Hardware/Software Co-verification Using Path-based

Symbolic Execution by Mukherjee, Rajdeep et al.
ar
X
iv
:2
00
1.
01
32
4v
1 
 [c
s.F
L]
  5
 Ja
n 2
02
0
Hardware/Software Co-verification Using Path-based
Symbolic Execution
Rajdeep Mukherjee
Cadence Design Systems, USA
mrajdeep@cadence.com
Saurabh Joshi
IIT, Hyderabad
sbjoshi@iith.ac.in
John O’Leary
Intel Corporation, USA
john.w.oleary@intel.com
Daniel Kroening
University of Oxford, UK
kroening@cs.ox.ac.uk
Tom Melham
University of Oxford, UK
tom.melham@cs.ox.ac.uk
ABSTRACT
Conventional tools for formal hardware/software co-verification use
bounded model checking techniques to construct a single mono-
lithic propositional formula. Formulas generated in this way are ex-
tremely complex and contain a great deal of irrelevant logic, hence
are difficult to solve even by the state-of-the-art Satisfiability (SAT)
solvers. In a typical hardware/software co-design the firmware only
exercises a fraction of the hardware state-space, and we can use this
observation to generate simpler and more concise formulas. In this
paper, we present a novel verification algorithm for hardware/soft-
ware co-designs that identify partitions of the firmware and the hard-
ware logic pertaining to the feasible execution paths by means of
path-based symbolic simulation with custom path-pruning, property-
guided slicing and incremental SAT solving. We have implemented
this approach in our tool COVERIF. We have experimentally com-
pared COVERIFwith HW-CBMC, a monolithic BMC based co-verification
tool, and observed an average speed-up of 5× over HW-CBMC for
proving safety properties as well as detecting critical co-design bugs
in an open-source Universal Asynchronous Receiver Transmitter
design and a large SoC design.
1 INTRODUCTION
In modern embedded system development, software and hard-
ware components are designed and implemented in parallel. Hard-
ware/software co-verification is performed throughout the design
cycle to ensure that both components work correctly together.
Before Register Transfer Level (RTL) code exists for the hard-
ware components, engineers write abstract models of the proposed
hardware; such models are commonly known as Transaction Level
Models (TLM) [2]. TLMs are typically implemented using the Sys-
temC TLM library [20] or as plain C programs. TLMs capture
enough functionality of the hardware (HW) to enable executing and
debugging of the software (SW) or firmware (FW) before the RTL
is available [2, 3], but TLMs are always incomplete. Co-verification
of the TLM and the SW is typically performed by testing [1, 2]. We
use the term FW and SW interchangeably in this paper.
Once RTL coding for the hardware components is complete (that
is, post-RTL), hardware/software co-verification becomes more com-
plex. Unlike the TLM, which only captures limited design func-
tionality, the RTL code describes the cycle-accurate behavior of the
final HW, and contains many extra-functional artefacts related to
power, area, and timing. Because of the RTL’s detail and complex-
ity, the effectiveness of testing is severely limited in post-RTL co-
verification. Formal verification is mandatory to ensure correctness.
Note that whenever we refer to “hardware” from this point onwards,
we mean an RTL implementation and not a TLM.
The verification of SWwritten in C/C++ together with RTL coded
in Verilog/VHDL is very challenging. First, there is a timing mis-
match between the synchronous clock-driven HW model and asyn-
chronous event-driven SW model. For example, the FW running
on a processor could be much faster or slower than the HW model
it interacts with. Second, there are no standard languages or tech-
niques for specifying properties of HW/SW co-designs. Third, the
hardware is highly concurrent and the software are frequently multi-
threaded; leading to a large number of event interleavings to ana-
lyze. Finally, there are few automated formal HW/SW co-verification
tools that support co-designs implemented in C/C++ and Verilog.
Recently, Mukherjee et al. [15] presented a formal HW/SW co-
verification tool, called HW-CBMC, that constructs a combined HW-
SW model through in-tandem symbolic execution of the SW and
the RTL code. SAT-based Bounded Model Checking (BMC) [6] is
used to prove safety properties of the combined model. We will
refer to the combined HW-SW model as the co-verification model.
In this paper, we build on the observation that monolithic BMC
of the co-verification model leads to propositional SAT formulas
containing much irrelevant logic. The size and complexity of the for-
mulas pose difficulties for SAT solvers, making the approach inef-
fective for practical co-verification problems. An effective and prac-
tical co-verification solution must reason only about “relevant" in-
teractions between the SW and HW. The notion of relevance stems
from a few sources: 1) the property or co-specification to be proved,
2) the behavior of the software, and 3) environmental assumptions.
