Model Checking
Inputs: A design (in some HDL) and a property (in some temporal logic)
Outputs: A decision about whether or not the property always holds for the design, and a counterexample if the property does not hold.
•Model checking is the alternative to simulation
Computational Tree Logic (CTL)
•CTL is a logic used to express properties for model checking
•CTL is useful because there is an efficient technique to check it
•A temporal logic is a logic which can express aspects of time
•CTL makes statements about the computational tree of a state machine
[Figure: traffic light FSM with states R, G and Y, and the computational tree for the FSM]
CTL Formulae
A CTL formula is built from three things:
1. Atomic propositions - These are the variables
2. Boolean connectives - AND, OR, NOT, etc.
3. Temporal operators - Express something about paths in the
computational tree
A temporal operator has two parts:
1. A path quantifier - A (for all paths) or E (there exists a path)
2. A temporal modality - Describe the ordering of events in time
Temporal Modalities
•Assume that p is a CTL formula.
F p - “p holds sometime in the future”
Is true of a path if there exists a state on the path where p is true
G p - “p is true globally”
Is true of a path if p is true at all states on the path
X p - “p holds in the next state”
Is true of a path if p is true in the state immediately after the current state
p1 U p2 - “p1 holds until p2 holds”
Is true if p2 is true in a state and p1 is true in all preceding states
A CTL Property
•All temporal modalities, except G, are evaluated from the start state of the path
AG (req -> AF ack)
•For all reachable states, if req is asserted then we must reach a state
where ack is asserted
•AG is interpreted relative to the start state
•AG selects all states reachable from start state
•AF is interpreted relative to where req is asserted
Another CTL Property
AG AF enabled
•For every reachable state, for all paths starting at that state we must
reach another state where enabled is asserted
AG EF restart
•From any reachable state, there must exist a path reaching a state
where restart is asserted
•In other words, it must always be possible to reach the restart state
Fairness Constraints
•Fairness is when a set of constraints must be satisfied “infinitely often”
•“Büchi” type of constraints
•This can ensure fair access to a resource (bus access)
Traffic Light Controller Constraint
AG ( !((farm_light = GREEN) * (hwy_light = GREEN)) );
•Both lights can’t be green at the same time
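The properties above can be checked by fixpoint iteration over the state graph. The following is an added example, not part of the original slides and not VIS code; the four-state controller, the state encoding (hwy_light, farm_light) and all function names are assumptions made for illustration.

```python
# Added example: explicit-state CTL checking by fixpoint iteration.
# The controller is constructed for illustration; state = (hwy_light, farm_light).
GREEN, YELLOW, RED = "GREEN", "YELLOW", "RED"
TRANS = {  # total transition relation: every state has a successor
    (GREEN, RED): [(GREEN, RED), (YELLOW, RED)],  # highway may stay green
    (YELLOW, RED): [(RED, GREEN)],
    (RED, GREEN): [(RED, YELLOW)],
    (RED, YELLOW): [(GREEN, RED)],
}
STATES = set(TRANS)
INIT = (GREEN, RED)

def sat(pred):  # states where an atomic proposition holds
    return {s for s in STATES if pred(s)}

def EX(p):  # states with at least one successor in p
    return {s for s in STATES if any(t in p for t in TRANS[s])}

def _fix(step, z):  # iterate z = step(z) until it stops changing
    while (nxt := step(z)) != z:
        z = nxt
    return z

def EU(p, q):  # least fixpoint of Z = q | (p & EX Z)
    return _fix(lambda z: q | (p & EX(z)), set(q))

def EG(p):  # greatest fixpoint of Z = p & EX Z
    return _fix(lambda z: p & EX(z), set(p))

# The remaining operators follow by duality.
def EF(p): return EU(STATES, p)
def AF(p): return STATES - EG(STATES - p)
def AG(p): return STATES - EF(STATES - p)
def implies(p, q): return (STATES - p) | q

hwy_green = sat(lambda s: s[0] == GREEN)
hwy_yellow = sat(lambda s: s[0] == YELLOW)
farm_green = sat(lambda s: s[1] == GREEN)

# A property holds for the design if the initial state satisfies it.
RESULTS = {
    "AG !(farm_green * hwy_green)": INIT in AG(STATES - (farm_green & hwy_green)),
    "AG (hwy_yellow -> AF farm_green)": INIT in AG(implies(hwy_yellow, AF(farm_green))),
    "AG EF hwy_green": INIT in AG(EF(hwy_green)),
    "AG AF farm_green": INIT in AG(AF(farm_green)),  # fails: highway can loop
}

if __name__ == "__main__":
    for prop, ok in RESULTS.items():
        print("passed" if ok else "failed", prop)
```

The last property fails because the highway light is allowed to stay green forever, which is the kind of path a fairness constraint excludes.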
Model Checking in VIS
[Figure: tool flow. Verilog → vl2mv → Blif-MV → VIS, with the CTL properties as the second input to VIS]
•We use VIS for model checking, not synthesis
Running VIS
% module load vis                 Set up environment variables
% vl2mv tlc.v                     Convert Verilog to blif_mv
% vis                             Start VIS
vis> read_blif_mv tlc.mv          Read the blif
vis> init_verify                  Initialize for verification
vis> model_check -i tlc.ctl       Model check with properties (tlc.ctl)