

22nd International SPIN Symposium on Model Checking of Software



# DSVerifier: A Bounded Model Checking Tool for Digital Systems

Hussama I. Ismail, **Iury V. Bessa**, Lucas C. Cordeiro Eddie B. de Lima Filho, and João E. Chaves Filho

Methodology

 Digital filters and controllers are currently replacing many analog components

Architecture

- Despite several advantages, they present limitations related to finiteword length (FWL) effects
- Limit cycle oscillations (LCOs) in power converters:
  - Oscillation in output voltage due to roundoff and overflows
  - More energy losses and short silicon lifespan
  - LCOs are almost unavoidable and difficult to be detected
  - LCOs are typically detected via timedomain simulations



Conclusions

Usage

 Digital filters and controllers are currently replacing many analog components

Motivation

- Despite several advantages, they present limitations related to finiteword length (FWL) effects
- Limit cycle oscillations (LCOs) in power converters:
  - Oscillation in output voltage due to roundoff and overflows
  - More energy losses and short silicon lifespan
  - LCOs are almost unavoidable and difficult to be detected
  - LCOs are typically detected via timedomain simulations



Architecture >

#### Methodology

Usage

Methodology

 Digital filters and controllers are currently replacing many analog components

Architecture

- Despite several advantages, they present limitations related to finiteword length (FWL) effects
- Limit cycle oscillations (LCOs) in power converters:
  - Oscillation in output voltage due to roundoff and overflows
  - More energy losses and short silicon lifespan
  - LCOs are almost unavoidable and difficult to be detected
  - LCOs are typically detected via timedomain simulations



Conclusions

Usage

Methodology

 Digital filters and controllers are currently replacing many analog components

Architecture

- Despite several advantages, they present limitations related to finiteword length (FWL) effects
- Limit cycle oscillations (LCOs) in power converters:
  - Oscillation in output voltage due to roundoff and overflows
  - More energy losses and short silicon lifespan
  - LCOs are almost unavoidable and difficult to be detected
  - LCOs are typically detected via timedomain simulations



Conclusions

Usage

Methodology

 Digital filters and controllers are currently replacing many analog components

Architecture

- Despite several advantages, they present limitations related to finiteword length (FWL) effects
- Limit cycle oscillations (LCOs) in power converters:
  - Oscillation in output voltage due to roundoff and overflows
  - More energy losses and short silicon lifespan
  - LCOs are almost unavoidable and difficult to be detected
  - LCOs are typically detected via timedomain simulations



Conclusions

Usage

Methodology

 Digital filters and controllers are currently replacing many analog components

Architecture

- Despite several advantages, they present limitations related to finiteword length (FWL) effects
- Limit cycle oscillations (LCOs) in power converters:
  - Oscillation in output voltage due to roundoff and overflows
  - More energy losses and short silicon lifespan
  - LCOs are almost unavoidable and difficult to be detected
  - LCOs are typically detected via timedomain simulations



Conclusions

Usage

 Digital filters and controllers are currently replacing many analog components

Architecture

Motivation

- Despite several advantages, they present limitations related to finiteword length (FWL) effects
- Limit cycle oscillations (LCOs) in power converters:
  - Oscillation in output voltage due to roundoff and overflows
  - More energy losses and short silicon lifespan
  - LCOs are almost unavoidable and difficult to be detected
  - LCOs are typically detected via timedomain simulations



Methodology

Methodology

 Digital filters and controllers are currently replacing many analog components

Architecture

Motivation

- Despite several advantages, they present limitations related to finiteword length (FWL) effects
- Limit cycle oscillations (LCOs) in power converters:
  - Oscillation in output voltage due to roundoff and overflows
  - More energy losses and short silicon lifespan
  - LCOs are almost unavoidable and difficult to be detected
  - LCOs are typically detected via timedomain simulations



Usage

Methodology

 Digital filters and controllers are currently replacing many analog components

Architecture

- Despite several advantages, they present limitations related to finiteword length (FWL) effects
- Limit cycle oscillations (LCOs) in power converters:
  - Oscillation in output voltage due to roundoff and overflows
  - More energy losses and short silicon lifespan
  - LCOs are almost unavoidable and difficult to be detected
  - LCOs are typically detected via timedomain simulations



Conclusions

Usage

### **Bounded Model Checking (BMC)**

Architecture

Motivation

• Basic Idea: given a transition system M, check negation of a given property  $\varphi$  up to given depth k

