0% found this document useful (0 votes)

3 views553 pages

Class Verilog

Uploaded by

chetan.jeerankalagi.2002

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

3 views553 pages

Class Verilog

Uploaded by

chetan.jeerankalagi.2002

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 553

An Introduction to

Formal Methods

Gisselquist Daniel E. Gisselquist, Ph.D.

Technology, LLC
Lessons
Ź Welcome Day one
Motivation
1. Motivation
Basics
2. Basic Operators
Clocked and $past

k Induction
3. Clocked Operators
Bus Properties
4. Induction
Free Variables 5. Bus Properties
Abstraction
Day two
Invariants

Multiple-Clocks 6. Free Variables

Cover 7. Abstraction
Sequences 8. Invariants
Quizzes 9. Multiple-Clocks
10. Cover
11. Sequences
12. Final Thoughts

2 / 462
Course Structure
Ź Welcome ˝ We’ll be primarily using the immediate assertion subset of the
Motivation full SystemVerilog assertion language
Basics
– It’s easier to understand
Clocked and $past

k Induction
– Concurrent assertions are built on top of immediate
Bus Properties
assertions under the hood
Free Variables
˝ Each lesson will be followed by an exercise
Abstraction
There are 12 exercises
Invariants
˝ My goal is to have 50% lecture, 50% exercises
Multiple-Clocks
˝ Leading up to building a bus arbiter
Cover

Sequences
and testing an synchronous FIFO
Quizzes

3 / 462
Welcome

Ź Motivation
Intro

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables Motivation

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

4 / 462
Lesson Overview
Welcome 1. Why are you here?
Motivation 2. What can I provide?
Ź Intro
3. What have I learned from formal methods?
Basics

Clocked and $past Our Objectives

k Induction

Bus Properties
˝ Get to know a little bit about each other
Free Variables ˝ Motivate further discussion
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

5 / 462
Your expectations
Welcome What do you want to learn and get out of this course?
Motivation
Ź Intro

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

6 / 462
From an ARM dev.
Welcome ˝ “I think the main difference between FPGA and ASIC
Motivation development is the level of verification you have to go
Ź Intro
through. Shipping a CPU or GPU to Samsung or whoever,
Basics
and then telling them once they’ve taped out that you have a
Clocked and $past

k Induction
Cat1 bug that requires a respin is going to set them back
Bus Properties
$1M per mask.
Free Variables ˝ “. . . But our main verification is still done with constrained
Abstraction random test benches written in SV.
Invariants ˝ “Overall, you are looking at 50 man years per project
Multiple-Clocks minimum for an average project size.”
Cover

Sequences

Quizzes

7 / 462
Would not exist
Welcome “If we would not do formal verification, we would
Motivation no longer exist.”
Ź Intro

Basics
– Shahar Ariel, now the former Head of VLSI design at Mellanox
Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

8 / 462
Pentium FDIV
Welcome One little mistake . . .
Motivation
Ź Intro

Basics

Clocked and $past . . . $475M later.

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

9 / 462
Personal Experience
Welcome I have proven such things as,
Motivation
Ź Intro
˝ Formal bus properties (Wishbone, Avalon, AXI, etc.)
Basics ˝ Bus bridges (WB-AXI, Avalon-WB)
Clocked and $past ˝ AXI DMA’s, firewalls, crossbars
k Induction ˝ Prefetches, cache controllers, memory controllers, MMU
Bus Properties ˝ SPI slaves and masters
Free Variables
˝ UART, both TX and RX
Abstraction
˝ FIFO’s, signal processing flows, FFT
Invariants
˝ Display (VGA) Controller
Multiple-Clocks
˝ Flash controllers
Cover

Sequences
˝ Formal proof of the ZipCPU
Quizzes

10 / 462
Some Examples
Welcome I’ve found bugs in things I thought were working.
Motivation
Ź Intro
1. FIFO
Basics 2. Pre-fetch and Instruction cache
Clocked and $past 3. SDRAM
k Induction 4. A peripheral timer
Bus Properties Just how hard can a timer be to get right? It’s just a
Free Variables
counter!
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

11 / 462
Ex: FIFO
Welcome ˝ It worked in my test bench
Motivation ˝ Failed when reading and writing on the same clock while
Ź Intro
empty
Basics

Clocked and $past – Write first then read worked

k Induction
– R+W on full FIFO is okay
Bus Properties
– R+W on an empty FIFO
Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

12 / 462
Ex: FIFO
Welcome ˝ It worked in my test bench
Motivation ˝ Failed when reading and writing on the same clock while
Ź Intro
empty
Basics

Clocked and $past – Write first then read worked

k Induction
– R+W on full FIFO is okay
Bus Properties
– R+W on an empty FIFO . . . not so much
Free Variables

Abstraction ˝ My test bench didn’t check that, formal did

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

12 / 462
Ex: Prefetch
Welcome ˝ It worked in my test bench
Motivation ˝ Ugliest bug I ever came across was in the prefetch cache
Ź Intro
It passed test-bench muster, but failed in the hardware with a
Basics
strange set of symptoms
Clocked and $past
˝ When I learned formal, it was easy to prove that this would
k Induction

Bus Properties
never happen again.
Free Variables ˝ Low logic has always been one of my goals.
Abstraction Always asking, “will it work if I get rid of this condition?”
Invariants Formal helps to answer that question for me.
Multiple-Clocks

Cover

Sequences

Quizzes

13 / 462
Ex: SDRAM
Welcome ˝ It worked in my test bench
Motivation ˝ It passed my hardware testing
Ź Intro

Basics – Test S/W: Week+, no bugs

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

14 / 462
Ex: SDRAM
Welcome ˝ It worked in my test bench
Motivation ˝ It passed my hardware testing
Ź Intro

Basics – Test S/W: Week+, no bugs

Clocked and $past – Formal methods found the bug
k Induction – Full proof took less than ă 30 min
Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

14 / 462
Ex: SDRAM
Welcome ˝ It worked in my test bench
Motivation ˝ It passed my hardware testing
Ź Intro
˝ Background
Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

15 / 462
Ex: SDRAM
Welcome ˝ It worked in my test bench
Motivation ˝ It passed my hardware testing
Ź Intro
˝ Background
Basics

Clocked and $past – SDRAM’s are organized into separate banks, each having
k Induction rows and columns
Bus Properties – A row must be “activated” before it can be used.
Free Variables
– The controller must keep track of which row is activated.
Abstraction
– If a request comes in for a row that isn’t activated, the
Invariants
active row must be deactivated, and the proper row must
Multiple-Clocks
be activated.
Cover

Sequences ˝ A subtle bug in my SDRAM controller compared the active

Quizzes row address against the immediately previous (1-clock ago)
required row address, not the currently requested address.
This bug had lived in my design for years. Formal methods
caught it.

15 / 462
Problem with Test Benches
Welcome

Motivation
Ź Intro

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
˝ Only examines a known good branch
Quizzes
˝ Cannot check for every out of bounds conditions

16 / 462
Problem with Test Benches
Welcome ˝ Demonstrate design works
Motivation ˝ Through a normal working path
Ź Intro

Basics – or a limited number of extraneous paths

Clocked and $past
˝ Never rigorous enough to check everything
k Induction
˝ Not uniform in rigour
Bus Properties

Free Variables For the FIFO,

Abstraction

Invariants
˝ I only read when I knew it wasn’t empty
Multiple-Clocks For the Prefetch,
Cover

Sequences
˝ I never tested jumping to the last location in a cache line
Quizzes For the SDRAM,
˝ The error was so obscure, it would be hard to trigger

17 / 462
Before Formal
Welcome This was my method before starting to work with formal.
Motivation
Ź Intro
˝ After . . .
Basics
– Proving my design with test
Clocked and $past
benches
k Induction
– Directed simulation
Bus Properties

Free Variables ˝ I was still chasing bugs in hard-

Abstraction ware
Invariants

Multiple-Clocks I still use this approach for DSP al-

Cover gorithms.
Sequences

Quizzes

18 / 462
Design Approach
Welcome

Motivation
Ź Intro

Basics

Clocked and $past ˝ After finding the bug in my

k Induction FIFO . . . I was hooked.
Bus Properties
˝ Rebuilding everything
Free Variables
. . . now using formal
Abstraction
˝ Formal found more bugs
Invariants

Multiple-Clocks
. . . in example after example
Cover
˝ I’m hooked!
Sequences

Quizzes

19 / 462
When to use it?
Welcome

Motivation
Ź Intro

Basics

Clocked and $past

k Induction
˝ Bus component
Bus Properties
I would not build a bus compo-
Free Variables nent without formal any more
Abstraction ˝ Multiplies
Invariants Formal struggles with multipli-
Multiple-Clocks cation
Cover

Sequences

Quizzes

20 / 462
Welcome

Motivation

Ź Basics
Basics
General Rule
Assert
Assume
BMC
Ex: Counter
Formal Verification
Sol’n

Clocked and $past

k Induction
Basics: assert and assume
Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

21 / 462
Lesson Overview
Welcome Let’s start at the beginning, and look at the very basics of formal
Motivation verification.
Basics Our Objective:
Ź Basics
General Rule ˝ To learn the basic two operators used in formal verification,
Assert
Assume
BMC
– assert()
Ex: Counter – assume()
Sol’n

Clocked and $past ˝ To understand how these affect a design from a state space
k Induction perspective
Bus Properties ˝ We’ll also look at several examples
Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

22 / 462
Basic Premise
Welcome Formal methods are built around looking for redundancies.
Motivation
˝ Basic difference between mediocre and excellent:
Basics
Ź Basics Double checking your work
General Rule ˝ Two separate and distinct fashions
Assert
Assume
BMC
– First method calculates the answer
Ex: Counter – Second method proved it was right
Sol’n

Clocked and $past ˝ Example: Division

k Induction
– 89, 321{499 “ 179
Bus Properties
– Does it? Let’s check: 179 ˚ 499 “ 89, 321 — Yes
Free Variables

Abstraction ˝ Formal methods are similar

Invariants
– Your design is the first method
Multiple-Clocks

Cover
– Formal properties describe the second
Sequences

Quizzes

23 / 462
Basic Operators
Welcome Let’s start with the two basic operators
Motivation
1. assume()
Basics
Ź Basics An assume(X) statement will limit the state space that the
General Rule formal verification engine examines.
Assert
Assume 2. assert()
BMC
Ex: Counter
An assert(X) statement indicates that X must be true, or the
Sol’n design will fail to prove.
Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

24 / 462
Two basic forms
Welcome always @ ( ∗ )
Motivation assert (X ) ;
Basics
Ź Basics
// Use when y o u r p r o p e r t y h a s c l o c k d e p e n d e n c i e s ,
General Rule
Assert // s u c h a s r e f e r e n c i n g an i t e m s v a l u e i n t h e p a s t
Assume always @ ( posedge clk )
BMC
Ex: Counter assert (X ) ;
Sol’n

Clocked and $past As an example,

k Induction
always @ ( ∗ )
Bus Properties
a s s e r t ( counter < 2 0 ) ;
Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

25 / 462
General Rule
Welcome

Motivation

Basics
Basics
Ź General Rule
Assert
Assume
BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

26 / 462
Assert
Welcome

Motivation

Basics
Basics
General Rule
Ź Assert
Assume
BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction ˝ Assertions define the illegal state space.

Invariants
˝ Additional assertions will increase the size of the illegal state
Multiple-Clocks
space.
Cover

Sequences

Quizzes

27 / 462
Assume
Welcome

Motivation

Basics
Basics
General Rule
Assert
Ź Assume
BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction ˝ Assumptions limit the universe of all possibilities

Invariants
˝ Additional assumptions will decrease the size of the total
Multiple-Clocks
state space
Cover
˝ Caution: One careless assumption can void the proof
Sequences

Quizzes

28 / 462
The Careless Assumption
Welcome reg [15:0] counter ;
Motivation

Basics i n i t i a l counter = 0 ;
Basics
General Rule
always @ ( posedge clk )
Assert counter <= counter + 1 ’ b1 ;
Ź Assume
BMC
Ex: Counter always @ ( ∗ )
Sol’n begin
Clocked and $past a s s e r t ( counter <= 1 0 0 ) ;
k Induction assume ( counter <= 9 0 ) ;
Bus Properties end
Free Variables

Abstraction Question: Will counter ever reach 120?

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

29 / 462
restrict vs assume
Welcome restrict () is very similar to assume()
Motivation

Basics
Basics
Operator Formal Verification Traditional Simulation
General Rule
Assert
restrict () Restricts search Ignored
Ź Assume assume() space Halts simulation
BMC
Ex: Counter assert() Illegal state with an error
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

30 / 462
restrict vs assume
Welcome restrict () is very similar to assume()
Motivation

Clocked and $past

k Induction ˝ restrict () : Like assume(X), it also limits the state space

Bus Properties ˝ But in a traditional simulation . . .
Free Variables

Abstraction
– restrict () is ignored
Invariants
– assume() is turned into an assert()
Multiple-Clocks

Cover

Sequences

Quizzes

30 / 462
Bounded Model Checking
Welcome

Motivation

Basics
Basics
General Rule
Assert
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables
For bounded model checking,
Abstraction

Invariants 1. Start at the initial state

Multiple-Clocks 2. Examine all possible states for N clocks
Cover
3. Try to find a way to make an assert (); fail
Sequences
4. If it’s not possible in N clocks, then pass
Quizzes

31 / 462
No Solution
Welcome

Motivation

Basics
Basics
General Rule
Assert
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Problem: initial assume(!initial_state);
Invariants
Model fails, no line number given.
Multiple-Clocks

Cover

Sequences

Quizzes

32 / 462
No Solution
Welcome

Motivation

Basics
Basics
General Rule
Assert
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Problem: assume(!reachable_state);
Invariants
Model fails, no line number given.
Multiple-Clocks

Cover

Sequences

Quizzes

33 / 462
Further thoughts
Welcome Unlike the rest of your digital design, formal properties . . .
Motivation
˝ don’t need to meet timing
Basics
Basics ˝ don’t need to meet a minimum logic requirement
General Rule
Assert We’ll discuss this more as we go along.
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

34 / 462
Example Bus Slave
Welcome Here’s an example of a bus slave
Motivation

Basics
Basics
General Rule
Assert
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover
˝ Inputs are assumed
Sequences
˝ Outputs are asserted
Quizzes

35 / 462
Example Bus Master
Welcome Question: How would a bus master be different?
Motivation

Basics
Basics
General Rule
Assert
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

36 / 462
Example Bus Master
Welcome Question: How would a bus master be different?
Motivation

Basics
Basics
General Rule
Assert
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks The slave’s outputs are the master’s inputs

Cover
˝ assume() the inputs from the slave
Sequences
˝ assert() the outputs from the master
Quizzes

36 / 462
Internal Bus
Welcome Question: What if both slave and master signals were part of the
Motivation same design?
Basics
Basics
General Rule
Assert
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

37 / 462
Internal Bus
Welcome Question: What if both slave and master signals were part of the
Motivation same design?
Basics
Basics
General Rule
Assert
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks ˝ All of the wires are now internal

Cover ˝ They should therefore be assert() ed
Sequences

Quizzes

37 / 462
Serial Port Transmitter
Welcome ˝ Whenever the serial port is idle, the output line should be
Motivation high
Basics
Basics i f ( state == IDLE )
General Rule a s s e r t ( o_uart_tx ) ;
Assert
Assume
Ź BMC ˝ Whenever the serial port is not idle, busy should be high
Ex: Counter
Sol’n i f ( state != IDLE )
Clocked and $past a s s e r t ( o_busy ) ;
k Induction else
Bus Properties a s s e r t ( ! o_busy ) ;
Free Variables

Abstraction ˝ The design can only ever be in a valid state

Invariants
a s s e r t ( ( state <= TXUL_STOP )
Multiple-Clocks
| | ( state == TXUL_IDLE ) ) ;
Cover

Sequences

Quizzes

38 / 462
Bus Arbiter
Welcome ˝ Arbiter cannot grant both A and B access
Motivation
always @ ( ∗ )
Basics
Basics
a s s e r t ( ( ! grant_A ) | | ( ! grant_B ) ) ;
General Rule
Assert ˝ While one has access, the other must be stalled
Assume
Ź BMC
always @ ( ∗ )
Ex: Counter
Sol’n i f ( grant_A )
Clocked and $past a s s e r t ( stall_B ) ;
k Induction

Bus Properties always @ ( ∗ )

Free Variables i f ( grant_B )
Abstraction a s s e r t ( stall_A ) ;
Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

39 / 462
Bus Arbiter
Welcome ˝ While one is stalled, its outstanding requests must be zero
Motivation
always @ ( ∗ )
Basics
Basics
i f ( grant_A )
General Rule begin
Assert
a s s e r t ( f_nreqs_B == 0 ) ;
Assume
Ź BMC a s s e r t ( f_nacks_B == 0 ) ;
Ex: Counter a s s e r t ( f_outstanding_B == 0 ) ;
Sol’n
end
Clocked and $past

k Induction

Bus Properties I use the prefix f_ to indicate a variable that is

Free Variables
˝ Not part of the design
Abstraction
˝ But only used for Formal Verification
Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

40 / 462
Avalon bus
Welcome ˝ Avalon bus: will never issue a read and write request at the
Motivation same time
Basics
Basics always @ ( ∗ )
General Rule assume ( ( ! i_av_read ) | | ( ! i_av_write ) ) ;
Assert
Assume
Ź BMC ˝ The bus is initially idle
Ex: Counter
Sol’n initial assume ( ! i_av_read ) ;
Clocked and $past initial assume ( ! i_av_write ) ;
k Induction initial assume ( ! i_av_lock ) ;
Bus Properties initial a s s e r t ( ! o_av_readdatavalid ) ;
Free Variables initial a s s e r t ( ! o_av_writeresponsevalid ) ;
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

41 / 462
Avalon bus
Welcome ˝ Cannot respond to both read and write in the same clock
Motivation
always @ ( ∗ )
Basics
Basics
assume ( ( ! i_av_readdatavalid )
General Rule | | ( ! i_av_writeresponsevalid ) ) ;
Assert
Assume
Ź BMC Remember ! (A&&B) is equivalent to (!A )||(! B)
Ex: Counter ˝ Cannot respond if no request is outstanding
Sol’n

Clocked and $past always @ ( ∗ )

k Induction begin
Bus Properties i f ( f_wr_outstanding == 0 )
Free Variables a s s e r t ( ! o_av_writeresponsevalid ) ;
Abstraction i f ( f_rd_outstanding == 0 )
Invariants a s s e r t ( ! o_av_readdatavalid ) ;
Multiple-Clocks end
Cover

Sequences

Quizzes

42 / 462
Wishbone
Welcome ˝ o_STB can only be high if o_CYC is also high
Motivation
always @ ( ∗ )
Basics
Basics
i f ( o_STB )
General Rule a s s e r t ( o_CYC ) ;
Assert
Assume
Ź BMC ˝ Count the number of outstanding requests:
Ex: Counter
Sol’n assign f_outstanding = ( i_reset ) ? 0
Clocked and $past : f_nreqs ´ f_nacks ;
k Induction

Bus Properties ˝ Acks can only respond to valid requests

Free Variables
i f ( f_outstanding == 0 )
Abstraction
assume ( ! i_wb_ack ) ;
Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

43 / 462
Wishbone
Welcome ˝ Well, what if a request is being made now?
Motivation
i f ( ( f_outstanding == 0 )
Basics
Basics
&&((! o_wb_stb ) | | ( i_wb_stall ) ) )
General Rule assume ( ! i_wb_ack ) ;
Assert
Assume
Ź BMC ˝ If not within a bus request, the ACK and ERR lines must be
Ex: Counter low
Sol’n

Clocked and $past i f ( ! o_CYC )

k Induction begin
Bus Properties assume ( ! i_ACK ) ;
Free Variables assume ( ! i_ERR ) ;
Abstraction end
Invariants

Multiple-Clocks ˝ Following any reset, the bus will be idle

Cover ˝ Requests remain unchanged until accepted
Sequences

Quizzes

44 / 462
Cache
Welcome Want a guarantee that the cache response is consistent?
Motivation
˝ A valid cache entry must ...
Basics
Basics
always @ ( posedge i_clk )
General Rule
Assert i f ( o_valid )
Assume begin
Ź BMC
// Be marked v a l i d i n t h e c a c h e
Ex: Counter
Sol’n a s s e r t ( cache_valid [ f_addr [ CW ´1: LW ] ] ) ;
Clocked and $past // Have t h e same c a c h e t a g a s a d d r e s s
k Induction a s s e r t ( f_addr [ AW ´1: LW ] ==
Bus Properties cache_tag [ f_addr [ CW ´1: LW ] ] ) ;
Free Variables // Match t h e v a l u e i n t h e c a c h e
Abstraction a s s e r t ( o_data ==
Invariants cache_data [ f_addr [ CW ´ 1 : 0 ] ) ;
Multiple-Clocks // Must be i n r e s p o n s e t o a v a l i d
Cover
// r e q u e s t
Sequences
a s s e r t ( waiting_requests != 0 ) ;
Quizzes
end

45 / 462
Multiply
Welcome Consider a multiply
Motivation
˝ Just because an algorithm doesn’t meet timing
Basics
Basics
General Rule
Assert
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

46 / 462
Multiply
Welcome Consider a multiply
Motivation
˝ Just because an algorithm doesn’t meet timing, or
Basics
Basics ˝ Just because it take up logic your FPGA doesn’t have
General Rule
Assert
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

46 / 462
Multiply
Welcome Consider a multiply
Motivation
˝ Just because an algorithm doesn’t meet timing, or
Basics
Basics ˝ Just because it take up logic your FPGA doesn’t have,
General Rule doesn’t mean you can’t use it now
Assert
Assume
Ź BMC
always @ ( posedge i_clk )
Ex: Counter begin
Sol’n f_answer = 0 ;
Clocked and $past f o r ( k=0; k<NA ; k=k+1)
k Induction begin
Bus Properties i f ( i_a [ k ] )
Free Variables f_answer = f_answer + ( i_b<<k ) ;
Abstraction end
Invariants

Multiple-Clocks a s s e r t ( o_result == f_answer ) ;

Cover end
Sequences

Quizzes

46 / 462
Multiply
Welcome Let’s talk about that multiply some more . . .
Motivation
˝ The one thing formal solver’s don’t handle well is multiplies
Basics
Basics
General Rule
Assert
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

47 / 462
Multiply
Welcome Let’s talk about that multiply some more . . .
Motivation
˝ The one thing formal solver’s don’t handle well is multiplies
Basics
Basics Abstraction offers alternatives
General Rule
Assert
Assume
Ź BMC
Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

47 / 462
Memory Management Unit
Welcome ˝ For a page result to be valid, it must match the TLB
Motivation
always @ ( ∗ )
Basics
Basics
i f ( last_page_valid )
General Rule begin
Assert
a s s e r t ( tlb_valid [ f_last_page ] ) ;
Assume
Ź BMC a s s e r t ( last_ppage ==
Ex: Counter tlb_pdata [ f_last_page ] ) ;
Sol’n
a s s e r t ( last_vpage ==
Clocked and $past
tlb_vdata [ f_last_page ] ) ;
k Induction
a s s e r t ( last_ro ==
Bus Properties
tlb_flags [ f_last_page ] [ ROFLAG ] ) ;
Free Variables
a s s e r t ( last_exe ==
Abstraction
tlb_flags [ f_last_page ] [ EXEFLG ] ) ;
Invariants a s s e r t ( r_context_word [ LGCTXT ´ 1 : 1 ]
Multiple-Clocks == tlb_cdata [ f_last_page ] ) ;
Cover end
Sequences

Quizzes

48 / 462
SDRAM
Welcome ˝ Writing requires the right row of the right bank to be
Motivation activated
Basics
Basics always @ ( posedge i_clk )
General Rule i f ( ( f_past_valid )&&(! maintenance_mode ) )
Assert
Assume
case ( f_cmd )
Ź BMC // . . .
Ex: Counter
F_WRITE : begin
Sol’n
// R e s p o n s e t o a w r i t e r e q u e s t
Clocked and $past
a s s e r t ( f_we ) ;
k Induction
// Bank i n q u e s t i o n must be a c t i v e
Bus Properties
a s s e r t ( bank_active [ o_ram_bs ] == 3 ’ b111 ) ;
Free Variables
// A c t i v e row must be f o r t h i s a d d r e s s
Abstraction
a s s e r t ( bank_row [ o_ram_bs ]
Invariants
== f_addr [ 2 2 : 1 0 ] ) ;
Multiple-Clocks
// Must be s e l e c t i n g t h e r i g h t bank
Cover
a s s e r t ( o_ram_bs == f_addr [ 9 : 8 ] ) ;
Sequences
end
Quizzes
// . . .
49 / 462
Ex: Counter
Welcome Let’s work through a counter as an example.
Motivation
exercise-01/ Contains two files
Basics
Basics counter.v This will be the HDL source for
General Rule
our demo.
Assert
Assume counter.sby This is the SymbiYosys script
BMC
Ź Ex: Counter
for the demo
Sol’n
Our Objectives:
Clocked and $past

k Induction ˝ Walk through the steps in the tool-flow

Bus Properties ˝ Hands on experience with SymbiYosys
Free Variables ˝ Ensure everyone has a working version of SymbiYosys
Abstraction ˝ Find and fix a design bug
Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

50 / 462
Ex: Counter
Welcome parameter [15:0] MAX_AMOUNT = 2 2 ;
Motivation reg [15:0] counter ;
Basics
Basics
General Rule
always @ ( posedge i_clk )
Assert i f ( ( i_start_signal)&&(counter == 0 ) )
Assume counter <= MAX_AMOUNT ´1’b1 ;
BMC
Ź Ex: Counter e l s e i f ( counter != 0 )
Sol’n counter <= counter ´ 1 ’ b1 ;
Clocked and $past

k Induction always @ ( ∗ )
Bus Properties o_busy = ( counter != 0 ) ;
Free Variables

Abstraction ‘ i f d e f FORMAL
Invariants always @ ( ∗ )
Multiple-Clocks a s s e r t ( counter < MAX_AMOUNT ) ;
Cover ‘endif
Sequences

Quizzes

51 / 462
Example: SymbiYosys
Welcome In the file, exercise-01/counter.sby, you’ll find:
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule
Assert
[ engines ]
Assume
BMC smtbmc
Ź Ex: Counter
Sol’n
[ script ]
Clocked and $past
read ´formal counter . v
k Induction
# . . . o t h e r f i l e s would go h e r e
Bus Properties
prep ´top counter
Free Variables

Abstraction
[ files ]
Invariants counter . v
Multiple-Clocks

Cover

Sequences

Quizzes

52 / 462
Example: SymbiYosys
Welcome In the file, exercise-01/counter.sby, you’ll find:
Motivation
[ options ]
Basics
Basics
mode bmc Bounded model checking mode
General Rule
Assert
[ engines ]
Assume
BMC smtbmc
Ź Ex: Counter
Sol’n
[ script ]
Clocked and $past
read ´formal counter . v
k Induction
# . . . o t h e r f i l e s would go h e r e
Bus Properties
prep ´top counter
Free Variables

Abstraction
[ files ]
Invariants counter . v
Multiple-Clocks

Cover

Sequences

Quizzes

52 / 462
Example: SymbiYosys
Welcome In the file, exercise-01/counter.sby, you’ll find:
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule
Assert
[ engines ]
Assume
BMC smtbmc Run, using yosys-smtbmc
Ź Ex: Counter
Sol’n
[ script ]
Clocked and $past
read ´formal counter . v
k Induction
# . . . o t h e r f i l e s would go h e r e
Bus Properties
prep ´top counter
Free Variables

Abstraction
[ files ]
Invariants counter . v
Multiple-Clocks

Cover

Sequences

Quizzes

52 / 462
Example: SymbiYosys
Welcome In the file, exercise-01/counter.sby, you’ll find:
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule
Assert
[ engines ]
Assume
BMC smtbmc
Ź Ex: Counter
Sol’n
[ script ] Yosys commands
Clocked and $past
read ´formal counter . v
k Induction
# . . . o t h e r f i l e s would go h e r e
Bus Properties
prep ´top counter
Free Variables

Abstraction
[ files ]
Invariants counter . v
Multiple-Clocks

Cover

Sequences

Quizzes

52 / 462
Example: SymbiYosys
Welcome In the file, exercise-01/counter.sby, you’ll find:
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule
Assert
[ engines ]
Assume
BMC smtbmc
Ź Ex: Counter
Sol’n
[ script ]
Clocked and $past
read ´formal counter . v Read file
k Induction
# . . . o t h e r f i l e s would go h e r e
Bus Properties
prep ´top counter
Free Variables

Abstraction
[ files ]
Invariants counter . v
Multiple-Clocks

Cover

Sequences

Quizzes

52 / 462
Example: SymbiYosys
Welcome In the file, exercise-01/counter.sby, you’ll find:
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule
Assert
[ engines ]
Assume
BMC smtbmc
Ź Ex: Counter
Sol’n
[ script ]
Clocked and $past
read ´formal counter . v
k Induction
# . . . o t h e r f i l e s would go h e r e
Bus Properties
prep ´top counter Prepare the file for formal
Free Variables

Abstraction
[ files ]
Invariants counter . v
Multiple-Clocks

Cover

Sequences

Quizzes

52 / 462
Example: SymbiYosys
Welcome In the file, exercise-01/counter.sby, you’ll find:
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule
Assert
[ engines ]
Assume
BMC smtbmc
Ź Ex: Counter
Sol’n
[ script ]
Clocked and $past
read ´formal counter . v
k Induction
# . . . o t h e r f i l e s would go h e r e
Bus Properties
prep ´top counter
Free Variables

Abstraction
[ files ] List of files to be used
Invariants counter . v
Multiple-Clocks

Cover

Sequences

Quizzes

52 / 462
Example: SymbiYosys
Welcome Other usefull yosys commands
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule depth 20
Assert
[ engines ]
Assume
BMC smtbmc yices
Ź Ex: Counter # smtbmc b o o l e c t o r
Sol’n
# smtbmc z3
Clocked and $past
[ script ]
k Induction
read ´formal counter . v
Bus Properties
# . . . o t h e r f i l e s would go h e r e
Free Variables
prep ´top counter
Abstraction
opt_merge ´share_all
Invariants [ files ]
Multiple-Clocks counter . v
Cover

Sequences

Quizzes

53 / 462
Example: SymbiYosys
Welcome Other usefull yosys commands
Motivation
[ options ]
Basics
Basics
mode bmc Other modes: prove, cover, live
General Rule depth 20
Assert
[ engines ]
Assume
BMC smtbmc yices
Ź Ex: Counter # smtbmc b o o l e c t o r
Sol’n
# smtbmc z3
Clocked and $past
[ script ]
k Induction
read ´formal counter . v
Bus Properties
# . . . o t h e r f i l e s would go h e r e
Free Variables
prep ´top counter
Abstraction
opt_merge ´share_all
Invariants [ files ]
Multiple-Clocks counter . v
Cover

Sequences

Quizzes

53 / 462
Example: SymbiYosys
Welcome Other usefull yosys commands
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule depth 20 # of Steps to examine
Assert
[ engines ]
Assume
BMC smtbmc yices
Ź Ex: Counter # smtbmc b o o l e c t o r
Sol’n
# smtbmc z3
Clocked and $past
[ script ]
k Induction
read ´formal counter . v
Bus Properties
# . . . o t h e r f i l e s would go h e r e
Free Variables
prep ´top counter
Abstraction
opt_merge ´share_all
Invariants [ files ]
Multiple-Clocks counter . v
Cover

Sequences

Quizzes

53 / 462
Example: SymbiYosys
Welcome Other usefull yosys commands
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule depth 20
Assert
[ engines ]
Assume
BMC smtbmc yices Yices theorem prover (default)
Ź Ex: Counter # smtbmc b o o l e c t o r
Sol’n
# smtbmc z3
Clocked and $past
[ script ]
k Induction
read ´formal counter . v
Bus Properties
# . . . o t h e r f i l e s would go h e r e
Free Variables
prep ´top counter
Abstraction
opt_merge ´share_all
Invariants [ files ]
Multiple-Clocks counter . v
Cover

Sequences

Quizzes

53 / 462
Example: SymbiYosys
Welcome Other usefull yosys commands
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule depth 20
Assert
[ engines ]
Assume
BMC smtbmc yices
Ź Ex: Counter # smtbmc b o o l e c t o r Other potential solvers
Sol’n
# smtbmc z3
Clocked and $past
[ script ]
k Induction
read ´formal counter . v
Bus Properties
# . . . o t h e r f i l e s would go h e r e
Free Variables
prep ´top counter
Abstraction
opt_merge ´share_all
Invariants [ files ]
Multiple-Clocks counter . v
Cover

Sequences

Quizzes

53 / 462
Example: SymbiYosys
Welcome Other usefull yosys commands
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule depth 20
Assert
[ engines ]
Assume
BMC smtbmc yices
Ź Ex: Counter # smtbmc b o o l e c t o r
Sol’n
# smtbmc z3
Clocked and $past
[ script ]
k Induction
read ´formal counter . v
Bus Properties
# . . . o t h e r f i l e s would go h e r e
Free Variables
prep ´top counter
Abstraction
opt_merge ´share_all We’ll discusss this later
Invariants [ files ]
Multiple-Clocks counter . v
Cover

Sequences

Quizzes

53 / 462
Example: SymbiYosys
Welcome Other usefull yosys commands
Motivation
[ options ]
Basics
Basics
mode bmc
General Rule depth 20
Assert
[ engines ]
Assume
BMC smtbmc yices
Ź Ex: Counter # smtbmc b o o l e c t o r
Sol’n
# smtbmc z3
Clocked and $past
[ script ]
k Induction
read ´formal counter . v
Bus Properties
# . . . o t h e r f i l e s would go h e r e
Free Variables
prep ´top counter
Abstraction
opt_merge ´share_all
Invariants [ files ]
Multiple-Clocks counter . v Full or relative pathnames go here
Cover

Sequences

Quizzes

53 / 462
Running SymbiYosys
Welcome Run: % sby -f counter.sby
Motivation

Basics
Basics
General Rule
Assert
Assume
BMC
Ź Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

54 / 462
Running SymbiYosys
Welcome Run: % sby -f counter.sby
Motivation

Basics
Basics
General Rule
Assert
Assume
BMC
Ź Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

54 / 462
BMC Failed
Welcome Run: % sby -f counter.sby
Motivation

Basics
Basics
General Rule
Assert
Assume
BMC
Ź Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

55 / 462
Where Next
Welcome Look at source line 63, and fire up gtkwave
Motivation

Basics
Basics
General Rule
Assert
Assume
BMC
Ź Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

56 / 462
GTKWave trace.vcd
Welcome Run: % gtkwave counter/engine 0/trace.vcd
Motivation

Basics
Basics
General Rule
Assert
Assume
BMC
Ź Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

57 / 462
Examine the source
Welcome Run: % gvim demo-rtl/counter.v
Motivation What did we do wrong?
Basics
Basics
General Rule
Assert
Assume
BMC
Ź Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

58 / 462
Examine the source
Welcome Run: % gvim demo-rtl/counter.v
Motivation What did we do wrong?
Basics
Basics
General Rule
Assert
Assume
BMC
Ź Ex: Counter
Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes
Did you notice the missing initial statement?

58 / 462
Illegal Initial State
Welcome

Motivation

Basics
Basics
General Rule
Assert
Assume
BMC
Ex: Counter
Ź Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction ˝ Problem: No initial statement

Invariants
˝ Solver finds an invalid initial state
Multiple-Clocks
˝ Model fails
Cover

Sequences

Quizzes

59 / 462
Exercise
Welcome Try adding in the initial statement, will it work?
Motivation

Basics
Basics
General Rule
Assert
Assume
BMC
Ex: Counter
Ź Sol’n

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

60 / 462
Welcome

Motivation

Basics
Clocked and
Ź $past
Past
$past Rule

Clocked and $past

Past Assertions
Past Valid
Examples
Ex: Busy Counter

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

61 / 462
Lesson Overview
Welcome Our Objective:
Motivation
˝ To learn how to make assertions crossing time intervals
Basics

Clocked and $past – $past()

Ź Past
$past Rule ˝ Before the beginning of time
Past Assertions
Past Valid – Assumptions always hold
Examples
Ex: Busy Counter – Assertions rarely hold
k Induction
˝ How to get around this with f_past_valid
Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

62 / 462
The $past operator
Welcome ˝ $past(X) Returns the value of X one clock ago.
Motivation ˝ $past(X,N) Returns the value of X N clocks ago.
Basics ˝ Depends upon a clock
Clocked and $past
Ź Past – This is illegal
$past Rule
Past Assertions
Past Valid
always @ ( ∗ )
Examples i f (X)
Ex: Busy Counter a s s e r t ( Y == $past ( Y ) ) ;
k Induction

Bus Properties No clock is associated with the $past operator.

