Abstract-In the digital signal processing (DSP) area, one of the most important tasks is digital filter design. Currently, this procedure is performed with the aid of computational tools, which generally assume filter coefficients represented with floating-point arithmetic. Nonetheless, during the implementation phase, which is often done in digital signal processors or field programmable gate arrays, the representation of the obtained coefficients can be carried out through integer or fixed-point arithmetic, which often results in unexpected behavior or even unstable filters. The present work addresses this issue and proposes a verification methodology based on the digital-system verifier (DSVerifier), with the goal of checking fixed-point digital filters w.r.t. implementation aspects. In particular, DSVerifier checks whether the number of bits used in coefficient representation will result in a filter with the same features specified during the design phase. Experimental results show that errors regarding frequency response and overflow are likely to be identified with the proposed methodology, which thus improves overall system's reliability.
I. INTRODUCTION
Digital Filters with finite impulse response (FIR) or infinite impulse response (IIR) are used in different areas, such as digital signal processing (DSP), control systems, telecommunications, medical instrumentation, and consumer electronics. In general, such applications vary from simple frequency selection and adaptive filters to equalizers and filter banks, whose objective is to modify the characteristics of a certain signal, in accordance with pre-established requisites.
Digital filter design follows an abundant mathematical theory, both in frequency and time domains, and is usually realized with tools as MATLAB [1] , which normally assume fixed-or floating-point precision. Nonetheless, there can be a great disparity between a filter design and its practical implementation. For instance, many projects are implemented in digital signal processors (DSPS) or field programmable gate arrays (FPGA), which can employ finite precision, based on fixed-point arithmetic (with lower cost and complexity), whereas the associated design usually assume floating-point precision.
This difference has the potential of generating undesirable effects regarding a filter's frequency response, both in phase and magnitude, in addition to problems as overflow and instability. Such behavior is due to quantization errors caused by finite precision, which result in coefficients that are different from the ones originally designed. As a result, there might be questions, in the implementation phase, regarding the effectiveness of digital filters and the number of bits needed for their representation, in such a way that design parameters are also satisfied.
This article presents a verification methodology for digital filters with fixed-point implementation, based on the Efficient SMT-Based Context-Bounded Model Checker (ESBMC), which employs Bounded Model Checking (BMC) techniques and Satisfiability Modulo Theories (SMT) [3] , [4] . Such an approach indicates, according to previously defined filter parameters, if the chosen number of bits is sufficient and does not lead to unexpected errors or behaviors. The main advantage of this approach, over other filter analysis techniques [5] , [6] , is that model-checking tools can provide precise information on how to reproduce errors (for instance, system input values) through counterexamples.
In order to apply the proposed methodology to digital filter verification, the Digital System Verifier (DSVerifier) tool was used, which is a front-end tool for the verification of different types of digital systems, with the aid of BMC techniques. An implementation written in C was developed and integrated into DSVerifier [17] , [18] , because it was unable to support the verification of filter-specific properties, such as magnitude and phase, prior to this work. Various kinds of practical digital filters were used for verification, with the goal of validating them against real designs. As a result, such a verifier, together with traditional design tools, provide a complete digital filter synthesizing scheme, according to application conditions. Indeed, the present approach is effective in verifying magnitude and phase responses, which provides an analysis deeply based on DSP theory and fills gaps presented in the existing literature. The performed experiments are based on a set of publicly available benchmarks. 2 This work is organized as follows. Section II presents the verification schemes available in the literature, highlighting its main characteristics. In section III, the BMC technique is presented. Then, in section IV, the proposed method is described, and section V presents the simulations results. Finally, the conclusions are set out in section VI.
