | <pre>:~/ /exercise-01\$ sby -f counter_vhd.sby SBY 11:39:14 [counter_vhd] Removing directory 'counter_vhd'.</pre>                                                                |
| Basics             | <pre>SBY 11:39:14 [counter_vhd] Copy 'counter.vhd' to 'counter_vhd/src/counter.vhd'. SBY 11:39:14 [counter_vhd] Copy 'counter_vhd.sv' to 'counter_vhd/src/counter_vhd.sv'.</pre> |
| Basics             | SBY 11:39:14 [counter_vhd] engine_0: smtbmc<br>SBY 11:39:14 [counter vhd] base: starting process "cd counter vhd/src; yosys -ql/model/design.log/mode                            |
| General Rule       | l/design.ys"                                                                                                                                                                     |
| Assert             | SBY 11:39:14 [counter_vhd] base: finished (returncode=0)                                                                                                                         |
| Assume             | SBY 11:39:14 [counter_vhd] smt2: starting process "cd counter_vhd/model; yosys -ql design_smt2.log design_sm<br>t2.ys"                                                           |
|                    | SBY 11:39:14 [counter vhd] smt2: finished (returncode=0)                                                                                                                         |
| BMC                | SBY 11:39:14 [counter_vhd] engine_0: starting process "cd counter_vhd; yosys-smtbmcpresatunrollnopr                                                                              |
| ⊳ Ex: Counter      | ogress -t 20append 0dump-vcd engine_0/trace.vcddump-vlogtb engine_0/trace_tb.vdump-smtc engine_0<br>/trace.smtc model/design smt2.smt2"                                          |
| Sol'n              | SBY 11:39:14 [counter vhd] engine 0: ## 0:00:00 Solver: yices                                                                                                                    |
|                    | SBY 11:39:14 [counter_vhd] engine_0: ## 0:00:00 Checking assumptions in step 0                                                                                                   |
| Clocked and \$past | SBY 11:39:14 [counter_vhd] engine_0: ## 0:00:00 Checking assertions in step 0                                                                                                    |
|                    | SBY 11:39:14 [counter_vhd] engine_0: ##   0:00:00  BMC failed!<br>SBY 11:39:14 [counter vhd] engine 0: ##   0:00:00  Assert failed in counter.copy: counter vhd.sv:55            |
| k Induction        | SBY 11:39:14 [counter_vhd] engine_0: ## 0:00:00 Writing trace to VCD file: engine 0/trace.vcd                                                                                    |
| Pue Droparties     | SBY 11:39:14 [counter vhd] engine 0: ## 0:00:00 Writing trace to Verilog testbench: engine 0/trace tb.v                                                                          |
| Bus Properties     | SBY 11:39:14 [counter_vhd] engine_0: ## 0:00:00 Writing trace to constraints file: engine_0/trace.smtc                                                                           |
| Free Variables     | SBY 11:39:14 [counter_vhd] engine_0: ##   0:00:00  Status: failed<br>SBY 11:39:14 [counter vhd] engine 0: finished (returncode=1)                                                |
|                    | SBY 11:39:14 [counter_vhd] engine_0: finished (returnedde-1)<br>SBY 11:39:14 [counter vhd] engine 0: Status returned by engine: FAIL                                             |
| Abstraction        | SBY 11:39:14 [counter_vhd] summary: Elapsed clock time [H:MM:SS (secs)]: 0:00:00 (0)                                                                                             |
|                    | SBY 11:39:14 [counter_vhd] summary: Elapsed process time [H:MM:SS (secs)]: 0:00:00 (0)                                                                                           |
| Invariants         | SBY 11:39:14 [counter_vhd] summary: engine_0 (smtbmc) returned FAIL<br>SBY 11:39:14 [counter vhd] summary: counterexample trace: counter vhd/engine 0/trace.vcd                  |
|                    | SBY 11:39:14 [counter_vhd] Summary: counterexample trace. counter_vhd/engine_0/trace.vcd<br>SBY 11:39:14 [counter vhd] DONE (FAIL, rc=2)                                         |
| Multiple-Clocks    | Aundlarians:~/auntational approximation /exercise-01\$                                                                                                                           |
| Cover              |                                                                                                                                                                                  |
|                    |                                                                                                                                                                                  |
| Sequences          |                                                                                                                                                                                  |
|                    |                                                                                                                                                                                  |
| Parting Thoughts   |                                                                                                                                                                                  |

# G BMC Failed

|                    | Run: % sby -f counter_vhd.sby                                                                                                                                                                                                |
|--------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Welcome            |                                                                                                                                                                                                                              |
| Motivation         | <pre>:~/ /exercise-01\$ sby -f counter_vhd.sby SBY 11:39:14 [counter_vhd] Removing directory 'counter_vhd'. SDY 11:30:14 [counter_vhd] Conv [counter_vhd] to [counter_vhd].</pre>                                            |
| Basics             | <pre>SBY 11:39:14 [counter_vhd] Copy 'counter.vhd' to 'counter_vhd/src/counter.vhd'. SBY 11:39:14 [counter_vhd] Copy 'counter_vhd.sv' to 'counter_vhd/src/counter_vhd.sv'. SBY 11:39:14 [counter vhd] engine 0: smtbmc</pre> |
| Basics             | SBY 11:39:14 [counter_vhd] engine_0. smtbmc<br>SBY 11:39:14 [counter vhd] base: starting process "cd counter vhd/src; yosys -ql/model/design.log/mode                                                                        |
| General Rule       | l/design.ys"                                                                                                                                                                                                                 |
| Assert             | SBY 11:39:14 [counter_vhd] base: finished (returncode=0)<br>SBY 11:39:14 [counter vhd] smt2: starting process "cd counter vhd/model; yosys -ql design smt2.log design sm                                                     |
| Assume             | t2.ys"                                                                                                                                                                                                                       |
| BMC                | <pre>SBY 11:39:14 [counter_vhd] smt2: finished (returncode=0) SBY 11:39:14 [counter_vhd] engine_0: starting process "cd counter_vhd; yosys-smtbmcpresatunrollnopr</pre>                                                      |
| ⊳ Ex: Counter      | ogress -t 20append 0dump-vcd engine_0/trace.vcddump-vlogtb engine_0/trace_tb.vdump-smtc engine_0                                                                                                                             |
| Sol'n              | /trace.smtc model/design_smt2.smt2"<br>SBY 11:39:14 [counter vhd] engine 0: ##  0:00:00  Solver: yices                                                                                                                       |
|                    | SBY 11:39:14 [counter_vhd] engine_0: ## 0:00:00 Checking assumptions in step 0                                                                                                                                               |
| Clocked and \$past | SBY 11:39:14 [counter_vhd] engine_0: ## 0:00:00 Checking assertions in step 0<br>SBY 11:39:14 [counter vhd] engine 0: ## 0:00:00 BMC failed!                                                                                 |
| k Induction        | SBY 11:39:14 [counter_vhd] engine_0: ## 0:00:00 Second funced in counter.copy: counter_vhd.sv:55                                                                                                                             |
|                    | SBY 11:39:14 [counter_vhd] engine_0: ## 0:00:00 Writing trace to VCD file: engine_0/trace.vcd<br>SBY 11:39:14 [counter vhd] engine 0: ## 0:00:00 Writing trace to Verilog testbench: engine 0/trace tb.v                     |
| Bus Properties     | SBY 11:39:14 [counter_vhd] engine_0: ## 0:00:00 Writing truce to constraints file: engine_0/trace.smtc                                                                                                                       |
| Free Variables     | SBY 11:39:14 [counter_vhd] engine_0: ## 0:00:00 Statis: failed<br>SBY 11:39:14 [counter vhd] engine 0: finished (returncode-1)                                                                                               |
|                    | SBY 11:39:14 [counter vhd] engine 0: Status returned by engine: FAIL                                                                                                                                                         |
| Abstraction        | SBY 11:39:14 [counter_vhd] summary: Elapsed clock time [H:MM:SS (secs)]: 0:00:00 (0)<br>SBY 11:39:14 [counter vhd] summary: Elapsed process time [H:M:SS (secs)]: 0:00:00 (0)                                                |
| Invariants         | SBY 11:39:14 [counter vhd] summary: engine 0 (smtbmc) retened FAIL >                                                                                                                                                         |
| invariants         | SBY 11:39:14 [counter_vhd] summary. counterexample trace: counter_vnd/engine_0/trace.vcd                                                                                                                                     |
| Multiple-Clocks    | SBY 11:39:14 [counter_vhd] DON = (FAIL, rc=2)<br>:~/ /exercise-01\$                                                                                                                                                          |
| Cover              |                                                                                                                                                                                                                              |
|                    |                                                                                                                                                                                                                              |
| Sequences          |                                                                                                                                                                                                                              |
| Parting Thoughts   |                                                                                                                                                                                                                              |

# GT Where Next

|                    | $\sim$                                                                                                                                                                                                                                                                              |
|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Welcome            | Look at source line 55, and fire up gtkwave                                                                                                                                                                                                                                         |
| Motivation         | <pre>:~/ /exercise-01\$ sby -f counter vhd.sby SBY 11:39:14 [counter_vhd] Removing directory 'counter_vhd'.</pre>                                                                                                                                                                   |
| Basics             | SBY 11:39:14 [counter_vhd] Copy 'counter.vhd' to 'counter_vhd/src/counter.vhd'.<br>SBY 11:39:14 [counter_vhd] Copy 'counter_vhd.sv' to 'counter_vhd/src/counter_vhd.sv'.                                                                                                            |
| Basics             | SBY 11:39:14 [counter_vhd] engine_0: smtbmc<br>SBY 11:39:14 [counter vhd] base: starting process "cd counter vhd/src; yosys -ql/model/design.log/mode                                                                                                                               |
| General Rule       | l/design.ys"                                                                                                                                                                                                                                                                        |
| Assert             | SBY 11:39:14 [counter_vhd] base: finished (returncode=0)<br>SBY 11:39:14 [counter vhd] smt2: starting process "cd counter vhd/model; yosys -ql design smt2.log design sm                                                                                                            |
| Assume             | t2.ys"                                                                                                                                                                                                                                                                              |
| BMC                | SBY 11:39:14 [counter_vhd] smt2: finished (returncode=0)<br>SBY 11:39:14 [counter vhd] engine 0: starting process "cd counter vhd; yosys-smtbmcpresatunrollnopr                                                                                                                     |
| ⊳ Ex: Counter      | ogress -t 20append 0dump-vcd engine_0/trace.vcddump-vlogtb engine_0/trace_tb.vdump-smtc engine_0<br>/trace.smtc model/design smt2.smt2"                                                                                                                                             |
| Sol'n              | SBY 11:39:14 [counter_vhd] engine_0: ## 0:00:00 Solver: yices                                                                                                                                                                                                                       |
| Clocked and \$past | SBY 11:39:14 [counter_vhd] engine_0: ## 0:00:00 Checking assumptions in step 0<br>SBY 11:39:14 [counter_vhd] engine_0: ## 0:00:00 Checking assertions in step 0<br>SBY 11:39:14 [counter vhd] engine 0: ## 0:00:00 BMC failed!                                                      |
| k Induction        | SBY 11:39:14 [counter_vhd] engine_0: ## 0:00:00 Assert failed in counter.copy: counter vhd.sv:55<br>SBY 11:39:14 [counter_vhd] engine_0: ## 0:00:00 Writing trace to VCD file: engine 0/trace.vcd                                                                                   |
| Bus Properties     | SBY 11:39:14 [counter_vhd] engine_0: ## 0:00:00 Writing trace to Verilog testbench: engine_0/trace_tb.v<br>SBY 11:39:14 [counter_vhd] engine_0: ## 0:00:00 Writing trace to constraints file: engine_0/trace.smtc<br>SBY 11:39:14 [counter_vhd] engine_0: ## 0:00:00 Status: failed |
| Free Variables     | SBY 11:39:14 [counter_vhd] engine_0: finished (returncode=1)                                                                                                                                                                                                                        |
| Abstraction        | SBY 11:39:14 [counter_vhd] engine_0: Status returned by engine: FAIL<br>SBY 11:39:14 [counter_vhd] summary: Elapsed clock time [H:MM:SS (secs)]: 0:00:00 (0)<br>SBY 11:39:14 [counter_vhd] summary: Elapsed process time [H:MM:SS (secs)]: 0:00:00 (0)                              |
| Invariants         | SBY 11:39:14 [counter_vhd] summary: engine_0 (smtbmc) returned FAIL<br>SBY 11:39:14 [counter vhd] summary: counterexample trace: counter vhd/engine 0/trace.vcd                                                                                                                     |
| Multiple-Clocks    | SBY 11:39:14 [counter_vhd] DONE (FAIL, rc=2)<br>:~/ /exercise-01\$                                                                                                                                                                                                                  |
| Cover              |                                                                                                                                                                                                                                                                                     |
| Sequences          |                                                                                                                                                                                                                                                                                     |
| Parting Thoughts   |                                                                                                                                                                                                                                                                                     |

# **GTK**Wave trace.vcd

| Welcome                           | Run: % gtkwav          | ve counter_vhd/engine_0/trace.vcd                                         |
|-----------------------------------|------------------------|---------------------------------------------------------------------------|
| Motivation                        | 😹 🔄 💼 🖼 🖬              | 🥱 🗲 ➔ 🕹 🕹 😽 ↔ 🕹 From: 0 sec 🛛 To: 10 ns 🛛 🕹 Marker: 0 sec   Cursor: 0 sec |
| Basics                            | ▼ SST                  | Signals Waves 3 ns 6 ns                                                   |
| Basics                            | L <sup>a</sup> counter | counter[15:0] =: 8000                                                     |
| General Rule                      |                        |                                                                           |
| Assert                            | Type Signals           |                                                                           |
| Assume                            | event smt_clock        |                                                                           |
| BMC                               | int smt_step           | This should be less than 22, not 0x8000.                                  |
| ▷ Ex: Counter                     |                        | Why isn't it less than 22?                                                |
| Sol'n                             |                        |                                                                           |
| Clocked and \$past<br>k Induction | Filter:                |                                                                           |
| Bus Properties                    |                        |                                                                           |
| Free Variables                    |                        |                                                                           |
| Abstraction                       |                        |                                                                           |
| Invariants                        |                        |                                                                           |
| Multiple-Clocks                   |                        |                                                                           |
| Cover                             |                        |                                                                           |
| Sequences                         |                        |                                                                           |
| Parting Thoughts                  |                        |                                                                           |

# **G Examine the source**

| WelcomeMotivationBasicsBasicsBasicsGeneral RuleAssertAssumeBMC $\triangleright$ Ex: CounterSol'nClocked and \$pastk InductionBus PropertiesFree VariablesAbstractionInvariantsMultiple-ClocksCoverSequences | Run: % gvim demo-rtl/counter_vhd.v<br>What did we do wrong?<br>********************************** |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------|
| Parting Thoughts                                                                                                                                                                                            |                                                                                                   |

#### **Examine the source**

| Welcome            | Run: % demo-rtl/counter_vhd.v                                                                                     |  |  |
|--------------------|-------------------------------------------------------------------------------------------------------------------|--|--|
| Motivation         | Notice anything wrong?                                                                                            |  |  |
| Basics             | □ • □ ● ◇ ◇ ∠ → □ ♀ ← ゐ 3 .8 ◇ □ ◇ ⊘ 🕸                                                                            |  |  |
| Basics             | 51 architecture behavior of counter is                                                                            |  |  |
| General Rule       | 52 signal counts : unsigned(15 downto 0);                                                                         |  |  |
| Assert             | 53 begin                                                                                                          |  |  |
|                    | 54                                                                                                                |  |  |
| Assume             | 55 process(i_clk)                                                                                                 |  |  |
| BMC                | 56 begin                                                                                                          |  |  |
| ⊳ Ex: Counter      | 57 if (rising_edge(i_clk)) then                                                                                   |  |  |
| Sol'n              | <pre>58 if ((i_start_signal = '1') and (0 = counts)) the<br/>59 counts &lt;= to unsigned(MAX AMOUNT-1, 16);</pre> |  |  |
| 30111              | 59 counts <= to_unsigned(MAX_AMOUNT-1, 16);<br>60 else                                                            |  |  |
| Clocked and \$past | 61 counts <= counts - 1;                                                                                          |  |  |
|                    | 62 end if;                                                                                                        |  |  |
| k Induction        | 63 end if;                                                                                                        |  |  |
|                    | 64 end process;                                                                                                   |  |  |
| Bus Properties     | 65                                                                                                                |  |  |
| Free Variables     | 66 process(all)                                                                                                   |  |  |
|                    | 67 begin                                                                                                          |  |  |
| Abstraction        | 68 if (0 = counts) then                                                                                           |  |  |
|                    | 69 o_busy <= '1';                                                                                                 |  |  |
| Invariants         | 70 else<br>71 o busy <= '0';                                                                                      |  |  |
|                    | 72 end if;                                                                                                        |  |  |
| Multiple-Clocks    | 73 end process;                                                                                                   |  |  |
| Cover              | 51,1                                                                                                              |  |  |
| Sequences          |                                                                                                                   |  |  |
| Parting Thoughts   |                                                                                                                   |  |  |

96%

and (0 = counts)) then

# **G Examine the source**

| Welcome                      | Run: % demo-rtl/counter_vhd.v                          |
|------------------------------|--------------------------------------------------------|
| Motivation                   | Notice anything wrong?                                 |
| Basics                       | 😑 🛃 😫 👒 🤌 😹 ⊆ 📴 🤐 ➔ ♦ 🕼 🔡 ஃ 💁 💷 🗇 🕑 🔯                  |
| Basics                       | 51 architecture behavior of counter is                 |
| General Rule                 | <pre>52 signal counts : unsigned(15 downto 0);</pre>   |
| Assert                       | 53 begin                                               |
| Assume                       | 54<br>55 process(i clk)                                |
| BMC                          | 56 begin                                               |
| $\triangleright$ Ex: Counter | 57 if (rising_edge(i_clk)) then                        |
| Sol'n                        | 58 if ((i_start_signal = '1') and (0 = counts)) then   |
| 50111                        | 59 counts <= to_unsigned(MAX_AMOUNT-1, 16);<br>60 else |
| Clocked and \$past           | 61 counts <= counts - 1;                               |
|                              | 62 end if;                                             |
| k Induction                  | 63 end if;                                             |
| Bus Properties               | 64 end process;<br>65                                  |
|                              | 66 process(all)                                        |
| Free Variables               | 67 begin                                               |
| Abstraction                  | 68 if (0 = counts) then                                |
| Abstraction                  | 69 o_busy <= '1';                                      |
| Invariants                   | 70 else<br>71 o busy <= '0';                           |
|                              | 72 end if;                                             |
| Multiple-Clocks              | 73 end process;                                        |
| Cover                        | 51,1 96%                                               |
|                              | How about the missing initial value?                   |
| Sequences                    |                                                        |
| Parting Thoughts             |                                                        |

# G Illegal Initial State



# **G** Exercise

| Welcome            | Try adding in the initial value, will it work? |
|--------------------|------------------------------------------------|
|                    |                                                |
| Motivation         |                                                |
| Basics             |                                                |
| Basics             |                                                |
| General Rule       |                                                |
| Assert             |                                                |
| Assume             |                                                |
| BMC                |                                                |
| Ex: Counter        |                                                |
| ⊳ Sol'n            |                                                |
| Clocked and \$past |                                                |
| k Induction        |                                                |
| Bus Properties     |                                                |
| Free Variables     |                                                |
| Abstraction        |                                                |
| Invariants         |                                                |
| Multiple-Clocks    |                                                |
| Cover              |                                                |
| Sequences          |                                                |
| Parting Thoughts   |                                                |

# G

#### $\mathcal{M}$

#### Welcome

Motivation

Basics

Clocked and

⊳ \$past

Past

\$past Rule

Past Assertions

Past Valid

Examples

Ex: Busy Counter

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

#### **Clocked and \$past**

# **G** Lesson Overview

| <u>۱۸/ما</u> | come |
|--------------|------|
| vve          | come |

Motivation

Basics

Clocked and \$past

⊳ Past

\$past Rule

Past Assertions

Past Valid

Examples

Ex: Busy Counter

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

Our Objective:

• To learn how to make assertions crossing time intervals

– **\$p**ast()

- Before the beginning of time
  - Assumptions always hold
  - Assertions rarely hold
  - How to get around this with f\_past\_valid

# **G** The \$past operator

Welcome Motivation **Basics** Clocked and \$past  $\triangleright$  Past \$past Rule Past Assertions Past Valid Examples Ex: Busy Counter k Induction **Bus Properties** Free Variables Abstraction Invariants Multiple-Clocks Cover Sequences

Parting Thoughts

**\$past**(X) Returns the value of X one clock ago. **\$past**(X,N) Returns the value of X N clocks ago. Depends upon a clock

Depends upon a clock

This is illegal

No clock is associated with the **\$past** operator.

- But you can do this

```
always @(posedge clk)
if (X)
    assert(Y == $past(Y));
```

# GT \$past Rule

Welcome

Motivation

Basics

Clocked and \$past

Past

▷ \$past Rule

Past Assertions

Past Valid

Examples

Ex: Busy Counter

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

#### \$past FV Rule

Only use \$past as a precondition

always @(posedge clk) if ((f\_past\_valid)&&(\$past(value))) assert(something);

```
Welcome
Motivation
```

Basics

```
Clocked and $past
```

Past

```
$past Rule
```

▷ Past Assertions

Past Valid

```
Examples
```

```
Ex: Busy Counter
```

k Induction

```
Bus Properties
```

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

Let's modify our counter, by creating some additional properties:

```
always @(*)
    assume(!i_start_signal);
```

```
always @(posedge clk)
    assert($past(counter == 0));
```

i\_start\_signal is now never true, so the counter should always be zero.

• assert(counter == 0);

This should always be true, since counter starts at zero, and is never changed from zero.

Will **assert**(**\$past**(counter == 0)); succeed?

You can find this file in exercise-02/pastassert.vhd

This fails

Welcome

Motivation

Basics

Clocked and \$past

Past

\$past Rule

▷ Past Assertions

Past Valid

Examples

Ex: Busy Counter

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

```
always @(*)
    assume(!i_start_signal);
```

```
always @(posedge clk)
    assert($past(counter == 0));
```

This fails

П

Welcome

Motivation

Basics

Clocked and \$past

Past

\$past Rule

▷ Past Assertions

Past Valid

Examples

Ex: Busy Counter

 $\boldsymbol{k}$  Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

```
always @(*)
    assume(!i_start_signal);
always @(posedge clk)
```

assert(\$past(counter == 0));

Before time, counter is unconstrained.

 The solver can make it take on any value it wants in order to make things fail

This will not show in the VCD file

This succeeds

Welcome

Motivation

Basics

Clocked and \$past

Past

\$past Rule

▷ Past Assertions

Past Valid

Examples

Ex: Busy Counter

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

```
always @(*)
    assume(!i_start_signal);
always @(*)
```

```
assert(counter == 0);
```

Let's try again:

Motivation

Basics

Clocked and \$past

Past

\$past Rule

▷ Past Assertions

Past Valid

Examples

Ex: Busy Counter

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

This should work, right?

