Abstract-Formal verification is an important issue in circuit and system design. In this context, bounded model checking (BMC) is one of the most successful techniques. However, even if all the specified properties can be verified, it is difficult to determine whether they cover the complete functional behavior of a design. We propose a practical approach to analyze coverage in BMC. The approach can easily be integrated in a BMC tool with only minor changes. In our approach, a coverage property is generated for each important signal. If the considered properties do not describe the signal's entire behavior, the coverage property fails, and a counter example is generated. From the counter example, an uncovered scenario can be derived. This way, the approach also helps in design understanding. We demonstrate our method for a reduced instruction set computer (RISC) CPU. First, the coverage of the block-level verification is considered. Second, it is demonstrated how the technique can be applied on a higher level. Therefore, we investigate the instruction set verification of the RISC CPU. The experiments show that the costs for coverage analysis are comparable to the verification costs. Based on the results, we identified coverage gaps during the verification. We were able to close all of them and achieved 100% functional coverage in total.
In MC, the functional properties are specified in temporal logic. Thus, each property unambiguously describes parts of the circuit's behavior. However, the most important question that arises here is "have I written enough properties?" [8] . In simulation-based verification, computing coverage is well understood since coverage corresponds to an activation of signals or source code during the execution of input vectors. In addition, formal techniques have been used to analyze test benches with respect to functional coverage [9] . For MC, estimating coverage is more difficult since the correspondence of coverage is not obvious because the complete underlying finite state machine (FSM) is traversed during the proof. Nevertheless, there exist several notions of coverage for MC [10] . For computation tree logic (CTL)-based approaches, the covered states of the FSM are computed [11] , [12] . By mutation-based coverage, modifications are applied to the FSM, and it is checked if this is detected by the specified properties [10] , [13] . However, most of the existing metrics suffer from complexity problems as in the case of CTL MC or are still very hard to use by verification engineers in practice.
Recently, a first approach for measuring the coverage for BMC has been proposed in [14] . There, the focus is mainly to relate errors in the design to the source code level. A component is considered covered if there is at least one property that is invalidated if this component is changed. The notion of "change" is described using a multiplexor construct based on the ideas in [15] . The approach cannot specify exact functional coverage. Instead, components that influence the behavior of the circuit are identified. Thus, the approach cannot present the uncovered scenarios in form of counter examples.
In [16] and [17] , a method for the coverage analysis of safety property lists has been presented. This method only works on the specified linear temporal logic (LTL) properties without using the design. The properties are synthesized into a checker circuit that has exactly one output. This output is 1 iff all the properties hold. Then, the checker circuit is duplicated. The two checker circuits use the same variables except for the output signal that is analyzed in the current step. Based on this construction, the method can identify a forgotten case, i.e., a trace where a particular output signal is not constrained by the properties. Therefore, the method looks for traces where both checker outputs are 1, but the values of the analyzed output signal differ at exactly one time point. The presented method is efficient because the design is not needed. However, if the method has identified a forgotten case, there is no information about the circuit behavior, as the design is not regarded in the check. Furthermore, the method needs to introduce a new LTL construct for specifying that a signal is allowed to be unconstrained in a certain case, whereas our method is built on top of the standard property specification language (PSL) [18] .
In this paper, we propose a practical approach for the analysis of coverage in BMC. The basic idea is as follows. First, for each output o of the circuit, all proven properties are identified, which involve o. Then, it is checked whether there exists a scenario where o is not determined by the set of properties. Here, "not determined" means that an input and state assignment has been found, where no consequent of the set of properties unambiguously specifies the value of o. We show that this idea can easily be integrated in a BMC verification tool. Furthermore, the approach automatically generates uncovered scenarios in form of counter examples. Analyzing these counter examples and adding corresponding properties allows the verification engineer to stepwise close the coverage gap.