II. RELATED WORK
The application of tools that implement the BMC technique, regarding software verification, is becoming quite popular, mainly due to the advent of sophisticated SMT solvers, which are constructed based on efficient satisfiability solvers (SAT) [7] . Previously published studies related to SMT-based BMC, for software, handle the problem of verifying ANSI-C programs that use bit operations, fixed-and floating-point arithmetic, comparisons and pointers arithmetic [3] ; however, there is little evidence of studies that address the verification of properties related to digital filters implementation, in ANSI-C, especially when assuming arbitrary word-length. One of such studies was previously conducted by Freitas et al. [2] , where digital filter properties, such as overflow, magnitude and stability, were verified by employing ESBMC. Those results served as main inspiration for the present work, whose proposal is to further extend and reproduce the verified properties, while creating a support for them on the DSVerifier tool. Now this new implementation allows passband filters verifications.
Akbarpour and Tahar [8] , [9] presented a mechanical approach for error detection in digital-filter design, which is based on a high-order logic (HOL) theorems solver. The authors describe valuation functions that find the real values of a digital filter's output, through fixed-and floating-point representations, aiming to define an error. The latter represents the difference between the encountered values, through this valuation function, and the output corresponding to design specifications.
Recently, Cox, Sankaranarayanan and Chang [10] introduced a new approach that uses precise bit analysis for the verification of digital filter implementations, in fixed-point. This approach is based on the BMC technique and employs SMT solvers for checking verification conditions, which are generated in the digital-filter design phase. The authors show that such an approach is more efficient and produces fewer false alarms, if compared to those that use real arithmetic solvers; however, the mentioned studies do not address intrinsic filters characteristics, such as errors or modifications related to poles, zeros, or frequency response.
Abreu et al. also proposed a new methodology for the verification of digital filters, named as DSVerifier, which is based on state-of-the-art bounded model checkers that support full C and employ solvers for boolean satisfiability and satisfiability modulo theories [17] . In addition to verifying overflow and limit-cycle occurrences, DSVerifier can also check output errors and time constraints, based on discrete-time models implemented in C.
The findings presented in the previous studies served as inspiration for the present article, which aims to extend the approach proposed by Cox, Sankaranarayanan and Chang [10] and Abreu et al. [17] includes new digital filter properties to be checked, such as magnitude and phase responses, which provides an analysis closed related to DSP theory. In addition, this work applies DSVerifier, which is a model checking tool to investigate finite word-length (FWL) effects in digital systems implementations, to the verification of a more diverse set of benchmarks, including different classes of filters (e.g., passband filters).
III. THE BMC TECHNIQUE With ESBMC, a program under analysis is modeled by a state transition system, which is generated from the program control-flow graph (CFG) [11] that is automatically created during the verification process. A node in a CFG represents an assignment (deterministic or nondeterministic) or a conditional expression, while an edge represents a change in a program's flow.
A state transition system M = (S, T, S 0 ) is an abstract machine, which consists in a state set S, where S 0 ⊆ S represents a initial state set and T ⊆ S × S is the transition relation. A state s ∈ S consists of the value of a program counter pc and also the values of all variables in an application. An initial state s 0 assigns the program's initial location γ = (s i , s i+1 ) ∈ T , in the CFG. The transitions are identified as between two states s i and s i+1 , with a logical formula γ(s i , s i+1 ) that contains the value restrictions of the program counter and the system's variables.
Given a transition system M , a property φ and a bound k, ESBMC unfolds a system x times and transforms the associated result into a verification condition ψ, in such a way that ψ is satisfiable if φ contains a counterexample with length smaller than x [3] . Thus, the BMC technique problem is formulated as follows
where φ is a property, I is a set of the initial states in M , and γ(s j , s j+1 ) is the state transition function of M between steps j and j+1. Thus, I(s 0 )∧ i−1 j=0 γ(s j , s j+1 ) represents the execution of M for i times and eq. (1) will only be satisfied if, and only if, for each i ≤ x, there is a reachable state where φ is violated. If eq. (1) is satisfiable, then ESBMC shows a counterexample, defining which variable values are needed to lead to the related error. The counterexample for a property φ is a state sequence s 0 , s 1 , ..., s x with s 0 ∈ S 0 and γ(s i , s i+1 ) , for 0 ≤ i < x. If eq. (1) is not satisfied, one can conclude that no error stateis reachable with x steps or less.
