github-mirrors/ibex
1
0
Fork 0
mirror of https://github.com/lowRISC/ibex.git synced 2025-06-27 17:00:41 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
ibex/dv/formal/thm/riscv.proof
Louis-Emile c0636dcbde [dv,formal] Add flow for formal equivalence checking with Sail 
Here's a high-level overview of what this commit does:
- Compiles Sail into SystemVerilog including patchin compiler bugs
- Create a TCL file that tells JasperGold what to prove and assume
- Check memory operations modelling the LSU
  Most of these properties now prove without time-bound on the response
  from memory due to alternative LSUs
- Check memory even with Smepmp errors:
  Continues on top of https://github.com/riscv/sail-riscv/pull/196
- CSR verification
- Checks for instruction types such as B-Type, I-Type, R-Type
- Check illegal instructions and WFI instructions
- Using psgen language for proof generation
- Documentation on how to use the setup
- Wrap around proof that proves instructions executed in a row still
  match the specification.
- Liveness proof to guarantee instructions will retire within a upper
  bound of cycles.

All of these proofs make heavy use of the concept of k-induction. All
the different properties and steps are necessary to help the tool get
the useful properties it needs to prove the next step. The instruction
correctness, wrap-around and liveness all give us increased confidence
that Ibex is trace-equivalent to Sail.

Throughout this process an issue was found in Ibex where the pipeline
was not flushing properly on changing PMP registers using clear: #2193

Alternative LSUs:
This makes all top level memory properties prove quickly and at a low
proof effort (1 or 2-induction). Three 'alternative LSUs' representing
three stages of memory instructions:
1. Before the first response is received, in the EX stage
2. After the first response is received, but not the second grant,
also in the EX stage
3. Before the last response is received in the WB stage.
In each case we ask 'if the response came now, would the result
be correct?'. Similar is applied for CSRs/PC though less directly.
This is particularly interesting (read: ugly) in the case of a PMP error

wbexc_exists makes Wrap properties fast to prove. The bottleneck becomes
SpecPastNoWbexcPC, which fails only due to a bug. See the comment
in riscv.proof.

Co-authored-by: Marno van der Maas <mvdmaas+git@lowrisc.org>
Signed-off-by: Louis-Emile Ploix <louis-emile.ploix@lowrisc.org>
2025-04-30 13:30:45 +00:00

