Semi-automatic Property Generation for the Formal

Verification of a Satellite On-board System

Wesley Gonçalves Silva

<wesley@lisha.ufsc.br>

Hardware verification

Simulation

2

Start state Error stateTestbenches

Hardware verification

Formal Verification

3

Propertiestemporal logic

FSM

Formal model

Formal Verification

F – eventuallyG – alwaysN – nextU – until Start state Error state

ManuallyDefined

Problem identification 4

Just data points are verified, i.e. incomplete coverage problem

Very dependent on system

Best suitable for small systems, in order to avoid the state explosion problem

How many properties are required to guarantee 100% of design coverage?

Simulation Verification Formal VerificationProperty P1

Property P2

Property P3

Problem identification

Two main problems

To cover a hundred percent of the system

To automate de process

Automatic property generation is indicated

It is less susceptible to human error

Cost and time of the project can be decreased

It supports the identification of additional properties

improving the system coverage

5

State-of-the-art

Rogin, F.; Klotz, T.; Fey, G.; Drechsler, R.; Riilke, S.

Automatic Generation of Complex Properties for

Hardware Designs. Design, Automation and Test in

Europe, 2008

Properties are extracted combining signals from

simulation trace data

High-quality properties depend of extensive system

simulation

6

State-of-the-art

Vasudevan, S.; Sheridan, D.; Patel, S.; Tcheng, D.;

Tuohy, B.; Johnson, D. GoldMine: Automatic assertion

generation using data mining and static

analysis. Design, Automation & Test in Europe, 2010

The developed tool also extracts properties analyzing

simulation trace data

Static analysis (behavioral analysis)

Data mining (knowledge and information from simulation)

7

State-of-the-art

Both applied to RTL design verification

They extract properties from simulation trace

The quality of the properties depends of the

simulation

It is required high effort in testbenches elaboration

8

Property Generation

State-of-the-art: ContributionState-of-the-art: Contribution

The proposed approach

extracts properties from

state machines

Avoiding the high effort in

testbenches elaboration

A procedure explores

the state space

State Machines

Properties

Formal verification tool

Specification

Semi-automatic generation 10

algorithm propertyGeneration (states)

Visit each state

Identification of the next (X) operator

Identification of infinite loops in a state

foreach states as state…

end

foreach state.next as next if state != next then setNextProperty(state, state.next) else setNotLockedProperty(state) endend

foreach state.next as next if state != next then setNextProperty(state, state.next) else setNotLockedProperty(state) endend

Has a FSM as input

Identification of reachable final states

setReachableFinalState(state)

Automatic property generation: implementation

Two tools are used to perform the verification, both from

Berkeley VeriABC (LONG, J.; RAY, S.; STERIN, B.; MISHCHENKO, A.; BRAYTON, R. Enhancing ABC for LTL stabilization verification of SystemVerilog/VHDL models. 2011)

ABC Model Checker (http://www.eecs.berkeley.edu/ alanmi/abc/)

11

VeriABC

ErrorTrace

ProvenDebug

RTL + SVA

AIGER ABC

Automatic property generation: implementation 12

SpecificationState

MachinesProperty

Generation

Verification flow

VeriABC

ErrorTrace

ProvenDebug

RTL + SVA

AIGER ABC

Results 13

idle send

inc.spc

F (data_available) → X (idle,send)

F(not buff_empty) → X (idle,send)

F (end_sending) → X (send,inc.spc)

F(not sending) → X (send, inc.spc)

F (wait_data) → X (inc.spc,idle)

buff_empty

data_available

sending

end_sendingwait_data

Conclusion and future work

Model checking has a coverage problem depending on

the number of properties

Automatic generation of properties is desirable

State-of-the-arts automatic generation depend of high

effort in simulation

we proposed a semi-automatic generation of properties from

state machines

Automation the formal verification helps the acceptance

in the industrial process

14

Conclusion and future work

To improve the heuristic to define and filter the

properties

To verify other modules of the UTMC

15