As a nontrivial example, we study the formal verification and coverage analysis of a RISC CPU. At first, the block-level verification is considered. The verification and the coverage tests are described in detail by means of examples. Several cases that we observed to be the reason of a coverage gap are identified, and it is explained how these gaps can be closed. During this process also, the run times for verification and coverage analysis are analyzed. Furthermore, we investigate the analysis of coverage on a higher level. Based on the results of the complete block-level verification, we consider the RISC CPU at the top level. Typically, at this level, the properties for each CPU instruction are formulated. In such a property, the exact behavior of all the involved hardware blocks with respect to the considered CPU instruction is specified. In other words, the effect that results from the execution of an instruction including the communication of hardware blocks is checked. We show that the coverage approach can be used to guarantee coverage at this level. On the basis of a detailed example, the suggested notion of higher-level coverage based on proven correct instructions is discussed, and the costs for the coverage check are analyzed, too. Following a certain property style is helpful for achieving full functional coverage by reducing the number of uncovered scenarios.
The rest of this paper is structured as follows. In Section II, BMC is briefly reviewed. Section III describes the new approach for analyzing coverage in BMC. Then, in a case study, we demonstrate the coverage approach for the formal verification of a RISC CPU. In Section V, we discuss how the verification flow can be improved by the presented techniques. Finally, in Section VI, this paper is summarized.
II. BMC
In this paper, we use BMC as described in [6] . Thus, a property is only defined over a finite time interval. For a design with its transition relation T δ , a BMC instance for a property p over the finite interval [0, c] is given by
where p may depend on the inputs, states, and outputs of the circuit in the time interval [0, c] . This verification problem can be formulated as a SAT problem by unrolling the circuit for c time frames and generating logic for the property. The transformation is shown in Fig. 1 . As the property is negated in the formulation, a satisfying assignment corresponds to a case where the property fails-a counter example.
In contrast to the original BMC as proposed in [5] , there is no restriction for the state s 0 in the first time frame during the proof. This may lead to false negatives, i.e., counter examples that start from an unreachable state. In such a case, these states are excluded by adding additional assumptions to the property. However, for BMC as used here, it is not necessary to determine the diameter of the underlying sequential circuit. Thus, if the SAT instance is unsatisfiable, the property holds. We use this variant of BMC because it is necessary for the properties to hold before our coverage technique can be applied.
In the following, we assume that each property is an implication of the form always(A → C). A is the antecedent, and C is the consequent of the property, and both consist of a timed expression. A timed expression is formulated on top of variables that are evaluated at different points in time within the time interval [0, c] of the property. The operators in a timed expression are the typical hardware description language (HDL) operators like logic, arithmetic, and relational operators. The timing is expressed using the operators next and prev.
III. ANALYZING COVERAGE
First, in this section, we provide the basic idea for our coverage approach. Then, we describe our method in detail and discuss the method by using two examples.
A. Idea
After proving a set of properties, the verification engineer wants to know if the properties describe the complete functional behavior of the circuit. Thus, typically, the properties are manually reviewed, and the verification engineer checks that properties have been specified for each output (and important internal signals), which prove the expected behavior in all possible scenarios. Here, the goal of our approach is to automatically detect scenarios-assignments to inputs and states-where none of the properties specify the value of the considered output.
This idea is realized by the generation of a coverage property for each considered output. If this coverage property holds, there exists no scenario where the value of the output o is not determined by the properties. It is shown that the union of all the properties that involve the output o admit no behavior other than the one defined by the circuit. This is done by introducing a multiplexor for each bit that is driven by the output o and the inverted value of o. Then, the coverage check can be performed by proving that the multiplexor is forced to select the original value of o, assuming all involved properties. In the following section, this is described in more detail.
B. Coverage Property
To analyze the coverage, we generate a coverage property for each output o of the design. This coverage property for the output o is constructed as follows.
1) The set of properties P o that involve the output o is identified.
2) The maximum time point t max is determined. t max is defined as the latest time point in the consequent of all properties in P o at which o is constrained. consequents. The resulting properties are denoted asp i . Furthermore, in the antecedent of the coverage property, the signal sel is set to 1 during the time interval
. This guarantees that in all propertiesp i , the original output o is used for all time points up to t max − 1.
In the consequent of the coverage property, we force the signal sel to be 1 at time point t max . More formally, the coverage property is
where X j denotes the application of the next operator for j times.
Following these steps, we have formulated the coverage analysis problem as a BMC problem. In the following theorem, the soundness of the approach is considered.
