## Hands-on Manual to FormalCheck Version 2.3

## **Hardware Verification Group**



Concordia University Department of Electrical and Computer Engineering, Montreal, Quebec, Canada.

May 2000

|    | Pag                                                     | e No. |
|----|---------------------------------------------------------|-------|
|    | Preface                                                 | 5     |
|    | Audience                                                | 5     |
| 1. | Introduction                                            | 6     |
| 2  | Verifying Techniques used in FormalCheck                | 9     |
|    | FormalCheck Project                                     | 9     |
|    | Queries (properties + constraints)                      | 9     |
|    | Pros and Cons of using Constraints                      | 16    |
|    | Checking for Overconstraint                             | 16    |
| 3  | Stepwise Procedure of Verifying a Design in FormalCheck | 17    |
|    | <u>Step 1 (Initializing Step)</u>                       | 17    |
|    | Step 2 (Saving the Project)                             | 18    |
|    | Step 3 (Opening a file: optional)                       | 18    |
|    | Step 4 (Compiling the Verilog/VHDL design - BUILD)      | 18    |
|    | <u>Step 5 (Adding a Constraint).</u>                    | 19    |
|    | <u>Step 6 (Create/Edit Query)</u>                       | 20    |
|    | <u>Step 7 (Verify Query)</u>                            | 21    |
| 4  | Post-Processing Analysis                                | 22    |
| 5  | Advanced Options                                        | 24    |
|    | New Features                                            | 25    |
|    | AutoCheck                                               | 25    |
|    | Macro                                                   | 25    |
|    |                                                         |       |

### **TABLE OF CONTENTS**

| Page | No. |
|------|-----|
|      |     |

| Clock Extraction:                             | 25 |
|-----------------------------------------------|----|
| Script Interface                              | 25 |
| IMPORTANT BUILD OPTIONS                       | 26 |
| ADVANCED QUERY RUN OPTIONS:                   | 26 |
| THREE VERIFICATION ALGORITHMS                 | 26 |
| A Recommended Procedure for Verification      | 27 |
| References                                    | 28 |
| APPENDICES                                    | 29 |
| APPENDIX A                                    | 29 |
| The System Settings to Run FormalCheck        | 29 |
| <b>Running FormalCheck on NCD terminals</b>   | 30 |
| APPENDIX B                                    | 31 |
| FormalCheck File Description                  | 31 |
| Contents of the file README                   | 31 |
| Contents of the file verify.stdout.           | 32 |
| Contents of the file verify.out               | 34 |
| Contents of the file query.c                  | 35 |
| APPENDIX C                                    | 36 |
| <b>Design Tips (for verification purpose)</b> | 36 |
| APPENDIX D                                    | 37 |
| The "arbiter" example                         | 37 |
| Description of the Arbiter to be verified     | 37 |
| Arbiter Basic Specification                   | 39 |
| RTL design                                    | 39 |

Page No.

| VERIFICATION RESULTS | 49 |
|----------------------|----|
| <u>Query-1</u>       | 49 |
| <u>Query-2</u>       | 50 |
| Query-3              | 52 |
| Query-4              | 53 |
| Query-5              | 56 |

•

# Preface

### Audience:

This guide is written for research students and design engineers who will use FormalCheck as a tool of hardware verification for the first time. It summarizes the available material (FormalCheck User Guide, FormalCheck on-line Manual, etc.) that the manufacturer has provided with the tool.

### 1. Introduction

**Formal verification** means a mathematical proof which assures that a property holds of a design model. The need for "correct" designs in *safety-critical applications*, coupled with the major *cost associated with products delivered late*, are the two of the main reasons behind the recent popularity of **formal hardware verification**. The verification methods require considerable time and expertise to verify even fairly simple systems. As a result, practical application has been limited to a few domains, such as *security* and *safety-critical* systems, where ethical or legal requirements demand the highest assurance of correctness, regardless of the cost [1].

Two well-established approaches to verification are, model checking and theorem proving. Theorem proving means that, given a set of axioms and a theorem formulated in some logic, there exists a proof generated by the inference system. On the other hand, model checking is a technique that relies on building a finite model of a system and checking that a desired user-defined property holds in the model [2]. FormalCheck is a model checker, designed to help alleviate the functional verification bottleneck.



**FIG 1.1**: FormalCheck Verification procedure [3]

FormalCheck supports the synthesizable subsets of Verilog and VHDL hardware design languages. The source code does not need to be modified for the sake of verification. The user supplies FormalCheck with a set of queries to be verified on the design model. The queries are simply statements (formalizations) of important behaviors described in the specification.

FormalCheck aids the user by automatically back referencing each error to the offending line to the source code. The errors can be fixed and the source recompiled without leaving the tool. The tool explores all possible input scenarios, guaranteeing that no bugs are missed for lack of vectors.

It is common to wait for the test bench to be completed before starting simulation and a complete test bench is only created at the chip level. With FormalCheck, verification can be started as soon as the first block is designed and the first query is written. This speeds up the design cycle by catching the bugs at an earlier stage and also reduce the verification effort. In short, "Formal-Check model checker can be used when the design is fluid or only partially defined" [3].



FIG 1.2: Localization Reduction algorithm[3]

"It is of paramount importance that the tool be able to reduce the model automatically relative to the property under check, to the greatest extent possible" [3]. FormalCheck uses two approaches of reduction algorithm (*1-step* and *iterative*). Most of the reductions tend to be property-dependent *localization reductions* [5], in which the part of the design model that are irrelevant to the property being checked, are abstracted away. In FormalCheck, localization reduction is applied dynamically. At each step of the algorithm, the model is adjusted by advancing its "free fence"

(please refer to the Figure 1.2) of induced primary inputs, in order to discard spurious counter examples to the stated query [5].

*1-step reduction* looks at the dependency graph and removes any portion of the design from the verification proof that cannot affect the outcome of the query. This algorithm propagates constants contained in the design or in the input assumptions to further reduce the design.

An additional level of reduction can be achieved by *Iterative Reduction* algorithm. It takes an attempt to find a small portion of the design that can be used to verify the current query. This technique guarantees that queries proven to be true on the small portion of the design would also be true for the entire design. This algorithm can be run with or without a user-supplied starting point (reduction seed) and can reduce the *state space* of the design by several orders of magnitude, allowing *larger designs* to be verified.

This tool checks if a change (by the user) could affect the outcome of the verification. If not, it marks the query as proven by the previous runs. This unique capability reduces the *regression time*. Through FormalCheck's Back-Reference utility, a click on an error in the waveform pops up the source with the cursor on the line that caused the error.



**FIG 1.3**: FormalCheck Verification Cycle [6]

### 2. Verifying Techniques used in FormalCheck

To use either the Graphical User Interface (GUI) or the Command Line Version, one must aware of the functionality of the each step to wisely use the different advanced options provided by FormalCheck. The following literature refers to the GUI version of FormalCheck tool.

**Note:** If anyone already has some experience with FormalCheck, can skip this chapter and can have a look at the chapter 4 (stepwise procedure) in order to just remind him/herself of the tool

### **FormalCheck Project:**

A FormalCheck *project* is a container (directory structure) that holds all information relevant to the verification [6]. One may start the tool either by opening an existing project or by creating a new one. A project (.fpj) file contains the following information:

- pointer to the model design.
- necessary information to compile the design (i.e. HDL language, top level entity/module name, hierarchical dependencies, etc.).
- data structure built for the verification.
- queries (properties + constraints)
- result of the verification of the queries.

### **Queries** (properties + constraints):

Existing model-checkers use some form of CTL (Computation Tree Logic) to define properties [3]. The idea of using a logic was discarded my FormalCheck, because this approach is sometimes hard to be defined for the general users. In FormalCheck, each **property** is defined using one of a small set of templates, *each with a clear intuitive and simple semantics* and correctly as impressive as the class of **omega** ( $\omega$ ) **automata**. Of course, what is gained in simplicity is lost in flexibility [3].

A property is verified if and only if no failures are found after exploring all reachable states and possible input combinations [6].

| Query Query Query Name: traffic_light2 Notes                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |                         |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|
| Property Contract Con | ENABLING<br>CONDITION   |
| Type: Safety - Vever Always<br>Liveness - Eventually EvAlways Strong Liveness                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                         |
| ENSURE After: traffic_light.cars[1] == 0 Clear                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | FULFILLING<br>CONDITION |
| Eventually:       traffic_light.direction[1] == 1       Clear         Unless:       traffic_light.initval != 1       Clear                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |                         |
| Options: Fulfill Delay: Duration: Clear<br>Of Edge:<br>OK Clear All View Cancel Help                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | DISCHARGING             |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |                         |

**FIG 2.1**: *Property Panel*, showing essential features.

The above figure defines a property which checks that after each time the designated *enabling condition* is enabled, the designated *fulfilling condition* holds continuously unless the *discharging condition* becomes true [3].

"**Fulfill at Discharge**" option is used when it is necessary to require the Fulfilling Condition concurrently with the Discharging Condition.

| Table 1: Explanatio | n of the option | "Fulfill at Discharge" |
|---------------------|-----------------|------------------------|
|---------------------|-----------------|------------------------|

| Regular Fulfil and Discharge condition                                         | With option: Fulfill at Discharge (Figure 2.1)                                                             |
|--------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------|
| Example: Always (A) Fulfilling Condition<br>Unless (B=1) Discharging Condition | Example: Always (A) Fulfilling Condition<br>Unless After (B=1) Discharging Condition                       |
| Explanation: The Fulfilling Condition will discharge when B=1.                 | Explanation: The Fulfilling Condition will<br>discharge when B becomes equal to 1,<br>while A still holds. |

Property (safety, liveness):

1. **Safety**-This kind of property ensures that nothing "bad" happens. The Safety property fails if the undesired behavior is exhibited in any state which is reachable with the phase state active [6].

There are two kinds of Safety property in FormalCheck: a) Never b) Always



FIG 2.2: A property in FormalCheck: "Light is never green in both directions"

a) <u>Never</u>: "FormalCheck will explore all possible inputs and reachable states to verify that the condition can NEVER occur" [6].

Figure 2.2 shows, how one can specify a property in FormalCheck. This can be done either my writing manually or with the help of buttons (signal selection).

