Hardware/Software Co-verification Using Path-based Symbolic Execution

TL;DR

This paper introduces a novel path-based symbolic execution method for hardware/software co-verification, significantly improving efficiency by generating simpler formulas tailored to feasible execution paths.

Contribution

The paper presents a new verification algorithm that partitions hardware and firmware paths, enabling more efficient co-verification compared to traditional monolithic approaches.

Findings

Achieved an average 5X speed-up over existing tools.

Successfully verified safety properties in complex hardware designs.

Detected critical bugs in open-source hardware projects.

Abstract

Conventional tools for formal hardware/software co-verification use bounded model checking techniques to construct a single monolithic propositional formula. Formulas generated in this way are extremely complex and contain a great deal of irrelevant logic, hence are difficult to solve even by the state-of-the-art Satis ability (SAT) solvers. In a typical hardware/software co-design the firmware only exercises a fraction of the hardware state-space, and we can use this observation to generate simpler and more concise formulas. In this paper, we present a novel verification algorithm for hardware/software co-designs that identify partitions of the firmware and the hardware logic pertaining to the feasible execution paths by means of path-based symbolic simulation with custom path-pruning, property-guided slicing and incremental SAT solving. We have implemented this approach in our tool COVERIF. We have experimentally compared COVERIF with HW-CBMC, a monolithic BMC based co-verification tool, and observed an average speed-up of 5X over HW-CBMC for proving safety properties as well as detecting critical co-design bugs in an open-source Universal Asynchronous Receiver Transmitter design and a large SoC design.