

#### 9. Serial Port Receiver

Gisselquist Technology, LLC

Daniel E. Gisselquist, Ph.D.



#### **G** Lesson Overview

▷ Lesson Overview Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction Properties Induction Cover Formal Exercise Simulation UARTSIM Exercise! Hardware

Conclusion

- Let's build a Serial Port Receiver
- Like the transmitter, it will have
  - A constant baud rate,
  - 8 data bits, no parity, and one stop bit
- Building the serial port is not tremendously more complex than the transmitter
  - Verifying the serial port will be our biggest challenge
- Also build a UARTSIM transmitter in C++ for Verilator
   Objectives
- Know how to coordinate verification across files
- Experience the power of induction
- Gain more experience building Verilator Co-simulators
- Learn how to work with a Verilator serial port simulator

|                      | 1 |
|----------------------|---|
| Lesson Overview      | V |
| 🗁 Design Goal        |   |
| Receiver FSM         |   |
| Baud counter         |   |
| Receiver State       |   |
| Return Data          |   |
| Formal Verification  |   |
| Formal Contract      |   |
| Induction Properties |   |
| Induction            |   |
| Cover                |   |
| Formal Exercise      |   |
| Simulation           |   |
| UARTSIM              |   |
| Exercise!            |   |
| Hardware             |   |
| Conclusion           |   |
|                      |   |

#### We discussed building a serial port receiver before

i\_uart\_rx \_\_\_\_\_ d[0] ( d[1] ) d[2] ( d[3] ) d[4] ) d[5] ( d[6] ) d[7] )

Lesson Overview ▷ Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction Properties Induction Cover Formal Exercise Simulation UARTSIM Exercise! Hardware Conclusion



- 1. Detect the start bit
  - This determines the timing of everything to follow

Lesson Overview ▷ Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction Properties Induction Cover Formal Exercise Simulation UARTSIM Exercise! Hardware Conclusion

We discussed building a serial port receiver before



- 1. Detect the start bit
  - $\hfill\square$  This determines the timing of everything to follow
- 2. Wait a baud and a half
  - Centers our sample mid baud-interval

Lesson Overview ▷ Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction Properties Induction Cover Formal Exercise Simulation UARTSIM Exercise! Hardware Conclusion

We discussed building a serial port receiver before i\_uart\_rx

- 1. Detect the start bit
  - $\hfill\square$  This determines the timing of everything to follow
- 2. Wait a baud and a half
  - Centers our sample mid baud-interval
- 3. Sample each remaining data bit mid-baud
  - Known baud rate determines the separation

Lesson Overview ▷ Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction Properties Induction Cover Formal Exercise Simulation UARTSIM Exercise! Hardware Conclusion

We discussed building a serial port receiver before



- 1. Detect the start bit
  - $\hfill\square$  This determines the timing of everything to follow
- 2. Wait a baud and a half
  - Centers our sample mid baud-interval
- 3. Sample each remaining data bit mid-baud
  - Known baud rate determines the separation
- 4. Report our result when done

Lesson Overview ▷ Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction Properties Induction Cover Formal Exercise Simulation UARTSIM Exercise! Hardware Conclusion



This also means that we'll be done halfway through the stop bit

- The transmitter will still be busy, even though
- The receiver is already looking for the next start bit

#### **G**<sup>-</sup> One more requirement

Lesson Overview ▷ Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction Properties Induction Cover Formal Exercise Simulation UARTSIM Exercise! Hardware Conclusion

Since our last discussion (about simulation)



We've learned that we need to synchronize the incoming bit

□ This should be negligible to the rest of the algorithm

It will impact our formal verification properties

# G Receiver FSM

Lesson Overview Design Goal  $\triangleright$  Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction Properties Induction Cover Formal Exercise Simulation UARTSIM Exercise! Hardware Conclusion

#### The receiver logic is just another state machine



- Each state will require multiple clocks
- States 2-9 are exactly one baud in length
- States 1 is half again as long
  - To account for the start bit, and
  - To make sure we timeout mid-baud interval
- The o\_stb signal will be one clock wide
- $\hfill\square$  When o\_stb is high, o\_data contains the received data
  - It is a don't care value otherwise

```
Lesson Overview
Design Goal
Receiver FSM
                           \triangleright Baud counter
Receiver State
Return Data
                           Formal Verification
Formal Contract
Induction Properties
Induction
Cover
Formal Exercise
Simulation
UARTSIM
Exercise!
Hardware
Conclusion
```

Let's work through timing all these transitions

 A counter, baud\_counter, will count down the time until the next state transition

While we are in idle, it will remain at zero

```
Lesson Overview
Design Goal
Receiver FSM
\triangleright Baud counter
Receiver State
Return Data
Formal Verification
Formal Contract
Induction Properties
Induction
Cover
Formal Exercise
Simulation
UARTSIM
Exercise!
Hardware
Conclusion
```

Let's work through timing all these transitions

- A counter, baud\_counter, will count down the time until the next state transition
- □ While we are in idle, it will remain at zero
- On a start bit, it will start counting a baud and a half

```
initial baud_counter = 0;
always @(posedge i_clk)
if (state == IDLE)
begin
    baud_counter <= 0;
    if (!ck_uart)
        baud_counter
        <= CLOCKS_PER_BAUD - 1'b1
        + CLOCKS_PER_BAUD / 2;
    // ...
```

```
Lesson Overview
Design Goal
Receiver FSM
\triangleright Baud counter
Receiver State
Return Data
Formal Verification
Formal Contract
Induction Properties
Induction
Cover
Formal Exercise
Simulation
UARTSIM
Exercise!
Hardware
Conclusion
```

