SymbiYosys: Investigating and Verifying Hardware Designs with Formal Open Source Tools
Clifford Wolf
Symbiotic EDA
Yosys, Yosys-SMTBMC, SymbiYosys
● Yosys – FOSS Verilog Synthesis tool and more
  – highly flexible, customizable using scripts
  ● Formal Verification (Safety Properties, Liveness Properties, Equivalence, Coverage)
  ● FPGA Synthesis for iCE40 (Project IceStorm), Xilinx 7-series (Vivado for P&R), GreenPAK4 (OpenFPGA), Xilinx Coolrunner-II, Gowin Semi FPGAs, MAX10, …
  ● ASIC Synthesis (full FOSS flows: Qflow, Coriolis2)
● Yosys-SMTBMC – A flow with focus on verification of safety properties using BMC and k-induction, using SMT2 circuit descriptions generated by Yosys
● SymbiYosys – A unified front-end for many Yosys-based formal verification flows
SymbiYosys Features
● Bounded verification of safety properties
● Unbounded verification of safety properties
● Generation of test benches from cover statements
● Verification of liveness properties
● Formal equivalence checking [TBD]
● Reactive Synthesis [TBD]
Solvers:
– SMT2
  ● Yices, Boolector, Z3, CVC4, Mathsat
  ● easy to extend to any SMT2 solver with QF_AUFBV, QF_ABV, QF_BV, or QF_UFBV support
– AIGER
  ● super_prove, Avy, everything in ABC (including pdr)
  ● easy to extend to any AIGER solver for safety and/or liveness properties
– BTOR2 [TBD]
  ● new word-level HW model checking format (see CAV 2018 paper)
Types of Properties Supported in SymbiYosys
● Safety properties
  – Verilog assume(…) and assert(…) statements
  – a CEX trace satisfies all assumptions and violates at least one assertion
● Fairness and Liveness
  – Fairness: if (…) assume property (s_eventually …);
  – Liveness: if (…) assert property (s_eventually …);
  – a CEX trace contains a loop that satisfies all fairness properties (and all assumptions) and violates at least one liveness property
● Cover
  – Verilog cover(…) statements
  – Produces a trace for each cover statement that satisfies that cover statement.
Availability of various EDA tools for students, hobbyists, enthusiasts
● FPGA Synthesis
  – Free to use:
    ● Xilinx Vivado WebPack, etc.
  – Free and Open Source:
    ● Yosys + Project IceStorm
    ● VTR (Odin II + VPR)
● HDL Simulation
  – Free to use:
    ● Xilinx XSIM, etc.
  – Free and Open Source:
    ● Icarus Verilog, Verilator, etc.
● Formal Verification
  – Free to use:
    ● ???
  – Free and Open Source:
    ● ???
.. and people in the industry are complaining they can't find any verification experts to hire!
“Formal first” vs. traditional use of formal methods
[Chart: “Number of found new bugs” and “Cost of (fixing) a bug” plotted over “Time”, divided into the phases Development, Verification / Testing and Production; the traditional use-case for formal and “Formal first” are marked on it.]
Most formal tools are priced and advertised for the traditional use case.
Formal First → designing better digital circuits faster and cheaper
● Formal First is a set of design methodologies focusing on using formal methods during development, as early as possible.
  – Target user base is design engineers, not verification engineers
● Not necessarily for creating complete correctness proofs. Instead run simple BMC for “low hanging fruit” safety properties, such as
  – standard bus interfaces like AXI/APB/etc.
  – simple data flow analysis to catch reset issues and/or pipeline interlocking problems
  – use cover() statements to replace hard-to-write one-off test benches for trying things with the design under test
● Can be as simple as: always @(posedge i_clk) cover(o_wb_ack);
● Formal methods can help to find a vast range of bugs sooner and produce shorter (and thus easier to analyze) counter example traces.
● Let’s not limit our thinking to “formal is for XYZ”! Formal is a set of fairly generic technologies that have applications everywhere in the design process!
  – But we cannot unleash the full potential formal has to offer unless we make sure that every digital design and/or verification engineer has access to formal tools. (Like each of those people has access to HDL simulators.)
Formal First
● Here are a few example use cases for formal tools during the development phase of a new circuit:
  – Verification of embedded “sanity check” assertions
    ● E.g. “write and read pointers never point to the same element after reset”
  – Verification of standardized interfaces using standardized “off-the-shelf” formal properties
    ● E.g. standardized bus interfaces such as AXI.
  – Using cover statements to create test benches quickly.
    ● E.g. cover “done signal goes high (some time after reset)”
  – Using cover statements during debugging to make sense of trace data from FPGA based test runs.
    ● E.g. cover “done signal goes high while NAK is active”
    ● Or assert “done signal never goes high while NAK is active”
  – Note that these are the same techniques that are employed in the traditional use case for formal.
  – This is similar to how simulators are used by design and verification engineers alike.
  – Nobody would claim that simulators are “only for verification (of few very special designs)”.
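An added example of the use cases above on a small FIFO (not from the talk and not Yosys/SymbiYosys project code): embedded sanity-check assertions on the read/write pointers, and cover statements standing in for a hand-written test bench. Module name, ports and the helper registers past_valid and seen_full are this example's own choices; it is meant to be run through an .sby file like the hello.sby shown later, with prep -top fifo, in mode prove for the asserts and mode cover for the covers.

```verilog
// Added example, not from the talk: a 4-entry FIFO with "Formal First" style
// checks in its `ifdef FORMAL block, written for Yosys' read_verilog -formal.
module fifo (
  input clk, rst, wr_en, rd_en,
  input [7:0] wr_data,
  output reg [7:0] rd_data,
  output full, empty
);
  reg [7:0] mem [0:3];
  reg [2:0] wr_ptr = 0, rd_ptr = 0;   // extra MSB tells full apart from empty
  wire [2:0] count = wr_ptr - rd_ptr; // occupancy, deliberately 3 bits wide
  assign empty = (count == 0);
  assign full  = (count == 4);

  always @(posedge clk) begin
    if (rst) begin
      wr_ptr <= 0;
      rd_ptr <= 0;
    end else begin
      if (wr_en && !full) begin
        mem[wr_ptr[1:0]] <= wr_data;
        wr_ptr <= wr_ptr + 1;
      end
      if (rd_en && !empty) begin
        rd_data <= mem[rd_ptr[1:0]];
        rd_ptr <= rd_ptr + 1;
      end
    end
  end
`ifdef FORMAL
  reg past_valid = 0;                  // $past() has no value in the first cycle
  reg seen_full = 0;                   // remembers that the FIFO was full once
  always @(posedge clk) past_valid <= 1;
  always @(posedge clk) if (full) seen_full <= 1;
  always @(posedge clk) begin
    if (!past_valid) assume (rst);     // every trace starts in reset
    // sanity checks: never more than 4 entries, never full and empty at once
    assert (count <= 4);
    assert (!(full && empty));
    // outside of reset the occupancy moves by at most one entry per cycle
    if (past_valid && !$past(rst))
      assert (count == $past(count) || count == $past(count) + 1 ||
              count + 1 == $past(count));
    // one-line "test benches": fill the FIFO; fill it, then drain it again
    cover (full);
    cover (seen_full && empty);
  end
`endif
endmodule
```

The occupancy is computed as a 3-bit wire on purpose: comparing the bare expression wr_ptr - rd_ptr against an integer would widen the subtraction to 32 bits and break the wrap-around, so the pointer sanity assert would report a false counter example.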
HDL features in Yosys (Open Source) and Symbiotic EDA Suite (Commercial)
● Yosys
  – Verilog 2005
  – Memories / Arrays
  – Immediate assert(), assume(), and cover()
  – Concurrent assert(), assume(), and cover()
  – Nonstandard extensions:
    ● $anyconst, $anyseq, $allconst, $allseq
● Symbiotic EDA Suite
  – Everything in Yosys
  + SystemVerilog 2012
  + VHDL 2008
  + checkers, rand [const] regs
  + SVA Properties
SymbiYosys flow with Yosys-SMTBMC
[Flow diagram:]
  Verilog Design + Verilog Asserts → Yosys → SMT-LIB2 Code → Yosys-SMTBMC ↔ SMT-LIB2 Solver → PASS / FAIL
  Yosys-SMTBMC additionally reads a Constraints File.
  Trace / counterexample formats: VCD File, Verilog Testbench, Constraints File
SymbiYosys flow with AIGER model checker
[Flow diagram:]
  Verilog Design + Verilog Asserts → Yosys → SMT-LIB code (unoptimized word-level representation, good for creating human readable counter examples) → Yosys-SMTBMC ↔ SMT-LIB2 Solver → Counter Example
  Verilog Design + Verilog Asserts → Yosys → AIGER (optimized bit-level model) → AIGER Model Checker (e.g. pdr, avy) → PASS/FAIL; AIGER witness → Yosys-SMTBMC
Yosys-SMTBMC is only used here as a post-processor, turning the AIGER witness into a useful human readable counter example (e.g. VCD).
Custom SMT-LIB Flows
[Flow diagram:] Verilog Design + Verilog Asserts → Yosys → SMT-LIB2 Code → ??? ↔ SMT-LIB2 Solver
Options for writing custom proofs:
- Hand-written SMT2 code
- Custom python script using smtio.py (the python lib implementing most of yosys-smtbmc)
- Any other app using any SMT-LIB2 solver (e.g. using C/C++ API for proofs that involve many (check-sat) calls).
Hello World

hello.v:

  module hello (
    input clk, rst,
    output [3:0] cnt
  );
    reg [3:0] cnt = 0;

    always @(posedge clk) begin
      if (rst)
        cnt <= 0;
      else
        cnt <= cnt + 1;
    end

  `ifdef FORMAL
    assume property (cnt != 10);
    assert property (cnt != 15);
  `endif
  endmodule

hello.sby:

  [options]
  mode prove
  depth 10

  [engines]
  smtbmc z3

  [script]
  read_verilog -formal hello.v
  prep -top hello

  [files]
  hello.v
Hello World

  $ sby -f hello.sby
  SBY [hello] Removing direcory 'hello'.
  SBY [hello] Copy 'hello.v' to 'hello/src/hello.v'.
  SBY [hello] engine_0: smtbmc z3
  … … …
  SBY [hello] engine_0.basecase: finished (returncode=0)
  SBY [hello] engine_0: Status returned by engine for basecase: PASS
  SBY [hello] engine_0.induction: finished (returncode=0)
  SBY [hello] engine_0: Status returned by engine for induction: PASS
  SBY [hello] summary: Elapsed clock time [H:MM:SS (secs)]: 0:00:00 (0)
  SBY [hello] summary: Elapsed process time [H:MM:SS (secs)]: 0:00:00 (0)
  SBY [hello] summary: engine_0 (smtbmc z3) returned PASS for basecase
  SBY [hello] summary: engine_0 (smtbmc z3) returned PASS for induction
  SBY [hello] summary: successful proof by k-induction.
  SBY [hello] DONE (PASS, rc=0)

- The sby option -f causes sby to remove the output directory if it already exists.
- The output directory contains all relevant information, including copies of the HDL design files.
fib.v:

  module fib (
    input clk, pause, start,
    input [3:0] n,
    output reg busy, done,
    output reg [9:0] f
  );
    reg [3:0] count;
    reg [9:0] q;

    initial begin
      done = 0;
      busy = 0;
    end

    always @(posedge clk) begin
      done <= 0;
      if (!pause) begin
        if (!busy) begin
          if (start)
            busy <= 1;
          count <= 0;
          q <= 1;
          f <= 0;
        end else begin
          q <= f;
          f <= f + q;
          count <= count + 1;
          if (count == n) begin
            busy <= 0;
            done <= 1;
          end
        end
      end
    end

  `ifdef FORMAL
    always @(posedge clk) begin
      if (busy) begin
        assume (!start);
        assume ($stable(n));
      end
      if (done) begin
        case ($past(n))
          0: assert (f == 1);
          1: assert (f == 1);
          2: assert (f == 2);
          3: assert (f == 3);
          4: assert (f == 5);
          5: assert (f == 8);
        endcase
        cover (f == 13);
        cover (f == 144);
        cover ($past(n) == 15);
      end
      assume (s_eventually !pause);
      if (start && !pause)
        assert (s_eventually done);
    end
  `endif
  endmodule
fib_{prove,live,cover}.sby

fib_prove.sby:

  [options]
  mode prove

  [engines]
  abc pdr

  [script]
  read_verilog -formal fib.v
  prep -top fib

  [files]
  fib.v

Prove safety properties in fib.v using IC3 (pdr).

fib_live.sby:

  [options]
  mode live

  [engines]
  aiger suprove

  [script]
  read_verilog -formal fib.v
  prep -top fib

  [files]
  fib.v

Prove liveness properties in fib.v. This assumes that safety properties are already proven.

fib_cover.sby:

  [options]
  mode cover
  append 10

  [engines]
  smtbmc z3

  [script]
  read_verilog -formal fib.v
  prep -top fib

  [files]
  fib.v

Create a trace for each cover statement in the design (and check asserts for that trace). Add 10 additional time steps after the cover statement has been reached.