IV. THE NEW VERIFICATION METHODOLOGY
In general, the fixed-point implementation uses standard registers to store the inputs and outputs along the adders, multipliers, and delays. However, the results of these elements might exceed the limits of the allocated variables, or generate different values than expected, due to the coefficients accuracy or the associated number of bits. As a result, it is possible that the result differs from the one specified in the design or even that a filter becomes unstable without this occurring in the filter design.
With this in mind, the proposed verification methodology is split into three main parts: magnitude and phase verification, poles and zeros stability, and overflow verification.
A. Magnitude and phase verification
Changes in the coefficients, due to the fixed-point quantization, alter the response in magnitude and phase [9] . An example of this can be seen in Fig. 1 .
In this first approach, the input of the proposed verification system is composed by the filter coefficients in floating-point by the design properties, which must be analyzed according to the adopted conditions, such as passband, cut-off frequency, rejection band, as well as the gains in each region and the amount of bits used for the representation in the fixed-point. Given that N is the number of points of the Discrete-Time Fourier Transform (DTFT) [12] , h[n] is the filter impulse response and H k is the k-th component of it's sampled equivalent in frequency domain, we have that
In addition, suppose that ω p , ω r and ω c are the digital frequencies of passband, stopband and cutoff, respectively. In turn, A p , A r and A c are the gains that will be checked. We assumed the following assertions to verify magnitude and phase properties for lowpass and highpass filters.
and
In case of assertion violation, an error is generated to indicate that the amount of bits is insufficient for the representation, taking into account the initial design restrictions.
B. Poles and zeros verification
Jury's algorithm is used to check the stability in the zdomain for a given characteristic polynomial of the form
In particular, Jury stability test is already explained in the control system literature [20] . This study, however, limits itself to explain the SMT encoding of Jury's criteria. For the stability test procedure, the following Jury matrix M = [m ij ] (2N −2)×N is built from S(z) coefficients:
where
, and (8)
where k ∈ Z, such that 0 < k < N − 2. S(z) is the characteristic polynomial of a stable system if and only if the following four propositions hold:
The stability property is then encoded by creating a constraint using the fixed size bit-vector theory, typically supported by state-of-the-art SMT solvers [19] :
where the literal φ stability represents the validity of the stability condition; in particular, the SMT-solver checks whether Jury criteria hold for the characteristic polynomial coefficients.
C. Overflow verification
The third part concerns the overflow verification after the coefficients quantization, which would be considered infeasible without computational tools.
The addition, subtraction, multiplication, and division operations allow the fixed-point representation; however, losing precision to respect the bits limitation amount. The overflow happens when the bits representation is violated. In order to better understand it we will study two overflow types. Despite the easy possibility to find the limits, it would be difficult to know which input will create the saturations.
Definition 2. The wrapping around occurs when the maximum value is attributed instead of a minimum value and vice-versa [10] .
The input verification has nondeterministic fixed-point numbersx[n], the h[n] filter coefficients that will be verified and the number of inputs N . All the overflow check iterations are given by
To detect an error, a counterexample is generated. This counterexample consists of the violated states, providing access to the inputs which generated the error, in a specific order, as well as the output value. This approach gives to the filter designer information to understand the error conditions of overflow and underflow, allowing the desginer to come up with an alternative implementation.
V. EXPERIMENTS
This section consists of two parts. The system configuration is described in Section V-A, while Section V-B summarizes our objectives with the experiments conducted and Section V-C describes the results obtained with the DSVerifier tool 1 [3] , [4] , [17] , [18] , implementing the changes regarding the filter magnitude and phase, as well as the preexisting functions for verification of stability and overflow.