Let's work through timing all these transitions

- A counter, baud\_counter, will count down the time until the next state transition
- □ While we are in idle, it will remain at zero
- On a start bit, it will start counting a baud and a half
- When it is not zero, it will count down to zero

| Lesson Overview      | Le  | et'        |
|----------------------|-----|------------|
| Design Goal          |     |            |
| Receiver FSM         |     | F          |
| ⊳ Baud counter       |     |            |
| Receiver State       |     | ľ          |
| Return Data          |     |            |
| Formal Verification  |     |            |
| Formal Contract      |     | C          |
| Induction Properties | П   | \          |
| Induction            |     | ,          |
| Cover                |     | \          |
| Formal Exercise      |     |            |
| Simulation           | :   | . :        |
| UARTSIM              |     |            |
| Exercise!            | alw |            |
| Hardware             | if  |            |
| Conclusion           |     |            |
|                      | be  | 9 <b>g</b> |
|                      |     |            |

Let's work through timing all these transitions

- A counter, baud\_counter, will count down the time until the next state transition
- While we are in idle, it will remain at zero
- On a start bit, it will start counting a baud and a half
  - When it is not zero, it will count down to zero
  - When it reaches zero, we count down the next baud

| Lesson Overview                                                                                                                                                                                         | Let's work through timing all t                                                                                                                                                                                                              |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Design Goal<br>Receiver FSM<br>▷ Baud counter<br>Receiver State<br>Return Data<br>Formal Verification<br>Formal Contract<br>Induction Properties<br>Induction<br>Cover<br>Formal Exercise<br>Simulation | <ul> <li>A counter, baud_counter, we next state transition</li> <li>While we are in idle, it will</li> <li>On a start bit, it will start of</li> <li>When it is not zero, it will of</li> <li>When it reaches zero, we conduct of</li> </ul> |
| UARTSIM<br>Exercise!<br>Hardware<br>Conclusion                                                                                                                                                          | <pre>// end else if (baud_cour begin baud_counter &lt;     if (state &gt;=</pre>                                                                                                                                                             |

hese transitions

- vill count down the time until the
- remain at zero
- counting a baud and a half
- count down to zero
- ount down the next baud the word

```
nter = 0)
     <= CLOCKS_PER_BAUD - 1'b1;
     STOP)
baud_counter <= 0;
```

... where it will remain at zero 

#### **G** Receiver State

```
Lesson Overview
Design Goal
Receiver FSM
Baud counter
▷ Receiver State
Return Data
Formal Verification
Formal Contract
Induction Properties
Induction
Cover
Formal Exercise
Simulation
UARTSIM
Exercise!
Hardware
Conclusion
```

The receiver state follows the same conditions

We start in IDLE, and remain in IDLE while ck\_uart is high

#### **G** Receiver State

```
Lesson Overview
Design Goal
Receiver FSM
Baud counter
Receiver State
Return Data
Formal Verification
Formal Contract
Induction Properties
Induction
Cover
Formal Exercise
Simulation
UARTSIM
Exercise!
Hardware
Conclusion
```

The receiver state follows the same conditions

We start in IDLE, and remain in IDLE while ck\_uart is high
 When ck\_uart goes low, we switch states

#### **G** Receiver State

```
Lesson Overview
Design Goal
Receiver FSM
Baud counter
Receiver State
Return Data
Formal Verification
Formal Contract
Induction Properties
Induction
Cover
Formal Exercise
Simulation
UARTSIM
Exercise!
Hardware
```

Conclusion

Once we've seen a start bit

- We cycle through and receive each bit following, and
- Return to idle when we get to the stop bit

```
always @(posedge i_clk)
//
end else if (baud_counter == 0)
begin
    state <= state + 1;
    if (state >= STOP_BIT)
        state <= IDLE;
end</pre>
```

See any assertions you might need to make about the state?

# G Return Data

```
Lesson Overview
Design Goal
Receiver FSM
Baud counter
Receiver State
▷ Return Data
Formal Verification
Formal Contract
Induction Properties
Induction
Cover
Formal Exercise
Simulation
UARTSIM
Exercise!
Hardware
```

Conclusion

#### On every state change

Shift in one more bit of the answer

always @(posedge i\_clk) if ((baud\_counter == 0)&&(state != STOP\_BIT))  $o_data \ll \{ ck_uart, o_data[7:1] \};$ 

### **G** Return Strobe

```
Lesson Overview
Design Goal
Receiver FSM
Baud counter
Receiver State
▷ Return Data
Formal Verification
Formal Contract
Induction Properties
Induction
Cover
Formal Exercise
Simulation
UARTSIM
Exercise!
Hardware
```

Conclusion

#### On the last and final transition

- Notify our environment of a received bit
- Just as we return to IDLE

### G Return Strobe

```
Lesson Overview
Design Goal
Receiver FSM
Baud counter
Receiver State
▷ Return Data
Formal Verification
Formal Contract
Induction Properties
Induction
Cover
Formal Exercise
Simulation
UARTSIM
Exercise!
Hardware
Conclusion
```

#### On the last and final transition

- Notify our environment of a received bit
- $\hfill\square$  Just as we return to IDLE

This should all be quite straight forward

This isn't really any harder than the transmitter

#### **G** Formal Verification

Lesson Overview Design Goal Receiver FSM Baud counter Receiver State Return Data Formal  $\triangleright$  Verification Formal Contract Induction Properties Induction Cover Formal Exercise Simulation UARTSIM Exercise! Hardware Conclusion

