ABSTRACT Formal verification of high-level SystemC designs is an important and challenging problem. Recent works have proposed symbolic simulation in combination with Partial Order Reduction (POR) as a promising solution and experimentally demonstrated its potential. However, these symbolic simulation approaches have a fundamental limitation in handling cyclic state spaces. The reason is that they are based on stateless model checking and thus unable to avoid revisiting states in a cycle. In this paper, we propose a novel stateful symbolic simulation approach for SystemC. For the efficient detection of revisited symbolic states, we apply symbolic subsumption checking. Furthermore, our implementation integrates a cycle proviso to preserve the soundness of POR in the presence of cycles. We demonstrate the scalability and the efficiency of the proposed approach using an extensive set of experiments.
INTRODUCTION
The C++-based description language SystemC [11] has become the standard for modeling electronic systems at high levels of abstraction. These abstract SystemC designs serve as an executable specification for subsequent development steps in the design flow. Therefore, ensuring the correctness of high-level SystemC designs is crucial, especially for safety critical systems, as undetected errors will propagate and become very costly.
Due to their scalability and ease-of-use, simulation-based approaches are still prevalent for SystemC verification. However, in contrast to formal verification, they cannot prove the absence of errors and are very susceptible to subtle bugs caused by corner-case scenarios. Unfortunately, formal verification of SystemC is very challenging due to its object-oriented nature and event-driven simulation seman-tics [15] . The overall challenge in developing a SystemC verifier is threefold. First, it must obviously consider all possible inputs of the Design-Under-Verification (DUV). Second, a typical high-level SystemC DUV consists of multiple asynchronous processes, whose different orders of execution (also referred to as schedules) can lead to different behaviors, these must also be considered to the full extent by the verifier. Third, the verifier is required to deal with the full complexity of C++ to extract a suitable formal model.
Recently, an Intermediate Verification Language (IVL) for SystemC has been proposed [13] . The IVL is compact and easily manageable but at the same time powerful enough to model the behavior of SystemC designs. The IVL allows to separate the development of a SystemC verifier into two components: a front-end to translate a DUV into IVL and a back-end to verify this IVL description. Consequently, one can focus on addressing the first two challenges to increase the scalability and efficiency of the back-end in handling large state spaces.
As a viable solution for this task, recent works have proposed symbolic simulation [5, 4, 13] , which is basically a combination of symbolic execution [12] with complete exploration of all possible process schedules. These approaches allow the verification of safety properties specified in the form of source code assertions. In [4, 13] , symbolic simulation is further combined with Partial Order Reduction (POR) [9, 8] to avoid visiting redundant schedules. The whole state space of a DUV, which consists of all possible inputs and process schedules, can thus be exhaustively and efficiently explored.
However, these approaches are fundamentally limited in handling cyclic state spaces. Cycles arise naturally in many high-level SystemC designs due to the use of unbounded loops inside SC THREADs. The limitation is due to the fact that the core algorithm employed by these approaches is based on a stateless search. Essentially, no record of already visited states is kept and thus, re-exploration of states in a cycle cannot be avoided. This might cause the search to be non-terminating if the symbolic simulation is not bounded. Consequently, existing SystemC symbolic simulation approaches are unable to prove properties on cyclic state spaces and thus can be considered incomplete.
To overcome the aforementioned limitation, it is necessary to employ a stateful search in symbolic simulation. Two issues must be solved to enable this combination. First, symbolic simulation stores and manipulates symbolic expressions, which represent sets of concrete values. Therefore, the state matching process, required by a stateful search to decide whether a state has already been visited, involves nontrivial comparison of complex symbolic expressions. Second, a naive combination of POR with stateful search can potentially lead to unsoundness, i.e. assertion violations can be missed. This is due to the (transition/action) ignoring problem, which refers to a situation, where a relevant transition is not explored.
Contributions.
