Jörg Bormann

Unbounded Protocol Compliance Verification Using Interval Property Checking With Invariants

We propose a methodology to formally prove protocol compliance for communication blocks in System-on-Chip (SoC) designs. In this methodology, a set of operational properties is specified with respect to the states of a central finite state machine (FSM). This central FSM is called main FSM and controls the overall behavior of the design. In order to prove a set of compliance properties, we developed an approach that combines property checking on a bounded circuit model with an approximate reachability analysis. The property checker determines whether a property is valid for an arbitrary state of the design regardless of its reachability. In order to avoid false negatives, reachability constraints are added to the property, which are generated by an approximate FSM traversal algorithm. We show how the existence of a main FSM can be exploited systematically in the reachability analysis and how to partition both the transition relation and the state space such that the computational complexity is reduced drastically. This makes formal verification of protocol compliance tractable even for large designs with several thousand state variables. Our approach has been applied successfully to verify several industrial designs.

Analyzing k -step induction to compute invariants for SAT-based property checking

This paper proposes enhancements to SAT-based property checking with the goal to increase the spectrum of applications where a proof of unbounded validity of a safety property can be provided. For this purpose, invariants are computed by reachability analysis on an abstract model. The main idea of the paper consists in a BDD-based analysis of k-step-induction on the abstract model and its use to guide a step-wise refinement process of the initial abstraction. The property is then proven on a bounded model of the original design using the computed invariant. The new approach has been applied to formally verify industrial SoC modules. In our experiments, we consider particularly difficult verification tasks occurring in the context of protocol compliance verification using generic, transaction-style verification IPs. In our experiments, numerous properties are proven which either required substantial manual interaction in previous approaches, or cannot be proven at all by other methods available to us.

A computational model for SAT-based verification of hardware-dependent low-level embedded system software

This paper describes a method to generate a computational model for formal verification of hardware-dependent software in embedded systems. The computational model of the combined HW/SW system is a program netlist (PN) consisting of instruction cells connected in a directed acyclic graph that compactly represents all execution paths of the software. The model can be easily integrated into SAT-based verification environments such as those based on Bounded Model Checking (BMC). The proposed construction of the model, however, allows for an efficient reasoning of the SAT solver over entire execution paths. We demonstrate the efficiency of our approach by presenting experimental results from the formal verification of an industrial LIN (Local Interconnect Network) bus node, implemented as a software driver on a 32-bit RISC machine.

A re-use methodology for formal SoC protocol compliance verification

We propose a new methodology for formally specifying on-chip bus protocols and for verifying protocol compliance of communication blocks in System-on-Chip (SoC) designs. In this methodology, the bus protocol is specified in a design-independent way by a set of protocol compliance properties based on a generic recorder finite state transition system. The properties are verified by combining local reachability analysis with a SAT-based property checking approach. This approach is called interval property checking and is based on a bounded circuit model generated from the design and the recorder. The proposed methodology clearly differentiates between design-specific and protocol-specific aspects of the overall verification task and exploits the nature of typical SoC protocol specifications and implementations. In this way, the proposed methodology contributes to reaching two important goals: making the computational complexity of formal verification algorithms tractable for large designs and reducing the manual effort of applying formal methods in industrial practice. Our approach has been applied successfully on several industrial designs.

Formal plausibility checks for environment constraints

Functional verification of a System-On-Chip (SoC) module requires that the legal behavior of its environment is modeled as part of the verification IP. In early stages of the SoC design process so called environment constraints are used for this purpose. As long as a complete implementation of the environment is not yet available these constraints restrict the inputs of the device under verification to reasonable values. Using such constraints during functional verification, however, imposes a high risk that legal environment behavior is pruned away. In this case some faulty behavior of the DUV may not be stimulated, i.e., the constraints may mask a bug. Since the individual modules of an SoC are usually developed simultaneously it may not be possible to check the constraints against the environment of a module before integration. Detecting verification gaps due to overconstrained environment assumptions at this late stage of the design process, however, requires a step back into module verification and may compromise project closure. In order to overcome this bottleneck of the verification flow we suggest two efficient plausibility checks for constraints that can be conducted without a concrete implementation of the considered environment. Our experimental results show that the proposed techniques detect issues that would otherwise remain undetected at least until module integration. The tests are applicable in both formal and constrained random verification environments.

Coverage of compositional property sets under reactive constraints

Designs of Systems-on-Chip (SoC) modules can be comprehensively verified by property checking together with different coverage metrics. Some of these coverage criteria measure whether or not the property set fully describes the functional behavior of the design under verification. Making coverage statements with formal precision, however, is a difficult task, especially, in compositional verification approaches where the legal behavior of a modules environment is modeled through reactive environment constraints. In this paper, we address the validity of certain coverage criteria for property suites of individual SoC modules when composing these modules into a system. In particular, we provide a compositional reasoning framework determining that a system is “completely” verified if all modules are verified with Complete Interval Property Checking (C-IPC) under reactive constraints. Our method discovered issues that could not be detected by the verifications and coverage statements of the submodules alone.