# Protocol Compliance Verification Using The AMBA AXI Properties

Diego Hdez (diego@yosyshq.com)

| Revision | Comment                         | Date     |  |
|----------|---------------------------------|----------|--|
| 0.1      | Initial draft.                  | 16/11/20 |  |
| 0.2      | Updated full working properties | 20/11/20 |  |
| 0.3      | Minimal edits                   | 25/02/21 |  |

# Contents

| Ι  | Introduction                                                                                                                                                                                                                                                                                             | 4                                                        |
|----|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------|
| II | I Technical Specification                                                                                                                                                                                                                                                                                | 4                                                        |
| 1  | Architecture                                                                                                                                                                                                                                                                                             | 4                                                        |
| 2  | Environment 2.1 Directory Organisation                                                                                                                                                                                                                                                                   | 6<br>6<br>6<br>8                                         |
| 3  | Execution                                                                                                                                                                                                                                                                                                | 9                                                        |
| II | II Results                                                                                                                                                                                                                                                                                               | 10                                                       |
| 4  | 4.1 Satisfiability (cover) 4.2 Validity (assert) 4.3 Issue I: Assert failed in assert_SRC_OPTIONAL_TUSER_TIEOFF 4.3.1 CEX 4.3.2 Description 4.4 Issue II: Assert failed in assert_SRC_TKEEP_TSTRB_RESERVED 4.4.1 CEX 4.4.2 Description 4.5 Issue III: Assert failed in assert_SRC_STABLE_TDATA 4.5.1 CEX | 10<br>10<br>10<br>11<br>11<br>13<br>13<br>13<br>14<br>14 |
| 5  | Improvements 5.1 Fix I: Assert failed in assert_SRC_OPTIONAL_TUSER_TIEOFF                                                                                                                                                                                                                                | 16                                                       |

## Part I

# Introduction

The new AMBA AXI Properties for AXI4-Stream can be used to verify protocol compliance of digital designs that uses the AXI4-Stream bus, as well as to check another Verification IP (VIP) implementations. The goal of this example is to show how to instantiate and use the new AMBA AXI Properties component to verify and measure improvements over the current solution of the AXI4-Stream that is currently integrated in Symbiotic EDA Suite.

Three problems where found using the new AMBA AXI Properties in the current AXI4-Stream VIP that comes in the official release of Symbiotic EDA Suite, two of them can be classified as mild, while a third can be classified as severe (failure to detect lost packets during transmission). This demonstrates the value of the new VIP.

## Part II

# Technical Specification

### 1 Architecture

One simple method to verify the current implementation of the AXI4-Stream VIP (named, faxis\_slave component) is to connect the new AMBA AXI Properties in the "opposite direction", that is, since the faxis\_slave component behaves as sink element (provides constraints or assumptions), this constraint model can be used to restrict the behavior at the input of the new AMBA AXI Properties connected as source. The source component therefore will validate that the constrains behave as intended or if assumptions are missing (the source can also verify over-constraint by checking the vacuity of the assertions).

The Figure 1 shows a block diagram of the architecture for this demonstration.



Figure 1: Block diagram representing the architecture of the test.

This method can be seen as a way to measure the differences that exist in two formal models, as the constraints of the sink that influences the cone of logic of the assertions of the source will make such assertions to pass trivially (as they are tautologies). The solver will find a path to a counter example in each of the assertions of the source if there exists logical differences such as divergent property density (more variables affecting the COI of the properties in the source compared with the sink) or missing behaviors that are affected by primary inputs, among others.

## 2 Environment

## 2.1 Directory Organisation

The demo files are organised as follows:

- doc/: The source of this document.
- src/: The HDL source files such as the wrapper to instantiate both verification components, and the scripts for SymbiYosys.

