This preview has intentionally blurred sections. Sign up to view the full version.
View Full DocumentThis preview has intentionally blurred sections. Sign up to view the full version.
View Full Document
Unformatted text preview: A Uniﬁed Framework for
the Formal Veriﬁcation of Sequential Circuits Olivier Coudert
Jean Christophe Madre Bull Research Center PC 62Al3
68, Route de Versailles
78430 Louvecienncs FRANCE 1 Introduction Hardware description languages (HDLs) dramatically change the way
circuit designers worle These languages can be used to describe
circuits at a very high level of abstraction, which allows the designers
to specify the behavior of a circuit before realizing it. The validation
of these speciﬁcations is currently done by executing them, which is
very costly [2]. This cost motivates the research [3] [5] [7] [10] done
on the automatic veriﬁcation of temporal properties of ﬁnite state
machines. Once the design of the circuit is done, the problem is to verify that the
resulting circuit is correct with respect to its speciﬁcation. Until
recently, this veriﬁcation was done by simulating the circuit and its
speciﬁcation on the same input sequences and by comparing their
output sequences. This veriﬁcation method is very costly and
incomplete because of the large number of input sequences to
consider [2]. This paper presents a uniﬁed framework for the veriﬁcation of
synchronous circuits. Within this framework the two veriﬁcation
tasks presented above can be automatically performed using
algorithms based on the same concepts. The ﬁrst idea is to
manipulate sets of states and sets of transitions instead of individual
states and individual transitions. The second idea is to represent
these sets by Boolean functions and to replace operations on sets with
operations on Boolean functions. Part 2 of the paper deﬁnes the two problems addressed here, and then
it presents the veriﬁcation algorithms. It shows that these algorithms
use the standard set operations in addition to two speciﬁc operations
called “Pre” and “1mg”. Part 3 brieﬂy explains why the basic set
operations are very efﬁciently performed when sets are denoted by
the typed decision graphs of their characteristic functions. Part 4
presents the new Boolean operators “Constrain” and “Restrict", and
the function “Expand" that support efﬁciently the “1mg" and “Pre”
operations. Pan 5 gives experimental results and discusses them. 2 The Veriﬁcation Algorithms This section deﬁnes the model of sequential circuits that will be
veriﬁed, and the two veriﬁcation problems addressed here. Then it
gives for both problems an algorithm based on set manipulations. 2.1 Definitions For the sake of clarity we will consider in this paper that the
sequential circuits that must be veriﬁed are deterministic Moore
machines. Moreover we assume that these machines are completely
speciﬁed, which means that for any state of the machine, (1) the
outputs are defined, and (2) for any input pattem, the next state of the
machine is deﬁned. This is not a limitation since, if the machine is
incompletely speciﬁed, it is possible to add a dummy state in order to
obtain a completely speciﬁed machine. CH29249/90/0000/0126$01.00 © 1990 lEEE 126 A deterministic Moore machine M is deﬁned by a 6mple
(Y, l, 0,1,, 5, Init). Y is the vector [y], ...,ym] of Boolean state
variables of the machine: a state of M is deﬁned by the Boolean
values of the variables y 1, ym. I is the vector of n boolean inputs
of the machine. 0 is the vector of k boolean outputs of the machine.
The output function it is a vector of k Boolean functions (one for each
output) from the set {0, 1]“1 into {0, 1]. The transition function 8 is a
vector of m Boolean functions from [0, l]mx {0, 1}n into {0,1}.