Let's try again:

| come |
|------|
|      |
|      |

Motivation

Basics

Clocked and \$past

Past

\$past Rule

▷ Past Assertions

Past Valid

Examples

Ex: Busy Counter

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

This should work, right? No, it fails.

i\_start\_signal is unconstrained before time counter is initially constrained to zero If i\_start\_signal is one before time, counter will still be zero when time begins

# 

| Welcome                                        | We can fix this with a register I call, f_past_valid:             |
|------------------------------------------------|-------------------------------------------------------------------|
| Motivation<br>Basics                           | <pre>reg f_past_valid;</pre>                                      |
| Clocked and \$past<br>Past                     | <pre>initial f_past_valid = 1'b0;<br/>always @(posedge clk)</pre> |
| \$past Rule<br>Past Assertions<br>▷ Past Valid | f_past_valid <= 1'b1;                                             |
| Examples<br>Ex: Busy Counter                   | always @(posedge clk)                                             |
| <u>k</u> Induction<br>Bus Properties           | <pre>if ((f_past_valid)&amp;&amp;(\$past(i_start_signal)))</pre>  |
| Free Variables Abstraction                     | Will this work?                                                   |
| Invariants<br>Multiple-Clocks                  |                                                                   |
| Cover                                          |                                                                   |
| Sequences Parting Thoughts                     |                                                                   |

# 

|                                                    | i_past_vana                                                       |
|----------------------------------------------------|-------------------------------------------------------------------|
| Welcome                                            | We can fix this with a register I call, f_past_valid:             |
| Motivation<br>Basics                               | <pre>reg f_past_valid;</pre>                                      |
| Clocked and \$past<br>Past                         | <pre>initial f_past_valid = 1'b0;<br/>always @(posedge clk)</pre> |
| \$past Rule<br>Past Assertions<br>▷ Past Valid     | f_past_valid <= 1'b1;                                             |
| Examples<br>Ex: Busy Counter<br><i>k</i> Induction | always @(posedge clk)                                             |
| Bus Properties                                     | <pre>if ((f_past_valid)&amp;&amp;(\$past(i_start_signal)))</pre>  |
| Free Variables Abstraction                         | Will this work? Almost, but not yet.                              |
| Invariants<br>Multiple-Clocks                      |                                                                   |
| <u>Cover</u><br>Sequences                          |                                                                   |
| Parting Thoughts                                   |                                                                   |

# **G** Fixing the counter

```
Welcome
Motivation
Basics
Clocked and $past
Past
$past Rule
Past Assertions
▷ Past Valid
Examples
Ex: Busy Counter
k Induction
Bus Properties
Free Variables
Abstraction
Invariants
                              Will this work?
                         Multiple-Clocks
Cover
Sequences
Parting Thoughts
```

What about the case where i\_start\_signal is raised while the counter isn't zero?

# **G** Fixing the counter

```
Welcome
Motivation
Basics
Clocked and $past
Past
$past Rule
Past Assertions
▷ Past Valid
Examples
Ex: Busy Counter
k Induction
Bus Properties
Free Variables
Abstraction
Invariants
                         Multiple-Clocks
Cover
                         Sequences
Parting Thoughts
```

What about the case where i\_start\_signal is raised while the counter isn't zero?

Will this work? Yes, now it will work You'll find lots of references to f\_past\_valid in my own designs

### **GTExamples**

|                                                                                                               | Examples                              |     |
|---------------------------------------------------------------------------------------------------------------|---------------------------------------|-----|
| Welcome                                                                                                       | Let's look at some practical examples | VV° |
| Motivation                                                                                                    |                                       |     |
| Basics                                                                                                        |                                       |     |
| Clocked and \$past<br>Past<br>\$past Rule<br>Past Assertions<br>Past Valid<br>D> Examples<br>Ex: Busy Counter |                                       |     |
| k Induction                                                                                                   |                                       |     |
| Bus Properties                                                                                                |                                       |     |
| Free Variables                                                                                                |                                       |     |
| Abstraction                                                                                                   |                                       |     |
| Invariants                                                                                                    |                                       |     |
| Multiple-Clocks                                                                                               |                                       |     |
| Cover                                                                                                         |                                       |     |
| Sequences                                                                                                     |                                       |     |
| Parting Thoughts                                                                                              |                                       |     |

### **G** Reset example, #1

| Welcome |
|---------|
|---------|

Motivation

Basics

Clocked and \$past

Past

\$past Rule

Past Assertions

Past Valid

 $\triangleright$  Examples

Ex: Busy Counter

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

The rule: Every design should start in the reset state.

```
initial assume(i_RESET);
```

What would be the difference between these two properties?

### **G** Reset example, #2

| Welcome<br>Motivation                                                  | The rule: On the clock following a reset, there should be no outstanding bus requests. |
|------------------------------------------------------------------------|----------------------------------------------------------------------------------------|
| Basics<br>Clocked and \$past<br>Past<br>\$past Rule<br>Past Assertions | <pre>always @(posedge clk) if ((f_past_valid)&amp;&amp;(\$past(i_RESET)))</pre>        |
| Past Valid<br>▷ Examples<br>Ex: Busy Counter                           |                                                                                        |
| <u>k</u> Induction<br>Bus Properties<br>Free Variables                 |                                                                                        |
| Abstraction<br>Invariants<br>Multiple-Clocks                           |                                                                                        |
| Cover<br>Sequences<br>Parting Thoughts                                 |                                                                                        |
|                                                                        |                                                                                        |

# **G** Reset example, #2

|                                                                                                                                                                                   | Reset example, #2                                                              |       |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------|-------|
| Welcome<br><u>Motivation</u><br>Basics<br><u>Clocked and \$past</u><br>Past                                                                                                       | Two times registers must have their reset value<br>Initially Following a reset | -vvv- |
| Fast         \$past Rule         Past Assertions         Past Valid         ▷ Examples         Ex: Busy Counter         k Induction         Bus Properties         Free Variables | <pre>always @(posedge clk) if ((!f_past_valid)  (\$past(i_reset))) begin</pre> |       |
| Abstraction<br>Invariants<br>Multiple-Clocks<br>Cover<br>Sequences<br>Parting Thoughts                                                                                            |                                                                                |       |

## **G** Bus example

|                                                                                                                                                                                                                                                                                 | Bus example                                                                              |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------|
| Welcome<br>Motivation                                                                                                                                                                                                                                                           | The rule: while a request is being made, the request cannot change until it is accepted. |
| Basics         Clocked and \$past         Past         Past         \$past Rule         Past Assertions         Past Valid         ▷ Examples         Ex: Busy Counter         k Induction         Bus Properties         Free Variables         Abstraction         Invariants | <pre>always @(posedge clk) if ((f_past_valid)</pre>                                      |
| Multiple-Clocks<br>Cover<br>Sequences<br>Parting Thoughts                                                                                                                                                                                                                       |                                                                                          |

## **Ex: Busy Counter**

| Welcome                                                                                            | Many of my projects include some type of "busy counter" ${}^{f V}$                                                                                                                                                                 |
|----------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Motivation<br>Basics<br>Clocked and \$past<br>Past<br>\$past Rule<br>Past Assertions<br>Past Valid | <ul> <li>Serial port logic must wait for a baud clock<br/>Transmit characters must wait for the port to be idle</li> <li>I2C logic needs to slow the clock down</li> <li>SPI logic may also need to slow the clock down</li> </ul> |
| Examples                                                                                           | Objectives:                                                                                                                                                                                                                        |
| Ex: Busy<br>▷ Counter                                                                              | <ul> <li>Gain some confidence using formal methods to prove that</li> </ul>                                                                                                                                                        |
| k Induction                                                                                        | alternative designs are equivalent                                                                                                                                                                                                 |
| Bus Properties                                                                                     |                                                                                                                                                                                                                                    |
| Abstraction                                                                                        |                                                                                                                                                                                                                                    |
| Invariants                                                                                         |                                                                                                                                                                                                                                    |
| Multiple-Clocks                                                                                    |                                                                                                                                                                                                                                    |
| Cover                                                                                              |                                                                                                                                                                                                                                    |
| Sequences                                                                                          |                                                                                                                                                                                                                                    |
| Parting Thoughts                                                                                   |                                                                                                                                                                                                                                    |

### **G** Exercise: Busy Counter

Here's the basic design. It should look familiar. Welcome Motivation process(i\_clk) Basics begin Clocked and \$past if (rising\_edge(i\_clk)) then Past if (i\_reset) then \$past Rule Past Assertions counter  $\leq to_unsigned(0, 16);$ Past Valid elsif ((i\_start\_signal = '1') Examples and (0 = counter) then Ex: Busy  $\triangleright$  Counter counter  $\leq$  to\_unsigned(MAX\_AMOUNT - 1, 16); k Induction elsif (0 /= counter) then **Bus Properties** counter  $\leq$  counter -1: Free Variables end if: Abstraction end if; Invariants end process; Multiple-Clocks Cover o\_busy  $\leq '0'$  when (0 = counter) else '1'; Sequences Parting Thoughts

### **G** Exercise: Busy Counter

| Welcome            |          |
|--------------------|----------|
|                    | E        |
| Motivation         | L        |
| Basics             | 1        |
| Clocked and \$past | <b>–</b> |
| Past               |          |
| \$past Rule        | 2        |
| Past Assertions    | 2        |
| Past Valid         |          |
| Examples           | ~        |
| Ex: Busy           | Ĵ        |
| ▷ Counter          |          |
| k Induction        |          |
| Bus Properties     |          |
| Free Variables     | /        |
| Abstraction        | 4        |
| Invariants         |          |
| Multiple-Clocks    |          |
| Cover              |          |
| Sequences          |          |
| Parting Thoughts   |          |

You can find the design in exercise-03/busyctr.vhd. Exercise: Create the following properties:

- . i\_start\_signal may be raised at any time No property needed here
- Once raised, assume i\_start\_signal will remain high until it is high and the counter is no longer busy.
- 3. o\_busy will always be true while the counter is non-zero Make sure you check o\_busy both when counter == 0 and counter != 0

This requires an assertion

 If the counter is non-zero, it should always be counting down Beware of the reset!

This requires another assertion

### **G** Exercise: Busy Counter

#### Let's draw this requirement out

2. Once raised, *assume* i\_start\_signal will remain high until it is high and the counter is no longer busy.



| <u>۱۸/ما</u> | como |
|--------------|------|
| vve          | come |

Motivation

Basics

Clocked and \$past

Past

\$past Rule

Past Assertions

Past Valid

Examples

Ex: Busy ▷ Counter

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

### G Busy Counter, Part two

Exercise:

Welcome

Motivation

Basics

Clocked and \$past

Past

\$past Rule

Past Assertions

Past Valid

Examples

Ex: Busy ▷ Counter

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

```
1. Make o_busy a clocked register
```

```
process(i_clk)
begin
    if (rising_edge(i_clk)) then
        o_busy <= --- Your logic goes here
    end if;
end process;</pre>
```

- 2. *Prove* that o\_busy is true if and only if the counter is non-zero
  - You can use this approach to adjust your design to meet timing
    - Shuffle logic from one clock to another, then
    - Prove the new design remains valid

### G

### M

#### Welcome

Motivation

Basics

Clocked and \$past

 $\triangleright k$  Induction

Lesson Overview

vs BMC

General Rule

The Trap

Results

Examples

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

### k Induction

### **G** Lesson Overview

| Welcome                                                                                                                                               |
|-------------------------------------------------------------------------------------------------------------------------------------------------------|
| Motivation                                                                                                                                            |
| Basics                                                                                                                                                |
| Clocked and \$past                                                                                                                                    |
| <ul> <li>k Induction</li> <li>▷ Lesson Overview</li> <li>vs BMC</li> <li>General Rule</li> <li>The Trap</li> <li>Results</li> <li>Examples</li> </ul> |
| Bus Properties                                                                                                                                        |
| Free Variables                                                                                                                                        |
| Abstraction                                                                                                                                           |
| Invariants                                                                                                                                            |
| Multiple-Clocks                                                                                                                                       |
| Cover                                                                                                                                                 |
| Sequences                                                                                                                                             |
| Parting Thoughts                                                                                                                                      |

If you want to formally verify your design, BMC is insufficient

- Bounded Model Checking (BMC) will only prove that your design is correct for the first N clocks.
- $\hfill\square$  It cannot prove that the design won't fail on the next clock, clock N+1
- This is the purpose of the *induction* step: proving correctness for all time

#### Our Goals

- Be able to explain what induction is
- Be able to explain why induction is valuable
- Know how to run induction
- What are the unique problems associated with induction

### G From Pre-Calc

Welcome

Motivation

Basics

Clocked and \$past

k Induction

▷ Lesson Overview

vs BMC

General Rule

The Trap

Results

Examples

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

Proof by induction has two steps:

1. **Base case:** Prove for N = 0 (or one)

2. Inductive step: Assume true for N, prove true for N + 1.

Example: Prove 
$$\sum_{n=0}^{N-1} x^n = \frac{1-x^N}{1-x}$$

• For N = 1, the sum is  $x^0$  or one

$$\sum_{n=0}^{N-1} x^n = x^0 = \frac{1-x}{1-x}$$

So this is true (for  $x \neq 1$ ). For the inductive step, we'll

- Assume true for N, then prove for N+1

### **Proof**, continued

Welcome

Motivation

Basics

Clocked and \$past

k Induction

▷ Lesson Overview

vs BMC

General Rule

The Trap

Results

Examples

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

Prove  $\sum_{n=1}^{N-1} x^n = \frac{1-x^N}{1-x}$  for all Nn=0Assume true for  $N,\ensuremath{\mathsf{, prove for }} N+1$  $\sum_{n=0}^{N} x^{n} = x^{N} + \sum_{n=0}^{N-1} x^{n} = x^{N} + \frac{1-x^{N}}{1-x}$ Prove for N+1 $\sum_{n=1}^{N} x^{n} = \frac{1-x}{1-x}x^{N} + \frac{1-x^{N}}{1-x}$ n = 0 $= \frac{x^N - x^{N+1} + 1 - x^N}{1 - x} = \frac{1 - x^{N+1}}{1 - x}$ 

This proves the inductive case. Hence this is true for all N (where N > 0 and  $x \neq 1$ )

87 / 285

Welcome

Motivation

Basics

Clocked and \$past

k Induction

▷ Lesson Overview

vs BMC

General Rule

The Trap

Results

Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

Suppose  $\forall n : P[n]$  is what we wish to prove

Traditional induction

- Base case: show P[0]- Inductive case: show  $P[n] \rightarrow P[n+1]$ 

 $\square$  k induction

- Base case: show 
$$\bigwedge_{k=0}^{N-1} P[k]$$

- k-induction step: 
$$\left(\bigwedge_{k=n-N+1}^{n} P[k]\right) \rightarrow P[n+1]$$

Welcome

Motivation

Basics

Clocked and \$past

k Induction

▷ Lesson Overview

vs BMC

General Rule

The Trap

Results

Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

Suppose  $\forall n : P[n]$  is what we wish to prove

Traditional induction

Base case: show P [0]
Inductive case: show P [n] → P [n + 1]
k induction
Base case: show <sup>N-1</sup> <sub>k=0</sub> <sub>P [k]</sub>
This is what we did with BMC
k-induction step: ( <sup>n</sup> <sub>k=n-N+1</sub> P [k] ) → P [n + 1]

Welcome

Motivation

Basics

Clocked and \$past

k Induction

▷ Lesson Overview

vs BMC

General Rule

The Trap

Results

Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

Suppose  $\forall n : P[n]$  is what we wish to prove

Traditional induction

- Base case: show P[0]- Inductive case: show  $P[n] \rightarrow P[n+1]$ 

**A T** 

 $\square$  k induction

- Base case: show 
$$\bigwedge_{k=0}^{N-1} P[k]$$

- k-induction step: 
$$\left(\bigwedge_{k=n-N+1}^{n} P[k]\right) \to P[n+1]$$

This is our next step

Welcome

Motivation

Basics

Clocked and \$past

k Induction

▷ Lesson Overview

vs BMC

General Rule

The Trap

Results

Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

Suppose  $\forall n : P[n]$  is what we wish to prove

Traditional induction

- Base case: show P[0]- Inductive case: show  $P[n] \rightarrow P[n+1]$ 

 $\square$  k induction

- Base case: show 
$$\bigwedge_{k=0}^{N-1} P[k]$$

- k-induction step: 
$$\left(\bigwedge_{k=n-N+1}^{n} P[k]\right) \rightarrow P[n+1]$$

Why use k induction?

### **G**<sup>-</sup>**Induction in Verification**

#### Welcome Motivation Basics Clocked and \$past k Induction ▷ Lesson Overview vs BMC General Rule The Trap Results Examples **Bus Properties** Free Variables Abstraction Invariants Multiple-Clocks Cover Sequences Parting Thoughts

Formal verification uses k induction

#### Base case:

Assume the first N steps do not violate any assumptions, ... Prove that the first N steps do not violate any assertions. The is the BMC pass we've already done.

#### Inductive Step:

Assume N steps exist that neither violate any assumptions nor any assertions, and

Assume the N + 1 step violates no assumptions, . . .

*Prove* that the N + 1 step does not violate any *assertions*.

### **G**<sup>T</sup> BMC vs Induction



### G General Rule



### **G** Checkers

| Welcome            | 50 |
|--------------------|----|
| Motivation         | П  |
| Basics             |    |
| Clocked and \$past |    |
| k Induction        |    |
| Lesson Overview    |    |
| vs BMC             |    |
| ⊳ General Rule     | W  |
| The Trap           |    |
| Results            |    |
| Examples           |    |
| Bus Properties     |    |
| Free Variables     |    |
| Abstraction        |    |
| Invariants         |    |
| Multiple-Clocks    |    |
| Cover              |    |
| Sequences          |    |

Parting Thoughts

Some assertions:

- Games are played on black squares
- Players will never have more than 12 pieces
- Only legal moves are possible
- Game is over when one side can no longer move

Where might the induction engine start?

# **G**<sup>-</sup> Checkers in the Library

| Welcome                  |         |        |        |            |     |     |  |
|--------------------------|---------|--------|--------|------------|-----|-----|--|
| Motivation               |         |        |        |            |     |     |  |
| Basics                   |         |        |        |            |     |     |  |
| Clocked and \$past       |         |        |        |            |     |     |  |
| k Induction              |         |        |        |            |     |     |  |
| Lesson Overview          |         |        |        |            |     |     |  |
| vs BMC<br>▷ General Rule |         |        |        |            |     |     |  |
| The Trap                 |         |        |        |            |     |     |  |
| Results                  |         | $\sim$ |        |            |     |     |  |
| Examples                 |         |        |        |            |     |     |  |
| Bus Properties           |         |        |        |            |     |     |  |
| Free Variables           |         |        |        |            |     |     |  |
| Abstraction              |         |        |        | $\bigcirc$ |     |     |  |
| Invariants               |         |        |        |            |     |     |  |
| Multiple-Clocks          |         |        |        |            |     |     |  |
| Cover                    |         |        |        |            |     |     |  |
| Sequences                | Black's | going  | g to i | move       | and | win |  |
| Parting Thoughts         |         |        |        |            |     |     |  |

 $\sim$ 

### **G**<sup>-</sup> Checkers in the Library

| Welcome            |   |        |      |      |     |       |     |  |
|--------------------|---|--------|------|------|-----|-------|-----|--|
| Motivation         |   |        |      |      |     |       |     |  |
| Basics             |   |        |      |      |     |       |     |  |
| Clocked and \$past |   |        |      |      |     |       |     |  |
| k Induction        |   |        |      |      |     |       |     |  |
| Lesson Overview    |   |        |      |      |     |       |     |  |
| vs BMC             |   |        |      |      |     |       |     |  |
| ⊳ General Rule     |   |        |      |      |     |       |     |  |
| The Trap           |   |        |      |      |     |       |     |  |
| Results            |   |        |      |      |     |       |     |  |
| Examples           |   |        |      |      |     |       |     |  |
| Bus Properties     |   |        |      |      |     |       |     |  |
| Free Variables     |   |        |      |      |     |       |     |  |
| Abstraction        |   |        |      |      |     |       |     |  |
| Invariants         |   |        |      |      |     |       |     |  |
| Multiple-Clocks    |   |        |      |      |     |       |     |  |
| Cover              |   |        | -    |      |     | -     | _   |  |
| Sequences          | W | hite's | goin | g to | mov | e and | win |  |
| Parting Thoughts   |   |        |      |      |     |       |     |  |

### **G** Checkers in the Library

| Welcome    |  |
|------------|--|
| Motivation |  |
|            |  |

Basics

Clocked and \$past

k Induction

Lesson Overview

vs BMC

▷ General Rule

The Trap

Results

Examples

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts



Black's going to ..., huh?

### **G**<sup>-</sup> Checkers in the Library

| vveicome           |            |
|--------------------|------------|
| Motivation         |            |
| Basics             |            |
| Clocked and \$past |            |
| k Induction        |            |
| Lesson Overview    |            |
| vs BMC             | )          |
| ⊳ General Rule     |            |
| The Trap           |            |
| Results            |            |
| Examples           |            |
| Bus Properties     | $\bigcirc$ |
| Free Variables     |            |
| Abstraction        |            |
| Invariants         |            |
| Multiple-Clocks    |            |
|                    |            |

Cover

Sequences

Parting Thoughts



Would this pass our criteria?

### G Checkers and Induction

#### What can we learn from Checkers?

Motivation

Welcome

Basics

Clocked and \$past

k Induction

Lesson Overview

vs BMC

▷ General Rule

The Trap

Results

Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

Inductive step starts in the *middle of the game* Only the assumptions and asserts are used to validate the game

All of the FF's (variables) start in arbitrary states These states are *only* constrained by your assumptions and assertions.

 Your formal constraints are required to limit the allowable states

# G The Trap



### **G**<sup>T</sup> The Solution

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Lesson Overview

vs BMC

General Rule

▷ The Trap

Results

Examples

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts



To make induction work, you must ....

assume unrealistic inputs will never happen assert any remaining unreachable states are illegal Induction often requires more properties than BMC alone

### **G** Results

| Welcome |  |
|---------|--|
|         |  |

Motivation

Basics

Clocked and \$past

k Induction

Lesson Overview

vs BMC

General Rule

The Trap

 $\triangleright$  Results

Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

Unlike BMC, the results of induction might be inconclusive



The k induction pass will fail if your design doesn't have enough assertions.