- b) <u>Always</u>: "FormalCheck will explore all possible inputs and reachable states to verify that the condition can NEVER be false" [6].
- 2. Liveness- This type of property guarantees that eventually something "good" happens. "A Liveness property fails if there exists a sequence of inputs which can postpone the required behavior indefinitely. Since all designs are finite state, a liveness failure amounts to finding a cycle of reachable states where the required behavior does not occur" [6]. FormalCheck defines three kinds of liveness property:
  - a) Eventuallyb) Eventually Alwaysc) Strong Liveness

|                         | Property                                                             |          |
|-------------------------|----------------------------------------------------------------------|----------|
| Property Name:<br>Type: | Evantuality_Test Safety - 🐼 Never 🐼 Always                           |          |
|                         | Liveness - <u>Eventually</u> <u>EvAlways</u> <u>Strong</u><br>ENSURE | Liveness |
| After:                  | traffic_light.direction[0] == 0                                      | Clear    |
| Eventually:             | traffic_light.direction[0] == 1                                      | Clear    |
| Unless:                 |                                                                      | Clear    |
| Options:                | Fulfill at Discharge                                                 |          |
|                         | Of Edge:                                                             | Clear    |
| ОК                      | Clear All View Cancel H                                              | lelp     |

FIG 2.3: Property panel with an Eventual Property.

a) Eventually: The Fulfilling Condition must eventually become true. However, it does not have to remain true all the time. The above eventual liveness property can be written in words as follows:

After (direction(0) = GREEN) Eventually (direction (0) = RED)

- b) Eventually Always: This is like steady state "Eventually" property. The Fulfilling Condition must remain true (Steady State) at the time of discharging. "It does not have to reach steady state within any time limit and may become true and then false several times before it reaches the steady state" [6].
- c) Strong Liveness: Strong liveness differs from the other liveness property by its Enabling Condition. Here, the Enabling Condition is allowed to be checked repeatedly upon the failure of fulfilling condition.

| Strong Liveness                                                                                           | Eventually                                                                                                                                                       |
|-----------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Format: If Repeatedly (event A)<br>(Enabling Condition)<br>Eventually (event B)<br>(Fulfilling Condition) | Format: After (event A)<br>(Enabling Condition)<br>Eventually (event B)<br>(Fulfilling Condition)                                                                |
| The Enabling Condition need to be satis-<br>fied along the failure cycles.                                | The Enabling Condition need not be satis-<br>fied along the failure cycles. The Enabling<br>Condition may be satisfied before the fail-<br>ure cycle is entered. |
| Both Enabling and Fulfilling Condition<br>are required for Strong Liveness property.                      | When Enabling Condition is absent, the<br>Fulfilling Condition is active until it is dis-<br>charged (if ever).                                                  |
| Computationally not simple                                                                                | Computationally simpler.                                                                                                                                         |

Table 2: The Difference Between Strong Liveness and Eventually

<u>Constraint</u>: In FormalCheck, design constraints are defined using a companion set of templates (property templates and constraint templates are paired), and each check on a design model is performed in the context of a set of properties and constraints, termed "query"
[3]. All the constraints belonging to the project are listed in the Constraint Library panel (please refer to Figure 3.3). Constraints limit the state space of a design model.



FIG 2.4: The Effect of Constraints in the Reachable State Space [6]

Let us assume that, the Figure 2.4 is the total reachable space of a variable X for some design model. The constraint to be added as "X is true always". The area with the thick boundary is then excluded from verification as it belongs to negative X. If we put constraints to some signals which includes a feature of the design, then that will not be verified and this situation is called "Overconstrained".

WARNING: We should be careful about the model being not OVERCONSTRAINED.

There are 2 types of general constraints:

- i) <u>Safety</u> (never, always)
- ii) Fairness (eventually, strong fairness)

Safety constraints are the constraints applied with the safety property and the fairness constraints are applied with the liveness property of the query.

- **Constraint SHORTCUTS**: Constraint Shortcuts are provided by the tool to use as readymade constraints. There is also "general" constraint in order to define any other kind of constraints. Shortcuts are only allowed for the primary inputs.
  - i) Assignment
  - ii) Clock
  - iii) Constant
  - iv) Reset/Repeat
- i) <u>Assignment</u>: An input signal always takes the value of an expression. The expression may contain internal signals, but the signal must be a primary input.
- ii) <u>Clock</u>: This is a very important constraint. It is an oscillating signal and FormalCheck detects the rising and falling edge of the signal. Example, <u>design.CLK == rising</u> (Verilog)

| Root module. sig | nal_name         |              |
|------------------|------------------|--------------|
|                  | Clock            | <u>inini</u> |
|                  | Signal: main.clk | Select       |
|                  | Name: clk        |              |
|                  | Start: Low       |              |
|                  | 1st Duration: 1  |              |
|                  | 2nd Duration: 1  | 📕 Default    |
|                  | OK Notes Cancel  | Help         |

**FIG 2.5**: The usage of Clock Constraint

During the verification, this constraint can simulate the behavior of the clock ticks.

- iii) Constant: It assumes a signal to have a constant value.
- iv) <u>Reset/Repeat</u>: This a very useful constraint. It is used to constrain a signal to a userdefined waveform. The waveform may be an one shot waveform or a repeat (periodic) one. A signal is first selected, then a waveform is specified. Each state in which the selected signal matches, the specified waveform is excluded from the verification. This constraint can wisely be used for the initialization of all the input signals. But to do that one should always remember that it is going to be needed to add some lines code to the original design model.

*Example*: The following is a Verilog example (portion of a design). The reset/repeat constrain can be applied to the signal reset\_elevator (please refer to the Figure 2.6) to initialize the signals "direction" and "movement".

```
// initialization block
always @(reset_elevator)
begin
    if (reset_elevator)
    begin
        direction = 'UP;
        movement = 'STOPPED;
        end
end
```

|   |    |                                            | Reset/1      | Repeat |                                          |
|---|----|--------------------------------------------|--------------|--------|------------------------------------------|
|   | Na | ınal: main.res<br>ıme: reset<br>tart: High | set          |        | Select                                   |
|   |    | Transition                                 | Duration     | Value  | Deraut                                   |
|   |    | Start                                      | 2<br>forever |        | Add<br>Delete Last<br>Cycle/Set<br>Clear |
| l |    | Duration                                   | ı: 🕅 🗌       | Clear  |                                          |
|   |    | ок                                         | Notes        | . Canc | cel Help                                 |

FIG 2.6: The usage of Reset/Repeat Constraint

The settings on Figure 2.6 will produce a **main\_reset** signal (passed as a parameter while instantiating another module instance, and thus, is equivalent to **reset\_elevator**) which is "high" (logic value 1) for 2 cranks (unit of time) and "low" (logic value 0) for the rest of the verification period. As the block is active only at positive values of the signal reset\_elevator, all the input signals in the block are initialized to the desired values.

Cranks: This is the term FormalCheck uses for "unit of time".

### **Pros and Cons of using Constraints:**

- (+) Constraints limit the state space of a design to be verified.
- (+) Constraints can significantly reduce the run time.
- (+) One can limit the input by using constraint on it, and thus restrict the design. Any error in the restricted design is also an error for the total design. So, running a severely restricted design can give a good *early warning* concerning the computational complexity of the unrestricted design.
- (-) *Mutually inconsistent* constraints can compromise the verification by preventing an important design flaw being exposed.

<u>Mutually inconsistent</u>: While individually taken, works fine. But simultaneous use impose contradictory results.

#### **Checking for Overconstraint:**

When the properties are overconstraint, the verification result comes as "Vacuous". It means, the Enabling Condition of the property was never satisfied. Because,

- 1. The Enabling Condition was wrongly formed.
- 2. The verification engine could not reach a state where the Enabling Condition was satisfied.
- 3. Inconsistent definitions while forming constraints. Like, X=1 && X=0.

The following are some procedures to solve problems with constraints:

- The only conclusive way to check that a design is not overconstraint is to convert all constraints to their corresponding properties and verify these properties on the model that derives the inputs of the given design,
- If -DVACCHECK (please refer to page 8-8 on FormalCheck User's Guide, reference no. 6) fails, one can apply -DVACCHECK "**run option**" (Query panel) to successive subsets of the constraints until a small mutually inconsistent subset is identified.
- One can check "Missing value Report" for values some signals never attain.

### **3. Stepwise Procedure of Verifying a Design in FormalCheck**

| Elle Ellet | Project | Guery |                        |              |           |              |
|------------|---------|-------|------------------------|--------------|-----------|--------------|
|            |         | Be    | Labs Design Automation |              |           |              |
|            |         |       |                        | Design Hodel | 11. 19989 |              |
|            |         | 11    | Project File:          |              |           |              |
|            |         | -11   | Tille:                 |              |           |              |
|            |         | 18    | Source Files:          |              |           | feld         |
|            |         | - 11  |                        |              |           | Append List. |
|            |         | - 11  |                        |              |           | 1-Shoe Lint_ |
|            |         | - 11  |                        |              |           | CHIN .       |
|            |         | - 11  |                        |              |           |              |
|            |         | -11   |                        |              |           | VP           |
|            |         |       | Language: UNDL         |              | м         |              |
|            |         |       | · Verling              | 1            |           |              |
|            |         | 18    | Root Module:           | -            |           |              |
|            |         |       | auld Options:          |              |           |              |
|            |         |       |                        |              |           |              |
|            |         |       | OK                     | Hotes C      | acel      | Help         |

Step 1 (Initializing Step).

**FIG 3.1:** Design Model Panel (for *Step 1*)

### PROJECT

### **NEW/OPEN**

### This will invoke "Design Model Panel".

- Name of the project has to be provided. ("Title").
- Design language has to be chosen (VHDL or Verilog).
- For VHDL (.vhd/.vhdl): Root Entity (mandatory)

Architecture (mandatory)

• For Verilog (.v): Root Module (mandatory)

Build Option (optional)

### ADD

This will invoke "Select Design File Panel".

- A design file (same language chosen before) has to be selected.
- Option "SAVE LIST": This will create a text file that contains a list of file names of the design model files that are currently displayed on the panel.
- Option "NOTES": This will allow to write notes about the project.

### Step 2 (Saving the Project).

#### **PROJECT**

### SAVE / SAVE AS

FormalCheck uses the extension "**.fpj**" for the files containing the project. The user has to enter a name for the file.