Formally verifying this receiver ... that's harder Let's reflect upon the two basic types of properties we've created

#### Contract properties

- Verify that a design does what it was intended to do
- These can be black-box properties

#### Induction properties

- Verify that a design remains within the set of legal states
- These will always be white-box properties

#### And our two rules

- assume any input properties
- assert any local state and output properties

#### **G** Formal Contract

Lesson Overview Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification ▷ Formal Contract Induction Properties Induction Cover Formal Exercise Simulation UARTSIM Exercise! Hardware Conclusion

The contract for a serial port is straight forward

- If you send it a known transmission
- It should set o\_wr when done, and
- o\_data should match any expected result
- We can use our transmitter to send a known transmission

That's the contract. That's the easy part

#### **G**<sup>-</sup> Induction Properties

Lesson Overview Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction  $\triangleright$  Properties Induction Cover Formal Exercise Simulation UARTSIM Exercise! Hardware Conclusion

The difficult part is setting up the induction properties

- We need to make certain our design remains in a consistent state
  - That includes not only the state of the receiver, and
  - The state of the transmitter, but
  - The two states must match!
- That means the transmitter can't be sending bit two while we are receiving bit six
- That also means that after the transmitter has sent four bits the receiver must have received those same four bits

Coordinating the state between the receiver and the transmitter is the challenging part

#### **G** Adjusting the transmitter

Lesson Overview Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction  $\triangleright$  Properties Induction Cover Formal Exercise Simulation UARTSIM Exercise! Hardware Conclusion

We'll add two output ports to our transmitter for this purpose

- □ f\_data
  - This is the data the transmitter is sending
  - We'll need to match our received data with this at every step of the way
- □ f\_counter
  - This will count clocks since the beginning of transmission
  - We'll use this to match the receiver's state
- We'll call this adjusted transmitter f\_txuart
- Since these extra ports are only necessary for formally verifying the receiver
- They are inappropriate for an independent transmitter

# **G** f\_data

Lesson Overview Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction  $\triangleright$  Properties Induction Cover Formal Exercise Simulation UARTSIM Exercise! Hardware

Conclusion

Capturing the data being sent is easy

```
always @(posedge i_clk)
if ((i_wr)&&(!o_busy))
      f_data <= i_data;</pre>
```

It's even easier, since ...

- The transmitter already contained this value internally
   The transmitter verified its internal state against this value
   The transmitter finishes after the receiver
  - So this value should be valid when we examine it
- We'll just make this value an output

# **G**<sup>T</sup> f\_counter

Lesson Overview Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction  $\triangleright$  Properties Induction Cover Formal Exercise Simulation UARTSIM Exercise! Hardware

```
Conclusion
```

The transmit counter is conceptually simple

```
always @(posedge i_clk)
if (!o_busy)
        f_counter <= 0;
else
        f_counter <= f_counter + 1;</pre>
```

Only we must now assert that

This counter matches our transmitter's internal state

# **G** f\_counter

Lesson Overview Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction  $\triangleright$  Properties Induction Cover Formal Exercise Simulation UARTSIM Exercise! Hardware Conclusion

Matching f\_counter to the transmitter's count-down counter

Let's look at this a little deeper

# **G**<sup>T</sup> f<sub>-</sub>counter

Lesson Overview Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction  $\triangleright$  Properties Induction Cover Formal Exercise Simulation UARTSIM Exercise! Hardware Conclusion

```
Let's discuss these assertions
```

```
BIT_ZERO: assert(f_counter
== 2*CLOCKS_PER_BAUD-1-counter);
```



You may find this easier to understand if you draw it out

- f\_counter starts at the beginning of time and counts up
- Our baud interval counter, counter, counts down each interval

# **G**<sup>T</sup> f<sub>-</sub>counter

Lesson Overview Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction  $\triangleright$  Properties Induction Cover Formal Exercise Simulation UARTSIM Exercise! Hardware Conclusion

Let's discuss these assertions

```
BIT_ZERO: assert(f_counter
== 2*CLOCKS_PER_BAUD-1-counter);
```

Notice the multiply for a moment

- Multiplies are normally bad
  - Formal tools struggle to verify multiplies
  - This multiplies two constants, so the result is constant
  - So this works

That handles the internal values

What about the inputs to f\_txuart?

# GT anyseq

| Lesson Overview     |  |  |  |  |
|---------------------|--|--|--|--|
| Design Goal         |  |  |  |  |
| Receiver FSM        |  |  |  |  |
| Baud counter        |  |  |  |  |
| Receiver State      |  |  |  |  |
| Return Data         |  |  |  |  |
| Formal Verification |  |  |  |  |
| Formal Contract     |  |  |  |  |
| Induction           |  |  |  |  |
|                     |  |  |  |  |
| Properties          |  |  |  |  |
| Induction           |  |  |  |  |
| Cover               |  |  |  |  |
| Formal Exercise     |  |  |  |  |
| Simulation          |  |  |  |  |
| UARTSIM             |  |  |  |  |
| Exercise!           |  |  |  |  |
| Hardware            |  |  |  |  |
| Conclusion          |  |  |  |  |

Our receiver doesn't have inputs for the formal transmitter

- We need to generate inputs for f\_txuart
- □ (\* anyseq \*) can be used for that purpose

```
    (* anyseq *) is like (* anyconst *)
```

