1 Verification of FSM Equivalence Goal: Verify that two sequential circuit implementations always produce the same sequence of outputs given the same sequence.

Slides:



Advertisements
Similar presentations
Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Advertisements

Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
CS357 Lecture: BDD basics David Dill 1. 2 BDDs (Boolean/binary decision diagrams) BDDs are a very successful representation for Boolean functions. A BDD.
CS357: CTL Model Checking (combined notes from lectures 11/5 and 11/7) David Dill 1.
ECE Synthesis & Verification 1 ECE 667 Synthesis and Verification of Digital Systems Formal Verification Combinational Equivalence Checking.
SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
MVI Function Review Input X is p -valued variable. Each Input can have Value in Set {0, 1, 2,..., p i-1 } literal over X corresponds to subset of values.
Introduction to Computability Theory
FSM Decomposition using Partitions on States 290N: The Unknown Component Problem Lecture 24.
A New Approach to Structural Analysis and Transformation of Networks Alan Mishchenko November 29, 1999.
Reachability Analysis 290N: The Unknown Component Problem Lecture 14.
1 CSEP590 – Model Checking and Automated Verification Lecture outline for July 16, 2003.
ECE Synthesis & Verification - Lecture 19 1 ECE 667 Spring 2009 ECE 667 Spring 2009 Synthesis and Verification of Digital Systems Functional Decomposition.
4/19/2005JHJ1 Structure-independent Sequential Equivalence Checking EE290A UC Berkeley Spring 2005.
Computation Engines: BDDs and SAT (part 2) 290N: The Unknown Component Problem Lecture 8.
Nov. 13, 2002ICCAD 2002 Simplification of Non-Deterministic Multi-Valued Networks Alan Mishchenko Electrical and Computer Engineering Portland State University.
ECE Synthesis & Verification - L211 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Verification Equivalence checking.
ECE Synthesis & Verification - Lecture 9b 1 ECE 697B (667) Fall 2004 ECE 697B (667) Fall 2004 Synthesis and Verification of Digital Systems Boolean.
Data Flow Analysis Compiler Design Nov. 8, 2005.
5/6/2004J.-H. R. Jiang1 Functional Dependency for Verification Reduction & Logic Minimization EE290N, Spring 2004.
Exact State Minimization of Non-Deterministic FSMs 290N: The Unknown Component Problem Lecture 17.
4/21/2005JHJ1 Structure-dependent Sequential Equivalence Checking EE290A UC Berkeley Spring 2005.
ECE Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Sequential Equivalence Checking.
01/27/2005 Combinationality of cyclic definitions EECS 290A – Spring 2005 UC Berkeley.
ECE Synthesis & Verification - Lecture 10 1 ECE 697B (667) Spring 2006 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Binary.
ECE 667 Synthesis and Verification of Digital Systems
Computing with Finite Automata (part 2) 290N: The Unknown Component Problem Lecture 10.
IT University of Copenhagen Lecture 8: Binary Decision Diagrams 1. Classical Boolean expression representations 2. If-then-else Normal Form (INF) 3. Binary.
Programming Language Semantics Denotational Semantics Chapter 5 Part III Based on a lecture by Martin Abadi.
New Approach to Quantum Calculation of Spectral Coefficients Marek Perkowski Department of Electrical Engineering, 2005.
Fast Spectral Transforms and Logic Synthesis DoRon Motter August 2, 2001.
State Minimization and Determinization EECS 290A Sequential Logic Synthesis and Verification.
Courtesy RK Brayton (UCB) and A Kuehlmann (Cadence) 1 Logic Synthesis Two-Level Minimization I.
1 Introduction to SMV and Model Checking Mostly by: Ken McMillan Cadence Berkeley Labs Small parts by: Brandon Eames ISIS/Vanderbilt.
B. Alizadeh Advanced Logic Design (2008) 1 / 55 Decision Diagrams.
Solving fixpoint equations
Binary Decision Diagrams (BDDs)
Model Checking Lecture 4 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property.
An ordered n-tuple is a set of n objects with an order associated with them. If n objects are represented by x 1, x 2,..., x n, then we write the ordered.
CS 267: Automated Verification Lecture 6: Binary Decision Diagrams Instructor: Tevfik Bultan.
1 Sequential Machine Theory Prof. K. J. Hintz Department of Electrical and Computer Engineering Lecture 1 Adaptation to this.
Algorithmic Software Verification V &VI. Binary decision diagrams.
Daniel Kroening and Ofer Strichman 1 Decision Procedures An Algorithmic Point of View BDDs.
Daniel Kroening and Ofer Strichman 1 Decision Procedures An Algorithmic Point of View BDDs.
Mathematical Preliminaries
Courtesy RK Brayton (UCB) and A Kuehlmann (Cadence) 1 Logic Synthesis Multi-Level Logic Synthesis.
Verifying Programs with BDDs Topics Representing Boolean functions with Binary Decision Diagrams Application to program verification class-bdd.ppt
1 CSEP590 – Model Checking and Automated Verification Lecture outline for July 9, 2003.
BDDs1 Binary Tree Representation The recursive Shannon expansion corresponds to a binary tree Example: Each path from the root to a leaf corresponds to.
To Split or to Conjoin: The Question in Image Computation 1 {mooni, University of Colorado at Boulder 2 Synopsys.
Boolean Functions 1 ECE 667 ECE 667 Synthesis and Verification of Digital Circuits Boolean Functions Basics Maciej Ciesielski Univ.
1 Using Don’t Cares - full_simplify command Major command in SIS - uses SDC, ODC, XDC Key Questions: How do we represent XDC to a network? How do we relate.
2009/6/30 CAV Quantifier Elimination via Functional Composition Jie-Hong Roland Jiang Dept. of Electrical Eng. / Grad. Inst. of Electronics Eng.
Lecture 9: Query Complexity Tuesday, January 30, 2001.
BDD-based Synthesis of Reversible Logic for Large Functions Robert Wille Rolf Drechsler DAC’09 Presenter: Meng-yen Li.
How CTL model checking works
Fixpoints and Reachability
Hybrid BDD and All-SAT Method for Model Checking
CTL model checking algorithms
Hardware Verification
Fei Li Jinjun Xiong University of Wisconsin-Madison
Binary Decision Diagrams
CSCI1600: Embedded and Real Time Software
A logic function f in n inputs x1, x2, ...xn and
design entry (schematic capture, VHDL, truth table and etc.)
State Abstraction Techniques for the Verification of Reactive Circuits
A logic function f in n inputs x1, x2, ...xn and
ECE 667 Synthesis and Verification of Digital Systems
Presentation transcript:

