Verification of Embedded Memory Systems using Efficient Memory Modeling
Authors: Malay K Ganai, Aarti Gupta, Pranav Ashar
Verification of Embedded Memory Systems using Efficient Memory Modeling
Malay K Ganai, Aarti Gupta, Pranav Ashar
{malay | agupta | ashar}@nec-labs.com
NEC Laboratories America, Princeton, NJ USA 08540

Abstract
We describe verification techniques for embedded memory systems using efficient memory modeling (EMM), without explicitly modeling each memory bit. We extend our previously proposed approach of EMM in Bounded Model Checking (BMC) for a single read/write port single memory system, to more commonly occurring systems with multiple memories, having multiple read and write ports. More importantly, we augment such EMM to providing correctness proofs, in addition to finding real bugs as before. The novelties of our verification approach are in a) combining EMM with proof-based abstraction that preserves the correctness of a property up to a certain analysis depth of SAT-based BMC, and b) modeling arbitrary initial memory state precisely and thereby providing inductive proofs using SAT-based BMC for embedded memory systems. Similar to the previous approach, we construct a verification model by eliminating memory arrays, but retaining the memory interface signals with their control logic and adding constraints on those signals at every analysis depth to preserve the data forwarding semantics. The size of these EMM constraints depends quadratically on the number of memory accesses and the number of read and write ports, and linearly on the address and data widths and the number of memories. We show the effectiveness of our approach on several industry designs and software programs.

1. Introduction
According to the Semiconductor Industry Association roadmap prediction, embedded memories will comprise more than 70% of the SoC by 2005.
These embedded memories on SoC support diverse code and data requirements arising from the ever increasing demand for data throughput in applications such as cellular phones, smart cards and digital cameras. In the past, there were efforts [1] to verify on-chip memory arrays using Symbolic Trajectory Evaluation [2]. However, these embedded memories dramatically increase both design and verification complexity due to an exponential increase in the state space with each additional memory bit. In particular, this state explosion adversely affects the practical application of formal verification techniques like model checking [3, 4] for functional verification of such large embedded memory systems. To tame the verification complexity, several memory abstraction techniques, i.e., removing the memories partially or completely from the designs, are often used in the industry. However, such techniques often produce spurious outcomes, adversely affecting overall verification efforts. In many refinement-based techniques [5-8], starting from a small abstract model of the concrete design, spurious counter-examples on the abstract model are used to refine the model iteratively. In practice, several iterations are needed before a property can be proved correct or a real counter-example can be found. Note that after every iterative refinement step, the model size increases, making it increasingly difficult to verify. In contrast, abstraction-based approaches [9, 10] use proof-based abstraction (PBA) techniques on a concrete design. As shown in [10], iterative abstraction can be used to apply such techniques on progressively more abstract models, thereby leading to significant reduction in model size. However, since these approaches use the concrete model to start with, it may not be feasible to apply them on designs with large memories.
In general, both these refinement- and abstraction-based approaches are not geared towards exploiting the memory semantics. Memory abstractions that preserve the memory semantics (data read from a memory location is the same as the most recent data written at the same location) have been employed in various verification efforts in the past. Burch et al. introduced the interpreted read and write operations in their logic of equality with uninterpreted functions [11]. Such partial interpretation of memory has also been exploited in later derivative verification efforts [12-14]. Specifically, Velev et al. used this partial interpretation in a symbolic simulation engine to replace memory by a behavioral model that interacts with the rest of the circuit through a software interface that monitors the memory control signals [12]. Bryant et al. proposed [15] modeling of memory as a functional expression in the UCLID system for verifying safety properties. SAT-based Bounded Model Checking (BMC) [16] enjoys several nice properties over BDD-based symbolic model checking [3, 4]: its performance is less sensitive to the problem sizes and it does not suffer from space explosion. To address the memory explosion problem, SAT-based distributed BMC has been proposed [17], in which the BMC problem is partitioned over a network of workstations. However, this technique is not geared towards verifying embedded memory systems. In our previous work, we have proposed an efficient memory modeling (EMM) technique [18] that augments SAT-based BMC to handle large embedded memories without explicitly modeling each memory bit. We showed that the EMM approach allows deeper BMC search in finding real bugs in comparison to explicit memory models. Moreover, our approach captures the exclusivity of a matching read and write pair explicitly, reducing the overall SAT solve time.
However, there are two main drawbacks to this previous work. First, the memory system considered was fairly simplistic, with a single memory having a single read/write port. In modern designs, it is quite common to have a large number of diverse memories, each with multiple read and write ports. Second, the approach was geared towards falsification, i.e., finding real bugs, and not towards proving correctness of the specified property. In this work, we extend our previous approach [18] of EMM in SAT-based BMC to the more commonly occurring embedded memory systems, with multiple memories having multiple read and write ports. More importantly, we augment the EMM techniques to providing correctness proofs in addition to finding real bugs. The novelties of our verification approach are in a) combining EMM with PBA that preserves the correctness of a property up to a certain analysis depth of SAT-based BMC, and b) modeling arbitrary initial memory state precisely and thereby providing inductive proofs using SAT-based BMC for embedded memory systems. Similar to the previous approach [18], we construct a verification model by eliminating memory arrays, but retaining the memory interface signals with their control logic and adding constraints on those signals at every analysis depth to preserve the memory data forwarding semantics. The size of these memory-modeling constraints depends quadratically on the number of memory accesses and the number of read and write ports, and linearly on the address and data widths and the number of memories. We have implemented our techniques in a prototype verification platform, and demonstrate their effectiveness on several industry designs and software programs.
Proceedings of the Design, Automation and Test in Europe Conference and Exhibition (DATE'05) 1530-1591/05 $ 20.00 IEEE
Outline: In Section 2 we give relevant background on memory semantics, SAT-based BMC, and PBA; in Section 3 we discuss the previous EMM approach; in Section 4 we describe our contributions; in Section 5 we discuss our experiments on several case studies, and conclude in Section 6.

2. Background

2.1. Bounded Model Checking (BMC)
In BMC, the specification is expressed in LTL (Linear Temporal Logic). Given a Kripke structure M, an LTL formula f, and a bound n, the translation task in BMC is to construct a propositional formula [M, f]_n such that the formula is satisfiable if and only if there exists a witness of length n [16]. The satisfiability check is performed by a backend SAT solver. Verification typically proceeds by looking for witnesses or counter-examples (CE) of increasing length until the completeness bound is reached [16, 19]. The overall algorithm (BMC-1) of a SAT-based BMC method for checking a simple safety property is shown in Figure 1 (ignore lines 10-11 for now). Note that P_i denotes the property node at the i-th unrolling of the transition relation, I denotes the initial state of the system, and LFP_i denotes that the path of length i is loop-free. In lines 5-7, a SAT solver is used to check the forward and backward termination criteria for correctness [19]. In line 8, a SAT solver is used to check the existence of a counter-example.

1.  BMC-1(n, P) {                                  // Check safety property P within bound n
2.    CP_0 = 1; LR_{-1} = ∅;
3.    for (int i = 0; i <= n; i++) {
4.      P_i = Unroll(P, i);                        // Property node at i-th unrolling
5.      if (SAT_Solve(I ∧ LFP_i) = UNSAT or
6.          SAT_Solve(LFP_i ∧ ¬P_i ∧ CP_i) = UNSAT) {
7.        return PROOF; }                          // fwd and bwd termination check
8.      if (SAT_Solve(I ∧ ¬P_i) = SAT) return CE;  // Falsify
9.      CP_{i+1} = CP_i ∧ P_i;                     // update CP
10.     U_Core = SAT_Get_Refutation();             // get proof of UNSAT
11.     LR_i = LR_{i-1} ∪ Get_Latch_Reasons(U_Core); }
12.   return NO_CE; }                              // No counter-example found
Fig. 1. SAT-based BMC with PBA

2.2. Proof-based Abstraction (PBA)
A PBA technique for SAT-based BMC is shown in lines 10-11 in Figure 1. When the SAT problem at line 8 is unsatisfiable, i.e., there is no counter-example for the safety property at a given depth i, the unsatisfiable core (U_Core) is obtained using the procedure SAT_Get_Refutation in line 10. This procedure simply retraces the resolution-based proof tree used by the SAT solver and identifies a subset formula that is sufficient for unsatisfiability [9, 20]. One can then use either a gate-based abstraction [9] or a latch-based abstraction [10] technique to obtain an abstract model from the U_Core. Here we show a latch-based abstraction technique in line 11, to obtain a set of latch reasons LR_i at depth i. An abstract model is then generated for depth i by converting those latches in the given design that are not in the set LR_i to pseudo-primary inputs. Due to the sufficiency property of U_Core, the resulting abstract model is guaranteed to preserve correctness of the property up to depth i [9, 10]. Depending on the locality of the property, the set LR_i can be significantly smaller than the total latches in the given design. Specifically, in [10], a depth d (< n) is chosen such that the size of set LR_d does not increase over a certain number of depths, called the stability depth. In many cases, the property can be proved correct on the abstract model generated at depth d and hence for the given design. One can apply PBA techniques iteratively, called iterative abstraction [10], to further reduce the set LR_d and hence obtain a smaller abstract model.

2.3. Memory Semantics
Embedded memories are used in several forms such as RAM, stack, and FIFO, with at least one port for data access.
We model a design with an embedded memory as a Main module interacting with the memory module using the following memory interface signals: Address Bus (Addr), Write Data Bus (WD), Read Data Bus (RD), Write Enable (WE), and Read Enable (RE). For the single-port memory at any given clock cycle: a) at most one address is valid, b) at most one write occurs, and c) at most one read occurs. In the write phase of the memory accesses, new data is assigned to WD in the same cycle when the Addr is valid and WE is active. Note that the newly written data is available for read only after the current cycle. In the read phase, data is assigned to RD in the same cycle when the Addr is valid and RE is active. Assume that we unroll the design up to depth k (starting from 0). Let X_j denote a memory interface signal variable X at time frame j. Let the Boolean variable E_{i,j} denote the address comparison between time frames i and j, defined as E_{i,j} = (Addr_i = Addr_j). Then the data forwarding semantics of the memory can be expressed as follows, where j < k:
(E_{j,k} ∧ WE_j ∧ RE_k ∧ ∀ j
0 as follows: ∀ 0 ≤ i
3hr NA
3 P2 27 30 44 >3hr NA
4 P1 42 601 105 >3hr NA
4 P2 42 453 124 >3hr NA
5 P1 59 6376 423 >3hr NA
5 P2 59 4916 411 >3hr NA
Note that property P1 depends on both the array and the stack, while property P2 depends on only the stack for correctness. In other words, for P2, the contents of the array should not matter at all. We used the PBA technique to examine this. For property P2, we compared the performance of EMM with PBA using BMC-3 with that of PBA on Explicit Modeling using BMC-1. We used a stability depth of 10 to obtain the stable set LR. We present the results in Table 2. Column 1 shows the different array sizes N; Columns 2-5 show performance figures for EMM. Specifically, Column 2 shows the number of latches in the reduced model using EMM with PBA. The value in brackets shows the original number of latches. Column 3 shows the time taken (in sec) for PBA to generate a stable latch set. Columns 4-5 show the time and memory required for EMM to provide the forward induction proof. Columns 6-9 report these performance numbers for the Explicit Modeling. It is interesting to note that by use of PBA, the reduced model in Column 2 did not have any latch from the control logic of the memory module representing the array. Therefore, we were able to automatically abstract out the entire array memory module, while doing BMC analysis on the reduced model using EMM. Note that this results in significant improvement in performance, as is clear from a comparison of the performance figures of EMM on property P2 in columns 4-5 of Tables 1 and 2. Moreover, we see several orders of magnitude performance improvement over the Explicit Modeling, even on the reduced models. Note that for N=5 we could not generate a stable latch model in the given time limit for the Explicit Modeling case.

Table 2. Performance summary on Quick Sort on P2
     EMM+PBA          EMM-Proof on Red. Model   Explicit+PBA        Explicit on Red. Model
N    FF (orig)  Sec   Sec     MB                FF (orig)    Sec    Sec    MB
3    91 (167)   10    5       13                293 (37K)    293    2K     274
4    93 (167)   38    145     40                2858 (37K)   2858   10K    456
5    91 (167)   351   2316    116               - (37K)      >3hr   NA     NA

Case Study on Industry Design I: This case study makes use of our approach of EMM for multiple memories and EMM with induction proofs. The industry design is a low-pass image filter with 756 latches (excluding the memory registers), 28 inputs and ~15K 2-input gates. It has two memory modules, both having address width AW = 10 and data width DW = 8. Each module has 1 write and 1 read port, with memory state initialized to 0. There are 216 reachability properties.
EMM: We were able to find witnesses for 206 of the 216 properties, in about 400s requiring 50Mb. The maximum depth over all witnesses was 51. For the remaining 10 properties, we were able to obtain the proofs by induction using BMC-3, in less than 1s requiring 6Mb. Note that the introduction of new variables to model arbitrary initial memory state, without the constraints in equation (6), was sufficient for the proofs although they capture extra behavior in the verification model.
Explicit Modeling: We required 20540s (~6Hrs) and 912Mb to find witnesses for all 206 properties. For the remaining 10 properties, we were able to obtain the proofs by induction using BMC-1 in 25s requiring 50Mb.

Case Study on Industry Design II: This case study makes use of EMM for memory with multiple ports, and for finding invariants that can aid proofs by induction. The design has 2400 latches (excluding the memory registers), 103 inputs and ~46K 2-input gates. It has one memory module with AW = 12 and DW = 32. The memory module has 1 write port and 3 read ports, with memory state initialized to 0. There are 8 reachability properties. We found spurious witnesses at depth 7 for all properties if we abstract out the memory completely. Thus, we needed to include the memory module. Using EMM, we were not able to find any witnesses for these properties up to depths of 200 in about 10s. Next, we tried obtaining a proof of unreachability for all depths. Using EMM with PBA, we were able to reduce the model to about 100 latches, requiring 4-5 minutes. However, the model was not small enough for our BDD-based model checker or SAT-based BMC to provide a proof. We also noticed that the WE (write enable) control signal stayed inactive in the forward search of 200 depth. Observing that, we hypothesized that the memory state does not get updated, i.e., it remains in its initial state. This is expressed using the following LTL property: G(WE=0 or WD=0), i.e., always, either the write enable is inactive or the write data (WD) is 0. Using BMC-3, we were able to prove the above property using backward induction at depth 2 in less than 1s. Explicit Modeling using BMC-1 takes 78s to prove the same. The above invariant implies that the data read is always 0 (which could potentially be a design bug). Next we abstracted out the memory, but applied this constraint to the input read data signals. We used PBA to further reduce the design to only 20-30 latches for each property (taking about a minute). We then proved each property unreachable on the reduced model using a forward induction proof in BMC-1 in less than 1s. (Our BDD-based model checker was unable to build even the transition relation for these abstract models.)

6. Conclusions
We have proposed several techniques for verifying embedded memory systems using EMM. We extend the previous EMM approach for a single memory with a single read/write port to the more commonly occurring memory systems of multiple memories with multiple read and write ports. We also extend the previous EMM approach for falsification to the derivation of proofs. We have proposed a precise modeling of the arbitrary initial state of memory, for use in SAT-based induction proofs using BMC. We have also proposed combining PBA techniques with EMM. We showed that using this combined approach, we can identify fewer memory modules that need to be modeled, thereby reducing the model size and verification problem complexity. We applied these EMM techniques on several case studies to show their effectiveness in practice, in comparison to an explicit memory modeling approach.
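As an added illustration of the data forwarding semantics from Section 2.3 (example code written for this page, not the paper's own prototype platform), the following Python evaluates, on a constructed single-port trace, the per-read forwarding guards that an EMM constraint set encodes: for each read at frame k and each earlier write j, E_{j,k} together with WE_j, RE_k and the absence of an intervening write to the same address, with the consequent RD_k = WD_j. It also counts the E_{j,k} comparisons, showing the quadratic growth in memory accesses the paper states. The Frame type, TRACE and all function names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Frame:
    """Memory interface signals of one unrolled time frame of a single-port memory."""
    addr: int                 # Addr_j
    we: bool = False          # WE_j, write enable
    re: bool = False          # RE_j, read enable
    wd: Optional[int] = None  # WD_j, write data (meaningful only when we is set)
    rd: Optional[int] = None  # RD_j, read data the Main module observed (when re is set)


def forwarding_guards(trace: List[Frame], k: int) -> List[Tuple[int, bool]]:
    """For a read at frame k, evaluate the guard of every earlier write j < k:
    E_{j,k} and WE_j and RE_k and no write to the same address strictly between j and k.
    In a symbolic EMM model each guard is one constraint whose consequent is RD_k = WD_j;
    here the guards are evaluated on concrete signal values. At most one guard is true,
    which is the matching read/write exclusivity the paper refers to."""
    guards = []
    for j in range(k):
        if not trace[j].we:
            continue                                   # only writes can forward data
        e_jk = trace[j].addr == trace[k].addr          # E_{j,k} = (Addr_j = Addr_k)
        no_later_write = all(not (trace[i].we and trace[i].addr == trace[k].addr)
                             for i in range(j + 1, k))
        guards.append((j, e_jk and trace[k].re and no_later_write))
    return guards


def expected_read_data(trace: List[Frame], k: int, init_value: int = 0) -> int:
    """RD_k required by the forwarding semantics: the most recent WD_j written to Addr_k,
    or the initial memory contents if no earlier frame wrote that address. A write in
    frame k itself is not visible to a read in frame k (data is readable only after
    the current cycle), which is why only j < k is considered."""
    matches = [j for j, hit in forwarding_guards(trace, k) if hit]
    assert len(matches) <= 1, "forwarding guards must be mutually exclusive"
    return trace[matches[0]].wd if matches else init_value


def check_forwarding(trace: List[Frame], init_value: int = 0) -> List[Tuple[int, int, int]]:
    """Return (k, observed RD_k, expected RD_k) for every read that violates the semantics."""
    violations = []
    for k, frame in enumerate(trace):
        if frame.re:
            expected = expected_read_data(trace, k, init_value)
            if frame.rd != expected:
                violations.append((k, frame.rd, expected))
    return violations


def num_address_comparisons(trace: List[Frame]) -> int:
    """Number of E_{j,k} terms the EMM constraints need up to this depth: one per
    (earlier write, later read) pair, hence quadratic in the number of accesses."""
    return sum(1 for k, f in enumerate(trace) if f.re for j in range(k) if trace[j].we)


# Constructed trace (not from the paper); memory state initialised to 0.
TRACE = [
    Frame(addr=5, we=True, wd=0xAA),                 # 0: write 0xAA to 5
    Frame(addr=7, we=True, wd=0xBB),                 # 1: write 0xBB to 7
    Frame(addr=5, re=True, rd=0xAA),                 # 2: read 5, forwarded from frame 0
    Frame(addr=5, we=True, wd=0xCC),                 # 3: overwrite 5 with 0xCC
    Frame(addr=5, re=True, rd=0xCC),                 # 4: read 5, frame 3 wins, frame 0 excluded
    Frame(addr=9, re=True, rd=0),                    # 5: read never-written 9, initial value
    Frame(addr=9, we=True, wd=0xDD, re=True, rd=0),  # 6: write and read 9 in one cycle
    Frame(addr=9, re=True, rd=0xDD),                 # 7: read 9, frame 6 now visible
]

if __name__ == "__main__":
    print("violations:", check_forwarding(TRACE))                  # []
    print("E_{j,k} comparisons:", num_address_comparisons(TRACE))  # 15
```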
In one case study, EMM techniques also helped to efficiently check invariants, which were then used to prove several properties unreachable.

References
[1] M. Pandey, R. Raimi, D. L. Beatty, and R. Brayton, "Formal Verification of PowerPC Arrays using Symbolic Trajectory Evaluation," Proceedings of DAC, 1996.
[2] C. J. H. Seger and R. E. Bryant, "Formal Verification by Symbolic Evaluation by Partially-ordered Trajectories," Formal Methods in System Design, 1995.
[3] K. L. McMillan, Symbolic Model Checking: An Approach to the State Explosion Problem, Kluwer Academic Publishers, 1993.
[4] E. M. Clarke, O. Grumberg, and D. Peled, Model Checking, MIT Press, 1999.
[5] D. E. Long, "Model checking, abstraction and compositional verification," Carnegie Mellon University, 1993.
[6] E. M. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith, "Counterexample-guided abstraction refinement," in Proceedings of CAV, vol. 1855, LNCS, 2000, pp. 154-169.
[7] E. M. Clarke, A. Gupta, J. Kukula, and O. Strichman, "SAT based abstraction-refinement using ILP and machine learning techniques," in Proceedings of CAV, 2002.
[8] P. Chauhan, E. M. Clarke, J. Kukula, S. Sapra, H. Veith, and D. Wang, "Automated Abstraction Refinement for Model Checking Large State Spaces using SAT based Conflict Analysis," in Proceedings of FMCAD, 2002.
[9] K. McMillan and N. Amla, "Automatic Abstraction without Counterexamples," in Proceedings of TACAS, April 2003.
[10] A. Gupta, M. Ganai, P. Ashar, and Z. Yang, "Iterative Abstraction using SAT-based BMC with Proof Analysis," in Proceedings of ICCAD, 2003.
[11] J. R. Burch and D. L. Dill, "Automatic verification of pipelined microprocessor control," in Proceedings of CAV, 1994.
[12] M. N. Velev, R. E. Bryant, and A. Jain, "Efficient Modeling of Memory Arrays in Symbolic Simulation," in Proceedings of CAV, 1997.
[13] R. E. Bryant, S. German, and M. N. Velev, "Processor Verification Using Efficient Reductions of the Logic of Uninterpreted Functions to Propositional Logic," in Proceedings of CAV, 1999.
[14] M. N. Velev, "Automatic Abstraction of Memories in the Formal Verification of Superscalar Microprocessors," in Proceedings of TACAS, 2001.
[15] R. E. Bryant, S. K. Lahiri, and S. A. Seshia, "Modeling and Verifying Systems using a Logic of Counter Arithmetic with Lambda Expressions and Uninterpreted Functions," in Proceedings of CAV, 2002.
[16] A. Biere, A. Cimatti, E. M. Clarke, and Y. Zhu, "Symbolic Model Checking without BDDs," in Proceedings of TACAS, 1999.
[17] M. Ganai, A. Gupta, and P. Ashar, "Distributed SAT and Distributed Bounded Model Checking," in Proceedings of CHARME, 2003.
[18] M. Ganai, A. Gupta, and P. Ashar, "Efficient Modeling of Embedded Memories in Bounded Model Checking," in Proceedings of CAV, 2004.
[19] M. Sheeran, S. Singh, and G. Stalmarck, "Checking Safety Properties using Induction and a SAT Solver," in Proceedings of FMCAD, 2000.
[20] L. Zhang and S. Malik, "Validating SAT Solvers Using an Independent Resolution-Based Checker: Practical Implementations and Other Applications," in Proceedings of DATE, 2003.
[21] M. Ganai, L. Zhang, P. Ashar, and A. Gupta, "Combining Strengths of Circuit-based and CNF-based Algorithms for a High Performance SAT Solver," in Proceedings of DAC, 2002.