Methodology

Usage



- Translated into a VC ψ such that: ψ is satisfiable iff φ has counterexample of max. depth k
- BMC has been applied successfully to verify (embedded) software since early 2000's, but it has not been used to verify digital controllers



#### BMC of digital systems implementations considering FWL effects

- Investigate FWL effects in fixed-point digital system (controllers and filters) implementations via BMC techniques
- Apply a design-aided verification methodology to digital systems, which is supported by the Digital-Systems Verifier (DSVerifier)
- Verify overflows, limit cycles, time constraints, stability, and mimimum phase in digital systems using standard benchmarks

Usage

### The Digital-Systems Verifier (DSVerifier)

 DSVerifier is an additional module for the Efficient SMT-based Context-Bounded Model Checker (ESBMC) to add support for digital systems verification



The complete tool includes four components from ESBMC

C Parser, GOTO Program, GOTO Symex, and SMT Solver

Usage

### The Digital-Systems Verifier (DSVerifier)

 DSVerifier is an additional module for the Efficient SMT-based Context-Bounded Model Checker (ESBMC) to add support for digital systems verification



**DSVerifier module is included before the ANSI-C parser,** which provides functions related to quantization, digital-system realizations, and property verification

Usage

### The Digital-Systems Verifier (DSVerifier)



Usage

### The Digital-Systems Verifier (DSVerifier)



Usage

### The Digital-Systems Verifier (DSVerifier)



Usage

### The Digital-Systems Verifier (DSVerifier)



Usage

### The Digital-Systems Verifier (DSVerifier)



Usage

### The Digital-Systems Verifier (DSVerifier)



#### Methodology

Usage

### The Digital-Systems Verifier (DSVerifier)



Usage

### The Digital-Systems Verifier (DSVerifier)



#### Methodology

Usage

### The Digital-Systems Verifier (DSVerifier)



Usage

### The Digital-Systems Verifier (DSVerifier)





### **DSVerifier Features**

- DSVerifier supports five verification properties, considering three directand delta-form implementations, in addition to the cascade form
- **1. Overflow:** if a sum or product exceeds the number representation
- 2. Limit Cycle: checks for zero-input limit cycles, for any initial condition
- 3. Stability: considers FWL effects on pole locations
- 4. Minimum phase: considers FWL effects on zero locations
- 5. **Time constraints:** checks whether a specific realization meets time constraints

Methodology

Usage

Conclusions



**Motivation** 

#### Architecture

Methodology

Usage

Conclusions

Architecture



Methodology

Usage

Conclusions

Architecture



Methodology

Usage

Conclusions



#### **Motivation**

#### Architecture



#### **Motivation**

#### Architecture

Usage



Architecture

**Motivation** 

Usage

Methodology

Usage

Conclusions



**Motivation** 

#### Architecture

Methodology

Usage

Conclusions

Architecture





Motivation

#### Architecture

Usage

Re-choose the numeric format and/or realization form Step 2: Step 1: Step 3: Step 4: Step 5: **Digital System** Define Define Configure Verify Using **Realization Form** Verifications Design Representation a BMC tool • Hardware Model: (clock, Direct Forms • < k, l > k bits for Integer Model Checker DS(z)number of bits, ISA) (DFI, DFII, TDFII) part and / bits for (ESBMC)  $= \frac{b_0 + b_1 z^{-1} + \dots + b_M z^{-M}}{a_0 + a_1 z^{-1} + \dots + a_N z^{-N}}$  Verification Time Delta Forms fractional part; •SMT-Solver Property: Overflow, (DDFI, DDFII, TDDFII) Dynamical Range (Boolector and Z3) Limit Cycle, Timing, Cascade Delta and Stability or Minimum **Direct Forms** Phase Step 6: YES Counterexample Property Violation? NO

Architecture > Met

**Motivation** 

Methodology

Usage

Conclusions

**SUCCESS** 



Methodology

Architecture

**Motivation** 

Usage

## Motivation Architecture Methodology Usage Conclusions

### **DSVerifier-Aided Verification Example**



Architecture

**Motivation** 



Methodology

Usage

Conclusions

Numeric format choosen based on impulse response sum and hardware limitations

Methodology

Usage

Conclusions

Architecture



Methodology

Usage

Conclusions

Architecture



Architecture

**Motivation** 



Methodology

Usage

Architecture

**Motivation** 

Methodology

Usage



Methodology

Usage

Conclusions

Architecture



Methodology

Usage

Conclusions

Architecture



Architecture

**Motivation** 

Methodology

Usage



Architecture

**Motivation** 



Methodology

Usage

Methodology

Usage

Conclusions

Architecture



Methodology

Usage

Conclusions

Architecture



Architecture

**Motivation** 



Methodology

Usage

Architecture

**Motivation** 

Methodology

Usage

Conclusions



**Redefine the implementation!** 

Architecture

**Motivation** 



Methodology

Usage

Conclusions

Verifying with a different representation...