1 Verification of FSM Equivalence Goal: Verify that two sequential circuit implementations always produce the same sequence of outputs given the same sequence of inputs. M2 i1 out2 M1 i1 out1 Note: both machines are completely specified. Does out1 = out2 for all possible input sequences?

2 FSM Equivalence of the Product Machine Form the product machine: M(S,I,T,O,Init) x = (x 1,x 2 ) present state y = (y 1,y 2 ) next state i = i 1 = i 2 input Init(x) = (Init 1 (x 1 ) x Init 2 (x 2 )) initial states T(x,i,y) = T 1 (x 1,i,y 1 )  T2(x 2,i,y 2 ) transition relation f(x,i) = (f 1 (x 1,i)  f 2 (x 2,i)) single output where  denotes XNOR operation. M2 M1M1xM2if

3 Implicit State Enumeration The FSM’s are equivalent iff for all inputs, their outputs are identical on all reachable state pairs. Let R be the set of all reachable state pairs. Equivalence is verified by the following predicate:  (x,i) [(x  R)  f(x,i)] Easy computation with BDDs. Simply compute + f(x,i) and check if this is identically 1.

4 Implicit State Enumeration The following fixed point algorithm computes the set of reachable state pairs R(x) of an FSM. R 0 (x) = Init(x) R k+1 (x) = R k (x) + [y  x]  x, i (R k (x)  T(x,i,y)) where [y  x] represents substitution of x for y. The iteration terminates when R k+1 (x) = R k (x) and the least fixed point is reached.

5 Implicit FSM Traversal Implicit enumeration of reached state set –manipulates set of states directly in a BFS manner –exponential speed-up over explicit enumeration methods (sometimes) –exploits the fact that the number of states does not usually reflect system complexity –implicit state enumeration may take a long time for sequentially deep circuits e.g. those with counters one set of states at a time: one step

6 Finding Reachable States in an FSM R0R0R0R0 R 0 is the set of intial states

7 Finding Reachable States in an FSM R0R0R0R0 R1R1R1R1 R 1 is the set of states reachable from the initial states in less than or equal to one steps.

