# Doing the Impossible: Using Formal Verification on Packet Based Data Paths

Doug Smith Doulos Austin, Texas

Abstract-Formal verification is known to work well in areas like control logic, interface protocols, and so on, but it is often dismissed for use on data paths since capacity becomes a significant issue. In particular, packet based protocols have potentially very large state spaces, which can pose a problem for formal. However, in this paper, a step by step process is presented, showing how to decompose a frame of data into simple formal constraints, modeling code, and assertions, which allows formal to fully explore the entire packet state space.

#### I. INTRODUCTION

All verification tools and flows have their limitations. Formal verification is known to be limited by its capacity due to *state space* caused by a large cycle depths and a large cones of influence. Thus, it is commonly believed that using formal on data paths typically does not work or at least requires abstraction. In general, this is true. Therefore, packet based protocols spanning multiple cycles and carrying large payloads would be virtually impossible, at least in theory. For example, an Ethernet TCP/IP packet can transfer over 9000+ bytes of data in a jumbo frame. It is easy to understand why most would consider this too large of a data path for formal verification to handle.

However, in the words of Alexander the Great, "There is nothing impossible to him who will try." Indeed, even with Ethernet jumbo frames, it is possible for formal verification to explore the entire Ethernet state space. The trick is understanding that while 9000+ bytes may be sent, the *valid state space* is actually quite small.

Consider the packet structure of an Ethernet jumbo frame illustrated in Figure [1]. Most of the jumbo frame is comprised of the data payload, which can have any value. For this part of the frame, we can let formal pick any random data it wants, removing the data portion from the state space needed to explore. What we are really interested in verifying with packet-based protocols is: (1) does the packet get parsed correctly? and (2) is the embedded control information in the packet correct? In other words, we are really verifying the control logic that is driven by the information from the packet.

With the payload removed from the formal state space, there are only a handful of fields remaining. While these fields may be quite large, most fields only have a few valid values, which we can easily constrain to reduce the state

|           |           | 0 |                                       |   |   |   |   | 1   |   |        |      |        |        |        | 2                     |              |        |        |        |        |        |   | 3 |     |  |  |        |        |        |        |        |  |  |  |  |  |  |  |  |
|-----------|-----------|---|---------------------------------------|---|---|---|---|-----|---|--------|------|--------|--------|--------|-----------------------|--------------|--------|--------|--------|--------|--------|---|---|-----|--|--|--------|--------|--------|--------|--------|--|--|--|--|--|--|--|--|
| Oct<br>et | Bit       | 0 | 1                                     | 2 | 3 | 4 | 5 | 5 6 | 7 | 8      | 9    | 1<br>0 | 1<br>1 | 1<br>2 | 1<br>3                | 1<br>4       | 1<br>5 | 1<br>6 | 1<br>7 | 1<br>8 | 1<br>9 | 0 | 2 |     |  |  | 2<br>5 | 2<br>6 | 2<br>7 | 2<br>8 | 2<br>9 |  |  |  |  |  |  |  |  |
| 0         | 0         | ٧ | Version IHL                           |   |   |   |   |     |   | DSCP N |      |        |        |        |                       | Total Length |        |        |        |        |        |   |   |     |  |  |        |        |        |        |        |  |  |  |  |  |  |  |  |
| 4         | 32        |   | Identifi                              |   |   |   |   |     |   | fica   | atio | n      |        |        | Flags Fragment Offset |              |        |        |        |        |        |   |   | 3 1 |  |  |        |        |        |        |        |  |  |  |  |  |  |  |  |
| 8         | 64        |   | Time To Live Protocol Header Checksum |   |   |   |   |     |   |        |      |        |        |        |                       |              |        |        |        |        |        |   |   |     |  |  |        |        |        |        |        |  |  |  |  |  |  |  |  |
| 12        | 96        |   |                                       |   |   |   |   |     |   |        |      |        |        | S      | ou                    | rce          | l F    | P A    | dd     | re     | ss     |   |   |     |  |  |        |        |        |        |        |  |  |  |  |  |  |  |  |
| 16        | 128       |   | Destination IP Address                |   |   |   |   |     |   |        |      |        |        |        |                       |              |        |        |        |        |        |   |   |     |  |  |        |        |        |        |        |  |  |  |  |  |  |  |  |
| 20        | 160       |   |                                       |   |   |   |   |     |   |        |      |        |        |        |                       |              |        |        |        |        |        |   |   |     |  |  |        |        |        |        |        |  |  |  |  |  |  |  |  |
| 24        | 192       |   |                                       |   |   |   |   |     |   |        |      |        |        | _      | 4                     |              | - /    | :£ 11  |        |        | ۲,     |   |   |     |  |  |        |        |        |        |        |  |  |  |  |  |  |  |  |
| 28        | 224       |   |                                       |   |   |   |   |     |   |        |      |        |        | C      | pτ                    | ion          | s (    | if II  | ٦L     | >      | ວ)     | ) |   |     |  |  |        |        |        |        |        |  |  |  |  |  |  |  |  |
| 32        | 256       |   |                                       |   |   |   |   |     |   |        |      |        |        |        |                       |              |        |        |        |        |        |   |   |     |  |  |        |        |        |        |        |  |  |  |  |  |  |  |  |
| 36        | 260       |   |                                       |   |   |   |   |     |   |        |      |        |        |        |                       |              |        |        |        |        |        |   |   |     |  |  |        |        |        |        |        |  |  |  |  |  |  |  |  |
|           |           |   | Data                                  |   |   |   |   |     |   |        |      |        |        |        |                       |              |        |        |        |        |        |   |   |     |  |  |        |        |        |        |        |  |  |  |  |  |  |  |  |
| 9036      | 7228<br>8 |   |                                       |   |   |   |   |     |   |        |      |        |        |        |                       |              |        |        |        |        |        |   |   |     |  |  |        |        |        |        |        |  |  |  |  |  |  |  |  |

