| Summary: | formal proof of soc.fu.compunits.FunctionUnitBaseSingle needed | ||
|---|---|---|---|
| Product: | Libre-SOC's first SoC | Reporter: | Luke Kenneth Casson Leighton <lkcl> |
| Component: | Formal Verification | Assignee: | Cesar Strauss <cestrauss> |
| Status: | RESOLVED FIXED | ||
| Severity: | enhancement | CC: | libre-soc-bugs |
| Priority: | --- | ||
| Version: | unspecified | ||
| Hardware: | PC | ||
| OS: | Linux | ||
| See Also: | https://bugs.libre-soc.org/show_bug.cgi?id=341 | ||
| NLnet milestone: | NLNet.2019.10.032.Formal | total budget (EUR) for completion of task and all subtasks: | 2500 |
| budget (EUR) for this task, excluding subtasks' budget: | 2500 | parent task for budget allocation: | 197 |
| child tasks for budget allocation: | The table of payments (in EUR) for this task; TOML format: |
"cesar"={amount=2500,submitted=2022-07-04,paid=2022-07-21}
|
|
|
Description
Luke Kenneth Casson Leighton
2020-05-23 23:57:30 BST
the tricky bit: MultiCompUnit is time-dependent. that involves use of "Past()". it is similar in some ways to the formal proof for SyncFIFO because it is similar signalling rules on each of the REQ/GO signals. Does the module that this proof is for exist yet? I don't see it at the moment. (In reply to Michael Nolan from comment #2) > Does the module that this proof is for exist yet? I don't see it at the > moment. soc.fu.compunits.FunctionUnitBaseSingle. although it's probably a good idea to start with MultiCompUnit instead (and alu_hier.ALU or probably better alu_hier.DummyALU as a first experiment) the actual ALU doesn't matter as much as the CompUnit. michael am just going over the notes in proof_fu.py
# Assume no instruction is issued until rd_rel is
# released. Idk if this is valid
with m.If(busy):
comb += Assume(issue == 0)
ok so yes, nothing happens at the ALU - nothing is sent to the ALU - until
all incoming operands are valid, and the condition for that is:
* busy_o is set HI
* all bits of rd_rel are LOW
note btw the industry-standard convention in circuits, a "N" at the end
of a name indicates that it is inverted from what you would normally think
its function should be. this means shadown is LOW if shadowing is requested,
and when shadown is HI, shadowing is *not* being enabled.
extra little funny things that can be thrown in: * all of rd.go, rd.req, wr.go, wr.req, and issue: if done_o is LOW then absolutely all of those should be LOW as well. the reason for the existence of done_o over busy_o is because, sigh, if you look closely, you can see that some of the latches are reset synchronously (a 1 clock delay). this means that busy_o actually drops immediately on completion, and done_o drops a cycle later. * when the write phase has started, the rd phase is *definitely* over. therefore, if wr.req is non-zero, rd.req and rd.go should *definitely* be non-zero. another one, a part of the API: issue_i is only asserted for one cycle. however as an external signal i have no idea how that woule be expressed. Assume? with m.If(Past(wr_rel) & Past(go_wr)):
# the alu data is output
comb += Assert(dut.data_o == alu_temp)
# wr_rel is dropped
comb += Assert(wr_rel == 0)
# busy is dropped.
with m.If(~Past(go_die)):
comb += Assert(busy == 0)
Shouldn't the module drop busy after go_die is asserted? If I delete the m.If(~Past(go_die)) the proof fails.
(In reply to Michael Nolan from comment #7) > with m.If(Past(wr_rel) & Past(go_wr)): > # the alu data is output > comb += Assert(dut.data_o == alu_temp) > # wr_rel is dropped > comb += Assert(wr_rel == 0) > # busy is dropped. > with m.If(~Past(go_die)): > comb += Assert(busy == 0) > > > Shouldn't the module drop busy after go_die is asserted? If I delete the > m.If(~Past(go_die)) the proof fails. annoyingly, it's one cycle after, because of the syncs setting the latches. fascinatingly, in practice, we get away with it. the code is complex enough that i am not sure why. cesar, would you like to have a go at this one? FSM CompUnit proof, using a shifter unit as an ALU to be tested https://git.libre-soc.org/?p=soc.git;a=history;f=src/soc/experiment/formal/proof_alu_fsm.py;h=8883a985f480ae8b2ea5a732ca1f4463a129665d;hb=10f4200e58562d6070203afdddea1dc0c0eb5f88 |