Behavioral Consistency of C and Verilog Programs Using Bounded Model Checking - PowerPoint PPT Presentation
1
Behavioral Consistency of C and Verilog Programs Using Bounded Model Checking
  • Daniel Kroening
  • Edmund Clarke
  • Karen Yorav
  • Carnegie Mellon University

2
Motivation
  • Common Design Practice
    • Write ANSI-C program that behaves like new product (GOLDEN MODEL)
    • Test/debug applications using C model
    • Design HDL for product
    • Compare C vs. HDL!

[Diagram: ANSI-C Model compared against HDL Product]
3
ANSI-C Models
  • Two extremes
    • Simple, low level C: uses gates, is synthesizable
    • Complex, high level C: used for simulations, testing

First case can be handled with existing synthesis tools.
We focus on second case.
4
ANSI-C Constructs
  • Idea: make C look like a debugging monitor
  • ANSI-C program can access all variables in the circuit in arbitrary cycles
    • int i = signal[cycle];
  • ANSI-C program can synchronize with the circuit using WAITFOR
    • WAITFOR(signal);
  • Variable mapping using assume/assert
    • assume(input[cycle] == i_data);
    • assert(output[cycle] == o_data);
  • All constructs can be used in arbitrary places in the program

5
Overview
  1. Add mapping between variables to the C program (assertions/assumptions)
  2. Both program and circuit are transformed into a bit vector equation by unwinding
  3. Bit vector equations are compared using a SAT checker

6
Prototype Tool
[Diagram: ANSI-C Model and VHDL/Verilog Product → convert (parsing and type checking) → BV Logic (Tree) → BV Logic Decision Problem → CNF → Chaff]
  • Equivalence reduced to bit vector logic decision problem
  • Tool requires decision procedure for large bit vector problems
  • BV problems are HUGE: directly passed to Chaff in CNF
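The flow of slides 4 to 6 on a toy design, as an added example that is not part of the original slides or of the authors' tool. The "HDL" side is a constructed 4-bit accumulator with a gate-level ripple-carry adder and a registered output, the "C" side is the plain-arithmetic golden model, and the monitor ties the two together per cycle in the assume/WAITFOR/assert style of slide 4. An exhaustive enumeration of all input sequences up to the bound stands in for the SAT check (Chaff) of slide 5; a constructed defect in the adder shows what a counterexample looks like and why a bound can be too small. All function names are this example's own.

```python
# Added example, not from the slides: the check of slides 4-6 run on a toy design.
from itertools import product

WIDTH = 4                    # bit width of the data path
MASK = (1 << WIDTH) - 1


def ripple_add(a, b, width=WIDTH):
    """'HDL' side: a gate-level ripple-carry adder (per-bit XOR/AND/OR), the
    way the Verilog product would describe addition.  Carry-out is dropped."""
    carry, result = 0, 0
    for i in range(width):
        ai, bi = (a >> i) & 1, (b >> i) & 1
        result |= (ai ^ bi ^ carry) << i
        carry = (ai & bi) | (carry & (ai ^ bi))
    return result


def broken_adder(a, b, width=WIDTH):
    """A constructed defect for demonstration: bit 3 ignores the carry coming
    out of bit 2, so e.g. 1 + 7 yields 0 instead of 8."""
    low = ripple_add(a & 0b0111, b & 0b0111, width) & 0b0111
    return low | ((a ^ b) & 0b1000)


def hdl_trace(i_data, adder=ripple_add):
    """Simulate the product cycle by cycle.  `signal[cycle]` from slide 4 is
    trace[cycle]['signal'] here.  The output register holds the accumulator
    value computed in the previous cycle (one cycle of latency)."""
    acc, trace = 0, []
    for v in i_data:
        trace.append({"in": v, "out": acc})
        acc = adder(acc, v)
    return trace


def golden_model(i_data):
    """'C' side: the high-level golden model, plain modular arithmetic with the
    same one-cycle latency."""
    total, expected = 0, []
    for v in i_data:
        expected.append(total)
        total = (total + v) & MASK
    return expected


def monitor(i_data, trace):
    """The debugging-monitor style program of slide 4: in every cycle,
    assume(input[cycle] == i_data) ties the circuit input to the model input,
    WAITFOR is the wait for the registered output, and
    assert(output[cycle] == o_data) compares.  Returns the first failing
    cycle, or None."""
    expected = golden_model(i_data)
    for cycle in range(len(i_data)):
        if trace[cycle]["in"] != i_data[cycle]:
            return None          # assume() violated: this trace is excluded, not a failure
        if trace[cycle]["out"] != expected[cycle]:
            return cycle         # assert(output[cycle] == o_data) failed
    return None


def bounded_check(bound, adder=ripple_add):
    """Unwind both sides for `bound` cycles and compare on every input
    sequence.  Exhaustive enumeration (2**(WIDTH*bound) cases) stands in for
    the SAT check of slide 5.  Returns a counterexample input sequence, or
    None when design and model agree within the bound."""
    for i_data in product(range(1 << WIDTH), repeat=bound):
        if monitor(i_data, hdl_trace(i_data, adder)) is not None:
            return list(i_data)
    return None


if __name__ == "__main__":
    print("correct adder, bound 3:", bounded_check(3))                # None
    print("broken adder, bound 2:", bounded_check(2, broken_adder))   # None: bound too small
    print("broken adder, bound 3:", bounded_check(3, broken_adder))   # [1, 7, 0]
```

The broken adder is only exposed once the accumulator holds a value whose addition carries into bit 3, which needs three cycles: within a bound of 2 the check passes, within a bound of 3 the first counterexample in enumeration order is the input sequence 1, 7, 0, with the mismatch at cycle 2.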

7
Supported Language Features
  • ANSI-C is a low level language, not meant for verification but for efficiency
  • Complex language features, such as
    • Bit vector operators (shifting, and, or, ...)
    • Pointers, pointer arithmetic
    • Dynamic memory allocation: malloc/free
    • Dynamic data types: char s[n]
    • Side effects
    • Non-determinism

8
ANSI-C Transformation
  • Preparation
    • Side effect removal
    • continue, break replaced by goto
    • for, do while replaced by while
  • Unwinding
    • Loops are unwound; to guarantee that enough unwinding is done, unwinding assertions are added
    • Same for backward goto jumps and recursive functions

9
Implementation
  • Transformation into Equation
    • After unwinding: rename variables (example)
    • Generate constraints; g = guard from if statements
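The unwinding and renaming step of slides 8 and 9 worked for one small loop, as an added example that is not part of the original slides or the authors' tool. The input program (`x = 0; while (x < n) x++; assert(x == n);`, with `n` a free input) is constructed for this example and the transformation is written out by hand for it; a real tool derives the renamed copies x_i and guards g_i from the syntax tree. Enumerating a finite set of values for `n` stands in for the SAT solver. All function names are this example's own.

```python
# Added example, not from the slides: unwinding and renaming (slides 8-9) for one small loop.
# Constructed input program (n is a free, non-deterministic input):
#     x = 0;
#     while (x < n) x++;
#     assert(x == n);


def ssa_constraints(k):
    """Write out the bit-vector equation for k unwindings of the loop, after
    renaming: every assignment gets a fresh copy x_i, every unwinding gets a
    guard g_i that conjoins the loop condition with the previous guard, and
    two assertions close the equation.  Returned as readable strings."""
    eqs = ["x0 == 0", "g0 == true"]
    for i in range(1, k + 1):
        eqs.append(f"g{i} == (g{i-1} and x{i-1} < n)")
        eqs.append(f"x{i} == (x{i-1} + 1 if g{i} else x{i-1})")
    # Unwinding assertion: after k copies the loop condition must be false,
    # otherwise k was too small and the result says nothing about the program.
    eqs.append(f"assert not (g{k} and x{k} < n)")
    # The program's own property, on the last renamed copy of x.
    eqs.append(f"assert x{k} == n")
    return eqs


def run_unwound(k, n):
    """Evaluate the unwound, renamed program for a concrete n.
    Returns (x_k, unwinding_assertion_holds, property_holds)."""
    x, g = 0, True                       # x0, g0
    for _ in range(1, k + 1):
        g = g and x < n                  # g_i
        x = x + 1 if g else x            # x_i
    return x, not (g and x < n), x == n


def bounded_model_check(k, n_values):
    """Bounded model check over a finite set of input values (a SAT solver
    would cover all values of n symbolically).  Separates the two ways an
    assertion can fail: a violated unwinding assertion means the bound must be
    raised; a violated property under a sufficient bound is a real counterexample."""
    result = {"bound_too_small": [], "counterexamples": []}
    for n in n_values:
        _, unwinding_ok, property_ok = run_unwound(k, n)
        if not unwinding_ok:
            result["bound_too_small"].append(n)
        elif not property_ok:
            result["counterexamples"].append(n)
    return result


if __name__ == "__main__":
    print("\n".join(ssa_constraints(2)))
    print(bounded_model_check(3, range(-2, 6)))
```

With a bound of 3 and n ranging over -2..5, the values 4 and 5 violate the unwinding assertion (three copies of the loop body are not enough for them), while -2 and -1 are genuine counterexamples: the loop is never entered and `assert(x == n)` fails with x = 0.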

10
Example
11
Pointers
  • While unwinding, we expand the dereferencing operator recursively using φ
    • g: guard from if statements
    • o: offset
  • Allows complete treatment of pointers!

12
Pointers
  • Definition of φ(e, g, o)
    • e is a symbol of pointer type: get the value of e and recursively apply φ
    • e is a symbol of array type: e_a → &e_a[0]
    • φ(&s, g, 0) = s (check the type of s, and that s is valid!)
    • φ(&a[i], g, 0) = a[i] (check the type of a, and that a is valid!)
    • φ(c ? e' : e'', g, o) = c ? φ(e', g ∧ c, o) : φ(e'', g ∧ ¬c, o)
    • φ(e' + i, g, o) = φ(e', g, o + i) (pointer arithmetic)
    • φ((Q *)e', g, o) = φ(e', g, o) (pointer type cast)
  • All other cases: assert that the guard g does not hold!
13
Pointers - Example
  • int a, *p;
  • p = &a;
  • if(x) p = NULL;
  • if(p != NULL && *p == 1)

Potentially dereferencing NULL! Prove that
p2 ≠ NULL ∧ x0 is false.
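The dereferencing operator of slide 12 implemented over a small expression tree and applied to the program of slide 13, as an added example that is not part of the original slides or the authors' tool. The rules are the slide's; the class names, the encoding of guards as tuples of (variable, polarity) literals, and the result shape are this example's own. The array rule is generalised to a non-zero offset (a[i + o]), which the slide states only for o = 0. After renaming, the slide's program becomes p1 = &a and p2 = x0 ? NULL : p1, and `*p2` is evaluated under the guard p2 ≠ NULL that the `&&` provides; the NULL branch falls into the "all other cases" rule and yields exactly the obligation the slide asks to prove false, p2 ≠ NULL ∧ x0. Dropping the NULL check makes that obligation satisfiable, which is how the tool would report the potential NULL dereference.

```python
# Added example, not from the slides: the dereferencing operator φ of slide 12 over a
# tiny expression tree, applied to the program of slide 13.  Class names and the
# guard/result encoding are this example's own; the rules are the slide's.
from dataclasses import dataclass


@dataclass(frozen=True)
class Sym:          # a scalar object such as `a`
    name: str

@dataclass(frozen=True)
class AddrOf:       # &s
    target: Sym

@dataclass(frozen=True)
class ArrayElem:    # &a[i]
    array: str
    index: int

@dataclass(frozen=True)
class Arr:          # an array symbol used as a pointer; decays to &a[0]
    name: str

@dataclass(frozen=True)
class Ptr:          # a renamed pointer variable together with its defining expression
    name: str
    value: object

@dataclass(frozen=True)
class Cond:         # c ? then : els, with c the name of a boolean renamed variable
    cond: str
    then: object
    els: object

@dataclass(frozen=True)
class Add:          # e + i  (pointer arithmetic)
    base: object
    offset: int

@dataclass(frozen=True)
class Cast:         # (Q *) e
    expr: object

@dataclass(frozen=True)
class Null:         # the NULL constant
    pass


def phi(e, g, o):
    """phi(e, g, o): e is the pointer expression being dereferenced, g the guard
    under which the dereference is evaluated (a tuple of (variable, polarity)
    literals, read as a conjunction) and o the accumulated offset.
    Returns (cases, obligations): cases lists (guard, (object, index)) pairs
    naming the object reached under each guard; obligations lists guards that
    must be unsatisfiable, one per case the rules do not cover."""
    if isinstance(e, Ptr):                # pointer symbol: take its value, recurse
        return phi(e.value, g, o)
    if isinstance(e, Arr):                # array symbol: e_a -> &e_a[0]
        return phi(ArrayElem(e.name, 0), g, o)
    if isinstance(e, AddrOf):             # phi(&s, g, 0) = s
        if o == 0:
            return [(g, (e.target.name, None))], []
        return [], [g]                    # an offset into a scalar: invalid
    if isinstance(e, ArrayElem):          # phi(&a[i], g, o) = a[i + o]; the slide
        return [(g, (e.array, e.index + o))], []   # states the o = 0 instance
    if isinstance(e, Cond):               # split on c, strengthening the guard
        then_cases, then_obl = phi(e.then, g + ((e.cond, True),), o)
        else_cases, else_obl = phi(e.els, g + ((e.cond, False),), o)
        return then_cases + else_cases, then_obl + else_obl
    if isinstance(e, Add):                # pointer arithmetic moves into the offset
        return phi(e.base, g, o + e.offset)
    if isinstance(e, Cast):               # pointer type casts are transparent
        return phi(e.expr, g, o)
    return [], [g]                        # all other cases (NULL, integers): assert not g


def guard_holds(guard, env):
    return all(env[name] == polarity for name, polarity in guard)


def obligations_valid(obligations, envs):
    """The dereference is safe iff no obligation guard is satisfiable."""
    return not any(guard_holds(ob, env) for ob in obligations for env in envs)


def slide13(null_checked=True):
    """The program of slide 13 after renaming:  p1 = &a;  p2 = x0 ? NULL : p1.
    With null_checked, *p2 is evaluated under the guard p2 != NULL (the && in
    the if); without it, under the empty guard."""
    a = Sym("a")
    p1 = Ptr("p1", AddrOf(a))
    p2 = Ptr("p2", Cond("x0", Null(), p1))
    g = (("p2 != NULL", True),) if null_checked else ()
    return phi(p2, g, 0)


# x0 is the only free input; p2 != NULL is determined by it (constructed environments).
SLIDE13_ENVS = [{"x0": x0, "p2 != NULL": not x0} for x0 in (False, True)]

if __name__ == "__main__":
    cases, obligations = slide13()
    print("reached:", cases)                      # a, under p2 != NULL and not x0
    print("must be unsatisfiable:", obligations)  # p2 != NULL and x0
    print("safe:", obligations_valid(obligations, SLIDE13_ENVS))
    print("safe without NULL check:", obligations_valid(slide13(False)[1], SLIDE13_ENVS))
```

The pointer-arithmetic and cast rules can be exercised on the same machinery: `phi(Cast(Add(Arr("buf"), 3)), (), 0)` resolves to element 3 of `buf` with no obligation, while `Add(AddrOf(Sym("a")), 1)` produces an unconditional obligation because an offset into a scalar object is not covered by any rule.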
14
Dynamic Objects
  • Dynamic Objects
    • malloc / free
    • Local variables of functions
  • Two auxiliary variables for each dynamically allocated object
    • Size (number of elements)
    • Active bit
  • malloc sets size (from parameter) and sets active bit
  • free asserts that active bit is set and clears bit
  • Same for local variables: active bit is cleared upon leaving the function
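The instrumentation of slide 14, a size and an active bit per dynamic object, replayed over a constructed event trace, as an added example that is not part of the original slides or the authors' tool. The rules (malloc sets size and active bit; free asserts the bit and clears it; leaving a function clears the bits of its locals) are the slide's; the event encoding, the bounds check on dereferences, and the message texts are this example's own. The trace deliberately contains an off-by-one access, a double free, a use after free and a dangling pointer to a former local, so it shows which assertions each rule turns into.

```python
# Added example, not from the slides: the instrumentation of slide 14 (a size and an
# active bit per dynamically allocated object) applied to a constructed event trace.
# The event encoding and message texts are this example's own.


class ObjectModel:
    """Auxiliary state the verifier keeps per dynamic object."""

    def __init__(self):
        self.size = {}        # object -> number of elements
        self.active = {}      # object -> active bit
        self.violations = []  # failed assertions, in program order

    def malloc(self, obj, n):
        # malloc sets the size from its parameter and sets the active bit
        self.size[obj] = n
        self.active[obj] = True

    def free(self, obj):
        # free asserts that the active bit is set, then clears it
        if not self.active.get(obj, False):
            self.violations.append(f"free({obj}): object not active (double free or never allocated)")
        self.active[obj] = False

    def enter_local(self, obj, n):
        # a function-local variable is an object that is active while the function runs
        self.malloc(obj, n)

    def leave_function(self, locals_):
        # leaving the function clears the active bit of its locals
        for obj in locals_:
            self.active[obj] = False

    def deref(self, obj, index):
        # a dereference is valid only for an active object and an index within its size
        if not self.active.get(obj, False):
            self.violations.append(f"*{obj}[{index}]: object not active (use after free or after return)")
        elif not 0 <= index < self.size[obj]:
            self.violations.append(f"*{obj}[{index}]: index out of bounds (size {self.size[obj]})")


def check(events):
    """Replay a trace of ('malloc', obj, n) / ('free', obj) / ('deref', obj, i) /
    ('local', obj, n) / ('return', [objs]) events; return the violations."""
    m = ObjectModel()
    for ev in events:
        kind, args = ev[0], ev[1:]
        {"malloc": m.malloc, "free": m.free, "deref": m.deref,
         "local": m.enter_local, "return": m.leave_function}[kind](*args)
    return m.violations


# Constructed trace: one heap object with an off-by-one access, a double free and a
# use after free, and one local whose pointer is used after the function returned.
TRACE = [
    ("malloc", "o1", 4),
    ("deref", "o1", 3),        # ok: last element
    ("deref", "o1", 4),        # out of bounds
    ("free", "o1"),
    ("free", "o1"),            # double free
    ("deref", "o1", 0),        # use after free
    ("local", "l1", 1),
    ("deref", "l1", 0),        # ok
    ("return", ["l1"]),
    ("deref", "l1", 0),        # dangling pointer to a former local
]

if __name__ == "__main__":
    for v in check(TRACE):
        print(v)
```

In the tool these checks are not executed on a trace but emitted as assertions into the unwound equation, so that the SAT solver decides whether any input can reach a free on an inactive object or a dereference of one; the replay here makes the same rules visible on one concrete path.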

15
Experiments Overview
  • DES Crypto Core (sequential version)
    • Functional verification
  • Digital Thermometer
    • Extensive arithmetic (division/multiplication)
  • PS/2 Interface
    • Verilog/ANSI-C are two sides of the protocol
  • DLX
    • Processor (Verilog) vs. ISA (ANSI-C)
  • Instruction fetch control of Torch microprocessor
    • Property checking
  • Fifo used in Switch
    • Two clock domains!

16
Future Work
  • Concurrency
  • Spec-C
  • Object oriented languages: C++/System-C
  • Data path abstraction using uninterpreted functions
  • Better decision procedures for large programs
    • Translation to arithmetic circuits too expensive
    • Non-linear arithmetic?