8 Finding Reachable States in an FSM R 2 is the set of states reachable from the initial states in less than or equal to two steps. R0R0R0R0 R1R1R1R1 R2R2R2R2

9 Finding Reachable States in an FSM R0R0R0R0 R1R1R1R1 The fixed-point iteration terminates after finding R 4 = R 5. The resultant set is the set of reachable states. R2R2R2R2 R 4 =R 5

10 Partial Product Method Do not need to compute the transition relation T(x,i,y) explicitly as a single monolithic BDD. Can keep T(x,i,y) in product form (called “partitioned translation relation”):

11 Partial Product Method Using Constrain Can form the constrain with respect to R k (x) of each (y j  f j ) before forming the final AND. This usually reduces the size of the final AND. The final AND operation can be decomposed into a balanced binary tree of Boolean ANDs. intermediate variables can be quantified out as soon as no other product depends on those variables.intermediate variables can be quantified out as soon as no other product depends on those variables.

12 Using Constrain Can pre-cluster groups of T j (x j,i j,y j ) (defined as (y j  f j (x j,i j ))) together: C j =  i k j (T j 1,...,T j k ) where the i k j that we can quantify out here are the ones that do not appear in any other T i. Thus Using constrain is a bad idea since (C j (x j,i j,y j )) R k (x) may result in a BDD with more variables. (It is better to use RESTRICT).

13 Better Idea: Use Restrict Linearly order (heuristically) the C j and multiply from the right by R k (x) one at a time, quantifying variables x q, i q as soon as possible (when they appear in no other terms). R i+1 = R i (x) + [y  x]  (x p,i p )C l 1 (...(  (x q,i q ) C l q P i (x))...) where P i (x) = RESTRICT(R i, ). Note: here we do not care about any state in R i-1 since we have already found all successor states of these. Computation done as a binary tree where quantification of x and i is done as soon as possible: Quantify all remaining variables that appear in no other remaining node. C l q P i (x)

14 End of lecture 25

15 Restrict Operator Restrict: 1.if f is independent of x i then RESTRICT(f,c) is also. 2.it does not have the other nice properties of constrain. 3.Experiments show that restrict produces smaller BDDs. function RESTRICT(f,c) assert(c  0) if (c = 1 or is_constant(f)) return f else if (c x’ i = 0), return RESTRICT(f x i,c x i ) else if (c x i = 0), return RESTRICT(f x’ i,c x’ i ) else if (f x i = f x’ i ), return RESTRICT(f x i, c x i + c x’ i ) else return x i RESTRICT(f x i,c x i ) +x’ i RESTRICT(f x’ i,c x’ i )

16 Recursive Image Method (R i-1 is the set of currently reached states and g is the vector of next state functions) The method uses CONSTRAIN: Let g : B n  B m, g = [g 1, g 2,..., g m ], and c = characteristic function of R i-1. First step: use the CONSTRAIN operator to form f = g c = [(g 1 ) c, (g 2 ) c,..., (g m ) c ]. Second step: the range of f is determined. Let R (f) denote the range of the function f. R i = R (f)(y) = y 1 R ([f 2,...,f m ] f 1 ) + y’ 1 R ([f 2,...,f m ] f’ 1 )

17 Explicit FSM Traversal Explicit enumeration: process one state at a timeprocess one state at a time –for each state, next states are enumerated one by one complexity depends on the number of states and the number of input values.complexity depends on the number of states and the number of input values. methods that enumerate the state space explicitly cannot handle FSM’s with a large number of statesmethods that enumerate the state space explicitly cannot handle FSM’s with a large number of states one state at a time first second third fourth

18 State enumeration State traversal techniques are essential to: –synthesis of sequential circuits –verification of sequential circuits Applications: –sequential testing [Cho, Hachtel and Somenzi ITC ‘91] –extraction of sequential don’t cares –implementation verification: checking sequential equivalence [Coudert and Madre ICCAD ‘90] [Touati, Lin, Brayton and Sangiovanni ICCAD ‘90]checking sequential equivalence [Coudert and Madre ICCAD ‘90] [Touati, Lin, Brayton and Sangiovanni ICCAD ‘90] –design verification: checking language containment of  -regular languages [Touati, Kurshan and Brayton 1991] [HSIS system ‘94]checking language containment of  -regular languages [Touati, Kurshan and Brayton 1991] [HSIS system ‘94] CTL model checking [Burch, Clarke, McMillan and Dill DAC ‘90] [SMV (CMU ‘91), VIS (Berkeley ‘96), MOCHA (Berkeley ‘98) systems]CTL model checking [Burch, Clarke, McMillan and Dill DAC ‘90] [SMV (CMU ‘91), VIS (Berkeley ‘96), MOCHA (Berkeley ‘98) systems]

