00:54 <promach> ZipCPU: do you place your assertion within the design source code itself ?

00:54 <ZipCPU> Yes. It seems to work best there.

00:55 <ZipCPU> That allows you to assert not only the outputs, but also information regarding the internal state.

00:55 <promach> I am starting to formally verify my UART receiver, do you have comments before I start designing the assert() and assume() and cover() ?

00:56 <ZipCPU> Formally prove your transmitter first ... its easier, and you'll learn a lot.

00:57 <promach> ok

00:59 <ZipCPU> See ... the receiver has some difficult parts to it when "proving" it.

00:59 <ZipCPU> For example, just what "speed" do you pick for the simulated transmitter that you'll be proving your receiver against?

01:00 <ZipCPU> Is the speed absolute, or is there any fuzziness about where the incoming bit changes?

01:00 <promach> cover() should help, at least from what I read

01:15 <cr1901_modern> I have no idea what cover does, tbh

01:15 <cr1901_modern> Mainly b/c I didn't bother to read up on it ;P

01:18 <ZipCPU> cr1901_modern: I haven't needed it (yet).

01:18 <ZipCPU> Today's success: Formally proving not only my WB -> AXI bridge, but also an Avalon -> WB bridge.

01:20 <cr1901_modern> I've been in a rut most of the week, tbh

01:20 <cr1901_modern> (surprise surprise)

01:20 <ZipCPU> In hind sight, I'm glad I proved my ZipCPU prefetches first. They created a nice build-up to proving a full-blow bus bridge.

01:21 <ZipCPU> I mean, part of the difficulty in a bridge is ... just how long do you anticipate giving the downstream bus to respond?

01:22 <ZipCPU> cr1901_modern: I'm not allowed to be in a rut. Someone wants to sponsor some of this work ... so, I'll have to provide *some* kind of result. ;)

01:22 <cr1901_modern> Lucky you... While I have a few clients, I can't seem to find more

01:23 <ZipCPU> In this case, being active on-line was the key to finding this particular client.

01:24 <cr1901_modern> Well yes. That's how I've found my clients too. It hasn't helped lately to find _new_ ones. Only keep current ones

01:24 <cr1901_modern> Which I mean, is fine. Until it isn't.

01:51 <ZipCPU> cr1901_modern: I should mention ... I haven't made the changes you recommended to how I describe formal induction.

01:51 <ZipCPU> I'm just still ... struggling to understand exactly how it works, and the description I gave is how I understand it -- misguided though it may be.

01:51 <ZipCPU> All that's to say ... I'm still thinking over your description.

02:09 <cr1901_modern> ZipCPU: Asking about this topic on MathOverflow is on my todo list

02:10 <cr1901_modern> I.e. "reconciling temporal induction w/ the definition of mathematical induction"

02:10 <ZipCPU> Let me know when you get an answer. I'd love to read it myself.

02:23 <kuldeep> *the

02:23 <ZipCPU> o/

02:32 <cr1901_modern> ZipCPU: Will do

02:51 <thoughtpolice> Well, I think it depends on what you define "mathematical induction" as. Do you think of it as "Induction on the natural numbers"? That's a kind of induction, but it isn't really what induction *is*. I'm sure this seems like nitpicking (i.e. "wikipedia says it's over the natural numbers!") but it's rather important. Temporal induction and "natural induction" are both more specific cases of a more general technique, concerning

02:51 <thoughtpolice> relations between sets.

02:52 <thoughtpolice> "Mathematical induction" is typically just a case where the "sets" are naturals and the "relation" is something like "less than". Temporal induction is where the sets are "states" and the "relation" is "transitions to" (much in the way states in any automaton are 'related' by if they transition to one another)

02:55 <cr1901_modern> thoughtpolice: This is why I like logs: https://irclog.whitequark.org/yosys/2017-10-19#1508451688-1508451688;

02:56 <cr1901_modern> https://irclog.whitequark.org/yosys/2017-10-20#1508458794-1508458805;

02:56 <cr1901_modern> thoughtpolice: And your explanation is fine, I would still like a formal definition to sink my teeth into

02:56 <cr1901_modern> not the wordy version I attempt to explain in the linked logs

02:57 <thoughtpolice> "Well founded relations" are essentially the formal version of what I said. https://en.wikipedia.org/wiki/Well-founded_relation -- so if you're looking for sort of the "common ancestor" between them, that's a good place to start.

03:04 <thoughtpolice> Another example is theorem provers or whatever, where you also tend to do 'structural induction' -- it's like the generalization of induction to lists, or trees or other recursive data types, where your 'base case' is the 'empty list' and the inductive case is "if P(L), and M is a prefix list of L, then P(M)", i.e. you recurse down the list, eventually hitting a base case, and proving it for all cases. (That's a way you prove

03:04 <thoughtpolice> a program always terminates, for example.)

03:07 <thoughtpolice> Most of them aren't very easy to use anyway. :)

03:07 <cr1901_modern> I've noticed...

