00:37 <_whitenotifier-4> [amaranth] wanda-phi opened pull request #1556: mailmap: fix up some identities. - https://github.com/amaranth-lang/amaranth/pull/1556

00:43 <_whitenotifier-4> [amaranth] github-merge-queue[bot] created branch gh-readonly-queue/main/pr-1556-e2eca4a44c4651b273e0da1013cb7ea72a1941ea - https://github.com/amaranth-lang/amaranth

00:49 <_whitenotifier-4> [amaranth-lang/amaranth] github-merge-queue[bot] pushed 1 commit to main [+1/-0/±0] https://github.com/amaranth-lang/amaranth/compare/e2eca4a44c46...a570317c365a

00:49 <_whitenotifier-4> [amaranth-lang/amaranth] wanda-phi a570317 - mailmap: fix up some identities.

00:49 <_whitenotifier-4> [amaranth] whitequark closed pull request #1556: mailmap: fix up some identities. - https://github.com/amaranth-lang/amaranth/pull/1556

00:49 <_whitenotifier-4> [amaranth] github-merge-queue[bot] deleted branch gh-readonly-queue/main/pr-1556-e2eca4a44c4651b273e0da1013cb7ea72a1941ea - https://github.com/amaranth-lang/amaranth

00:51 <_whitenotifier-4> [amaranth-lang/amaranth-lang.github.io] whitequark pushed 1 commit to main [+0/-0/±35] https://github.com/amaranth-lang/amaranth-lang.github.io/compare/0a6b022f292f...771953d87202

00:51 <_whitenotifier-4> [amaranth-lang/amaranth-lang.github.io] github-merge-queue[bot] 771953d - Deploying to main from @ amaranth-lang/amaranth@a570317c365acacd67c52521e0eeab2605714235 🚀

08:50 <_whitenotifier-4> [YoWASP/yowasp.github.io] whitequark pushed 1 commit to main [+0/-0/±1] https://github.com/YoWASP/yowasp.github.io/compare/e0629fda4c69...ab7289f889bc

08:50 <_whitenotifier-4> [YoWASP/yowasp.github.io] whitequark ab7289f - Update for `nextpnr-himbaechel-gowin`.

08:54 <_whitenotifier-4> [YoWASP/yowasp.github.io] whitequark pushed 1 commit to main [+0/-0/±1] https://github.com/YoWASP/yowasp.github.io/compare/ab7289f889bc...3856ace32dcf

08:54 <_whitenotifier-4> [YoWASP/yowasp.github.io] whitequark 3856ace - Fix the NPM badge for Yosys.

15:07 <vup> so regarding https://github.com/amaranth-lang/amaranth/issues/1555, what would the overall goal be for the formal verification story with amaranth? Should there eventually be support for things like formal cutpoints? Furthermore, should different backends be supported? Right now its tied quite closely to yosys / sby, although with a small helper module implementing the `$any{const,seq}` modules, it also works with jasper for example. I guess the main

15:07 <vup> question there would be if the yosys verilog backend should / will ever be able to emit these cells in form of `assume`.

15:07 <vup> Finally it would be nice if the `assume`,`cover`,`assert` cells could be given a label that is propagated to a statement label in the generated verilog, but this is again mostly a yosys `write_verilog` issue I assume.

15:08 <whitequark[cis]> I thought the label does propagate, or maybe I misremember?

15:09 <whitequark[cis]> ah I think we may've moved that around during the NIR migration

15:09 <cr1901> And some ppl here are... not fans of sby, putting it mildly

15:10 <whitequark[cis]> I used to think formal was annoying until I realized using yosys-smtbmc directly made it much easier!