First, the co-specification in a HW/SW co-design captures the de-
sign intent that is to be verified. A scalable HW/SW co-verification
tool need only check those parts of the co-verification model that
pertain to the given co-specification model. Second, the SW in a
typical HW/SW co-design only exercises a fragment of the HW
state-space [8, 18, 19]. Formal tools may use this fact to verify only
the HW functionality exercised by the SW, ignoring or abstracting
the rest. This approach can generate much simpler and concise for-
mulas than those arising in monolithic BMC –most importantly, for-
mulas that are more readily solved by state-of-the-art SAT solvers.
Finally, assumptions about the environment of a HW/SW co-design
may be exploited to further constrain the verification state-space.
In this paper, we present a novel verification algorithm for HW/SW
co-designs that identifies partitions of the SW and the HW logic
pertaining to the feasible execution paths by means of path-based
symbolic execution with custom path-pruning, property-driven slic-
ing, and incremental SAT solving (see Section 3). We employ these
techniques in our tool COVERIF to demonstrate that the domain-
specific optimizations in COVERIF lead to more scalable reasoning
for HW/SW co-designs compared to HW-CBMC.
1.1 Contributions
In this paper, we present a novel verification algorithm for HW/SW
co-designs called, COVERIF, using path-based symbolic simulation
with custom path-pruning, property-guided slicing, and incremen-
tal SAT solving techniques. COVERIF supports HW designs in Ver-
ilog RTL (IEEE SystemVerilog 2005 standards) and SW in ANSI-C
(C89, C99 standards). We experimentally compare two approaches
for formal HW/SW co-verification – 1) the monolithic approach
used in HW-CBMC, and 2) the path-based approach of COVERIF.
We study an open-source Universal Asynchronous Receiver Trans-
mitter (UART) design and a large SoC design, and we find that
COVERIF is 5× faster than HW-CBMC for proving safety properties
as well as for detecting critical co-design bugs.
2 WORKING EXAMPLE
Figure 1 gives a fragment of a SW driver for a UART design. The
main module of the UART SW, shown on the right side of Figure 1,
begins by resetting the UARTHWwhich is followed by awb_idle()
function (explained next). The SW implements Linux style inb()
and outb() functions which further invoke the wb() class of func-
tions to communicate with the UART HW. The SW then configures
the UART in loopback mode using outb() function calls. The wb()
class of interface functions, shown on the left side of Figure 1, com-
municate with the wishbone bus interface to set/reset (wiggle) the
UART input ports and read/write data through the bus interface. The
calls to the top-level UART module is represented by UART_top()
function. We verify that the transmitted data is the same as the re-
ceived data in the loopback mode. To do so, we place an assertion
given by the assert() statement (marked in red) inside the main
logic of the UART SW, on the right-side of Figure 1.
3 PROPOSEDMETHODOLOGY
Figure 2 shows our proposed verification methodology, as imple-
mented in COVERIF. We now describe each step in detail.
Step 1: Generating Software Netlist from HW A HW circuit,
given in Verilog RTL, is automatically synthesized into a cycle-
accurate and bit-precise software netlist [14, 16, 17] model follow-
ing synthesis semantics. The software netlist model is represented
as a C program 1 which retains the word-level structure as well as
module hierarchy of the Verilog RTL. In contrast with conventional
RTL synthesis into a netlist, our software netlist exists solely to
facilitate hardware/software co-verification. Figure 3 shows an ex-
ample of Verilog RTL circuit containing both sequential and combi-
national elements. Column 2,3 in Figure 3 shows the formal seman-
tics of the Verilog RTL and the synthesized HW respectively. The
equivalent software netlist model is shown in column 4.