### Step 3 (Opening a file: optional).

### FILE

### **OPEN**

This is not a mandatory step for the verification process. But, it allows to debug syntax error (edit) the design (Verilog/VHDL).

| Formal Ch                                                                                    | eck 🔽                   |
|----------------------------------------------------------------------------------------------|-------------------------|
| <u>F</u> ile <u>E</u> dit <u>P</u> roject <u>Q</u> uery <u>W</u> ind                         | ow <u>H</u> elp         |
|                                                                                              | test                    |
| 'define RED 1'b0<br>'define GREEN 1'b1<br>'define WAITING 1'b0<br>'define PASSING 1'b1       |                         |
| <pre>module traffic_light (     cars,     reset,     initval,     direction);</pre>          |                         |
| <pre>input [1:0] cars;<br/>input reset;<br/>input initval;<br/>output [1:0] direction;</pre> |                         |
| reg [1:0] direction;                                                                         | $\overline{\mathbf{v}}$ |
| /project/hvg/mi_khan/MY_formalCheck/EX/                                                      | MPLES/tic.v             |
| *** Post-processing Netlist For Netw                                                         | ork traffic_light       |
| *** Processing behavioral description                                                        | ns                      |
| *** Processing network traffic_light                                                         | <u>-</u> ····           |
| Build completed successfully                                                                 | V                       |
| Build completed successfully                                                                 |                         |

FIG 3.2: Running the Build option on an example (for *Step 4*)

### Step 4 (Compiling the Verilog/VHDL design - BUILD).

#### PROJECT BUILD

"Build" option is the first main step towards verification. Whenever any change in the design is made, BUILD is necessary, so as FILE-SAVE.

The following three actions are performed implicitly by "Build":

- i) Compilation of the design (Verilog or VHDL)
- ii) Post-Processing of the netlist.
- iii) Processing of the behavioral description.

Compilation errors are highlighted in the Diagnostic region, and then are hyperlinks. Clicking on an error will highlight the source line in the edit region that caused the error.

|                                                     |                 | FormalCheck                |                         | ान           |
|-----------------------------------------------------|-----------------|----------------------------|-------------------------|--------------|
| <u>F</u> ile <u>E</u> dit <u>P</u> rojec            | t <u>Q</u> uery | <u>W</u> indow             |                         | <u>H</u> elp |
| le l            | -               | Quer                       | ¢γ                      |              |
| 'define RED 1'.<br>'define GREEN<br>'define WAITING | Query I         | Name: traffic_light2       |                         | Notes        |
| 'define PASSING                                     | Properties      | : waiting_car - eventually | y 🔺                     | New:         |
| <pre>module traffic_l</pre>                         |                 |                            |                         | Property     |
| reset,<br>initval,<br>directio:                     |                 |                            | $\overline{\mathbf{v}}$ | Constraint   |
| input [1:0] ca                                      | Constraints     | : reset                    |                         | Update:      |
| Co                                                  | onstraints      | : -> Query                 |                         | Edit         |
| reset (Reset)                                       | -> default      |                            | New 🛃                   | View         |
|                                                     |                 |                            | Edit                    | Remove       |
|                                                     |                 |                            | Delete .                |              |
| -                                                   |                 |                            | Default                 |              |
|                                                     |                 |                            | Usage                   | Help         |
|                                                     |                 |                            | Notes                   |              |
| Use                                                 | Save            | Dismiss                    | Help                    |              |
|                                                     |                 |                            |                         |              |
| -                                                   |                 |                            |                         |              |

# Note: At the end of this Step 4, the project has to be saved once more (repetition of Step 2

**FIG 3.3**: The Constraint Library Panel (for *Step 5*)

### **Step 5 (Adding a Constraint).**

### PROJECT

### **CONSTRAINT LIBRARY**

This will invoke "**Constraint Library**" panel (Figure 3.3). Constraints limits the state place of a design model that is verified [6].

Note: Please refer to the previous chapter for more details on CONSTRAINTS.

### Step 6 (Create/Edit Query).

#### **QUERY**

### **NEW / EDIT**

A query must contain one or more properties. The procedure to write properties are explained in the previous chapter. A new query also automatically contains any constraints marked as default in the constraint library. Additional constraints can be added or removed manually.

**Default Constraint**: "A default constraint is a constraint that will be automatically applied to all new queries in a project. A constraint marked as default will not be applied to any pre-existing queries unless specified manually. A non-default constraint can be manually added to any query" [6].



#### Allows to keep notes on Project, Query , Constraints and State Variab

**FIG 3.4**: The "Query" Panel and Its Features (for *Step 6*)

Four main steps in the "Query" panel to remember:

- 1. Name of the property.
- 2. Type of property.
- 3. Insertion of logic in Enabling Condition, Fulfilling Condition and/or Discharging Condition.
- 4. Taking care of Constraints.
- **"Fulfill Delay**": A delay can be added between the Enabling Condition and the checking of the Fulfilling Condition. This delay is specified as an integer that counts the occurrences of an event which is again specified by a boolean expression written into the **"Of Edge"** field (please refer to Figure 3.3, "Property" panel).
- **"Duration"**: The verification windows terminates after a given duration of the Discharging condition becomes true, whichever comes first. The duration is measured by an integer, same way as the "Fulfill Delay".

|    |                | Query 1     | Manager |           |         | [r [      |
|----|----------------|-------------|---------|-----------|---------|-----------|
| lī | Name           | Description |         | Result    | Status  | [         |
| Ш  | traffic_light  | · ·         |         | VERIFIED! | Current | New       |
| Ш  | traffic_light2 |             |         | Failed    | Current | Edit      |
| Ш  |                |             |         |           |         | Report    |
| Ш  |                |             |         |           |         | Result    |
| Ш  |                |             |         |           |         | Signals   |
| Ш  |                |             |         |           |         | Waveform  |
| Ш  |                |             |         |           |         | Missing   |
| L  |                |             |         |           |         | Reduction |
| Ш  |                |             |         |           |         | Verify!   |
| L  |                |             |         |           |         | Stop      |
| Ш  |                |             |         |           |         | Copy to   |
| Ш  |                |             |         |           |         | Delete    |
| Ш  |                |             |         |           |         | Up        |
| Ш  |                |             |         |           |         | Down      |
| Ľ  |                |             |         |           |         |           |
|    | S              | chedule     | Dismiss | 1         | Help    |           |
|    |                |             |         |           |         |           |

**FIG 3.5**: The "Query Manager" panel (for *Step 7*).

### Step 7 (Verify Query).

Before starting to verify the query, the user has to save the query as well as the project (Step 2).

### QUERY

#### QUERY MANAGER Verify!

The user has to select the desired query from the "Name" column (Figure 3.5) and press the "**verify!**" button. FormalCheck will do the rest about verification.

### 4. Post-Processing Analysis

The "**Result**" column of the "Query Manager" may contain eight possible outcomes. The following is the short description:

- (1) New: Indicates a new query, no attempt has been taken to verify it.
- (2) Failed: Error has been found in the design and an error track is available for debugging.
- (3) Verified!: The query was previously verified.
- (4) Running: A verification procedure is currently being processed.
- (5) Terminated: The verification process is incomplete (user or some other intervention).
- (6) **Scheduled**: The verification is scheduled by the "Schedule Manager" (refer to the Query pull down menu).
- (7) No Error: No failures have been found, but this is not same as verification. It sometimes happens while using the auto-restrict algorithm to quickly verify the design.
- (8) Vacuous: The Enabling condition is never satisfied, the reason why the Fulfilling condition was never checked.

|           | odan wersion fc_2.0 Fri Feb 27 16:25:46 687 1990                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
|-----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|           |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| t Signals | Back Reference) Domand                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
|           | Quit Signal Env r Exec Files r Help r Print r Bedraw r Scroll r Golor r Wave r Grid Vector Suce                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
|           | 0_04                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
|           | Stop   Fervard Back Bown Bp Top Bot z   zmas   Vin Heas   Volt   Cort                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
|           | Trace, Back Bef Girmit Smer of Updated: 8-Jul-99 17(0):37 File: query 0.1 - ELL.0 - E-                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
|           |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
|           |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
|           | cond(1)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
|           | directive(0)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
|           | direction(1)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
|           | 1 (June 1 ) 2 ) 1 (June 2 ) 1 |
|           | *direction(1.0) 0 0                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
|           | 0 0 0                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
|           | arts ( ) much d                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
|           | ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( )                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |

**FIG 4.1**: The Wave Form Window (ODAN).

If the result is "Failed", then the waveform viewer (the Output Display / Analysis Tool - ODAN) is very useful to finish the post-verification analysis. FormalCheck creates 2 files

(.HDR and .REC) in the query directory for each failed query and ODAN uses those files to offer the following capabilities:

- Interactively select a subset to the signals for display.
- Zoom-in on critical areas.
- Select a specific time region to view signal activity in detail.
- Group signals under one label.

If the result is "Vacuous", then there may be a possibility that it was over-constraint (please refer to Chapter 2 of this manual).

### 5. Advanced Options

| Reduction Options                                                                             | Run Options                                                                                                                    |
|-----------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|
| Reduction: 1 - Step<br>Iterated<br>Reduction Seed: Empty<br>Continue<br>New Reduction Manager | Algorithm: Symbolic (BDD)<br>Explicit State<br>Auto-Restrict<br>Deadlocks: Treat as errors<br>Run Time: Limited<br>CPU Minutes |
|                                                                                               | Advanced Options:                                                                                                              |
| OK Cancel Help                                                                                | OK Cancel Help                                                                                                                 |

**FIG 5.1**: Reduction Options panel & Run Options panel

FormalCheck uses a patented localized reduction algorithm to reduce the size of the design model relative to the property being tested [6]. Among the two algorithms **1-step** is used by default and the **iterated algorithm** is used for complex designs, because it takes *less memory* (more time) to verify the design. This reduction technique finds a portion of the design model on which it is sufficient to run the verification.

|         | Use Recommended Gear All                          |
|---------|---------------------------------------------------|
|         | Deflection                                        |
| tart As | → Make Input. ←                                   |
|         | Clear                                             |
|         |                                                   |
|         |                                                   |
|         | $\operatorname{Shau} \rightarrow \leftrightarrow$ |
|         | Show:                                             |

**FIG 5.2**: Reduction Manager panel

A reduction seed can be provided by the user to further speed up the verification process. The user designates a candidate portion of the design model by marking its boundary signals **Start As Input**. This option disconnects all signals marked as "Start As Input" from the driving expressions and turns them into primary inputs. If some driving expressions really in need of some of these signals, the algorithm will reinstate them, cutting the design model signals at an alternate point instead [6].

