# What inferactive theorem proving can do for Verilog hardware development

Andreas Lööw Imperial College London

#### Summary

Claim 1: Today you can do ITP-based development for software, this is useful

Claim 2: If we had ITP-based development for hardware, it would be equally useful for hardware

... this talk is about adapting a development methodology from ITPbased software development for Verilog hardware development

# Some ITPs/proof-assistants

Examples:

- Coq
- Isabelle/HOL
- HOL4
- Lean
- ACL2
- ...





Question: Why do **TP-based developmen#** instead of, e.g.: pen-and-paper mathematics, fully automated theorem proving, or something else?





#### ITP-based development – why

Main point of ITP:

- Trustworthy proofs, checked by small program ("kernel")

- Allows for combining human and machine reasoning – get the strengths of both, avoid the weaknesses of both

- Allows you to check/prove that large developments "fit together"

#### Non-ITP formal methods











#### ITP formal methods: Software



#### ITP formal methods: Hardware





#### Simulation-and-synthesis mismatches



#### Simulation-and-synthesis mismatches

زرج

Verilog or HDL

Outpu

re/

7364.7 m

IEEE Computer Society

PJKI SHREDER

IEEE Standard for Verilog ® Register

1EEF Sta 1364.7 14 2002

Antics.

Verilo

*<b>♦IEEE* 

#### IEEE STANDARDS ASSOCIATION

IEEE Standard for SystemVerilog— Unified Hardware Design, Specification, and Verification Language

IEEE Computer Society IEEE Standards Association Corporate Advisory Group

Sponsored by the Design Automation Standards Committee

IEEE 3 Park Avenue New York, NY 10016-5997

Jerila

IEEE Std 1800™-2017 (Revision of IEEE Std 1800-2012)

ted on March 23,2022 at 21:17:36 UTC from IEEE Xplore. Restrictions apply vitori to: imperial C

Combinational logic -- mismatch example and handling it formally in Lutsig

#### "Mis-ordered" assignments



#### **B.5** Assignment statements mis-ordered

```
module andor1a(
   output logic y,
   input logic a, b, c);
logic tmp;
```

```
always_comb begin
y = tmp | c;
tmp = a & b; // write after read
end
end
```

endmodule







What happens when you give today's synthesis tools a problematic design?

Basically anything, today's synthesis tools might:

- abort (good case)
- emit warnings (borderline case)
- silently synthesise nonsense (bad case)

Such synthesis tools are not semantics preserving, i.e., this is bad

#### Lutsig – a verified Verilog synthesis tool

- Developed and verified inside the HOL4 interactive theorem prover
- Designed to fit into ITP-based hardware development
- Specifically, semantics preserving
- (Can be used outside formal development as well, like any other synthesis tool.)

#### Lutsig – a verified Verilog synthesis tool

- Handles a small synthesisable subset of Verilog for synchronous designs
- Targets FPGAs:
  - Verified synthesis algorithm, based on open source CSYN synthesis tool
  - Translation-validation-based technology-mapping algorithm for FPGAs (LUTs)
  - Remaining steps outside formal development (e.g., P&R, bitstream encoding)

### Lutsig's correctness theorems (simplified)

Correctness w.r.t. (Lutsig's) Verilog simulation semantics:

Lutsig(D) = OK(N) ==: forall n, run\_verilog(D, n) = run\_netlist(N, n)

(except for X-related behavior, which is allowed to be removed)

Correctness w.r.t. synthesis idiom for always\_comb:

Lutsig(D) = OK(N) ==> torall Verilog variables v in D, if v written to by always\_comb block ==> no register with name v in netlist N

#### Lutsig vs. today's synthesis tools

- Design your Verilog module using the old familiar synthesis idioms
- If Lutsig successfully gives back a synthesised netlist:
  - because of Lutsig's correctness theorem, the synthesised netlist must have the same behaviour as the input Verilog module
  - i.e., simulation-and-synthesis mismatches are ruled out using mathematical proof

#### • If Lutsig errors out:

- revisit your design
- This happens e.g. when the simulation and synthesis semantics point in different directions, because Lutsig abides by both semantics, Lutsig is forced to abort if this happens

## What does Lutsig actually do?

- Sequential blocks (always\_ff) straightforward to handle, with check that blocking vs. nonblocking assignments are not misused
- Combinational blocks:
  - Sort blocks topologically w.r.t. read dependencies, e.g.:

always\_comb b = a + 1; always\_comb a = inp;

- (Abort if cannot sort.)
- Examples of individual blocks to follow...

#### Combinational example 1: Scalars

For straight-line code, read as netlist:

#### always\_comb begin

// Lutsig would die here since tmp
// read before written to



#### Combinational example 2: Arrays

For straight-line code, read as netlist:

logic[1:0] foo;

```
always_comb begin
foo[0] = inp1;
foo[1] = inp2;
// ok reading foo here since whole array covered
foo = foo + 1;
end
```

#### Combinational example 3: If-statements

Generate mux for if-statements, fail if not assigned in all branches:

always\_comb
if (c)
a = inp;
//else
// a = 'x;

### Remember: Lutsig is formally verified

- Previous slides are pretty much the same checks a helpful synthesis tool or a linter would do
- Lutsig, however, is formally verified
- So, we know that the checks done are sufficient to guarantee semantics-preserving synthesis, i.e., input Verilog module and output netlist behave the same

## To do: Consider more sources of simulationand-synthesis mismatches

- Obviously, need to go through the same process for other sources of simulation-and-synthesis mismatches
- SystemVerilog solves some things: e.g. incomplete sensitivity lists
- Some things should just be prohibited: e.g. delays
- Sometimes the simulation model is slightly off, e.g. dual-port block RAM

#### Conclusion

- Clearly, we want to do development inside ITPs
- Verilog is a... tricky language
- Lutsig is one attempt at doing formal hardware development using Verilog nevertheless
- Verilog is the most popular HDL, so it's doing *something* right