Theorem 1: If the coverage property for the considered output o holds, then o is covered by the properties (given as the set P o ).
Proof: We show this by contraposition: if the output o is not covered, then the coverage property fails. In the following, we denote the output of the multiplexors with o M . All propertiesp i hold due to construction. If the output o is not covered, then the value of o M at time point t max is not uniquely determined by the propertiesp i . In contrast, if the value of o M is determined by the propertiesp i , then for each input and state assignment, there is a property that predicts the value of o M . Hence, the values of o M and o_orig have to be identical since the predicting property has been proven on the design. Thus, in this case, sel is 1. Now, if the properties do not predict the value, then there exists at least one assignment o M for output o M that differs from the original value o_orig in at least one bit. However, this is equivalent to the fact that the selected signal for this bit can be set to 0 at time point t max , thus selecting the value o M without invalidating any of the propertiesp i . As a consequence, there exists a counter example with sel = n−1 i=0 sel i = 0 at time point t max , which means that the coverage property fails.
Complete coverage in terms of our approach is achieved by considering all outputs of a circuit. If all outputs are successfully proven to be covered by the properties, then the functional behavior of the circuit is fully specified. 
C. Examples
As a first example, consider the 1-bit memory shown in Fig. 3 . If the signal we (write enable) is set to 1, the flip-flop is updated with the value of the input din. Otherwise, it keeps its value.
To verify an implementation of this simple memory cell, a PSL property [18] has been specified (see Fig. 4 ). It states that whenever we is set, the value of din can be seen at the output dout one cycle later. The property holds.
It can now be checked whether the behavior of the memory cell is covered by this property. Therefore, a coverage property is generated (see Fig. 5 ). In line 2, a special command enclosed in a comment instructs the verification tool to insert a multiplexor at signal dout with a select signal named sel. In the antecedent of the coverage property, it is assumed that property WRITE holds (line 4). 1 Furthermore, it is assumed that the sel signal is set to 1 in the first cycle. Thereby, the original value of dout is routed to the output. Under these assumptions, it has to hold that the select signal is 1 in the next cycle (line 7).
As a result, the coverage property fails, and a counter example is generated, which is shown in Fig. 6 . The case that has not been covered can be deduced from the trace. Apparently, it has Fig. 11 . Structure of the RISC CPU including data and instruction memory. not been specified how the memory cell behaves if the signal we is set to 0. As a consequence, the sel signal can be set to 0 in the second cycle without violating the property WRITE. After adding an appropriate property like in Fig. 7 , the output is fully covered. The additional property NO_CHANGE states that the output remains unchanged as long as the write enable signal is set to 0.
As a second example, we consider a first-in first-out (FIFO) queue of depth 3 that filters some value by setting the output to 0 if the last three inputs have been 1. See Fig. 8 for the implementation of the FIFO. The two basic properties for the FIFO are shown in Fig. 9 . In the first property, the regular shifting of the FIFO is proven if the content of the FIFO is different from three times 1. The second property proves the filtering of the FIFO. Note that the comma operator is used here for the concatenation of the three values of the flip-flops to one memory word. Both properties hold.
We check if the output dout of the FIFO is covered with the coverage property given in Fig. 10 . Again, the multiplexor is inserted with the special command in line 2. For the FIFO and the given properties, t max is 3. Thus, the property PROPAGATE is assumed without shifting because o is already constrained at time point t max . However, the property FILT has to be shifted such that the output dout is constrained in this property at time point t max (see line 9). The last expression in the antecedent forces the select input to be 1 up to time point 2 (the next_a operator constraints the following expression to hold at every time point during the specified interval; see line 13). In the consequent, we want to show that the select input is 1 at time point t max = 3. The verification tool reports that the coverage property holds, and therefore, the FIFO output is covered by the given two properties.
Based on these two examples, the generation of the coverage property for simple and more complex properties with respect to several time points has been shown. In the following, our approach is studied on a RISC CPU.
