Table of contents:

Preface
Acknowledgement
Contents
List of Algorithms
List of Figures
List of Tables
1 Introduction
1.1 Virtual Prototype-Based Design Flow
1.2 Book Contribution
1.3 Book Organization
2 Preliminaries
2.1 SystemC TLM
2.1.1 TLM-Based Communication
2.1.2 Simulation Semantics
2.2 RISC-V
2.2.1 ISA Overview
2.2.2 Atomic Instruction Set Extension
2.3 Coverage-Guided Fuzzing
2.3.1 LibFuzzer Core
2.3.2 LibFuzzer Extensions
2.4 Symbolic Execution
2.4.1 Overview
2.4.2 Example
3 An Open-Source RISC-V Evaluation Platform
3.1 RISC-V-Based Virtual Prototype
3.1.1 RISC-V-Based VP Architecture
3.1.1.1 RV32/64 (Multi-)Core
3.1.1.2 TLM 2.0 Bus
3.1.1.3 Traps and Interrupts
3.1.1.4 System Calls
3.1.1.5 VP Initialization
3.1.1.6 Timing Model
3.1.2 VP Interaction with SW and Environment
3.1.2.1 Interrupt Handling and HW/SW Interaction
3.1.2.2 Environment Interaction: Syscall Emulation and C/C++ Library
3.1.3 VP Performance Optimizations
3.1.3.1 Direct Memory Interface
3.1.3.2 Local Time Quantums
3.1.4 Simulation of Multi-Core Platforms
3.1.4.1 Example Bare-Metal Multi-Core SW
3.1.4.2 Implementation of the Atomic ISA Extension
3.1.5 VP Extension and Configuration
3.1.5.1 Extending the VP with a Sensor Peripheral
3.1.5.2 SW Debugging Support Extension
3.1.5.3 HiFive1 Board Configuration
3.1.6 VP Evaluation
3.1.6.1 Testing
3.1.6.2 Performance Evaluation
3.1.7 Discussion and Future Work
3.2 Fast and Accurate Performance Evaluation for RISC-V
3.2.1 Background: HiFive1 Board
3.2.2 Core Timing Model
3.2.2.1 Overview
3.2.2.2 Pipeline Timing Model
3.2.2.3 Branch Prediction Timing Model
3.2.2.4 Cache Timing Model
3.2.3 Experiments
3.2.4 Discussion and Future Work
3.3 Summary
4 Formal Verification of SystemC-Based Designs using Symbolic Simulation
4.1 Stateful Symbolic Simulation
4.1.1 SystemC Intermediate Verification Language
4.1.2 Overview Symbolic Simulation
4.1.2.1 Execution State
4.1.2.2 Symbolic Execution Engine (SymEx)
4.1.2.3 Partial Order Reduction (POR)
4.1.2.4 Stateless Scheduler
4.1.3 State Subsumption Reduction
4.1.3.1 Motivating Example
4.1.3.2 Weak Reachability
4.1.3.3 Cycle Proviso
4.1.3.4 Stateful Scheduler
4.1.4 Symbolic Subsumption Checking
4.1.4.1 Exact Symbolic Subsumption (ESS)
4.1.4.2 Optimizations
4.1.5 Experiments
4.1.5.1 Evaluation of ESS Optimizations
4.1.5.2 Comparison with KRATOS
4.1.6 Discussion and Future Work
4.1.6.1 Path Merging
4.1.6.2 Dynamic Partial Order Reduction
4.1.6.3 State Matching Heuristics
4.2 Formal Verification of an Interrupt Controller
4.2.1 TLM Peripheral Modeling in SystemC
4.2.1.1 TLM Register Modeling
4.2.1.2 TLM Wire Modeling
4.2.2 Bridging the Modeling Gap
4.2.3 Case Study
4.2.3.1 Interrupt Controller for Multiple Processors
4.2.3.2 Formal Verification
4.2.3.3 Discussion and Future Work
4.3 Compiled Symbolic Simulation
4.3.1 Overview
4.3.1.1 Generated C++ Program Overview
4.3.1.2 Data Structures for Execution State
4.3.1.3 Instrumented XIVL Code
4.3.2 Optimizations
4.3.2.1 Path Merging
4.3.2.2 Native Execution
4.3.3 Experiments
4.3.3.1 Native Execution Evaluation
4.3.3.2 Comparison with Existing SystemC Verifiers
4.3.4 Discussion and Future Work
4.4 Parallelized Compiled Symbolic Simulation
4.4.1 Implementation Details
4.4.1.1 PCSS Library
4.4.1.2 Fork/Join Based State Space Exploration
4.4.2 Evaluation and Conclusion
4.5 Summary
5 Coverage-Guided Testing for Scalable Virtual Prototype Verification