Figure 1: Potential IPv4 state space up to jumbo frames of 2<sup>72288</sup> bit combinations [1].

space further. Likewise, we can break up the packet into smaller structures so that each field of the packet is handled separately instead of as one large state space. In other words, packet-based frames and protocols are not beyond the scope of formal verification; rather, formal can prove that your packet parser handles every packet correctly and finds all invalid packet corner cases<sup>1</sup>, which is something hard to claim with other verification flows.

Using a small packet based protocol such as the CAN bus, this paper will outline a seven step procedure for modeling packet data for formal verification, which can be used for any packet-based protocol.

#### II. MODELING PACKET BASED INPUT

#### A. Model the control logic

The first step to sending a packet of data is defining the hand-shaking protocol between the producer and the consumer. This is typically handled using a start-of-packet (SOP) and end-of-packet (EOP) handshake protocol (see Figure 2). This can be modeled using helper code or formal constraints.



Figure 2: Packet handshake protocol.

The CAN bus protocol refers to a packet as a frame<sup>2</sup> and does not explicitly use a handshaking protocol. However, these handshaking signals can be used to constrain formal and are shown here for other protocols that use them. The control logic could be modeled with some procedural code as follows:

```
1
   module canbus (input clk,
2
                 input rst,
3
                 input rx,
4
                 output tx,
5
                 input tx rx);
                                     // Transmitter or receiver
6
7
     bit pkt sof;
                       // Start of frame
                       // End of frame
8
     bit pkt eof;
                       // Valid packet
9
     bit pkt vld;
10
11
      // -----
12
13
      // (1) Model the control logic
14
                                         // Frame transaction in progress
1.5
     bit
            in progress;
16
     bit [7:0] total bits;
                                         // Total frame bits
                                          // Number of frame bits transmitted
17
     bit [7:0] tx bits;
18
19
      // Create an active flag
20
      wire active = pkt sof | in progress;
21
22
      always @ (posedge clk or posedge rst) begin
23
             if ( rst ) in progress <= 1'b0;</pre>
         else if ( pkt eof ) in progress <= 1'b0;</pre>
24
25
         else if ( pkt sof ) in progress <= 1'b1;</pre>
26
```

Using this modeling code, formal constrains are easily specified to create the handshaking signals:

<sup>&</sup>lt;sup>1</sup> Provided the valid values of the packets are fully specified.

<sup>&</sup>lt;sup>2</sup> The terms packet and frame are used interchangeably in this paper.

```
28
      default clocking cb @(posedge clk); endclocking
29
30
      // Control signal constraints
31
      property prop transfer;
32
         pkt sof <-> pkt vld[*1:$] ##0 pkt eof;
33
      endproperty
34
      asm pkt vld: assume property ( active <-> pkt vld );
35
      asm_pkt_sof: assume property ( $rose(pkt_vld) -> $rose(pkt_sof) );
36
37
      asm_pkt_eof: assume property (pkt_vld && (tx_bits >= total_bits) <-> pkt_eof);
38
      asm_pkt_notsof: assume property ( in_progress |-> !pkt_sof );
```

The prop\_transfer property specifies the waveform shown in Figure 2. The other assumptions constrain formal from toggling the valid, start-of-frame, and end-of-frame signals while the transfer is in progress. The total\_bits and tx\_bits signals will be assigned in a later step.

## B. Define the packet structure

The next step is allocating a vector or array to hold the generated packet. While it may be tempting to define one large vector, the larger the vector, the larger the state space. By breaking the packet into smaller chunks, it makes it easier for formal to synthesize and reduces the number of constraints needed for each field in the packet. For this paper, we implement the CAN bus protocol as shown in Figure 3.



Figure 3: CAN bus protocol [2].

Examining the CAN frame, the largest field is the data field, which can be up to 8 bytes, and the CRC is the second largest field at 16 bits. Therefore, we could arbitrarily break the packet into either 8 bits or 16 bits chunks. The size of the chunk will determine the number of properties and potentially the speed of the formal analysis. For this example, we use 8 bits as our chunk size, and we use a standard CAN frame and not the extended frame format. (However, we do include bit stuffing, but bit stuffing is addressed when we transmit the data in another step).