Free Variables – But you can do this
Abstraction

Invariants
always @ ( posedge clk )
Multiple-Clocks
i f (X)
Cover
a s s e r t ( Y == $past ( Y ) ) ;
Sequences

Quizzes

63 / 462
$past Rule
Welcome

Motivation

Basics

Clocked and $past

Past
Ź $past Rule
Past Assertions
Past Valid
Examples
Ex: Busy Counter

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

64 / 462
Past Assertions
Welcome Let’s modify our counter, by creating some additional properties:
Motivation
always @ ( ∗ )
Basics
assume ( ! i_start_signal ) ;
Clocked and $past
Past
$past Rule always @ ( posedge clk )
Ź Past Assertions
a s s e r t ( $past ( counter == 0 ) ) ;
Past Valid
Examples
Ex: Busy Counter

k Induction
˝ i_start_signal is now never true, so the counter should
Bus Properties always be zero.
Free Variables ˝ assert(counter == 0);
Abstraction This should always be true, since counter starts at zero, and
Invariants is never changed from zero.
Multiple-Clocks ˝ Will assert($past(counter == 0)); succeed?
Cover

Sequences You can find this file in exercise-02/pastassert.v

Quizzes

65 / 462
Past Assertions
Welcome ˝ This fails
Motivation
always @ ( ∗ )
Basics
assume ( ! i_start_signal ) ;
Clocked and $past
Past
$past Rule always @ ( posedge clk )
Ź Past Assertions
a s s e r t ( $past ( counter == 0 ) ) ;
Past Valid
Examples
Ex: Busy Counter

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

66 / 462
Past Assertions
Welcome ˝ This fails
Motivation
always @ ( ∗ )
Basics
assume ( ! i_start_signal ) ;
Clocked and $past
Past
$past Rule always @ ( posedge clk )
Ź Past Assertions
a s s e r t ( $past ( counter == 0 ) ) ;
Past Valid
Examples
Ex: Busy Counter

k Induction
˝ Before time, counter is unconstrained.
Bus Properties
˝ The solver can make it take on any value it wants in order to
Free Variables
make things fail
Abstraction

Invariants
˝ This will not show in the VCD file
Multiple-Clocks

Cover

Sequences

Quizzes

66 / 462
Past Assertions
Welcome ˝ This succeeds
Motivation
always @ ( ∗ )
Basics
assume ( ! i_start_signal ) ;
Clocked and $past
Past
$past Rule always @ ( ∗ )
Ź Past Assertions
a s s e r t ( counter == 0 ) ;
Past Valid
Examples
Ex: Busy Counter

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

67 / 462
Past Assertions
Welcome Let’s try again:
Motivation
always @ ( posedge clk )
Basics
i f ( $past ( i_start_signal ) )
Clocked and $past
Past
a s s e r t ( counter == MAX_AMOUNT ´1’b1 ) ;
$past Rule
Ź Past Assertions This should work, right?
Past Valid
Examples
Ex: Busy Counter

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

68 / 462
Past Assertions
Welcome Let’s try again:
Motivation
always @ ( posedge clk )
Basics
i f ( $past ( i_start_signal ) )
Clocked and $past
Past
a s s e r t ( counter == MAX_AMOUNT ´1’b1 ) ;
$past Rule
Ź Past Assertions This should work, right? No, it fails.
Past Valid
Examples
Ex: Busy Counter ˝ i_start_signal is unconstrained before time
k Induction ˝ counter is initially constrained to zero
Bus Properties ˝ If i_start_signal is one before time,
Free Variables counter will still be zero when time begins
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

68 / 462
f past valid
Welcome We can fix this with a register I call, f_past_valid:
Motivation
reg f_past_valid ;
Basics

Clocked and $past

Past
i n i t i a l f_past_valid = 1 ’ b0 ;
$past Rule always @ ( posedge clk )
Past Assertions
f_past_valid <= 1 ’ b1 ;
Ź Past Valid
Examples
Ex: Busy Counter always @ ( posedge clk )
k Induction i f ( ( f_past_valid)&&( $past ( i_start_signal ) ) )
Bus Properties a s s e r t ( counter == MAX_AMOUNT ´1’b1 ) ;
Free Variables

Abstraction Will this work?

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

69 / 462
f past valid
Welcome We can fix this with a register I call, f_past_valid:
Motivation
reg f_past_valid ;
Basics

Clocked and $past

Abstraction Will this work? Almost, but not yet.

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

69 / 462
Fixing the counter
Welcome ˝ What about the case where i_start_signal is raised while
Motivation the counter isn’t zero?
Basics
reg f_past_valid ;
Clocked and $past
Past
$past Rule i n i t i a l f_past_valid = 1 ’ b0 ;
Past Assertions
Ź Past Valid
always @ ( posedge clk )
Examples f_past_valid <= 1 ’ b1 ;
Ex: Busy Counter

k Induction always @ ( posedge clk )

Bus Properties i f ( ( f_past_valid)&&( $past ( i_start_signal ) )
Free Variables &&($past ( counter == 0 ) ) )
Abstraction a s s e r t ( counter == MAX_AMOUNT ´1’b1 ) ;
Invariants

Multiple-Clocks ˝ Will this work?

Cover

Sequences

Quizzes

70 / 462
Fixing the counter
Welcome ˝ What about the case where i_start_signal is raised while
Motivation the counter isn’t zero?
Basics
reg f_past_valid ;
Clocked and $past
Past
$past Rule i n i t i a l f_past_valid = 1 ’ b0 ;
Past Assertions
Ź Past Valid
always @ ( posedge clk )
Examples f_past_valid <= 1 ’ b1 ;
Ex: Busy Counter

k Induction always @ ( posedge clk )

Bus Properties i f ( ( f_past_valid)&&( $past ( i_start_signal ) )
Free Variables &&($past ( counter == 0 ) ) )
Abstraction a s s e r t ( counter == MAX_AMOUNT ´1’b1 ) ;
Invariants

Multiple-Clocks ˝ Will this work? Yes, now it will work

Cover ˝ You’ll find lots of references to f_past_valid in my own
Sequences designs
Quizzes

70 / 462
Examples
Welcome Let’s look at some practical examples
Motivation

Basics

Clocked and $past

Past
$past Rule
Past Assertions
Past Valid
Ź Examples
Ex: Busy Counter

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

71 / 462
Reset example, #1
Welcome The rule: Every design should start in the reset state.
Motivation
i n i t i a l assume ( i_RESET ) ;
Basics

Clocked and $past

Past
always @ ( ∗ )
$past Rule i f ( ! f_past_valid )
Past Assertions
assume ( i_RESET ) ;
Past Valid
Ź Examples
Ex: Busy Counter What would be the difference between these two properties?
k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

72 / 462
Reset example, #2
Welcome The rule: On the clock following a reset, there should be no
Motivation outstanding bus requests.
Basics
always @ ( posedge clk )
Clocked and $past
Past i f ( ( f_past_valid)&&( $past ( i_RESET ) ) )
$past Rule a s s e r t ( ! o_CYC ) ;
Past Assertions
Past Valid
Ź Examples
Ex: Busy Counter

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

73 / 462
Reset example, #2
Welcome Two times registers must have their reset value
Motivation
˝ Initially
Basics
˝ Following a reset
Clocked and $past
Past
$past Rule always @ ( posedge clk )
Past Assertions
Past Valid
i f ( ( ! f_past_valid ) | | ( $past ( i_reset ) ) )
Ź Examples begin
Ex: Busy Counter a s s e r t ( ! o_CYC ) ;
k Induction a s s e r t ( ! o_STB ) ;
Bus Properties // e t c .
Free Variables end
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

74 / 462
Bus example
Welcome The rule: while a request is being made, the request cannot
Motivation change until it is accepted.
Basics
always @ ( posedge clk )
Clocked and $past
Past i f ( ( f_past_valid )
$past Rule &&($past ( o_STB ))&&( $past ( i_STALL ) ) )
Past Assertions
Past Valid
begin
Ź Examples a s s e r t ( o_STB ) ;
Ex: Busy Counter a s s e r t ( o_REQ == $past ( o_REQ ) ) ;
k Induction end
Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

75 / 462
Ex: Busy Counter
Welcome Many of my projects include some type of “busy counter”
Motivation
˝ Serial port logic must wait for a baud clock
Basics
Transmit characters must wait for the port to be idle
Clocked and $past
Past ˝ I2C logic needs to slow the clock down
$past Rule
Past Assertions
˝ SPI logic may also need to slow the clock down
Past Valid
Examples Objectives:
Ex: Busy
Ź Counter ˝ Gain some confidence using formal methods to prove that
k Induction alternative designs are equivalent
Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

76 / 462
Exercise: Busy Counter
Welcome Here’s the basic design. It should look familiar.
Motivation
parameter [ 1 5 : 0 ] MAX_AMOUNT = 2 2 ;
Basics

Clocked and $past

Past
reg [15:0] counter ;
$past Rule
Past Assertions
i n i t i a l counter = 0 ;
Past Valid
Examples always @ ( posedge i_clk )
Ex: Busy i f ( i_reset )
Ź Counter
counter <= 0 ;
k Induction
e l s e i f ( ( i_start_signal)&&(counter == 0 ) )
Bus Properties
counter <= MAX_AMOUNT ´1’b1 ;
Free Variables
e l s e i f ( counter != 0 )
Abstraction
counter <= counter ´ 1 ;
Invariants

Multiple-Clocks
always @ ( ∗ )
Cover
o_busy = ( counter != 0 ) ;
Sequences

Quizzes

77 / 462
Exercise: Busy Counter
Welcome You can find the design in exercise-03/busyctr.v.
Motivation Exercise: Create the following properties:
Basics
1. i_start_signal may be raised at any time
Clocked and $past
Past No property needed here
$past Rule
Past Assertions
2. Once raised, assume i_start_signal will remain high until
Past Valid it is high and the counter is no longer busy.
Examples
Ex: Busy 3. o_busy will always be true while the counter is non-zero
Ź Counter
Make sure you check o_busy both when counter == 0 and
k Induction
counter != 0
Bus Properties
This requires an assertion
Free Variables

Abstraction
4. If the counter is non-zero, it should always be counting down
Invariants Beware of the reset!
Multiple-Clocks This requires another assertion
Cover

Sequences

Quizzes

78 / 462
Exercise: Busy Counter
Welcome Let’s draw this requirement out
Motivation
2. Once raised, assume i_start_signal will remain high until
Basics
it is high and the counter is no longer busy.
Clocked and $past
Past
$past Rule
i clk
Past Assertions i start signal
Past Valid
Examples o busy
Ex: Busy
Ź Counter counter 5 4 3 2 1 0 21

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

79 / 462
Busy Counter, Part two
Welcome Exercise:
Motivation
1. Make o_busy a clocked register
Basics

Clocked and $past always @ ( posedge i_clk )

Past o_busy <= /∗ y o u r l o g i c g o e s h e r e ∗/ ;
$past Rule
Past Assertions
Past Valid 2. Prove that o_busy is true if and only if the counter is
Examples
Ex: Busy non-zero
Ź Counter

k Induction ˝ You can use this approach to adjust your design to meet
Bus Properties timing
Free Variables

Abstraction
– Shuffle logic from one clock to another, then
Invariants
– Prove the new design remains valid
Multiple-Clocks

Cover

Sequences

Quizzes

80 / 462
Welcome

Motivation

Basics

Clocked and $past

Ź k Induction
Lesson Overview
vs BMC
General Rule
The Trap
Results
k Induction
Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

81 / 462
Lesson Overview
Welcome If you want to formally verify your design, BMC is insufficient
Motivation
˝ Bounded Model Checking (BMC) will only prove that your
Basics
design is correct for the first N clocks.
Clocked and $past
˝ It cannot prove that the design won’t fail on the next clock,
k Induction
Ź Lesson Overview clock N ` 1
vs BMC
General Rule
˝ This is the purpose of the induction step: proving correctness
The Trap for all time
Results
Examples
Our Goals
Bus Properties

Free Variables ˝ Be able to explain what induction is

Abstraction ˝ Be able to explain why induction is valuable
Invariants ˝ Know how to run induction
Multiple-Clocks ˝ What are the unique problems associated with induction
Cover

Sequences

Quizzes

82 / 462
From Pre-Calc
Welcome Proof by induction has two steps:
Motivation
1. Base case: Prove for N “ 0 (or one)
Basics
2. Inductive step: Assume true for N , prove true for N ` 1.
Clocked and $past
Nÿ
´1
k Induction 1 ´ xN
n
Ź Lesson Overview Example: Prove x “
vs BMC
n“0
1´x
General Rule
The Trap
Results
˝ For N “ 1, the sum is x0 or one
Examples
Nÿ
´1
Bus Properties 1´x
xn “ x0 “
Free Variables
n“0
1´x
Abstraction

Invariants
So this is true (for x ‰ 1).
Multiple-Clocks
˝ For the inductive step, we’ll
Cover

Sequences – Assume true for N , then prove for N ` 1

Quizzes

83 / 462
Proof, continued
Nÿ
´1
Welcome
n 1 ´ xN
Motivation Prove x “ for all N
n“0
1 ´ x
Basics

Clocked and $past ˝ Assume true for N , prove for N ` 1

N Nÿ´1 N
k Induction
Ź
ÿ 1 ´ x
Lesson Overview xn “ xN ` xn “ xN `
vs BMC
n“0 n“0
1´x
General Rule
The Trap ˝ Prove for N ` 1
Results
Examples N
ÿ
n 1 ´ x N 1 ´ xN
Bus Properties x “ x `
Free Variables n“0
1´x 1´x
Abstraction
xN ´ xN `1 ` 1 ´ xN 1 ´ xN `1
Invariants “ “
Multiple-Clocks
1´x 1´x
Cover
This proves the inductive case.
Sequences
˝ Hence this is true for all N (where N ą 0 and x ‰ 1)
Quizzes

84 / 462
k Induction
Welcome Suppose @n : P rns is what we wish to prove
Motivation
˝ Traditional induction
Basics

Clocked and $past – Base case: show P r0s

k Induction
Ź Lesson Overview
– Inductive case: show P rns Ñ P rn ` 1s
vs BMC
General Rule ˝ k induction
The Trap
N ´1
Results ľ
Examples – Base case: show P rks
Bus Properties k“0
Free Variables ˜ ¸
n
ľ
Abstraction
– k-induction step: P rks Ñ P rn ` 1s
Invariants
k“n´N `1
Multiple-Clocks

Cover

Sequences

Quizzes

85 / 462
k Induction
Welcome Suppose @n : P rns is what we wish to prove
Motivation
˝ Traditional induction
Basics

Clocked and $past – Base case: show P r0s

k Induction
Ź Lesson Overview
– Inductive case: show P rns Ñ P rn ` 1s
vs BMC
General Rule ˝ k induction
The Trap
N ´1
Results ľ
Examples – Base case: show P rks
Bus Properties k“0
Free Variables This is what we did
˜ with BMC ¸
ľn
Abstraction
– k-induction step: P rks Ñ P rn ` 1s
Invariants
k“n´N `1
Multiple-Clocks

Cover

Sequences

Quizzes

85 / 462
k Induction
Welcome Suppose @n : P rns is what we wish to prove
Motivation
˝ Traditional induction
Basics

Clocked and $past – Base case: show P r0s

Sequences

Quizzes

85 / 462
k Induction
Welcome Suppose @n : P rns is what we wish to prove
Motivation
˝ Traditional induction
Basics

Clocked and $past – Base case: show P r0s

Cover

Sequences
Why use k induction?
Quizzes

85 / 462
Induction in Verification
Welcome Formal verification uses k induction
Motivation
˝ Base case:
Basics
Assume the first N steps do not violate any assumptions, . . .
Clocked and $past

k Induction
Prove that the first N steps do not violate any assertions.
Ź Lesson Overview The is the BMC pass we’ve already done.
vs BMC
General Rule
˝ Inductive Step:
The Trap Assume N steps exist that neither violate any assumptions
Results
Examples nor any assertions, and
Bus Properties Assume the N ` 1 step violates no assumptions, . . .
Free Variables Prove that the N ` 1 step does not violate any assertions.
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

86 / 462
BMC vs Induction
Welcome BMC and induction are very different.
Motivation
˝ BMC, the base case
Basics

Clocked and $past

k Induction
Lesson Overview
Ź vs BMC ˝ Induction step
General Rule
The Trap
Results
Examples

Bus Properties

Free Variables
˝ The number of BMC time-steps steps must be more than the
Abstraction

Invariants
number of inductive time-steps
Multiple-Clocks
˝ Register values at the beginning of the inductive step can be
Cover anything allowed by your assertions and assumptions
Sequences ˝ This is where the work takes place.
Quizzes

87 / 462
General Rule
Welcome

Motivation

Basics

Clocked and $past

k Induction
Lesson Overview
vs BMC
Ź General Rule
The Trap
Results
Examples

Bus Properties

Free Variables

Abstraction The general rule hasn’t changed:

Invariants

Multiple-Clocks
˝ assume inputs,
Cover
˝ assert internal states and any outputs.
Sequences
If you assume too much, your design will pass formal verification
Quizzes
and still not work.

88 / 462
Checkers
Welcome Some assertions:
Motivation
˝ Games are played on black squares
Basics
˝ Players will never have more than 12 pieces
Clocked and $past
˝ Only legal moves are possible
k Induction
Lesson Overview ˝ Game is over when one side can no longer move
vs BMC
Ź General Rule Where might the induction engine start?
The Trap
Results
Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

89 / 462
Checkers in the Library
Welcome

Motivation

Basics

Clocked and $past

k Induction
Lesson Overview
vs BMC
Ź General Rule
The Trap
Results
Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
Black’s going to move and win
Quizzes

90 / 462
Checkers in the Library
Welcome

Motivation

Basics

Clocked and $past

k Induction
Lesson Overview
vs BMC
Ź General Rule
The Trap
Results
Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
White’s going to move and win
Quizzes

90 / 462
Checkers in the Library
Welcome

Motivation

Basics

Clocked and $past

k Induction
Lesson Overview
vs BMC
Ź General Rule
The Trap
Results
Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
Black’s going to . . . , huh?
Quizzes

90 / 462
Checkers in the Library
Welcome

Motivation

Basics

Clocked and $past

k Induction
Lesson Overview
vs BMC
Ź General Rule
The Trap
Results
Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
Would this pass our criteria?
Quizzes

90 / 462
Checkers and Induction
Welcome What can we learn from Checkers?
Motivation
˝ Inductive step starts in the middle of the game
Basics
Only the assumptions and asserts are used to validate the
Clocked and $past

k Induction
game
Lesson Overview ˝ All of the FF’s (variables) start in arbitrary states
vs BMC
Ź General Rule
These states are only constrained by your assumptions and
The Trap assertions.
Results
Examples ˝ Your formal constraints are required to limit the allowable
Bus Properties states
Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

91 / 462
The Trap
Welcome

Motivation

Basics

Clocked and $past

k Induction
Lesson Overview
vs BMC
General Rule
Ź The Trap
Results
Examples

Bus Properties

Free Variables

Abstraction

Invariants ˝ If your formal properties are not strict enough,

Multiple-Clocks Induction may start in an unreachable state
Cover ˝ This is a common problem!
Sequences

Quizzes

92 / 462
The Solution
Welcome

Motivation

Basics

Clocked and $past

k Induction
Lesson Overview
vs BMC
General Rule
Ź The Trap
Results
Examples

Bus Properties

Free Variables

Abstraction
To make induction work, you must . . .
Invariants

Multiple-Clocks ˝ assume unrealistic inputs will never happen

Cover ˝ assert any remaining unreachable states are illegal
Sequences ˝ Induction often requires more properties than BMC alone
Quizzes

93 / 462
Results
Welcome Unlike BMC, the results of induction might be inconclusive
Motivation

Basics Basecase (BMC)

k Induction
Clocked and $past FAIL PASS
k Induction FAIL Design UNKNOWN
Lesson Overview
vs BMC PASS Fails SUCCESS!
General Rule
The Trap
Ź Results The k induction pass will fail if your design doesn’t have enough
Examples assertions.
Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

94 / 462
Results
Welcome There’s also a difference in when BMC and induction finish
Motivation
˝ BMC will finish early if the design FAILs
Basics
˝ Induction will finish early if the design PASSes
Clocked and $past
˝ In all other cases, they will take a full depth steps
k Induction
Lesson Overview
vs BMC
You can use this fact to trim the depth of your proof
General Rule
The Trap ˝ Once induction succeeds, trim your proof depth to that
Ź Results
length
Examples

Bus Properties
˝ This will immediately make your proof run that much faster
Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

95 / 462
Examples
Welcome ˝ Let’s look at some examples
Motivation

Basics

Clocked and $past

k Induction
Lesson Overview
vs BMC
General Rule
The Trap
Results
Ź Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

96 / 462
Another Counter
Welcome This design would pass many steps of BMC
Motivation
reg [15:0] counter ;
Basics

Clocked and $past

i n i t i a l counter = 0 ;
k Induction
Lesson Overview
always @ ( posedge clk )
vs BMC counter <= counter + 1 ’ b1 ;
General Rule
The Trap
Results always @ ( ∗ )
Ź Examples a s s e r t ( counter < 1 6 ’ d65000 ) ;
Bus Properties

Free Variables It will not pass induction.

Abstraction Can you explain why not?
Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

97 / 462
Another Counter
Welcome Here’s another counter that will pass BMC, but not induction
Motivation
reg [15:0] counter ;
Basics

Clocked and $past

i n i t i a l counter = 0 ;
k Induction
Lesson Overview
always @ ( posedge clk )
vs BMC i f ( counter == 1 6 ’ d22 )
General Rule counter <= 0 ;
The Trap
Results else
Ź Examples counter <= counter + 1 ’ b1 ;
Bus Properties

Free Variables always @ ( ∗ )

Abstraction a s s e r t ( counter != 1 6 ’ d500 ) ;
Invariants

Multiple-Clocks Can you explain why not?

Cover

Sequences

Quizzes

98 / 462
Another Counter
Welcome With one simple change, this design will now pass induction
Motivation
reg [15:0] counter ;
Basics

Clocked and $past

Free Variables always @ ( ∗ )

Abstraction a s s e r t ( counter <= 1 6 ’ d22 ) ;
Invariants

Multiple-Clocks See the difference?

Cover

Sequences

Quizzes

99 / 462
Shift Register Comparison
Welcome These shift registers will be equal during BMC, but require at
Motivation least sixteen steps to pass induction
Basics
reg [ 1 5 : 0 ] sa , sb ;
Clocked and $past
i n i t i a l sa = 0 ;
k Induction
Lesson Overview i n i t i a l sb = 0 ;
vs BMC always @ ( posedge clk )
General Rule
The Trap
Results sa <= { sa [ 1 4 : 0 ] , i_bit } ;
Ź Examples

Bus Properties always @ ( posedge clk )

Free Variables

Abstraction sb <= { sb [ 1 4 : 0 ] , i_bit } ;

Invariants

Multiple-Clocks always @ ( ∗ )
Cover a s s e r t ( sa [ 1 5 ] == sb [ 1 5 ] ) ;
Sequences

Quizzes Can you explain why it would take so long?

100 / 462
Shift Register Comparison
Welcome This design is almost identical to the last one, yet fails induction.
Motivation The key difference is the if (i_ce).
Basics
reg [ 1 5 : 0 ] sa , sb ;
Clocked and $past
i n i t i a l sa = 0 ;
k Induction
Lesson Overview i n i t i a l sb = 0 ;
vs BMC always @ ( posedge clk )
General Rule
The Trap
i f ( i_ce )
Results sa <= { sa [ 1 4 : 0 ] , i_bit } ;
Ź Examples

Bus Properties always @ ( posedge clk )

Free Variables i f ( i_ce )
Abstraction sb <= { sb [ 1 4 : 0 ] , i_bit } ;
Invariants

Multiple-Clocks always @ ( ∗ )
Cover a s s e r t ( sa [ 1 5 ] == sb [ 1 5 ] ) ;
Sequences

Quizzes Can you explain why this wouldn’t pass?

101 / 462
Fixing Shift Reg
Welcome Several approaches to fixing this:
Motivation
1. assume(i_ce);
Basics

Clocked and $past

k Induction
Lesson Overview
vs BMC
General Rule
The Trap
Results
Ź Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

102 / 462
Fixing Shift Reg
Welcome Several approaches to fixing this:
Motivation
1. assume(i_ce);
Basics
Doesn’t really test the design
Clocked and $past

k Induction
2. opt_merge ´share_all, yosys option
Lesson Overview
vs BMC
General Rule
The Trap
Results
Ź Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

102 / 462
Fixing Shift Reg
Welcome Several approaches to fixing this:
Motivation
1. assume(i_ce);
Basics
Doesn’t really test the design
Clocked and $past

k Induction
2. opt_merge ´share_all, yosys option
Lesson Overview Works for some designs
vs BMC
General Rule
3. assert(sa == sb);
The Trap
Results
Ź Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

102 / 462
Fixing Shift Reg
Welcome Several approaches to fixing this:
Motivation
1. assume(i_ce);
Basics
Doesn’t really test the design
Clocked and $past

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

102 / 462
Fixing Shift Reg
Welcome Several approaches to fixing this:
Motivation
1. assume(i_ce);
Basics
Doesn’t really test the design
Clocked and $past

k Induction
2. opt_merge ´share_all, yosys option
Lesson Overview Works for some designs
vs BMC
General Rule
3. assert(sa == sb);
The Trap Best, but only works when sa and sb are visible
Results
Ź Examples 4. Insist on no more than M clocks between i_ce’s
Bus Properties 5. Use a different prover, under the [engines] option
Free Variables
˝ smtbmc
Abstraction
˝ abc pdr
Invariants

Multiple-Clocks
˝ aiger suprove
Cover

Sequences

Quizzes

102 / 462
Fixing Shift Reg
Welcome Several approaches to fixing this:
Motivation
1. assume(i_ce);
Basics
Doesn’t really test the design
Clocked and $past

Invariants
˝ abc pdr Pass
Multiple-Clocks
˝ aiger suprove Pass
Cover

Sequences

Quizzes

102 / 462
Fixing Shift Reg
Welcome Several approaches to fixing this:
Motivation
1. assume(i_ce);
Basics
Doesn’t really test the design
Clocked and $past

Invariants
˝ abc pdr Pass
Multiple-Clocks
˝ aiger suprove Pass
Cover

Sequences
Most of these options work for some designs only
Quizzes

102 / 462
SymbiYosys
Welcome Here’s how we’ll change our sby file:
Motivation
[ options ]
Basics
mode prove
Clocked and $past

k Induction
Lesson Overview
[ engines ]
vs BMC smtbmc
General Rule
The Trap
Results [ script ]
Ź Examples read ´formal module . v
Bus Properties # . . . o t h e r f i l e s would go h e r e
Free Variables prep ´top module
Abstraction opt_merge ´share_all
Invariants

Multiple-Clocks [ files ]
Cover . . / path´to / module . v
Sequences

Quizzes

103 / 462
SymbiYosys
Welcome Here’s how we’ll change our sby file:
Motivation
[ options ]
Basics
mode prove Use BMC and k-induction
Clocked and $past

Multiple-Clocks [ files ]
Cover . . / path´to / module . v
Sequences

Quizzes

103 / 462
SymbiYosys
Welcome Here’s how we’ll change our sby file:
Motivation
[ options ]
Basics
mode prove
Clocked and $past

k Induction
Lesson Overview
[ engines ]
vs BMC smtbmc Other potential engines would go here
General Rule
The Trap
Results [ script ]
Ź Examples read ´formal module . v
Bus Properties # . . . o t h e r f i l e s would go h e r e
Free Variables prep ´top module
Abstraction opt_merge ´share_all
Invariants

Multiple-Clocks [ files ]
Cover . . / path´to / module . v
Sequences

Quizzes

103 / 462
SymbiYosys
Welcome Here’s how we’ll change our sby file:
Motivation
[ options ]
Basics
mode prove
Clocked and $past

Multiple-Clocks [ files ]
Cover . . / path´to / module . v
Sequences

Quizzes

103 / 462
Ex: DblPipe
Welcome Exercise #4: dblpipe.v
Motivation
module dblpipe ( i_clk ,
Basics
i_ce , i_data , o_data ) ;
Clocked and $past
// . . .
k Induction
Lesson Overview
vs BMC wire a_data , b_data ;
General Rule
The Trap
Results lfsr_fib one ( i_clk , 1 ’ b0 , i_ce ,
Ź Examples i_data , a_data ) ;
Bus Properties lfsr_fib two ( i_clk , 1 ’ b0 , i_ce ,
Free Variables i_data , b_data ) ;
Abstraction

Invariants i n i t i a l o_data = 1 ’ b0 ;
Multiple-Clocks always @ ( posedge i_clk )
Cover o_data <= a_data ˆ b_data ;
Sequences endmodule
Quizzes

104 / 462
Ex: DblPipe
Welcome Exercise #4: dblpipe.v
Motivation
˝ lfsr_fib just implements a Fibonacci linear feedback shift
Basics
register,
Clocked and $past

k Induction
Lesson Overview
vs BMC
General Rule
The Trap
Results
Ź Examples

Bus Properties sreg [ ( LN ´ 2 ) : 0 ] <= sreg [ ( LN ´ 1 ) : 1 ] ;

Free Variables sreg [ ( LN ´1)] <= ( ˆ ( sreg & TAPS ) ) ˆ i_in ;
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

105 / 462
Ex: DblPipe
Welcome Exercise #4: dblpipe.v, lfsr fib.v
Motivation
reg [ ( LN ´ 1 ) : 0 ] sreg ;
Basics

Clocked and $past

i n i t i a l sreg = INITIAL_FILL ;
k Induction
Lesson Overview
always @ ( posedge i_clk )
vs BMC i f ( i_reset )
General Rule sreg <= INITIAL_FILL ;
The Trap
Results e l s e i f ( i_ce )
Ź Examples begin // B a s i c s h i f t r e g i s t e r u p d a t e o p e r a t i o n
Bus Properties sreg [ ( LN ´ 2 ) : 0 ] <= sreg [ ( LN ´ 1 ) : 1 ] ;
Free Variables sreg [ ( LN ´1)] <= ( ˆ ( sreg & TAPS ) ) ˆ i_in ;
Abstraction end
Invariants

Multiple-Clocks assign o_bit = sreg [ 0 ] ;

Cover

Sequences
˝ Both registers one and two use the exact same logic
Quizzes

106 / 462
Ex: DblPipe
Welcome Exercise #4:
Motivation
˝ Using dblpipe.v
Basics

Clocked and $past – Prove that the output, o_data, is zero

k Induction
Lesson Overview
vs BMC
General Rule
The Trap
Results
Ź Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

107 / 462
Ex: LFSRs
Welcome Galois and Fibonacci are supposedly identical
Motivation
˝ Galois
Basics

Clocked and $past

k Induction
Lesson Overview
˝ Fibonacci
vs BMC
General Rule
The Trap
Results
Ź Examples

Bus Properties

Free Variables
˝ Exercise #5 will be to prove these two implementations are
Abstraction identical
Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

108 / 462
Ex: LFSRs
Welcome Exercise #5:
Motivation
˝ exercise-05/ contains files lfsr equiv.v, lfsr gal.v,
Basics
and lfsr fib.v.
Clocked and $past
˝ lfsr gal.v contains a Galois version of an LFSR
k Induction
Lesson Overview ˝ lfsr fib.v contains a Fibonacci version of the same LFSR
vs BMC
General Rule
˝ lfsr equiv.v contains an assertion that these are equivalent
The Trap
Results Prove that these are truly equivalent shift registers.
Ź Examples

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

109 / 462
Where is the bug?
Welcome Following an induction failure, look over the trace
Motivation

Basics

Clocked and $past

k Induction
Lesson Overview
vs BMC
General Rule If you see a problem in section . . .
The Trap
Results A You have a missing one or more assertions
Ź Examples
You’ll only have this problem with induction.
Bus Properties

Free Variables
B You have a failing assert @(posedge clk)
Abstraction
C You have a failing assert @(∗)
Invariants These latter two indicate a potential logic failure, but they
Multiple-Clocks could still be caused by property failures.
Cover

Sequences

Quizzes

110 / 462
Welcome

Motivation

Basics

Clocked and $past

k Induction

Ź Bus Properties
Ex: WB Bus
AXI
Avalon
Bus Properties
Wishbone
WB Basics
WB Basics

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

111 / 462
Ex: WB Bus
Welcome We have everything we need now to write formal properties for a
Motivation bus
Basics
˝ This lesson walks through an example the Wishbone Bus
Clocked and $past

k Induction Our Objectives:

Bus Properties
Ź Ex: WB Bus ˝ Learn to apply formal methods to something imminently
AXI
Avalon
practical
Wishbone ˝ Learn to build the formal description of a bus component
WB Basics
WB Basics
˝ Help lead up to a bus arbiter component
Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

112 / 462
AXI Channels
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
Ź AXI
Avalon
Wishbone
WB Basics
WB Basics

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

113 / 462
Avalon Channels
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Ź Avalon
Wishbone
WB Basics
WB Basics

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

114 / 462
Wishbone Channels
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI ˝ Why use the Wishbone? It’s simpler!
Avalon
Ź Wishbone
WB Basics
WB Basics

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

115 / 462
WB Signals
Welcome From the master’s perspective:
Motivation Specification name My name
Basics CYC O o wb cyc
Clocked and $past STB O o wb stb
k Induction
WE O o wb we
Bus Properties
Ex: WB Bus
ADDR O o wb addr
AXI DATA O o wb data
Avalon
Wishbone SEL O o wb sel
Ź WB Basics
STALL I i wb stall
WB Basics

Free Variables ACK I i wb ack

Abstraction DATA I i wb data
Invariants
ERR I i wb err
Multiple-Clocks

Cover

Sequences

Quizzes

116 / 462
WB Signals
Welcome From the slave’s perspective:
Motivation Specification name My name
Basics CYC I i wb cyc
Clocked and $past STB I i wb stb
k Induction
WE I i wb we
Bus Properties
Ex: WB Bus
ADDR I i wb addr
AXI DATA I i wb data
Avalon
Wishbone SEL I i wb sel
Ź WB Basics
STALL O o wb stall
WB Basics

Free Variables ACK O o wb ack

Abstraction DATA O o wb data
Invariants
ERR O o wb err
Multiple-Clocks
To swap perspectives from master to slave . . .
Cover

Sequences ˝ Swap the port direction

Quizzes ˝ Swap the assume() statements for assert() s

117 / 462
Single Read
Welcome CLK
Motivation
o CYC
Basics
o STB
Clocked and $past

k Induction
o WE
Bus Properties o ADDR A0

Ex: WB Bus
AXI
o DATA
Avalon i STALL
Wishbone
Ź WB Basics i ACK
WB Basics
i DATA D0
Free Variables

Abstraction ˝ STB must be low when CYC is low

Invariants
˝ If CYC goes low mid-transaction, the transaction is aborted
Multiple-Clocks
˝ While STB and STALL are active, the request cannot change
Cover
˝ One request is made for every clock with STB and !STALL
Sequences

Quizzes

118 / 462
Single Read
Welcome CLK
Motivation
o CYC
Basics
o STB
Clocked and $past

k Induction
o WE
Bus Properties o ADDR A0

Ex: WB Bus
AXI
o DATA
Avalon i STALL
Wishbone
Ź WB Basics i ACK
WB Basics
i DATA D0
Free Variables

Abstraction ˝ One ACK response per request

Invariants
˝ No ACKs allowed when the bus is idle
Multiple-Clocks
˝ No way to stall the ACK line
Cover
˝ The bus result is in i DATA when i ACK is true
Sequences

Quizzes

119 / 462
Three Writes
Welcome CLK
Motivation
o CYC
Basics
o STB
Clocked and $past

k Induction
o WE
Bus Properties o ADDR A1 A2 A3

Ex: WB Bus
AXI
o DATA D1 D2 D3

Avalon i STALL
Wishbone
Ź WB Basics i ACK
WB Basics
i DATA
Free Variables

Abstraction Let’s start building some formal properties

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

120 / 462
CYC and STB
Welcome ˝ The bus starts out idle, and returns to idle after a reset
Motivation
always @ ( posedge i_clk )
Basics
i f ( ( ! f_past_valid ) | | ( $past ( i_reset ) ) )
Clocked and $past
begin
k Induction
assume ( ! i_wb_ack ) ;
Bus Properties
Ex: WB Bus
assume ( ! i_wb_err ) ;
AXI //
Avalon a s s e r t ( ! o_wb_cyc ) ;
Wishbone
Ź WB Basics a s s e r t ( ! o_wb_stb ) ;
WB Basics end
Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

121 / 462
CYC and STB
Welcome ˝ The bus starts out idle, and returns to idle after a reset
Motivation
always @ ( posedge i_clk )
Basics
i f ( ( ! f_past_valid ) | | ( $past ( i_reset ) ) )
Clocked and $past
begin
k Induction
assume ( ! i_wb_ack ) ;
Bus Properties
Ex: WB Bus
assume ( ! i_wb_err ) ;
AXI //
Avalon a s s e r t ( ! o_wb_cyc ) ;
Wishbone
Ź WB Basics a s s e r t ( ! o_wb_stb ) ;
WB Basics end
Free Variables

Abstraction ˝ STB is low whenever CYC is low

Invariants
always @ ( ∗ )
Multiple-Clocks
i f ( ! o_wb_cyc )
Cover
a s s e r t ( ! o_wb_stb ) ;
Sequences

Quizzes

121 / 462
The Master Waits
Welcome ˝ While STB and STALL are active, the request doesn’t change
Motivation
a s s i g n f_request = { o_stb , o_we , o_addr ,
Basics
o_data } ;
Clocked and $past
always @ ( posedge clk )
k Induction
i f ( $past ( o_wb_stb)&&( $past ( i_wb_stall ) ) )
Bus Properties
Ex: WB Bus
a s s e r t ( f_request == $past ( f_request ) ) ;
AXI
Avalon ˝ Did we get it?
Wishbone
Ź WB Basics
WB Basics

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

122 / 462
The Master Waits
Welcome ˝ While STB and STALL are active, the request doesn’t change
Motivation
a s s i g n f_request = { o_stb , o_we , o_addr ,
Basics
o_data } ;
Clocked and $past
always @ ( posedge clk )
k Induction
i f ( $past ( o_wb_stb)&&( $past ( i_wb_stall ) ) )
Bus Properties
Ex: WB Bus
a s s e r t ( f_request == $past ( f_request ) ) ;
AXI
Avalon ˝ Did we get it? Well, not quite
Wishbone
Ź WB Basics o_data is a don’t care for any read request
WB Basics

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

122 / 462
The Master Waits
Welcome ˝ While STB and STALL are active, the request doesn’t change
Motivation
a s s i g n f_rd_request = { o_stb , o_we , o_addr } ;
Basics
a s s i g n f_wr_request = { f_rd_request , o_data } ;
Clocked and $past

k Induction
always @ ( posedge clk )
Bus Properties
Ex: WB Bus
i f ( ( f_past_valid )
AXI &&($past ( o_wb_stb ))&&( $past ( i_wb_stall ) ) )
Avalon begin
Wishbone
Ź WB Basics // F i r s t , f o r r e a d s ´´o d a t a i s a don ’ t c a r e
WB Basics i f ( $past ( ! i_wb_we ) )
Free Variables a s s e r t ( f_rd_request == $past ( f_rd_request ) ) ;
Abstraction // Second , f o r w r i t e s ´´o d a t a must n o t c h a n ge
Invariants i f ( $past ( i_wb_we ) )
Multiple-Clocks a s s e r t ( f_wr_request == $past ( f_wr_request ) ) ;
Cover end
Sequences

Quizzes

123 / 462
CYC and STB
Welcome ˝ No acknowledgements without a request
Motivation ˝ No errors without a request
Basics ˝ Following any error, the bus cycle ends
Clocked and $past ˝ A bus cycle can be terminated early
k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

124 / 462
Bus example
Welcome The rule: the slave (external) cannot stall the master more than
Motivation F_OPT_MAXSTALL counts:
Basics

Clocked and $past

i n i t i a l f_stall_count = 0 ;
always @ ( posedge i_clk )
k Induction
i f ( ( i_reset ) | | ( ! o_CYC ) | | ( ( o_STB )&&(! i_STALL ) ) )
Bus Properties
Ex: WB Bus f_stall_count <= 0 ;
AXI e l s e i f ( o_STB )
Avalon
Wishbone
f_stall_count <= f_stall_count + 1 ’ b1 ;
WB Basics
Ź WB Basics always @ ( posedge i_clk )
Free Variables i f ( o_CYC )
Abstraction assume ( f_stall_count < F_OPT_MAXSTALL ) ;
Invariants

Multiple-Clocks This solves the i_ce problem, this time with the i_STALL signal
Cover

Sequences

Quizzes

125 / 462
Bus example
Welcome The rule: the slave can only respond to requests
Motivation
i n i t i a l f_nreqs = 0 ;
Basics
always @ ( posedge clk )
Clocked and $past
i f ( ( i_reset ) | | ( ! i_CYC ) )
k Induction
f_nreqs <= 1 ’ b0 ;
Bus Properties
Ex: WB Bus
e l s e i f ( ( i_STB )&&(! o_STALL ) )
AXI f_nreqs <= f_nreqs + 1 ’ b1 ;
Avalon // S i m i l a r c o u n t e r f o r a c k n o w l e d g e m e n t s
Wishbone
WB Basics always @ ( ∗ )
Ź WB Basics i f ( f_nreqs == f_nacks )
Free Variables a s s e r t ( ! o_ACK ) ;
Abstraction

Invariants The logic above almost works. Can any one spot the problems?
Multiple-Clocks

Cover

Sequences

Quizzes

126 / 462
Two Exercises
Welcome Let’s build up to proving a WB arbiter
Motivation
˝ Let’s prove (BMC + k-Induction) . . .
Basics

Clocked and $past 1. Exercise #6: A simple arbiter

k Induction exercise-06/reqarb.v
Bus Properties 2. Exercise #7: Then a Wishbone bus arbiter
Ex: WB Bus
AXI exercise-07/wbpriarbiter.v
Avalon
Wishbone ˝ Given a set of bus properties: fwb slave.v
WB Basics
Ź WB Basics

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

127 / 462
Simple Arbiter
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics
The basics
Free Variables ˝ *_req requests a transaction
Abstraction ˝ *_data, the contents of the transaction
Invariants
˝ *_busy, true if the source must wait
Multiple-Clocks

Cover

Sequences

Quizzes

128 / 462
Simple Arbiter
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics ˝ If (∗_req)&&(!∗_busy),
Free Variables
the request is accepted
Abstraction
˝ If (∗_req)&&(∗_busy),
Invariants
the request may not change, except on reset
Multiple-Clocks

Cover

Sequences

Quizzes

129 / 462
Simple Arbiter
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics
To prove:
Free Variables ˝ No data will be lost, no requests will be dropped
Abstraction Assume all requests remain stable until accepted
Invariants
˝ Only one source ever gets access at a time
Multiple-Clocks
Assert one busy line is always high
Cover
˝ Therefore, all requests go through . . . eventually
Sequences

Quizzes
This is a natural consequence of the above. Don’t worry
about starvation here.
130 / 462
WB Arbiter
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics

Free Variables

Abstraction Shall we try this with Wishbone?