1http://www.cprover.org/hardware/v2c/
Wishbone Interface Main Module
typedef unsigned char u8;
unsigned char inb
(unsigned long port) {
return wb_read(port);
}
void outb (u8 value,
unsigned long port) {
wb_write(port, value);
}
void wb_reset(void) {
rst_i = 1;
UART_top();
rst_i = 0;
stb_i = 0;
cyc_i = 0;
}
void wb_idle() {
UART_top();
}
void wb_write(_u32 addr,
_u8 b) {
adr_i = addr;
dat_i = b;
we_i = 1;
cyc_i = 1;
stb_i = 1;
UART_top();
we_i = 0;
cyc_i = 0;
stb_i = 0;
}
int main() {
wb_reset();
wb_idle();
// Configure the uart
outb (0x13, UART_MC);
outb (0x80, UART_CM3);
outb (0x00, UART_CM2);
outb (0x00, UART_CM1);
outb (0x00, UART_CR);
outb (0x03, UART_IE);
char tx_b[] = "Hello world";
_u8 status = 0;
char rx_b[100];
int i=0,c=0,d=0;
// data transfer in loopback
for (i=0; i<1990; i++){
if (irq_o){
status=inb(UART_IS)&0x0c;
if(istatus==0x0c){
//it was a tx_empty interrupt
outb(*(tx_b+c),UART_TR); c++;
}
else{ //status==0x04
//it was an rx_data interrupt
rx_b[d] = inb(UART_TR); d++;
}
}else {
// no interrupt.
wb_idle();
wb_idle();
}
}
// property
for(i=0; i<=10; i++)
assert(rx_b[i] == tx_b[i]);
}
Figure 1: Software driver of UART
Verification Conditions
Successful
Verification 
HW RTL
(in C)
Firmware
Infeasible 
Path Pruning
Incremental 
SAT solving
Verification Failed
(Counterexample)
CFG
Property
(ψ )
Software-netlist
(SN)
Sliced
(in Verilog)
Path-wise Exploration
Property-driven
Model
Co-verification
SAT/SMT Solver
Sequentialization
slicing
Co-verification
Sequential
Model Mseq
Figure 2: Path-based HW/SW Co-verification Flow in COVERIF
Step 2: Sequentializing Interactions of Firmware and Soft-
ware Netlist Concurrency is a key problem for co-verification. Test-
ing concurrent threads requires exploring all possible interleavings
between HW and SW threads. The number of interleavings could
potentially be exponential. However, we observe a specific inter-
action pattern, which resembles a producer-consumer relationship.
That is, a FW thread is mostly independent of the HW thread it
interacts with [1, 2]. Specifically, a FW thread is only responsible
for configuring the HW by writing to memory mapped registers,
2
Verilog Formal Semantics Synthesized Hardware Software netlist
module t o p ( c lk , a ) ;
input c lk , a ;
reg b , d , e ;
wire c , cond ;
a s s i gn c = e ? 1 ' b0 : d ;
a s s i gn cond = a ;
always @( posedge c l k )
beg in
b<=a ;
i f ( cond && b )
e<=b ;
e l s e
e <=0;
d<=c ;
end
endmodule
Combinational Logic
∀t , c(t) = i f e(t) then 0 else d(t)
∀t , cond(t) = a(t)
Sequential Logic
∀t , b(t + 1) = a(t)
∀t , e(t + 1) = i f (cond(t) ∧ b(t)) then b(t) else 0
∀t , d(t + 1) = c(t)
e
a
cond
d
b
0
0
c
s t r u c t s t a t e _ e l em e n t s _ t o p {
unsigned i n t b , d , e ; } ;
s t r u c t s t a t e _ e l em e n t s _ t o p u1 ;
vo id t o p ( _Bool c lk , unsigned a ) {
_Bool c , cond ;
_Bool b_o ld=u1 . b , d_o ld=u1 . d ;
_Bool e_o ld =u1 . e ;
cond = a ;
c = ( u1 . e ) ? 0 : u1 . d ;
u1 . b = a ;
i f ( cond && b_o ld )
u1 . e = b_o ld ;
e l s e
u1 . e = 0 ;
u1 . d = c ;
}
Figure 3: Circuit to Software Netlist
or polling the interrupt status register for data transmission, or re-
ceiving incoming data packets. Furthermore, we observe producer-
consumer interaction patterns in many practical industrial co-designs
from IBM [8, 18, 19], RockBox Media Player [1], and others co-
designs. In this paper, we verify co-designs that exhibit producer-
consumer interaction behavior. A co-verification model, Mseq , is
constructed through sequential composition of the FW and its inter-
acting software netlist.
Step 4: Property Driven Slicing of Co-verification Model A
property-driven slicing is performed on the unified co-verification
model, Mseq . This step is purely syntactic, meaning that we per-
form a backward dependency analysis starting from the property
which only preserve those program fragments that are relevant to a
given property. The sliced program is then passed to the symbolic
execution engine for path-based exploration.
Step 5: Co-verification Using Path-based Symbolic Execution
Given a co-verification model,Mseq , a scenario, S typically repre-
sented by assume properties, and a co-design property expressed
as assert(c) (where c is a condition stated in terms of variables
in Mseq) as input, COVERIF performs path-based exploration of
Mseq to automatically check its validity using backend solvers. If
the condition c does not hold, then Mseq is said to have violated
the property.