There is a trade off: the oscillation is solved; however, there is an accurate loss

Methodology

Usage

Conclusions

Architecture



• The user provides the digital-system specification via an ANSI-C file

Methodology

• Consider the following digital system:

Architecture

**Motivation** 

 $H(z) = \frac{2.813z^2 - 0.0163z - 1.872}{z^2 + 1.068z + 0.1239}$ 

Conclusions

```
#include <dsverifier.h>
digital_system ds = {
   .b = {2.813, -0.0163, -1.872},
   .b_size = 3,
   .a = { 1.0, 1.068, 0.1239 },
   .a_size = 3
};
```

• The user provides the digital-system specification via an ANSI-C file

Methodology

• Consider the following digital system:

Architecture

**Motivation** 

 $H(z) = \frac{2.813z^2 - 0.0163z - 1.872}{z^2 + 1.068z + 0.1239}$ 

Conclusions

```
#include <dsverifier.h>
digital_system ds = {
    .b = {2.813, -0.0163, -1.872},
    .b_size = 3,
    .a = { 1.0, 1.068, 0.1239 },
    .a_size = 3
};
```

• The user provides the digital-system specification via an ANSI-C file

Methodology

• Consider the following digital system:

Architecture

**Motivation** 

 $H(z) = \frac{2.813z^2 - 0.0163z - 1.872}{z^2 + 1.068z + 0.1239}$ 

Conclusions

```
#include <dsverifier.h>
digital_system ds = {
   .b = {2.813, -0.0163, -1.872},
   .b_size = 3,
   .a = { 1.0, 1.068, 0.1239 },
   .a_size = 3
};
```

• The user provides the digital-system specification via an ANSI-C file

Methodology

• Consider the following digital system:

Architecture

**Motivation** 

 $H(z) = \frac{2.813z^2 - 0.0163z - 1.872}{z^2 + 1.068z + 0.1239}$ 

Conclusions

```
#include <dsverifier.h>
digital_system ds = {
    .b = {2.813, -0.0163, -1.872},
    .b_size = 3,
    .a = { 1.0, 1.068, 0.1239 },
    .a_size = 3
};
```

• The user provides the digital-system specification via an ANSI-C file

Methodology

• Consider the following digital system:

Architecture

**Motivation** 

 $H(z) = \frac{2.813z^2 - 0.0163z - 1.872}{z^2 + 1.068z + 0.1239}$ 

Conclusions

```
#include <dsverifier.h>
digital_system ds = {
   .b = {2.813, -0.0163, -1.872},
   .b_size = 3,
   .a = { 1.0, 1.068, 0.1239 },
   .a_size = 3
};
```

• The user provides the digital-system specification via an ANSI-C file

Methodology

• Consider the following digital system:

Architecture

**Motivation** 

 $H(z) = \frac{2.813z^2 - 0.0163z - 1.872}{z^2 + 1.068z + 0.1239}$ 

Conclusions



• The user provides the digital-system specification via an ANSI-C file

Methodology

• Consider the following digital system:

Architecture

```
digital_system ds = {
   .b = {2.813, -0.0163, -1.872},
   .b_size = 3,
   .a = { 1.0, 1.068, 0.1239 },
   .a_size = 3
};
implementation impl = {
   .int_bits = 4,
   .frac_bits = 10,
   .min = -5,
   .max = 5
};
```

#include <dsverifier.h>

em:  $H(z) = \frac{2.813z^2 - 0.0163z - 1.872}{z^2 + 1.068z + 0.1239}$ • Implementation aspects:

Usage

#### Architecture

Methodology

#### Usage

Conclusions

#### **DSVerifier Command-line Version**

- The user provides the digital-system specification via an ANSI-C file
- Consider the following digital system:

```
digital_system ds = {
   .b = {2.813, -0.0163, -1.872},
   .b_size = 3,
   .a = { 1.0, 1.068, 0.1239 },
   .a_size = 3
};
implementation impl = {
   .int_bits = 4,
   .frac_bits = 10,
   .min = -5,
   .max = 5
};
```