In this paper, we propose a novel stateful symbolic simulation approach for SystemC. For the efficient detection of revisited symbolic states, we employ symbolic subsumption checking, inspired by [1] . If the set of concrete states represented by a symbolic state s2 contains the set of concrete states represented by a symbolic state s1, s1 is subsumed by s2 and it is not necessary to explore s1 if s2 has already been explored. Thus, subsumption checking can lead to a reduction of the state space, which we denote as State Subsumption Reduction (SSR). We present a powerful exact subsumption checking method which involves solving a quantified SMT formula. As this computation is potentially very expensive, we also propose several optimizations. Furthermore, to preserve the soundness of POR, our implementation integrates a cycle proviso tailored for SSR. We show the potential of our approach using an extensive set of benchmarks.
Related Work.
KRATOS [6] is the state-of-the-art SystemC model checker for handling cyclic state spaces. As input language, KRATOS accepts threaded C, which is similar to the IVL proposed in [13] . The underlying model checking algorithm combines an explicit scheduler and symbolic lazy abstraction. POR is also integrated into the explicit scheduler to prune redundant schedules. For property specification, simple C assertions are supported. Although this approach is complete, its potentially slow abstraction refinements may become a performance bottleneck. SCIVER [10] is another complete model checker for SystemC. It translates a SystemC DUV into a sequential C model, then applies high-level induction on top of existing C model checkers. However, due to the absence of POR, it does not scale well to designs with a large number of processes.
There are also a handful of other formal verification approaches for SystemC which we do not discuss here. They are either incomplete or have very limited scalability. For a detailed review of these works we refer to the Related Work section of [6] .
In the context of symbolic model checking for Java, a subsumption checking technique similar to ours has been considered [1] . However, the authors applied this technique to sequential Java programs, while we combine subsumption checking with POR under the concurrency semantics of SystemC.
The ignoring problem has first been identified in [14] . Since then, a number of cycle provisos has been proposed as solution in combination with different search strategies, see e.g. [9, 3, 7] . However, in the context of SSR, these provisos are unsuitable, since they are too restrictive. In this paper we use an adapted proviso from [7] , for the combination of POR and SSR. To the best of our knowledge, such a proviso has not yet been proposed.
PRELIMINARIES

SystemC and IVL
SystemC is a C++ class library that includes an eventdriven simulation kernel. The structure of a SystemC design is described with ports and modules, whereas the behavior is described in processes which are triggered by events. SystemC provides three types of processes with SC THREAD being the most general type, i.e. the other two can be modeled by using SC THREAD.
The IVL as proposed in [13] provides modeling primitives for SC THREADs (called threads for simplicity), events and corresponding synchronization functions (i.e. wait and notify in different variants). The IVL supports Boolean and integer data types of C++ together with all arithmetic and logic operators. The control flow of a thread is modeled using conditional goto statements. For verification purposes in the context of symbolic execution, the functions assume and assert are provided. An IVL example is shown in Fig. 1 (explanation follows in Section 3.1). To improve the readability, we use high-level control structures instead of conditional gotos.
The simulation semantics of SystemC (see [11] ) is also precisely followed. Essentially, if multiple IVL threads are runnable, one of them will be non-deterministically selected. This thread is then executed non-preemptively until it finishes or suspends itself by calling wait. This causes a context switch back to the scheduler, which can again select another runnable thread. If no runnable thread is available, the scheduler performs pending delta or timed notifications accordingly to activate waiting threads.
SystemC Symbolic Simulation
Symbolic simulation of SystemC designs as proposed in [13, 5, 4 ] is a combination of symbolic execution and complete exploration of all process schedules.