## **G** Results

#### Welcome Motivation Basics Clocked and \$past k Induction Lesson Overview vs BMC General Rule The Trap $\triangleright$ Results Examples **Bus Properties** Free Variables Abstraction Invariants Multiple-Clocks Cover Sequences Parting Thoughts

There's also a difference in when BMC and induction finish

BMC will finish early if the design FAILs
 Induction will finish early if the design PASSes
 In all other cases, they will take a full depth steps

You can use this fact to trim the depth of your proof

- Once induction succeeds, trim your proof depth to that length
  - This will immediately make your proof run that much faster

### **GTExamples**

|                                                 | LXamples                                        |  |
|-------------------------------------------------|-------------------------------------------------|--|
| Welcome                                         | <ul> <li>Let's look at some examples</li> </ul> |  |
| Motivation                                      |                                                 |  |
| Basics                                          |                                                 |  |
| Clocked and \$past                              |                                                 |  |
| <u>k</u> Induction<br>Lesson Overview<br>vs BMC |                                                 |  |
| General Rule                                    |                                                 |  |
| The Trap<br>Results<br>▷ Examples               |                                                 |  |
| Bus Properties                                  |                                                 |  |
| Free Variables                                  |                                                 |  |
| Abstraction                                     |                                                 |  |
| Invariants                                      |                                                 |  |
| Multiple-Clocks                                 |                                                 |  |
| Cover                                           |                                                 |  |
| Sequences                                       |                                                 |  |
| Parting Thoughts                                |                                                 |  |

### G Another Counter

```
This design would pass many steps of BMC
Welcome
Motivation
                  signal counter : unsigned (15 \text{ downto } 0) := 0;
Basics
Clocked and $past
                  process(clk)
k Induction
                  begin
Lesson Overview
                     if (rising_edge(clk)) then
vs BMC
General Rule
                        counter \leq counter + 1;
The Trap
                     end if;
Results
                  end process;
\triangleright Examples
Bus Properties
Free Variables
                  always Q(*)
Abstraction
                              assert (counter < 16' d65000);
Invariants
Multiple-Clocks
                  It will not pass induction.
Cover
                  Can you explain why not?
Sequences
Parting Thoughts
```

### G Another Counter

```
Here's another counter that will pass BMC, but not induction
Welcome
Motivation
                  signal : counter : unsigned (15 \text{ downto } 0) := 0;
Basics
Clocked and $past
                     if (rising_edge(clk)) then
k Induction
                        if (counter = to_unsigned(22, 16)) then
Lesson Overview
                           counter \leq 0:
vs BMC
General Rule
                        else
The Trap
                           counter \leq counter + 1:
Results
                       end if;
\triangleright Examples
                     end if;
Bus Properties
Free Variables
Abstraction
                  always Q(*)
Invariants
                              assert (counter != 16'd500);
Multiple-Clocks
                  Can you explain why not?
Cover
Sequences
Parting Thoughts
```

### G Another Counter

```
With one simple change, this design will now pass induction
Welcome
Motivation
                  signal : counter : unsigned (15 \text{ downto } 0) := 0;
Basics
Clocked and $past
                     if (rising_edge(clk)) then
k Induction
                        if (counter = to_unsigned(22, 16)) then
Lesson Overview
                           counter \leq 0:
vs BMC
General Rule
                        else
The Trap
                           counter \leq counter + 1:
Results
                        end if;
\triangleright Examples
                     end if;
Bus Properties
Free Variables
Abstraction
                  always Q(*)
Invariants
                              assert (counter \leq 16' d22);
Multiple-Clocks
                  See the difference?
Cover
Sequences
Parting Thoughts
```

### **G** Shift Register Comparison

| Welcome<br>Motivation                 | These shift registers will be equal during BMC, but require at least sixteen steps to pass induction |
|---------------------------------------|------------------------------------------------------------------------------------------------------|
| Basics Clocked and \$past k Induction | <pre>signal sa : unsigned(15 downto 0) := 0; signal sb : unsigned(15 downto 0) := 0;</pre>           |
| Lesson Overview<br>vs BMC             | <pre>if (rising_edge(clk)) then</pre>                                                                |
| General Rule<br>The Trap<br>Results   | begin                                                                                                |
| $\triangleright$ Examples             | <pre>sa &lt;= sa(14 downto 0) &amp; i_bit;</pre>                                                     |
| Bus Properties                        | $sb \ll sb(14 \text{ downto } 0) \& i_bit;$                                                          |
| Free Variables Abstraction            | end if;                                                                                              |
| Invariants                            |                                                                                                      |
| Multiple-Clocks                       | always @(*)                                                                                          |
| <u>Cover</u><br>Sequences             | assert(sa[15] = sb[15]);                                                                             |
| Parting Thoughts                      | Can you explain why it would take so long?                                                           |

# **G** Shift Register Comparison

```
This design is almost identical to the last one, yet fails induction.
Welcome
                  The key difference is the if (i_c = '1').
Motivation
Basics
                  signal sa : unsigned (15 \text{ downto } 0) := 0;
Clocked and $past
                  signal sb : unsigned(15 downto 0) := 0;
k Induction
Lesson Overview
                     if (rising_edge(clk)) then
vs BMC
General Rule
                     begin
The Trap
                        if (i_c = '1') then
Results
                          sa <= sa(14 downto 0) & i_bit;</pre>
\triangleright Examples
                          sb \ll sb(14 \text{ downto } 0) \& i_bit;
Bus Properties
                       end if;
Free Variables
                    end if;
Abstraction
Invariants
Multiple-Clocks
                  always Q(*)
Cover
                             assert(sa[15] == sb[15]);
Sequences
Parting Thoughts
                  Can you explain why this wouldn't pass?
```

Motivation

Basics

Clocked and \$past

k Induction

Lesson Overview

vs BMC

General Rule

The Trap

Results

▷ Examples

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

Several approaches to fixing this:

### 1. assume(i\_ce);

| Welcome                                      | Sever |
|----------------------------------------------|-------|
| Motivation                                   | 1. a  |
| Basics                                       | 1. a: |
| Clocked and \$past                           |       |
| <u><i>k</i></u> Induction<br>Lesson Overview | 2. oʻ |
| vs BMC                                       |       |
| General Rule                                 |       |
| The Trap                                     |       |
| Results                                      |       |
| $\triangleright$ Examples                    |       |
| Bus Properties                               |       |
| Free Variables                               |       |
| Abstraction                                  |       |
| Invariants                                   |       |
| Multiple-Clocks                              |       |
| Cover                                        |       |
| Sequences                                    |       |
| Parting Thoughts                             |       |
|                                              |       |

Several approaches to fixing this:

- .. assume(i\_ce);
  - Doesn't really test the design
- . opt\_merge -share\_all, yosys option

| Welcome            |
|--------------------|
| Motivation         |
| Basics             |
|                    |
| Clocked and \$past |
| k Induction        |
| Lesson Overview    |
| vs BMC             |
| General Rule       |
| The Trap           |
| Results            |
| ▷ Examples         |
| Bus Properties     |
| Free Variables     |
| Abstraction        |
| Invariants         |
| Multiple-Clocks    |
| Cover              |
| Sequences          |
| Parting Thoughts   |

Several approaches to fixing this:

- assume(i\_ce); Doesn't really test the design
   opt\_merge -share\_all, yosys option Works for some designs
- 3. assert(sa == sb);

# **G**<sup>-</sup> Fixing Shift Reg

| Welcome                   |
|---------------------------|
| Motivation                |
| Basics                    |
| Clocked and \$past        |
| k Induction               |
| Lesson Overview           |
| vs BMC                    |
| General Rule              |
| The Trap                  |
| Results                   |
| $\triangleright$ Examples |
| Bus Properties            |
| Free Variables            |
| Abstraction               |
| Invariants                |
| Multiple-Clocks           |
| Cover                     |
| Sequences                 |
| Parting Thoughts          |

Several approaches to fixing this:

- assume(i\_ce); Doesn't really test the design
   opt\_merge -share\_all, yosys option Works for some designs
- 3. assert(sa == sb);
  - Best, but only works when sa and sb are visible
- 4. Insist on no more than M clocks between i\_ce's

# **G**<sup>-</sup> Fixing Shift Reg

|                    | Sev |
|--------------------|-----|
| Welcome            | Jev |
| Motivation         | 1   |
| Basics             | Τ.  |
| Clocked and \$past | C   |
| k Induction        | 2.  |
| Lesson Overview    |     |
| vs BMC             | 2   |
| General Rule       | 3.  |
| The Trap           |     |
| Results            | л   |
| ▷ Examples         | 4.  |
| Bus Properties     | 5.  |
| Free Variables     |     |
| Abstraction        |     |
| Invariants         |     |
| Multiple-Clocks    |     |
| Cover              |     |
| Sequences          |     |
| Parting Thoughts   |     |

Several approaches to fixing this:

- assume(i\_ce);
   Doesn't really test the design
   opt\_merge -share\_all, yosys option
   Works for some designs
- assert(sa == sb);

*Best, but only works when sa and sb are visible* Insist on no more than *M* clocks between i\_ce's

- Use a different prover, under the [engines] option
  - smtbmc
  - abc pdr
  - aiger suprove

| Welcome                                                     | Sev      | eral approac                                                 |
|-------------------------------------------------------------|----------|--------------------------------------------------------------|
| Motivation<br>Basics                                        | 1.       | assume(i_c<br>Doesn't rea                                    |
| Clocked and \$past<br><u>k</u> Induction<br>Lesson Overview | 2.       | opt_merge<br><i>Works for s</i>                              |
| vs BMC<br>General Rule<br>The Trap                          | 3.       | assert(sa =<br>Best, but o                                   |
| Results<br>▷ Examples<br>Bus Properties                     | 4.<br>5. | Insist on no<br>Use a differ                                 |
| Free Variables Abstraction Invariants Multiple-Clocks Cover |          | <ul> <li>smtbmc</li> <li>abc pdr</li> <li>aiger s</li> </ul> |
| Sequences<br>Parting Thoughts                               |          |                                                              |
|                                                             |          |                                                              |

thes to fixing this: :e); ally test the design -share\_all, yosys option some designs = sb); only works when sa and sb are visible b more than M clocks between i\_ce's rent prover, under the [engines] option Inconclusive Proof (Induction fails) Pass

- r
  - Pass suprove

| Welcome                                                                                                               | Several approaches to fixing this:                                                                                                                                                                                                                                                                                                             |
|-----------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| MotivationBasicsClocked and \$pastk InductionLesson Overviewvs BMCGeneral RuleThe TrapResults▷ ExamplesBus Properties | <ol> <li>assume(i_ce);<br/>Doesn't really test the design</li> <li>opt_merge -share_all, yosys option<br/>Works for some designs</li> <li>assert(sa == sb);<br/>Best, but only works when sa and sb are visible</li> <li>Insist on no more than M clocks between i_ce's</li> <li>Use a different prover, under the [engines] option</li> </ol> |
| Free Variables Abstraction Invariants Multiple-Clocks Cover Sequences Parting Thoughts                                | <ul> <li>smtbmc</li> <li>abc pdr</li> <li>aiger suprove</li> <li>Most of these options work for <i>some</i> designs only</li> </ul>                                                                                                                                                                                                            |

|                           | SymbiYosys                            |                                        |
|---------------------------|---------------------------------------|----------------------------------------|
| Welcome                   | Here's how we'll change our sby file: | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| Motivation                | [options]                             |                                        |
| Basics                    | mode prove                            |                                        |
| Clocked and \$past        | [engines]                             |                                        |
| <u>k</u> Induction        | smtbmc                                |                                        |
| Lesson Overview<br>vs BMC | [script]                              |                                        |
| General Rule              | read -vhdl lfsr_fib.vhd               |                                        |
| The Trap<br>Results       | <b>read</b> -vhdl dblpipe.vhd         |                                        |
| > Examples                | <b>read</b> -formal dblpipe_vhd.sv    |                                        |
| Bus Properties            | prep —top dblpipe                     |                                        |
| Free Variables            | opt_merge -share_all                  |                                        |
| Abstraction               | [files]                               |                                        |
| Invariants                | lfsr_fib.vhd                          |                                        |
| Multiple-Clocks           | dblpipe.vhd                           |                                        |
| Cover                     | dblpipe_vhd.sv                        |                                        |
| Sequences                 |                                       |                                        |
| Parting Thoughts          |                                       |                                        |
|                           |                                       |                                        |

|                           | Sympleosys                                             |  |
|---------------------------|--------------------------------------------------------|--|
| Welcome                   | Here's how we'll change our sby file:                  |  |
| Motivation                | [options]                                              |  |
| Basics                    | <b>mode</b> prove $\leftarrow$ Use BMC and k-induction |  |
| Clocked and \$past        | [engines]                                              |  |
| k Induction               | smtbmc                                                 |  |
| Lesson Overview<br>vs BMC | [script]                                               |  |
| General Rule              | read -vhdl lfsr_fib.vhd                                |  |
| The Trap<br>Results       | <b>read</b> -vhdl dblpipe.vhd                          |  |
| $\triangleright$ Examples | <b>read</b> -formal dblpipe_vhd.sv                     |  |
| Bus Properties            | <b>prep</b> —top dblpipe                               |  |
| Free Variables            | opt_merge -share_all                                   |  |
| Abstraction               | [files]                                                |  |
| Invariants                | lfsr_fib.vhd                                           |  |
| Multiple-Clocks           | dblpipe.vhd                                            |  |
| Cover                     | dblpipe_vhd.sv                                         |  |
| Sequences                 |                                                        |  |
| Parting Thoughts          |                                                        |  |
|                           |                                                        |  |

|                           | SymbiYosys                                     | ٨ |
|---------------------------|------------------------------------------------|---|
| Welcome                   | Here's how we'll change our sby file:          | • |
| Motivation                | [options]                                      |   |
| Basics                    | mode prove                                     |   |
| Clocked and \$past        | [engines]                                      |   |
| <u>k</u> Induction        | smtbmc - Other potential engines would go here |   |
| Lesson Overview<br>vs BMC | [script]                                       |   |
| General Rule              | read -vhdl lfsr_fib.vhd                        |   |
| The Trap<br>Results       | read -vhdl dblpipe.vhd                         |   |
| ▷ Examples                | <pre>read -formal dblpipe_vhd.sv</pre>         |   |
| Bus Properties            | <pre>prep -top dblpipe</pre>                   |   |
| Free Variables            | opt_merge -share_all                           |   |
| Abstraction               | [files]                                        |   |
| Invariants                | lfsr_fib.vhd                                   |   |
| Multiple-Clocks           | dblpipe.vhd                                    |   |
| Cover                     | dblpipe_vhd.sv                                 |   |
| Sequences                 |                                                |   |
| Parting Thoughts          |                                                |   |
|                           |                                                |   |

|                           | SymbiYosys                                             |
|---------------------------|--------------------------------------------------------|
| Welcome                   | Here's how we'll change our sby file:                  |
| Motivation                | [options]                                              |
| Basics                    | mode prove                                             |
| Clocked and \$past        | [engines]                                              |
| k Induction               | smtbmc                                                 |
| Lesson Overview<br>vs BMC | [script]                                               |
| General Rule              | read -vhdl lfsr_fib.vhd                                |
| The Trap                  | read -vhdl dblpipe.vhd                                 |
| Results<br>▷ Examples     | read -formal dblpipe_vhd.sv                            |
| Bus Properties            | prep -top dblpipe                                      |
| Free Variables            | opt_merge -share_all - Here's where opt_merge would go |
| Abstraction               | [files]                                                |
| Invariants                | lfsr_fib.vhd                                           |
|                           | dblpipe.vhd                                            |
| Multiple-Clocks           | dblpipe_vhd.sv                                         |
| Cover                     |                                                        |
| Sequences                 |                                                        |
| Parting Thoughts          |                                                        |

# G Ex: DblPipe

```
Welcome
Motivation
Basics
Clocked and $past
k Induction
Lesson Overview
vs BMC
General Rule
The Trap
Results
\triangleright Examples
Bus Properties
Free Variables
Abstraction
Invariants
Multiple-Clocks
Cover
Sequences
```

Parting Thoughts

#### Exercise #4: dblpipe.vhd

```
one: lfsr_fib port map (
    i_clk => i_clk, i_reset => '0',
    i_ce => i_ce, i_in => i_data,
    o_bit => a_data);
```

```
two: lfsr_fib port map (
    i_clk => i_clk, i_reset => '0',
    i_ce => i_ce, i_in => i_data,
    o_bit => b_data);
```

```
process(a_data, b_data)
begin
```

```
o_data <= a_data xor b_data;
```

```
end process;
```

107 / 285

# **G** Ex: DblPipe

Exercise #4: dblpipe.vhd

#### Welcome

Motivation

Basics

Clocked and \$past

k Induction

Lesson Overview

vs BMC

General Rule

The Trap

Results

 $\triangleright$  Examples

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

 lfsr\_fib just implements a Fibonacci linear feedback shift register,



| sreg(LN-2  downto  0) <= sreg(LN-1  downto  1) | 1);   |
|------------------------------------------------|-------|
| sreg(LN-1) <= (xor (sreg and TAPS)) xor i      | l_in; |

# **GTEx:** DblPipe

| Welcome                | Exercise #4: dblpipe.vhd, lfsr_fib.vhd              |
|------------------------|-----------------------------------------------------|
| Motivation             | <pre>process(i_clk)</pre>                           |
| Basics                 | begin                                               |
| Clocked and \$past     | if (rising_edge(i_clk)) then                        |
| k Induction            | if (i_reset = '1') then                             |
| Lesson Overview        | sreg <= INITIAL_FILL;                               |
| vs BMC<br>General Rule | elsif (i_ce = '1') then                             |
| The Trap               |                                                     |
| Results                | sreg(LN-2  downto  0) <= sreg(LN-1  downto  1);     |
| ▷ Examples             | $sreg(LN-1) \ll (xor (sreg and TAPS))$              |
| Bus Properties         | xor i_in;                                           |
| Free Variables         | end if;                                             |
| Abstraction            | end if;                                             |
| Invariants             | end process;                                        |
| Multiple-Clocks        |                                                     |
| Cover                  | $o_bit \leq sreg(0);$                               |
| Sequences              |                                                     |
| Parting Thoughts       | Both registers one and two use the exact same logic |

# **G** Ex: DblPipe

| Wel | come |
|-----|------|
|     |      |

Motivation

Basics

Clocked and \$past

k Induction

Lesson Overview

vs BMC

General Rule

The Trap

Results

▷ Examples

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

Exercise #4:

- Using dblpipe.vhd
  - Prove that the output, o\_data, is zero

# **G** Ex: LFSRs

| Welcome                                                                                                                                                             | Galois and Fibonacci are supposedly identical                                                                                     |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|
| Motivation<br>Basics<br>Clocked and \$past                                                                                                                          | □ Galois<br><u>Input</u> → ↓ → ↓ → ↓ → ↓ → ↓ → ↓ → ↓ → ↓ → ↓ →                                                                    |
| k InductionLesson Overviewvs BMCGeneral RuleThe TrapResults▷ ExamplesBus PropertiesFree VariablesAbstractionInvariantsMultiple-ClocksCoverSequencesParting Thoughts | <ul> <li>Fibonacci</li> <li>Input Output</li> <li>Exercise #5 will be to prove these two implementations are identical</li> </ul> |

# **G** Ex: LFSRs

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Lesson Overview

vs BMC

General Rule

The Trap

Results

 $\triangleright$  Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

Exercise #5:

- exercise-05/ contains files lfsr\_equiv.vhd, lfsr\_gal.vhd, and lfsr\_fib.vhd.
- Ifsr\_gal.vhd contains a Galois version of an LFSR
- lfsr\_fib.vhd contains a Fibonacci version of the same LFSR
- □ lfsr\_equiv.vhd contains an assertion that these are equivalent

Prove that these are truly equivalent shift registers.

# G Where is the bug?

|                           | $\sim$                                                        |
|---------------------------|---------------------------------------------------------------|
| Welcome                   | Following an induction failure, look over the trace           |
| Motivation                | Signals Wyves 100 ns 1200 ts                                  |
| Basics                    | i_areset_n<br>i_fast_clk                                      |
| Clocked and \$past        | i_slow_clk<br>i_pin A B C                                     |
| k Induction               | o_word[9:0] 180 180 30                                        |
| Lesson Overview           |                                                               |
| vs BMC<br>General Rule    | If you see a problem in section                               |
| The Trap                  |                                                               |
| Results                   | A You have a missing one or more assertions                   |
| $\triangleright$ Examples |                                                               |
| Bus Properties            | You'll only have this problem with induction.                 |
| Free Variables            | B You have a failing assert @(posedge clk)                    |
|                           | C You have a failing assert @(*)                              |
| Abstraction               |                                                               |
| Invariants                | These latter two indicate a potential logic failure, but they |
| Multiple-Clocks           | could still be caused by property failures.                   |
| Cover                     |                                                               |
| Sequences                 |                                                               |
| Parting Thoughts          |                                                               |

### G

### M

#### Welcome

Motivation

Basics

Clocked and \$past

k Induction

 $\triangleright$  Bus Properties

Ex: WB Bus

AXI

Avalon

Wishbone

WB Basics

WB Basics

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

### **Bus Properties**

# GT Ex: WB Bus

| Welcome<br>Motivation                                                                                                                         | We have everyt<br>bus                                                                |
|-----------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------|
| Basics Clocked and \$past k Induction                                                                                                         | <ul> <li>This lesson w</li> <li>Our Objectives:</li> </ul>                           |
| Bus Properties▷ Ex: WB BusAXIAvalonWishboneWB BasicsWB BasicsFree VariablesAbstractionInvariantsMultiple-ClocksCoverSequencesParting Thoughts | <ul> <li>Learn to appractical</li> <li>Learn to bui</li> <li>Help lead up</li> </ul> |

le have everything we need now to write formal properties for a

- This lesson walks through an example the Wishbone Bus Our Objectives:
- Learn to apply formal methods to something imminently practical
- Learn to build the formal description of a bus componentHelp lead up to a bus arbiter component

# G AXI Channels



# G Avalon Channels



# GT Wishbone Channels

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

 $\mathsf{Ex:}\ \mathsf{WB}\ \mathsf{Bus}$ 

AXI Avalon

Avaion

▷ Wishbone

WB Basics

WB Basics

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts



Why use the Wishbone? *It's simpler!* 

# **G** WB Signals

|                              | VVB Sigi      | nals               |            |
|------------------------------|---------------|--------------------|------------|
| Welcome                      | From the mast | er's perspective:  |            |
| Motivation                   |               | Specification name | My name    |
| Basics                       |               | CYC_O              | o_wb_cyc   |
| Clocked and \$past           |               | STB_O              | o_wb_stb   |
| k Induction                  |               | WE_O               | o_wb_we    |
| Bus Properties<br>Ex: WB Bus |               | ADDR_0             | o_wb_addr  |
| AXI                          |               | DATA_O             | o_wb_data  |
| Avalon<br>Wishbone           |               | SEL_O              | o_wb_sel   |
| → WB Basics                  |               |                    |            |
| WB Basics                    |               | STALL_I            | i_wb_stall |
| Free Variables               |               | ACK_I              | i_wb_ack   |
| Abstraction                  |               | DATA_I             | i_wb_data  |
| Invariants                   |               | ERR_I              | i_wb_err   |
| Multiple-Clocks              |               |                    |            |
| Cover                        |               |                    |            |
| Sequences                    |               |                    |            |
| Parting Thoughts             |               |                    |            |
|                              |               |                    |            |

# **G** WB Signals

|                              | <b>VVB</b> Sigr                            | nals                   |            |     |
|------------------------------|--------------------------------------------|------------------------|------------|-----|
| Welcome                      | From the slave                             | 's perspective:        |            | VV° |
| Motivation                   |                                            | Specification name     | My name    |     |
| Basics                       | -                                          | CYC_I                  | i_wb_cyc   |     |
| Clocked and \$past           |                                            | STB_I                  | i_wb_stb   |     |
| k Induction                  |                                            | WE_I                   | i_wb_we    |     |
| Bus Properties<br>Ex: WB Bus |                                            | ADDR_I                 | i_wb_addr  |     |
| AXI                          |                                            | DATA_I                 | i_wb_data  |     |
| Avalon<br>Wishbone           |                                            | SEL_I                  | i_wb_sel   |     |
| ▷ WB Basics                  | =                                          | STALL_O                | o_wb_stall |     |
| WB Basics                    |                                            | ACK_O                  | o_wb_ack   |     |
| Free Variables               |                                            | DATA_O                 | o_wb_data  |     |
| Invariants                   |                                            |                        |            |     |
| Multiple-Clocks              | <b>–</b>                                   | ERR_O                  | o_wb_err   |     |
| Cover                        | Io swap perspe                             | ectives from master to | slave      |     |
| Sequences                    | <ul> <li>Swap the p</li> </ul>             | ort direction          |            |     |
| Parting Thoughts             | Swap the assume() statements for assert()s |                        |            |     |

# G Single Read

Abstraction

Invariants

Sequences

Cover

Multiple-Clocks

Parting Thoughts



- STB must be low when CYC is low
- If CYC goes low mid-transaction, the transaction is aborted
- While STB and STALL are active, the request cannot change
- One request is made for every clock with STB and !STALL

# G Single Read



# **G** Three Writes

| Welcome                       | CLK            |                                 |
|-------------------------------|----------------|---------------------------------|
| Motivation                    | o_CYC          |                                 |
| Basics                        | o_STB          |                                 |
| Clocked and \$past            | o_WE           |                                 |
| k Induction<br>Bus Properties | o_ADDR         | A1 A2 A3                        |
| Ex: WB Bus<br>AXI             | o_DATA         | D1 D2 D3                        |
| Avalon                        | i_STALL        |                                 |
| Wishbone<br>▷ WB Basics       | i₋ACK          |                                 |
| WB Basics                     | i_DATA         |                                 |
| Free Variables                |                |                                 |
|                               | l et's start l | puilding some formal properties |

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

Let's start building some formal properties

Λ Λ

# G CYC and STB

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Ex: WB Bus

AXI

Avalon

Wishbone

▷ WB Basics

WB Basics

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

The bus starts out idle, and returns to idle after a reset

end

# G CYC and STB

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Ex: WB Bus

AXI

Avalon

Wishbone

▷ WB Basics

WB Basics

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

The bus starts out idle, and returns to idle after a reset

end

STB is low whenever CYC is low

```
always @(*)
if (!o_wb_cyc)
    assert(!o_wb_stb);
```

# **G**<sup>T</sup> The Master Waits

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Ex: WB Bus

AXI

Avalon

Wishbone

▷ WB Basics

WB Basics

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

While STB and STALL are active, the request doesn't change

Did we get it?