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

131 / 462
WB Arbiter
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics

Free Variables

Abstraction This request side is almost identical

Invariants
˝ If (STB)&&(!STALL)
Multiple-Clocks
the request is accepted
Cover
˝ If (STB)&&(STALL)
Sequences

Quizzes
the request must not change

132 / 462
WB Arbiter
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics

Free Variables

Abstraction The difference is the acknowledgements

Invariants
˝ The arbiter cannot change during an active transaction
Multiple-Clocks
˝ All requests get responses
Cover
˝ No response can be returned without a request
Sequences

Quizzes

133 / 462
WB Arbiter
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics

Free Variables

Abstraction Now, prove that exercise-07/wbpriarbiter.v works.

Invariants
˝ Use both BMC and k-induction (mode prove)
Multiple-Clocks
˝ You’ll need to build fwb master.v properties
Cover

Sequences

Quizzes

134 / 462
WB Arbiter
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics

Free Variables

Abstraction The fwb slave.v properties will

Invariants
˝ Assume a behaving master
Multiple-Clocks
˝ Assert a behaving slave
Cover

Sequences

Quizzes

135 / 462
WB Arbiter
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics

Free Variables

Abstraction You’ll write the fwb master.v properties

Invariants
˝ Swapping inputs with outputs
Multiple-Clocks

Cover – Port names need not change

Sequences
˝ Swapping assumptions with assertions
Quizzes

136 / 462
WB Arbiter
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics

Free Variables

Abstraction The magic is in how the files are connected

Invariants
˝ If one interface is connected, both master and slave. . .
Multiple-Clocks

Cover – Should see the same number of requests

Sequences – Should see the same number of acknowledgements
Quizzes

137 / 462
WB Arbiter
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics

Free Variables

Abstraction The magic is in how the files are connected

Invariants
˝ If one interface is connected, the other . . .
Multiple-Clocks

Cover – Should not have made any successful requests

Sequences – Should not have received any acknowledgements
Quizzes

138 / 462
File Structure
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics

Free Variables
˝ Traditional test-bench file structure
Abstraction

Invariants
˝ Doesn’t work with yosys formal
Multiple-Clocks
˝ Why not?
Cover

Sequences

Quizzes

139 / 462
Single File
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics

Free Variables
˝ Formal Properties can be placed at the bottom
Abstraction
˝ This works well for testing some modules
Invariants

Multiple-Clocks
˝ What’s the limitation?
Cover

Sequences

Quizzes

140 / 462
Multiple Files
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics
˝ Design with multiple files
Free Variables
˝ They were each formally correct
Abstraction ˝ Problems?
Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

141 / 462
Multiple Files
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics
˝ Design with multiple files
Free Variables
˝ They were each formally correct
Abstraction ˝ Problems? Yes! In induction
Invariants ˝ State variables needed to be formally synchronized (assert() )
Multiple-Clocks

Cover

Sequences

Quizzes

141 / 462
Multiple Files
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties
Ex: WB Bus
AXI
Avalon
Wishbone
WB Basics
Ź WB Basics

Free Variables

Abstraction

Invariants
Proving properties for many components together can quickly
Multiple-Clocks get out of hand!
Cover

Sequences

Quizzes

142 / 462
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Ź Free Variables
Lesson Overview
Formal
Free Variables
Memory
So what?
Rule
Discussion

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

143 / 462
Lesson Overview
Welcome When dealing with memory, ...
Motivation
˝ Testing the entire memory is not required
Basics
˝ Testing an arbitrary value is
Clocked and $past

k Induction It’s time to discuss (∗ anyconst ∗) and (∗ anyseq ∗)

Bus Properties Objectives
Free Variables
Ź Lesson Overview ˝ Understand what a free variable is
Formal
Memory
˝ Understand how (∗ anyconst ∗) and (∗ anyseq ∗) can be
So what? used to create free variables
Rule
Discussion ˝ Learn how you can use free variables to validate memory and
Abstraction memory interfaces
Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

144 / 462
any*
Welcome ˝ (∗ anyconst ∗)
Motivation
( ∗ anyconst ∗ ) wire [ N ´ 1 : 0 ] cval ;
Basics

Clocked and $past

k Induction – Can be anything

Bus Properties – Defined at the beginning of time
Free Variables – Never changed
Lesson Overview
Ź Formal
Memory ˝ (∗ anyseq ∗)
So what?
Rule ( ∗ anyseq ∗ ) wire [ N ´ 1 : 0 ] sval ;
Discussion

Abstraction

Invariants – Can change from one timestep to the next

Multiple-Clocks
Both can still be constrained via assume() statements
Cover

Sequences

Quizzes

145 / 462
Memory
Welcome How might you verify a memory with this?
Motivation
( ∗ anyconst ∗ ) w i r e [ AW ´ 1 : 0 ] f_const_addr ;
Basics
reg [ DW ´ 1 : 0 ] f_mem_value ;
Clocked and $past

k Induction

Bus Properties
// Han d l e w r i t e s
Free Variables
always @ ( posedge i_clk )
Lesson Overview i f ( ( i_stb)&&(i_we)&&(i_addr == f_const_addr ) )
Formal
f_mem_value <= i_data ;
Ź Memory
So what?
Rule // Han d l e r e a d s
Discussion
always @ ( posedge i_clk )
Abstraction
i f ( ( f_past_valid)&&( $past ( i_stb ))&&(! $past ( i_we ) )
Invariants
&&($past ( i_addr == f_const_addr ) ) )
Multiple-Clocks
a s s e r t ( o_data == f_mem_value ) ;
Cover

Sequences

Quizzes

146 / 462
So what?
Welcome Consider the specification of a prefetch
Motivation
˝ The contract
Basics

Clocked and $past ( ∗ anyconst ∗ ) wire [31:0] f_const_data ;

k Induction

Bus Properties always @ ( posedge i_clk )

Free Variables i f ( ( o_valid)&&(o_pc == f_const_addr ) )
Lesson Overview a s s e r t ( o_insn == f_const_data ) ;
Formal
Memory
Ź So what? ˝ You’ll also need to assume a bus input
Rule
Discussion always @ ( posedge i_clk )
Abstraction i f ( ( i_ack)&&(ackd_address == f_const_addr ) )
Invariants assume ( i_data == f_const_data ) ;
Multiple-Clocks

Cover

Sequences

Quizzes

147 / 462
Rule of Free Variables
Welcome How would our general rule apply here?
Motivation
˝ Assume inputs, assert internal state and outputs
Basics
˝ Both (∗ anyconst ∗) and (∗ anyseq ∗) act like inputs
Clocked and $past
˝ You could have written
k Induction

Bus Properties input w i r e i_value ;

Free Variables
Lesson Overview
Formal
always @ ( posedge i_clk )
Memory assume ( i_value == $past ( i_value ) ) ;
So what?
Ź Rule
Discussion for the same effect as (∗ anyconst ∗)
Abstraction ˝ assume() them therefore, and not assert()
Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

148 / 462
Ex: Flash Controller
Welcome This works for a flash (or other ROM) controller too:
Motivation
( ∗ anyconst ∗ ) w i r e [ AW ´ 1 : 0 ] f_addr ;
Basics
( ∗ anyconst ∗ ) w i r e [ DW ´ 1 : 0 ] f_data ;
Clocked and $past

k Induction
always @ ( ∗ )
Bus Properties
i f ( ( o_wb_ack)&&(f_request_addr == f_addr ) )
Free Variables
Lesson Overview
a s s e r t ( o_wb_data == f_data ) ;
Formal
Memory Don’t forget the corollary assumptions!
So what?
Ź Rule
always @ ( ∗ )
Discussion
i f ( f_request_addr == f_addr )
Abstraction
assume ( i_spi_miso
Invariants
== f_data [ controller_state ] ) ;
Multiple-Clocks

Cover
. . . or something similar
Sequences

Quizzes

149 / 462
Ex: Serial Port
Welcome You can use this to build a serial port transmitter
Motivation
( ∗ anyseq ∗ ) w i r e f_tx_start ;
Basics
( ∗ anyseq ∗ ) w i r e [ 7 : 0 ] f_tx_data ;
Clocked and $past
always @ ( ∗ )
k Induction
i f ( f_tx_busy )
Bus Properties
assume ( ! f_tx_start ) ;
Free Variables
Lesson Overview
Formal always @ ( posedge f_txclk )
Memory i f ( f_tx_busy )
So what?
Ź Rule
assume ( f_tx_data == $past ( f_tx_data ) ) ;
Discussion

Abstraction You can then

Invariants
˝ Tie assertions to partially received data
Multiple-Clocks
˝ . . . and pass induction
Cover

Sequences

Quizzes

150 / 462
Discussion
Welcome How would you use free variables to verify a cache
Motivation implementation?
Basics

Clocked and $past

k Induction

Bus Properties

Free Variables
Lesson Overview
Formal
Memory
So what?
Rule
Ź Discussion

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

151 / 462
Discussion
Welcome How would you use free variables to verify a cache
Motivation implementation?
Basics

Clocked and $past Hint: you only need three properties for the cache contract
k Induction

Bus Properties

Free Variables
Lesson Overview
Formal
Memory
So what?
Rule
Ź Discussion

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

151 / 462
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Ź Abstraction Abstraction
Lesson Overview
Formal
Proof
Pictures
Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

152 / 462
Lesson Overview
Welcome ˝ Proving simple modules is easy.
Motivation ˝ What about large and complex ones?
Basics

Clocked and $past It’s time to discus abstraction.

k Induction Objectives
Bus Properties
˝ Understand what abstraction is
Free Variables
˝ Gain confidence in the idea of abstraction
Abstraction
Ź Lesson Overview ˝ Understand how to reduce a design via abstraction
Formal
Proof
Pictures
Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

153 / 462
Abstraction Formally
Welcome Formally, if
Motivation

Basics AÑC
Clocked and $past

k Induction then we can also say that

Bus Properties

Free Variables pABq Ñ C

Abstraction
Lesson Overview
Ź Formal
Proof
Pictures
Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

154 / 462
Formal Proof
Welcome Shall we go over the proof?
Motivation

Basics AÑC ñ A _ C “ True

Clocked and $past
True or anything is still true, so
k Induction

Bus Properties
p A _ Cq _ B
Free Variables Rearranging terms
Abstraction
Lesson Overview
A_ B_C
Formal
pABq _ C
Ź Proof
Pictures Expressing as an implication
Examples
Exercise pABq Ñ C
Invariants

Multiple-Clocks Q.E.D.!
Cover

Sequences

Quizzes

155 / 462
So what?
Welcome With every additional module,
Motivation
˝ Formal verification becomes more difficult
Basics
˝ Complexity increases exponentially
Clocked and $past
˝ You only have so many hours and dollars
k Induction

Bus Properties On the other hand,

Free Variables

Abstraction
˝ Anything you can simplify by abstraction . . .
Lesson Overview ˝ is one less thing you need to prove
Formal
Ź Proof
Pictures
Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

156 / 462
In Pictures
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Lesson Overview
Formal
Proof
Ź Pictures
Examples
Suppose your state space looked like this
Exercise

Invariants ˝ It takes many transitions required to get to interesting states

Multiple-Clocks

Cover

Sequences

Quizzes

157 / 462
In Pictures
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Lesson Overview
Formal
Proof
Ź Pictures
Examples
Suppose we added to this design . . .
Exercise

Invariants ˝ Some additional states, and

Multiple-Clocks ˝ Additional transitions
Cover

Sequences
The real states and transitions must still remain
Quizzes

158 / 462
In Pictures
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Lesson Overview
Formal
Proof
Ź Pictures
Examples
If this new design still passes, then . . .
Exercise

Invariants ˝ Since the original design is a subset . . .

Multiple-Clocks ˝ The original design must also still pass
Cover

Sequences
If done well, the new design will require less effort to prove
Quizzes

159 / 462
A CPU
Welcome Where would you start?
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Lesson Overview
Formal
Proof
Ź Pictures
Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

160 / 462
A CPU
Welcome Where would you start?
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Lesson Overview
Formal
Proof
Ź Pictures
Examples
Exercise

Invariants

Multiple-Clocks

Cover At the interfaces!

Sequences

Quizzes

160 / 462
Prefetch
Welcome Let’s consider a prefetch module as an example.
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables
If you do this right,
Abstraction ˝ Any internally consistent Prefetch,
Lesson Overview
Formal ˝ that properly responds to the CPU, and
Proof ˝ interacts properly with the bus,
Ź Pictures
Examples ˝ must work!
Exercise

Invariants
Care to try a different prefetch approach?
Multiple-Clocks

Cover

Sequences

Quizzes

161 / 462
Prefetch
Welcome Suppose the prefetch was just a shell
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables
It would still interact properly with
Abstraction ˝ The bus, and
Lesson Overview
Formal ˝ The CPU
Proof ˝ It just might not return values from the bus to the CPU
Ź Pictures
Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

162 / 462
Prefetch
Welcome Suppose the prefetch was just a shell
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables
If the CPU still acted “correctly”
Abstraction ˝ With either the right, or the wrong instructions, then
Lesson Overview
Formal ˝ The CPU must act correctly with the right instructions
Proof
Ź Pictures
Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

163 / 462
Examples
Welcome Consider these statements:
Motivation
˝
Basics

Clocked and $past

k Induction
If
Bus Properties
And
Free Variables Then
Abstraction
Lesson Overview
Formal
Proof
Pictures
Ź Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

164 / 462
Examples
Welcome Consider these statements:
Motivation
˝ Prefetch is bus master, interfaces w/CPU
Basics

Clocked and $past

k Induction
If (Prefetch responds to CPU insn requests)
Bus Properties
And (Prefetch produces the right instructions)
Free Variables Then (The prefetch works within the design)
Abstraction
Lesson Overview
Formal
Proof
Pictures
Ź Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

164 / 462
Examples
Welcome Consider these statements:
Motivation
˝ The CPU is just a wishbone master within a design
Basics

Clocked and $past

k Induction
If (The CPU is valid bus master)
Bus Properties
And (CPU properly executes instructions)
Free Variables Then (CPU works within a design)
Abstraction
Lesson Overview
Formal
Proof
Pictures
Ź Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

164 / 462
Examples
Welcome Consider these statements:
Motivation
˝ The ALU must return a calculated number
Basics

Clocked and $past

k Induction
If (ALU returns a value when requested)
Bus Properties
And (It is the right value)
Free Variables Then (The ALU works within the design)
Abstraction
Lesson Overview
Formal
Proof
Pictures
Ź Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

164 / 462
Examples
Welcome Consider these statements:
Motivation
˝ A flash device responds in 8-80 clocks
Basics

Clocked and $past

k Induction
If (Bus master reads/responds to a request)
Bus Properties
And (The response comes back in 8-80 clocks)
Free Variables Then (The CPU can interact with a flash memory)
Abstraction
Lesson Overview
Formal
Proof
Pictures
Ź Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

164 / 462
Examples
Welcome Consider these statements:
Motivation
˝ The divide must return a calculated number
Basics

Clocked and $past

k Induction
If (Divide returns a value when requested)
Bus Properties
And (It is the right value)
Free Variables Then (The divide works within the design)
Abstraction
Lesson Overview
Formal
Proof
Pictures
Ź Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

164 / 462
Examples
Welcome Consider these statements:
Motivation
˝ Formal solvers break down when applied to multiplies
Basics

Clocked and $past

k Induction
If (Multiply unit returns an answer N clocks later)
Bus Properties
And (It is the right value)
Free Variables Then (The multiply works within the design)
Abstraction
Lesson Overview
Formal
Proof
Pictures
Ź Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

164 / 462
Abstracted CPU components
Welcome Looking at the CPU again,
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Lesson Overview
Formal
Proof
Pictures
Ź Examples
Exercise

Invariants

Multiple-Clocks

Cover
˝ Replace all the components with abstract shells
Sequences
˝ . . . shells that might produce the same answers
Quizzes

165 / 462
Back to the Counter
Welcome Let’s consider a fractional counter:
Motivation
reg [ 3 1 : 0 ] r_count ;
Basics
i n i t i a l r_count = 0 ;
Clocked and $past
i n i t i a l o_pps = 0;
k Induction
always @ ( posedge i_clk )
Bus Properties
{ o_pps , r_count } <= r_count + 3 2 ’ d43 ;
Free Variables

Abstraction The problem with this counter

Lesson Overview
Formal
Proof
˝ It will take 100 ˆ 106 clocks to roll over and set o_pps
Pictures ˝ Formally checking 100 ˆ 106 clocks is prohibitive
Ź Examples
Exercise We’ll need a better way, or we’ll never deal with this
Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

166 / 462
Back to the Counter
Welcome How might we build an abstract counter?
Motivation
˝ First, create an arbitrary counter increment
Basics

Clocked and $past ( ∗ anyseq ∗ ) w i r e [ 3 1 : 0 ] increment ;

k Induction a s s i g n rollover = ´ r_count ;
Bus Properties always @ ( ∗ )
Free Variables begin
Abstraction assume ( increment > 0 ) ;
Lesson Overview assume ( increment < { 2 ’ h1 , 3 0 ’ h0 } ) ;
Formal
Proof
i f ( rollover < 3 2 ’ d43 )
Pictures assume ( increment == 3 2 ’ d43 ) ;
Ź Examples
else
Exercise
assume ( increment < rollover ) ;
Invariants
end
Multiple-Clocks

Cover

Sequences The correct increment, 32’d43, must be a possibility

Quizzes

167 / 462
Back to the Counter
Welcome We can now increment our counter by this arbitrary increment
Motivation
always @ ( posedge i_clk )
Basics
{ o_pps , r_count } <= r_count + increment ;
Clocked and $past

k Induction
Will this work?
Bus Properties

Free Variables ˝ Let’s try this to see!

Abstraction
Lesson Overview
always @ ( posedge i_clk )
Formal i f ( f_past_valid )
Proof a s s e r t ( r_count != $past ( r_count ) ) ;
Pictures
Ź Examples
Exercise always @ ( posedge i_clk )
Invariants i f ( ( f_past_valid)&&(r_count < $past ( r_count ) ) )
Multiple-Clocks a s s e r t ( o_pps ) ;
Cover

Sequences

Quizzes

168 / 462
Other Possibilities
Welcome How else might you use this?
Motivation
˝ Bypassing the runup for an external peripheral
Basics
˝ Testing a real-time clock or date
Clocked and $past

k Induction Or . . . how about that CPU?

Bus Properties

Free Variables

Abstraction
Lesson Overview
Formal
Proof
Pictures
Ź Examples
Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

169 / 462
Exercise
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables Let’s modify this abstract counter

Abstraction
Lesson Overview ˝ Increment by one, rather than fractionally
Formal
Proof Exercise Objectives:
Pictures
Examples
Ź Exercise
˝ Prove a design works both with and without abstraction
Invariants
˝ Gain some confidence using abstraction
Multiple-Clocks

Cover

Sequences

Quizzes

170 / 462
Exercise #8
Welcome Your task:
Motivation
˝ Rebuild the counter
Basics
˝ Make it increment by one
Clocked and $past
˝ Build it so that . . .
k Induction

Bus Properties always @ ( ∗ )

Free Variables a s s e r t ( o_carry == ( r_count == 0 ) ) ;
Abstraction
Lesson Overview
Formal
// and
Proof
Pictures always @ ( posedge i_clk )
Examples
Ź Exercise i f ( ( f_past_valid )&&(! $past (&r_count ) ) )
Invariants a s s e r t ( ! o_carry ) ;
Multiple-Clocks

Cover
˝ Prove that this abstracted counter works
Sequences

Quizzes

171 / 462
Exercise #8
Welcome Your task:
Motivation
˝ Rebuild the counter
Basics
˝ Make it increment by one
Clocked and $past
˝ Prove that this abstracted counter works
k Induction

Bus Properties

Free Variables

Abstraction
Lesson Overview
Formal
Proof
Pictures
Examples
Ź Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

172 / 462
Exercise #8
Welcome Your task:
Motivation
˝ Rebuild the counter
Basics
˝ Make it increment by one
Clocked and $past
˝ Prove that this abstracted counter works
k Induction

Bus Properties Hints:

Free Variables

Abstraction
˝ &r_count must take place before r_count==0
Lesson Overview ˝ You cannot skip &r_count
Formal
Proof ˝ Neither can you skip r_count == 0
Pictures
Examples
Ź Exercise

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

172 / 462
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Invariants
Ź Invariants
Lesson Removed

Multiple-Clocks

Cover

Sequences

Quizzes

173 / 462
Lesson Removed
Welcome This lesson is currently being revised, and will be released again
Motivation shortly
Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants
Ź Lesson Removed

Multiple-Clocks

Cover

Sequences

Quizzes

174 / 462
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Multiple-Clocks
Invariants

Ź Multiple-Clocks
Basics
SBY File
(* gclk *)
$rose
$stable
Examples
Exercises

Cover

Sequences

Quizzes

175 / 462
Lesson Overview
Welcome The SymbiYosys option multiclock . . .
Motivation
˝ Used to process systems with dissimilar clocks
Basics
˝ Examples
Clocked and $past

k Induction – A serial port, with a formally generated transmitter

Bus Properties coming from a different clock domain
Free Variables
– A SPI controller that needs both high speed and low
Abstraction
speed logic
Invariants

Multiple-Clocks
Ź Basics
Our Objective:
SBY File
(* gclk *)
˝ To learn how to handle multiple clocks within a design
$rose
$stable – (∗ gclk ∗)
Examples – $stable, $changed
Exercises

Cover
– $rose, $fell
Sequences

Quizzes

176 / 462
SymbiYosys config change
Welcome [ options ]
Motivation mode prove
Basics m u l t i c l o c k on
Clocked and $past

k Induction [ engines ]
Bus Properties smtbmc
Free Variables

Abstraction [ script ]
Invariants read ´formal module . v
Multiple-Clocks prep ´top module
Basics
Ź SBY File
[ files ]
(* gclk *)
$rose # file list
$stable
Examples
Exercises

Cover

Sequences

Quizzes

177 / 462
SymbiYosys config change
Welcome [ options ]
Motivation mode prove
Basics m u l t i c l o c k on Multiple clocks require this line
Clocked and $past

k Induction [ engines ]
Bus Properties smtbmc
Free Variables

Abstraction [ script ]
Invariants read ´formal module . v
Multiple-Clocks prep ´top module
Basics
Ź SBY File
[ files ]
(* gclk *)
$rose # file list
$stable
Examples
Exercises

Cover

Sequences

Quizzes

177 / 462
Five Tools
Welcome ˝ (∗ gclk ∗)
Motivation Provides access to the global formal time-step
Basics ˝ $stable
Clocked and $past True if a signal is stable (i.e. doesn’t change) with this clock.
k Induction
Equivalent to A == $past(A)
Bus Properties
˝ $changed
Free Variables
True if a signal has changed since the last clock tick.
Abstraction

Invariants
Equivalent to A != $past(A)
Multiple-Clocks
˝ $rose
Basics True if the signal rises on this formal time-step
Ź SBY File
(* gclk *) This is very useful for positive edged clocks transitions
$rose
$rose(A) is equivalent to (A[0])&&(!$past(A[0]))
$stable
Examples ˝ $fell
Exercises
True if a signal falls on this time-step, creating a negative
Cover
edge
Sequences
$fell (A) is equivalent to (!A[0])&&($past(A[0]))
Quizzes

178 / 462
(* gclk *)
Welcome ˝ A global formal time step
Motivation
( ∗ gclk ∗ ) w i r e gbl_clk ;
Basics

Clocked and $past

˝ You can use this to describe clock properties
k Induction

Bus Properties // Assume a s i n g l e c l o c k s i g n a l

Free Variables //
Abstraction reg f_last_clk ;
Invariants

Multiple-Clocks
i n i t i a l f_last_clk = 0 ;
Basics always @ ( posedge gbl_clk )
SBY File
Ź (* gclk *)
begin
$rose f_last_clk <= ! f_last_clk ;
$stable assume ( i_clk == f_last_clk ) ;
Examples
Exercises
end
Cover

Sequences

Quizzes

179 / 462
(* gclk *)
Welcome always @ ( posedge gbl_clk )
Motivation begin
Basics f_last_clk <= ! f_last_clk ;
Clocked and $past assume ( i_clk == f_last_clk ) ;
k Induction end
Bus Properties

Free Variables f last clk

Abstraction
i clk
Invariants

Multiple-Clocks
Basics
SBY File
Ź (* gclk *)
$rose
$stable
Examples
Exercises

Cover

Sequences

Quizzes

180 / 462
(* gclk *)
Welcome ˝ Used to gain access to the formal time-step
Motivation
( ∗ gclk ∗ ) w i r e gbl_clk ;
Basics

Clocked and $past

˝ You can use this to describe clock properties
k Induction

Bus Properties // Assume two r e l a t e d c l o c k s i g n a l s

Free Variables //
Abstraction reg [2:0] f_clk_counter ;
Invariants

Multiple-Clocks
i n i t i a l f_clk_counter = 0 ;
Basics always @ ( posedge gbl_clk )
SBY File
Ź (* gclk *)
begin
$rose f_clk_counter <= f_clk_counter + 1 ’ b1 ;
$stable assume ( i_clk_fast == f_clk_counter [ 0 ] ) ;
Examples
Exercises
assume ( i_clk_slow == f_clk_counter [ 2 ] ) ;
Cover
end
Sequences

Quizzes

181 / 462
(* gclk *)
Welcome The clock logic on the last slide forces these two clocks to be in
Motivation sync
Basics f clk counter 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0
Clocked and $past
i clk fast
k Induction
i clk slow
Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
Ź (* gclk *)
$rose
$stable
Examples
Exercises

Cover

Sequences

Quizzes

182 / 462
(* gclk *)
Welcome ˝ Used to gain access to the formal time-step
Motivation ˝ You can use this to describe clock properties
Basics
// Assume two c l o c k s , same sp eed ,
Clocked and $past
// unknown c o n s t a n t p h a s e o f f s e t
k Induction
(∗ gclk ∗ ) wire gbl_clk ;
Bus Properties
(∗ anyconst ∗ ) w i r e [ 2 : 0 ] f_clk_offset ;
Free Variables

Abstraction
i n i t i a l f_clk_counter= 0 ;
Invariants
always @ ( posedge gbl_clk )
Multiple-Clocks
Basics
begin
SBY File f_clk_counter <= f_clk_counter + 1 ’ b1 ;
Ź (* gclk *) f_clk_two <= f_clk_counter
$rose
$stable + f_clk_offset ;
Examples assume ( i_clk_one == f_clk_counter [ 2 ] ) ;
Exercises
assume ( i_clk_two == f_clk_two [ 2 ] ) ;
Cover
end
Sequences

Quizzes

183 / 462
(* gclk *)
Welcome The formal tool will pick the phase offset between these two
Motivation generated clock waveforms
Basics f clk counter 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
Clocked and $past
i clk one
k Induction
i clk two
Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
Ź (* gclk *)
$rose
$stable
Examples
Exercises

Cover

Sequences

Quizzes

184 / 462
(* gclk *)
Welcome How might you describe two unrelated clocks?
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
Ź (* gclk *)
$rose
$stable
Examples
Exercises

Cover

Sequences

Quizzes

185 / 462
(* gclk *)
Welcome How might you describe two unrelated clocks?
Motivation
( ∗ gclk ∗ ) wire gbl_clk ;
Basics
( ∗ anyconst ∗ ) w i r e [ 7 : 0 ] f_a_step ;
Clocked and $past
always @ ( ∗ )
k Induction
assume ( ( f_a_step > 0 ) &&(f_a_step [ 7 ] == 1 ’ b0 ) ) ;
Bus Properties

Free Variables
always @ ( posedge gbl_clk )
Abstraction
begin
Invariants
f_a_counter <= f_a_counter + f_a_step ;
Multiple-Clocks
Basics
SBY File assume ( i_clk_a == f_a_counter [ 7 ] ) ;
Ź (* gclk *) end
$rose
$stable
Examples
Exercises ˝ The (∗ anyconst ∗) register may take on any constant value
Cover ˝ You can repeat this logic for the second clock.
Sequences

Quizzes

185 / 462
(* gclk *)
Welcome The timing relationship between these two clocks can be
Motivation anything
Basics
˝ Each clock can have an arbitrary frequency
Clocked and $past
˝ Each clock can have an arbitrary phase
k Induction

Bus Properties Here’s a theoretical example trace

Free Variables

Abstraction
i_clk_a
Invariants
i_clk_b
Multiple-Clocks
Basics Don’t be surprised by the appearance of phase noise
SBY File
Ź (* gclk *)
$rose
$stable
Bonus: The trace above isn’t realistic. Why not?
Examples
Exercises

Cover

Sequences

Quizzes

186 / 462
$rose
Welcome Synchronous logic has some requirements
Motivation
˝ Inputs should only change on a clock edge
Basics
They should be stable otherwise
Clocked and $past
˝ $rose(i_clk) can be used to express this
k Induction

Bus Properties Here’s an example using $rose(i_clk) . . .

Free Variables

Abstraction
always @ ( posedge gbl_clk )
Invariants
i f ( ! $ros e ( i_clk ) )
Multiple-Clocks
assume ( i_input == $past ( i_input ) ) ;
Basics
SBY File
(* gclk *)
Ź $rose
$stable
Examples
Exercises

Cover

Sequences

Quizzes

187 / 462
$fell
Welcome $fell is like $rose, only it describes a negative edge
Motivation

Basics i_clk
Clocked and $past
$rose(i_clk)
k Induction
$fell (i_clk)
Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
(* gclk *)
Ź $rose
$stable
Examples
Exercises

Cover

Sequences

Quizzes

188 / 462
$rose
Welcome Let’s go back to the synchronous logic requirements
Motivation
˝ Inputs only change on clock edges
Basics
˝ $rose(i_clk) and $fell (i_clk) can be used to express this
Clocked and $past
˝ Let’s try this out
k Induction

Bus Properties Would this work?

Free Variables

Abstraction
always @ ( posedge gbl_clk )
Invariants
i f ( ! $ros e ( i_clk ) )
Multiple-Clocks
a s s e r t ( i_input == $past ( i_input ) ) ;
Basics
SBY File
(* gclk *)
Ź $rose
$stable
Examples
Exercises

Cover

Sequences

Quizzes

189 / 462
$rose
Welcome Let’s go back to the synchronous logic requirements
Motivation
˝ Inputs only change on clock edges
Basics
˝ $rose(i_clk) and $fell (i_clk) can be used to express this
Clocked and $past
˝ Let’s try this out
k Induction

Bus Properties Would this work?

Free Variables

Abstraction
always @ ( posedge gbl_clk )
Invariants
i f ( ! $ros e ( i_clk ) )
Multiple-Clocks
a s s e r t ( i_input == $past ( i_input ) ) ;
Basics
SBY File
(* gclk *) ˝ No. The general rule hasn’t changed
Ź $rose
$stable
Examples
Exercises

Cover

Sequences

Quizzes

189 / 462
$rose
Welcome Could we do it this way?
Motivation
always @ ( posedge gbl_clk )
Basics
i f ( $ f e l l ( i_clk ) )
Clocked and $past
a s s e r t ( state == $past ( state ) ) ;
k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
(* gclk *)
Ź $rose
$stable
Examples
Exercises

Cover

Sequences

Quizzes

190 / 462
$rose
Welcome Could we do it this way?
Motivation
always @ ( posedge gbl_clk )
Basics
i f ( $ f e l l ( i_clk ) )
Clocked and $past
a s s e r t ( state == $past ( state ) ) ;
k Induction

Bus Properties

Free Variables ˝ No, this doesn’t work either

Abstraction
i_clk
Invariants
state Stable Unconstrained Stable Unconstrained
Multiple-Clocks
Basics $fell (i_clk)
SBY File
(* gclk *)
Ź $rose
$stable
Examples
Exercises

Cover

Sequences

Quizzes

190 / 462
$rose
Welcome Is this equivalent?
Motivation
always @ ( posedge gbl_clk )
Basics
i f ( ! $past ( i_clk ) )
Clocked and $past
a s s e r t ( state == $past ( state ) ) ;
k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
(* gclk *)
Ź $rose
$stable
Examples
Exercises

Cover

Sequences

Quizzes

191 / 462
$rose
Welcome Is this equivalent?
Motivation
always @ ( posedge gbl_clk )
Basics
i f ( ! $past ( i_clk ) )
Clocked and $past
a s s e r t ( state == $past ( state ) ) ;
k Induction

Bus Properties

Free Variables ˝ Why not?

Abstraction

Invariants
i_clk
state Unconstrained Stable Uncon No change Uncon
Multiple-Clocks
Basics
!$past(i_clk)
SBY File
(* gclk *)
Ź $rose
$stable
Examples
Exercises

Cover

Sequences

Quizzes

191 / 462
$rose
Welcome This fixes our problems. Will this work?
Motivation
always @ ( posedge gbl_clk )
Basics
i f ( ! $ros e ( i_clk ) )
Clocked and $past
a s s e r t ( state == $past ( state ) ) ;
k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
(* gclk *)
Ź $rose
$stable
Examples
Exercises

Cover

Sequences

Quizzes

192 / 462
$rose
Welcome This fixes our problems. Will this work?
Motivation
always @ ( posedge gbl_clk )
Basics
i f ( ! $ros e ( i_clk ) )
Clocked and $past
a s s e r t ( state == $past ( state ) ) ;
k Induction

Bus Properties

Free Variables ˝ Not quite. Can you see the problem?

Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
(* gclk *)
Ź $rose
$stable
Examples
Exercises

Cover

Sequences

Quizzes

192 / 462
$rose
Welcome ˝ State/outputs should be clock synchronous
Motivation
always @ ( posedge gbl_clk )
Basics
i f ( ( f_past_valid )&&(! $ros e ( i_clk ) )
Clocked and $past
a s s e r t ( state == $past ( state ) ) ;
k Induction

Bus Properties
˝ With f_past_valid this works
Free Variables

Abstraction
i_clk
Invariants
state Stable Stable Stable
Multiple-Clocks
Basics f_past_valid
SBY File
(* gclk *) !$rose(i_clk)
Ź $rose
$stable ˝ $rose requires a clock, such as
Examples
Exercises
always @(posedge gbl_clk)
Cover

Sequences

Quizzes

193 / 462
$stable
Welcome Describes a signal which has not changed
Motivation
always @ ( posedge gbl_clk )
Basics
i f ( ( f_past_valid )&&(! $ros e ( i_clk ) ) )
Clocked and $past
a s s e r t ( $ s t a b l e ( state ) ) ;
k Induction

Bus Properties

Free Variables ˝ Requires a clock edge

Abstraction
always @(posedge gbl_clk)
Invariants
always @(posedge i_clk)
Multiple-Clocks
Basics
SBY File
˝ This is basically the same as state == $past(state)
(* gclk *)
$rose
Ź $stable
Examples
Exercises

Cover

Sequences

Quizzes

194 / 462
$stable
Welcome Caution: $stable(X) might still change between clock edges
Motivation
always @ ( posedge i_clk )
Basics
assume ( $ s t a b l e ( i_value ) ) ;
Clocked and $past

k Induction
The waveform below would satisfy the assumption above
Bus Properties

Free Variables i_clk

Abstraction i_value 0 1 0 1 0 1 0 1 0 1 0

Invariants 0 0 0
$past(i_value)
Multiple-Clocks
Basics
$stable(i_value)
SBY File
(* gclk *) The key to understanding what’s going on is to realize . . .
$rose
Ź $stable ˝ The assumption is only evaluated on @(posedge i_clk)
Examples
˝ $past(i_value) is only sampled @(posedge i_clk)
Exercises

Cover
˝ . . . and not on the formal (∗ gclk ∗) time step.
Sequences

Quizzes

195 / 462
Examples
Welcome ˝ Most logic doesn’t need the multiclock option
Motivation ˝ To help with logic that might need it, I use a parameter
Basics

Clocked and $past parameter [ 0 : 0 ] F_OPT_CLK2FFLOGIC = 1 ’ b0 ;

k Induction

Bus Properties generate i f ( F_OPT_CLK2FFLOGIC )

Free Variables begin
Abstraction ( ∗ gclk ∗ ) w i r e gbl_clk ;
Invariants

Multiple-Clocks always @ ( posedge gbl_clk )

Basics
SBY File
i f ( ( f_past_valid )&&(! $ros e ( i_clk ) ) )
(* gclk *) begin
$rose assume ( $ s t a b l e ( i_axi_awready ) ) ;
$stable
Ź Examples
assume ( $ s t a b l e ( i_axi_wready ) ) ;
Exercises // . . .
Cover end
Sequences end endgenerate
Quizzes

196 / 462
Ex SPI Port
Welcome o CS n
Motivation
o SCK
Basics
o MOSI
Clocked and $past

k Induction
i MISO
Bus Properties

Free Variables
˝ How would you formally describe the o_SCK and o_CS_n
Abstraction relationship?
Invariants

Multiple-Clocks
Basics
SBY File
(* gclk *)
$rose
$stable
Ź Examples
Exercises

Cover

Sequences

Quizzes

197 / 462
Ex SPI Port
Welcome o CS n
Motivation
o SCK
Basics
o MOSI
Clocked and $past

k Induction
i MISO
Bus Properties

Free Variables
˝ How would you formally describe the o_SCK and o_CS_n
Abstraction relationship?
Invariants

Multiple-Clocks i n i t i a l a s s e r t ( o_CS_n ) ;
Basics
i n i t i a l a s s e r t ( o_SCK ) ;
SBY File
(* gclk *)
$rose always @ ( ∗ )
$stable
Ź Examples
i f ( ! o_SCK )
Exercises a s s e r t ( ! o_CS_n ) ;
Cover

Sequences

Quizzes

197 / 462
Ex SPI Port
Welcome o CS n
Motivation
o SCK
Basics
o MOSI
Clocked and $past

k Induction
i MISO
Bus Properties

Free Variables
˝ How would you formally describe the o_SCK and o_CS_n
Abstraction relationship?
Invariants

Multiple-Clocks always @ ( posedge gbl_clk )

Basics
i f ( ( f_past_valid )
SBY File
(* gclk *) &&(( $ros e ( o_CS_n ) ) | | ( $ f e l l ( o_CS_n ) ) ) )
$rose a s s e r t ( ( o_SCK)&&( $ s t a b l e ( o_SCK ) ) ) ;
$stable
Ź Examples
Exercises

Cover

Sequences

Quizzes

198 / 462
Ex SPI Port
Welcome o CS n
Motivation
o SCK
Basics
o MOSI
Clocked and $past

k Induction
i MISO
Bus Properties

Free Variables
˝ How would you describe o_MOSI?
Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
(* gclk *)
$rose
$stable
Ź Examples
Exercises

Cover

Sequences

Quizzes

199 / 462
Ex SPI Port
Welcome o CS n
Motivation
o SCK
Basics
o MOSI
Clocked and $past

k Induction
i MISO
Bus Properties

Free Variables
˝ How would you describe o_MOSI?
Abstraction

Invariants always @ ( posedge gbl_clk )

Multiple-Clocks i f ( ( f_past_valid )&&(! o_CS_n )&&(! $ f e l l ( o_SCK ) ) )
Basics a s s e r t ( $ s t a b l e ( o_MOSI ) ) ;
SBY File
(* gclk *)
$rose
$stable
Ź Examples
Exercises

Cover

Sequences

Quizzes

199 / 462
Ex SPI Port
Welcome o CS n
Motivation
o SCK
Basics
o MOSI
Clocked and $past

k Induction
i MISO
Bus Properties

Free Variables
˝ How would you describe i_MISO?
Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
(* gclk *)
$rose
$stable
Ź Examples
Exercises

Cover

Sequences

Quizzes

200 / 462
Ex SPI Port
Welcome o CS n
Motivation
o SCK
Basics
o MOSI
Clocked and $past

k Induction
i MISO
Bus Properties

Free Variables
˝ How would you describe i_MISO?
Abstraction

Invariants always @ ( posedge gbl_clk )

Multiple-Clocks i f ( ( ! o_CS_n)&&(o_SCK ) )
Basics assume ( $ s t a b l e ( i_MISO ) ) ;
SBY File
(* gclk *)
$rose
$stable
Ź Examples
Exercises

Cover

Sequences

Quizzes

200 / 462
Ex SPI Port
Welcome o CS n
Motivation
o SCK
Basics
o MOSI
Clocked and $past

k Induction
i MISO
Bus Properties

Free Variables
˝ Should the i_MISO be able to change more than once per
Abstraction clock?
Invariants

Multiple-Clocks
Basics
SBY File
(* gclk *)
$rose
$stable
Ź Examples
Exercises

Cover

Sequences

Quizzes

201 / 462
Ex SPI Port
Welcome ˝ A little logic will force i_MISO to have only one transition per
Motivation clock
Basics
always @ ( posedge gbl_clk )
Clocked and $past
i f ( ( o_CS_n ) | | ( o_SCK ) )
k Induction
f_chgd <= 1 ’ b0 ;
Bus Properties
e l s e i f ( i_MISO != $past ( i_MISO ) )
Free Variables
f_chgd <= 1 ’ b1 ;
Abstraction

Invariants
always @ ( posedge gbl_clk )
Multiple-Clocks
Basics
i f ( ( f_past_valid)&&(f_chgd ) )
SBY File assume ( $ s t a b l e ( i_MISO ) ) ;
(* gclk *)
$rose
$stable
˝ How would we force exactly 8 o_SCK clocks?
Ź Examples
Exercises

Cover

Sequences

Quizzes

202 / 462
Ex SPI Port
Welcome ˝ Forcing exactly 8 clocks
Motivation
always @ ( posedge gbl_clk )
Basics
i f ( o_CS_n )
Clocked and $past
f_spi_bits <= 0 ;
k Induction
e l s e i f ( $ros e ( o_SCK ) )
Bus Properties
f_spi_bits <= f_spi_bits + 1 ’ b1 ;
Free Variables

Abstraction
always @ ( posedge gbl_clk )
Invariants
i f ( ( f_past_valid)&&( $ros e ( o_CS_n ) ) )
Multiple-Clocks a s s e r t ( f_spi_bits == 8 ) ;
Basics
SBY File
(* gclk *) ˝ Don’t forget the induction requirement
$rose
$stable always @ ( ∗ )
Ź Examples
a s s e r t ( f_spi_bits <= 8 ) ;
Exercises

Cover

Sequences

Quizzes

203 / 462
Exercises
Welcome Three exercises, chose one to verify:
Motivation
1. Input serdes
Basics
exercises-09/iserdes.v
Clocked and $past

k Induction
2. Clock gate
Bus Properties
exercises-10/clkgate.v
Free Variables 3. Clock Switch
Abstraction exercises-11/clkswitch.v
Invariants

Multiple-Clocks
Basics
SBY File
(* gclk *)
$rose
$stable
Examples
Ź Exercises

Cover

Sequences

Quizzes

204 / 462
Ex: Input Serdes
Welcome Getting a SERDES right is a good example of multiple clocks
Motivation

Basics i fast clk

Clocked and $past
i pin
k Induction
i slow clk
Bus Properties

Free Variables
o word 0x0b

Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
(* gclk *)
$rose
$stable
Examples
Ź Exercises

Cover

Sequences

Quizzes

205 / 462
Ex: Input Serdes
Welcome Getting a SERDES right is a good example of multiple clocks
Motivation
˝ Two clocks, one fast and one slow
Basics

Clocked and $past Clocks must be synchronous

k Induction $rose(slow_clk) implies $rose(fast_clk)
Bus Properties
˝ exercise-09/ Contains the file iserdes.v
Free Variables

Abstraction
˝ Can you formally verify that it works?
Invariants

Multiple-Clocks
Basics
SBY File
(* gclk *)
$rose
$stable
Examples
Ź Exercises

Cover

Sequences

Quizzes

206 / 462
Ex: Input Serdes
Welcome Be aware of the asynchronous reset signal!
Motivation

Basics i areset n
Clocked and $past
i fast clk
k Induction
i pin
Bus Properties

Free Variables
i slow clk
Abstraction o word Prior value RESET RESET

Invariants

Multiple-Clocks ˝ Can be asserted at any time

Basics
SBY File
˝ Can only be de-asserted on $rose(i_slow_clk)
(* gclk *) ˝ assume() these properties, since the reset is an input
$rose
$stable
Examples
Ź Exercises

Cover

Sequences

Quizzes

207 / 462
Ex: Clock Gate
Welcome The goal: a clock that can be gated, that doesn’t glitch
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
˝ exercise-10/ Contains the file clkgate.v
Invariants

Multiple-Clocks
Basics
SBY File
(* gclk *)
$rose
$stable
Examples
Ź Exercises

Cover

Sequences

Quizzes

208 / 462
Ex: Clock Gate
Welcome The goal: a clock that can be gated, that doesn’t glitch
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants
i clk
Multiple-Clocks i en
Basics
SBY File
o clk
(* gclk *)
$rose
$stable
Examples
Ź Exercises

Cover

Sequences

Quizzes

209 / 462
Ex: Clock Gate
Welcome The goal: a clock that can be gated, that doesn’t glitch
Motivation
˝ One clock, one unrelated enable
Basics
˝ Prove that the output clock
Clocked and $past

k Induction – is always high for the full width, but

Bus Properties – . . . never longer.
Free Variables
– For any clock rate
Abstraction

Invariants See exercise-10/clkgate.v

Multiple-Clocks
Basics
SBY File
(* gclk *)
$rose
$stable
Examples
Ź Exercises

Cover

Sequences

Quizzes

210 / 462
Ex: Clock Gate
Welcome Hints:
Motivation
˝ The output clock should only rise if the incoming clock rises
Basics
˝ The output clock should only fall if the incoming clock fall
Clocked and $past
˝ If the output clock is ever high, it should always fall with the
k Induction

Bus Properties
incoming clock
Free Variables
Be aware of the reset! The output clock might fall mid-clock
Abstraction
period due to the asynchronous reset.
Invariants

Multiple-Clocks
Basics
SBY File
(* gclk *)
$rose
$stable
Examples
Ź Exercises

Cover

Sequences

Quizzes

211 / 462
Ex: Clock Switch
Welcome Goal: To safely switch from one clock frequency to another
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
(* gclk *)
$rose
$stable
Examples
Ź Exercises

Cover

Sequences

Quizzes

212 / 462
Ex: Clock Switch
Welcome Goal: To safely switch from one clock frequency to another
Motivation
˝ Inputs
Basics

Clocked and $past – Two arbitrary clocks

k Induction – One select line
Bus Properties

Free Variables Prove that the output clock

Abstraction
˝ Is always high (or low) for at least the duration of one of the
Invariants

Multiple-Clocks
clocks
Basics ˝ Doesn’t stop
SBY File
(* gclk *) You may need to constrain the select line.
$rose
$stable
Examples
Ź Exercises

Cover

Sequences

Quizzes

213 / 462
Ex: Clock Switch
Welcome Hints:
Motivation
˝ You may assume the reset is only ever initially true
Basics
˝ Only one set of FF’s should ever change at any time
Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks
Basics
SBY File
(* gclk *)
$rose
$stable
Examples
Ź Exercises

Cover

Sequences

Quizzes

214 / 462
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Cover
Invariants

Multiple-Clocks

Ź Cover
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Counter

Sequences

Quizzes

215 / 462
Lesson Overview
Welcome The cover element is used to make certain something remains
Motivation possible
Basics
˝ BMC and induction test safety properties
Clocked and $past

k Induction
They prove that something will not happen
Bus Properties
˝ Cover tests a liveness property
Free Variables It proves that something may happen
Abstraction
Objectives
Invariants

Multiple-Clocks ˝ Understand why cover is important

Cover ˝ Understand how to use cover
Ź Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Counter

Sequences

Quizzes

216 / 462
Why Cover
Welcome Personal examples:
Motivation
˝ Forgot to set f_past_valid to one
Basics
Many assertions were ignored
Clocked and $past
˝ Av to WB bridge, passed FV, but couldn’t handle writes
k Induction

Bus Properties
˝ Error analysis
Free Variables The simulation trace doesn’t make sense. Can it be
Abstraction reproduced?
Invariants ˝ As an anti-assertion
Multiple-Clocks Can this situation actually happen?
Cover
Ź Lesson Overview What is cover good for? Catching the careless assumption!
BMC vs Cover
Cover in Verilog
What else? Ad hoc simulation traces!
State Space
SymbiYosys
Examples
Counter

Sequences

Quizzes

217 / 462
BMC vs Cover
Welcome Cover is more like BMC than Induction is
Motivation
˝ BMC
Basics

Clocked and $past

k Induction

Bus Properties ˝ Cover

Free Variables

Abstraction

Invariants

Multiple-Clocks ˝ BMC searches for failures

Cover ˝ Cover searches for a success
Lesson Overview
Ź BMC vs Cover Formally, we might say . . .
Cover in Verilog
State Space
SymbiYosys
˝ BMC + k-Induction: proof for all
Examples @assume()ñ @assert()
Counter
˝ Cover: there exists one
Sequences
@assume()ñ Dcover()
Quizzes

218 / 462
Cover in Verilog
Welcome Just like an assumption or an assertion
Motivation
// Make s u r e a w r i t e i s p o s s i b l e
Basics
always @ ( posedge i_clk )
Clocked and $past
cover ( ( o_wb_stb )&&(! i_wb_stall)&&(o_wb_we ) ) ;
k Induction

Bus Properties
// Or
Free Variables

Abstraction
// What h a p p e n s when a bus c y c l e i s a b o r t e d ?
Invariants
always @ ( posedge i_clk )
Multiple-Clocks i f ( i_reset )
Cover cover ( ( o_wb_cyc)&&(f_wb_outstanding > 0 ) ) ;
Lesson Overview
BMC vs Cover
Ź Cover in Verilog Well, almost but not quite.
State Space
SymbiYosys
Examples
Counter

Sequences

Quizzes

219 / 462
Cover in Verilog
Welcome Assert and cover handle surrounding logic differently
Motivation
˝ Assert logic
Basics

Clocked and $past always @ ( posedge i_clk )

k Induction i f (A)
Bus Properties assert (B ) ;
Free Variables

Abstraction is equivalent to,

Invariants
always @ ( posedge i_clk )
Multiple-Clocks
assert ( (! A) | | (B) ) ;
Cover
Lesson Overview
BMC vs Cover This is not true of cover.
Ź Cover in Verilog
State Space
SymbiYosys
Examples
Counter

Sequences

Quizzes

220 / 462
Cover in Verilog
Welcome Assert and cover handle surrounding logic differently
Motivation
˝ Assert logic
Basics
˝ Cover logic
Clocked and $past

k Induction always @ ( posedge i_clk )

Bus Properties i f (A)
Free Variables cover ( B ) ;
Abstraction

Invariants is equivalent to,

Multiple-Clocks
always @ ( posedge i_clk )
Cover
Lesson Overview
cover ( ( A ) && ( B ) ) ;
BMC vs Cover // NOT t h e same a s
Ź Cover in Verilog // a s s e r t ( ( ! A) | | (B) ) ;
State Space
SymbiYosys
Examples
Counter

Sequences

Quizzes

221 / 462
State Space
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover
Lesson Overview
BMC vs Cover
Cover in Verilog ˝ Goal is to prove certain state’s are reachable
Ź State Space
˝ Prover solves for example traces
SymbiYosys
Examples
Counter

Sequences

Quizzes

222 / 462
SymbiYosys
Welcome The SymbiYosys script for cover needs to change as well
Motivation
˝ SymbiYosys needs the option: mode cover
Basics
˝ Produces one trace per cover() statement
Clocked and $past

k Induction
. . . or fail
Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
Ź SymbiYosys
Examples
Counter

Sequences

Quizzes

223 / 462
SymbiYosys cover config
Welcome [ options ]
Motivation mode cover
Basics depth 40
Clocked and $past append 20
k Induction

Bus Properties [ engines ]

Free Variables smtbmc
Abstraction

Invariants [ script ]
Multiple-Clocks read ´formal module . v
Cover prep ´top module
Lesson Overview
BMC vs Cover
Cover in Verilog
[ files ]
State Space # file list
Ź SymbiYosys
Examples
Counter

Sequences

Quizzes

224 / 462
SymbiYosys cover config
Welcome [ options ]
Motivation mode cover Run a coverage analysis
Basics depth 40
Clocked and $past append 20
k Induction

Bus Properties [ engines ]

Free Variables smtbmc
Abstraction

Invariants [ script ]
Multiple-Clocks read ´formal module . v
Cover prep ´top module
Lesson Overview
BMC vs Cover
Cover in Verilog
[ files ]
State Space # file list
Ź SymbiYosys
Examples
Counter

Sequences

Quizzes

224 / 462
SymbiYosys cover config
Welcome [ options ]
Motivation mode cover
Basics depth 40 How far to look for a covered state
Clocked and $past append 20
k Induction

Bus Properties [ engines ]

Free Variables smtbmc
Abstraction

Invariants [ script ]
Multiple-Clocks read ´formal module . v
Cover prep ´top module
Lesson Overview
BMC vs Cover
Cover in Verilog
[ files ]
State Space # file list
Ź SymbiYosys
Examples
Counter

Sequences

Quizzes

224 / 462
SymbiYosys cover config
Welcome [ options ]
Motivation mode cover
Basics depth 40
Clocked and $past append 20 Follow each trace with 20 extra clocks
k Induction

Bus Properties [ engines ]

Free Variables smtbmc
Abstraction

Invariants [ script ]
Multiple-Clocks read ´formal module . v
Cover prep ´top module
Lesson Overview
BMC vs Cover
Cover in Verilog
[ files ]
State Space # file list
Ź SymbiYosys
Examples
Counter

Sequences

Quizzes

224 / 462
SymbiYosys tasks
Welcome [ tasks ]
Motivation prf
Basics cvr
Clocked and $past

k Induction [ options ]
Bus Properties prf : mode prove
Free Variables cvr : mode cover
Abstraction depth 40
Invariants

Multiple-Clocks # ...
Cover
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
Ź SymbiYosys
Examples
Counter

Sequences

Quizzes

225 / 462
SymbiYosys tasks
Welcome [ tasks ]
Motivation prf Run two tasks: prf and cvr
Basics cvr
Clocked and $past

k Induction [ options ]
Bus Properties prf : mode prove
Free Variables cvr : mode cover
Abstraction depth 40
Invariants

Multiple-Clocks # ...
Cover
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
Ź SymbiYosys
Examples
Counter

Sequences

Quizzes

225 / 462
SymbiYosys tasks
Welcome [ tasks ]
Motivation prf
Basics cvr
Clocked and $past

k Induction [ options ]
Bus Properties prf : mode prove The prf tasks runs induction
Free Variables cvr : mode cover
Abstraction depth 40
Invariants

Multiple-Clocks # ...
Cover
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
Ź SymbiYosys
Examples
Counter

Sequences

Quizzes

225 / 462
SymbiYosys tasks
Welcome [ tasks ]
Motivation prf
Basics cvr
Clocked and $past

k Induction [ options ]
Bus Properties prf : mode prove
Free Variables cvr : mode cover The cvr tasks runs in cover mode
Abstraction depth 40
Invariants

Multiple-Clocks # ...
Cover
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
Ź SymbiYosys
Examples
Counter

Sequences

Quizzes

225 / 462
SymbiYosys tasks
Welcome [ tasks ]
Motivation prf
Basics cvr
Clocked and $past

k Induction [ options ]
Bus Properties prf : mode prove
Free Variables cvr : mode cover
Abstraction depth 40 The same depth can apply to both
Invariants

Multiple-Clocks # ...
Cover
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
Ź SymbiYosys
Examples
Counter

Sequences

Quizzes

225 / 462
SymbiYosys tasks
Welcome [ tasks ]
Motivation prf
Basics cvr
Clocked and $past

k Induction [ options ]
Bus Properties prf : mode prove
Free Variables cvr : mode cover
Abstraction depth 40
Invariants

Multiple-Clocks # ...
Cover
Lesson Overview % sby -f sbyfil.sby now runs both modes
BMC vs Cover
Cover in Verilog
State Space
Ź SymbiYosys
Examples
Counter

Sequences

Quizzes

225 / 462
SymbiYosys tasks
Welcome [ tasks ]
Motivation prf
Basics cvr
Clocked and $past

k Induction [ options ]
Bus Properties prf : mode prove
Free Variables cvr : mode cover
Abstraction depth 40
Invariants

Multiple-Clocks # ...
Cover
Lesson Overview
BMC vs Cover
Cover in Verilog % sby -f sbyfil.sby cvr will run the cover mode alone
State Space
Ź SymbiYosys
Examples
Counter

Sequences

Quizzes

225 / 462
Cover Failures
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover
Lesson Overview Two basic types of cover failures
BMC vs Cover
Cover in Verilog 1. Covered state is unreachable
State Space
Ź SymbiYosys
No VCD file will be generated upon failure
Examples 2. Covered state is reachable, but only by breaking assertions
Counter

Sequences
VCD file will be generated
Quizzes

226 / 462
Ex: I-Cache
Welcome Consider a CPU I-cache:
Motivation
always @ ( posedge i_clk )
Basics
cover ( o_valid ) ;
Clocked and $past

k Induction
With no other formal logic, what will this trace look like?
Bus Properties

Free Variables ˝ CPU must provide a PC address

Abstraction ˝ Design must fill the appropriate cache line
Invariants ˝ Design returns an item from that cache line
Multiple-Clocks
That’s a lot of trace for two lines of HDL!
Cover
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Ź Examples
Counter

Sequences

Quizzes

227 / 462
Ex: Flash
Welcome Consider a Flash controller:
Motivation
always @ ( posedge i_clk )
Basics
cover ( o_wb_ack ) ;
Clocked and $past

k Induction
With no other formal logic, what will this trace look like?
Bus Properties
The controller must,
Free Variables

Abstraction ˝ Initialize the flash device

Invariants ˝ Accept a bus request
Multiple-Clocks ˝ Request a read from the flash
Cover ˝ Accumulate the result to return on the bus
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Ź Examples
Counter

Sequences

Quizzes

228 / 462
Ex: MMU
Welcome Consider a Memory Management Unit (MMU):
Motivation
always @ ( posedge i_clk )
Basics
cover ( o_wb_ack ) ;
Clocked and $past

k Induction
The MMU must,
Bus Properties

Free Variables ˝ Be told a TLB entry

Abstraction ˝ Accept a bus request
Invariants ˝ Look the request up in the TLB
Multiple-Clocks ˝ Forward the modified request downstream
Cover
Lesson Overview
˝ Wait for a return
BMC vs Cover ˝ Forward the value returned upstream
Cover in Verilog
State Space
SymbiYosys
Ź Examples
Counter

Sequences

Quizzes

229 / 462
Ex: SDRAM
Welcome How about an SDRAM controller?
Motivation
always @ ( posedge i_clk )
Basics
cover ( o_wb_ack ) ;
Clocked and $past

k Induction
The controller must,
Bus Properties

Free Variables ˝ Initialize the SDRAM

Abstraction ˝ Accept a bus request
Invariants ˝ Activate a row on a bank
Multiple-Clocks ˝ Issue a read (or write) command from that row
Cover ˝ Wait for a return value
Lesson Overview
BMC vs Cover ˝ Return the result
Cover in Verilog
State Space
SymbiYosys
Ź Examples
Counter

Sequences

Quizzes

230 / 462
Counter
Welcome Remember our counter?
Motivation
i n i t i a l counter = 0 ;
Basics
always @ ( posedge i_clk )
Clocked and $past
i f ( ( i_start_signal)&&(counter == 0 ) )
k Induction
counter <= MAX_AMOUNT ´1’b1 ;
Bus Properties
e l s e i f ( counter != 0 )
Free Variables
counter <= counter ´ 1 ’ b1 ;
Abstraction

Invariants
always @ ( ∗ )
Multiple-Clocks o_busy = ( counter != 0 ) ;
Cover
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Ź Counter

Sequences

Quizzes

231 / 462
Examples
Welcome Let’s add some cover statements. . .
Motivation
// T r a n s i t i o n t o b u s y
Basics
always @ ( posedge i_clk )
Clocked and $past
i f ( ( f_past_valid )&&(! $past ( o_busy ) ) )
k Induction
cover ( o_busy ) ;
Bus Properties

Free Variables
// T r a n s i t i o n back t o i d l e
Abstraction
always @ ( posedge i_clk )
Invariants
i f ( ( f_past_valid)&&( $past ( o_busy ) ) )
Multiple-Clocks cover ( ! o_busy ) ;
Cover
Lesson Overview
BMC vs Cover // Mid´c y c l e
Cover in Verilog always @ ( posedge i_clk )
State Space
SymbiYosys
cover ( counter == 3 ) ;
Examples
Ź Counter Will SymbiYosys find traces?
Sequences

Quizzes

232 / 462
Examples
Welcome How about now?
Motivation
always @ ( posedge i_clk )
Basics
cover ( ( o_busy)&&(counter == 0 ) ) ;
Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Ź Counter

Sequences

Quizzes

233 / 462
Examples
Welcome How about now?
Motivation
always @ ( posedge i_clk )
Basics
cover ( ( o_busy)&&(counter == 0 ) ) ;
Clocked and $past

k Induction
Or this one,
Bus Properties

Free Variables always @ ( posedge i_clk )

Abstraction cover ( counter == MAX_AMOUNT ) ;
Invariants

Multiple-Clocks
Will these succeed?
Cover
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Ź Counter

Sequences

Quizzes

233 / 462
Examples
Welcome How about now?
Motivation
always @ ( posedge i_clk )
Basics
cover ( ( o_busy)&&(counter == 0 ) ) ;
Clocked and $past

k Induction
Or this one,
Bus Properties

Free Variables always @ ( posedge i_clk )

Abstraction cover ( counter == MAX_AMOUNT ) ;
Invariants

Multiple-Clocks
Will these succeed? No. Both will fail
Cover ˝ These are outside the reachable state space
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Ź Counter

Sequences

Quizzes

233 / 462
Examples
Welcome What if the state is unreachable?
Motivation
// Keep t h e c o u n t e r from e v e r s t a r t i n g
Basics
always @ ( ∗ )
Clocked and $past
assume ( ! i_start_signal ) ;
k Induction

Bus Properties
always @ ( posedge i_clk )
Free Variables
cover ( counter != 0 ) ;
Abstraction

Invariants Will this succeed?

Multiple-Clocks

Cover
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Ź Counter

Sequences

Quizzes

234 / 462
Examples
Welcome What if the state is unreachable?
Motivation
// Keep t h e c o u n t e r from e v e r s t a r t i n g
Basics
always @ ( ∗ )
Clocked and $past
assume ( ! i_start_signal ) ;
k Induction

Bus Properties
always @ ( posedge i_clk )
Free Variables
cover ( counter != 0 ) ;
Abstraction

Invariants Will this succeed? No. This will fail with no trace.
Multiple-Clocks

Cover
˝ If i_start_signal is never true, the cover cannot be reached
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Ź Counter

Sequences

Quizzes

234 / 462
Examples
Welcome What if an assertion needs to be violated?
Motivation
always @ ( ∗ )
Basics
a s s e r t ( counter != 1 0 ) ;
Clocked and $past

k Induction
always @ ( posedge i_clk )
Bus Properties
cover ( counter == 4 ) ;
Free Variables

Abstraction What will happen here?

Invariants

Multiple-Clocks

Cover
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Ź Counter

Sequences

Quizzes

235 / 462
Examples
Welcome What if an assertion needs to be violated?
Motivation
always @ ( ∗ )
Basics
a s s e r t ( counter != 1 0 ) ;
Clocked and $past

k Induction
always @ ( posedge i_clk )
Bus Properties
cover ( counter == 4 ) ;
Free Variables

Abstraction What will happen here?

Invariants

Multiple-Clocks
˝ Cover statement is reachable
Cover ˝ But requires an assertion failure, so a trace is generated
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Ź Counter

Sequences

Quizzes

235 / 462
Clock Switch
Welcome Covering the clock switch
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants
˝ Shows the clock switching from fast to slow,
Multiple-Clocks

Cover
˝ and again from slow to fast
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Ź Counter

Sequences

Quizzes

236 / 462
Ex #7 Revisited
Welcome Return to your Wishbone arbiter. Let’s cover four cases:
Motivation
1. Cover both A and B receiving the bus
Basics
2. Cover how B will get the bus after A gets an
Clocked and $past

k Induction
acknowledgement
Bus Properties
3. Cover how A will get the bus after B gets an
Free Variables acknowledgement
Abstraction 4. Add to the last cover
Invariants
˝ B must request while A still holds the bus
Multiple-Clocks

Cover Plot and examine traces for each cases. Do they look right?
Lesson Overview
BMC vs Cover ˝ If everything works, the first case showing both A and B
Cover in Verilog
State Space receiving the bus will FAIL
SymbiYosys ˝ No trace is needed from that case
Examples
Ź Counter ˝ After getting this failure, you may want to remove it from
Sequences your cover checks
Quizzes

237 / 462
Ex #7 Revisited
Welcome Notice what we just proved:
Motivation
1. The arbiter will allow both sources to master the bus
Basics
2. The arbiter will transition from one source to another
Clocked and $past

k Induction
3. The arbiter won’t starve A or B
Bus Properties This wasn’t possible with just the safety properties (assert
Free Variables
statements)
Abstraction

Invariants

Multiple-Clocks

Cover
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Ź Counter

Sequences

Quizzes

238 / 462
Discussion
Welcome When should you use cover?
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover
Lesson Overview
BMC vs Cover
Cover in Verilog
State Space
SymbiYosys
Examples
Ź Counter

Sequences

Quizzes

239 / 462
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Sequences
Invariants

Multiple-Clocks

Cover

Ź Sequences
Overview
Clocking
Bind
Sequences
Questions?

Quizzes

240 / 462
Lesson Overview
Welcome SystemVerilog has some amazing formal properties
Motivation
˝ property can be assumed or asserted
Basics
By rewriting our assert’s and assume’s as properties, we can
Clocked and $past

k Induction
then control when they are asserted or assumed better.
Bus Properties
˝ bind formal properties to a subset of your design
Free Variables Allows us to (finally) separate the properties from the module
Abstraction they support
Invariants ˝ sequence – A standard property description language
Multiple-Clocks
Objectives
Cover

Sequences ˝ Learn the basics of SystemVerilog Assertions

Ź Overview
Clocking ˝ Gain confidence with yosys+verific
Bind
Sequences
Questions?

Quizzes

241 / 462
Building on the past
Welcome Much of what we’ve written can easily be rewritten in SVA
Motivation
always @ ( ∗ )
Basics
i f (A)
Clocked and $past
assert (B ) ;
k Induction

Bus Properties
can be rewritten as,
Free Variables

Abstraction a s s e r t p r o p e r t y ( @ ( posedge i_clk )

Invariants A |´> B ) ;
Multiple-Clocks

Cover
Note that this is now a clocked assertion, but otherwise it’s
Sequences
equivalent
Ź Overview
Clocking
Bind
Sequences
Questions?

Quizzes

242 / 462
Building on the past
Welcome Much of what we’ve written can easily be rewritten in SVA
Motivation
always @ ( posedge i_clk )
Basics
i f ( ( f_past_valid)&&( $past ( A ) ) )
Clocked and $past
assert (B ) ;
k Induction

Bus Properties
Can be rewritten as,
Free Variables

Abstraction a s s e r t p r o p e r t y ( @ ( posedge i_clk )

Invariants A |=> B ) ;
Multiple-Clocks

Cover

Sequences
Ź Overview
Clocking
Bind
Sequences
Questions?

Quizzes

243 / 462
Building on the past
Welcome Much of what we’ve written can easily be rewritten in SVA
Motivation
always @ ( posedge i_clk )
Basics
i f ( ( f_past_valid)&&( $past ( A ) ) )
Clocked and $past
assert (B ) ;
k Induction

Bus Properties
Can be rewritten as,
Free Variables

Abstraction a s s e r t p r o p e r t y ( @ ( posedge i_clk )

Invariants A |=> B ) ;
Multiple-Clocks

Cover
˝ Read this as A implies B on the next clock tick.
Sequences
Ź Overview
˝ No f_past_valid required anymore. This is a statement
Clocking about the next clock tick, not the last one.
Bind
Sequences
Questions? These equivalencies apply to assume() as well
Quizzes

243 / 462
Properties
Welcome You can also declare properties:
Motivation
p r o p e r t y SIMPLE_PROPERTY ;
Basics
@ ( posedge i_clk ) a |=> b ;
Clocked and $past
endproperty
k Induction

Bus Properties
a s s e r t p r o p e r t y ( SIMPLE_PROPERTY ) ;
Free Variables

Abstraction This would be the same as

Invariants

Multiple-Clocks
always @ ( posedge i_clk )
Cover
i f ( ( f_past_valid)&&( $past ( a ) ) )
Sequences
assert (b ) ;
Ź Overview
Clocking
Bind
Sequences
Questions?

Quizzes

244 / 462
Assume vs Assert
Welcome You could also do something like:
Motivation
parameter [ 0 : 0 ] F_SUBMODULE = 1 ’ b0 ;
Basics

Clocked and $past

generate i f ( F_SUBMODULE )
k Induction
begin
Bus Properties
assume p r o p e r t y ( INPUT_PROP ) ;
Free Variables
end e l s e begin
Abstraction
a s s e r t p r o p e r t y ( INPUT_PROP ) ;
Invariants
end endgenerate
Multiple-Clocks

Cover a s s e r t p r o p e r t y ( LOCAL_PROP ) ;
Sequences a s s e r t p r o p e r t y ( OUTPUT_PROP ) ;
Ź Overview
Clocking
Bind This would work quite nicely for a bus property file
Sequences
Questions?

Quizzes

245 / 462
Parameterized Properties
Welcome Properties can also accept parameters
Motivation
p r o p e r t y IMPLIES ( a , b ) ;
Basics
@ ( posedge i_clk )
Clocked and $past
a |´> b ;
k Induction
endproperty
Bus Properties

Free Variables
a s s e r t p r o p e r t y ( IMPLIES ( x , y ) ) ;
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
Ź Overview
Clocking
Bind
Sequences
Questions?

Quizzes

246 / 462
Parameterized Properties
Welcome Properties can also accept parameters
Motivation
p r o p e r t y IMPLIES_NEXT ( a , b ) ;
Basics
@ ( posedge i_clk ) a |=> b ;
Clocked and $past
endproperty
k Induction

Bus Properties
a s s e r t p r o p e r t y ( IMPLIES_NEXT ( x , y ) ) ;
Free Variables

Abstraction Remember, if you want to use |=>, $past, etc., you need to
Invariants
define a clock.
Multiple-Clocks

Cover

Sequences
Ź Overview
Clocking
Bind
Sequences
Questions?

Quizzes

247 / 462
Clocking
Welcome Getting tired of writing @(posedge i_clk)?
Motivation
˝ You can set a default clock
Basics

Clocked and $past d e f a u l t c l o c k i n g @ ( posedge i_clk ) ;

k Induction endclocking
Bus Properties

Free Variables Assumes i_clk if no clock is given.

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
Overview
Ź Clocking
Bind
Sequences
Questions?

Quizzes

248 / 462
Clocking
Welcome Getting tired of writing @(posedge i_clk)?
Motivation
˝ You can set a default clock
Basics
˝ You can set a default clock within a given block
Clocked and $past

k Induction c l o c k i n g @ ( posedge i_clk ) ;

Bus Properties // Your p r o p e r t i e s can go h e r e
Free Variables // As w i t h a s s e r t , assume ,
Abstraction // s e q u e n c e , e t c .
Invariants endclocking
Multiple-Clocks

Cover Assumes i_clk for all of the properties within the clocking
Sequences block.
Overview
Ź Clocking
Bind
Sequences
Questions?

