A MATLAB toolbox is presented, with the goal of checking occurrences of design errors typically found in fixed-point digital systems, considering finite word-length effects. In particular, the present toolbox works as a front-end to a recently introduced verification tool, known as Digital-System Verifier (DSVerifier), and checks overflow, limit cycle, quantization, stability, and minimum phase errors in digital systems represented by transfer-function and state-space equations. It provides a command-line version with simplified access to specific functionality and a graphical-user interface, which was developed as a MATLAB application. The resulting toolbox enables application of verification to real-world systems by control engineers.
INTRODUCTION
Digital systems (e.g., filters and controllers) are used in a wide variety of applications, owing to advantages over their analog counterparts, such as reliability, flexibility and cost. Nonetheless, there are disadvantages: since they are normally implemented in microprocessors, errors might be introduced, due to quantization and related round-off effects [6] . Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org. ISSTA'17-DEMOS, July 2017, Santa Barbara, CA, USA © 2017 Association for Computing Machinery. ACM ISBN 978-1-4503-5076-1/17/07. . . $15.00 https://doi.org /10.1145/3092703.3098228 Hardware choices, structure representations (e.g., direct forms) and implementation features (e.g., fixed-point arithmetic) can influence the precision and performance of a given digital system [2] . Additionally, such implementations are particularly susceptible to finite word-length (FWL) effects, e.g., overflows, limit cycles and poles/zeros sensitivity, which have the potential to reduce reliability and efficiency. Previous studies have shown that FWL effects might affect the efficiency, performance and stability of control systems [8, 11, 12] . Thus, it is important to detect such errors and ideally prove safety of the implementations w.r.t. FWL effects.
The Digital-System Verifier (DSVerifier) [7] is a model checker based on Boolean Satisfiability (SAT) and Satisfiability Modulo Theories (SMT) and detects such errors in digital systems. DSVerifier checks specific properties related to overflow, limit cycle, stability and minimum-phase in digital-system implementations and also supports the verification of robust stability, considering parametric uncertainties for closed-loop systems represented by transfer functions [3] . Recently, DSVerifier was extended to support state-space systems to verify violations in stability, controllability, observability and quantization-error properties [10] . Although those contributions are important advances in formal verification of digital systems, they do not integrate with tools such as MATLAB [13] , which are usually employed in the design of digital filters and controllers.
Currently, there are several toolboxes in MATLAB that facilitate digital system design [13] . For instance, the fixed-point designer toolbox provides data-types and tools for developing fixed-point digital systems. There are also other modules with different objectives, such as optimization, control systems and digital signal processing. In particular, users could employ formal verification methods to identify errors and generate test vectors for reproducing failures. In that sense, Simulink Design Verifier [13] employs formal methods to identify hidden design errors, without extensive simulation runs; it detects blocks that result in integer overflow, dead logic, array access, division by zero and requirement violations. Additionally, it is possible to use tools for detecting errors in C/C++ code, through Polyspace Bug Finder [13] . Nonetheless, both tools are unable to automatically detect specific errors related to digital system design (e.g., limit cycle, stability and minimumphase), unless an engineer provides additional assertions. Finally, the mentioned tools do not consider FWL effects during verification and also, there is no MATLAB toolbox for verifying digital systems using symbolic model checking based on SAT and SMT solvers.
The present paper addresses this problem and describes a MAT-LAB toolbox for DSVerifier, 1 known as DSVerifier Toolbox, which applies SAT-and SMT-based model checking to digital systems [7] , in MATLAB's environment. The main advantage regarding the use of a MATLAB toolbox lies in designing digital systems in MATLAB and then promptly verifying their desired properties. Additionally, when using DSVerifier Toolbox, an engineer is able to design a digital system with MATLAB, through transfer-function or state-space representations, consider low-level systems parameters (numerical format), define realization forms (delta and direct forms) and evaluate different overflow modes (wrap-around or saturate mode). Finally, if a verification procedure fails, DSVerifier Toolbox returns a counterexample in a ".MAT" file, which exploits a given violation, considering inputs, initial states and outputs, in order to reproduce a particular counterexample.