#include <dsverifier.h>

em:  $H(z) = \frac{2.813z^2 - 0.0163z - 1.872}{z^2 + 1.068z + 0.1239}$ • Implementation aspects:

14-bits architecture: 4 bits for integer and10 bits for precision parts

#### Architecture

Methodology

Usage

#### **DSVerifier Command-line Version**

- The user provides the digital-system specification via an ANSI-C file
- Consider the following digital system:

```
digital_system ds = {
   .b = {2.813, -0.0163, -1.872},
   .b_size = 3,
   .a = { 1.0, 1.068, 0.1239 },
   .a_size = 3
};
implementation impl = {
   .int_bits = 4,
   .frac_bits = 10,
   .min = -5,
   .max = 5
};
```

#include <dsverifier.h>

em:  $H(z) = \frac{2.813z^2 - 0.0163z - 1.872}{z^2 + 1.068z + 0.1239}$ • Implementation aspects:

14-bits architecture: 4 bits for integer and10 bits for precision parts

Dynamical Range: between -5.0 and 5.0

#### Architecture

Methodology

#### Usage

Conclusions

#### **DSVerifier Command-line Version**

- The user provides the digital-system specification via an ANSI-C file
- Consider the following digital system:

```
#include <dsverifier.h>

digital_system ds = {
   .b = {2.813, -0.0163, -1.872},
   .b_size = 3,
   .a = { 1.0, 1.068, 0.1239 },
   .a_size = 3
};
implementation impl = {
```

.int bits = 4,

.min = -5, .max = 5

};

.frac bits = 10,

```
H(z) = \frac{2.813z^2 - 0.0163z - 1.872}{z^2 + 1.068z + 0.1239}
```

#### • Implementation aspects:

14-bits architecture: 4 bits for integer and10 bits for precision partsDynamical Range: between -5.0 and 5.0

#### DSVerifier is invoked as:

./dsverifier <file>
 --realization <i> --property <j> --x-size <k>

#### Architecture

Methodology

#### Usage

Conclusions

#### **DSVerifier Command-line Version**

- The user provides the digital-system specification via an ANSI-C file
- Consider the following digital system:

```
digital_system ds = {
   .b = {2.813, -0.0163, -1.872},
   .b_size = 3,
   .a = { 1.0, 1.068, 0.1239 },
   .a_size = 3
};
implementation impl = {
   .int_bits = 4,
   .frac_bits = 10,
   .min = -5,
   .max = 5
};
```

#include <dsverifier.h>

em:  $H(z) = \frac{2.813z^2 - 0.0163z - 1.872}{z^2 + 1.068z + 0.1239}$ • Implementation aspects: 14-bits architecture: 4 bits for integer and 10 bits for precision parts Dynamical Range: between -5.0 and 5.0

DSVerifier is invoked as:

./dsverifier <file> --realization <i> --property <j> --x-size <k> e.g., DFI, DFII

#### Architecture

Methodology

e.g., DFI, DFII

#### Usage

Conclusions

#### **DSVerifier Command-line Version**

- The user provides the digital-system specification via an ANSI-C file
- Consider the following digital system:

```
digital_system ds = {
   .b = {2.813, -0.0163, -1.872},
   .b_size = 3,
   .a = { 1.0, 1.068, 0.1239 },
   .a_size = 3
};
implementation impl = {
   .int_bits = 4,
   .frac_bits = 10,
   .min = -5,
   .max = 5
};
```

#include <dsverifier.h>

```
em: H(z) = \frac{2.813z^2 - 0.0163z - 1.872}{z^2 + 1.068z + 0.1239}

• Implementation aspects:

14-bits architecture: 4 bits for integer and

10 bits for precision parts

Dynamical Range: between -5.0 and 5.0

• DSVerifier is invoked as:

./dsverifier <file>
```

--realization <i> --property <j> --x-size <k>

e.g.,

**OVERFLOW** 

#### Architecture

Methodology

Usage

#### Conclusions

#### **DSVerifier Command-line Version**

- The user provides the digital-system specification via an ANSI-C file
- Consider the following digital system:

```
digital_system ds = {
   .b = {2.813, -0.0163, -1.872},
   .b_size = 3,
   .a = { 1.0, 1.068, 0.1239 },
   .a_size = 3
};
implementation impl = {
   .int_bits = 4,
   .frac_bits = 10,
   .min = -5,
   .max = 5
};
```

#include <dsverifier.h>

em:  $H(z) = \frac{2.813z^2 - 0.0163z - 1.872}{z^2 + 1.068z + 0.1239}$ • Implementation aspects: 14-bits architecture: 4 bits for integer and 10 bits for precision parts Dynamical Range: between -5.0 and 5.0

