tmeissner
/
formal_hw_verification
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 6 Wiki Activity
Trying to verify Verilog/VHDL designs with formal methods and tools
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
60 Commits
3 Branches
324 KiB
Tree: 6a319686ac
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6a319686ac'
${ noResults }
formal_hw_verification/fifo/fifo.vhd

332 lines
9.3 KiB
Raw Normal View History

Add simple FIFO model incl. formal tests
4 years ago
Correct full & empty flag deassertion, fixes #2
3 years ago
Add simple FIFO model incl. formal tests
4 years ago
Correct full & empty flag deassertion, fixes #2
3 years ago
Add simple FIFO model incl. formal tests
4 years ago
Correct full & empty flag deassertion, fixes #2
3 years ago
Add simple FIFO model incl. formal tests
4 years ago
Correct full & empty flag deassertion, fixes #2
3 years ago
Add simple FIFO model incl. formal tests
4 years ago
Add data flow checks in fifo units
3 years ago
Add simple FIFO model incl. formal tests
4 years ago
Add data flow checks in fifo units
3 years ago
Add simple FIFO model incl. formal tests
4 years ago
Name assume & restrict directives
3 years ago
Add simple FIFO model incl. formal tests
4 years ago
Name assume & restrict directives
3 years ago
Add simple FIFO model incl. formal tests
4 years ago
Add data flow checks in fifo units
3 years ago
Add simple FIFO model incl. formal tests
4 years ago
Add data flow checks in fifo units
3 years ago
Add simple FIFO model incl. formal tests
4 years ago
Add data flow checks in fifo units
3 years ago
Add simple FIFO model incl. formal tests
4 years ago
Add data flow checks in fifo units
3 years ago
Add simple FIFO model incl. formal tests
4 years ago
Add data flow checks in fifo units
3 years ago
Add simple FIFO model incl. formal tests
4 years ago
Add data flow checks in fifo units
3 years ago
Add simple FIFO model incl. formal tests
4 years ago
Add data flow checks in fifo units
3 years ago
Add simple FIFO model incl. formal tests
4 years ago
Add data flow checks in fifo units
3 years ago
Add simple FIFO model incl. formal tests
4 years ago
Add data flow checks in fifo units
3 years ago
fifo: Add example for GHDL property replication * By replacing the goto operator with non-literal parameter by counting the read enabled with simple VHDL counters we can now replicate the properties instead of writing them all out. * Decrease the data width to decrease run-time of unbounded proofs
3 years ago
fifo: Fix SERE to also match cycles w/o ren after last write
3 years ago
fifo: Add example for GHDL property replication * By replacing the goto operator with non-literal parameter by counting the read enabled with simple VHDL counters we can now replicate the properties instead of writing them all out. * Decrease the data width to decrease run-time of unbounded proofs
3 years ago
Add simple FIFO model incl. formal tests
4 years ago
 
  1. library ieee;
  2. use ieee.std_logic_1164.all;
  3. use ieee.numeric_std.all;
  4. 

  5. 

  6. 

  7. entity fifo is
  8.   generic (
  9.     Formal : boolean := true;
  10.     Depth  : positive := 16;
  11.     Width  : positive := 16
  12.   );
  13.   port (
  14.     Reset_n_i    : in  std_logic;
  15.     Clk_i        : in  std_logic;
  16.     -- write
  17.     Wen_i        : in  std_logic;
  18.     Din_i        : in  std_logic_vector(Width-1 downto 0);
  19.     Full_o       : out std_logic;
  20.     Werror_o     : out std_logic;
  21.     -- read
  22.     Ren_i        : in  std_logic;
  23.     Dout_o       : out std_logic_vector(Width-1 downto 0);
  24.     Empty_o      : out std_logic;
  25.     Rerror_o     : out std_logic
  26.   );
  27. end entity fifo;
  28. 

  29. 

  30. architecture rtl of fifo is
  31. 

  32. 

  33.   subtype t_fifo_pnt is natural range 0 to Depth-1;
  34.   signal s_write_pnt : t_fifo_pnt;
  35.   signal s_read_pnt  : t_fifo_pnt;
  36. 

  37.   type t_fifo_mem is array (t_fifo_pnt'low to t_fifo_pnt'high) of std_logic_vector(Din_i'range);
  38.   signal s_fifo_mem : t_fifo_mem;
  39. 

