Verification of Behavioral Consistency in C by Using Symbolic Simulation and Program Slicer

Takeshi Matsumoto, Thanyapat Sakunkonchak, Hiroshi Saito, Masahiro Fujita
The University of Tokyo
Outline

- Introduction
- Basic Notations
- Verification Strategy
- Case Studies
- Conclusion and Future Work
Formal verification in VLSI design

- As VLSI designs become more complicated, verification tasks become more difficult
- Formal verification has many advantages; however, it is very sensitive to the size of the descriptions
- Recently, C-based design languages are commonly used
  - SpecC, SystemC, …
  - Easy to learn
  - Able to describe HW and SW
C-based design & verification flow

Behavioral consistency is checked at each refinement step of this flow:

  Specification in C
    | refinement step: removal of pointers and recursive calls
  Refined description for HW part
    | refinement step: introduction of concurrency (SpecC or SystemC may be used here)
  Refined description with concurrency
    |
  To RTL

Our verification method works in this design flow:
- There are many refinement steps in this flow
- At each refinement step, the descriptions are very close to each other
Target of verification

In this work, the target of verification is C hardware descriptions, i.e. the refined description for the HW part that sits between "Specification in C" and "Refined description with concurrency" in the flow:
- No pointer reference
- No recursive function calling
- No dynamic memory allocation

In the future, our verification method will be extended to cover the whole design flow
Our proposed method

- We propose a verification method to check the behavioral consistency of two given C descriptions
  - These C descriptions are restricted for HW
  - Verification itself is performed by symbolic simulation (a formal method)
- Our main interest is to reduce the verification task and realize efficient verification
  - Based on textual differences
  - Code reduction by program slicing
Next: Basic Notations
Symbolic simulation

- In our method, verification itself is carried out by symbolic simulation
- Variables are treated as symbols rather than bit vectors
  - Symbolic simulation can verify designs more efficiently than traditional simulation
Example

This is an example of equivalence checking based on symbolic simulation. Equivalent variables are collected into EqvClass. We are going to check the equivalence between add1 and add2.

Description 1:
  a = v1;
  b = v2;
  add1 = a + b;

Description 2:
  add2 = v1 + v2;

Symbolic simulation builds EqvClass step by step:

1. Description 1 is simulated:
   E1 (a, v1)
   E2 (b, v2)
   E3 (add1, a+b)
2. Description 2 is simulated:
   E4 (add2, v1+v2)
3. Due to the equivalences in E1 and E2, a+b and v1+v2 are equivalent, so E3 and E4 are merged into E3':
   E1 (a, v1)
   E2 (b, v2)
   E3' (add1, a+b, add2, v1+v2)
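The EqvClass construction above, as an added example (this is not the authors' tool): variables are replaced by the symbols they hold, each assignment adds a (variable, value) pair, and a union-find merges classes whose values coincide. It assumes straight-line assignments whose right-hand side is a name or a single binary operation, as in the slides.

```python
import re
from typing import Dict, List, Tuple

Term = Tuple  # ('sym', name) free input | ('var', tag, name) | ('op', op, left, right)

class EqvClasses:
    """Union-find over terms: each disjoint set is one EqvClass entry (E1, E2, ...)."""
    def __init__(self) -> None:
        self.parent: Dict[Term, Term] = {}

    def find(self, t: Term) -> Term:
        self.parent.setdefault(t, t)
        while self.parent[t] != t:
            self.parent[t] = self.parent[self.parent[t]]  # path halving
            t = self.parent[t]
        return t

    def union(self, a: Term, b: Term) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb

def symbolic_value(expr: str, env: Dict[str, Term]) -> Term:
    """Replace each variable by the symbol it holds; values are never bit vectors."""
    m = re.fullmatch(r"(\w+)\s*([+\-*])\s*(\w+)", expr.strip())
    if m:
        left, op, right = m.groups()
        return ("op", op, symbolic_value(left, env), symbolic_value(right, env))
    name = expr.strip()
    return env.get(name, ("sym", name))  # never assigned -> free input symbol (v1, v2)

def simulate(tag: str, desc: List[str], env: Dict[str, Term], eq: EqvClasses) -> None:
    """Simulate one description; each assignment adds the pair (var, value) to EqvClass."""
    for stmt in desc:
        lhs, rhs = stmt.rstrip(";").split("=", 1)
        var, val = ("var", tag, lhs.strip()), symbolic_value(rhs, env)
        env[lhs.strip()] = val
        eq.union(var, val)  # two variables with the same value end up in one class (E3')

def check_consistency(desc1: List[str], desc2: List[str], out1: str, out2: str) -> bool:
    """True when out1 of description 1 and out2 of description 2 share an EqvClass."""
    eq = EqvClasses()
    simulate("D1", desc1, {}, eq)  # each description has its own variable environment,
    simulate("D2", desc2, {}, eq)  # but both feed the same EqvClass structure
    return eq.find(("var", "D1", out1)) == eq.find(("var", "D2", out2))

if __name__ == "__main__":
    d1 = ["a = v1;", "b = v2;", "add1 = a + b;"]  # Description 1 of the slides
    d2 = ["add2 = v1 + v2;"]                      # Description 2 of the slides
    print(check_consistency(d1, d2, "add1", "add2"))  # True
```

A refined description that computes `add2 = v1 - v2;` instead gives a different value term, so the two variables stay in separate classes and the check returns False.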
Program slicing

- In our method, the code to be symbolically simulated is extracted by program slicing
  - This means only the extracted code will be simulated for verification
  - Program slicing extracts the code that can affect (or be affected by) a variable
  - Two kinds of slicing: backward slicing and forward slicing
Backward slicing

Backward slicing for a variable v extracts all code that affects the variable v.

Example program (the slice is taken from the statement marked /start/):
  a = 2;
  b = 3;
  c = 5;
  a = a + 10;
  b = a * c; /start/
  c = c + a;
  a = a * b;
Forward slicing

Forward slicing for a variable v extracts all code that is affected by the variable v.

Example program (same program, sliced forward from the statement marked /start/):
  a = 2;
  b = 3;
  c = 5;
  a = a + 10;
  b = a * c; /start/
  c = c + a;
  a = a * b;
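Both slices on the program of the two slides above, as an added example (not the CodeSurfer output used by the authors): backward slicing follows the reaching definition of every used variable transitively, forward slicing keeps every later statement that uses a value defined inside the slice. It assumes straight-line assignments without control flow, which is all the slide program contains.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed sample: the straight-line program of the slicing slides.
PROGRAM = ["a = 2;", "b = 3;", "c = 5;", "a = a + 10;",
           "b = a * c;", "c = c + a;", "a = a * b;"]
START = 4  # index of "b = a * c;", marked /start/ on the slides

def def_use(stmt: str) -> Tuple[str, Set[str]]:
    """Split 'x = expr;' into the defined variable and the variables it uses."""
    lhs, rhs = stmt.rstrip(";").split("=", 1)
    return lhs.strip(), set(re.findall(r"[A-Za-z_]\w*", rhs))

def reaching_def(stmts: List[str], i: int, var: str) -> Optional[int]:
    """Index of the last assignment to var before statement i (straight-line code)."""
    for j in range(i - 1, -1, -1):
        if def_use(stmts[j])[0] == var:
            return j
    return None

def backward_slice(stmts: List[str], start: int) -> List[str]:
    """Statements that can affect the value computed at start (transitively)."""
    keep, work = {start}, [start]
    while work:
        i = work.pop()
        for var in def_use(stmts[i])[1]:
            j = reaching_def(stmts, i, var)
            if j is not None and j not in keep:
                keep.add(j)
                work.append(j)
    return [stmts[i] for i in sorted(keep)]

def forward_slice(stmts: List[str], start: int) -> List[str]:
    """Statements affected by the value defined at start (transitively)."""
    keep = {start}
    for i in range(start + 1, len(stmts)):  # in order, so earlier decisions are final
        if any(reaching_def(stmts, i, v) in keep for v in def_use(stmts[i])[1]):
            keep.add(i)
    return [stmts[i] for i in sorted(keep)]

if __name__ == "__main__":
    # b = 3; is dropped: that definition of b is overwritten before /start/
    print(backward_slice(PROGRAM, START))
    # c = c + a; is dropped: it does not read the b defined at /start/
    print(forward_slice(PROGRAM, START))
```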
Next: Verification Strategy
Verification flow (1)

  Description 1, Description 2
    |
  Pre-processes
    |
  Identification of textual differences & ordering them
    |
  Output: the set of textual differences (d1, d2, d3, …)
Identification of textual differences

- First, textual differences are identified by "diff"
- Then, they are sorted in the order of execution

Description 1:
  int v1, v2, out, opcode;
  v1 = 3;
  v2 = 5;
  if(opcode == 1) {
    out = v1 + v2;
  }

Description 2 (d1, d2, d3 mark the textual differences from Description 1):
  int v1, v2, out, opcode;
  int reg1, reg2, alu;       /* d1 */
  v1 = 3;
  v2 = 5;
  reg1 = v1;                 /* d2 */
  reg2 = v2;                 /* d2 */
  if(opcode == 1) {
    alu = reg1 + reg2;       /* d3 */
    out = alu;               /* d3 */
  }
Verification flow (2)

For the ordered set of differences (d1, d2, d3, …):

1. Is there any difference left?
   - No: verification terminates successfully
   - Yes: continue with the next difference
2. Decision of target variables
3. Backward slicing, then symbolic simulation
   - Consistency is proved: back to step 1
   - Consistency is not proved: continue
4. Forward slicing, then symbolic simulation
   - Consistency is proved: back to step 1
   - Consistency is not proved: an erroneous trace is reported
Decision of target variables

A variable v in a difference d is a target variable when the variable v is defined in both descriptions and assigned in the difference d.

Example (the two descriptions of the previous slide, with differences d1, d2, d3):

Description 1:
  int v1, v2, out, opcode;
  v1 = 3;
  v2 = 5;
  if(opcode == 1) {
    out = v1 + v2;
  }

Description 2:
  int v1, v2, out, opcode;
  int reg1, reg2, alu;       /* d1 */
  v1 = 3;
  v2 = 5;
  reg1 = v1;                 /* d2 */
  reg2 = v2;                 /* d2 */
  if(opcode == 1) {
    alu = reg1 + reg2;       /* d3 */
    out = alu;               /* d3 */
  }
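The pre-processing of verification flow (1) and the target-variable rule above on the two descriptions, as an added example (not the authors' implementation): `difflib` stands in for "diff", differences are kept in line order (for straight-line code that is the execution order), and a variable is a target when it is assigned inside a difference and declared by an `int` line in both descriptions.

```python
import difflib
import re
from typing import List, Set, Tuple

# Constructed sample: Description 1 and Description 2 of the slides, line by line.
DESC1 = ["int v1, v2, out, opcode;", "v1 = 3;", "v2 = 5;",
         "if(opcode == 1) {", "out = v1 + v2;", "}"]
DESC2 = ["int v1, v2, out, opcode;", "int reg1, reg2, alu;", "v1 = 3;", "v2 = 5;",
         "reg1 = v1;", "reg2 = v2;", "if(opcode == 1) {",
         "alu = reg1 + reg2;", "out = alu;", "}"]

DECL = re.compile(r"^\s*int\s+(.*?);\s*$")
ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*=[^=]")  # 'x = ...', not 'x == ...'

def declared(desc: List[str]) -> Set[str]:
    """Variables introduced by 'int a, b, c;' declaration lines."""
    names: Set[str] = set()
    for line in desc:
        m = DECL.match(line)
        if m:
            names |= {n.strip() for n in m.group(1).split(",")}
    return names

def textual_differences(desc1: List[str], desc2: List[str]) -> List[Tuple[List[str], List[str]]]:
    """diff-style differences d1, d2, ... as (old lines, new lines), in execution order."""
    sm = difflib.SequenceMatcher(a=desc1, b=desc2, autojunk=False)
    return [(desc1[i1:i2], desc2[j1:j2])
            for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]

def target_variables(desc1: List[str], desc2: List[str]) -> List[List[str]]:
    """Per difference: variables assigned in it that are declared in both descriptions."""
    in_both = declared(desc1) & declared(desc2)
    result = []
    for old, new in textual_differences(desc1, desc2):
        assigned = {m.group(1) for m in map(ASSIGN.match, old + new) if m}
        result.append(sorted(assigned & in_both))
    return result

if __name__ == "__main__":
    for k, (old, new) in enumerate(textual_differences(DESC1, DESC2), 1):
        print(f"d{k}: {old} -> {new}")
    # reg1, reg2 and alu exist only in Description 2, so only d3 yields a target: out
    print(target_variables(DESC1, DESC2))
```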
Case split (the verification flow (2) diagram is shown again on this slide)
Next: Case Studies
Case studies

- Our tool implementation has not been completed
  - A part of symbolic simulation is implemented
  - Program slicing is done by CodeSurfer, a product of GrammaTech Inc.
- We evaluated the efficiency of our proposed method by the amount of code to be verified
Case study 1

- C-model of Huffman decoder
  - Two functions were in-lined after refinement
  - 2 differences, 2 target variables
- An example of textual differences:
  Original:
    v = show_bits();
    flush_bits();
  Refined:
    v = inbuf[buf_index];
    buf_index++;
  The declarations of show_bits and flush_bits in the original description are also identified
Case study 1 (result)

- C-model of Huffman decoder
  - Two functions were in-lined after refinement
  - 2 differences, 2 target variables
- Result: behaviors were consistent

  Description | Total codes | Simulated codes | Reduction ratio
  Original    | 49 lines    | 21 lines        | 58%
  Refined     | 41 lines    | 11 lines        | 73%
Case study 2

- C-model of MAXSAT solver
  - We inserted differences in the original description so that both were consistent
  - 6 differences, 6 target variables
- Result: behaviors were consistent

  Description | Total codes | Simulated codes | Reduction ratio
  Original    | 632 lines   | 131 lines       | 79%
  Refined     | 630 lines   | 129 lines       | 80%
Next: Conclusion and Future Work
Conclusion and future work

- We proposed a method to verify the behavioral consistency of two given C descriptions efficiently
  - C descriptions are restricted for HW
  - Identification of textual differences and program slicing are applied for efficiency
- Future work
  - Full implementation of the tool set that realizes the proposed method
  - Extension of the proposed method by introduction of concurrency

Thank you very much!!