Quizzes

249 / 462
Global Clocking
Welcome When using verific, $global clock must first be defined
Motivation
( ∗ gclk ∗ ) w i r e gbl_clk ;
Basics
g l o b a l c l o c k i n g @ ( posedge gbl_clk ) ; e n d c l o c k i n g
Clocked and $past

k Induction
This defines the $global clock . . .
Bus Properties

Free Variables ˝ as a positive edge transition of gbl_clk.

Abstraction ˝ The (∗ gclk ∗) attribute turns it into a formal timestep
Invariants

Multiple-Clocks

Cover

Sequences
Overview
Ź Clocking
Bind
Sequences
Questions?

Quizzes

250 / 462
Bind
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction ˝ Common bench testing works on black boxes

Invariants
˝ This doesn’t work well with formal methods
Multiple-Clocks

Cover

Sequences
Overview
Clocking
Ź Bind
Sequences
Questions?

Quizzes

251 / 462
Bind
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction ˝ Common bench testing works on black boxes

Invariants
˝ This doesn’t work well with formal methods
Multiple-Clocks
˝ Placing properties within a module doesn’t separate the two
Cover

Sequences
Overview
Clocking
Ź Bind
Sequences
Questions?

Quizzes

251 / 462
Bind
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction ˝ Common bench testing works on black boxes

Invariants
˝ This doesn’t work well with formal methods
Multiple-Clocks
˝ Placing properties within a module doesn’t separate the two
Cover

Sequences Using the SVA bind command, we can

Overview
Clocking ˝ Separate properties from a design
Ź Bind
˝ Maintains the necessary “white box” perspective
Sequences
Questions?

Quizzes

251 / 462
Bind
Welcome ˝ Can bind to specific named variables
Motivation
module mut ( i n p u t i , output o ) ;
Basics
reg r;
Clocked and $past
// Your l o g i c h e r e
k Induction
endmodule
Bus Properties

Free Variables
module mut_formal ( i n p u t a , i n p u t b , i n p u t r ) ;
Abstraction
// Your f o r m a l p r o p e r t i e s go h e r e
Invariants
endmodule
Multiple-Clocks

Cover bind mut mut_formal mut_instance (

Sequences // Bind i n p u t s t o g e t h e r
Overview
Clocking
. a(i) , . b(o) , . r(r)
Ź Bind // The g e n e r a l f o r m a t i s
Sequences
Questions?
. mut_formal_name ( mut_name ) ) ;
Quizzes
˝ Note all mut_formal ports must be inputs

252 / 462
Bind
Welcome ˝ Can bind to specific named variables
Motivation ˝ Can also make all variables available to your properties
Basics
module mut ( i n p u t i , output o ) ;
Clocked and $past
reg r;
k Induction
// Your l o g i c h e r e
Bus Properties
endmodule
Free Variables

Abstraction
module mut_formal ( i n p u t i , i n p u t o , i n p u t r ) ;
Invariants
// Your f o r m a l p r o p e r t i e s go h e r e
Multiple-Clocks
endmodule
Cover

Sequences
Overview
// Make e v e r y mut v a r i a b l e a v a i l a b l e i n
Clocking // m u t f o r m a l w i t h a v a r i a b l e o f t h e same
Ź Bind // name
Sequences
Questions?
bind mut mut_formal mut_instance ( . ∗ ) ;
Quizzes
˝ In order to use .∗ , names must match

253 / 462
Bind
Welcome ˝ Can bind to specific named variables
Motivation ˝ Can also make all variables available to your properties
Basics ˝ Can pass parameters through as well
Clocked and $past

k Induction
module mut ( i n p u t i , output o ) ;
Bus Properties
parameter ONE = 5 ;
Free Variables
// Your l o g i c h e r e
endmodule
Abstraction

Invariants
module mut_formal ( i n p u t i , i n p u t o , i n p u t r ) ;
Multiple-Clocks
parameter TWO = 1 4 ;
Cover
// Your f o r m a l p r o p e r t i e s go h e r e
Sequences
Overview
endmodule
Clocking
Ź Bind
bind mut mut_formal #(. TWO ( ONE ) )
Sequences
Questions? mut_instance ( . ∗ ) ;
Quizzes

254 / 462
Sequences
Welcome So far with properties,
Motivation
˝ We haven’t done anything really all that new.
Basics
˝ We’ve just rewritten what we’ve done before in a new form.
Clocked and $past

k Induction Sequences are something new

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
Overview
Clocking
Bind
Ź Sequences
Questions?

Quizzes

255 / 462
Sequence
Welcome With sequences, you can
Motivation
˝ Specify a series of actions
Basics

Clocked and $past sequence EXAMPLE ;

k Induction @ ( posedge i_clk ) a ##1 b ##1 c ##1 d ;
Bus Properties endsequence
Free Variables

Abstraction In this example, b always follows a by one clock, c follows b,

Invariants and d follows c
Multiple-Clocks

Cover

Sequences
Overview
Clocking
Bind
Ź Sequences
Questions?

Quizzes

256 / 462
Sequence
Welcome With sequences, you can
Motivation
˝ Specify a series of actions, separated by some number of
Basics
clocks
Clocked and $past

k Induction sequence EXAMPLE ;

Bus Properties @ ( posedge i_clk ) a ##2 b ##5 c ;
Free Variables endsequence
Abstraction

Invariants In this example, b always follows a two clocks later, and c

Multiple-Clocks follows five clocks after b
Cover

Sequences
Overview
Clocking
Bind
Ź Sequences
Questions?

Quizzes

257 / 462
Sequence
Welcome With sequences, you can
Motivation
˝ Specify a series of predicates, separated in time
Basics
˝ Can express range(s) of repeated values
Clocked and $past

k Induction sequence EXAMPLE ;

Bus Properties @ ( posedge i_clk ) b [ ∗ 2 : 3 ] ##1 c ;
Free Variables endsequence
Abstraction // i s e q u i v a l e n t t o . . .
Invariants sequence EXAMPLE_A_2x ; // 2 x
Multiple-Clocks @ ( posedge i_clk ) b ##1 b ##1 c ;
Cover endsequence
Sequences // o r
Overview sequence EXAMPLE_A_3x ; // 3 x
Clocking
Bind
@ ( posedge i_clk ) b ##1 b ##1 b ##1 c ;
Ź Sequences endsequence
Questions?

Quizzes

258 / 462
Sequence
Welcome With sequences, you can
Motivation
˝ Specify a series of predicates, separated in time
Basics
˝ Can express range(s) of repeated values
Clocked and $past

k Induction – [∗0: M] Predicate may be skipped

Bus Properties – [∗N:M] specifies from N to M repeats
Free Variables
– [∗N:$] Repeats at least N times, with no maximum
Abstraction

Invariants
Ranges can include empty sequences, such as ##[∗0:4]
Multiple-Clocks ˝ Compose multiple sequences together
Cover
– AND, seq_1 and seq_2
Sequences
Overview – OR, seq_1 or seq_2
Clocking – NOT, not seq
Bind
Ź Sequences
Questions?

Quizzes

259 / 462
And vs Intersect
Welcome The and and intersect operators are very similar
Motivation
˝ and is only true if both sequences are true
Basics
˝ intersect is only true if both sequences are true and have the
Clocked and $past

k Induction
same length
Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
Overview
Clocking
Bind
Ź Sequences
Questions?

Quizzes

260 / 462
Equivalences
Welcome ˝ Throughout
Motivation
sequence A ;
Basics
@ ( posedge i_clk )
Clocked and $past
( EXP ) [ ∗ 0 : $ ] i n t e r s e c t SEQ ;
k Induction
endsequence
Bus Properties

Free Variables
is equivalent to
Abstraction

Invariants sequence B ;
Multiple-Clocks
@ ( posedge i_clk )
Cover
( EXP ) throughout SEQ ;
Sequences
endsequence
Overview
Clocking The EXP expression must be true from now until SEQ ends
Bind
Ź Sequences
Questions?

Quizzes

261 / 462
Equivalences
Welcome ˝ Throughout
Motivation ˝ Until
Basics
property A ;
Clocked and $past
@ ( posedge i_clk )
k Induction
( E1 ) [ ∗ 0 : $ ] ##1 ( E2 ) ;
Bus Properties
endproperty
Free Variables

Abstraction
is equivalent to
Invariants

Multiple-Clocks property B ;
Cover @ ( posedge i_clk )
Sequences ( E1 ) u n t i l E2 ;
Overview endproperty
Clocking
Bind
Ź Sequences ˝ until can only be used in a property, not within a sequence
Questions?

Quizzes

262 / 462
Equivalences
Welcome ˝ Throughout
Motivation ˝ Until
Basics
property A ;
Clocked and $past
@ ( posedge i_clk )
k Induction
( E1 ) [ ∗ 0 : $ ] ##1 ( E2 ) ;
Bus Properties
endproperty
Free Variables

Abstraction
is equivalent to
Invariants

262 / 462
Equivalences
Welcome ˝ Throughout
Motivation ˝ Until
Basics ˝ Within
Clocked and $past

k Induction
sequence A ;
Bus Properties
@ ( posedge i_clk )
Free Variables
( 1 [ ∗ 0 : $ ] ##1 S1 ##1 1 [ ∗ 0 : $ ] )
i n t e r s e c t S2 ;
Abstraction
endsequence
Invariants

Multiple-Clocks
is equivalent to
Cover

Sequences sequence B ;
Overview @ ( posedge i_clk )
Clocking
Bind ( S1 ) w i t h i n S2 ;
Ź Sequences endsequence
Questions?

Quizzes

263 / 462
Returning to Properties
Welcome Properties can reference sequences
Motivation
˝ Directly
Basics

Clocked and $past a s s e r t p r o p e r t y ( seq ) ;

k Induction a s s e r t p r o p e r t y ( expr |´> seq ) ;
Bus Properties

Free Variables ˝ Implication: sequences can imply properties

Abstraction
a s s e r t p r o p e r t y ( seq |´> some_other_property ) ;
Invariants
a s s e r t p r o p e r t y ( seq |=> another_property ) ;
Multiple-Clocks

Cover

Sequences
Overview
Clocking
Bind
Ź Sequences
Questions?

Quizzes

264 / 462
Returning to Properties
Welcome Properties can include . . .
Motivation
˝ if statements
Basics

Clocked and $past a s s e r t p r o p e r t y ( i f ( A ) P1 e l s e P2 ) ;

k Induction

Bus Properties ˝ not, and, or even or statements

Free Variables
a s s e r t p r o p e r t y ( not P1 ) ;
Abstraction
a s s e r t p r o p e r t y ( P1 and P2 ) ;
Invariants
a s s e r t p r o p e r t y ( P1 or P2 ) ;
Multiple-Clocks

Cover

Sequences
Overview
Clocking
Bind
Ź Sequences
Questions?

Quizzes

265 / 462
Ex. Bus Request
Welcome A bus request will not change until it is accepted
Motivation
p r o p e r t y BUS_REQUEST_HOLD ;
Basics
@ ( posedge i_clk )
Clocked and $past
( STB)&&(STALL )
k Induction
|=> ( STB)&&( $ s t a b l e ( REQUEST ) ) ;
Bus Properties
endproperty
Free Variables

Abstraction
a s s e r t p r o p e r t y ( BUS_REQUEST_HOLD ) ;
Invariants

Multiple-Clocks

Cover

Sequences
Overview
Clocking
Bind
Ź Sequences
Questions?

Quizzes

266 / 462
Ex. Bus Request
Welcome A request persists until it is accepted
Motivation
sequence BUS_REQUEST ;
Basics
@ ( posedge i_clk )
Clocked and $past
// R e p e a t up t o MAX STALL c l k s
k Induction
( STB)&&(STALL ) [ ∗ 0 : MAX_STALL ]
Bus Properties
##1 ( STB )&&(! STALL ) ;
Free Variables
endsequence
Abstraction

Invariants
a s s e r t p r o p e r t y ( STB |´> BUS_REQUEST ) ;
Multiple-Clocks

Cover You no longer need to count stalls yourself.

Sequences
Overview
Clocking
Bind
Ź Sequences
Questions?

Quizzes

267 / 462
Ex. Bus Request
Welcome A request persists until it is accepted
Motivation
sequence BUS_REQUEST ;
Basics
@ ( posedge i_clk )
Clocked and $past
// R e p e a t up t o MAX STALL c l k s
k Induction
( STB)&&(STALL ) [ ∗ 0 : MAX_STALL ]
Bus Properties
##1 ( STB )&&(! STALL ) ;
Free Variables
endsequence
Abstraction

Invariants
a s s e r t p r o p e r t y ( STB |´> BUS_REQUEST ) ;
Multiple-Clocks

Cover You no longer need to count stalls yourself.

Sequences Could we do this with an until statement?
Overview
Clocking
Bind
Ź Sequences
Questions?

Quizzes

267 / 462
Ex. Bus Request
Welcome A request persists until it is accepted
Motivation
sequence BUS_REQUEST ;
Basics
@ ( posedge i_clk )
Clocked and $past
( STB)&&(STALL ) u n t i l ( STB )&&(! STALL ) ;
k Induction
endsequence
Bus Properties

Free Variables
a s s e r t p r o p e r t y ( STB |´> BUS_REQUEST ) ;
Abstraction

Invariants What is the difference?

Multiple-Clocks

Cover

Sequences
Overview
Clocking
Bind
Ź Sequences
Questions?

Quizzes

268 / 462
Ex. Bus Request
Welcome A request persists until it is accepted
Motivation
sequence BUS_REQUEST ;
Basics
@ ( posedge i_clk )
Clocked and $past
( STB)&&(STALL ) u n t i l ( STB )&&(! STALL ) ;
k Induction
endsequence
Bus Properties

Free Variables
a s s e r t p r o p e r t y ( STB |´> BUS_REQUEST ) ;
Abstraction

Invariants What is the difference? The until statement goes forever, our
Multiple-Clocks
prior example was limited to MAX_STALL clock cycles.
Cover

Sequences
Overview
Clocking
Bind
Ź Sequences
Questions?

Quizzes

Free Variables
a s s e r t p r o p e r t y ( STB |´> BUS_REQUEST ) ;
Abstraction

Invariants What is the difference?

Multiple-Clocks

Cover
But . . . what happens if RESET is asserted?
Sequences
Overview
Clocking
Bind
Ź Sequences
Questions?

Quizzes

268 / 462
Bus Request
Welcome A property can be conditionally disabled
Motivation
sequence BUS_REQUEST ;
Basics
// R e p e a t up t o MAX STALL c l k s
Clocked and $past
( STB)&&(STALL ) [ ∗ 0 : MAX_STALL ]
k Induction
##1 ( STB )&&(! STALL ) ;
Bus Properties
endsequence
Free Variables

Abstraction
assert property (
Invariants
@ ( posedge i_clk )
Multiple-Clocks d i s a b l e iff ( i_reset )
Cover STB |´> BUS_REQUEST ) ;
Sequences
Overview
Clocking
The assertion will no longer fail if i_reset clears the request
Bind What if the request is aborted?
Ź Sequences
Questions?

Quizzes

269 / 462
Ex. Bus Request
Welcome A property can be conditionally disabled
Motivation
sequence BUS_REQUEST ;
Basics
@ ( posedge i_clk )
Clocked and $past
// R e p e a t up t o MAX STALL c l k s
k Induction
( STB)&&(STALL ) [ ∗ 0 : MAX_STALL ]
Bus Properties
##1 ( STB )&&(! STALL ) ;
Free Variables
endsequence
Abstraction

Invariants
assert property (
Multiple-Clocks @ ( posedge i_clk )
Cover d i s a b l e iff ( ( i_reset ) | | ( ! CYC ) )
Sequences STB |´> BUS_REQUEST ) ;
Overview
Clocking
Bind Will this work?
Ź Sequences
Questions?

Quizzes

270 / 462
Ex. Bus Request
Welcome A property can be conditionally disabled
Motivation
sequence BUS_REQUEST ;
Basics
@ ( posedge i_clk )
Clocked and $past
// R e p e a t up t o MAX STALL c l k s
k Induction
( STB)&&(STALL ) [ ∗ 0 : MAX_STALL ]
Bus Properties
##1 ( STB )&&(! STALL ) ;
Free Variables
endsequence
Abstraction

Quizzes

270 / 462
Ex. Bus ACKs
Welcome Some peripherals will only ever accept one request
Motivation
sequence SINGLE_ACK ( MAX_DELAY ) ;
Basics
@ ( posedge i_clk )
Clocked and $past
( ! ACK)&&(STALL ) [ ∗ 0 : MAX_DELAY ]
k Induction
##1 ( ACK )&&(! STALL ) ;
Bus Properties
endsequence
Free Variables

Abstraction
assert property (
Invariants
d i s a b l e iff ( ( i_reset ) | | ( ! CYC ) )
Multiple-Clocks ( STB )&&(! STALL ) |=> SINGLE_ACK ( 3 2 ) ;
Cover );
Sequences
Overview
Clocking
This peripheral will
Bind
Ź Sequences ˝ Stall up to 32 clocks following any accepted request, until it
Questions? ˝ Acknowledges the request, and
Quizzes
˝ Releases the bus on the same cycle

271 / 462
Ex. Bus ACKs
Welcome Some peripherals will
Motivation
˝ Never stall the bus, and
Basics
˝ Acknowledge every request after a fixed number of clock ticks
Clocked and $past

k Induction p r o p e r t y NEVER_STALL ( DELAY ) ;

Bus Properties @ ( posedge i_clk )
Free Variables d i s a b l e iff ( ( i_reset ) | | ( ! CYC ) )
Abstraction ( STB ) |´> ##[∗DELAY ] ( ACK ) ;
Invariants endproperty
Multiple-Clocks

Cover a s s e r t p r o p e r t y ( NEVER_STALL ( DELAY )

Sequences and ( ! STALL ) ) ;
Overview
Clocking
Bind This is illegal. Can you spot the bug?
Ź Sequences
Questions?

Quizzes

272 / 462
Ex. Bus ACKs
Welcome Some peripherals will
Motivation
˝ Never stall the bus, and
Basics
˝ Acknowledge every request after a fixed number of clock ticks
Clocked and $past

k Induction p r o p e r t y NEVER_STALL ( DELAY ) ;

Bus Properties @ ( posedge i_clk )
Free Variables d i s a b l e iff ( ( i_reset ) | | ( ! CYC ) )
Abstraction ( STB ) |´> ##[∗DELAY ] ( ACK ) ;
Invariants endproperty
Multiple-Clocks

Cover a s s e r t p r o p e r t y ( NEVER_STALL ( DELAY )

Sequences and ( ! STALL ) ) ;
Overview
Clocking
Bind This is illegal. Can you spot the bug? What logic does the
Ź Sequences
Questions? disable iff apply to?
Quizzes

272 / 462
Ex. Bus ACKs
Welcome Some peripherals will
Motivation
˝ Never stall the bus, and
Basics
˝ Acknowledge every request after a fixed number of clock ticks
Clocked and $past

k Induction p r o p e r t y NEVER_STALL ( DELAY ) ;

Bus Properties @ ( posedge i_clk )
Free Variables d i s a b l e iff ( ( i_reset ) | | ( ! CYC ) )
Abstraction ( STB ) |´> ##[∗DELAY ] ( ACK ) ;
Invariants endproperty
Multiple-Clocks

Cover a s s e r t p r o p e r t y ( NEVER_STALL ( DELAY ) ) ;

Sequences a s s e r t p r o p e r t y ( ! STALL ) ;
Overview
Clocking
Bind This is valid
Ź Sequences
Questions?

Quizzes

273 / 462
Ex. Bus ACKs
Welcome Cannot ACK or ERR when no request is pending
Motivation
a s s e r t p r o p e r t y ( @ ( posedge i_clk )
Basics
( ( ! i_CYC ) | | ( i_reset ) )
Clocked and $past
##1 ( ( ! i_CYC ) | | ( i_reset ) )
k Induction
|´> ( ( ! o_ACK )&&(! o_ERR ) ) ;
Bus Properties

Free Variables
Or as we did it before
Abstraction

Invariants always @ ( posedge i_clk )

Multiple-Clocks
i f ( ( f_past_valid )
Cover
&&(( $past ( i_reset ) ) | | ( ! $past ( i_CYC ) ) )
Sequences
&&((i_reset ) | | ( ! i_CYC ) )
Overview a s s e r t ( ( ! o_ACK )&&(! o_ERR ) ) ;
Clocking
Bind
Ź Sequences
Which is simpler to understand?
Questions?

Quizzes

274 / 462
Ex. UART Tx
Welcome Let’s look at an serial port transmitter example.
Motivation A baud interval is CKS clocks . . .
Basics
˝ Output data is constant
Clocked and $past
˝ Logic doesn’t change state
k Induction

Bus Properties
˝ Internal shift register value is known
Free Variables ˝ Ends with zero_baud_counter
Abstraction

Invariants sequence BAUD_INTERVAL ( CKS , DAT , SR , ST ) ;

Multiple-Clocks
( ( o_uart_tx == DAT)&&(state == ST )
Cover
&&(lcl_data == SR )
Sequences
&&(! zero_baud_counter ) ) [ ∗ ( CKS ´1)]
Overview ##1 ( o_uart_tx == DAT)&&(state == ST )
Clocking &&(lcl_data == SR )
Bind
Ź Sequences &&(zero_baud_counter ) )
Questions? endsequence
Quizzes

275 / 462
Ex. UART Tx
Welcome A byte consists of 10 Baud intervals
Motivation
sequence SEND ( CKS , DATA ) ;
Basics
BAUD_INTERVAL ( CKS , 1 ’ b0 , DATA , 4 ’ h0 )
Clocked and $past
##1 BAUD_INTERVAL ( CKS , DATA [ 0 ] ,
k Induction
{ { ( 1 ) { 1 ’ b1 } } , DATA [ 7 : 1 ] } , 4 ’ h1 )
Bus Properties
##1 BAUD_INTERVAL ( CKS , DATA [ 1 ] ,
Free Variables
{ { ( 2 ) { 1 ’ b1 } } , DATA [ 7 : 2 ] } , 4 ’ h2 )
Abstraction
//
Invariants
##1 BAUD_INTERVAL ( CKS , DATA [ 6 ] ,
Multiple-Clocks { { ( 7 ) { 1 ’ b1 } } , DATA [ 7 ] } , 4 ’ h7 )
Cover ##1 BAUD_INTERVAL ( CKS , DATA [ 7 ] ,
Sequences { 7 ’ h7f , DATA [ 7 ] } , 4 ’ h8 )
Overview
Clocking
##1 BAUD_INTERVAL ( CKS , 1 ’ b1 , 8 ’ hff , 4 ’ h9 ) ;
Bind endsequence
Ź Sequences
Questions?

Quizzes

276 / 462
Ex. UART Tx
Welcome Transmitting a byte requires
Motivation
always @ ( posedge i_clk )
Basics
i f ( ( i_wr )&&(! o_busy ) )
Clocked and $past
fsv_data <= i_data ;
k Induction

Bus Properties
a s s e r t p r o p e r t y ( @ ( posedge i_clk )
Free Variables
( i_wr )&&(! o_busy )
Abstraction
|=> ( ( o_busy ) throughout
Invariants
SEND ( CLOCKS_PER_BAUD , fsv_data ) )
Multiple-Clocks ##1 ( ( ! o_busy)&&(o_uart_tx )
Cover &&(zero_baud_counter ) ) ;
Sequences
Overview
Clocking
Bind
˝ A transmit request is received
Ź Sequences ˝ The data is sent
Questions?
˝ The controller returns to idle
Quizzes

277 / 462
Ex. UART Tx
Welcome Transmitting a byte requires
Motivation
a s s e r t p r o p e r t y ( @ ( posedge i_clk )
Basics
( i_wr )&&(! o_busy )
Clocked and $past
|=> ( ( o_busy ) throughout
k Induction
SEND ( CLOCKS_PER_BAUD , fsv_data ) )
Bus Properties
##1 ( ( ! o_busy)&&(o_uart_tx )
Free Variables
&&(zero_baud_counter ) ) ;
Abstraction

Invariants Make sure . . .

Multiple-Clocks

Cover
˝ The sequence has a defined beginning
Sequences Only ever triggered once at a time
Overview ˝ Doesn’t reference changing data
Clocking
Bind ˝ throughout is within parenthesis
Ź Sequences
˝ You tie all relevant state information together
Questions?

Quizzes

278 / 462
SymbiYosys
Welcome Using SystemVerilog Assertions with Yosys requires Verific
Motivation
[ options ]
Basics
mode prove
Clocked and $past
[ engines ]
k Induction
smtbmc
Bus Properties
[ script ]
Free Variables
#
Abstraction
#
Invariants
read ´formal module . v
Multiple-Clocks # . . . o t h e r f i l e s would go h e r e
Cover prep ´top module
Sequences opt_merge ´share_all
Overview
Clocking
Bind [ files ]
Ź Sequences
. . / demo´rtl / module . v
Questions?

Quizzes

279 / 462
SymbiYosys
Welcome Using SystemVerilog Assertions with Yosys requires Verific
Motivation
[ options ]
Basics
mode prove
Clocked and $past
[ engines ]
k Induction
smtbmc
Bus Properties
[ script ]
Free Variables
# The read command works both with and without Verific
Abstraction
# SymbiYosys script doesn’t change therefore
Invariants
read ´formal module . v
Multiple-Clocks # . . . o t h e r f i l e s would go h e r e
Cover prep ´top module
Sequences opt_merge ´share_all
Overview
Clocking
Bind [ files ]
Ź Sequences
. . / demo´rtl / module . v
Questions?

Quizzes

279 / 462
SysVerilog Conclusions
Welcome SystemVerilog Concurrent Assertions . . .
Motivation
˝ can be very powerful
Basics
˝ can be very confusing
Clocked and $past
˝ can be used with immediate assertions
k Induction

Bus Properties
You can keep using the simpler property form we’ve been
Free Variables using
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
Overview
Clocking
Bind
Ź Sequences
Questions?

Quizzes

280 / 462
Last Exercise
Welcome Let’s formally verify a synchronous FIFO
Motivation
module sfifo ( i_clk , i_reset ,
Basics
i_wr , i_data , o_full ,
Clocked and $past
i_rd , o_data , o_empty ,
k Induction
o_err ) ;
Bus Properties
// . . .
Free Variables
‘ i f d e f FORMAL
Abstraction
// P r o p e r t i e s u n d e r s t o o d by e i t h e r
Invariants
// Y o s y s o r V e r i f i c
Multiple-Clocks // . . . .
Cover ‘endif
Sequences ‘ i f d e f VERIFIC_SVA
Overview
Clocking
// V e r i f i c ´o n l y p r o p e r t i e s
Bind // . . . .
Ź Sequences
‘endif
Questions?
endmodule
Quizzes

281 / 462
Last Exercise
Welcome Let’s formally verify a synchronous FIFO
Motivation What properties do you think would be appropriate?
Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
Overview
Clocking
Bind
Ź Sequences
Questions?

Quizzes

282 / 462
Last Exercise
Welcome Let’s formally verify a synchronous FIFO
Motivation What properties do you think would be appropriate?
Basics
˝ Should never go from full to empty
Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
Overview
Clocking
Bind
Ź Sequences
Questions?

Quizzes

282 / 462
Last Exercise
Welcome Let’s formally verify a synchronous FIFO
Motivation What properties do you think would be appropriate?
Basics
˝ Should never go from full to empty except on a reset
Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
Overview
Clocking
Bind
Ź Sequences
Questions?

Quizzes

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
Overview
Clocking
Bind
Ź Sequences
Questions?

Quizzes

Bus Properties
˝ The two outputs, o_empty and o_full, should properly reflect
Free Variables the size of the FIFO
Abstraction
– o_empty means the FIFO is currently empty
Invariants
– o_full means the FIFO has 2N elements within it
Multiple-Clocks

Cover

Sequences
Overview
Clocking
Bind
Ź Sequences
Questions?

Quizzes

Cover ˝ Challenge: Use sequences to prove that

Sequences
Overview – Given any two values written successfully
Clocking – Verify that those two values can (some time later) be read
Bind
Ź Sequences successfully, and in the right order
Questions?
(Unless a reset takes place in the meantime)
Quizzes

282 / 462
Hint
Welcome When using sequences,. . .
Motivation
˝ It can be very difficult to figure out what part of the
Basics
sequence failed.
Clocked and $past

k Induction
The assertion that fails will reference the entire failing
Bus Properties
sequence.
Free Variables
Suggestions:
Abstraction

Invariants
˝ Sequences must be triggered
Multiple-Clocks Be aware of what triggers a sequence
Cover ˝ Use combinational logic to define wires that will then
Sequences represent steps in the sequence
Overview
Clocking ˝ Build the sequences out of these wires
Bind
Ź Sequences
Questions?

Quizzes

283 / 462
Hint continued
Welcome Here’s an example:
Motivation
w i r e f_a , f_b , f_c ;
Basics
//
Clocked and $past
a s s i g n f_a = // y o u r l o g i c
k Induction
a s s i g n f_b = // y o u r l o g i c
Bus Properties
a s s i g n f_c = // y o u r l o g i c
Free Variables
//
Abstraction
sequence ARBITRARY_EXAMPLE_SEQUENCE
Invariants
f_a [ ∗ 0 : 4 ] ##1 f_b ##1 f_c [ ∗ 1 2 : 1 6 ] ;
Multiple-Clocks endsequence
Cover

Sequences If you use this approach

Overview
Clocking ˝ Interpreting the wave file will be much easier
Bind
Ź Sequences ˝ The f_a, etc., lines will be in the trace
Questions?

Quizzes

284 / 462
Questions?
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences
Overview
Clocking
Bind
Sequences
Ź Questions?

Quizzes

285 / 462
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction
Quizzes
Invariants

Multiple-Clocks

Cover

Sequences

Ź Quizzes

286 / 462
Quiz #1
Welcome Will the assertion below ever fail?
Motivation
reg [15:0] counter ;
Basics

Clocked and $past

i n i t i a l counter = 0 ;
k Induction
always @ ( posedge clk )
Bus Properties
counter <= counter + 1 ’ b1 ;
Free Variables

Abstraction
always @ ( ∗ )
Invariants
begin
Multiple-Clocks a s s e r t ( counter <= 1 0 0 ) ;
Cover assume ( counter <= 9 0 ) ;
Sequences end
Quizzes

287 / 462
Answer #1
Welcome No, it will never fail.
Motivation The assumption will prohibit the assertion from being evaluated.
Basics
always @ ( ∗ )
Clocked and $past
begin
k Induction
a s s e r t ( counter <= 1 0 0 ) ;
Bus Properties
assume ( counter <= 9 0 ) ;
Free Variables
end
Abstraction

Invariants
This is an example of what I call a careless asumption.
Multiple-Clocks

Cover

Sequences

Quizzes

288 / 462
Quiz #2
Welcome Will this simple counter ever pass formal verification?
Motivation
parameter [ 1 5 : 0 ] MAX_AMOUNT = 2 2 ;
Basics
reg [ 1 5 : 0 ] counter ;
Clocked and $past

k Induction
always @ ( posedge i_clk )
Bus Properties
i f ( ( i_start_signal)&&(counter == 0 ) )
Free Variables
counter <= MAX_AMOUNT ´1’b1 ;
Abstraction
e l s e i f ( counter != 0 )
Invariants
counter <= counter ´ 1 ;
Multiple-Clocks

Cover always @ ( ∗ )
Sequences o_busy = ( counter != 0 ) ;
Quizzes

‘ifdef FORMAL
always @ ( ∗ )
a s s e r t ( counter < MAX_AMOUNT ) ;
‘endif

289 / 462
Answer #2
Welcome This design just needs an initial counter value to pass
Motivation
parameter [ 1 5 : 0 ] MAX_AMOUNT = 2 2 ;
Basics
reg [ 1 5 : 0 ] counter = 0 ;
Clocked and $past

Cover always @ ( ∗ )
Sequences o_busy = ( counter != 0 ) ;
Quizzes

‘ifdef FORMAL
always @ ( ∗ )
a s s e r t ( counter < MAX_AMOUNT ) ;
‘endif

290 / 462
Quiz #3
Welcome Will the following design pass formal verification?
Motivation
reg [15:0] counter ;
Basics

Clocked and $past

i n i t i a l counter = 0 ;
k Induction
always @ ( posedge clk )
Bus Properties
i f ( counter == 1 6 ’ d22 )
Free Variables
counter <= 0 ;
Abstraction
else
Invariants
counter <= counter + 1 ’ b1 ;
Multiple-Clocks

Cover always @ ( ∗ )
Sequences a s s e r t ( counter != 1 6 ’ d500 ) ;
Quizzes

291 / 462
Answer #3
Welcome The following approach will pass both BMC and induction.
Motivation
reg [15:0] counter ;
Basics

Clocked and $past

i n i t i a l counter = 0 ;
k Induction
always @ ( posedge i_clk )
Bus Properties
i f ( i_reset ) // Keep ASIC d e s i g n e r s happy
Free Variables
counter <= 0 ;
Abstraction
e l s e i f ( counter == 1 6 ’ d22 )
Invariants
counter <= 0 ;
Multiple-Clocks else
Cover counter <= counter + 1 ’ b1 ;
Sequences

Quizzes // The c o r r e c t a s s e r t i o n s h o u l d r e f e r e n c e
// a l l o f t h e u n r e a c h a b l e c o u n t e r v a l u e s
always @ ( ∗ )
a s s e r t ( counter <= 1 6 ’ d22 ) ;

292 / 462
Quiz #4
Welcome Will the following design pass formal verification?
Motivation
i n i t i a l counter = 0 ;
Basics
always @ ( posedge i_clk )
Clocked and $past
i f ( ( i_start_signal)&&(counter == 0 ) )
k Induction
counter <= 2 3 ;
Bus Properties
e l s e i f ( counter != 0 )
Free Variables
counter <= counter ´ 1 ’ b1 ;
Abstraction

Invariants
always @ ( ∗ )
Multiple-Clocks a s s e r t ( counter < 2 4 ) ;
Cover always @ ( ∗ )
Sequences assume ( ! i_start_signal ) ;
Quizzes

always @ ( posedge i_clk )

a s s e r t ( $past ( counter == 0 ) ) ;

293 / 462
Answer #4
Welcome If you replace assert($past(counter==0)); with
Motivation assert(counter==0);, then this design passes.
Basics
i n i t i a l counter = 0 ;
Clocked and $past
always @ ( posedge i_clk )
k Induction
i f ( ( i_start_signal)&&(counter == 0 ) )
Bus Properties
counter <= 2 3 ;
Free Variables
e l s e i f ( counter != 0 )
Abstraction
counter <= counter ´ 1 ’ b1 ;
Invariants

Multiple-Clocks
always @ ( ∗ )
Cover
a s s e r t ( counter < 2 4 ) ;
Sequences
always @ ( ∗ )
Quizzes
assume ( ! i_start_signal ) ;

always @ ( posedge i_clk )

a s s e r t ( counter == 0 ) ;

294 / 462
Quiz #5
Welcome How are the following two assertions different?
Motivation
i n i t i a l f_past_valid = 1 ’ b0 ;
Basics
always @ ( posedge i_clk )
Clocked and $past
f_past_valid <= 1 ’ b1 ;
k Induction

Bus Properties
always @ ( posedge i_clk )
Free Variables
i f ( ( f_past_valid)&&( $past ( o_wb_stb ) )
Abstraction
&&($past ( i_wb_stall ) ) )
Invariants
a s s e r t ( ( o_wb_stb )
Multiple-Clocks &&($ s t a b l e ( { i_wb_addr , i_wb_we } ) ) ) ;
Cover

Sequences
a s s e r t p r o p e r t y ( @ ( posedge i_clk )
Quizzes
( o_wb_stb)&&(i_wb_stall )
|=> o_wb_stb
&&($ s t a b l e ( { i_wb_addr , i_wb_we } ) ) ) ;

295 / 462
Answer #5
Welcome ˝ The first assertion was an “immediate” assertion, the second
Motivation a “concurrent assertion”.
Basics ˝ While the Symbiotic EDA Suite supports both assertions, the
Clocked and $past free version of Yosys only supports immediate assertions
k Induction
˝ The second assertion is more compact, and perhaps even
Bus Properties
easier to read
Free Variables

Abstraction

Invariants
a s s e r t p r o p e r t y ( @ ( posedge i_clk )
( o_wb_stb)&&(i_wb_stall )
Multiple-Clocks
|=> o_wb_stb
Cover
&&($ s t a b l e ( { i_wb_addr , i_wb_we } ) ) ) ;
Sequences

Quizzes
Functionally, the two assertions are identical!

296 / 462
Quiz #6
Welcome When using multiclock techniques, which of the below
Motivation descriptions describes a signal that only changes on the positive
Basics edge of a clock?
Clocked and $past

k Induction
( ∗ gclk ∗ ) reg gbl_clk ;
Bus Properties
always @ ( posedge gbl_clk )
Free Variables
i f ( $ f e l l ( i_clk ) )
a s s e r t ( $ s t a b l e ( signal ) ) ;
Abstraction

Invariants

Multiple-Clocks always @ ( posedge gbl_clk )

Cover i f ( ! $ros e ( i_clk ) )
Sequences a s s e r t ( $ s t a b l e ( signal ) ) ;
Quizzes

always @ ( posedge gbl_clk )

i f ( ! $past ( i_clk ) )
a s s e r t ( $ s t a b l e ( signal ) ) ;

297 / 462
Answer #6
Welcome The correct way to assert that a signal will only change on a
Motivation positive clock edge requires asserting that the signal will be
Basics stable in all other cases.
Clocked and $past

k Induction
always @ ( posedge gbl_clk )
Bus Properties
i f ( ( f_past_valid_gbl )&&(! $ros e ( i_clk ) ) )
Free Variables
a s s e r t ( $ s t a b l e ( signal ) ) ;
Abstraction
Be aware, $rose() depends upon the $past(), so don’t forget an
Invariants
f_past_valid signal!
Multiple-Clocks

Cover
With (∗ gclk ∗), I like to call it f_past_valid_gbl, and define it
Sequences as,
Quizzes
reg f_past_valid_gbl = 1 ’ b0 ;
always @ ( posedge gbl_clk )
f_past_valid_gbl <= 1 ’ b1 ;

298 / 462
Quiz #7
Welcome Will this simple counter ever pass formal verification?
Motivation
reg [ 1 5 : 0 ] counter = 0 ;
Basics

Clocked and $past

always @ ( posedge i_clk )
k Induction
i f ( ( i_start_signal)&&(counter == 0 ) )
Bus Properties
counter <= 2 1 ;
Free Variables
e l s e i f ( counter != 0 )
Abstraction
counter <= counter ´ 1 ;
Invariants

Multiple-Clocks always @ ( ∗ )
Cover o_busy = ( counter != 0 ) ;
Sequences

Quizzes always @ ( posedge i_clk )

i f ( $past ( i_start_signal ) )
a s s e r t ( counter == 2 1 ) ;

299 / 462
Answer #7
Welcome No, the assertion would not pass: it neither checked for the past
Motivation counter == 0, nor did it make sure $past() was valid.
Basics The modified assertion, below, will pass.
Clocked and $past

k Induction
always @ ( posedge i_clk )
Bus Properties
i f ( ( f_past_valid )
Free Variables
&&($past ( i_start_signal ) )
&&($past ( counter ) == 0 ) )
Abstraction
a s s e r t ( counter == 2 1 ) ;
Invariants

Multiple-Clocks
Alternatively, the following concurrent assertion would also work:
Cover

Sequences a s s e r t p r o p e r t y @ ( posedge i_clk )

Quizzes ( i_start_signal)&&(counter == 0 )
|=> ( counter == 2 1 ) ;

This exercise is a good example of how formal methods force you

to look just a little harder at a problem.

