Model Checking
Inputs: A design (in some HDL) and a property (in some temporal logic)
Outputs: Decision about whether or not the property always holds for the design. A counterexample if the property does not hold.
•Model checking is the alternative to simulation
Computational Tree Logic (CTL)
•CTL is a logic used to express properties for model checking
•CTL is useful because there is an efficient technique to check it
•A temporal logic is a logic which can express aspects of time
•CTL makes statements about the computational tree of a state machine
[Figure: Traffic light FSM with states R, G, Y, and the computational tree obtained by unrolling the FSM from its start state]
CTL Formulae
A CTL formula is built from three things:
1. Atomic propositions - These are the variables
2. Boolean connectives - AND, OR, NOT, etc.
3. Temporal operators - Express something about paths in the computational tree
A temporal operator has two parts:
1. A path quantifier - A (for all paths) or E (there exists a path)
2. A temporal modality - Describe the ordering of events in time
Temporal Modalities
• Assume that p is a CTL formula.
F p - “p holds sometime in the future”: true of a path if there exists a state on the path where p is true
G p - “p is true globally”: true of a path if p is true at all states on the path
X p - “p holds in the next state”: true of a path if p is true in the state immediately after the current state
p1 U p2 - “p1 holds until p2 holds”: true of a path if p2 is true in some state on the path and p1 is true in all preceding states
A CTL Property
• All temporal modalities, except G, are evaluated from the start state of the path
AG (req -> AF ack)
•For all reachable states, if req is asserted then we must reach a state where ack is asserted
•AG is interpreted relative to the start state
•AG selects all states reachable from start state
•AF is interpreted relative to where req is asserted
Another CTL Property
AG AF enabled
•For every reachable state, for all paths starting at that state we must reach another state where enabled is asserted
AG EF restart
•From any reachable state, there must exist a path reaching a state where restart is asserted
•In other words, it must always be possible to reach the restart state
Fairness Constraints
•Fairness is when a set of constraints must be satisfied “infinitely often”
•Büchi-type constraints
•This can ensure fair access to a resource (bus access)
Traffic Light Controller Constraint
AG ( !((farm_light = GREEN) * (hwy_light = GREEN)) );
•Both lights can’t be green at the same time
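The temporal modalities, the AG/AF/EF properties and the traffic-light constraint above can all be evaluated mechanically on a finite-state design by computing, for each subformula, the set of states that satisfy it, with the path operators obtained as fixpoints of the predecessor relation. The following is an added example (not code from the slides, and not VIS) that does this on a small constructed four-state traffic-light controller; the state names, transition relation and atomic propositions (hwy_green, farm_green, ...) are assumptions made here, not the tlc.v design the slides refer to. Besides AG, AF and EF it also implements EX, AX, EG and the two until operators, and reports the reachable states that violate an AG property as a counterexample.

```python
from typing import Callable, Dict, List, Set, Tuple

State = str
Formula = Tuple  # nested tuples, e.g. ("AG", ("implies", ("ap", "req"), ("AF", ("ap", "ack"))))

# Constructed Kripke structure for a two-way traffic-light controller
# (assumed model for illustration; not the slides' tlc.v design).
# Each state name encodes the highway light and the farm-road light.
STATES: Set[State] = {"HG_FR", "HY_FR", "HR_FG", "HR_FY"}
INIT: State = "HG_FR"
TRANS: Dict[State, Set[State]] = {
    "HG_FR": {"HY_FR"},   # highway green  -> highway yellow
    "HY_FR": {"HR_FG"},   # highway yellow -> farm green
    "HR_FG": {"HR_FY"},   # farm green     -> farm yellow
    "HR_FY": {"HG_FR"},   # farm yellow    -> highway green
}
LABELS: Dict[State, Set[str]] = {   # atomic propositions true in each state
    "HG_FR": {"hwy_green", "farm_red"},
    "HY_FR": {"hwy_yellow", "farm_red"},
    "HR_FG": {"hwy_red", "farm_green"},
    "HR_FY": {"hwy_red", "farm_yellow"},
}


def ap(name: str) -> Formula:
    return ("ap", name)


def pre_exists(z: Set[State]) -> Set[State]:
    """States with at least one successor in z (predecessor along some path)."""
    return {s for s in STATES if TRANS[s] & z}


def pre_all(z: Set[State]) -> Set[State]:
    """States all of whose successors lie in z (predecessor along every path).
    Every state here has a successor, so this is exactly AX."""
    return {s for s in STATES if TRANS[s] <= z}


def lfp(step: Callable[[Set[State]], Set[State]]) -> Set[State]:
    """Least fixpoint of step, iterating up from the empty set."""
    z: Set[State] = set()
    while (nz := step(z)) != z:
        z = nz
    return z


def gfp(step: Callable[[Set[State]], Set[State]]) -> Set[State]:
    """Greatest fixpoint of step, iterating down from the set of all states."""
    z: Set[State] = set(STATES)
    while (nz := step(z)) != z:
        z = nz
    return z


def sat(f: Formula) -> Set[State]:
    """Set of states satisfying the CTL formula f."""
    op = f[0]
    if op == "ap":
        return {s for s in STATES if f[1] in LABELS[s]}
    if op == "not":
        return STATES - sat(f[1])
    if op == "and":
        return sat(f[1]) & sat(f[2])
    if op == "or":
        return sat(f[1]) | sat(f[2])
    if op == "implies":
        return (STATES - sat(f[1])) | sat(f[2])
    p = sat(f[1])
    if op == "EX":
        return pre_exists(p)
    if op == "AX":
        return pre_all(p)
    if op == "EF":   # EF p = lfp Z. p | EX Z
        return lfp(lambda z: p | pre_exists(z))
    if op == "AF":   # AF p = lfp Z. p | AX Z
        return lfp(lambda z: p | pre_all(z))
    if op == "EG":   # EG p = gfp Z. p & EX Z
        return gfp(lambda z: p & pre_exists(z))
    if op == "AG":   # AG p = gfp Z. p & AX Z
        return gfp(lambda z: p & pre_all(z))
    q = sat(f[2])
    if op == "EU":   # E[p U q] = lfp Z. q | (p & EX Z)
        return lfp(lambda z: q | (p & pre_exists(z)))
    if op == "AU":   # A[p U q] = lfp Z. q | (p & AX Z)
        return lfp(lambda z: q | (p & pre_all(z)))
    raise ValueError(f"unknown operator {op}")


def reachable() -> Set[State]:
    """States reachable from INIT; these are the states an AG property ranges over."""
    return lfp(lambda z: {INIT} | {t for s in z for t in TRANS[s]})


def check(f: Formula) -> bool:
    """The design satisfies f iff its initial state is in sat(f)."""
    return INIT in sat(f)


def counterexample(inner: Formula) -> List[State]:
    """For a property AG inner: reachable states where inner fails (empty when it holds)."""
    return sorted(reachable() - sat(inner))


if __name__ == "__main__":
    both_green = ("and", ap("farm_green"), ap("hwy_green"))
    print("AG !(farm_green & hwy_green):", check(("AG", ("not", both_green))))
    print("AG AF hwy_green:", check(("AG", ("AF", ap("hwy_green")))))
    bad = ("implies", ap("hwy_red"), ("AX", ap("hwy_green")))
    print("AG (hwy_red -> AX hwy_green):", check(("AG", bad)), "violated in", counterexample(bad))
```

The safety constraint from the slide (both lights never green) and the liveness property AG AF hwy_green both hold on this model, while AG (hwy_red -> AX hwy_green) is refuted: the farm-green state HR_FG is followed by farm-yellow, during which the highway stays red, and that state is returned as the counterexample. The same fixpoint characterisations are what a symbolic model checker such as VIS evaluates over BDDs instead of explicit state sets.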
Model Checking in VIS
[Diagram: Verilog source is translated by vl2mv into Blif-MV, which VIS reads together with the CTL properties]
•We use VIS for model checking, not synthesis
Running VIS
% module load vis               Set up environment vars
% vl2mv tlc.v                   Convert Verilog to blif_mv
% vis                           Start VIS
vis> read_blif_mv tlc.mv        Read the blif
vis> init_verify                Initialize for verification
vis> model_check -i tlc.ctl     Model check with properties (tlc.ctl)