# TFE4171 Exercise 4 Report

Morten Paulsen Magnus Ramsfjell

March 29, 2020

# 1 Lab 1 - Formal verification of readserial

### 1.1 State Transition Graph

The **readserial** controller has two states: **IDLE** and **READDATA**. It transitions according to the graph in Figure 1.



Figure 1: State transition graph for the readserial controller

# 1.2 reset sequence

For the reset property we need to assert that all the control signals are in the correct state, so the signals we have to check are state\_s, valid, cnt\_en, and cnt\_s.

```
sequence reset_sequence;
23
             !reset_n;
24
25
    endsequence;
26
27
    property reset;
            reset_sequence |=>
28
29
        t ##0 (state_s == IDLE and !valid and !cnt_en and cnt_s == 0);
30
31
    endproperty;
32
    a_reset: assert property (@(posedge clk) reset);
```

Listing 1: Implementation of the **reset** property

# 1.3 stay in idle

For the stay\_in\_idle property we need to check that at the beginning we are in idle by checking the status signal state\_s and that we receive rxd = 1'b1 to stay in idle. After that we need to assert that we still are in idle by checking that the status signal is the same and that the valid signal is deasserted.

```
36
    sequence idle_sequence;
             state_s == IDLE;
37
38
    endsequence;
    property stay_in_idle;
40
            t ##0 (idle_sequence and rxd)
41
             implies
43
44
45
             t ##1 (idle_sequence and !valid);
46
    endproperty;
47
    a_stay_in_idle: assert property (@(posedge clk) stay_in_idle);
```

Listing 2: Implementation of the stay\_in\_idle property

# 1.4 read byte

For the read\_byte property we need to check the complete sequence from initiation to end. This is done by checking that we start in state\_s = IDLE and that we receive rxd = 1'b0. After this we store the values of rxd throughout the reading (8 cycles). In the implication part we check that the valid flag is deasserted and that state\_s = READDATA during the reading. In the last cycle we check that we have returned to state\_s = IDLE and that the read data is correct (data == tmp) and lastly we check that valid is asserted.

```
sequence idle_sequence;
48
             state_s == IDLE;
49
    endsequence;
51
    property read_byte;
52
             logic [7:0] tmp;
53
54
             t ##0 (idle_sequence and !rxd) and
55
             t ##8 set_freeze(tmp,
56
                              $past(rxd, 7),
58
                              $past(rxd, 6),
59
                              $past(rxd, 5),
60
                              $past(rxd, 4),
61
                              $past(rxd, 3),
62
                              $past(rxd, 2),
                              $past(rxd, 1),
64
                               rxd
65
                     })
66
67
             implies
68
69
             t ##1 (state_s == READDATA and !valid) [*8] and
70
71
             t ##9 (idle_sequence and valid and data == tmp);
    endproperty;
72
73
    a_read_byte: assert property (@(posedge clk) disable iff (!reset_n) read_byte);
```

Listing 3: Implementation of the **read** byte property

# 1.5 read byte, basic IPC solver

By using the basic IPC solver we need to include some additional sequences - in\_idle\_counter\_is\_0 and in\_idle\_counter\_not\_ - this is to assert that the internal counter signals are correct. This is done by asserting that in state\_s = IDLE we have cnt\_en = 1'b0 and cnt\_s = 3'b0.

```
sequence idle_sequence;
48
             state_s == IDLE;
49
    endsequence;
51
    sequence in_idle_counter_is_0;
52
             state_s == IDLE and cnt_s == 0;
53
    endsequence;
54
55
    sequence in_idle_counter_not_enabled;
56
             state_s == IDLE and !cnt_en;
57
    endsequence;
58
59
    property read_byte;
60
             logic [7:0] tmp;
61
62
             t ##0 (idle_sequence and !rxd) and
63
             t ##0 in_idle_counter_is_0 and
64
             t ##0 in_idle_counter_not_enabled and
65
             t ##8 set_freeze(tmp,
66
                     {
67
                              $past(rxd, 7),
68
                              $past(rxd, 6),
69
                              $past(rxd, 5),
70
                              $past(rxd, 4),
71
                              $past(rxd, 3),
72
73
                              $past(rxd, 2),
                              $past(rxd, 1),
                               rxd
75
                     })
76
             implies
78
79
             t ##1 (state_s == READDATA and !valid) [*8] and
80
             t ##9 (idle_sequence and valid and data == tmp);
81
    endproperty;
82
83
    a_read_byte: assert property (@(posedge clk) disable iff (!reset_n) read_byte);
```

Listing 4: Implementation of the updated read byte property

The sequence in\_idle\_counter\_is\_0 is added to prevent OneSpin from assuming that cnt\_s can be any value, and not only 0. The counterexample is shown in Fig. 2



Figure 2: Counterexample before adding in idle counter is 0.