### Note: Iterated reduction does not support Auto-Restrict verification algorithm Reduction Seed is recommended when Iterated Algorithm is used.

Through the "**Make Input**" option some signals can be disconnected almost permanently from their driving expressions, and thus treated as primary inputs. This is the way to isolate a portion of the design model. In such a condition, if FormalCheck verifies a query, it means that the same query would also be verified in the full design model.

# Note: "<u>Make Input</u>" sometimes creates problems in error tracing if FormalCheck returns <u>failure.</u>

Through the option "**Keep Active**", one can make sure that the signal is not going to be excluded from the verification, no matter what.

Note: If "Keep Alive" is used, it increases the computational cost.

"Clear" option removes any reduction designation from a design element.

### **New Features:**

**AutoCheck:** AutoCheck is applied as a preverification procedure. It is used in the early design stages to quickly run on queries in order to find early design bugs. AutoCheck is not a complete verification procedure as it does not cover the entire state space. (further reference: page 5-9 in user's manual: command "formalreadthemanual").

**Macro**: Macro is the shorthand version of any expression. It is done by the expression editor. The procedure is to type or insert any expression and give it a name after pressing "MakeMacro".

**Clock Extraction**: While imposing clock constraints, the feature "Clock Extraction" can be used to reduce verification time in some cases. This option should be tried if the design is synchronous with respect to a single clock edge.

**Script Interface**: FormalCheck supports user-defined UNIX script to perform tasks, like automatically generating constraints. (see page 8-7 in users' manual).

### **IMPORTANT BUILD OPTIONS**:

#### [ -D <parameter>=<value> ]

Allows the value of a Verilog parameter to be set to a different (smaller) value to reduce the state space. This is necessary for parenthesized RAMs, ROMs, FIFOs, and queues.

[ -W<path> ]

Specifies a single directory to which all the files will be created by FormalCheck.

#### ADVANCED QUERY RUN OPTIONS:

[ -L<mb>]

Specifies a limit on memory used. "mb" is memory in megabyte, represented in floating point notation. 80% limit of user accessible memory is recommended. The verification begins a wrap up sequence (time consuming) when the memory is finished to generate reports.

[-#hardlimit=<mb> ] Stops verification without the warp up sequence.

### [-DVACCHECK ]

This option verifies if really a query is **vacuous**. If the result with this option is "verified!" then the query is vacuous. If a bad cycle is found then the query is not vacuous.

### THREE VERIFICATION ALGORITHMS:

- Symbolic State Enumeration (Ordered Binary Decision Diagrams / Symbolic BDD)
- Explicit State Enumeration.
- Auto-Restrict.

Symbolic BDD is generally useful for verifying models with a very large set of States. But, BDDs become extremely large for the design models with arithmetic expressions.

Explicit State Enumeration is recommended for designs with fewer than 1000 primary inputs/state and which contain a large number of arithmetic expressions. It can find error in the design faster than the symbolic BDD. This algorithm is preferable for liveness property.

Auto-Restrict attempts to narrow down the portion of the design where a failure is likely to be found. It speeds up the verification. But if may give the result "No Errors". In this case, the verification has to be performed again with any of the previous two algorithms.

### A Recommended Procedure for Verification:

At first Symbolic BDD should be used with a time limit. The verification can stop for three reasons. An error can be found, the time limit can be expired or the verification can be complete. For the first two reasons, one can do the following:

- Missing value report should be checked.
- Restriction should be added.
- Reduction Manager should be employed.
- Verification should be re-run with Auto-restrict or Explicit State Enumeration.

Note: "Missing Values": Show the design elements (signals) that are irrelevant to the specific query

### References

- A.J. Hu. Formal Hardware Verification with BDDs: An Introduction, IEEE Pacific Rim Conference on Communications, Computers, and Signal Processing (PACRIM), pp. 677-682, 1997.
- [2] E.M. Clarke and J.M. Wing. Formal Methods: State of Art and Future Directions, CMU Computer Science Technical Report CMU-CS-96-178, August 1996.
- [3] R.P. Kurshan. Formal Verification In a Commercial Setting, Bell laboratories, Murry Hill, NJ. In Design Automation Conference. June, 1997.
- [4] R.H. Hardin, Z. Har'EL, R. P. Kurshan, COSPAN, Springer LNCS 1102 (1996), pp. 61-67.
- [5] R. P. Kurshan, Computer-Aided Verification of Coordinating Processes, Princeton Univ. Press, 1994.
- [6] FormalCheck User's Guide. Cadence Design Systems. V2.3, August 1999.

### **APPENDIX A**

### **System Settings to Run FormalCheck**

- 1. To work on a UNIX machine, the system administrator has to activate user's privilege to the tool (FormalCheck).
- 2. The following lines had to be added to the .cshrc (startup file).

setenv LM\_LICENSE\_FILE /usr/local/etc/license/cadence/license.dat setenv CDS\_INST\_DIR /CMC/tools/formalcheck2.3 setenv CDS\_LIC\_FILE /usr/local/etc/license/cadence/license.dat setenv FCHECKDIR /CMC/tools/formalcheck2.3/SOLARIS setenv FCCC /opt/SUNWspro/bin/cc setenv NL\_DIRECTORY /usr/local/etc/license/cadence/license.dat setenv MANPATH \$FCHECKDIR/syscad/man:\$MANPATH setenv FCATHOME no set path = ( \$FCHECKDIR \$path ) alias formalreadthemanual '/CMC/tools/formalcheck2.3/tools.sun4v/bin/openbook'

Or, one can make a file called formalcheck.env (or any\_name.env) and source it everytime he wants to run formalcheck, as follows: source formalcheck.env

3. FormalCheck comes with an example, done as a tutorial for the new users. Before running the tutorial from the help menu ("Getting Started"). necessary files should be copied to the current directory by exeuting the following command on the UNIX prompt:

### > cp -r /CMC/tools/formalcheck2.3/SOLARIS/examples .

The online tutorial is the quickest way to learn formalcheck.

4. The tools comes with very useful sets of documents. The access to different documents can be done in following ways:

- SOURCE 1: By typing "formalreadthemanual" (without colons) in the command prompt. The prerequisite of this command is sourcing the .env file (explained before). This is the most extensive source of information one can get about formalcheck. The command "formalreadthemanual" will invoke openbook utility of unix and the user can read on just by clicking the mouse.
- SOURCE 2: The other documents are accessible after running the tool from the help menu. These documents contain comparatively short description of what explained in source 1.
- 5. At last, the command "**formalcheck**" will invoke the graphical user interface of the tool.

### **Running FormalCheck on NCD terminal:**

Before proceeding with the following steps, one should remember that it is not a complete solution concerning the problem of FormalCheck about executing on the NCD terminals. But, it allows one to run the tool for a certain amount of time or certain amount of activity (by removing the file called .formalcheck created by the tool on the current directory, which is done in step 2).

1. Place the appropriate lines/paths (mentioned in the previous topic at point 2: Setting the environment) in the .cshrc which is located under the main directory, ex.: /home/ user\_name/.cshrc

**Note**: make sure to source .cshrc before proceeding if anyone wants to run the application before login again, as follows:

#### source .cshrc

2. Create a new file with any desired name (for example, runFC) and place these lines in it:

#!/bin/sh
rm -rf .formalcheck
/CMC/tools/formalcheck2.3/SOLARIS/formalcheck

3. Make sure that the file in Step 2 has "Execute" permission by doing the following command:

### chmod 755 file\_name

4. Now you can run the program by running the FormalCheck executable or by creating an Alias for that file in the .cshrc as follows:

alias any\_name\_u\_like '/home/user\_name/file\_name\_in\_step\_2'

### **APPENDIX B**

### **FormalCheck Files Description**

The following is the list of files created in the directory called .<priject\_name> (the name used for the project.

### DIRECTORY .crd\_project.fpj



**FIG 1:** SnapShot of the Directory .crd\_project.fp

### **Contents of the file README**

All the file contained in this directory and below are considered part of the FormalCheck project. Changing anything in this directory or its children could result in corrupting your verification results.

### DIRECTORY Query\_1

| ∎i_khan@dea Query_1 <mark>4:08pm</mark> >ls                    |
|----------------------------------------------------------------|
|                                                                |
| DOTU query.M query.an query.rf verify.stdout                   |
| environmentsr query.U query.c query.sr                         |
| environmentENV.sr <u>query.U.la</u> st query.lines verify.out  |
| ∎i_khan@dea Query_1 <mark>4:08pm</mark> >ls -all               |
| total 479                                                      |
| drwxr-x 3 mi_khan beng 512 Sep 22 14:31 .                      |
| drwxr-x 7 mi_khan beng 512 Sep 22 14:39                        |
| drwxr-x 2 mi_khan beng 1024 Sep 22 07:09 DOTU                  |
| -rw-r 1 mi_khan beng 24307 Sep 22 14:31 environmentsr          |
| -rw-r 1 mi_khan beng 288 Sep 22 14:31 environmentENV.sr        |
| -rw-r 1 mi_khan beng 1811 Sep 22 14:31 query.Μ                 |
| rw-r 1 mi_khan beng 25 Sep 22 14:31 query.U                    |
| -rw-r 1 mi_khan beng 25 Sep 22 07:09 query.U.last              |
| -rwxr-x 1 mi_khan beng 354900 Sep 22 05:48 query.an            |
|                                                                |
| -rw-r 1 mi_khan beng 1658 Sep 22 14:31 query.lines             |
| -rω-r 1 mi_khan beng 28500 Sep 22 14:31 query.rf               |
| rw-r 1 mi_khan beng 740 Sep 22 14:31 query.sr                  |
| -rω-r 1 mi_khan beng 2833 Sep 22 14:31 verify.out              |
| -rw-r 1 mi_kh <u>an_be</u> ng_ 2337 Sep 22 14:31 verify.stdout |
| ■i_khan@dea Query_1 <mark>4:08pm</mark> >                      |

