From ee769996d04809b3b9e2fe8bffa061f298dda98e Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Wed, 27 Apr 2022 09:02:16 +1200 Subject: [PATCH 01/38] Initial add of fifo example Has tests which pass, committing before messing with it while tidying. --- docs/examples/fifo/.gitignore | 1 + docs/examples/fifo/fifo.sby | 22 ++++ docs/examples/fifo/fifo.sv | 183 ++++++++++++++++++++++++++++++++++ 3 files changed, 206 insertions(+) create mode 100644 docs/examples/fifo/.gitignore create mode 100644 docs/examples/fifo/fifo.sby create mode 100644 docs/examples/fifo/fifo.sv diff --git a/docs/examples/fifo/.gitignore b/docs/examples/fifo/.gitignore new file mode 100644 index 0000000..22b7dbd --- /dev/null +++ b/docs/examples/fifo/.gitignore @@ -0,0 +1 @@ +fifo_* \ No newline at end of file diff --git a/docs/examples/fifo/fifo.sby b/docs/examples/fifo/fifo.sby new file mode 100644 index 0000000..586e7b3 --- /dev/null +++ b/docs/examples/fifo/fifo.sby @@ -0,0 +1,22 @@ +[tasks] +cover +prove + +[options] +cover: +mode cover +-- +prove: +mode prove +-- + +[engines] +cover: smtbmc +prove: abc pdr + +[script] +read -formal fifo.sv +prep -top fifo + +[files] +fifo.sv diff --git a/docs/examples/fifo/fifo.sv b/docs/examples/fifo/fifo.sv new file mode 100644 index 0000000..5d30883 --- /dev/null +++ b/docs/examples/fifo/fifo.sv @@ -0,0 +1,183 @@ +// Define our top level fifo entity +module fifo ( + input wen, ren, clk, rst_n, + input [7:0] wdata, + output [7:0] rdata, + output [3:0] count, + output full, empty +); + parameter MAX_DATA = 16; + + // internals + reg [3:0] data_count; + initial begin + data_count <= 0; + end + + // wire up our sub modules + wire [3:0] waddr, raddr; + wire wskip, rskip; + storage #(.MAX_DATA(MAX_DATA)) fifo_storage ( + .wen (wen ), + .ren (ren ), + .clk (clk ), + .rst_n (rst_n), + .waddr (waddr), + .raddr (raddr), + .wdata (wdata), + .rdata (rdata) + ); + + addr_gen #(.MAX_DATA(MAX_DATA)) fifo_writer ( + .en (wen || wskip), + .clk (clk ), + .rst_n (rst_n), + .addr (waddr) + ); + + addr_gen #(.MAX_DATA(MAX_DATA)) fifo_reader ( + .en (ren || rskip), + .clk (clk ), + .rst_n (rst_n), + .addr (raddr) + ); + + always @(posedge clk or negedge rst_n) begin + if (~rst_n) + data_count <= 0; + else if (wen && !ren && data_count < MAX_DATA-1) + data_count <= data_count + 1; + else if (ren && !wen && data_count > 0) + data_count <= data_count - 1; + else + data_count <= data_count; + end + + assign full = data_count == MAX_DATA-1; + assign empty = data_count == 0; + assign count = data_count; + + // write while full => overwrite oldest data, move read pointer + assign rskip = wen && !ren && data_count >= MAX_DATA-1; + // read while empty => read invalid data, keep write pointer in sync + assign wskip = ren && !wen && data_count == 0; + +`ifdef FORMAL + // observers + wire [4:0] addr_diff; + assign addr_diff = waddr >= raddr ? waddr - raddr : waddr + MAX_DATA - raddr; + + // tests should not run through a reset + // not entirely sure what this actually does + default clocking @(posedge clk); endclocking + default disable iff (~rst_n); + + // tests + always @(posedge clk or negedge rst_n) begin + // waddr and raddr are zero while reset is low + ap_reset: assert property (~rst_n |=> !waddr && !raddr); + wp_reset: cover property (rst_n); + + // waddr and raddr can only be non zero if reset is high + ap_nreset: assert property (waddr || raddr |=> $past(rst_n)); + wp_nreset: cover property (waddr || raddr); + + // count never less than zero, or more than max + ap_uflow: assert (count >= 0); + ap_uflow2: assert (raddr >= 0); + ap_oflow: assert (count < MAX_DATA); + ap_oflow2: assert (waddr < MAX_DATA); + + // count should be equal to the difference between writer and reader address + ap_count_diff: assert (count == addr_diff); + + // count should only be able to increase or decrease by 1 + ap_counts: assert (count == 0 + || count == $past(count) + || count == $past(count) + 1 + || count == $past(count) - 1); + + // read/write addresses can only increase (or stay the same) + ap_raddr: assert (raddr == 0 + || raddr == $past(raddr) + || raddr == $past(raddr + 1)); + ap_waddr: assert (waddr == 0 + || waddr == $past(waddr) + || waddr == $past(waddr + 1)); + + // read/write enables enable + ap_raddr2: assert property (ren |=> raddr != $past(raddr)); + ap_waddr2: assert property (wen |=> waddr != $past(waddr)); + + // read/write needs enable UNLESS full/empty + ap_raddr3: assert property (!ren && !full |=> raddr == $past(raddr)); + ap_waddr3: assert property (!wen && !empty |=> waddr == $past(waddr)); + + // full and empty work as expected + ap_full: assert property (wen && !ren && count == MAX_DATA-2 |=> full); + wp_full: cover property (wen && !ren && count == MAX_DATA-2); + ap_empty: assert property (ren && !wen && count == 1 |=> empty); + wp_empty: cover property (ren && !wen && count == 1); + + // can we corrupt our data? + ap_overfill: assert property (wen && full |=> raddr != $past(raddr)); + wp_overfill: cover property (wen && full); + ap_underfill: assert property (ren && empty |=> waddr != $past(waddr)); + wp_underfill: cover property (ren && empty); + end + + // assumptions + always @(posedge clk or negedge rst_n) begin + // when writing the write data will change (so that we can line up reads with writes) + assume property (wen |=> wdata != $past(wdata)); + assume (wdata); + end +`endif + +endmodule + +// Define the fifo storage +module storage ( + input wen, ren, clk, rst_n, + input [3:0] waddr, raddr, + input [7:0] wdata, + output [7:0] rdata +); + parameter MAX_DATA = 16; + + // 8 bit data, fifo depth 16 / 4 bit address + // reset not defined + reg [7:0] data [MAX_DATA-1:0]; + always @(posedge clk) begin + if (wen) + data[waddr] <= wdata; + end + + assign rdata = data[raddr]; +endmodule + +// address generator/counter +module addr_gen ( + input en, clk, rst_n, + output reg [3:0] addr +); + parameter MAX_DATA = 16; + + initial begin + addr <= 0; + end + + // async reset + // increment address when enabled + always @(posedge clk or negedge rst_n) begin + if (~rst_n) + addr <= 0; + else if (en) + if (addr == MAX_DATA-1) + addr <= 0; + else + addr <= addr + 1; + else + addr <= addr; + end +endmodule From 679df4d898b90525ac61b6d120d81d586b99c07b Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Wed, 27 Apr 2022 09:05:16 +1200 Subject: [PATCH 02/38] Fixing .gitignore to ignore just directories --- docs/examples/fifo/.gitignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/examples/fifo/.gitignore b/docs/examples/fifo/.gitignore index 22b7dbd..2bcf7d7 100644 --- a/docs/examples/fifo/.gitignore +++ b/docs/examples/fifo/.gitignore @@ -1 +1 @@ -fifo_* \ No newline at end of file +fifo_*/ \ No newline at end of file From ec02e25f5c289a90a6719a77e6113b2f849fbca4 Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Wed, 27 Apr 2022 09:24:14 +1200 Subject: [PATCH 03/38] Split fifo.sv into two files fifo.sv contains the components, top.sv for toplevel design. --- docs/examples/fifo/fifo.sby | 4 +- docs/examples/fifo/fifo.sv | 138 ------------------------------------ docs/examples/fifo/top.sv | 137 +++++++++++++++++++++++++++++++++++ 3 files changed, 140 insertions(+), 139 deletions(-) create mode 100644 docs/examples/fifo/top.sv diff --git a/docs/examples/fifo/fifo.sby b/docs/examples/fifo/fifo.sby index 586e7b3..d6f6c27 100644 --- a/docs/examples/fifo/fifo.sby +++ b/docs/examples/fifo/fifo.sby @@ -15,8 +15,10 @@ cover: smtbmc prove: abc pdr [script] -read -formal fifo.sv +read -sv fifo.sv +read -formal top.sv prep -top fifo [files] fifo.sv +top.sv diff --git a/docs/examples/fifo/fifo.sv b/docs/examples/fifo/fifo.sv index 5d30883..5e7e6c8 100644 --- a/docs/examples/fifo/fifo.sv +++ b/docs/examples/fifo/fifo.sv @@ -1,141 +1,3 @@ -// Define our top level fifo entity -module fifo ( - input wen, ren, clk, rst_n, - input [7:0] wdata, - output [7:0] rdata, - output [3:0] count, - output full, empty -); - parameter MAX_DATA = 16; - - // internals - reg [3:0] data_count; - initial begin - data_count <= 0; - end - - // wire up our sub modules - wire [3:0] waddr, raddr; - wire wskip, rskip; - storage #(.MAX_DATA(MAX_DATA)) fifo_storage ( - .wen (wen ), - .ren (ren ), - .clk (clk ), - .rst_n (rst_n), - .waddr (waddr), - .raddr (raddr), - .wdata (wdata), - .rdata (rdata) - ); - - addr_gen #(.MAX_DATA(MAX_DATA)) fifo_writer ( - .en (wen || wskip), - .clk (clk ), - .rst_n (rst_n), - .addr (waddr) - ); - - addr_gen #(.MAX_DATA(MAX_DATA)) fifo_reader ( - .en (ren || rskip), - .clk (clk ), - .rst_n (rst_n), - .addr (raddr) - ); - - always @(posedge clk or negedge rst_n) begin - if (~rst_n) - data_count <= 0; - else if (wen && !ren && data_count < MAX_DATA-1) - data_count <= data_count + 1; - else if (ren && !wen && data_count > 0) - data_count <= data_count - 1; - else - data_count <= data_count; - end - - assign full = data_count == MAX_DATA-1; - assign empty = data_count == 0; - assign count = data_count; - - // write while full => overwrite oldest data, move read pointer - assign rskip = wen && !ren && data_count >= MAX_DATA-1; - // read while empty => read invalid data, keep write pointer in sync - assign wskip = ren && !wen && data_count == 0; - -`ifdef FORMAL - // observers - wire [4:0] addr_diff; - assign addr_diff = waddr >= raddr ? waddr - raddr : waddr + MAX_DATA - raddr; - - // tests should not run through a reset - // not entirely sure what this actually does - default clocking @(posedge clk); endclocking - default disable iff (~rst_n); - - // tests - always @(posedge clk or negedge rst_n) begin - // waddr and raddr are zero while reset is low - ap_reset: assert property (~rst_n |=> !waddr && !raddr); - wp_reset: cover property (rst_n); - - // waddr and raddr can only be non zero if reset is high - ap_nreset: assert property (waddr || raddr |=> $past(rst_n)); - wp_nreset: cover property (waddr || raddr); - - // count never less than zero, or more than max - ap_uflow: assert (count >= 0); - ap_uflow2: assert (raddr >= 0); - ap_oflow: assert (count < MAX_DATA); - ap_oflow2: assert (waddr < MAX_DATA); - - // count should be equal to the difference between writer and reader address - ap_count_diff: assert (count == addr_diff); - - // count should only be able to increase or decrease by 1 - ap_counts: assert (count == 0 - || count == $past(count) - || count == $past(count) + 1 - || count == $past(count) - 1); - - // read/write addresses can only increase (or stay the same) - ap_raddr: assert (raddr == 0 - || raddr == $past(raddr) - || raddr == $past(raddr + 1)); - ap_waddr: assert (waddr == 0 - || waddr == $past(waddr) - || waddr == $past(waddr + 1)); - - // read/write enables enable - ap_raddr2: assert property (ren |=> raddr != $past(raddr)); - ap_waddr2: assert property (wen |=> waddr != $past(waddr)); - - // read/write needs enable UNLESS full/empty - ap_raddr3: assert property (!ren && !full |=> raddr == $past(raddr)); - ap_waddr3: assert property (!wen && !empty |=> waddr == $past(waddr)); - - // full and empty work as expected - ap_full: assert property (wen && !ren && count == MAX_DATA-2 |=> full); - wp_full: cover property (wen && !ren && count == MAX_DATA-2); - ap_empty: assert property (ren && !wen && count == 1 |=> empty); - wp_empty: cover property (ren && !wen && count == 1); - - // can we corrupt our data? - ap_overfill: assert property (wen && full |=> raddr != $past(raddr)); - wp_overfill: cover property (wen && full); - ap_underfill: assert property (ren && empty |=> waddr != $past(waddr)); - wp_underfill: cover property (ren && empty); - end - - // assumptions - always @(posedge clk or negedge rst_n) begin - // when writing the write data will change (so that we can line up reads with writes) - assume property (wen |=> wdata != $past(wdata)); - assume (wdata); - end -`endif - -endmodule - // Define the fifo storage module storage ( input wen, ren, clk, rst_n, diff --git a/docs/examples/fifo/top.sv b/docs/examples/fifo/top.sv new file mode 100644 index 0000000..07f4004 --- /dev/null +++ b/docs/examples/fifo/top.sv @@ -0,0 +1,137 @@ +// Define our top level fifo entity +module fifo ( + input wen, ren, clk, rst_n, + input [7:0] wdata, + output [7:0] rdata, + output [3:0] count, + output full, empty +); + parameter MAX_DATA = 16; + + // internals + reg [3:0] data_count; + initial begin + data_count <= 0; + end + + // wire up our sub modules + wire [3:0] waddr, raddr; + wire wskip, rskip; + storage #(.MAX_DATA(MAX_DATA)) fifo_storage ( + .wen (wen ), + .ren (ren ), + .clk (clk ), + .rst_n (rst_n), + .waddr (waddr), + .raddr (raddr), + .wdata (wdata), + .rdata (rdata) + ); + + addr_gen #(.MAX_DATA(MAX_DATA)) fifo_writer ( + .en (wen || wskip), + .clk (clk ), + .rst_n (rst_n), + .addr (waddr) + ); + + addr_gen #(.MAX_DATA(MAX_DATA)) fifo_reader ( + .en (ren || rskip), + .clk (clk ), + .rst_n (rst_n), + .addr (raddr) + ); + + always @(posedge clk or negedge rst_n) begin + if (~rst_n) + data_count <= 0; + else if (wen && !ren && data_count < MAX_DATA-1) + data_count <= data_count + 1; + else if (ren && !wen && data_count > 0) + data_count <= data_count - 1; + else + data_count <= data_count; + end + + assign full = data_count == MAX_DATA-1; + assign empty = data_count == 0; + assign count = data_count; + + // write while full => overwrite oldest data, move read pointer + assign rskip = wen && !ren && data_count >= MAX_DATA-1; + // read while empty => read invalid data, keep write pointer in sync + assign wskip = ren && !wen && data_count == 0; + +`ifdef FORMAL + // observers + wire [4:0] addr_diff; + assign addr_diff = waddr >= raddr ? waddr - raddr : waddr + MAX_DATA - raddr; + + // tests should not run through a reset + // not entirely sure what this actually does + default clocking @(posedge clk); endclocking + default disable iff (~rst_n); + + // tests + always @(posedge clk or negedge rst_n) begin + // waddr and raddr are zero while reset is low + ap_reset: assert property (~rst_n |=> !waddr && !raddr); + wp_reset: cover property (rst_n); + + // waddr and raddr can only be non zero if reset is high + ap_nreset: assert property (waddr || raddr |=> $past(rst_n)); + wp_nreset: cover property (waddr || raddr); + + // count never less than zero, or more than max + ap_uflow: assert (count >= 0); + ap_uflow2: assert (raddr >= 0); + ap_oflow: assert (count < MAX_DATA); + ap_oflow2: assert (waddr < MAX_DATA); + + // count should be equal to the difference between writer and reader address + ap_count_diff: assert (count == addr_diff); + + // count should only be able to increase or decrease by 1 + ap_counts: assert (count == 0 + || count == $past(count) + || count == $past(count) + 1 + || count == $past(count) - 1); + + // read/write addresses can only increase (or stay the same) + ap_raddr: assert (raddr == 0 + || raddr == $past(raddr) + || raddr == $past(raddr + 1)); + ap_waddr: assert (waddr == 0 + || waddr == $past(waddr) + || waddr == $past(waddr + 1)); + + // read/write enables enable + ap_raddr2: assert property (ren |=> raddr != $past(raddr)); + ap_waddr2: assert property (wen |=> waddr != $past(waddr)); + + // read/write needs enable UNLESS full/empty + ap_raddr3: assert property (!ren && !full |=> raddr == $past(raddr)); + ap_waddr3: assert property (!wen && !empty |=> waddr == $past(waddr)); + + // full and empty work as expected + ap_full: assert property (wen && !ren && count == MAX_DATA-2 |=> full); + wp_full: cover property (wen && !ren && count == MAX_DATA-2); + ap_empty: assert property (ren && !wen && count == 1 |=> empty); + wp_empty: cover property (ren && !wen && count == 1); + + // can we corrupt our data? + ap_overfill: assert property (wen && full |=> raddr != $past(raddr)); + wp_overfill: cover property (wen && full); + ap_underfill: assert property (ren && empty |=> waddr != $past(waddr)); + wp_underfill: cover property (ren && empty); + end + + // assumptions + always @(posedge clk or negedge rst_n) begin + // when writing the write data will change (so that we can line up reads with writes) + assume property (wen |=> wdata != $past(wdata)); + assume (wdata); + end +`endif + +endmodule From e106d5c16186ec46b5121a592b721fcd8da45aab Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Wed, 27 Apr 2022 09:36:44 +1200 Subject: [PATCH 04/38] Adjusting assumptions --- docs/examples/fifo/top.sv | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/examples/fifo/top.sv b/docs/examples/fifo/top.sv index 07f4004..5e06692 100644 --- a/docs/examples/fifo/top.sv +++ b/docs/examples/fifo/top.sv @@ -128,9 +128,9 @@ module fifo ( // assumptions always @(posedge clk or negedge rst_n) begin - // when writing the write data will change (so that we can line up reads with writes) + // data will change when writing (and only when writing) so we can line up reads with writes assume property (wen |=> wdata != $past(wdata)); - assume (wdata); + assume property (!wen |=> wdata == $past(wdata)); end `endif From e8c5ae678d6cff315b057ad59ea3705f16eb343d Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Mon, 2 May 2022 10:31:51 +1200 Subject: [PATCH 05/38] Adding instructions for CAD Currently taken verbatim from this repo's README.md --- docs/source/install.rst | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/docs/source/install.rst b/docs/source/install.rst index 293ee71..7f198b2 100644 --- a/docs/source/install.rst +++ b/docs/source/install.rst @@ -1,5 +1,29 @@ -Installing -========== +CAD Suite(s) +============ + +SymbiYosys (sby) is part of the `Tabby CAD Suite +`_ and the `OSS CAD Suite +`_! The easiest way to use sby +is to install the binary software suite, which contains all required +dependencies, including all supported solvers. + +* `Contact YosysHQ `_ for a `Tabby CAD Suite + `_ Evaluation License and + download link +* OR go to https://github.com/YosysHQ/oss-cad-suite-build/releases to download + the free OSS CAD Suite +* Follow the `Install Instructions on GitHub + `_ + +Make sure to get a Tabby CAD Suite Evaluation License for extensive +SystemVerilog Assertion (SVA) support, as well as industry-grade SystemVerilog +and VHDL parsers! + +For more information about the difference between Tabby CAD Suite and the OSS +CAD Suite, please visit https://www.yosyshq.com/tabby-cad-datasheet. + +Installing from source +====================== Follow the instructions below to install SymbiYosys and its dependencies. Yosys, SymbiYosys, and Z3 are non-optional. The other packages are only From f33c2eda522214fe4a9371b368cbcbdc179c5aa2 Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Mon, 2 May 2022 10:43:10 +1200 Subject: [PATCH 06/38] Updating/rearranging links --- docs/source/install.rst | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/docs/source/install.rst b/docs/source/install.rst index 7f198b2..98dcc11 100644 --- a/docs/source/install.rst +++ b/docs/source/install.rst @@ -45,7 +45,7 @@ Installing prerequisites (this command is for Ubuntu 16.04): Yosys, Yosys-SMTBMC and ABC --------------------------- -https://yosyshq.net/yosys/ +https://www.yosyshq.com/open-source https://people.eecs.berkeley.edu/~alanmi/abc/ @@ -53,7 +53,7 @@ Next install Yosys, Yosys-SMTBMC and ABC (``yosys-abc``): .. code-block:: text - git clone https://github.com/YosysHQ/yosys.git yosys + git clone https://github.com/YosysHQ/yosys cd yosys make -j$(nproc) sudo make install @@ -61,26 +61,12 @@ Next install Yosys, Yosys-SMTBMC and ABC (``yosys-abc``): SymbiYosys ---------- -https://github.com/YosysHQ/SymbiYosys +https://github.com/YosysHQ/sby .. code-block:: text - git clone https://github.com/YosysHQ/SymbiYosys.git SymbiYosys - cd SymbiYosys - sudo make install - -Yices 2 -------- - -http://yices.csl.sri.com/ - -.. code-block:: text - - git clone https://github.com/SRI-CSL/yices2.git yices2 - cd yices2 - autoconf - ./configure - make -j$(nproc) + git clone https://github.com/YosysHQ/sby + cd sby sudo make install Z3 @@ -90,13 +76,27 @@ https://github.com/Z3Prover/z3/wiki .. code-block:: text - git clone https://github.com/Z3Prover/z3.git z3 + git clone https://github.com/Z3Prover/z3 cd z3 python scripts/mk_make.py cd build make -j$(nproc) sudo make install +Yices 2 +------- + +http://yices.csl.sri.com/ + +.. code-block:: text + + git clone https://github.com/SRI-CSL/yices2 + cd yices2 + autoconf + ./configure + make -j$(nproc) + sudo make install + super_prove ----------- From 48d846d529485b0b5a02774609bc1530e482c236 Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Mon, 2 May 2022 12:20:27 +1200 Subject: [PATCH 07/38] Adjusting for use with OSS i.e. doesn't use concurrent assertions --- docs/examples/fifo/top.sv | 108 +++++++++++++++++++------------------- 1 file changed, 55 insertions(+), 53 deletions(-) diff --git a/docs/examples/fifo/top.sv b/docs/examples/fifo/top.sv index 5e06692..e153a57 100644 --- a/docs/examples/fifo/top.sv +++ b/docs/examples/fifo/top.sv @@ -54,7 +54,7 @@ module fifo ( end assign full = data_count == MAX_DATA-1; - assign empty = data_count == 0; + assign empty = (data_count == 0) && rst_n; assign count = data_count; // write while full => overwrite oldest data, move read pointer @@ -65,72 +65,74 @@ module fifo ( `ifdef FORMAL // observers wire [4:0] addr_diff; - assign addr_diff = waddr >= raddr ? waddr - raddr : waddr + MAX_DATA - raddr; - - // tests should not run through a reset - // not entirely sure what this actually does - default clocking @(posedge clk); endclocking - default disable iff (~rst_n); + assign addr_diff = waddr >= raddr + ? waddr - raddr + : waddr + MAX_DATA - raddr; // tests - always @(posedge clk or negedge rst_n) begin - // waddr and raddr are zero while reset is low - ap_reset: assert property (~rst_n |=> !waddr && !raddr); - wp_reset: cover property (rst_n); + always @(posedge clk) begin + if (rst_n) begin + // waddr and raddr can only be non zero if reset is high + w_nreset: cover (waddr || raddr); - // waddr and raddr can only be non zero if reset is high - ap_nreset: assert property (waddr || raddr |=> $past(rst_n)); - wp_nreset: cover property (waddr || raddr); + // count never less than zero, or more than max + a_uflow: assert (count >= 0); + a_uflow2: assert (raddr >= 0); + a_oflow: assert (count < MAX_DATA); + a_oflow2: assert (waddr < MAX_DATA); - // count never less than zero, or more than max - ap_uflow: assert (count >= 0); - ap_uflow2: assert (raddr >= 0); - ap_oflow: assert (count < MAX_DATA); - ap_oflow2: assert (waddr < MAX_DATA); + // count should be equal to the difference between writer and reader address + a_count_diff: assert (count == addr_diff); - // count should be equal to the difference between writer and reader address - ap_count_diff: assert (count == addr_diff); + // count should only be able to increase or decrease by 1 + a_counts: assert (count == 0 + || count == $past(count) + || count == $past(count) + 1 + || count == $past(count) - 1); - // count should only be able to increase or decrease by 1 - ap_counts: assert (count == 0 - || count == $past(count) - || count == $past(count) + 1 - || count == $past(count) - 1); + // read/write addresses can only increase (or stay the same) + a_raddr: assert (raddr == 0 + || raddr == $past(raddr) + || raddr == $past(raddr + 1)); + a_waddr: assert (waddr == 0 + || waddr == $past(waddr) + || waddr == $past(waddr + 1)); - // read/write addresses can only increase (or stay the same) - ap_raddr: assert (raddr == 0 - || raddr == $past(raddr) - || raddr == $past(raddr + 1)); - ap_waddr: assert (waddr == 0 - || waddr == $past(waddr) - || waddr == $past(waddr + 1)); + // read/write enables enable + // ap_raddr2: assert property (ren |=> raddr != $past(raddr)); + // ap_waddr2: assert property (wen |=> waddr != $past(waddr)); - // read/write enables enable - ap_raddr2: assert property (ren |=> raddr != $past(raddr)); - ap_waddr2: assert property (wen |=> waddr != $past(waddr)); + // read/write needs enable UNLESS full/empty + // ap_raddr3: assert property (!ren && !full |=> raddr == $past(raddr)); + // ap_waddr3: assert property (!wen && !empty |=> waddr == $past(waddr)); - // read/write needs enable UNLESS full/empty - ap_raddr3: assert property (!ren && !full |=> raddr == $past(raddr)); - ap_waddr3: assert property (!wen && !empty |=> waddr == $past(waddr)); + // full and empty work as expected + a_full: assert (!full || full && count == MAX_DATA-1); + w_full: cover (wen && !ren && count == MAX_DATA-2); + a_empty: assert (!empty || empty && count == 0); + w_empty: cover property (ren && !wen && count == 1); + + // can we corrupt our data? + // ap_overfill: assert property (wen && full |=> raddr != $past(raddr)); + w_overfill: cover ($past(rskip) && raddr); + // ap_underfill: assert property (ren && empty |=> waddr != $past(waddr)); + w_underfill: cover ($past(wskip) && waddr); + end else begin + // waddr and raddr are zero while reset is low + a_reset: assert (!waddr && !raddr); + w_reset: cover (~rst_n); - // full and empty work as expected - ap_full: assert property (wen && !ren && count == MAX_DATA-2 |=> full); - wp_full: cover property (wen && !ren && count == MAX_DATA-2); - ap_empty: assert property (ren && !wen && count == 1 |=> empty); - wp_empty: cover property (ren && !wen && count == 1); - - // can we corrupt our data? - ap_overfill: assert property (wen && full |=> raddr != $past(raddr)); - wp_overfill: cover property (wen && full); - ap_underfill: assert property (ren && empty |=> waddr != $past(waddr)); - wp_underfill: cover property (ren && empty); + // outputs are zero while reset is low + a_zero_out: assert (!empty && !full && !count); + end end // assumptions - always @(posedge clk or negedge rst_n) begin + always @(posedge clk) begin // data will change when writing (and only when writing) so we can line up reads with writes - assume property (wen |=> wdata != $past(wdata)); - assume property (!wen |=> wdata == $past(wdata)); + assume ((wen && wdata != $past(wdata)) || (!wen && wdata == $past(wdata))); + // assume property (wen |=> wdata != $past(wdata)); + // assume property (!wen |=> wdata == $past(wdata)); end `endif From 60de15293dce8816a15c731d8c9fd943b230b881 Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Mon, 2 May 2022 12:34:57 +1200 Subject: [PATCH 08/38] Now actually fills up properly As opposed to only storing MAX-1 --- docs/examples/fifo/top.sv | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/docs/examples/fifo/top.sv b/docs/examples/fifo/top.sv index e153a57..0db2ece 100644 --- a/docs/examples/fifo/top.sv +++ b/docs/examples/fifo/top.sv @@ -3,13 +3,13 @@ module fifo ( input wen, ren, clk, rst_n, input [7:0] wdata, output [7:0] rdata, - output [3:0] count, + output [4:0] count, output full, empty ); parameter MAX_DATA = 16; // internals - reg [3:0] data_count; + reg [4:0] data_count; initial begin data_count <= 0; end @@ -45,7 +45,7 @@ module fifo ( always @(posedge clk or negedge rst_n) begin if (~rst_n) data_count <= 0; - else if (wen && !ren && data_count < MAX_DATA-1) + else if (wen && !ren && data_count < MAX_DATA) data_count <= data_count + 1; else if (ren && !wen && data_count > 0) data_count <= data_count - 1; @@ -53,12 +53,12 @@ module fifo ( data_count <= data_count; end - assign full = data_count == MAX_DATA-1; + assign full = data_count == MAX_DATA; assign empty = (data_count == 0) && rst_n; assign count = data_count; // write while full => overwrite oldest data, move read pointer - assign rskip = wen && !ren && data_count >= MAX_DATA-1; + assign rskip = wen && !ren && data_count >= MAX_DATA; // read while empty => read invalid data, keep write pointer in sync assign wskip = ren && !wen && data_count == 0; @@ -78,11 +78,12 @@ module fifo ( // count never less than zero, or more than max a_uflow: assert (count >= 0); a_uflow2: assert (raddr >= 0); - a_oflow: assert (count < MAX_DATA); + a_oflow: assert (count <= MAX_DATA); a_oflow2: assert (waddr < MAX_DATA); // count should be equal to the difference between writer and reader address - a_count_diff: assert (count == addr_diff); + a_count_diff: assert (count == addr_diff + || count == MAX_DATA && addr_diff == 0); // count should only be able to increase or decrease by 1 a_counts: assert (count == 0 @@ -107,8 +108,8 @@ module fifo ( // ap_waddr3: assert property (!wen && !empty |=> waddr == $past(waddr)); // full and empty work as expected - a_full: assert (!full || full && count == MAX_DATA-1); - w_full: cover (wen && !ren && count == MAX_DATA-2); + a_full: assert (!full || full && count == MAX_DATA); + w_full: cover (wen && !ren && count == MAX_DATA-1); a_empty: assert (!empty || empty && count == 0); w_empty: cover property (ren && !wen && count == 1); From 8f227336980e14597c794626d84a3ccad9d1d8c9 Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Wed, 4 May 2022 10:07:31 +1200 Subject: [PATCH 09/38] Revert change from yosyshq.net to yosyshq.com --- docs/source/install.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/install.rst b/docs/source/install.rst index 98dcc11..068736b 100644 --- a/docs/source/install.rst +++ b/docs/source/install.rst @@ -45,7 +45,7 @@ Installing prerequisites (this command is for Ubuntu 16.04): Yosys, Yosys-SMTBMC and ABC --------------------------- -https://www.yosyshq.com/open-source +https://yosyshq.net/yosys/ https://people.eecs.berkeley.edu/~alanmi/abc/ From 12b854b55457636daee615eb796d9d591b18bd6a Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Wed, 4 May 2022 10:50:38 +1200 Subject: [PATCH 10/38] Headings for optional/required installs --- docs/source/install.rst | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/docs/source/install.rst b/docs/source/install.rst index 068736b..686adfb 100644 --- a/docs/source/install.rst +++ b/docs/source/install.rst @@ -42,8 +42,11 @@ Installing prerequisites (this command is for Ubuntu 16.04): libboost-program-options-dev autoconf libgmp-dev \ cmake curl +Required components +------------------- + Yosys, Yosys-SMTBMC and ABC ---------------------------- +^^^^^^^^^^^^^^^^^^^^^^^^^^^ https://yosyshq.net/yosys/ @@ -59,7 +62,7 @@ Next install Yosys, Yosys-SMTBMC and ABC (``yosys-abc``): sudo make install SymbiYosys ----------- +^^^^^^^^^^ https://github.com/YosysHQ/sby @@ -70,7 +73,7 @@ https://github.com/YosysHQ/sby sudo make install Z3 --- +^^ https://github.com/Z3Prover/z3/wiki @@ -83,8 +86,11 @@ https://github.com/Z3Prover/z3/wiki make -j$(nproc) sudo make install +Optional components +------------------- + Yices 2 -------- +^^^^^^^ http://yices.csl.sri.com/ @@ -98,7 +104,7 @@ http://yices.csl.sri.com/ sudo make install super_prove ------------ +^^^^^^^^^^^ https://github.com/sterin/super-prove-build @@ -136,7 +142,7 @@ And make this wrapper script executable: sudo chmod +x /usr/local/bin/suprove Avy ---- +^^^ https://arieg.bitbucket.io/avy/ @@ -151,7 +157,7 @@ https://arieg.bitbucket.io/avy/ sudo cp avy/src/{avy,avybmc} /usr/local/bin/ Boolector ---------- +^^^^^^^^^ http://fmv.jku.at/boolector/ From 7468e7655d25f98d6ccc43b41e4d94157e85b512 Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Tue, 10 May 2022 11:03:40 +1200 Subject: [PATCH 11/38] Alignment fixing --- docs/examples/fifo/top.sv | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/examples/fifo/top.sv b/docs/examples/fifo/top.sv index 0db2ece..428bf1f 100644 --- a/docs/examples/fifo/top.sv +++ b/docs/examples/fifo/top.sv @@ -108,10 +108,10 @@ module fifo ( // ap_waddr3: assert property (!wen && !empty |=> waddr == $past(waddr)); // full and empty work as expected - a_full: assert (!full || full && count == MAX_DATA); - w_full: cover (wen && !ren && count == MAX_DATA-1); + a_full: assert (!full || full && count == MAX_DATA); + w_full: cover (wen && !ren && count == MAX_DATA-1); a_empty: assert (!empty || empty && count == 0); - w_empty: cover property (ren && !wen && count == 1); + w_empty: cover (ren && !wen && count == 1); // can we corrupt our data? // ap_overfill: assert property (wen && full |=> raddr != $past(raddr)); From ee15ebd0f12bd727b4ce941868f9b49c851c35a1 Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Tue, 10 May 2022 11:40:17 +1200 Subject: [PATCH 12/38] Title case for license.rst --- docs/source/license.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/license.rst b/docs/source/license.rst index e102ae1..786dc59 100644 --- a/docs/source/license.rst +++ b/docs/source/license.rst @@ -1,5 +1,5 @@ -SymbiYosys License +SymbiYosys license ================== SymbiYosys (sby) itself is licensed under the ISC license: From 7ec35dc4255bec380ecc619ff99cb0d8d6bae6f0 Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Tue, 10 May 2022 11:41:01 +1200 Subject: [PATCH 13/38] Adding (small) intro to installation guide Also a cross reference link. --- docs/source/install.rst | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/docs/source/install.rst b/docs/source/install.rst index 686adfb..db55507 100644 --- a/docs/source/install.rst +++ b/docs/source/install.rst @@ -1,5 +1,12 @@ -CAD Suite(s) -============ +.. _install-doc: + +Installation guide +================== + +This document will guide you through the process of installing SymbiYosys. + +CAD suite(s) +************ SymbiYosys (sby) is part of the `Tabby CAD Suite `_ and the `OSS CAD Suite @@ -23,7 +30,7 @@ For more information about the difference between Tabby CAD Suite and the OSS CAD Suite, please visit https://www.yosyshq.com/tabby-cad-datasheet. Installing from source -====================== +********************** Follow the instructions below to install SymbiYosys and its dependencies. Yosys, SymbiYosys, and Z3 are non-optional. The other packages are only From 21dfd355169ea25158089a42823a9c6102d0cef6 Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Tue, 10 May 2022 11:41:15 +1200 Subject: [PATCH 14/38] Adding new Getting started guide --- docs/source/index.rst | 2 +- docs/source/newstart.rst | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 docs/source/newstart.rst diff --git a/docs/source/index.rst b/docs/source/index.rst index 0527fb4..4ee57a4 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst @@ -20,7 +20,7 @@ at the moment.) :maxdepth: 3 install.rst - quickstart.rst + newstart.rst reference.rst verilog.rst verific.rst diff --git a/docs/source/newstart.rst b/docs/source/newstart.rst new file mode 100644 index 0000000..95921e0 --- /dev/null +++ b/docs/source/newstart.rst @@ -0,0 +1,9 @@ + +Getting started +=============== + +.. note:: This tutorial assumes sby installation as per the :ref:`install-doc`. + It is also recommended to install + `GTKWave `_, an open source VCD viewer. + + From fc9ff3d73323d900e1f5d44b7af121647818d372 Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Tue, 10 May 2022 12:08:49 +1200 Subject: [PATCH 15/38] Initial FIFO description --- docs/source/newstart.rst | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/docs/source/newstart.rst b/docs/source/newstart.rst index 95921e0..0f13f2b 100644 --- a/docs/source/newstart.rst +++ b/docs/source/newstart.rst @@ -6,4 +6,31 @@ Getting started It is also recommended to install `GTKWave `_, an open source VCD viewer. +First In, First Out (FIFO) buffer +******************************** +From `Wikipedia `_, +a FIFO is + + a method for organizing the manipulation of a data structure (often, + specifically a data buffer) where the oldest (first) entry, or "head" of the + queue, is processed first. + + Such processing is analogous to servicing people in a queue area on a + first-come, first-served (FCFS) basis, i.e. in the same sequence in which + they arrive at the queue's tail. + +In hardware we can create such a construct by providing two addresses into a +register file. See the Verilog code below for the two main modules of an +example implementation. + +.. literalinclude:: ../examples/fifo/fifo.sv + :language: systemverilog + +Notice that this register design includes a synchronous write and asynchronous +read. Each word is 8 bits, and up to 16 words can be stored in the buffer. The +address generator module will be instantiated twice; once for the write address +and once for the read address. In both cases, the address will start at and +reset to 0, and will increment by 1 when an enable signal is received. When the +address pointers increment from the maximum storage value they reset back to 0, +providing a circular queue. From b18f22cf433dfd0f33d490611121856d84ac303c Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Tue, 31 May 2022 11:18:05 +1200 Subject: [PATCH 16/38] Removing install details for optional engines --- docs/source/install.rst | 78 +++++------------------------------------ 1 file changed, 8 insertions(+), 70 deletions(-) diff --git a/docs/source/install.rst b/docs/source/install.rst index db55507..418a0c5 100644 --- a/docs/source/install.rst +++ b/docs/source/install.rst @@ -95,87 +95,25 @@ https://github.com/Z3Prover/z3/wiki Optional components ------------------- +Additional solver engines can be installed as per their instructions, links are +provided below. Yices 2 ^^^^^^^ + http://yices.csl.sri.com/ -http://yices.csl.sri.com/ - -.. code-block:: text - - git clone https://github.com/SRI-CSL/yices2 - cd yices2 - autoconf - ./configure - make -j$(nproc) - sudo make install + https://github.com/SRI-CSL/yices2 super_prove ^^^^^^^^^^^ - -https://github.com/sterin/super-prove-build - -.. code-block:: text - - sudo apt-get install cmake ninja-build g++ python-dev python-setuptools \ - python-pip git - git clone --recursive https://github.com/sterin/super-prove-build - cd super-prove-build - mkdir build - cd build - cmake -DCMAKE_BUILD_TYPE=Release -G Ninja .. - ninja - ninja package - -This creates a .tar.gz archive for the target system. Extract it to -``/usr/local/super_prove`` - -.. code-block:: text - - sudo tar -C /usr/local -x super_prove-X-Y-Release.tar.gz - -Then create a wrapper script ``/usr/local/bin/suprove`` with the following contents: - -.. code-block:: text - - #!/bin/bash - tool=super_prove; if [ "$1" != "${1#+}" ]; then tool="${1#+}"; shift; fi - exec /usr/local/super_prove/bin/${tool}.sh "$@" - -And make this wrapper script executable: - -.. code-block:: text - - sudo chmod +x /usr/local/bin/suprove + https://github.com/sterin/super-prove-build Avy ^^^ - -https://arieg.bitbucket.io/avy/ - -.. code-block:: text - - git clone https://bitbucket.org/arieg/extavy.git - cd extavy - git submodule update --init - mkdir build; cd build - cmake -DCMAKE_BUILD_TYPE=Release .. - make -j$(nproc) - sudo cp avy/src/{avy,avybmc} /usr/local/bin/ + https://arieg.bitbucket.io/avy/ Boolector ^^^^^^^^^ + http://fmv.jku.at/boolector/ -http://fmv.jku.at/boolector/ - -.. code-block:: text - - git clone https://github.com/boolector/boolector - cd boolector - ./contrib/setup-btor2tools.sh - ./contrib/setup-lingeling.sh - ./configure.sh - make -C build -j$(nproc) - sudo cp build/bin/{boolector,btor*} /usr/local/bin/ - sudo cp deps/btor2tools/bin/btorsim /usr/local/bin/ - + https://github.com/boolector/boolector From f5257011f6ec9a4ad82925d1f73b81205670b160 Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Tue, 31 May 2022 11:31:20 +1200 Subject: [PATCH 17/38] Specifying z3 to support minimum required install --- docs/examples/fifo/fifo.sby | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/examples/fifo/fifo.sby b/docs/examples/fifo/fifo.sby index d6f6c27..91cb3c5 100644 --- a/docs/examples/fifo/fifo.sby +++ b/docs/examples/fifo/fifo.sby @@ -11,7 +11,7 @@ mode prove -- [engines] -cover: smtbmc +cover: smtbmc z3 prove: abc pdr [script] From aed5a33bef3a2252a1c03359541f727559a2b620 Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Tue, 7 Jun 2022 10:22:04 +1200 Subject: [PATCH 18/38] Add init check Prevent rst_n from going low once it has gone high. --- docs/examples/fifo/top.sv | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/examples/fifo/top.sv b/docs/examples/fifo/top.sv index 428bf1f..3e12601 100644 --- a/docs/examples/fifo/top.sv +++ b/docs/examples/fifo/top.sv @@ -69,6 +69,15 @@ module fifo ( ? waddr - raddr : waddr + MAX_DATA - raddr; + reg init = 0; + always @(posedge clk) begin + if (rst_n) + init <= 1; + // if init is low we don't care about the value of rst_n + // if init is high (rst_n has ben high), then rst_n must remain high + assume (!init || init && rst_n); + end + // tests always @(posedge clk) begin if (rst_n) begin From fef6d3a8a68aa66a090fe11357417c71280bab1f Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Tue, 7 Jun 2022 11:49:25 +1200 Subject: [PATCH 19/38] Adding USE_VERIFIC flag Adding variations in .sby file where tabby uses verific and oss doesn't. --- docs/examples/fifo/fifo.sby | 8 +++++-- docs/examples/fifo/top.sv | 45 ++++++++++++++++++++++++------------- 2 files changed, 35 insertions(+), 18 deletions(-) diff --git a/docs/examples/fifo/fifo.sby b/docs/examples/fifo/fifo.sby index 91cb3c5..ab063a9 100644 --- a/docs/examples/fifo/fifo.sby +++ b/docs/examples/fifo/fifo.sby @@ -1,6 +1,9 @@ [tasks] -cover -prove +prove_oss prove oss +prove_tabby prove tabby +cover_oss cover oss +cover_tabby cover tabby +prove_oss cover_oss : default [options] cover: @@ -16,6 +19,7 @@ prove: abc pdr [script] read -sv fifo.sv +tabby: read -define USE_VERIFIC=1 read -formal top.sv prep -top fifo diff --git a/docs/examples/fifo/top.sv b/docs/examples/fifo/top.sv index 3e12601..f9ba475 100644 --- a/docs/examples/fifo/top.sv +++ b/docs/examples/fifo/top.sv @@ -108,14 +108,6 @@ module fifo ( || waddr == $past(waddr) || waddr == $past(waddr + 1)); - // read/write enables enable - // ap_raddr2: assert property (ren |=> raddr != $past(raddr)); - // ap_waddr2: assert property (wen |=> waddr != $past(waddr)); - - // read/write needs enable UNLESS full/empty - // ap_raddr3: assert property (!ren && !full |=> raddr == $past(raddr)); - // ap_waddr3: assert property (!wen && !empty |=> waddr == $past(waddr)); - // full and empty work as expected a_full: assert (!full || full && count == MAX_DATA); w_full: cover (wen && !ren && count == MAX_DATA-1); @@ -123,9 +115,7 @@ module fifo ( w_empty: cover (ren && !wen && count == 1); // can we corrupt our data? - // ap_overfill: assert property (wen && full |=> raddr != $past(raddr)); w_overfill: cover ($past(rskip) && raddr); - // ap_underfill: assert property (ren && empty |=> waddr != $past(waddr)); w_underfill: cover ($past(wskip) && waddr); end else begin // waddr and raddr are zero while reset is low @@ -137,13 +127,36 @@ module fifo ( end end - // assumptions +`ifdef USE_VERIFIC + // if we have verific we can also do the following additional tests always @(posedge clk) begin - // data will change when writing (and only when writing) so we can line up reads with writes - assume ((wen && wdata != $past(wdata)) || (!wen && wdata == $past(wdata))); - // assume property (wen |=> wdata != $past(wdata)); - // assume property (!wen |=> wdata == $past(wdata)); + if (rst_n) begin + // read/write enables enable + ap_raddr2: assert property (ren |=> $changed(raddr)); + ap_waddr2: assert property (wen |=> $changed(waddr)); + + // read/write needs enable UNLESS full/empty + ap_raddr3: assert property (!ren && !full |=> $stable(raddr)); + ap_waddr3: assert property (!wen && !empty |=> $stable(waddr)); + + // can we corrupt our data? + ap_overfill: assert property (wen && full |=> $changed(raddr)); + ap_underfill: assert property (ren && empty |=> $changed(waddr)); + + // change data when writing (and only when writing) so we can line + // up reads with writes + assume property (wen |=> $changed(wdata)); + assume property (!wen |=> $stable(wdata)); + end end -`endif +`else // !USE_VERIFIC + // without verific we are more limited in describing the above assumption + always @(posedge clk) begin + assume ((wen && wdata != $past(wdata)) + || (!wen && wdata == $past(wdata))); + end +`endif // USE_VERIFIC + +`endif // FORMAL endmodule From 66ef51d846bcbebaee0579bafe728737f2bb269f Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Tue, 7 Jun 2022 11:50:26 +1200 Subject: [PATCH 20/38] Verification properties in doc --- docs/source/newstart.rst | 79 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 77 insertions(+), 2 deletions(-) diff --git a/docs/source/newstart.rst b/docs/source/newstart.rst index 0f13f2b..bf8dd19 100644 --- a/docs/source/newstart.rst +++ b/docs/source/newstart.rst @@ -7,7 +7,7 @@ Getting started `GTKWave `_, an open source VCD viewer. First In, First Out (FIFO) buffer -******************************** +********************************* From `Wikipedia `_, a FIFO is @@ -33,4 +33,79 @@ address generator module will be instantiated twice; once for the write address and once for the read address. In both cases, the address will start at and reset to 0, and will increment by 1 when an enable signal is received. When the address pointers increment from the maximum storage value they reset back to 0, -providing a circular queue. +providing a circular queue. The top level design implemented, can be found in +``top.sv``. + +Verification properties +*********************** + +In order to verify our design we must first define properties that it must +satisfy. For example, there must never be a negative number of values in the +FIFO. Similarly, there must never be more than there is memory available. By +assigning a signal to count the number of values in the buffer, we can make the +following assertions in the code: + +.. code-block:: systemverilog + + a_uflow: assert (count >= 0); + a_oflow: assert (count <= MAX_DATA); + +It is also possible to use the prior value of a signal for comparison. This can +be used, for example, to ensure that the count is only able to increase or +decrease by 1. A case must be added to handle resetting the count directly to +0, as well as if the count does not change. This can be seen in the following +code; at least one of these conditions must be true at all times if our design +is to be correct. + +.. code-block:: systemverilog + + a_counts: assert (count == 0 + || count == $past(count) + || count == $past(count) + 1 + || count == $past(count) - 1); + +As our count signal is used independently of the read and write pointers, we +must verify that the count is always correct. While the write pointer will +always be at the same point or *after* the read pointer, the circular buffer +means that the write *address* could wrap around and appear *less than* the read +address. So we must first perform some simple arithmetic to find the absolute +difference in addresses, and then compare with the count signal. + +.. code-block:: systemverilog + + assign addr_diff = waddr >= raddr + ? waddr - raddr + : waddr + MAX_DATA - raddr; + + a_count_diff: assert (count == addr_diff + || count == MAX_DATA && addr_diff == 0); + +Concurrent assertions +********************* + +Until this point, all of the properties described have been *immediate* +assertions. As the name suggests, immediate assertions are evaluated +immediately whereas concurrent assertions allow for the capture of sequences of +events which occur across time. The use of concurrent assertions requires a +more advanced parser, such as Verific. Verific is included for use in the +*Tabby CAD Suite*. + +With concurrent assertions we are able to verify more fully that our enables and +status flags work as desired. For example, we can assert that if the read +enable signal is high then the address of the read pointer *must* change. +Because of our earlier *immediate* assertions that the pointer address can only +increment or remain the same we do not need to specify that here. We can also +assert that if the enable is low, and the buffer is not full and potentially +requires a skip in the read address, then the read address will *not* change. + +.. code-block:: systemverilog + + ap_raddr2: assert property (ren |=> $changed(raddr)); + ap_raddr3: assert property (!ren && !full |=> $stable(raddr)); + + +Further information +******************* +For more information on the uses of assertions and the difference between +immediate and concurrent assertions, refer to appnote 109: Property Checking +with SystemVerilog Assertions. From 41e427640a0f54655f523dae9d53bdb04aacaf84 Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Thu, 9 Jun 2022 14:26:17 +1200 Subject: [PATCH 21/38] Adding noskip task Demonstrate failing model check by disabling rskip and wskip. --- docs/examples/fifo/fifo.sby | 4 +++- docs/examples/fifo/top.sv | 5 +++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/docs/examples/fifo/fifo.sby b/docs/examples/fifo/fifo.sby index ab063a9..62e9d85 100644 --- a/docs/examples/fifo/fifo.sby +++ b/docs/examples/fifo/fifo.sby @@ -1,7 +1,8 @@ [tasks] prove_oss prove oss -prove_tabby prove tabby +noskip prove oss cover_oss cover oss +prove_tabby prove tabby cover_tabby cover tabby prove_oss cover_oss : default @@ -20,6 +21,7 @@ prove: abc pdr [script] read -sv fifo.sv tabby: read -define USE_VERIFIC=1 +noskip: read -define NOSKIP=1 read -formal top.sv prep -top fifo diff --git a/docs/examples/fifo/top.sv b/docs/examples/fifo/top.sv index f9ba475..f5eec51 100644 --- a/docs/examples/fifo/top.sv +++ b/docs/examples/fifo/top.sv @@ -57,10 +57,15 @@ module fifo ( assign empty = (data_count == 0) && rst_n; assign count = data_count; +`ifndef NOSKIP // write while full => overwrite oldest data, move read pointer assign rskip = wen && !ren && data_count >= MAX_DATA; // read while empty => read invalid data, keep write pointer in sync assign wskip = ren && !wen && data_count == 0; +`else + assign rskip = 0; + assign wskip = 0; +`endif // NOSKIP `ifdef FORMAL // observers From 069197aeaa4dace1032ffc8ca515bbc280e2239c Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Thu, 9 Jun 2022 14:29:21 +1200 Subject: [PATCH 22/38] Add section on sby to newstart List tasks and run through failing noskip example. Includes pictures (both fail and pass) plus .gtkw file for setting up. --- docs/examples/fifo/noskip.gtkw | 28 ++++++ docs/source/media/gtkwave_coverskip.png | Bin 0 -> 13487 bytes docs/source/media/gtkwave_noskip.png | Bin 0 -> 13593 bytes docs/source/newstart.rst | 111 ++++++++++++++++++++++++ 4 files changed, 139 insertions(+) create mode 100644 docs/examples/fifo/noskip.gtkw create mode 100644 docs/source/media/gtkwave_coverskip.png create mode 100644 docs/source/media/gtkwave_noskip.png diff --git a/docs/examples/fifo/noskip.gtkw b/docs/examples/fifo/noskip.gtkw new file mode 100644 index 0000000..df81a20 --- /dev/null +++ b/docs/examples/fifo/noskip.gtkw @@ -0,0 +1,28 @@ +[*] +[*] GTKWave Analyzer v3.4.0 (w)1999-2022 BSI +[*] Thu Jun 09 02:02:01 2022 +[*] +[timestart] 0 +[size] 1000 320 +[pos] -1 -1 +*-3.253757 18 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 +[sst_width] 246 +[signals_width] 200 +[sst_expanded] 1 +[sst_vpaned_height] 58 +@28 +fifo.clk +@22 +fifo.data_count[4:0] +fifo.addr_diff[4:0] +@28 +fifo.ren +fifo.wen +@22 +fifo.raddr[3:0] +fifo.waddr[3:0] +@28 +fifo.rskip +fifo.wskip +[pattern_trace] 1 +[pattern_trace] 0 diff --git a/docs/source/media/gtkwave_coverskip.png b/docs/source/media/gtkwave_coverskip.png new file mode 100644 index 0000000000000000000000000000000000000000..a0b4d4a414713738972ea59ce26f099d749fe1e3 GIT binary patch literal 13487 zcmeHucT`hpw|B6Cq9CH6QljFBs1#8t0*PY53Oay*l%Uul1rS0>2ujmIh>8w4G!>Om znxK$CAfYITAc!adk`P0S5J>0&LXvwzQ)ig>z3YD8de^tscmDtaob#Oh>}T)a-ut)r zxp~6UV%d_lOF$sdvcre={|W-lMKJksp%L@JcY1JP-dI6=y<||3?khK@y%58rfRleoo@|}zw8n-@P z($jnPpy5z1=jCeF_HxlG8fSYp+iZ=(Sd<|%2KquDX?qTGXZ%~zd!q*qgdEG3)W?sz zbwqseIDsq1j^dXu=Dw;?(IS_CRZRr`r!J;+}*!P^Qu%qpkP6Kc%a-6q(MNy8Qi>Qy^h{b zJl=2vKTvpq+>9M$iy*V}K@@_uwm?bsLgXuG!~#r5~xT}dy>3xGpA+*kIT zbI4x$dU<7poAi%_D_`-8)-D!fx5r2s& zU-jYPg4N&w_;`Q7O}ViV+-TYJn7B19F3Be1jnYR^@s*bsc4**>pTp((BH4yYbkaC@ zzZ&(H7Ph8}Tsg5(ItZuYCU8&&ft(80(Rr>F1pYPSEn$KpDj;UDnn$R>`SC{Z`KuP{ z*YdY!M3T}KBqo!yD1RTZiXa|qFsre-?A${D3>Fk!wYI&*f_}~0=CrcpvcBc%dksp3 zXo^4$)qf-#(Prl|h9KB)11+!z?^(l{-_56pg?rQY%AnVMrG`cOvlhOe`p1^v2I2qi z&&)s`&Nq+I(h@GKU<9=y#nUD(Cqw#?1*vv*39CvM#D4AWzKl*(K5$yTK-U@Su(d$< z40g}udyavHgH>n}Soi@Cd?RvO{P_$_Vomm<_4I4OFy-Ar!(YS@or3uI_{t3nYU=83 zHW*rEH6Wqb-A!3CicWXkmDzcxG9z?7l3SkmCTFf{kiK^?KWvnpnnBMVy2MemYf z$t{>D_?S)Z^ZKk7>$-wFcB8fP&YO}n=qS|p&+XWgChERDh|J-M?oDE@SJTe-*w^w`XT{oXLHF!3 zIC~(y)VZwXF>aN{*yn3xv8ILcwFd+4X9h;1HMrrEccol11Rj6xBGC|Ox)|({?f0pu z?iiaa^r$oQPkG=ZU3~{omwJsSrJ$fy744)d7$M^oa(B`1CocJldnq6HAPQwA-sH3l zNvq?N!bxW{611ZRHaABBx^CJ^k62C6!;Oq|j~ga=gqxsrCJN#*6-*)sZI?`R%Ih&Y z2+>7Angmb#xEj&SC`^3(#`0Acvvc!?3my}N>I6tSBfkrhw~KDaCeq4J=i999 zIQd#7(QTR6$LIQMxr#`r3iD={0-r#-=qrr5$atlhCwAcb{vmim;r5Wzed=2_czR7_`;wiBRhixO)!Dj9o#kx5eNNO_8w&0hnQlBw62|HL0|9mam*|78Vx8P>2C^G51y@#+^$XP=x+1E%B9m$E;}=-fRkLRmqm>{IHAdy1vf`cfOx8v1tqU)6tb7 z>CNm@vf;+3HT9eEj~U-o-ItfD$&C6uYQrjTLfr&V!hzoz&l)Bko86rP7aTOY9@Q^7 zhBNc-WkZ7XOVy5~nEvLQ;ysHcixnT<8kV}Jz&$Z@pE+^96tLBV-&JDsT_A_9D_g17 zR+c7KVRX|;bv?j`!@5(K#;ClpIJ|Ou@zZ|bXeKmvx|yOi(K#q~e!OndG1-&UIj!JXy00{ow#tY90DscRHD@5&M10#xbd^6tVd zHn&{{?eR5VWmYBA`}8{mr`l8vD;A}bw#f8jOBtQtgs=54=G3m?Qd{tqZFxR~^go7a z7vKEb4U}cuXRcj5kk|F%>*rW(X;EcrzKwGmf|R94uU7``W;^|RSvG5Z;xBFMWs&U@ zV_kN|r1W&xSkM=vs~6WYDiyem#omS+=#PF+ z)ZKj6;^VzH{d;{s$xE|dhqrotVAQXMl*oe!H`+T?1G73ZgJR&~D}g}UhG#_) z6iu8@L%sR#ct)+0vG9N3k`r%rv6@c7AQ`l)%IrbSdNP!sOD$U{6O5A1TR(I5v$1lt zgX$uyybe^V))+qHPv0S=7Q^|1lA5=UehohBEZK{U_2}`LIns^|B@mDLhAPp`)4o0` zAG)A5&oBmhFbTAgX(Fv8iGI?7-vONcdzB2 zmjlkLKN5=l-=f+a;ewBeGFLfH*~PmIn_46Xt3E*eERWR<;HAwk36>rGMb>6^PEVc<*}{t%BWG)Vh)e_gKb&QHpqeS11J znquOdu&lZfq~l9V^;)%EHG8*$=LedCi}}W_Nm=055qlQIKj_pEJnn`wK9?uZmj=w; zuYYfVj>~E7f;0||JATDJ6iEHzQysIUYt&eB-;rGcW0f0SC!WifSJ(#xV&BlCFM(Hc z1L@>yH6gzTyUg5vzIQT;na8AS(j!tPx^EXlP7!HA;-IDBGzD&2zeS7q5@B?r+szvr zs9{lW{gCN`EK)Z@|7E*oWkt{eZHq!fb3?6&-XMZ*yt)}vF9emmxsXEhz(hPofdkD% za=_U#r_WZF5|r&Y1oJ>F2q^8aU6Qc1RBf}ycQbAeN_}r1_f%N+TnCOLk8f;Q zVdngcxZ%!$f~a2F;0Voro25Aks)-}wv6lDOAdq+@JKc(l%tGl-2;T@xi!d*4F`nHO z8aHoH5_Q?NuuV+Tl2BJvILFLz#LBYh(D}TlCMyP8f*zf7ol2KCbEH@ z19L_b+KjpV!^Qa;^lLwcZ{G-$=vI3c#!g;1>MaSYP$6Szp|jbx!ZdDkkk2hRfy($o zTz8Z@pB;sge*c48ucs$VGPQl=c+}Fex^aK76s|?$VO20(gLX^24g|FI=M$Yqx_)Ky zL@%O0{`EH^id7mW8#`aen4XWyu4)P+2_HTayg#=E!c;L@B*`7{o5{Ic^MHe4>0D z^z&{eYm`mLg7q7ue{{Q9sVPH=f5*1zBuqr7y2$?{EXKkDwf~Me)3q6NFvITeaNBMi z5h!NzbUCg}h=7-d5g*U}_PYw%p)W0IgWCcR7O-9A!5BI@eHyW1pqML?C zwRG$Rts0-o+N>7vV3)e6LE`-LvoYH~M3r?Tke0i`T`7l?lCD&#Wl$m1BKO|A zyWIob%j+OovL0;EgP!`$6I-2Q#)CGk%^SNh-U&ZQ8qs_zsHMt#Ixc0*FB5*GFq3@E z8pzX5|5myy-|uqnx6Di=iIa9l0n&>=Bq9C^X45&T$Ng3h?Eb(z=EqAJ$-C=n!EOku zXzxxWSkQtSIKfg^%Z9e|0@6_gp-8xTDM5p7*M=_?*CG1HzEpIMj~tACmb!;h)DmEZ z;>w^O-ufPXZwH14*4sv|bpNnhMjN!4f1Ffm{7PWl_xWxY+URa6wr6+_p_ zd*leQEk{^a3Y(e86}3ffp@N!<=0WU(`GCVt+(biY+T`rhSD$Kdo^q~vTl{nu%F|4&mwoRtDO-?Ye)QGIDdx> z|4qSl-BI^U}{p=XI!tT{HL>4K{bMNn&(lshS zyNEdvs>$IUBZ9x0<`1J+$?%0^fIr1jMCp!&hRzt!sh>4BQ%&h&#%PRI!^?G^5{y&U zk#_PTdb7^PM#`cEdoB6*t86e3qnGltAXg*x{{YB&o<=xLf^trEC>xM8xD$csU*{;~3U5mR?)M!@|5BJO0uqWJlDg^4JT4Dj@GP^S z!>dl4W02rIU4u!k`#JxRl#BagS`$&y%YkI`dpw(|Hd3FTvdRqef;7XeMsm9UIAck> z`o&9l_+@%`W-mW?IERu+Nu*?~?mTF)ArU1Hwfs31o>^sE*udHBV^S?w;qfh&*-7GK zg6@?a`~JMBG@#WILGZrqn9d)J-@>THro^L|_J1*jnJRPs)-W%}Ec_Fzbo>iPqFogI z849NAnLGeE;y$O$;nk-`+z|Qy{6|VGp`d`DtbQ#=NoEJLK{W*3M{h|z?Bq^T% zX~9Q3omZLG#Vi-U{Ll~K!baGosn~$=qvYdDxU61MD8DZxN6{pDwD$gF>9iC`nEtNQ z>551n0G=Pxfay~B>!+zwQ^E{SQq*qkMr9pwu>bD&uI!XiH&jjsq~%V9TrQlSNi=0<^QXezf{6J92JB*`c@Sz zV<$+!v|4rz;66VDvFXC|_AagFT@91fP3?_;abof*H5PfwG4_ZTqQ$U=G*0ugv~hob zge@8lC1k`3eYA)IVdVKQyM#fzs-u?TnKo6Khz?(PBA4Vq!5*9{Zs&A8zja}H4Z)e# z_v9ZXIlN2t1Gm)dMP#?s5@;>MD`WNO5xVPYZv894QZ4J?XOi&b)I$iU2WgA=!HA=g zbh1q3+wngO!UXMCm2d?|d6Ps0==vPiW}0BTjn<_%e8q`#a`elv$lwYS#f(UNwj*EH z^1js9<$nj35b1MJ&=vNdjvkIzbyL@qcMm^Rt*uy!mK{EVaL1eF^LDgOGD?#sIvZJM zUHE-!+0xWMUpw!LmWIoH>sMSKR;0F&V10RLC|0#mt2u(eTgw~atm6fOCks0N^>eQC z9XkJK{?+z2{&I;F2=!2vTQZDSVg=0wyQ(J_Ou11sv2B_)n=RfOOBaBG_c;(PsBQW) z^uxP@#8=tbJ|<;m+B%6qi{X3&`pHO$eS5vf|#m)-7dGZ zzucBAXy(*E1nKQ|Ac`FZl1OrK51Ldxaa+f%griVRXjg^NmKnNsrok|lOPzWU`Pdb- zn%)jTBJte`YS0ApE~V%1*NdtNF3XhH1uKRN4DY&6-(Yta*Ha9(VSs5*>B|(wXF+CU`}X~b%-iN@ z_c&fN_!SC&7VU%GL1wJ%T(wKB>1=*3c-r6+F09l8q?i#*Yv|QVDu=u|cKu z=HRhEY>6~2edv*J>kFu>GlZDMrX&djpYA|;i zG1RF>_b|ssi?C(Ja{N5#6|z6&ct`YC0>DVpncIO(Jr6gGroZ+i$;$Kb!fxvreC>x1 z$3<502qaRIIzRT?IhKfD$+l}tOH1=)z^mu0XFC8z-HC3frcnMl1UtSn%b4aNgjZLT z%xtvXG@6)tyE^se6IZzQS!)kAbWn7vJnf?k_)eaT)%I=P+M(3c(w=4}ZG3bqtt`K{ zTND|xxjw5R(I<%OMF(lo3vxU&4RX?WmOlVwb2 zfplPKj|+?bEZAy2**nST6w&()_PyjR+lBaO3lYX>`3mAy&BbVe?QQYhAr7KApp0HU zc7wEmj^8&^mDZR79N6h6FX0V>Z70BRV!XLu>@iBn?Z#dn>P7Wl9aB1NbU3mtKM$hn zQBSyb)LSC{h?Owe%ZwGBZye!G*KQo+4tQRgX@2-e1V(?IPSBxmpX;NS@dGZy4lSk9 zgsGa|8iiGnOv`ts;!Gmf}J9&PfNJa+9PD%VvllK{)T1f96dPQjU6CqILH+- z&@ZJ^eYlj-K!fpd?}tN8IxiTo)F;%@0zQ0{UlU!R*vC(uk%aB}2D>Oa;Eh1;$NXJZ zdkn0qt?r?*Ay^SGvn}taF+q%F?v{io8VLUpa4TW$b30~!w_S692AyX$a~3ju_Bm`j zQ>fQfnL*jQhsdjy5GE7D7a6TZU9Iz9dQIwHS(scGTyiTfn346C}OYfJ|VI`Eb7fwO0?UB-DCi^5RS(G|e6 z*c!j-rYorhKaWxM1UIN~fmh9RVrF_-9-$^G zDvpF5^pvawsf2GgOi-IHc)wAr4V$?DV2LFi9k%L&r*r2)T_j+gG?TO z`E`b6?3#J%7PHnEDhOX$;8=#CisHfoSCY~=@%_Ee^s@duygp-aigbQjK~WUPU3@1o ztkHVA>F7r|4A~=9O-(OlSl$^ssh^-9k}}hTyX_DW$e`SC-)~?mmRi$V@Z9>6Jow3Z zyTcnVW`q%YkWO*DMyP30k$l^oK_F!->kSlyd#g@y%R%w))k=^YghM{XEr-(&7kBfB zm)m@m)wy87m()$*WT4|dk!%1o^er=`b?Pchg}j*Bta3X$yS4&aoV4lLS4+@>N1t() zs_FnIm~uh$kv<@LBr`PCe3i`cfADkYi}->fiHyX~WO;NF)4T z-*wj8d=lIRZ+%OKJZn;~=^c-}{gvm9A`1ArtQ&$e66bFX8FDIo9YD^^%JSa7H1f9c z4yS^cP*R4WBO14b`U@ueR{jH9B5wB>wS7k#0baCB+|oqBDh@RqCvn9!y zuqT{9e9oPI2x&$chV|(@2$Ei(O=Gfb9)vjg5h;Bf<$C3tX$RP4B?ed(;!YqMI3mTL z#adKFZd|;#Q3d0AB2VXs#l;cU*85M{g6}HbJGyvKwd9Lm^ATDyFX%Vx^W3#upCDWW zr&m-TldsUyVST=bXAiI~0>i~)>a3vE(=>~T$X6C<30Y4*3P%MV^{Pcr66U@V-Z$Ry z-SHs8WY)OGB1muZ)og1$;nz&eeBNC583i?Eoqi1#y&kNqFs_qNZuYw|m;p4by-)lL zEFTS_bO-a~s&4|C4C=~A>*pWl7<0?ytB*q<#bL&WiL?L#M`V?sgsPxdZ=#1V+Yn;1 z=|7ROA_zkhEbNNPE^*kG0f z{i$&|NvZsuftl=$9-FK>|AD(voGh>Y#>e;>9Y1fy%}JyAiHkb{_J)o=1_zSkj&5v# zI-Y+*QclkO$dCwIU37%NyY9&)s=XD`E~*ErA!)u&7JlDp&Y5D2kr5r26&-Hq`?@(P z9e~2NguJx0j?s-e^?v#3n*8mdfsR>h?N12}BdLDsNKSMxRd}aAz>kh0ZJF5M>cy-< zQH}>NHxb~RA&~)xFj+xwn&dmaD{-2*Kv@}QTHj862iL~XM76JLulqZs5(N1fAGAXQ z<#3TAb3cpJO#4FJw3TCR@K4H1VsuqUl*37Zu*vS_KQ1a-8FTYl+Q6Ou`TH*M^`w~C9>l4&_l0C$Sk=`p)K%i>)z&fJbs2F*^7knkAE7la%mZ;+ z06P7H^|+EBTc3X!4}ix%XhzQ}4JO@WQV-r>w(6gknVRg-Z8;_@2MV6wfs&tXm`}?+ zU1s0dFxleyv6}tQvq^s?RQou1tLe#^pSUk&fL7Ds0_0aTagfKDo(=eKF{abA40AI@ z>Xz0`F{GYugBIvZe}Grws~x2oI9uB>y!^*20xn6sO!DNpD3SGE1D54rDjw72`P`+6_nj3aIs zHm#!HMGg&gS7iSM;m0kh@do1(-DtL4JCoDcQ%s>oGIM~mS~v+M zbM$L#%9T7Mrac#FrQ-M!AWY`0j66I_Isp=Ju0gi{eb^6)f`r%mUp0QufBx4RCmT0E zlf(ZB0}-WwsVa3M=%=Y!?u%}+29mTPPBLXYl{bnzNIZC`K$jVa)R(Z}b6vvV1;w^8 zq6=wvd?S5HmcXp=a_$^ZAb1Iku{Skdm*6EppG@c6kByk+bFKSZD@H{!zK7p5Pcn$w zAOo;C&mL)yoClCgG8JpD0lZ!i7oOJ`J3Z3w8YOuJWNq_VSi?HUGDgs{4<-~0K~Tq> z@M}XKoyRT?>iuNGBddts|Kcop1E5&vDb70h-A5(heSxO6+>uIU?Adwj@*wn!Ag;it zWUUmar%D_@Z~x>Y-Zh}un>Xl$VKX^wGHmj8@&rX|&$&yHSceb~c|MrR(%gtb^x(AW zYq68k1!Kp4T0bM{o8k&1!x5P5Tuby!uxw-%qqnp=HJwxlyjD~zpPB=_w(x8Sxn%j8 z={>0tZGxO9-?`bo44$n!J$5XS6jZVE^;`1v{NY0P1;9*C{nW-}(4egaQ_4CcbmWVr Z+ET1skwe?;fmb3xhYwip&op&ub2-4ffnxDyZaCbB+mzdT#N*oXqc=tq-oZsjs%u_n)mj{7UA>wWE+9|P zFvAo5eiNEIAj`SYkf(G0lb@2=(tcQ9+IS^QHL@LZjy5h}i810>41Yq9x3&Kq zv=LF&6S``Ql*$pXx6Wjvh7@uZJ*A8U!T7GooC<|eyI z$zlvT8S4Q8AtU%lmdAe_ZLAas7VA~o?}6aD(+(9q5iJ~wEQB)m^w-&LyJK5oI!Ezwb@1049X*Zs# zDkOMm<%!zVsUE(pr5{Ek&YKI)cJ=!$3-mQgT}9s0!Y#pLnYu*SSWPaLJxCqxm1YL# z-%BD7oN)nxqSh#hULfE5=@~E{%MZ08+3L}+Lf;{EBmpeXG@VBTnp)@r@fNeh!YvQi z{z)BbH?8+GjC@_EF8+K@@|>SGxsCv${^+?d)g_uVk+NtdSe!BO)~7mSB&-S?S`y^q z{p7}}g%Nk4ws@?48DD>59hg=b%%(=@4torl=5Gdph|aQITW^^e<%-){cy&IQ%L{dU zxqCh3!x_k+8Kl6m^iA!?b5Tj&UPL?m%~5P{nJuMkWDBf(OlT(oujL&?Fsa4Z@D?D5 zlRURE@FUm3O?I>cL9ehAl?Yqh%hw}=V#cV4x#LCpYugP5;PVQ$KH)?)*3_|08WVzZ#`}GWPxhoJH{8M_2{v~Ti4Kg5u zN*i4~T^Jq-vY5GL{K|^r5;@j@<@;yu=ed!M<$*nSZds)U?NUw2cw2fBcr1!~a$$iw zA2V8qh>CZ(8mxs8WWzq@<>rDE9Kk!5^X7blO$@=*+!pR4&XFT;4tlNcdjFb0?p8kZ ze!3Z}dPOu+Q9jb;;~l$l*~13z=pEMnqy%FnwyMHd>AwaP!D9^_#bsq>NL_g@_dF&% z3D(=BDD{~bv$$8d>rUrlX9TR@Z!mo?Z>Q)H&%?`FwDyUbK|+8RRun0ToEVxIh?jE7 z=ft883=Dw}e6mvswW^aAlgNq~BHP6Cg~E_xr3-<>mbYK^4e_th^; za&9LNXwkWZ$4stQj6m*@z3&5QM%q|VH=!S6l_kQ|xe8LuzCgI0tOWPoQy%s00$o3&LQ6dl+bBUa;R;&np?av%` zZtoG$L_GRA#XCA&d=F_w@`khewfI+`1r%?uogOp~33g{t#$J|X^H}GLm-C;OeCD~4 z_VljoNX_UYE^8PnA&y>(!C+|p0k8AE*#jgj@O zO(RUrh8B1~qWn&5X-vdbQO}vqwL`pJ)QGORwNt^pKg05BNCpsAuC_#&)@nxLYjP;+ zUUL72SoH9`8ujy2&kL_;0-2{fJJ~=b(-yy6G{-I)p=nY4vUoJ1dtLX-JDTpU*UoR5 z`k^B~i2IwuX-5E^3x@fm{h)pSCFE)R$+kozFjj!`tgvmo=KVtdhi(jScqH zj&1*AOyy54@A}VmkE<`DiQxEf6_i$9SH+tFC{uWR{^<5J#KD*D1AsXPMx&pq47t6I z-(px@zD)Lm%O}f(L4)>$`uut3ALAg%^|BB+1l8@OOnpB6V3LL1jQ!JTl{Bb)O7kzK zl)XE@;)8vW)|U`3zh$RXW;8REY^c^p^-TuYbmqsEUW+K&N+ZD!IB3mv$SZ)4k56#G zu{6%sS!e7aPW1U<=4?&{T(|DmsI4uE2lo(vnfZ7cHnyCS2LL8&D@A*DgQgeQ6u>EX zR|ntsxn>D9umH&|V5snX3y4T=z}xse=a=^F;l7_YV87UU0n!t&c?%+1;~JO$-d2Ne ziK=@UXnNe4IK;r+`p%PSuO^>VLV0(VBroD0oHF{RRuz2T(k;&)$^0C#+Q}%j?4}+g z{{q){*UX}AeHVe(+E;Zdd+~ba-2bgKVcf?@l11w2rm-Ao@6bnc_}jwD1K9v(jqWZ! zX^GN@6W!-DFr$&NZzp}0!dL~}pC0$3iDvxax^I?VOt^U6DdDo752d%qJ*x6lw1=*E zzX;{qCL*cxQp=Rts*k23rDSKst=;OEsP6^sVm3#W8aoFDt+&+hH{KNPa z1ah=`7i0X;M<~AbJz_I@Z#n*8-iIy6@B>7156XYyIGg$Jd#)5KrPZG&3^BQ2g$+D2 z8ceZdMc%E|7)?pwb+roY+Ry)P<3UN)|8A~1&MPJ>XTe-f3B;VDtrf~&7Y+GA6!uab zH?}YXtQ)v7wQL>diPQOf+vzNr-YMdC07OPk!rV$o%c^L|BH5BP z)`37PYbjQxI!XIxa@>T1OGwCJE$26)>Op2*s@|3AD1#ZCV8>0p7_EG;8W>dR%O|>w z3sGN^wfGehvzDj|e=vhr(-R^_+eMXgm7nO10}H% z8xxVXuf)BtgS=Gc*CyE5o=A**>u%zlGw~{@_>g$fIk3*JGqdyktE^%=FR(j~1heMR z(&Et_P!&L(Q-S%kFZ3pCbY{e!5>i~@)2;C0Zm*?c8 zZmHdDYrj#FU4*&TJ76#}A}$gbdBipNV~*liY5QUx-5@p4Owfbv%aMu@L^o zl)UpPy*{y1lke_8#QJ%iE@uKO6HTw|Q$I|vKaD5t7Uq(95-Fdbi6ISzb(X91ceHg; z#!)qz)Fe)x7me01BtT>8Xr*&z5c^dklCak<-#|S@?|evA1rKt?I35AcrDON@lg3T5 zKi*#T%y0W!Q;_?PZoRg`JI-iM<3dBHr}a7w+Q#)eH}ua5w*)^|Gw({x19OCqY-o7o zvHe&~oD23@Kd(SRwjrM~hMmhvCxU3EsPQ)fqEecOKxiPis--|E+6GQXh;*8{Buw8>#T`ksqi@1z=p>>;!$7DPuVbIQVDFqL}n5S?V`s}n{5r$0K}tg>;u~c_go%o_89o% zW6#f{d5O-C=&d9xKXSs$u8l>pfrC^@EBDCV0ikdtq+Z-B70wq?==wSu{11oE^qM?l z3Tq@jFagv%e#0rbLjRW#U<&yWYMT+`zdkI$g|*$cVXFr9JeqLCZfN@yt_+sfMKfK0@-uV9#yqqSPV2kZz}Pb|Bj? zt-^PG`B3@N`{L3MAR9mG$lyjkp&Z?m5`>^rj@#XBOEE2P$UxflCdUl=P|e{=qSG|@ zzM;~M7XZ|W98aP(v7S|sN?g*0Q0OL>4VOrz&EX~@6>Bwq;tPZM9+l*t4=xCrlBjYv zCizIJ{mKm~{k(iIM%D)mcwnxR9wbZkOL)UISqLAL>A0Y1)d66fgz0hct5~ufP0md= zk&i@t>3GO%cp0MDvF+?-)fs|1sJygb6xcaa(s(*qe3CQ*da?+}kaP-@RF4iEF>S{x z&cwq^BV>pf4i(c+m^1O ziVN;C_#Tbx+R#W{14@(yoJAKj635{&Yi3arJ_X6eMslFegBtus0rA(FB?DZ}+uM7* z9*HFd&U>zoI+<*(?N68qOM#HEdFJ-H5{(Z>BX*{qKcgq=n9wS3pvb6Nf0Qo7I#}pW@1L2!^FR7{#2{BpaWoRcTc>M_X$KMP*l-!`@3sG+w#&5@W?S#qE;`69_i6nO4^ z@%o2?$fi1J^1Q)wsZyI$)<+uUMz;d;$V*RKt;5ITa zNxzZ}G;{K}<2mE~o{?o}5=pJ|#-^VcrjfcSc_?b;OksnYb#(}ERVgvOVuL5v0rN{d zF<1Q{k5130yGRtxa}O(J?tP8D?dA+F^lp&Y6<^Mr`x`R3CU<;ak90`jKBkc_=|sYY z`{+$j>?3?#iWd=qzSTjZIrwn|Z(J~eR-`xUS6<$0;G&jNb~Cyx$J7axcA~=B6%m<} zFZ^7z@n?ol#ejhS@Gl)?@&18gXgbbqQvx0-!XH~Ogm0xk!z_J6r;42=z@(#j+=U;q?{a5~LleRq5C{o_y7`N_ih$IH?_$A!0z>95?!h9;`Nl~}e^ zoAXsZ06YOP%JCWx&F!n!e-f0RbbyA9|H;fjUl|B)%rXFvlW0i^u?eBimlP2L86rni zL`4~FCO6JI61gXH@J+``*%6|{DL)62KSqf0wXc_^htnT#4M{%1r*)8yJF6wC^MMK1 zMoaWNBxA$0O(xJ&{tEJ%{55P}ULQ?{sDtAD?ukT>GEiXqOZX#UD9mh#cOE{oQHkns zKP#E^#;|VvPmPAL?V$^pIg;4?B{80jR(!-9^RXqdi)m#-Y)DLD>efPYzX&UiK{2e+ zk<@3#Rbr=lhd&vWP;kczjbs&GfN-_LtmcWkL(sk~fepqKH>8P}-cCZ=LZA@V@w^s@ zPJusH0oy5Z{)@@x6hpilm^z;;3G1aIWR3P%8~CB0Egp6wn8|9*d#eV!M^4o^-2=2U zxHXJEyPYJQw+m{0du;aL9?MSU6M%uw_{A<*moG?%+1CQQ8`=g>r@@Y{Vu-jh!D&Po zA1T!@09~_P%rEXBnU87pDQdXcv+GMC<}>b}fu=zknT8l&zsX{=GciRvD5`3q>&IeB zkjFo-jg>6k{G_Z2u^B-9vx2lOKjEl``?~yP{XoR-f!iP5RiE!mBw~39!Lcz;@6=H( z%)epxzlD8dx*q@eT}R;Ul$0r|>v#!SHA&3fDGGo_2RbuLKO8Rs6-?FxELk@x;OWh9 zE$WQ4XST@{Fr&Oz#=2wF92b8}94G0>ohVSPZAcX^ICk5PZG`t_|&=gObuaQBa{@u3MIf4NB<>pl#!ZW zcgTY2Zv*_#H+@RDk(0Y6t1$~UB2-14Vb1HOGHlxD&bP93xf!F3oF|j<;C~C*R*C{B z>X+k0_+OQ$!u)&zq|!=UzZ?X#K|TNlo~6wz{ikGXBe_Xsa8_lRCDcFU#oc+epfma^ zsLjsxoxfM&RFc@~Ukfx--2Yb~x`Ag}wCjPH|0-rg9pC`)qO1f2>)*F`($XIVi;)XW z=yO5Zt^qmY0U1{?y%+2_BdRQnW`)n{UrohOsAt#xn z)g5AE?3}bKycKh_84c-m;4oh8dANknmM8<`c>nTEns?p^vbo9+;fRZK#hFeC$xA=D z|LLJIxW0p$6nNd~iP}(Kv09=p#mYGfq=Y)D^(~5E@%tKmPNiZ=4k6nsc)T&ccE3~L zh*i!mIoK>GA}xpEp<8O+1(iYZ4}4{r+T0in(at=cpk+0mT-w3f)2GE()MZSI1b-8e z;ts8$g(Q~76wD1YRvT!3Y?zF1x~3$O$fUj>0FsV9RQs$Y9$25J<)?shJFwFF-oChU z-2Mza`F*I}3oBAY+UL~BEyw!Iy2wZVVLvt}$P|@TGKCYsf&blr;ADgGa}_&3tY-Mn z`xX$Ub3@x+p&kUB$IK2s3+MlLawFueU|>H|`zfG5P3u~-g$47$i={TzsAt!tE#B;` z5mCdgkBN7A%QgPCa8d{z9oOcA+G;4{2Wk}g7AH@Aout!JlV7>u*c1cFe&|n=Q<;s# z*~60oE=h8B>Jjoy29XyPGrRjTKcsm|+B@z}k^;;9EKqu4C@0y0Wom8-5XH-=N(5lO?ko zn?LV(1d$;4lt8$ilIZLZ%t{PwUl$`BvCR^nSZ&VRSak-&qeM`pI4rEyG=+ogznsyX zETXsYl_F`wNBcUePt!PbX)~SZ$qCWa;pa)E+X_VueSJPsyJS9}f0i~U>Emg(wCsI+ z_JBYjDB_!R%h@ga3IVw?$?G)KX3bnL5A|d>$V9RTwbeC7D2^+#4!wHnu9t2(^ry2l z>5CRB0;oeStOcxRslKEbW4D zueirR;0&&83MzDLB>S+-2T;Ew39z}N+|!OIy%w!MF3DY=$0SohV9(jD-@X>?OrAG(AdDU9%m=8>exq}q^Xuzt&$vI#ZG+mRT#Z5 zue5?At#HL}7jnzex{lnHTn<0nX1bUo2$|@qVJP(vKHe%cX$c?;#cy^+?jV9?GV!F) zf?-|+`ZI>iczRwe=0n&wD~yRP)3#?tz|Rp+JWZt0(@qp2q(wuG_@)Et2%Su^g=iL`jSX12YyJJH||#+>pM zO64}co}9YjGB7no`@mP}^XmLce?(M<&HyQv8aXz3=#e(QQ@rPZR1qGpNRLzM+|BmI z%pdFn{K~o4~V)E!YKSmh@iY-85bE#*hPFjG?Pe6LOyYo<&!-sL(qLyg;E7mK_)?)w} z^!`mNd}pdXXj@&0V{I~D{w;dd(n#Ph`fhVHxjX3Iet}sRwiN}V>F?0SmRF84hj9#FFpk+l+F&bkF~-qh<@F&fEr}{&Jik5`s87;iHS!Hs z8pvcy1!kr*yR6z{zf!o+zszUmoFaK)UQ?{*Gn)l{!vRir9NuMKZyB9DzPj|513ukA zwNR8r;WGriLr)X#IT82Nlr$-s-7tj@|7(G(4rZ9d-`r^&cA9<{gN9vQ#3zb2i)z#q--m zSp+p=jPsIKa^fT;Y_RILm}hsEv%1LcH_o!D*(cRip@4rlz=g6ii_`e^N#Oa~drMnF zY(rI9OK;$;eWj>7H@gDRRhBXSE9}^OyYXe+c3VolCJgRzd#7NKI;mWb10>j^%IcTAY3E+fE`!o}YRaHsSb{IvtT(g||H$L`osQQvkvFS+zyYSqsP*;#j) z)Mb2^!c^4l?x14W%b_4AltTIP#A~J;PB*=oZ7NqN38|L&H1SNzd}t481Q&9|o_|=F zVy!>!qNTO32b&IvWoV7pM{m07bcdJ_7V*u;Hi=c(+PG4;0oUgBgLwKwzolncX1#_B zP@>XQm48_Og|YSPw)r5qdYldRceo?P<{Hv~il1Z4;`^$)#fP0IPxcj8eNSYWK#WkBcRK1t60F4EK$i36`++BUxS z?O_>L{J}7jF*wkSZMrxI)Vaf)af#=DcPd+^Z!t^}fAe&u$*V5^g9b)+Iz$I_z1cf5 z09TS-y8H3%8RaFDclTyRxY=uKuhT9md`~cwn1-pZmK=`>r#<1e^+D)qUFS=4Ao8TJu^=bNeke0nm8^V+ zN!Zrmm+VSt^C??bLFyBK*w!Ue9=>lY4(oeO_nJr-w({Ezm96UQPr;hf0&{`6)ip~yMy>WJ+ZCz;+r2R@gD9f zCNi+T13L3W?MtM~F5KY~Hp$Kag>PI=~fvb$9BmTXEWpNKbokzMs%9f=z(Qtt0f`pPN60l?