  40.   signal s_almost_full  : boolean;
  41.   signal s_almost_empty : boolean;
  42. 

  43.   function incr_pnt (data : t_fifo_pnt) return t_fifo_pnt is
  44.   begin
  45.     if (data = t_fifo_mem'high) then
  46.       return 0;
  47.     end if;
  48.     return data + 1;
  49.   end function incr_pnt;
  50. 

  51. 

  52. begin
  53. 

  54. 

  55.   s_almost_full <= (s_write_pnt = s_read_pnt - 1) or
  56.                    (s_write_pnt = t_fifo_mem'high and s_read_pnt = t_fifo_mem'low);
  57. 

  58.   s_almost_empty <= (s_read_pnt = s_write_pnt - 1) or
  59.                     (s_read_pnt = t_fifo_mem'high and s_write_pnt = t_fifo_mem'low);
  60. 

  61.   WriteP : process (Reset_n_i, Clk_i) is
  62.   begin
  63.     if (Reset_n_i = '0') then
  64.       s_write_pnt <= 0;
  65.       Werror_o    <= '0';
  66.     elsif (rising_edge(Clk_i)) then
  67.       Werror_o <= Wen_i and Full_o;
  68.       if (Wen_i = '1' and Full_o = '0') then
  69.         s_fifo_mem(s_write_pnt) <= Din_i;
  70.         s_write_pnt <= incr_pnt(s_write_pnt);
  71.       end if;
  72.     end if;
  73.   end process WriteP;
  74. 

  75. 

  76.   ReadP : process (Reset_n_i, Clk_i) is
  77.   begin
  78.     if (Reset_n_i = '0') then
  79.       s_read_pnt <= 0;
  80.       Rerror_o   <= '0';
  81.     elsif (rising_edge(Clk_i)) then
  82.       Rerror_o <= Ren_i and Empty_o;
  83.       if (Ren_i = '1' and Empty_o = '0') then
  84.         Dout_o <= s_fifo_mem(s_read_pnt);
  85.         s_read_pnt <= incr_pnt(s_read_pnt);
  86.       end if;
  87.     end if;
  88.   end process ReadP;
  89. 

  90. 

  91.   FlagsP : process (Reset_n_i, Clk_i) is
  92.   begin
  93.     if (Reset_n_i = '0') then
  94.       Full_o  <= '0';
  95.       Empty_o <= '1';
  96.     elsif (rising_edge(Clk_i)) then
  97.       if (Wen_i = '1') then
  98.         if (Ren_i = '0' and s_almost_full) then
  99.           Full_o <= '1';
  100.         end if;
  101.         Empty_o <= '0';
  102.       end if;
  103.       if (Ren_i = '1') then
  104.         if (Wen_i = '0' and s_almost_empty) then
  105.           Empty_o <= '1';
  106.         end if;
  107.         Full_o <= '0';
  108.       end if;
  109.     end if;
  110.   end process FlagsP;
  111. 

  112. 

  113.   FormalG : if Formal generate
  114. 

  115.     attribute anyconst : boolean;
  116.     signal s_data : std_logic_vector(Width-1 downto 0);
  117.     attribute anyconst of s_data : signal is true;
  118. 

  119.     signal s_cnt : natural range 0 to Depth;
  120. 

  121.   begin
  122. 

  123. 

  124.     default clock is rising_edge(Clk_i);
  125. 

  126. 

  127.     -- Initial reset
  128.     RESTRICT_RESET : restrict
  129.       {not Reset_n_i[*3]; Reset_n_i[+]}[*1];
  130. 

  131.     -- Inputs are low during reset for simplicity
  132.     ASSUME_INPUTS_DURING_RESET : assume always
  133.       not Reset_n_i ->
  134.       not Wen_i and not Ren_i;
  135. 

  136. 

  137.     -- Asynchronous (unclocked) Reset asserts
  138.     FULL_RESET : process (all) is
  139.     begin
  140.       if (not Reset_n_i) then
  141.         RESET_FULL      : assert not Full_o;
  142.         RESET_EMPTY     : assert Empty_o;
  143.         RESET_WERROR    : assert not Werror_o;
  144.         RESET_RERROR    : assert not Rerror_o;
  145.         RESET_WRITE_PNT : assert s_write_pnt = 0;
  146.         RESET_READ_PNT  : assert s_read_pnt = 0;
  147.       end if;
  148.     end process;
  149. 

