1 / 16

Behavioral Consistency of C and Verilog Programs Using Bounded Model Checking

Behavioral Consistency of C and Verilog Programs Using Bounded Model Checking. Daniel Kroening Edmund Clarke Karen Yorav Carnegie Mellon University. Motivation. Common Design Practice: Write ANSI-C program that behaves like new product (“GOLDEN MODEL”) Test/debug applications using C model

wren
Download Presentation

Behavioral Consistency of C and Verilog Programs Using Bounded Model Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Behavioral Consistencyof C and Verilog Programs Using Bounded Model Checking Daniel Kroening Edmund Clarke Karen Yorav Carnegie Mellon University

  2. Motivation Common Design Practice: • Write ANSI-C program that behaves like new product(“GOLDEN MODEL”) • Test/debug applications using C model • Design HDL for product • Compare C vs. HDL! = ? ANSI-CModel HDLProduct A

  3. ANSI-C Models Two extremes: • Simple, low level C:uses gates, is synthesizable • Complex, high level C:used for simulations, testing First case can be handledwith existing synthesis tools. We focus on second case.

  4. ANSI-C Constructs Idea: Make C look like a debugging monitor • ANSI-C program can access all variables in the circuit in arbitrary cycles: int i = signal[cycle]; • ANSI-C program can synchronize with the circuit using WAITFOR: WAITFOR(signal); • Variable mapping using assume/assert: assume(input[cycle]==i_data); assert(output[cycle]==o_data); • All constructs can be used in arbitrary places in the program

  5. Overview • Add mapping between Variables to C Program(assertions/assumptions) • Both program and circuit are transformed into bit vector equation by unwinding • Bit vector equations are compared using SAT checker

  6. Prototype Tool ANSI-CModel convert = * +  Chaff = CNF * +  VHDL/VerilogProduct convert = * BV LogicDecisionProblem +  Parsing andtype checking BV Logic(Tree) • Equivalence reduced to bit vector logic decision problem • Tool requires decision procedure for large bit vector problems • BV problems are HUGE – directly passed to Chaff in CNF

  7. Supported Language Features • ANSI-C is a low level language, not meant for verification but for efficiency • Complex language features, such as • Bit vector operators (shifting, and, or,…) • Pointers, pointer arithmetic • Dynamic memory allocation: malloc/free • Dynamic data types: char s[n] • Side effects • Non-determinism

  8. ANSI-C Transformation • Preparation • Side effect removal • continue, break replaced by goto • for, do while replaced by while • Unwinding • Loops are unwound: to guarantee that enough unwinding is done,unwinding assertions are added • Same for backward goto jumps and recursive functions

  9. Implementation • Transformation into Equation • After unwinding: Rename variablesExample: • Generate constraints:g: guard from if statements

  10. Example

  11. Pointers • While unwinding, we expand the dereferencing operator recursively using : • g: guard from if statements • o: offset • Allows complete treatment of pointers!

  12. Pointers Definition (e): • e is symbol of pointer type: get value of e and recursivly apply  • e is symbol of array type: e=a ! e=&a[0] • (&s, g, 0) := scheck type of s, and that s is valid! • (&a[i], g, 0) := a[i]check type of a, and that a is valid! • (c ? e' : e'', g, o) := c ? (e', g Æ c, o) : (e'', gÆ :c, o) • (e'+i, g, o) := (e', g, o+i) (Pointer arithmetic) • ((Q *)e', g, o) := (e', g, o) (Pointer type cast) • All other cases: assert that (g) does not hold! A

  13. Pointers - Example int a, *p; p=&a; if(x) p=NULL; if(p!=NULL && *p==1); Potentially dereferencing NULL! Prove that p2≠NULL Æ:x0 is false A

  14. Dynamic Objects • Dynamic Objects: • malloc / free • Local variables of functions • Two auxiliary variables for each dynamically allocated object: • Size (number of elements) • Active bit • malloc sets size (from parameter) and sets active bit • free asserts that active bit is set and clears bit • Same for local variables: active bit is cleared upon leaving the function

  15. Experiments: Overview • DES Crypto Core (sequential version) • Functional verification • Digital Thermometer • Extensive arithmetic (division/multiplication) • PS/2 Interface • Verilog/ANSI-C are two sides of the protocol • DLX • Processor (Verilog) vs. ISA (ANSI-C) • Instruction fetch control of Torch microprocessor • Property checking • Fifo used in Switch • Two clock domains! A

  16. Future Work • Concurrency • Spec-C • Object oriented languages: C++/System-C • Data path abstraction using uninterpreted functions • Better decision procedures for large programs • Translation to arithmetic circuits too expensive • Non-linear arithmetic?

More Related