``D`eQKx`)IPapC0J( zn!ji{-3`&Q%BhkG9Z6UFwUg1xvTeqq$(tSZKvC$?y!AUyd&i@XU-DjvN?hG_sFhk8 z*(;e`O>Z5>MsD@gbm7E_bY overwrite oldest data, move read pointer + assign rskip = wen && !ren && data_count >= MAX_DATA; + // read while empty => read invalid data, keep write pointer in sync + assign wskip = ren && !wen && data_count == 0; + `endif // NOSKIP + +The last few lines of output for the noskip task should be similar to the +following: + +.. code-block:: text + + SBY [fifo_noskip] engine_0: ## 0:00:00 BMC failed! + SBY [fifo_noskip] engine_0: ## 0:00:00 Assert failed in fifo: a_count_diff + SBY [fifo_noskip] engine_0: ## 0:00:00 Writing trace to VCD file: engine_0/trace.vcd + SBY [fifo_noskip] engine_0: ## 0:00:00 Writing trace to Verilog testbench: engine_0/trace_tb.v + SBY [fifo_noskip] engine_0: ## 0:00:00 Writing trace to constraints file: engine_0/trace.smtc + SBY [fifo_noskip] engine_0: ## 0:00:00 Status: FAILED + SBY [fifo_noskip] engine_0: finished (returncode=1) + SBY [fifo_noskip] summary: Elapsed clock time [H:MM:SS (secs)]: 0:00:01 (1) + SBY [fifo_noskip] summary: Elapsed process time unvailable on Windows + SBY [fifo_noskip] summary: engine_0 (abc pdr) returned FAIL + SBY [fifo_noskip] summary: counterexample trace: fifo_noskip/engine_0/trace.vcd + SBY [fifo_noskip] DONE (FAIL, rc=2) + SBY The following tasks failed: ['noskip'] + +Using the ``noskip.gtkw`` file provided, use the below command to examine the +error trace. + + gtkwave fifo_noskip/engine_0/trace.vcd noskip.gtkw + +This should result in something similar to the below image. We can immediately +see that ``data_count`` and ``addr_diff`` are different. Looking a bit deeper +we can see that in order to reach this state the read enable signal was high in +the first clock cycle while write enable is low. This leads to an underfill +where a value is read while the buffer is empty and the read address increments +to a higher value than the write address. + +.. image:: media/gtkwave_noskip.png + +During correct operation, the ``w_underfill`` witness will cover the underflow +case. Examining ``fifo_cover_oss/logfile.txt`` will reveal which trace file +includes the witness we are looking for. If this file doesn't exist, run the +code below. + + sby fifo.sby fifo_cover_oss + +Searching the file for ``w_underfill`` will reveal the below. + +.. code-block:: text + + $ grep "w_underfill" fifo_cover_oss/logfile.txt -A 1 + SBY [fifo_cover_oss] engine_0: ## 0:00:00 Reached cover statement at w_underfill in step 2. + SBY [fifo_cover_oss] engine_0: ## 0:00:00 Writing trace to VCD file: engine_0/trace2.vcd + +We can then run gtkwave with the trace file indicated to see the correct +operation as in the image below. When the buffer is empty, a read with no write +will result in the ``wksip`` signal going high, incrementing *both* read and +write addresses and avoiding underflow. + + gtkwave fifo_cover_oss/engine_0/trace2.vcd noskip.gtkw + +.. image:: media/gtkwave_coverskip.png + +For more on using the .sby file, see the :ref:`.sby reference page `. + Concurrent assertions ********************* From 907db48ac90e8118343cd8085bf0e3af998c15a1 Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Thu, 30 Jun 2022 12:06:12 +1200 Subject: [PATCH 23/38] Updating from feedback Primarily addressing Nak's comments on the PR first. Of note is the change from separate files to a single file. Changed to boolector engine and bmc by default. Updated install instructions to move z3 to optional and boolector to recommended. Literal code includes use :lines: option. --- docs/examples/fifo/fifo.sby | 23 ++--- docs/examples/fifo/fifo.sv | 188 +++++++++++++++++++++++++++++++----- docs/examples/fifo/top.sv | 167 -------------------------------- docs/source/install.rst | 56 ++++++----- docs/source/newstart.rst | 119 ++++++++++++----------- 5 files changed, 268 insertions(+), 285 deletions(-) delete mode 100644 docs/examples/fifo/top.sv diff --git a/docs/examples/fifo/fifo.sby b/docs/examples/fifo/fifo.sby index 62e9d85..22ebcdd 100644 --- a/docs/examples/fifo/fifo.sby +++ b/docs/examples/fifo/fifo.sby @@ -1,10 +1,8 @@ [tasks] -prove_oss prove oss -noskip prove oss -cover_oss cover oss -prove_tabby prove tabby -cover_tabby cover tabby -prove_oss cover_oss : default +basic bmc +nofullskip prove +cover +basic cover : default [options] cover: @@ -13,18 +11,17 @@ mode cover prove: mode prove -- +bmc: +mode bmc +-- [engines] -cover: smtbmc z3 -prove: abc pdr +smtbmc boolector [script] -read -sv fifo.sv -tabby: read -define USE_VERIFIC=1 -noskip: read -define NOSKIP=1 -read -formal top.sv +nofullskip: read -define NO_FULL_SKIP=1 +read -formal fifo.sv prep -top fifo [files] fifo.sv -top.sv diff --git a/docs/examples/fifo/fifo.sv b/docs/examples/fifo/fifo.sv index 5e7e6c8..9d32a43 100644 --- a/docs/examples/fifo/fifo.sv +++ b/docs/examples/fifo/fifo.sv @@ -1,23 +1,3 @@ -// Define the fifo storage -module storage ( - input wen, ren, clk, rst_n, - input [3:0] waddr, raddr, - input [7:0] wdata, - output [7:0] rdata -); - parameter MAX_DATA = 16; - - // 8 bit data, fifo depth 16 / 4 bit address - // reset not defined - reg [7:0] data [MAX_DATA-1:0]; - always @(posedge clk) begin - if (wen) - data[waddr] <= wdata; - end - - assign rdata = data[raddr]; -endmodule - // address generator/counter module addr_gen ( input en, clk, rst_n, @@ -39,7 +19,171 @@ module addr_gen ( addr <= 0; else addr <= addr + 1; - else - addr <= addr; end endmodule + +// Define our top level fifo entity +module fifo ( + input wen, ren, clk, rst_n, + input [7:0] wdata, + output [7:0] rdata, + output [4:0] count, + output full, empty +); + parameter MAX_DATA = 16; + + // wire up our sub modules + wire [3:0] waddr, raddr; + wire wskip, rskip; + + // fifo storage + // 8 bit data, fifo depth 16 / 4 bit address + // reset not defined + reg [7:0] data [MAX_DATA-1:0]; + always @(posedge clk) begin + if (wen) + data[waddr] <= wdata; + end + assign rdata = data[raddr]; + + addr_gen #(.MAX_DATA(MAX_DATA)) fifo_writer ( + .en (wen || wskip), + .clk (clk ), + .rst_n (rst_n), + .addr (waddr) + ); + + addr_gen #(.MAX_DATA(MAX_DATA)) fifo_reader ( + .en (ren || rskip), + .clk (clk ), + .rst_n (rst_n), + .addr (raddr) + ); + + // internals + reg [4:0] data_count; + initial begin + data_count <= 0; + end + + always @(posedge clk or negedge rst_n) begin + if (~rst_n) + data_count <= 0; + else if (wen && !ren && data_count < MAX_DATA) + data_count <= data_count + 1; + else if (ren && !wen && data_count > 0) + data_count <= data_count - 1; + end + + assign full = data_count == MAX_DATA; + assign empty = (data_count == 0) && rst_n; + assign count = data_count; + +`ifndef NO_FULL_SKIP + // write while full => overwrite oldest data, move read pointer + assign rskip = wen && !ren && data_count >= MAX_DATA; + // read while empty => read invalid data, keep write pointer in sync + assign wskip = ren && !wen && data_count == 0; +`else + assign rskip = 0; + assign wskip = 0; +`endif // NO_FULL_SKIP + +`ifdef FORMAL + // observers + wire [4:0] addr_diff; + assign addr_diff = waddr >= raddr + ? waddr - raddr + : waddr + MAX_DATA - raddr; + + reg init = 0; + always @(posedge clk) begin + if (rst_n) + init <= 1; + // if init is low we don't care about the value of rst_n + // if init is high (rst_n has ben high), then rst_n must remain high + assume (!init || init && rst_n); + end + + // tests + always @(posedge clk) begin + if (rst_n) begin + // waddr and raddr can only be non zero if reset is high + w_nreset: cover (waddr || raddr); + + // count never less than zero, or more than max + a_uflow: assert (count >= 0); + a_uflow2: assert (raddr >= 0); + a_oflow: assert (count <= MAX_DATA); + a_oflow2: assert (waddr < MAX_DATA); + + // count should be equal to the difference between writer and reader address + a_count_diff: assert (count == addr_diff + || count == MAX_DATA && addr_diff == 0); + + // count should only be able to increase or decrease by 1 + a_counts: assert (count == 0 + || count == $past(count) + || count == $past(count) + 1 + || count == $past(count) - 1); + + // read/write addresses can only increase (or stay the same) + a_raddr: assert (raddr == 0 + || raddr == $past(raddr) + || raddr == $past(raddr + 1)); + a_waddr: assert (waddr == 0 + || waddr == $past(waddr) + || waddr == $past(waddr + 1)); + + // full and empty work as expected + a_full: assert (!full || full && count == MAX_DATA); + w_full: cover (wen && !ren && count == MAX_DATA-1); + a_empty: assert (!empty || empty && count == 0); + w_empty: cover (ren && !wen && count == 1); + + // can we corrupt our data? + w_overfill: cover ($past(rskip) && raddr); + w_underfill: cover ($past(wskip) && waddr); + end else begin + // waddr and raddr are zero while reset is low + a_reset: assert (!waddr && !raddr); + w_reset: cover (~rst_n); + + // outputs are zero while reset is low + a_zero_out: assert (!empty && !full && !count); + end + end + +`ifdef VERIFIC + // if we have verific we can also do the following additional tests + always @(posedge clk) begin + if (rst_n) begin + // read/write enables enable + ap_raddr2: assert property (ren |=> $changed(raddr)); + ap_waddr2: assert property (wen |=> $changed(waddr)); + + // read/write needs enable UNLESS full/empty + ap_raddr3: assert property (!ren && !full |=> $stable(raddr)); + ap_waddr3: assert property (!wen && !empty |=> $stable(waddr)); + + // can we corrupt our data? + ap_overfill: assert property (wen && full |=> $changed(raddr)); + ap_underfill: assert property (ren && empty |=> $changed(waddr)); + + // change data when writing (and only when writing) so we can line + // up reads with writes + assume property (wen |=> $changed(wdata)); + assume property (!wen |=> $stable(wdata)); + end + end +`else // !VERIFIC + // without verific we are more limited in describing the above assumption + always @(posedge clk) begin + assume ((wen && wdata != $past(wdata)) + || (!wen && wdata == $past(wdata))); + end +`endif // VERIFIC + +`endif // FORMAL + +endmodule diff --git a/docs/examples/fifo/top.sv b/docs/examples/fifo/top.sv deleted file mode 100644 index f5eec51..0000000 --- a/docs/examples/fifo/top.sv +++ /dev/null @@ -1,167 +0,0 @@ -// Define our top level fifo entity -module fifo ( - input wen, ren, clk, rst_n, - input [7:0] wdata, - output [7:0] rdata, - output [4:0] count, - output full, empty -); - parameter MAX_DATA = 16; - - // internals - reg [4:0] data_count; - initial begin - data_count <= 0; - end - - // wire up our sub modules - wire [3:0] waddr, raddr; - wire wskip, rskip; - storage #(.MAX_DATA(MAX_DATA)) fifo_storage ( - .wen (wen ), - .ren (ren ), - .clk (clk ), - .rst_n (rst_n), - .waddr (waddr), - .raddr (raddr), - .wdata (wdata), - .rdata (rdata) - ); - - addr_gen #(.MAX_DATA(MAX_DATA)) fifo_writer ( - .en (wen || wskip), - .clk (clk ), - .rst_n (rst_n), - .addr (waddr) - ); - - addr_gen #(.MAX_DATA(MAX_DATA)) fifo_reader ( - .en (ren || rskip), - .clk (clk ), - .rst_n (rst_n), - .addr (raddr) - ); - - always @(posedge clk or negedge rst_n) begin - if (~rst_n) - data_count <= 0; - else if (wen && !ren && data_count < MAX_DATA) - data_count <= data_count + 1; - else if (ren && !wen && data_count > 0) - data_count <= data_count - 1; - else - data_count <= data_count; - end - - assign full = data_count == MAX_DATA; - assign empty = (data_count == 0) && rst_n; - assign count = data_count; - -`ifndef NOSKIP - // write while full => overwrite oldest data, move read pointer - assign rskip = wen && !ren && data_count >= MAX_DATA; - // read while empty => read invalid data, keep write pointer in sync - assign wskip = ren && !wen && data_count == 0; -`else - assign rskip = 0; - assign wskip = 0; -`endif // NOSKIP - -`ifdef FORMAL - // observers - wire [4:0] addr_diff; - assign addr_diff = waddr >= raddr - ? waddr - raddr - : waddr + MAX_DATA - raddr; - - reg init = 0; - always @(posedge clk) begin - if (rst_n) - init <= 1; - // if init is low we don't care about the value of rst_n - // if init is high (rst_n has ben high), then rst_n must remain high - assume (!init || init && rst_n); - end - - // tests - always @(posedge clk) begin - if (rst_n) begin - // waddr and raddr can only be non zero if reset is high - w_nreset: cover (waddr || raddr); - - // count never less than zero, or more than max - a_uflow: assert (count >= 0); - a_uflow2: assert (raddr >= 0); - a_oflow: assert (count <= MAX_DATA); - a_oflow2: assert (waddr < MAX_DATA); - - // count should be equal to the difference between writer and reader address - a_count_diff: assert (count == addr_diff - || count == MAX_DATA && addr_diff == 0); - - // count should only be able to increase or decrease by 1 - a_counts: assert (count == 0 - || count == $past(count) - || count == $past(count) + 1 - || count == $past(count) - 1); - - // read/write addresses can only increase (or stay the same) - a_raddr: assert (raddr == 0 - || raddr == $past(raddr) - || raddr == $past(raddr + 1)); - a_waddr: assert (waddr == 0 - || waddr == $past(waddr) - || waddr == $past(waddr + 1)); - - // full and empty work as expected - a_full: assert (!full || full && count == MAX_DATA); - w_full: cover (wen && !ren && count == MAX_DATA-1); - a_empty: assert (!empty || empty && count == 0); - w_empty: cover (ren && !wen && count == 1); - - // can we corrupt our data? - w_overfill: cover ($past(rskip) && raddr); - w_underfill: cover ($past(wskip) && waddr); - end else begin - // waddr and raddr are zero while reset is low - a_reset: assert (!waddr && !raddr); - w_reset: cover (~rst_n); - - // outputs are zero while reset is low - a_zero_out: assert (!empty && !full && !count); - end - end - -`ifdef USE_VERIFIC - // if we have verific we can also do the following additional tests - always @(posedge clk) begin - if (rst_n) begin - // read/write enables enable - ap_raddr2: assert property (ren |=> $changed(raddr)); - ap_waddr2: assert property (wen |=> $changed(waddr)); - - // read/write needs enable UNLESS full/empty - ap_raddr3: assert property (!ren && !full |=> $stable(raddr)); - ap_waddr3: assert property (!wen && !empty |=> $stable(waddr)); - - // can we corrupt our data? - ap_overfill: assert property (wen && full |=> $changed(raddr)); - ap_underfill: assert property (ren && empty |=> $changed(waddr)); - - // change data when writing (and only when writing) so we can line - // up reads with writes - assume property (wen |=> $changed(wdata)); - assume property (!wen |=> $stable(wdata)); - end - end -`else // !USE_VERIFIC - // without verific we are more limited in describing the above assumption - always @(posedge clk) begin - assume ((wen && wdata != $past(wdata)) - || (!wen && wdata == $past(wdata))); - end -`endif // USE_VERIFIC - -`endif // FORMAL - -endmodule diff --git a/docs/source/install.rst b/docs/source/install.rst index 4110d63..a232c86 100644 --- a/docs/source/install.rst +++ b/docs/source/install.rst @@ -3,12 +3,12 @@ Installation guide ================== -This document will guide you through the process of installing SymbiYosys. +This document will guide you through the process of installing sby. CAD suite(s) ************ -SymbiYosys (sby) is part of the `Tabby CAD Suite +Sby (SymbiYosys) is part of the `Tabby CAD Suite `_ and the `OSS CAD Suite `_! The easiest way to use sby is to install the binary software suite, which contains all required @@ -32,9 +32,9 @@ CAD Suite, please visit https://www.yosyshq.com/tabby-cad-datasheet. Installing from source ********************** -Follow the instructions below to install SymbiYosys and its dependencies. -Yosys, SymbiYosys, and Z3 are non-optional. The other packages are only -required for some engine configurations. +Follow the instructions below to install sby and its dependencies. Yosys and sby +are non-optional. Boolector is recommended to install but not required. The +other packages are only required for some engine configurations. Prerequisites ------------- @@ -59,7 +59,7 @@ https://yosyshq.net/yosys/ https://people.eecs.berkeley.edu/~alanmi/abc/ -Next install Yosys, Yosys-SMTBMC and ABC (``yosys-abc``): +Note that this will install Yosys, Yosys-SMTBMC and ABC (as ``yosys-abc``): .. code-block:: text @@ -68,8 +68,8 @@ Next install Yosys, Yosys-SMTBMC and ABC (``yosys-abc``): make -j$(nproc) sudo make install -SymbiYosys -^^^^^^^^^^ +sby +^^^ https://github.com/YosysHQ/sby @@ -79,25 +79,38 @@ https://github.com/YosysHQ/sby cd sby sudo make install -Z3 -^^ +Recommended components +---------------------- -https://github.com/Z3Prover/z3/wiki +Boolector +^^^^^^^^^ + +https://boolector.github.io .. code-block:: text + git clone https://github.com/boolector/boolector + cd boolector + ./contrib/setup-btor2tools.sh + ./contrib/setup-lingeling.sh + ./configure.sh + make -C build -j$(nproc) + sudo cp build/bin/{boolector,btor*} /usr/local/bin/ + sudo cp deps/btor2tools/bin/btorsim /usr/local/bin/ - git clone https://github.com/Z3Prover/z3 - cd z3 - python scripts/mk_make.py - cd build - make -j$(nproc) - sudo make install +To use the ``btor`` engine you will need to install btor2tools from +`commit c35cf1c `_ or +newer. Optional components ------------------- Additional solver engines can be installed as per their instructions, links are provided below. +Z3 +^^^ + + https://github.com/Z3Prover/z3 + Yices 2 ^^^^^^^ http://yices.csl.sri.com/ @@ -111,12 +124,3 @@ super_prove Avy ^^^ https://arieg.bitbucket.io/avy/ - -Boolector -^^^^^^^^^ - http://fmv.jku.at/boolector/ - - https://github.com/boolector/boolector - - To use the ``btor`` engine you additionally need a newer version of btorsim - than the boolector setup script builds: https://github.com/boolector/btor2tools diff --git a/docs/source/newstart.rst b/docs/source/newstart.rst index eac65a8..ebc443f 100644 --- a/docs/source/newstart.rst +++ b/docs/source/newstart.rst @@ -2,8 +2,9 @@ Getting started =============== -.. note:: This tutorial assumes sby installation as per the :ref:`install-doc`. - It is also recommended to install +.. note:: + This tutorial assumes sby and boolector installation as per the + :ref:`install-doc`. For this tutorial, it is also recommended to install `GTKWave `_, an open source VCD viewer. First In, First Out (FIFO) buffer @@ -21,33 +22,40 @@ a FIFO is they arrive at the queue's tail. In hardware we can create such a construct by providing two addresses into a -register file. See the Verilog code below for the two main modules of an -example implementation. +register file. This tutorial will use an example implementation provided in +`fifo.sv`. + +First, the address generator module: .. literalinclude:: ../examples/fifo/fifo.sv :language: systemverilog + :lines: 1-23 + +This module is instantiated twice; once for the write address and once for the +read address. In both cases, the address will start at and reset to 0, and will +increment by 1 when an enable signal is received. When the address pointers +increment from the maximum storage value they reset back to 0, providing a +circular queue. + +Next, the register file: + +.. literalinclude:: ../examples/fifo/fifo.sv + :language: systemverilog + :lines: 39-47 Notice that this register design includes a synchronous write and asynchronous -read. Each word is 8 bits, and up to 16 words can be stored in the buffer. The -address generator module will be instantiated twice; once for the write address -and once for the read address. In both cases, the address will start at and -reset to 0, and will increment by 1 when an enable signal is received. When the -address pointers increment from the maximum storage value they reset back to 0, -providing a circular queue. The top level design implemented, can be found in -``top.sv``. +read. Each word is 8 bits, and up to 16 words can be stored in the buffer. Verification properties *********************** In order to verify our design we must first define properties that it must -satisfy. For example, there must never be a negative number of values in the -FIFO. Similarly, there must never be more than there is memory available. By -assigning a signal to count the number of values in the buffer, we can make the -following assertions in the code: +satisfy. For example, there must never be more than there is memory available. +By assigning a signal to count the number of values in the buffer, we can make +the following assertion in the code: .. code-block:: systemverilog - a_uflow: assert (count >= 0); a_oflow: assert (count <= MAX_DATA); It is also possible to use the prior value of a signal for comparison. This can @@ -86,36 +94,30 @@ SymbiYosys SymbiYosys (sby) uses a .sby file to define a set of tasks used for verification. -**prove_oss** - Prove mode (unbounded model check), for use with OSS CAD Suite. +**basic** + Bounded model check of design. -**noskip** - Demonstration of failing model check with OSS CAD Suite. +**nofullskip** + Demonstration of failing model using an unbounded model check. -**cover_oss** - Cover mode (testing cover statements), for use with OSS CAD Suite. +**cover** + Cover mode (testing cover statements). -**prove_tabby** - Prove mode, for use with Tabby CAD Suite. - -**cover_tabby** - Cover mode, for use with Tabby CAD Suite. - -The use of the ``:default`` tag indicates that by default, prove_oss and -cover_oss should be run if no tasks are specified, such as when running the -command below. +The use of the ``:default`` tag indicates that by default, basic and cover +should be run if no tasks are specified, such as when running the command below. sby fifo.sby -.. note:: The default set of tests should all pass. If this is not the case - there may be a problem with the installation of sby or one of its solvers. +.. note:: + The default set of tests should all pass. If this is not the case there may + be a problem with the installation of sby or one of its solvers. To see what happens when a test fails, the below command can be used. Note the use of the ``-f`` flag to automatically overwrite existing task output. While this may not be necessary on the first run, it is quite useful when making adjustments to code and rerunning tests to validate. - sby -f fifo.sby noskip + sby -f fifo.sby nofullskip The noskip task disables the code shown below. Because the count signal has been written such that it cannot exceed MAX_DATA, removing this code will lead @@ -125,36 +127,38 @@ overflow occur and the oldest data be written. .. code-block:: systemverilog - `ifndef NOSKIP + `ifndef NO_FULL_SKIP // write while full => overwrite oldest data, move read pointer assign rskip = wen && !ren && data_count >= MAX_DATA; // read while empty => read invalid data, keep write pointer in sync assign wskip = ren && !wen && data_count == 0; - `endif // NOSKIP + `endif // NO_FULL_SKIP The last few lines of output for the noskip task should be similar to the following: .. code-block:: text - SBY [fifo_noskip] engine_0: ## 0:00:00 BMC failed! - SBY [fifo_noskip] engine_0: ## 0:00:00 Assert failed in fifo: a_count_diff - SBY [fifo_noskip] engine_0: ## 0:00:00 Writing trace to VCD file: engine_0/trace.vcd - SBY [fifo_noskip] engine_0: ## 0:00:00 Writing trace to Verilog testbench: engine_0/trace_tb.v - SBY [fifo_noskip] engine_0: ## 0:00:00 Writing trace to constraints file: engine_0/trace.smtc - SBY [fifo_noskip] engine_0: ## 0:00:00 Status: FAILED - SBY [fifo_noskip] engine_0: finished (returncode=1) - SBY [fifo_noskip] summary: Elapsed clock time [H:MM:SS (secs)]: 0:00:01 (1) - SBY [fifo_noskip] summary: Elapsed process time unvailable on Windows - SBY [fifo_noskip] summary: engine_0 (abc pdr) returned FAIL - SBY [fifo_noskip] summary: counterexample trace: fifo_noskip/engine_0/trace.vcd - SBY [fifo_noskip] DONE (FAIL, rc=2) + SBY [fifo_nofullskip] engine_0.basecase: ## 0:00:00 Assert failed in fifo: a_count_diff + SBY [fifo_nofullskip] engine_0.basecase: ## 0:00:00 Assert failed in fifo: ap_underfill + SBY [fifo_nofullskip] engine_0.basecase: ## 0:00:00 Writing trace to VCD file: engine_0/trace.vcd + SBY [fifo_nofullskip] engine_0.basecase: ## 0:00:00 Writing trace to Verilog testbench: engine_0/trace_tb.v + SBY [fifo_nofullskip] engine_0.basecase: ## 0:00:00 Writing trace to constraints file: engine_0/trace.smtc + SBY [fifo_nofullskip] engine_0.basecase: ## 0:00:00 Status: failed + SBY [fifo_nofullskip] engine_0.basecase: finished (returncode=1) + SBY [fifo_nofullskip] engine_0: Status returned by engine for basecase: FAIL + SBY [fifo_nofullskip] engine_0.induction: terminating process + SBY [fifo_nofullskip] summary: Elapsed clock time [H:MM:SS (secs)]: 0:00:02 (2) + SBY [fifo_nofullskip] summary: Elapsed process time unvailable on Windows + SBY [fifo_nofullskip] summary: engine_0 (smtbmc boolector) returned FAIL for basecase + SBY [fifo_nofullskip] summary: counterexample trace: fifo_nofullskip/engine_0/trace.vcd + SBY [fifo_nofullskip] DONE (FAIL, rc=2) SBY The following tasks failed: ['noskip'] Using the ``noskip.gtkw`` file provided, use the below command to examine the error trace. - gtkwave fifo_noskip/engine_0/trace.vcd noskip.gtkw + gtkwave fifo_nofullskip/engine_0/trace.vcd noskip.gtkw This should result in something similar to the below image. We can immediately see that ``data_count`` and ``addr_diff`` are different. Looking a bit deeper @@ -166,26 +170,26 @@ to a higher value than the write address. .. image:: media/gtkwave_noskip.png During correct operation, the ``w_underfill`` witness will cover the underflow -case. Examining ``fifo_cover_oss/logfile.txt`` will reveal which trace file +case. Examining ``fifo_cover/logfile.txt`` will reveal which trace file includes the witness we are looking for. If this file doesn't exist, run the code below. - sby fifo.sby fifo_cover_oss + sby fifo.sby cover Searching the file for ``w_underfill`` will reveal the below. .. code-block:: text - $ grep "w_underfill" fifo_cover_oss/logfile.txt -A 1 - SBY [fifo_cover_oss] engine_0: ## 0:00:00 Reached cover statement at w_underfill in step 2. - SBY [fifo_cover_oss] engine_0: ## 0:00:00 Writing trace to VCD file: engine_0/trace2.vcd + $ grep "w_underfill" fifo_cover/logfile.txt -A 1 + SBY [fifo_cover] engine_0: ## 0:00:00 Reached cover statement at w_underfill in step 2. + SBY [fifo_cover] engine_0: ## 0:00:00 Writing trace to