Symbolic execution analyzes the behavior of each individual SystemC process/IVL thread pathwise by treating inputs as symbolic values. Along an execution path, the design state is represented by a set of symbolic expressions and a path condition P C, which must be satisfied by the expressions. At each conditional goto statement, the execution path s is forked into two independent paths sT and sF due to two possible evaluations of the condition c. The P C for each path is updated accordingly as P C(sT ) := P C(s) ∧ c and P C(sF ) := P C(s) ∧ ¬c. An SMT solver is used to determine whether sT and sF are feasible, i.e. their P C is satisfiable. Only feasible paths will be explored further. For verification purposes, assume(c) adds c to the current P C to prune irrelevant paths and assert(c) calls an SMT solver to check for assertion violations, i.e. P C ∧ ¬c is satisfiable.
POR is also employed to improve the scalability of symbolic simulation by avoid visiting redundant process schedules. Each process is separated into multiple transitions. A transition corresponds to a list of statements that is executed non-preemptively following the SystemC semantics. Thus every (non-terminated) process has a currently active transition, which is runnable, iff the process is runnable. The first transition begins at the first statement of the thread. Subsequent transitions continue right after the context switch of the previous transition.
POR requires a dependency relation between transitions. Intuitively, two transitions t1 and t2 are dependent, if their execution does not commute, i.e. t1t2 and t2t1 leads to different results. In SystemC context, t1 and t2 are dependent if one of the following holds: 1) they access the same variable with at least one write access, 2) one immediately notifies an event that the other awaits, 3) a transition is suspended by the other. Transition dependencies are used at runtime to compute a subset of runnable transitions, called a persistent Figure 1 : An IVL example set [9] , in each state. Exploration of transitions, and hence processes, is limited to the persistent sets.
The above description depicts a basic symbolic simulation approach for SystemC. Many improvements are possible such as path merging [4] or computation of a stronger dependency relation using model checking [2] .
STATE SUBSUMPTION REDUCTION
This section presents the main concepts of SSR in stateful symbolic simulation. We start with a motivating example, that shows the benefits of SSR and demonstrates that SSR and POR are complementary.
Motivating Example
The IVL description in Fig. 1 consists of two threads: increment (I) and guard (G). They communicate through a global variable v and use the event e for synchronization. The increment thread increments v and then blocks until e is notified. The guard thread is scheduled to run once in every delta cycle. It ensures that v does not exceed the maximum value and performs a delta notification of the event e. In this example the maximum value is 2. Both threads consist of two transitions, denoted as I1,I2 and G1,G2 respectively, separated by the context switches in Line 6 and Line 15. The whole simulation is unbounded and safe, i.e. the assertion in Line 13 always holds.
A representative part of the complete state space is shown in Fig. 2 . Circles represent states and edges depict transitions between them. A diamond represents a conditional branch, where both branches are feasible. The dashed triangles represent state space parts that are omitted to simplify the description. Initially, before the simulation starts (Line 24), v is assigned a symbolic integer literal x1 in Line 2. Then v, and thus x1, is constrained to the values {0, 1, 2} in Line 23, resulting in the initial state s0. Now consider the transition sequence I1G1I2G2I2G2. The relevant data of the involved states is shown in Table 1 . It shows the path condition (PC), the symbolic expression representing variable v, the set C(v) of all concrete values After I1 is executed and thread increment is blocked by event e, s1 is reached. Then, G1 performs a delta notification of e, and after a delta notification phase, the state s2 is reached, where both I2 and G2 become runnable.
Next, I2 increments v to x1 + 1 and reaches s3. Then G2 resumes from Line 16. Both, the branch condition cT = v ≥ 2 and its negation cF = v < 2 are feasible in Line 16, with the current value of v = x1 + 1 and path condition x1 ≥ 0 ∧ x1 ≤ 2. Thus the execution will fork two independent paths. The corresponding path conditions will be extended with cT and cF , respectively. In the path where cT holds, v gets decremented in Line 17, whereas nothing happens in the other path. Eventually both paths will reach the context switch in Line 15, resulting in the states s5 and s4, respectively.