- The solver gets to pick the values
- Only (\* anyseq \*) values can change from clock to clock
  - (\* anyconst \*) values are required to be constant
- Both types of values may be constrained by assumptions
   We'll pass two inputs to the transmitter

| // The write | request input    |             |
|--------------|------------------|-------------|
| (* anyseq *) | reg              | f_tx_iwr;   |
| // The write | data input       |             |
| (* anyseq *) | <b>reg</b> [7:0] | f_tx_idata; |

#### G Assumed Transmitter

Here's our transmitter instantiation

```
Lesson Overview
Design Goal
Receiver FSM
Baud counter
Receiver State
Return Data
Formal Verification
Formal Contract
    Induction
\triangleright Properties
Induction
Cover
Formal Exercise
Simulation
UARTSIM
Exercise!
Hardware
Conclusion
```

(\* anyseq \*) **reg** f tx iwr: (\* anyseq \*) reg [7:0] f\_tx\_idata; wire f tx uart: /\* ignored\*/ wire f\_tx\_busy; wire [7:0] f\_txdata; wire [24-1:0] f\_tx\_counter; f\_txuart #(CLOCKS\_PER\_BAUD) tx(i\_clk, f\_tx\_iwr, f\_tx\_idata, f\_tx\_uart, f\_tx\_busy, f\_txdata, f\_tx\_counter); // Assume our input matches the txuart's output always Q(\*)assume(i\_uart\_tx == f\_tx\_uart);

We'll be working with f\_txdata and f\_tx\_counter

# G Contract

Lesson Overview Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction  $\triangleright$  Properties Induction Cover Formal Exercise Simulation UARTSIM Exercise! Hardware Conclusion

We can now assert our receiver contract

o\_wr goes high once at the end of every word

o\_data has a copy of the transmitted information

```
always @(*)
if (o_wr)
    assert(o_data == f_txdata);
```

Problem: that's not enough to pass induction!

# G Induction

Lesson Overview Design Goal Receiver FSM Baud counter Receiver State Return Data Formal Verification Formal Contract Induction Properties  $\triangleright$  Induction Cover Formal Exercise Simulation UARTSIM Exercise! Hardware Conclusion

Now we need to synchronize our partial results

```
always @(*)
case(state)
4'h2: assert(o_data[7] == f_txdata[0]);
4'h3: assert(o_data[7:6] == f_txdata[1:0]);
4'h4: assert(o_data[7:5] == f_txdata[2:0]);
4'h5: assert(o_data[7:4] == f_txdata[3:0]);
// ... etc
4'h9: assert(o_data[7:0] == f_txdata[7:0]);
endcase
```

Even this isn't enough, we need to match counters as well

# G Induction

```
Lesson Overview
Design Goal
Receiver FSM
Baud counter
Receiver State
Return Data
Formal Verification
Formal Contract
Induction Properties
\triangleright Induction
Cover
Formal Exercise
Simulation
UARTSIM
Exercise!
Hardware
Conclusion
```

Matching the two counters is harder

- Following the end condition, the transmitter may have a half clock period left
- After the transmitter starts, it can go two clocks through the synchronizer before we leave IDLE

# G Induction

```
Lesson Overview
Design Goal
Receiver FSM
Baud counter
Receiver State
Return Data
Formal Verification
Formal Contract
Induction Properties
\triangleright Induction
Cover
Formal Exercise
Simulation
UARTSIM
Exercise!
Hardware
Conclusion
```

Matching the two counters is harder

 While waiting for the first bit, the two counters should be off by a baud and a half

```
always @(*)
case(state)
// ...
4'h1: begin // Start state
assert(CLOCKS_PER_BAUD+CLOCKS_PER_BAUD/2
-baud_counter == f_tx_counter -2);
```

Remember the two stage FF synchronizer, and
 The receiver is off cut from the transmitter by half a baud
## G Induction

```
Lesson Overview
Design Goal
Receiver FSM
Baud counter
Receiver State
Return Data
Formal Verification
Formal Contract
Induction Properties
\triangleright Induction
Cover
Formal Exercise
Simulation
UARTSIM
Exercise!
Hardware
Conclusion
```

### Matching the two counters is harder

- While waiting for the first bit, the two counters should be off by a baud and a half
- The rest of the bits/states follow the same pattern

```
always @(*)
case(state)
// ...
4'h2: begin // Start state
assert(2*CLOCKS_PER_BAUD+CLOCKS_PER_BAUD/2
- baud_counter == f_tx_counter -2);
```

- Don't forget that baud\_counter counts down,
- While f\_tx\_counter counts up

## G Formal

| Lesson Overview            |
|----------------------------|
| Design Goal                |
| Receiver FSM               |
| Baud counter               |
| Receiver State             |
| Return Data                |
| Formal Verification        |
| Formal Contract            |
| Induction Properties       |
| $\triangleright$ Induction |
| Cover                      |
| Formal Exercise            |
| Simulation                 |
| UARTSIM                    |
| Exercise!                  |
| Hardware                   |
| Conclusion                 |

Beginners often struggle to understand how the transmitter and receiver can get out of synch during induction

- This gives them no end of trouble
- This doesn't happen in a bounded check, but
- A bounded check can't handle 10 periods of 868 clocks
- Induction is the key to verifying our contract
- Several extra assertions were required to get there

Synchronizing the two modules is key to success

- We'll discuss cover() next
- Then you should be able to finish the proof

## G Cover

Lesson Overview Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction Properties Induction ▷ Cover Formal Exercise Simulation UARTSIM Exercise! Hardware Conclusion

### We should cover our solution as well

But how shall we cover something that takes 10 \* 868 clocks? Solution: Lower the clocks per baud, but just for cover

This can be done in the SymbiYosys file

```
Lesson Overview
Design Goal
Receiver FSM
Baud counter
Receiver State
Return Data
Formal Verification
Formal Contract
Induction Properties
Induction
\triangleright Cover
Formal Exercise
Simulation
UARTSIM
Exercise!
Hardware
Conclusion
```

Remember tasks?