**FIG 2**: SnapShot of the Directory Query\_1

### Contents of the file verify.stdout

| model M: FCHECK bcy0                              |  |  |  |
|---------------------------------------------------|--|--|--|
| model unM: FCHECK.C_B_clk FCHECK.C_B_reset        |  |  |  |
| model M_p:                                        |  |  |  |
| model M_o: .environmentH15_road_BVD5_state0_1_[1] |  |  |  |
| M_o+: .environmentH15_road_BVD5_state0_1_[0]      |  |  |  |
| M_o+: .environmentH14_road_AVD5_state0_1_[1]      |  |  |  |
| M_o+: .environmentH14_road_AVD5_state0_1_[0]      |  |  |  |
| pruned:                                           |  |  |  |
| .environment_ENV                                  |  |  |  |
| .environmentfi_status_A_[0]                       |  |  |  |
| .environmentfi_status_A_[1]                       |  |  |  |
| .environmentstatus_A_[0]                          |  |  |  |
| .environmentstatus_A_[1]                          |  |  |  |
| .environmentfi_test_                              |  |  |  |
| .environmenttest_                                 |  |  |  |
| .environmentfiVD0T1610_2[0]                       |  |  |  |
| .environmentfiVD0T1610_2[1]                       |  |  |  |
| .environmentfiVD0T1610_2_[2]                      |  |  |  |
| .environmentVD0T1610_2_[0]                        |  |  |  |
| .environmentVD0T1610_2_[1]                        |  |  |  |
| .environmentVD0T1610_2_[2]                        |  |  |  |
| .environmentH13_police_                           |  |  |  |
| .environmentH14_road_Afi_status_[0]               |  |  |  |

.environment\_.\_H14\_road\_A\_.\_\_fi\_status\_[1] .environment\_.\_H14\_road\_A\_.status\_[0] .environment\_.\_H14\_road\_A\_.status\_[1] .environment\_.\_H14\_road\_A\_.\_\_fi\_\_VD5\_state\_\_\_0\_1\_\_[0] .environment\_.\_H14\_road\_A\_.\_\_fi\_\_VD5\_state\_\_\_0\_1\_\_[1] .environment\_.\_H14\_road\_A\_.\_H4\_\_I3 .environment\_.\_H14\_road\_A\_.\_H5\_\_I4 .environment\_.\_H14\_road\_A\_.\_H6\_\_I5 .environment\_.\_H15\_road\_B\_.\_\_fi\_status\_[0] .environment\_.\_H15\_road\_B\_.\_\_fi\_status\_[1] .environment\_.\_H15\_road\_B\_.status\_[0] .environment\_.\_H15\_road\_B\_.status\_[1] .environment\_\_H15\_road\_B\_.\_\_fi\_VD5\_state\_\_\_0\_1\_\_[0] .environment\_.\_H15\_road\_B\_.\_\_fi\_\_VD5\_state\_\_\_0\_1\_\_[1] .environment\_.\_H15\_road\_B\_.\_H4\_\_I3 .environment .\_ H15\_road B\_. H5\_ I4 .environment\_.\_H15\_road\_B\_.\_H6\_\_I5 .environment\_.\_H16\_col\_ .environment\_.\_H17\_starv\_ .environment\_.\_H18\_\_I12 .environment\_.\_H19\_\_I13 .environment\_.\_H20\_\_I14 .environment\_.\_H21\_\_I15 .FCHECK.C\_B\_reset active: .FCHECK.P\_collision .bcy0 free: .environment\_.\_H14\_road\_A\_.\_VD5\_state\_\_\_0\_1\_\_[0]1 free choices .environment\_.\_H14\_road\_A\_.\_VD5\_state\_\_\_0\_1\_\_[1]1 free choices .environment\_.\_H15\_road\_B\_.\_VD5\_state\_\_\_0\_1\_\_[0]1 free choices .environment\_.\_H15\_road\_B\_.\_VD5\_state\_\_\_0\_1\_\_[1]1 free choices

product of free choices=1

free: .environment\_1x1x1x1=1 free choices

product of free choices=1

looking for: 400486bde2e4888a96a0765ca3de8bc06f3d7426b004e4b0394012c88d522073c4344bc5dd17fdb12a43dd391da3ae8bd3b78a0eb6 ad72a55f955107 FCkillMonitor 9771: PIDS is 9773

#### Contents of the file verify.out

#### 9771

Verification Server: enterprise.ece.concordia.ca 9771 SunOS enterprise.ece.concordia.ca 5.5.1 Generic sun4u sparc cospan -I/CMC/tools/formalcheck2.1/SOLARIS/include environment\_.sr -Ks -#caseonedflt -#varlines -#nmi -#missingasgn -#nocaseonedflterr -#shortfloat=3 -#status -#dupstvars -#hotunroot -#hotback -#Msuperset -b -q -#csplit -#pthreshold=1e3.50 -#rmc -#flow -#disconnect -#slowdisconnect=4 query.sr cospan: Version 8.23.24 (Bell Laboratories) 27 May 1998 Iterative run for option -q Iteration 0: cospan: Version 8.23.24 (Bell Laboratories) 27 May 1998 + sr E -I/CMC/tools/formalcheck2.1/SOLARIS/cospan -#caseonedflt -#varlines -#nmi -#missingasgn -#nocaseonedflterr -#shortfloat=3 -#status -#dupstvars -#hotunroot -#hotback -#Msuperset -#pthreshold=1e3,50 -#flow -#disconnect -#slowdisconnect=4 -I/CMC/tools/formalcheck2.1/SOLARIS/cospan -I/CMC/tools/formalcheck2.1/SOLARIS/include environment\_.sr -Ks -#caseonedflt -#varlines -#nmi -#missingasgn -#nocaseonedflterr -#shortfloat=3 -#status -#dupstvars -#hotunroot -#hotback -#Msuperset -b -#reduction -#pthreshold=1e3,50 -#flow -#disconnect -#slowdisconnect=4 query.sr -#caseonedflt -#varlines -#nmi -#missingasgn -#nocaseonedflterr -#shortfloat=3 -#status -#dupstvars -#hotunroot -#hotback -#Msuperset -#pthreshold=1e3,50 -#flow -#disconnect -#slowdisconnect=4 -#caseonedflt -#varlines -#nmi -#missingasgn -#nocaseonedflterr -#shortfloat=3 -#status -#dupstvars -#hotunroot -#hotback -#Msuperset -#reduction -#pthreshold=1e3,50 -#flow -#disconnect -#slowdisconnect=4 Status: Begin parsing at 0.01 sec 0 megabytes. query.rf: Wed Sep 22 14:31:28 1999 environment\_.sr: Wed Sep 22 14:31:31 1999 /environment ENV.sr: Wed Sep 22 14:31:31 1999 query.sr: Wed Sep 22 14:31:29 1999 /CMC/tools/formalcheck2.1/SOLARIS/include/QRY.h: Wed Jul 29 14:17:28 1998 /CMC/tools/formalcheck2.1/SOLARIS/include/ORY+.h: Wed Jul 29 14:17:27 1998 /CMC/tools/formalcheck2.1/SOLARIS/include/gui.h: Wed Jul 29 14:17:28 1998 Status: Begin checks and tree rewrites at 0.15 sec 1.37626 megabytes. query.rf: list entry count: unM 2 M 2 M o 4 568 pruned, 1 active, 4 freed by reduction 284 data variables declared or with width >= -#databits=4 4 selection/local variables 1 bounded state variables: 2 states 0 unbounded state variables 1 boolean cysets 0 boolean recurs 0 free selection/local variables: 1 selections/state 2 kill/free optimization actions 2 variable assignments driven by kills 886 variable reference clippings, 655 expression clippings 2 vector bitwise comparisons expanded 0 pausing processes 0 non-deterministic (non-free) selection/local variables 1 selections/state (maximum) 1 total selections/state (maximum) sr E: Equivalent reduction, Task performed! (older run) + exit 3FormalCheck Verification Finished Wed Sep 22 14:31:53 EDT 1999

### Contents of the file query.c

static char WHAT[]="@(#)query.c Wed Sep 22 05:49:05 1999"; #ifndef Int #define Int int #endif #define String int #define BYTESIZE 8 #ifdef HDR extern #endif struct { struct { struct { Int \_clk\_; unsigned char U\_clk\_[2]; Int \_reset\_; unsigned char U\_reset\_[2]; struct{ Int \_prev0; }\_91179\_clk\_ }\_environment\_ENV; struct{ Int \_\_\_\_fi\_\_U2\_r\_state\_; Int \_\_\_\_fi\_\_U3\_r\_state\_; struct{ struct( Int\_9983\_\_fi\_VD5\_state\_\_0\_1\_\_0; Int\_9982\_\_fi\_VD5\_state\_\_0\_1\_\_1; Int\_9985\_VD5\_state\_\_0\_1\_\_0; Int\_9984\_VD5\_state\_\_0\_1\_\_1; struct { Int \_9923\_\_\_\_fi\_SR\_OUT\_state\_\_\_0; Int \_9922\_\_\_\_fi\_SR\_OUT\_state\_\_\_1; Int \_9925\_SR\_OUT\_state\_\_0; Int \_9924\_SR\_OUT\_state\_\_1; Int \_9911\_\_\_fi\_SR\_ST\_state\_\_0; Int \_9910\_\_\_fi\_SR\_ST\_state\_\_1; struct { Int \_st0; }\_9913\_SR\_ST\_state\_\_0; struct{ Int\_st1; Int \_\_str, }\_9912\_SR\_ST\_state\_\_1; Int \_\_fi\_T90\_; Int \_\_T90\_; Int \_\_190\_, unsigned char U\_\_T90\_[2]; Int \_9926\_\_\_fi\_Z1\_state\_\_1; Int \_9928\_Z1\_state\_\_1; }\_H6\_I5; }\_\_H14\_road\_A\_; struct{ ..... FILE CONTINUES

### **APPENDIX C**

### **Design Tips (for verification purpose)**

One may remember the following:

- One should not use two signals to activate the events in an always block. correct: always @(posedge clk) incorrect: always @(posedge clk && reset)
- "Initialization" is not supported by FormalCheck. We used another extra signal "reset", propagated through all the modules. The "reset" signal is made active high for only 2 cranks of time and low for ever (Reset/Repeat constraint). The always block activated by the positive "reset" signal contains the assignments for the initialization.

Note that while specifying the above reset signal one is going to introduce another "always" block (concurrent block). With two always blocks in the same module, one should be careful to avoid reassignment of the same signal in the 2 concurrent blocks. This may greatly affect the verification.