The next step is to define an 8 bit structure for each part of the packet. For parts that are greater than 8 bits, we will define multiple structures to represent the field. Of course, some parts of the structure may have extra bits if a field is not a multiple of 8, but anything extra will simply become unused bits<sup>3</sup>. Here is one possible way to define structs for the CAN packet (note, since the data is transmitted from MSB to LSB, any unused bits will be included at the bottom of the structure):

```
39
                                        45
                                              typedef struct packed {
40
     // (2) Define the packet structure
                                        46
                                                bit
                                                      sof;
                                                bit [6:0] unused;
41
                                        47
     // -----
42
                                        48
                                              } start of frame t;
     // Start of frame
43
                                        49
44
     // -----
                                        50
```

<sup>&</sup>lt;sup>3</sup> The smaller the packet is sliced, the less bits go unused, but at the cost of more structures and coding. The state space is unaffected by the extra bits because they are not used and pose no performance issue for the formal tool.

```
// -----
                                       87
52
     // Arbitration
                                       88
                                            typedef struct packed {
53
     // -----
                                       89
                                               bit [6:0] crc;
54
     typedef struct packed {
                                       90
                                               bit unused;
                                       91
                                            } crc low t;
55
       bit [10:3] id;
                                       92
56
     } arbitration high t;
57
                                       93
                                            // Break out the CRC delimiter
                                       94
                                            // so no bit stuffing occurs
58
     typedef struct packed {
59
       bit [2:0] id;
                                       95
                                            // during the delimiter
60
        bit
               rtr;
                                       96
                                            typedef struct packed {
61
        bit [3:0] unused;
                                       97
                                               bit crc delimiter;
                                               bit [6:0] unused;
                                       98
62
     } arbitration low t;
                                       99
63
                                             } crc delimiter t;
     // -----
64
                                       100
65
     // Control
                                       101
                                            // -----
     // -----
                                       102
66
     typedef struct packed {
67
                                      103
                                            // Acknowledge
       bit ide;
bit r0;
68
                                      104
                                            // -----
69
                                       105
                                            typedef struct packed {
70
       bit [3:0] dlc;
                                       106
                                             bit ack;
bit ack_delimiter;
71
       bit [1:0] unused;
                                       107
     } control_t;
72
                                       108
                                              bit [5:0] unused;
73
                                       109
                                            } ack t;
     // -----
74
                                       110
                                            // -----
     // Data
75
                                       111
     // -----
                                            // End of frame
76
                                       112
                                            // -----
77
     typedef struct packed {
                                      113
78
       bit [7:0] value;
                                      114
                                            typedef struct packed {
                                            bit [6:0] eof;
79
     } data t;
                                      115
80
                                      116
                                              bit unused;
     // -----
81
                                      117
                                            } end of frame t;
82
     // CRC
                                      118
     // -----
                                      119
                                            typedef struct packed {
8.3
     typedef struct packed {
                                       120
84
                                               bit [2:0] ifs;
85
      bit [14: 7] crc;
                                       121
                                               bit [4:0] unused;
86
     } crc_high_t;
                                       122
                                            } inter_frame_spacing_t;
```

With the packet structures defined, we can define a packed union to represent any part of the packet or frame. We include a member called qbits to explicitly access the packed union as a flatten queue of bits:

```
123
       // Combined packet type
       typedef union packed {
125
        start of frame t
                                   sof;
         arbitration_high_t arb_h;
arbitration_low_t arb_l;
control t ctrl;
126
127
128
          control t
                                   ctrl;
129
          data_t
                                   data;
        crc_high_t crc_h;
crc_low_t crc_delimiter;
ack_t ack;
130
131
132
133
          end_of_frame_t
134
                                    eof;
135
          inter frame spacing t ifs;
136
          bit [7:0]
                                   qbits;
137
       } pkt_item_t;
```

With our packet items defined, we now create an array that contains our CAN bus frame. Since we have 11 structures and the data can be up to 8 bytes in a frame, we set the size of the array to be at least 18 plus an extra array element for terminating the frame:

```
138
      // Packet items
139
      localparam NUM ITEMS = 1 + // SOF
                             1 + // ARB H
140
                             1 + // ARB L
141
                             1 + // CTRL
142
                             8 + // DATA
143
144
                             1 + // CRC H
                             1 + // CRC_L
145
146
                             1 +
                                  // CRC DELIMITER
147
                             1 +
                                  // ACK
148
                             1 +
                                  // EOF
                                  // IFS
149
                             1 +
150
                             1:
                                  // NONE
151
152
      pkt item t packet [NUM ITEMS+1];
```

When we define the packet array, we allocate one more location so our formal properties will synthesize and work correctly, which is explained in the last step.