You can use tasks to selectively adjust parameter values

```
[tasks]
cvr
prf
[options]
prf: mode prove
cvr: mode cover
cvr: depth 192
prf: depth
             4
[script]
read -formal f txuart.v
read -formal rxuart.v
cvr: hierarchy -top rxuart
        -chparam CLOCKS_PER_BAUD 8
prep -top rxuart
```

```
Lesson Overview
Design Goal
Receiver FSM
Baud counter
Receiver State
Return Data
Formal Verification
Formal Contract
Induction Properties
Induction
\triangleright Cover
Formal Exercise
Simulation
UARTSIM
Exercise!
Hardware
Conclusion
```

```
Remember tasks?
```

You can use tasks to selectively adjust parameter values

|                 | [tasks]                                                                                                                |
|-----------------|------------------------------------------------------------------------------------------------------------------------|
|                 | cvr                                                                                                                    |
|                 | <pre>prf [options] prf: mode prov</pre> This changes our CLOCKS_PER_BAUD pa- rameter to 8, but only for our cover task |
|                 | cvr: <b>mode</b> cover                                                                                                 |
|                 | cvr: <b>depth</b> 192                                                                                                  |
|                 | prf: depth 4                                                                                                           |
|                 | [script]                                                                                                               |
|                 | read -formal f_txuart.v                                                                                                |
|                 | read -formal rxuart.v                                                                                                  |
|                 | cvr: hierarchy —top rxuart \                                                                                           |
| $\triangleleft$ | -chparam CLOCKS_PER_BAUD 8                                                                                             |
|                 | prep -top rxuart                                                                                                       |

```
Lesson Overview
Design Goal
Receiver FSM
Baud counter
Receiver State
Return Data
Formal Verification
Formal Contract
Induction Properties
Induction
\triangleright Cover
Formal Exercise
Simulation
UARTSIM
Exercise!
Hardware
Conclusion
```

Remember tasks?

You can use tasks to selectively adjust parameter values

| [tasks]                                                                                   |
|-------------------------------------------------------------------------------------------|
| cvr                                                                                       |
| prf[options]prf: mode provThis adjusts our depth to 192, but againonly for the cover task |
| cvr: <b>mode</b> cover                                                                    |
| cvr: <b>depth</b> 192                                                                     |
| prf <b>depth</b> 4                                                                        |
| [script]                                                                                  |
| read -formal f_txuart.v                                                                   |
| read -formal rxuart.v                                                                     |
| cvr: hierarchy —top rxuart $\setminus$                                                    |
| -chparam CLOCKS_PER_BAUD 8                                                                |
| prep -top rxuart                                                                          |

### **G**<sup>T</sup> Cover Properties

```
Lesson Overview
Design Goal
Receiver FSM
Baud counter
Receiver State
Return Data
Formal Verification
Formal Contract
Induction Properties
Induction
▷ Cover
Formal Exercise
Simulation
UARTSIM
Exercise!
Hardware
Conclusion
```

What might we want to cover?

A successful result

A second successful result? Two 8'hf9s received in a row?

```
initial f_first_hit = 1'b0;
always @(posedge i_clk)
if ((o_wr)&&(o_data == 8'hf9));
       f_first_hit <= 1'b1;
always @(posedge i_clk)
```

| Lesson Overview      |
|----------------------|
| Design Goal          |
| Receiver FSM         |
| Baud counter         |
| Receiver State       |
| Return Data          |
| Formal Verification  |
| Formal Contract      |
| Induction Properties |
| Induction            |
| ▷ Cover              |
| Formal Exercise      |
| Simulation           |
| UARTSIM              |
| Exercise!            |
| Hardware             |
| Conclusion           |
|                      |

### Cover is important, don't skip it!

- Using cover() on this project, I discovered a bug in our transmitter
- The transmitter should be able to transmit two characters in 20\*CLOCKS\_PER\_BAUD
- Our original transmitter took one clock too long
  - Two characters took  $20*CLOCKS\_PER\_BAUD+1$  at first
- I found the bug by examining the cover trace

You now know enough to finish the rest of the formal proof on your own

### **G** Formal Exercise

```
Lesson Overview
Design Goal
Receiver FSM
Baud counter
Receiver State
Return Data
Formal Verification
Formal Contract
Induction Properties
Induction
Cover
Eormal Exercise
Simulation
UARTSIM
Exercise!
Hardware
```

Conclusion

Formally verify that your receiver works!

As always, some bugs have been hidden in the example code

Then, make it better

Create a register called zero\_baud\_counter

reg zero\_baud\_counter;

Make it change on @(posedge i\_clk) clock only
 Verify that it is true only if baud\_counter == 0

You may start with the (mostly correct) receiver in exercise 9

### **G** Formal Exercise

| Lesson Overview      |
|----------------------|
| Design Goal          |
| Receiver FSM         |
| Baud counter         |
| Receiver State       |
| Return Data          |
| Formal Verification  |
| Formal Contract      |
| Induction Properties |
| Induction            |
| Cover                |
| ▷ Formal Exercise    |
| Simulation           |
| UARTSIM              |
| Exercise!            |
| Hardware             |
| Conclusion           |

Question for thought:

- Imagine you wanted to build a receiver that could handle multiple baud rates
  - For example, all 24-bit divisions of your clock rate
- How would you verify such a receiver?