- If design contains internal nondeterministic signals, they should be converted to primary input of that module because, FormalCheck does not support nondeterministic internal signals.
- FormalCheck does not support real enumerated data types for Verilog code. But it is possible to use the key word "define". For example,

'define no\_cars 0
'define car\_waiting 1
'define cars\_passing 2
'define traffic\_status {no\_cars, car\_waiting, cars\_passing}

Note that the above piece of Verilog code is used just outside the modules (please refer to the Verilog example in Appendix D).

# **APPENDIX D**

# The "Arbiter" Example

(Courtesy of Cadence for educational purposes only)

\_\_\_\_\_

# **Description of the Arbiter to be verified:**



**FIG 3**: Arbiter Circuit Block Diagram

The circuit arbitrates a shared resource among 4 clients. It features a selectable (clockwise or counter clockwise) polling direction for either a round-robin or an aged-based arbitration scheme. The circuit also features the ability to bypass requests. The above picture shows the block diagram of the circuit.

The state diagram of the circuit's functionality is depicted on the next page.



Off = ~ReqA~ReqB~ReqC~ReqD

# **FIG 4**: Arbiter State Diagram

| SIGNAL       | POLARITY | BRIEF DESCRIPTION                                         |
|--------------|----------|-----------------------------------------------------------|
| Req[3:0]     | 1        | Client's Request - Active High                            |
| Byp_Req[3:0] | 1        | Command to Bypass Requests<br>Active High.                |
| Rot          | 0/1      | 0 - Counter -clockwise Rotation<br>1 - Clockwise Rotation |
| Am           | 0/1      | Arbitration Mode<br>0 - Round Robin<br>1 - Age Based      |
| Ck           | Posedge  | System Clock                                              |
| Reset        | 1        | Reset Signal - Active High                                |
| Ack[3:0]     | 1        | Acknowledgement - Active High                             |

# Table 1: Arbiter's I/O Specification

# **Arbiter Basic Specification:**

- Request inputs (Req[3:0]) are required to be deasserted a minimum of one clock cycle after the request is acknpwledged.
- Acknowledge outputs (Ack[3:0]) will remain stable one clock cycle after the corresponding Request (Req[3:0]) input goes low.

The following are all the necessary verilog files of the RTL design:

\_\_\_\_\_

## **RTL design:**

# <u>arb.h</u>

'define IDLE4'b0000 'define GrantA4'b0001 'define GrantB4'b0010 'define GrantC4'b0100 'define GrantD4'b1000

## <u>arb.v</u>

```
//
//File:arb.v
// Description:Top RTL-Level for arbiter
//
//
//
//
 *****
//
//
 circuit:arb.v
// Description:Arbiter for 4 clients.
//
 //
//
//
// Files:
//arb.h --'include "arb.h"
```

//dpath.v -- Decision logic in a small datapath. //fsm.v -- FSM for arbiter //age.v -- State to compute the age of a client's request //arb.v -- Top RTL-level for arbiter //arb.fpj -- Project file (arb.fpj.ascii --> text mode project file) // // // //Brief Functional Description // // // Arb.v arbitrates a shared resource among 4 clients. // // A Request "Req\_(j)" is eventually acknowledged. Asserting "Ack\_(j)" // after a request is issued may take as little as 1 clock cycle or as // many as "X" clock cycles. It is expected from the environment that // each Req\_(j) asserted is eventually withdrawn. Removing Req\_(j) // after the acknowledment is issued may take as little as 1 clock cycle // or as many as "Y" clock cycles. Each Ack\_(j) goes away 1 clock cycle // after Req\_(j) is withdrawn. // // modulearb (ck, reset, req, byp\_req, rot, am, ack); input ck, reset; input[3:0] req, byp\_req; input rot, am; output[3:0] ack; // //Brief Description on I/O signals // // // Inputs // -----// cksystem clock // resetsynchronous reset - Active high // requests from clients // byp\_reqcommand to bypass requests from clients // rotarbiter's rotation direction //-----+------// rot Value | Polling Direction //-----+------// 0 | CounterClockwise // 1 | Clockwise // // amarbitration mode (scheme) // am Value | Arbitration Scheme //-----+------// 0 | Round Robin // 1 | Aged-based

assign aged = am; assign reqA = ~ byp\_req[0] & req[0]; assign reqB = ~ byp\_req[1] & req[1]; assign reqC = ~ byp\_req[2] & req[2]; assign reqD = ~ byp\_req[3] & req[3]; assign requests = { {reqD}, {reqB}, {reqA} };

fsm FSM (.ck(ck), .reset(reset), .reqA(selA), .reqB(selB), .reqC(selC), .reqD(selD), .state(ack));

```
dpath DP (.AgeA(AgeA), .AgeB(AgeB), .AgeC(AgeC), .AgeD(AgeD),
.rot(rot), .aged(aged), .req(requests), .lastGrant(ack),
.selA(selA), .selB(selB), .selC(selC), .selD(selD) );
```

```
age AGE (.ck(ck), .reset(reset), .req(requests), .ack(ack),
.AgeA(AgeA), .AgeB(AgeB), .AgeC(AgeC), .AgeD(AgeD));
```

endmodule // arb

# <u>fsm.v</u>

reg[3:0] state;

always @(posedge ck) begin if (reset) state <= 'IDLE;

```
else
   begin
case (state)
 'IDLE ://Waiting for Requests
   begin
if ((reqA | reqB | reqC | reqD) == 1'b1)
  begin
if (reqA)
state <= 'GrantA;
  else if (reqB)
state <= 'GrantB;</pre>
  else if (reqC)
state <= 'GrantC;</pre>
  else if (reqD)
state <= 'GrantD;
  end
   end
 'GrantA :
   begin
if (\text{reqA} | \text{reqB} | \text{reqC} | \text{reqD}) == 1'b0)
state <= 'IDLE;
else
  begin
if (reqB)
state <= 'GrantB;</pre>
  else if (reqC)
state <= 'GrantC;</pre>
  else if (reqD)
state <= 'GrantD;
  end
   end
 'GrantB :
   begin
if ( (reqA | reqB | reqC | reqD) == 1'b0)
state <= 'IDLE;
else
 begin
if (reqA)
state <= 'GrantA;
  else if (reqC)
state <= 'GrantC;</pre>
 else if (reqD)
state <= 'GrantD;
  end
   end
 'GrantC :
   begin
if (\text{reqA} | \text{reqB} | \text{reqC} | \text{reqD}) == 1'b0)
state <= 'IDLE;
else
  begin
if (reqA)
state <= 'GrantA;</pre>
  else if (reqB)
state <= 'GrantB;
 else if (reqD)
```

```
state <= 'GrantD;
 end
   end
 'GrantD :
   begin
if ( (reqA | reqB | reqC | reqD) == 1'b0)
state <= 'IDLE;
else
 begin
if (reqA)
state <= 'GrantA;</pre>
 else if (reqB)
state <= 'GrantB;</pre>
 else if (reqC)
state <= 'GrantC;
 end
   end
endcase
   end
end
```

endmodule // fsm

# <u>dpath.v</u>

'include "arb.h"

module dpath (AgeA, AgeB, AgeC, AgeD, rot, aged, req, lastGrant, selA, selB, selC, selD);

input[2:0]AgeA, AgeB, AgeC, AgeD; inputrot, aged; input[3:0]req, lastGrant; outputselA, selB, selC, selD;

```
wire A_ge_B, A_lt_B, A_ge_C, A_lt_C, A_ge_D, A_lt_D;
wire B_ge_A, B_lt_A, B_ge_C, B_lt_C, B_ge_D, B_lt_D;
```

```
wire C_ge_A, C_lt_A, C_ge_B, C_lt_B, C_ge_D, C_lt_D;
wire D_ge_A, D_lt_A, D_ge_B, D_lt_B, D_ge_C, D_lt_C;
wire selA_pri0, selA_pri1, selA_pri2, selA_pri3;
wire selB_pri0, selB_pri1, selB_pri2, selB_pri3;
wire selC_pri0, selC_pri1, selC_pri2, selC_pri3;
wire selD_pri0, selD_pri1, selD_pri2, selD_pri3;
wire selA_pri2_1, selA_pri2_2, selA_pri2_3;
wire selB_pri2_1, selB_pri2_2, selB_pri2_3;
wire selC_pri2_1, selC_pri2_2, selC_pri2_3;
wire selD_pri2_1, selD_pri2_2, selD_pri2_3;
wire selA_pri3_1, selA_pri3_2, selA_pri3_3;
wire selB_pri3_1, selB_pri3_2, selB_pri3_3;
wire selC_pri3_1, selC_pri3_2, selC_pri3_3;
wire selD_pri3_1, selD_pri3_2, selD_pri3_3;
wire reqA, reqB, reqC, reqD;
wire selA, selB, selC, selD;
assign reqA = req[0];
assign reqB = req[1];
assign reqC = req[2];
assign reqD = req[3];
assign A_ge_B = (AgeA \ge AgeB)? 1'b1: 1'b0;
assign A_lt_B = ~A_ge_B;
assign A_ge_C = (AgeA \ge AgeC)? 1'b1: 1'b0;
assign A_lt_C = \simA_ge_C;
assign A_ge_D = (AgeA \ge AgeD)? 1'b1: 1'b0;
assign A_lt_D = ~A_ge_D;
assign B_ge_A = (AgeB \ge AgeA)? 1'b1 : 1'b0;
assign B_lt_A = \sim B_ge_A;
assign B_ge_C = (AgeB \ge AgeC)? 1'b1: 1'b0;
assign B_lt_C = ~B_ge_C;
assign B_ge_D = (AgeB \ge AgeD)? 1'b1: 1'b0;
assign B_lt_D = \sim B_ge_D;
assign C_ge_A = (AgeC >= AgeA) ? 1'b1 : 1'b0;
assign C_lt_A = \simC_ge_A;
assign C_ge_B = (AgeC \ge AgeB)? 1'b1: 1'b0;
assign C_lt_B = \simC_ge_B;
assign C_ge_D = (AgeC \ge AgeD)? 1'b1: 1'b0;
assign C_lt_D = \simC_ge_D;
assign D_ge_A = (AgeD \ge AgeA)? 1'b1: 1'b0;
assign D_lt_A = \sim D_ge_A;
assign D_ge_B = (AgeD \ge AgeB)? 1'b1: 1'b0;
assign D_lt_B = \sim D_ge_B;
assign D_ge_C = (AgeD \ge AgeC)? 1'b1: 1'b0;
assign D_t_C = \sim D_ge_C;
```