### 2.2 Configuration Parameters

Two HDL models are needed for this test, the faxis\_slave component and the amba\_axi4\_stream VIP as well as a wrapper to connect both VIPs. The following table sumarises the parameter configuration of both components for this specific test.

| Component | Parameter       | Value         | Component   | Parameter  | Value |
|-----------|-----------------|---------------|-------------|------------|-------|
|           | AXI_BUS_TYPE    | 1             |             | F_MAX_     | 0     |
|           |                 | (source)      |             | PACKET     |       |
|           | GEN_WITNESS     | 0             |             | F_MIN_     | 0     |
| AMBA AXI4 |                 |               | faxis slave | PACKET     |       |
| Stream    | ARM_RECOMMENDED | 1             | laxis_slave | F_MAX_     | 0     |
|           |                 |               |             | STALL      |       |
|           | MAXWAITS        | 16            |             | C_S_AXI_   | 8     |
|           |                 |               |             | DATA_WIDTH |       |
|           | CHECK_SETUP     | 1             |             | C_S_AXI_   | 1     |
|           |                 |               |             | ID_WIDTH   |       |
|           | RESET_CHECKS    | 1             |             | C_S_AXI_   | 4     |
|           |                 |               |             | ADDR_WIDTH |       |
|           | CHECK_XPROP     | 0 (not        |             | C_S_AXI_   | 0     |
|           |                 | supported yet |             | USER_WIDTH |       |
|           |                 | by Tabby      |             |            |       |
|           |                 | CAD)          |             |            |       |
|           | VERIFY_VIP      | 1             |             | F_         | 32    |
|           |                 |               |             | LGDEPTH    |       |

## 2.3 The HDL Wrapper

The Figure 2 shows the amba\_axi4\_stream\_verify.sv wrapper that will be used for this example. It instantiates the faxis\_slave as a sink element, and the amba\_axi4\_stream component as a source element.

```
'default_nettype none
   import amba_axi4_stream_seda_pkg::*;
2
3
   module amba_axi4_stream_seda_verify
     (input wire axi4s_aclk
                                 ACLK,
      input wire axi4s_aresetn ARESETn,
6
7
      input wire axi4s_data
                                  TDATA,
      input wire axi4s_strb
                                  TSTRB,
8
      input wire axi4s_keep
                                 TKEEP,
9
      input wire axi4s_last
                                 TLAST,
10
      input wire axi4s_id
                                 TID,
11
      input wire axi4s_dest
                                 TDEST,
12
      input wire axi4s_user
                                 TUSER,
13
      input wire axi4s_valid
                                  TVALID,
14
      input wire axi4s_ready
                                  TREADY);
15
16
      faxis_slave
17
        #(.F_MAX_PACKET(0),
           .F_MIN_PACKET(0),
19
20
           .F_MAX_STALL(0),
           .C_S_AXI_DATA_WIDTH(AXI4_STREAM_DATA_WIDTH_BYTES*8),
21
           .C_S_AXI_ID_WIDTH(AXI4_STREAM_ID_WIDTH),
22
           .C_S_AXI_ADDR_WIDTH(AXI4_STREAM_DEST_WIDTH), // ???
23
           .C_S_AXI_USER_WIDTH(AXI4_STREAM_USER_WIDTH),
24
25
           .F_LGDEPTH(32))
      faxis_slave_top
26
        (.i_aclk(ACLK),
27
          .i_aresetn(ARESETn),
28
          .i_tvalid(TVALID),
29
          .i_tready(TREADY),
30
          .i_tdata(TDATA),
31
          .i_tstrb(TSTRB),
32
33
          .i_tkeep(TKEEP),
          .i_tlast(TLAST),
34
          .i_tid(TID),
35
          .i_tdest(TDEST),
36
          .i_tuser(TUSER),
37
38
          .f_bytecount(), // free
39
          .f_routecheck()); // free
40
      // New Symbiotic EDA VIP
41
      amba_axi4_stream_seda
42
        #(.BUS_TYPE(1))
43
44
      source_checker_helper (.*);
   endmodule // amba_axi4_stream_seda_top
```

Figure 2: The amba\_axi4\_stream\_verify HDL wrapper for this example.