Associated with each chunk in the frame is another structure to keep track of its field kind or type, length, and a running tally of the overall length (as the number of bits or bytes depending on the protocol) of the frame. While this information can be embedded in each packet structure above, by separating out this information, we keep the size of the packet structure smaller for the formal tool and ensure that it does not affect the packet's state space. For example, the following code defines this additional structure:

```
153
154
      // Packet Structure
155
      // -----
      typedef enum bit [3:0] { SOF, ARB H, ARB L, CTRL, DATA, CRC H, CRC L,
156
                               CRC_DELIMITER, ACK, EOF, IFS, NONE } pkt_item_kind_t;
157
158
159
      typedef struct packed {
160
          pkt item kind t kind;
161
          bit [7:0]
                          length;
162
         bit [7:0]
                          total length;
163
      } packet info t;
164
165
      packet_info_t packet_info [NUM_ITEMS+1];
```

Once again, the purpose of this step is to break the packet-based protocol into smaller, manageable chunks, which reduces the state space for formal and simplifies its formal synthesis. Conceptually, the arrays are illustrated in Figure 4, showing how the structures map back to the packet diagram. The length field represents the number of bits used in that element, and the total\_length is the length of the entire packet/frame from that array element onwards.

|                                |                |                  |                         |                                      | Complete CA                                     |                  |                  | Н                     |                            |                  | -             |
|--------------------------------|----------------|------------------|-------------------------|--------------------------------------|-------------------------------------------------|------------------|------------------|-----------------------|----------------------------|------------------|---------------|
|                                | Start of frame | - Arbitration    | •                       | ← Control →                          | → Data →                                        | + CF             |                  | velimiter +           | elimiter                   | ← End of frame → |               |
| CAN bitstream                  | -              |                  |                         | 100010<br>100010<br>100010<br>100010 | DATA7 DATA6 DATA6 DATA7 DATA7 DATA7 DATA7 DATA1 |                  |                  | щ.                    | _                          |                  | 2 E 8         |
| Array index                    | [0]            |                  | [2]                     | [3]                                  | [4]                                             | [5]              |                  |                       | [8]                        |                  | [10]          |
| packet                         | bitsof         | bit [10:3] id    | bit [2:0] id<br>bit rtr | bit ide<br>bit r0<br>bit [3:0] dlc   | bit [7:0] value                                 | bit [14:7] crc   | bit [6:0] crc    | bit crc_delimiter     | bit ack; bit ack_delimiter | bit [6:0] eof    | bit [2:0] ifs |
| packet ind length total_length | sor<br>1<br>54 | ARB_H<br>8<br>53 | ARB_L<br>3<br>45        | CTRL<br>6<br>42                      | DATA<br>8<br>36                                 | CRC_H<br>8<br>28 | CRC_L<br>7<br>20 | C<br>R<br>C<br>D<br>1 | AC<br>K<br>2<br>12         | EOF<br>7<br>10   | IFS<br>3<br>3 |

Figure 4: Example mapping of a CAN frame to the packet and the packet info arrays.

## C. Define the packet constraints

With the packet structures defined, we constrain our packet arrays to represent a valid, basic CAN frame. First, some helper constraints are added to keep track of each frame item, and tally up the total packet size:

```
166
     // (3) Define packet constraints
167
168
     // -----
     sequence seq_kind(n, k);
169
170
        packet info[n].kind == k;
171
     endsequence
172
173
     sequence seq total length(n);
174
        packet info[n].total length == packet info[n+1].total length +
175
                                     packet info[n].length;
176
     endsequence
177
178
     sequence seq length(n, 1);
        ( packet info[n].length == 1 ) and seq total length(n);
179
180
     endsequence
181
182
     sequence seq_terminate_length(n);
183
        ( packet_info[n].length == 0 ) &&
184
        ( packet_info[n].total_length == 0 );
185
     endsequence
```

The n passed into the named sequences represents the element in the packet arrays shown above. With the seq\_total\_length sequence, the total length is calculated using the current element's length and the next element's length (n+1). The seq\_length sequence sets the length and then calls the seq\_total\_length. This technique of reaching into the previous or next element in the frame is one way to pass information about the entire packet to the header fields (like the total packet/frame length) or for error checking functions (like checksum or CRC).