300 / 462
Quiz #8
Welcome Will this design pass a Bounded Model Check (BMC)?
Motivation
reg [15:0] counter ;
Basics

Clocked and $past

i n i t i a l counter = 0 ;
k Induction
always @ ( posedge clk )
Bus Properties
counter <= counter + 1 ’ b1 ;
Free Variables

Abstraction
always @ ( ∗ )
Invariants
a s s e r t ( counter < 1 6 ’ d65000 ) ;
Multiple-Clocks

Cover

Sequences

Quizzes

301 / 462
Answer #8
Welcome Will this design pass a Bounded Model Check (BMC)?
Motivation
reg [15:0] counter ;
Basics

Clocked and $past

i n i t i a l counter = 0 ;
k Induction
always @ ( posedge clk )
Bus Properties
counter <= counter + 1 ’ b1 ;
Free Variables

Abstraction
always @ ( ∗ )
Invariants
a s s e r t ( counter < 1 6 ’ d65000 ) ;
Multiple-Clocks

Cover Not unless you prove it with a depth of over 65,000!

Sequences
This is a classic example of a proof that is easier to do with
Quizzes
induction. Less than five steps of induction would find this
problem.

302 / 462
Quiz #9
Welcome Will the following design pass formal verification?
Motivation
reg [15:0] counter ;
Basics

Clocked and $past

always @ ( ∗ )
k Induction
begin
Bus Properties
counter = 2 ;
Free Variables
a s s e r t ( counter == 5 ) ;
Abstraction
counter = counter + 3 ;
Invariants
end
Multiple-Clocks

Cover

Sequences

Quizzes

303 / 462
Answer #9
Welcome Will the following design pass formal verification?
Motivation
always @ ( ∗ )
Basics
begin
Clocked and $past
counter = 2 ;
k Induction
a s s e r t ( counter == 5 ) ;
Bus Properties
counter = counter + 3 ;
Free Variables
end
Abstraction

Invariants No, it will not pass.

Multiple-Clocks

Cover
˝ counter = 2 is a blocking statement. It is completed before
Sequences the assert() .
Quizzes ˝ counter==2 when the assert is applied
˝ Only after the assert is counter set to 5.
˝ Were the assert the last line of the block, it would’ve passed
˝ This is one reason why I separate my assertions from my logic

304 / 462
Quiz #10
Welcome Goal: to prove that whenever a request is being made, the
Motivation request will stay stable until it is accepted.
Basics Will this assertion capture what we want?
Clocked and $past

k Induction
i f ( ( $past ( o_REQUEST ))&&( $past ( i_STALL ) ) )
Bus Properties
begin
Free Variables
a s s e r t ( o_REQUEST ) ;
a s s e r t ( $ s t a b l e ( o_REQUEST_DETAILS ) ) ;
Abstraction
end
Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

305 / 462
Answer #10
Welcome Not quite, there’s a couple of things missing
Motivation Two examples would be i_reset and f_past_valid
Basics Here’s an updated assertion that should fix those lacks
Clocked and $past

k Induction
i f ( ( f_past_valid )&&(! $past ( i_reset ) )
Bus Properties
&&($past ( o_REQUEST ))&&( $past ( i_STALL ) ) )
Free Variables
begin
a s s e r t ( o_REQUEST ) ;
Abstraction
a s s e r t ( $ s t a b l e ( o_REQUEST_DETAILS ) ) ;
Invariants
end
Multiple-Clocks

Cover
Alternatively, we could have written,
Sequences

Quizzes a s s e r t p r o p e r t y @ ( posedge i_clk )

d i s a b l e iff ( i_reset )
( o_REQUEST)&&(i_STALL )
|=> ( o_REQUEST )
&&($ s t a b l e ( o_REQUEST_DETAILS ) ) ;

306 / 462
Quiz #11
Welcome The following design fails induction. How would you adjust it so
Motivation that it would pass?
Basics
reg [15:0] sa = 0 , sb = 0 ;
Clocked and $past

k Induction
always @ ( posedge i_clk )
Bus Properties
i f ( i_ce )
Free Variables
begin
Abstraction
sa <= { sa [ 1 4 : 0 ] , i_bit } ;
Invariants
sb <= { i_bit , sb [ 1 5 : 1 ] } ;
Multiple-Clocks
end
Cover

Sequences
always @ ( ∗ )
Quizzes
a s s e r t ( sa [ 1 5 ] == sb [ 0 ] ) ;

307 / 462
Answer #11
Welcome There are many solutions to this problem
Motivation
1. Use a non-smtbmc engine, such as abc pdr
Basics
2. Force i_ce
Clocked and $past

k Induction always @ ( posedge i_clk )

Bus Properties i f ( ! $past ( i_ce ) )
Free Variables assume ( i_ce ) ;
Abstraction

Invariants 3. Assert all bits

Multiple-Clocks
always @ ( ∗ )
Cover
begin
Sequences
a s s e r t ( sa [ 1 4 ] == sb [ 1 ] ) ;
Quizzes
a s s e r t ( sa [ 1 3 ] == sb [ 2 ] ) ;
a s s e r t ( sa [ 1 2 ] == sb [ 3 ] ) ;
a s s e r t ( sa [ 1 1 ] == sb [ 4 ] ) ;
// . . . t h r o u g h a l l c o m b i n a t i o n s

308 / 462
Quiz #12
Welcome The logic below is designed to ensure that the design will only
Motivation acknowledge requests and nothing more: one acknowledgment
Basics per request. It almost works. Can you spot any problem(s)?
Clocked and $past

k Induction
i n i t i a l f_nreqs = 0 ;
Bus Properties
always @ ( posedge i_clk )
Free Variables
i f ( ( i_reset ) | | ( ! i_wb_cyc ) )
f_nreqs <= 1 ’ b0 ;
Abstraction
e l s e i f ( ( i_wb_stb )&&(! o_wb_stall ) )
Invariants
f_nreqs <= f_nreqs + 1 ’ b1 ;
Multiple-Clocks
// f n a c k i s a s i m i l a r l y d e f i n e d c o u n t e r ,
Cover
// o n l y one t h a t c o u n t s a c k n o w l e d g m e n t s
Sequences
always @ ( ∗ )
Quizzes
i f ( f_nreqs == f_nacks )
a s s e r t ( ! o_wb_ack ) ;

Assume a sufficient number of bits in f_nreqs and f_nacks.

309 / 462
Answer #12
Welcome No, it will not pass. The problem is that it may be possible to
Motivation ACK a request on the same clock it is received. The following
Basics updated assertion will fix this.
Clocked and $past

k Induction
always @ ( ∗ )
Bus Properties
i f ( ( f_nreqs == f_nacks )
Free Variables
&&((! i_wb_stb ) | | ( o_wb_stall ) ) )
a s s e r t ( ! o_wb_ack ) ;
Abstraction

Invariants
Originally, I disallowed ACK’s on the same clock as the STB.
Multiple-Clocks
Then I tried formally verifying someone else’s design. When it
Cover

Sequences
didn’t pass, I went back and re-read the WB-spec only to
Quizzes discover the error in my ways.

310 / 462
Quiz #13
Welcome Given that X is defined somehow, which of the following
Motivation assertions will fail?
Basics
always @ ( posedge i_clk )
Clocked and $past
i f ( f_past_valid )
k Induction
begin
Bus Properties
assert ( $stable (X)
Free Variables
== ( X == $past ( X ) ) ) ;
Abstraction
a s s e r t ( $changed ( X )
Invariants
== ( X != $past ( X ) ) ) ;
Multiple-Clocks
a s s e r t ( $ros e ( X )
Cover
== ( ( X )&&(! $past ( X ) ) ) ) ;
Sequences
assert ( $ f e l l (X)
Quizzes
== ( ( ! X)&&( $past ( X ) ) ) ) ;
end

311 / 462
Answer #13
Welcome Two of these assertions will fail if X is wider than one bit
Motivation
a s s e r t ( $ros e ( X ) == ( ( X )&&(! $past ( X ) ) ) ) ;
Basics
a s s e r t ( $ f e l l ( X ) == ( ( ! X)&&( $past ( X ) ) ) ) ;
Clocked and $past

k Induction
From the 2012 SystemVerilog standard,
Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks
These updated assertions will succeed,
Cover

Sequences a s s e r t ( $ros e ( X ) == ( ( X [ 0 ] ) & & ( ! $past ( X [ 0 ] ) ) ) ) ;

Quizzes a s s e r t ( $ f e l l ( X ) == ( ( ! X [ 0 ] ) & & ( $past ( X [ 0 ] ) ) ) ) ;

312 / 462
Quiz #14
Welcome The following logic creates two clocks with nearly identical
Motivation frequencies. Can you spot any missing assumptions?
Basics
( ∗ gclk ∗ ) reg gbl_clk ;
Clocked and $past
( ∗ anyconst ∗ ) reg [ 7 : 0 ] f_step_one , f_step_two ;
k Induction
always @ ( ∗ )
Bus Properties
i f ( f_step_one > f_step_two )
Free Variables
assume ( f_step_one ´ f_step_two < 8 ’ h2 ) ;
Abstraction
else
Invariants
assume ( f_step_two ´ f_step_one < 8 ’ h2 ) ;
Multiple-Clocks
always @ ( posedge gbl_clk ) begin
Cover
f_counter_one <= f_counter_one + f_step_one ;
Sequences
f_counter_two <= f_counter_two + f_step_two ;
Quizzes
//
assume ( i_clk_one == f_counter_one [ 7 ] ) ;
assume ( i_clk_two == f_counter_two [ 7 ] ) ;
end

313 / 462
Answer #14
Welcome The step sizes cannot ever be zero, and steps greater than 8’h80
Motivation will alias.
Basics
always @ ( ∗ )
Clocked and $past
begin
k Induction
assume ( f_step_one != 0);
Bus Properties
assume ( f_step_two != 0);
Free Variables
assume ( f_step_one <= 8 ’ h80 ) ;
Abstraction
assume ( f_step_two <= 8 ’ h80 ) ;
Invariants
end
Multiple-Clocks

Cover
For performance reasons, you may choose to assume the speed
Sequences
of the fastest clock.
Quizzes
always @ ( ∗ )
assume ( ( f_step_one == 8 ’ h80 )
| | ( f_step_two == 8 ’ h80 ) ) ;

314 / 462
Quiz #15
Welcome Will the following assertion pass?
Motivation
always @ ( posedge i_clk )
Basics
begin
Clocked and $past
i f ( i_write )
k Induction
mem [ i_waddr ] <= i_data ;
Bus Properties
i f ( i_read )
Free Variables
o_data <= mem [ i_raddr ] ;
Abstraction
end
Invariants

Multiple-Clocks always @ ( posedge i_clk )

Cover i f ( ( f_past_valid )
Sequences &&($past ( i_write ))&&( $past ( i_read ) )
Quizzes &&($past ( i_waddr)==$past ( i_raddr ) ) )
a s s e r t ( o_data == $past ( i_data ) ) ;

315 / 462
Answer #15
Welcome Will the following assertion pass?
Motivation
always @ ( posedge i_clk )
Basics
begin
Clocked and $past
i f ( i_write )
k Induction
mem [ i_waddr ] <= i_data ;
Bus Properties
i f ( i_read )
Free Variables
o_data <= mem [ i_raddr ] ;
Abstraction
end
Invariants

Multiple-Clocks always @ ( posedge i_clk )

Cover i f ( ( f_past_valid )
Sequences &&($past ( i_write ))&&( $past ( i_read ) )
Quizzes &&($past ( i_waddr)==$past ( i_raddr ) ) )
a s s e r t ( o_data == $past ( i_data ) ) ;

No.
How would you describe a write–through block RAM?

316 / 462
Quiz #16
Welcome The formal property below was written for the case of a
Motivation synchronous reset. How would you adjust it so that it accurately
Basics reflects the behavior of the flip-flop under an asynchronous reset?
Clocked and $past

k Induction
always @ ( posedge i_clk , negedge i_areset_n )
Bus Properties
i f ( ! i_areset_n )
Free Variables
a <= 0 ;
else
Abstraction
a <= something ;
Invariants

Multiple-Clocks
always @ ( posedge i_clk )
Cover
i f ( ( f_past_valid)&&( $past ( i_areset_n ) )
Sequences
a s s e r t ( a == $past ( something ) ) ;
Quizzes

317 / 462
Answer #16
Welcome The following assertion can be used to describe the response of
Motivation logic to a negative logic asynchronous reset.
Basics
always @ ( posedge i_clk , negedge i_areset_n )
Clocked and $past
i f ( ! i_areset_n )
k Induction
a <= 0 ;
Bus Properties
else
Free Variables
a <= something ;
Abstraction

Invariants
always @ ( posedge i_clk )
Multiple-Clocks
i f ( ! i_areset_n )
Cover
a s s e r t ( a == 0 ) ;
Sequences
e l s e i f ( ( f_past_valid)&&( $past ( i_areset_n ) )
Quizzes
a s s e r t ( a == $past ( something ) ) ;

Don’t forget to assume an initial reset!

i n i t i a l assume ( ! i_areset_n ) ;

318 / 462
Quiz #17
Welcome Your design passes a bounded model check (BMC), but fails
Motivation during induction. Upon inspection, you find a failure in section A
Basics (below) of your trace.
Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants
How should you address this problem?
Multiple-Clocks

Cover

Sequences

Quizzes

319 / 462
Answer #17
Welcome Your design passes a bounded model check (BMC), but fails
Motivation during induction. Upon inspection, you find a failure in section A
Basics (below) of your trace.
Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants
How should you address this problem?
Multiple-Clocks
This is not a problem with your logic. Rather, the formal
Cover

Sequences
properties that are constraining your logic are insufficient
Quizzes ˝ You need more properties to keep the design from failing
˝ If an input is out of bounds, assume it will be within bounds
˝ If your design starts in an invalid state, assert such invalid
states will never happen
˝ initial statements will not help during induction

320 / 462
Quiz #18
Welcome Your design fails in section C (below) of your trace.
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables Upon inspection, you discover an

Abstraction
always @(posedge i_clk) assume(X); property is not getting
Invariants
applied.
Multiple-Clocks
How would you fix this situation?
Cover

Sequences

Quizzes

321 / 462
Answer #18
Welcome An always @(posedge i_clk) assume(X); property is not getting
Motivation applied, causing your design to fail in section C of your trace
Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction The problem is that always @(posedge i_clk) properties are not
Invariants
applied until the the next clock edge (i.e. section B of the trace)
Multiple-Clocks

Cover ˝ This can cause an always @(∗) assert(Y); to fail in section C

Sequences
How would you fix this situation?
Quizzes
˝ You can make the always @(∗) property a clocked property
˝ You can evaluate the always @(posedge i_clk) assumption as
an always @(∗) assumption instead
– You might need to create your own $past value to do this

322 / 462
Quiz #19
Welcome Will the following design pass formal verification?
Motivation
reg [ 1 5 : 0 ] counter = 0 ;
Basics
always @ ( posedge i_clk )
Clocked and $past
i f ( i_reset )
k Induction
counter <= 0 ;
Bus Properties
else
Free Variables
counter <= counter + 1 ;
Abstraction

Invariants
always @ ( ∗ )
Multiple-Clocks i f ( counter > 2 )
Cover assume ( i_reset ) ;
Sequences

Quizzes a s s e r t p r o p e r t y ( @ ( posedge i_clk )

d i s a b l e iff ( i_reset )
( counter < 2 ) ) ;

323 / 462
Answer #19
Welcome Much to my own surprise, this design will pass a formal check.
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover
This is roughly equivalent to:
Sequences

Quizzes reg check = 1 ;

always @ ( posedge i_clk )
check <= ( counter < 2 ) | | ( i_reset ) ;
always @ ( ∗ )
i f ( ! i_reset ) a s s e r t ( check ) ;

324 / 462
Quiz #20
Welcome Consider the following trace from an asynchronous context:
Motivation

Basics i clk
Clocked and $past f past valid
k Induction
o value
Bus Properties

Free Variables

Abstraction
Will this formal stability assertion pass or fail?
Invariants always @ ( posedge i_clk )
Multiple-Clocks i f ( f_past_valid )
Cover a s s e r t ( $ s t a b l e ( o_value ) ) ;
Sequences

Quizzes

325 / 462
Answer #20
Welcome Yes, this stability assertion will hold.
Motivation

Basics
i clk
Clocked and $past f past valid
k Induction o value
Bus Properties

Free Variables ˝ Note that everytime $rose(i_clk) is true, $past(o_value) is

Abstraction
also true.
Invariants
˝ Since the check is only accomplished on the positive edge of
Multiple-Clocks
i_clk, o_value is only checked at this time.
Cover
˝ Since $past(o_value) is always true just prior to
Sequences

Quizzes
@(posedge i_clk), the assertion passes

always @ ( posedge i_clk )

i f ( f_past_valid )
a s s e r t ( $ s t a b l e ( o_value ) ) ;

326 / 462
Quiz #21
Welcome Your design contains the following generate block:
Motivation
parameter [ 0 : 0 ] A = 1 ;
Basics
parameter [ 0 : 0 ] B = 1 ;
Clocked and $past
// . . .
k Induction
generate i f ( A )
Bus Properties
begin : A_BLOCK
Free Variables
// Some l o g i c
Abstraction
end e l s e i f ( B )
Invariants
begin : B_BLOCK
Multiple-Clocks // Some o t h e r l o g i c
Cover end e l s e begin : ELSE_BLOCK
Sequences // Some f i n a l s e t o f l o g i c
Quizzes end endgenerate

How should this impact the design of your SymbiYosys

configuration file?

327 / 462
Answer #21
Welcome How should conditional generate blocks be handled?
Motivation
˝ By creating a separate task for each parameter set
Basics
˝ Each set of parameters can then be verified independently
Clocked and $past

k Induction
[ tasks ]
Bus Properties
A
Free Variables
B
Abstraction
Other
Invariants
[ script ]
Multiple-Clocks
read ´formal toplvl . v
Cover
´´pycode´begin´´
Sequences
cmd=” h i e r a r c h y ´t o p t o p l v l ”
Quizzes
cmd+=” ćhparam A %d” % ( 1 if ”A” in tags else 0 )
cmd+=” ćhparam B %d” % ( 1 if ”B” in tags else 0 )
output ( cmd )
´´pycodeénd´´
prep ´top toplvl

328 / 462
Quiz #22
Welcome When working with cover(), how do you handle a failure?
Motivation
˝ On a cover() success a trace is generated.
Basics
No trace is generated on a cover() failure.
Clocked and $past
˝ At first glance, you have nothing to go with
k Induction

Bus Properties How do you debug your design in this situation?

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

329 / 462
Answer #22
Welcome When working with cover(), how do you handle a failure?
Motivation
˝ Suppose your design needs to accomplish a sequence of steps,
Basics
and then cover the last one.
Clocked and $past

k Induction always @ ( ∗ )
Bus Properties cover ( step_24 ) ;
Free Variables

Abstraction ˝ How shall you debug this failure?

Invariants
Solution: cover the intermediate steps
Multiple-Clocks

Cover always @ ( ∗ )
Sequences begin
Quizzes cover ( step_01 ) ;
// . . .
cover ( step_23 ) ;
end

This will lead you to the failing clock cycle

330 / 462
Quiz #23
Welcome Consider the following design:
Motivation
i n p u t w i r e [ 3 1 : 0 ] i_v ;
Basics
output w i r e o_v ;
Clocked and $past

k Induction
assign o_v = ( i_v == 3 2 ’ hdeadbeef ) ;
Bus Properties

Free Variables
always @ ( ∗ )
Abstraction
a s s e r t ( i_v != 3 2 ’ hdeadbeef ) ;
Invariants

Multiple-Clocks always @ ( ∗ )
Cover assume ( ! o_v ) ;
Sequences

Quizzes Given that the solver can pick any value for i_v, will the
assertion ever fail?

331 / 462
Answer #23
Welcome Consider the following design:
Motivation
a s s i g n o_v = ( i_v == 3 2 ’ hdeadbeef ) ;
Basics
always @ ( ∗ )
Clocked and $past
a s s e r t ( i_v != 3 2 ’ hdeadbeef ) ;
k Induction
always @ ( ∗ )
Bus Properties
assume ( ! o_v ) ;
Free Variables

Abstraction

Invariants ˝ The assumption is forced to be true before evaluating any

Multiple-Clocks assertions
Cover ˝ !o_v will only ever be true if i_v != 32’hdeadbeef
Sequences ˝ Therefore, the solver will never even consider the case where
Quizzes
i_v == 32’hdeadbeef
˝ The assertion can never fail

332 / 462
Quiz #24
Welcome Consider the following trace from an AXI read interaction:
Motivation

Basics S AXI ACLK

Clocked and $past S AXI ARESETN
k Induction
S AXI ARVALID
Bus Properties

Free Variables S AXI ARID

Abstraction S AXI RVALID
Invariants

Multiple-Clocks
S AXI RID
Cover

Sequences
˝ Assume all of the relevant xREADY lines are high
Quizzes
Can you spot the bug?

333 / 462
Answer #24
Welcome Can you spot the bug?
Motivation

Basics S AXI ACLK

Clocked and $past S AXI ARESETN
k Induction
S AXI ARVALID
Bus Properties

Free Variables S AXI ARID

Abstraction S AXI RVALID
Invariants

Multiple-Clocks
S AXI RID
Cover

Sequences
The request response has the wrong ID
Quizzes ˝ Request was made for ID=1, response has ID=0
˝ The cause? Xilinx’s example core doesn’t register the ID

The trace above was found by applying the Symbiotic EDA Suite
to Xilinx’s example AXI4 core

334 / 462
Quiz #25
Welcome Consider the following trace from an AXI write interaction,
Motivation ending in a steady state
Basics

Clocked and $past S AXI ACLK

k Induction
S AXI ARESETN
Bus Properties

Free Variables
S AXI AWVALID
Abstraction S AXI AWREADY
Invariants
S AXI WVALID
Multiple-Clocks

Cover
S AXI WREADY
Sequences S AXI WLAST
Quizzes
S AXI BVALID
S AXI BREADY

What sort of formal property would catch this bug?

335 / 462
Answer #25
Welcome A transaction timeout can find this bug
Motivation
always @ ( posedge i_clk )
Basics
i f ( ( ! i_axi_reset_n ) | | ( ! i_axi_awvalid )
Clocked and $past
| | ( i_axi_awready )
k Induction
| | ( f_axi_wr_pending > 0 ) )
Bus Properties
f_axi_awstall <= 0 ;
Free Variables
e l s e i f ( ( ! i_axi_bvalid ) | | ( i_axi_bready ) )
Abstraction
f_axi_awstall <= f_axi_awstall + 1 ’ b1 ;
Invariants

Multiple-Clocks always @ ( ∗ )
Cover a s s e r t ( f_axi_awstall < F_AXI_MAXWAIT ) ;
Sequences

Quizzes where f_axi_wr_pending is a reference to the number of

remaining write data transactions in this burst
The bug in this question was found by applying the Symbiotic
EDA Suite to Xilinx’s example AXI4 core

336 / 462
Answer #25b
Welcome Oops, the last timeout logic captured when the incoming write
Motivation address channel was stalled, not the delay on the write response
Basics channel.
Clocked and $past

k Induction
˝ Here’s the timeout logic that actually found this bug.
Bus Properties
always @ ( posedge i_clk )
Free Variables
i f ( ( ! i_reset_n ) | | ( i_bvalid ) | | ( i_wvalid )
Abstraction
| | ( ( f_awr_nbursts == 1 )
Invariants
&&(f_wr_pending >0))
Multiple-Clocks
| | ( f_awr_nbursts == 0 ) )
Cover
f_awr_ack_delay <= 0 ;
Sequences
else
Quizzes
f_awr_ack_delay <= f_awr_ack_delay + 1 ’ b1 ;

always @ ( posedge i_clk )

a s s e r t ( f_awr_ack_delay < F_AXI_MAXDELAY ) ;

337 / 462
Quiz #26
Welcome Consider the following trace drawn from an AXI interconnect I
Motivation had the opportunity to verify. It had never seen a formal check
Basics before.
Clocked and $past

k Induction S AXI ACLK

Bus Properties S AXI ARESETN
Free Variables

Abstraction
S AXI AWVALID
3
Invariants S AXI AWLEN
Multiple-Clocks
S AXI WVALID
Cover

Sequences
S AXI WLAST
Quizzes S AXI BVALID

Assume all ∗READY signals are true

Can anyone see the bug? What formal property would catch this
bug?

338 / 462
Answer #26
Welcome Correctly identifying the bug is important, otherwise you’ll “fix”
Motivation the wrong “bug”
Basics

Clocked and $past S AXI ACLK

k Induction
S AXI ARESETN
Bus Properties

Free Variables
S AXI AWVALID
3
Abstraction S AXI AWLEN
Invariants
S AXI WVALID
Multiple-Clocks

Cover
S AXI WLAST
Sequences S AXI BVALID
Quizzes

In this case, there is no missing S_AXI_WLAST signal. According

to spec, the burst is S_AXI_AWLEN+1 beats long, so there’s still a
missing write beat. The bus master just hasn’t sent the final
beat yet.

339 / 462
Answer #26b
Welcome The bug? You can’t return a BVALID response until the first
Motivation write burst has completed.
Basics To verify this, you need to count items remaining in the burst, I
Clocked and $past use f_wr_pending, as well as the number of bursts outstanding,
k Induction
something I call f_awr_nbursts. You can then check,
Bus Properties

Free Variables always @ ( ∗ )

Abstraction i f ( f_awr_nbursts == 0 )
Invariants // I f t h e r e a r e no b u r s t s o u t s t a n d i n g
Multiple-Clocks // t h e n no BVALID can be r e t u r n e d
Cover
a s s e r t ( ! S_AXI_BVALID ) ;
Sequences
e l s e i f ( f_awr_nbursts == 1 )
Quizzes
// I f t h e w r i t e c h a n n e l i s s t i l l s e n d i n g
// data , t h e n t h e BVALID c a n n o t ( y e t ) be
// r e t u r n e d .
a s s e r t ( ( f_wr_pending == 0 )
| | ! S_AXI_BVALID ) ;

340 / 462
Quiz #27
Welcome Can you explain why the following cover statement fails?
Motivation
reg read_counter ;
Basics
i n i t i a l read_counter = 0 ;
Clocked and $past
always @ ( posedge i_clk )
k Induction
i f ( i_reset )
Bus Properties
read_counter <= 0 ;
Free Variables
e l s e i f ( some_event )
Abstraction
read_counter <= read_counter + 1 ;
Invariants

Multiple-Clocks always @ ( ∗ )
Cover cover ( read_counter > 4 ) ;
Sequences

Quizzes

341 / 462
Answer #27
Welcome Can you explain why the following cover statement fails?
Motivation
reg read_counter ;
Basics
i n i t i a l read_counter = 0 ;
Clocked and $past
always @ ( posedge i_clk )
k Induction
i f ( i_reset )
Bus Properties
read_counter <= 0 ;
Free Variables
e l s e i f ( some_event )
Abstraction
read_counter <= read_counter + 1 ;
Invariants

Multiple-Clocks always @ ( ∗ )
Cover cover ( read_counter > 4 ) ;
Sequences

Quizzes Did you notice the number of bits in the read_counter? At only
one bit, read_counter can never be more than one.

342 / 462
Quiz #28
Welcome Let NM be the number of masters, and NS the number of slaves.
Motivation You want to cover a full set of write grants.
Basics
reg cvr_property ;
Clocked and $past
always @ ( ∗ )
k Induction
begin
Bus Properties
cvr_property = 1 ;
Free Variables
f o r ( iN =0; iN < ( NM > NS ) ? NS : NM ; iN=iN+1)
Abstraction
i f ( ! write_grant [ iN ] )
Invariants
cvr_property = 0 ;
Multiple-Clocks
end
Cover

Sequences
always @ ( ∗ )
Quizzes
cover ( cvr_property ) ;

Much to my surprise, yosys ran out of memory while elaborating

this design.
Can anyone see why?

343 / 462
Answer #28
Welcome This is an order of operations issue. The example design is
Motivation equivalent to
Basics
always @ ( ∗ )
Clocked and $past
begin
k Induction
cvr_property = 1 ;
Bus Properties
f o r ( iN =0; ( iN < ( NM > NS ) ) ? NS : NM ;
Free Variables
iN=iN+1)
Abstraction
i f ( ! write_grant [ iN ] )
Invariants
cvr_property = 0 ;
Multiple-Clocks
end
Cover

Sequences The end condition will therefore elaborate to either NM or NS,

Quizzes
both of which are non-zero and therefore “true”.
As for the out-of-memory error, remember this is hardware.
Yosys is elaborating new hardware circuits every time through
the loop, and the loop doesn’t have an end.

344 / 462
Quiz #29
Welcome There are three steps required to verify an AXI-lite interface:
Motivation
1. First, attach the formal interface property file
Basics

Clocked and $past ‘ i f d e f FORMAL

k Induction faxil_slave #(
Bus Properties . C_AXI_ADDR_WIDTH ( C_S_AXI_ADDR_WIDTH ) )
Free Variables properties (
Abstraction . i_clk ( S_AXI_ACLK ) ,
Invariants . i_axi_reset_n ( S_AXI_ARESETN ) ,
Multiple-Clocks // . . .
Cover

Sequences
2. If using SymbiYosys, you’ll also need to create an SBY file
Quizzes What’s the missing step that’s required to formally verify an
AXI-lite slave interface matches bus requirements for all time?

345 / 462
Answer #29
Welcome 3. Reference the state information from the property file,
Motivation
‘ i f d e f FORMAL
Basics
faxil_slave #(/∗ . . . ∗/ )
Clocked and $past
properties ( // . . .
k Induction
. f_axi_rd_outstanding ( rd_inproc ) ,
Bus Properties
// . . .
Free Variables

Abstraction and use it to assert() that the state maches your logic
Invariants

Multiple-Clocks
always @ ( ∗ )
Cover
a s s e r t ( rd_inproc == ( axi_rvalid ? 1 : 0 )
Sequences
+(axi_arready ? 0 : 1 ) ) ;
Quizzes
// . . .

The example above is from one of my own designs, as this step

can be very design dependent.

346 / 462
Quiz #30
Welcome The following illustrates a common FIFO mistake
Motivation
always @ ( posedge i_clk )
Basics
i f ( i_reset )
Clocked and $past
{ rd_addr , wr_addr } <= 0 ;
k Induction
e l s e i f ( i_rd )
Bus Properties
rd_addr <= rd_addr + 1 ;
Free Variables
e l s e i f ( i_wr )
Abstraction
wr_addr <= wr_addr + 1 ;
Invariants

Multiple-Clocks Can you identify the bug, and suggest a way of fixing it?
Cover

Sequences

Quizzes

347 / 462
Answer #30
Welcome The first bug is not setting the pointers initially
Motivation
i n i t i a l { rd_addr , wr_addr } = 0 ;
Basics

Clocked and $past

The next bug is not checking for underflow or overflow
k Induction

Bus Properties always @ ( posedge i_clk )

Free Variables i f ( i_reset )
Abstraction { rd_addr , wr_addr } <= 0 ;
Invariants e l s e i f ( i_rd && ! o_empty )
Multiple-Clocks
rd_addr <= rd_addr + 1 ;
Cover
e l s e i f ( i_wr && ! o_full )
Sequences
wr_addr <= wr_addr + 1 ;
Quizzes
That leaves at least one more bug

348 / 462
Answer #30b
Welcome The real problem is that the whole structure is wrong.
Motivation
˝ This really needs ot be handled in either two logic blocks, or
Basics
˝ Using a case statement, as shown below
Clocked and $past

k Induction
i n i t i a l { rd_addr , wr_addr } = 0 ;
Bus Properties
always @ ( posedge i_clk )
Free Variables
i f ( i_reset )
Abstraction
{ rd_addr , wr_addr } <= 0 ;
Invariants
e l s e case ( { i_rd & ! o_empty , i_wr && ! o_full } )
Multiple-Clocks
2 ’ b10 : rd_addr <= rd_addr + 1 ;
Cover
2 ’ b01 : wr_addr <= wr_addr + 1 ;
Sequences
2 ’ b11 : begin
Quizzes
rd_addr <= rd_addr + 1 ;
wr_addr <= wr_addr + 1 ;
end
endcase

349 / 462
Quiz #31
Welcome The following proof passes.
Motivation
reg f_past_valid = 0 ;
Basics
always @ ( posedge i_clk )
Clocked and $past
f_past_valid <= 1 ;
k Induction

Bus Properties
always @ ( ∗ )
Free Variables
i f ( f_past_valid )
Abstraction
assume ( i_reset ) ;
Invariants

Multiple-Clocks always @ ( posedge i_clk )

Cover counter <= really_complex_logic ;
Sequences

Quizzes always @ ( ∗ )
i f ( f_past_valid && ! i_reset )
a s s e r t ( counter == counter + 1 ) ;

Can you spot the bug?

350 / 462
Answer #31
Welcome Did you notice the assumption that i_reset is held high?
Motivation
always @ ( ∗ )
Basics
i f ( f_past_valid )
Clocked and $past
assume ( i_reset ) ;
k Induction

Bus Properties
The assertion never got checked!
Free Variables

Abstraction always @ ( ∗ )
Invariants i f ( f_past_valid && ! i_reset )
Multiple-Clocks
a s s e r t ( counter == counter + 1 ) ;
Cover

Sequences
A basic cover test would find this problem
Quizzes always @ ( ∗ )
cover ( f_past_valid && ! i_reset ) ;
// o r e v e n
always @ ( posedge i_clk )
cover ( counter == $past ( counter + 1 ) ) ;

351 / 462
Quiz #32
Welcome How would you verify the o_empty and o_full properties of a
Motivation FIFO, given the read and write addresses?
Basics
˝ The o_empty flag
Clocked and $past

k Induction a s s i g n fill = wr_addr ´ rd_addr ;

Bus Properties always @ ( ∗ )
Free Variables begin
Abstraction a s s e r t ( o_empty == ( fill == 0 ) ) ;
Invariants

Multiple-Clocks ˝ The o_full flag, given a FIFO with FIFO_SIZE elements

Cover
a s s e r t ( o_full == ( fill >= FIFO_SIZE ) ) ;
Sequences
// . . .
Quizzes
end

What property is missing?