15:10 <whitequark[cis]> well, it's still annoying but in more interesting ways that don't involve subdirectories and subprocesses

15:10 <whitequark[cis]> basically, the big issue with formal support right now is that there is no coherent use model

15:10 <cr1901> https://github.com/cr1901/spi_tb/ same formal checks in sby and yosys-smtbmc directly

15:11 <whitequark[cis]> I've added it long ago as a something between proof of concept and an item to tick, and it has never graduated from that

15:11 <whitequark[cis]> we would need someone, ideally an FV expert, to come up with the answers to the questions: for whom is it built? what problems does it solve? and how does it solve these problems?

15:12 <whitequark[cis]> in particular I think that the idea of "just delegate to sby" goes against our principles of delivering an easy-to-use, hard-to-misuse toolchain because it is quite easy to misuse an sby script, and also the whole thing is really annoyingly non-integrated with things like remote builds or build overrides, etc

15:13 <whitequark[cis]> I think that if I went with launching yosys-smtbmc directly at the time I first implemented this we would've had a much nicer system today even if everything else went unchanged, by the virtue of me being forced to come up with some coherent use model

15:14 <whitequark[cis]> but I guess it's exactly because I didn't have that that we ended up with delegating to sby

16:29 <vup> whitequark[cis]: not sure how it would, I don't even see code that would emit labels in the `write_verilog` backend, (Im not talking about the assertion message just to be clear)

16:40 <vup> also I never get yosys-smtbmc to prove anything for me, `abc pdr` has been much more successful, but maybe I am just holding it wrong?

16:42 <catlosgay[m]> this is roughly expected, the algorithms in yosys-smtbmc are much less powerful (even abc pdr isn't exactly state of the art, but most of the more modern open source model checkers are riddled with bugs in my experience)

16:42 <catlosgay[m]> yosys-smtbmc is relatively stable and bug free though (most bugs affecting yosys formal verification tend to be in yosys in my experience)

17:05 <cr1901> vup: Try my linked repo for a known-working example of k-induction. Unfortunately, that's the most powerful algorithm I know, and I've not had the bandwidth to really try and understand anything more difficult

17:06 <cr1901> working example of k-induction using yosys-smtbmc*

17:07 <cr1901> OTOH, I've never really used abc directly, and kinda don't want to after hearing horror stories lmao

18:09 <_whitenotifier-4> [amaranth-boards] cr1901 commented on pull request #214: Add MachXO2 Breakout board - https://github.com/amaranth-lang/amaranth-boards/pull/214#issuecomment-2622478867

18:10 <vup> cr1901: do you have an example with a async reset? I think my problem with smtbmc always goes back to that. For example this https://paste.niemo.de/raw/dabisanozu.sv fails with it, but succeeds with `abc pdr`

18:11 <cr1901> No, no examples with async reset. Would have to play around with them to comment further

18:14 <vup> okay, thank you anyways :)

18:14 <catlosgay[m]> to use an async reset you want to use async2sync in your yosys script (if you only have one clock domain). if you have multiple clock domains/clock gating you need to use clk2fflogic at the moment instead. these correspond to multiclock off/on in sby

18:15 <catlosgay[m]> having said that that example snippet wont behave well anyway, the whole formal timestep bit is entirely unnecessary

18:16 <cr1901> Doesn't help that I don't know SV; I've never seen (* gclk *) as opposed to $global_clock, and I don't know what always_ff does compared to an always block

18:17 <catlosgay[m]> gclk is a yosys extension iirc, entirely unnecessary for this

18:18 <catlosgay[m]> yosys does seem to choke on this particular design due to how it does check cell lowering, gimme a sec and i can try to work out why

18:19 <vup> catlosgay[m]: yeah I put `multiclock on` in my sby file. And removing the (* gclk *) part does not change anything about induction failing.

18:20 <catlosgay[m]> yeah but the gclk part does nothing to help at all

18:20 <catlosgay[m]> induction fails because smtbmc doesnt implement a complete k-induction algorithm, if the design can stall and indefinitely make no progress k-induction will never pass with smtbmc

18:20 <cr1901> Is gclk supposed to be different from $global_clock?