VERIFYING DIGITAL SYSTEMS WITH DSVERIFIER TOOLBOX 2.1 DSVerifier Toolbox Architecture
The proposed verification methodology is based on DSVerifier [7] and can be split into four main steps, as illustrated in Fig. 1 . In step 1, a digital system is designed (as open-or closed-loop), with any design technique or tool. Implementation features are defined in step 2, i.e., the FWL format that includes the number of bits in the integer and fractional parts, dynamic range and realization form (direct or delta). Here, DSVerifier formulates a FWL function FWL[·] : P n → P n , where P n is a space of polynomials of n-th order, to reproduce the effects of the chosen FWL format over the coefficients of a digital system. For instance, FWL[B(z)] and FWL[A(z)] represent the denominator and numerator polynomials B(z) and A(z) of a transfer function with FWL effects used to compute round-off effects in digital systems. Those definitions are then passed to DSVerifier, along with hardware specifications, verification parameters and properties to be checked.
In particular, with respect to open-loop systems in transferfunction representation, DSVerifier supports verification of overflow (we check whether a sum or product exceeds the number representation), stability and minimum-phase (we check whether the system poles and zeros are inside the unitary circle), limit cycle (we check whether there are persistent oscillations in the output of a system with constant input or zero input) and quantization error (we check whether the output error in digital systems implementation will be within admissible range), while it provides verification for stability, controllability (we check whether the system states can be changed by changing the system input), observability (we check whether the value of the initial state can be determined from the system output) and quantization properties, in state-space representation. Regarding closed-loop systems represented by a controller and a plant, in transfer function form, DSVerifier is able to verify stability, quantization error and limit-cycle, while it checks stability, controllability, observability and quantization error when state-space equations are employed.
Once the configuration has been set up in step 3, the verification process is then started in step 4, with the chosen back-end model checker: CBMC [9] or ESBMC [5] can be used to verify the generated C code. DSVerifier then checks the desired properties and returns "successful" if there is no property violation in the proposed implementation, or "failed" together with a counterexample, which contains inputs and states that lead the system under evaluation to a given property violation. In the latter case, the provided counterexample supports the fixes to the implementation parameters and the design. Realization, representation and FWL format can be re-chosen to avoid further errors. This process is repeated until a digital controller implementation does not present any failure.
DSVerifier Toolbox uses bounded model checking (BMC) as verification engine [5, 9] . The basic idea of BMC is to check the negation of a given property ϕ at a given depth k. Thus, overflow, limit cycle and quantization errors, in transfer-function representation, and quantization error verification, when employing a state-space representation, must be unrolled k times to find violations; the verification result is sound for executions of up to k steps. By contrast, properties such as stability and minimum-phase, in transfer-function representation, and controllability, stability and observability, in state-space representation, do not depend on the system inputs and thus do not require a bound k (verification is complete and sound) [2, 3, 10] .
Note that the verification methodology is split into two main stages: manual (user) and automated (toolbox) procedures. In the former, the user manually performs steps 1 to 3, which are the same tasks performed by DSVerifier. Note further that all those specifications are provided as parameters and translated into a specific format in the automated procedures performed by the toolbox, as illustrated in Fig. 1 . In particular, the DSVerifier Toolbox's automated engine (steps A to C) receives a digital system specification (as parameters) and verifies the desired property ϕ. In step A, an intermediate ANSI-C code for the desired implementation is generated, based on parameters that are then translated into a specific format (in MATLAB) and parsed, while the respective BMC tool is set and all requirements are configured in step B. Finally, in step C, the resulting ANSI-C code is passed to the verifier. If any violation is found, then DSVerifier reports a counterexample, which contains system inputs that lead to a failure; otherwise, it returns a successful verification. In particular, in case of a failure, the proposed DSVerifier Toolbox receives a counterexample and generates a corresponding ".MAT' file.