Finally Init is the initial state of the machine. The 6tuple that deﬁnes a sequential circuit can be obtained either
from its gate level description or from its functional description, using
a symbolic execution process such as the one used in PRIAM [2]. 2.2 Verification of Temporal Properties The temporal formulas that the veriﬁcation system takes as input are
the state formulas of the computation tree logic CTL [7]. This logic
is a formalism that was speciﬁcally developed to express properties
of the states and the computation paths of ﬁnite state systems. The
meaning of a state formula is relative to a state of the machine, which
is here deﬁned by the values of its state variables. The 4 basic kinds
of CTL state formulas are the following: (1) (yl), (yn) are state formulas. For any state s, s l=yj if and only if (iff) the value of the variable yj is 1 in the state s. If f and g are state formulas then so are the formulas (—1f),
(ng).thg).(fﬁg),andtf=>g). If f is a state formula, so are the formulas EXo‘) and AXCﬂ:
s l: EXQ‘) if there exists at least one input pattem p such that
5(s, p) =f, and AXo‘) =def ﬂ EX(—.f). If f and g are state formulas, so are the formulas E[f U g] and
A[fU g]: s I: E[fU g] iﬂthere exists at least one path (so, s1, ...)
with so: 5, such that ii ((sl I: g) A (Vj (0 Sj < i =a sj )=f))), and
s=A[fU g] iff for all paths (so, s1, ...) such that s0=s, then
31((si= g) A (Vi (0 Si < i => s, ex»). The ﬁrst algorithms that have been proposed to verify automatically
that some machine holds a temporal property [7] used traversal
techniques of its statetransition graph, which had to be partially or
entirely built. This limited the application of these algorithms to
relatively small machines. (2) (3) (4) The veriﬁcation algorithm used here takes as inputs a machine
M: (Y, I, 0, 7t, 5, Init) and the temporal formulafto be veriﬁed. lt
recursively computes the set of states of M that satisfy the formula f
from the sets of states that satisfy its subformulas. At each step there
are only 4 basic cases to consider that correspond to the 4 basic kinds
of formulas given above. Once the set of states F that satisfy the
whole formula is obtained, to check whether (5 =f) for some state s
of M comes down to checking whether s belongs to F [3]. The sets of states that satisfy formulas of type (1) and (2) can be
computed using the basic set operations. For instance, the set of
states that satisfy the formula 0’1) is {1} X {0, l}""1 ; ifF and G are
the sets of states that satisfy the formulas f and g respectively, then
the set of states that satisfy the formula (f v g) is (F U G). The other kinds of formulas are treated with the “Pie” operation,
either in one step (EX and AX formulas) or by ﬁxed point algorithms
(EU and AU formulas). By deﬁnition, PN(Q.A.B) : [S/(SE A)’\(QPB(SP)E B))v where Q is either the existential “3” or the universal “V" quantiﬁer.
Pre(Q, A, B) is the subset of states of A which have either at least one
successor (Q = 3) or all their successors (Q = V) in the set B. Let f be
a formula and F be the set of states that satisfy f. The sets of states
EX and AX that satisfy EXU) and AXO‘) respectively are deﬁned by: EX: PreGl, (0,1)m,F) (1)
AX: Pre(V,[0.1}m,F) (2) Let f and g be two formulas and F and G be the sets of states that
satisfy f and g respectively. The sets of states EU and AU that satisfy
the formulas ELf U g] and Alf U g] respectively are the limits of the
following converging sequences of sets (Bk) and (Ak) [3]: E0 = G. and Elm = EkuPreG, F, Bk), (3)
A0 = G. and Arm1 = AkUPI‘C(V, F, AK). (4)
These algorithms use only the basic set operations U, n, =, in addition with the “Pre” operation. 2.3 Comparison of Sequential Machines The fundamental method for comparing the observable behaviors of
M1=(Y1,1,0,5,,l1,hm,) and M2=(Y2,t,o,82,a2,rnit2) is to
check that the output ok of the product machine M: M1 >< M2 is
equal to l for every valid state of M This machine is deﬁned by
M: (Y. 1, [0k], 8, X, lnit) where Y = Y1 @ Y2, (“@" is the vector
concatenation), 8: [email protected] 82, Init=Init1><Init2 and 10k depends on
the comparison criterion The correctness property given above holds for the machine M if the
CTL state formula (—. E(l'rue U (0k = 0))) holds in its initial state Init,
so the veriﬁcation algorithm presented in 2.2 can be used to compare
two machines. We give here a speciﬁc comparison algorithm that has
been shown by experience to be much more efcient than this general
algorithm. Both methods will be discussed in Part 5. The idea used here is to compute the set Valid of all the valid states
of the machine M This set is the limit of the converging sequence of
sets Vk deﬁned by the equations: v0 = lnit, and vk+1 =' vk u Img(8.ka {0, 1}"), (5) where Img(f, A) =d£f {f(a)/ ae A} is the image of the set A with
respect to the function f. Once Valid is computed, the veriﬁcation
comes down to testing whether lmg(l.ok, Valid) = {l} (6). This algo
rithm. like the one given in the previous section, uses only the basic
set operations, in addition to the “1mg" operation. 3 Boolean Functions and Sets Any subset A of [0,1}n can be represented by a unique Boolean
function h from {0, 1]n to {0, 1}, deﬁned by: xA(a) = 1 if and only
if a e A. Thé 'function xA is called the characteristic function of A.