IV. CASE STUDY: RISC CPU
In this section, we provide experimental results for the complete verification and coverage analysis of a RISC CPU, moving from the level of single hardware blocks to the instruction set on the top level. The distinction between these levels of abstraction is not a consequence of the coverage approach, but come from the verification of hierarchical designs. In this methodology, single hardware blocks that might have been reused from former designs are first verified before reasoning about the behavior of the complete circuit. In the following, we first give some basic data of the CPU (see also [19] ).
A. RISC CPU
In Fig. 11 , the main components of the RISC CPU are shown. The CPU is designed as a Harvard architecture. The data width of the program memory and the data memory is 16 bits. The size of the program memory is 4 kB, and the size of the data memory is 128 kB. The length of an instruction is 16 bits. We only briefly describe the five different classes of instructions in the following: 1) six load/store instructions (movement of data between register bank and data memory or I/O device, loading of a constant into high or low byte of register); 2) eight arithmetic instructions (addition/subtraction with and without carry, left/right rotation, and shift); 3) eight logic instructions (bit-by-bit negation, bit-by-bit exor, conjunction/disjunction of two operands, and masking, inverting, clearing, and setting of single bits of an operand); 
B. Block-Level Verification
In order to guarantee the correct behavior of the RISC CPU, it is verified using BMC [19] . In a first step, for each of the hardware blocks, it is checked whether the input/output behavior of the implemented circuit matches the specification. Therefore, a number of properties have been formulated in PSL.
As the program counter (PC) will serve as an example, it is first described. Fig. 12 shows the PC with all its inputs and outputs. The PC has an internal 11-bit register pc that holds the current program address. The address is shown at the output pcout, whereas the output pcinc shows the current address increased by 1. The PC is reset to address 0 by setting the input reset to 1. If the load enable input le is set to 1, the PC is loaded with the address from input din. Otherwise, it is increased by 1 in every cycle if the PC is enabled, which means that the enable input en is set to 1.
In Fig. 13 , some of the properties for the PC can be seen. The first property RESET checks the correct behavior after a reset. The second property INC checks that the PC is increased if it is enabled, there is no reset, no load, and if the end of the address space has not yet been reached. The third property LOAD checks the load functionality of the PC.
For all the hardware blocks of the CPU, properties have been specified in a similar way. In Table I , the results of the blocklevel verification are shown. The first column gives the name of the hardware block. The second column provides the number of properties that have been written for the respective block. In the last two columns, the total CPU time for the verification and the maximal used memory during the verification are given. As can be seen, the verification can be carried out very fast using BMC.
C. Block-Level Coverage 1) Coverage Analysis:
If all properties hold, the coverage check can be performed in a next step. Following the approach described in Section III, for each single output of each hardware module, it is checked if its behavior is unambiguously specified by the properties. Therefore, a coverage property is generated for each output. Fig. 14 shows the coverage property for the output pcout of the PC. In line 2, the multiplexor needed for the coverage check is inserted using the already described special command. The original output pcout is replaced by the multiplexor construct-consisting of a multiplexor for each output bit-and is renamed to pcout_orig. Now the original value pcout_orig is routed to the output pcout iff the signal select is set to 1. Thus, all properties that use pcout now deal with the output of the multiplexors instead of the originally considered output (see also Fig. 2) . In lines 4-25, the original properties are assumed. Furthermore, it is assumed that at time point 0 the select signal is set to 1 (line 27), and thus, we are dealing with the original value of the circuit on output pcout at time point 0. Under these assumptions, we want to prove that the select signal has to be 1 at time point 1 as well (line 29), meaning that the output is determined in any case. It appears that the coverage property fails. Fig. 15 shows a counter example that has been generated by the verification tool. From the trace, it can be concluded which scenario has not been specified by the properties discussed in Section IV-B. As can be seen in the figure, none of the properties cover the case that the PC is enabled, there is no reset or load, and the PC points to the end of the address space.
At the same time, the trace gives information on the actual behavior of the circuit in the unregarded case. The signal pcout_orig gives the original value of pcout. Obviously, the PC starts over at address 0 when it exceeds the highest possible address. Table II . In the same way, every hardware block of the CPU is checked based on the coverage approach. The first column in Table II gives the name of the module. In the second column, the number of generated coverage properties is provided. The column cov reports whether all outputs were covered. If not, the last column provides the solution. As can be seen, we found three gaps in total. The details on closing these gaps and gaps in general are discussed next.