A typical path-based symbolic execution engine might explore
a path until it come to an assert(c) statement. This whole path can
then be posed as a query to a SAT solver to see if the assertion is
violated at that point. If the path is infeasible, the assertion holds
trivially. If a large number of paths are infeasible, symbolic execu-
tion may waste time exploring them. COVERIF employs an eager
infeasibility check to prune infeasible paths, as well as incremental
encoding that makes it easier for the underlying SAT solver.
Alg. 1 shows the overall algorithm of COVERIF. States men-
tioned in the algorithm are all symbolic states, which are quantifier-
free predicates characterizing a set of program states. Symbolic ex-
ecution starts with an initial symbolic state I (x), is a quantifier-free
predicate over program variables x, and the first statement stmt
to be executed. Note that we assume all program variables have
finite bit-width and thus can be represented as bit-vectors. Every
statement acts as a state transformer during the symbolic execu-
tion. worklist maintains the set of symbolic states, along with the
corresponding stmt that should execute next. Assumptions can be
Algorithm 1: Co-verification Using Path-based Symbolic Exe-
cution
input :Co-verification Model Mseq with properties specified with
asser t (c), scenario specified with assume(c)
output :The status (Safe or Unsafe) and a counterexample if
Unsafe
/* The initial state */
1 S0 ← I (x )
2 stmt ← first statement
3 worklist .put (〈S0, stmt 〉)
4 while notworklist .empty() do
5 〈S, stmt 〉 ← worklist .дet ()
6 if stmt is an assume(c) then
7 stmt ← statement after assume(c)
8 if is Feasible(S ∧ c) thenworklist .put (〈S ∧ c, stmt 〉)
9 else if stmt is a branch with condition c then
10 stmtf ← first statement after stmt if branch is not taken
11 stmtt ← first statement after stmt if branch is taken
12 if is Feasible(S ∧ c) thenworklist .put (〈S ∧ c, stmtt 〉)
13 if is Feasible(S ∧ ¬c) then
worklist .put (〈S ∧ ¬c, stmtf 〉)
14 else if stmt is an asser t (c) then
15 stmt ← statement after asser t (c)
16 if is Feasible(S ∧ ¬c) then
17 print Unsafe
18 return Counterexample
19 end
20 else worklist .put (〈S ∧ c, stmt 〉)
21 else
22 S ← symex (S, stmt )
23 stmt ← the next statement in control flow after stmt
24 if stmt , ⊥ thenworklist .put (〈S, stmt 〉)
25
26 end
27 return Safe
28 end
specified in the program using assume(c) statements, where c is the
condition expressed in terms of program variables. Assumptions re-
strict the search to only those states for which the condition c holds
3
at the program point where assume(c) is encountered. For exam-
ple, suppose (x! = 0) characterizes the set of states that has been
discovered to be reachable so far by a verification tool. Here, x is
a program variable. Upon encountering assume(x > 0), the set of
states reachable at the point of assumption is shrunk to only those
that satisfy (x > 0). A user can specify assumptions to restrict the
verification to only certain regions of the program’s state space.
COVERIF performs a feasibility check at an assume statement
or a branch (Line 6 and 9) to ensure that only feasible symbolic
states are kept in the worklist . This ensures that the infeasibility
is detected as early as possible. If an assertion is violated, then a
counterexample is detected and Alg. 1 terminates (Line 14). In all
other cases, symex(S, stmt) performs one step of symbolic execu-
tion by executing stmt from the symbolic state S (Line 22). If no
further statement remains to be executed along the path that is be-
ing explored, then stmt is assigned the value ⊥. The symbolic state
is put in the worklist only if there are further statements remaining
(Line 24).
The feasibility checks shown as isFeasible pose a query to the
underlying SAT solver. Note that Alg. 1 does not refer to how the
methods worklist.put and worklist.get work. In principle, one can
use any search heuristic to select which symbolic state to explore
further from the worklist. In the current version COVERIF employs
a depth first strategy of exploration.
Apart from the eager infeasibility check, another crucial opti-
mization is the use of incremental SAT solving. During the sym-
bolic execution, only one solver instance is maintained while going
down a single path. Thus, when making a feasibility check from one
branch b1 to another branch b2 along a single path, only the program
segment from b1 to b2 is encoded as a constraint and added to the
existing solver instance. This results in speeding up the process of
feasibility check of the symbolic state at b2 as the feasibility check
at b1 was true. A new solver instance is used to explore a different
path, after the current path is detected as infeasible.