• DSVerifier is invoked as:



### **DSVerifier Usage (Graphical User Interface)**

Methodology

 The graphical user interface (GUI) improves usability and attracts more digital-system enginners

Architecture

**Motivation** 

- Allows users to provide all required parameters for the verification
- Parallel execution of verification tasks, which is guided by properties

|                                                                                                                                                         | DSVerifier - Digital Systems Verifier                                                                                                                                                                                                                                                        | - ×                                            |
|---------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------|
| DS Verifier                                                                                                                                             | Benchmarks Documentation P                                                                                                                                                                                                                                                                   | ublications                                    |
| <ul> <li>▼ Digital System</li> <li>Numerator         <ul> <li>{ 2.813, -0.0163, -1.872 }</li> <li>Denominator             <ul></ul></li></ul></li></ul> | Checking Dverflow Checking Limit Cycle Checking Stability Checking Timing Checking Minimum Phase                                                                                                                                                                                             | Cancel<br>Cancel<br>Cancel<br>Cancel<br>Cancel |
| Implementation  Properties  Verify Results Reset                                                                                                        | <b>Digital Systems Verifier</b><br>DSVerifier (Digital Systems Verifier) is a bounced model checker tool to aid enginners and cesigner<br>for properties of digital systems related to overflow, limit cycle, timing, stability, and minimu<br>considering finite word length (FWL) effects. | 's to check<br>um phase,                       |

Usage

### **DSVerifier Usage (Graphical User Interface)**

 Graphical verification results and counterexamples

**Motivation** 

- Access the documentation, benchmarks, and publications
- Developed using JavaFX
- Requires Java Runtime Environment Version 8.0 Update 40 (jre1.8.0 40)

| Property                                                        |                                                                | Time(s)                                  | Result               |                                              |                |
|-----------------------------------------------------------------|----------------------------------------------------------------|------------------------------------------|----------------------|----------------------------------------------|----------------|
| Timing<br>Stability                                             |                                                                | 1<br>1                                   | success<br>success   |                                              |                |
| Limit Cycle                                                     |                                                                | 317                                      | fail                 | Counter<br>Example                           | Show<br>Inputs |
| Minimum Phase                                                   |                                                                | 1                                        | success              |                                              |                |
| Overflow                                                        |                                                                | 2                                        | fail                 | Counter<br>Example                           | Show<br>Inputs |
|                                                                 | Inputs fo                                                      | or Overflow Viola                        | ion                  |                                              |                |
| gital System In<br>×[0]                                         | Inputs fo<br>puts x[n]:<br>x[1]                                | or Overflow Violat<br>x[2]               | ion                  | x[3]                                         |                |
| gital System In<br>×[0]                                         | Inputs fo<br><b>puts x[n]:</b><br>x[1]                         | x[2]                                     | ion                  | x[3]                                         |                |
| gital System In<br>×[0]<br>4.9990234375                         | Inputs fo<br>x[1]<br>4.9990234375                              | x[2]<br>4.99902343                       | cion<br>375          | x[3]<br>4.9990234375                         |                |
| gital System In<br>x[0]<br>4.9990234375<br>x[4]                 | Inputs fo<br><b>puts x[n]:</b><br>x[1]<br>4.9990234375<br>x[5] | x[2]<br>4.9990234:<br>x[6]               | cion<br>375          | x[3]<br>4.9990234375<br>x[7]                 |                |
| gital System In<br>×[0]<br>4.9990234375<br>×[4]<br>4.9990234375 | Inputs x[n]:<br>x[1]<br>4.9990234375<br>x[5]<br>4.9990234375   | x[2]<br>4.99902343<br>x[6]<br>4.99902343 | 210 <b>n</b><br>1375 | x[3]<br>4.9990234375<br>x[7]<br>4.9990234375 |                |

Usage

Conclusions

#### Architecture > Method

# Motivation Architecture Methodology Usage Conclusions

## Conclusions

- DSVerifier is able to verify digital systems and supports an extensive verification of different properties and realization forms
- DSVerifier can be regarded as an automated and reliable tool if compared to traditional simulation tools
  - An enginner can verify during design phase, if the digital-system presents the expected behavior

## **Future Work**

- Support for closed-loop system verification, more system-level properties, realizations, hardware platforms, and BMC tools
- Source code, benchmarks, experimental results, and publications are available at http://www.dsverifier.org



#### **Demonstration**