Now a property constraint needs written for each element in the packet to specify its legal values. Each property is passed an index into the packet array (n), and the packet element's kind, length, and legal values for its structure's members are described within the named property:

```
186
                                             214
                                                      and
      // Start of frame
187
                                             215
                                                   (packet[n].arb l.rtr == frame type)
188
      //
                                            216
189
                                            217
      property prop sof(n);
                                                      (packet[n].arb h.unused == '0);
190
                                            218
        seq kind(n,SOF) and
                                                   endproperty
191
                                            219
         seq_length(n,1) and
         (packet[n].sof.sof == '0) and
192
                                            220
193
                                            221
                                                   // Control
         (packet[n].sof.unused == '0);
194
      endproperty
                                             222
                                                   //
195
                                            223
                                                   bit [3:0] payload size;
196
                                            224
                                                   property prop_control(n);
197
      // Arbitration
                                            225
                                                      seq kind(n,CTRL) and
      //
198
                                            226
                                                      seq_length(n,6) and
199
      enum bit { DATA FRAME = 0,
                                            227
                                                      (packet[n].ctrl.ide == 0) and
200
                REMOTE FRAME = 1
                                            228
                                                      (packet[n].ctrl.r0 == 0) and
201
               } frame type;
                                            229
                                                  (packet[n].ctrl.dlc == payload size)
202
      bit [10:0] id;
                                             230
                                            231
203
                                                      (packet[n].ctrl.unused == '0);
204
                                            232
      property prop arb h(n);
                                                   endproperty
205
         seq_kind(n,ARB_H) and
                                            233
206
         seq length(n,8) and
                                            234
                                                  // Data payload
207
        (packet[n].arb h.id == id[10:3]);
                                           235
208
                                            236
      endproperty
209
                                            237
                                                   bit [7:0] random data;
210
                                            238
      property prop_arb_l(n);
                                            239
211
         seq kind(n, ARB L) and
                                                   property prop_data(n);
212
         seq length(n,4) and
                                            240
                                                   seq kind(n,DATA) and
213
         (packet[n].arb_1.id == id[2:0])
                                            241
                                                      seq_length(n,8) and
```

```
242 (packet[n].data.value == random data);
                                                        seq kind(n, ACK) and
                                               273
      endproperty
                                                         seq length(n, 2) and
244
                                               274
                                                         (packet[n].ack.ack == tx rx) and
245
      //
                                               275
                                                     (packet[n].ack.ack delimiter == '1);
      // CRC
246
                                               276
                                                      endproperty
      //
                                               277
247
248
      bit [15:0] crc;
                                               278
                                                      //
                                               279
                                                      // End of frame
249
250
                                               280
      property prop_crc_h(n);
251
         seq kind(n,CRC H) and
                                               281
                                                     property prop_eof(n);
252
          seq length(n,8) and
                                               282
                                                         seq kind(n, EOF) and
253
                                               283
                                                         seq_length(n,7) and
      (packet[n].crc h.crc == crc[14:7]);
254
                                               284
                                                         (packet[n].eof.eof == '1);
      endproperty
255
                                               285
                                                      endproperty
256
      property prop_crc_l(n);
                                               286
257
         seq kind(n,CRC L) and
                                               287
258
          seq length(n,7) and
                                               288
                                                      // Inter-frame spacing
259
       (packet[n].crc l.crc == crc[6:0]);
                                               289
260
                                               290
      endproperty
                                                     property prop ifs(n);
261
                                               291
                                                        seq kind(n, IFS) and
262
      property prop_crc_delimiter(n);
                                               292
                                                         seq_length(n,3) and
263
         seq_kind(n,CRC_DELIMITER) and
                                               293
                                                         (packet[n].ifs.ifs == '1);
264
          seq_length(n,1) and
                                               294
                                                     endproperty
265 packet[n].crc delimiter.crc delimiter
                                               295
   == 1);
                                               296
266
                                                     // Terminal for packet
      endproperty
                                               297
                                                     //
267
                                               298
268
                                               299
                                                     property prop_none(n);
      // ACK
                                                        seq_kind(n,NONE) and
269
                                               300
270
      //
                                               301
                                                        seq terminate length(n);
                                               302
      property prop_ack(n);
                                                     endproperty
```

To better understand these properties, consider the start-of-frame:

```
189     property prop_sof(n);
190     seq_kind(n,SOF) and
191     seq_length(n,1) and
192     (packet[n].sof.sof == '0) and
193     (packet[n].sof.unused == '0);
194     endproperty
```

On line 190, seq\_kind is called with the array index and the kind as defined by the pkt\_item\_kind\_t enumeration (line 157). This sets the packet\_info[n].kind element to the start-of-frame or SOF, and seq\_length sets packet\_info[n].length to 1, adds 1 to the total frame bit count, and assigns it to packet\_info[n].total\_length. These two sequences are included in all the properties, and then any individual field constraints required by the bus protocol are included. For example, the sof field is set to 0 per the CAN bus protocol. For purposes of the CRC calculation, the unused bits are also constrained to 0 since zeros are passed over in the CRC calculation.

Notice that the packet's payload, which can be up to 8 bytes in a basic CAN bus frame, is specified using only one named property, prop\_data. This property will be applied multiple times for each byte in the payload. Since we wish to transfer just random data, we are using an unconstrained formal control point, random\_data, and assigning it for our data payload. For calculating the CRC, we define a local variable called crc, which will be assigned the calculated CRC value for the CAN frame. The CRC calculation is performed using a function, which is shown in the last step. By themselves, these named properties do nothing, but in the next step, we apply these properties to each element of the packet array so formal knows how to generate the valid CAN frame.

# D. Apply the packet constraints

The next step is to apply the property constraints defined above. This is where the actual packet or frame is defined. When we verify our design, we want to check that both the valid and invalid packets are handled correctly;

however, it is easier to define the valid packets since they are generally fully specified. For now, our focus will be on defining valid packets, but later we will show how to generate illegal packets.

The key to creating a packet or frame is defining a top level property with conditional statements<sup>4</sup>. Here is what our CAN frame property looks like:

```
303
304
     // (4) Apply packet constraints
305
     // -----
306
     property prop pkt(n);
       307
308
310
        else if ( ( payload size == 0 ) && ( packet info[n].kind == CTRL) ) prop crc h(n+1)
311
         \textbf{else if ( (payload_size > 0 ) \&\& (packet_info[n].kind == CTRL) ) prop_data(n+1) } 
312
       else if ( (( payload size+3) > n) && ( packet info[n].kind == DATA )) prop data(n+1)
313
       else if ( (( payload size+3) <= n) && ( packet info[n].kind == DATA )) prop crc h(n+1)</pre>
       314
315
316
       else if ( packet_info[n].kind == CRC_DELIMITER ) prop_ack(n+1)
317
       else if ( packet info[n].kind == ACK ) prop eof(n+1)
318
        else if ( packet info[n].kind == EOF
                                           ) prop ifs(n+1)
319
        else
                                             prop none(n+1);
320
     endproperty
```

The first element in the packet\_info array needs set and then all the other constraints fall into place. The code for that is shown in a later step, but Figure 5 illustrates how the prop\_pkt property is applied to the packet\_info array, and how the n+1 index actually sets the element type for the *next element* in the array. The prop\_pkt property is applied to all packet elements, which is shown in the final step.