Execution of I2G2 from s5 will reach the state s6 and then s7. Note that the execution of G2 from s6 does not fork at the conditional branch. The reason is that v ∈ {2, 3} at this point, thus the negated branch condition v < 2 is not satisfiable. The state s7 is equal with s5, as shown in Table 1 , thus s5,s6 and s7 = s5 form a cycle.
A stateless search cannot detect the cycle and would explore it infinitely unless the search is bounded. Conceptually, a stateful search, that is capable to detect the equality of C(v) and runnable in s5 and s7, would solve the problem.
However, much stronger reduction can be achieved by checking subsumption of states. For example, the exploration of I2G2 from s5 is actually unnecessary. The reason is C(v) of s5 is a subset of C(v) of s2 and the runnable sets are identical. Thus, any concrete states that are reachable from s5 can also be reached from s2. We say that s5 is subsumed by s2, and analogously, s4 is also subsumed by s2
1 . Thus the exploration of transitions from both s4 and s5 would be prevented by SSR. This is not possible with a simple stateful search based on equality checking. On large cyclic state spaces, SSR is expected to explore significantly less states.
Additionally, POR can be combined with SSR as complementary reduction technique to further reduce the explored state space. In this example the execution of G1I1 from the initial state s0 is pruned by POR, since I1 has already been explored from s0 and it is independent with any other transition.
However, as mentioned earlier, care must be taken to avoid unsoundness when applying POR in cyclic state spaces, and especially here in combination with SSR. In the following we introduce the concept of weak reachability and a cycle proviso based on this concept to solve the problem. The actual procedure for subsumption checking between two symbolic states is detailed in Section 4.
Weak Reachability
SSR results in the exploration of a reduced state space, denoted as AR. Whenever it is detected, that a state s1 is subsumed by a state s2, denoted as s1 s2, s1 is not further explored. We say that there exists a weak transition from s1 to s2 in this case. This concept can be naturally extended to weak reachability. A state s is weakly reachable from s, if it is reachable from s through a sequence of normal or weak transitions. Intuitively when a state s is reachable from a state s in the complete state space AG, a state s will be weakly reachable from s in AR, such that s s holds. Thus, reachability of concrete states and as a consequence, assertion violations are preserved through SSR. Example 1. In the state space shown in Fig. 2, s7 is reachable from s5 by the sequence of transitions (trace) I2G2 in AG. In AR, s5 is weakly reachable from itself by the same trace as follows: first s2 is reached from s5 by a weak transition and than s5 is reached from s2 by the trace I2G2. Since s5 and s7 are equivalent, s7 s5 holds.
Cycle Proviso
A cycle proviso is required, to prevent transition ignoring when applying POR in the context of a stateful search and checking properties more elaborate than deadlocks. Otherwise, a relevant transition might be permanently ignored due to a cycle in the reduced state space. We have adapted the proviso C S 2 from [7] , to the notion of weak reachability that arises in SSR, resulting in the novel proviso C S 2W . C S 2W For every state s in AR there exists a weakly reachable state s from s in AR, such that s is fully expanded, i.e. every runnable transition in s is explored.
In contrast the C S 2 proviso requires normal reachability of a fully expanded state, which would limit the reduction achieved by SSR. Recall the IVL example presented in Section 3.1. Since e.g. s5 s2 holds, it is not necessary to further explore s5, thus no state is reachable from s5 in AR. However, the C S 2 proviso would enforce that a fully expanded state is reachable from s5, resulting in the exploration of a larger state space.
A search algorithm that explores persistent sets and satisfies the C S 2W proviso preserves assertion violations, as the following theorem states. However, the applicability of SSR and POR is not limited to the verification of safety properties.
Theorem 1 (Assertion Violation Preserving). Let AR be a POR and SSR reduced state space, which satisfies the cycle proviso C S 2W . Let w be a sequence of transitions (trace) in AG leading to an error state from the initial state s0. Then there exists a trace wr in AR such that an error state is weakly reachable from s0.
