Verification of Behavioral Consistency in C by Using Symbolic Simulation and Program Slicer
Takeshi Matsumoto, Thanyapat Sakunkonchak, Hiroshi Saito, Masahiro Fujita
The University of Tokyo
Outline

- Introduction
- Basic Notations
- Verification Strategy
- Case Studies
- Conclusion and Future Work
Formal verification in VLSI design

- As VLSI designs become more complicated, verification tasks become more difficult.
- Formal verification has many advantages; however, it is very sensitive to the size of the descriptions.
- Recently, C-based design languages (SpecC, SystemC, ...) are commonly used: they are easy to learn and able to describe both HW and SW.
C-based design & verification flow

- Our verification method works in this design flow.
- There are many refinement steps in this flow.
- At each refinement step, the descriptions are very close to each other.

Design flow (figure): Specification in C -> (removal of pointers and recursive calling) -> Refined description for HW part -> (introduction of concurrency; SpecC or SystemC may be used here) -> Refined description with concurrency -> To RTL. Each arrow is a refinement step, and behavioral consistency is checked across each step.
Target of verification

- In this work, the target of verification is C hardware descriptions: no pointer references, no recursive function calls, no dynamic memory allocation.
- In future, our verification method will be extended to cover the whole design flow.

Figure: the flow Specification in C -> Refined description for HW part -> Refined description with concurrency, as on the previous slide.
Our proposed method

- We propose a verification method to check the behavioral consistency of two given C descriptions.
- These C descriptions are restricted to HW.
- Verification itself is carried out by symbolic simulation (a formal method).
- The main interest is to reduce the verification task and realize efficient verification, based on textual differences and on code reduction by program slicing.
Next: Basic Notations
Symbolic simulation

- In our method, verification itself is carried out by symbolic simulation.
- Variables are treated as symbols rather than bit vectors.
- Symbolic simulation can verify designs more efficiently than traditional simulation.
Example

This is an example of checking behavioral consistency (equivalence checking) based on symbolic simulation. Equivalent variables are collected into an EqvClass. We are going to check the equivalence between add1 and add2.

Description 1:
    a = v1;
    b = v2;
    add1 = a + b;

Description 2:
    add2 = v1 + v2;

Symbolic simulation, step by step:
1. Description 1 is simulated: E1 (a, v1), E2 (b, v2), E3 (add1, a+b)
2. Description 2 is simulated: E4 (add2, v1+v2) is added
3. Due to the equivalences in E1 and E2, E3 and E4 are merged into E3' (add1, a+b, add2, v1+v2)
Program slicing

- In our method, the code to be symbolically simulated is extracted by program slicing, so only the extracted code is simulated for verification.
- Program slicing extracts the code that can affect (or be affected by) a variable.
- Two kinds of slicing: backward slicing and forward slicing.
Backward slicing

Backward slicing for a variable v extracts all code that affects the variable v.

Forward slicing

Forward slicing for a variable v extracts all code that is affected by the variable v.

Example code used on both slides (the slicing criterion is at the point marked /* start */):
    a = 2;
    b = 3;
    c = 5;
    a = a + 10;
    b = a * c;  /* start */
    c = c + a;
    a = a * b;
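Backward and forward slicing on the example above, as an added Python example (not CodeSurfer and not the paper's tool). It assumes straight-line `x = expr;` statements, so a slice is computed from def/use sets alone; the criterion is the value of a variable just after the statement marked /* start */ (index 4 in the constructed list).

```python
import re

# Added example (not CodeSurfer, not the paper's tool): backward and
# forward slicing over straight-line assignments using def/use sets.

_IDENT = re.compile(r"[A-Za-z_]\w*")


def def_use(stmt):
    """Return (defined variable, set of used variables) for 'x = expr;'."""
    lhs, rhs = stmt.rstrip(";").split("=", 1)
    return lhs.strip(), set(_IDENT.findall(rhs))


def backward_slice(stmts, var, at):
    """Indices of statements that affect the value of var after stmts[at]."""
    du = [def_use(s) for s in stmts]
    slice_, work = set(), [(var, at)]
    while work:
        v, pos = work.pop()
        # the latest definition of v at or before pos is the one that reaches
        for j in range(pos, -1, -1):
            if du[j][0] == v:
                if j not in slice_:
                    slice_.add(j)
                    work.extend((u, j - 1) for u in du[j][1])
                break
    return slice_


def forward_slice(stmts, var, at):
    """Indices after stmts[at] whose result depends on var as left by stmts[at]."""
    tainted, slice_ = {var}, set()
    for j in range(at + 1, len(stmts)):
        d, uses = def_use(stmts[j])
        if uses & tainted:
            slice_.add(j)
            tainted.add(d)
        elif d in tainted:
            tainted.discard(d)  # redefined from clean inputs: dependence killed
    return slice_


# Constructed input: the slide's example; index 4 is the /* start */ point.
CODE = ["a = 2;", "b = 3;", "c = 5;", "a = a + 10;",
        "b = a * c;", "c = c + a;", "a = a * b;"]
START = 4

if __name__ == "__main__":
    print("backward slice of b:", sorted(backward_slice(CODE, "b", START)))
    print("forward slice of b:", sorted(forward_slice(CODE, "b", START)))
```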
Next: Verification Strategy
Verification flow (1)

Inputs: Description 1 and Description 2.
1. Pre-processes
2. Identification of textual differences and ordering them
3. Output: the set of textual differences (d1, d2, d3, ...)
Identification of textual differences

- First, textual differences are identified by "diff".
- Then, they are sorted in the order of execution.

Description 1:
    int v1, v2, out, opcode;
    v1 = 3;
    v2 = 5;
    if(opcode == 1) {
      out = v1 + v2;
    }

Description 2:
    int v1, v2, out, opcode;
    int reg1, reg2, alu;      /* d1 */
    v1 = 3;
    v2 = 5;
    reg1 = v1;                /* d2 */
    reg2 = v2;
    if(opcode == 1) {
      alu = reg1 + reg2;      /* d3 */
      out = alu;
    }
Verification flow (2)

Input: the ordered textual differences (d1, d2, d3, ...).

Loop: is there any difference left?
- No: verification terminates successfully (consistency is proved).
- Yes, for the next difference:
  1. Decision of target variables
  2. Backward slicing
  3. Symbolic simulation: if consistency is not proved, an erroneous trace is reported; if it is proved, continue
  4. Forward slicing
  5. Symbolic simulation: if consistency is not proved, an erroneous trace is reported; if it is proved, return to the loop
Decision of target variables

A variable v in a difference d is a target variable when the variable v is defined in both descriptions and is assigned in the difference d.

In the Description 1 / Description 2 example of the previous slide (differences d1, d2, d3), out is a target variable, since it is assigned in d3 and declared in both descriptions; reg1, reg2 and alu are not, since they are declared only in Description 2.
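Identification of textual differences and the target-variable decision of the previous two slides, as an added Python example (not the paper's tool). It assumes line-oriented descriptions whose textual order is their execution order, declarations without initialisers, and uses Python's difflib as the "diff".

```python
import difflib
import re

# Added example (not the paper's tool): find the textual differences between
# two descriptions with a line diff, keep them in textual order, and decide
# the target variables of each difference: variables assigned inside the
# difference and declared in both descriptions.
# Assumption: declarations look like "int a, b;" without initialisers.

_DECL = re.compile(r"^\s*(?:int|unsigned|char|long|short)\s+([^;]+);")
_ASSIGN = re.compile(r"\b([A-Za-z_]\w*)\s*=(?!=)")  # plain '=' only, not '=='


def declared(lines):
    """Names declared anywhere in the description."""
    names = set()
    for ln in lines:
        m = _DECL.match(ln)
        if m:
            names.update(n.strip() for n in m.group(1).split(","))
    return names


def assigned(lines):
    """Names on the left-hand side of an assignment in these lines."""
    return {m.group(1) for ln in lines for m in _ASSIGN.finditer(ln)}


def differences(desc1, desc2):
    """Textual differences d1, d2, ... as (lines of desc1, lines of desc2),
    in textual order (execution order for this straight-line code)."""
    sm = difflib.SequenceMatcher(a=desc1, b=desc2, autojunk=False)
    return [(desc1[i1:i2], desc2[j1:j2])
            for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]


def target_variables(desc1, desc2, diff):
    """Variables assigned in the difference and declared in both descriptions."""
    common = declared(desc1) & declared(desc2)
    return sorted((assigned(diff[0]) | assigned(diff[1])) & common)


# Constructed inputs: Description 1 and Description 2 from the slides.
DESC1 = ["int v1, v2, out, opcode;", "v1 = 3;", "v2 = 5;",
         "if(opcode == 1) {", "  out = v1 + v2;", "}"]
DESC2 = ["int v1, v2, out, opcode;", "int reg1, reg2, alu;", "v1 = 3;",
         "v2 = 5;", "reg1 = v1;", "reg2 = v2;", "if(opcode == 1) {",
         "  alu = reg1 + reg2;", "  out = alu;", "}"]

if __name__ == "__main__":
    for n, d in enumerate(differences(DESC1, DESC2), 1):
        print(f"d{n}: {d} -> targets {target_variables(DESC1, DESC2, d)}")
```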
Case split

(Figure: the flowchart of Verification flow (2), shown again under this heading.)
Next: Case Studies
Case studies

- Our tool implementation has not been completed; a part of the symbolic simulation is implemented.
- Program slicing is done by CodeSurfer, a product of GrammaTech Inc.
- We evaluated the efficiency of our proposed method by the amount of code to be verified.
Case study 1: C-model of Huffman decoder

- Two functions were in-lined after refinement.
- 2 differences, 2 target variables.
- An example of textual differences:
    Original:  v = show_bits(); flush_bits();
    Refined:   v = inbuf[buf_index]; buf_index++;
  The declarations of show_bits and flush_bits in the original description are also identified as differences.
- Result: behaviors were consistent.

              Total code   Simulated code   Reduction ratio
  Original    49 lines     11 lines         73%
  Refined     41 lines     21 lines         58%
Case study 2: C-model of MAXSAT solver

- We inserted differences into the original description so that both descriptions were consistent.
- 6 differences, 6 target variables.
- Result: behaviors were consistent.

              Total code   Simulated code   Reduction ratio
  Original    632 lines    129 lines        80%
  Refined     630 lines    131 lines        79%
Next: Conclusion and Future Work
Conclusion and future work

- We proposed a method to verify the behavioral consistency of two given C descriptions efficiently.
- The C descriptions are restricted to HW.
- Identification of textual differences and program slicing are applied for efficiency.
- Future work:
  - Full implementation of the tool set to realize the proposed method
  - Extension of the proposed method by introduction of concurrency

Thank you very much!!