2) Closing the Gap: If a gap is found using the presented coverage approach, there are different ways on how to deal with it. It is possible that the verification engineer has in fact forgotten to check a certain scenario. In this case, the properties have to be completed until coverage is achieved. For the RISC CPU, we found that the properties for the arithmetic logic unit did not specify the value of the carry bit in case of a logical operation. Therefore, we added an according property. In the same way, we had to add two properties in order to cover the behavior of the control unit in terms of our approach (see Table II ). For example, it was not properly specified how the I/O interface behaves during a reset.
It is also possible that some scenarios have been intentionally left out, possibly because the specification itself is incomplete. In this case, the assumptions of the coverage property can be extended to explicitly exclude these states. Referring to the example in Section IV-C1, the specification did not define the behavior of the PC at the end of the address space. It is left to the programmer of the CPU to avoid an address overflow. This is expressed by excluding the state 2047 in the coverage property. Thereby, the PC was fully covered. In Table II , this procedure is denoted as "excluded states." As can be seen in the table, three harmless gaps have been found. For example, one of the gaps in the control unit was related to inactive parts of the data path. In these cases, the coverage was completed by directly excluding the respective states in the coverage properties.
In total, by the presented coverage approach, we found three coverage gaps. Following the described steps, we achieved full coverage on the block level.
3) Computation Costs: To compare the effort for verification and coverage, the results of the final full coverage proof for each block are shown in Table III . The first column gives the name of the hardware block. In the second column, the number of outputs that have been checked for coverage in the respective block is given. The last two columns show the run time and the needed memory for the coverage check. As can be seen, the run times and the memory requirements are in the same order of magnitude as for the verification described in Section IV-B. 
D. Top-Level Verification
Based on the successful verification of all the involved hardware blocks, the instruction set of the RISC CPU is formally verified. A property has been formulated for each of the 32 instructions that check if the effects of the instruction meet the specification. Typically, these properties affect all of the hardware blocks.
We only summarize the results of the verification, see Table IV . For details, we refer the reader to [19] . The first column gives the category of the verified instructions. The number of properties for the respective category can be found in the second column. The last two columns give the total run time and the maximum memory needed during verification. Note that for the considered design, the time interval of most of the properties is [0, 1] . Thus, the model has to be unrolled twice.
E. Top-Level Coverage 1) Coverage Analysis:
In contrast to the block-level verification, the properties for the instructions of the RISC CPU do not consider single outputs or signals. In fact, the instruction set verification involves different hardware blocks and their communication. Therefore, the notion of coverage at this level is not as clear as for single hardware blocks. Obviously, it is not sufficient to prove the coverage of the outputs of the CPU because the input/output interface is only affected by a few instructions. To be sure that the properties form a complete specification of the circuit's behavior, the state holding elements have to be considered as well. If all state bits of the circuit are uniquely determined at any point in time, its behavior is fully covered in terms of our approach. We justify this approach by the fact that the circuit is equivalent to an FSM, and by covering all state bits, we describe the transition function in a unique way. Note that for the RISC CPU, most of the outputs of a block become a next state input of a state element at the top level.
As an example, the status bits of the RISC CPU are considered-the zero flag and the carry flag that indicate the result of the last logical or arithmetic operation (see also Fig. 11 ). Among the properties for top-level verification, there are 32 properties for the instructions and a reset property. In order to achieve full coverage with this partitioning of the properties, every property has to define the value of the status bits regardless of whether the respective instruction changes the flags or not.
As an example, consider the property for the jump instruction in Fig. 16 . It states that whenever there is no reset (line 6), and the current instruction is a JMP (line 7), then the PC is set to the target address in the next cycle (line 11). This obviously describes the correct behavior of the jump instruction. However, in order to achieve full coverage, the property must also specify what the jump instruction does not do. This is expressed in lines 14-20, which state that in the next cycle the status bits and the content of the registers remain unchanged.