The eager infeasibility check restricts the search to explore only
those SW/HW interactions which are feasible under a given sce-
nario. In our experiments, we find this optimization has a large ef-
fect on runtimes. Though COVERIF poses many queries to the SAT
solver, each query is relatively simple due to two reasons: the re-
sultant formula encodes only a single path, and exploration along
a path only needs to encode and solve for the path segment (along
with the existing constraints) from the last point of query.
4 HW-CBMC: MONOLITHIC HW/SW
CO-VERIFICATION
We briefly describe the working of the HW-SW co-verification tool,
HW-CBMC. In contrast to the path-based approach, in HW-CBMC,
the symbolic execution of HW and SW models are clearly sep-
arate and the two flows meet only at the solver phase, where a
complex monolithic formula is generated in Conjunctive Normal
Form (CNF) from the HW and SW designs. This complex formula
is passed on to the solver for verification purpose. Furthermore, HW-
CBMC provides specific handshake primitives such as next_time f rame()
and set_inputs() to model FW-HW communications.
5 PROPERTIES
Lack of support for property specifications in a HW/SW co-design
is one of the stumbling blocks for the application of formal tech-
niques in co-verification. We express a co-design property in C lan-
guage, which is discussed next.
Figure 4 shows an example of a temporal property for the UART
HW. The System Verilog Assertion (SVA) is shown on the left and
the equivalent property in C semantics is shown on the right. The
temporal delay (##2) of the SVA on the left is simulated by the
calls to the top-level UART module in the software netlist, which is
represented by UART_top() function in the right column. Figure 5
System Verilog Assertions Assertion (in C)
P1 : a s s e r t p r o p e r t y
(@( posedge c l k )
ack == 1|−>
( v a l i d == 1 &&
##2 empty == 0 ) ) ;
boo l P r op e r t y _P1 ( ) {
a s s e r t ( ! ack | | v a l i d ) ;
UART_top ( ) ;
UART_top ( ) ;
a s s e r t ( empty ==0) ; }
Figure 4: Sample property of UART HW
shows few examples of co-design properties that specify the inter-
action between the FW and HW components of the UART design.
In Property_P2(), the SW event outb(UART_TR, 0x0c) triggers the
HW event ack_o (marked in bold) after one clock cycle. Whereas
in Property_P3(), the antecedent tx_empty() is a HW event and
send_data is a SW event (marked in bold).
HW/SW Co-specification
boo l P r op e r t y _P2 ( ) {
i f ( ou tb (UART_TR ,0 x0c ) ) {
UART_top ( ) ;
a s s e r t ( ack_o==1 ) ; } }
boo l P r op e r t y _P3 ( ) {
a s s e r t ( ! t x_empty ( ) | |
( ( send_data&0x1 )==1) ) ;
}
Figure 5: Properties capturing FW/HW interactions
6 EXPERIMENTAL RESULTS
We report experimental results for SW-HW co-verification of a
UART and a SoC design. All our experiments were performed on
an Intel Xeon 3.0GHz machine with 48GB RAM. All times re-
ported are in seconds. The timeout for all our experiments was set
to 2 hours. The performance of bit-level and word-level flow in HW-
CBMC are similar. So, we only report bit-level results for HW-CBMC.
MiniSAT-2.2.0 [7] was used as underlying SAT solver with HW-
CBMC and COVERIF. The focus of our experiments is to compare
the performance of COVERIF against HW-CBMC for verification of
an UART design and a SoC design. We distribute our tool COV-
ERIF, along with the HW/SW co-design benchmarks here 2.
Comparison with Other HW/SW Co-verification Tools:Despite
extensive use of model checking and other formal methods in SW
verification or HWverification domain, building automated HW/SW
co-verification tools using formal methods has received little atten-
tion in the past. Other than HW-CBMC [15], we are not aware of
any other automated formal co-verification tool in the literature that
can readily accept co-designs written in C/C++ and Verilog RTL.
Hence, we only compare our results with HW-CBMC in this paper.
2https://drive.google.com/open?id=1Y2HkfIWwf6YkJgl24OXrA-dG2rX-92bm
4
Circuit Verilog Latches(L)/ Input Output GATE Firmware
LOC FF Ports Ports Count (LOC)
Universal Asynchronous Receiver Transmitter
UART 1200 356 12 9 413 528
System-On-a-Chip
SoC 3567 840 14 11 945 734
Table 1: Design statistics for UART and SoC Design
6.1 HW/SW co-verification of UART
About UART: A UART core is used for asynchronous transmission
and reception of data which provides serial communication capabil-
ities with a modem or other external devices. The UART is com-
pliant with industry standards for UART and interfaces with the
wishbone bus. The design statistics for UART is shown in Table 1.