19 End of this section

20 FSM Equivalence on the Product Machine M2 M1M1xM2if

21 Transition and Output Relations Let x be the present state, i the inputs, y the next state, and o the outputs.Let x be the present state, i the inputs, y the next state, and o the outputs. Transition function vector: f(x,i) = [f 1 (x,i),..., f m (x,i)]Transition function vector: f(x,i) = [f 1 (x,i),..., f m (x,i)] Output relation: O(x,i,o) = 1  output is o at state x and input iOutput relation: O(x,i,o) = 1  output is o at state x and input i Transition relation: T(x,i,y) = 1  y = next state from state x on input i.Transition relation: T(x,i,y) = 1  y = next state from state x on input i. Note: transition relation can represent non- deterministic FSM but transition functions cannot.

22 Transition and Output Relations     m k kk ixfyyixT 1,,,     y1y1y1y1 y2y2y2y2 y3y3y3y3 ymymymym f1f1f1f1 f3f3f3f3 f2f2f2f2 fmfmfmfm x i Transition Relation T(x,i,y)

23 Range, Domain, Image and Inverse Image R(f) = range of f and D(f) = domain f(x) is a unique point y  R, but f -1 (y) is in general a set The image of a function f(x) with respect to a domain constraint C(x) is denoted Img (f, C) = {y |  x  C : y = f(x)}. In terms of relation T(x,i,y) and BDD operators: Img (T, C)(y) =  x(C(x)  T(x,i,y)). The inverse image of a function f(x) with respect to a domain constraint C(y) is denoted Pre (f, C) = {x |  y  C : y = f(x)}. In terms of relation T(x,i,y) and BDD operators: Pre (T, C)(x) =  y(C(y)  T(x,i,y)). Img (T,C) and Pre (T,C) are sets usually represented by BDD’s.

24 Generalized Cofactor Recall: If c is a cube, the Shannon cofactor is the cover of the generalized cofactor cof(f,c), which is independent of variables of the cube c. There are many other functions which cover cof(f,c). Want: heuristic to select a representative function of cof(f,c) that has a small BDD representation. The constrain operator [Coudert ICCAD ‘90] is a representation of generalized cofactor which, in most cases, has a small BDD representation. When c is a cube, constrain operator gives the same result as the usual Shannon cofactor.

25 Constrain Operator function constrain(f,c) assert(c  0) if (c = 1 or is_constant(f)) return f else if (c x’ i = 0), return constrain(f x i,c x i ) else if (c x i = 0), return constrain(f x’ i,c x’ i ) else return x i constrain(f x i,c x i ) + x’ i constrain(f x’ i,c x’ i ) a bb f a b 01c1 a b 0 1 fcfcfcfc1

26 Properties of Constrain Operator Following properties of the constrain operator make it very useful in implicit image computations. We denote constrain(f,c) by f c. 1.(g  f) c = g  f c In particular, (f + g) c = f c + g c and (f’) c = (f c )’. 2.  x f(x,y)  c(x) =  x f c (x,y) 3.c is contained in f iff f c is a tautology. 4.If c is the characteristic function of a set A  B n, then f c (B n ) = f(A). i.e. R(f c ) = Img (f,A) 5.Given F (f,d,r), f d’ usually has a smaller BDD representation than f.

27 Constrain Operator: Another Perspective Let c : Bn  B be a non-null Boolean function, and x 1 < x 2 <... < x n an ordering of its input variables. The mapping  c is defined as follows:  c is a projection that maps a minterm x  B n to a minterm y in the ON-set of c, which has the closest distance to x, according to the distance metric d. The particular metric used guarantees the uniqueness of y in the definition above. Since  c maps all points in B n into the ON-set of c, then f c (x) = f(  c (x)). If f = (f 1,...,f m ), then f c = ((f 1 ) c,...,(f m ) c ).

28 Fixed Point Iteration via Predicate Transformers Let (p,q) be two predicates on a finite set S. Let F be a predicate transformer, i.e. F(p) = r where r is a new predicate on S. Suppose F is monotone: p  q  F(p)  F(q) We associate a sequence {p i } as follows: p 0 = 0 p i+1 = F(p i ) p  = p i if p i+1 = p i p  is called the least fixed point of the predicate transformer F. Note that p i  p i+1, since 0  F(p 0 )  F(0)  F(F(0)). Since S is finite (p i ) i  0 converges after a finite number of iterations.

29 Fixed Point Iteration via Predicate Transformers If p 0 = S, the corresponding iteration gives the greatest fixed point of F. All sets can be represented by BDD’s, and the predicate transformer F(p i ) can be computed using BDD operations.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.