352 / 462
Answer #32
Welcome The missing property?
Motivation
˝ We checked the o_empty flag
Basics
˝ We checked the o_full flag
Clocked and $past
˝ Don’t forget to check that the fill never exceeds the capacity
k Induction

Bus Properties
of the FIFO
Free Variables
a s s e r t ( fill <= FIFO_SIZE ) ;
Abstraction

Invariants
Checking the data content of the FIFO still requires the twin
Multiple-Clocks

Cover
write followed by twin read test. You can read more about that
Sequences
in my on-line tutorial.
Quizzes

353 / 462
Quiz #33
Welcome Formally verifying a cache requires three properties
Motivation
First, let the solver to pick an arbitrary address and value
Basics

Clocked and $past ( ∗ anyconst ∗ ) reg [ AW ´ 1 : 0 ] f_const_addr ;

k Induction ( ∗ anyconst ∗ ) reg [ DW ´ 1 : 0 ] f_const_data ;
Bus Properties

Free Variables 1. Then when the bus returns a value for the given address,
Abstraction assume the known value.
Invariants
i f ( i_wb_ack && ackd_address == f_const_addr )
Multiple-Clocks
assume ( i_wb_data == f_const_data ) ;
Cover

Sequences
2. Whenever the cache returns the value for the special
Quizzes
address, assert that the known value is returned
i f ( o_valid && o_address == f_const_addr )
a s s e r t ( o_value == f_const_data ) ;

3. What’s missing?
354 / 462
Answer #33
Welcome Formally verifying a cache requires three properties
Motivation
First, allow the solver to pick an arbitrary address, and an
Basics
arbitrary data word at that address.
Clocked and $past

k Induction
1. assume a known bus response from the given address
Bus Properties
2. assert that same response from the cache when that same
Free Variables address is requested
Abstraction
The missing property?
Invariants

Multiple-Clocks 3. Assert that, if the known address is validly within the cache,
Cover that the value associated with that address matches the
Sequences solver chosen value
Quizzes
always @ ( ∗ )
i f ( cache_valid [ f_const_addr ] )
a s s e r t ( cache [ f_const_addr [ CW ´ 1 : 0 ] ]
== f_const_data ) ;

355 / 462
Quiz #34
Welcome The following design illustrates a common AXI coding mistake:
Motivation
always @ ( posedge S_AXI_ACLK )
Basics
i f ( ! S_AXI_ARESETN )
Clocked and $past
// Do s o m e t h i n g
k Induction
e l s e i f ( S_AXI_AWVALID && S_AXI_AWREADY
Bus Properties
&& something_else )
Free Variables
// W r i t e l o g i c
Abstraction
e l s e i f ( S_AXI_BREADY )
Invariants
// L a s t c o n d i t i o n
Multiple-Clocks // . . . .
Cover

Sequences Can you identify the bug, and suggest one or two fixes?
Quizzes

356 / 462
Answer #34
Welcome The following design illustrates a common AXI coding mistake:
Motivation
always @ ( posedge S_AXI_ACLK )
Basics
// . . .
Clocked and $past
i f ( S_AXI_AWVALID && S_AXI_AWREADY
k Induction
&& something_else )
Bus Properties
// . . .
Free Variables

Abstraction The mistake? Checking for something_else when processing

Invariants
information from the bus. To fix it,
Multiple-Clocks

Cover 1. Adjust the logic for S_AXI_AWREADY

Sequences 2. Prove that every time something_else is false, then
Quizzes S_AXI_AWREADY is will also be false
a s s e r t p r o p e r t y ( @ ( posedge S_AXI_ACLK )
! something_else |´> ! S_AXI_AWREADY ) ;

357 / 462
Quiz #35
Welcome Will the following logic pass formal verification?
Motivation
reg [15:0] counter , last ;
Basics

Clocked and $past

i n i t i a l counter = 1 ;
k Induction
i n i t i a l last = 0;
Bus Properties

Free Variables
always @ ( posedge i_clk )
Abstraction
begin
Invariants
counter <= counter + 1 ;
Multiple-Clocks last <= counter ;
Cover end
Sequences

Quizzes always @ ( ∗ )
a s s e r t ( last + 1 == counter ) ;

358 / 462
Answer #35
Welcome The problem is that last+1 is a 32-bit value, whereas counter is
Motivation a 16-bit unsigned value. This assertion will always fail when
Basics counter rolls over.
Clocked and $past

k Induction i clk
Bus Properties 16’hfffd 16’hfffe 16’hffff 16’h0000
counter
Free Variables
16’hfffc 16’hfffd 16’hfffe 16’hffff
Abstraction last
32’h0fffd 32’hfffe 32’h0ffff 32’h10000
Invariants last`1
Multiple-Clocks
failing timestep
Cover

Sequences

Quizzes If you map last+1 to a 16-bit value, the assetion will pass
wire [ 1 5 : 0 ] last_plus_one = last + 1 ;
always @ ( ∗ )
a s s e r t ( last_plus_one == counter ) ;

359 / 462
Quiz #36
Welcome The following design generates a warmup failure.
Motivation
input wire [31:0] i_a , i_b , i_c ;
Basics

Clocked and $past

always @ ( ∗ )
k Induction
begin
Bus Properties
assume ( i_a+ i_b == 3 2 ’ h4 ) ;
Free Variables
assume ( i_b +i_c == 3 2 ’ h8 ) ;
Abstraction
assume ( i_a+{ i_b , 1 ’ b0}+i_c == 3 2 ’ h7 ) ;
Invariants
end
Multiple-Clocks

Cover Which assumption is at fault?

Sequences

Quizzes

360 / 462
Answer #36
Welcome Which assumption is at fault?
Motivation
input wire [31:0] i_a , i_b , i_c ;
Basics

Clocked and $past

Cover Removing any one of these assumptions will resolve the warmup
Sequences failure.
Quizzes
˝ This illustrates one of the fundamental problems of warmup
failures: Since any one of several assumptions might cause
the design to fail, there’s no way for the solver to tell which
assumption was truly at fault.

361 / 462
Quiz #37
Welcome What are the three most common bus interface properties?
Motivation
1. Following a reset, the bus should return to an idle state and
Basics
any pending requests should be dropped
Clocked and $past

k Induction
2. If the bus is stalled, the request must not change
Bus Properties
3. ...
Free Variables
There’s one other basic, yet common, bus interface property
Abstraction
that’s missing. What is it?
Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

362 / 462
Answer #37
Welcome What are the three most common bus interface properties?
Motivation
1. Following a reset, the bus should return to an idle state and
Basics
any pending requests should be dropped
Clocked and $past

k Induction
2. If the bus is stalled, the request must not change
Bus Properties
3. There should be one and only one response for every bus
Free Variables request
Abstraction
I’ll ask about the “contract” property to insure that the bus
Invariants
actually works next week
Multiple-Clocks

Cover

Sequences

Quizzes

363 / 462
Quiz #38
Welcome None of the properties we examined last week truly expresses the
Motivation “contract” associated with bus transactions. How should that
Basics contract be expressed for a generic bus component?
Clocked and $past

k Induction
1. Let the solver pick an arbitrary address, and a value to be at
Bus Properties
that address
Free Variables 2. ...
Abstraction 3. Prove that reads from that address return the value from
Invariants within the slave found at that address
Multiple-Clocks
What’s the missing step?
Cover

Sequences

Quizzes

364 / 462
Answer #38
Welcome How should the formal contract be expressed for a bus slave?
Motivation
1. Let the solver pick an arbitrary address, and a value to be at
Basics
that address
Clocked and $past

k Induction
2. Adjust the value at that address following any write request
Bus Properties
3. Prove that reads from that address return the value from
Free Variables within the slave found at that address
Abstraction
You should find these basic property steps common across many
Invariants
bus components
Multiple-Clocks

Cover 1. Not-so-generic bus slaves may need to use a slightly different

Sequences approach, verifying instead that the result matches the value
Quizzes within the bus slave
2. Sequence is important, especially with AXI: the return value
might be waiting for a RREADY longer than that return
value accurately expresses the register’s value within the core

365 / 462
Quiz #39
Welcome Can you spot the AXI bug below?
Motivation

Basics
S AXI ACLK
Clocked and $past S AXI ARESETN
k Induction S AXI AWVALID
Bus Properties
S AXI AWREADY
Free Variables

Abstraction
S AXI AWADDR ’h....0

Invariants S AXI AWLEN 0

Multiple-Clocks
S AXI AWSIZE 3’h0
Cover

Sequences

Quizzes S AXI WVALID

S AXI WREADY
S AXI WDATA[31:0] ’h87654321

S AXI WSTRB[3:0] 4’h2

366 / 462
Answer #39
Welcome Take a closer look at AWADDR, AWSIZE, and WSTRB
Motivation

Basics S AXI ACLK

Clocked and $past S AXI AWVALID
k Induction ’h....0
S AXI AWADDR
Bus Properties
3’h0
Free Variables S AXI AWSIZE
Abstraction

Invariants
S AXI WVALID
Multiple-Clocks
4’h2
Cover S AXI WSTRB[3:0]
Sequences

Quizzes If AWADDR ends in 4’h0, for an 8-bit transfer (AWSIZE=0),

WSTRB can only be 4’h0 or 4’h1

367 / 462
Quiz #40
Welcome Consider the design below
Motivation
reg A, B, C, D, E, Z;
Basics
always @ ( posedge clk )
Clocked and $past
begin
k Induction
// A s s i g n t o A , B , C , D, E , and Z somehow
Bus Properties
end
Free Variables

Abstraction
a s s e r t p r o p e r t y ( @ ( posedge clk )
Invariants
Z |=> ( A && B && C && D && E ) ) ;
Multiple-Clocks

Cover Would you consider this to be a good or a bad assertion?

Sequences

Quizzes

368 / 462
Answer #40
Welcome While the assertion below is legal,
Motivation
a s s e r t p r o p e r t y ( @ ( posedge clk )
Basics
Z |=> ( A && B && C && D && E ) ) ;
Clocked and $past

k Induction
because the assertion tests for the and of many conditions, it can
Bus Properties
be difficult to tell from a trace which condition caused the
Free Variables
assertion failure. You might find that splitting it up makes it
Abstraction

Invariants
easier to work with.
Multiple-Clocks assert property ( @ ( posedge clk ) Z |=> A);
Cover assert property ( @ ( posedge clk ) Z |=> B);
Sequences assert property ( @ ( posedge clk ) Z |=> C);
Quizzes assert property ( @ ( posedge clk ) Z |=> D);
assert property ( @ ( posedge clk ) Z |=> E);

369 / 462
Quiz #41
Welcome Can you spot the AXI bug below?
Motivation

Basics S AXI ACLK

Clocked and $past S AXI ARESETN
k Induction
S AXI AWVALID
Bus Properties

Free Variables S AXI AWREADY

’h..1
Abstraction S AXI AWADDR
Invariants
0
Multiple-Clocks
S AXI AWLEN
3’h1
Cover S AXI AWSIZE
Sequences

Quizzes
S AXI WVALID
S AXI WREADY
’h87654321
S AXI WDATA[31:0]
4’hf
S AXI WSTRB[3:0]

370 / 462
Answer #41
Welcome Can you spot the AXI bug below?
Motivation

Basics S AXI AWVALID

’h..1
Clocked and $past S AXI AWADDR
k Induction
3’h1
S AXI AWSIZE
Bus Properties

Free Variables

Abstraction S AXI WVALID

Invariants
4’hf
Multiple-Clocks
S AXI WSTRB[3:0]
Cover

Sequences
1. If AWSIZE==1, then only two bits of WSTRB may ever be set
Quizzes on any given beat. These can either be 4’h3 or 4’hc for a
32-bit bus
2. If AWADDR[1:0]==2’b01, then only bit WSTRB[1] may be set
Note that AXI explicitly allows WVALID before AWVALID

371 / 462
Quiz #42
Welcome Consider the design below
Motivation
reg A, B, C, D, Z;
Basics
always @ ( posedge clk )
Clocked and $past
begin
k Induction
// A s s i g n t o A , B , C , D, and Z somehow
Bus Properties
end
Free Variables

Abstraction
a s s e r t p r o p e r t y ( @ ( posedge clk )
Invariants
Z |=> A
Multiple-Clocks ##1 B [ ∗ 0 : $ ]
Cover ##1 C
Sequences ##1 B [ ∗ 0 : $ ]
Quizzes ##1 D ) ;

Would you consider this to be a good or a bad assertion?

372 / 462
Answer #42
Welcome This assertion will never pass induction
Motivation
a s s e r t p r o p e r t y ( @ ( posedge clk )
Basics
Z |=> A ##1 B [ ∗ 0 : $ ] ##1 C
Clocked and $past
##1 B [ ∗ 0 : $ ] ##1 D ) ;
k Induction

Bus Properties
Why?
Free Variables

Abstraction ˝ Because the induction engine doesn’t start at t “ 0

Invariants
– There’s no way to tell if the design is in the first B state or
Multiple-Clocks
the second B state
Cover

Sequences ˝ Worse, if B & C might ever hold, then the induction engine
Quizzes doesn’t know how many times B was ever entered
– The design might start with B true, and then set B & C for
any number of clock ticks
– The same applies to D

373 / 462
Quiz #43
Welcome Is this a valid AXI read request?
Motivation

Basics S AXI ACLK

Clocked and $past S AXI ARVALID
k Induction
S AXI ARREADY
Bus Properties
20’h01000
Free Variables S AXI ARADDR
8’h4
Abstraction S AXI ARLEN
Invariants
WRAP
Multiple-Clocks
S AXI ARBURST
3’h1
Cover S AXI ARSIZE
Sequences

Quizzes You may assume the reset is inactive.

374 / 462
Answer #43
Welcome Is this a valid AXI read request?
Motivation

Basics S AXI ACLK

Clocked and $past S AXI ARVALID
k Induction
S AXI ARREADY
Bus Properties
20’h01000
Free Variables S AXI ARADDR
8’h4
Abstraction S AXI ARLEN
Invariants
WRAP
Multiple-Clocks
S AXI ARBURST
Cover

Sequences
No.
Quizzes ˝ When using wrapped addressing, the burst length must be
either 2, 4, 8 or 16.
AxLEN must be one less than that length
˝ In this case, ARLEN = 4, indicating a burst length of 5.

375 / 462
Answer #43 – Bonus
Welcome How would you detect this problem?
Motivation

Basics S AXI ARVALID

8’h4
Clocked and $past S AXI ARLEN
k Induction
WRAP
S AXI ARBURST
Bus Properties

Free Variables

Abstraction
The following property would capture this check
Invariants always @ ( ∗ )
Multiple-Clocks i f ( ( S_AXI_ARVALID)&&(S_AXI_ARBURST == WRAP ) )
Cover a s s e r t ( ( S_AXI_ARLEN == 8 ’ h1 )
Sequences | | ( S_AXI_ARLEN == 8 ’ h3 )
Quizzes | | ( S_AXI_ARLEN == 8 ’ h7 )
| | ( S_AXI_ARLEN == 8 ’ h15 ) ) ;

Be aware: Passing induction would take a bit more work

376 / 462
Quiz #44
Welcome Consider the following FIFO design that passed its testbench
Motivation
always @ ( posedge i_clk )
Basics
begin
Clocked and $past
i f ( i_rd && ! o_empty )
k Induction
rd_addr <= rd_addr + 1 ;
Bus Properties
i f ( i_wr && ! o_full )
Free Variables
wr_addr <= wr_addr + 1 ;
Abstraction
end
Invariants

Multiple-Clocks always @ ( posedge i_clk )

Cover i f ( i_rd && ! i_wr )
Sequences fifo_fill <= fifo_fill ´ 1 ;
Quizzes e l s e i f ( i_wr && ! i_rd )
fifo_fill <= fifo_fill + 1 ;

Ignoring the missing reset and initial states, and assuming

o_empty and o_full are suitably defined, do you see any bugs?

377 / 462
Answer #44
Welcome Bugs in the FIFO? What about the following sequence?
Motivation

Basics i clk
Clocked and $past i wr
k Induction
o full
Bus Properties

Free Variables i rd
Abstraction o empty
Invariants
0 -1
Multiple-Clocks
fifo fill
Cover

Sequences
Did you see any others? (There were more ...)
Quizzes

378 / 462
Answer #44 - Formal
Welcome What formal properties might have found these bugs?
Motivation
reg [ LGFIFO : 0 ] f_fifo_fill ;
Basics

Clocked and $past

always @ ( ∗ )
k Induction
f_fifo_fill = wr_addr ´ rd_addr ;
Bus Properties
always @ ( ∗ )
Free Variables
a s s e r t ( f_fifo_fill == fifo_fill ) ;
Abstraction

Invariants This one assertion would’ve caught these bugs. You could easily
Multiple-Clocks
pivot from here and catch any o_empty or o_full errors as well,
Cover

Sequences always @ ( ∗ )
Quizzes a s s e r t ( o_empty== ( f_fifo_fill == 0 ) ) ;
always @ ( ∗ )
a s s e r t ( o_full ==
( f_fifo_fill== (1<<LGFIFO ) ) ) ;

But this goes beyond what was in the quiz question.

379 / 462
Quiz #45
Welcome What addresses and in what order is this request asking for?
Motivation

Basics S AXI ACLK

Clocked and $past S AXI ARVALID
k Induction
’h1006
S AXI ARADDR
Bus Properties
8’h7
Free Variables S AXI ARLEN
WRAP
Abstraction S AXI ARBURST
Invariants
3’h1
Multiple-Clocks
S AXI ARSIZE
Cover

Sequences
Assume a 32’bit bus width
Quizzes

380 / 462
Answer #45
Welcome What address and in what order is this request asking for?
Motivation

Basics S AXI ACLK

Clocked and $past S AXI ARVALID
k Induction
’h1006
S AXI ARADDR
Bus Properties
8’h7
Free Variables S AXI ARLEN
WRAP
Abstraction S AXI ARBURST
Invariants
3’h1
Multiple-Clocks
S AXI ARSIZE
Cover

Sequences
The addresses read and returned will be 1006h, 1008h, 100Ah,
Quizzes 100Ch, 100Eh, 1000h, 1002h, 1004h in that order

381 / 462
Quiz #46
Welcome You’ve just built a new peripheral. You’d like to formally verify it.
Motivation What properties would you start with?
Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

382 / 462
Answer #46
Welcome This is a very open ended question, so there are many answers to
Motivation this question.
Basics Here are some of my own:
Clocked and $past

k Induction
1. Start with any bus interface formal property files
Bus Properties
This will immediately include a set of assumptions and
Free Variables assertions, which will then validate your bus interface
Abstraction 2. Consider assuming an initial reset
Invariants 3. cover() the end of every type of bus request you expect to
Multiple-Clocks respond to
Cover
Don’t forget to cover() the design returning back to idle!
Sequences
4. Create sequences (SVA or poor man’s) describing the actions
Quizzes
associated with each operation you expect to perform, and
ending with the bus response
Don’t forget the return to idle!

383 / 462
Quiz #47
Welcome There are three basic methods to include formal properties into a
Motivation design
Basics
1. Placing the formal properties within the design itself
Clocked and $past

k Induction module modulename ( /∗ . . . ∗/ ) ;

Bus Properties // D e s i g n l o g i c
Free Variables ‘ i f d e f FORMAL
Abstraction // P r o p e r t i e s
Invariants ‘ e n d i f // FORMAL
Multiple-Clocks endmodule
Cover

Sequences This works nicely with the open version of SymbiYosys.

Quizzes 2. Binding the properties from one file into the logic of another
bind designmodule propertymodule i n s t a n c e ( . ∗ ) ;

Can anyone think of a third method?

384 / 462
Answer #47
Welcome

Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction A third method of adding properties into a design is to wrap the

Invariants design with the properties like you would with a test bench.
Multiple-Clocks
˝ Without access to internal state values, passing induction can
Cover
be a challenge
Sequences

Quizzes
Remember, induction is a form of white-box verification
˝ State registers within the design may still be referenced using
dot notation
Dot notation support is currently only available when using
commercial formal tools, such as the SymbioticEDA Suite

385 / 462
Quiz #48
Welcome You are trying to verify a CPU.
Motivation
˝ How would you go about verifying that your instruction fetch
Basics
works?
Clocked and $past
˝ What formal properties would be appropriate to describe the
k Induction

Bus Properties
“contract” between the instruction fetch and the CPU?
Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

386 / 462
Answer #48
Welcome 1. Include a formal bus property file, to verify the bus
Motivation interaction
Basics 2. Pick an address in memory, pick a piece of data at that
Clocked and $past address, decide if the address will return a bus error or not
k Induction

Bus Properties
( ∗ anyconst ∗ ) reg [ AW ´ 1 : 0 ] f_fetch_addr ;
Free Variables
( ∗ anyconst ∗ ) reg [ DW ´ 1 : 0 ] f_fetch_data ;
Abstraction
( ∗ anyconst ∗ ) reg f_fetch_err ;
Invariants

Multiple-Clocks
3. assume() on the bus interface . . .
Cover ˝ That any request for f_fetch_addr returns f_fetch_data
Sequences ˝ That it also returns a bus error if and only if f_fetch_err
Quizzes
4. assert() within your CPU, that any time the instruction
address matches f_fetch_addr
˝ That the instruction matches f_fetch_data
˝ That an error condition exists if f_fetch_err is ever true

387 / 462
Quiz #49
Welcome The following design is used to read from either a control
Motivation register, or sequential elements from a block RAM.
Basics
always @ ( posedge i_clk ) begin
Clocked and $past
i f ( i_wb_stb && i_wb_we
k Induction
i_wb_addr == CONTROL )
Bus Properties
addr <= 0 ;
Free Variables
e l s e i f ( i_wb_stb && ! i_wb_we
Abstraction
&& i_wb_addr == DATA )
Invariants
addr <= addr + 1 ;
Multiple-Clocks
memv <= mem [ addr ] ;
Cover
case ( i_wb_addr )
Sequences
CONTROL : o_wb_data <= control_reg ;
Quizzes
DATA : o_wb_data <= memv ;
endcase
o_wb_ack <= i_wb_stb ; // . . .

See the bug?

388 / 462
Answer #49
Welcome Did you notice the time it takes to read a value?
Motivation
˝ Reads take two clocks: one to read the value from memory,
Basics
and a second to select the value read.
Clocked and $past
˝ By setting o_wb_ack immediately after o_wb_stb, the memory
k Induction

Bus Properties
value doesn’t make it into o_wb_data in time.
Free Variables ˝ Delaying o_wb_ack by one clock would fix this.
Abstraction
This bug was living in one of my cores for years.
Invariants

Multiple-Clocks ˝ Reading all ones or all zeros values never caught it

Cover ˝ Neither did slower serial port commanded reads.
Sequences ˝ I only caught this bug recently when reading from a DMA
Quizzes returned elements 0, 0, 1, 2, 3, etc.
What formal properties would you recommend adding to this
design in order to catch these bugs?

389 / 462
Answer #49b
Welcome Chances are the process of formal verification would catch this
Motivation
˝ Just putting the property together is likely to force you to
Basics
think through what you want your logic to do
Clocked and $past
˝ . . . and catch the bug
k Induction

Bus Properties Once thought out, the following property would double-check the
Free Variables
two clock read.
Abstraction

Invariants a s s e r t p r o p e r t y ( @ ( posedge i_clk )

Multiple-Clocks
d i s a b l e iff ( i_reset | | ! i_wb_cyc )
Cover
( i_wb_stb && ! o_wb_stall
Sequences
&& ! i_wb_we && i_wb_addr == DATA )
Quizzes
|=> ( addr == $past ( addr + 1 ) )
##1 o_wb_ack
&& ( o_wb_data == $past ( mem [ addr ] , 2 ) ) ) ;

Watch out for overflow in that addition!

390 / 462
Quiz #50
Welcome The following construct works well to make certain that initial
Motivation values and reset values match
Basics
reg f_past_valid = 0 ;
Clocked and $past
always @ ( posedge i_clk )
k Induction
f_past_valid <= 1 ;
Bus Properties

Free Variables
always @ ( posedge i_clk )
Abstraction
i f ( ! f_past_valid | | $past ( i_reset ) )
Invariants
begin
Multiple-Clocks
// Check f o r r e s e t p r o p e r t i e s
Cover
// For e x a m p l e . . .
Sequences
a s s e r t ( counter == 0 ) ;
Quizzes
end

How would you go about verifying the reset works on a design

with no initial values or for hardware that doesn’t support them?

391 / 462
Answer #50
Welcome The key to not having any initial value support lies in assuming
Motivation an initial reset
Basics
i n i t i a l assume ( i_reset ) ;
Clocked and $past

k Induction
always @ ( posedge i_clk )
Bus Properties
i f ( ! i_reset && $past ( i_reset ) )
Free Variables
begin
Abstraction
// Check r e s e t p r o p e r t i e s
Invariants
// For e x a m p l e . . .
Multiple-Clocks
a s s e r t ( counter == 0 ) ;
Cover
end
Sequences

Quizzes Bonus: How would you verify a design with an asynchronous

reset?

392 / 462
Quiz #51
Welcome Your design contains a FIFO. You want to assert a property of
Motivation its output. How do you go about it?
Basics
sfifo fifo ( i_clk , i_reset , i_wr , i_wval ,
Clocked and $past
i_rd , i_rval ) ;
k Induction

Bus Properties
always @ ( ∗ )
Free Variables
a s s e r t ( something_about_i_rval ) ;
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

393 / 462
Answer #51
Welcome FIFO’s are typically verified by following one or two items
Motivation through the FIFO process. These special values can be used to
Basics prove the assertion below.
Clocked and $past

k Induction
sfifo fifo ( i_clk , i_reset , i_wr , i_wval ,
Bus Properties
i_rd , i_rval ) ;
Free Variables
always @ ( ∗ )
Abstraction
i f ( rval_is_special_value )
Invariants
a s s e r t ( something_about_i_rval ) ;
Multiple-Clocks
e l s e // i f ( ! r v a l i s s p e c i a l v a l u e )
Cover
assume ( something_about_i_rval ) ;
Sequences
always @ ( ∗ )
Quizzes
i f ( special_value_in_fifo )
begin
// A s s e r t s o m e t h i n g a b o u t t h e s p e c i a l
// v a l u e w h i l e i t i s i n t h e FIFO

394 / 462
Quiz #52
Welcome You are trying to formally verify a CPU. How would you go
Motivation about verifying that your load/store unit works?
Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

395 / 462
Answer #52
Welcome 1. Start by including the formal bus property file
Motivation 2. As with the instruction fetch, let the solver pick a . . .
Basics
˝ Special address, f_lsu_addr,
Clocked and $past
˝ Special data value, f_lsu_data, and
k Induction

Bus Properties
˝ Whether the bus should return an error, f_lsu_err.
Free Variables
3. Track writes to f_lsu_addr using the data values
Abstraction

Invariants
˝ Any time a store instruction is issued for f_lsu_addr,
Multiple-Clocks adjust the value of f_lsu_data
Cover ˝ Any time a write is issued over the bus for f_lsu_addr,
Sequences assert() the value written is f_lsu_data
Quizzes
4. assume() reads from the address return f_lsu_data, and
return errors if and only if f_lsu_err
5. assert() within your CPU, that any time f_lsu_addr is read,
f_lsu_data is written to the register file

396 / 462
Quiz #53
Welcome Consider the VHDL design below controlling an AXI slave:
Motivation
AXI_READ_RLAST_P : p r o c e s s ( S_AXI_ACLK ) i s
Basics
begin
Clocked and $past
i f ( S_AXI_ACLK ’ event and S_AXI_ACLK = ’1 ’) then
k Induction
i f ( S_AXI_ARESETN = ’ 0 ’ ) then
Bus Properties
S_AXI_RLAST <= ’ 0 ’ ;
Free Variables
e l s i f S_AXI_RREADY = ’ 1 ’ then
Abstraction
S_AXI_RLAST <= s_axi_rlast_i and rvalid ;
Invariants
end i f ;
Multiple-Clocks end i f ;
Cover end p r o c e s s AXI_READ_RLAST_P ;
Sequences

Quizzes Can you spot any bugs in this snippet alone?

397 / 462
Answer #53
Welcome SymbiYosys found the following trace,
Motivation

Basics S AXI ACLK

Clocked and $past S AXI ARESETN
k Induction
S AXI ARVALID
Bus Properties

Free Variables S AXI ARREADY

0 3E AB
Abstraction S AXI ARLEN
Invariants

Multiple-Clocks
S AXI RVALID
Cover S AXI RREADY
Sequences S AXI RLAST ?
Quizzes

This bug lived for years in a piece of commercial IP that was

regularly checked by a “best in class” property checker. A first
ever formal AXI property check turned it up immediately.

398 / 462
Answer #53b
Welcome The correct check would include not only S_AXI_RREADY, but also
Motivation the possibility that !S_AXI_RVALID.
Basics
AXI_READ_RLAST_P : p r o c e s s ( S_AXI_ACLK ) i s
Clocked and $past
begin
k Induction
i f ( S_AXI_ACLK ’ event and S_AXI_ACLK = ’1 ’) then
Bus Properties
i f ( S_AXI_ARESETN = ’ 0 ’ ) then
Free Variables
S_AXI_RLAST <= ’ 0 ’ ;
Abstraction
e l s i f ( S_AXI_RVALID = ’ 0 ’ ´´ e x t r a c h e c k !
Invariants
or S_AXI_RREADY = ’ 1 ’ ) then
Multiple-Clocks
S_AXI_RLAST <= s_axi_rlast_i and rvalid ;
Cover
end i f ;
Sequences
end i f ;
Quizzes
end p r o c e s s AXI_READ_RLAST_P ;

399 / 462
Quiz #54
Welcome You are trying to verify a CPU. How can you go about verifying
Motivation that a single ALU instruction works? Let’s consider an ADD
Basics instruction for this example.
Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

400 / 462
Answer #54
Welcome How shall you verify an ADD instruction within a CPU?
Motivation
1. Generate a packet as the ADD instruction gets processed
Basics

Clocked and $past ˝ Capture the instruction word, current/next program

k Induction counter, register inputs, ALU output, etc.
Bus Properties
2. cover() an ADD instruction getting retired
Free Variables

Abstraction
3. When the instruction is retired, use assertions to check . . .
Invariants ˝ Is the output equal to the register inputs summed
Multiple-Clocks
together?
Cover
˝ Pick a register. If the input to the instruction is that
Sequences
register, does it match the value of the last time the
Quizzes
register was written?
˝ Is the current program counter equal to the next program
counter from the previous instruction?
˝ Is the next program counter the next location in memory?

401 / 462
Quiz #55
Welcome You are working on a bus component, and you want to know
Motivation how much throughput you can achieve per clock using that
Basics component
Clocked and $past How might you use formal tools to solve this problem?
k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

402 / 462
Answer #55
Welcome cover() makes a great way of measuring best case throughput.
Motivation The following formal logic will generate a trace demonstrating
Basics the maximum AXI write throughput within a design
Clocked and $past

k Induction
reg [3:0] cvr_writes ;
Bus Properties
i n i t i a l cvr_writes = 0 ;
Free Variables
always @ ( posedge i_clk )
i f ( ! S_AXI_ARESETN )
Abstraction
cvr_writes <= 0 ;
Invariants
e l s e i f ( S_AXI_BVALID && S_AXI_BREADY )
Multiple-Clocks
cvr_writes <= cvr_writes + 1 ;
Cover

Sequences
always @ ( ∗ )
Quizzes
cover ( cvr_writes > 4 ) ;

This logic will generate the earliest possible trace showing a

response to five separate write requests (each w/ AWLEN=0)

403 / 462
Quiz #56
Welcome You are working on an AXI bus slave, and you want to know how
Motivation much throughput you can achieve per clock. Moreover, your core
Basics is able to handle multiple burst sizes.
Clocked and $past How might you determine how fast your core can handle burst
k Induction
writes?
Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

404 / 462
Answer #56
Welcome You can use cover() again! This time, create a flag, we’ll call it
Motivation cvr_wr_bursts, that will only be true if all write requests are of
Basics length four or greater.
Clocked and $past

k Induction
reg cvr_wr_bursts = 1 ;
Bus Properties
always @ ( posedge i_clk )
Free Variables
i f ( ! S_AXI_ARESETN )
cvr_wr_bursts <= 1 ;
Abstraction
e l s e i f ( S_AXI_AWVALID && S_AXI_AWLEN < 3 )
Invariants
cvr_wr_bursts <= 0 ;
Multiple-Clocks

Cover
// c v r w r i t e s c o u n t s BVALID & BREADY a s b e f o r e
Sequences
always @ ( ∗ )
Quizzes
cover ( cvr_wr_bursts && cvr_writes > 2 ) ;

The above example will generate a trace showing a response to

three separate write bursts, each with AWLEN=3.

405 / 462
Quiz #57
Welcome Many of the AXI bugs I’ve found have centered around the
Motivation inability of a slave design to handle backpressure.
Basics

Clocked and $past S AXI ACLK

k Induction
S AXI ARESETN
Bus Properties

Free Variables
S AXI ARVALID
Abstraction S AXI ARREADY
Invariants
S AXI RVALID Backpressure
Multiple-Clocks

Cover
S AXI RREADY
Sequences

Quizzes What simulation or cover() goals might you use to guarantee

your design doesn’t suffer from an inability to handle
backpressure?

406 / 462
Answer #57
Welcome A useful simulation or cover() goal might be to hold
Motivation S_AXI_ARVALID high while holding S_AXI_RREADY low, creating a
Basics maximum forward and backpressure. You could then examine
Clocked and $past the trace to see if it looks right.
k Induction

Bus Properties
˝ This still requires examining the trace to know if the core
Free Variables handled the backpressure correctly
Abstraction ˝ A formal property checker, given a bus property file, would
Invariants automatically check this setup by nature
Multiple-Clocks ˝ Such a checker would also examine the signals for you, to
Cover
find exactly where a request wasn’t properly given a response.
Sequences

Quizzes Of course, this is only one of the many possible simulation goals
˝ With simulation, you’ll never know if you’ve done enough

407 / 462
Quiz #58
Welcome You’ve built a complex state machine, and now want to verify
Motivation that without a start signal the state machine will remain idle.
Basics Worse, you want to verify several other consequences of
Clocked and $past remaining idle as well.
k Induction
How might you go about building such a proof using Yosys?
Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

408 / 462
Answer #58
Welcome Here’s an approach that I’ve used on several projects
Motivation
˝ First, let the solver pick whether to do this check or not
Basics

Clocked and $past ( ∗ anyconst ∗ ) reg f_idle_check ;

k Induction

Bus Properties ˝ Then, if set, assume no start signal

Free Variables
always @ ( ∗ )
Abstraction
i f ( f_idle_check )
Invariants
begin
Multiple-Clocks
assume ( ! i_start_signal ) ;
Cover

Sequences ˝ Finally, assert your special case conditions

Quizzes
a s s e r t ( state == IDLE ) ;
a s s e r t ( consequence_one ) ;
// . . . e t c .
end

409 / 462
Quiz #59
Welcome You are trying to verify a hardware DMA
Motivation
˝ A DMA is essentially a hardware memory copy
Basics

Clocked and $past 1. It receives a source address, destination address, and

k Induction copy length from the bus
Bus Properties 2. Then copies (length) bytes of memory from source to
Free Variables
destination address
Abstraction

Invariants
˝ Ignoring the obvious undefined behavior associated with
Multiple-Clocks overlap between source and destination . . .
Cover
What formal properties would be appropriate to describe the
Sequences
“contract” that such a DMA is required to fulfill?
Quizzes

410 / 462
Answer #59
Welcome What formal properties would be appropriate to describe the
Motivation “contract” that a DMA is required to fulfill?
Basics
˝ The first step is easy: connect your bus properties to both
Clocked and $past

k Induction
control port and the data port.
Bus Properties That might just find most of your bugs, but for completeness
Free Variables
you’ll want to do one more:
Abstraction

Invariants
˝ Pick a value in memory, at some offset within the source
Multiple-Clocks region
Cover ˝ assume this value is returned by a read of that address
Sequences ˝ assert this value is written by a write to the same offset, but
Quizzes within the destination region
˝ If the solver can pick the value and offset arbitrarily, and the
resulting proof passes, then the entire DMA will therefore
work.

411 / 462
Quiz #60
Welcome You are trying to verify a CPU. How can you go about verifying
Motivation that a multiplication instruction works?
Basics
always @ ( posedge i_clk )
Clocked and $past
mpy_out <= i_a ∗ i_b ;
k Induction

Bus Properties
always @ ( posedge i_clk )
Free Variables
case ( insn_type )
Abstraction
ALU_INSN : result <= alu_out ;
Invariants
MPY_INSN : result <= mpy_out ;
Multiple-Clocks
DIV_INSN : result <= alu_out ;
Cover
LOD_INSN : result <= lsu_out ; // Load / S t o r e I n s n
Sequences
endcase
Quizzes

always @ ( ∗ ) // What a s s e r t i o n ( s ) might you u s e ?

i f ( insn_type == MPY_INSN )
a s s e r t ( mpy_out == ? ) ;

412 / 462
Answer #60
Welcome This issue is complicated by the fact that formally verifying the
Motivation result of a multiplication tends to be beyond the capability of the
Basics state of the art of formal verification. Given that, here are some
Clocked and $past things you can do:
k Induction

Bus Properties
˝ Replace the output of the multiply with a (constrained)
Free Variables arbitrary value
Abstraction
– Possible constraints include assuming the correct value in
Invariants
the case of multiplication by zero, one, or negative one
Multiple-Clocks
– Alternatively, you might XOR’ing the inputs together with
Cover

Sequences
another value
Quizzes Although these solutions don’t check the result of the
instruction, they can still catch bugs associated with the pipeline
timing, forwarding, etc.
˝ The actual multiply result can then be checked via simulation

413 / 462
Quiz #61
Welcome Just as formal tools struggle with multiplies, they also struggle
Motivation with divides. Worse, many divide instructions take many clocks
Basics to complete
Clocked and $past

k Induction
˝ How can you go about verifying a divide using either BMC or
Bus Properties
cover, but without processing all 32 (or more) steps of the
Free Variables divide?
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

414 / 462
Answer #61
Welcome Verifying that the divide pipeline works is still valuable
Motivation
˝ Consider using the approaches we used for a multiply to
Basics
verify that the divide is properly handled by its context
Clocked and $past
˝ You can capture the duration of the divide using a
k Induction

Bus Properties
(∗ anyseq ∗) “free variable.” Let this value range from only a
Free Variables couple of clocks in duration all the way to the correct length
Abstraction of the divide. This will keep things within the range of both
Invariants BMC and cover()
Multiple-Clocks
Verifying that the pipeline works for all durations of the divide
Cover

Sequences
effectively verifies that it works for the correct duration
Quizzes ˝ You can use simulation to actually verify the result of the
divide
˝ Alternatively, you can use formal to verify the individual
internal steps of the divide

415 / 462
Quiz #62
Welcome You have a counter that is supposed to count down from some
Motivation programmable value to zero. How can you assert that this
Basics counter will never be higher than the programmable value, given
Clocked and $past that the value might change mid count?
k Induction

Bus Properties
always @ ( posedge i_clk )
Free Variables
begin
Abstraction
i f ( set_value ) max_value <= new_value ;
Invariants

Multiple-Clocks
i f ( counter == 0 )
Cover
counter <= max_value ;
else
Sequences
counter <= counter ´ 1 ;
Quizzes

// T h i s f a i l s i f t h e m a x v a l u e e v e r
// c h a n g e s mid countdown !
a s s e r t ( counter <= max_value ) ;
end

416 / 462
Answer #62
Welcome Q: How can you assert that a counter will never be higher than
Motivation the programmable value, given that the value might change mid
Basics count?
Clocked and $past Answer: Capture a copy of the maximum value at the time the
k Induction
counter is set
Bus Properties

Free Variables always @ ( posedge i_clk )

Abstraction i f ( counter == 0 )
Invariants f_max_value <= max_value ;
Multiple-Clocks

Cover
always @ ( ∗ )
Sequences
a s s e r t ( counter <= f_max_value ) ;
Quizzes
Remember: you can use Verilog to your advantage!

