Hardware verification using ANSI-C programs as a reference

Abstract: We describe an algorithm to verify a hardware design given in Verilog using an ANSI-C program as a specification. We use SAT based Bounded Model Checking [1] in order to reduce the equivalence problem to a bit vector logic decision problem. As a case study, we describe experimental results on a hardware and a software implementation of the data encryption standard (DES) algorithm.

“…The verification results of any given property can prove the correctness of the descriptions up to the length of this finite sequence. This is similar to the work on bounded model checking [11] where the method is conservative and guarantees that there is no false positive error.…”

“…Since we unwound all the loops in the descriptions such that the design is now consisting of a number of directed finite paths, we can simply check the reachability by using a standard (untimed) model checker. In model checkers where the design is translated into FSMs and property can be checked based on a full reachability analysis, our method can have less exit ("There is a race condition") 11: end if 12: /* Renaming all assignments of each variables */ 13: RenameP rojCE := RenameVariable(P rojCE, P ar) 14: result2 := Validate(RenameP rojCE) 15: return result2 end computation. Given a synchronization property, the result can be either 1) property holds, there is no deadlock or 2) property does not hold, e.g.…”

Synchronization Verification in System-Level Design with ILP Solvers

“…The verification results of any given property can prove the correctness of the descriptions up to the length of this finite sequence. This is similar to the work on bounded model checking [11] where the method is conservative and guarantees that there is no false positive error.…”

“…Since we unwound all the loops in the descriptions such that the design is now consisting of a number of directed finite paths, we can simply check the reachability by using a standard (untimed) model checker. In model checkers where the design is translated into FSMs and property can be checked based on a full reachability analysis, our method can have less exit ("There is a race condition") 11: end if 12: /* Renaming all assignments of each variables */ 13: RenameP rojCE := RenameVariable(P rojCE, P ar) 14: result2 := Validate(RenameP rojCE) 15: return result2 end computation. Given a synchronization property, the result can be either 1) property holds, there is no deadlock or 2) property does not hold, e.g.…”

Synchronization Verification in System-Level Design with ILP Solvers

“…Counter-example generation. Software model-checkers such as Save [24], Blast [25], Magic [26] or Cbmc [27] explore the paths of a bounded model of C programs in order to find a counter-example path to a temporal property. Some of them also address statement reacheability by generating test inputs to reach specific locations within the source code [8].…”

Constraint-Based Test Input Generation for Java Bytecode

“…It is essential to determine that the C and Verilog programs are consistent. We extend the tool of [5] with the results presented here. We translate clock constraints into Boolean constraints that are added to the Boolean formula representing the (bounded) computation of the design.…”

“…Our tool uses BMC to verify Verilog designs against specifications written in ANSI-C [5]. When a new device is designed, a "golden model" is often written in a programming language such as ANSI-C.…”

Specifying and verifying systems with multiple clocks