
Journal of Electronic Testing (2020) 36:643–663
https://doi.org/10.1007/s10836-020-05904-2

Formal Verification of ECCs for Memories Using ACL2

Mahum Naseer¹ · Waqar Ahmad¹ · Osman Hasan¹

Received: 12 April 2020 / Accepted: 2 September 2020 / Published online: 26 September 2020
© Springer Science+Business Media, LLC, part of Springer Nature 2020

Abstract

Due to the ever-increasing toll of soft errors in memories, Error Correction Codes (ECCs) such as Hamming and Reed-Solomon codes have been used to protect data in memories, in applications ranging from space to terrestrial workstations. In the past seven decades, most of the research has focused on providing better ECC strategies for data integrity in memories, but research efforts at the same pace have not been made to develop better verification methodologies for the newer ECCs. As memory sizes keep increasing, exhaustive simulation-based testing of ECCs is no longer practical. Hence, formal verification, particularly theorem proving, provides an efficient, yet scarcely explored, alternative for ECC verification. We propose a framework, with extensible libraries, for the formal verification of ECCs using the ACL2 theorem prover. The framework is easy to use and particularly targets the needs of formally verified ECCs in memories. We also demonstrate the usefulness of the proposed framework by verifying two of the most commonly used ECCs, i.e., Hamming and convolutional codes. To illustrate that the ECCs verified using our formal framework are practically reliable, we utilized a formal record-based memory model to formally verify that the inherent properties of the ECCs, such as Hamming distance, codeword decoding, and error detection/correction, remain consistent even when the ECC is implemented on the memory.
Keywords Error Correction Codes (ECCs) · Memory soft errors · Hamming codes · Convolutional codes · Formal verification · Theorem proving · ACL2

Responsible Editor: V. D. Agrawal

¹ School of Electrical Engineering and Computer Science (SEECS), National University of Sciences and Technology (NUST), Islamabad, Pakistan

1 Introduction

Soft errors are a type of error that does not cause permanent damage to semiconductor devices [56], yet leads to temporary faults in them. In particular, radiation-induced soft errors have been a major concern in semiconductor devices since the 1970s [12, 60]. In a long chain of events, both the high-speed protons in cosmic rays and the alpha particles emitted during the decay of radioactive impurities in IC packaging material induce silicon-based semiconductor memories to change their logic states, hence resulting in soft errors [10, 47].

Recent advancements in technology, including circuit miniaturization, voltage reduction, and increased circuit clock frequencies, have augmented the problem of soft errors in memories [10, 48]. The most obvious drawbacks of memory errors include the loss of correct data and the addition of faulty data into the memory. However, depending on the application/system using the memory, the severity of these memory errors can vary. This is summarized in Fig. 1. In a LEON3 processor, a memory error may simply cause a result error, i.e., an erroneous output from an algorithm running on the system, or a system timeout, i.e., the termination of an application without any result [39]. Similarly, in a Xilinx FPGA, such errors may cause the system to halt [33].

Fig. 1 Impact of a) Technology Miniaturization, b) Voltage Scaling, and c) Increased Clock Frequency on memories, and its consequences

Error Correction Codes (ECCs) [44] are used to cater for memory errors by adding extra bits, often called parity or check bits, to the data bits in the memory. The parity bits are calculated from the available data bits, and in case of an error, the lost data is retrieved using these parity bits. Hence, ECCs are considered to be the most effective solution for memory errors [10], and since the introduction of Hamming codes [27] in 1950, ECCs have remained an active domain of research.

1.1 Motivation

Simulation-based testing is the most commonly used technique for ensuring the correctness of ECCs in memories [7, 20, 28, 51, 54]. Initially, errors are injected at the input of the memory model, in a process known as fault injection. The performance of the ECC, i.e., how well the ECC corrects the errors, is then evaluated at the output of the model. This approach to testing is quite effective for smaller memories, where exhaustive simulation is somewhat achievable. However, as the memory size grows, it becomes increasingly difficult to employ exhaustive simulation [20]. So, a common practice is to pick random combinations of input errors and observe the response of the ECC in the presence of those error combinations [7, 20, 28]. This undermines the reliability of simulation results in determining the resilience of ECCs against errors.

Formal methods [29] have been extensively used to provide an efficient alternative to simulation-based testing. The main idea here is to first construct a mathematical model of the given system using a state machine or an appropriate logic, and then use logical reasoning and deduction methods to formally verify that this model exhibits the desired characteristics of the system. The desired behavior of the system is also specified mathematically using an appropriate logic. This removes the need to apply combinations of errors at the input, and shifts the focus of the verification task to formal reasoning instead.

Generally, there are two major categories of formal methods for ensuring system resilience: model checking and theorem proving. While the former was explored in earlier research for ensuring circuit reliability, its use was limited to smaller systems [43] due to the large number of states formed in larger systems and the resulting state-space explosion [18]. The latter resolves the limitation posed by large/infinite state spaces in model checking by using induction [26]. However, this is achieved at the cost of increased complexity of implementation [19].

In this paper, we develop a framework for the formal verification of ECCs used in memories using the semi-automated theorem prover A Computational Logic for Applicative Common Lisp (ACL2) [37]. ACL2 is a powerful Lisp-based tool in the sense that it not only provides automatic proof execution, but also enables its users to direct the proof procedures in a meaningful way using the hints facility. In addition, it is an efficient tool that augments the speed of proof procedures by using previously proved lemmas to verify new theorems; this means that a theorem which may require a huge amount of time for verification if proved using only the basic logic axioms can be proved in a significantly shorter duration using auxiliary lemmas.

1.2 Challenges

The major challenges in using ACL2 for a framework for the verification of ECCs used in memories are:

• Formal Modelling: ECCs are generally represented either as a system of encoder and decoder equations/logic, or as a hardware circuit implementation [32, 51, 54]. Hence, the first challenge is to create a system model that fulfills all the specifications of the ECC equations/logic/hardware implementation.

• Formal Reasoning: In formal methods, having a logical explanation for the behavior of the ECC is not sufficient to ensure the correctness of the model. So, the second challenge is to use mathematical reasoning to verify the model and its associated properties. There are two major classes of properties that we dealt with: (i) properties that verify the working of the ECC in the absence of any errors, and (ii) properties that verify ECC performance in the presence of errors.

• Translating the formal ECC model and its properties into the Lisp (ACL2) language: Hand-written mathematical models and proofs are unsound due to the possibility of human errors in the modeling/proof procedure. Hence, we need to translate our model and the associated mathematical proof procedure to ACL2. This requires some degree of expertise in understanding the Lisp language and handling the tool.

• Model Reusability: To minimize the formalization effort during the verification of new ECCs, such as Turbo codes, the existing formalization framework needs to be compositional in nature in order to provide reusable definitions and theorems. This ensures wider applicability of the framework for the verification of ECCs with different […]

• […] memories and forms the basis of several multiple-error-correcting codes like two-dimensional codes.

• Formalization of convolutional codes, which provide the foundation for the formal verification of more sophisticated ECCs, such as turbo codes. To the best of our knowledge, this is the first endeavor towards the formal verification of convolutional codes.

• Utilizing the ACL2 theorem prover for developing libraries for the formal verification of ECCs used in memories. ACL2 is a semi-automatic tool, which provides the necessary automation to facilitate the verification process. This signifies the ease of use of our libraries.

• Implementation of the formally verified ECCs on a formal record-based memory model to demonstrate that the verified properties of the ECCs pertaining to encoding/decoding, error detection and error correction are generic enough to easily comply with any given memory model.

The rest of the paper is organized as follows: Section 2 provides an overview of the current state of the art in the domain of formal verification for memory/system error resilience. Section 3 describes the preliminaries of the ACL2 theorem prover. Section 4 presents our proposed methodology. Sections 5 and 6 define the formalization of our two libraries, i.e., the Standard Library for ECCs and the ECCs Library. Section 7 demonstrates a case study using a record-based memory model. Finally, Section 9 concludes our work with guidelines for extending our approach to the verification of advanced ECCs using our framework.
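The Introduction describes the ECC mechanism (parity bits computed from data bits, then used to recover corrupted data) and the fault-injection testing that the paper contrasts with theorem proving. The following is an added illustration written for this page, not code from the paper or its ACL2 libraries: a plain Python Hamming(7,4) encoder and syndrome decoder, together with an exhaustive fault-injection sweep that checks the three properties the abstract names (minimum Hamming distance, codeword decoding, and error detection/correction) over every data word and every error pattern. The generator and parity-check matrices are the textbook systematic Hamming(7,4) code; the memory contents used in `memory_roundtrip` are constructed for the demo. At this size exhaustive simulation is trivially feasible (16 words times 127 patterns), which is exactly the regime the paper says stops scaling; the sweep also exposes a caveat the paper does not dwell on: a plain single-error-correcting Hamming code silently miscorrects every double-bit error, which is why memory controllers normally use the extended (SECDED) variant.

```python
"""Hamming(7,4) encode/decode with exhaustive fault injection (added example)."""
from itertools import combinations, product

# Systematic Hamming(7,4): codeword = [d0 d1 d2 d3 p0 p1 p2]
#   p0 = d0^d1^d3,  p1 = d0^d2^d3,  p2 = d1^d2^d3
G = [
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
# Parity-check matrix: H * c^T == 0 (mod 2) for every codeword c.
# Its 7 columns are the 7 distinct non-zero 3-bit vectors, so a non-zero
# syndrome identifies exactly one flipped bit position.
H = [
    [1, 1, 0, 1, 1, 0, 0],
    [1, 0, 1, 1, 0, 1, 0],
    [0, 1, 1, 1, 0, 0, 1],
]
SYNDROME_TO_POS = {tuple(col): i for i, col in enumerate(zip(*H))}


def encode(data):
    """4 data bits -> 7-bit codeword (data bits first, then 3 parity bits)."""
    assert len(data) == 4 and all(b in (0, 1) for b in data)
    return [sum(d * g for d, g in zip(data, col)) % 2 for col in zip(*G)]


def syndrome(word):
    """3-bit syndrome of a received 7-bit word; (0,0,0) means 'looks valid'."""
    return tuple(sum(h * w for h, w in zip(row, word)) % 2 for row in H)


def decode(word):
    """Return (data_bits, corrected_position); position is None if no error seen."""
    s = syndrome(word)
    if s == (0, 0, 0):
        return list(word[:4]), None
    pos = SYNDROME_TO_POS[s]           # single-error assumption: flip that bit
    fixed = list(word)
    fixed[pos] ^= 1
    return fixed[:4], pos


def hamming_distance(a, b):
    return sum(x != y for x, y in zip(a, b))


def min_distance():
    """Minimum distance over all 16 codewords (3 => corrects 1, detects 2)."""
    cws = [encode(list(bits)) for bits in product((0, 1), repeat=4)]
    return min(hamming_distance(a, b) for a, b in combinations(cws, 2))


def inject(word, positions):
    """Fault injection: flip the given bit positions of a stored word."""
    out = list(word)
    for p in positions:
        out[p] ^= 1
    return out


def exhaustive_fault_injection(max_errors):
    """Sweep every data word and every error pattern of weight 1..max_errors.

    corrected    : decoder returned the original data
    undetected   : corrupted word is itself a valid codeword (syndrome 0)
    miscorrected : decoder 'fixed' the wrong bit and returned wrong data
    """
    tally = {"corrected": 0, "undetected": 0, "miscorrected": 0}
    for bits in product((0, 1), repeat=4):
        data, cw = list(bits), encode(list(bits))
        for k in range(1, max_errors + 1):
            for pos in combinations(range(7), k):
                corrupted = inject(cw, pos)
                got, _ = decode(corrupted)
                if got == data:
                    tally["corrected"] += 1
                elif syndrome(corrupted) == (0, 0, 0):
                    tally["undetected"] += 1
                else:
                    tally["miscorrected"] += 1
    return tally


def memory_roundtrip(words, faults):
    """Store 4-bit words as codewords, apply faults {addr: [bit positions]},
    and read back. Returns [(data, corrected_position), ...] per address."""
    cells = [encode(w) for w in words]
    for addr, positions in faults.items():
        cells[addr] = inject(cells[addr], positions)
    return [decode(c) for c in cells]


if __name__ == "__main__":
    # Constructed sample memory: four words, one single-bit upset at address 2.
    mem = [[1, 0, 1, 1], [0, 0, 0, 0], [1, 1, 1, 1], [0, 1, 1, 0]]
    print("min distance:", min_distance())
    print("read-back:", memory_roundtrip(mem, {2: [5]}))
    print("1..2 errors:", exhaustive_fault_injection(2))
    print("1..3 errors:", exhaustive_fault_injection(3))
```

The sweep with `max_errors=2` returns 112 corrected (16 words times 7 single-bit patterns) and 336 miscorrected (16 times 21 double-bit patterns): every double error produces a non-zero syndrome that points at a third bit, so the decoder turns a detectable error into wrong data. With `max_errors=3` the 7 weight-3 codewords show up as 112 undetected patterns, matching the minimum distance of 3. The paper's point is that this kind of sweep is exact only while the code and memory are small; the ACL2 theorems it describes prove the same three properties for all inputs without enumerating them.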