## 2.4 The SBY Script

In the SBY script amba\_axi4\_stream\_verify.sby, two main tasks are defined: **provemode** and **covermode**. The **provemode** task uses the smtbmc and boolector engines for K-induction for validity (checking assertions). The **covermode** uses the smtbmc engine for satisfiability (reachability of cover points). The amba\_axi4\_stream\_verify defines some cover scenarios for the VALID/READY handshaking process and the position bytes and null bytes defined in the AXI4-Stream spec, whose reachability analysis is performed in the **covermode** task. The validity is performed in the **provemode** task.

```
[tasks]
2
   provemode
   covermode
4
   [options]
5
6
   provemode: mode prove
   covermode: mode cover
9
   [engines]
   provemode: smtbmc boolector
10
11
   covermode: smtbmc
12
   provemode: read -sv amba_axi4_stream_seda_pkg.sv
14
15
   provemode: read -sv amba axi4 stream seda.sv
   provemode: read -sv amba_axi4_stream_seda_verify.sv
16
17
   provemode: read -sv faxis_slave.v
18
   provemode: prep -flatten -top amba_axi4_stream_seda_verify
19
20
   covermode: read -sv amba_axi4_stream_seda_pkg.sv
   covermode: read -sv amba_axi4_stream_seda.sv
21
   covermode: read -sv amba_axi4_stream_seda_verify.sv
23
   covermode: read -sv faxis_slave.v
24
   covermode: \ verific \ -import \ -autocover \ amba\_axi4\_stream\_seda\_verify
25
   covermode: prep -flatten -top amba_axi4_stream_seda_verify
26
27
   ../../amba_axi4_stream_seda_pkg.sv
28
29
    \dots / \dots / \dots / amba_axi4_stream_seda.sv
   amba_axi4_stream_seda_verify.sv
   faxis_slave.v
```

Figure 3: The amba\_axi4\_stream\_verify.sby script.

## 3 Execution

The only requisite for this demonstration is license of Symbiotic EDA Suite version, that is needed to synthesize the SVA assertions of the amba\_axi4\_stream VIP. The execution of the test is done by executing the command shown in Figure 4.

```
1 sby -f amba_axi4_stream_seda_verify.sby
```

Figure 4: Command to perform Formal Property Verification with SBY for this example.

For users with no previous experience in Formal Property Verification, Figure 5 shows a flowchart that can be used as reference to identify and fix issues that could exists.



Figure 5: Debug flow.

## Part III

# Results

## 4 Protocol Violations

## 4.1 Satisfiability (cover)

All cover scenarios are reachable.

## 4.2 Validity (assert)

The table below shows some of the protocol violations (missing/not implemented constraints) that the AMBA VIP found in the faxis\_slave component.

| Issue                            | Reference in the          | Details                     |
|----------------------------------|---------------------------|-----------------------------|
|                                  | AMBA Specification        |                             |
| Assert failed in                 | If TUSER is not present,  | Not implemented in current  |
| assert_SRC_OPTIONAL_TUSER_TIEOFF | TUSER must be stable      | VIP.                        |
|                                  | (3.1.4 Optional TID,      |                             |
|                                  | TDEST, and TUSER,         |                             |
|                                  | p3-3).                    |                             |
| Assert failed in                 | A combination of TKEEP    | The current constraint      |
| assert_SRC_TKEEP_TSTRB_RESERVED  | LOW and TSTRB HIGH        | using i_tvalid as           |
|                                  | must not be used (2.4.3   | antecedent. Although this   |
|                                  | TKEEP and TSTRB           | is partially correct, the   |
|                                  | combinations, p2-9, Table | solver found a trace where, |
|                                  | 2-2).                     | after exiting reset, the    |
|                                  |                           | TKEEP and TSTRB             |
|                                  |                           | invalid signals propagated. |
| Assert failed in                 | Once the master has       | Not implemented in current  |
| $assert\_SRC\_STABLE\_TDATA$     | asserted TVALID, data and | VIP for TDATA.              |
|                                  | control information from  |                             |
|                                  | master must remain stable |                             |
|                                  | [TDATA] (2.2.1, p2-3,     |                             |
|                                  | Figure 2-1).              |                             |

## 4.3 Issue I: Assert failed in assert\_SRC\_OPTIONAL\_TUSER\_TIEOFF

#### 4.3.1 CEX

The Figure 6 shows the point where the sideband port TUSER is able to change its state despite of not being used (as defined in the test parameter AXI4 STREAM USER WIDTH = 0).



