Verification of Behavioral Consistency in C by Using Symbolic Simulation and Program Slicer Takeshi Matsumoto Thanyapat Sakunkonchak Hiroshi Saito Masahiro

Verification of Behavioral Consistencyin C by Using Symbolic Simulation and Program Slicer

Takeshi MatsumotoThanyapat Sakunkonchak

Hiroshi SaitoMasahiro Fujita

The University of Tokyo

2

Outline Introduction Basic Notations Verification Strategy Case Studies Conclusion and Future Work

3

Outline Introduction Basic Notations Verification Strategy Case Studies Conclusion and Future Work

4

Formal verification in VLSI design

As VLSI designs become more complicated, verification tasks become more difficult

Formal verification has many advantages, however, it is very sensitive to the size of descriptions

Recently, C-based design languages are commonly used SpecC, SystemC, … Easy to learn Able to describe HW and SW

5

C-base design & verification flow

Our verification method works in this design flow There are many refinement steps in this flow At each refinement step, descriptions are very close to

each other

Specificationin C

Refined descri-ption for HW part

Refined descriptionwith concurrency

Removal of pointer,recursive calling

Introduction ofconcurrency(SpecC or SystemCmay be used here) To RTL: Refinement step

Checking behavioral consistency

6

Target of verification

In this work, target of verification is C hardware descriptions No pointer reference No recursive function calling No dynamic memory allocation

In future, our verification method will cover all the design flow by extension

Specificationin C

Refined descri-ption for HW part

Refined descriptionwith concurrency

7

Our proposed method We propose the verification method to

check the behavioral consistency of two given C-descriptions These C-descriptions are restricted for HW Verification itself is operated in terms of

symbolic simulation (formal method) Main interest is to make verification task

reduced and realize the efficient verification Based on textual differences Code reduction by program slicing

8

Next Introduction Basic Notations Verification Strategy Case Studies Conclusion and Future Work

9

Symbolic simulation In our method, verification itself is

carried out in terms of symbolic simulation

Variables are treated as symbols rather than bit vectors Symbolic simulation can verify designs

more efficiently than traditional simulation

10

Example Example of checking the behavioral consiste

ncy based on symbolic simulation Equivalent variables are collected into EqvClass

a = v1;b = v2;add1 = a + b;Description 1

add2 = v1 + v2;Description 2

EqvClass

Symbolic simulation

We are going to check the equivalencebetween add1 and add2

11

Example This is an example of equivalence checking

based on symbolic simulation Equivalent variables are collected into EqvClass



EqvClass

Symbolic simulationE1 (a, v1)E2 (b, v2)E3 (add1, a+b)

Description1 is simulated

12





EqvClass

Symbolic simulationE1 (a, v1)E2 (b, v2)E3 (add1, a+b)E4 (add2, v1+v2)

Description2 is simulated

13





EqvClass

Symbolic simulationE1 (a, v1)E2 (b, v2)E3 (add1, a+b)E4 (add2, v1+v2)

Due to the equivalencesin E1, E2

14





EqvClass

Symbolic simulationE1 (a, v1)E2 (b, v2)E3’ (add1, a+b, add2, v1+v2)

E3 & E4 are mergedinto E3’

15

Program slicing In our methods, the codes to be

symbolically simulated are extracted by program slicing This means only extracted codes will be

simulated for verification Program slicing can extract the codes

that can affect (be affected by) a variable

Two kinds of slicing: backward slicing and forward slicing

16

Backward slicing Backward slicing for a variable v

extracts all codes that affect the variable v

a = 2;b = 3;c = 5;a = a + 10;b = a * c; /start/c = c + a;a = a * b;


Backward slicing

17

Forward slicing Forward slicing for a variable v

extracts all codes that are affected by the variable v


Forward slicinga = 2;b = 3;c = 5;a = a + 10;b = a * c; /start/c = c + a;a = a * b;

18


19

Verification flow (1)Description 1 Description 2

Pre-processes

Identification of textual differences & ordering them

Output the set of textual differences (d1, d2, d3, …)

20

Identification of textual differences

First, textual differences are identified by “diff”

Then, they are sorted in the order of execution

int v1, v2, out, opcode;v1 = 3;v2 = 5;if(opcode == 1) { out = v1 + v2;}

Description 1

int v1, v2, out, opcode;int reg1, reg2, alu;v1 = 3;v2 = 5;reg1 = v1;reg2 = v2;if(opcode == 1) { alu = reg1 + reg2; out = alu;}

Description 2

d1

d2

d3

21

Consistencyis proved

Verification flow (2)Is there any differences left?

Decision of target variables

Backward slicing

Symbolic simulation

Symbolic simulation

Forward slicing

Yes

No Verification terminates successfully

An erroneous trace is reported

Consistency is not proved



(d1, d2, d3, …)

22

Verification flow (2)Is there any differences left?


Backward slicing

Symbolic simulation

Symbolic simulation

Forward slicing

Yes



Consistencyis proved Consistency is not proved



(d1, d2, d3, …)

23

Decision of target variables A variable v in a difference d is a target

variable, When the variable v is defined in both

descriptions, and assigned in the difference dint v1, v2, out, opcode;v1 = 3;v2 = 5;if(opcode == 1) { out = v1 + v2;}

Description 1

int v1, v2, out, opcode;int reg1, reg2, alu;v1 = 3;v2 = 5;reg1 = v1;reg2 = v2;if(opcode == 1) { alu = reg1 + reg2; out = alu;}

Description 2

d1

d2

d3

24


Case splitIs there any differences left?


Backward slicing

Symbolic simulation

Symbolic simulation

Forward slicing

Yes






(d1, d2, d3, …)

25


26

Case studies Our tool implementation has not been com

pleted A part of symbolic simulation is implemented Program slicing is done by CodeSurfer that is a

product of GrammaTech Inc. We evaluated efficiency of our proposed m

ethod by the amount of codes to be verified

27

Case study 1 C-model of Huffman decoder

Two functions were in-lined after refinement

2 differences, 2 target variables An example of textual differences

Original

Refined

v = show_bits();flush_bits();

v = inbuf[buf_index];buf_index++;

The declarations of show_bits, flush_bitsin the original description are also identified

28

Case study 1 C-model of Huffman decoder

Two functions were in-lined after refinement

2 differences, 2 target variables Result … behaviors were consistent

49 lines

41 lines 73%

58%

11 lines

21 lines

Reductionratio

Original

Refined

Totalcodes

Simulatedcodes

29

Case study 2 C-model of MAXSAT solver

We inserted differences in the original descri-ption so that both were consistent

6 differences, 6 target variables Result … behaviors were consistent

632 lines

630 lines 80%

79%

129 lines

131 lines

Reductionratio

Original

Refined

Totalcodes

Simulatedcodes

30


31

Conclusion and future work

We proposed a method to verify behavioral consistency of two given C-descriptions efficiently C-descriptions are restricted for HW Identification textual differences and program

slicing are applied for efficiency Future work

Fully implementation tool set to realize this proposed method

Extension of proposed method by introduction of concurrency

Thank you very much!!

Documents

Verification of Behavioral Consistency in C by Using Symbolic Simulation and Program Slicer Takeshi Matsumoto Thanyapat Sakunkonchak Hiroshi Saito Masahiro