02:14 <ZipCPU> promach__: So, I'm working on my own UART proof this evening.

02:14 <ZipCPU> It's taken me a bit of work to force the two states, transmitter and receiver, together.

02:15 <ZipCPU> One thing I did was to count clocks within both transmitter and receiver, and then insist that the difference between them was within a minimal limit.

02:16 <ZipCPU> promach: Another thing I did was force the transmission in the transmitter, and the reception in the receiver, to match the state given by the clock count.

02:17 <ZipCPU> Hence, if the receiver is N*BAUDCLOCKS+k clocks following the last idle, and *if* it is transmitting a known value, *then* the state of the receiver must be ... (assert the shift register state)

02:18 <awygle> ZipCPU: so if I understand correctly, you are proving the TX and RX halves of the UART together? Under what conditions?

02:18 <ZipCPU> I then had to repeat this within the transmitter. If the transmitter is N*BAUDCLOCKS+k clocks following a valid start bit, then it must have received either N or N-1 bits that matched the known transmit patttern.

02:18 <ZipCPU> awygle: Not quite.

02:18 <ZipCPU> I'm actually only proving the RX half.

02:18 <ZipCPU> However, to prove it I need to assume a transmitter.

02:18 <ZipCPU> That transmitter is within the RXUART code.

02:19 <ZipCPU> The condition I'm trying to hold to is that the clocks are within a half-a-baud of each other, but otherwise potentially dissimilar.

02:19 <ZipCPU> Or should I say, the clock rates are such that after 10 baud intervals, the result will be within a half a baud of each other.

02:20 <awygle> ZipCPU: hmm... I don't clearly see why a transmitter is required. why wouldn't the SAT solver control the input arbitrarily?

02:20 <ZipCPU> 2 reasons. 1) you want to make certain the input obeys the rules of a UART, and 2) you want to make certain that at the end of the transmission, you received the "right" value.

02:21 <ZipCPU> Rules of UART include: a start bit, a stop bit, 8-data bits, and things only change on baud intervals.

02:22 <awygle> ZipCPU: okay, I see why you might want a transmitter for your second purpose. at least, I don't see an obvious way to check the "rightness" without one

02:23 <awygle> I'm less sanguine about the first purpose. wouldn't one of the reasons to prove the receiver be to prove that it does the right thing in the presence of bad input?

02:23 <ZipCPU> I'm not sure I follow.

02:23 <ZipCPU> ??

02:24 <ZipCPU> Ahh ... okay, so ... does the receiver do "good things" in the presence of something that doesn't behave like a UART, is that your question?

02:24 <awygle> if I have a UART core in my FPGA, and someone hooks a SPI driver up to the receiver, it seems to me that I'd want *something* in particular to happen

02:24 <awygle> yes

02:25 <ZipCPU> What would you consider the "right" answer to be if you gave a UART RX processor something other than a UART input?

02:26 <ZipCPU> I would struggle with that, as it seems the "right" answer for a UART depends upon the "right" data being given to it.

02:26 <awygle> Probably to assert an error bit (either in a register or as an output from the module)

02:26 <awygle> More importantly, I'd say that it should be able to recover if the input becomes "good" again

02:27 <sorear> also, if it's hooked up to a bus of some kind, it should respect the rules of that bus (e.g. ack all transactions that require acks) no matter what it's connected to

02:27 <ZipCPU> sorear: That's the easy part. I've already got that working without problems. ;)

02:28 <awygle> Sure, although I'd call that a property of (e.g.) a MODBUS controller that just happens to contain a UART

02:29 <ZipCPU> Actually, let me back up a bit .... I've only managed to "prove" so far the transmitter and the FIFO. I'm working on the receiver. The bus interaction takes place within the module that integrates all of these parts.

02:30 <ZipCPU> Right now, my abilities with FV are really limited to leaf nodes, so I haven't gotten to the parent module yet.