VCD file: engine_0/trace2.vcd We can then run gtkwave with the trace file indicated to see the correct operation as in the image below. When the buffer is empty, a read with no write will result in the ``wksip`` signal going high, incrementing *both* read and write addresses and avoiding underflow. - gtkwave fifo_cover_oss/engine_0/trace2.vcd noskip.gtkw + gtkwave fifo_cover/engine_0/trace2.vcd noskip.gtkw .. image:: media/gtkwave_coverskip.png @@ -198,8 +202,9 @@ Until this point, all of the properties described have been *immediate* assertions. As the name suggests, immediate assertions are evaluated immediately whereas concurrent assertions allow for the capture of sequences of events which occur across time. The use of concurrent assertions requires a -more advanced parser, such as Verific. Verific is included for use in the -*Tabby CAD Suite*. +more advanced series of checks. Using a parser such as Verific supports these +checks *without* having to write out potentially complicated state machines. +Verific is included for use in the *Tabby CAD Suite*. With concurrent assertions we are able to verify more fully that our enables and status flags work as desired. For example, we can assert that if the read From 7ba67ef260a901a5d8c209275d3724251e27fa51 Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Fri, 1 Jul 2022 11:15:47 +1200 Subject: [PATCH 24/38] Removing unnecessary underflow assertions --- docs/examples/fifo/fifo.sv | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/examples/fifo/fifo.sv b/docs/examples/fifo/fifo.sv index 9d32a43..1a32187 100644 --- a/docs/examples/fifo/fifo.sv +++ b/docs/examples/fifo/fifo.sv @@ -111,9 +111,7 @@ module fifo ( // waddr and raddr can only be non zero if reset is high w_nreset: cover (waddr || raddr); - // count never less than zero, or more than max - a_uflow: assert (count >= 0); - a_uflow2: assert (raddr >= 0); + // count never more than max a_oflow: assert (count <= MAX_DATA); a_oflow2: assert (waddr < MAX_DATA); From aab2c3c2e0360d316f69aa2c519bf56981703203 Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Fri, 1 Jul 2022 11:19:01 +1200 Subject: [PATCH 25/38] New exercise section Worked exercise using the MAX_DATA parameter, highlighting its incompleteness. Includes completed examples in /golden subdirectory. Also some formatting changes for spacing and extra links. --- docs/examples/fifo/golden/fifo.sby | 32 +++++ docs/examples/fifo/golden/fifo.sv | 192 +++++++++++++++++++++++++++++ docs/source/newstart.rst | 66 ++++++++-- 3 files changed, 279 insertions(+), 11 deletions(-) create mode 100644 docs/examples/fifo/golden/fifo.sby create mode 100644 docs/examples/fifo/golden/fifo.sv diff --git a/docs/examples/fifo/golden/fifo.sby b/docs/examples/fifo/golden/fifo.sby new file mode 100644 index 0000000..d94789c --- /dev/null +++ b/docs/examples/fifo/golden/fifo.sby @@ -0,0 +1,32 @@ +[tasks] +basic bmc +nofullskip prove +cover +bigtest cover +basic cover : default + +[options] +cover: +mode cover +-- +prove: +mode prove +-- +bmc: +mode bmc +-- +bigtest: depth 120 +~bigtest: depth 10 + +[engines] +smtbmc boolector + +[script] +nofullskip: read -define NO_FULL_SKIP=1 +read -formal fifo.sv +bigtest: hierarchy -check -top fifo -chparam MAX_DATA 100 -chparam ADDR_BITS 7 +~bigtest: hierarchy -check -top fifo -chparam MAX_DATA 5 -chparam ADDR_BITS 3 +prep -top fifo + +[files] +fifo.sv diff --git a/docs/examples/fifo/golden/fifo.sv b/docs/examples/fifo/golden/fifo.sv new file mode 100644 index 0000000..014563d --- /dev/null +++ b/docs/examples/fifo/golden/fifo.sv @@ -0,0 +1,192 @@ +// address generator/counter +module addr_gen ( + input en, clk, rst_n, + output reg [ADDR_BITS-1:0] addr +); + parameter MAX_DATA = 16; + parameter ADDR_BITS = 5; + + initial begin + addr <= 0; + end + + // async reset + // increment address when enabled + always @(posedge clk or negedge rst_n) begin + if (~rst_n) + addr <= 0; + else if (en) + if (addr == MAX_DATA-1) + addr <= 0; + else + addr <= addr + 1; + end +endmodule + +// Define our top level fifo entity +module fifo ( + input wen, ren, clk, rst_n, + input [7:0] wdata, + output [7:0] rdata, + output [ADDR_BITS:0] count, + output full, empty +); + parameter MAX_DATA = 16; + parameter ADDR_BITS = 5; + + // wire up our sub modules + // ADDR_BITS=5 gives 5 bits of address, [4:0] + // supporting MAX_DATA up to 2**5=32 + wire [ADDR_BITS-1:0] waddr, raddr; + wire wskip, rskip; + + // fifo storage + // reset not defined + reg [7:0] data [MAX_DATA-1:0]; + always @(posedge clk) begin + if (wen) + data[waddr] <= wdata; + end + assign rdata = data[raddr]; + + addr_gen #(.MAX_DATA(MAX_DATA), .ADDR_BITS(ADDR_BITS)) + fifo_writer ( + .en (wen || wskip), + .clk (clk ), + .rst_n (rst_n), + .addr (waddr) + ); + + addr_gen #(.MAX_DATA(MAX_DATA), .ADDR_BITS(ADDR_BITS)) + fifo_reader ( + .en (ren || rskip), + .clk (clk ), + .rst_n (rst_n), + .addr (raddr) + ); + + // internals + reg [ADDR_BITS:0] data_count; + initial begin + data_count <= 0; + end + + always @(posedge clk or negedge rst_n) begin + if (~rst_n) + data_count <= 0; + else if (wen && !ren && data_count < MAX_DATA) + data_count <= data_count + 1; + else if (ren && !wen && data_count > 0) + data_count <= data_count - 1; + end + + assign full = data_count == MAX_DATA; + assign empty = (data_count == 0) && rst_n; + assign count = data_count; + +`ifndef NO_FULL_SKIP + // write while full => overwrite oldest data, move read pointer + assign rskip = wen && !ren && data_count >= MAX_DATA; + // read while empty => read invalid data, keep write pointer in sync + assign wskip = ren && !wen && data_count == 0; +`else + assign rskip = 0; + assign wskip = 0; +`endif // NO_FULL_SKIP + +`ifdef FORMAL + // observers + wire [ADDR_BITS:0] addr_diff; + assign addr_diff = waddr >= raddr + ? waddr - raddr + : waddr + MAX_DATA - raddr; + + reg init = 0; + always @(posedge clk) begin + if (rst_n) + init <= 1; + // if init is low we don't care about the value of rst_n + // if init is high (rst_n has ben high), then rst_n must remain high + assume (!init || init && rst_n); + end + + // tests + always @(posedge clk) begin + if (rst_n) begin + // waddr and raddr can only be non zero if reset is high + w_nreset: cover (waddr || raddr); + + // count never more than max + a_oflow: assert (count <= MAX_DATA); + a_oflow2: assert (waddr < MAX_DATA); + + // count should be equal to the difference between writer and reader address + a_count_diff: assert (count == addr_diff + || count == MAX_DATA && addr_diff == 0); + + // count should only be able to increase or decrease by 1 + a_counts: assert (count == 0 + || count == $past(count) + || count == $past(count) + 1 + || count == $past(count) - 1); + + // read/write addresses can only increase (or stay the same) + a_raddr: assert (raddr == 0 + || raddr == $past(raddr) + || raddr == $past(raddr + 1)); + a_waddr: assert (waddr == 0 + || waddr == $past(waddr) + || waddr == $past(waddr + 1)); + + // full and empty work as expected + a_full: assert (!full || full && count == MAX_DATA); + w_full: cover (wen && !ren && count == MAX_DATA-1); + a_empty: assert (!empty || empty && count == 0); + w_empty: cover (ren && !wen && count == 1); + + // can we corrupt our data? + w_overfill: cover ($past(rskip) && raddr); + w_underfill: cover ($past(wskip) && waddr); + end else begin + // waddr and raddr are zero while reset is low + a_reset: assert (!waddr && !raddr); + w_reset: cover (~rst_n); + + // outputs are zero while reset is low + a_zero_out: assert (!empty && !full && !count); + end + end + +`ifdef VERIFIC + // if we have verific we can also do the following additional tests + always @(posedge clk) begin + if (rst_n) begin + // read/write enables enable + ap_raddr2: assert property (ren |=> $changed(raddr)); + ap_waddr2: assert property (wen |=> $changed(waddr)); + + // read/write needs enable UNLESS full/empty + ap_raddr3: assert property (!ren && !full |=> $stable(raddr)); + ap_waddr3: assert property (!wen && !empty |=> $stable(waddr)); + + // can we corrupt our data? + ap_overfill: assert property (wen && full |=> $changed(raddr)); + ap_underfill: assert property (ren && empty |=> $changed(waddr)); + + // change data when writing (and only when writing) so we can line + // up reads with writes + assume property (wen |=> $changed(wdata)); + assume property (!wen |=> $stable(wdata)); + end + end +`else // !VERIFIC + // without verific we are more limited in describing the above assumption + always @(posedge clk) begin + assume ((wen && wdata != $past(wdata)) + || (!wen && wdata == $past(wdata))); + end +`endif // VERIFIC + +`endif // FORMAL + +endmodule diff --git a/docs/source/newstart.rst b/docs/source/newstart.rst index ebc443f..2828cb6 100644 --- a/docs/source/newstart.rst +++ b/docs/source/newstart.rst @@ -3,9 +3,13 @@ Getting started =============== .. note:: + This tutorial assumes sby and boolector installation as per the :ref:`install-doc`. For this tutorial, it is also recommended to install `GTKWave `_, an open source VCD viewer. + `Source files used in this tutorial + `_ can be + found on the sby git, under ``docs/examples/fifo``. First In, First Out (FIFO) buffer ********************************* @@ -109,6 +113,7 @@ should be run if no tasks are specified, such as when running the command below. sby fifo.sby .. note:: + The default set of tests should all pass. If this is not the case there may be a problem with the installation of sby or one of its solvers. @@ -139,12 +144,12 @@ following: .. code-block:: text - SBY [fifo_nofullskip] engine_0.basecase: ## 0:00:00 Assert failed in fifo: a_count_diff - SBY [fifo_nofullskip] engine_0.basecase: ## 0:00:00 Assert failed in fifo: ap_underfill - SBY [fifo_nofullskip] engine_0.basecase: ## 0:00:00 Writing trace to VCD file: engine_0/trace.vcd - SBY [fifo_nofullskip] engine_0.basecase: ## 0:00:00 Writing trace to Verilog testbench: engine_0/trace_tb.v - SBY [fifo_nofullskip] engine_0.basecase: ## 0:00:00 Writing trace to constraints file: engine_0/trace.smtc - SBY [fifo_nofullskip] engine_0.basecase: ## 0:00:00 Status: failed + SBY [fifo_nofullskip] engine_0.basecase: ## Assert failed in fifo: a_count_diff + SBY [fifo_nofullskip] engine_0.basecase: ## Assert failed in fifo: ap_underfill + SBY [fifo_nofullskip] engine_0.basecase: ## Writing trace to VCD file: engine_0/trace.vcd + SBY [fifo_nofullskip] engine_0.basecase: ## Writing trace to Verilog testbench: engine_0/trace_tb.v + SBY [fifo_nofullskip] engine_0.basecase: ## Writing trace to constraints file: engine_0/trace.smtc + SBY [fifo_nofullskip] engine_0.basecase: ## Status: failed SBY [fifo_nofullskip] engine_0.basecase: finished (returncode=1) SBY [fifo_nofullskip] engine_0: Status returned by engine for basecase: FAIL SBY [fifo_nofullskip] engine_0.induction: terminating process @@ -181,8 +186,8 @@ Searching the file for ``w_underfill`` will reveal the below. .. code-block:: text $ grep "w_underfill" fifo_cover/logfile.txt -A 1 - SBY [fifo_cover] engine_0: ## 0:00:00 Reached cover statement at w_underfill in step 2. - SBY [fifo_cover] engine_0: ## 0:00:00 Writing trace to VCD file: engine_0/trace2.vcd + SBY [fifo_cover] engine_0: ## Reached cover statement at w_underfill in step 2. + SBY [fifo_cover] engine_0: ## Writing trace to VCD file: engine_0/trace2.vcd We can then run gtkwave with the trace file indicated to see the correct operation as in the image below. When the buffer is empty, a read with no write @@ -193,7 +198,45 @@ write addresses and avoiding underflow. .. image:: media/gtkwave_coverskip.png -For more on using the .sby file, see the :ref:`.sby reference page `. +Exercise +******** + +Adjust the ``[script]`` section of ``fifo.sby`` so that it looks like the below. + +.. code-block:: text + + [script] + nofullskip: read -define NO_FULL_SKIP=1 + read -formal fifo.sv + hierarchy -check -top fifo -chparam MAX_DATA 17 + prep -top fifo + +The ``hierarchy`` command we added changes the ``MAX_DATA`` parameter of the top +module to be 17. Now run the ``basic`` task and see what happens. It should +fail and give an error like ``Assert failed in fifo: a_count_diff``. Can you +modify the verilog code so that it works with larger values of ``MAX_DATA`` +while still passing all of the tests? + +.. note:: + + If you need a **hint**, try increasing the width of the address wires. 4 bits + supports up to :math:`2^4=16` addresses. Are there other signals that + need to be wider? Can you make the width parameterisable to support + arbitrarily large buffers? + +Once the tests are passing with ``MAX_DATA=17``, try something bigger, like 64, +or 100. Does the ``basic`` task still pass? What about ``cover``? By default, +``bmc & cover`` modes will run to a depth of 20 cycles. If a maximum of one +value can be loaded in each cycle, how many cycles will it take to load 100 +values? Using the :ref:`.sby reference page `, +try to increase the cover mode depth to be at least a few cycles larger than the +``MAX_DATA``. + +.. note:: + + Reference files are provided in the ``fifo/golden`` directory, showing how + the verilog could have been modified and how a ``bigtest`` task could be + added. Concurrent assertions ********************* @@ -223,5 +266,6 @@ requires a skip in the read address, then the read address will *not* change. Further information ******************* For more information on the uses of assertions and the difference between -immediate and concurrent assertions, refer to appnote 109: Property Checking -with SystemVerilog Assertions. +immediate and concurrent assertions, refer to appnote 109: `Property Checking +with SystemVerilog Assertions +`_. From de5b9b782175e7ada189f4c5c9357d449dc3b87f Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Fri, 1 Jul 2022 11:29:33 +1200 Subject: [PATCH 26/38] Changed phrasing to avoid confusion on witnesses --- docs/source/newstart.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/source/newstart.rst b/docs/source/newstart.rst index 2828cb6..f421fe2 100644 --- a/docs/source/newstart.rst +++ b/docs/source/newstart.rst @@ -174,10 +174,10 @@ to a higher value than the write address. .. image:: media/gtkwave_noskip.png -During correct operation, the ``w_underfill`` witness will cover the underflow +During correct operation, the ``w_underfill`` statement will cover the underflow case. Examining ``fifo_cover/logfile.txt`` will reveal which trace file -includes the witness we are looking for. If this file doesn't exist, run the -code below. +includes the cover statment we are looking for. If this file doesn't exist, run +the code below. sby fifo.sby cover From c9fbfa36841bf6608b3d218d85f54fd7040299ed Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Mon, 4 Jul 2022 10:32:55 +1200 Subject: [PATCH 27/38] Adding makefile for fifo --- docs/examples/fifo/Makefile | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 docs/examples/fifo/Makefile diff --git a/docs/examples/fifo/Makefile b/docs/examples/fifo/Makefile new file mode 100644 index 0000000..c22f5f1 --- /dev/null +++ b/docs/examples/fifo/Makefile @@ -0,0 +1,3 @@ +SUBDIR=../docs/examples/fifo +TESTDIR=../../../tests +include $(TESTDIR)/make/subdir.mk From cc27d27c0540799722e26de02d7fb6471febde0b Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Mon, 4 Jul 2022 11:53:40 +1200 Subject: [PATCH 28/38] More literalincludes Tidying up of newstart.rst and fifo.sv to include as much code as possible by reference. Should reduce repetition and make it easier if changes occur in source. --- docs/examples/fifo/fifo.sv | 71 ++++++++++++++----------------- docs/examples/fifo/golden/fifo.sv | 69 +++++++++++++----------------- docs/source/newstart.rst | 67 +++++++++++++++-------------- 3 files changed, 99 insertions(+), 108 deletions(-) diff --git a/docs/examples/fifo/fifo.sv b/docs/examples/fifo/fifo.sv index 1a32187..0a35f14 100644 --- a/docs/examples/fifo/fifo.sv +++ b/docs/examples/fifo/fifo.sv @@ -1,17 +1,14 @@ // address generator/counter -module addr_gen ( - input en, clk, rst_n, +module addr_gen +#( parameter MAX_DATA=16 +) ( input en, clk, rst_n, output reg [3:0] addr ); - parameter MAX_DATA = 16; - - initial begin - addr <= 0; - end + initial addr <= 0; // async reset // increment address when enabled - always @(posedge clk or negedge rst_n) begin + always @(posedge clk or negedge rst_n) if (~rst_n) addr <= 0; else if (en) @@ -19,52 +16,47 @@ module addr_gen ( addr <= 0; else addr <= addr + 1; - end endmodule // Define our top level fifo entity -module fifo ( - input wen, ren, clk, rst_n, +module fifo +#( parameter MAX_DATA=16 +) ( input wen, ren, clk, rst_n, input [7:0] wdata, output [7:0] rdata, output [4:0] count, output full, empty ); - parameter MAX_DATA = 16; - - // wire up our sub modules - wire [3:0] waddr, raddr; - wire wskip, rskip; - // fifo storage - // 8 bit data, fifo depth 16 / 4 bit address - // reset not defined + // async read, sync write + wire [3:0] waddr, raddr; reg [7:0] data [MAX_DATA-1:0]; - always @(posedge clk) begin + always @(posedge clk) if (wen) data[waddr] <= wdata; - end assign rdata = data[raddr]; + // end storage - addr_gen #(.MAX_DATA(MAX_DATA)) fifo_writer ( + // addr_gen for both write and read addresses + addr_gen #(.MAX_DATA(MAX_DATA)) + fifo_writer ( .en (wen || wskip), .clk (clk ), .rst_n (rst_n), .addr (waddr) ); - addr_gen #(.MAX_DATA(MAX_DATA)) fifo_reader ( + addr_gen #(.MAX_DATA(MAX_DATA)) + fifo_reader ( .en (ren || rskip), .clk (clk ), .rst_n (rst_n), .addr (raddr) ); - // internals + // status signals reg [4:0] data_count; - initial begin - data_count <= 0; - end + initial data_count <= 0; always @(posedge clk or negedge rst_n) begin if (~rst_n) @@ -79,6 +71,8 @@ module fifo ( assign empty = (data_count == 0) && rst_n; assign count = data_count; + // overflow protection + wire wskip, rskip; `ifndef NO_FULL_SKIP // write while full => overwrite oldest data, move read pointer assign rskip = wen && !ren && data_count >= MAX_DATA; @@ -116,22 +110,22 @@ module fifo ( a_oflow2: assert (waddr < MAX_DATA); // count should be equal to the difference between writer and reader address - a_count_diff: assert (count == addr_diff - || count == MAX_DATA && addr_diff == 0); + a_count_diff: assert (count == addr_diff + || count == MAX_DATA && addr_diff == 0); // count should only be able to increase or decrease by 1 a_counts: assert (count == 0 - || count == $past(count) - || count == $past(count) + 1 - || count == $past(count) - 1); + || count == $past(count) + || count == $past(count) + 1 + || count == $past(count) - 1); // read/write addresses can only increase (or stay the same) - a_raddr: assert (raddr == 0 - || raddr == $past(raddr) - || raddr == $past(raddr + 1)); - a_waddr: assert (waddr == 0 - || waddr == $past(waddr) - || waddr == $past(waddr + 1)); + a_raddr: assert (raddr == 0 + || raddr == $past(raddr) + || raddr == $past(raddr + 1)); + a_waddr: assert (waddr == 0 + || waddr == $past(waddr) + || waddr == $past(waddr + 1)); // full and empty work as expected a_full: assert (!full || full && count == MAX_DATA); @@ -165,6 +159,7 @@ module fifo ( ap_waddr3: assert property (!wen && !empty |=> $stable(waddr)); // can we corrupt our data? + // these should already be covered by ap_{r,w}addr2 ap_overfill: assert property (wen && full |=> $changed(raddr)); ap_underfill: assert property (ren && empty |=> $changed(waddr)); diff --git a/docs/examples/fifo/golden/fifo.sv b/docs/examples/fifo/golden/fifo.sv index 014563d..f92b33a 100644 --- a/docs/examples/fifo/golden/fifo.sv +++ b/docs/examples/fifo/golden/fifo.sv @@ -1,18 +1,15 @@ // address generator/counter -module addr_gen ( - input en, clk, rst_n, +module addr_gen +#( parameter MAX_DATA=16, + parameter ADDR_BITS=5 +) ( input en, clk, rst_n, output reg [ADDR_BITS-1:0] addr ); - parameter MAX_DATA = 16; - parameter ADDR_BITS = 5; - - initial begin - addr <= 0; - end + initial addr <= 0; // async reset // increment address when enabled - always @(posedge clk or negedge rst_n) begin + always @(posedge clk or negedge rst_n) if (~rst_n) addr <= 0; else if (en) @@ -20,35 +17,29 @@ module addr_gen ( addr <= 0; else addr <= addr + 1; - end endmodule // Define our top level fifo entity -module fifo ( - input wen, ren, clk, rst_n, +module fifo +#( parameter MAX_DATA=16, + parameter ADDR_BITS=5 +) ( input wen, ren, clk, rst_n, input [7:0] wdata, output [7:0] rdata, output [ADDR_BITS:0] count, output full, empty ); - parameter MAX_DATA = 16; - parameter ADDR_BITS = 5; - - // wire up our sub modules - // ADDR_BITS=5 gives 5 bits of address, [4:0] - // supporting MAX_DATA up to 2**5=32 - wire [ADDR_BITS-1:0] waddr, raddr; - wire wskip, rskip; - // fifo storage - // reset not defined + // async read, sync write + wire [3:0] waddr, raddr; reg [7:0] data [MAX_DATA-1:0]; - always @(posedge clk) begin + always @(posedge clk) if (wen) data[waddr] <= wdata; - end assign rdata = data[raddr]; + // end storage + // addr_gen for both write and read addresses addr_gen #(.MAX_DATA(MAX_DATA), .ADDR_BITS(ADDR_BITS)) fifo_writer ( .en (wen || wskip), @@ -65,11 +56,9 @@ module fifo ( .addr (raddr) ); - // internals + // status signals reg [ADDR_BITS:0] data_count; - initial begin - data_count <= 0; - end + initial data_count <= 0; always @(posedge clk or negedge rst_n) begin if (~rst_n) @@ -84,6 +73,8 @@ module fifo ( assign empty = (data_count == 0) && rst_n; assign count = data_count; + // overflow protection + wire wskip, rskip; `ifndef NO_FULL_SKIP // write while full => overwrite oldest data, move read pointer assign rskip = wen && !ren && data_count >= MAX_DATA; @@ -121,22 +112,22 @@ module fifo ( a_oflow2: assert (waddr < MAX_DATA); // count should be equal to the difference between writer and reader address - a_count_diff: assert (count == addr_diff - || count == MAX_DATA && addr_diff == 0); + a_count_diff: assert (count == addr_diff + || count == MAX_DATA && addr_diff == 0); // count should only be able to increase or decrease by 1 a_counts: assert (count == 0 - || count == $past(count) - || count == $past(count) + 1 - || count == $past(count) - 1); + || count == $past(count) + || count == $past(count) + 1 + || count == $past(count) - 1); // read/write addresses can only increase (or stay the same) - a_raddr: assert (raddr == 0 - || raddr == $past(raddr) - || raddr == $past(raddr + 1)); - a_waddr: assert (waddr == 0 - || waddr == $past(waddr) - || waddr == $past(waddr + 1)); + a_raddr: assert (raddr == 0 + || raddr == $past(raddr) + || raddr == $past(raddr + 1)); + a_waddr: assert (waddr == 0 + || waddr == $past(waddr) + || waddr == $past(waddr + 1)); // full and empty work as expected a_full: assert (!full || full && count == MAX_DATA); diff --git a/docs/source/newstart.rst b/docs/source/newstart.rst index f421fe2..214a3af 100644 --- a/docs/source/newstart.rst +++ b/docs/source/newstart.rst @@ -33,7 +33,8 @@ First, the address generator module: .. literalinclude:: ../examples/fifo/fifo.sv :language: systemverilog - :lines: 1-23 + :start-at: address generator + :end-at: endmodule This module is instantiated twice; once for the write address and once for the read address. In both cases, the address will start at and reset to 0, and will @@ -45,7 +46,9 @@ Next, the register file: .. literalinclude:: ../examples/fifo/fifo.sv :language: systemverilog - :lines: 39-47 + :start-at: fifo storage + :end-before: end storage + :dedent: Notice that this register design includes a synchronous write and asynchronous read. Each word is 8 bits, and up to 16 words can be stored in the buffer. @@ -58,9 +61,11 @@ satisfy. For example, there must never be more than there is memory available. By assigning a signal to count the number of values in the buffer, we can make the following assertion in the code: -.. code-block:: systemverilog - - a_oflow: assert (count <= MAX_DATA); +.. literalinclude:: ../examples/fifo/fifo.sv + :language: systemverilog + :start-at: a_oflow + :end-at: ; + :dedent: It is also possible to use the prior value of a signal for comparison. This can be used, for example, to ensure that the count is only able to increase or @@ -69,12 +74,11 @@ decrease by 1. A case must be added to handle resetting the count directly to code; at least one of these conditions must be true at all times if our design is to be correct. -.. code-block:: systemverilog - - a_counts: assert (count == 0 - || count == $past(count) - || count == $past(count) + 1 - || count == $past(count) - 1); +.. literalinclude:: ../examples/fifo/fifo.sv + :language: systemverilog + :start-at: a_counts + :end-at: ; + :dedent: As our count signal is used independently of the read and write pointers, we must verify that the count is always correct. While the write pointer will @@ -83,14 +87,17 @@ means that the write *address* could wrap around and appear *less than* the read address. So we must first perform some simple arithmetic to find the absolute difference in addresses, and then compare with the count signal. -.. code-block:: systemverilog +.. literalinclude:: ../examples/fifo/fifo.sv + :language: systemverilog + :start-at: assign addr_diff + :end-at: ; + :dedent: - assign addr_diff = waddr >= raddr - ? waddr - raddr - : waddr + MAX_DATA - raddr; - - a_count_diff: assert (count == addr_diff - || count == MAX_DATA && addr_diff == 0); +.. literalinclude:: ../examples/fifo/fifo.sv + :language: systemverilog + :start-at: a_count_diff + :end-at: ; + :dedent: SymbiYosys ********** @@ -130,14 +137,11 @@ to the ``a_count_diff`` assertion failing. Without this assertion, there is no guarantee that data will be read in the same order it was written should an overflow occur and the oldest data be written. -.. code-block:: systemverilog - - `ifndef NO_FULL_SKIP - // write while full => overwrite oldest data, move read pointer - assign rskip = wen && !ren && data_count >= MAX_DATA; - // read while empty => read invalid data, keep write pointer in sync - assign wskip = ren && !wen && data_count == 0; - `endif // NO_FULL_SKIP +.. literalinclude:: ../examples/fifo/fifo.sv + :language: systemverilog + :start-at: NO_FULL_SKIP + :end-at: endif + :lines: 1-5,9 The last few lines of output for the noskip task should be similar to the following: @@ -257,11 +261,12 @@ increment or remain the same we do not need to specify that here. We can also assert that if the enable is low, and the buffer is not full and potentially requires a skip in the read address, then the read address will *not* change. -.. code-block:: systemverilog - - ap_raddr2: assert property (ren |=> $changed(raddr)); - ap_raddr3: assert property (!ren && !full |=> $stable(raddr)); - +.. literalinclude:: ../examples/fifo/fifo.sv + :language: systemverilog + :start-at: ap_raddr2 + :end-at: ap_raddr3 + :dedent: + :lines: 1,5 Further information ******************* From ed9b291d2becc9d8bfa21588fbc6da34de188e34 Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Mon, 1 Aug 2022 20:36:19 +1200 Subject: [PATCH 29/38] Remove redundancies in certain logic checks A | A' === True, A | (A' & B) === A | B --- docs/examples/fifo/fifo.sv | 11 ++++++----- docs/examples/fifo/golden/fifo.sv | 17 +++-------------- 2 files changed, 9 insertions(+), 19 deletions(-) diff --git a/docs/examples/fifo/fifo.sv b/docs/examples/fifo/fifo.sv index 0a35f14..15522b8 100644 --- a/docs/examples/fifo/fifo.sv +++ b/docs/examples/fifo/fifo.sv @@ -96,7 +96,7 @@ module fifo init <= 1; // if init is low we don't care about the value of rst_n // if init is high (rst_n has ben high), then rst_n must remain high - assume (!init || init && rst_n); + assume (!init || rst_n); end // tests @@ -128,9 +128,9 @@ module fifo || waddr == $past(waddr + 1)); // full and empty work as expected - a_full: assert (!full || full && count == MAX_DATA); + a_full: assert (!full || count == MAX_DATA); w_full: cover (wen && !ren && count == MAX_DATA-1); - a_empty: assert (!empty || empty && count == 0); + a_empty: assert (!empty || count == 0); w_empty: cover (ren && !wen && count == 1); // can we corrupt our data? @@ -165,8 +165,9 @@ module fifo // change data when writing (and only when writing) so we can line // up reads with writes - assume property (wen |=> $changed(wdata)); - assume property (!wen |=> $stable(wdata)); + //TODO: this but with a cover statement + // assume property (wen |=> $changed(wdata)); + // assume property (!wen |=> $stable(wdata)); end end `else // !VERIFIC diff --git a/docs/examples/fifo/golden/fifo.sv b/docs/examples/fifo/golden/fifo.sv index f92b33a..18eb984 100644 --- a/docs/examples/fifo/golden/fifo.sv +++ b/docs/examples/fifo/golden/fifo.sv @@ -98,7 +98,7 @@ module fifo init <= 1; // if init is low we don't care about the value of rst_n // if init is high (rst_n has ben high), then rst_n must remain high - assume (!init || init && rst_n); + assume (!init || rst_n); end // tests @@ -130,9 +130,9 @@ module fifo || waddr == $past(waddr + 1)); // full and empty work as expected - a_full: assert (!full || full && count == MAX_DATA); + a_full: assert (!full || count == MAX_DATA); w_full: cover (wen && !ren && count == MAX_DATA-1); - a_empty: assert (!empty || empty && count == 0); + a_empty: assert (!empty || count == 0); w_empty: cover (ren && !wen && count == 1); // can we corrupt our data? @@ -163,19 +163,8 @@ module fifo // can we corrupt our data? ap_overfill: assert property (wen && full |=> $changed(raddr)); ap_underfill: assert property (ren && empty |=> $changed(waddr)); - - // change data when writing (and only when writing) so we can line - // up reads with writes - assume property (wen |=> $changed(wdata)); - assume property (!wen |=> $stable(wdata)); end end -`else // !VERIFIC - // without verific we are more limited in describing the above assumption - always @(posedge clk) begin - assume ((wen && wdata != $past(wdata)) - || (!wen && wdata == $past(wdata))); - end `endif // VERIFIC `endif // FORMAL From b2d0368e2680962419fdc9314f3987a84601ef90 Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Mon, 1 Aug 2022 22:06:03 +1200 Subject: [PATCH 30/38] Testing fifo things in CI Turns out the bigtest golden ref is failing a_count_diff, need to fix that before removing the default statement. Base example code is fine. New shell script to run default case and then nofullskip. Expects returncode=2 after running nofullskip. --- docs/examples/fifo/fifo.sh | 8 ++++++++ docs/examples/fifo/golden/fifo.sby | 1 + 2 files changed, 9 insertions(+) create mode 100644 docs/examples/fifo/fifo.sh diff --git a/docs/examples/fifo/fifo.sh b/docs/examples/fifo/fifo.sh new file mode 100644 index 0000000..adfe6d2 --- /dev/null +++ b/docs/examples/fifo/fifo.sh @@ -0,0 +1,8 @@ +#!/bin/bash + +python3 $SBY_MAIN -f fifo.sby && python3 $SBY_MAIN -f fifo.sby nofullskip + +if [[ $? -ne 2 ]] ; then + echo "Unexpected result" + exit 1 +fi diff --git a/docs/examples/fifo/golden/fifo.sby b/docs/examples/fifo/golden/fifo.sby index d94789c..605307b 100644 --- a/docs/examples/fifo/golden/fifo.sby +++ b/docs/examples/fifo/golden/fifo.sby @@ -17,6 +17,7 @@ mode bmc -- bigtest: depth 120 ~bigtest: depth 10 +nofullskip: expect fail [engines] smtbmc boolector From 93d8ef966323bf00c734704f0e4edc14f8a85be4 Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Tue, 2 Aug 2022 10:12:33 +1200 Subject: [PATCH 31/38] Fixed bigtest Accidentally broke it in cc27d27 (this is why regular testing is important). --- docs/examples/fifo/golden/fifo.sby | 1 - docs/examples/fifo/golden/fifo.sv | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/examples/fifo/golden/fifo.sby b/docs/examples/fifo/golden/fifo.sby index 605307b..824f359 100644 --- a/docs/examples/fifo/golden/fifo.sby +++ b/docs/examples/fifo/golden/fifo.sby @@ -3,7 +3,6 @@ basic bmc nofullskip prove cover bigtest cover -basic cover : default [options] cover: diff --git a/docs/examples/fifo/golden/fifo.sv b/docs/examples/fifo/golden/fifo.sv index 18eb984..2ef5cca 100644 --- a/docs/examples/fifo/golden/fifo.sv +++ b/docs/examples/fifo/golden/fifo.sv @@ -31,7 +31,7 @@ module fifo ); // fifo storage // async read, sync write - wire [3:0] waddr, raddr; + wire [ADDR_BITS-1:0] waddr, raddr; reg [7:0] data [MAX_DATA-1:0]; always @(posedge clk) if (wen) From a76286ed3448e6e9c58f805f78afda3896cf91cd Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Tue, 2 Aug 2022 10:28:06 +1200 Subject: [PATCH 32/38] Check output of fifo.sby False positive exit 0 if fifo.sby was giving returncode=2. --- docs/examples/fifo/fifo.sh | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/docs/examples/fifo/fifo.sh b/docs/examples/fifo/fifo.sh index adfe6d2..74f05c1 100644 --- a/docs/examples/fifo/fifo.sh +++ b/docs/examples/fifo/fifo.sh @@ -1,8 +1,13 @@ #!/bin/bash -python3 $SBY_MAIN -f fifo.sby && python3 $SBY_MAIN -f fifo.sby nofullskip +python3 $SBY_MAIN -f fifo.sby -if [[ $? -ne 2 ]] ; then - echo "Unexpected result" +if [[ $? -ne 0 ]] ; then + exit 1 +fi + +python3 $SBY_MAIN -f fifo.sby nofullskip + +if [[ $? -ne 2 ]] ; then exit 1 fi From cfa4352bae6352df8428d9dfff7d9b3b7d359b46 Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Tue, 2 Aug 2022 12:11:09 +1200 Subject: [PATCH 33/38] Changes to reset Active high. Removed init. Better over/underfill cover properties for verific. Moved basic cover statement to only be used when there is no verific. Other general tidy up. Also updated/fixed a couple minor things in newstart.rst. --- docs/examples/fifo/fifo.sv | 100 +++++++++++++----------------- docs/examples/fifo/golden/fifo.sv | 93 +++++++++++++-------------- docs/source/newstart.rst | 13 ++-- 3 files changed, 97 insertions(+), 109 deletions(-) diff --git a/docs/examples/fifo/fifo.sv b/docs/examples/fifo/fifo.sv index 15522b8..9beafdf 100644 --- a/docs/examples/fifo/fifo.sv +++ b/docs/examples/fifo/fifo.sv @@ -1,32 +1,36 @@ // address generator/counter module addr_gen #( parameter MAX_DATA=16 -) ( input en, clk, rst_n, +) ( input en, clk, rst, output reg [3:0] addr ); initial addr <= 0; // async reset // increment address when enabled - always @(posedge clk or negedge rst_n) - if (~rst_n) + always @(posedge clk or posedge rst) + if (rst) addr <= 0; - else if (en) + else if (en) begin if (addr == MAX_DATA-1) addr <= 0; else addr <= addr + 1; + end endmodule // Define our top level fifo entity module fifo #( parameter MAX_DATA=16 -) ( input wen, ren, clk, rst_n, +) ( input wen, ren, clk, rst, input [7:0] wdata, output [7:0] rdata, output [4:0] count, output full, empty ); + wire wskip, rskip; + reg [4:0] data_count; + // fifo storage // async read, sync write wire [3:0] waddr, raddr; @@ -42,7 +46,7 @@ module fifo fifo_writer ( .en (wen || wskip), .clk (clk ), - .rst_n (rst_n), + .rst (rst), .addr (waddr) ); @@ -50,16 +54,15 @@ module fifo fifo_reader ( .en (ren || rskip), .clk (clk ), - .rst_n (rst_n), + .rst (rst), .addr (raddr) ); // status signals - reg [4:0] data_count; initial data_count <= 0; - always @(posedge clk or negedge rst_n) begin - if (~rst_n) + always @(posedge clk or posedge rst) begin + if (rst) data_count <= 0; else if (wen && !ren && data_count < MAX_DATA) data_count <= data_count + 1; @@ -68,11 +71,10 @@ module fifo end assign full = data_count == MAX_DATA; - assign empty = (data_count == 0) && rst_n; + assign empty = (data_count == 0) && ~rst; assign count = data_count; // overflow protection - wire wskip, rskip; `ifndef NO_FULL_SKIP // write while full => overwrite oldest data, move read pointer assign rskip = wen && !ren && data_count >= MAX_DATA; @@ -90,19 +92,10 @@ module fifo ? waddr - raddr : waddr + MAX_DATA - raddr; - reg init = 0; - always @(posedge clk) begin - if (rst_n) - init <= 1; - // if init is low we don't care about the value of rst_n - // if init is high (rst_n has ben high), then rst_n must remain high - assume (!init || rst_n); - end - // tests always @(posedge clk) begin - if (rst_n) begin - // waddr and raddr can only be non zero if reset is high + if (~rst) begin + // waddr and raddr can only be non zero if reset is low w_nreset: cover (waddr || raddr); // count never more than max @@ -132,49 +125,44 @@ module fifo w_full: cover (wen && !ren && count == MAX_DATA-1); a_empty: assert (!empty || count == 0); w_empty: cover (ren && !wen && count == 1); - - // can we corrupt our data? - w_overfill: cover ($past(rskip) && raddr); - w_underfill: cover ($past(wskip) && waddr); - end else begin - // waddr and raddr are zero while reset is low - a_reset: assert (!waddr && !raddr); - w_reset: cover (~rst_n); - // outputs are zero while reset is low + // reading/writing non zero values + w_nzero_write: cover (wen && wdata); + w_nzero_read: cover (ren && rdata); + end else begin + // waddr and raddr are zero while reset is high + a_reset: assert (!waddr && !raddr); + w_reset: cover (rst); + + // outputs are zero while reset is high a_zero_out: assert (!empty && !full && !count); end end `ifdef VERIFIC // if we have verific we can also do the following additional tests - always @(posedge clk) begin - if (rst_n) begin - // read/write enables enable - ap_raddr2: assert property (ren |=> $changed(raddr)); - ap_waddr2: assert property (wen |=> $changed(waddr)); + // read/write enables enable + ap_raddr2: assert property (@(posedge clk) disable iff (rst) ren |=> $changed(raddr)); + ap_waddr2: assert property (@(posedge clk) disable iff (rst) wen |=> $changed(waddr)); - // read/write needs enable UNLESS full/empty - ap_raddr3: assert property (!ren && !full |=> $stable(raddr)); - ap_waddr3: assert property (!wen && !empty |=> $stable(waddr)); - - // can we corrupt our data? - // these should already be covered by ap_{r,w}addr2 - ap_overfill: assert property (wen && full |=> $changed(raddr)); - ap_underfill: assert property (ren && empty |=> $changed(waddr)); - - // change data when writing (and only when writing) so we can line - // up reads with writes - //TODO: this but with a cover statement - // assume property (wen |=> $changed(wdata)); - // assume property (!wen |=> $stable(wdata)); - end - end + // read/write needs enable UNLESS full/empty + ap_raddr3: assert property (@(posedge clk) disable iff (rst) !ren && !full |=> $stable(raddr)); + ap_waddr3: assert property (@(posedge clk) disable iff (rst) !wen && !empty |=> $stable(waddr)); + + // can we corrupt our data? + w_underfill: cover property (@(posedge clk) disable iff (rst) !wen |=> $changed(waddr)); + // look for an overfill where the value in memory changes + let d_change = (wdata != rdata); + w_overfill: cover property (@(posedge clk) disable iff (rst) !ren && d_change |=> $changed(raddr)); `else // !VERIFIC - // without verific we are more limited in describing the above assumption always @(posedge clk) begin - assume ((wen && wdata != $past(wdata)) - || (!wen && wdata == $past(wdata))); + if (~rst) begin + // this is less reliable because $past() can sometimes give false + // positives in the first cycle + w_overfill: cover ($past(rskip) && raddr); + w_underfill: cover ($past(wskip) && waddr); + + end end `endif // VERIFIC diff --git a/docs/examples/fifo/golden/fifo.sv b/docs/examples/fifo/golden/fifo.sv index 2ef5cca..194db62 100644 --- a/docs/examples/fifo/golden/fifo.sv +++ b/docs/examples/fifo/golden/fifo.sv @@ -2,33 +2,37 @@ module addr_gen #( parameter MAX_DATA=16, parameter ADDR_BITS=5 -) ( input en, clk, rst_n, +) ( input en, clk, rst, output reg [ADDR_BITS-1:0] addr ); initial addr <= 0; // async reset // increment address when enabled - always @(posedge clk or negedge rst_n) - if (~rst_n) + always @(posedge clk or posedge rst) + if (rst) addr <= 0; - else if (en) + else if (en) begin if (addr == MAX_DATA-1) addr <= 0; else addr <= addr + 1; + end endmodule // Define our top level fifo entity module fifo #( parameter MAX_DATA=16, parameter ADDR_BITS=5 -) ( input wen, ren, clk, rst_n, +) ( input wen, ren, clk, rst, input [7:0] wdata, output [7:0] rdata, output [ADDR_BITS:0] count, output full, empty ); + wire wskip, rskip; + reg [ADDR_BITS:0] data_count; + // fifo storage // async read, sync write wire [ADDR_BITS-1:0] waddr, raddr; @@ -44,7 +48,7 @@ module fifo fifo_writer ( .en (wen || wskip), .clk (clk ), - .rst_n (rst_n), + .rst (rst), .addr (waddr) ); @@ -52,16 +56,15 @@ module fifo fifo_reader ( .en (ren || rskip), .clk (clk ), - .rst_n (rst_n), + .rst (rst), .addr (raddr) ); // status signals - reg [ADDR_BITS:0] data_count; initial data_count <= 0; - always @(posedge clk or negedge rst_n) begin - if (~rst_n) + always @(posedge clk or posedge rst) begin + if (rst) data_count <= 0; else if (wen && !ren && data_count < MAX_DATA) data_count <= data_count + 1; @@ -70,11 +73,10 @@ module fifo end assign full = data_count == MAX_DATA; - assign empty = (data_count == 0) && rst_n; + assign empty = (data_count == 0) && ~rst; assign count = data_count; // overflow protection - wire wskip, rskip; `ifndef NO_FULL_SKIP // write while full => overwrite oldest data, move read pointer assign rskip = wen && !ren && data_count >= MAX_DATA; @@ -89,22 +91,13 @@ module fifo // observers wire [ADDR_BITS:0] addr_diff; assign addr_diff = waddr >= raddr - ? waddr - raddr - : waddr + MAX_DATA - raddr; - - reg init = 0; - always @(posedge clk) begin - if (rst_n) - init <= 1; - // if init is low we don't care about the value of rst_n - // if init is high (rst_n has ben high), then rst_n must remain high - assume (!init || rst_n); - end + ? waddr - raddr + : waddr + MAX_DATA - raddr; // tests always @(posedge clk) begin - if (rst_n) begin - // waddr and raddr can only be non zero if reset is high + if (~rst) begin + // waddr and raddr can only be non zero if reset is low w_nreset: cover (waddr || raddr); // count never more than max @@ -134,35 +127,43 @@ module fifo w_full: cover (wen && !ren && count == MAX_DATA-1); a_empty: assert (!empty || count == 0); w_empty: cover (ren && !wen && count == 1); - - // can we corrupt our data? - w_overfill: cover ($past(rskip) && raddr); - w_underfill: cover ($past(wskip) && waddr); - end else begin - // waddr and raddr are zero while reset is low - a_reset: assert (!waddr && !raddr); - w_reset: cover (~rst_n); - // outputs are zero while reset is low + // reading/writing non zero values + w_nzero_write: cover (wen && wdata); + w_nzero_read: cover (ren && rdata); + end else begin + // waddr and raddr are zero while reset is high + a_reset: assert (!waddr && !raddr); + w_reset: cover (rst); + + // outputs are zero while reset is high a_zero_out: assert (!empty && !full && !count); end end `ifdef VERIFIC // if we have verific we can also do the following additional tests - always @(posedge clk) begin - if (rst_n) begin - // read/write enables enable - ap_raddr2: assert property (ren |=> $changed(raddr)); - ap_waddr2: assert property (wen |=> $changed(waddr)); + // read/write enables enable + ap_raddr2: assert property (@(posedge clk) disable iff (rst) ren |=> $changed(raddr)); + ap_waddr2: assert property (@(posedge clk) disable iff (rst) wen |=> $changed(waddr)); + + // read/write needs enable UNLESS full/empty + ap_raddr3: assert property (@(posedge clk) disable iff (rst) !ren && !full |=> $stable(raddr)); + ap_waddr3: assert property (@(posedge clk) disable iff (rst) !wen && !empty |=> $stable(waddr)); + + // can we corrupt our data? + w_underfill: cover property (@(posedge clk) disable iff (rst) !wen |=> $changed(waddr)); + // look for an overfill where the value in memory changes + let d_change = (wdata != rdata); + w_overfill: cover property (@(posedge clk) disable iff (rst) !ren && d_change |=> $changed(raddr)); +`else // !VERIFIC + always @(posedge clk) begin + if (~rst) begin + // this is less reliable because $past() can sometimes give false + // positives in the first cycle + w_overfill: cover ($past(rskip) && raddr); + w_underfill: cover ($past(wskip) && waddr); - // read/write needs enable UNLESS full/empty - ap_raddr3: assert property (!ren && !full |=> $stable(raddr)); - ap_waddr3: assert property (!wen && !empty |=> $stable(waddr)); - - // can we corrupt our data? - ap_overfill: assert property (wen && full |=> $changed(raddr)); - ap_underfill: assert property (ren && empty |=> $changed(waddr)); end end `endif // VERIFIC diff --git a/docs/source/newstart.rst b/docs/source/newstart.rst index 214a3af..98468ae 100644 --- a/docs/source/newstart.rst +++ b/docs/source/newstart.rst @@ -131,7 +131,7 @@ adjustments to code and rerunning tests to validate. sby -f fifo.sby nofullskip -The noskip task disables the code shown below. Because the count signal has +The nofullskip task disables the code shown below. Because the count signal has been written such that it cannot exceed MAX_DATA, removing this code will lead to the ``a_count_diff`` assertion failing. Without this assertion, there is no guarantee that data will be read in the same order it was written should an @@ -143,13 +143,12 @@ overflow occur and the oldest data be written. :end-at: endif :lines: 1-5,9 -The last few lines of output for the noskip task should be similar to the +The last few lines of output for the nofullskip task should be similar to the following: .. code-block:: text SBY [fifo_nofullskip] engine_0.basecase: ## Assert failed in fifo: a_count_diff - SBY [fifo_nofullskip] engine_0.basecase: ## Assert failed in fifo: ap_underfill SBY [fifo_nofullskip] engine_0.basecase: ## Writing trace to VCD file: engine_0/trace.vcd SBY [fifo_nofullskip] engine_0.basecase: ## Writing trace to Verilog testbench: engine_0/trace_tb.v SBY [fifo_nofullskip] engine_0.basecase: ## Writing trace to constraints file: engine_0/trace.smtc @@ -162,7 +161,7 @@ following: SBY [fifo_nofullskip] summary: engine_0 (smtbmc boolector) returned FAIL for basecase SBY [fifo_nofullskip] summary: counterexample trace: fifo_nofullskip/engine_0/trace.vcd SBY [fifo_nofullskip] DONE (FAIL, rc=2) - SBY The following tasks failed: ['noskip'] + SBY The following tasks failed: ['nofullskip'] Using the ``noskip.gtkw`` file provided, use the below command to examine the error trace. @@ -189,16 +188,16 @@ Searching the file for ``w_underfill`` will reveal the below. .. code-block:: text - $ grep "w_underfill" fifo_cover/logfile.txt -A 1 + $ grep "w_underfill" fifo_cover/logfile.txt -A 2 SBY [fifo_cover] engine_0: ## Reached cover statement at w_underfill in step 2. - SBY [fifo_cover] engine_0: ## Writing trace to VCD file: engine_0/trace2.vcd + SBY [fifo_cover] engine_0: ## Writing trace to VCD file: engine_0/trace4.vcd We can then run gtkwave with the trace file indicated to see the correct operation as in the image below. When the buffer is empty, a read with no write will result in the ``wksip`` signal going high, incrementing *both* read and write addresses and avoiding underflow. - gtkwave fifo_cover/engine_0/trace2.vcd noskip.gtkw + gtkwave fifo_cover/engine_0/trace4.vcd noskip.gtkw .. image:: media/gtkwave_coverskip.png From ad8730fa44e73cb7b6f9566873db71228ca60e30 Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Mon, 8 Aug 2022 21:30:31 +1200 Subject: [PATCH 34/38] Fix typo --- docs/source/newstart.