18:20 <cr1901> > if the design can stall and indefinitely make no progress

18:21 <cr1901> This is where I got stuck learning more

18:21 <cr1901> it feels like that's an inherent limitation to k-induction

18:21 <cr1901> if the design can get stuck in a loop, it doesn't matter if that actual state is unreachable from reset; k-induct will fail

18:21 <cr1901> but how do you avoid getting stuck in a loop?

18:22 <catlosgay[m]> you add constraints to prevent it being stuck in a loop

18:22 <catlosgay[m]> lemme find the paper one sec

18:23 <catlosgay[m]> https://www.cse.chalmers.se/edu/year/2011/course/TDA956/Papers/TIP.pdf sections 2.2 and 4.2 of this

18:23 <catlosgay[m]> fwiw that particular example you posted does seem to be hitting a bit of a bug, async2sync should be able to handle that

18:23 <catlosgay[m]> i can write it up as an issue in a little bit

18:24 <vup> can you give me an example of what assertion I would add to make this work? (I guess something around rst not being hold indefinitely and the clk actually toggeling?)

18:26 <catlosgay[m]> the right assertion to add is one that blocks states that the solver shows in the inductive counterexample that aren't actually reachable

18:26 <catlosgay[m]> unfortunately multiclock on adds these states in a way you cant do much about, its a known limitation that smtbmc will never get proofs with multiclock on

18:26 <catlosgay[m]> really for that example you should be using multiclock off, theres just a bug in yosys it seems at the moment

18:27 <cr1901> Section 2.2 looks like a definition of temporal induction

18:27 <vup> yeah I hit that bug and thats why I made it multiclock on

18:29 <vup> okay, so adding `always assert (counter <= 10)` makes its actually able to proof it. But for a complex design having to add all these helping asserts seems quite unfortunate.

18:29 <vup> Is there any advantage to using smtbmc instead of `abc pdr`, which seems to be able to handle this without any help?

18:29 <catlosgay[m]> cr1901: its the unique states part that smtbmc doesn't implement which is needed for complete k-induction

18:30 <catlosgay[m]> not really, i think smtbmc is more stable and its word level so it can handle arrays better but otherwise pdr is more powerful

18:30 <cr1901> Ahhh. Yea, I'm gonna have to chew on this for a while then

18:30 <catlosgay[m]> the helper assert sitution is definitely unfortunate, the state of formal with yosys from a practical standpoint is generally painful

18:31 <catlosgay[m]> fwiw with the work i do I output btor2 from yosys and then run academic model checkers like avr, pono and rIC3

18:31 <catlosgay[m]> but this tends to require quite a lot of manual work configuring the yosys script correctly, its definitely not an intuitive flow

18:32 <cr1901> It's ironic because smtbmc has genuinely helped me find bugs. I don't want to have to annotate the output SMTv2s by hand, which is what yosys-smtbmc does (--dumpsmt2)

18:32 <catlosgay[m]> actually on that previous example, if you do want to get it to prove with smtbmc with multiclock on, you can use the kind of things you wrote before, something like... (full message at <https://catircservices.org/_irc/v1/media/download/Ac2y-U0dG1BHZV88hgnUG6JpSj-DKAZdejhIBMQnoYnXbHcq7yboI6C4EvEoP5nNpkI5NH4alTbaJaqVjYw0Vie_8AAAAAAAAGNhdGlyY3NlcnZpY2VzLm9yZy9DZ1VvYmx3S1FBTHFhcUlJZkJLV1ZmQk4>)

18:33 <catlosgay[m]> cr1901: im not quite sure i follow. the alternative to smtbmc isnt annotating smt2 by hand, its using other output formats like btor with btor solvers

18:33 <cr1901> I don't understand the btor format, and not sure I am in a position to sit down and really study it :P

18:34 <catlosgay[m]> its just another word level netlist format like rtlil or others but specifically for hardware formal verification

18:34 <vup> yeah I used rIC3 with sby recently and it was incredibly more quick than `abc pdr`. Although that did used aiger. btor is wordlevel compared to aiger, right? Does that help with rIC3, I thought that just does btor2aiger as the first step?