// // Default Selections // assign selA pri0 = (lastGrant == 'IDLE) & reqA; assign selB\_pri0 = (lastGrant == 'IDLE) & ~reqA & reqB; assign selC\_pri0 = (lastGrant == 'IDLE) & ~reqA & ~reqB & reqC; assign selD\_pri0 = (lastGrant == 'IDLE) & ~reqA & ~reqB & ~reqC & reqD; // // Ownership Selections // assign selA\_pri1 = (lastGrant == 'GrantA) & reqA; assign selB\_pri1 = (lastGrant == 'GrantB) & reqB; assign selC\_pri1 = (lastGrant == 'GrantC) & reqC; assign selD\_pri1 = (lastGrant == 'GrantD) & reqD; // // Round Robin Selections assign selA\_pri2\_1 = (lastGrant == 'GrantB) & ~reqB & (~rot || ~reqC & ~reqD); assign selA\_pri2\_2 = (lastGrant == 'GrantC) & ~reqC & (~rot & ~reqB || rot & ~reqD); assign selA\_pri2\_3 = (lastGrant == 'GrantD) & ~reqD & ( rot || ~reqC & ~reqB); assign selA\_pri2 = (reqA & ~aged) & (selA\_pri2\_1 | selA\_pri2\_2 | selA\_pri2\_3); assign selB\_pri2\_1 = (lastGrant == 'GrantC) & ~reqC & (~rot || ~reqD & ~reqA); assign selB\_pri2\_2 = (lastGrant == 'GrantD) & ~reqD & (~rot & ~reqC || rot & ~reqA); // Fix assign selB\_pri2\_3 = (lastGrant == 'GrantA) & ~reqA & (rot || ~reqD & ~reqC); assign selB\_pri2\_3 = (lastGrant == 'GrantA) & ~reqA & rot; assign selB\_pri2 = (reqB & ~aged) & (selB\_pri2\_1 | selB\_pri2\_2 | selB\_pri2\_3); assign selC\_pri2\_1 = (lastGrant == 'GrantD) & ~reqD & (~rot || ~reqA & ~reqB); assign selC\_pri2\_2 = (lastGrant == 'GrantA) & ~reqA & (~rot & ~reqD || rot & ~reqB); assign selC\_pri2\_3 = (lastGrant == 'GrantB) & ~reqB & (rot || ~reqA & ~reqD); assign selC\_pri2 = (reqC & ~aged) & (selC\_pri2\_1 | selC\_pri2\_2 | selC\_pri2\_3); assign selD\_pri2\_1 = (lastGrant == 'GrantA) & ~reqA & (~rot || ~reqB & ~reqC); assign selD\_pri2\_2 = (lastGrant == 'GrantB) & ~reqB & (~rot & ~reqA || rot & ~reqC); assign selD\_pri2\_3 = (lastGrant == 'GrantC) & ~reqC & ( rot || ~reqB & ~reqA); assign selD\_pri2 = (reqD & ~aged) & (selD\_pri2\_1 | selD\_pri2\_2 | selD\_pri2\_3); // // Age Based Selections assign selA\_pri3\_1 = (lastGrant == 'GrantD) & ~reqD & (( rot & A\_ge\_B & A\_ge\_C) || (~rot & C\_lt\_A & B\_lt\_A)); assign selA\_pri3\_2 = (lastGrant == 'GrantC) & ~reqC & (( rot & D\_lt\_A & A\_ge\_B) || (~rot & B\_lt\_A & A\_ge\_D)); assign selA pri3 3 = (lastGrant == 'GrantB) &  $\sim$ reqB & ((rot & C lt A & D lt A) || (~rot & A\_ge\_D & A\_ge\_C)); assign selA\_pri3 = (reqA & aged) & (selA\_pri3\_1 | selA\_pri3\_2 | selA\_pri3\_3);

 $\begin{array}{l} \mbox{assign selB\_pri3\_1} = (lastGrant == `GrantA) \& \ \mbox{ereqA} \& ((\ rot \& B\_ge\_C \& B\_ge\_D) \parallel \\ (\ \mbox{rot} \& D\_lt\_B \& C\_lt\_B)); \\ \mbox{assign selB\_pri3\_2} = (lastGrant == `GrantD) \& \ \mbox{ereqD} \& ((\ rot \& A\_lt\_B \& B\_ge\_C) \parallel \\ \end{array}$ 

(~rot & C\_lt\_B & B\_ge\_A)); assign selB\_pri3\_3 = (lastGrant == 'GrantC) & ~reqC & (( rot & D\_lt\_B & A\_lt\_B) || (~rot & B\_ge\_A & B\_ge\_D));

assign selB\_pri3 = (reqB & aged) & (selB\_pri3\_1 | selB\_pri3\_2 | selB\_pri3\_3);

 $\begin{aligned} & \operatorname{assign} \operatorname{selD\_pri3\_1} = (\operatorname{lastGrant} == \operatorname{`GrantC}) \& \operatorname{~reqC} \& ((\operatorname{rot} \& \operatorname{D\_ge\_A} \& \operatorname{D\_ge\_B}) \parallel \\ & (\operatorname{~rot} \& \operatorname{B\_lt\_D} \& \operatorname{A\_lt\_D})); \\ & \operatorname{assign} \operatorname{selD\_pri3\_2} = (\operatorname{lastGrant} == \operatorname{`GrantB}) \& \operatorname{~reqB} \& ((\operatorname{rot} \& \operatorname{C\_lt\_D} \& \operatorname{D\_ge\_A}) \parallel \\ & (\operatorname{~rot} \& \operatorname{A\_lt\_D} \& \operatorname{D\_ge\_C})); \\ & \operatorname{assign} \operatorname{selD\_pri3\_3} = (\operatorname{lastGrant} == \operatorname{`GrantA}) \& \operatorname{~reqA} \& ((\operatorname{rot} \& \operatorname{B\_lt\_D} \& \operatorname{C\_lt\_D}) \parallel \\ & (\operatorname{~rot} \& \operatorname{D\_ge\_C} \& \operatorname{D\_ge\_B})); \\ & \operatorname{assign} \operatorname{selD\_pri3} = (\operatorname{reqD} \& \operatorname{aged}) \& (\operatorname{selD\_pri3\_1} \mid \operatorname{selD\_pri3\_2} \mid \operatorname{selD\_pri3\_3}); \\ & \operatorname{assign} \operatorname{selA} = \operatorname{selA\_pri0} \mid \operatorname{selA\_pri1} \mid \operatorname{selA\_pri2} \mid \operatorname{selA\_pri3}; \end{aligned} \end{aligned}$ 

assign selA = selA\_pri0 + selA\_pri1 + selA\_pri2 + selA\_pri3, assign selB = selB\_pri0 | selB\_pri1 | selB\_pri2 | selB\_pri3; assign selC = selC\_pri0 | selC\_pri1 | selC\_pri2 | selC\_pri3; assign selD = selD\_pri0 | selD\_pri1 | selD\_pri2 | selD\_pri3;

endmodule // dpath

## age.v

module age (ck, reset, req, ack, AgeA, AgeB, AgeC, AgeD); inputck, reset; input[3:0] req, ack; output[2:0] AgeA, AgeB, AgeC, AgeD;

wireReqA, ReqB, ReqC, ReqD; wireAckA, AckB, AckC, AckD; wireAwon, Bwon, Cwon, Dwon; reg[2:0] AgeA, AgeB, AgeC, AgeD;

```
assign Awon = req[0] && ack[0];
assign Bwon = req[1] && ack[1];
assign Cwon = req[2] && ack[2];
assign Dwon = req[3] && ack[3];
```

```
always @(posedge ck)
```

```
begin
  if (reset)
       begin
AgeA <= 3'd0;
AgeB <= 3'd0;
AgeC <= 3'd0;
AgeD <= 3'd0;
       end
  else
     if (Awon)
       begin
AgeA <= 3'd0;
         if (req[1])
           begin
         if (AgeB < 6)
         AgeB <= AgeB + 3'd1;
         else
          AgeB <= AgeB;
           end
         if (req[2])
           begin
         if (AgeC < 6)
         AgeC <= AgeC + 3'd1;
         else
          AgeC <= AgeC;
           end
         if (req[3])
           begin
         if (AgeD < 6)
          AgeD <= AgeD + 3'd1;
         else
          AgeD <= AgeD;
           end
       end
     if (Bwon)
       begin
AgeB <= 3'd0;
         if (req[0])
           begin
         if (AgeA < 6)
         AgeA <= AgeA + 3'd1;
         else
          AgeA <= AgeA;
           end
         if (req[2])
           begin
         if (AgeC < 6)
         AgeC <= AgeC + 3'd1;
         else
          AgeC <= AgeC;
           end
         if (req[3])
           begin
         if (AgeD < 6)
         AgeD <= AgeD + 3'd1;
         else
          AgeD <= AgeD;
           end
       end
```

if (Cwon) begin AgeC <= 3'd0; if (req[0]) begin if (AgeA < 6)AgeA <= AgeA + 3'd1; else AgeA <= AgeA; end if (req[1]) begin if (AgeB < 6) AgeB <= AgeB + 3'd1; else AgeB <= AgeB; end if (req[3]) begin if (AgeD < 6)AgeD  $\leq$  AgeD + 3'd1; else AgeD <= AgeD; end end if (Dwon) begin AgeD <= 3'd0; if (req[0]) begin if (AgeA < 6)AgeA  $\leq$  AgeA + 3'd1; else AgeA <= AgeA; end if (req[1]) begin if (AgeB < 6)AgeB <= AgeB + 3'd1; else AgeB <= AgeB; end if (req[2]) begin if (AgeC < 6)AgeC <= AgeC + 3'd1; else AgeC <= AgeC; end end end endmodule // age

## **VERIFICATION RESULTS:**

## Query-1:

| Query: NoAck_Unless_Req |
|-------------------------|
|                         |

#### **PROPERTIES:**

\_\_\_\_\_

Property: NoAcks Type: Always

Always: (arb.ack == 0) Unless After: (arb.req >= 1) && (arb.ck == rising)

Options: Fulfill at discharge

\_\_\_\_\_

#### CONSTRAINTS:

Clock Constraint: ck Signal: arb.ck Extract: No Default: Yes

Start: Low 1st Duration: 1 2nd Duration: 1

Reset Constraint: reset Signal: arb.reset Default: Yes

Start: High

Transition Duration Value Start 2 1 forever 0

-----

#### **RUN OPTIONS:**

Algorithm: Symbolic (BDD)

-----

### **REDUCTION OPTIONS:**

Reduction Technique: 1-Step Reduction Seed: Empty **RESULT:** 

\_\_\_\_\_

Verification Query NoAck\_Unless\_Req VERIFIED! Wed May 10 01:15:50 2000 on server: richards

Query Data: 1.32e3 combinational variables 1.02e3 Possible input combinations per state 20 State variables: 2.1e+06 states

Verification Data: 5 states reached. State variable coverage: 20 variables, 57.50% average coverage Search Depth: 5 Real time: 0 minutes 23 seconds Memory Usage: 5.99654 megabytes

### \_\_\_\_\_

EXPRESSION MACROS:

@AckA: arb.ack[0] == 1 @AckB: arb.ack[1] == 1 @AckC: arb.ack[2] == 1 @AckD: arb.ack[3] == 1 @All\_Reqs: arb.req == 15 @CkRising: arb.ck == rising @Multi\_Acks: (((arb.ack[3] + arb.ack[2]) + arb.ack[1]) + arb.ack[0]) > 1 @ReqA: arb.req[0] == 1 @ReqB: arb.req[1] == 1 @ReqC: arb.req[2] == 1 @ReqD: arb.req[3] == 1 @ResetDone: arb.reset == finished

### Query-2:

Query: Only\_One\_Ack

There are 4 request inputs and 4 acknowledge outputs in this design.