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/newstart.rst b/docs/source/newstart.rst index 98468ae..79604f7 100644 --- a/docs/source/newstart.rst +++ b/docs/source/newstart.rst @@ -229,7 +229,7 @@ while still passing all of the tests? Once the tests are passing with ``MAX_DATA=17``, try something bigger, like 64, or 100. Does the ``basic`` task still pass? What about ``cover``? By default, -``bmc & cover`` modes will run to a depth of 20 cycles. If a maximum of one +``bmc`` & ``cover`` modes will run to a depth of 20 cycles. If a maximum of one value can be loaded in each cycle, how many cycles will it take to load 100 values? Using the :ref:`.sby reference page `, try to increase the cover mode depth to be at least a few cycles larger than the From 1d4716a5f9e701814dad0d928b753b7d752f83b6 Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Tue, 9 Aug 2022 11:29:19 +1200 Subject: [PATCH 35/38] Add noverific task to test the non verific code Mostly for CI to ensure fallback code still functions as intended.a Also reverted the change in the grep command to 1 line after. --- docs/examples/fifo/fifo.sby | 2 ++ docs/examples/fifo/fifo.sh | 2 +- docs/examples/fifo/golden/fifo.sby | 2 ++ docs/source/newstart.rst | 4 +++- 4 files changed, 8 insertions(+), 2 deletions(-) diff --git a/docs/examples/fifo/fifo.sby b/docs/examples/fifo/fifo.sby index 22ebcdd..4ca4bc6 100644 --- a/docs/examples/fifo/fifo.sby +++ b/docs/examples/fifo/fifo.sby @@ -2,6 +2,7 @@ basic bmc nofullskip prove cover +noverific cover basic cover : default [options] @@ -20,6 +21,7 @@ smtbmc boolector [script] nofullskip: read -define NO_FULL_SKIP=1 +noverific: read -noverific read -formal fifo.sv prep -top fifo diff --git a/docs/examples/fifo/fifo.sh b/docs/examples/fifo/fifo.sh index 74f05c1..1024222 100644 --- a/docs/examples/fifo/fifo.sh +++ b/docs/examples/fifo/fifo.sh @@ -1,6 +1,6 @@ #!/bin/bash -python3 $SBY_MAIN -f fifo.sby +python3 $SBY_MAIN -f fifo.sby basic cover noverific if [[ $? -ne 0 ]] ; then exit 1 diff --git a/docs/examples/fifo/golden/fifo.sby b/docs/examples/fifo/golden/fifo.sby index 824f359..10f2d85 100644 --- a/docs/examples/fifo/golden/fifo.sby +++ b/docs/examples/fifo/golden/fifo.sby @@ -2,6 +2,7 @@ basic bmc nofullskip prove cover +noverific cover bigtest cover [options] @@ -23,6 +24,7 @@ smtbmc boolector [script] nofullskip: read -define NO_FULL_SKIP=1 +noverific: read -noverific read -formal fifo.sv bigtest: hierarchy -check -top fifo -chparam MAX_DATA 100 -chparam ADDR_BITS 7 ~bigtest: hierarchy -check -top fifo -chparam MAX_DATA 5 -chparam ADDR_BITS 3 diff --git a/docs/source/newstart.rst b/docs/source/newstart.rst index 79604f7..9792bd8 100644 --- a/docs/source/newstart.rst +++ b/docs/source/newstart.rst @@ -114,6 +114,7 @@ verification. **cover** Cover mode (testing cover statements). + The use of the ``:default`` tag indicates that by default, basic and cover should be run if no tasks are specified, such as when running the command below. @@ -188,7 +189,7 @@ Searching the file for ``w_underfill`` will reveal the below. .. code-block:: text - $ grep "w_underfill" fifo_cover/logfile.txt -A 2 + $ grep "w_underfill" fifo_cover/logfile.txt -A 1 SBY [fifo_cover] engine_0: ## Reached cover statement at w_underfill in step 2. SBY [fifo_cover] engine_0: ## Writing trace to VCD file: engine_0/trace4.vcd @@ -210,6 +211,7 @@ Adjust the ``[script]`` section of ``fifo.sby`` so that it looks like the below. [script] nofullskip: read -define NO_FULL_SKIP=1 + noverific: read -noverific read -formal fifo.sv hierarchy -check -top fifo -chparam MAX_DATA 17 prep -top fifo From d6d7119cd5edd99aa494b6df5d042db2ba4249ea Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Tue, 9 Aug 2022 11:33:29 +1200 Subject: [PATCH 36/38] Rewrite of non verific underfill/overfill w_underfill should provide identical results regardless of whether or not Verific is used. w_overfill doesn't have the extra check for prettiness without Verific because I'm too lazy to do it. Replaced $past function with past_nwen register to ensure correct operation. Expanded w_underfill under Verific to use a property block to more easily compare the two versions side by side. Changed Concurrent assertions section of doc to compare the two implementations of w_underfill. Should provide a better example for why using verific makes it easier. --- docs/examples/fifo/fifo.sv | 50 ++++++++++++++++++++------- docs/examples/fifo/golden/fifo.sv | 49 ++++++++++++++++++++------- docs/source/newstart.rst | 56 ++++++++++++++++++++++++------- 3 files changed, 118 insertions(+), 37 deletions(-) diff --git a/docs/examples/fifo/fifo.sv b/docs/examples/fifo/fifo.sv index 9beafdf..ba4d8e7 100644 --- a/docs/examples/fifo/fifo.sv +++ b/docs/examples/fifo/fifo.sv @@ -149,19 +149,45 @@ module fifo ap_raddr3: assert property (@(posedge clk) disable iff (rst) !ren && !full |=> $stable(raddr)); ap_waddr3: assert property (@(posedge clk) disable iff (rst) !wen && !empty |=> $stable(waddr)); - // can we corrupt our data? - w_underfill: cover property (@(posedge clk) disable iff (rst) !wen |=> $changed(waddr)); - // look for an overfill where the value in memory changes - let d_change = (wdata != rdata); - w_overfill: cover property (@(posedge clk) disable iff (rst) !ren && d_change |=> $changed(raddr)); -`else // !VERIFIC - always @(posedge clk) begin - if (~rst) begin - // this is less reliable because $past() can sometimes give false - // positives in the first cycle - w_overfill: cover ($past(rskip) && raddr); - w_underfill: cover ($past(wskip) && waddr); + // use block formatting for w_underfill so it's easier to describe in docs + // and is more readily comparable with the non SVA implementation + property write_skip; + @(posedge clk) disable iff (rst) + !wen |=> $changed(waddr); + endproperty + w_underfill: cover property (write_skip); + // look for an overfill where the value in memory changes + // the change in data makes certain that the value is overriden + let d_change = (wdata != rdata); + property read_skip; + @(posedge clk) disable iff (rst) + !ren && d_change |=> $changed(raddr); + endproperty + w_overfill: cover property (read_skip); +`else // !VERIFIC + // implementing w_underfill without properties + // can't use !$past(wen) since it will always trigger in the first cycle + reg past_nwen; + initial past_nwen <= 0; + always @(posedge clk) begin + if (rst) past_nwen <= 0; + if (!rst) begin + w_underfill: cover (past_nwen && $changed(waddr)); + past_nwen <= !wen; + end + end + // end w_underfill + + // w_overfill does the same, but has been separated so that w_underfill + // can be included in the docs more cleanly + reg past_nren; + initial past_nren <= 0; + always @(posedge clk) begin + if (rst) past_nren <= 0; + if (!rst) begin + w_overfill: cover (past_nren && $changed(raddr)); + past_nren <= !ren; end end `endif // VERIFIC diff --git a/docs/examples/fifo/golden/fifo.sv b/docs/examples/fifo/golden/fifo.sv index 194db62..1d44dae 100644 --- a/docs/examples/fifo/golden/fifo.sv +++ b/docs/examples/fifo/golden/fifo.sv @@ -151,19 +151,44 @@ module fifo ap_raddr3: assert property (@(posedge clk) disable iff (rst) !ren && !full |=> $stable(raddr)); ap_waddr3: assert property (@(posedge clk) disable iff (rst) !wen && !empty |=> $stable(waddr)); - // can we corrupt our data? - w_underfill: cover property (@(posedge clk) disable iff (rst) !wen |=> $changed(waddr)); - // look for an overfill where the value in memory changes - let d_change = (wdata != rdata); - w_overfill: cover property (@(posedge clk) disable iff (rst) !ren && d_change |=> $changed(raddr)); -`else // !VERIFIC - always @(posedge clk) begin - if (~rst) begin - // this is less reliable because $past() can sometimes give false - // positives in the first cycle - w_overfill: cover ($past(rskip) && raddr); - w_underfill: cover ($past(wskip) && waddr); + // use block formatting for w_underfill so it's easier to describe in docs + // and is more readily comparable with the non SVA implementation + property write_skip; + @(posedge clk) disable iff (rst) + !wen |=> $changed(waddr); + endproperty + w_underfill: cover property (write_skip); + // look for an overfill where the value in memory changes + // the change in data makes certain that the value is overriden + property read_skip; + @(posedge clk) disable iff (rst) + !ren && d_change |=> $changed(raddr); + endproperty + w_overfill: cover property (read_skip); +`else // !VERIFIC + // implementing w_underfill without properties + // can't use !$past(wen) since it will always trigger in the first cycle + reg past_nwen; + initial past_nwen <= 0; + always @(posedge clk) begin + if (rst) past_nwen <= 0; + if (!rst) begin + w_underfill: cover (past_nwen && $changed(waddr)); + past_nwen <= !wen; + end + end + // end w_underfill + + // w_overfill does the same, but has been separated so that w_underfill + // can be included in the docs more cleanly + reg past_nren; + initial past_nren <= 0; + always @(posedge clk) begin + if (rst) past_nren <= 0; + if (!rst) begin + w_overfill: cover (past_nren && $changed(raddr)); + past_nren <= !ren; end end `endif // VERIFIC diff --git a/docs/source/newstart.rst b/docs/source/newstart.rst index 9792bd8..6b4c1ef 100644 --- a/docs/source/newstart.rst +++ b/docs/source/newstart.rst @@ -114,6 +114,8 @@ verification. **cover** Cover mode (testing cover statements). +**noverific** + Test fallback to default Verilog frontend. The use of the ``:default`` tag indicates that by default, basic and cover should be run if no tasks are specified, such as when running the command below. @@ -202,6 +204,12 @@ write addresses and avoiding underflow. .. image:: media/gtkwave_coverskip.png +.. note:: + + Implementation of the ``w_underfill`` cover statement depends on whether + Verific is used or not. See the `Concurrent assertions`_ section for more + detail. + Exercise ******** @@ -250,24 +258,46 @@ Until this point, all of the properties described have been *immediate* assertions. As the name suggests, immediate assertions are evaluated immediately whereas concurrent assertions allow for the capture of sequences of events which occur across time. The use of concurrent assertions requires a -more advanced series of checks. Using a parser such as Verific supports these -checks *without* having to write out potentially complicated state machines. -Verific is included for use in the *Tabby CAD Suite*. +more advanced series of checks. -With concurrent assertions we are able to verify more fully that our enables and -status flags work as desired. For example, we can assert that if the read -enable signal is high then the address of the read pointer *must* change. -Because of our earlier *immediate* assertions that the pointer address can only -increment or remain the same we do not need to specify that here. We can also -assert that if the enable is low, and the buffer is not full and potentially -requires a skip in the read address, then the read address will *not* change. +Compare the difference in implementation of ``w_underfill`` depending on the +presence of Verific. ``w_underfill`` looks for a sequence of events where the +write enable is low but the write address changes in the following cycle. This +is the expected behaviour for reading while empty and implies that the +``w_skip`` signal went high. Verific enables elaboration of SystemVerilog +Assertions (SVA) properties. Here we use such a property, ``write_skip``. .. literalinclude:: ../examples/fifo/fifo.sv :language: systemverilog - :start-at: ap_raddr2 - :end-at: ap_raddr3 + :start-at: property write_skip + :end-at: w_underfill :dedent: - :lines: 1,5 + +This property describes a *sequence* of events which occurs on the ``clk`` +signal and are disabled/restarted when the ``rst`` signal is high. The property +first waits for a low ``wen`` signal, and then a change in ``waddr`` in the +following cycle. ``w_underfill`` is then a cover of this property to verify +that it is possible. Now look at the implementation without Verific. + +.. literalinclude:: ../examples/fifo/fifo.sv + :language: systemverilog + :start-at: reg past_nwen; + :end-before: end w_underfill + :dedent: + +In this case we do not have access to SVA properties and are more limited in the +tools available to us. Ideally we would use ``$past`` to read the value of +``wen`` in the previous cycle and then check for a change in ``waddr``. However, +in the first cycle of simulation, reading ``$past`` will return a value of +``X``. This results in false triggers of the property so we instead implement +the ``past_nwen`` register which we can initialise to ``0`` and ensure it does +not trigger in the first cycle. + +As verification properties become more complex and check longer sequences, the +additional effort of hand-coding without SVA properties becomes much more +difficult. Using a parser such as Verific supports these checks *without* +having to write out potentially complicated state machines. Verific is included +for use in the *Tabby CAD Suite*. Further information ******************* From df2610d598cee6025c86ab5be60696fbd7c5970f Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Mon, 22 Aug 2022 21:18:40 +1200 Subject: [PATCH 37/38] Fixes before merge --- docs/source/index.rst | 5 ----- docs/source/install.rst | 1 + docs/source/newstart.rst | 2 +- 3 files changed, 2 insertions(+), 6 deletions(-) diff --git a/docs/source/index.rst b/docs/source/index.rst index 7e8948b..43c8185 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst @@ -10,11 +10,6 @@ formal tasks: * Unbounded verification of safety properties * Generation of test benches from cover statements * Verification of liveness properties - * Formal equivalence checking [TBD] - * Reactive Synthesis [TBD] - -(Items marked [TBD] are features under construction and not available -at the moment.) .. toctree:: :maxdepth: 3 diff --git a/docs/source/install.rst b/docs/source/install.rst index a232c86..604737b 100644 --- a/docs/source/install.rst +++ b/docs/source/install.rst @@ -88,6 +88,7 @@ Boolector https://boolector.github.io .. code-block:: text + git clone https://github.com/boolector/boolector cd boolector ./contrib/setup-btor2tools.sh diff --git a/docs/source/newstart.rst b/docs/source/newstart.rst index 6b4c1ef..604d04c 100644 --- a/docs/source/newstart.rst +++ b/docs/source/newstart.rst @@ -233,7 +233,7 @@ while still passing all of the tests? .. note:: If you need a **hint**, try increasing the width of the address wires. 4 bits - supports up to :math:`2^4=16` addresses. Are there other signals that + supports up to 2\ :sup:`4`\ =16 addresses. Are there other signals that need to be wider? Can you make the width parameterisable to support arbitrarily large buffers? From 82a6edf295d794d337fc285b58dfe426c5c53982 Mon Sep 17 00:00:00 2001 From: KrystalDelusion Date: Mon, 22 Aug 2022 21:20:59 +1200 Subject: [PATCH 38/38] Moving newstart to replace quickstart --- docs/source/index.rst | 2 +- docs/source/newstart.rst | 307 ------------------------------- docs/source/quickstart.rst | 364 ++++++++++++++++++++++++++++--------- 3 files changed, 277 insertions(+), 396 deletions(-) delete mode 100644 docs/source/newstart.rst diff --git a/docs/source/index.rst b/docs/source/index.rst index 43c8185..fbe43c5 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst @@ -15,7 +15,7 @@ formal tasks: :maxdepth: 3 install.rst - newstart.rst + quickstart.rst reference.rst autotune.rst verilog.rst diff --git a/docs/source/newstart.rst b/docs/source/newstart.rst deleted file mode 100644 index 604d04c..0000000 --- a/docs/source/newstart.rst +++ /dev/null @@ -1,307 +0,0 @@ - -Getting started -=============== - -.. note:: - - This tutorial assumes sby and boolector installation as per the - :ref:`install-doc`. For this tutorial, it is also recommended to install - `GTKWave `_, an open source VCD viewer. - `Source files used in this tutorial - `_ can be - found on the sby git, under ``docs/examples/fifo``. - -First In, First Out (FIFO) buffer -********************************* - -From `Wikipedia `_, -a FIFO is - - a method for organizing the manipulation of a data structure (often, - specifically a data buffer) where the oldest (first) entry, or "head" of the - queue, is processed first. - - Such processing is analogous to servicing people in a queue area on a - first-come, first-served (FCFS) basis, i.e. in the same sequence in which - they arrive at the queue's tail. - -In hardware we can create such a construct by providing two addresses into a -register file. This tutorial will use an example implementation provided in -`fifo.sv`. - -First, the address generator module: - -.. literalinclude:: ../examples/fifo/fifo.sv - :language: systemverilog - :start-at: address generator - :end-at: endmodule - -This module is instantiated twice; once for the write address and once for the -read address. In both cases, the address will start at and reset to 0, and will -increment by 1 when an enable signal is received. When the address pointers -increment from the maximum storage value they reset back to 0, providing a -circular queue. - -Next, the register file: - -.. literalinclude:: ../examples/fifo/fifo.sv - :language: systemverilog - :start-at: fifo storage - :end-before: end storage - :dedent: - -Notice that this register design includes a synchronous write and asynchronous -read. Each word is 8 bits, and up to 16 words can be stored in the buffer. - -Verification properties -*********************** - -In order to verify our design we must first define properties that it must -satisfy. For example, there must never be more than there is memory available. -By assigning a signal to count the number of values in the buffer, we can make -the following assertion in the code: - -.. literalinclude:: ../examples/fifo/fifo.sv - :language: systemverilog - :start-at: a_oflow - :end-at: ; - :dedent: - -It is also possible to use the prior value of a signal for comparison. This can -be used, for example, to ensure that the count is only able to increase or -decrease by 1. A case must be added to handle resetting the count directly to -0, as well as if the count does not change. This can be seen in the following -code; at least one of these conditions must be true at all times if our design -is to be correct. - -.. literalinclude:: ../examples/fifo/fifo.sv - :language: systemverilog - :start-at: a_counts - :end-at: ; - :dedent: - -As our count signal is used independently of the read and write pointers, we -must verify that the count is always correct. While the write pointer will -always be at the same point or *after* the read pointer, the circular buffer -means that the write *address* could wrap around and appear *less than* the read -address. So we must first perform some simple arithmetic to find the absolute -difference in addresses, and then compare with the count signal. - -.. literalinclude:: ../examples/fifo/fifo.sv - :language: systemverilog - :start-at: assign addr_diff - :end-at: ; - :dedent: - -.. literalinclude:: ../examples/fifo/fifo.sv - :language: systemverilog - :start-at: a_count_diff - :end-at: ; - :dedent: - -SymbiYosys -********** - -SymbiYosys (sby) uses a .sby file to define a set of tasks used for -verification. - -**basic** - Bounded model check of design. - -**nofullskip** - Demonstration of failing model using an unbounded model check. - -**cover** - Cover mode (testing cover statements). - -**noverific** - Test fallback to default Verilog frontend. - -The use of the ``:default`` tag indicates that by default, basic and cover -should be run if no tasks are specified, such as when running the command below. - - sby fifo.sby - -.. note:: - - The default set of tests should all pass. If this is not the case there may - be a problem with the installation of sby or one of its solvers. - -To see what happens when a test fails, the below command can be used. Note the -use of the ``-f`` flag to automatically overwrite existing task output. While -this may not be necessary on the first run, it is quite useful when making -adjustments to code and rerunning tests to validate. - - sby -f fifo.sby nofullskip - -The nofullskip task disables the code shown below. Because the count signal has -been written such that it cannot exceed MAX_DATA, removing this code will lead -to the ``a_count_diff`` assertion failing. Without this assertion, there is no -guarantee that data will be read in the same order it was written should an -overflow occur and the oldest data be written. - -.. literalinclude:: ../examples/fifo/fifo.sv - :language: systemverilog - :start-at: NO_FULL_SKIP - :end-at: endif - :lines: 1-5,9 - -The last few lines of output for the nofullskip task should be similar to the -following: - -.. code-block:: text - - SBY [fifo_nofullskip] engine_0.basecase: ## Assert failed in fifo: a_count_diff - SBY [fifo_nofullskip] engine_0.basecase: ## Writing trace to VCD file: engine_0/trace.vcd - SBY [fifo_nofullskip] engine_0.basecase: ## Writing trace to Verilog testbench: engine_0/trace_tb.v - SBY [fifo_nofullskip] engine_0.basecase: ## Writing trace to constraints file: engine_0/trace.smtc - SBY [fifo_nofullskip] engine_0.basecase: ## Status: failed - SBY [fifo_nofullskip] engine_0.basecase: finished (returncode=1) - SBY [fifo_nofullskip] engine_0: Status returned by engine for basecase: FAIL - SBY [fifo_nofullskip] engine_0.induction: terminating process - SBY [fifo_nofullskip] summary: Elapsed clock time [H:MM:SS (secs)]: 0:00:02 (2) - SBY [fifo_nofullskip] summary: Elapsed process time unvailable on Windows - SBY [fifo_nofullskip] summary: engine_0 (smtbmc boolector) returned FAIL for basecase - SBY [fifo_nofullskip] summary: counterexample trace: fifo_nofullskip/engine_0/trace.vcd - SBY [fifo_nofullskip] DONE (FAIL, rc=2) - SBY The following tasks failed: ['nofullskip'] - -Using the ``noskip.gtkw`` file provided, use the below command to examine the -error trace. - - gtkwave fifo_nofullskip/engine_0/trace.vcd noskip.gtkw - -This should result in something similar to the below image. We can immediately -see that ``data_count`` and ``addr_diff`` are different. Looking a bit deeper -we can see that in order to reach this state the read enable signal was high in -the first clock cycle while write enable is low. This leads to an underfill -where a value is read while the buffer is empty and the read address increments -to a higher value than the write address. - -.. image:: media/gtkwave_noskip.png - -During correct operation, the ``w_underfill`` statement will cover the underflow -case. Examining ``fifo_cover/logfile.txt`` will reveal which trace file -includes the cover statment we are looking for. If this file doesn't exist, run -the code below. - - sby fifo.sby cover - -Searching the file for ``w_underfill`` will reveal the below. - -.. code-block:: text - - $ grep "w_underfill" fifo_cover/logfile.txt -A 1 - SBY [fifo_cover] engine_0: ## Reached cover statement at w_underfill in step 2. - SBY [fifo_cover] engine_0: ## Writing trace to VCD file: engine_0/trace4.vcd - -We can then run gtkwave with the trace file indicated to see the correct -operation as in the image below. When the buffer is empty, a read with no write -will result in the ``wksip`` signal going high, incrementing *both* read and -write addresses and avoiding underflow. - - gtkwave fifo_cover/engine_0/trace4.vcd noskip.gtkw - -.. image:: media/gtkwave_coverskip.png - -.. note:: - - Implementation of the ``w_underfill`` cover statement depends on whether - Verific is used or not. See the `Concurrent assertions`_ section for more - detail. - -Exercise -******** - -Adjust the ``[script]`` section of ``fifo.sby`` so that it looks like the below. - -.. code-block:: text - - [script] - nofullskip: read -define NO_FULL_SKIP=1 - noverific: read -noverific - read -formal fifo.sv - hierarchy -check -top fifo -chparam MAX_DATA 17 - prep -top fifo - -The ``hierarchy`` command we added changes the ``MAX_DATA`` parameter of the top -module to be 17. Now run the ``basic`` task and see what happens. It should -fail and give an error like ``Assert failed in fifo: a_count_diff``. Can you -modify the verilog code so that it works with larger values of ``MAX_DATA`` -while still passing all of the tests? - -.. note:: - - If you need a **hint**, try increasing the width of the address wires. 