Verification of Behavioral Consistency in C by Using Symbolic Simulation and Program Slicer
Takeshi Matsumoto, Thanyapat Sakunkonchak, Hiroshi Saito, Masahiro Fujita
The University of Tokyo
Outline
- Introduction
- Basic Notations
- Verification Strategy
- Case Studies
- Conclusion and Future Work
Formal verification in VLSI design
- As VLSI designs become more complicated, verification tasks become more difficult.
- Formal verification has many advantages; however, it is very sensitive to the size of the descriptions.
- Recently, C-based design languages (SpecC, SystemC, ...) are commonly used:
  - easy to learn
  - able to describe HW and SW
C-based design & verification flow
Design flow (each arrow is a refinement step; behavioral consistency is checked across each step):
  Specification in C
    -> Refined description for HW part (removal of pointers and recursive calling)
    -> Refined description with concurrency (introduction of concurrency; SpecC or SystemC may be used here)
    -> To RTL
- Our verification method works in this design flow.
- There are many refinement steps in this flow.
- At each refinement step, the two descriptions are very close to each other.
Target of verification
- In this work, the target of verification is C hardware descriptions (the "Specification in C" and "Refined description for HW part" stages of the flow above):
  - no pointer references
  - no recursive function calls
  - no dynamic memory allocation
- In future, our verification method will be extended to cover the whole design flow, including the refined description with concurrency.
Our proposed method
- We propose a verification method that checks the behavioral consistency of two given C-descriptions:
  - the C-descriptions are restricted for HW
  - verification itself is carried out by symbolic simulation (a formal method)
- Our main interest is to reduce the verification task and realize efficient verification:
  - based on textual differences between the two descriptions
  - code reduction by program slicing
Basic Notations
Symbolic simulation
- In our method, verification itself is carried out by symbolic simulation.
- Variables are treated as symbols rather than bit vectors.
- Symbolic simulation can verify designs more efficiently than traditional simulation.
Example: equivalence checking based on symbolic simulation
Equivalent variables are collected into equivalence classes (Eqv. Class). We are going to check the equivalence between add1 and add2.

  Description 1:          Description 2:
    a = v1;                 add2 = v1 + v2;
    b = v2;
    add1 = a + b;

Symbolic simulation proceeds as follows:
1. Description 1 is simulated:
     E1 (a, v1)
     E2 (b, v2)
     E3 (add1, a+b)
2. Description 2 is simulated:
     E4 (add2, v1+v2)
3. Due to the equivalences in E1 and E2 (a is equivalent to v1, b to v2), E3 and E4 are merged:
     E3' (add1, a+b, add2, v1+v2)
   add1 and add2 are in the same class, so they are equivalent.
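The class merging described above, as an added Python example (not code from the slides or from the authors' tool): a minimal symbolic simulator that treats unassigned names (v1, v2) as free input symbols, rewrites every right-hand side into a canonical expression over those symbols, and keeps one equivalence class per canonical value. Ordering the operands of + and * so that a+b and b+a coincide is an extension assumed here, not something the slides state; the simulator class and its method names are hypothetical.

```python
import ast
from collections import defaultdict

# Constructed input: the two descriptions from the slide, one assignment per line.
DESCRIPTION_1 = ["a = v1;", "b = v2;", "add1 = a + b;"]
DESCRIPTION_2 = ["add2 = v1 + v2;"]

OPS = {ast.Add: "+", ast.Sub: "-", ast.Mult: "*", ast.Div: "/"}


def canonical(node, env):
    """Rewrite a right-hand-side AST into a tuple over the free input symbols.

    Names already assigned are replaced by their symbolic value; names never
    assigned (v1, v2 here) stay as free symbols, i.e. the design's inputs.
    Operands of + and * are ordered so that a+b and b+a coincide (assumed
    extension, not stated on the slides).
    """
    if isinstance(node, ast.Name):
        return env.get(node.id, node.id)
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.BinOp):
        op = OPS[type(node.op)]
        left, right = canonical(node.left, env), canonical(node.right, env)
        if op in "+*":
            left, right = sorted((left, right), key=repr)
        return (op, left, right)
    raise ValueError(f"unsupported expression: {ast.dump(node)}")


class SymbolicSimulator:
    """Hypothetical minimal simulator: equivalence classes keyed by symbolic value."""

    def __init__(self):
        self.env = {}                      # variable -> canonical symbolic value
        self.classes = defaultdict(list)   # symbolic value -> terms in that Eqv. Class

    def simulate(self, lines):
        for line in lines:
            lhs, rhs = (s.strip() for s in line.rstrip(";").split("=", 1))
            value = canonical(ast.parse(rhs, mode="eval").body, self.env)
            self.env[lhs] = value
            # The variable and the text assigned to it join the class of their
            # symbolic value; classes with the same value are thereby merged
            # (E3 and E4 of the slide become E3').
            for term in (lhs, rhs):
                if term not in self.classes[value]:
                    self.classes[value].append(term)
        return self

    def equivalent(self, x, y):
        return self.env[x] == self.env[y]

    def eqv_classes(self):
        return [tuple(terms) for terms in self.classes.values()]


def check_consistency(desc1, desc2, var1, var2):
    """Simulate both descriptions and decide whether var1 and var2 are equivalent."""
    sim = SymbolicSimulator().simulate(desc1).simulate(desc2)
    return sim.equivalent(var1, var2)


if __name__ == "__main__":
    sim = SymbolicSimulator().simulate(DESCRIPTION_1).simulate(DESCRIPTION_2)
    for i, cls in enumerate(sim.eqv_classes(), 1):
        print(f"E{i} {cls}")
    print("add1 == add2:", sim.equivalent("add1", "add2"))
```

Running it prints the three classes of the slide, E1 (a, v1), E2 (b, v2) and the merged E3' (add1, a + b, add2, v1 + v2); swapping the operator in Description 2 to `v1 - v2` produces a fourth class and the check fails.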
Program slicing
- In our method, the code to be symbolically simulated is extracted by program slicing:
  - only the extracted code is simulated for verification
  - program slicing extracts the code that can affect (or be affected by) a variable
- Two kinds of slicing: backward slicing and forward slicing.
Backward slicing
- Backward slicing for a variable v extracts all code that affects the variable v.

    a = 2;
    b = 3;
    c = 5;
    a = a + 10;
    b = a * c;   /start/  (slicing starts here)
    c = c + a;
    a = a * b;
Forward slicing
- Forward slicing for a variable v extracts all code that is affected by the variable v.

    a = 2;
    b = 3;
    c = 5;
    a = a + 10;
    b = a * c;   /start/  (slicing starts here)
    c = c + a;
    a = a * b;
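Both slicing directions on the snippet above, as an added Python example (not part of the slides and not the slicer the authors used): a slicer for straight-line assignments that follows reaching definitions backwards and tainted definitions forwards. The statement `b = a * c;` is taken as the slicing criterion, matching the /start/ marker; the program text is copied from the slides, and the slicer itself and its function names are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed input: the straight-line snippet from the slicing slides.
# Index 4 (b = a * c;) is the slicing criterion, the /start/ marker on the slide.
PROGRAM = [
    "a = 2;",
    "b = 3;",
    "c = 5;",
    "a = a + 10;",
    "b = a * c;",
    "c = c + a;",
    "a = a * b;",
]
START = 4


@dataclass(frozen=True)
class Stmt:
    index: int
    text: str
    defined: str        # variable assigned by this statement
    used: frozenset     # variables read by this statement


def parse(lines):
    """Split 'x = expr;' lines into their defined variable and used-variable set."""
    stmts = []
    for i, line in enumerate(lines):
        lhs, rhs = line.rstrip(";").split("=", 1)
        used = frozenset(re.findall(r"[A-Za-z_]\w*", rhs))
        stmts.append(Stmt(i, line, lhs.strip(), used))
    return stmts


def backward_slice(stmts, start):
    """Indices of statements that can affect the value computed at `start`.

    For every variable read by a statement in the slice, the nearest earlier
    statement defining it (its reaching definition) is added, and so on.
    """
    in_slice = {start}
    worklist = [(start, v) for v in stmts[start].used]
    while worklist:
        at, var = worklist.pop()
        for s in reversed(stmts[:at]):
            if s.defined == var:
                if s.index not in in_slice:
                    in_slice.add(s.index)
                    worklist.extend((s.index, u) for u in s.used)
                break   # earlier definitions of `var` are killed by this one
    return sorted(in_slice)


def forward_slice(stmts, start):
    """Indices of statements affected by the value defined at `start`.

    A variable is 'tainted' while its most recent definition is in the slice;
    a statement reading a tainted variable joins the slice, and a statement
    redefining a variable from clean operands kills the dependence.
    """
    in_slice = {start}
    tainted = {stmts[start].defined}
    for s in stmts[start + 1:]:
        if s.used & tainted:
            in_slice.add(s.index)
            tainted.add(s.defined)
        else:
            tainted.discard(s.defined)
    return sorted(in_slice)


def slice_text(stmts, indices):
    """The sliced program as source lines, in original order."""
    return [stmts[i].text for i in indices]


if __name__ == "__main__":
    stmts = parse(PROGRAM)
    print("backward slice:", slice_text(stmts, backward_slice(stmts, START)))
    print("forward slice: ", slice_text(stmts, forward_slice(stmts, START)))
```

The backward slice keeps `a = 2; c = 5; a = a + 10; b = a * c;` (the first `b = 3;` is dropped because that definition is overwritten before the criterion), and the forward slice keeps `b = a * c; a = a * b;` (`c = c + a;` does not read b, so it is not affected).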
Verification Strategy
Verification flow (1)
  Description 1, Description 2
    -> Pre-processes
    -> Identification of textual differences & ordering them
    -> Output: the set of textual differences (d1, d2, d3, ...)
Identification of textual differences
- First, textual differences are identified by "diff".
- Then, they are sorted in the order of execution.

  Description 1:
    int v1, v2, out, opcode;
    v1 = 3;
    v2 = 5;
    if(opcode == 1) {
      out = v1 + v2;
    }

  Description 2 (the slide marks differences d2 and d3 in this description):
    int v1, v2, out, opcode;
    int reg1, reg2, alu;
    v1 = 3;
    v2 = 5;
    reg1 = v1;
    reg2 = v2;
    if(opcode == 1) {
      alu = reg1 + reg2;
      out = alu;
    }
Verification flow (2)
For the set of textual differences (d1, d2, d3, ...):
1. Is there any difference left? If no, verification terminates successfully.
2. Otherwise, take the next difference and decide its target variables.
3. Backward slicing, then symbolic simulation of the slices:
   - consistency is proved: go back to step 1
   - consistency is not proved: forward slicing, then symbolic simulation again:
     - consistency is proved: go back to step 1
     - consistency is not proved: an erroneous trace is reported
Decision of target variables
- A variable v in a difference d is a target variable when v is defined in both descriptions and assigned in the difference d.
- In the example below, out is assigned in a difference and defined in both descriptions, so it is a target variable; reg1, reg2 and alu are defined only in Description 2.

  Description 1:
    int v1, v2, out, opcode;
    v1 = 3;
    v2 = 5;
    if(opcode == 1) {
      out = v1 + v2;
    }

  Description 2 (differences d2 and d3):
    int v1, v2, out, opcode;
    int reg1, reg2, alu;
    v1 = 3;
    v2 = 5;
    reg1 = v1;
    reg2 = v2;
    if(opcode == 1) {
      alu = reg1 + reg2;
      out = alu;
    }
Case split
The flow above branches after the first symbolic simulation: if consistency is proved, the next difference is taken; if not, forward slicing and a second symbolic simulation are performed, and only if consistency is still not proved is an erroneous trace reported.
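The first half of this flow, identifying and ordering the textual differences and deciding the target variables, as an added Python example (not code from the slides or the authors' tool). It runs the standard library's difflib over the two descriptions from the slides, numbers the differences d1, d2, d3 in textual order (which equals execution order for this straight-line example, as the slides assume), and applies the target-variable rule: assigned inside the difference and declared in both descriptions. The regular expressions, function names and the d1 label for the declaration difference are assumptions of this example.

```python
import difflib
import re

# Constructed input: the two descriptions from the slides, one statement per line.
DESCRIPTION_1 = [
    "int v1, v2, out, opcode;",
    "v1 = 3;",
    "v2 = 5;",
    "if(opcode == 1) {",
    "  out = v1 + v2;",
    "}",
]
DESCRIPTION_2 = [
    "int v1, v2, out, opcode;",
    "int reg1, reg2, alu;",
    "v1 = 3;",
    "v2 = 5;",
    "reg1 = v1;",
    "reg2 = v2;",
    "if(opcode == 1) {",
    "  alu = reg1 + reg2;",
    "  out = alu;",
    "}",
]

DECL_RE = re.compile(r"^\s*(?:int|unsigned|char|long|short)\s+(.*);\s*$")
ASSIGN_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=[^=]")   # a plain '=', not '=='


def declared_variables(lines):
    """Names introduced by simple C declarations such as 'int v1, v2;'."""
    names = set()
    for line in lines:
        m = DECL_RE.match(line)
        if m:
            names.update(n.strip() for n in m.group(1).split(","))
    return names


def assigned_variable(line):
    """The variable assigned by a statement, or None if it is not an assignment."""
    m = ASSIGN_RE.match(line)
    return m.group(1) if m else None


def textual_differences(desc1, desc2):
    """Line-level differences in textual order (execution order for straight-line code)."""
    matcher = difflib.SequenceMatcher(a=desc1, b=desc2, autojunk=False)
    return [
        {"tag": tag, "old": desc1[i1:i2], "new": desc2[j1:j2]}
        for tag, i1, i2, j1, j2 in matcher.get_opcodes()
        if tag != "equal"
    ]


def target_variables(diff, common):
    """Variables assigned inside the difference that both descriptions define."""
    targets = set()
    for line in diff["old"] + diff["new"]:
        v = assigned_variable(line)
        if v in common:
            targets.add(v)
    return sorted(targets)


def plan(desc1, desc2):
    """Number the differences d1, d2, ... and attach each one's target variables."""
    common = declared_variables(desc1) & declared_variables(desc2)
    result = []
    for k, diff in enumerate(textual_differences(desc1, desc2), 1):
        result.append({"name": f"d{k}", **diff, "targets": target_variables(diff, common)})
    return result


if __name__ == "__main__":
    for d in plan(DESCRIPTION_1, DESCRIPTION_2):
        print(d["name"], d["tag"], "targets:", d["targets"])
        for line in d["old"]:
            print("   -", line)
        for line in d["new"]:
            print("   +", line)
```

On the slides' example this yields three differences: the inserted declaration `int reg1, reg2, alu;`, the inserted `reg1 = v1; reg2 = v2;`, and the replacement of `out = v1 + v2;` by `alu = reg1 + reg2; out = alu;`. Only the last one has a target variable, out; reg1, reg2 and alu are declared in Description 2 alone and so do not qualify.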
Case Studies
Case studies
- Our tool implementation has not been completed:
  - a part of the symbolic simulation is implemented
  - program slicing is done by CodeSurfer, a product of GrammaTech Inc.
- We evaluated the efficiency of our proposed method by the amount of code to be verified.
Case study 1: C-model of Huffman decoder
- Two functions were in-lined after refinement.
- 2 differences, 2 target variables.
- An example of the textual differences:
    Original:                 Refined:
      v = show_bits();          v = inbuf[buf_index];
      flush_bits();             buf_index++;
  The declarations of show_bits and flush_bits in the original description are also identified as differences.
- Result: behaviors were consistent.

                Total code    Simulated code    Reduction ratio
    Original    49 lines      21 lines          58%
    Refined     41 lines      11 lines          73%
Case study 2: C-model of MAXSAT solver
- We inserted differences into the original description such that both descriptions were consistent.
- 6 differences, 6 target variables.
- Result: behaviors were consistent.

                Total code    Simulated code    Reduction ratio
    Original    632 lines     131 lines         79%
    Refined     630 lines     129 lines         80%
Conclusion and Future Work
Conclusion and future work
- We proposed a method to verify the behavioral consistency of two given C-descriptions efficiently:
  - the C-descriptions are restricted for HW
  - identification of textual differences and program slicing are applied for efficiency
- Future work:
  - full implementation of the tool set to realize the proposed method
  - extension of the proposed method by introducing concurrency
Thank you very much!!