18:34 <catlosgay[m]> its basically the bitvector and array logics from smt2 extended with state elements and properties

18:35 <catlosgay[m]> yeah rIC3 eagerly encodes to aiger, so it also cant handle things like arrays, but as a bit level solver its probably the best going atm

18:35 <catlosgay[m]> (although its license terms are weird and potentially not enforceable)

18:35 <cr1901> catlosgay[m]: A lot of this is "I'm used to the smtbmc flow, even if it's flawed, and I think I'll get overwhelmed trying to learn if I deviate too far from it". 1/2

18:36 <catlosgay[m]> there are people with plans to improve these types of things but i dont think they will materialise for a while

18:36 <cr1901> Maybe it might not be a good use of my time, but looking at the uniqueness constraints that smtbmc doesn't have and trying to figure out how to _add_ that to the smt files is a good first step where I won't get overwhelmed

18:37 <cr1901> Maybe it might not be a good use of my time <-- in that it's useful to others, I seem to be one of the few ppl who has a high opinion of smtbmc

18:38 <cr1901> Anyways, thanks for the paper... it'll be very useful now that you pointed out the differences :P

18:38 <catlosgay[m]> this is the nature of being at the intersection of a fairly technical/theory heavy field which not too many people are familiar with and working on open source tooling where the few people that are interested in this stuff either go to industry to be paid more or are in academia where the incentives aren't well aligned with high quality open source development

18:39 <catlosgay[m]> https://github.com/YosysHQ/yosys/pull/3504 smtbmc already has this to try to detect if the counterexample is failing the uniqueness constraint

18:39 <catlosgay[m]> i believe the view when it came up before was that you don't actually have a clear view of what the state elements are in the smt2 output so doing the simple path constraints is a bit of a pain, but maybe you can work it out

18:40 <catlosgay[m]> an alternative could be to extend sby's `btormc` support to also support `btormc --kind --simplepath`. `btormc` is a (faster) implementation of the same algorithms as smtbmc but using the btor output and is already supported in `bmc` mode, just not in `prove` mode

18:40 <cr1901> (To be explicit for future-me: that PR is doing detection only and will warn you that "yosys-smtbmc can't handle this")

18:45 <cr1901> I thought state was implemented as a bunch of declare-funs with constraints- i.e. "let the solver decide how to represent state". It's been a while since I took a look however.

18:49 <catlosgay[m]> yeah, maybe the issue was actually in checking equality of arrays or something. it has similarly been a while since i looked inside smtbmc so i dont remember

18:51 <cr1901> That makes two of us :P; I don't know if I'd succeed in adding the uniqueness constraints to smtbmc. I just need to be careful not to overwhelm myself.

18:53 <catlosgay[m]> if you do, make sure you check section 4.2 of that paper cos eagerly adding the constraints doesn't work well for performance, you have to do it incrementally :>

18:54 <cr1901> Never can be simple, huh :P?

18:55 <catlosgay[m]> i mean you can try it non-incrementally, but my experience is that it greatly overwhelms the solver

18:55 <vup> (ah I remember why I added the gclk rst thing. Its necessary to make `$past` work. `$past` seems to be impossible to be used under async reset, so I have to move to a sync reset process and manually check the reset, which of course breaks if its allowed to deassert rst asynchronously)

18:59 <cr1901> catlosgay[m]: I privmsg'd some exposition to avoid reducing SNR of the room if interested

19:02 <catlosgay[m]> im running through the 1b2 discord bridge so i dont think imma see that unfortunately, wheres it going to?