02:30 <awygle> In any case I don't particularly care what you do in response to bad input, but defining *a* behavior and showing that it occurs seems critical to me

02:30 <awygle> But maybe I'm overly paranoid - #python has spent all day suggesting that might be the case :-P

02:30 <ZipCPU> How so?

02:31 <awygle> I miss the ability to do proper encapsulation. "Private" methods in python are marked by a leading _ but are still entirely accessible

02:32 <awygle> The folks there seem to think that I should trust my users more and not worry about it

02:32 <ZipCPU> I've been instructed on how to do it via abstraction, but I haven't tried it yet.

02:32 <ZipCPU> The basic rule is that if you can prove (A -> C), then it must be true that (AB -> C) as well.

02:33 <ZipCPU> So ... if I can prove that a UART that produces random data "works" in the parent module, then it must also be true that a UART producing the proper data would work as well.

02:33 <ZipCPU> Or ... at least that's how I'm looking at it these days.

02:36 <awygle> I am just starting on this journey as well. I'd appreciate your thoughts on how I am planning to approach it.

02:38 <ZipCPU> Well ... that's how I'd approach it. I might even replace the RXUART submodule of the parent with a module that just produces random data outputs, but only if FORMAL is defined.

02:40 <awygle> my intention is to start with what i'd call a "domain model" of a UART. at the lowest level, the UART receives bits. at a higher level, it receives bytes (or whatever the 1-character packets a UART receives are properly called). at a higher level still, those bytes either satisfy or do not satisfy certain properties (parity, primarily). and it does all this under certain conditions (say, configured baud rate must be within 5% of the actual baud

02:40 <awygle> rate)

02:41 <awygle> so first i would prove that, under those conditions, the receiver can properly receive a bit (and properly reject an invalid bit)

02:42 <ZipCPU> How will you know the bit received is the "correct" one, in order to know it was properly received?

02:43 <ZipCPU> Or, for that matter, how will you know you've sampled the channel in the "right" place?

02:44 <awygle> for the first, i would assert that the output bit equals the input bit, and that the input bit has been set for the last 16 samples (assuming 16x oversampling)

02:45 <awygle> or maybe the last 15/16 for glitch rejection, but you get the general approach

02:45 <awygle> actually, that more or less answers your second question as well, doesn't it?

02:46 <ZipCPU> Hmm ... not sampling in the center of the baud?

02:46 <awygle> my understanding of UARTs is that due to their low speed oversampling is more typical than trying to do clock recovery style approaches. although i could be wrong

02:47 <ZipCPU> We must be misunderstanding each other, for I cannot comprehend a reason why you wouldn't sample in the middle of the baud.

02:47 <awygle> because the input is asynchronous

02:48 <awygle> and finding the middle of the baud is nontrivial

02:48 <awygle> and there may be glitching, etc

02:48 <ZipCPU> Not at all! You just want a half-baud interval from the beginning of the start bit. That puts you in the middle of the baud interval.

02:49 <ZipCPU> If you want to the end of the interval, then if the transmitter is just a touch faster than the receiver it will get "bad" data.

02:49 <ZipCPU> *wait

02:49 <ZipCPU> "bad" data in this case means the receiver will appear to "skip" bits that were transmitted.

02:50 <awygle> ah, i see what you're saying now. i was imagining something much more analog, but you're just talking about delaying by a number of clocks that gets you as close as possible to the center of the baud

02:51 <ZipCPU> Yes.

02:51 <awygle> this stackoverflow answer covers my thoughts pretty well https://electronics.stackexchange.com/a/207880

02:51 <ZipCPU> If you are really worried about glitching, I suppose you could apply a "matched filter", but then it might be harder to align to the start bit.

02:52 <awygle> i was just taking his "sample multiple times" to the extreme

02:53 <awygle> regardless, this is somewhat off the track. if i'm proving the receiver, i don't care if i've sampled at the "right" place. i only care that i got the right data. as long as my input is constrained in such a way that all the "errors" i've claimed to be able to handle (5% baud difference, maybe 100ns of glitching) are allowed to the SAT solver, any bugs caused by bad sampling location will be exposed.