A. System configuration and preparation for the experiments
The set of magnitude and phase verification where split into two main groups: one consisting of IIR filters and another of FIR filters. Each set is divided into 3 categories: lowpass, highpass and bandpass, with three filters of small order (2nd or 4th order), and three filters with high order (12th or 30th order) in each set for different cut-off frequencies. Three types of IIR filters were used: Butterworth, Chebyshev, and Elliptic. For FIR filters, the types Equiripple, Hann Window, and Maximally Flat.
Altogether, 54 stable filters were created during the design stage, with 18 FIR and 36 IIR, with sample frequency of 48kHz. All filters transfer functions were obtained with the Filter Design and Analysis Tool application available in MATLAB [1] and written in a ".c" file according to the input specifications for DSVerifier.
Aiming to explore different theories employed on the SMT [3] solvers, non-integer numbers were encoded in two different ways: in binary (when bit vector arithmetics is used) and also in real (when using rational arithmetic). The fixedpoint representation was performed by dividing the number to be represented between its integer part I, with m bits, and its fractional part F , with n bits [15] . This approach is represented within the tuple I, F , which can be encoded both in bit vectors and rational arithmetic and is interpreted as I + F/2 n . Thus, all the represented values must be between the maximum and minimum expected values, that is
All experiments were conducted with a Intel Core i7-2600 PC, with 3.40GHz of clock speed and 16GB RAM and 64-bits Ubuntu as operational system. The verification times presented in the following tables are related to the average CPU time measured with the times system call (POSIX system) of 20 consecutive executions for each benchmark, where the measurement unit is always in seconds.
B. Experimental Objectives
While creating our benchmark, we aimed for the variety of filter parameters, such as order, frequency and type, so we could demonstrate the usefulness of the method in all sorts of situations. Some filters were defined with an extremely short interval of passband, so that DSVerifier was taken to the limit when trying to represent unrealistically challenging situations. Table I summarizes the verification results of phase and magnitude, with the first letter in the identification name indicating which filters are FIR and which are IIR. Filters that contain "hp" are high-pass, while "lp" stands for lowpass. The filter order is displayed as the number in each filter identification name. Columns "CF", "PF" and "SF" indicate, respectively, the cut-frequency, the pass-frequency and the stop-frequency in kHz used when synthesizing the filters. Some of these frequencies are not employed (indicated by "NE") in the design specifications of certain filter types. "VTM" stands for the verification time for magnitude, while "SM" stands for the magnitude verification status. The status can be either Successful (S), Passband fail (FP), Stopband fail (FS) or Cutoff-frequency fail (FC) . SP is the status for phase verification. The phase status can be either Successful (S) or Fail (F). FP represents the quantity of bits used for fixedpoint representation. The minimum gain, for the passband, is fixed in −1dB in Eliptic filters, while the maximum gain for stopband is fixed in −80dB for Eliptical and Chebychev filters. These specifications apply for both low-pass and highpass filters. Near identical criteria were used for band-pass filters, except that now a pair of each region frequencies is needed too the fully specification of the project. All filters in table I were verified considering a fixed-representation tuple of 4, 10 , except by the second order filters, where 1, 5 was used.
C. Results
The results for magnitude verification of band-pass filters are included on table II. It's important noting that instead of a single frequency as specification, now a frequency pair is used. The column "FP tuple" indicates the considered FWL constriction.
The poles and zeros verification occurred in the set of IIR filters and the result is shown in table III. "VT" stands for the verification time, in seconds, and "SPZ" represents the status of the verification. It is worth noting the results for filters with cutoff-frequency of 100Hz since magnitude failures were found for all IIR filters. Table IV presents the results of overflow verifications, which indicates the efficacy on the detection of this type of error. All the tested filters were IIR, that were also used in Table I. VI. CONCLUSION The present work proposed a methodology for the verification of digital filter design parameters through the BMC technique, which indicates if the amount of bits used in the representation of the coefficients and samples changes the previously specified characteristics. During the simulations, both IIR and FIR filters were addressed, in order to ensure the outcome of real projects, in different realizations and applications. The results show that it is possible to detect low 
