Behavioral Consistency of C and Verilog Programs Using Bounded Model Checking
Daniel Kroening, Edmund Clarke, Karen Yorav
Carnegie Mellon University
Motivation
Common Design Practice:
• Write ANSI-C program that behaves like new product ("GOLDEN MODEL")
• Test/debug applications using C model
• Design HDL for product
• Compare C vs. HDL!
[Diagram: ANSI-C Model =? HDL Product]
ANSI-C Models
Two extremes:
• Simple, low level C: uses gates, is synthesizable
• Complex, high level C: used for simulations, testing
First case can be handled with existing synthesis tools. We focus on second case.
ANSI-C Constructs
Idea: Make C look like a debugging monitor
• ANSI-C program can access all variables in the circuit in arbitrary cycles: int i = signal[cycle];
• ANSI-C program can synchronize with the circuit using WAITFOR: WAITFOR(signal);
• Variable mapping using assume/assert: assume(input[cycle]==i_data); assert(output[cycle]==o_data);
• All constructs can be used in arbitrary places in the program
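An added example of the debugging-monitor idea above; it is not code from the slides or from the authors' tool. The Verilog product is stood in for by a cycle-accurate C function (a 4-bit bit-reversal with two cycles of latency, constructed for this example), every circuit variable is recorded per cycle so the C program can index signal[cycle], and WAITFOR, ASSUME and ASSERT are stand-in macros with assumed semantics over that recorded trace. The bounded check enumerates the small input space instead of handing the unwound equations to a SAT solver; the names run_circuit, golden, monitor and bounded_check are assumptions of this example.

```c
#include <stdio.h>

#define BOUND 8                      /* cycles recorded: the unwinding bound */

struct cycle_signals {               /* all circuit variables, one entry per cycle */
    unsigned in_data, in_valid, out_data, out_valid;
};

/* Cycle-accurate C rendering of the hypothetical Verilog product: the 4-bit
 * input is bit-reversed and appears on out_data two cycles later. `bug`
 * selects a deliberately wrong wiring so the check has something to find. */
static void run_circuit(const unsigned in_data[BOUND], const unsigned in_valid[BOUND],
                        struct cycle_signals trace[BOUND], int bug)
{
    unsigned d1 = 0, v1 = 0, d2 = 0, v2 = 0;          /* pipeline registers */
    for (unsigned c = 0; c < BOUND; c++) {
        unsigned in = in_data[c] & 0xF;
        trace[c].in_data = in;
        trace[c].in_valid = in_valid[c];
        trace[c].out_data = d2;                        /* registered outputs */
        trace[c].out_valid = v2;
        /* combinational bit reversal, then the clock edge */
        unsigned rev = bug ? ((in & 1) << 3) | (in & 2) | (in & 4) | ((in & 8) >> 3)
                           : ((in & 1) << 3) | ((in & 2) << 1) | ((in & 4) >> 1) | ((in & 8) >> 3);
        d2 = d1; v2 = v1;
        d1 = rev; v1 = in_valid[c];
    }
}

/* The golden model, written as ordinary C. */
static unsigned golden(unsigned i_data)
{
    unsigned o = 0;
    for (int b = 0; b < 4; b++)
        if (i_data & (1u << b)) o |= 1u << (3 - b);
    return o;
}

enum { CONSISTENT = 0, ASSERT_FAILED = 1, WAITFOR_TIMEOUT = 2, VACUOUS = 3 };

/* Stand-in monitor constructs (assumed semantics over the recorded trace):
 * WAITFOR advances `cycle` to the next cycle where the signal is set and
 * reports a timeout when it runs off the bound; ASSUME discards traces that
 * violate the assumption; ASSERT reports the property violation. */
#define WAITFOR(sig) do { while (cycle < BOUND && !trace[cycle].sig) cycle++; \
                          if (cycle >= BOUND) return WAITFOR_TIMEOUT; } while (0)
#define ASSUME(e) do { if (!(e)) return VACUOUS; } while (0)
#define ASSERT(e) do { if (!(e)) return ASSERT_FAILED; } while (0)

/* The C program acting as debugging monitor: i_data is a free variable of
 * the program that ASSUME ties to the circuit input. */
static int monitor(const struct cycle_signals trace[BOUND], unsigned i_data)
{
    unsigned cycle = 0, start, o_data;
    WAITFOR(in_valid);                              /* synchronize with the circuit */
    start = cycle;
    ASSUME(trace[cycle].in_data == i_data);         /* variable mapping, input side */
    o_data = golden(i_data);
    cycle++;
    WAITFOR(out_valid);
    ASSERT(cycle == start + 2);                     /* latency of the product */
    ASSERT(trace[cycle].out_data == o_data);        /* variable mapping, output side */
    return CONSISTENT;
}

/* Bounded check by enumeration (tiny state space; the tool passes the unwound
 * equations to a SAT solver instead). Returns the first failure found. */
static int bounded_check(int bug)
{
    for (unsigned s = 0; s + 2 < BOUND; s++)        /* input cycle, leaving room for the latency */
        for (unsigned v = 0; v < 16; v++)           /* circuit input value */
            for (unsigned i_data = 0; i_data < 16; i_data++) {   /* free C variable */
                unsigned in_data[BOUND] = {0}, in_valid[BOUND] = {0};
                struct cycle_signals trace[BOUND];
                in_data[s] = v; in_valid[s] = 1;
                run_circuit(in_data, in_valid, trace, bug);
                int r = monitor(trace, i_data);
                if (r != CONSISTENT && r != VACUOUS) return r;
            }
    return CONSISTENT;
}

/* A trace with no valid input at all: WAITFOR runs off the bound. */
static int idle_trace_result(void)
{
    unsigned zeros[BOUND] = {0};
    struct cycle_signals trace[BOUND];
    run_circuit(zeros, zeros, trace, 0);
    return monitor(trace, 0);
}

int main(void)
{
    printf("correct circuit: %d (0 = consistent)\n", bounded_check(0));
    printf("buggy circuit:   %d (1 = assertion failed)\n", bounded_check(1));
    printf("idle trace:      %d (2 = WAITFOR timeout)\n", idle_trace_result());
    return 0;
}
```

The timeout result is the point to notice: a WAITFOR that never sees its signal within the bound is reported rather than silently passing, which is the same role the unwinding assertions play for loops later in the deck.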
Overview
• Add mapping between variables to the C program (assertions/assumptions)
• Both program and circuit are transformed into bit vector equations by unwinding
• Bit vector equations are compared using SAT checker
Prototype Tool
[Diagram: ANSI-C Model and VHDL/Verilog Product → parsing and type checking → convert → BV Logic (Tree) → BV Logic Decision Problem → CNF → Chaff]
• Equivalence reduced to bit vector logic decision problem
• Tool requires decision procedure for large bit vector problems
• BV problems are HUGE – directly passed to Chaff in CNF
Supported Language Features
• ANSI-C is a low level language, not meant for verification but for efficiency
• Complex language features, such as
  • Bit vector operators (shifting, and, or, …)
  • Pointers, pointer arithmetic
  • Dynamic memory allocation: malloc/free
  • Dynamic data types: char s[n]
  • Side effects
  • Non-determinism
ANSI-C Transformation
• Preparation
  • Side effect removal
  • continue, break replaced by goto
  • for, do while replaced by while
• Unwinding
  • Loops are unwound: to guarantee that enough unwinding is done, unwinding assertions are added
  • Same for backward goto jumps and recursive functions
Implementation
• Transformation into Equation
• After unwinding: Rename variables
  Example:
• Generate constraints: g: guard from if statements
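An added example, not code from the slides or the tool, of what the two preceding slides describe for one small loop: the loop is unwound k times with each copy guarded by the loop condition and an unwinding assertion after the last copy, and the four-fold unwinding is then written out with renamed variables (x0, x1, …, s0, s1, …) and explicit guards g1 … g4 taken from the if statements. The loop body, the variable names and the 4-bit input width are constructed for this example; the bounded checks enumerate the 16 inputs where the tool would solve the equations with SAT.

```c
#include <stdio.h>

/* The loop as written in the C model: sums the halving sequence of a 4-bit
 * input. Serves as the reference the unwound versions are compared against. */
static unsigned loop_version(unsigned x)
{
    unsigned s = 0;
    x &= 0xF;
    while (x > 0) { s += x; x >>= 1; }
    return s;
}

/* Result of an unwound run: the value plus whether the unwinding assertion
 * (loop condition still true after the k copies) was violated. */
struct unwound { unsigned s; int unwinding_assertion_failed; };

/* The loop unwound k times the way the transformation does it: each copy is
 * an if guarded by the loop condition; the last copy is followed by the
 * unwinding assertion assert(!(x > 0)). The for loop stands for k textual copies. */
static struct unwound unwound_version(unsigned x, unsigned k)
{
    struct unwound r = { 0, 0 };
    x &= 0xF;
    for (unsigned copy = 0; copy < k; copy++)
        if (x > 0) { s_step: r.s += x; x >>= 1; }
    r.unwinding_assertion_failed = (x > 0);     /* unwinding assertion: ¬(x > 0) */
    return r;
}

/* The same program after unwinding four times and renaming: every assignment
 * gets a fresh version, the guards g_i come from the (nested) if statements,
 * and each renamed variable is defined by exactly one equation. */
static struct unwound ssa_version_k4(unsigned x)
{
    unsigned x0 = x & 0xF, s0 = 0;
    int      g1 = x0 > 0;                        /* guard of copy 1 */
    unsigned s1 = g1 ? s0 + x0 : s0;
    unsigned x1 = g1 ? x0 >> 1 : x0;
    int      g2 = g1 && x1 > 0;                  /* copy 2 is nested inside copy 1 */
    unsigned s2 = g2 ? s1 + x1 : s1;
    unsigned x2 = g2 ? x1 >> 1 : x1;
    int      g3 = g2 && x2 > 0;
    unsigned s3 = g3 ? s2 + x2 : s2;
    unsigned x3 = g3 ? x2 >> 1 : x2;
    int      g4 = g3 && x3 > 0;
    unsigned s4 = g4 ? s3 + x3 : s3;
    unsigned x4 = g4 ? x3 >> 1 : x3;
    struct unwound r = { s4, g4 && x4 > 0 };    /* unwinding assertion: ¬(g4 ∧ x4 > 0) */
    return r;
}

/* Smallest k for which no 4-bit input violates the unwinding assertion; also
 * checks that every non-violating unwound run agrees with the loop (-1 if not). */
static int smallest_sufficient_bound(void)
{
    for (unsigned k = 1; k <= 8; k++) {
        int violated = 0;
        for (unsigned x = 0; x < 16; x++) {
            struct unwound u = unwound_version(x, k);
            if (u.unwinding_assertion_failed) violated = 1;
            else if (u.s != loop_version(x)) return -1;
        }
        if (!violated) return (int)k;
    }
    return -1;
}

/* The renamed four-fold unwinding agrees with the loop on all 4-bit inputs. */
static int ssa_matches_loop(void)
{
    for (unsigned x = 0; x < 16; x++) {
        struct unwound u = ssa_version_k4(x);
        if (u.unwinding_assertion_failed || u.s != loop_version(x)) return 0;
    }
    return 1;
}

int main(void)
{
    printf("smallest sufficient unwinding bound: %d\n", smallest_sufficient_bound());
    printf("renamed k=4 version matches loop: %d\n", ssa_matches_loop());
    return 0;
}
```

The guard of each copy is conjoined with the guard of the enclosing copy (g2 = g1 ∧ x1 > 0) because the copies are nested, which is also why the unwinding assertion is only an obligation under g4.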
Pointers
• While unwinding, we expand the dereferencing operator recursively using φ(e, g, o):
  • g: guard from if statements
  • o: offset
• Allows complete treatment of pointers!
Pointers
Definition of φ(e, g, o):
• e is symbol of pointer type: get value of e and recursively apply φ
• e is symbol of array type: e = a → e = &a[0]
• φ(&s, g, 0) := s   (check type of s, and that s is valid!)
• φ(&a[i], g, 0) := a[i]   (check type of a, and that a is valid!)
• φ(c ? e' : e'', g, o) := c ? φ(e', g ∧ c, o) : φ(e'', g ∧ ¬c, o)
• φ(e' + i, g, o) := φ(e', g, o + i)   (Pointer arithmetic)
• φ((Q *)e', g, o) := φ(e', g, o)   (Pointer type cast)
• All other cases: assert that (g) does not hold!
Pointers - Example
int a, *p;
p=&a;
if(x) p=NULL;
if(p!=NULL && *p==1);
Potentially dereferencing NULL!
Prove that p2 ≠ NULL ∧ ¬x0 is false
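An added example, not code from the slides or the tool, that runs the case analysis of the φ definition on concrete values. Where the tool keeps g as a formula and discharges "assert that g does not hold" with SAT, this version evaluates g to a truth value under one assignment and flags a violation when the assertion would fail; the offset o is folded into the array index for the &a[i] case. The expression tree (struct expr), the two-scalar/one-array store and the helper names phi, slide_example_violated and array_walk are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Expression forms the definition of φ distinguishes. */
enum ekind { E_NULL, E_ADDR_VAR, E_ADDR_ARR, E_COND, E_PLUS, E_CAST };

struct expr {
    enum ekind kind;
    int idx;                  /* E_ADDR_VAR: scalar id; E_ADDR_ARR: index i; E_PLUS: i */
    int cond;                 /* E_COND: value of c under the current assignment */
    const struct expr *a, *b; /* sub-expressions e' and e'' */
};

#define NSCALAR 2
#define ARR_LEN 4
struct store { int scalar[NSCALAR]; int arr[ARR_LEN]; };   /* constructed memory */

struct deref_result { int value; int violated; };

/* Concrete evaluation of φ(e, g, o). g is the guard under which the
 * dereference is reached, o the accumulated offset. */
static struct deref_result phi(const struct expr *e, int g, int o, const struct store *st)
{
    struct deref_result r = { 0, 0 };
    switch (e->kind) {
    case E_ADDR_VAR:                      /* φ(&s, g, 0) := s, s must be a valid scalar */
        if (o == 0 && e->idx >= 0 && e->idx < NSCALAR) { r.value = st->scalar[e->idx]; return r; }
        break;                            /* offset into a scalar: no valid object */
    case E_ADDR_ARR:                      /* φ(&a[i], g, 0) := a[i], with the offset applied */
        if (e->idx + o >= 0 && e->idx + o < ARR_LEN) { r.value = st->arr[e->idx + o]; return r; }
        break;                            /* outside the array: no valid object */
    case E_COND:                          /* c ? φ(e', g ∧ c, o) : φ(e'', g ∧ ¬c, o) */
        return e->cond ? phi(e->a, g && e->cond, o, st) : phi(e->b, g && !e->cond, o, st);
    case E_PLUS:                          /* φ(e' + i, g, o) := φ(e', g, o + i) */
        return phi(e->a, g, o + e->idx, st);
    case E_CAST:                          /* φ((Q *)e', g, o) := φ(e', g, o) */
        return phi(e->a, g, o, st);
    case E_NULL:
        break;
    }
    r.violated = g;                       /* all other cases: assert that g does not hold */
    return r;
}

/* The slide's example under a concrete x: p2 = x0 ? NULL : &a, dereferenced
 * either under the guard p != NULL (as written on the slide) or unguarded. */
static int slide_example_violated(int x, int guarded)
{
    struct store st = { { 1, 0 }, { 0, 0, 0, 0 } };
    struct expr addr_a = { E_ADDR_VAR, 0, 0, NULL, NULL };
    struct expr null_p = { E_NULL, 0, 0, NULL, NULL };
    struct expr p2     = { E_COND, 0, x, &null_p, &addr_a };
    int p2_is_null = x;                   /* p2 == NULL exactly when x0 holds */
    int g = guarded ? !p2_is_null : 1;    /* guard of the dereference */
    return phi(&p2, g, 0, &st).violated;
}

/* Pointer arithmetic through a cast: *((int *)(&arr[1] + i)), ARR_LEN == 4. */
static struct deref_result array_walk(int i)
{
    struct store st = { { 0, 0 }, { 10, 20, 30, 40 } };
    struct expr base = { E_ADDR_ARR, 1, 0, NULL, NULL };
    struct expr plus = { E_PLUS, i, 0, &base, NULL };
    struct expr cast = { E_CAST, 0, 0, &plus, NULL };
    return phi(&cast, 1, 0, &st);
}

int main(void)
{
    for (int x = 0; x < 2; x++)
        printf("x=%d guarded: violated=%d, unguarded: violated=%d\n", x,
               slide_example_violated(x, 1), slide_example_violated(x, 0));
    printf("arr[1]+2 -> %d (violated=%d), arr[1]+3 violated=%d\n",
           array_walk(2).value, array_walk(2).violated, array_walk(3).violated);
    return 0;
}
```

With the guard p != NULL in place, the NULL branch of the conditional is only reached with a false guard, so the obligation is discharged for both values of x; removing the guard makes x = 1 reach the "all other cases" rule with g true, which is the NULL dereference the slide warns about.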
Dynamic Objects
• Dynamic Objects:
  • malloc / free
  • Local variables of functions
• Two auxiliary variables for each dynamically allocated object:
  • Size (number of elements)
  • Active bit
• malloc sets size (from parameter) and sets active bit
• free asserts that active bit is set and clears bit
• Same for local variables: active bit is cleared upon leaving the function
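An added example, not code from the slides or the tool, that models the two auxiliary variables per object exactly as the slide lists them: malloc sets size and the active bit, free asserts the active bit and clears it, an access checks the active bit and the size, and leaving a function clears the active bit of its locals. The object table, the violation codes and the scenario functions are constructed for this example; the tool encodes the same checks as assertions in the unwound equations rather than running them.

```c
#include <stdio.h>

#define MAX_OBJECTS 8

/* Per-object auxiliary variables from the slide. */
struct dynobj { unsigned size; int active; };

/* Model of the heap and of the stack frames' local objects. */
struct heap_model { struct dynobj obj[MAX_OBJECTS]; unsigned next; };

enum { OK = 0, V_FREE_INACTIVE = 1, V_USE_INACTIVE = 2, V_OUT_OF_BOUNDS = 3 };

/* malloc: size from the parameter, active bit set. Returns object id or -1
 * when the model table is full (a limit of this model, not of C). */
static int model_malloc(struct heap_model *h, unsigned n_elems)
{
    if (h->next >= MAX_OBJECTS) return -1;
    h->obj[h->next].size = n_elems;
    h->obj[h->next].active = 1;
    return (int)h->next++;
}

/* free: assert that the active bit is set, then clear it. */
static int model_free(struct heap_model *h, int id)
{
    if (id < 0 || (unsigned)id >= h->next || !h->obj[id].active) return V_FREE_INACTIVE;
    h->obj[id].active = 0;
    return OK;
}

/* Access check for p[idx], where p points at element 0 of object id. */
static int model_access(const struct heap_model *h, int id, unsigned idx)
{
    if (id < 0 || (unsigned)id >= h->next || !h->obj[id].active) return V_USE_INACTIVE;
    if (idx >= h->obj[id].size) return V_OUT_OF_BOUNDS;
    return OK;
}

/* Local variables are registered like allocations when the function is
 * entered; leaving the function clears their active bit. */
static void leave_function(struct heap_model *h, int local_id)
{
    h->obj[local_id].active = 0;
}

/* Scenarios: one well-behaved program and four that the checks catch. */
static int scenario_correct(void)
{
    struct heap_model h = {0};
    int p = model_malloc(&h, 4);
    int r = model_access(&h, p, 3);            /* last element: in bounds */
    if (r != OK) return r;
    return model_free(&h, p);
}

static int scenario_double_free(void)
{
    struct heap_model h = {0};
    int p = model_malloc(&h, 4);
    model_free(&h, p);
    return model_free(&h, p);                   /* active bit already clear */
}

static int scenario_use_after_free(void)
{
    struct heap_model h = {0};
    int p = model_malloc(&h, 4);
    model_free(&h, p);
    return model_access(&h, p, 0);              /* object no longer active */
}

static int scenario_out_of_bounds(void)
{
    struct heap_model h = {0};
    int p = model_malloc(&h, 4);
    return model_access(&h, p, 4);              /* size is 4: index 4 is past the end */
}

static int scenario_escaped_local(void)
{
    struct heap_model h = {0};
    int local = model_malloc(&h, 1);            /* local variable of the callee */
    leave_function(&h, local);                  /* callee returns ... */
    return model_access(&h, local, 0);          /* ... and the caller uses the pointer */
}

int main(void)
{
    printf("correct: %d, double free: %d, use after free: %d, out of bounds: %d, escaped local: %d\n",
           scenario_correct(), scenario_double_free(), scenario_use_after_free(),
           scenario_out_of_bounds(), scenario_escaped_local());
    return 0;
}
```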
Experiments: Overview
• DES Crypto Core (sequential version)
  • Functional verification
• Digital Thermometer
  • Extensive arithmetic (division/multiplication)
• PS/2 Interface
  • Verilog/ANSI-C are two sides of the protocol
• DLX
  • Processor (Verilog) vs. ISA (ANSI-C)
• Instruction fetch control of Torch microprocessor
  • Property checking
• Fifo used in Switch
  • Two clock domains!
Future Work
• Concurrency
• Spec-C
• Object oriented languages: C++/System-C
• Data path abstraction using uninterpreted functions
• Better decision procedures for large programs
  • Translation to arithmetic circuits too expensive
  • Non-linear arithmetic?