# **G**<sup>T</sup> The Master Waits

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Ex: WB Bus

AXI

Avalon

Wishbone

▷ WB Basics

WB Basics

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

While STB and STALL are active, the request doesn't change

Did we get it? Well, not quite
 o\_data is a don't care for any read request

# **G**<sup>T</sup> The Master Waits

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Ex: WB Bus

AXI

Avalon

Wishbone

▷ WB Basics

WB Basics

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

While STB and STALL are active, the request doesn't change

```
assign f_rd_request = { o_stb, o_we, o_addr };
assign f_wr_request = { f_rd_request, o_data };
```

```
always @(posedge clk)
if ((f_past_valid)
    &&($past(o_wb_stb))&&($past(i_wb_stall)))
begin
    // First, for reads—o_data is a don't care
    if ($past(!i_wb_we))
        assert(f_rd_request == $past(f_rd_request))
        // Second, for writes—o_data must not change
    if ($past(i_wb_we))
```

assert(f\_wr\_request == \$past(f\_wr\_request))
end

# G CYC and STB

| WelcomeMotivationBasicsClocked and \$pastk InductionBus PropertiesEx: WB BusAXIAvalonWishboneWB Basics▷ WB BasicsFree VariablesAbstractionInvariants | <ul> <li>No acknowledgements without a request</li> <li>No errors without a request</li> <li>Following any error, the bus cycle ends</li> <li>A bus cycle can be terminated early</li> </ul> | M |
|------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|
| Multiple-Clocks                                                                                                                                      |                                                                                                                                                                                              |   |
| Cover                                                                                                                                                |                                                                                                                                                                                              |   |
| Sequences                                                                                                                                            |                                                                                                                                                                                              |   |
| Parting Thoughts                                                                                                                                     |                                                                                                                                                                                              |   |

# **G** Bus example

```
Welcome
```

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Ex: WB Bus

AXI

Avalon

Wishbone

WB Basics

 $\triangleright$  WB Basics

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

The rule: the slave (external) cannot stall the master more than F\_OPT\_MAXSTALL counts:

```
if (rising_edge(i_clk)) then
    if ((i_reset = '1') or (o_CYC = '0')
            or ((o_STB='1')
                 and (i_stall = '0'))) then
        f_stall_count <= 0;
    else
        f_stall_count <= f_stall_count + 1;
    end if;
end if;</pre>
```

```
always @(posedge clk)
if (o_CYC)
    assume(f_stall_count < F_OPT_MAXSTALL);</pre>
```

This solves the i\_ce problem, this time with the i\_STALL signal

#### **G**<sup>T</sup> Bus example

| Welcome                                                                                                                  | The rule: the slave can only respond to requests                                                                                                                                                                                             |
|--------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| MotivationBasicsClocked and \$pastk InductionBus PropertiesEx: WB BusAXIAvalonWishboneWB Basics▷ WB BasicsFree Variables | <pre>process(i_clk) begin     if (rising_edge(i_clk)) then         f_nreqs &lt;= to_unsigned(0,F_LGDEPTH);         elsif ((i_STB = '1') and (o_STALL = '0')) then         f_nreqs &lt;= f_nreqs + 1;         end if; end process;     </pre> |
| Abstraction<br>Invariants<br>Multiple-Clocks<br>Cover<br>Sequences<br>Parting Thoughts                                   | <pre>always @(*) if (f_nreqs == f_nacks)     assert(!o_ACK); The logic above almost works. Can any one spot the problems?</pre>                                                                                                              |

 $\sqrt{\Lambda}$ 

#### GT Two Exercises

| Welcome            |
|--------------------|
| Motivation         |
| Basics             |
| Clocked and \$past |
| k Induction        |
| Bus Properties     |
| Ex: WB Bus         |
| AXI                |
| Avalon             |
| Wishbone           |
| WB Basics          |
| ▷ WB Basics        |
| Free Variables     |
| Abstraction        |
| Invariants         |
| Multiple-Clocks    |
| Cover              |
| Sequences          |
| Parting Thoughts   |

Let's build up to proving a WB arbiter

Let's prove  $(BMC + k-Induction) \dots$ 

- Exercise #6: A simple arbiter exercise-06/reqarb.vhd
- 2. Exercise #7: Then a Wishbone bus arbiter exercise-07/wbpriarbiter.vhd

Given a set of bus properties: fwb\_slave.v

#### **G** Simple Arbiter



#### **G** Simple Arbiter



#### **G** Simple Arbiter



about starvation here.













Parting Thoughts



Parting Thoughts



### G Multiple Files

| Welcome            |   |
|--------------------|---|
| Motivation         |   |
| Basics             |   |
| Clocked and \$past |   |
| k Induction        |   |
| Bus Properties     |   |
| Ex: WB Bus         |   |
| AXI                |   |
| Avalon             |   |
| Wishbone           |   |
| WB Basics          | П |
| ▷ WB Basics        |   |
| Free Variables     |   |
| Abstraction        |   |
| Invariants         |   |
| Multiple-Clocks    |   |
| Cover              |   |
| Sequences          |   |
| Parting Thoughts   |   |



- Design with multiple files
- They were each formally correct
- Problems?

# G Multiple Files

| Welcome            |  |
|--------------------|--|
| Motivation         |  |
| Basics             |  |
| Clocked and \$past |  |
| k Induction        |  |
| Bus Properties     |  |
| Ex: WB Bus         |  |
| AXI                |  |
| Avalon             |  |
| Wishbone           |  |
| WB Basics          |  |
| ▷ WB Basics        |  |
| Free Variables     |  |
| Abstraction        |  |
| Invariants         |  |
| Multiple-Clocks    |  |
| Cover              |  |
| Sequences          |  |
| Parting Thoughts   |  |



- Design with multiple files
- They were each formally correct
- Problems? Yes! In induction
- State variables needed to be formally synchronized (assert())

#### G Multiple Files



#### G

#### $\mathcal{M}$

#### Welcome

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

 $\triangleright$  Free Variables

Lesson Overview

Formal

Formal

Memory

So what?

Rule

Discussion

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

#### **Free Variables**

#### **Lesson Overview**

| Welcome                                                                                                                                  | When dealing wi                                                                                                            |
|------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|
| Motivation         Basics         Clocked and \$past         k Induction         Bus Properties                                          | <ul> <li>Testing the end</li> <li>Testing an ar</li> <li>It's time to discu</li> <li>Objectives</li> </ul>                 |
| Free Variables▷Lesson OverviewFormalFormalMemorySo what?RuleDiscussionAbstractionInvariantsMultiple-ClocksCoverSequencesParting Thoughts | <ul> <li>Understand w</li> <li>Understand h</li> <li>used to create</li> <li>Learn how yo</li> <li>memory inter</li> </ul> |

ith memory, ... ntire memory is not required

bitrary value is

```
ISS (* anyconst *) and (* anyseq *)
```

- vhat a free variable is
- now (\* anyconst \*) and (\* anyseq \*) can be e free variables
- ou can use free variables to validate memory and faces

| GT                                                                                                                                           | any*                                                                                                                       |
|----------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|
| Welcome<br><u>Motivation</u><br>Basics                                                                                                       | <pre>     (* anyconst *)     (* anyconst *) wire [N-1:0] cval; </pre>                                                      |
| Clocked and \$past         k Induction         Bus Properties         Free Variables         Lesson Overview         ▷ Formal         Formal | <ul> <li>Can be anything</li> <li>Defined at the beginning of time</li> <li>Never changed</li> <li>(* anyseq *)</li> </ul> |
| Memory<br>So what?<br>Rule<br>Discussion                                                                                                     | (* anyseq *) wire $[N-1:0]$ sval;                                                                                          |
| Abstraction<br>Invariants                                                                                                                    | <ul> <li>Can change from one timestep to the next</li> </ul>                                                               |
| Multiple-Clocks<br>Cover                                                                                                                     | Both can still be constrained via assume() statements                                                                      |
| Sequences Parting Thoughts                                                                                                                   |                                                                                                                            |

#### **G** VHDL any\* attributes

```
These properties can be used from within VHDL as well:
Welcome
Motivation
                    These are VHDL attributes in Yosys
                Basics
                    anyconst
                Clocked and $past
                    signal cval : std_logic_vector(N-1 downto 0);
k Induction
Bus Properties
                    attribute anyconst : bit;
Free Variables
Lesson Overview
                    attribute anyconst of cval : signal is '1';
Formal
▷ Formal
Memory
                    anyseq
                So what?
Rule
                    signal sval : std_logic_vector(N-1 downto 0);
Discussion
Abstraction
                    attribute anyseq : bit;
Invariants
                    attribute anyseq of sval : signal is '1';
Multiple-Clocks
Cover
Sequences
Parting Thoughts
```

# G Memory

```
Welcome
```

Motivation

Basics

Clocked and \$past

k Induction

```
Bus Properties
```

Free Variables

Lesson Overview

Formal

Formal

 $\triangleright$  Memory

So what?

Rule

Discussion

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

How might you verify a memory with this?

```
(* \text{ anyconst } *) \text{ wire } [AW-1:0] \text{ f_const_addr}; \\ \text{reg } [DW-1:0] \text{ f_mem_value};
```

### **G** So what?

| Wel | come |
|-----|------|
|     |      |

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

```
Free Variables
```

Lesson Overview

Formal

Formal

Memory

 $\triangleright$  So what?

Rule

Discussion

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

Consider the specification of a prefetch

• The contract

You'll also need to assume a bus input

#### **G** Rule of Free Variables

| Welcome               |
|-----------------------|
| Motivation            |
| Basics                |
| Clocked and \$past    |
| k Induction           |
| Bus Properties        |
| Free Variables        |
| Lesson Overview       |
| Formal                |
| Formal                |
| Memory                |
| So what?              |
| $\triangleright$ Rule |
| Discussion            |
| Abstraction           |
| Invariants            |
| Multiple-Clocks       |
| Cover                 |
| Sequences             |

Parting Thoughts

How would our general rule apply here?

- Assume inputs, assert internal state and outputs
- Both (\* anyconst \*) and (\* anyseq \*) act like inputs
  - You could have written

```
port( .... i_value : in ...; ...);
```

```
always @(posedge i_clk)
    assume(i_value == $past(i_value));
```

```
for the same effect as (* anyconst *)
assume() them therefore, and not assert()
```

#### **Ex: Flash Controller**

```
Welcome
Motivation
Basics
Clocked and $past
k Induction
                        always @(*)
Bus Properties
Free Variables
Lesson Overview
Formal
Formal
Memory
So what?
                        always Q(*)
\triangleright Rule
Discussion
Abstraction
Invariants
Multiple-Clocks
                        ... or something similar
Cover
Sequences
Parting Thoughts
```

This works for a flash (or other ROM) controller too:

```
attribute anyconst of f_addr: signal is '1';
attribute anyconst of f_valid: signal is '1';
```

```
if ((o_wb_ack)&&(f_request_addr == f_addr))
        assert(o_wb_data == f_value);
```

```
Don't forget the corollary assumptions!
```

```
if (f_request_addr == f_addr)
        assume(i_spi_miso
                == f_data[controller_state]);
```

#### G Ex: Serial Port

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Lesson Overview

Formal

Formal

Memory

So what?

 $\triangleright$  Rule

Discussion

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

You can use this to build a serial port transmitter

| attribute | anyseq | of | f_tx_start: | signal | is | '1'; |
|-----------|--------|----|-------------|--------|----|------|
| attribute | anyseq | of | f_tx_data:  | signal | is | '1'; |

```
always @(*)
if (f_tx_busy)
     assume(!f_tx_start);
```

```
always @(posedge f_txclk)
if (f_tx_busy)
        assume(f_tx_data == $past(f_tx_data));
```

You can then

Tie assertions to partially received data

In the second second

#### **G** Discussion

|                    | DISCUSSION                                         | ٨٨  |
|--------------------|----------------------------------------------------|-----|
| Welcome            | How would you use free variables to verify a cache | ۷۷° |
| Motivation         | implementation?                                    |     |
| Basics             |                                                    |     |
| Clocked and \$past |                                                    |     |
| k Induction        |                                                    |     |
| Bus Properties     |                                                    |     |
| Free Variables     |                                                    |     |
| Lesson Overview    |                                                    |     |
| Formal             |                                                    |     |
| Formal             |                                                    |     |
| Memory             |                                                    |     |
| So what?           |                                                    |     |
| Rule               |                                                    |     |
| Discussion         |                                                    |     |
| Abstraction        |                                                    |     |
| Invariants         |                                                    |     |
| Multiple-Clocks    |                                                    |     |
| Cover              |                                                    |     |
| Sequences          |                                                    |     |
| Parting Thoughts   |                                                    |     |

#### **G** Discussion

| Welcome            | How would   |
|--------------------|-------------|
| Motivation         | implementat |
| Basics             |             |
| Clocked and \$past | Hint: you   |
| k Induction        |             |
| Bus Properties     |             |
| Free Variables     |             |
| Lesson Overview    |             |
| Formal             |             |
| Formal             |             |
| Memory             |             |
| So what?           |             |
| Rule               |             |
| Discussion         |             |
| Abstraction        |             |
| Invariants         |             |
| Multiple-Clocks    |             |
| Cover              |             |
| Sequences          |             |
| Parting Thoughts   |             |

How would you use free variables to verify a cache mplementation?

Hint: you only need three properties for the cache contract

#### G

#### $\mathcal{M}$

#### Welcome

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

▷ Abstraction

Lesson Overview

Formal

Proof

Pictures

Examples

Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

#### Abstraction

#### **G** Lesson Overview

| Welcome            |
|--------------------|
| Motivation         |
| Basics             |
| Clocked and \$past |
| k Induction        |
| Bus Properties     |
| Free Variables     |
| Abstraction        |
| ▷ Lesson Overview  |
| Formal             |
| Proof              |
| Pictures           |
| Examples           |
| Exercise           |
| Invariants         |
| Multiple-Clocks    |
| Cover              |
| Sequences          |
| Parting Thoughts   |
|                    |

Proving simple modules is easy.
 What about large and complex ones?

It's time to discus *abstraction*. Objectives

Understand what abstraction is

- Gain confidence in the idea of abstraction
- Understand how to reduce a design via abstraction

#### G Abstraction Formally

Welcome

#### Formally, if

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Lesson Overview

▷ Formal

Proof

Pictures

Examples

Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

 $A \to C$ 

#### then we can also say that

 $(AB) \to C$ 

#### G Formal Proof

| Welcome            | Shall we go over the p | roof?     |
|--------------------|------------------------|-----------|
| Motivation         |                        |           |
| Basics             | $A \to C \Rightarrow$  | $\neg A$  |
| Clocked and \$past |                        | True      |
| k Induction        |                        | (         |
| Bus Properties     |                        | $(\neg A$ |
| Free Variables     |                        | Rea       |
| Abstraction        |                        | $\neg A$  |
| Lesson Overview    |                        |           |
| Formal             |                        |           |
| ▷ Proof            |                        | (-        |
| Pictures           |                        | Exp       |
| Examples           |                        | •         |
| Exercise           |                        | (AE       |
| Invariants         |                        | × ·       |
| Multiple-Clocks    | Q.E.D.!                |           |
| Cover              |                        |           |
| Sequences          |                        |           |
| Parting Thoughts   |                        |           |

 $\Rightarrow \neg A \lor C = \text{True}$ True or anything is still true, so  $(\neg A \lor C) \lor \neg B$ Rearranging terms  $\neg A \lor \neg B \lor C$  $\neg (AB) \lor C$ Expressing as an implication  $(AB) \rightarrow C$ 

# **G** So what?

| Welcome                                             |  |  |  |
|-----------------------------------------------------|--|--|--|
| Motivation                                          |  |  |  |
| Basics                                              |  |  |  |
| Clocked and \$past                                  |  |  |  |
| k Induction                                         |  |  |  |
| Bus Properties                                      |  |  |  |
| Free Variables                                      |  |  |  |
| Abstraction<br>Lesson Overview<br>Formal<br>D Proof |  |  |  |
| Pictures                                            |  |  |  |
| Examples<br>Exercise                                |  |  |  |
| Invariants                                          |  |  |  |
| Multiple-Clocks                                     |  |  |  |
| Cover                                               |  |  |  |
| Sequences                                           |  |  |  |
| Parting Thoughts                                    |  |  |  |

#### With every additional module,

- Formal verification becomes more difficult
- Complexity increases exponentially
- You only have so many hours and dollars
- On the other hand,
- Anything you can simplify by abstraction ...
   is one less thing you need to prove

#### GT In Pictures

| Welcome |  |
|---------|--|
|---------|--|

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Lesson Overview

Formal

Proof

 $\triangleright$  Pictures

Examples

Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts



Suppose your state space looked like this

It takes many transitions required to get to interesting states

#### GT In Pictures

| Welcome | W | el | come |
|---------|---|----|------|
|---------|---|----|------|

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Lesson Overview

Formal

Proof

 $\triangleright$  Pictures

Examples

Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts



Suppose we added to this design ...

- Some additional states, and
  - Additional transitions

The *real* states and transitions must still remain

#### GT In Pictures

Welcome

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Lesson Overview

Formal

Proof

 $\triangleright$  Pictures

Examples

Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts



If this new design still passes, then ...

Since the original design is a subset ...

The original design must also still pass

If done well, the new design will require less effort to prove

# GT A CPU



## GT A CPU



## G Prefetch

П

| Welcome |  |
|---------|--|
|         |  |

Motivation

Basics

Clocked and \$past

k Induction

```
Bus Properties
```

```
Free Variables
```

```
Abstraction
```

Lesson Overview

Formal

Proof

 $\triangleright$  Pictures

Examples

Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

Let's consider a prefetch module as an example.



If you do this right,

- Any internally consistent Prefetch,
- that properly responds to the CPU, and
- interacts properly with the bus,
  - must work!

Care to try a different prefetch approach?

## G Prefetch

|                                                                                                                                                                                                                                                                                 | Prefetch                                                                                                                                                                                                               |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Welcome<br>Motivation<br>Basics<br>Clocked and \$past<br>k Induction<br>Bus Properties<br>Free Variables<br>Abstraction<br>Lesson Overview<br>Formal<br>Proof<br>D> Pictures<br>Examples<br>Exercise<br>Invariants<br>Multiple-Clocks<br>Cover<br>Sequences<br>Parting Thoughts | Suppose the prefetch was just a shell<br>CPU Interface<br>No connection<br>Wishbone Bus<br>It would still interact properly with<br>The bus, and<br>The CPU<br>It just might not return values from the bus to the CPU |

## G Prefetch

Suppose the prefetch was just a shell Welcome **CPU** Interface Motivation Basics No connection Clocked and \$past Wishbone Bus k Induction **Bus Properties** If the CPU still acted "correctly" Free Variables With either the right, or the wrong instructions, then Abstraction Lesson Overview The CPU must act correctly with the right instructions Formal Proof  $\triangleright$  Pictures Examples Exercise Invariants Multiple-Clocks Cover Sequences Parting Thoughts

### **GTExamples**

| Welcome                                                                                                 | Consider these statements: |
|---------------------------------------------------------------------------------------------------------|----------------------------|
| Motivation<br>Basics                                                                                    |                            |
| Clocked and \$past          k       Induction         Bus       Properties         Free       Variables | lf<br>And<br>Then          |
| Abstraction<br>Lesson Overview<br>Formal<br>Proof<br>Pictures<br>▷ Examples<br>Exercise                 |                            |
| Invariants<br>Multiple-Clocks<br>Cover                                                                  |                            |
| Sequences<br>Parting Thoughts                                                                           |                            |

 $\mathcal{M}$ 

| Welcome                   | Co  |
|---------------------------|-----|
|                           |     |
| Motivation                |     |
| Basics                    |     |
| Clocked and \$past        |     |
| k Induction               | ۸   |
| Bus Properties            | An  |
| Free Variables            | The |
| Abstraction               |     |
| Lesson Overview           |     |
| Formal                    |     |
| Proof                     |     |
| Pictures                  |     |
| $\triangleright$ Examples |     |
| Exercise                  |     |
| Invariants                |     |
| Multiple-Clocks           |     |
| Cover                     |     |
| Sequences                 |     |
| Parting Thoughts          |     |

Consider these statements:

Prefetch is bus master, interfaces w/CPU

If (Prefetch responds to CPU insn requests) ad (Prefetch produces the right instructions) en (The prefetch works within the design)

|                    | 6    |
|--------------------|------|
| Welcome            | Con  |
| Motivation         |      |
| Basics             |      |
| Clocked and \$past | 14   |
| k Induction        | 11   |
| Bus Properties     | And  |
| Free Variables     | Then |
| Abstraction        |      |
| Lesson Overview    |      |
| Formal             |      |
| Proof              |      |
| Pictures           |      |
| ▷ Examples         |      |
| Exercise           |      |
| Invariants         |      |
| Multiple-Clocks    |      |
| Cover              |      |
| Sequences          |      |
| Parting Thoughts   |      |

consider these statements:

The CPU is just a wishbone master within a design

```
f (The CPU is valid bus master)
d (CPU properly executes instructions)
n (CPU works within a design)
```

| Welcome            |
|--------------------|
| Motivation         |
| Basics             |
| Clocked and \$past |
| k Induction        |
| Bus Properties     |
| Free Variables     |
| Abstraction        |
| Lesson Overview    |
| Formal             |
| Proof              |
| Disturge           |

Pictures ▷ Examples Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

Consider these statements:

The ALU must return a calculated number

If (ALU returns a value when requested) And (It is the right value) Then (The ALU works within the design)

| Welcome            |   |
|--------------------|---|
| Motivation         |   |
| Basics             |   |
| Clocked and \$past |   |
| k Induction        |   |
| Bus Properties     | _ |
| Free Variables     |   |
| Abstraction        |   |
| Lesson Overview    |   |
| Formal             |   |
| Proof              |   |
| Pictures           |   |
| ▷ Examples         |   |
| Exercise           |   |
| Invariants         |   |
| Multiple-Clocks    |   |
| Cover              |   |
| Sequences          |   |
| Parting Thoughts   |   |

Consider these statements:

- A flash device responds in 8-80 clocks
- If (Bus master reads/responds to a request) And (The response comes back in 8-80 clocks) Then (The CPU can interact with a flash memory)

| Motivation                |
|---------------------------|
| Basics                    |
| Clocked and \$past        |
| k Induction               |
| Bus Properties            |
| Free Variables            |
| Abstraction               |
| Lesson Overview           |
| Formal                    |
| Proof                     |
| Pictures                  |
| $\triangleright$ Examples |
| Exercise                  |
| Invariants                |
| Multiple-Clocks           |
| Cover                     |
| Sequences                 |

Parting Thoughts

Welcome

Consider these statements:

- The divide must return a calculated number
- If (Divide returns a value when requested) And (It is the right value) Then (The divide works within the design)

| Welcome            |   |
|--------------------|---|
| Motivation         |   |
| Basics             |   |
| Clocked and \$past |   |
| k Induction        |   |
| Bus Properties     |   |
| Free Variables     | - |
| Abstraction        |   |
| Lesson Overview    |   |
| Formal             |   |
| Proof              |   |
| Pictures           |   |
| ▷ Examples         |   |
| Exercise           |   |
| Invariants         |   |
| Multiple-Clocks    |   |
| Cover              |   |
| Sequences          |   |
| Parting Thoughts   |   |

Consider these statements:

- Formal solvers break down when applied to multiplies
- If (Multiply unit returns an answer N clocks later) And (It is the right value) Then (The multiply works within the design)

# G Abstracted CPU components

| Welcome                                | Looking at the CPU again,                                                                                                       | • V v |
|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------|-------|
| Motivation                             | CPU                                                                                                                             |       |
| Basics Clocked and \$past              | Register Bus<br>File Arbiter                                                                                                    |       |
| k Induction                            |                                                                                                                                 |       |
| Bus Properties<br>Free Variables       | Instruction Memory<br>Decoder Component                                                                                         |       |
| Abstraction<br>Lesson Overview         |                                                                                                                                 |       |
| Formal<br>Proof                        | ALU Pre-Fetch                                                                                                                   |       |
| Pictures<br>▷ Examples                 | Divide FPU                                                                                                                      |       |
| Exercise                               |                                                                                                                                 |       |
| Invariants<br>Multiple-Clocks          | Formal section                                                                                                                  |       |
| Cover<br>Sequences<br>Parting Thoughts | <ul> <li>Replace all the components with abstract shells</li> <li> shells that <i>might</i> produce the same answers</li> </ul> |       |

#### Back to the Counter

```
Let's consider a fractional counter:
Welcome
Motivation
Basics
Clocked and $past
k Induction
                       begin
Bus Properties
Free Variables
Abstraction
                           end if:
Lesson Overview
                       end process;
Formal
Proof
Pictures
\triangleright Examples
Exercise
                       Invariants
                       Multiple-Clocks
Cover
Sequences
Parting Thoughts
```

```
signal r_count : unsigned(31 downto 0) := 0;
process(i_clk)
  if (rising_edge(i_clk)) then
    (o_pps, r_count) \leq resize(r_count, 33) + 43;
```

#### The problem with this counter

It will take  $100 \times 10^6$  clocks to roll over and set o\_pps Formally checking  $100 \times 10^6$  clocks is prohibitive

We'll need a better way, or we'll never deal with this

#### **G** Back to the Counter

```
Welcome
Motivation
Basics
Clocked and $past
k Induction
Bus Properties
Free Variables
Abstraction
Lesson Overview
Formal
Proof
Pictures
\triangleright Examples
Exercise
Invariants
Multiple-Clocks
Cover
Sequences
```

Parting Thoughts

How might we build an abstract counter?