The sequence in\_idle\_counter\_not\_enabled is added to prevent OneSpin from assuming that cnt\_en can be

enabled when state\_s is IDLE. The counterexample is shown in Fig. 3.



Figure 3: Counterexample before adding in idle counter not enabled.

# 1.6 read byte, inductive proof for in idle counter not enabled

To be able to use the sequence in\_idle\_counter\_not\_enabled we have to prove that it actually holds for all time steps. This can be done by using an inductive proof, show that it holds after a reset and that it holds in any arbitrary time step too. These two properties are shown in in\_idle\_counter\_not\_enabled\_\_step and in\_idle\_counter\_not\_enabled\_\_base.

### 1.6.1 in idle counter not enabled step

property in\_idle\_counter\_not\_enabled\_\_step;

93

```
t ##0 (in_idle_counter_not_enabled and rxd)

implies

t ##1 in_idle_counter_not_enabled;

endproperty;

a_in_idle_counter_not_enabled_step: assert property (@(posedge clk) disable iff (!reset_n) in_idle_counter_not_enabled_step);
```

Listing 5: Step proof for in idle counter not enabled.

### 1.6.2 in\_idle\_counter\_not\_enabled\_\_base

```
property in_idle_counter_not_enabled_base;

t ##0 reset_sequence

implies

t ##1 in_idle_counter_not_enabled;
endproperty;

a_in_idle_counter_not_enabled_base: assert property (@(posedge clk) in_idle_counter_not_enabled_base);
```

Listing 6: Base proof for in idle counter not enabled.

# 1.7 read byte, inductive proof for in idle counter is 0

We also have to do the same for in\_idle\_counter\_is\_not\_0 as we did for in\_idle\_counter\_not\_enabled. Our first attempt is shown below in section 1.7.1. Here we only use a single time frame to try to prove the validity of the sequence, but it fails as described in the section. Our second attempt uses multiple time frames (2) and it succeeds, as explained in section 1.7.2.

### 1.7.1 in\_idle\_counter\_is\_0, first attempt

125

```
property in_idle_counter_is_0__step;
109
              t ##0 (in_idle_counter_is_0 and rxd)
110
111
              implies
112
113
              t ##1 in_idle_counter_is_0;
114
     endproperty;
115
116
     a_in_idle_counter_is_0__step: assert property (@(posedge clk) disable iff (!reset_n) in_idle_counter_is_0__step);
                      Listing 7: Step proof for in idle counter is 0.
   117
         property in_idle_counter_is_0__base;
                 t ##0 reset_sequence
   118
   119
                 implies
   120
   121
                 t ##1 in_idle_counter_is_0;
   122
         endproperty;
   123
   124
```

Listing 8: Base proof for in idle counter is 0.

a\_in\_idle\_counter\_is\_0\_base: assert property (@(posedge clk) in\_idle\_counter\_is\_0\_base);

The counterexample given by OneSpin when we used the single-step inductive proof is shown in Fig. 4.



Figure 4: Counterexample for the inductive proof for in idle counter is 0 step.

The counterexample shows an example where <code>cnt\_s</code> is incremented when <code>state\_s == IDLE</code>. This happens since the assumption is only based on one clock cycle and there is not made any assumption that <code>cnt\_s</code> is to be stable between cycles. This can be prevented by introducing an extra step in the assumption, if we assume that the sequence holds in two cycles (<code>##0</code> and <code>##1</code>) it must also hold in cycle <code>##2</code>, as the only way to find a counterexample to the implication is to break the assumption.

