Formal verification is an important issue in circuit and system design. In this context, Bounded Model Checking (BMC) is one of the most successful techniques. But even if all specified properties can be verified, it is difficult to determine whether they cover the complete functional behavior of a design. We propose a pragmatic approach to estimate coverage in BMC. The approach can easily be integrated in a BMC tool with only minor changes. In our approach, a coverage property is generated for each important signal. If the considered properties do not describe the signal’s entire behavior, the coverage property fails and a counter-example is generated. From the counter-example an uncovered scenario can be derived. In this way the approach also helps in design understanding. Our method is demonstrated on a RISC CPU. Based on the results we identified coverage gaps. We were able to close all of them and achieved 100% functional coverage. 1.

Abstract. Vacuity checking is traditionally performed after model checking has terminated successfully. It ensures that all the elements of the specification have played a role in its satisfaction by the design. Vacuity checking gets as input both design and specification, and is based on an in-depth investigation of the relation between them. Vacuity checking has been proven to be very useful in detecting errors in the modeling of the design or the specification. The need to check the quality of specifications is even more acute in property-based design, where the specification is the only input, serving as a basis to the development of the system. Current work on property assurance suggests various sanity checks, mostly based on satisfiability, non-validity, and realizability, but lacks a general framework for reasoning about the quality of specifications. We describe a framework for inherent vacuity, which carries the theory of vacuity in model checking to the setting of property-based design. Essentially, a specification is inherently vacuous if it can be mutated into a simpler equivalent specification, which we show to coincide with the fact the specification is satisfied vacuously in all systems. We also study the complexity of detecting inherent vacuity, and conclude that while inherent vacuity leads to specifications that better capture designer intent, it is not more complex than simple property-assurance checks. 1

Abstract—In the design process of digital systems, functional verification is a major issue. Generally, formal methods like bounded model checking (BMC) offer the highest quality of the verification results, especially when used in combination with techniques that check if a set of properties forms a complete specification of a design. However, in contrast to simulationbased methods, like random testing, formal verification requires a detailed knowledge of the design implementation. Formalizing a specification as a set of properties is a tedious and time consuming process. In this paper, we show the application of techniques to aid the verification engineer in writing properties in a qualitydriven BMC flow, that have been introduced in [1]. The first method can be used to remove redundant assumptions from properties and to separate different scenarios. The second technique, here called inverse property checking, takes an expected behavior of a design and automatically generates valid properties that can be checked for conformance with a specification. Both techniques can serve to reduce the number of iterations to obtain full coverage, when integrated with the verification flow. The benefits of the techniques are demonstrated with a memory management unit. I.

In this paper, we propose a systematic set of guidelines for creating an effective formal verification testplan, which consists of an English list of comprehensive requirements that capture the desired functionality of the blocks we intend to formally verify. We demonstrate our formal verification testplanning techniques on a real example that involves an AMBA ™ AHB parallel to Inter IC (or I 2 C) serial bus bridge.

Abstract—For Electronic System Level (ESL) design SystemC has become the standard language due to its excellent support of Transaction Level Modeling (TLM). But even if the complexity of the systems can be handled using the abstraction levels offered by TLM – the most abstract one is untimed and focuses on functionality – still verification is the major bottleneck. In particular, as untimed TLM models are the reference for the following refinement steps their correctness has to be ensured. Thus, formal verification approaches have been developed to prove properties for these models. However, even if several properties have been checked this does not guarantee that the complete functionality of the TLM model has been verified. Thus, in this paper we consider the problem of functional coverage analysis in formal TLM property checking. We present a coverage approach which can analyze whether the property set unambiguously describes all transactions in a SystemC TLM model. The developed coverage analysis method identifies uncovered scenarios and hence allows to close all coverage gaps. As an example we consider an automated teller machine and we show the benefits of the proposed approach. I.