• First, create an arbitrary counter increment

```
signal increment : unsigned(31 downto 0)
                       := to_unsigned(1, 32);
attribute anyseq of increment : signal is '1';
process(i_clk)
begin
  if (rising_edge(i_clk)) then
    (o_pps, r_count) <= resize(r_count, 33)
                           + increment:
  end if;
end process;
rollover \leq -r_count;
```

We'll constrain this increment next

#### Back to the Counter

Basics

Formal

Proof

Cover

Sequences

Multiple-Clocks

Parting Thoughts

How might we build an abstract counter? Welcome Motivation First, create an arbitrary counter increment Then constrain the arbitrary increment Clocked and \$past always Q(\*) k Induction begin **Bus Properties assume**(increment > 0); Free Variables  $assume(increment < \{ 2'h1, 30'h0 \});$ Abstraction if (rollover < 32'd43) Lesson Overview assume(increment == 32'd43);else Pictures  $\triangleright$  Examples assume(increment < rollover);</pre> Exercise end Invariants

The correct increment, 43, must be a possibility

#### **G** Back to the Counter

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Lesson Overview

Formal

Proof

Pictures

▷ Examples

Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

```
Will this work?
```

Let's try this to see!

```
always @(posedge i_clk)
if (f_past_valid)
    assert(r_count != $past(r_count));
```

#### **G**<sup>T</sup> Other Possibilities

| Welcome                   |  |
|---------------------------|--|
| Motivation                |  |
| Basics                    |  |
| Clocked and \$past        |  |
| k Induction               |  |
| Bus Properties            |  |
| Free Variables            |  |
| Abstraction               |  |
| Lesson Overview           |  |
| Formal                    |  |
| Proof                     |  |
| Pictures                  |  |
| $\triangleright$ Examples |  |
| Exercise                  |  |
| Invariants                |  |
| Multiple-Clocks           |  |
| Cover                     |  |
| Sequences                 |  |
| Parting Thoughts          |  |

How else might you use this?

- Bypassing the runup for an external peripheral
- Testing a real-time clock or date
- Or ... how about that CPU?

#### **Exercise** Welcome o\_carry (On rollover) 32-bit Counter Motivation Basics Clocked and \$past k Induction Clock **Bus Properties** Free Variables Let's modify this abstract counter Abstraction Increment by one, rather than fractionally Lesson Overview Formal

Exercise Objectives:

Prove a design works both with and without abstraction
 Gain some confidence using abstraction

Multiple-Clocks

 $\triangleright$  Exercise

Invariants

Cover

Proof Pictures Examples

Sequences

Parting Thoughts

## **G** Exercise #8

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Lesson Overview

Formal

Proof

Pictures

Examples

⊳ Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

Your task:

- Rebuild the counter
- Make it increment by one
  - Build it so that ...

```
always @(*)
    assert(o_carry == (r_count == 0));
// and
always @(posedge i_clk)
if ((f_past_valid)&&(!$past(&r_count)))
    assert(!o_carry);
```

Prove that this abstracted counter works

## **G** Exercise #8

#### Welcome

#### Motivation

- Basics
- Clocked and \$past
- k Induction
- Bus Properties
- Free Variables
- Abstraction
- Lesson Overview
- Formal
- Proof
- Pictures
- Examples
- ▷ Exercise
- Invariants
- Multiple-Clocks
- Cover
- Sequences
- Parting Thoughts

- Your task:
- Rebuild the counter
- Make it increment by one
  - Prove that this abstracted counter works

## **G** Exercise #8

Welcome

Motivation

Basics

Clocked and \$past

 $\boldsymbol{k}$  Induction

Bus Properties

Free Variables

Abstraction

Lesson Overview

Formal

Proof

Pictures

Examples

▷ Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Parting Thoughts

Your task:

- Rebuild the counter
- Make it increment by one
- Prove that this abstracted counter works

#### Hints:

- &r\_count must take place before r\_count==0
- You cannot skip &r\_count
- Neither can you skip  $r\_count == 0$

#### G



#### Welcome

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

▷ Invariants

Lesson Removed

Multiple-Clocks

Cover

Sequences

Parting Thoughts

#### Invariants

## G Lesson Removed

| Welcome       This lesson is currently being revised, and will be released again shortly         Basics       Clocked and \$past         & Induction       Bus Properties         Free Variables       Abstraction         Invariants       D         D       Lesson Removed         Multiple-Clocks       Cover         Sequences       Parting Thoughts |  |  |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|--|
|                                                                                                                                                                                                                                                                                                                                                           |  |  |

#### G

#### $\mathcal{M}$

#### Welcome

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

 $\triangleright$  Multiple-Clocks

Basics

SBY File

(\* gclk \*)

\$rose

\$stable

Examples

Exercises

Cover

Sequences

Parting Thoughts

#### Multiple-Clocks

#### **G** Lesson Overview

| Wel | come   |  |
|-----|--------|--|
|     | 001110 |  |

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Basics

SBY File

(\* gclk \*) \$rose

\$stable

Examples

Exercises

Cover

Sequences

Parting Thoughts

The SymbiYosys option multiclock ...

- Used to process systems with dissimilar clocks
- Examples

- A serial port, with a formally generated transmitter coming from a different clock domain
- A SPI controller that needs both high speed and low speed logic

#### Our Objective:

- Dearn how to handle multiple clocks within a design
  - (\* gclk \*)
  - \$stable, \$changed
  - \$rose, \$fell

#### **G** SymbiYosys config change

| Welcome              | [options]                             |
|----------------------|---------------------------------------|
| Motivation           | mode prove                            |
| Basics               | multiclock on                         |
| Clocked and \$past   |                                       |
| k Induction          | [engines]                             |
| Bus Properties       | smtbmc                                |
| Free Variables       |                                       |
| Abstraction          | [script]                              |
| Invariants           | read -vhdl module.vhd                 |
| Multiple-Clocks      | <pre>read -formal module_vhd.sv</pre> |
| Basics               | prep -top module                      |
| SBY File             |                                       |
| (* gclk *)<br>\$rose | [files]                               |
| \$stable             | # file list                           |
| Examples             | # The fist                            |
| Exercises            |                                       |
| Cover                |                                       |
| Sequences            |                                       |
| Parting Thoughts     |                                       |

## **G** SymbiYosys config change

| Welcome              | [options]                                         |
|----------------------|---------------------------------------------------|
| Motivation           | mode prove                                        |
| Basics               | multiclock on - Multiple clocks require this line |
| Clocked and \$past   |                                                   |
| k Induction          | [engines]                                         |
| Bus Properties       | smtbmc                                            |
| Free Variables       |                                                   |
| Abstraction          | [script]                                          |
| Invariants           | <pre>read -vhdl module.vhd</pre>                  |
| Multiple-Clocks      | <pre>read -formal module_vhd.sv</pre>             |
| Basics               | <pre>prep -top module</pre>                       |
| SBY File             |                                                   |
| (* gclk *)<br>\$rose | [files]                                           |
| \$stable             | # file list                                       |
| Examples             | # The Tist                                        |
| Exercises            |                                                   |
| Cover                |                                                   |
| Sequences            |                                                   |
| Parting Thoughts     |                                                   |

 $\Lambda$ 

## **Five Tools**

```
Welcome
Motivation
Basics
Clocked and $past
k Induction
Bus Properties
Free Variables
Abstraction
Invariants
Multiple-Clocks
Basics
SBY File
(* gclk *)
$rose
$stable
Examples
Exercises
Cover
Sequences
Parting Thoughts
```

(\* gclk \*)

Provides access to the global formal time-step

**\$stable** 

True if a signal is stable (i.e. doesn't change) with this clock. Equivalent to A == **\$past**(A)

**\$changed** 

True if a signal has changed since the last clock tick. Equivalent to A :=

#### **Srose**

True if the signal rises on this formal time-step This is very useful for positive edged clocks transitions **\$rose**(A) is equivalent to (A[0])&&(!**\$past**(A[0])) **\$fell** 

True if a signal falls on this time-step, creating a negative edge

**\$fell** (A) is equivalent to (!A[0])&&(**\$past**(A[0]))

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Basics

SBY File

▷ (\* gclk \*)

\$rose

\$stable

Examples

Exercises

Cover

Sequences

Parting Thoughts

```
    A global formal time step
```

(\* gclk \*) wire gbl\_clk;

You can use this to describe clock properties

Welcome

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Basics

SBY File

▷ (\* gclk \*)

\$rose

\$stable

 $\mathsf{Examples}$ 

Exercises

Cover

Sequences

Parting Thoughts

#### always @(posedge gbl\_clk)

#### begin

```
f_last_clk <= !f_last_clk;
assume(i_clk == f_last_clk);
```

end

### $f\_last\_clk \frown \last\_clk \_ \last\_clk \frown \last\_clk \_ \la$

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Basics

SBY File

▷ (\* gclk \*)

\$rose

\$stable

Examples

Exercises

Cover

Sequences

Parting Thoughts

Used to gain access to the formal time-step

(\* gclk \*) wire gbl\_clk;

You can use this to describe clock properties

|                    | The clock logic on the last slide forces these two clocks to be in |
|--------------------|--------------------------------------------------------------------|
| Welcome            | The clock logic on the last side forces these two clocks to be in  |
| Motivation         | sync                                                               |
| Basics             | f_clk_counter 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0                  |
| Clocked and \$past |                                                                    |
| k Induction        | i_clk_slow                                                         |
| Bus Properties     |                                                                    |
| Free Variables     |                                                                    |
| Abstraction        |                                                                    |
| Invariants         |                                                                    |
| Multiple-Clocks    |                                                                    |
| Basics             |                                                                    |
| SBY File           |                                                                    |
| ▷ (* gclk *)       |                                                                    |
| \$rose             |                                                                    |
| \$stable           |                                                                    |
| Examples           |                                                                    |
| Exercises          |                                                                    |
| Cover              |                                                                    |
| Sequences          |                                                                    |
| Parting Thoughts   |                                                                    |

```
Used to gain access to the formal time-step
                Welcome
                You can use this to describe clock properties
Motivation
Basics
                   // Assume two clocks , same speed ,
Clocked and $past
                   // unknown constant phase offset
k Induction
                   (* gclk *) wire gbl_clk;
Bus Properties
                   (* anyconst *) wire [2:0] f_clk_offset;
Free Variables
Abstraction
                   initial f_clk_counter= 0;
Invariants
                   always @(posedge gbl_clk)
Multiple-Clocks
                   begin
Basics
                              f_clk_counter <= f_clk_counter + 1'b1;</pre>
SBY File
\triangleright (* gclk *)
                              f clk two <= f clk counter
$rose
                                                  + f clk offset:
$stable
                              assume(i_clk_one == f_clk_counter[2]);
Examples
Exercises
                              assume(i_clk_two == f_clk_two[2]);
Cover
                   end
Sequences
Parting Thoughts
```

| Welcome                  | The formal tool will pick the phase offset between these two                                    |
|--------------------------|-------------------------------------------------------------------------------------------------|
| Motivation               | generated clock waveforms                                                                       |
| Basics                   | $f_clk_counter \ 0 \ 1 \ 2 \ 3 \ 4 \ 5 \ 6 \ 7 \ 8 \ 9 \ 10 \ 11 \ 12 \ 13 \ 14 \ 15 \ 16 \ 17$ |
| Clocked and \$past       | i_clk_one                                                                                       |
| k Induction              |                                                                                                 |
| Bus Properties           | i_clk_two                                                                                       |
| Free Variables           |                                                                                                 |
| Abstraction              |                                                                                                 |
| Invariants               |                                                                                                 |
| Multiple-Clocks          |                                                                                                 |
| Basics                   |                                                                                                 |
| SBY File<br>▷ (* gclk *) |                                                                                                 |
| \$rose                   |                                                                                                 |
| \$stable                 |                                                                                                 |
| Examples                 |                                                                                                 |
| Exercises                |                                                                                                 |
| Cover                    |                                                                                                 |
| Sequences                |                                                                                                 |
| Parting Thoughts         |                                                                                                 |

|                       | How might you describe two unrelated clocks? |
|-----------------------|----------------------------------------------|
| Welcome               | How might you describe two unrelated clocks? |
| Motivation            |                                              |
| Basics                |                                              |
| Clocked and \$past    |                                              |
| k Induction           |                                              |
| Bus Properties        |                                              |
| Free Variables        |                                              |
| Abstraction           |                                              |
| Invariants            |                                              |
| Multiple-Clocks       |                                              |
| Basics                |                                              |
| SBY File              |                                              |
| ▷ (* gclk *)          |                                              |
| \$rose                |                                              |
| \$stable              |                                              |
| Examples<br>Exercises |                                              |
|                       |                                              |
| Cover                 |                                              |
| Sequences             |                                              |
| Parting Thoughts      |                                              |

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Basics

SBY File

▷ (\* gclk \*)

\$rose

\$stable

Examples

Exercises

Cover

Sequences

Parting Thoughts

How might you describe two unrelated clocks?

The (\* anyconst \*) register may take on any constant value You can repeat this logic for the second clock.

# **G**<sup>-</sup> (\* gclk \*)

|                                                                                                                                                                                                                                                                     | (* gclk *)                                                                                                                                                                                                                                                                                                                                                                                    |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Welcome<br>Motivation<br>Basics<br>Clocked and \$past<br>k Induction<br>Bus Properties<br>Free Variables<br>Abstraction<br>Invariants<br>Multiple-Clocks<br>Basics<br>SBY File<br>▷ (* gclk *)<br>\$rose<br>\$stable<br>Examples<br>Exercises<br>Cover<br>Sequences | <ul> <li>The timing relationship between these two clocks can be anything</li> <li>Each clock can have an arbitrary frequency</li> <li>Each clock can have an arbitrary phase</li> <li>Here's a theoretical example trace</li> <li>i_clk_a</li> <li>i_clk_b</li> <li>Don't be surprised by the appearance of phase noise</li> <li>Bonus: The trace above isn't realistic. Why not?</li> </ul> |
| Parting Thoughts                                                                                                                                                                                                                                                    |                                                                                                                                                                                                                                                                                                                                                                                               |

```
Welcome

<u>Motivation</u>

Basics

<u>Clocked and $past</u>

<u>k Induction</u>

<u>Bus Properties</u>

Free Variables
```

Abstraction

Invariants

Multiple-Clocks

Basics

SBY File

(\* gclk \*)

⊳ \$rose

\$stable

Examples

Exercises

Cover

Sequences

Parting Thoughts

Synchronous logic has some requirements

Inputs should *only* change on a clock edge
 They should be stable otherwise

\$rose(i\_clk) can be used to express this

Here's an example using **\$rose**(i\_clk) ...

```
always @(posedge gbl_clk)
if (!$rose(i_clk))
            assume(i_input == $past(i_input));
```

# G \$fell

| Welcome            | <b>\$fell</b> is like <b>\$rose</b> , only it describes a negative edge |
|--------------------|-------------------------------------------------------------------------|
| Motivation         |                                                                         |
| Basics             | i_clk L                                                                 |
| Clocked and \$past | <pre>\$rose(i_clk)</pre>                                                |
| k Induction        |                                                                         |
| Bus Properties     | <b>\$fell</b> (i_clk)                                                   |
| Free Variables     |                                                                         |
| Abstraction        |                                                                         |
| Invariants         |                                                                         |
| Multiple-Clocks    |                                                                         |
| Basics             |                                                                         |
| SBY File           |                                                                         |
| (* gclk *)         |                                                                         |
| ▷ \$rose           |                                                                         |
| \$stable           |                                                                         |
| Examples           |                                                                         |
| Exercises          |                                                                         |
| Cover              |                                                                         |
| Sequences          |                                                                         |
| Parting Thoughts   |                                                                         |

| V | Ve | elco | me |  |
|---|----|------|----|--|
|   |    |      |    |  |

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Basics

SBY File

(\* gclk \*)

⊳ \$rose

\$stable

Examples

Exercises

Cover

Sequences

Parting Thoughts

Let's go back to the synchronous logic requirements

- Inputs only change on clock edges
- \$rose(i\_clk) and \$fell(i\_clk) can be used to express this
   Let's try this out

Would this work?

```
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Free Variables

Abstraction

Invariants

Multiple-Clocks

Basics

SBY File

(* gclk *)
```

> \$rose \$stable Examples Exercises

Cover

Sequences

Parting Thoughts

Let's go back to the synchronous logic requirements

- Inputs only change on clock edges
- \$rose(i\_clk) and \$fell(i\_clk) can be used to express this
   Let's try this out

Would this work?

```
always @(posedge gbl_clk)
if (!$rose(i_clk))
            assert(i_input == $past(i_input));
```

No. The general rule hasn't changed

| come |
|------|
|      |
|      |

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Basics

SBY File

(\* gclk \*)

▷ \$rose

\$stable

Examples

Exercises

Cover

Sequences

Parting Thoughts

Could we do it this way?

| Wel | come   |
|-----|--------|
|     | 001110 |

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Basics

SBY File

(\* gclk \*)

⊳ \$rose

\$stable

Examples

Exercises

Cover

Sequences

Parting Thoughts

Could we do it this way?

No, this doesn't work either



Is this equivalent?

| Welcom | e |
|--------|---|
|        |   |

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Basics

SBY File

(\* gclk \*)

▷ \$rose

\$stable

Examples

Exercises

Cover

Sequences

Parting Thoughts

| Welcome |
|---------|
|---------|

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Basics

SBY File

(\* gclk \*)

⊳ \$rose

\$stable

Examples

Exercises

Cover

Sequences

Parting Thoughts

#### 

□ Why not?

Is this equivalent?



| Wel | come |
|-----|------|
|     | come |

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Basics

SBY File

(\* gclk \*)

▷ \$rose

\$stable

Examples

Exercises

Cover

Sequences

Parting Thoughts

This fixes our problems. Will this work?

|                                                     | <b>+</b> ····                                            | ^   |
|-----------------------------------------------------|----------------------------------------------------------|-----|
| Welcome                                             | This fixes our problems. Will this work?                 | vvv |
| Motivation<br>Basics<br>Clocked and \$past          | <pre>always @(posedge gbl_clk) if (!\$rose(i_clk))</pre> |     |
| k Induction Bus Properties Free Variables           | <ul> <li>Not quite. Can you see the problem?</li> </ul>  |     |
| Abstraction<br>Invariants                           |                                                          |     |
| Multiple-Clocks<br>Basics<br>SBY File<br>(* gclk *) |                                                          |     |
| > \$rose<br>\$stable<br>Examples                    |                                                          |     |
| Exercises<br>Cover                                  |                                                          |     |

Sequences

Parting Thoughts

Welcome

Motivation

Basics

Clocked and \$past

k Induction

```
Bus Properties
```

Free Variables

```
Abstraction
```

Invariants

Multiple-Clocks

Basics

SBY File

(\* gclk \*) ▷ \$rose

\$stable

**PSLADIE** 

Examples Exercises

Cover

Sequences

Parting Thoughts

State/outputs should be clock synchronous

With f\_past\_valid this works



\$rose requires a clock, such as
 always @(posedge gbl\_clk)

# **GT** \$stable

| Welcome                          | D |
|----------------------------------|---|
| Motivation                       | 2 |
| Basics                           | a |
| Clocked and \$past               |   |
| k Induction                      |   |
| Bus Properties                   |   |
| Free Variables                   |   |
| Abstraction                      |   |
| Invariants                       |   |
| Multiple-Clocks                  |   |
| Basics<br>SBY File<br>(* gclk *) |   |
| \$rose                           |   |
| ▷> \$stable                      |   |
| Examples                         |   |
| Exercises                        |   |
| Cover                            |   |
| Sequences                        |   |

Parting Thoughts

Describes a signal which has not changed

Requires a clock edge

```
always @(posedge gbl_clk)
always @(posedge i_clk)
```

This is basically the same as state == **\$past**(state)

# GT \$stable

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Basics

SBY File

(\* gclk \*)

\$rose

▷ \$stable

Examples Exercises

- - -

Cover

Sequences

Parting Thoughts

Caution: **\$stable**(X) might still change between clock edges

```
always @(posedge i_clk)
    assume($stable(i_value));
```

The waveform below would satisfy the assumption above



The key to understanding what's going on is to realize ....

- The assumption is only evaluated on @(posedge i\_clk)
- \$past(i\_value) is only sampled @(posedge i\_clk)

... and not on the formal (\* gclk \*) time step.

# **GTExamples**

|                                                 | Examples                                                                                                                            |
|-------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|
| Welcome<br>Motivation<br>Basics                 | <ul> <li>Most logic doesn't need the multiclock option</li> <li>To help with logic that might need it, I use a parameter</li> </ul> |
| <u>Clocked and \$past</u><br><u>k</u> Induction | <pre>parameter [0:0] F_OPT_CLK2FFLOGIC = 1'b0;</pre>                                                                                |
| Bus Properties<br>Free Variables                | <pre>generate if (F_OPT_CLK2FFLOGIC) begin</pre>                                                                                    |
| Abstraction<br>Invariants                       | (* gclk *) wire gbl_clk;                                                                                                            |
| Multiple-Clocks                                 | always @(posedge gbl_clk)                                                                                                           |
| Basics<br>SBY File                              | <pre>if ((f_past_valid)&amp;&amp;(!\$rose(i_clk)))</pre>                                                                            |
| (* gclk *)                                      | begin                                                                                                                               |
| \$rose                                          | <pre>assume(\$stable(i_axi_awready));</pre>                                                                                         |
| \$stable<br>▷ Examples                          | <pre>assume(\$stable(i_axi_wready));</pre>                                                                                          |
| Exercises                                       |                                                                                                                                     |
| Cover                                           | end                                                                                                                                 |
| Sequences                                       | end endgenerate                                                                                                                     |
| Parting Thoughts                                |                                                                                                                                     |

| Welcome |
|---------|
|---------|

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Basics

SBY File

(\* gclk \*)

\$rose

\$stable

▷ Examples

Exercises

Cover

Sequences

Parting Thoughts

| o_CS_n |  |  |  | V | /V <sup>~</sup> |
|--------|--|--|--|---|-----------------|
| o_SCK  |  |  |  |   |                 |
| o_MOSI |  |  |  |   |                 |
| i_MISO |  |  |  |   |                 |

How would you formally describe the o\_SCK and o\_CS\_n relationship?