Figure 5: How the prop pkt property sets each element in the packet info array.

#### E. Model the packet driving logic

Sending the packet is easily accomplished with some synthesizable SystemVerilog helper code. The helper code also handles the bit stuffing used by the CAN bus protocol. Bit stuffing is used to maintain synchronization by

<sup>&</sup>lt;sup>4</sup> SVA allows a *case* statement within a property, but not all formal tools currently support it.

inserting a bit of the opposite polarity every time 5 consecutive bits of the same polarity are transmitted. It is slightly more complicated because bit stuffing is not used while transmitting the fixed length part of the frame from the CRC delimiter to the inter-frame spacing [2]. Plus, the bit stuffing is not used in the calculation of the CRC.

The CAN bus sends one bit of data at a time. Stepping through the CAN frame is accomplished using two pointers—one that specifies the unpacked dimensions of the packet array and one that steps through the packed dimensions of each array element. The unpacked dimension pointer is p in the following code, and n represents the packed dimensions pointer. Instead of driving directly onto the tx output port, an intermediate signal tx\_out is used, and then assigned to the tx output using a formal constraint in the next step. The reason for this is to simplify the helper code modeling and give the flexibility of controlling the output easily with additional formal constraints. A transmitted bit counter, tx\_bits, is maintained for determining the end-of-frame as shown above on line 17 of the example code. For completeness, the bit stuffing code is included, but it is slightly greyed out to focus on the packet driving logic.

```
// -----
321
322
     // (5) Model the packet driving logic
     // -----
323
     324
     bit [3:0] p;
325
326
     bit [2:0] n;
          prev_tx;
                     // Extra bit stuffing logic in grey
     bit
     bit [2:0] same;
328
329
330
     always @(posedge clk or posedge rst)
331
     begin
332
       if ( rst ) begin
333
          tx out <= '0;
334
               <= '0;
          р
335
               <= $bits(pkt item t) - 1'b1;
          tx bits <= '0;
336
          prev_tx <= '0;
          same
                <= "0;
338
339
       end
340
       else begin
341
       // -----
342
       // Transfer the data
343
       // -----
344
       if ( pkt_vld ) begin
345
346
347
348
          // Insert bit stuffing
          if (( packet info[p].kind inside { [SOF:CRC L] } ) && ( same == 5 )) begin
            tx_out <= ~prev tx;</pre>
            same <= '0;
354
            prev tx <= ~prev tx;</pre>
          else begin
358
359
            // Drive the packet data
360
            tx_out <= packet[p].qbits[n];</pre>
361
            // Keep track of how many bits sent
362
363
            tx bits <= tx bits + 1'b1;
364
365
            // Update pointers
            if ( ( $bits(pkt item t) - n ) == packet info[p].length ) begin
366
               if ( packet_info[p].kind == NONE )
367
368
                  p <= '0;
                                        // Wrap back to beginning
```

```
369
                   else
370
                       p \le p + 1'b1;
                                                      // Next packet item
371
372
                   n <= $bits(pkt item t) - 1'b1; // Start with the top bit</pre>
373
                end
374
                else begin
375
376
                    // Next bit in the packet item
377
                   n <= n - 1'b1;
378
                end
379
                // Bit stuffing tracking
                if ( packet[p].qbits[n] == prev tx ) begin
                           <= same + 1'b1;
                   same
                end
384
                else begin
                   same
                            <= '0;
                   prev tx <= packet[p].qbits[n];</pre>
                end
388
              end
389
            end
390
            else begin
391
392
               // Clear when not valid
                        <= '0;
393
               р
394
                        <= $bits(pkt_item_t) - 1'b1;
               n
               prev tx <= '0;
                        <= '0;
397
            end
398
          end
399
      end
```

The packet driving logic is highlighted on line 360. The pointers p and n are incremented through the packet, and unused bits are skipped over by looking at the length of each array element as defined in the packet\_info array (line 366). Formal synthesizes this code into the logic shown in Figure 6.



Figure 6: Diagram of the modeling code used to drive the packet data.

For the bit stuffing logic in grey, the data transmitted is saved in prev\_tx and a counter called same keeps track of the number of consecutive occurrences of the same polarity. When the counter reaches 5, data of the opposite polarity is driven onto the output except during the fixed length parts at the end of the frame.