19:03 <cr1901> Ahhh I was doing an IRC privmsg. You appear to be a Matrix user from my perspective "catlosgay[m]". IRC to Matrix privmsg _does_ work

19:03 <catlosgay[m]> ahh yeah im through two layers of bridges unfortunately

19:06 <catlosgay[m]> vup: have submitted the multiclock bug here https://github.com/YosysHQ/yosys/issues/4875 (wasn't sure what github username to tag you with). not sure if anyone will have a chance to look at it anytime soon but at least its there for now

19:06 <cr1901> Well, the TL;DR version is "learning about SMT solvers from YT videos, and looking at the intermediate outputs from yosys-smtbmc (--dumpsmt2) and yosys (write_smt2) was what got k-induction to click for me. 1/2

19:07 <cr1901> And I've struggled to extend my knowledge beyond that: e.g. AIGER for liveness/s_eventually, even safety and liveness aren't intuitive to me lol"

19:07 <cr1901> Safety: "Bad things can't happen". Yes, that's _technically_ correct. In a temporal induction proof, you're solving to make sure a counterexample (a bad thing) can't occur. But in your Verilog code, you're doing "assert this always occurs" :D.

19:08 <catlosgay[m]> ahh yes, i think me also. despite all its flaws it was playing about with sby that got me into formal and my jobs have been doing various formal things for the last few years as a result

19:08 <catlosgay[m]> good thing always happens and bad thing never happens are just duals right

19:10 <catlosgay[m]> liveness is instead saying good thing eventually happens or equivalently we never stay in bad states forever

19:12 <cr1901> One of my early attempts to understand liveness was in the spi_tb repo I linked... it requires a depth of 180 to pass in it's current form. A lot of that is "waiting for the clock divider to eventually get to 0"

19:12 <cr1901> I wish it was possible for: 1. An SMT solver to realize "oh wait, nothing's going to happen until the clock divider count reaches 0" and skip all those states with just waiting

19:12 <catlosgay[m]> in the finite state setting `a -> eventually b` is equivalent to saying "there is no trace where after a occurs we can stay in a loop where b doesnt occur". because if there was that loop can be extended as much as you like so you can create an arbitrarily long trace that never reaches b

19:13 <cr1901> Hmmmm

19:13 <catlosgay[m]> fwiw commercial tools struggle a lot with liveness too, in the open source world hardly anything supports it and if it does it tends to be buggy or not performant in my experience

19:13 <cr1901> and 2. An SMT solver to be able to realize "for any finite clock divider value, we will eventually make forward progress, so we can prove this core works for all clock dividers > some int"

19:14 <cr1901> Like both of these are "well, duh" things for humans (for want of a nicer term), so why can't the tools see it?

19:14 <catlosgay[m]> yeah thats definitely a hard problem

19:15 <cr1901> > fwiw commercial tools struggle a lot with liveness too <-- well that makes me feel better

19:16 <cr1901> your definition of "a -> eventually b", coupled with the uniqueness constrait that yosys-smtbmc doesn't satisfy gives me some hints to go forward tho (at my own pace :P)

19:18 <cr1901> Maybe I can even apply some of it back to the spi_tb... If I prove that the clock divider always goes to 0 for some large int, then can't I shorten the clock divider int and do k-induct without loss of generality?

19:19 <cr1901> (Btw, I doubt wq minds the OT, but there's an ##smt IRC channel... dunno if avail on the bridge tho)

19:19 <catlosgay[m]> https://fmv.jku.at/papers/BiereArthoSchuppan-FMICS02.pdf you may find this classic paper interesting. it explains how to convert liveness to safety by looking for these "lasso" shapes where you have some finite prefix and then a loop that can be extended arbitrarily without witnessing b. looking for these loops is very similar to the loops in k-induction uniqueness and they serve a similar purpose - a loop is something that

19:19 <catlosgay[m]> doesn't make progress

19:19 <catlosgay[m]> i have to head off in a minute anyway unfortunately

19:19 <cr1901> Will take a look, thanks

22:09 <vup> catlosgay[m]: thanks for filing it. Also thanks for the hints re making smtbmc pass.