An error state is reached, when an assertion violation is detected during transition execution. The above theorem can be shown by induction over the length of w. However, the proof is omitted due to the page limitation.
SYMBOLIC SUBSUMPTION CHECKING
Before describing the actual procedure for subsumption checking between a new state s1 and an already visited state s2, we start with the definition of execution states.
Execution State
Essentially, an execution state consists of a path condition P C, a name-to-value mapping vars of variables and the kernel state KS. The kernel state contains the status of each thread, the current simulation time and a list of pending notifications. The kernel state only contains concrete values. It is thus included in the concrete state parts and irrelevant for symbolic subsumption checking. The path condition and variable values, in contrast, can be symbolic expressions or concrete values.
For simplicity of representation, we assume that only global variables are used 2 . Let V = {v1, . . . , vn} be the set of all variables, the mapping vars of a state s can be denoted as {(v1 : e 
Exact Symbolic Subsumption
Detecting that s1 is subsumed by s2 requires to show that the set of concrete states represented by a state s1 is a subset of concrete states represented by s2. A necessary condition for subsumption is thus KS(s1) = KS(s2). Furthermore, if e are two concrete values, they must also be equal. Therefore, before trying subsumption on symbolic expressions, an equality test for these concrete state parts is performed. As an optimization we abstract away the current simulation time during this test, if the simulation is not bounded by time and the control flow of the program does not depend on the simulation time.
The subset condition for subsumption above can now be rephrased as follows: if a concrete state can be constructed from s1 by assigning valid concrete values to its symbolic literals, then the same concrete state can also be constructed from s2. The Exact Symbolic Subsumption (ESS) algorithm generates a quantified formula F (s1 s2) that naturally encodes this requirement, as shown in the following: show that F is valid, we check its negation ¬F for unsatisfiability. Any SMT solver with support for quantifiers can be employed.
Example 2. Consider SP (s1) = (P C: x1 = 0, a: 2 * x1, b : x2) and SP (s2) = (P C: T rue, a: y1 + 1, b: y2 + y3).
All symbolic literals contained in s1 and s2 are {x1, x2} and {y1, y2, y3}, respectively. Two fresh symbolic literals f1 and f2 will be introduced with corresponding types for the variables a and b. The ¬F (s1 s2) formula is as follows:
Optimizations
The ESS algorithm detects symbolic subsumption precisely, but it can be computationally very expensive due to the use of quantifiers. Therefore, we devise three optimization techniques:
1. Explicit Structural Matching (ESM) heuristically detects state equivalence (a special form of subsumption) by matching the structure of symbolic expressions;
2. Filter Check (FC) tries to refute subsumption by checking a simpler formula without quantifiers;
3. Expression Simplification (SIMP) is a generic technique that reduces the size of symbolic expressions and the path condition, thus also the size of the SMT formulas.
ESM and FC can in many cases avoid expensive ESS queries as shown in Fig. 3 .
Explicit Structural Matching
The ESM heuristic is based on the simple observation that two symbolic expressions are semantically equal, if they are structurally equal. ESM checks whether every pair (e s 1 i , e s 2 i ) as well as (P C(s1), P C(s2)) are equal except for the renaming of symbolic literals. Every symbolic literal has to be mapped to exactly another type-compatible symbolic literal. Matching the path conditions ensures that the mapped symbolic literals have the same constraints on both states. For example, ESM detects equivalence between SP (s1) = (pc: x1 > 5, x1 + 1) and SP (s2) = (pc: x2 > 5, x2 + 1) if x1 and x2 have the same type.
Filter Check
The FC heuristic constructs a random concrete state sC from s1 and checks if sC can be constructed from s2. If the check fails, s1 cannot be subsumed by s2, and thus an ESS query is not necessary. This situation is shown on the left side of Fig. 4 . Otherwise, s1 might be subsumed by s2, but not always as depicted on the right side.