For this counterexample specifically, the in\_idle\_counter\_is\_0 sequence holds for the first cycle (t ##0), but fails at the next cycle because cnt\_s has increased. This counterexample is found by having the internal signal cnt\_en set high—which has not been proved to be unreachable in this property—which started the counter. The counter then increments to 1 at t ##1, causing the property to fail. Solving this requires either appending and !cnt\_en to the in\_idle\_counter\_is\_0 sequence (which somewhat defeats the purpose of the in\_idle\_counter\_not\_enabled), adding the

in\_idle\_counter\_not\_enabled sequence to the in\_idle\_counter\_is\_0\_\_step property assumption, or by assuming that the in\_idle\_counter\_is\_0 sequence holds for two consecutive cycles. The former could be regarded

as the "proper" solution, as it implicitly captures the fact that the count signal is not enabled (which it never should have been in this case) by using two cycles where cnt\_s did not change.

#### 1.7.2 in idle counter is 0, second attempt

```
property in_idle_counter_is_0__step;
109
             t ##0 (in_idle_counter_is_0 and rxd) and
110
             t ##1 (in_idle_counter_is_0 and rxd)
112
             implies
113
114
115
             t ##2 in_idle_counter_is_0;
     endproperty;
116
117
     a_in_idle_counter_is_0__step: assert property (@(posedge clk) disable iff (!reset_n) in_idle_counter_is_0__step);
                      Listing 9: Step proof for in idle counter is 0.
         property in_idle_counter_is_0__base;
   118
                 t ##0 reset_sequence and
   119
                 t ##1 rxd
   120
   121
                 implies
   122
                 t ##1 in_idle_counter_is_0 and
   124
                 t ##2 in_idle_counter_is_0;
   125
   126
         endproperty;
   127
         a_in_idle_counter_is_0__base: assert property (@(posedge clk) in_idle_counter_is_0__base);
   128
```

Listing 10: Base proof for in idle counter is 0.

To prove the properties we need to have n=2 as this ensures that cnt\_s is kept at 0. cnt\_s has no change between t ##0 and t ##1 nor t ##1 and t ##2. This was not taken consideration in the first attempt.

# 2 Lab 2 - Completeness checking of readserial

In Lab 2 we are to use a completeness checker to assert that we actually have included a property for every possible operation in the module. The completeness checker does not use the RTL code at all, but only uses the properties to conclude.

```
// @lang=vli @ts=2
2
    completeness readserial;
3
    disable iff: (!reset_n);
4
    inputs: reset_n, rxd;
    determination_requirements:
      determined(valid):
      if (valid) determined(data); endif;
9
10
11
   reset_property:
      sva/inst_readserial_properties/ops/a_reset;
12
13
    property_graph:
      sva/inst_readserial_properties/ops/a_reset -> sva/inst_readserial_properties/ops/a_read_byte;
14
      sva/inst_readserial_properties/ops/a_reset -> sva/inst_readserial_properties/ops/a_stay_in_idle;
15
      sva/inst_readserial_properties/ops/a_stay_in_idle -> sva/inst_readserial_properties/ops/a_read_byte;
      sva/inst_readserial_properties/ops/a_stay_in_idle -> sva/inst_readserial_properties/ops/a_stay_in_idle;
17
      sva/inst_readserial_properties/ops/a_read_byte -> sva/inst_readserial_properties/ops/a_read_byte;
18
      sva/inst_readserial_properties/ops/a_read_byte -> sva/inst_readserial_properties/ops/a_stay_in_idle;
    end completeness;
```

Listing 11: The modified completeness.gfv

In Listing 11 we added the following pairs of operation property and direct successor operation property:

```
sva/inst_readserial_properties/ops/a_reset -> sva/inst_readserial_properties/ops/a_stay_in_idle;
sva/inst_readserial_properties/ops/a_stay_in_idle -> sva/inst_readserial_properties/ops/a_read_byte;
sva/inst_readserial_properties/ops/a_stay_in_idle -> sva/inst_readserial_properties/ops/a_stay_in_idle;
sva/inst_readserial_properties/ops/a_read_byte -> sva/inst_readserial_properties/ops/a_stay_in_idle;
```

These pairs makes the set of possible property transitions complete.

We also had to make some modifications to the properties themselves for the end point of a operation property to align with the start point of the direct successor operation property. The modifications was to make sure that the signals state\_s, cnt\_en and cnt\_s was explicitly set both at the beginning and at the end of the properties reset, stay\_in\_idle and read\_byte. This was achieved by simply modifying idle\_sequence to include cnt\_en and cnt\_s. The modification is shown in Listing 12.

```
sequence idle_sequence;
state_s == IDLE and !cnt_en and cnt_s == 0;
endsequence:
```

Listing 12: The modifications done for the completeness checker.