Figure 6: Not stable TUSER when is not used.

#### 4.3.2 Description

The faxis\_slave does not seems to implement optional AXI4-Stream signal checks that are defined in the spec. This assertion failed because the test defined that TUSER is not used, but faxis\_slave does not have those rules implemented such, therefore creating a window for a structural bug to escape.

• The USER\_WIDTH parameter is defined in amba\_axi4\_stream\_pkg.sv as:

```
* control and data AXI-Stream ports.
```

Figure 7: Definition of the TUSER width port in the AMBA AXI4-Stream VIP.

• An propagated to the test amba\_axi4\_stream\_verify.sv wrapper as:

```
.i_tvalid(TVALID),
```

Figure 8: The TUSER width parameter in the amba\_axi4\_stream\_verify component.

• But the only rule for stable signals defined in faxis\_slave.v is this one, that is different from the optional checks:

```
//\ \mbox{If TVALID} but not TREADY, then the master isn't allowed to change
           // anything until the slave asserts TREADY.
2
           always @(posedge i_aclk)
3
           if ((f_past_valid)&&($past(i_aresetn))
                    &&($past(i_tvalid))&&(!$past(i_tready)))
6
           begin
                    'SLAVE_ASSUME(i_tvalid);
                    'SLAVE_ASSUME($stable(i_tstrb));
8
                    'SLAVE_ASSUME($stable(i_tkeep));
9
                    'SLAVE_ASSUME($stable(i_tlast));
10
                    'SLAVE_ASSUME($stable(i_tid));
11
                    'SLAVE_ASSUME($stable(i_tdest));
12
                    'SLAVE_ASSUME($stable(i_tuser));
13
           end
14
```

Figure 9: The TUSER width parameter in the faxis\_slave component.

## 4.4 Issue II: Assert failed in assert\_SRC\_TKEEP\_TSTRB\_RESERVED

#### 4.4.1 CEX



Figure 10: A possible scenario where invalid TKEEP/TSTRB combination is present.

#### 4.4.2 Description

The solver found a way to propagate a reserved AXI state due to the antecedent requirement of i\_tvalid in the following assertion:

• Invalid combination of TKEEP and TSTRB defined in the faxis\_slave:

```
// TKEEP == LOW and TSTRB == HIGH is reserved per the spec, and
// must not be used
always @(posedge i_aclk)
if (i_tvalid)
'SLAVE_ASSUME((~i_tkeep & i_tstrb)==0);
```

Figure 11: Antecedent for the rule of TKEEP/TSTRB reserved scenario in the faxis slave component.

The AMBA AXI4 Stream protocol spec does not explicitly mention that the TKEEP and TSTRB combinations depends on the TVALID/TREADY handshake (it can be argued that is an obvious assumption, but the spec is clear mentioning that behaviors that are not explicitly declared shall not be assumed). For a protocol checker, it is better to enforce that no reserved behaviors occur at any time, regardless of the time window where it appears, and if that time window is a valid data meant to be propagated or not.

#### 4.5 Issue III: Assert failed in assert\_SRC\_STABLE\_TDATA

#### 4.5.1 CEX

As can be seen in the CEX of Figure 12, the optional TDATA is used and it changed the information that the source intended to transmit, but the sink did not capture any of the packets because it was not in a ready state. In other words, a valid packet was dropped. This is an important issue and the faxis\_slave must have enforced the check for this data drop packet problem correctly.



Figure 12: The source is able to change (drop) a valid packet (TDATA) while the sink is not ready (TREADY).

#### 4.5.2 Description

The faxis\_slave **does no implement a very critical check** that is defined from the spec as follows: "Once the master has asserted TVALID, <u>the data</u> or control information from the master must remain unchanged until the slave drives the TREADY signal HIGH, indicating that it can accept the data and control information".