5.1 Data Flow Testing for Virtual Prototypes
5.1.1 SystemC Running Example
5.1.2 Def-Use Association and Data Flow Testing
5.1.3 Data Flow Testing for SystemC
5.1.3.1 Overview
5.1.3.2 Classification of Data Flow Associations
5.1.3.3 Coverage Result
5.1.3.4 Illustration
5.1.4 Implementation Details
5.1.4.1 Static Analysis
5.1.4.2 Dynamic Analysis
5.1.4.3 Data Flow Association Construction
5.1.5 Experimental Results
5.2 Verifying Instruction Set Simulators using Coverage-Guided Fuzzing
5.2.1 Coverage-Guided Fuzzing for ISS Verification
5.2.1.1 Overview
5.2.1.2 Functional Coverage Metric
5.2.1.3 Instrumentation for Tracing Functional Coverage
5.2.1.4 Custom Mutations
5.2.2 Case Study: RISC-V ISS Verification
5.2.2.1 Evaluation Setting and LibFuzzer Integration
5.2.2.2 Evaluation Results
5.2.3 Discussion and Future Work
5.3 Summary
6 Verification of Embedded Software Binaries using Virtual Prototypes
6.1 Concolic Testing of Embedded Binaries
6.1.1 Background on Concolic Testing of SW
6.1.2 Concolic Testing Engine for RISC-V Embedded Binaries
6.1.2.1 Overview
6.1.2.2 Peripheral Modeling Concepts
6.1.2.3 Concolic Testing Example
6.1.3 Experiments
6.1.3.1 Performance Evaluation
6.1.3.2 Testing the FreeRTOS TCP/IP Stack
6.1.4 Discussion and Future Work
6.2 Verification of Embedded Binaries using Coverage-guided Fuzzing
6.2.1 VP-based Coverage-Guided Fuzzing
6.2.1.1 Overview
6.2.1.2 SW and Peripheral Coverage Collection in the VP
6.2.1.3 Example Embedded Application Fuzzing
6.2.1.4 Discussion: Encoding Functional Coverage for Embedded Systems
6.2.2 Experiment 1: Testing Embedded Applications
6.2.2.1 Results Overview
6.2.2.2 Application 1: Data Transfer
6.2.2.3 Application 2: Fan Control
6.2.3 Experiment 2: Testing the Zephyr IP Stack
6.2.3.1 Test Setup
6.2.3.2 Custom IP Packet Mutation
6.2.3.3 Heap Buffer Overflow Detection
6.2.3.4 Results
6.2.4 Discussion and Future Work
6.3 Summary
7 Validation of Firmware-Based Power Management using Virtual Prototypes
7.1 A Constrained Random Approach for Workload Generation
7.1.1 Early Validation of FW-based Power Management Strategies
7.1.1.1 Overall Workflow
7.1.1.2 Constraint-based Workload Scenarios
7.1.1.3 Constrained Random Generator
7.1.2 SoCRocket Case Study
7.1.2.1 Power Management Extensions
7.1.2.2 Firmware-Based Power Management
7.1.3 Results
7.1.4 Discussion and Future Work
7.2 Maximizing Power State Cross Coverage
7.2.1 Maximizing Power State Cross Coverage
7.2.1.1 Overview
7.2.1.2 Coverage-Loop
7.2.1.3 Final Test Generation
7.2.2 Case Study
7.2.2.1 Block Definition and Calibration
7.2.2.2 Experiments
7.2.3 Discussion and Future Work
7.3 Summary
8 Register-Transfer Level Correspondence Analysis
8.1 Towards Fully Automated TLM-to-RTL Property Refinement
8.1.1 UTOPIA Case Study
8.1.2 Static Analysis of Transactors
8.1.2.1 Symbolic Execution
8.1.2.2 FSM Construction
8.1.3 Property Refinement
8.1.3.1 Property Specification Language
8.1.3.2 TLM Properties for Refinement
8.1.3.3 Refinement Process
8.1.4 Discussion and Future Work
8.2 Automated RTL-to-TLM Fault Correspondence Analysis
8.2.1 RTL-to-TLM Fault Correspondence Analysis
8.2.1.1 Correspondence Analysis Overview and Algorithm
8.2.1.2 Example
8.2.2 Formal Fault Localization Analysis
8.2.2.1 Annotations
8.2.2.2 Symbolic Error Injection Logic
8.2.2.3 Testbench
8.2.3 Case Study
8.2.3.1 Experiments
8.3 Summary
9 Conclusion
References
Index