4 bits - supports up to 2\ :sup:`4`\ =16 addresses. Are there other signals that - need to be wider? Can you make the width parameterisable to support - arbitrarily large buffers? - -Once the tests are passing with ``MAX_DATA=17``, try something bigger, like 64, -or 100. Does the ``basic`` task still pass? What about ``cover``? By default, -``bmc`` & ``cover`` modes will run to a depth of 20 cycles. If a maximum of one -value can be loaded in each cycle, how many cycles will it take to load 100 -values? Using the :ref:`.sby reference page `, -try to increase the cover mode depth to be at least a few cycles larger than the -``MAX_DATA``. - -.. note:: - - Reference files are provided in the ``fifo/golden`` directory, showing how - the verilog could have been modified and how a ``bigtest`` task could be - added. - -Concurrent assertions -********************* - -Until this point, all of the properties described have been *immediate* -assertions. As the name suggests, immediate assertions are evaluated -immediately whereas concurrent assertions allow for the capture of sequences of -events which occur across time. The use of concurrent assertions requires a -more advanced series of checks. - -Compare the difference in implementation of ``w_underfill`` depending on the -presence of Verific. ``w_underfill`` looks for a sequence of events where the -write enable is low but the write address changes in the following cycle. This -is the expected behaviour for reading while empty and implies that the -``w_skip`` signal went high. Verific enables elaboration of SystemVerilog -Assertions (SVA) properties. Here we use such a property, ``write_skip``. - -.. literalinclude:: ../examples/fifo/fifo.sv - :language: systemverilog - :start-at: property write_skip - :end-at: w_underfill - :dedent: - -This property describes a *sequence* of events which occurs on the ``clk`` -signal and are disabled/restarted when the ``rst`` signal is high. The property -first waits for a low ``wen`` signal, and then a change in ``waddr`` in the -following cycle. ``w_underfill`` is then a cover of this property to verify -that it is possible. Now look at the implementation without Verific. - -.. literalinclude:: ../examples/fifo/fifo.sv - :language: systemverilog - :start-at: reg past_nwen; - :end-before: end w_underfill - :dedent: - -In this case we do not have access to SVA properties and are more limited in the -tools available to us. Ideally we would use ``$past`` to read the value of -``wen`` in the previous cycle and then check for a change in ``waddr``. However, -in the first cycle of simulation, reading ``$past`` will return a value of -``X``. This results in false triggers of the property so we instead implement -the ``past_nwen`` register which we can initialise to ``0`` and ensure it does -not trigger in the first cycle. - -As verification properties become more complex and check longer sequences, the -additional effort of hand-coding without SVA properties becomes much more -difficult. Using a parser such as Verific supports these checks *without* -having to write out potentially complicated state machines. Verific is included -for use in the *Tabby CAD Suite*. - -Further information -******************* -For more information on the uses of assertions and the difference between -immediate and concurrent assertions, refer to appnote 109: `Property Checking -with SystemVerilog Assertions -`_. diff --git a/docs/source/quickstart.rst b/docs/source/quickstart.rst index 1e66039..604d04c 100644 --- a/docs/source/quickstart.rst +++ b/docs/source/quickstart.rst @@ -1,119 +1,307 @@ -Getting Started +Getting started =============== -The example files used in this chapter can be downloaded from `here -`_. +.. note:: -First step: A simple BMC example --------------------------------- + This tutorial assumes sby and boolector installation as per the + :ref:`install-doc`. For this tutorial, it is also recommended to install + `GTKWave `_, an open source VCD viewer. + `Source files used in this tutorial + `_ can be + found on the sby git, under ``docs/examples/fifo``. -Here is a simple example design with a safety property (assertion). +First In, First Out (FIFO) buffer +********************************* -.. literalinclude:: ../examples/quickstart/demo.sv +From `Wikipedia `_, +a FIFO is + + a method for organizing the manipulation of a data structure (often, + specifically a data buffer) where the oldest (first) entry, or "head" of the + queue, is processed first. + + Such processing is analogous to servicing people in a queue area on a + first-come, first-served (FCFS) basis, i.e. in the same sequence in which + they arrive at the queue's tail. + +In hardware we can create such a construct by providing two addresses into a +register file. This tutorial will use an example implementation provided in +`fifo.sv`. + +First, the address generator module: + +.. literalinclude:: ../examples/fifo/fifo.sv :language: systemverilog + :start-at: address generator + :end-at: endmodule -The property in this example is true. We'd like to verify this using a bounded -model check (BMC) that is 100 cycles deep. +This module is instantiated twice; once for the write address and once for the +read address. In both cases, the address will start at and reset to 0, and will +increment by 1 when an enable signal is received. When the address pointers +increment from the maximum storage value they reset back to 0, providing a +circular queue. -SymbiYosys is controlled by ``.sby`` files. The following file can be used to -configure SymbiYosys to run a BMC for 100 cycles on the design: +Next, the register file: -.. literalinclude:: ../examples/quickstart/demo.sby - :language: text +.. literalinclude:: ../examples/fifo/fifo.sv + :language: systemverilog + :start-at: fifo storage + :end-before: end storage + :dedent: -Simply create a text file ``demo.sv`` with the example design and another text -file ``demo.sby`` with the SymbiYosys configuration. Then run:: +Notice that this register design includes a synchronous write and asynchronous +read. Each word is 8 bits, and up to 16 words can be stored in the buffer. - sby demo.sby +Verification properties +*********************** -This will run a bounded model check for 100 cycles. The last few lines of the -output should look something like this: +In order to verify our design we must first define properties that it must +satisfy. For example, there must never be more than there is memory available. +By assigning a signal to count the number of values in the buffer, we can make +the following assertion in the code: + +.. literalinclude:: ../examples/fifo/fifo.sv + :language: systemverilog + :start-at: a_oflow + :end-at: ; + :dedent: + +It is also possible to use the prior value of a signal for comparison. This can +be used, for example, to ensure that the count is only able to increase or +decrease by 1. A case must be added to handle resetting the count directly to +0, as well as if the count does not change. This can be seen in the following +code; at least one of these conditions must be true at all times if our design +is to be correct. + +.. literalinclude:: ../examples/fifo/fifo.sv + :language: systemverilog + :start-at: a_counts + :end-at: ; + :dedent: + +As our count signal is used independently of the read and write pointers, we +must verify that the count is always correct. While the write pointer will +always be at the same point or *after* the read pointer, the circular buffer +means that the write *address* could wrap around and appear *less than* the read +address. So we must first perform some simple arithmetic to find the absolute +difference in addresses, and then compare with the count signal. + +.. literalinclude:: ../examples/fifo/fifo.sv + :language: systemverilog + :start-at: assign addr_diff + :end-at: ; + :dedent: + +.. literalinclude:: ../examples/fifo/fifo.sv + :language: systemverilog + :start-at: a_count_diff + :end-at: ; + :dedent: + +SymbiYosys +********** + +SymbiYosys (sby) uses a .sby file to define a set of tasks used for +verification. + +**basic** + Bounded model check of design. + +**nofullskip** + Demonstration of failing model using an unbounded model check. + +**cover** + Cover mode (testing cover statements). + +**noverific** + Test fallback to default Verilog frontend. + +The use of the ``:default`` tag indicates that by default, basic and cover +should be run if no tasks are specified, such as when running the command below. + + sby fifo.sby + +.. note:: + + The default set of tests should all pass. If this is not the case there may + be a problem with the installation of sby or one of its solvers. + +To see what happens when a test fails, the below command can be used. Note the +use of the ``-f`` flag to automatically overwrite existing task output. While +this may not be necessary on the first run, it is quite useful when making +adjustments to code and rerunning tests to validate. + + sby -f fifo.sby nofullskip + +The nofullskip task disables the code shown below. Because the count signal has +been written such that it cannot exceed MAX_DATA, removing this code will lead +to the ``a_count_diff`` assertion failing. Without this assertion, there is no +guarantee that data will be read in the same order it was written should an +overflow occur and the oldest data be written. + +.. literalinclude:: ../examples/fifo/fifo.sv + :language: systemverilog + :start-at: NO_FULL_SKIP + :end-at: endif + :lines: 1-5,9 + +The last few lines of output for the nofullskip task should be similar to the +following: .. code-block:: text - SBY [demo] engine_0: ## 0 0:00:00 Checking asserts in step 96.. - SBY [demo] engine_0: ## 0 0:00:00 Checking asserts in step 97.. - SBY [demo] engine_0: ## 0 0:00:00 Checking asserts in step 98.. - SBY [demo] engine_0: ## 0 0:00:00 Checking asserts in step 99.. - SBY [demo] engine_0: ## 0 0:00:00 Status: PASSED - SBY [demo] engine_0: Status returned by engine: PASS - SBY [demo] engine_0: finished (returncode=0) - SBY [demo] summary: Elapsed clock time [H:MM:SS (secs)]: 0:00:00 (0) - SBY [demo] summary: Elapsed process time [H:MM:SS (secs)]: 0:00:00 (0) - SBY [demo] summary: engine_0 (smtbmc) returned PASS - SBY [demo] DONE (PASS) + SBY [fifo_nofullskip] engine_0.basecase: ## Assert failed in fifo: a_count_diff + SBY [fifo_nofullskip] engine_0.basecase: ## Writing trace to VCD file: engine_0/trace.vcd + SBY [fifo_nofullskip] engine_0.basecase: ## Writing trace to Verilog testbench: engine_0/trace_tb.v + SBY [fifo_nofullskip] engine_0.basecase: ## Writing trace to constraints file: engine_0/trace.smtc + SBY [fifo_nofullskip] engine_0.basecase: ## Status: failed + SBY [fifo_nofullskip] engine_0.basecase: finished (returncode=1) + SBY [fifo_nofullskip] engine_0: Status returned by engine for basecase: FAIL + SBY [fifo_nofullskip] engine_0.induction: terminating process + SBY [fifo_nofullskip] summary: Elapsed clock time [H:MM:SS (secs)]: 0:00:02 (2) + SBY [fifo_nofullskip] summary: Elapsed process time unvailable on Windows + SBY [fifo_nofullskip] summary: engine_0 (smtbmc boolector) returned FAIL for basecase + SBY [fifo_nofullskip] summary: counterexample trace: fifo_nofullskip/engine_0/trace.vcd + SBY [fifo_nofullskip] DONE (FAIL, rc=2) + SBY The following tasks failed: ['nofullskip'] -This will also create a ``demo/`` directory tree with all relevant information, -such as a copy of the design source, various log files, and trace data in case -the proof fails. +Using the ``noskip.gtkw`` file provided, use the below command to examine the +error trace. -(Use ``sby -f demo.sby`` to re-run the proof. Without ``-f`` the command will -fail because the output directory ``demo/`` already exists.) + gtkwave fifo_nofullskip/engine_0/trace.vcd noskip.gtkw -Time for a simple exercise: Modify the design so that the property is false -and the offending state is reachable within 100 cycles. Re-run ``sby`` with -the modified design and see if the proof now fails. Inspect the counterexample -trace (``.vcd`` file) produced by ``sby``. (`GTKWave `_ -is an open source VCD viewer that you can use.) +This should result in something similar to the below image. We can immediately +see that ``data_count`` and ``addr_diff`` are different. Looking a bit deeper +we can see that in order to reach this state the read enable signal was high in +the first clock cycle while write enable is low. This leads to an underfill +where a value is read while the buffer is empty and the read address increments +to a higher value than the write address. -Selecting the right engine --------------------------- +.. image:: media/gtkwave_noskip.png -The ``.sby`` file for a project selects one or more engines. (When multiple -engines are selected, all engines are executed in parallel and the result -returned by the first engine to finish is the result returned by SymbiYosys.) +During correct operation, the ``w_underfill`` statement will cover the underflow +case. Examining ``fifo_cover/logfile.txt`` will reveal which trace file +includes the cover statment we are looking for. If this file doesn't exist, run +the code below. -Each engine has its strengths and weaknesses. Therefore it is important to -select the right engine for each project. The documentation for the individual -engines can provide some guidance for engine selection. (Trial and error can -also be a useful method for evaluating engines.) + sby fifo.sby cover -Let's consider the following example: +Searching the file for ``w_underfill`` will reveal the below. -.. literalinclude:: ../examples/quickstart/memory.sv +.. code-block:: text + + $ grep "w_underfill" fifo_cover/logfile.txt -A 1 + SBY [fifo_cover] engine_0: ## Reached cover statement at w_underfill in step 2. + SBY [fifo_cover] engine_0: ## Writing trace to VCD file: engine_0/trace4.vcd + +We can then run gtkwave with the trace file indicated to see the correct +operation as in the image below. When the buffer is empty, a read with no write +will result in the ``wksip`` signal going high, incrementing *both* read and +write addresses and avoiding underflow. + + gtkwave fifo_cover/engine_0/trace4.vcd noskip.gtkw + +.. image:: media/gtkwave_coverskip.png + +.. note:: + + Implementation of the ``w_underfill`` cover statement depends on whether + Verific is used or not. See the `Concurrent assertions`_ section for more + detail. + +Exercise +******** + +Adjust the ``[script]`` section of ``fifo.sby`` so that it looks like the below. + +.. code-block:: text + + [script] + nofullskip: read -define NO_FULL_SKIP=1 + noverific: read -noverific + read -formal fifo.sv + hierarchy -check -top fifo -chparam MAX_DATA 17 + prep -top fifo + +The ``hierarchy`` command we added changes the ``MAX_DATA`` parameter of the top +module to be 17. Now run the ``basic`` task and see what happens. It should +fail and give an error like ``Assert failed in fifo: a_count_diff``. Can you +modify the verilog code so that it works with larger values of ``MAX_DATA`` +while still passing all of the tests? + +.. note:: + + If you need a **hint**, try increasing the width of the address wires. 4 bits + supports up to 2\ :sup:`4`\ =16 addresses. Are there other signals that + need to be wider? Can you make the width parameterisable to support + arbitrarily large buffers? + +Once the tests are passing with ``MAX_DATA=17``, try something bigger, like 64, +or 100. Does the ``basic`` task still pass? What about ``cover``? By default, +``bmc`` & ``cover`` modes will run to a depth of 20 cycles. If a maximum of one +value can be loaded in each cycle, how many cycles will it take to load 100 +values? Using the :ref:`.sby reference page `, +try to increase the cover mode depth to be at least a few cycles larger than the +``MAX_DATA``. + +.. note:: + + Reference files are provided in the ``fifo/golden`` directory, showing how + the verilog could have been modified and how a ``bigtest`` task could be + added. + +Concurrent assertions +********************* + +Until this point, all of the properties described have been *immediate* +assertions. As the name suggests, immediate assertions are evaluated +immediately whereas concurrent assertions allow for the capture of sequences of +events which occur across time. The use of concurrent assertions requires a +more advanced series of checks. + +Compare the difference in implementation of ``w_underfill`` depending on the +presence of Verific. ``w_underfill`` looks for a sequence of events where the +write enable is low but the write address changes in the following cycle. This +is the expected behaviour for reading while empty and implies that the +``w_skip`` signal went high. Verific enables elaboration of SystemVerilog +Assertions (SVA) properties. Here we use such a property, ``write_skip``. + +.. literalinclude:: ../examples/fifo/fifo.sv :language: systemverilog + :start-at: property write_skip + :end-at: w_underfill + :dedent: -This example is expected to fail verification (see the BUG comment). -The following ``.sby`` file can be used to show this: +This property describes a *sequence* of events which occurs on the ``clk`` +signal and are disabled/restarted when the ``rst`` signal is high. The property +first waits for a low ``wen`` signal, and then a change in ``waddr`` in the +following cycle. ``w_underfill`` is then a cover of this property to verify +that it is possible. Now look at the implementation without Verific. -.. literalinclude:: ../examples/quickstart/memory.sby - :language: text - -This project uses the ``smtbmc`` engine, which uses SMT solvers to perform the -proof. This engine uses the array-theories provided by those solvers to -efficiently model memories. Since this example uses large memories, the -``smtbmc`` engine is a good match. - -(``smtbmc boolector`` selects Boolector as SMT solver, ``smtbmc z3`` selects -Z3, and ``smtbmc yices`` selects Yices 2. Yices 2 is the default solver when -no argument is used with ``smtbmc``.) - -Exercise: The engine ``abc bmc3`` does not provide abstract memory models. -Therefore SymbiYosys has to synthesize the memories in the example to FFs -and address logic. How does the performance of this project change if -``abc bmc3`` is used as engine instead of ``smtbmc boolector``? How fast -can either engine verify the design when the bug has been fixed? - -Beyond bounded model checks ---------------------------- - -Bounded model checks only prove that the safety properties hold for the first -*N* cycles (where *N* is the depth of the BMC). Sometimes this is insufficient -and we need to prove that the safety properties hold forever, not just the first -*N* cycles. Let us consider the following example: - -.. literalinclude:: ../examples/quickstart/prove.sv +.. literalinclude:: ../examples/fifo/fifo.sv :language: systemverilog + :start-at: reg past_nwen; + :end-before: end w_underfill + :dedent: -Proving this design in an unbounded manner can be achieved using the following -SymbiYosys configuration file: +In this case we do not have access to SVA properties and are more limited in the +tools available to us. Ideally we would use ``$past`` to read the value of +``wen`` in the previous cycle and then check for a change in ``waddr``. However, +in the first cycle of simulation, reading ``$past`` will return a value of +``X``. This results in false triggers of the property so we instead implement +the ``past_nwen`` register which we can initialise to ``0`` and ensure it does +not trigger in the first cycle. -.. literalinclude:: ../examples/quickstart/prove.sby - :language: text - -Note that ``mode`` is now set to ``prove`` instead of ``bmc``. The ``smtbmc`` -engine in ``prove`` mode will perform a k-induction proof. Other engines can -use other methods, e.g. using ``abc pdr`` will prove the design using the IC3 -algorithm. +As verification properties become more complex and check longer sequences, the +additional effort of hand-coding without SVA properties becomes much more +difficult. Using a parser such as Verific supports these checks *without* +having to write out potentially complicated state machines. Verific is included +for use in the *Tabby CAD Suite*. +Further information +******************* +For more information on the uses of assertions and the difference between +immediate and concurrent assertions, refer to appnote 109: `Property Checking +with SystemVerilog Assertions +`_.