  150. 

  151.     -- No write pointer change when writing into full fifo
  152.     WRITE_PNT_STABLE_WHEN_FULL : assert always
  153.       Wen_i and Full_o ->
  154.       next stable(s_write_pnt);
  155. 

  156.     -- No read pointer change when reading from empty fifo
  157.     READ_PNT_STABLE_WHEN_EMPTY : assert always
  158.       Ren_i and Empty_o ->
  159.       next stable(s_read_pnt);
  160. 

  161.     -- Full when write and no read and write pointer ran up to read pointer
  162.     FULL : assert always
  163.       Wen_i and not Ren_i and
  164.       (s_write_pnt = s_read_pnt - 1 or s_write_pnt = t_fifo_pnt'high and s_read_pnt = t_fifo_pnt'low) ->
  165.       next Full_o;
  166. 

  167.     -- Not full when read
  168.     NOT_FULL : assert always
  169.       Ren_i ->
  170.       next not Full_o;
  171. 

  172.     -- Empty when read and no write and read pointer ran up to write pointer
  173.     EMPTY : assert always
  174.       not Wen_i and Ren_i and
  175.       (s_read_pnt = s_write_pnt - 1 or s_read_pnt = t_fifo_pnt'high and s_write_pnt = t_fifo_pnt'low) ->
  176.       next Empty_o;
  177. 

  178.     -- Not empty when write
  179.     NOT_EMPTY : assert always
  180.       Wen_i ->
  181.       next not Empty_o;
  182. 

  183.     -- Write error when writing into full fifo
  184.     WERROR : assert always
  185.       Wen_i and Full_o ->
  186.         next Werror_o;
  187. 

  188.     -- No write error when fifo not full
  189.     NO_WERROR : assert always
  190.       not Full_o ->
  191.         next not Werror_o;
  192. 

  193.     -- Read error when reading from empty fifo
  194.     RERROR : assert always
  195.       Ren_i and Empty_o ->
  196.       next Rerror_o;
  197. 

  198.     -- No read error when fifo not empty
  199.     NO_RERROR : assert always
  200.       not Empty_o ->
  201.       next not Rerror_o;
  202. 

  203.     -- Write pointer increment when writing into not full fifo
  204.     -- and write pointer isn't at end value
  205.     WRITE_PNT_INCR : assert always
  206.       Wen_i and not Full_o and s_write_pnt /= t_fifo_pnt'high ->
  207.       next s_write_pnt = prev(s_write_pnt) + 1;
  208. 

  209.     -- Write pointer wraparound when writing into not full fifo
  210.     -- and write pointer is at end value
  211.     WRITE_PNT_WRAP : assert always
  212.       Wen_i and not Full_o and s_write_pnt = t_fifo_pnt'high ->
  213.       next s_write_pnt = 0;
  214. 

  215.     -- Read pointer increment when reading from not empty fifo
  216.     -- and read pointer isn't at end value
  217.     READ_PNT_INCR  : assert always
  218.       Ren_i and not Empty_o and s_read_pnt /= t_fifo_pnt'high ->
  219.       next s_read_pnt = prev(s_read_pnt) + 1;
  220. 

  221.     -- Read pointer wraparound when reading from not empty fifo
  222.     -- and read pointer is at end value
  223.     READ_PNT_WRAP  : assert always
  224.       Ren_i and not Empty_o and s_read_pnt = t_fifo_pnt'high ->
  225.       next s_read_pnt = 0;
  226. 

  227.     -- Correct input data stored after valid write access
  228.     DIN_VALID : assert always
  229.       Wen_i and not Full_o ->
  230.       next s_fifo_mem(s_write_pnt - 1) = prev(Din_i);
  231. 

  232.     -- Correct output data after valid read access
  233.     DOUT_VALID : assert always
  234.       Ren_i and not Empty_o ->
  235.       next Dout_o = s_fifo_mem(s_read_pnt - 1);
  236. 

