Towards Verifying Determinism of SystemC Designs

Hoang M. Le (1), Rolf Drechsler (1,2)
(1) Institute of Computer Science, University of Bremen, 28359 Bremen, Germany
(2) Cyber-Physical Systems, DFKI GmbH, 28359 Bremen, Germany
{hle,drechsle}@informatik.uni-bremen.de

Abstract—Ensuring the correctness of high-level SystemC designs is an important and challenging problem in today's Electronic System Level (ESL) methodology. Prevalently, a design is checked against a functional specification given by e.g. a testcase with reference output or a user-defined property. Another research direction takes the view of a SystemC design as a piece of concurrent software. The design is then checked for common concurrency problems and thus a functional specification is not required. Along this line, several methods for deadlock detection and race analysis have been developed. In this work, we propose to consider a new concurrency verification problem, namely input-output determinism, for SystemC designs. That means for each possible input, the design must produce the same output under any valid process schedule. We argue that determinism verification is stronger than both deadlock detection and race analysis. Besides being an attractive correctness criterion itself, proven determinism helps to accelerate both simulative and formal verification. We also present a preliminary study to show the feasibility of determinism verification for SystemC designs.

I. INTRODUCTION

The so-called Electronic System Level (ESL) methodology [1] has become state of the art for the design and verification of today's complex electronic systems. The essential idea is to start the design and verification process at a high level of abstraction using a system modeling language such as the de facto standard SystemC [2]. Here, the functionality of the system is realized and evaluated in an abstract fashion, typically using algorithmic modeling or Transaction Level Modeling (TLM) [3] techniques.
From the first abstract design, the RTL implementation is obtained by successive refinement steps across different levels of timing accuracy. During this process, it is important to detect errors in the SystemC models as early as possible to prevent costly late changes or product delay. Functional verification of SystemC designs is therefore of major interest. The main challenge is the huge verification space of a SystemC design that consists of all valid inputs and all possible process schedules. Among existing academic and industrial approaches, simulation is most widely employed due to its scalability and ease of use. Simulation-based approaches apply test vectors to the design and then check produced outputs against reference outputs, or alternatively monitor user-defined temporal properties during simulation [4], [5]. The shortcoming of simulation is that it considers only one possible schedule for a given data input, resulting in a poor coverage of the verification space.

978-3-9815370-2-4/DATE14/ © 2014 EDAA

Methods based on Partial Order Reduction (POR) have been proposed [6], [7] to address this issue. They explore all possible scheduling sequences of SystemC processes, however, only for a given data input. The complete coverage of both inputs and process schedules can only be ensured by formal verification approaches [8], [9], [10], [11]. These verify a design exhaustively against a given property, but do not yet scale to large designs.

In contrast to conventional functional verification, which requires a functional specification (reference outputs or properties), another research direction takes the view of SystemC designs as concurrent software programs and checks them for common concurrency problems. It is advantageous since a correct design should be free of these problems and the check can be applied even if a functional specification is not yet available. So far, deadlock detection [12], [13] and data race analysis [7], [14] have been considered.
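The determinism criterion stated in the abstract (for each input, the same output under any valid process schedule) can be made concrete with a small scheduling model. The following Python example is added here and is not code from the paper or its tool. It models SystemC-style cooperative processes as generators that run until their next wait(), treats the order in which runnable processes execute within a delta cycle as the scheduler's only freedom, enumerates every such order by re-executing the design, and compares each schedule's output against a single reference schedule, which is the comparison the paper performs symbolically. The two designs, the shared-variable race and the version that separates the write from the read by a wait(), and the few concrete inputs are constructed for illustration; the exhaustive enumeration stands in for the paper's symbolic execution and is only practical for toy designs.

```python
import itertools

def execute(make_processes, inp, choices):
    """Run the design once for input `inp`.
    `choices[d]` is the order in which runnable processes execute in delta
    cycle d (the scheduler's choice). Returns ('done', output) when every
    process has terminated, or ('choice', d, runnable) when delta cycle d
    needs an order that `choices` does not yet fix.
    Simplification (assumption): wait() always means "wait one delta cycle",
    so a waiting process is runnable again in the next delta."""
    state = {}                                   # shared member variables
    procs = make_processes(state, inp)           # name -> generator
    runnable = sorted(procs)                     # all processes start runnable
    delta = 0
    while runnable:
        if delta >= len(choices):
            return ('choice', delta, tuple(runnable))
        order = choices[delta]
        assert sorted(order) == runnable, "schedule does not match runnable set"
        next_runnable = []
        for name in order:
            try:
                next(procs[name])                # run until the next wait()
                next_runnable.append(name)
            except StopIteration:
                pass                             # process terminated
        runnable = sorted(next_runnable)
        delta += 1
    return ('done', state.get('out'))

def all_schedules(make_processes, inp):
    """Depth-first enumeration of every per-delta ordering; yields
    (schedule, output) pairs, re-executing the design for each branch."""
    stack = [[]]
    while stack:
        choices = stack.pop()
        result = execute(make_processes, inp, choices)
        if result[0] == 'done':
            yield tuple(choices), result[1]
        else:
            _, delta, runnable = result
            for order in itertools.permutations(runnable):
                stack.append(choices + [order])

def check_determinism(make_processes, inputs):
    """Compare every schedule's output with the first (reference) schedule.
    Returns None when all inputs are deterministic, otherwise a counter-example
    (input, reference_schedule, reference_output, other_schedule, other_output)."""
    for inp in inputs:
        schedules = list(all_schedules(make_processes, inp))
        ref_choices, ref_out = schedules[0]
        for choices, out in schedules[1:]:
            if out != ref_out:
                return (inp, ref_choices, ref_out, choices, out)
    return None

def racy_design(state, inp):
    """Constructed design: two processes write the shared variable `x` in the
    same delta cycle, so `out` depends on which of them runs last."""
    def producer():
        state['x'] = inp
        yield                                    # wait()
        state['out'] = 2 * state['x']
    def disturber():
        state['x'] = inp + 1
        yield
    return {'producer': producer(), 'disturber': disturber()}

def fixed_design(state, inp):
    """Constructed design: the only write to `x` completes in delta cycle 0 and
    the read happens after a wait(), so every order gives out == 2 * inp + 2."""
    def producer():
        yield                                    # wait() until the writer's delta is over
        state['out'] = 2 * state['x']
    def writer():
        state['x'] = inp + 1
        yield
    return {'producer': producer(), 'writer': writer()}

if __name__ == "__main__":
    print("racy design :", check_determinism(racy_design, [0, 3, 7]))
    print("fixed design:", check_determinism(fixed_design, [0, 3, 7]))
```

For the racy design the checker returns the input, the reference schedule and the schedule that produced a different output, which is the kind of counter-example the paper's contribution 2 describes; for the fixed design it returns None, i.e. determinism holds for the inputs tried. Because every write to a shared variable happens in a delta cycle before any read of it, the fixed design has a data race in the syntactic sense (two processes touch `x`) but no observable scheduling dependence, which is why the determinism check is the more precise criterion.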
Along this line of research, the paper makes two contributions:

1) We propose to examine a new concurrency verification problem, namely input-output determinism, for SystemC designs. That means for each possible input, the design must produce the same output under any valid process schedule. Determinism verification has been considered for concurrent software [15], [16]; however, approaches for SystemC require special consideration of its concurrency semantics. In the SystemC context, we also show that determinism verification is stronger than both deadlock detection and race analysis, and discuss the benefits of determinism regarding enhancement of both simulative and formal verification.

2) We propose and evaluate a first solution to demonstrate the feasibility of determinism verification for SystemC designs. The implemented solution symbolically executes two versions of a design, one with only a single schedule and one encoding all possible schedules, and asserts the equivalence of the produced outputs. Hence, the verification result is complete, i.e. either determinism is proved or a counter-example is found.

The remainder of the paper is organized as follows: Section II summarizes SystemC semantics and its encoding for formal verification. Section III motivates determinism verification by an example. Section IV discusses the usefulness of