The UART core is configured in 3 different operating modes, namely–
transmission without interrupt enabled (Scenario A), transmission
with interrupt enabled (Scenario B) which transmit non-deterministic
data through the serial output while the receiver module is inactive.
In Scenario C, the UART is configured in loopback mode with in-
terrupt enabled in which both the transmitter and the receiver are
active. The data-width varies in each mode, ranging from 8 bits to
64 bits.
Discussion of Result: Table 2 reports the run times for bounded
safety proofs of co-design properties in UART core. Column 1 in
Table 2 gives the name of the scenario, Column 2 gives the max-
imum loop unroll bound of the firmware, column 3-7 present the
runtime using HW-CBMC, total/feasible path counts, COVERIF, re-
spectively. Table 2 shows that COVERIF dominates HW-CBMC in
all scenarios (marked in bold). COVERIF is on average 8× faster
than HW-CBMC, both for proving safety as well as detecting bugs.
Thus, COVERIF outperforms HW-CBMC in all scenarios.
We verified a total of 39 properties of the UART design. Table 2 re-
ports some of the representative properties. In Scenario A and sce-
nario B, we verified whether the transmitted data (32-bit or 64-bit)
is available through the serial output port after a pre-determined
number of clock cycles. In both of the configurations, COVERIF
is able to prune the receiver logic since the SW only exercises
the transmitter module by appropriately configuring the memory-
mapped registers. In Scenario C, we verified whether the transmit-
ted data matches the data received when the UART is configured in
loopback mode. We found several bugs in the open source UART
obtained from http://www.opencores.org. The bottom part of Ta-
ble 2 reports the runtimes for detecting data-path and control-path
bugs.
6.2 HW/SW Co-verification of System-on-Chip
About the SoC: We obtained an open source System-on-Chip de-
sign from [21]. It consists of an 8051 micro-controller, a memory
arbiter, an external memory (XRAM) and cryptographic accelera-
tors, as shown in Figure 6. The design statistics for SoC is given in
Table 1. The accelerator implements encryption/decryption using
the Advanced Encryption Standard (AES). A separate module that
interfaces the AES to the 8051 micro-controller using a memory-
mapped I/O interface. The micro-controller communicates with the
Monolithic Path-based Verification
Scenario Bound HW-CBMC COVERIF Results
Bit-level Total/Feasible %-age Mseq Safe/Unsafe
Time Paths Pruning Time
non-deterministic data but deterministic control (Scenario A)
transmit (32) 250 15.02 247104/224 99.90 1.13 Safe (ψc )
transmit (64) 500 23.87 247104/324 99.86 1.61 Safe (ψt )
non-deterministic data and non-deterministic control (Scenario B)
trans_intr (32) 250 14.86 247104/295 99.88 1.49 Safe (ψt )
trans_intr (64) 500 24.14 247104/362 99.85 1.81 Safe (ψt )
non-deterministic data and non-deterministic control (scenario C)
loopback (8) 230 52.06 247104/354 99.85 3.95 Safe (ψt )
loopback (16) 500 122.12 247104/690 99.72 12.89 Safe (ψc )
loopback (32) 650 170.62 247104/1282 99.48 21.85 Safe (ψc )
loopback (64) 1300 409.71 247104/2566 98.96 62.31 Safe (ψt )
detecting data-path bugs in transmission mode w/o interrupt
transmit (64) 520 28.43 247104/324 99.86 1.12 Unsafe (ψt )
detecting control bugs with interrupt enabled
transmit (64) 520 31.35 247104/362 99.85 1.05 Unsafe (ψc )
detecting control bugs in loopback mode
loopback (64) 1300 443.15 247104/2566 98.96 62.34 Unsafe (ψt )
Table 2: Verification of UART (All time in seconds)
8051 Microcontroller
REG ALU
RAM
ROM
XRAM
ARBITER
AES SHAI
np
ut
/O
ut
pu
t P
or
ts
Figure 6: SoC Design obtained from [21]
Bound Monolithic Path-based Verification
Scenario HW-CBMC COVERIF Result
Bit-level Netlist Mseq Safe/Unsafe
Time (seconds) Time (seconds)
non-deterministic data and non-deterministic control
data_transfer 20 86.18 17.42 Safe (ψt )
AES_feedback 30 102.92 56.29 Safe (ψc )
non-deterministic data and non-deterministic control
write_XRAM 20 92.63 14.78 Unsafe (ψc )
DMA 32 128.63 68.19 Safe (ψt )
Table 3: Verification times for SoC Design (All time in Seconds)
accelerators and the XRAM by reading or writing to XRAM ad-
dresses. The arbitration of these module is done by the memory
arbiter module. The FW initiates the operation in the SoC by first
writing to an initial memory-mapped register. The FW implements
Linux-style inb() and outb() functions calls, which are used to com-
municate with the HW ports. The FW writes a sequence of non-
deterministic data to the XRAM port and then reads the data from
the same port. The cryptographic accelerators use direct memory
access to fetch the data from the external memory. The completion
of the operation is determined by polling the appropriate memory-
mapped registers in the FW.