  237.     -- Fillstate calculation
  238.     process (Clk_i) is
  239.     begin
  240.       if Reset_n_i = '0' then
  241.         s_cnt <= 0;
  242.       elsif rising_edge(Clk_i) then
  243.         if Wen_i = '1' and Full_o = '0' and (Ren_i = '0' or Empty_o = '1') then
  244.           s_cnt <= s_cnt + 1;
  245.         elsif Ren_i = '1' and Empty_o = '0' and (Wen_i = '0' or Full_o = '1') then
  246.           s_cnt <= s_cnt - 1;
  247.         end if;
  248.       end if;
  249.     end process;
  250. 

  251.     -- Data flow checks
  252.     -- GHDL only allows numerals in repetition operators
  253.     -- so we have to use separate checks for each fill state 
  254.     DATA_FLOW_0 : assert always
  255.       {{s_cnt = 0 and Wen_i = '1' and Din_i = s_data} ; {Ren_i[->1]}}
  256.       |=> {Dout_o = s_data};
  257. 

  258.     DATA_FLOW_1 : assert always
  259.       {{s_cnt = 1 and Wen_i = '1' and Din_i = s_data} : {Ren_i[->2]}}
  260.       |=> {Dout_o = s_data};
  261. 

  262.     DATA_FLOW_2 : assert always
  263.       {{s_cnt = 2 and Wen_i = '1' and Din_i = s_data} : {Ren_i[->3]}}
  264.       |=> {Dout_o = s_data};
  265. 

  266.     DATA_FLOW_3 : assert always
  267.       {{s_cnt = 3 and Wen_i = '1' and Din_i = s_data} : {Ren_i[->4]}}
  268.       |=> {Dout_o = s_data};
  269. 

  270.     DATA_FLOW_4 : assert always
  271.       {{s_cnt = 4 and Wen_i = '1' and Din_i = s_data} : {Ren_i[->5]}}
  272.       |=> {Dout_o = s_data};
  273. 

  274.     DATA_FLOW_5 : assert always
  275.       {{s_cnt = 5 and Wen_i = '1' and Din_i = s_data} : {Ren_i[->6]}}
  276.       |=> {Dout_o = s_data};
  277. 

  278.     DATA_FLOW_6 : assert always
  279.       {{s_cnt = 6 and Wen_i = '1' and Din_i = s_data} : {Ren_i[->7]}}
  280.       |=> {Dout_o = s_data};
  281. 

  282.     DATA_FLOW_7 : assert always
  283.       {{s_cnt = 7 and Wen_i = '1' and Din_i = s_data} : {Ren_i[->8]}}
  284.       |=> {Dout_o = s_data};
  285. 

  286. 

  287.     -- An alternative for GHDL: Replacing the [->] goto operator
  288.     -- by counting Ren_i starting when s_data is written into fifo.
  289.     -- The properties have to be slightly modified only.
  290.     -- Sadly proving these needs much more (engine dependend) time than
  291.     -- the separate checks above. I assume the counters are the reason.
  292.     gen_data_checks : for i in 0 to Depth-1 generate
  293. 

  294.     begin
  295. 

  296.       GEN : if i = 0 generate
  297. 

  298.         DATA_FLOW_GEN : assert always
  299.           {{s_cnt = i and Wen_i = '1' and Din_i = s_data} ; {not Ren_i[*]; Ren_i}}
  300.           |=> {Dout_o = s_data};
  301. 

  302.       else generate
  303. 

  304.         signal s_ren_cnt : integer range -1 to i+1 := -1;
  305. 

  306.       begin
  307. 

  308.         process (Reset_n_i, Clk_i) is
  309.         begin
  310.           if not Reset_n_i then
  311.             s_ren_cnt <= -1;
  312.           elsif (rising_edge(Clk_i)) then
  313.             if s_cnt = i and Wen_i = '1' and Din_i = s_data then
  314.               s_ren_cnt <= 1 when Ren_i else 0;
  315.             else
  316.               s_ren_cnt <= s_ren_cnt + 1 when Ren_i = '1' and s_ren_cnt >= 0;
  317.             end if;
  318.           end if;
  319.         end process;
  320. 

  321.         DATA_FLOW_GEN : assert always
  322.           {{s_cnt = i and Wen_i = '1' and Din_i = s_data} : {Ren_i[*]; s_ren_cnt = i+1}}
  323.           |-> {Dout_o = s_data};
  324. 

  325.       end generate GEN;
  326. 

  327.     end generate gen_data_checks;
  328. 

  329.   end generate FormalG;
  330. 

  331. 

  332. end architecture rtl;