picorv32/scripts/smt2-bmc
Clifford Wolf b5b1816101 Better "steps" default in smt2-bmc/sync.py 2015-10-06 11:35:23 +02:00
..
.gitignore Added scripts/smt2-bmc/sync.* 2015-08-15 11:28:35 +02:00
README More improvements in smt2-bmc scripts 2015-08-15 18:07:01 +02:00
async.py Improvements to smtio.py 2015-09-18 20:19:14 +02:00
async.sh Renamed scripts/smt2-bmc/mem_equiv to .../async 2015-08-15 10:50:27 +02:00
async.ys Added scripts/smt2-bmc/sync.* 2015-08-15 11:28:35 +02:00
main.v Added scripts/smt2-bmc/sync.* 2015-08-15 11:28:35 +02:00
smtio.py Improvements to smtio.py 2015-09-18 20:19:14 +02:00
sync.py Better "steps" default in smt2-bmc/sync.py 2015-10-06 11:35:23 +02:00
sync.sh Added scripts/smt2-bmc/sync.* 2015-08-15 11:28:35 +02:00
sync.ys Added scripts/smt2-bmc/sync.* 2015-08-15 11:28:35 +02:00

README

Checking equivalence of different configurations of PicoRV32 using Yosys and
SMT solvers (Yices, Z3, CVC4, MathSAT).

The PicoRV32 core provides configuration parameters that change the supported
ISA and/or the timing of the core. This set of scripts uses model checking
techniques to proof equivalence of cores in different configurations, thus
transfering the confidence in the cores gained by running test benches on a few
configurations to the rest of the configurations.


async
-----

The async test compares two cores with different timings (number of clock
cycles per operation), but same ISA. The SMT problem models the following
scenario:

The cores start out with identical memory and register file. In cycle 0 the
reset input is active, in all other cycles the reset input is inactive. The
trap output must by active in the last cycle for both cores. I.e. whatever
the program in memory does, it must terminate in a trap and it must do so
for both cores within the simulated number of clock cycles.

The script searches for a trace that ends in different memory content and/or
different register file content in the last cycle, i.e. a trace that exposes
divergent behavior in the two cores.


sync
----

The sync test compares two cores same timings but different ISA. The ISA of the
2nd code (main_b) must be a superset of the ISA of the first core (main_a), and
catching illegal instructions and illegal memory transfers must be enabled in
the first core. The SMT problem models the following scenario:

The cores start out with identical memory and register file. In cycle 0 the
reset input is active, in all other cycles the reset input is inactive. The
cores are run in parallel for a number of cycles with the first core not going
into the trap state. I.e. all traces are limited to the ISA supported by the
first core.

The script searches for a trace that ends in different memory content and/or
different register file content in the last cycle, i.e. a trace that exposes
divergent behavior in the two cores.