
Structure-independent Sequential Equivalence Checking
EE290A, UC Berkeley, Spring 2005 (4/19/2005, JHJ)



Slide 2: Outline
- Design verification
- Combinational vs. sequential equivalence checking
- Sequential equivalence checking by
  - Reachability analysis: explicit vs. implicit; forward vs. backward; exact vs. approximate; deterministic vs. probabilistic
  - State space partitioning: from state equivalence to FSM equivalence; explicit vs. implicit
- Connection between reachability and state equivalence
- Experiments
- Conclusions


Slide 4: Design verification
- Equivalence verification is the most important problem in design verification
- Hardness of equivalence verification:
  - Combinational: without structural similarities, NP-complete; with structural similarities, P- to NP-complete
  - Sequential: without structural similarities, PSPACE-complete; with structural similarities (e.g., retiming equivalence), P- to PSPACE-complete

Slide 5: Combinational equivalence checking
- Considered solved for practical design instances
- State-of-the-art solvers are powered by hybrid engines using BDDs, SAT and AIGs, and are capable of verifying million-transistor microprocessor designs
- The existence of structural similarities in real designs is the key to this success
- If the relation between the state encodings is known, sequential equivalence checking reduces to combinational equivalence checking
- In general, combinational EC is not complete for proving sequential equivalence (i.e., equivalence between FSMs), e.g., FSMs retimed and resynthesized with unknown transformation history, or FSMs optimized using sequential don't cares

Slide 6: Sequential equivalence checking
- A special case of invariant verification (safety property checking)
- To describe properties, temporal formulas are at times not sufficient (a monitor is needed)
- In SEC, the monitor is the correct FSM to be compared against; it is used in the construction of product machines or multiplexed machines
- Two approaches to SEC: reachability analysis vs. state space partitioning


Slide 8: SEC by state traversal
- Product machine: the composition of an FSM and a monitor
- The composition reveals bad states (state pairs with different output observations); cf. Mealy- and Moore-type FSMs

Slide 9: Reachability analysis: explicit vs. implicit
- Explicit graph enumeration: reachability analysis over state transition graphs; practical for FSMs with fewer than ~10 state variables
- Implicit symbolic computation: iterative image computation over quantified Boolean formulas, using BDD- or SAT-based manipulation
  - One-step traversal from C(s): Img(s') = ∃x, s. [∧_i (s_i' ≡ T_i(x, s))] ∧ C(s)
  - Practical for FSMs with fewer than ~100 state variables
- We will be concerned with implicit approaches based on BDDs
- O. Coudert et al.: Verification of Synchronous Sequential Machines Based on Symbolic Execution. Automatic Verification Methods for Finite State Systems 1989: 365-373

Slide 10: Reachability analysis: forward vs. backward
- Forward analysis asks whether the bad states are reachable from the initial states
- Backward analysis asks whether the initial states are reachable from the bad states
- The two approaches are incomparable: a forward diameter can be exponentially shorter than a backward one, and vice versa
- Meet in the middle by combining both directions
- T. Filkorn: A Method for Symbolic Verification of Synchronous Circuits. Proc. Int'l Symp. Computer Hardware Description Languages and their Applications 1991: 249-259

Slide 11: Reachability analysis: exact vs. approximate
- Exact image computation is complete but more expensive
- Approximate image computation is cheaper but incomplete (it has false negatives or false positives)
  - Decompose an FSM into several sub-FSMs, e.g., by partitioning the state variables, and traverse each sub-FSM independently (over-approximation)
  - High-density reachability analysis (which combines BFS and DFS) can be either exact or under-approximate: compute dense subsets of BDDs, prefer a small BDD that represents a large state set, and avoid memory explosion by subsetting newly reached state sets
- K. Ravi and F. Somenzi: High-density reachability analysis. ICCAD 1995: 154-158
- H. Cho et al.: Algorithms for Approximate FSM Traversal. DAC 1993: 25-30

Slide 12: Reachability analysis: deterministic vs. probabilistic
- Deterministic: exhaustive search
- Probabilistic: random walk on graphs; Monte Carlo or Las Vegas
- A. Kuehlmann, K. McMillan, R. Brayton: Probabilistic state space search. ICCAD 1999: 574-579

Slide 13: Reachability analysis: other state traversal issues
- Abstraction, localization
- Cone of influence reduction: transitive fanin in unfolded time-frame expansion
- Quantification scheduling
- Input/output splitting
- ...


Slide 15: SEC by state space partitioning: arguing FSM equivalence from state equivalence
- State equivalence: two states of an FSM are equivalent iff, starting from either of them, the IO behaviors of the FSM cannot be differentiated
- FSM equivalence: two FSMs are equivalent iff, starting from their respective initial states, they are indistinguishable by their IO behaviors

Slide 16: State equivalence: explicit vs. implicit
- Explicit approach: remove non-equivalent state pairs iteratively from a tableau
- Implicit approach:
  - Represent an equivalence relation with a Boolean formula: backward reachability analysis over the product machine!
  - Represent equivalence classes with a Boolean formula: functional composition over the original machine (to be discussed)
- We are concerned with implicit approaches

Slide 17: Identify state equivalence on the product machine (figure): backward reachability analysis

Slide 18: FSM equivalence: explicit vs. implicit
- Explicit graph enumeration: state minimization followed by graph isomorphism checking
- Implicit symbolic computation: backward reachability analysis! Or functional composition (to be discussed)

Slide 19: Determine FSM equivalence on the product machine (figure): backward reachability analysis

Slide 20: Identify state equivalence on the original machine
- Given an n-state FSM M with r registers
- Implicit computation of equivalent states [Pixley, CAV '90; Lin et al., ICCAD '90]: refine the state equivalence relation on the product machine of two identical copies of M; number of state variables: 2r
- [Henriksen et al., TACAS '95]: compute equivalence classes on M, represented by n shared n-terminal BDDs; number of state variables: r
- Question: can we compute equivalence classes on M without special representations?

Slide 21: Identify state equivalence on the original machine
- M = (S, s0, , , , ); y = (s,x), s' = (s,x), s  S, x  , y   (the Greek symbols of the tuple did not survive the transcript)
- Relate the output and transition tables to the decomposition table of functional decomposition: columns indexed by states, rows indexed by inputs
- BDD-based functional decomposition: state variables form the bound set, input variables the free set
- Each column pattern in the output table corresponds to an equivalence node; paths leading to the same equivalence node represent states in the same equivalence class

Slide 22: Identify state equivalence on the original machine: procedure
1. Consider time-frame expansions of M: initially 0 has all states in the same equivalence class; y = (s,x) induces a partition 1 on the state space
2. Compute 1 by BDD-based functional decomposition

Slide 23: Identify state equivalence on the original machine: procedure (cont'd)
3. Represent 1 by a characteristic function 1(s)
4. Perform functional decomposition on 1((s,x)) to derive 2-
5. Compute 2 = 1  2-
6. Represent 2 by a characteristic function 2(s)
7. Iterate until a fixpoint is reached

Slide 24: Identify state equivalence on the original machine: robustness issues
- Work on the reachable state subspace (if available): BDD constrain operator [Coudert and Madre, ICCAD '90] plus restricted BDD variable ordering
- Restrict the BDD variable ordering only when necessary

Slide 25: SEC by state space partitioning: extend state equivalence to machine equivalence
- Verification on the multiplexed machine
- Verification on separate machines
- Verification on the product machine
- Theorem: M1 and M2 are equivalent iff their initial states, s1^0 and s2^0, are equivalent

Slide 26: Verification on the multiplexed machine
- Given two FSMs M1 and M2 with r1 and r2 registers respectively, construct their multiplexed machine M: aux = 0: M = M1; aux = 1: M = M2

Slide 27: Verification on the multiplexed machine: procedure
1. Partition the state space of the multiplexed machine
2. Check whether (s1^0) and (s2^0) are in the same equivalence class
Other aspects:
- Robustness issues: carry out the verification for each output separately; collapse "bad" equivalence classes
- Error tracing and shortest distinguishing sequences
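The partitioning procedure of slides 22-23 applied to the multiplexed machine of slides 26-27, as an added explicit Python example that is not the slides' own code (the slides do this implicitly with BDDs). The machines M1, M2 and the buggy M3 are constructed for the example; equivalent performs step 2 and distinguishing_sequence does the error tracing.

```python
"""Explicit version of the slides' state-partitioning SEC (slides 22-23, 26-27):
build the multiplexed machine, refine its state partition to a fixpoint and compare
the classes of the two initial states. Added example on constructed machines."""
from collections import deque
INPUTS = (0, 1)
# Mealy FSM = (initial state, {(state, input): (next_state, output)}). Constructed:
# M1 emits 1 on every second 1 it sees; M2 does the same with a redundant state
# (o1 and o2 are equivalent); M3 is M2 with one wrong output (not equivalent).
M1 = ("e", {("e",0):("e",0), ("e",1):("o",0), ("o",0):("o",0), ("o",1):("e",1)})
M2 = ("e", {("e",0):("e",0), ("e",1):("o1",0), ("o1",0):("o2",0), ("o1",1):("e",1),
            ("o2",0):("o2",0), ("o2",1):("e",1)})
M3 = ("e", {**M2[1], ("o2",1):("e",0)})

def multiplex(ma, mb):
    """Slide 26: states are (aux, s); aux=0 selects ma, aux=1 selects mb."""
    table = {}
    for aux, (_, tab) in enumerate((ma, mb)):
        for (s, x), (t, y) in tab.items():
            table[((aux, s), x)] = ((aux, t), y)
    return (0, ma[0]), (1, mb[0]), table

def partition(table):
    """Steps 1-2: the output table induces the first partition. Steps 3-7: split
    every class by the classes of its successors until nothing changes."""
    states = sorted({s for s, _ in table})
    cls = {s: tuple(table[(s, x)][1] for x in INPUTS) for s in states}
    while True:
        new = {s: (cls[s],) + tuple(cls[table[(s, x)][0]] for x in INPUTS) for s in states}
        if len(set(new.values())) == len(set(cls.values())):  # fixpoint: no split
            return cls
        cls = new

def equivalent(ma, mb):
    """Slide 27 step 2: do the two initial states share an equivalence class?"""
    init_a, init_b, table = multiplex(ma, mb)
    cls = partition(table)
    return cls[init_a] == cls[init_b]

def distinguishing_sequence(ma, mb):
    """Error tracing: BFS over state pairs for a shortest input sequence on which
    the outputs differ; None when the machines are equivalent."""
    queue, seen = deque([((ma[0], mb[0]), ())]), {(ma[0], mb[0])}
    while queue:
        (p, q), seq = queue.popleft()
        for x in INPUTS:
            (p2, ya), (q2, yb) = ma[1][(p, x)], mb[1][(q, x)]
            if ya != yb:
                return seq + (x,)
            if (p2, q2) not in seen:
                seen.add((p2, q2)); queue.append(((p2, q2), seq + (x,)))
    return None
```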

Slide 28: Product machine vs. multiplexed machine
- Given two completely specified FSMs M1 and M2 with r1 and r2 registers respectively:
  - Product machine: product state space; state variables: r1 + r2
  - Multiplexed machine: sum state space; state variables: max{r1, r2} + 1

Slide 29: Verification on separate machines
Procedure:
1. Partition the state spaces of M1 and M2 separately but simultaneously, maintaining two sets of shared BDDs (BDDs are shared below the cutset)
2. Check whether s1^0 and s2^0 lead to the same equivalence node
Properties:
- No interference among state variables
- No BDD sharing above the cutset
- Same number of state variables as the product machine (verification is still in the sum state space)

Slide 30: Verification on the product machine: properties
- Flexible BDD variable ordering
- More state variables than the multiplexed machine
- No direct BDD simplification using unreachable states

Slide 31: Analysis
- Functional decomposition replaces quantifications
- Given two FSMs M1 and M2 converging in n1 and n2 steps respectively, their multiplexed machine converges in exactly max{n1, n2} steps (can be improved to  min{n1, n2})
- Both ST (state traversal) and SP (state partitioning) find counterexamples as shortest input sequences
- Suppose ST and SP converge in t and p steps respectively; then min{t, p} is the upper bound for the fixpoint computation


Slide 33: Connection between reachability analysis and state equivalence
- Assume the bad states are unreachable from the initial states in a product machine
- Forward reachability analysis reveals the equivalent state pairs reachable from the initial state pairs
- Backward reachability analysis reveals (all?) non-equivalent state pairs
- Backward reachability analysis is more powerful in identifying equivalent states
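The state-traversal side of this comparison (slides 8-10 and 33), as an added explicit example that is not part of the slides: forward and backward reachability on the product machine of constructed Mealy FSMs, with the equivalence verdict drawn both ways. The names product_machine, image, preimage, fixpoint and check are this example's own.

```python
"""Explicit state traversal on the product machine (STPM; slides 8-10 and 33)
for constructed Mealy FSMs: forward reachability from the initial state pair,
backward reachability from the bad pairs, and how the two relate. Added example,
not from the slides; the tools in the slides do this symbolically with BDDs."""
INPUTS = (0, 1)
# Mealy FSM = (initial state, {(state, input): (next_state, output)}). Constructed:
# M1 emits 1 on every second 1 it sees; M2 is an unminimised equivalent (o1 and
# o2 are equivalent states); M3 is M2 with one wrong output, so it is not equivalent.
M1 = ("e", {("e",0):("e",0), ("e",1):("o",0), ("o",0):("o",0), ("o",1):("e",1)})
M2 = ("e", {("e",0):("e",0), ("e",1):("o1",0), ("o1",0):("o2",0), ("o1",1):("e",1),
            ("o2",0):("o2",0), ("o2",1):("e",1)})
M3 = ("e", {**M2[1], ("o2",1):("e",0)})

def product_machine(ma, mb):
    """Slide 8: pairs (p, q) step in lockstep; a pair is bad when some input
    makes the two machines produce different outputs."""
    pairs = {(p, q) for p, _ in ma[1] for q, _ in mb[1]}
    step = {(pq, x): (ma[1][(pq[0], x)][0], mb[1][(pq[1], x)][0])
            for pq in pairs for x in INPUTS}
    bad = {pq for pq in pairs
           if any(ma[1][(pq[0], x)][1] != mb[1][(pq[1], x)][1] for x in INPUTS)}
    return (ma[0], mb[0]), pairs, step, bad

def image(step, current):
    """Img(C): states reachable from C in one step under some input; the explicit
    counterpart of the quantified image formula on slide 9."""
    return {step[(s, x)] for s in current for x in INPUTS}

def preimage(step, current):
    """States that reach C in one step under some input."""
    return {s for (s, _), t in step.items() if t in current}

def fixpoint(seed, op):
    """BFS-style traversal: apply op to the frontier until no new states appear."""
    reach, frontier = set(seed), set(seed)
    while frontier:
        frontier = op(frontier) - reach
        reach |= frontier
    return reach

def check(ma, mb):
    """Slide 33: forward traversal yields the reachable pairs; backward traversal
    from the bad pairs yields every non-equivalent pair. Equivalent iff no bad
    pair is forward reachable (iff the initial pair is not backward reachable)."""
    init, pairs, step, bad = product_machine(ma, mb)
    fwd = fixpoint({init}, lambda c: image(step, c))
    bwd = fixpoint(bad, lambda c: preimage(step, c))
    assert (init in bwd) == bool(fwd & bad)  # the two formulations agree
    return {"equivalent": not (fwd & bad), "reachable": fwd,
            "nonequivalent": bwd, "equivalent_pairs": pairs - bwd}
```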


Slide 35: Experimental results
- Compare three equivalence checking techniques:
  - STPM: state traversal on the product machine
  - SPPM: state partitioning on the product machine
  - SPMM: state partitioning on the multiplexed machine
- Experiments were conducted on a Linux machine with a Pentium III 700 MHz CPU and 2Gb RAM

Slide 36: Experimental results (column abbreviations as in the slides; Mb and sec are memory and time per method; cells left blank were empty or merged in the source)

| Circuit | Reg | Overall partition whl (rf) | Overall partition rch (rf) | Worst partial partition whl (rf) | Worst partial partition rch (rf) | STPM Mb | STPM sec | SPPM Mb | SPPM sec | SPMM Mb | SPMM sec |
|---|---|---|---|---|---|---|---|---|---|---|---|
| s1196 | 18 | 82944 (2) | 1509 (2) | 96 (3) | 56 (3) | 28.3 | 2.3 | 25.1 | 1.5 | 12.4 | 1.2 |
| s298 | 14 | 8061 (16) | 135 (12) | 249 (24) | 118 (20) | 7.8 | 0.2 | 16.4 | 1.0 | 8.7 | 0.2 |
| s344 | 15 | 18608 (5) | 1801 (5) | 248 (8) | 35 (6) | 12.9 | 1.6 | 45.9 | 6.3 | 9.4 | 0.9 |
| s349 | 15 | 18608 (5) | 1801 (5) | 248 (8) | 35 (6) | 12.7 | 1.5 | 35.4 | 6.3 | 9.4 | 0.9 |
| s382 | 21 | 608448 (93) | 8865 (93) | 17174 (183) | 8597 (183) | 12.6 | 4.8 | 51.9 | 14.1 | 34.5 | 98.7 |
| s400 | 21 | 608448 (93) | 8865 (93) | 17174 (183) | 8597 (183) | 12.8 | 4.9 | 52.1 | 14.1 | 34.5 | 98.7 |
| s420.1 | 16 | 65536 (32768) | | | | 45.1 | 669.2 | 37.9 | 290.9 | 58.1 | 4.5e+4 |
| s444 | 21 | 608448 (93) | 8865 (93) | 17174 (183) | 8597 (183) | 12.7 | 4.8 | 52.2 | 13.9 | 37.3 | 133.6 |
| s499 | 22 | 4.1e+6 (1) | 22 (1) | 24 (21) | 22 (21) | 299 | 157.1 | 16.5 | 1.0 | 8.6 | 0.2 |
| s526 | 21 | 1.4e+6 (119) | 8868 (93) | 43068 (199) | 8597 (183) | 22.5 | 7.1 | 65.0 | 888.5 | 39.1 | 88.3 |
| s526n | 21 | 1.4e+6 (119) | 8868 (93) | 43068 (199) | 8597 (183) | 16.6 | 4.4 | 63.7 | 891.2 | 39.0 | 88.2 |
| s641 | 19 | 294912 (1) | 1480 (1) | 24750 (8) | 1248 (8) | 11.9 | 0.7 | 128 | 95.8 | 39.5 | 3.3 |
| s713 | 19 | 294912 (1) | 1480 (1) | 24750 (8) | 1248 (8) | 11.8 | 0.7 | 128 | 92.3 | 39.2 | 6.4 |
| s953 | 29 | N/A | 504 (2) | 42 (10) | 35 (10) | 11.3 | 0.1 | 58.9 | 82.7 | 11.9 | 1.1 |
| s967 | 29 | N/A | 549 (2) | 42 (10) | 35 (10) | 11.4 | 0.9 | 62.5 | 68.0 | 10.3 | 0.5 |
| s991 | 19 | 327680 (1) | 10 (2) | | | 35.4 | 26.4 | >2G | N/A | 10.7 | 0.3 |

Slide 37: Experimental results (cont'd; same columns as slide 36; cells left blank were empty or merged in the source, and three Mb/sec pairs that ran together in the transcript are kept unseparated)

| Circuit | Reg | Overall partition whl (rf) | Overall partition rch (rf) | Worst partial partition whl (rf) | Worst partial partition rch (rf) | STPM Mb | STPM sec | SPPM Mb | SPPM sec | SPMM Mb | SPMM sec |
|---|---|---|---|---|---|---|---|---|---|---|---|
| bigkey | 224 | N/A | 4 (2) | | | >2G | N/A | >2G | N/A | 21.4 | 1.5 |
| clma | 33 | N/A | 5950 (178) | | | 142 | 134.6 | >2G | N/A | 1139862.9 (Mb and sec run together) | |
| mm4a | 12 | 3616 (1) | 712 (1) | 452 (2) | 217 (1) | 8.6 | 0.3 | 7.7 | 0.1 | 15.3 | 0.2 |
| mm9a | 27 | N/A | 522244 (2) | 260617 (1) | | 82.1 | 1.2e+5 | 58.9 | 16.6 | 267 | 1.5e+4 |
| mm9b | 26 | N/A | 260617 (1) | | | >2G | N/A | >2G | N/A | 3066768.5 (Mb and sec run together) | |
| mult16a | 16 | 65536 (16) | 65535 (16) | 65536 (16) | 65535 (16) | 8.5 | 0.2 | 8.4 | 0.1 | 62.0 | 42.0 |
| sbc | 28 | N/A | 23048 (10) | | | >2G | N/A | >2G | N/A | 985 | 8.2e+4 |
| control | 35 | N/A | 43 (2) | 14 (6) | 8 (5) | 191 | 79.4 | 46.1 | 7.9 | 20.3 | 1.1 |
| IFetchCtl2 | 59 | N/A | 9434 (37) | | | >2G | N/A | >2G | N/A | 97.4 | 3762.7 |
| IFetchCtl3 | 61 | N/A | 8442 (39) | | | >2G | N/A | >2G | N/A | 1063912.9 (Mb and sec run together) | |
| parsepack | 70 | N/A | 18 (9) | 10 (9) | | >2G | N/A | 64.9 | 110.9 | 15.0 | 1.9 |
| parsesys | 312 | N/A | 164 (21) | N/A | | >2G | N/A | 458 | 2.9e+4 | 94.8 | 21.5 |
| 8085* | 193 | N/A | 309619 (28) | N/A | | >2G | N/A | >2G | N/A | 1165 | 2.3e+6 |
| bpb | 36 | N/A | 512 (3) | | | >2G | N/A | 51.7 | 62.9 | 23.3 | 4.5 |

Slide 38: Experimental results: elements of success
- Reduce the number of state variables almost by half
- Incorporate simplification using unreachable states
- Verify each output separately (parallel processing)
- Limitation:  10^6 equivalence classes per output

Slide 39: Experimental results
- Identify state equivalence by BDD-based functional decomposition
- Pose the equivalence checking problem as the state equivalence problem of the multiplexed machine
- Verified benchmarks with up to 312 registers, including all of the control outputs of the 8085 microprocessor
- More scalable for high-speed designs


Slide 41: Conclusions
- Two different frameworks for SEC:
  - State traversal based on reachability analysis, in the product space
  - State space partitioning based on state equivalence, in the product space or the disjoint-union space
- SAT-based SEC: unbounded model checking is based on state traversal on the product machine; how about state space partitioning over the multiplexed machine?