ΛΛ.

| Welcome<br><u>Motivation</u><br>Basics<br>Clocked and \$past                                                     | o_CS_n \                                                                                               |
|------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------|
| k       Induction         Bus       Properties         Free       Variables         Abstraction       Invariants | <ul> <li>i_MISO</li> <li>How would you formally describe the o_SCK and o_CS_n relationship?</li> </ul> |
| Multiple-Clocks<br>Basics<br>SBY File<br>(* gclk *)<br>\$rose                                                    | <pre>initial assert(o_CS_n);<br/>initial assert(o_SCK);<br/>always @(*)</pre>                          |
| \$stable<br>▷ Examples<br>Exercises<br>Cover                                                                     | <pre>if (!o_SCK)     assert(!o_CS_n);</pre>                                                            |
| Sequences Parting Thoughts                                                                                       |                                                                                                        |

# **Ex SPI Port**

|                    | $\sim 100$ | Λ. |
|--------------------|------------|----|
| Welcome            | o_CS_n     |    |
| Motivation         |            |    |
| Basics             |            |    |
| Clocked and \$past |            |    |
| k Induction        |            |    |
| Bus Properties     |            |    |

How would you formally describe the o\_SCK and o\_CS\_n relationship?

```
always @(posedge gbl_clk)
if ((f_past_valid)
        &&(($rose(o_CS_n))||($fell(o_CS_n))))
    assert ((o_SCK)&&($stable(o_SCK)));
```

Λ

Parting Thoughts

Free Variables

Multiple-Clocks

Abstraction

Invariants

**Basics** 

\$rose \$stable

SBY File

(\* gclk \*)

Exercises

Sequences

Cover

 $\triangleright$  Examples

| Welcome                | o_CS_n                         |
|------------------------|--------------------------------|
| Motivation             |                                |
| Basics                 |                                |
| Clocked and \$past     |                                |
| k Induction            |                                |
| Bus Properties         | How would you describe o_MOSI? |
| Free Variables         | How would you describe o_MOS1? |
| Abstraction            |                                |
| nvariants              |                                |
| Multiple-Clocks        |                                |
| Basics<br>SBY File     |                                |
| (* gclk *)             |                                |
| \$rose                 |                                |
| \$stable<br>▷ Examples |                                |

Exercises

Cover

Sequences

Parting Thoughts

| Welcome   Motivation   Basics   Clocked and \$past   k Induction   Bus Properties   Free Variables   Abstraction   Invariants   Multiple-Clocks   Basics   SBY File   (* gclk *)   Srose   Sstable   D > Examples   Exercises   Course | (<br><br><br>(o_SCK))) |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|
| Cover<br>Sequences<br>Parting Thoughts                                                                                                                                                                                                 |                        |

| Welcome                | o_CS_n 7                       |
|------------------------|--------------------------------|
| Motivation             |                                |
| Basics                 |                                |
| Clocked and \$past     |                                |
| k Induction            |                                |
| Bus Properties         |                                |
| Free Variables         | How would you describe i_MISO? |
| Abstraction            |                                |
| Invariants             |                                |
| Multiple-Clocks        |                                |
| Basics<br>SBY File     |                                |
| (* gclk *)             |                                |
| \$rose                 |                                |
| \$stable<br>▷ Examples |                                |
| Exercises              |                                |
| Cover                  |                                |
| Sequences              |                                |
| Parting Thoughts       |                                |

| Welcome<br><u>Motivation</u><br>Basics<br><u>Clocked and \$past</u><br><u>k Induction</u><br><u>Bus Properties</u><br>Free Variables | o_CS_n \                                                                                           |
|--------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|
| Abstraction<br>Invariants<br>Multiple-Clocks<br>Basics<br>SBY File                                                                   | <pre>always @(posedge gbl_clk) if ((!o_CS_n)&amp;&amp;(o_SCK))     assume(\$stable(i_MISO));</pre> |
| (* gclk *)<br>\$rose<br>\$stable<br>▷ Examples<br>Exercises<br><u>Cover</u><br><u>Sequences</u><br>Parting Thoughts                  |                                                                                                    |

|        |        | . ^ ^ ^ |
|--------|--------|---------|
|        | o_CS_n | ~VV.    |
| \$past | o_MOSI |         |

Should the i\_MISO be able to change more than once per clock?

Welcome

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Basics

SBY File

(\* gclk \*)

\$rose

\$stable

 $\triangleright$  Examples

Exercises

Cover

Sequences

Parting Thoughts

# **Ex SPI Port**

Welcome clock Motivation Basics always @(posedge gbl\_clk) Clocked and \$past **if** ((o\_CS\_n)||(o\_SCK)) k Induction  $f_chgd \ll 1'b0;$ **Bus Properties** else if (i\_MISO != \$past(i\_MISO)) Free Variables  $f_chgd \ll 1'b1;$ Abstraction Invariants always @(posedge gbl\_clk) Multiple-Clocks if ((f\_past\_valid)&&(f\_chgd)) **Basics** assume(\$stable(i\_MISO)); SBY File (\* gclk \*) \$rose How would we force exactly 8 o\_SCK clocks? \$stable  $\triangleright$  Examples Exercises Cover Sequences Parting Thoughts

A little logic will force i\_MISO to have only one transition per

```
205 / 285
```

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Basics

SBY File

(\* gclk \*)

\$rose

\$stable

 $\triangleright$  Examples

Exercises

Cover

Sequences

Parting Thoughts

```
always @(posedge gbl_clk)
if (o_CS_n)
            f_spi_bits <= 0;
else if ($rose(o_SCK))
            f_spi_bits <= f_spi_bits + 1'b1;
always @(posedge gbl_clk)
if ((f_past_valid)&&($rose(o_CS_n)))
            assert(f_spi_bits == 8);</pre>
```

Don't forget the induction requirement

Forcing exactly 8 clocks

always @(\*)
 assert(f\_spi\_bits <= 8);</pre>

# **G** Exercises

|                                                                                                                                                                                                  | LACICISCS                                                                                                                                                                               | ^ ^ ^ ^ |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|
| Welcome<br>Motivation<br>Basics<br>Clocked and \$past<br>k Induction<br>Bus Properties<br>Free Variables<br>Free Variables<br>Abstraction<br>Invariants<br>Multiple-Clocks<br>Basics<br>CDM File | <pre>Three exercises, chose one to verify: 1. Input serdes     exercises-09/iserdes.vhd 2. Clock gate     exercises-10/clkgate.vhd 3. Clock Switch     exercises-11/clkswitch.vhd</pre> |         |
| Basics<br>SBY File<br>(* gclk *)<br>\$rose<br>\$stable                                                                                                                                           |                                                                                                                                                                                         |         |
| Examples<br>Exercises<br><u>Cover</u><br><u>Sequences</u><br>Parting Thoughts                                                                                                                    |                                                                                                                                                                                         |         |

# **G** Ex: Input Serdes

| WelcomeMotivationBasicsClocked and \$pastk InductionBus PropertiesFree VariablesAbstractionInvariantsMultiple-ClocksBasicsSBY File(* gclk *)\$rose\$stableExamples▷ ExercisesCover | Getting a SERDES right is a good example of multiple clu<br>i_fast_clk |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------|
| <u>Cover</u><br>Sequences<br>Parting Thoughts                                                                                                                                      |                                                                        |
| i arting i noughts                                                                                                                                                                 |                                                                        |

 $\backslash \land$ 

#### **G** Ex: Input Serdes

| M/alaama           | Get |
|--------------------|-----|
| Welcome            |     |
| Motivation         | _   |
| Basics             |     |
| Clocked and \$past |     |
| k Induction        |     |
| Bus Properties     |     |
| Free Variables     |     |
| Abstraction        |     |
| Invariants         |     |
| Multiple-Clocks    |     |
| Basics             |     |
| SBY File           |     |
| (* gclk *)         |     |
| \$rose             |     |
| \$stable           |     |
| Examples           |     |
| ▷ Exercises        |     |
| Cover              |     |
| Sequences          |     |
| Parting Thoughts   |     |

etting a SERDES right is a good example of multiple clocks

- Two clocks, one fast and one slow
  - Clocks must be synchronous \$rose(slow\_clk) implies \$rose(fast\_clk)
- exercise-09/ Contains the file iserdes.v
- Can you formally verify that it works?

#### **G**<sup>-</sup> Ex: Input Serdes

| Welcome            | Be aware of the asynchronous reset signal!                        |
|--------------------|-------------------------------------------------------------------|
| Motivation         |                                                                   |
| Basics             | i_areset_n                                                        |
| Clocked and \$past | i_fast_clk                                                        |
| k Induction        | i_pin                                                             |
| Bus Properties     | i_slow_clk                                                        |
| Free Variables     |                                                                   |
| Abstraction        | o_word <u> </u>                                                   |
| Invariants         |                                                                   |
| Multiple-Clocks    | <ul> <li>Can be asserted at any time</li> </ul>                   |
| Basics<br>SBY File | <ul> <li>Can only be de-asserted on \$rose(i_slow_clk)</li> </ul> |
| (* gclk *)         | assume() these properties, since the reset is an input            |
| \$rose<br>\$stable |                                                                   |
| Examples           |                                                                   |
| ▷ Exercises        |                                                                   |
| Cover              |                                                                   |
| Sequences          |                                                                   |
| Parting Thoughts   |                                                                   |

 $\mathbb{V}$ 

# G Ex: Clock Gate

| Welcome<br>Motivation | The goal: a clock that can be gated, that doesn't glitch<br>Clock Enable |
|-----------------------|--------------------------------------------------------------------------|
| Basics                | Latch Gated                                                              |
| Clocked and \$past    | Clock                                                                    |
| k Induction           |                                                                          |
| Bus Properties        | Clock                                                                    |
| Free Variables        |                                                                          |
| Abstraction           | exercise-10/ Contains the file clkgate.vhd                               |
| Invariants            |                                                                          |
| Multiple-Clocks       |                                                                          |
| Basics                |                                                                          |
| SBY File              |                                                                          |
| (* gclk *)<br>\$rose  |                                                                          |
| \$stable              |                                                                          |
| Examples              |                                                                          |
| ▷ Exercises           |                                                                          |
| Cover                 |                                                                          |
| Sequences             |                                                                          |
| Parting Thoughts      |                                                                          |

# GT Ex: Clock Gate

| Welcome<br><u>Motivation</u><br>Basics<br><u>Clocked and \$past</u><br><i>k</i> Induction                                                               | The goal: a clock that can be gated, that doesn't glitch<br>Clock Enable<br>Latch<br>Clock |
|---------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------|
| Bus PropertiesFree VariablesAbstractionInvariantsMultiple-ClocksBasicsSBY File(* gclk *)\$rose\$stableExamples▷ ExercisesCoverSequencesParting Thoughts | Clock                                                                                      |

## G Ex: Clock Gate

|                    | The goal  |
|--------------------|-----------|
| Welcome            | The goal: |
| Motivation         | □ One c   |
| Basics             | -         |
| Clocked and \$pact | Prove     |
| Clocked and \$past |           |
| k Induction        | — İS      |
| Bus Properties     |           |
| Free Variables     | – Fo      |
| Abstraction        |           |
| Invariants         | See exer  |
| Multiple-Clocks    |           |
| Basics             |           |
| SBY File           |           |
| (* gclk *)         |           |
| \$rose             |           |
| \$stable           |           |
| Examples           |           |
| ▷ Exercises        |           |
| Cover              |           |
| Sequences          |           |
| Parting Thoughts   |           |

he goal: a clock that can be gated, that doesn't glitch

- One clock, one unrelated enable
- Prove that the output clock
  - is always high for the full width, but
  - ... never longer.
  - For any clock rate

```
ee exercise-10/clkgate.v
```

# G Ex: Clock Gate

Hints:

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Basics

SBY File

(\* gclk \*)

\$rose

\$stable

Examples

▷ Exercises

Cover

Sequences

Parting Thoughts

The output clock should only rise if the incoming clock rises The output clock should only fall if the incoming clock fall If the output clock is ever high, it should always fall with the incoming clock

Be aware of the reset! The output clock might fall mid-clock period due to the asynchronous reset.

#### **G** Ex: Clock Switch

| Welcome |  |
|---------|--|
|---------|--|

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Basics

SBY File

(\* gclk \*)

\$rose

\$stable

 $\mathsf{Examples}$ 

▷ Exercises

Cover

Sequences

Parting Thoughts



## **G** Ex: Clock Switch

|                         | Goal: To safely switch from one clock frequency to another      |
|-------------------------|-----------------------------------------------------------------|
| Welcome                 | Goal. To safely switch nom one clock nequency to another        |
| Motivation              | Inputs                                                          |
| Basics                  |                                                                 |
| Clocked and \$past      | <ul> <li>Two arbitrary clocks</li> </ul>                        |
| k Induction             | <ul> <li>One select line</li> </ul>                             |
| Bus Properties          |                                                                 |
| Free Variables          | Prove that the output clock                                     |
| Abstraction             | Is always high (or low) for at least the duration of one of the |
| Invariants              |                                                                 |
| Multiple-Clocks         | clocks                                                          |
| Basics                  | Doesn't stop                                                    |
| SBY File                |                                                                 |
| (* gclk *)              | You may need to constrain the select line.                      |
| \$rose                  |                                                                 |
| \$stable                |                                                                 |
| Examples<br>▷ Exercises |                                                                 |
| Exercises               |                                                                 |
| Cover                   |                                                                 |
| Sequences               |                                                                 |
| Parting Thoughts        |                                                                 |

 $\mathcal{M}$ 

#### GT Ex: Clock Switch

| Welcome            | Hints: |    |
|--------------------|--------|----|
| Motivation         | П      | Yo |
| Basics             |        |    |
| Clocked and \$past |        | Or |
| k Induction        |        |    |
| Bus Properties     |        |    |
| Free Variables     |        |    |
| Abstraction        |        |    |
| Invariants         |        |    |
| Multiple-Clocks    |        |    |
| Basics             |        |    |
| SBY File           |        |    |
| (* gclk *)         |        |    |
| \$rose             |        |    |
| \$stable           |        |    |
| Examples           |        |    |
| ▷ Exercises        |        |    |
| Cover              |        |    |
| Sequences          |        |    |
| Parting Thoughts   |        |    |

You may assume the reset is only ever initially true Only one set of FF's should ever change at any time

#### G



#### Welcome

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

⊳ Cover

Lesson Overview

BMC vs Cover

Cover in Verilog

State Space

SymbiYosys

Examples

Counter

Sequences

Parting Thoughts

#### Cover

# **G** Lesson Overview

| Welcome<br>Motivation                                                                                                                               | The cover element is used to make certain something remains possible                                                                                                                                                              |
|-----------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| BasicsClocked and \$pastk InductionBus PropertiesFree Variables                                                                                     | <ul> <li>BMC and induction test <i>safety</i> properties</li> <li>They prove that something <i>will not</i> happen</li> <li>Cover tests a <i>liveness</i> property</li> <li>It proves that something <i>may</i> happen</li> </ul> |
| AbstractionInvariantsMultiple-ClocksCover▷ Lesson OverviewBMC vs CoverCover in VerilogState SpaceSymbiYosysExamplesCounterSequencesParting Thoughts | <ul> <li>Objectives</li> <li>Understand why cover is important</li> <li>Understand how to use cover</li> </ul>                                                                                                                    |

# GI Why Cover

valid to one ignored sed FV, but couldn't handle writes doesn't make sense. Can it be ually happen? Catching the *careless assumption*! ation traces!

#### G BMC vs Cover



#### **Cover in Verilog**

|                        | · · · · · · · · · · · · · · · · · · ·                                                               |
|------------------------|-----------------------------------------------------------------------------------------------------|
| Welcome                | Just like an assumption or an assertion                                                             |
| Motivation             | // Make sure a write is possible                                                                    |
| Basics                 | always @(posedge i_clk)                                                                             |
| Clocked and \$past     | <b>cover</b> ((o_wb_stb)&&(!i_wb_stall)&&(o_wb_we));                                                |
| k Induction            |                                                                                                     |
| Bus Properties         | // Or                                                                                               |
| Free Variables         |                                                                                                     |
| Abstraction            | // What happens when a bus cycle is aborted?                                                        |
| Invariants             | always @(posedge i_clk)                                                                             |
| Multiple-Clocks        | if (i_reset)                                                                                        |
| Cover                  | $\frac{cover((o_wb_cyc)\&\&(f_wb_outstanding > 0));}{cover((o_wb_cyc)\&\&(f_wb_outstanding > 0));}$ |
| Lesson Overview        |                                                                                                     |
| BMC vs Cover           | Wall almost but not quite                                                                           |
| Cover in Verilog       | Well, almost but not quite.                                                                         |
| State Space            |                                                                                                     |
| SymbiYosys<br>Examples |                                                                                                     |
| Examples<br>Counter    |                                                                                                     |
| Counter                |                                                                                                     |
| Sequences              |                                                                                                     |
| Parting Thoughts       |                                                                                                     |

### G Cover in Verilog

| come |
|------|
|      |
|      |

Motivation

k Induction

**Bus Properties** 

Free Variables

Multiple-Clocks

Lesson Overview

 $\triangleright$  Cover in Verilog

BMC vs Cover

State Space SymbiYosys Examples Counter

Sequences

Parting Thoughts

Abstraction

Invariants

Cover

Clocked and \$past

Basics

Assert and cover handle surrounding logic differently

• Assert logic

is equivalent to,

```
always @(posedge i_clk)
    assert((!A) || (B));
```

This is not true of cover.

## G Cover in Verilog

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Lesson Overview

BMC vs Cover

Cover in Verilog

State Space

SymbiYosys

Examples

Counter

Sequences

Parting Thoughts

Assert and cover handle surrounding logic differently

- Assert logic
- Cover logic

is equivalent to,

# G State Space



# SymbiYosys

| The SymbiƳ<br>□ SymbiƳo<br>□ Produces |
|---------------------------------------|
| -                                     |
| or fai                                |
|                                       |
|                                       |
|                                       |

Yosys script for cover needs to change as well

- osys needs the option: mode cover
- s one trace per cover() statement

| Welcome                  | [options]                             |
|--------------------------|---------------------------------------|
| Motivation               | mode cover                            |
| Basics                   | depth 40                              |
| Clocked and \$past       | append 20                             |
| k Induction              |                                       |
| Bus Properties           | [engines]                             |
| Free Variables           | smtbmc                                |
| Abstraction              |                                       |
| Invariants               | [script]                              |
| Multiple-Clocks          | read -vhdl module.vhd                 |
| Cover                    | <pre>read -formal module_vhd.sv</pre> |
| Lesson Overview          | prep -top module                      |
| BMC vs Cover             |                                       |
| Cover in Verilog         | [files]                               |
| State Space              | [files]                               |
| ▷ SymbiYosys<br>Examples | # file list                           |
| Counter                  |                                       |
| Counter                  |                                       |
| Sequences                |                                       |
| Parting Thoughts         |                                       |

 $\Lambda$ 

| Welcome                         | [options]                             |
|---------------------------------|---------------------------------------|
| Motivation                      | mode cover ← Run a coverage analysis  |
| Basics                          | depth 40                              |
| Clocked and \$past              | append 20                             |
| k Induction                     |                                       |
| Bus Properties                  | [engines]                             |
| Free Variables                  | smtbmc                                |
| Abstraction                     |                                       |
| Invariants                      | [script]                              |
| Multiple-Clocks                 | read -vhdl module.vhd                 |
| Cover                           | <pre>read -formal module_vhd.sv</pre> |
| Lesson Overview                 | <pre>prep -top module</pre>           |
| BMC vs Cover                    |                                       |
| Cover in Verilog<br>State Space | [files]                               |
| State Space                     | # file list                           |
| Examples                        |                                       |
| Counter                         |                                       |
| Sequences                       |                                       |
| Parting Thoughts                |                                       |

 $\sqrt{N}$ 

| Welcome                         | [options]                                      |
|---------------------------------|------------------------------------------------|
| Motivation                      | mode cover                                     |
| Basics                          | depth 40 ← How far to look for a covered state |
| Clocked and \$past              | append 20                                      |
| k Induction                     |                                                |
| Bus Properties                  | [engines]                                      |
| Free Variables                  | smtbmc                                         |
| Abstraction                     |                                                |
| Invariants                      | [script]                                       |
| Multiple-Clocks                 | <pre>read -vhdl module.vhd</pre>               |
| Cover                           | <pre>read -formal module_vhd.sv</pre>          |
| Lesson Overview                 | prep -top module                               |
| BMC vs Cover                    |                                                |
| Cover in Verilog<br>State Space | [files]                                        |
| ▷ SymbiYosys                    | # file list                                    |
| Examples                        |                                                |
| Counter                         |                                                |
| Sequences                       |                                                |
| Parting Thoughts                |                                                |

| Welcome                     | [options]                             | _ |
|-----------------------------|---------------------------------------|---|
| Motivation                  | mode cover                            |   |
| Basics                      | depth 40                              |   |
| Clocked and \$past          | append 20                             |   |
| k Induction                 |                                       |   |
| Bus Properties              | [engines]                             |   |
| Free Variables              | smtbmc                                |   |
| Abstraction                 |                                       |   |
| Invariants                  | [script]                              |   |
| Multiple-Clocks             | read -vhdl module.vhd                 |   |
| Cover                       | <pre>read -formal module_vhd.sv</pre> |   |
| Lesson Overview             | prep -top module                      |   |
| BMC vs Cover                |                                       |   |
| Cover in Verilog            | [files]                               |   |
| State Space<br>▷ SymbiYosys |                                       |   |
| Examples                    | # file list                           |   |
| Counter                     |                                       |   |
| Sequences                   |                                       |   |
| Parting Thoughts            |                                       |   |

 $\sqrt{\sqrt{2}}$ 

|                    | • V V                  |  |
|--------------------|------------------------|--|
| Welcome            | [tasks]                |  |
| Motivation         | prf                    |  |
| Basics             | cvr                    |  |
| Clocked and \$past |                        |  |
| k Induction        | [options]              |  |
| Bus Properties     | prf: <b>mode</b> prove |  |
| Free Variables     | cvr: <b>mode</b> cover |  |
| Abstraction        | depth 40               |  |
| Invariants         |                        |  |
| Multiple-Clocks    | #                      |  |
| Cover              |                        |  |
| Lesson Overview    |                        |  |
| BMC vs Cover       |                        |  |
| Cover in Verilog   |                        |  |
| State Space        |                        |  |
| ⊳ SymbiYosys       |                        |  |
| Examples           |                        |  |
| Counter            |                        |  |
| Sequences          |                        |  |
| Parting Thoughts   |                        |  |

|                    |                        | <u> </u> |
|--------------------|------------------------|----------|
| Welcome            | [tasks]                |          |
| Motivation         | prf                    |          |
| Basics             | cvr                    |          |
| Clocked and \$past |                        |          |
| k Induction        | [options]              |          |
| Bus Properties     | prf: <b>mode</b> prove |          |
| Free Variables     | cvr: <b>mode</b> cover |          |
| Abstraction        | depth 40               |          |
| Invariants         |                        |          |
| Multiple-Clocks    | #                      |          |
| Cover              |                        |          |
| Lesson Overview    |                        |          |
| BMC vs Cover       |                        |          |
| Cover in Verilog   |                        |          |
| State Space        |                        |          |
| ⊳ SymbiYosys       |                        |          |
| Examples           |                        |          |
| Counter            |                        |          |
| Sequences          |                        |          |
| Parting Thoughts   |                        |          |

|                    |                        | <u> </u> |
|--------------------|------------------------|----------|
| Welcome            | [tasks]                |          |
| Motivation         | prf                    |          |
| Basics             | cvr                    |          |
| Clocked and \$past |                        |          |
| k Induction        | [options]              |          |
| Bus Properties     | prf: mode prove        |          |
| Free Variables     | cvr: <b>mode</b> cover |          |
| Abstraction        | depth 40               |          |
| Invariants         |                        |          |
| Multiple-Clocks    | #                      |          |
| Cover              |                        |          |
| Lesson Overview    |                        |          |
| BMC vs Cover       |                        |          |
| Cover in Verilog   |                        |          |
| State Space        |                        |          |
| ▷ SymbiYosys       |                        |          |
| Examples           |                        |          |
| Counter            |                        |          |
| Sequences          |                        |          |
| Parting Thoughts   |                        |          |