The main development challenge related to DSVerifier Toolbox is the represention of the control system models. In particular, our implementation consists of 2000 lines of code related to MATLAB scripts to soundly represent the control system models, considering FWL effects. In addition, there are 250 lines of code to parse MATLAB functions and there are approximately 1000 benchmarks to ensure the DSVerifier Toolbox's regression. All those artifacts together with documentation and videos are available in a public github repository, which is located at https: //github.com/ssvlab/dsverifier/tree/master/toolbox-dsverifier.
DSVerifier Toolbox Features
DSVerifier Toolbox's features can be described as follows: Fig. 1 ). (5) BMC tools: DSVerifier Toolbox handles the verification for digital-systems using CBMC [9] or ESBMC [5] as back-end, to perform the symbolic verification (cf. step 3 of Fig. 1 ).
DSVerifier Toolbox Usage
In order to explain the DSVerifier Toolbox's workflow, the following second-order controller represented by a transfer-function H (z) =
B (z )
A(Z ) (cf. section 2) for an A/C motor plant is used
2.3.1 Command Line Version. Users must provide a digital system described as a MATLAB system using a tf (for transfer-function) or an ss (for state-space) command (cf. step 1 of Fig. 1 ). DSVerifier Toolbox is then invoked to check the digital system representation and the desired property (cf. steps 2 and 3 of Fig. 1) . Table 1 summarizes the DSVerifier Toolbox's commands that perform the proposed automatic verification and the required parameters for each property (cf. step 4 of Fig. 1 ). In Table 1 , system represents the digital system in transfer-function or state-space format, intbits is the integer part, fracbits is the fractional part, max and min are the maximum and minimum dynamic range, respectively, bound is the k bound to be employed during verification, cmode is the connection mode, for closed-loop systems in transfer-function (series or feedback), and error is the maximum possible value in the quantization error check. Additionally, optional parameters can be included, such as overflow mode, rounding mode, BMC tool, solver, quantization error mode and delta coefficient (for delta realization). 2 All available functions w.r.t. DSVerifier Toolbox have been exhaustively tested and experimental results are available online. 3 
GUI Application Version.
A graphical user interface application was developed (Fig. 2) , in order to favor digital-system verification in MATLAB, besides improving usability and, consequently, attracting more digital-system engineers. Users can provide all required parameters for digital-system verification: specification, target implementation and properties to be checked.
Illustrative Example
To illustrate the DSVerifier Toolbox's usage, Fig. 3 shows the stability verification for the digital system specified in Eq. 1, where "num" and "den" represent the numerator A(z) and denominator B(z), resp., using a dynamic range [−1, 1] and a fixed-point format ⟨2, 13⟩, i.e., 2 bits for the integer part and 13 for the fractional one. If the fixed-point format is changed to ⟨12, 3⟩, for the same system described in Eq. 1, the verification indicates a failure, i.e., a digital system is unstable, as shown in Fig. 4 , which indicates that DSVerifier Toolbox can correctly verify digital systems with different implementations.
After verifying that the adopted digital system is unstable with format ⟨12, 3⟩, the respective failed verification result can be confirmed by reproducing the counterexample generated by DSVerifier where set J has one root with modulus greater than one, which confirms that using ⟨12, 3⟩ format the verified system becomes unstable. The stability for the digital systems described above could be indeed observed through the associated step response for both cases, as shown in Fig. 5 . In subfigure 5(a), the step response shows that the digital system is stable, while in 5(b) it is unstable.
CONCLUSION
DSVerifier Toolbox is able to verify dynamic digital-systems (controllers or filters) designed in MATLAB given as transfer-function or state-space representations in open-or closed-loop form. We have shown that using different numerical representations for a digital controller can yield different verification results. In particular, we demonstrated that the choice of representation has the potential to cause instability and then compromises the entire system. Given the current literature in formal verification, there is no other MAT-LAB toolbox for verifying specific properties of digital systems while taking into account implementation aspects. As future work, DSVerifier Toolbox will perform verification for robust stability and be combined with DSValidator [4] . 