## F. Generate the packet

With everything in place, the last and final step is to add the formal constraints to create the packet of data. First, the packet needs to be initialized:

Constraint  $asm_pkt_init_start$  assigns the first element in the packet to be a start-of-frame. The last element in the packet array is assigned to be of type NONE, meaning that it is an unused element. The reason for including the extra element at the end of the packet array ( $NUM_ITEMS+1$ ) is because the packet constraints use n+1. Since the properties need to be synthesizable, the extra element is added so that no index out-of-bounds error is generated when referencing packet[n+1] or packet\_info[n+1]. In the above code, prop\_none ( $NUM_ITEMS$ ) initializes that last element to NONE since it is not used.

Next, each element in the packet is constrained using the prop pkt property discussed previously:

```
407
      // Create the packet/frame
      for (genvar i = 0; i < NUM ITEMS-1; i++ )</pre>
408
409
      begin : pkt init
410
         asm init pkt : assume property ( pkt sof |-> prop pkt(i) );
411
      end
412
      asm_set_total frame length :
413
414
                       assume property ( total bits == packet info[0].total length );
415
                         : assume property ( payload_size inside { [0:8] } );
416
      asm payload size
      asm payload size stable: assume property ( pkt vld |-> $stable(payload size) );
417
```

The generate block handles the packet initialization by assigning the prop\_pkt property constraint to each element. Recall, the total\_length bit count represents the total number of bits in the frame from that position onwards. Therefore, the total length can be found in element 0 of the packet\_info array as shown on line 414. The total\_bits variable is set with this assumption and then used to control the end-of-frame signal when the number of transmitted bits (tx\_bits) reaches total\_bits. In order to constrain the payload size (i.e., number of data elements), the payload is constrained on line 416.

While the asm\_init\_pkt constraint initializes most of the frame, the CRC still needs to be calculated. A synthesizable function is defined which incrementally calculates the CRC using one byte at a time. While the specific implementation is not important, it is included here for reference as an example for calculating CRC or checksum:

```
418
     // -----
     // CRC functions
419
     // The following is taken from http://blog.qartis.com/can-bus
420
421
     function bit [15:0] can crc next(bit [15:0] crc, bit [7:0] data);
422
423
        crc ^= 16'(data) << \overline{7};
424
425
        for ( int i = 0; i < 8; i++ ) begin
426
            crc <<= 1;
            if ( crc & 16'h8000 ) begin
427
              crc ^= 16'hc599;
428
429
            end
430
        end
431
        return (crc & 16'h7fff);
432
     endfunction : can_crc_next
433
```

```
function bit [15:0] calc crc();
435
          calc crc = '0;
436
437
          calc crc = can crc next( calc crc, { '0, packet[1].qbits[7:6] });
          calc_crc = can_crc_next( calc_crc, { packet[1].qbits[5:4],
438
439
                                                packet[2].qbits[7:2] });
440
          calc crc = can crc next( calc crc, { packet[2].qbits[1:0],
441
                                                packet[3].qbits[5:0] });
442
443
          for ( int i = 4; i < 12; i++ ) begin
444
              if (( payload size + 4 ) > i ) begin
445
                 calc crc = can crc next( calc crc, packet[i].qbits );
446
              end
447
          end
448
      endfunction : calc crc
449
```

Recall on line 248, a variable named crc was defined and used within the named properties prop\_crc\_h and prop crc 1. This variable can now be set using the calc crc() function:

```
450  // Generate the CRC
451  asm_calc_crc: assume property ( pkt_vld |-> crc == calc_crc() && $stable(crc) );
452
```

With the CRC constrained, the frame is now complete. A formal constraint is used to assign the  $tx_out$  variable to the tx output, and the packet needs to be held stable during the packet transfer or formal will continue to change the packet structure each clock cycle:

```
// Drive the frame
asm_drive_data : assume property ( pkt_vld |-> tx == tx_out );
asm_undriven : assume property ( !pkt_vld |-> tx == 1'b1 );
asm_pkt_stable : assume property ( pkt_vld |-> $stable(packet) );
asm_pkt_info_stable: assume property ( pkt_vld |-> $stable(packet_info) );
asm_pkt_info_stable: assume property ( pkt_vld |-> $stable(packet_info) );
```

The asm\_drive\_data constraint performs the actual driving of the data to the output. The CAN bus protocol specifies a value of 1 when not driving so asm undriven provides that functionality.

## G. Check the packets

The last and final step is to write the actual formal assertion or cover properties to perform the formal verification. If driving into a packet parser, the design would typically include a status signal to indicate whether a packet has been successfully received and parsed. In that case, a typical assertion would be to assert that the status signal never indicates an error since we have defined only valid, legal packets. For this CAN bus example, we define a cover property to generate a waveform of the frame:

```
459 // Generate waveform of frame
460 cov gen packet: cover property ( prop transfer );
```

The cover property waveform is shown in Figure 7. The packet\_info shows how the formal constraints have built the packet, specifically the type or kind of each element, which is used for constraining the packet elements. The union member qbits is used to drive the value onto the tx output, which is highlighted in blue in the waveform.

One modification to consider is the ability of specifying bad packets or frames for testing the design's handling of bad input. We start by defining a flag that specifies if the packet is valid (good) or invalid (bad):

```
461 // Used by formal tool to select good or bad packets
462 enum bit { FALSE = 0, TRUE = 1 } pkt good;
```



Figure 7: Example CAN frame generated by formal using a cover property.

