AGENTIC AI FOR UVM + FORMAL/SVA

Verification agents
that prove what they generate.

ChipPilot writes UVM sequences, SVA properties, bind files, and formal collateral; runs simulator and bounded proof gates; parses failures; patches artifacts; and delivers PR-ready diffs with evidence attached.

Repo-aware · Tool-gated · On-prem / VPC · Audit-ready
93% · PR-ready first pass
4.2× · faster CEX → patch
600 LoC · policy diff budget
0 · retention by default
A manifesto · for serious verification teams

Suggestions.
Autocomplete.
Vibe-checked diffs.
We ship evidence.

01 · Gate it: If a real tool didn't run, the agent didn't finish.
02 · Cite it: Every artifact carries the file/line evidence a reviewer can chase.
03 · Box it: Network egress and write paths are policy, not vibes.
01 · The Loop

From intent to evidence,
without leaving the loop.

ChipPilot turns a verification intent into a real run on real tools, then a real patch, then a reviewable PR. Every step is named, gated, and recorded — so a DV lead can audit it and a CI can rerun it.

01

Intent

Target module, protocol, and acceptance gate, in natural language.

02

Repo intel

RTL, TB, docs, prior patterns retrieved with file/line citations.

03

Generate

Sequence, property, bind file, assumptions, coverage hooks.

04

Run tools

Simulator compile + elab + smoke, bounded formal proof.

05

Repair

Log- and CEX-driven patch loop, constrained by policy.

06

Evidence

PR-ready diff, transcript, citations, audit trail.

02 · Proof of loop closure

Show the run, the failure,
the patch, the evidence.

The product story doesn't depend on vague AI claims. ChipPilot is built around reproducible artifacts — tool-gated runs, transcripts, file/line citations, counterexamples, and a PR-ready diff.

formal/axi_props.sv SystemVerilog
bounded proof
// AXI ready/valid handshake — refined after CEX at t=18
module axi_props (
  input  logic clk, rst_n,
  input  logic valid, ready
);

  default clocking @(posedge clk); endclocking
  default disable iff (!rst_n);

  // stability: valid must hold until ready
  property ready_hold;
    valid && !ready |=> valid;
  endproperty

  a_ready_hold: assert property(ready_hold);
  c_ready_hold: cover property(ready_hold);

endmodule
transcript · bounded.log
PASS
[04:18:21] orchestrator intent accepted · gate=bounded_proof
[04:18:23] retriever   3 citations · axi_dma.sv axi_agent_pkg.sv axi_bind.sv
[04:18:25] generator   drafted axi_props.sv · 18 lines
[04:18:31] simulator   compile PASS · elab PASS · smoke PASS
[04:18:42] formal      bounded CEX · ready_hold · depth=18
[04:18:43] repair      reading cex.vcd · 1 root cause
[04:18:48] policy      diff=2 LoC · within budget · approved
[04:18:52] formal      rerun · bounded PROVED · depth=32
[04:18:54] evidence    packet ready · attached to PR #1284
evidence_packet.json
PR-ready
Transcript: bounded.log · 12 events · 31 ms
Diff: axi_props.sv · −1 / +1 LoC
CEX trace: cex_18.vcd · depth 18 · 4 signals
Citations: 3 file/line refs · axi_dma · axi_agent · axi_bind
PR · github.com/acme/soc-top#1284
checks: 6/6 · compile · elab · smoke · proved · lint · policy
title: feat(formal/axi): refine ready_hold property
author: chippilot · approved by @ksm
budget: 2 LoC / 600 LoC max
paths: formal/axi_props.sv
Audit-ready
Tool-gated · file/line cited · diff-budgeted · reproducible.
03 · Numbers that matter

The metrics a DV lead
actually reports up.

Representative pilot dashboard shown for product storytelling. Replace with measured results before external launch.

Shown metrics are from controlled pilot/evaluation runs. Production outcomes vary by codebase, toolchain, and policy configuration.

Time-to-close · bounded proofs

Median 4.2× faster than manual triage.

4.2×
04:18 min

From CEX detected to PROVED — read CEX, locate root cause, refine SVA, rerun gate, package evidence.

First-pass PR acceptance

Trending up across pilots.

93%

PRs accepted on first review, without revision rounds.

Median patch size

Tiny, by policy.

3 LoC

Diff budget caps every patch; reviewers don't audit walls of code.

Reproducibility

Bit-for-bit gate reruns.

100%

Every run is a deterministic, reproducible artifact your CI can replay.

run a run b — identical
04 · The problem

Verification is too big
for manual iteration.

DV and formal engineers lose days searching hardware repos, writing repetitive UVM scaffolding, debugging compile and formal failures, tracing counterexamples, maintaining stale plans, and repeating the same fix-verify loop by hand.

compile error
vlog-2730: unknown field axi_cfg.ready_mode
stale plan
reset sequence differs from rtl/top.sv:91
wave debug
ready deasserted while valid remains high
cex depth 18
assertion ready_hold failed
05 · Agents

Purpose-built agents
for UVM, formal, debug,
and regression closure.

Each agent has a job, a set of tools it's allowed to call, and a gate that decides whether its output is accepted. The orchestrator hands work off, collects evidence, and produces a single PR.

UVM Agent · v1.0

Sequences, monitors, coverage.

Generates sequences, tests, monitors, checkers, and coverage hooks. Learns repo patterns, then compiles and smoke-runs the result.

class axi_backpressure_seq
  extends uvm_sequence;
Formal/SVA Agent · v1.0

Properties, binds, proofs.

Writes properties, assumptions, covers, and bind files. Runs bounded formal and refines properties from counterexamples.

assert property(ready_hold);
// depth 32 · proved
Debug Agent · v1.5

Logs, waves, counterexamples.

Parses logs, wave artifacts, and CEX traces. Clusters failures and suggests minimal patches or next experiments.

Regression Agent · v2.0

Prioritize tests, rerun failing seeds, track closure across history.

Schedules and prunes regression sets, reruns failing seeds with new evidence, and tracks closure trends across tool runs and toolchains.

RTL Patch Agent · Controlled / v2.0

Localized RTL patches, always policy-controlled.

Diff budgets, path allowlists, and tool validation before any patch reaches a reviewable PR. Defaults off until you opt in for a target.

// localized · 2 LoC · policy ok
-  ready <= 1'b1;
+  ready <= cfg.ready_mode ? gnt : 1'b1;
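Review bot: on the `+` line, `ready` follows `gnt` whenever `cfg.ready_mode` is set, so it can now deassert where the old code held it at `1'b1`, and neither `gnt` nor `cfg.ready_mode` is declared anywhere in the hunk. Widen the context to show both declarations, and attach a rerun of the ready/valid handshake properties for both values of `ready_mode` before this is treated as a 2 LoC change.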
06 · Positioning

Not a chatbot. Not a copilot.
Not another script farm.

ChipPilot is the verification cockpit that closes tool-backed loops and leaves behind audit-ready evidence — not just suggestions.

Generic AI chat

Good at suggestions.

Can draft code. Usually can't retrieve repo context, run EDA tools, parse failures, patch, and prove the result.

IDE copilots

Helpful at edit time.

Useful in the editor. Weak on end-to-end simulator / formal gates, evidence packaging, and policy control.

Homegrown scripts

Useful but brittle.

Teams already have runners and parsers. Missing: a repo-aware agent that reasons across artifacts and reruns gates.

ChipPilot

Closes the loop.

Intent → repo intel → UVM / SVA generation → real tool run → repair → evidence-backed, PR-ready diff.

07 · Architecture

A policy-controlled
tool loop, where your
IP lives.

The orchestrator sequences planning, repo intelligence, policy checks, simulator and formal runners, failure repair, and the Evidence Graph. Every loop ends in a reviewable evidence packet.

Tool plane
Simulator Runner: Verilator · Questa · VCS · Xcelium
Formal Runner: SBY · Jasper · Questa Formal
UI / CLI / IDE: intent intake
Control plane

Orchestrator

Closes the loop from intent to tool run to repair to evidence-backed review.

planner · policy firewall · Evidence Graph
PR / Evidence Packet: diff · report · citations
Intent → Plan → Retrieve → Run tools → Repair → Evidence
Agent services
01 · Planner: breaks intent into gated steps
02 · Repo Intelligence: RTL / TB / docs with file-line citations
03 · Policy Firewall: allowlists commands, paths, and diff budget
04 · Simulator Runner: compile, elab, and smoke simulation
05 · Formal Runner: bounded proof and property sanity gates
06 · Log / CEX parser: clusters errors and counterexamples
07 · Evidence Graph: links intent, citations, patches, and gates
08 · Artifact Store: transcripts, patches, evidence bundles
Policy firewall active
network egress gated · write paths scoped · tool gate required
08 · Toolchain

Real EDA runners,
policy-gated by default.

ChipPilot is judged by the gates it can drive. Open-source backends ship as the local default; commercial adapters live behind your license boundary.

Open-source simulation

local default

Lint, compile, and smoke loops when approved in policy. Runs in a sandboxed worker.

Open-source formal

bounded

Proof sanity where an approved local backend is available. Bounded depth configurable per gate.

Enterprise simulators

adapter

Policy-gated runner adapters for private infrastructure. License auth stays inside your env.

Enterprise formal

adapter

Adapter pattern for teams with licensed formal tools. Same gate contract as the local path.

Review systems

github · gitlab

PR with the evidence report, transcript, citations, and diff summary attached.

Repo connectors

git · perforce

Read-only ingest by default. Allowlisted write paths once a target is approved.

09 · Security

Built for protected
silicon IP.

ChipPilot runs where your IP already lives. On-prem, private cloud / VPC, or hybrid routing — with no-retention mode, RBAC, audit logs, secret redaction, network egress disabled, write-path allowlists, max diff budgets, and mandatory tool gates.

On-prem
Private cloud / VPC
Hybrid routing
No-retention mode
RBAC
Audit logs
Secret redaction
Network egress disabled
Write path allowlist
Tool gate required
security control plane active
network egress: disabled
write path allowlist: dv/** · tb/** · formal/**
max diff budget: 600 LoC
tool gate required: enabled
no-retention mode: enabled
RBAC: enabled
audit logs: enabled
secret redaction: enabled
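A sketch of the check the panel above implies, added here as an illustration and not ChipPilot's own code: it validates a git-style unified diff against the write-path allowlist and the 600 LoC budget shown above. The function names, the handling of only `root/**` patterns, and counting added plus removed lines toward the budget are assumptions.

```python
import posixpath
import re
# Policy values shown in the page's control-plane panel.
WRITE_ALLOWLIST = ("dv/**", "tb/**", "formal/**")
MAX_DIFF_LOC = 600
HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")
PATH_HEADERS = ("--- ", "+++ ", "rename from ", "rename to ", "copy from ", "copy to ")
# Constructed sample patch (not taken from a real repo).
SAMPLE = ("--- a/formal/axi_props.sv\n+++ b/formal/axi_props.sv\n@@ -12 +12 @@\n"
          "-  assume ready |-> valid;\n+  valid && !ready |=> valid;\n")

def path_allowed(path, allowlist=WRITE_ALLOWLIST):
    """True only if the normalized repo-relative path is under an allowlisted root."""
    if not path or "\\" in path:
        return False
    norm = posixpath.normpath(path)          # collapses "formal/../rtl" to "rtl"
    roots = [p[:-3] for p in allowlist if p.endswith("/**")]
    return any(norm.startswith(root + "/") for root in roots)

def check_patch(diff_text, allowlist=WRITE_ALLOWLIST, budget=MAX_DIFF_LOC):
    """Return (approved, reasons, changed_loc) for a git-style unified diff."""
    paths, changed = set(), 0
    old_left = new_left = 0                  # lines still owed by the current hunk
    for line in diff_text.splitlines():
        if old_left > 0 or new_left > 0:     # hunk body: never parsed as a header
            if line.startswith("+"):
                new_left, changed = new_left - 1, changed + 1
            elif line.startswith("-"):
                old_left, changed = old_left - 1, changed + 1
            elif not line.startswith("\\"):  # context line counts on both sides
                old_left, new_left = old_left - 1, new_left - 1
            continue
        hunk = HUNK.match(line)
        if hunk:                             # an omitted count means 1
            old_left, new_left = int(hunk.group(1) or 1), int(hunk.group(2) or 1)
        for prefix in PATH_HEADERS:          # rename/copy headers carry paths too
            if line.startswith(prefix):
                name = line[len(prefix):].split("\t")[0].strip()
                if name != "/dev/null":
                    paths.add(re.sub(r"^[ab]/", "", name) if prefix[0] in "-+" else name)
    denied = sorted(p for p in paths if not path_allowed(p, allowlist))
    reasons = [f"path outside allowlist: {p}" for p in denied]
    if not paths:
        reasons.append("no file paths found in patch")   # fail closed
    if changed > budget:
        reasons.append(f"diff of {changed} LoC exceeds budget of {budget}")
    return (not reasons, reasons, changed)

if __name__ == "__main__":
    print(check_patch(SAMPLE))
```

A text-level check like this does not see symlinks inside an allowlisted directory, so the worker that applies the patch still has to confine writes on disk.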
10 · Pilot path

Pilot ChipPilot on
one repo in one week.

A focused evaluation path for UVM + Formal/SVA first. Start read-only, wire the runners, pick controlled target tasks, run gated loops, then review the evidence packet before expansion.

Day 1 — Read-only repo ingest

Index RTL, TB, docs, and verification plans without write access. Confirm redaction and citation behavior.

Day 2 — Configure simulator/formal runners

Attach Verilator or licensed runners behind your boundary with command allowlists and tool gates.

Day 3 — Select UVM/SVA target tasks

Pick one UVM sequence, SVA property, bind file, or compile/elab failure that already costs DV time.

Day 4 — Run gated loops

Generate, compile, smoke simulate, run bounded proof, parse failures, patch, and rerun within policy.

Day 5 — Review evidence packet and decide expansion

Review the transcript, citations, diff, CEX notes, and gate result. Expand only if the evidence is useful.

Request a pilot Runs where your IP lives: on-prem, private cloud / VPC, or hybrid.
11 · Workflow

Four verification loops,
one product surface.

The same control loop drives UVM generation, SVA proofs, compile repair, and CEX triage. Pick a tab to see how the gate produces review evidence.

prompt
Create a backpressure stress sequence for AXI DMA writes.
plan
plan -> inspect axi_agent_pkg.sv
     -> generate sequence
     -> compile tb_top
result
axi_backpressure_seq.sv + coverage hook with file/line citations.
smoke pass · cov hook
generated
class axi_backpressure_seq
  extends uvm_sequence #(axi_item);
  `uvm_object_utils(axi_backpressure_seq)

  function new(string name = "axi_backpressure_seq");
    super.new(name);
  endfunction

  task body();
    repeat (64) begin
      `uvm_do_with(req, {
        burst_len inside {[8:64]};
        ready_gap dist {0 := 10, [1:4] := 40};
      })
    end
  endtask
endclass
prompt
Prove valid is held stable until ready.
plan
formal gate
  -> bounded check launched
  -> evidence captured
result
Property, bind file, assumptions, bounded proof transcript.
proved · depth 32
generated
property ready_hold;
  @(posedge clk) disable iff (!rst_n)
    valid && !ready |=> valid;
endproperty

a_ready_hold: assert property(ready_hold);
c_ready_hold: cover property(ready_hold);

// bind file
bind axi_dma axi_props u_axi_props (.*);
prompt
Repair the generated sequence after compile / elab failure.
plan
vlog-2730 -> field ready_mode not found
          -> patch config reference
result
Minimal diff, rerun transcript, COMPILE GREEN evidence.
compile pass · 1 LoC
diff
// dv/env/axi_seq.sv:42
- if (axi_cfg.ready_mode == FAST) begin
+ if (axi_cfg.bp_mode == FAST) begin
   req.gap = 0;
  end
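Review bot: the `+` line swaps `ready_mode` for `bp_mode` but keeps the comparison against `FAST`, and nothing in the hunk shows that `bp_mode` is declared with the enum that defines `FAST` or that it carries the meaning the sequence intended. Cite the `axi_cfg` field declaration in the PR so the reviewer can confirm this is the right field and not just one that compiles.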
rerun
[04:21:02] simulator compile PASS
[04:21:09] simulator elab    PASS
[04:21:18] simulator smoke   PASS
prompt
Explain this CEX and refine the property.
plan
cycle 18: valid=1 ready=0 data_changed=1
  -> root cause located
  -> SVA refined
result
Root cause, waveform summary, repaired SVA, proof rerun.
cex t=18 · rerun proved
cex waveform (signals: clk, valid, ready, data; marker at cex t=18)
refined property
- assume ready |-> valid;
+ valid && !ready |=> valid;
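Review bot: the `-` line is an `assume` directive while the `+` line is a bare implication with no `assert` or `assume` keyword, so the hunk alone does not say whether the environment constraint `ready |-> valid` was dropped or replaced by a checked property. Include the enclosing `property` and directive lines as context, and state in the PR why removing the assumption is sound, since it changes which input traces the proof covers.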
12 · Packet anatomy

Anatomy of an
evidence packet.

Every closed loop emits a single versioned bundle. Open it and you find the same four things, every time — the artifacts a DV lead would have asked for anyway, only assembled before the review meeting.

01 · Transcript
04:18:42 formal CEX d=18
04:18:43 repair 1 root cause
04:18:48 policy approved
04:18:52 rerun  PROVED
02 · Diff
- assume ready |-> valid;
+ valid && !ready |=> valid;
# formal/axi_props.sv · 2 LoC
03 · CEX trace
clk valid ready cex t=18
04 · Citations
rtl/axi_dma.sv:184
dv/env/axi_agent_pkg.sv:42
formal/axi_bind.sv:17
────────────────────
 sha256 · digest
01

Transcript

Every tool call, gate decision, and policy check, with deterministic timestamps.

.log
02

Diff

Constrained patch within your diff budget and path allowlist. Nothing more.

.patch
03

CEX trace

Counterexample witness — VCD plus a one-paragraph root-cause summary.

.vcd
04

Citations

File / line references the agent retrieved and used. Reviewable in seconds.

.json
13 · For the skeptics

Questions a DV lead
asks on the first call.

We've heard them all. Short answers below; longer ones in the docs and on the pilot call. If your team is harder on this than we are — good. So are we.

Q · 01

Does it hallucinate?

Generation is allowed to be wrong. Acceptance is not. A run isn't finished until the simulator compiles it, the smoke test runs, the property proves, and the diff is within policy. No gate, no PR.

Tool-gated by default
Q · 02

Does my IP leave the building?

No. On-prem and private-VPC deployments are the default. Network egress is a hard-off policy bit. Retention is opt-in. License auth for commercial tools stays in your environment.

Egress = policy
Q · 03

Will it touch my RTL?

Only when you opt in for a target, with a path allowlist and a diff budget. Default is verification collateral only — sequences, properties, bind files, assumes, coverage hooks.

Opt-in · path-bound
Q · 04

Which simulators & formal tools?

Local open-source backends ship as the default. Enterprise simulators and formal tools attach via adapters behind your license boundary. Same gate contract on both paths.

Adapter pattern
Q · 05

What about audit and review?

Every run produces a reproducible evidence packet — transcript, diff, CEX, citations — and reattaches it on every PR. You decide the gate; the agent provides the receipts.

Evidence packets
Q · 06

How do we evaluate it?

Four-day pilot path. One repo, one target, one real gate, one review. No black-box demo. You walk away with the evidence packets whether or not you continue.

4-day pilot path
14 · Engagement

Pilot first.
Expand only with evidence.

Packaging is intentionally pilot-led while the product matures. Treat these as engagement models, not contracted customer pricing.

Pilot

Four-day eval.

Sandbox one repo, pick one target, run one real gate, review one packet.

Scoped · one repo · one week
  • One sandboxed repo
  • UVM + Formal/SVA agents
  • Local sim & bounded formal
  • Evidence packets · audit log
  • White-glove onboarding
Book a pilot
Enterprise

Enterprise review.

Multi-org, multi-region evidence review with custom deployment.

Talk to us · custom · on-prem · hybrid
  • Everything in Team
  • Air-gapped & sovereign deployments
  • SSO · SCIM · org-wide policy
  • SLAs · dedicated support · roadmap influence
  • Regression closure orchestration
Contact sales
15 · Roadmap

From loop closure
to enterprise review.

Released, in development, and on the horizon. Gates expand, deployment surface expands, the loop stays closed.

v1.0 · shipping

UVM + Formal / SVA

Simulator compile / smoke, bounded formal, evidence report, single-repo loop.

v2.0 · in dev

Multi-agent workflows

Spec → verification plan, CEX refinement, debug triage, coverage guidance.

v3.0 · next

Enterprise closure

Regression orchestration, multi-repo, RBAC, policy-as-code, hybrid deployment.

v4.0 · vision

Review-grade evidence

Coverage closure agents, formal review recipes, and tape-out evidence bundles.

16 · Get started

Bring closed-loop AI
into your verification flow.

Runs where your IP lives — on-prem, private cloud, or hybrid.