 $\neg \Lambda \Lambda \land$ 

| Welcome            | [tasks]                                            |
|--------------------|----------------------------------------------------|
| Motivation         | prf                                                |
| Basics             | cvr                                                |
| Clocked and \$past |                                                    |
| k Induction        | [options]                                          |
| Bus Properties     | prf: <b>mode</b> prove                             |
| Free Variables     | cvr: mode cover - The cvr tasks runs in cover mode |
| Abstraction        | depth 40                                           |
| Invariants         |                                                    |
| Multiple-Clocks    | #                                                  |
| Cover              |                                                    |
| Lesson Overview    |                                                    |
| BMC vs Cover       |                                                    |
| Cover in Verilog   |                                                    |
| State Space        |                                                    |
| ⊳ SymbiYosys       |                                                    |
| Examples           |                                                    |
| Counter            |                                                    |
| Sequences          |                                                    |

Parting Thoughts

M

| Welcome            | [tasks]                | _ |
|--------------------|------------------------|---|
| Motivation         | prf                    |   |
| Basics             | cvr                    |   |
| Clocked and \$past |                        |   |
| k Induction        | [options]              |   |
| Bus Properties     | prf: <b>mode</b> prove |   |
| Free Variables     | cvr: <b>mode</b> cover |   |
| Abstraction        | <b>depth</b> 40        |   |
| Invariants         |                        |   |
| Multiple-Clocks    | #                      |   |
| Cover              |                        |   |
| Lesson Overview    |                        |   |
| BMC vs Cover       |                        |   |
| Cover in Verilog   |                        |   |
| State Space        |                        |   |
| ⊳ SymbiYosys       |                        |   |
| Examples           |                        |   |
| Counter            |                        |   |
| Sequences          |                        |   |
| Parting Thoughts   |                        |   |

|                                 |                                         | <u> </u> |
|---------------------------------|-----------------------------------------|----------|
| Welcome                         | [tasks]                                 | _        |
| Motivation                      | prf                                     |          |
| Basics                          | cvr                                     |          |
| Clocked and \$past              |                                         |          |
| $\underline{k}$ Induction       | [options]                               |          |
| Bus Properties                  | prf: <b>mode</b> prove                  |          |
| Free Variables                  | cvr: <b>mode</b> cover                  |          |
| Abstraction                     | depth 40                                |          |
| Invariants                      |                                         |          |
| Multiple-Clocks                 | #                                       |          |
| Cover                           | ···                                     |          |
| Lesson Overview                 | % sby -f sbyfil.sby now runs both modes |          |
| BMC vs Cover                    |                                         |          |
| Cover in Verilog<br>State Space |                                         |          |
| State Space                     |                                         |          |
| Examples                        |                                         |          |
| Counter                         |                                         |          |
| Sequences                       |                                         |          |
| Parting Thoughts                |                                         |          |

Parting Thoughts

| Welcome                         | [tasks]                                               |
|---------------------------------|-------------------------------------------------------|
| Motivation                      | prf                                                   |
| Basics                          | cvr                                                   |
| Clocked and \$past              |                                                       |
| k Induction                     | [options]                                             |
| Bus Properties                  | prf: <b>mode</b> prove                                |
| Free Variables                  | cvr: <b>mode</b> cover                                |
| Abstraction                     | depth 40                                              |
| Invariants                      |                                                       |
| Multiple-Clocks                 | $\# \dots$                                            |
| Cover                           |                                                       |
| Lesson Overview                 |                                                       |
| BMC vs Cover                    | % sby -f sbyfil.sby cvr will run the cover mode alone |
| Cover in Verilog<br>State Space |                                                       |
| State Space                     |                                                       |
| Examples                        |                                                       |
| Counter                         |                                                       |
| Sequences                       |                                                       |

### **G** Cover Failures



Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Lesson Overview

 $\mathsf{BMC} \mathsf{ vs} \mathsf{ Cover}$ 

Cover in Verilog

State Space

SymbiYosys

Examples

Counter

Sequences

Parting Thoughts



Two basic types of cover failures

- Covered state is unreachable No VCD file will be generated upon failure
- 2. Covered state is reachable, but only by breaking assertions VCD file will be generated

### **G** Ex: I-Cache

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Lesson Overview

BMC vs Cover

Cover in Verilog

State Space

SymbiYosys

Examples

Counter

Sequences

Parting Thoughts

Consider a CPU I-cache:

With no other formal logic, what will this trace look like?

- CPU must provide a PC address
  - Design must fill the appropriate cache line
- Design returns an item from that cache line

That's a lot of trace for two lines of HDL!

# G Ex: Flash

Welcome

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Lesson Overview

BMC vs Cover

Cover in Verilog

State Space

SymbiYosys

Examples

Counter

Sequences

Parting Thoughts

Consider a Flash controller:

With no other formal logic, what will this trace look like? The controller must,

Initialize the flash device

Accept a bus request

Request a read from the flash

Accumulate the result to return on the bus

# GT Ex: MMU

| Welcome                                       | Consider a Memory Management Unit (MMU):                                               |
|-----------------------------------------------|----------------------------------------------------------------------------------------|
| Motivation<br>Basics<br>Clocked and \$past    | <pre>always @(posedge i_clk)</pre>                                                     |
| <u>k</u> Induction<br>Bus Properties          | The MMU must,                                                                          |
| Free Variables                                | $\square Be told a TLB entry$                                                          |
| Abstraction<br>Invariants                     | <ul> <li>Accept a bus request</li> <li>Look the request up in the TLB</li> </ul>       |
| Multiple-Clocks                               | <ul> <li>Forward the modified request downstream</li> <li>Wait for a return</li> </ul> |
| Lesson Overview<br>BMC vs Cover               | <ul> <li>Valt for a return</li> <li>Forward the value returned upstream</li> </ul>     |
| Cover in Verilog<br>State Space<br>SymbiYosys |                                                                                        |
| <ul> <li>Examples</li> <li>Counter</li> </ul> |                                                                                        |
| Sequences<br>Parting Thoughts                 |                                                                                        |

 $\bigwedge$ 

# GT Ex: SDRAM

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Lesson Overview

BMC vs Cover

Cover in Verilog

State Space

SymbiYosys

Examples

Counter

Sequences

Parting Thoughts

#### How about an SDRAM controller?

The controller must,

- Initialize the SDRAM
- Accept a bus request
- Activate a row on a bank
- Issue a read (or write) command from that row
- Wait for a return value
- Return the result

### G Counter

```
Remember our counter?
Welcome
Motivation
                          counts : unsigned(15 downto 0)
                 signal
Basics
                                                := to_unsigned(0, 16);
Clocked and $past
k Induction
                 process(i_clk)
Bus Properties
                 begin
Free Variables
                    if (rising_edge(i_clk)) then
Abstraction
                       if ((i_start_signal = '1')
Invariants
                            and (0 = counts)) then
                         counts \leq  to_unsigned(MAX_AMOUNT-1, 16);
Multiple-Clocks
Cover
                       else
Lesson Overview
                         counts \leq counts -1:
BMC vs Cover
                      end if;
Cover in Verilog
State Space
                    end if;
SymbiYosys
                 end process;
Examples
\triangleright Counter
                 o_busy \leq '1' when (0 = counts) else '0';
Sequences
Parting Thoughts
```

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Lesson Overview BMC vs Cover Cover in Verilog State Space SymbiYosys Examples ▷ Counter

Sequences

Parting Thoughts

Let's add some cover statements...

Will SymbiYosys find traces?

How about now?

| Wel    | come |
|--------|------|
| V V CI | COME |

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Lesson Overview

BMC vs Cover

Cover in Verilog

State Space

SymbiYosys

Examples

⊳ Counter

Sequences

Parting Thoughts

always @(posedge i\_clk)
 cover((o\_busy)&&(counter == 0));

```
Welcome
```

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Lesson Overview

BMC vs Cover

Cover in Verilog

State Space

SymbiYosys

Examples

▷ Counter

Sequences

Parting Thoughts

always @(posedge i\_clk)
 cover((o\_busy)&&(counter == 0));

Or this one,

How about now?

#### Will these succeed?

```
Welcome
```

```
Motivation
```

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Lesson Overview

BMC vs Cover

Cover in Verilog

State Space

SymbiYosys

Examples

▷ Counter

Sequences

Parting Thoughts

Or this one,

How about now?

Will these succeed? No. Both will fail

These are outside the reachable state space

Welcome

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Lesson Overview

BMC vs Cover

Cover in Verilog

State Space

SymbiYosys

Examples

▷ Counter

Sequences

Parting Thoughts

```
What if the state is unreachable?
```

```
// Keep the counter from ever starting
always @(*)
    assume(!i_start_signal);
```

#### Will this succeed?

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Lesson Overview

BMC vs Cover

Cover in Verilog

State Space

SymbiYosys

Examples

▷ Counter

Sequences

Parting Thoughts

```
What if the state is unreachable?
```

```
// Keep the counter from ever starting
always @(*)
    assume(!i_start_signal);
```

Will this succeed? No. This will fail with no trace.

If i\_start\_signal is never true, the cover cannot be reached

Welcome

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

```
Abstraction
```

Invariants

Multiple-Clocks

Cover

Lesson Overview

BMC vs Cover

Cover in Verilog

State Space

SymbiYosys

Examples

⊳ Counter

Sequences

Parting Thoughts

What if an assertion needs to be violated?

```
always @(*)
assert(counter != 10);
```

#### What will happen here?

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Lesson Overview

BMC vs Cover

Cover in Verilog

State Space

SymbiYosys

Examples

▷ Counter

Sequences

Parting Thoughts

```
What if an assertion needs to be violated?
```

```
always @(*)
assert(counter != 10);
```

What will happen here?

- Cover statement is reachable
- But requires an assertion failure, so a trace is generated

### **Clock Switch**

| Welcome            | Covering the clock switch |                                     |     |
|--------------------|---------------------------|-------------------------------------|-----|
| Motivation         | Signals Time              | Waves         300 ns         400 ns |     |
| Motivation         | i_areset_n                |                                     |     |
| Basics             | i_clk_a<br>i clk b        |                                     |     |
| Clocked and \$past | i_sel<br>o_clk            |                                     |     |
| k Induction        | Signals                   | Waves                               |     |
|                    | Time                      | 100 ns 200 ns 300 ns 400 ns         | 500 |
| Bus Properties     | i_areset_n=<br>i_clk_a=   |                                     |     |
| Free Variables     | i_clk_b=                  |                                     |     |
| Abstraction        | o_clk=                    |                                     |     |

Shows the clock switching from fast to slow, and again from slow to fast 

Cover

Invariants

Lesson Overview

Multiple-Clocks

BMC vs Cover

Cover in Verilog

State Space

**SymbiYosys** 

Examples

 $\triangleright$  Counter

Sequences

Parting Thoughts

# **G**<sup>T</sup> Ex #7 Revisited

| Welcome            | R  |
|--------------------|----|
|                    |    |
| Motivation         | 1. |
| Basics             | 2  |
| Clocked and \$past | ۷. |
| k Induction        | 2  |
| Bus Properties     | 3. |
| Free Variables     |    |
| Abstraction        | 4. |
| Invariants         |    |
| Multiple-Clocks    |    |
| Cover              | Ρ  |
| Lesson Overview    |    |
| BMC vs Cover       |    |
| Cover in Verilog   |    |
| State Space        |    |
| SymbiYosys         |    |
| Examples           |    |
| ▷ Counter          |    |
| Sequences          |    |
| Parting Thoughts   |    |

Return to your Wishbone arbiter. Let's cover four cases:

- . Cover both A and B receiving the bus
- Cover how B will get the bus after A gets an acknowledgement
  - Cover how A will get the bus after B gets an acknowledgement
- 1. Add to the last cover
  - B must request while A still holds the bus

Plot and examine traces for each cases. Do they look right?

- If everything works, the first case showing both A and B receiving the bus will FAIL
- No trace is needed from that case
- After getting this failure, you may want to remove it from your cover checks

## **G** Ex #7 Revisited

| Welcome | Э |
|---------|---|
|         | - |

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Lesson Overview

BMC vs Cover

Cover in Verilog

State Space

SymbiYosys

Examples

▷ Counter

Sequences

Parting Thoughts

Notice what we just proved:

1. The arbiter will allow both sources to master the bus

- 2. The arbiter will transition from one source to another
- 3. The arbiter won't starve A or B

This wasn't possible with just the safety properties (assert statements)

## **G** Discussion

|                    | DISCUSSION                 |     |
|--------------------|----------------------------|-----|
|                    | When should you use cover? | VV~ |
| Welcome            | When should you use cover: |     |
| Motivation         |                            |     |
| Basics             |                            |     |
| Clocked and \$past |                            |     |
| k Induction        |                            |     |
| Bus Properties     |                            |     |
| Free Variables     |                            |     |
| Abstraction        |                            |     |
| Invariants         |                            |     |
| Multiple-Clocks    |                            |     |
| Cover              |                            |     |
| Lesson Overview    |                            |     |
| BMC vs Cover       |                            |     |
| Cover in Verilog   |                            |     |
| State Space        |                            |     |
| SymbiYosys         |                            |     |
| Examples           |                            |     |
| ⊳ Counter          |                            |     |
| Sequences          |                            |     |
| Parting Thoughts   |                            |     |

### G



#### Welcome

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

▷ Sequences

Overview

Clocking

Sequences

Exercise

Parting Thoughts

#### Sequences

## **G** Lesson Overview

| Welcome            |
|--------------------|
| Motivation         |
| Basics             |
| Clocked and \$past |
| k Induction        |
| Bus Properties     |
| Free Variables     |
| Abstraction        |
| Invariants         |
| Multiple-Clocks    |
| Cover              |
| Sequences          |
| ▷ Overview         |
| Clocking           |
| Sequences          |
| Exercise           |
| Parting Thoughts   |

SystemVerilog has some amazing formal properties

- property can be assumed or asserted By rewriting our assert's and assume's as properties, we can then control when they are asserted or assumed better.
   bind formal properties to a subset of your design Allows us to (finally) separate the properties from the module they support
- sequence A standard property description language

#### Objectives

Learn the basics of SystemVerilog Assertions
 Gain confidence with yosys+verific

## **G** Building on the past

Welcome

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

▷ Overview

Clocking

Sequences

Exercise

Parting Thoughts

Much of what we've written can easily be rewritten in SVA

always @(\*)
if (A)
 assert(B);

can be rewritten as,

```
assert property (@(posedge i_clk)
        A |-> B);
```

Note that this is now a *clocked* assertion, but otherwise it's equivalent

### **G** Building on the past

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

▷ Overview

Clocking

Sequences

Exercise

Parting Thoughts

Much of what we've written can easily be rewritten in SVA

Can be rewritten as,

```
assert property (@(posedge i_clk)
        A |=> B);
```

## **G** Building on the past

Motivation

Basics

Clocked and \$past

k Induction

```
Bus Properties
```

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

▷ Overview

Clocking

Sequences

Exercise

Parting Thoughts

Much of what we've written can easily be rewritten in SVA

Can be rewritten as,

```
assert property (@(posedge i_clk)
        A |=> B);
```

Read this as A implies B on the next clock tick.

No f\_past\_valid required anymore. This is a statement about the next clock tick, not the last one.

```
These equivalencies apply to as well
```

# **G** Properties

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

▷ Overview

Clocking

Sequences

Exercise

Parting Thoughts

```
You can also declare properties:
```

```
property SIMPLE_PROPERTY;
     @(posedge i_clk) a |=> b;
endproperty
```

assert property(SIMPLE\_PROPERTY);

This would be the same as

## G Assume vs Assert

```
You could also do something like:
Welcome
Motivation
                 parameter [0:0] F_SUBMODULE = 1'b0;
Basics
Clocked and $past
                 generate if (F_SUBMODULE)
k Induction
                 begin
Bus Properties
                            assume property(INPUT_PROP);
Free Variables
                 end else begin
Abstraction
                            assert property(INPUT_PROP);
Invariants
                 end endgenerate
Multiple-Clocks
                 assert property(LOCAL_PROP);
Cover
                 assert property(OUTPUT_PROP);
Sequences
\triangleright Overview
Clocking
                 This would work quite nicely for a bus property file
Sequences
```

Parting Thoughts

Exercise

### **G** Parameterized Properties

| Wel | come |
|-----|------|
|     |      |
|     |      |

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

⊳ Overview

Clocking

Sequences

Exercise

Parting Thoughts

#### Properties can also accept parameters

```
property IMPLIES(a,b);
  @(posedge i_clk)
  a |-> b;
```

endproperty

**assert property**(IMPLIES(x, y));

### **G** Parameterized Properties

```
Welcome
```

```
Motivation
```

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

▷ Overview

Clocking

Sequences

Exercise

Parting Thoughts

```
Properties can also accept parameters
```

```
property IMPLIES_NEXT(a,b);
     @(posedge i_clk) a |=> b;
endproperty
```

```
assert property(IMPLIES_NEXT(x, y));
```

Remember, if you want to use |=>, **\$past**, etc., you need to define a clock.

## GT Clocking

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Overview

 $\triangleright$  Clocking

Sequences

Exercise

Parting Thoughts

Getting tired of writing @(posedge i\_clk)?

You can set a default clock

```
default clocking @(posedge i_clk);
endclocking
```

Assumes i\_clk if no clock is given.

# GT Clocking

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Overview

 $\triangleright$  Clocking

Sequences

Exercise

Parting Thoughts

Getting tired of writing @(posedge i\_clk)?

- You can set a default clock
- $\hfill\square$  You can set a default clock within a given block

```
clocking @(posedge i_clk);
    // Your properties can go here
    // As with assert, assume,
    // sequence, etc.
```

#### endclocking

Assumes i\_clk for all of the properties within the clocking block.

| Welcome            | S |
|--------------------|---|
|                    | • |
| Motivation         |   |
| Basics             |   |
| Clocked and \$past |   |
| k Induction        | S |
| Bus Properties     |   |
| Free Variables     |   |
| Abstraction        |   |
| Invariants         |   |
| Multiple-Clocks    |   |
| Cover              |   |
| Sequences          |   |
| Overview           |   |
| Clocking           |   |
| Sequences          |   |
| Exercise           |   |

Parting Thoughts

So far with properties,

- We haven't done anything really all that new.
- We've just rewritten what we've done before in a new form.

Sequences are something new

| Welcome |
|---------|
|---------|

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Overview

Clocking

▷ Sequences

Exercise

Parting Thoughts

With sequences, you can

Specify a series of actions

```
sequence EXAMPLE;
```

```
O(posedge i_clk) a ##1 b ##1 c ##1 d;
endsequence
```

In this example, b always follows a by one clock, c follows b, and d follows c

With sequences, you can

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Overview

Clocking

▷ Sequences

Exercise

Parting Thoughts

Specify a series of actions, separated by some number of clocks

```
sequence EXAMPLE;
     @(posedge i_clk) a ##2 b ##5 c;
endsequence
```

In this example, b always follows a two clocks later, and c follows five clocks after b

| VVelcome           |
|--------------------|
| Motivation         |
| Basics             |
| Clocked and \$past |
| k Induction        |
| Bus Properties     |
| Free Variables     |
| Abstraction        |
| Invariants         |
| Multiple-Clocks    |
| Cover              |
| Sequences          |
| Overview           |

Clocking

▷ Sequences

Exercise

Parting Thoughts

With sequences, you can

Specify a series of predicates, separated in time

Can express range(s) of repeated values

```
sequence EXAMPLE;
    @(posedge i_clk) b[*2:3] ##1 c;
endsequence
// is equivalent to ...
sequence EXAMPLE_A_2x; // 2x
    @(posedge i_clk) b ##1 b ##1 c;
endsequence
// or
sequence EXAMPLE_A_3x; // 3x
    @(posedge i_clk) b ##1 b ##1 b ##1 c;
endsequence
```

| Welcome            |
|--------------------|
| Motivation         |
| Basics             |
| Clocked and \$past |
| k Induction        |
| Bus Properties     |
| Free Variables     |
|                    |
| Abstraction        |
| Invariants         |
| Multiple-Clocks    |
| Cover              |
| Sequences          |
| Overview           |
| Clocking           |
| Sequences          |
|                    |

Exercise

Parting Thoughts

With sequences, you can

- Specify a series of predicates, separated in time
- Can express range(s) of repeated values
  - [\*0:M] Predicate may be skipped
  - [\*N:M] specifies from N to M repeats
  - [\*N:\$] Repeats at least N times, with no maximum

Ranges can include empty sequences, such as ##[\*0:4]Compose multiple sequences together

- AND, seq\_1 and seq\_2
- OR, seq\_1 or seq\_2
- NOT, <mark>not</mark> seq

## G And vs Intersect

#### Welcome Motivation Basics Clocked and \$past k Induction **Bus Properties** Free Variables Abstraction Invariants Multiple-Clocks Cover Sequences Overview Clocking $\triangleright$ Sequences Exercise Parting Thoughts

The and and intersect operators are very similar

- and is only true if both sequences are true
- **intersect** is only true if both sequences are true *and* have the same length

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Overview

Clocking

▷ Sequences

Exercise

Parting Thoughts

```
sequence A;
@(posedge i_clk)
(EXP) [*0:$] intersect SEQ;
```

endsequence

Throughout

is equivalent to

```
sequence B;
@(posedge i_clk)
(EXP) throughout SEQ;
```

#### endsequence

The EXP expression must be true from now until SEQ ends

| Wel  | come   |
|------|--------|
|      | 001110 |
| vvei | come   |

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Overview

Clocking

Sequences

Exercise

Parting Thoughts

```
property A;
    @(posedge i_clk)
    (E1) [*0:$] ##1 (E2);
```

#### endproperty

Throughout

Until

is equivalent to

```
property B;
     @(posedge i_clk)
     (E1) until E2;
endproperty
```

until can only be used in a property, not within a sequence

| come |
|------|
|      |
|      |

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Overview

Clocking

▷ Sequences

Exercise

Parting Thoughts

```
property A;
    @(posedge i_clk)
    (E1) [*0:$] ##1 (E2);
```

#### endproperty

Throughout

Until

is equivalent to

```
property B;
     @(posedge i_clk)
     (E1) until E2;
endproperty
```

**until** can only be used in a **property**, not within a **sequence** There is an ugly subtlety here

– Must E2 ever take place?

| Wel    | come |
|--------|------|
| V V CI | come |

Motivation

Basics

#### Throughout

Until

Within

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Overview

Clocking

▷ Sequences

Exercise

Parting Thoughts

#### endsequence

is equivalent to

```
sequence B;
@(posedge i_clk)
(S1) within S2;
```

#### endsequence



### **G** Returning to Properties

| Welcome            | P |
|--------------------|---|
| Motivation         | П |
| Basics             |   |
| Clocked and \$past |   |
| k Induction        |   |
| Bus Properties     |   |
| Free Variables     |   |
| Abstraction        |   |
| Invariants         |   |
| Multiple-Clocks    |   |
| Cover              |   |
| Sequences          |   |
| Overview           |   |
| Clocking           |   |
| ▷ Sequences        |   |
| Exercise           |   |

Parting Thoughts

```
Properties can reference sequences
```

Directly

```
assert property (seq);
assert property (expr |-> seq);
```

Implication: sequences can imply properties

assert property (seq |-> some\_other\_property);
assert property (seq |=> another\_property);

### **G** Returning to Properties

| Welcome |
|---------|
|---------|

Properties can include . . .

