Using Formal Methods to Verify Complex Designs

Using Formal Methods to Verify Complex Designs
IBM Haifa Research Lab
The IBM center of competence for formal verification
a
!
!
'
!
* "
/
)0
'#
/
#
$%%%%%%%%%%%%%%%%%%%%%%%%&
$%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%(
'
) *+ ,
"
)
' '
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%(
*
%%%%%%%%%%%%%%%%%%%%%%%%%%-
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%.
#
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%1
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%2
' %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 3
6
'
"
'
' 9
"
6'
'"
'
'
<
6
"% ,
"
'
6'
' '"
%
'
5 5
6
9
'
6
%
' %
'
6
'
5
5 '
9
%<
5
%
9
+6
5
5
'
6
6
+6
5
6
'
%<
=
'
'
'
%
'
4
>
5 6'
+ 5
'
%
$
6
5
5
5
'
'
%<
6 '"
'
'
'
'
%,
6
6
9
' '"
?
9
% <
9
6
6
'
A'
"
,
?
9
6
5
'
6
%@
'
9
'
6
'
'
8
331
;
:
;
6
%!
7
+0 '
5
5
'
+6
6
'
5
%
'
%/
a
&
'
'5
'
'9
'
B
%
5
'
5
'
'
'
5
C
'
' '
)
*
'
) *% <
6
@5
-
5
'
'
5
D
%
'
5
5
'
5
"
5
6
5
E
'
E
5
5 '5
6
5
"
9
6
6
'
5
6
'
%<
+
6
6
'
E
?
'
E
5
6 '5
5
'6
'
'%
'
5
'5
'
'
6
6
5
%
5
5
9
'
' '
'
9
5
'
' '"
5
5
'
+
'
'
%
%!
'
5
,
9
5
'
'
'
%@ '
%
<
%
'
5
6 '
C
'
'
%#
6
%<
' '"
' '"
5
9
9
5
%
'
'
'
'
6
'
9
'
' '
9
'
'
5
9
%
'
(
6
6'
%
'
6
5
6
5
5
% < "9
9
F
The ack signal will be sent within three to five cycles
after the req signal is asserted, unless the request is
cancelled
<
' '
5
'
9
''
5
"
5
'
'
'
9
5 6
)
%
'
'%
5 5
' '
6
'
'
'6
5
*
'
'%
-3
%
=
) *> 6 '
'
9
''
%
)*
#
000
33- =
#
000 G-3H + 33->% <
'6
5
) *'
8
)*
% < "9
9
F
// At every cycle: if req holds, ack must hold in the very next cycle.
// NOTE(review): `next` without a `!` suffix is the weak form in PSL, so a trace
// that ends immediately after req does not violate this property — confirm that
// is the intended obligation before relying on it as a liveness check.
assert always (req -> next ack)
<
'
5
9
6
)*
6
'' % <
6
'
'
' '"
4
I
'
5
%<
'
'
%
<
)*
' '
%#
9)*
0
9
'
'
''
?
0
/
0/0% , 0/0
F
// Two consecutive cycles in which write is asserted must never occur
// (the sequence {write ; write} is forbidden anywhere in the trace).
assert never {write ; write}!;
a
-
<
)*
65
'
'
5
' 5
%
// A new req must never be issued while an earlier req is still unacknowledged:
// req, then zero or more cycles without ack, then req again is forbidden.
// Because `[*]` allows zero repetitions, two back-to-back req cycles also violate it.
assert never { req; (!ack)[*]; req }!;
<
)*
5
''
'
'
5
%
<
5
?
'
5
'
%<
'
"
5
6
%
J!
5
'
'
'
'
6
'
8
6
5
'
5
$
'
'
'
'
5
6
=
'
>% <
'
9
6
5
"
3K
'
' '
6
'
'
=
>
'
5
'
J,
5
'
'
'
'
6
'
6
%
9'
'
'
%
9
9
5
%,
'5
5
'
' '
'
'
'
'
%
J
' '
@ '
5
' '
'
'
9
L'
9
"
%,
' '
%
!
'
5
J
'
%
6
' '"
%<
.
'
5 5
6
%,
5
"
'
5
5
'
'" 5
6
'
%
"#
J
'
5
5
=
'
'
*'
'
5
>
%,
*
9
%<
'
9
5
C
*
'
'
5
'
%
$#
J
5
" %<
5
'
9
6
'
6
%,
%
J, '
6'
'
5
'
6
%
5
'
'
'
'
'
'
"
C'
'
%
%
#
J
' '
8
' C
L'%
5
'
'
'
'
!
''
?
'
'
6 6 '"
'
6
!
"#
)0
5
L'% ,
6
?
'
'
%
$
'
' '"
a
"
L' %
J @''
''
/
%,
5
'
5
6
' %,
9
5
9
'
9
1
6
6
5
5'
)09
'
%
5
'
6
'
+
'
#
5
/
' '
'
9#
%
+
5
'
5
9
6
' *6
)0
5
/
% <
+
5
/
'
"
'
5
6
5
'' % # '
+ '
5
'
'
#
'
5
?
22&
5
'
6
''
%/
' '
5 5
)*
?
%
/
5
6
% @5
5
5
9
6
%
/
)0
% /
5
F
)0'
5
'
'
%<
"
'
8
'
/
5
)0
6
%
% /
)0
+
'
'
+
6'
; #
% 05
'5
9
J
&% /
)0
)*
/
'
) *%
'
)*
5
9
'
5
)0%
(% /
)0
5
'
6
% 0'
'
6
'F
,< 6
'
6
+
5
6
5
)*
'
6
%
-% /
)0
5
; *=
;
F
9
'
'6
#
000 &.(% 33 A
*
>
G
5
'
/
5 9
.% /
)0% #
%
)0
9
*
%
1% /
)0
6
A6
%!
'
"
'
'
6
9
'
9
5
A
'
G% /
%
'
'
%
)0
3
+
'9 6
5
•
=
,B
(33>
8
•
•
9
=
M
>
'
'
5
5
#
9)
=
;
2% #
'
(9-9.>
B
&23>
=
=
)#
9
/
9 N6 >
90
9 O>
)0
'
''
# E
/
5
F
= )9 ,
•
5
# %# # 9/
•
•
6
"
' '
5
'
6
'
"
'
)0
6 '"
C
6
5
%
5
5
'
#
<'
'
'
'
9
9
'%
&
#
'
•
5
/6
#
)0
9
5'
/
' *6
< F P21 +(+G G
0
a
/
'F
F
5
3G
Q % 6 %'
2
•
K
+
#
/
' *6
< F P21 +(+G 2. -1
0
6
FB
B
%
F
Q % 6 %'
F
% % 6 %'
B
L' B
5
'
B
/R
%
•
%0
9
%
4,
''
'
) *I
9
33.9
# MF 21G+3+&G1+&-& &+-%
•
9
%
+
5 9
@
•
%
+
5 9
%0
%0
9 ,% *
'
<
9
%;
5
9 4/
F
#
+
'"
# I
9
I
9 ,C
2.%
9
!
9
94
9#
= 33&>9
3 + 3G%
3
'
#
'
" 9
5
6'
4
I
%
'
'
'
A
%
<
!
6'
5
6
M
'
'
'
%
'
"
'6
A
#
%#
=>
"
%
'
5
B
6'
'
5'
'=>
%
'5
'
%
'
%
9
'
%<
'
#
a
'
'
'
,
'
'
6
5
'
#
''
6
6
'
6'
B
'
"
6
'
/
'
9#
?
"
331% ,
9
%
6L'
5
9
'5
5
%
%