# Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.

## Presentation transcript

### Model Checking

- Inputs: a design (in some HDL) and a property (in some temporal logic)
- Outputs: a decision about whether or not the property always holds for the design, and a counterexample if the property does not hold
- Model checking is the alternative to simulation

### Computational Tree Logic (CTL)

- CTL is a logic used to express properties for model checking
- CTL is useful because there is an efficient technique to check it
- A temporal logic is a logic which can express aspects of time
- CTL makes statements about the computational tree of a state machine

(Figure: a traffic light FSM with states R, G and Y, and the computational tree obtained by unrolling the FSM along every path.)

### CTL Formulae

A CTL formula is built from three things:

1. Atomic propositions: these are the variables
2. Boolean connectives: AND, OR, NOT, etc.
3. Temporal operators: express something about paths in the computational tree

A temporal operator has two parts:

1. A path quantifier: A (for all paths) or E (there exists a path)
2. A temporal modality: describes the ordering of events in time

### Temporal Modalities

Assume that p is a CTL formula.

- F p: "p holds sometime in the future". True of a path if there exists a state on the path where p is true
- G p: "p is true globally". True of a path if p is true at all states on the path
- X p: "p holds in the next state". True of a path if p is true in the state immediately after the current state
- p1 U p2: "p1 holds until p2 holds". True of a path if p2 is true in some state and p1 is true in all preceding states

### A CTL Property

- All temporal modalities, except G, are evaluated from the start state of the path
- `AG (req -> AF ack)`: for all reachable states, if req is asserted then we must reach a state where ack is asserted
- AG is interpreted relative to the start state; AG selects all states reachable from the start state
- AF is interpreted relative to the state where req is asserted

### Another CTL Property

- `AG AF enabled`: for every reachable state, for all paths starting at that state we must reach another state where enabled is asserted
- `AG EF restart`: from any reachable state, there must exist a path reaching a state where restart is asserted. In other words, it must always be possible to reach the restart state

### Fairness Constraints

- Fairness is when a set of constraints must be satisfied "infinitely often"
- "Büchi" type of constraints
- This can ensure fair access to a resource (e.g. bus access)

### Traffic Light Controller Constraint

```
AG ( !((farm_light = GREEN) * (hwy_light = GREEN)) );
```

Both lights can't be green at the same time.
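The CTL semantics from the earlier slides and this mutual-exclusion constraint can be checked mechanically on a small state machine. The following is an added example, not code from the slides or from VIS: it implements the standard explicit-state CTL labelling algorithm in Python (EX, EU and EG by fixpoint iteration, with AG, AF and EF derived from them by A/E duality) and runs it over a constructed traffic-light Kripke structure. The state names, proposition names and the `BUGGY` variant that can enter a both-green state are assumptions made for the example; `MUTEX` is the slide's constraint, and `LIVE` and `RESTART` follow the `AG (req -> AF ack)` and `AG EF restart` patterns.

```python
class Kripke:
    def __init__(self, init, trans, labels):
        self.labels = labels      # state -> set of atomic propositions true there
        self.states, self.init = set(labels), set(init)
        self.trans = {s: set() for s in self.states}
        for a, b in trans:
            self.trans[a].add(b)

    def pre(self, target):
        """States with at least one successor in target: the core of EX."""
        return {s for s in self.states if self.trans[s] & target}

def sat(m, f):
    """Set of states of m where the CTL formula f (nested tuples) holds."""
    op = f[0]
    if op == 'true': return set(m.states)
    if op == 'ap':   return {s for s in m.states if f[1] in m.labels[s]}
    if op == 'not':  return m.states - sat(m, f[1])
    if op == 'and':  return sat(m, f[1]) & sat(m, f[2])
    if op == 'imp':  return (m.states - sat(m, f[1])) | sat(m, f[2])
    if op == 'EX':   return m.pre(sat(m, f[1]))
    if op == 'EU':   # E[p U q]: least fixpoint Z = q | (p & pre(Z))
        p, q, z = sat(m, f[1]), sat(m, f[2]), set()
        while z != (nz := q | (p & m.pre(z))): z = nz
        return z
    if op == 'EG':   # EG p: greatest fixpoint Z = p & pre(Z)
        p = sat(m, f[1]); z = set(p)
        while z != (nz := p & m.pre(z)): z = nz
        return z
    # Everything else is rewritten into the primitives above (duality of A and E)
    if op == 'EF': return sat(m, ('EU', ('true',), f[1]))
    if op == 'AF': return sat(m, ('not', ('EG', ('not', f[1]))))
    if op == 'AG': return sat(m, ('not', ('EF', ('not', f[1]))))
    raise ValueError(f'unknown operator {op}')

def check(m, f):
    """True if f holds in every initial state, else the initial states where it fails."""
    bad = m.init - sat(m, f)
    return True if not bad else sorted(bad)

# Constructed traffic-light controller: states are (hwy, farm) light pairs (hypothetical names)
LAB = {'hG_fR': {'hwy_green'}, 'hY_fR': {'hwy_yellow'}, 'hR_fG': {'farm_green'},
       'hR_fY': {'farm_yellow'}, 'hG_fG': {'hwy_green', 'farm_green'}}  # last one is unsafe
CYCLE = [('hG_fR', 'hY_fR'), ('hY_fR', 'hR_fG'), ('hR_fG', 'hR_fY'), ('hR_fY', 'hG_fR')]
GOOD = Kripke(['hG_fR'], CYCLE, {s: LAB[s] for s in LAB if s != 'hG_fG'})
BUGGY = Kripke(['hG_fR'], CYCLE + [('hR_fY', 'hG_fG'), ('hG_fG', 'hG_fR')], LAB)
MUTEX = ('AG', ('not', ('and', ('ap', 'farm_green'), ('ap', 'hwy_green'))))  # slide's constraint
LIVE = ('AG', ('imp', ('ap', 'hwy_green'), ('AF', ('ap', 'farm_green'))))    # AG (req -> AF ack)
RESTART = ('AG', ('EF', ('ap', 'hwy_green')))                                   # AG EF restart
```

`check(GOOD, MUTEX)` returns `True`, while `check(BUGGY, MUTEX)` returns `['hG_fR']`, the initial state from which the both-green state is reachable; a real model checker such as VIS would additionally print the path leading to it.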

### Model Checking in VIS

(Figure: the flow from Verilog, through vl2mv, to BLIF-MV, which VIS reads together with the CTL properties.)

- We use VIS for model checking, not synthesis

### Running VIS

```
% module load vis             # set up environment variables
% vl2mv tlc.v                 # convert Verilog to blif_mv
% vis                         # start VIS
vis> read_blif_mv tlc.mv      # read the blif
vis> init_verify              # initialize for verification
vis> model_check -i tlc.ctl   # model check with properties (tlc.ctl)
```