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Overview

Clocking

▷ Sequences

Exercise

Parting Thoughts

if statements

assert property (if (A) P1 else P2);

not, and, or even or statements

```
assert property (not P1);
assert property (P1 and P2);
assert property (P1 or P2);
```

### **G** Ex. Bus Request

| Wel | come |
|-----|------|
|     | come |

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

```
Abstraction
```

Invariants

Multiple-Clocks

Cover

Sequences

Overview

Clocking

▷ Sequences

Exercise

Parting Thoughts

```
A bus request will not change until it is accepted
```

```
property BUS_REQUEST_HOLD;
  @(posedge i_clk)
    (STB)&&(STALL)
    |=> (STB)&&($stable(REQUEST));
endproperty
```

assert property (BUS\_REQUEST\_HOLD);

### **G** Ex. Bus Request

| Welcome                                                                   | A request persists until it is accepted                                                                                                                                             |
|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| MotivationBasicsClocked and \$pastk InductionBus PropertiesFree Variables | <pre>sequence BUS_REQUEST;<br/>@(posedge i_clk)<br/>// Repeat up to MAX_STALL clks<br/>(STB)&amp;&amp;(STALL) [*0:MAX_STALL]<br/>##1 (STB)&amp;&amp;(!STALL);<br/>endsequence</pre> |
| Abstraction<br>Invariants<br>Multiple-Clocks                              | assert property (STB  -> BUS_REQUEST);                                                                                                                                              |
| Cover<br>Sequences<br>Overview<br>Clocking<br>▷ Sequences<br>Exercise     | You no longer need to count stalls yourself.                                                                                                                                        |
| Parting Thoughts                                                          |                                                                                                                                                                                     |

### **Ex. Bus Request**

| Welcome            | A request persists until it is accepted      |
|--------------------|----------------------------------------------|
| Motivation         | <pre>sequence BUS_REQUEST;</pre>             |
| Basics             | <pre>@(posedge i_clk)</pre>                  |
| Clocked and \$past |                                              |
| k Induction        | // Repeat up to MAX<br>(STB)&&(STALL) [*0:MA |
| Bus Properties     | ##1 (STB)&&(!STALL);                         |
| Free Variables     | endsequence                                  |
| Abstraction        |                                              |
| Invariants         | <b>assert property</b> (STB $ ->$ BUS        |
| Multiple-Clocks    |                                              |
| Cover              | You no longer need to count stalls yo        |
| Sequences          | Could we do this with an until stater        |
| Overview           |                                              |
| Clocking           |                                              |
| Sequences          |                                              |
| Exercise           |                                              |
| Parting Thoughts   |                                              |

```
UEST;
e i_clk)
at up to MAX_STALL clks
STALL) [*0:MAX_STALL]
)&&(!STALL);
```

```
(STB | -> BUS_REQUEST);
```

to count stalls yourself. h an **until** statement?

## **G**<sup>T</sup> Ex. Bus Request

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Overview

Clocking

Sequences

Exercise

Parting Thoughts

```
A request persists until it is accepted
```

```
sequence BUS_REQUEST;
@(posedge i_clk)
(STB)&&(STALL) until (STB)&&(!STALL);
```

endsequence

**assert property** (STB  $| \rightarrow$  BUS\_REQUEST);

What is the difference?

## **G**<sup>T</sup> Ex. Bus Request

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Overview

Clocking

Sequences

Exercise

Parting Thoughts

```
A request persists until it is accepted
```

```
sequence BUS_REQUEST;
    @(posedge i_clk)
    (STB)&&(STALL) until (STB)&&(!STALL);
endsequence
```

**assert property** (STB |-> BUS\_REQUEST);

What is the difference? The **until** statement goes forever, our prior example was limited to MAX\_STALL clock cycles.

## **G**<sup>T</sup> Ex. Bus Request

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Overview

Clocking

▷ Sequences

Exercise

Parting Thoughts

```
A request persists until it is accepted
```

```
sequence BUS_REQUEST;
@(posedge i_clk)
(STB)&&(STALL) until (STB)&&(!STALL);
```

endsequence

**assert property** (STB | - > BUS\_REQUEST);

What is the difference?

But ... what happens if RESET is asserted?

## **G** Bus Request

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

```
Abstraction
```

Invariants

Multiple-Clocks

Cover

Sequences

Overview

Clocking

▷ Sequences

Exercise

Parting Thoughts

```
A property can be conditionally disabled
```

```
sequence BUS_REQUEST;
    // Repeat up to MAX_STALL clks
    (STB)&&(STALL) [*0:MAX_STALL]
    ##1 (STB)&&(!STALL);
```

#### endsequence

```
assert property (
    @(posedge i_clk)
    disable iff (i_reset)
    STB |-> BUS_REQUEST);
```

The assertion will no longer fail if i\_reset clears the request What if the request is aborted?

## **G** Ex. Bus Request

```
A property can be conditionally disabled
Welcome
Motivation
                 sequence BUS_REQUEST;
Basics
                            @(posedge i_clk)
Clocked and $past
                            // Repeat up to MAX_STALL clks
k Induction
                             (STB)\&\&(STALL) [*0:MAX_STALL]
Bus Properties
                            ##1 (STB)&&(!STALL);
Free Variables
                 endsequence
Abstraction
Invariants
                 assert property (
Multiple-Clocks
                            @(posedge i_clk)
                             disable iff ((i_reset)||(!CYC))
Cover
                            STB |-> BUS_REQUEST);
Sequences
Overview
Clocking
                 Will this work?
\triangleright Sequences
Exercise
Parting Thoughts
```

## **G** Ex. Bus Request

```
A property can be conditionally disabled
Welcome
Motivation
                 sequence BUS_REQUEST;
Basics
                            @(posedge i_clk)
Clocked and $past
                            // Repeat up to MAX_STALL clks
k Induction
                             (STB)\&\&(STALL) [*0:MAX_STALL]
Bus Properties
                            ##1 (STB)&&(!STALL);
Free Variables
                 endsequence
Abstraction
Invariants
                 assert property (
Multiple-Clocks
                            @(posedge i_clk)
                             disable iff ((i_reset)||(!CYC))
Cover
                            STB |-> BUS_REQUEST);
Sequences
Overview
Clocking
                 Will this work? Yes!
\triangleright Sequences
Exercise
Parting Thoughts
```

## GT Ex. Bus ACKs

```
Welcome
```

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

```
Abstraction
```

Invariants

Multiple-Clocks

Cover

Sequences

Overview

Clocking

Sequences

Exercise

Parting Thoughts

```
Some peripherals will only ever accept one request
```

```
sequence SINGLE_ACK(MAX_DELAY);
@(posedge i_clk)
 (!ACK)&&(STALL) [*0:MAX_DELAY]
##1 (ACK)&&(!STALL);
```

endsequence

```
assert property (
    disable iff ((i_reset)||(!CYC))
    (STB)&&(!STALL) |=> SINGLE_ACK(32);
    );
```

This peripheral will

Stall up to 32 clocks following any accepted request, until it

- Acknowledges the request, and
- Releases the bus on the same cycle

## **G** Ex. Bus ACKs

Motivation

k Induction

**Bus Properties** 

Free Variables

Multiple-Clocks

Abstraction

Invariants

Sequences Overview Clocking

Cover

Clocked and \$past

Basics

#### Some peripherals will

- $\hfill\square$  Never stall the bus, and
- Acknowledge every request after a fixed number of clock ticks

```
property NEVER_STALL(DELAY);
    @(posedge i_clk)
    disable iff ((i_reset)||(!CYC))
    (STB) |-> ##[*DELAY] (ACK);
endproperty
```

```
assert property (NEVER_STALL(DELAY)
and (!STALL));
```

This is illegal. Can you spot the bug?

Exercise

Parting Thoughts

 $\triangleright$  Sequences

```
270 / 285
```

# **G** Ex. Bus ACKs

| 9 |
|---|
| - |
|   |

Motivation

k Induction

**Bus Properties** 

Free Variables

Multiple-Clocks

 $\triangleright$  Sequences

Parting Thoughts

Abstraction

Invariants

Sequences Overview Clocking

Exercise

Cover

Clocked and \$past

Basics

#### Some peripherals will

- Never stall the bus, and
- Acknowledge every request after a fixed number of clock ticks

```
property NEVER_STALL(DELAY);
    @(posedge i_clk)
    disable iff ((i_reset)||(!CYC))
    (STB) |-> ##[*DELAY] (ACK);
endproperty
```

```
assert property (NEVER_STALL(DELAY)
and (!STALL));
```

This is illegal. Can you spot the bug? What logic does the disable iff apply to?

# GT Ex. Bus ACKs

| Weld | come |
|------|------|
|      |      |
|      |      |

Motivation

#### Some peripherals will

- Never stall the bus, and
- Acknowledge every request after a fixed number of clock ticks

```
property NEVER_STALL(DELAY);
    @(posedge i_clk)
    disable iff ((i_reset)||(!CYC))
    (STB) |-> ##[*DELAY] (ACK);
endproperty
assert property (NEVER_STALL(DELAY));
```

```
assert property (!STALL);
```

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Overview

Clocking

▷ Sequences

Exercise

Parting Thoughts

This is valid

# **G** Ex. Bus ACKs

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

```
Free Variables
```

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Overview

Clocking

Sequences

Exercise

Parting Thoughts

Cannot ACK or ERR when no request is pending

Or as we did it before

Which is simpler to understand?

```
Let's look at an serial port transmitter example.
Welcome
                 A baud interval is CKS clocks ...
Motivation
Basics
                    Output data is constant
                 Clocked and $past
                    Logic doesn't change state
                 k Induction
                    Internal shift register value is known
                 Bus Properties
                    Ends with zero_baud_counter
                 П
Free Variables
Abstraction
                 sequence BAUD_INTERVAL(CKS, DAT, SR, ST);
Invariants
                            ((o_uart_tx = DAT)\&\&(state = ST))
Multiple-Clocks
                                       \&\&(lcl_data = SR)
Cover
                                       \&\&(!zero_baud_counter))[*(CKS-1)]
Sequences
                           ##1 (o_uart_tx == DAT)&&(state == ST)
Overview
                                       \&\&(lcl_data = SR)
Clocking
\triangleright Sequences
                                       &&(zero_baud_counter))
Exercise
                 endsequence
Parting Thoughts
```

Welcome

Motivation

Basics

Clocked and \$past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Overview

Clocking

▷ Sequences

Exercise

Parting Thoughts

```
A byte consists of 10 Baud intervals
```

```
sequence SEND(CKS, DATA);
        BAUD_INTERVAL(CKS, 1'b0, DATA, 4'h0)
        ##1 BAUD_INTERVAL(CKS, DATA[0],
                 \{\{(1), \{1, b1\}\}, DATA[7:1], 4, h1\}
        ##1 BAUD_INTERVAL(CKS, DATA[1],
                  \{\{(2), \{1, b1\}\}, DATA[7:2], 4, h2\}
        ##1 BAUD_INTERVAL(CKS, DATA[6],
                  \{\{(7), \{1'b1\}\}, DATA[7], 4'h7\}
        ##1 BAUD_INTERVAL(CKS, DATA[7],
                 7'hff, DATA [7], 4'h8)
        ##1 BAUD_INTERVAL(CKS, 1'b1, 8'hff, 4'h9);
endsequence
```

Welcome Motivation Basics Clocked and \$past k Induction **Bus Properties** Free Variables Abstraction Invariants Multiple-Clocks Cover Sequences Overview Clocking  $\triangleright$  Sequences Exercise Parting Thoughts

#### Transmitting a byte requires

```
always @(posedge i_clk)
if ((i_wr)&&(!o_busy))
            fsv_data <= i_data;</pre>
```

```
assert property (@(posedge i_clk)
  (i_wr)&&(!o_busy)
  |=> ((o_busy) throughout
        SEND(CLOCKS_PER_BAUD,fsv_data))
  ##1 ((!o_busy)&&(o_uart_tx)
        &&(zero_baud_counter));
```

- A transmit request is received
- The data is sent
- The controller returns to idle

```
Welcome
```

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

```
Abstraction
```

Invariants

Multiple-Clocks

Cover

Sequences

Overview

Clocking

▷ Sequences

Exercise

```
Parting Thoughts
```

```
Transmitting a byte requires
```

```
assert property (@(posedge i_clk)
  (i_wr)&&(!o_busy)
  |=> ((o_busy) throughout
        SEND(CLOCKS_PER_BAUD,fsv_data))
  ##1 ((!o_busy)&&(o_uart_tx)
        &&(zero_baud_counter));
```

#### Make sure . . .

- The sequence has a defined beginning Only ever triggered once at a time
- Doesn't reference changing data
- throughout is within parenthesis
  - You tie all relevant state information together

# **SysVerilog Conclusions**

| Welcome            |
|--------------------|
| Motivation         |
| Basics             |
| Clocked and \$past |
| k Induction        |
| Bus Properties     |
| Free Variables     |
| Abstraction        |
| Invariants         |
| Multiple-Clocks    |
| Cover              |

SystemVerilog Concurrent Assertions ....

- can be very powerful
- can be very confusing
  - can be used with immediate assertions You can keep using the simpler property form we've been using

Sequences

Overview

Clocking

 $\triangleright$  Sequences

Exercise

Parting Thoughts

| Welcome                                                      | Let's formally verify a synchronous FIFO                                                                                                                 |
|--------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|
| MotivationBasicsClocked and \$pastk Induction                | <pre>entity sfifo is generic(BW : natural := 8; LGFLEN : natural := 4);</pre>                                                                            |
| Bus Properties<br>Free Variables<br>Abstraction              | <pre>port(i_clk, i_reset : in std_logic;</pre>                                                                                                           |
| Invariants<br>Multiple-Clocks<br>Cover                       | <pre>i_data : in std_logic_vector(BW-1 downto 0);<br/>o_full : out std_logic := '0';<br/> The outgoing (read) interface</pre>                            |
| Sequences<br>Overview<br>Clocking<br>Sequences<br>▷ Exercise | <pre>i_rd : in std_logic;<br/>o_data : out std_logic_vector(BW-1 downto 0);<br/>o_empty : out std_logic := '1';<br/>o_err : out std_logic := '0');</pre> |
| Parting Thoughts                                             | <pre>end entity sfifo;</pre>                                                                                                                             |

• •

```
Welcome
Motivation
Basics
Clocked and $past
k Induction
Bus Properties
Free Variables
Abstraction
Invariants
Multiple-Clocks
Cover
Sequences
Overview
Clocking
Sequences
▷ Exercise
Parting Thoughts
```

```
Let's formally verify a synchronous FIFO
architecture behavior of sfifo is
  constant FLEN : natural := 2 ** LGFLEN:
  type data_type is
            std_logic_vetor (BW-1 downto 0);
  type mem_type is
            array (FLEN-1 downto 0) of data_type;
  type ptr_type is
            unsigned (LGFLEN downto 0);
  signal
          mem : mem_type;
  signal r_first: ptr_type
            := to_unsigned(0,LGFLEN+1);
```

See the problem?

```
Welcome
Motivation
Basics
Clocked and $past
k Induction
Bus Properties
Free Variables
Abstraction
Invariants
Multiple-Clocks
Cover
Sequences
Overview
Clocking
Sequences
▷ Exercise
Parting Thoughts
```

```
Let's formally verify a synchronous FIFO
architecture behavior of sfifo is
  constant FLEN : natural := 2 ** LGFLEN:
  type data_type is
            std_logic_vetor (BW-1 downto 0);
  type mem_type is
            array (FLEN-1 downto 0) of data_type;
  type ptr_type is
            unsigned (LGFLEN downto 0);
  signal
          mem : mem_type;
  signal r_first: ptr_type
            := to_unsigned(0,LGFLEN+1);
```

See the problem? You can't pass memories through ports!

| Welcome            |
|--------------------|
| Motivation         |
| Basics             |
| Clocked and \$past |
| k Induction        |
| Bus Properties     |
| Free Variables     |
| Abstraction        |
| Invariants         |
| Multiple-Clocks    |
|                    |

Cover

Sequences

Overview

Clocking

Sequences

▷ Exercise

Parting Thoughts

How will you pass the memory to the formal tool?

You might pass an arbitrary address and value instead

|                    | _ |
|--------------------|---|
| Welcome            |   |
| Motivation         | ١ |
| Basics             |   |
| Clocked and \$past |   |
| k Induction        |   |
| Bus Properties     |   |
| Free Variables     |   |
| Abstraction        |   |
| Invariants         |   |
| Multiple-Clocks    |   |
| Cover              |   |
| Sequences          |   |
| Overview           |   |
| Clocking           |   |
| Sequences          |   |
| ▷ Exercise         |   |
| Parting Thoughts   |   |

Let's formally verify a synchronous FIFO What properties do you think would be appropriate?

| Welcome            | Le |
|--------------------|----|
| Motivation         | W  |
| Basics             | _  |
| Clocked and \$past |    |
| k Induction        |    |
| Bus Properties     |    |
| Free Variables     |    |
| Abstraction        |    |
| Invariants         |    |
| Multiple-Clocks    |    |
| Cover              |    |
| Sequences          |    |
| Overview           |    |
| Clocking           |    |
| Sequences          |    |
| ▷ Exercise         |    |
| Parting Thoughts   |    |
|                    |    |
|                    |    |

et's formally verify a synchronous FIFO What properties do you think would be appropriate?

Should never go from full to empty

| Welcome            |   |
|--------------------|---|
| Motivation         |   |
| Basics             |   |
| Clocked and \$past | [ |
| k Induction        |   |
| Bus Properties     |   |
| Free Variables     |   |
| Abstraction        |   |
| Invariants         |   |
| Multiple-Clocks    |   |
| Cover              |   |
| Sequences          |   |
| Overview           |   |
| Clocking           |   |
| Sequences          |   |
| ▷ Exercise         |   |
| Parting Thoughts   |   |

Let's formally verify a synchronous FIFO What properties do you think would be appropriate?

Should never go from full to empty except on a reset

| Welcome            | L |
|--------------------|---|
| Motivation         | V |
| Basics             |   |
| Clocked and \$past |   |
| k Induction        |   |
| Bus Properties     |   |
| Free Variables     |   |
| Abstraction        |   |
| Invariants         |   |
| Multiple-Clocks    |   |
| Cover              |   |
| Sequences          |   |
| Overview           |   |
| Clocking           |   |
| Sequences          |   |
| ▷ Exercise         |   |
| Parting Thoughts   |   |

Let's formally verify a synchronous FIFO What properties do you think would be appropriate?

Should never go from full to empty except on a reset
 Should never go from empty to full

| Welcome            | Le |
|--------------------|----|
| Motivation         | W  |
| Basics             |    |
| Clocked and \$past |    |
| k Induction        |    |
| Bus Properties     |    |
| Free Variables     |    |
| Abstraction        |    |
| Invariants         |    |
| Multiple-Clocks    |    |
| Cover              |    |
| Sequences          |    |
| Overview           |    |
| Clocking           |    |
| Sequences          |    |
| ▷ Exercise         |    |

#### Parting Thoughts

Let's formally verify a synchronous FIFO What properties do you think would be appropriate?

- Should never go from full to empty except on a reset
   Should never go from empty to full
  - The two outputs, o\_empty and o\_full, should properly reflect the size of the FIFO
    - o\_empty means the FIFO is currently empty
    - o\_full means the FIFO has  $2^N$  elements within it

| Welcome            | Le | et's f |
|--------------------|----|--------|
| Motivation         | W  | hat    |
| Basics             |    | Sh     |
| Clocked and \$past | П  | Sh     |
| k Induction        |    |        |
| Bus Properties     |    | Th     |
| Free Variables     |    | the    |
| Abstraction        |    | _      |
| Invariants         |    | _      |
| Multiple-Clocks    |    |        |
| Cover              |    | Ch     |
| Sequences          |    | _      |
| Overview           |    |        |
| Clocking           |    | —      |
| Sequences          |    |        |
| ▷ Exercise         |    |        |
| Parting Thoughts   |    |        |

Let's formally verify a synchronous FIFO What properties do you think would be appropriate?

- Should never go from full to empty except on a reset
   Should never go from empty to full
  - The two outputs, o\_empty and o\_full, should properly reflect the size of the FIFO
    - o\_empty means the FIFO is currently empty
    - o\_full means the FIFO has  $2^N$  elements within it
  - Challenge: Use sequences to prove that
    - Given any two values written successfully
    - Verify that those two values can (some time later) be read successfully, and in the right order (Unless a reset takes place in the meantime)

# GT Hint

| Welcome                           |
|-----------------------------------|
| Motivation                        |
| Basics                            |
| Clocked and \$past                |
| k Induction                       |
| Bus Properties                    |
| Free Variables                    |
| Abstraction                       |
| Invariants                        |
| Multiple-Clocks                   |
| _                                 |
| Cover                             |
| <u>Cover</u><br>Sequences         |
|                                   |
| Sequences                         |
| Sequences<br>Overview             |
| Sequences<br>Overview<br>Clocking |

When using sequences,...

 It can be very difficult to figure out what part of the sequence failed.

The assertion that fails will reference the entire failing sequence.

Suggestions:

- Sequences must be triggered
   Be aware of what triggers a sequence
- Use combinational logic to define wires that will then represent steps in the sequence
- Build the sequences out of these wires

# G Hint continued

| Welcome                                                                                                       | Here's an example:                                                                                                                                                                                                                        |  |  |  |
|---------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|--|--|
| MotivationBasicsClocked and \$pastk InductionBus PropertiesFree VariablesAbstractionInvariantsMultiple-Clocks | <pre>wire f_a, f_b, f_c;<br/>//<br/>assign f_a = // your logic<br/>assign f_b = // your logic<br/>assign f_c = // your logic<br/>//<br/>sequence ARBITRARY_EXAMPLE_SEQUENCE<br/>f_a [*0:4] ##1 f_b ##1 f_c[*12:16];<br/>endsequence</pre> |  |  |  |
| Cover<br>Sequences<br>Overview<br>Clocking<br>Sequences<br>▷ Exercise<br>Parting Thoughts                     | <ul> <li>If you use this approach</li> <li>Interpreting the wave file will be much easier</li> <li>The f_a, etc., lines will be in the trace</li> </ul>                                                                                   |  |  |  |

#### G

#### M

#### Welcome

Motivation

Basics

Clocked and \$past

k Induction

**Bus Properties** 

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Parting ▷ Thoughts

Questions?

#### **Parting Thoughts**

# **G** Questions?

|                    | Questions: |     |
|--------------------|------------|-----|
|                    |            | VV* |
| Welcome            |            | •   |
| Motivation         |            |     |
| Basics             |            |     |
| Clocked and \$past |            |     |
| k Induction        |            |     |
| Bus Properties     |            |     |
| Free Variables     |            |     |
| Abstraction        |            |     |
| Invariants         |            |     |
| Multiple-Clocks    |            |     |
| Cover              |            |     |
| Sequences          |            |     |
| Parting Thoughts   |            |     |
| ▷ Questions?       |            |     |
|                    |            |     |
|                    |            |     |
|                    |            |     |
|                    |            |     |