As a consequence, all properties have to be assumed in the coverage property for the status bits. This way, a large monolithic property is generated including all instructions. It could be proved that under all circumstances, the value of the status bits is unambiguously defined by the instruction set properties. Table V gives the results of the top-level coverage analysis. The first column shows the state bits and signals that have been tested for coverage. The second column reports whether the initial coverage check has been successful or not. In the latter case, the solution to reveal the coverage gap is shown in the last column. As can be seen, we found some gaps in the coverage 2) Closing the Gap and Property Style: As for the blocklevel coverage discussed in Sections IV-C1 and IV-C2, there are different solutions for the gaps on the top level. To achieve full coverage of the PC and the stack pointer, most of the instruction set properties had to be adopted to the style already mentioned in Section IV-E1. For all instructions except jump and conditional branches, we had to specify that the PC increases by 1. Similarly, we specified that all instructions except push, pop, and subroutine calls do not change the stack pointer.
For the coverage of the stack pointer, we excluded the states that correspond to a stack overflow or underflow, respectively. This has been done because the specification did not define the behavior for these cases, so it is left to the programmer to avoid these situations.
As the I/O signals are only affected by two instructions, we decided to define a new property that states that the I/O interface is in an idle state unless one of these two instructions is performed. After these changes, we achieved full coverage on the top level in terms of our approach.
3) Computation Costs: The costs for the final top-level coverage analysis are shown in Table VI . For most of the signals, the coverage check could be carried out very fast. The most effort is spent for the status bits and the general-purpose registers. However, the coverage proofs for the carry bit and the zero bit were still faster than some particular instruction set properties. Only the check for the registers required a significantly higher run time. We assume that this is due to the fact that the instructions perform many different logical and arithmetic operations on the registers that have to be taken into account during the coverage check.
In summary, we have shown that the complexity to prove functional coverage is manageable with our approach. This is possible by breaking down the overall problem into several block-level and top-level proofs. Thereby, each single proof in turn is carried out using BMC.
V. DISCUSSION
In this section, we discuss the contributions of the proposed approach. We show how the formal verification flow is improved using our method. The enhanced verification flow is illustrated in Fig. 17 . Note that the new parts of the flow are drawn dashed. Starting from the specification, the design is implemented. In parallel, properties are formulated to prove that the design meets the specification using BMC. Based on the verification results, the implementation is changed until the properties hold. In contrast to the traditional verification flow, now a coverage check can be performed fully automatically. If all properties cover the entire behavior of the design in terms of the coverage approach, then the properties form a complete and unambiguous specification of the design. This complete verification can be achieved stepwise by closing all coverage gaps that are being revealed by the approach.
Whenever a coverage check fails and a counter example is generated for the uncovered scenario, the verification engineer has to decide whether the gap has to be considered harmless. The counter example provides information on the actual behavior of the circuit in the uncovered scenario. If the behavior does not meet the specification, then there is a bug in the design. If the behavior conforms to the specification, then there is a coverage gap, and the verification has to be completed by adding a property. However, it is also possible that the specification itself is incomplete, and the verification engineer has intentionally left out certain scenarios. Another reason might be that the verification engineer only wants to check that a certain subset of all the possible scenarios is covered by the properties. In these cases, the unspecified scenarios can be excluded from the coverage check by an additional assumption in the coverage property. After handling of the gap, the algorithm has to be rerun.
In any case, the approach provides valuable feedback for the verification engineer and enables him/her to reason about the uncovered scenarios. This way, it supports design understanding and helps to improve the quality of the verification.
VI. CONCLUSION
In this paper, we have presented a practical coverage approach for BMC. The approach generates for each considered output a coverage property after a slight modification of the original design using multiplexors. Thus, the approach can be easily integrated in a standard verification tool. In addition to the coverage result itself, the main strength of the presented coverage approach is that the uncovered scenarios are automatically generated in the form of counter examples. Closing the coverage gap can stepwise be performed by the verification engineer by analyzing the counter examples.
We applied the proposed approach for the verification of a RISC CPU. First, on the block level, full coverage was proven. Second, by following an appropriate style for the instruction set verification, 100% coverage was achieved for the RISC CPU.
Overall, the technique presented here offers improvements in the quality of verification and in design understanding while being easy to integrate.