### **G** Simulation

Lesson Overview Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction Properties Induction Cover Formal Exercise  $\triangleright$  Simulation UARTSIM Exercise! Hardware Conclusion

Simulation outline

- We'll read from one file
- "Transmit" the data to our serial port
  - The UARTSIM accepts data to transmit on STDIN
- $\hfill\square$  Read the results from the port
  - We'll dump these out STDOUT, and
- Verify the result matches the original file

```
Lesson Overview
Design Goal
Receiver FSM
Baud counter
Receiver State
Return Data
Formal Verification
Formal Contract
Induction Properties
Induction
Cover
Formal Exercise
Simulation
▷ UARTSIM
Exercise!
Hardware
Conclusion
```

Let's dig into this UART Co-simulator

- Anytime we are idle,
- Check for a character to transmit on STDIN

```
if (m_tx_state == TXIDLE) {
    ch = getchar();
    // ...
```

- Problem: this will hang our simulation if no character is available
- We need to check if there's a character available first
- But without stopping if not

Lesson Overview Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction Properties Induction Cover Formal Exercise Simulation ▷ UARTSIM Exercise! Hardware Conclusion

```
The poll () system call provides what we need
```

```
if (m_tx_state == TXIDLE) {
        struct pollfd
                       pb:
        pb.fd = STDIN_FILENO;
        pb.events = POLLIN;
        if (poll(&pb, 1, 0) < 0)
                 perror("Polling_error:");
          (pb.revents & POLLIN) {
        if
                char
                         buf[1];
                nr=read(STDIN_FILENO, buf, 1);
                 if (1 == nr) {
                // ...
```

- This solves the hanging problem
- Now we just need to transmit the character to our receiver

```
Lesson Overview
Design Goal
Receiver FSM
Baud counter
Receiver State
Return Data
Formal Verification
Formal Contract
Induction Properties
Induction
Cover
Formal Exercise
Simulation
▷ UARTSIM
Exercise!
Hardware
Conclusion
```

The transmit logic follows what we've rehearsed already

- On new data, set two shift registers
  - One containing the data plus a stop bit
  - One containing a bit mask of 10 busy intervals (One interval is implied, so 0x1ff)
  - Then clear the start bit and start a baud counter

```
if (m_tx_state == TXIDLE) {
    // on start
    m_tx_data = 0x100 | (buf[0]&0x0ff);

    m_tx_busy = 0x1ff; // Busy reg
    m_tx_state = TXDATA; // New state
    o_rx = 0; // Clear UART signal
    m_tx_baudcounter = m_baud_counts-1;
```

```
Lesson Overview
Design Goal
Receiver FSM
Baud counter
Receiver State
Return Data
Formal Verification
Formal Contract
Induction Properties
Induction
Cover
Formal Exercise
Simulation
▷ UARTSIM
Exercise!
Hardware
Conclusion
```

The transmit logic follows what we've rehearsed already

- Whenever our timer runs out
  - Shift everything over, and
  - Restart the counter

```
} else if (m_tx_baudcounter <= 0) {
    m_tx_data >>= 1;
    m_tx_busy >>= 1;
    m_tx_baudcounter = m_baud_counts-1;
    o_rx = m_tx_data&1;
```

But ... how do we leave this loop?

```
Lesson Overview
Design Goal
Receiver FSM
Baud counter
Receiver State
Return Data
Formal Verification
Formal Contract
Induction Properties
Induction
Cover
Formal Exercise
Simulation
▷ UARTSIM
Exercise!
Hardware
Conclusion
```

The transmit logic follows what we've rehearsed already

Except . . .

- When we are no longer busy, and
- When restarting the last counter

Wait, why is there one less clock on the last step?

```
Lesson Overview
Design Goal
Receiver FSM
Baud counter
Receiver State
Return Data
Formal Verification
Formal Contract
Induction Properties
Induction
Cover
Formal Exercise
Simulation
▷ UARTSIM
Exercise!
Hardware
Conclusion
```

The transmit logic follows what we've rehearsed already

- One less clock on the last step is required because
  - It takes a clock to recognize the idle, and then to
  - Return m\_tx\_state to IDLE

The last piece is simple

```
Lesson Overview
Design Goal
Receiver FSM
Baud counter
Receiver State
Return Data
Formal Verification
Formal Contract
Induction Properties
Induction
Cover
Formal Exercise
Simulation
▷ UARTSIM
Exercise!
Hardware
Conclusion
```

The transmit logic follows what we've rehearsed already

- Finally, if we are not IDLE, then the counter is not zero
  - Decrement the baud counter
  - Return a bit to the simulation

That's the logic in the (simulated) transmitter

## G Verilator TB

| Lesson Overview      |
|----------------------|
| Design Goal          |
| Receiver FSM         |
| Baud counter         |
| Receiver State       |
| Return Data          |
| Formal Verification  |
| Formal Contract      |
| Induction Properties |
| Induction            |
| Cover                |
| Formal Exercise      |
| Simulation           |
| ▷ UARTSIM            |
| Exercise!            |
| Hardware             |
| Conclusion           |
|                      |

### We need a test bench that can

- Create a known input stream into our receiver
  - We can use another psalm.txt file for this
- Produce an output
- Compare the output with the input