Discussion of Result: Table 3 gives the runtimes for the bounded
safety proofs of the SoC design. Column 1 gives the name of the
scenario, column 2 report the maximum loop unroll bound of the
FW. Column 3-5 present the verification runtimes using HW-CBMC,
COVERIF and the verification outcome respectively. The result in
Table 3 shows that COVERIF is approximately 2× faster than HW-
CBMC for proving safety. For detecting bugs, the speedup is 6× for
5
COVERIF over HW-CBMC. In the case of SoC scenario (data_transfer),
the SW exercises only the micro-controller and transfer sequence of
bytes to the XRAM port bypassing peripherals connected to other
ports such as hardware accelerator. This scenario allows path-based
symbolic execution engine in COVERIF to prune the logic for the
accelerator and generate only relevant verification conditions for the
micro-controller and XRAM. It is important to note that forward
symbolic execution without these optimizations timeout for all the
benchmarks.
We verifies a total of 19 properties for the SoC co-design. Due to
space limitations, we report 4 representative properties in Table 3.
We check whether the acknowledgement for data transmission and
data reception arrives from the micro-controller in the correct cycle.
We verify whether the non-deterministic data transmitted through
outb() is the same as the data received through inb(). We also verify
that reading/writing to the appropriate memory-mapped registers
produce the correct result during the data transmission phase. We
found one critical control bug in the SoC design. The bug is man-
ifested when memory arbiter hardware wrongly arbitrates the port
selection thereby forcing the write strobe for the external RAM to
be LOW. This violates the data transfer protocol in the SoC design.
7 LIMITATIONS OF PROPOSED APPROACH
The primary motivation for constructing a sequential single threaded
unified co-verification model is to avoid enumerating exponential
number of interleavings between the HW and SW threads. We have
shown that this is extremely beneficial for co-designs that exhibits
producer-consumer relationship. Such interaction pattern is preva-
lent in many practical co-designs [1, 8, 18, 19]. However, the pro-
posed verification approach is not applicable for co-designs that ex-
hibits true concurrency [5], that is, when a SW and its interacting
HW threads do not exhibit producer-consumer relationship. In this
case, it is imperative to consider all possible interleavings between
participating threads in an efficient manner.
8 RELATEDWORK
Previous work [2, 3, 9, 22] for co-verification have addressed the
problem at the pre-RTL phase. However, we address the co-verifi-
cation problem at the post-RTL phase [11, 13] where a key risk is
divergence of the HW RTL from the behavior expected by the SW.
Generating a unified co-verification model is a well-known tech-
nique in HW/SW co-verification. Notably, Kurshan et al. modeled
HW and SW using finite state machines [10], Monniaux in [12]
modeled HW and SW as C programs which are formally push-
down systems (PDS), Li et al. in [11] used Buchi Automata to
abstractly model a hardware and PDS to abstractly model a soft-
ware to generate a unified SW-HW model, called Buchi Pushdown
System (BPDS). In this paper, we construct a unified sequential co-
verification model in C language.
Common practice in industry for system-level co-verification is
to either use emulators/accelerators or Instruction Set Simulators
(ISS) [4]. However, no rigorous formal verification effort is per-
formed at the post-RTL phase to ensure the validity of the SW-HW
interactions.