Next, we modify the properties we already defined, creating a new property that will set the kind, length, and call our previous properties. For example,

```
189  property prop_sof(n);
190  seq_kind(n,SOF) and
191  seq_length(n,1) and
192  (packet[n].sof.sof == '0) and
193  (packet[n].sof.unused == '0);
194  endproperty
```

# Is changed to:

```
189
     property prop sof(n);
190
        (packet[n].sof.sof == '0) and
191
        (packet[n].sof.unused == '0);
192
     endproperty
193
194
      // Add new property
195
     property prop_pkt_sof(n);
195
         seq kind(n,SOF) and
196
         seq length(n,1) and
197
        if ( pkt_good )
                             prop_sof(n)
198
                          not(prop sof(n));
         else
199
     endproperty
```

The pkt\_good flag tells formal to use the valid packet constraints or set it to the opposite. Once we modify each constraint, we modify the pkt\_prop constraint to call the new properties instead (e.g., prop\_pkt\_sof shown above). Then to generate a good or bad packet, we just include the prop\_good flag in the assertions or cover property:

```
cov_gen_good_packet : cover property ( pkt_good and prop_transfer );
cov gen bad packet : cover property ( not(pkt good) and prop transfer );
```

The not (pkt\_good) causes formal to set pkt\_good == FALSE, which in turn affects the conditional statements in the packet properties. With pkt\_good set to false, only invalid packet data will be generated.

In this example, only cover properties have been shown, but this could easily be applied to assertions and checking the design. For example, we could assert that when a packet or frame is bad (i.e., not (pkt\_good)), the packet is caught by the parser and marked as malformed:

```
465
      // Define a sequence to indicate the design is parsing the packet
466
      property pkt parsing;
467
         !parse[*0:$] ##1 parse[*1:$] ##1 !parse;
468
      endproperty
469
470
      ast bad pkt marked malformed :
471
         assert property ( not(pkt good) && pkt sof && pkt valid |->
472
                                              malformed signal within ( pkt parsing ));
473
```

### III. RESULTS

Performance between formal tools varies using this approach. Compilation is typically very quick (usually seconds) provided the packet structures are sliced small enough to be efficient for formal. The author has personally used this approach for verifying Ethernet jumbo frames (9000 bytes) on a real-world Ethernet parser. Generating a packet waveform as shown in Figure 7 takes a bit more time. In this example of a CAN bus frame, results vary between the major EDA vendors between 20 seconds to 1 minute. However, for the larger Ethernet example, generation times were typically between 3 to 6 minutes, but formal analysis could take a bit longer for proofs.

Developing the constraints and modeling code discussed in this paper is typically much less time than developing an equivalent UVM environment. For example, this CAN bus example was developed over a couple days, including learning the bus protocol. With this approach, no test cases were needed nor did any corner case need specified. All that is needed is the requirements for the design and the appropriate assertions and cover properties specifying whether to use a good or bad packet. Formal will do the rest and thoroughly test your design without weeks or even months of developing a simulation testbench. The added advantage is that the formal constraints used to specify the packet or frame can also be used with simulation and complement other verification environments. Assumptions specified for formal become assertions in simulations so they can be used as extra checks in simulation to verify that the stimulus was generated correctly.

Indeed, the formal constraints are perhaps the easiest part to this approach. Developing the appropriate modeling code is typically much more time-consuming. In this example, adding in the bit stuffing and the CRC calculation proved to be the more difficult and time-consuming component than developing the constraints.

## IV. SUMMARY

In summary, modeling a packet-based protocol for formal technology can be accomplished using the following seven steps:

- 1. *Model the control logic* this refers to the logic that indicates a valid packet is available, usually including a start of packet, end of packet, and valid signal.
- 2. Define the packet structures break the packet into smaller chunks to reduce the state space. Find a small divisor to break the packets into a manageable size and make all the packet structures that size. If your packet interface transfers 8, 16, or 32 bits at a time, it might be easiest to match the interface bus width.
- 3. *Define the packet constraints* the packet constraints define what are the valid values for each field in the packet.

- 4. *Apply the packet constraints* applying the constraints involves a top-level conditional named property that can apply the constraints to the packet fields based on other fields in the packet, mode bits, or inputs.
- 5. *Model the packet driving logic* this involves writing synthesizable code that drives the packet structures onto the design's packet interface.
- 6. *Generate the packet* generating the packet is accomplished by applying the constraints with assume properties. Generate statements can be a great help when applying packet constraints.
- 7. *Check the packets* lastly, create assertions to check for the correct design behavior when either valid or invalid packets are generated.

While not all data path problems are solvable using formal, this approach demonstrates that with a little ingenuity, a proven methodology, and understanding how a formal tool synthesizes and solves problems, even complicated packet-based protocols are within the possibility of formal verification.

#### REFERENCES

- [1] Wikipedia, "IPv4," [Online]. Available: https://en.wikipedia.org/wiki/IPv4. [Accessed 26 07 2022].
- [2] Wikipedia, "CAN bus," [Online]. Available: https://en.wikipedia.org/wiki/CAN\_bus. [Accessed 28 July 2022].