03:09 <sorear> i'm the other way around

03:10 <sorear> take: what induction is is transfinite induction

03:13 <thoughtpolice> My functional programming experience is leaking, clearly. (I think in general we sit closer to abstractions such as well-founded-ness)

03:14 <thoughtpolice> Or at least pedagogically, we do.

03:22 <awygle> sorear: i don't think you get to define induction using the word induction...

03:32 <ravenexp> you just need to prove the base case

03:49 <awygle> so i'm playing with yosys a bit, i wrote myself a boring gray code counter with an asynchronous reset. when i try to synthesize with yosys -S gray.v, i get "ERROR: Async reset \rst_i yields non-constant value 8'mmmmmmmm for signal \count."

03:50 <awygle> within my reset clause i have "count <= {SIZE{1'b0}};", so it really should just be 0. am i missing something? does yosys have issues with async resets?

03:51 <awygle> i've heard of x, and z, but never m

05:07 <cr1901_modern> clifford: Is "if $condition begin assert($assertion) end" equivalent to "assert property ($condition |-> $assertion)" in the general case?

05:10 <cr1901_modern> Oh ffs: https://stackoverflow.com/questions/24912264/systemverilog-implies-operator-vs

05:13 <cr1901_modern> nevermind, forget that q. It's opening a can of worms I'm not prepared to yet

07:01 <cr1901_modern> Does anyone know the simulation/synthesis semantics for an empty begin/end block in Verilog? At the very least, is it legal?

13:09 <promach> is it true that yosys-smtbmc does not support non-overlapping operator |=> yet ?

13:42 <ZipCPU> promach: Doesn't (A |=> B) mean the same as if ($past(A)) assert(B); ?

13:53 <promach> For a simple PISO shift register, what have I done wrong with https://gist.github.com/anonymous/1f9aa44394238150c40c874feb60af1f#file-shift_register-v-L26-L28 ?

14:48 <ZipCPU> promach: Try always @(*) assert (valid & !data_out);

14:48 <ZipCPU> Although ... your code will still break.

14:48 <ZipCPU> Look at the VCD file.

14:53 <ZipCPU> promach: Are you struggling to learn how to work with the yosys-smtbmc flow? The error you are getting *should* lead you directly to the problem you are having.

14:54 <promach> ## 0 0:00:00 Solver: z3

14:54 <promach> ## 0 0:00:00 Checking asserts in step 0..

14:54 <promach> ## 0 0:00:00 Assert failed in Tx_top.PISO: ../rtl/shift_register.v:28

14:54 <promach> ## 0 0:00:00 BMC failed!

14:54 <promach> ## 0 0:00:00 Writing trace to VCD file: Tx.vcd

14:54 <promach> ## 0 0:00:00 Status: FAILED (!)

14:54 <promach> ZipCPU

14:55 <ZipCPU> Ok, so ... look at shift_register.v line 28, and look at the VCD file.

14:55 <ZipCPU> What does it tell you?

14:55 <promach> I have already done assume on lines 26 and 27

14:55 <promach> so it should not fail

14:56 <ZipCPU> No?

14:56 <ZipCPU> What about the example given in your VCD file showing you inputs that would cause your design to fail.

14:57 <ZipCPU> Further, you are "assume"ing an ouput on line 27. That's wrong. Assume inputs, assert outputs.

15:06 <promach> hmm... line 27 is now removed, yet same error

15:06 <ZipCPU> Of course! Have you looked at the VCD file?

15:07 <promach> yeah

15:08 <ZipCPU> What's it tell you? You should see a trace that violates line 28.

15:08 <promach> data_out equals 1 in the vcd waveform

15:09 <ZipCPU> And ... ? Is valid true?

15:09 <promach> valid equals 0

15:10 <ZipCPU> So ... remember, the checker is going to try *ALL* input combinations that it can in order to see if it can cause one of your assumptions to be violated.

15:10 <ZipCPU> If valid equals 0, the assertion in line 28 will then fail.

15:10 <ZipCPU> So ... anytime the checker can make vaild = 0, it can cause your design to fail.

15:11 <ZipCPU> All you've said about valid is that it will start at zero. Wait, oops, that means that even in the initial conditions the assertion on line 28 will fail.

15:16 <promach> what about line 26 ?

15:19 <ZipCPU> All line 26 states is that valid will be initially equal to zero.

15:20 <ZipCPU> Line 26, though, contradicts your property in line 28, which asserts that both valid and !data_out will be true on the same clock.

15:20 <ZipCPU> Even this isn't what you want, since data_out will only ever be zero (as a result of valid) on the next clock based upon lines 21-23.

15:37 <shapr> jophish: hi!

15:37 <shapr> jophish: how's the log treating you?

16:20 <promach> ZipcPU: but I have line 27

16:48 <ZipCPU> The initial assume(data_out == 1) line?

16:48 <ZipCPU> Thought you had commented that out.

16:49 <ZipCPU> So ... if valid = 0, then (valid & !data_out) = 0 regardless of what data_out equals.