Retrascope. Reverse engineering tool for HDL descriptions
Modern digital microelectronic systems contain a large number of components with various complexity. For the system development and testing, CAD (Computer-Aided Design) tools are used actively. The range of tasks which these tools are aimed to address is rather wide (checking for correctness, performance measurements, etc.), but the tool applicability is bordered by the several stages of the design process. The digital hardware design process includes the following stages: 1) architecture design; 2) detailed (logic) design; 3) logic synthesis. The first stage includes arrangement and analysis of the requirements. They describe the common structure of the system under development and formats of data exchanges between system components. At the second stage, the structure and cycle-accurate detailed description of the system behavior at the register transfer level (RTL) are developed. This stage results in digital hardware representation which is described in a hardware description language (HDL), like VHDL or Verilog. These languages syntax is close to such traditional programming languages as C or Ada. The last stage, called logic synthesis, is performed automatically by the modern CAD tools and results in a microelectronic chip.
The growing complexity of HDL descriptions along with using of external components like IP (Intellectual Property) cores makes the task of HDL code reverse engineering to be of high importance. Reverse engineering is a technique for obtaining an information about the principles of the target system work and the system's internal structure. For accomplishing this task an extendible opensource tool called Retrascope (Reverse Engineering and Translation) has been implemented at ISP RAS. The tool operates with components of the following categories: 1) models – formal representations of HDL descriptions; 2) engines – components that transform and analyze models.
At present, the following kinds of models can be automatically extracted from the HDL code:
- Control flow graph (CFG);
- Guarded action decision diagram (GADD);
- High level decision diagram (HLDD);
- Extended finite state machine (EFSM).
Some of the Retrascope use cases are shown in Figure 1. The tool accepts hardware description written in VHDL or Verilog. Retrascope analyzes the code and constructs the inner representation based on the control flow graph. The inner representation keeps all the information related to the target HDL description. Next step consists of formal model extraction. Extracted models can be visualized through GraphML graphical format or through an Eclipse IDE plug-in called Retrascope IDE. The plug-in allows to run the tool itself and to construct the toolchains – sequences of engines that are grouped for reaching some target (test generation, formal analysis, etc.). Retrascope can be run both through the plug-in and the command line.
One of the widespread usages of the formal models are extracted from HDL code is functional verification i.e. a functional correctness checking. At the present time there are two main approaches to functional verification of HDL description – dynamic (simulation-based) and static (formal). Dynamic verification approach can be treated as a testing of HDL description through its running on a specific simulation environment, called HDL simulator. Static verification is based on a mathematical model of system building and an analysis of its properties. These properties should also be represented formally. For example, safety property means that erroneous states of the model are unreachable, liveness property means that there are no deadlocks in the model.
Figure 1. Retrascope use cases
Dynamic and static approaches to hardware verification can also be combined producing so called hybrid approaches. Such methods bundle advantages of traditional methods and do not suffer from their disadvantages. The Retrascope toolkit is suitable both for hybrid approaches construction and their application to hardware designs. In such a case the tool generates tests – sequences of input signals that lead to desired situations. For example, the tool is able to automatically extract an EFSM model of HDL description and then generate the test suite that covers every execution path of the target design. At present, Retrascope contains unit-level test generators of the following kinds:
- Random test generator (based on CFG model);
- EFSM simulation based test generator;
- Model checking based test generator (based on both EFSM and HLDD models).
Experiments showed that tests generated Retrascope tests are generated by hybrid approaches provide high HDL code coverage with lengths of tests that are shorter than already existing ones. It is promising also to use this tests at the level of logic circuits (the pre-stage for logic synthesis) to find stuck-at faults.