194 lines
6.3 KiB
Text
Raw Blame History

# Copyright lowRISC contributors.
# Copyright 2024 University of Oxford, see also CREDITS.md.
# Licensed under the Apache License, Version 2.0, see LICENSE for details.
# Original author: Louis-Emile Ploix
# SPDX-License-Identifier: Apache-2.0
# This is the 'entry point' of the proofs, it invokes all the other proofs in thm/
def csr_split
each X Priv:(priv) Mstatus:(mstatus) Mie:(mie) Mcause:(mcause) Mtval:(mtval) Mtvec:(mtvec) \
Mscratch:(mscratch) Mepc:(mepc) Mcounteren:(mcounteren) \
Pmp_cfg:(pmp_cfg) Pmp_addr:(pmp_addr) Mseccfg:(mseccfg)
have (wbexc_dut_cmp_post_``X == wbexc_spec_cmp_post_``X)
def spec_compliant_raw_csr_split
Addr: have (addr_match)
Data: have (data_match)
PC: have (pc_match)
use csr_split
def spec_compliant_raw
Addr: have (addr_match)
Data: have (data_match)
CSR: have (csrs_match)
PC: have (pc_match)
def spec_compliant
cond (finishing_executed & ~wbexc_illegal)
use spec_compliant_raw
def spec_compliant_no_err
cond (finishing_executed & ~wbexc_illegal)
NoErr: have (~wbexc_err)
/
use spec_compliant_raw
def structure_fast
cond (finishing_executed & ~wbexc_illegal)
Fast: have ($past(instr_will_progress))
def structure_fast_err
cond (finishing_executed & ~wbexc_illegal & wbexc_err)
Fast: have ($past(instr_will_progress))
lemma riscv
Ibex: lemma ibex
/
Arith:
in I:(`ISS_ADDI | `ISS_SLTI | `ISS_SLTIU | `ISS_XORI | `ISS_ORI | `ISS_ANDI) \
R:(`ISS_ADD | `ISS_SUB | `ISS_SLL | `ISS_SLT | `ISS_SLTU | `ISS_XOR | `ISS_SRL | `ISS_SRA | `ISS_OR | `ISS_AND) \
Shift:(`ISS_SHIFTIOP)
use structure_fast
/
use spec_compliant_no_err
# Never actually proved, just assumed to be true instead.
MType:
in Mul:(`ISS_MUL) MulH:(`ISS_MULH) MulHSH:(`ISS_MULHSH) MulHU:(`ISS_MULHU) Div:(`ISS_DIV) DivU:(`ISS_DIVU) Rem:(`ISS_REM) RemU:(`ISS_REMU)
use spec_compliant_no_err
CSR:
in (`ISS_CSR & wbexc_is_checkable_csr)
use structure_fast
/
use spec_compliant
split_bool Err:(wbexc_err)
BType:
in (`ISS_BTYPE)
lemma btype
use structure_fast
/
use spec_compliant
JType: block
lemma jump
/
in Jal:(`ISS_JAL) Jalr:(`ISS_JALR)
use structure_fast
/
use spec_compliant
UType:
in Lui:(`ISS_LUI) Auipc:(`ISS_AUIPC)
use structure_fast
/
use spec_compliant
Fence:
in Fence:(`ISS_FENCE) FenceI:(`ISS_FENCEI)
use structure_fast
/
use spec_compliant
Special:
in ECall:(`ISS_ECALL) EBreak:(`ISS_EBREAK) MRet:(`ISS_MRET)
use structure_fast
/
use spec_compliant
WFI:
in (`ISS_WFI && finishing_executed && ~wbexc_illegal)
use structure_fast
/
use spec_compliant_raw
split_bool Err:(wbexc_err)
Mem: block
lemma mem
/
Load: lemma load
Store: lemma store
/
in L:(wbexc_is_pres_load_instr) S:(wbexc_is_pres_store_instr)
use spec_compliant
split_bool Err:(wbexc_err)
IRQ: in (wbexc_handling_irq)
PC: have (pc_match)
CSR: have (csrs_match)
Illegal: in (wbexc_illegal & can_check_illegal & wbexc_finishing & ~wbexc_fetch_err & (`ISS_CSR -> wbexc_is_checkable_csr))
Fast: have ($past(instr_will_progress))
/
use spec_compliant_raw
FetchErr: in (wbexc_finishing & wbexc_fetch_err)
Fast: have ($past(instr_will_progress))
/
use spec_compliant_raw
/
# Uncomment this for liveness proofs, see ibex.proof for a description of when this can be done.
# Liveness: lemma live
Top: in (wbexc_finishing & (`ISS_CSR -> wbexc_is_checkable_csr))
use spec_compliant_raw
/
RegMatch:
each i 1:(1) 2:(2) 3:(3) 4:(4) 5:(5) 6:(6) 7:(7) 8:(8) 9:(9) 10:(10) 11:(11) 12:(12) 13:(13) 14:(14) \
15:(15) 16:(16) 17:(17) 18:(18) 19:(19) 20:(20) 21:(21) 22:(22) 23:(23) 24:(24) 25:(25) 26:(26) \
27:(27) 28:(28) 29:(29) 30:(30) 31:(31)
have ((~`CR.rf_write_wb || `CR.rf_waddr_wb != i) & spec_past_has_reg[i] |-> pre_regs[i] == spec_past_regs[i])
SpecPastNoWbexc:
in (has_spec_past & ~wbexc_exists)
each X Priv:(priv) Mstatus:(mstatus) Mie:(mie) Mcause:(mcause) Mtval:(mtval) Mtvec:(mtvec) \
Mscratch:(mscratch) Mepc:(mepc) Mcounteren:(mcounteren) \
Pmp_cfg:(pmp_cfg) Pmp_addr:(pmp_addr) Mseccfg:(mseccfg)
have (spec_past_``X == pre_``X)
SleepSpecPastPC: have (has_spec_past & (`IDC.ctrl_fsm_cs == `IDC.WAIT_SLEEP || `IDC.ctrl_fsm_cs == `IDC.SLEEP) |-> spec_past_pc == `CR.pc_if)
/
# If you find a visualize SST trace for this property of length 5, you will be told none exists.
# If you find an SST trace via prove -sst, one will be found, but upon visualizing it JG will report that an
# assumption was violated. This leads me to believe that this property is provable by 5-induction, but JG has
# a bug preventing it from seeing so. It proves instead via engine D.
SpecPastNoWbexcPC: have (has_spec_past & ~wbexc_exists |-> spec_past_pc == (`ID.instr_valid_i ? pre_pc : `CR.pc_if))
/
# Prove these with engine D (apart from Live which needs Oh)
Wrap: in (spec_en)
each X Priv:(priv) Mstatus:(mstatus) Mie:(mie) Mcause:(mcause) Mtval:(mtval) Mtvec:(mtvec) \
Mscratch:(mscratch) Mepc:(mepc) Mcounteren:(mcounteren) \
Pmp_cfg:(pmp_cfg) Pmp_addr:(pmp_addr) Mseccfg:(mseccfg) \
Pc:(pc)
have (has_spec_past |-> pre_``X == spec_past_``X)
RegA: have (spec_rx_a_en && (spec_rx_a_addr != 0) && spec_past_has_reg[spec_rx_a_addr] |-> spec_rx_a == spec_past_regs[spec_rx_a_addr])
RegB: have (spec_rx_b_en && (spec_rx_b_addr != 0) && spec_past_has_reg[spec_rx_b_addr] |-> spec_rx_b == spec_past_regs[spec_rx_b_addr])
# Live: have (always (##[1:157 + 2*`WFI_BOUND + 17*`TIME_LIMIT] spec_en))
Mem:
block
En: have (data_req_o |-> spec_mem_en)
SndEn: have (mem_req_snd_d |-> spec_mem_en_snd)
We: have (data_req_o |-> data_we_o == spec_mem_write && data_we_o == ~spec_mem_read)
FstAddr: have (mem_req_fst_d |-> spec_mem_fst_addr == data_addr_o)
SndAddr: have (mem_req_snd_d |-> spec_mem_snd_addr == data_addr_o)
FstWData: have (mem_req_fst_d & data_we_o |-> (spec_mem_write_fst_wdata & fst_mask) == (data_wdata_o & fst_mask))
SndWData: have (mem_req_snd_d & data_we_o |-> (spec_mem_write_snd_wdata & snd_mask) == (data_wdata_o & snd_mask))
FstEnd: have (spec_en & spec_mem_en |-> mem_gnt_fst_d)
SndEnd: have (spec_en & spec_mem_en_snd |-> mem_gnt_snd_d)
Reference in a new issue View git blame Copy permalink