• The current implementation does not check for TDATA when the spec says that both data and control should remain stable:

```
//\ \mbox{If TVALID} but not TREADY, then the master isn't allowed to change
           // anything until the slave asserts TREADY.
2
           always @(posedge i_aclk)
3
           if ((f_past_valid)&&($past(i_aresetn))
                    &&($past(i_tvalid))&&(!$past(i_tready)))
6
           begin
                    'SLAVE_ASSUME(i_tvalid);
                    'SLAVE_ASSUME($stable(i_tstrb));
                    'SLAVE_ASSUME($stable(i_tkeep));
9
                    'SLAVE_ASSUME($stable(i_tlast));
10
                    'SLAVE_ASSUME($stable(i_tid));
11
                    'SLAVE_ASSUME($stable(i_tdest));
12
                    'SLAVE_ASSUME($stable(i_tuser));
13
14
```

Figure 13: Data and control information checks in the faxis\_slave component.

## 5 Improvements

The following patches have been implemented in the files amba\_axi4\_stream\_verify\_fixed.sby and faxis\_slave\_fixed.sv.

## 5.1 Fix I: Assert failed in assert\_SRC\_OPTIONAL\_TUSER\_TIEOFF

The faxis\_slave should implement the optional interface checks. For this specific issue the implementation could be as shown below, with all optional TDATA checks implemented (unoptimised):

Figure 14: The TUSER width parameter in the faxis slave component.

## 5.2 Fix II: Assert failed in assert\_SRC\_TKEEP\_TSTRB\_RESERVED

As discussed in Section 4.2 Issue II: Assert failed in assert\_SRC\_TKEEP\_TSTRB\_RESERVED, the rule should not involve any handshake signal:

```
always @(posedge i_aclk)
// Issue II: ssert failed in assert_SRC_TKEEP_TSTRB_RESERVED (FIX)
// if (i_tvalid)
'SLAVE_ASSUME((~i_tkeep & i_tstrb)==0);
```

Figure 15: The TUSER width parameter in the faxis\_slave component.

#### 5.3 Fix III: Assert failed in assert SRC STABLE TDATA

The assertion that manages stability of data and control needs to look for TDATA as well:

```
//
           // If TVALID but not TREADY, then the master isn't allowed to change
2
           // anything until the slave asserts TREADY.
3
           always @(posedge i_aclk)
           if ((f_past_valid)&&($past(i_aresetn))
                    &&($past(i_tvalid))&&(!$past(i_tready)))
6
           begin
                    'SLAVE_ASSUME(i_tvalid);
                    'SLAVE_ASSUME($stable(i_tstrb));
9
                    'SLAVE_ASSUME($stable(i_tkeep));
10
                    'SLAVE_ASSUME($stable(i_tlast));
11
                    'SLAVE_ASSUME($stable(i_tid));
12
                    'SLAVE_ASSUME($stable(i_tdest));
13
                    'SLAVE_ASSUME($stable(i_tuser));
14
                    // Issue III: Assert failed in assert_SRC_STABLE_TDATA (FIX)
15
                    'SLAVE_ASSUME($stable(i_tdata));
16
```

Figure 16: The TUSER width parameter in the faxis\_slave component.

# Appendix A: Differences of the Local Copy of faxis\_slave

The faxis\_slave used in this demonstration was obtained from symbiotic-20200902A SEDA release, and it was modified as shown below with the purpose of making it synthesizable, using Verific's feedback:

• Lines 1 to 14, comments of the errors shown by Verific:



• Lines 80, 82-83, 85-87, removing non-ansi port declaration:



• Lines 158 to 160, adding \$initstate, a Yosys extension to avoid looking traces generated during reset:



• Lines 255 to 256, declaring f\_tvalid and f\_tlast because they had not been declared anywhere:



• Line 246, renaming undeclared stall\_count to declared f\_stall\_count:

```
// F.MAX_STALL
// Another optional check, this time insisting that the READY flag can
// Another optional check, this time insisting that the READY flag can
// only be low for up to F.MAX_STALL clocks.
// generate if (F.MAX_STALL > 0)
begin: MAX_STALL CHECK
alvays @(*)

SLAVE ASSERT(stall count < F.MAX_STALL);
// Estall count, missing th
```