counter_properties.sv

// Copyright 2019 ETH Zurich and University of Bologna.
// Copyright and related rights are licensed under the Solderpad Hardware
// License, Version 0.51 (the "License"); you may not use this file except in
// compliance with the License. You may obtain a copy of the License at
// http://solderpad.org/licenses/SHL-0.51. Unless required by applicable law
// or agreed to in writing, software, hardware and materials distributed under
// this License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
// CONDITIONS OF ANY KIND, either express or implied. See the License for the
// specific language governing permissions and limitations under the License.

// Author: Robert Balas <balasr@iis.ee.ethz.ch>

module counter_properties #(
    parameter int unsigned WIDTH = 4,
    parameter bit STICKY_OVERFLOW = 1'b0
)(
    input logic             clk_i,
    input logic             rst_ni,
    input logic             clear_i, // synchronous clear
    input logic             en_i, // enable the counter
    input logic             load_i, // load a new value
    input logic             down_i, // downcount, default is up
    input logic [WIDTH-1:0] d_i,
    input logic [WIDTH-1:0] q_o,
    input logic             overflow_o
);

    logic resetting;
    logic count_up;
    logic count_down;

    // very first clock indicator
    logic init = 1'b0;
    always_ff @(posedge clk_i) init <= 1'b1;

    // make sure that we touch the reset but otherwise we don't constrain it in
    // any way
    assume property (@(posedge clk_i) (!init) |-> !rst_ni);

    // if we are not regulary using the counter
    assign resetting = (clear_i || load_i);

    // direction
    assign count_up = en_i && !down_i;
    assign count_down = en_i && down_i;

    // test if we can count up
    assert property (@(posedge clk_i)
        disable iff (!rst_ni)
        (count_up && !resetting) |=> q_o == $past(q_o) + {{WIDTH-1{1'b0}}, 1'b1});

    // and count down
    assert property (@(posedge clk_i)
        disable iff (!rst_ni)
        (count_down && !resetting) |=> q_o == $past(q_o) - {{WIDTH-1{1'b0}}, 1'b1});

    // can we clear the counter synchronously
    assert property (@(posedge clk_i)
        disable iff (!rst_ni)
        clear_i |=> q_o == '0);

    // does loading work, considering that clearing has priority
    assert property (@(posedge clk_i)
        disable iff (!rst_ni)
        (load_i && !clear_i) |=> q_o == $past(d_i));

    // do we set overflow flags correctly
    // if we count up and overflow do we set it?
    assert property (@(posedge clk_i)
        disable iff (!rst_ni)
        (($past(q_o) > q_o) && $past(count_up) && $past(!resetting) && $past(!overflow_o))
        |-> (overflow_o));
    assert property (@(posedge clk_i)
        disable iff (!rst_ni)
        (($past(q_o) < q_o) && $past(count_down) && $past(!resetting) && $past(!overflow_o))
        |-> (overflow_o));

    // in sticky mode the overflow flag can only be cleared with a clear or load
    if (STICKY_OVERFLOW == 1'b1) begin
        assert property(@(posedge clk_i)
            disable iff (!rst_ni)
            (overflow_o && !resetting |=> overflow_o));
    end

    // cover sequence should touch interesting cases
    cover property (@(posedge clk_i)
        overflow_o == 1'b1);
    cover property (@(posedge clk_i)
        clear_i == 1'b1);
    cover property (@(posedge clk_i)
        load_i == 1'b1);

endmodule // counter_properties

// propagate parameters from counter to properties
bind counter counter_properties #(
    .WIDTH(WIDTH), .STICKY_OVERFLOW(STICKY_OVERFLOW)
) i_counter_properties(.*);