The set operators (U, n, c. e, x) can be expressed in terms of the
logical operators (v, A, =>, a, 4:). For instance, the characteristic
function of the set A U B is ky.(xA(y) v xB(y)). Typed decision graphs [1] are a compact canonical representation of
Boolean functions. They have remarkable properties that make the
symbolic manipulations on Boolean functions very efﬁcient. Typed
decision graphs, which are binary decision diagrams [4] with typed 127 edges, are the canonical graph representation associated to Shannon's
typed canonical form [1]. By associating a unique atom to each of
the component of the cartesian product [0, 1}“, any characteristic
function can be represented by a unique typed decision graph. The correspondence mentioned above gives the computational cost of
the elementary set operations. The negation on typed decision graphs
has a null cost so this is the same for the set complementation. The
others Boolean operations have a complexity in 0(IG1IXlel)u where
IGI is the number of vertices in the graph G, which gives the
computational cost of the corresponding elementary set operations. There is no relation between the number of elements in a set and the
number of vertices in the graph of its characteristic function.
However there exists some subsets of {0.1}'1 whose graphs have
0(2“ / log(n)) vertices. Experience shows that, for most of the
machines we deal witlt, while the sets manipulated by the veriﬁcation
algorithms are very large, the graphs of their characteristic functions
stay small. This means that the computational cost of the basic set
operations performed by the symbolic veriﬁcation algorithms is low,
and that the total cost of these algorithms depends on the costs of the
operations “Pro” and “1mg". 4 The “Pre” and “1mg” Operations This part explains how the operations “Pre” and “1mg” can be easily
realized when the typed decision graph of the transition relation and
of the output relation of the machine can be build [5]. Then it
presents the techniques we have developed to perform these
operations when it is not possible to built these graphs, which
happens for most complex circuits. 4.] Using the transition and the output relations The transition relation A of the machine M is a subset of
(0.1]"1 X [0, 1]“x [0, l}m. For any states s and s' ofM, and for any
input pattern 1), (s. p. 5‘) belongs to A if and only if s' = 5(s, p). For
any subset A and B of {0, 1}“, the characteristic function of the set
Pre(Q, A, B) is equal to: magma) = AS(MS) A (QP 3S' x36) A Ms. 9. 5')». The output relation of the machine M noted A, is a subset of
[0, 1]“1 x [0, llk. For any state s of M and for any output pattern
out, (5, out) belongs to A if and only if out: Ms). The equations (5)
and (6), using the operation “ling", can be written as: erg(8.Ax{0,1}n)= M5613 35 XA(S)AXA(SsPS')) (5‘) xlmqu A) = MULGJS xA(S) A XA(S. out)). (6') Since the formula (3x f(x)) is equivalent to (f(O) v f(l)), and the
formula (Vx f(x)) is equivalent to (f(O) A f(1)). the graphs of the
characteristic functions of Pre(Q, A, B), Img(8, A X {0, 1}“) and
Img(h, A) can be directly computed from the graphs of xA, 3m, 3m,
and M by eliminating the quantiﬁed atoms associated with p. s and s'.