We want to verify that the arbiter never acknowledges more than one request at a time.

Ensure  $P1{NEVER{Ack1 + Ack2 + .... + Ackn >1}}$ 

THIS IS A NEVER PROPERTY.

\_\_\_\_\_

PROPERTIES:

\_\_\_\_\_

Property: Never\_Multiple\_Acks Type: Never

Never: @Multi\_Acks

#### Options:(None)

\_\_\_\_\_

CONSTRAINTS:

Clock Constraint: ck Signal: arb.ck Extract: No Default: Yes

Start: Low 1st Duration: 1 2nd Duration: 1

-----

Reset Constraint: reset Signal: arb.reset Default: Yes

Start: High

Transition Duration Value Start 2 1 forever 0

-----

### **RUN OPTIONS:**

Algorithm: Symbolic (BDD)

-----

\_\_\_\_\_

**REDUCTION OPTIONS:** 

Reduction Technique: 1-Step Reduction Seed: Empty

#### **RESULT:**

\_\_\_\_\_

Verification Query Only\_One\_Ack VERIFIED! Wed May 10 01:16:29 2000 on server: richards

Query Data: 1.32e3 combinational variables 1.02e3 Possible input combinations per state 20 State variables: 2.1e+06 states

Verification Data: 1.11e+04 states reached.

State variable coverage: 20 variables, 97.50% average coverage Search Depth: 20 Real time: 0 minutes 17 seconds Memory Usage: 5.99654 megabytes

## Query-3:

ery: AckA\_Width

Checking if the AckA is minimum of 2 clocks wide.

We can later check for AckB, AckC and AckD. Which can be easily done in command line version.

\_\_\_\_\_

### **PROPERTIES**:

\_\_\_\_\_

Property: Min\_Width\_AckA\_2clks Type: Always

After: arb.ack[0] == rising Always: arb.ack[0] == 1

Options: Fulfill Delay: 0 Duration: 2 counts of @CkRising

### CONSTRAINTS:

\_\_\_\_\_

Constant Constraint: Dont\_bypassA Signal: arb.byp\_req[0] Default: No Value: 0

Group Constraint: ReqA

Constraints: ReqA\_cant\_occur ReqA\_persists

Default: Yes

-----

Clock Constraint: ck Signal: arb.ck Extract: No Default: Yes

Start: Low 1st Duration: 1 2nd Duration: 1

-----

Reset Constraint: reset

Signal: arb.reset Default: Yes

Start: High

Transition Duration Value Start 2 1 forever 0

\_\_\_\_\_

### **RUN OPTIONS:**

Algorithm: Symbolic (BDD)

**REDUCTION OPTIONS:** 

Reduction Technique: 1-Step Reduction Seed: Empty

\_\_\_\_\_

\_\_\_\_\_

### **RESULT**:

-----

Verification Query AckA\_Width VERIFIED! Wed May 10 01:17:03 2000 on server: richards

Query Data: 1.32e3 combinational variables 512 Possible input combinations per state 25 State variables: 1e+08 states

Verification Data: 1.54e+04 states reached. State variable coverage: 25 variables, 96.00% average coverage Search Depth: 42 Real time: 0 minutes 24 seconds Memory Usage: 6.0375 megabytes

## Query-4:

Query: Acka

This query includes a liveness property and fairness constraint.

It says that eventually there will be an acknowledgment for the request from A.

\_\_\_\_\_

#### PROPERTIES:

-----

Property: Eventually\_AckA Type: Eventually

After: @ResetDone && @ReqA && @CkRising Eventually: @AckA

Options:(None)

-----

\_\_\_\_\_

CONSTRAINTS:

Constraints: ReqA\_cant\_occur ReqA\_persists

Default: Yes

\_\_\_\_\_

Group Constraint: ReqB Constraints: ReqB\_cant\_occur ReqB\_persists

Default: Yes

\_\_\_\_\_

Group Constraint: ReqC Constraints: ReqC\_cant\_occur ReqC\_persists

Default: Yes

-----

Group Constraint: ReqD Constraints: ReqD\_cant\_occur ReqD\_persists

Default: Yes

Constraint Stable\_Rotation

Type: Always

After: @ResetDone && @CkRising Assume Always: arb.rot == stable

Options: (None)

-----

Constant Constraint: am\_zero Signal: arb.am Default: No Value: 0

To make the arbitration mode non age based

\_\_\_\_\_ Clock Constraint: ck Signal: arb.ck Extract: No Default: Yes Start: Low 1st Duration: 1 2nd Duration: 1 -----Reset Constraint: reset Signal: arb.reset Default: Yes Start: High Transition Duration Value Start 2 1 forever 0 \_\_\_\_\_

### RUN OPTIONS:

Algorithm: Symbolic (BDD)

| <br>- / |
|---------|
| <br>    |
|         |

### **REDUCTION OPTIONS:**

Reduction Technique: 1-Step Reduction Seed: Empty

### **RESULT:**

-----

Verification Query Acka VERIFIED! Wed May 10 01:17:44 2000 on server: richards

Query Data: 557 combinational variables 256 Possible input combinations per state 16 State variables: 6.55e4 states \*\*\*\* Same as prior verification Wed May 10 00:10:16 2000

Verification Data: Reachable space: 495 states 495 states reached. State variable coverage: 19 variables, 100.00% average coverage Search Depth: 10 Real time: 0 minutes 11 seconds Memory Usage: 2.32653 megabytes.

## Query-5:

uery: Seq\_ClockwiseAged

This is a Liveness property.

To verify that the sequence for Clockwise/Aged arbitration is

AckA -> AckB -> AckC -> AckD

Also... note the use of state variable called "Seq".

**PROPERTIES:** 

Property: ClockwiseAged

Type: Eventually

After: @All\_Reqs && (Seq == 0) && @CkRising && (arb.ack == 0) Eventually: Seq == 4

\_\_\_\_\_

Options:(None)

-

\_\_\_\_\_

\_\_\_\_\_

### CONSTRAINTS:

Group Constraint: ReqA Constraints: ReqA\_cant\_occur ReqA\_persists

Default: Yes

Group Constraint: ReqB Constraints: ReqB\_cant\_occur ReqB\_persists

Default: Yes

Group Constraint: ReqC Constraints: ReqC\_cant\_occur ReqC\_persists

Default: Yes

Group Constraint: ReqD Constraints: ReqD\_cant\_occur ReqD\_persists

Default: Yes

-----

Constant Constraint: am\_high

Signal: arb.am Default: No Value: 1 \_\_\_\_\_ Constant Constraint: byp\_req\_low Signal: arb.byp\_req Default: No Value: 0 -----Clock Constraint: ck Signal: arb.ck Extract: No Default: Yes Start: Low 1st Duration: 1 2nd Duration: 1 -----Reset Constraint: reset Signal: arb.reset Default: Yes Start: High Transition Duration Value Start 2 1 forever 0 -----Constant Constraint: rot\_high Signal: arb.rot Default: No Value: 1 \_\_\_\_\_ STATE VARIABLES: \_\_\_\_\_ Seq: Range 0 to 4 Initial: 0 if ((Seq == 0) && @AckA && @CkRising) Seq = 1;else if ((Seq == 1) && @AckB && @CkRising) Seq = 2;else if ((Seq == 2) && @AckC && @CkRising) Seq = 3; else if ((Seq == 3) && @AckD && @CkRising) Seq = 4; else if ((Seq == 4) && @CkRising) Seq = 0; else Seq = Seq;\_\_\_\_\_

#### **RUN OPTIONS:**

-----

Algorithm: Symbolic (BDD)

\_\_\_\_\_

### **REDUCTION OPTIONS:**

Reduction Technique: 1-Step Reduction Seed: Empty

#### **RESULT**:

-----

Verification Query Seq\_ClockwiseAged VERIFIED! Wed May 10 01:18:12 2000 on server: richards

#### Query Data:

925 combinational variables
16 Possible input combinations per state
28 State variables: 6.71e8 states
\*\*\*\* Same as prior verification Wed May 10 00:48:10 2000

Verification Data: Reachable space: 2.86e+03 states 2.86e+03 states reached. State variable coverage: 30 variables, 93.33% average coverage Search Depth: 42 Real time: 0 minutes 12 seconds Memory Usage: 2.32653 megabytes.

\_\_\_\_\_

#### EXPRESSION MACROS:

@AckA: arb.ack[0] == 1 @AckB: arb.ack[1] == 1 @AckC: arb.ack[2] == 1 @AckD: arb.ack[3] == 1 @All\_Reqs: arb.req == 15 @CkRising: arb.ck == rising @Multi\_Acks: (((arb.ack[3] + arb.ack[2]) + arb.ack[1]) + arb.ack[0]) > 1 @ReqA: arb.req[0] == 1 @ReqB: arb.req[1] == 1 @ReqC: arb.req[2] == 1 @ReqD: arb.req[3] == 1 @ResetDone: arb.reset == finished