9 CONCLUDING REMARKS
In this paper, we presented a formal HW/SW co-verification tool
called COVERIF. In a typical HW/SW co-design, the software only
exercises a fragment of the HW state-space. This renders many in-
teractions between HW and SW modules infeasible. Our general
observation is that the bounded model checking technique in HW-
CBMC cannot prune irrelevant logic, and hence generates formulas
that are extremely difficult to solve with a SAT/SMT solver. In con-
trast, the path-based exploration strategy in COVERIF is able to au-
tomatically prune design logic with respect to a given configuration
(scenario), owing to domain-specific optimizations such as eager
path pruning combined with incremental SAT solving and property-
guided slicing. Our experiments show that COVERIF is on average
5× faster than HW-CBMC for proving safety as well as for finding
critical bugs. In the future, we plan to extend COVERIF to support
HW/SW co-designs that exhibit further interaction patterns as well
as implement efficient domain-specific path-merging techniques.
REFERENCES
[1] S. Ahn and S. Malik. Modeling firmware as service functions and its application
to test generation. In HVC, pages 61–77, 2013.
[2] S. Ahn and S. Malik. Automated firmware testing using firmware-hardware in-
teraction patterns. In CODES+ISSS, pages 1–25, 2014.
[3] S. Ahn, S. Malik, and A. Gupta. Completeness bounds and sequentialization for
model checking of interacting firmware and hardware. In CODES+ISSS, pages
202–211, 2015.
[4] J. Andrews. Co-verification of Hardware and Software for ARM SoC Design.
Elsevier, 2004.
[5] J.-M. Bergé, O. Levia, and J. Rouillard. Hardware/Software Co-design and Co-
verification. Springer, 1997.
[6] A. Biere, A. Cimatti, E. M. Clarke, O. Strichman, and Y. Zhu. Bounded model
checking. Advances in Computers, 58:117–148, 2003.
[7] N. Eén and A. Biere. Effective preprocessing in SAT through variable and clause
elimination. In SAT, pages 61–75, 2005.
[8] H. Giefers, R. Polig, and C. Hagleitner. Accelerating arithmetic kernels with
coherent attached FPGA coprocessors. In DATE, pages 1072–1077, 2015.
[9] A. Horn, M. Tautschnig, C. G. Val, L. Liang, T. Melham, J. Grundy, and
D. Kroening. Formal co-validation of low-level hardware/software interfaces.
In FMCAD, pages 121–128, 2013.
[10] R. P. Kurshan, V. Levin, M. Minea, D. A. Peled, and H. Yenigün. Combining
software and hardware verification techniques. FMSD, 21(3):251–280, 2002.
[11] J. Li, F. Xie, T. Ball, V. Levin, and C. McGarvey. An automata-theoretic approach
to hardware/software co-verification. In FASE, pages 248–262, 2010.
[12] D. Monniaux. Verification of device drivers and intelligent controllers: a case
study. In EMSOFT, pages 30–36, 2007.
[13] R. Mukherjee, P. Dasgupta, A. Pal, and S. Mukherjee. Formal verification of
hardware/software power management strategies. In VLSI, pages 326–331, 2013.
[14] R. Mukherjee, D. Kroening, and T. Melham. Hardware verification using soft-
ware analyzers. In ISVLSI, 2015.
[15] R. Mukherjee, M. Purandare, R. Polig, and D. Kroening. Formal techniques for
effective co-verification of hardware/software co-designs. In Proceedings of the
54th Annual Design Automation Conference, DAC 2017, Austin, TX, USA, June
18-22, 2017, pages 35:1–35:6, 2017.
[16] R. Mukherjee, P. Schrammel, D. Kroening, and T. Melham. Unbounded safety
verification for hardware using software analyzers. In DATE, 2016.
[17] R. Mukherjee, M. Tautschnig, and D. Kroening. v2c – a Verilog to C translator.
In TACAS, LNCS. Springer, 2016.
[18] R. Polig, K. Atasu, L. Chiticariu, C. Hagleitner, H. P. Hofstee, F. R. Reiss, H. Zhu,
and E. Sitaridi. Giving text analytics a boost. Micro, 34(4):6–14, 2014.
[19] R. Polig, K. Atasu, H. Giefers, and L. Chiticariu. Compiling text analytics
queries to FPGAs. In FPL, pages 1–6, 2014.
[20] A. Rose, S. Swan, J. Pierce, and J. Fernandez. Transaction level modeling in
SystemC. In Open SystemC Initiative, 2005.
[21] P. Subramanyan, Y. Vizel, S. Ray, and S. Malik. Template-based synthesis of
instruction-level abstractions for SoC verification. In FMCAD, pages 160–167,
2015.
[22] F. Xie, G. Yang, and X. Song. Component-based hardware/software co-
verification. In MEMOCODE, pages 27–36, 2006.
6