417 / 462
Quiz #63
Welcome You have a CPU component of a larger design.
Motivation
cpu mycpu ( i_clk , i_reset ,
Basics
bus_master_outputs , // . . .
Clocked and $past
bus_master_inputs , // . . .
k Induction
interrupt_line ) ; // o r l i n e s
Bus Properties

Free Variables
Your CPU passes formal verification.
Abstraction
How would you go about formally verifying the rest of the
Invariants
design?
Multiple-Clocks

Cover

Sequences

Quizzes

418 / 462
Answer #63
Welcome How would you go about formally verifying the rest of the
Motivation design?
Basics Replace the CPU with a set of bus interface properties!
Clocked and $past

k Induction
˝ Assume the CPU is a generic bus master
Bus Properties
˝ This will disconnect any bus transactions from the CPU
Free Variables operation that would cause them
Abstraction On the other hand, you just proved the CPU would properly
Invariants execute its instructions
Multiple-Clocks ˝ You will want to do the same thing with your bus slaves as
Cover
well as the interconnect
Sequences

Quizzes This will then allow you to verify the top level of your design

419 / 462
Answer #63b
Welcome How would you go about formally verifying the rest of the
Motivation design?
Basics Replace the bus components with bus interface properties!
Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

420 / 462
Quiz #64
Welcome Consider the VHDL design below controlling an AXI slave:
Motivation
AXI_READ_VALID_P : p r o c e s s ( S_AXI_ACLK ) i s
Basics
begin
Clocked and $past
i f ( S_AXI_ACLK ’ event and S_AXI_ACLK = ’1 ’) then
k Induction
i f ( S_AXI_ARESETN = ’ 0 ’ ) then
Bus Properties
S_AXI_RVALID <= ’ 0 ’ ;
Free Variables
e l s i f S_AXI_RREADY = ’ 1 ’ then
Abstraction
S_AXI_RVALID <= rvalid ;
Invariants
end i f ;
Multiple-Clocks end i f ;
Cover end p r o c e s s AXI_READ_VALID_P ;
Sequences

Quizzes Can you spot any bugs in this snippet alone?

421 / 462
Answer #64
Welcome Can you spot any bugs in this snippet alone?
Motivation
AXI_READ_VALID_P : p r o c e s s ( S_AXI_ACLK ) i s
Basics
begin
Clocked and $past
i f ( S_AXI_ACLK ’ event and S_AXI_ACLK = ’1 ’) then
k Induction
i f ( S_AXI_ARESETN = ’ 0 ’ ) then
Bus Properties
S_AXI_RVALID <= ’ 0 ’ ;
Free Variables
e l s i f S_AXI_RREADY = ’ 1 ’ then
Abstraction
S_AXI_RVALID <= rvalid ;
Invariants
end i f ;
Multiple-Clocks end i f ;
Cover end p r o c e s s AXI_READ_VALID_P ;
Sequences

Quizzes Absolutely!
What happens if (!S_AXI_RVALID && !S_AXI_RREADY)?
If the master hasn’t set S_AXI_RREADY in anticipation of a
response, something it isn’t required to do, the design will hang.

422 / 462
Quiz #65
Welcome SymbiYosys extends Verilog, SV, and VHDL with several
Motivation attributes, including
Basics
˝ (∗ anyconst ∗), (∗ anyseq ∗), and (∗ gclk ∗)
Clocked and $past

k Induction Let’s discuss (∗ anyconst ∗): How might you achieve the same
Bus Properties result as
Free Variables

Abstraction
( ∗ anyconst ∗ ) w i r e A ;
Invariants
while only using one of the other two attributes?
Multiple-Clocks

Cover

Sequences

Quizzes

423 / 462
Answer #65
Welcome SymbiYosys extends Verilog, SV, and VHDL with several
Motivation attributes, including
Basics
˝ (∗ anyconst ∗), (∗ anyseq ∗), and (∗ gclk ∗)
Clocked and $past

k Induction Let’s discuss (∗ anyconst ∗): How might you achieve the same
Bus Properties result as
Free Variables

Abstraction
( ∗ anyconst ∗ ) w i r e A ;
Invariants
while only using one of the other two attributes?
Multiple-Clocks

Cover
The following declaration and property would be equivalent
Sequences ( ∗ anyseq ∗ ) w i r e A ;
Quizzes always @ ( posedge i_clk )
assume ( $ s t a b l e ( A ) ) ;

Bonus: How would you adjust this to handle multiple clocks?

424 / 462
Quiz #66
Welcome The following logic comes from a major vendor’s AXI stream
Motivation master implementation. Can you spot the bug?
Basics
always @ ( posedge ACLK )
Clocked and $past
i f ( ! ARESETN )
k Induction
// . . .
Bus Properties
e l s e begin
Free Variables
TVALID <= ( state == SEND_STREAM ) && rptr < MAX ;
Abstraction
TLAST <= ( rptr == MAX ´ 1 ) ;
Invariants

Multiple-Clocks
i f ( rptr < MAX ) begin
Cover
i f ( TVALID && TREADY ) begin
Sequences
done <= 0 ; rptr <= rptr + 1 ;
Quizzes
end end e l s e begin
done <= 1 ; rptr <= 0 ;
end end

Hint: the bug is not in the reset logic, nor is it in rptr or state

425 / 462
Answer #66
Welcome What happens when
Motivation TVALID && !TREADY && !TLAST && rptr == MAX´1?
Basics
˝ TLAST will change when things should’ve been stalled
Clocked and $past

k Induction

Bus Properties
ACLK
Free Variables TVALID
Abstraction
TREADY
Invariants

Multiple-Clocks
TLAST
M-2 M-1 M 0
Cover rptr
Sequences
done
Quizzes

426 / 462
Answer #66b
Welcome What happens when
Motivation TVALID && !TREADY && !TLAST && rptr == MAX?
Basics
˝ TVALID will change when things should’ve been stalled
Clocked and $past

k Induction

Bus Properties
ACLK
Free Variables TVALID
Abstraction
TREADY
Invariants

Multiple-Clocks
TLAST
M-1 M 0
Cover rptr
Sequences
done
Quizzes

427 / 462
Answer #66c
Welcome Adding a check for !TVALID || TREADY fixes both of these bugs
Motivation
// . . .
Basics
e l s e i f ( ! TVALID | | TREADY ) begin
Clocked and $past
TVALID <= ( state == SEND_STREAM ) && rptr < MAX ;
k Induction
TLAST <= ( rptr == MAX ´ 1 ) ;
Bus Properties

Free Variables
i f ( rptr < MAX ) begin
Abstraction
i f ( TVALID && TREADY ) begin
Invariants
done <= 0 ; rptr <= rptr + 1 ;
Multiple-Clocks end end e l s e begin
Cover done <= 1 ; rptr <= 0 ;
Sequences end end
Quizzes

428 / 462
Quiz #67
Welcome Can you spot the AXI-lite bug below?
Motivation
always @ ( posedge S_AXI_ACLK )
Basics
i f ( S_AXI_ARESETN == 1 ’ b0 )
Clocked and $past
axi_arready <= 1 ’ b0 ;
k Induction
e l s e i f ( ! axi_arready && S_AXI_ARVALID )
Bus Properties
axi_arready <= 1 ’ b1 ;
Free Variables
else
Abstraction
axi_arready <= 1 ’ b0 ;
Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

429 / 462
Answer #67
Welcome AWREADY, WREADY and ARREADY all need to be responsive to
Motivation backpressure from the master. In this case, if RREADY is low long
Basics enough then subsequent responses to consecutive requests will
Clocked and $past get dropped.
k Induction

Bus Properties ACLK

Free Variables
ARESETN
Abstraction

Invariants ARVALID
Multiple-Clocks ARREADY
Cover

Sequences
RVALID ?
Quizzes RREADY

Your design will then hang.

Example courtesy of Vivado, from 2016.3 to the present (2020.1)

430 / 462
Quiz #68
Welcome Here’s a second AXI4-lite bug, also courtesy of Vivado 2020.1.
Motivation Can you spot it?
Basics
always @ ( posedge S_AXI_ACLK )
Clocked and $past
i f ( S_AXI_ARESETN == 1 ’ b0 )
k Induction
axi_rvalid <= 0 ;
Bus Properties
e l s e i f ( axi_arready && S_AXI_ARVALID
Free Variables
&& ˜ axi_rvalid )
Abstraction
axi_rvalid <= 1 ’ b1 ;
Invariants
e l s e i f ( axi_rvalid && S_AXI_RREADY )
Multiple-Clocks
axi_rvalid <= 1 ’ b0 ;
Cover

Sequences Yes, let me assure you, there is a bug in this code.

Quizzes

431 / 462
Answer #68
Welcome Never transition on VALID && READY and anything thing else.
Motivation
˝ What happens if axi_arready && S_AXI_ARVALID
Basics
&& axi_rvalid? axi_rvalid is dropped.
Clocked and $past

k Induction

Bus Properties
ACLK
Free Variables ARESETN
Abstraction
ARVALID
Invariants

Multiple-Clocks
ARREADY
Cover RVALID ?
Sequences
RREADY
Quizzes

If your design isn’t ready to accept a transaction for some reason

or other, then it’s your responsibility to hold READY low.

432 / 462
Answer #68b
Welcome Several individuals have suggested that this answer depends
Motivation upon how axi_arready is assigned.
Basics
˝ Had it been combinatorially assigned, there would be no error.
Clocked and $past

k Induction assign axi_arready = ! axi_rvalid ;

Bus Properties

Free Variables This is true.

Abstraction ˝ Had it been assigned that way, the logic could’ve also been
Invariants simplified to the correct answer
Multiple-Clocks

Cover
always @ ( posedge S_AXI_ACLK )
Sequences
i f ( S_AXI_ARESETN == 1 ’ b0 )
Quizzes
axi_rvalid <= 0 ;
e l s e i f ( axi_arready && S_AXI_ARVALID )
axi_rvalid <= 1 ’ b1 ;
e l s e i f ( axi_rvalid && S_AXI_RREADY )
axi_rvalid <= 1 ’ b0 ;

433 / 462
Quiz #69
Welcome SymbiYosys extends Verilog, SV, and VHDL with several
Motivation attributes, including
Basics
˝ (∗ anyconst ∗), (∗ anyseq ∗), and (∗ gclk ∗)
Clocked and $past

k Induction To formally verify an asynchronous design, you need access to

Bus Properties the formal time-step. How might you use (∗ gclk ∗) for this
Free Variables
purpose? What other changes would be required in your design?
Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

434 / 462
Answer #69
Welcome The formal timestep can be described using (∗ gclk ∗) by first
Motivation declaring a global time-step,
Basics
( ∗ gclk ∗ ) w i r e gbl_clk ;
Clocked and $past

k Induction
and then using it in your design:
Bus Properties

Free Variables always @ ( posedge gbl_clk )

Abstraction

Invariants Don’t forget to add the SymbiYosys multiclock option:

Multiple-Clocks
[ options ]
Cover
# ...
Sequences
m u l t i c l o c k on
Quizzes

435 / 462
Quiz #70
Welcome Looking at the following vendor supplied AXI master design, do
Motivation you see any AXI protocol errors?
Basics
parameter AXI_BASE_ADDR = 3 2 ’ h4000_0000 ;
Clocked and $past
parameter BURST_LEN = 8 ;
k Induction
a s s i g n burst_size_bytes
Bus Properties
= BURST_LEN ∗ ( AXI_DATA_WIDTH / 8 ) ;
Free Variables

Abstraction
always @ ( posedge ACLK )
Invariants
i f ( ! M_AXI_ARESETN | | init_pulse )
Multiple-Clocks
axi_awaddr <= 0 ;
Cover
e l s e i f ( M_AXI_AWREADY && axi_awvalid )
Sequences
axi_awaddr <= axi_awaddr + burst_size_bytes ;
Quizzes

a s s i g n M_AXI_AWADDR = BASE_ADDR + axi_awaddr ;

a s s i g n M_AXI_AWLEN = BURST_LEN ´1;

You may assume init_pulse |´> !M_AXI_AWVALID.

436 / 462
Answer #70
Welcome This bug is rather subtle, if present at all. (We can argue that.)
Motivation
˝ As currently parameterized, there are no bugs.
Basics

Clocked and $past

˝ What happens if the parameters are overridden?
k Induction
˝ Specifically, what if BASE_ADDR[11:0] > 12’hfe0 for a 32-bit
Bus Properties bus?
Free Variables ˝ The AXI Spec prohibits bursts from crossing a 4kB boundary
Abstraction ˝ Nothing in the demo indicates that the address can not be
Invariants arbitrarily overridden
Multiple-Clocks

Cover
What do you think? Is this a bona fide “bug”?
Sequences ˝ It’s led to many broken user designs based upon this
Quizzes demonstration code

437 / 462
Quiz #71
Welcome Can you spot any bugs in the AXI4–lite code below?
Motivation
i n i t i a l BVALID = 0 ;
Basics
always @ ( posedge ACLK )
Clocked and $past
i f ( ! ARESETN )
k Induction
BVALID <= 0 ;
Bus Properties
e l s e i f ( AWVALID && AWREADY
Free Variables
&& WVALID && WREADY
Abstraction
&& ! BVALID )
Invariants
BVALID <= 1 ;
Multiple-Clocks e l s e i f ( BREADY && BVALID )
Cover BVALID <= 0 ;
Sequences

Quizzes
˝ Hint: Xilinx’s VIP won’t necessarily find these bugs
If you’re not sure if there is a bug, how would you find out?

438 / 462
Answer #71
Welcome What happens if . . .
Motivation
1. Either of AWVALID or WVALID but not both,
Basics
2. (AWVALID && WVALID) && AWREADY != WREADY, or even
Clocked and $past

k Induction
3. (AWVALID && WVALID) && AWREADY && BVALID?
Bus Properties A couple assertions can quickly determine if any of these
Free Variables
conditions would ever be a problem:
Abstraction

Invariants
˝ assert(AWREADY == WREADY);
Multiple-Clocks ˝ if (AWREADY) assert(AWVALID && WVALID);
Cover ˝ if (BVALID) assert(!AWREADY);
Sequences
Of course, if these assertions would pass, then the logic could’ve
Quizzes
been greatly simplified

439 / 462
Answer #71b
Welcome To fix this logic, I like using skid buffers and a combinatorial flag
Motivation
always @ ( ∗ )
Basics
write_ready = awskd_valid && wskd_valid
Clocked and $past
&& ( ! BVALID | | BREADY ) ;
k Induction

Bus Properties
always @ ( posedge ACLK )
Free Variables
i f ( ! ARESETN )
Abstraction
BVALID <= 0 ;
Invariants
e l s e i f ( write_ready )
Multiple-Clocks BVALID <= 1 ;
Cover e l s e i f ( BREADY )
Sequences BVALID <= 0 ;
Quizzes

Using the skidbuffer gets around the requirement that all AXI
outputs be registered, since the skid buffer ready input doesn’t
need to be registered.

440 / 462
Answer #71c
Welcome You could also fix this logic without the skid buffers but only at
Motivation a loss of 50% throughput
Basics
always @ ( posedge i_clk )
Clocked and $past
i f ( ! ARESETN )
k Induction
write_ready <= 0 ;
Bus Properties
e l s e begin
Free Variables
write_ready <= ( AWVALID && AWREADY ) ;
Abstraction
i f ( write_ready )
Invariants
write_ready <= 0 ;
Multiple-Clocks
// Note you ∗ must ∗ c h e c k f o r
Cover
// b a c k p r e s s u r e when u s i n g AXI
Sequences
i f ( BVALID && ! BREADY )
Quizzes
write_ready <= 0 ;
end

assign AWREADY = write_ready ;

assign WREADY = write_ready ;

441 / 462
Quiz #72
Welcome (∗ anyconst ∗) and (∗ anyseq ∗) can both be used to create
Motivation random values carefully chosen by the solver within your proof.
Basics If these values need to be constrained, what kind of constraints
Clocked and $past should be used on them?
k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

442 / 462
Answer #72
Welcome (∗ anyconst ∗) and (∗ anyseq ∗) can both be used to create
Motivation random values carefully chosen by the solver within your proof.
Basics If these values need additional constraints, what kind of
Clocked and $past constraints should be used on them?
k Induction

Bus Properties ˝ Because (∗ anyconst ∗) and (∗ anyseq ∗) values act like

Free Variables inputs, assumptions are appropriate for constraining them
Abstraction ˝ Beware, these two attributes will be ignored by a simulator
Invariants

Multiple-Clocks
– In simulation, assume() constraints will become assert() s
Cover – This will likely cause any simulation depending upon their
Sequences assumed values to fail
Quizzes – You might wish to ifdef out any free variable sections
when running simulations, or
– Arrange them so they’ll work without additional
constraints under simulation

443 / 462
Quiz #73
Welcome Let’s talk about the depth of a proof
Motivation
˝ For bounded and cover checks
Basics

Clocked and $past – The depth is the number of steps that get checked
k Induction
˝ For induction passes
Bus Properties

Free Variables – The depth is the number of steps where assertions are
Abstraction assumed to be valid
Invariants

Multiple-Clocks
˝ Be aware, the time required for the proof typically increases
Cover
exponentially with the depth
Sequences When building a full proof (i.e. with induction), what depth
Quizzes
should you start with?

444 / 462
Answer #73
Welcome I recommend the following rules for setting the depth
Motivation
˝ Start with the length of the longest operation the design
Basics
must accomplish before returning to idle – if possible
Clocked and $past

k Induction – Otherwise shorten to what you have the patience for

Bus Properties
˝ Start with the bounded check. Once it passes, add induction
Free Variables

Abstraction
˝ Once induction succeeds,
Invariants – Reduce the depth to the number of steps the induction
Multiple-Clocks
check took to succeed
Cover

Sequences Remember, a trace generated from a bounded check is easier to

Quizzes debug

445 / 462
Quiz #74
Welcome Can you see anything wrong with the following assertion?
Motivation
a s s e r t p r o p e r t y ( @ ( posedge i_clk )
Basics
A ##1 B ##1 C
Clocked and $past
);
k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

446 / 462
Answer #74
Welcome Can you see anything wrong with the following assertion?
Motivation
a s s e r t p r o p e r t y ( @ ( posedge i_clk )
Basics
A ##1 B ##1 C
Clocked and $past
);
k Induction

Bus Properties
Yes. Assertions need triggers. Without an trigger, this assertion
Free Variables
requires that A be true on every cycle, and that B and C follow.
Abstraction
Chances are what you mean to assert was something closer to,
Invariants

Multiple-Clocks a s s e r t p r o p e r t y ( @ ( posedge i_clk )

Cover A |=> B ##1 C
Sequences );
Quizzes
This says that if A is ever true, then B and then C must follow,
not that A must be true on every cycle.

447 / 462
Quiz #75
Welcome Will the following assertion pass a formal verification check?
Motivation
input wire A;
Basics

Clocked and $past

i n i t i a l assume ( A ) ;
k Induction
assume p r o p e r t y ( @ ( posedge CLK ) A ) ;
Bus Properties

Free Variables
always @ ( ∗ )
Abstraction
assert (A ) ;
Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

448 / 462
Answer #75
Welcome No, it will not. You’ll get something similar to the following
Motivation trace:
Basics

Clocked and $past

CLK
k Induction

Bus Properties

Free Variables
A
Abstraction

Invariants
It’s as though the assumption never took effect!
Multiple-Clocks What went wrong? Clocked properties require a clock edge
Cover before taking effect.
Sequences

Quizzes

449 / 462
Answer #75b
Welcome The assertion is equivalent to the following:
Motivation
reg p_assumption = 1 , f_initial = 1 ;
Basics

Clocked and $past

always @ ( posedge CLK ) begin
k Induction
f_initial <= 0 ;
Bus Properties
// R e g i s t e r t h e c l o c k e d a s s u m p t i o n
Free Variables
p_assumption <= A ;
Abstraction
end
Invariants

Multiple-Clocks always @ ( ∗ ) begin

Cover i f ( f_initial ) assume ( A ) ;
Sequences assume ( p_assumption ) ;
Quizzes assert (A ) ;
end

As you can see, p_assumption only gets checked after the clock
edge

450 / 462
Quiz #76
Welcome How do you know if your design has enough assertions?
Motivation

Basics

Clocked and $past

k Induction

Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

451 / 462
Answer #76
Welcome How do you know if your design has enough assertions?
Motivation Here are some tests you can use:
Basics
˝ Is every assumption made by a module depending on your
Clocked and $past

k Induction
design covered by an assertion?
Bus Properties
I like using shared interface property files for this, to make
Free Variables certain that assumptions don’t get lost.
Abstraction ˝ Is every output pinned down? Could you tell, for example via
Invariants an assertion failure, if an output had the wrong value?
Multiple-Clocks ˝ Does the design pass induction?
Cover

Sequences
You can also use mcy (mutation coverage with yosys) to find
Quizzes things that aren’t covered by any assertions.

452 / 462
Quiz #77
Welcome The following example was inspired by some endianness
Motivation adjustment logic.
Basics Will the following assertion pass?
Clocked and $past

k Induction
input wire [31:0] in ;
Bus Properties
input wire [2:0] shift ;
Free Variables
output reg [31:0] out ;
Abstraction
always @ ( ∗ )
Invariants
out = in >> 4 ∗ ( ˜ shift ) ;
Multiple-Clocks

Cover
a s s e r t p r o p e r t y ( @ ( posedge clk )
Sequences
in == 3 2 ’ hfeedbead && shift == 3 ’ h7
Quizzes
|´> out == 3 2 ’ hfeedbead ) ;

453 / 462
Answer #77
Welcome No, it will not pass.
Motivation
˝ When evaluating logic with multiple widths, the synthesis
Basics
tool is supposed to first expand every term to the maximum
Clocked and $past

k Induction
width used
Bus Properties
˝ shift[2:0] thus gets expanded to 32’h7
Free Variables ˝ ˜shift[2:0] becomes 32’hffff_fff8
Abstraction ˝ 32’d4 ∗ 32’hffff_fff8 is then 32’hffff_ff80, and
Invariants ˝ 32’dfeedbead >> 32’hffff_ff80 is zero, not 32’hfeedbead
Multiple-Clocks
Note: I didn’t get this right the first time either.
Cover

Sequences

Quizzes

454 / 462
Quiz #78
Welcome The following student cover() statement was intended to
Motivation generate a trace showing a FIFO go from empty to full and back
Basics again.
Clocked and $past

k Induction
cover p r o p e r t y ( @ ( posedge i_clk )
Bus Properties
o_empty ##1 1 [ ∗ 0 : $ ]
Free Variables
##1 o_full ##1 1 [ ∗ 0 : $ ]
##1 o_empty ) ;
Abstraction

Invariants
Much to the student’s surprise, the resulting trace wasn’t at all
Multiple-Clocks
what he was expecting.
Cover

Sequences
Judging from the cover() statement above, what do you think
Quizzes went wrong?

455 / 462
Answer #78
Welcome The student forgot to keep the reset low (inactive)
Motivation
˝ The solver jumped from full to empty on a reset
Basics
˝ This short-circuited his desired cover proof
Clocked and $past

k Induction

Bus Properties
i clk
Free Variables i reset
Abstraction
i wr
Invariants

Multiple-Clocks o full
Cover i rd
Sequences
o empty
Quizzes
0 1 2 3 4 5 6 7 0
o fill

456 / 462
Answer #78b
Welcome Disabling the cover() statement on a reset solves this problem
Motivation
cover p r o p e r t y ( @ ( posedge i_clk )
Basics
d i s a b l e iff ( i_reset )
Clocked and $past
o_empty ##1 1 [ ∗ 0 : $ ]
k Induction
##1 o_full ##1 1 [ ∗ 0 : $ ]
Bus Properties
##1 o_empty ) ;
Free Variables

Abstraction Since the student also wanted to see some non-zero data passing
Invariants
through the FIFO, we made the disable iff statement a touch
Multiple-Clocks
more complex.
Cover

Sequences cover p r o p e r t y ( @ ( posedge i_clk )

Quizzes d i s a b l e iff ( i_reset | | i_data != wr_addr )
o_empty ##1 1 [ ∗ 0 : $ ]
##1 o_full ##1 1 [ ∗ 0 : $ ]
##1 o_empty ) ;

457 / 462
Quiz #79
Welcome Your UART appears to be running at the wrong baud rate in
Motivation hardware. Tracing this problem down further, it appears as
Basics though your clock may be running at the wrong frequency.
Clocked and $past What’s an easy way to verify the frequency your clock is running
k Induction
at?
Bus Properties

Free Variables

Abstraction

Invariants

Multiple-Clocks

Cover

Sequences

Quizzes

458 / 462
Answer #79
Welcome Here’s my personal favorite approach to verifying a clock’s rate:
Motivation
reg [31:0] counter ;
Basics

Clocked and $past

always @ ( posedge i_clk )
k Induction
// 43 == 2ˆ32 / 100 MHz
Bus Properties
counter <= counter + 3 2 ’ d43 ;
Free Variables

Abstraction
always @ ( ∗ )
Invariants
o_led = counter [ 3 1 ] ;
Multiple-Clocks

Cover A 100MHz system clock will now cause this LED to blink at 1Hz.
Sequences

Quizzes

459 / 462
Answer #79b
Welcome For those in an engineering lab, there’s also the obvious
Motivation
˝ Forward the clock to a pin, and examine it with an external
Basics
oscilloscope
Clocked and $past

k Induction Other approaches to this problem deserve an honorable mention,

Bus Properties if for no other reason than for their creativity:
Free Variables

Abstraction
˝ Output a square wave to a piezo speaker and comare it to a
Invariants
tuning fork
Multiple-Clocks ˝ Causing a pin to transmit on the AM band (1MHz or so),
Cover look for it’s signal using a nearby radio receiver
Sequences ˝ Use a known frequency to count edges from the unknown
Quizzes clock
˝ Transmit a perpetual 0x55 over UART, and looking for the
resulting square wave with an oscilloscope

460 / 462
Quiz #80
Welcome Consider the following trace initiating an AXI write burst.
Motivation

Basics S AXI ACLK

Clocked and $past S AXI ARESETN
k Induction

Bus Properties S AXI AWVALID

Free Variables S AXI AWADDR ’b..01

Abstraction 1
S AXI AWLEN
Invariants 3’h1
S AXI AWSIZE
Multiple-Clocks

Cover
S AXI WVALID
Sequences
4’b0110
S AXI WSTRB[3:0]
Quizzes
S AXI WLAST

Assume that the C_AXI_DATA_WIDTH == 32, and

C_AXI_ADDR_WIDTH > 2. Is the first beat of this burst legal?

461 / 462
Answer #80
Welcome No. The WSTRB value in the write beat is not legal.
Motivation The burst exists to help illustrate this.
Basics
˝ It’s two beats long
Clocked and $past
˝ Each beat is 16-bits, or two bytes
k Induction

Bus Properties
˝ The second address is aligned on a 16-bit boundary
31 24 16 8 0
Free Variables

Abstraction 3 2 1 0
Invariants
3 2 1 0
Multiple-Clocks

Cover

Sequences ˝ This means that WSTRB[2] belongs to the second beat, not the
Quizzes first.
While the problem would exist without the burst, the burst
details help to illuminate the problem.

462 / 462

Springer SV Solutions Manual
89% (38)
Springer SV Solutions Manual
63 pages
AMD Previous Int Questions
No ratings yet
AMD Previous Int Questions
9 pages
William K Lam Hardware Design Verification Simulation and Formal Method Based Approaches Prentice Hall 2008
50% (2)
William K Lam Hardware Design Verification Simulation and Formal Method Based Approaches Prentice Hall 2008
837 pages
Introduction To Formal Hardware Verification-Springer-Verlag Berlin Heidelberg (1999)
No ratings yet
Introduction To Formal Hardware Verification-Springer-Verlag Berlin Heidelberg (1999)
308 pages
Clarity, Cohesion, and Coherence
No ratings yet
Clarity, Cohesion, and Coherence
2 pages
Class Verilog
No ratings yet
Class Verilog
435 pages
Course Formal Assertion Based Verification Session Formal Model Checking Meslinger
No ratings yet
Course Formal Assertion Based Verification Session Formal Model Checking Meslinger
29 pages
Functional Checking of Design Using Formal Verification Techniques
No ratings yet
Functional Checking of Design Using Formal Verification Techniques
31 pages
Overview Ch
No ratings yet
Overview Ch
35 pages
Course3 - Lecture video Transcripts
No ratings yet
Course3 - Lecture video Transcripts
50 pages
Formal_modeling_and_verification_of_microprocessors
No ratings yet
Formal_modeling_and_verification_of_microprocessors
19 pages
Lec03 Testbench and Pattern
No ratings yet
Lec03 Testbench and Pattern
54 pages
Dvcon Fv Bootcamp-1
No ratings yet
Dvcon Fv Bootcamp-1
80 pages
System Verilog Notes: Basics To Advance
No ratings yet
System Verilog Notes: Basics To Advance
37 pages
VLSI Design I VLSI Design I VLSI Design I VLSI Design I
No ratings yet
VLSI Design I VLSI Design I VLSI Design I VLSI Design I
23 pages
PDF_16MVE332
No ratings yet
PDF_16MVE332
5 pages
01 Introduction To Formal Methods
No ratings yet
01 Introduction To Formal Methods
21 pages
Advanced Testing With VHDL
No ratings yet
Advanced Testing With VHDL
43 pages
Tv Model Paper 20171
No ratings yet
Tv Model Paper 20171
2 pages
Week 14
No ratings yet
Week 14
48 pages
Book Systemverilog For Verification
No ratings yet
Book Systemverilog For Verification
326 pages
Thesis
No ratings yet
Thesis
47 pages
EEE 105 Lab Exercises 6 and 7: Multi-Cycle MIPS Processor I and II
No ratings yet
EEE 105 Lab Exercises 6 and 7: Multi-Cycle MIPS Processor I and II
4 pages
Array Attributes: Type ROM Is Array (0 To 15, 7 Downto 0) of Bit Signal ROM1: ROM
No ratings yet
Array Attributes: Type ROM Is Array (0 To 15, 7 Downto 0) of Bit Signal ROM1: ROM
14 pages
Verification Technology Spring 2008
No ratings yet
Verification Technology Spring 2008
8 pages
Integrating Formal Verification Into Computer Organization and Architecture Courses
No ratings yet
Integrating Formal Verification Into Computer Organization and Architecture Courses
8 pages
ARM Based SOC Verification: Test and Verification Solutions
No ratings yet
ARM Based SOC Verification: Test and Verification Solutions
28 pages
VLSI Ques For Testability
No ratings yet
VLSI Ques For Testability
6 pages
Extended
No ratings yet
Extended
124 pages
A Computational Model For SAT-based Verification of Hardware-Dependent Low-Level Embedded System Software
No ratings yet
A Computational Model For SAT-based Verification of Hardware-Dependent Low-Level Embedded System Software
25 pages
Implement Randc Function Using Rand in System Verilog ?
100% (1)
Implement Randc Function Using Rand in System Verilog ?
22 pages
Veri Log Tutorial
No ratings yet
Veri Log Tutorial
10 pages
Thiet Ke Vi Mach Voi HDL Pham Quoc Cuong Chapter5 Behavioralmodel Part2 (Cuuduongthancong - Com)
No ratings yet
Thiet Ke Vi Mach Voi HDL Pham Quoc Cuong Chapter5 Behavioralmodel Part2 (Cuuduongthancong - Com)
43 pages
Chapter 5 Behavioral Model Part2
No ratings yet
Chapter 5 Behavioral Model Part2
41 pages
Sbesc 2023
No ratings yet
Sbesc 2023
6 pages
Chapter 4 RTL Model
No ratings yet
Chapter 4 RTL Model
33 pages
Mehrdad Nourani: EEDG/CE 6303: Testing and Testable Design
No ratings yet
Mehrdad Nourani: EEDG/CE 6303: Testing and Testable Design
54 pages
Formal Verif Mentor WhitePaper
No ratings yet
Formal Verif Mentor WhitePaper
5 pages
Verification
No ratings yet
Verification
149 pages
Lect01-Intro To FM
No ratings yet
Lect01-Intro To FM
20 pages
tv-model-qp
No ratings yet
tv-model-qp
1 page
BCS402 IA2(Version a) Scheme 24-25
No ratings yet
BCS402 IA2(Version a) Scheme 24-25
10 pages
Vector Synthesis of Fault Testing Map For Logic
No ratings yet
Vector Synthesis of Fault Testing Map For Logic
14 pages
International Verilog Conference and VHDL International Users
No ratings yet
International Verilog Conference and VHDL International Users
5 pages
Formal Verification: Outline
No ratings yet
Formal Verification: Outline
14 pages
Preparing For An RTL Design Interview - An Exhaustive List of Topics - theDataBus
No ratings yet
Preparing For An RTL Design Interview - An Exhaustive List of Topics - theDataBus
19 pages
Baics of SystemVerilog
No ratings yet
Baics of SystemVerilog
4 pages
Dwyer99 Icse Patterns
No ratings yet
Dwyer99 Icse Patterns
10 pages
Final Exam Final Exam: - Verilog Coding, Analysis, Debugging - Short Answer (Text)
No ratings yet
Final Exam Final Exam: - Verilog Coding, Analysis, Debugging - Short Answer (Text)
5 pages
Verilog Chapter9 Testbench and Verification
No ratings yet
Verilog Chapter9 Testbench and Verification
73 pages
1993_IDTC_UsingMarchTestsToTestSrams (1)
No ratings yet
1993_IDTC_UsingMarchTestsToTestSrams (1)
7 pages
An Introduction To Formal Methods For The Development of Safety Critical Applications (Anne E. Haxthausen - 2010)
No ratings yet
An Introduction To Formal Methods For The Development of Safety Critical Applications (Anne E. Haxthausen - 2010)
16 pages
? Cracking RTL Design Interviews
No ratings yet
? Cracking RTL Design Interviews
17 pages
ECSE 324 MT Fall 2021 A With Solutions PDF
No ratings yet
ECSE 324 MT Fall 2021 A With Solutions PDF
10 pages
Formal Methods in Hardware Verification: Maciej Ciesielski
No ratings yet
Formal Methods in Hardware Verification: Maciej Ciesielski
96 pages
Verilog HDL
No ratings yet
Verilog HDL
51 pages
Wint05 Exam2
No ratings yet
Wint05 Exam2
40 pages
(Spring 2023) Final Exam
No ratings yet
(Spring 2023) Final Exam
4 pages
ECE 351 Table of Contents PDF
No ratings yet
ECE 351 Table of Contents PDF
24 pages
CS222 - COAL - SOLUTION - Final - Spring2023
No ratings yet
CS222 - COAL - SOLUTION - Final - Spring2023
12 pages
PyQt6 101: A Beginner’s guide to PyQt6
From Everand
PyQt6 101: A Beginner’s guide to PyQt6
Edward Chang
No ratings yet
Class 8
No ratings yet
Class 8
2 pages
Ignou 1st Sem Assignments
No ratings yet
Ignou 1st Sem Assignments
7 pages
Tutorial Letter 101/3/2020: Portuguese Language and Culture For Beginners
No ratings yet
Tutorial Letter 101/3/2020: Portuguese Language and Culture For Beginners
35 pages
Legend Meaning MISTAKE (Examples) CORRECTION (Examples)
No ratings yet
Legend Meaning MISTAKE (Examples) CORRECTION (Examples)
1 page
Run ASP On Your Computer
No ratings yet
Run ASP On Your Computer
7 pages
Exhaustion2 Archimedes Quadrature Parbola
No ratings yet
Exhaustion2 Archimedes Quadrature Parbola
6 pages
12345
No ratings yet
12345
12 pages
(Solution Manual) Principles of Marketing 16th Global Edition by Philip Kotler pdf download
100% (2)
(Solution Manual) Principles of Marketing 16th Global Edition by Philip Kotler pdf download
28 pages
English preposition
No ratings yet
English preposition
37 pages
Topic 1 - Personality Traits 1 - 11° 2023
No ratings yet
Topic 1 - Personality Traits 1 - 11° 2023
7 pages
Presentation - MIL-STD-31000 - A - Overview - Roy Whittenburg
No ratings yet
Presentation - MIL-STD-31000 - A - Overview - Roy Whittenburg
19 pages
Untitled
100% (2)
Untitled
10 pages
Alshahrani 2016
No ratings yet
Alshahrani 2016
17 pages
50 Verbs Form Full New form
No ratings yet
50 Verbs Form Full New form
7 pages
001 MBA Business Statistics Week 14 Parametric and Non Parametric Tests 17-06-2023 F1 SV
No ratings yet
001 MBA Business Statistics Week 14 Parametric and Non Parametric Tests 17-06-2023 F1 SV
109 pages
Co202 Dbms Lab Assignment - 04: Strong Entity
No ratings yet
Co202 Dbms Lab Assignment - 04: Strong Entity
5 pages
MCS Resume Template (Bullet Points)
No ratings yet
MCS Resume Template (Bullet Points)
2 pages
19 Dynamic Programming
No ratings yet
19 Dynamic Programming
11 pages
Pmscs 623p Lecture 6
No ratings yet
Pmscs 623p Lecture 6
47 pages
Activity Design
No ratings yet
Activity Design
2 pages
Scanning Strategies and Best Practices Training Labs
No ratings yet
Scanning Strategies and Best Practices Training Labs
44 pages
Complete Download Unravelling the Franklin Mystery Second Edition Inuit Testimony David C. Woodman PDF All Chapters
100% (3)
Complete Download Unravelling the Franklin Mystery Second Edition Inuit Testimony David C. Woodman PDF All Chapters
82 pages
Simple Present Exercises
No ratings yet
Simple Present Exercises
2 pages
OOAD Short Notes
No ratings yet
OOAD Short Notes
13 pages
A76XX Series - LBS - Application Note - V1.04
No ratings yet
A76XX Series - LBS - Application Note - V1.04
13 pages
Backward Design
No ratings yet
Backward Design
6 pages
Grade 8-TOS-Diagnostic Test
No ratings yet
Grade 8-TOS-Diagnostic Test
2 pages
0.2. In-Text Referencing Guidelines
No ratings yet
0.2. In-Text Referencing Guidelines
2 pages
Yet Just Already PPT 1ºM
No ratings yet
Yet Just Already PPT 1ºM
11 pages