The fact that UARTSIM uses stdin will make this problematic

## G The setup



#### 49 / 67

## G Verilator TB

Lesson Overview Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction Properties Induction Cover Formal Exercise Simulation ▷ UARTSIM Exercise! Hardware Conclusion

Let's create two pipes, then split our test bench into two:

- 1. The first process, the parent, will
  - Read the test data from a file
  - Write it into the pipe, sending it to the child's **stdin**
  - Read the results back from the pipe
  - Compare the results with the original file
- 2. The second process will run our simulation
  - Accept data from stdin
  - Write it to the serial port via the UARTSIM
  - Receive the results from the receiver
  - Write the results out to the parent via stdout

It's time to learn about the fork() system call

# GT fork()

Lesson Overview Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction Properties Induction Cover Formal Exercise Simulation ▷ UARTSIM Exercise! Hardware Conclusion

The fork () system call splits a process into two

- One process will be called the parent
  - This process maintains the identity of the original process

The other process is the child

```
if ((child_pid == fork()) != 0) {
    // Code to run in the parent
    // (the original process)
} else {
    // Code to run in the child
}
```

Before we **fork**(), we'll need to create two **pipe**()s to communicate between processes

# GT pipe()

Lesson Overview Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction Properties Induction Cover Formal Exercise Simulation ▷ UARTSIM Exercise! Hardware Conclusion

The **pipe**() system call creates a pipe

We'll need two: one for each direction

We'll replace the child's stdin/stdout with these pipes

The parent will thus control the child's stdin/stdout

# GT pipe()

Lesson Overview Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction Properties Induction Cover Formal Exercise Simulation ▷ UARTSIM Exercise! Hardware Conclusion

The **pipe**() system call creates a unidirectional pipe

- Data written to childs\_stdin [1] can be read from childs\_stdin [0], same for childs\_stdout
- □ The parent closes the read end of the childs\_stdin

close(childs\_stdin[0]);

- Only the child will read from this pipe
- The parent also closes the write end of childs\_stdout

close(childs\_stdout[1]);

- Only the child will write to this pipe
- The child will do the opposite

# GT pipe()

Lesson Overview Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction Properties Induction Cover Formal Exercise Simulation ▷ UARTSIM Exercise! Hardware Conclusion

The child also needs to map these pipes to stdin/stdout

- First, map childs\_stdin [0] to stdin
- Done by first closing the file descriptor to be replaced
- Then duplicating the pipe's file descriptor

### close(STDIN\_FILENO); dup(childs\_stdin[0]);

- The duplicated file descriptor naturally replaces the one that was just closed
- We'll repeat this for stdout

close(STDOUT\_FILENO); dup(childs\_stdout[1]);

We can now build and run our test!

## **G**<sup>T</sup> The setup



- These will be inter-process pipes
- The parent's **stdin**/**stdout** will remain unchanged

### G In the parent

Lesson Overview Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction Properties Induction Cover Formal Exercise Simulation ▷ UARTSIM Exercise! Hardware Conclusion

In the parent, we send the message to the slave

```
write(childs_stdin[1], string, flen);
```

### And read it back out

```
rd = read(childs_stdout[0], rdbuf, flen);
for(i=0; i<rd; i++) {
    putchar(rdbuf[i]);
    if (rdbuf[i] != string[i]) {
        fail=i;
            break;
    }
}</pre>
```

Don't forget to check for errors!

## G In the Slave

```
Lesson Overview
Design Goal
Receiver FSM
Baud counter
Receiver State
Return Data
Formal Verification
Formal Contract
Induction Properties
Induction
Cover
Formal Exercise
Simulation
▷ UARTSIM
Exercise!
Hardware
Conclusion
```

The slave's code looks like what we've done with Verilator before

```
First the setup
```

```
// Create a test bench
tb = new TESTB<Vrxuart>;
// Start a VCD trace
tb->opentrace("rxuart.vcd");
// Create a UART simulator
uart = new UARTSIM();
// Set the baud rate
// ...
// and make sure the port starts idle
tb->m_core->i_uart_rx = 1;
```

Now we can build our test

## G In the Slave

```
Lesson Overview
Design Goal
Receiver FSM
                          Baud counter
                          П
Receiver State
Return Data
Formal Verification
Formal Contract
Induction Properties
Induction
Cover
Formal Exercise
Simulation
▷ UARTSIM
Exercise!
Hardware
Conclusion
```

The slave matches what we've done with Verilator before

- First the setup
- Then run the testbench

```
while ((testcount++ < LARGE_NUMBER))
         &&(num_received < flen)) {</pre>
         tb->tick();
         tb \rightarrow m_core \rightarrow i_uart_rx = (*uart)(1);
         // Any time we receive a character
         if (tb->m_core->o_wr) {
                  num_received++;
                  // Send it to stdout, and
                  // thus to the parent via
                  // the pipe
                  putchar(tb->m_core->o_data);
 exit(EXIT_SUCCESS);
```

## **G** Exercise!

Lesson Overview Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction Properties Induction Cover Formal Exercise Simulation UARTSIM  $\triangleright$  Exercise! Hardware Conclusion

Does your component simulation work?