This technique is very efﬁcient [5], because it uses only the operators
v and A, which have been shown in Section 3 to have relatively low
computational costs. The problem is that, for complex machines, it is
not possible to build the graphs of A and A [8]. 4.2 The “Restrict” and “Expand” Operators
The equations that deﬁne the “Pre” operation are the following:
Zine, A, a) = AS(XMS) M31) 13(56: p)))). and (7) XPMV, A, B) = AS.(XA(S) A ‘1 (3i) " X365, p)))). (3) The graph of the function Asap x(8(s. p)), where x is X]; or —. XE,
can be computed in two steps. The ﬁrst step consists in computing
the function x o 8. Then, the quantiﬁed atoms associated to the input
pattern p are eliminated from the graph of this function. It has been shown [4] that substituting some variable v in the graph
G] with the graph G; has a computational cost in 000112 x IGzl)~ In order to compute the graph of hs.hp.(x(81(s,p), 5m(S.p))), this
basic substitution process must be iterated so that all variables of x
are substituted by the graphs of the corresponding components of 5.
The problem is that during this composition. some intermediate
graphs can be too large to be built. Section 4.2.1 shows that it is not necessary to build the graph of x o 6
to compute Pre(Q, A, B). It presents the function “Expand" that
avoids this construction. Section 4.2.2 presents the “Restrict”
operator that further reduces the computational cost of the “Pie"
operation by reducing the sizes of the graphs that are manipulated. 4.2.1 The function “Expand” The idea that underlies the function "Expand" is to express the
function x o 5 as a sum of K functions hl, ..., hK, whose graphs have
less vertices than the graph of x o 5. Using these functions, the term
(3p x(8(s, p))) can be rewritten into (VJ(3p hJ(s. p))). This identity
allows us to eliminate directly the quantiﬁed atoms associated to the
input pattern p from the graphs of the functions hl, hK, and so the
graph of x o 8 does not have to be built. Each path in the graph G of the function x starting from the root and
leading to the leaf 1 deﬁnes a cube cj of the function x. This means
that the function e o 5 can be taken as one function hj. The problems
are that the functron x can have 0(2lc'l) cubes, and that even if its
number of cubes is relatively small, many redundant computations
will be made. The function Expand performs a topdown traversal of the graph G,
and stores in each of its vertices the graph of the function CV o 8,
where the function Cv is the sum of all the cubes represented by the
paths starting from the root of G and leading to v. Each time the top
down traversal reaches the leaf 1, the function Expand produces one
of the functions hj. The function Cv associated to a vertex v is
recursively computed using the functions Cw of the vertices w that
point to v. Thanks to the sharing in the graph, partial results are
factorized and redundant computations are avoided [10]. Experience shows that the graphs of the functions hl, hK generated
by the Expand operation are smaller than the graph of x o 5. The
time needed to compute each of these functions directly depends on
the sizes of the graphs of the functions bj. The next section presents a
Boolean operator that can be used to reduce the sizes of the graphs
used in the term x(8(s, p)). 4.2.2 The Operator “ii” In the equations (7) and (8), when xA(s) = 0 the characteristic func
tion of Pre(Q, A, B) is also equal to O. This means that, in the term
xB(5(s, p)) that occurs in the equations (7) and (8), the transition
function 8 can be replaced with its restriction to the domain A. The “Restrict” operator, noted “U", takes as input the typed decision
graph of a boolean function f and of the characteristic function e of
the set to which the function f must be restricted. The semantics of
the Restrict operator [8], is given on Shannon’s canonical form in
Figure I. In this ﬁgure, c.root is the root of Shannon's canonical form