02:55 <ZipCPU> Sounds fair.

02:58 <awygle> basically, at every clock the "bit retriever" portion of the UART makes some claim about the data. if it asserts "valid && output" then it's claiming that the last 16 clocks were a valid 1 bit. as long as we remember the last 16 clocks in our formal verification code, we can check whether that claim is accurate.

02:59 <awygle> at that point i assume we'd also need to use cover() to show that it eventually asserted all combinations of (valid, output) and error

02:59 <ZipCPU> Ok, I think I'm starting to see what you are doing.

03:03 <awygle> once we've got that, we can take the same approach with the character recognizer. the character recognizer claims "i've received a valid 0x7F", we remember the last ~12 input bits, and test the claim with our assertions

03:06 <awygle> does that seem generally sane?

03:06 <ZipCPU> Yes, but more than that ... it sounds like you might be able to "cheat" on the clock cycles as well.

03:07 <ZipCPU> To your benefit, if the second stage only runs once every 16 clocks, and if it is independent of the lower stages clock rate, you might manage to run your formal proof on only every 16th clock.

03:10 <awygle> True, but two caveats - one, I'm not sure proving the pieces independently proves the combination correct, and a full-system simulation would have to be evaluated at the fastest rate. Two, I'm not totally sure how glitching would work but handling it might result in needing the bit recovery proof to run much much faster than the sample rate.

03:11 <awygle> "simulation" was a bad word there. "proof".

03:34 <awygle> Thinking about it further, I don't fully understand how the performance aspects of FV work out, but I don't think it'd be related to the baud rate/clock rate really. At least not for induction.

03:34 <awygle> It's all about the number of states, isn't it?

03:36 <awygle> In that case, adding glitching adds to the state space somewhat but it's not as simple as "now I have to run the simulation 4x faster" because there isn't a simulation

03:36 <awygle> Hard to break that habit of thought...

03:38 <ZipCPU> Yeah ... I guess I'm struggling with that myself.

03:44 <awygle> Unrelated, but how are your preparations for the course you're teaching going?

03:51 <ZipCPU> awygle: Thanks for asking!

03:51 <ZipCPU> I've been dealing with a contract I'm working for, and so ... I haven't put enough time into it for the past two weeks.

03:52 <ZipCPU> That said, there's really only three chapters missing or incomplete. 1) on $anyconst and $anyseq, 2) On abstraction, and 3) on the System Verilog bindings available with Verific.

03:54 <ZipCPU> You've probably seen me write about my experiences with the CYCLONE-V. That is for the paid contract.

03:56 <ZipCPU> I should mention, I do have some fun projects coming. One is a port of the ZipCPU to the tinyfpga, and another (nearly identical) project ports the ZipCPU to the MAX1000.

04:03 <awygle> ZipCPU: are those paid projects? Being aware that it's none of my business

04:04 <ZipCPU> The post about the cyclone-v is a paid project.

04:04 <ZipCPU> I'm hoping to get paid for teaching, but ... the deal isn't really complete.

04:08 <awygle> ah i see

04:08 <awygle> which tinyfpga are you planning to use?

12:51 <ZipCPU> awygle: I have the Bx on my desk.

15:23 <thoughtpolice> ZipCPU: Are you using Yosys with Verific?

18:12 <ZipCPU> thoughtpolice: Sadly, no. I need to try it with Verific, but haven't really done so yet. One of the lessons in the formal course is to be based upon that.

18:55 <daveshah> thoughtpolice: I have done a bit with Yosys/Verific, if you're curious

18:55 <ZipCPU> daveshah: Cheers! How's it going?

18:56 <daveshah> It's been going well, although I didn't get round to the VHDL verification I planned today because SymbiFlow stuff was distracting me...

19:01 <ZipCPU> :D