- If not, debug as necessary
- Once you get to real hardware
  - You will no longer have access to every internal signal
    - You might only ever get an LED, sometimes not even that
  - Debugging only gets harder in the next step
  - Many student's have asked, why doesn't my serial port work?
  - The secret they were missing?
    - Avoid debugging on the hardware! Formal first, then simulation, then hardware once the bugs are gone
  - If you know your design works, that will eliminate many possible causes of error in hardware

Lesson Overview Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction Properties Induction Cover Formal Exercise Simulation UARTSIM Exercise!  $\triangleright$  Hardware Conclusion

Let's build a design and get it to work with your hardware



Debugging this design in hardware can be a challenge!

- A lot of things can go wrong–even if our code works
  - Subtle clock differences can be a challenge
  - Terminal setup can be an issue
- We'll can now use the button, the LED, and the UART output to debug
- You should also know how to fully simulate this design

Lesson Overview Design Goal Receiver FSM Baud counter **Receiver State** Return Data Formal Verification Formal Contract Induction Properties Induction Cover Formal Exercise Simulation UARTSIM Exercise!  $\triangleright$  Hardware Conclusion

Common problems include:

- The wrong baud rate
  - You may receive either nothing or perhaps garbage
- Setting hardware flow control (turn it off for now)
  - Nothing comes through at all
- Missing carriage returns
  - You'll see all the data, but it quickly vanishes off the edge of the screen

The message was carefully chosen to use the full 80 character width

This will make it easier to spot missing characters

```
Lesson Overview
Design Goal
Receiver FSM
Baud counter
Receiver State
Return Data
Formal Verification
Formal Contract
Induction Properties
Induction
Cover
Formal Exercise
Simulation
UARTSIM
Exercise!
\triangleright Hardware
```

Conclusion

### The rarer ugly problem

- One student saw only every other character of the message
- This was traced to a faster transmitter than the receiver
- ... and the following fragile logic

```
always @(*)
begin
    tx_wr = rx_stb;
    tx_data = rx_data;
end
```

If the transmitter was still busy when rx\_stb was true

- It would miss the incoming data
- Remember: o\_wr (rx\_stb above) is only high for a single cycle
- One solution: Adjust your terminal to produce two stop bits

```
Lesson Overview
Design Goal
Receiver FSM
Baud counter
Receiver State
Return Data
Formal Verification
Formal Contract
Induction Properties
Induction
Cover
Formal Exercise
Simulation
UARTSIM
Exercise!
\triangleright Hardware
Conclusion
```

A better solution to the rare but ugly problem

 A register between RX and TX will help smooth over subtle clock rate differences

Can you see any lingering problems with this solution?

## **G** Debugging

```
Lesson Overview
Design Goal
Receiver FSM
Baud counter
Receiver State
Return Data
Formal Verification
Formal Contract
Induction Properties
Induction
Cover
Formal Exercise
Simulation
UARTSIM
Exercise!
\triangleright Hardware
Conclusion
```

You can also set the LED on some internal condition:

```
\square if (rx_stb) for example, or
```

 $\square$  if (rx\_stb && (rx\_data == 'P')) as another

 This can help determine if your problem is a transmitter or receiver issue

## **G** Debugging

| Lesson Overview      |  |
|----------------------|--|
| Design Goal          |  |
| Receiver FSM         |  |
| Baud counter         |  |
| Receiver State       |  |
| Return Data          |  |
| Formal Verification  |  |
| Formal Contract      |  |
| Induction Properties |  |
| Induction            |  |
| Cover                |  |
| Formal Exercise      |  |
| Simulation           |  |
| UARTSIM              |  |
| Exercise!            |  |
| ▷ Hardware           |  |
| Conclusion           |  |

You can also use our transmit word design, txdata:

Using our button counter design, you can replace the transmitters output with any (useful) internal 32-bit value
 You did test the transmitter design and get it running, right?
 You should be able to guess and confirm potential problems
 This includes finding the cause of any missing characters
## **G** Debugging

| Lesson Overview           |  |
|---------------------------|--|
| Design Goal               |  |
| Receiver FSM              |  |
| Baud counter              |  |
| Receiver State            |  |
| Return Data               |  |
| Formal Verification       |  |
| Formal Contract           |  |
| Induction Properties      |  |
| Induction                 |  |
| Cover                     |  |
| Formal Exercise           |  |
| Simulation                |  |
| UARTSIM                   |  |
| Exercise!                 |  |
| $\triangleright$ Hardware |  |

Conclusion

Other means of debugging include:

- Sending internal logic wires to external ports
  - And examining them with logic analyzer, oscilloscope, or even another FPGA
- Connecting your device to another serial port / terminal
  Swapping USB cables
  - Much to my surprise, USB cables can and do break
  - If things aren't working, don't forget to try another cable
    - That this solution works sometimes has surprised more than one skeptic designer

## G Conclusion

| Lesson Overview             |
|-----------------------------|
| Design Goal                 |
| Receiver FSM                |
| Baud counter                |
| Receiver State              |
| Return Data                 |
| Formal Verification         |
| Formal Contract             |
| Induction Properties        |
| Induction                   |
| Cover                       |
| Formal Exercise             |
| Simulation                  |
| UARTSIM                     |
| Exercise!                   |
| Hardware                    |
| $\triangleright$ Conclusion |

## What did we learn this lesson?

- How to build and verify a serial port receiver
  - How to connect a formal-only transmitter to check if the receiver truly does work
  - A serial port requiring 868 clocks per baud will take 8,680 clocks per character. With induction, we can verify the serial port in less than 5 clocks
- How to build a simulated serial port transmitter
  - How to control items sent to the serial port co-simulator via stdin and stdout
- How important the fundamentals are to hardware debugging
  - Counters, LEDs, Buttons, hex data output, etc.