of c. and (cl—1a, c/a) is Shannon's expansion [1] of the function c with
respect to a. The main properties of the Restrict operator [8] [10] are
expressed by the following theorems. function restrict(f, e); if c = 0 then error; if c = 1 then return f; iff= 0 or f: 1 then return f; let a = c.root in {
if c/—.a = 0 then return restrict(f/a, c/a); if 0/3. = 0 then return restrict(f/—ta, c/—.a);
if f/—.a = f/a then return restrict(f, cl—ra v c/a);
return (—a A restrict(f/——.a, e/—.a)) v (a A restrict(f/a, c/a)); } Figure 1. The Restrict Operator on Shannon's canonical form. 128 Theorem 1. For any Boolean functions f and c at 0, if C(x) = 1 then all no) =ﬂx). Theorem 2. For any Boolean functions f and c ¢ 0. Shannon's typed
canonical form of (f U c) has a: most the same number of vertices as that off. Theorem 2 is not true for typed decision graphs. It can happen that
the graph of (f U c) has more vertices than the graph of f. In this case
the function restrict returns the graph of f. Experience shows that this
case occurs very rarely. 4.3 Performing the “1mg” Operation The problem addressed here is to compute the characteristic function
x of the image of the restriction of a vectorial Boolean function
F = [fl fn] to a domain deﬁned by its characteristic ﬁrnction xA. A
deﬁnition of x is [8]: x = Myl ynl.(3xxA(x) A (AJ (yj e too)».
The term (Aj (y~ <=> fj(x))) represents the transition relation of the
machine, which has been shown to be in many cases too complex to
be computed [8]. This section presents two algorithms that can be used to compute x without computing this term. Both algorithms are based on the “constrain" operator, noted “.L”, and
work in two steps [8]. The ﬁrst step common to both algorithms
consists in computing a new vectorial function F' = [fl' fn‘] such
that Img(F, xA) = Img(F', l). The second step then consists in
computing the characteristic function of Img(F, 1), by using co
domain partitioning in the ﬁrst algorithm and domain partitioning in
the second algorithm. Figure 2 gives the semantics of the operator “l" [9] on Shannon's
canonical form. The operator applies on Shannon‘s canonical forms
of the Boolean functions f and c, and produces Shannon's canonical
form of the function (f l c). Its fundamental properties are expressed
by the following theorem [9]. Theorem 3. Let F = [fl ..fn] be a vector of functions, and c be a
function diﬁerent from 0. Let F i c =def [0‘] i c) (fn l c)]. Then
lmg(F l c, I) = Img(F, 0). function cnst(f, c) if c = 0 then error; if c = 1 then return f; if f = 0 or f: 1 then return f; let a = c.root in (
if else: = 0 then return cnst(f/a, c/a); if c/a = 0 then return cnst(fI—ta. c/—.a);
if f/aa = f/a then return (aa A cnst(f, c/—.a)) v (a A cnst(f, 0/3));
return (—.a A cnst(f/ﬁa, c/ﬁa» v (a A cnst(f/a, c/a)); } Figure 2. The Constrain Operator on Shannon's canonical form. 4.3.1 Codomain Partitioning Based Algorithm The ﬁrst recursive algorithm that computes Img(F, 1) uses the
operator “J.” to partition the codomain of the vectorial function F.
The algorithm is a direct application of the following theorem. Theorem 4. Let F n = [fl fn] be a Boolean vectorial function. Then:
Img(F,,,1) = Img(F,,_, iﬁfﬂ, I) x {0} u Img(F,l_I lfn,])x{1}. The number of recursions needed to compute Img(F, l) is bound by
the number of elements of this set. Several teelmiques have been
proposed to reduce this number of recursions. Vector partitioning [9]
consists in splitting the vector F into several subvectors of functions
which have disjoint supports of variables. In [6] it has been proposed
to use a cache where partial results obtained during previous
recursions’ are stored. However the exact marching used in [6] can be
replaced by an extended matching that allows us to match any vector
of k components in the cache with (kl x 2...
View
Full Document
 Fall '09
 brewer

Click to edit the document details