The concrete state sC is obtained by employing an SMT solver to solve P C(s1) and get a complete model (i.e. every symbolic variable is assigned to a concrete value). Such a model is always available, since the path to s1 has been
Single concrete state sC ∈ s1 shown to be feasible before. Now, sC can be constructed from s2, iff the following formula is satisfiable:
One implementation detail that is crucial to the overall performance of FC is to create and cache sC when the feasibility of the path to s1 is checked. This avoids an unnecessary solver query by FC to solve P C(s1) again.
Expression Simplification
Symbolic expressions are simplified based on term rewriting, e.g. folding of concrete arguments (1 + x + 2 → x + 3) or simplification of special cases (x ∨ ¬x → T ).
The path condition is a conjunction of terms P C = c1 ∧ ... ∧ cn representing constraints. During symbolic simulation, symbolic literals go out-of-scope when the variable using them is overwritten. For example, if x1 is only used by the variable v, then x1 goes out-of-scope when v is assigned to a new literal x2. If a constraint ci, which contains both out-of-scope and in-scope literals, does not exist, the outof-scope literals can be safely removed. Constraints, which contains only these literals, also become irrelevant and thus are eliminated. This process is performed using standard garbage collection techniques.
EXPERIMENTS
We have implemented the proposed approach and evaluated it using an extensive set of benchmarks from the literature on SystemC verification [2, 10, 6, 13] and some new benchmarks. All experiments are performed on a 3.4 GHz AMD machine running Linux. The time and memory limits are set to 1000 seconds and 4GB, respectively. The abbreviations T.O. and M.O. denote that the time and memory limit has been exceeded, respectively. The result tables show the benchmark name in the first column and the verification result, with S for safe and U for unsafe, in the second column. All runtimes are specified in seconds.
First we have performed a comparison of the different optimization techniques which have been discussed in Section 4.3, for our symbolic state matching algorithm ESS. Table 2 shows the results of the base algorithm (ESS), with structural matching (+ESM), with filter check (+FC), with expression simplifications (+SIMP) and a combination of all techniques (+ALL). All configurations use symbolic expression simplifications based on term rewriting. The Z3 solver 3 is used to handle all symbolic queries, since it provides quantifier support as required for the ESS algorithm. It can be observed that every optimization technique results in improvements compared to the base ESS algorithm. The combination of all optimization techniques yields the overall best results. The last column shows the observed factor of improvement (FoI) compared to the base algorithm. 3 Available at http://z3.codeplex.com Consequently, this optimized version of ESS is compared with KRATOS in its most recent version [6] , which is the state of the art SystemC model checker for handling cyclic state spaces as mentioned earlier. The results are presented in Table 3 . The table is divided into two halves by a double line. The upper half shows benchmarks with acyclic state spaces, whereas the more important cyclic state spaces are shown in the lower half.
Our approach shows very competitive results compared to KRATOS. Improvements up to two orders of magnitude can be observed, as shown in the last column (FoI). This can especially be observed with up-scaled benchmarks, e.g. the token-ring, symbolic-counter, mem-slave-tlm and pressure benchmarks. On some benchmarks, KRATOS shows better results but the runtime differences are not significant. Furthermore, on some safe benchmarks, KRATOS reports spurious counterexamples. These benchmarks are marked with * and not considered in the comparison.
CONCLUSION
A stateful symbolic simulation approach has been proposed in this paper for the efficient and complete verification of safety properties in high-level SystemC designs. With the proposed approach, safety properties can be completely proven on cyclic state spaces, which has not been possible before with symbolic simulation. The well-known state explosion problem is alleviated by integrating two complementary reduction techniques, namely POR and SSR. The former allows to prune redundant schedules, whereas the latter can increase the effectiveness of symbolic state matching significantly. In addition to an exact algorithm for subsumption detection, we proposed several optimizations to improve its efficiency. The experiments using an extensive set of benchmarks demonstrated the efficiency of these optimizations and the competitiveness of the stateful symbolic simulation with the state of the art.
