coudert_iccad90

coudert_iccad90 - A Unified Framework for the Formal...

Info icon This preview shows pages 1–4. Sign up to view the full content.

View Full Document Right Arrow Icon
Image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full Document Right Arrow Icon
Image of page 2
Image of page 3

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full Document Right Arrow Icon
Image of page 4
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: A Unified Framework for the Formal Verification of Sequential Circuits Olivier Coudert Jean Christophe Madre Bull Research Center PC 62Al3 68, Route de Versailles 78430 Louvecienncs FRANCE 1 Introduction Hardware description languages (HDLs) dramatically change the way circuit designers worle These languages can be used to describe circuits at a very high level of abstraction, which allows the designers to specify the behavior of a circuit before realizing it. The validation of these specifications is currently done by executing them, which is very costly [2]. This cost motivates the research [3] [5] [7] [10] done on the automatic verification of temporal properties of finite state machines. Once the design of the circuit is done, the problem is to verify that the resulting circuit is correct with respect to its specification. Until recently, this verification was done by simulating the circuit and its specification on the same input sequences and by comparing their output sequences. This verification method is very costly and incomplete because of the large number of input sequences to consider [2]. This paper presents a unified framework for the verification of synchronous circuits. Within this framework the two verification tasks presented above can be automatically performed using algorithms based on the same concepts. The first idea is to manipulate sets of states and sets of transitions instead of individual states and individual transitions. The second idea is to represent these sets by Boolean functions and to replace operations on sets with operations on Boolean functions. Part 2 of the paper defines the two problems addressed here, and then it presents the verification algorithms. It shows that these algorithms use the standard set operations in addition to two specific operations called “Pre” and “1mg”. Part 3 briefly explains why the basic set operations are very efficiently performed when sets are denoted by the typed decision graphs of their characteristic functions. Part 4 presents the new Boolean operators “Constrain” and “Restrict", and the function “Expand" that support efficiently the “1mg" and “Pre” operations. Pan 5 gives experimental results and discusses them. 2 The Verification Algorithms This section defines the model of sequential circuits that will be verified, and the two verification problems addressed here. Then it gives for both problems an algorithm based on set manipulations. 2.1 Definitions For the sake of clarity we will consider in this paper that the sequential circuits that must be verified are deterministic Moore machines. Moreover we assume that these machines are completely specified, which means that for any state of the machine, (1) the outputs are defined, and (2) for any input pattem, the next state of the machine is defined. This is not a limitation since, if the machine is incompletely specified, it is possible to add a dummy state in order to obtain a completely specified machine. CH2924-9/90/0000/0126$01.00 © 1990 lEEE 126 A deterministic Moore machine M is defined by a 6-mple (Y, l, 0,1,, 5, Init). Y is the vector [y], ...,ym] of Boolean state variables of the machine: a state of M is defined by the Boolean values of the variables y 1, ym. I is the vector of n boolean inputs of the machine. 0 is the vector of k boolean outputs of the machine. The output function it is a vector of k Boolean functions (one for each output) from the set {0, 1]“1 into {0, 1]. The transition function 8 is a vector of m Boolean functions from [0, l]mx {0, 1}n into {0,1}. Finally Init is the initial state of the machine. The 6-tuple that defines a sequential circuit can be obtained either from its gate level description or from its functional description, using a symbolic execution process such as the one used in PRIAM [2]. 2.2 Verification of Temporal Properties The temporal formulas that the verification system takes as input are the state formulas of the computation tree logic CTL [7]. This logic is a formalism that was specifically developed to express properties of the states and the computation paths of finite state systems. The meaning of a state formula is relative to a state of the machine, which is here defined by the values of its state variables. The 4 basic kinds of CTL state formulas are the following: (1) (yl), (yn) are state formulas. For any state s, s l=yj if and only if (iff) the value of the variable yj is 1 in the state s. If f and g are state formulas then so are the formulas (—-1f), (ng).thg).(ffig),andtf=>g). If f is a state formula, so are the formulas EXo‘) and AXCfl: s l: EXQ‘) if there exists at least one input pattem p such that 5(s, p) |=f, and AXo‘) =def fl EX(—.f). If f and g are state formulas, so are the formulas E[f U g] and A[fU g]: s I: E[fU g] iflthere exists at least one path (so, s1, ...) with so: 5, such that ii ((s-l I: g) A (Vj (0 Sj < i =a sj )=f))), and s|=A[fU g] iff for all paths (so, s1, ...) such that s0=s, then 31((si|= g) A (Vi (0 Si < i => s,- ex»). The first algorithms that have been proposed to verify automatically that some machine holds a temporal property [7] used traversal techniques of its state-transition graph, which had to be partially or entirely built. This limited the application of these algorithms to relatively small machines. (2) (3) (4) The verification algorithm used here takes as inputs a machine M: (Y, I, 0, 7t, 5, Init) and the temporal formulafto be verified. lt recursively computes the set of states of M that satisfy the formula f from the sets of states that satisfy its subformulas. At each step there are only 4 basic cases to consider that correspond to the 4 basic kinds of formulas given above. Once the set of states F that satisfy the whole formula is obtained, to check whether (5 |=f) for some state s of M comes down to checking whether s belongs to F [3]. The sets of states that satisfy formulas of type (1) and (2) can be computed using the basic set operations. For instance, the set of states that satisfy the formula 0’1) is {1} X {0, l}""1 ; ifF and G are the sets of states that satisfy the formulas f and g respectively, then the set of states that satisfy the formula (f v g) is (F U G). The other kinds of formulas are treated with the “Pie” operation, either in one step (EX and AX formulas) or by fixed point algorithms (EU and AU formulas). By definition, PN(Q.A.B) : [S/(SE A)’\(QPB(S-P)E B))v where Q is either the existential “3” or the universal “V" quantifier. Pre(Q, A, B) is the subset of states of A which have either at least one successor (Q = 3) or all their successors (Q = V) in the set B. Let f be a formula and F be the set of states that satisfy f. The sets of states EX and AX that satisfy EXU) and AXO‘) respectively are defined by: EX: PreGl, (0,1)m,F) (1) AX: Pre(V,[0.1}m,F) (2) Let f and g be two formulas and F and G be the sets of states that satisfy f and g respectively. The sets of states EU and AU that satisfy the formulas ELf U g] and Alf U g] respectively are the limits of the following converging sequences of sets (Bk) and (Ak) [3]: E0 = G. and Elm = EkuPreG, F, Bk), (3) A0 = G. and Arm-1 = AkUPI‘C(V, F, AK). (4) These algorithms use only the basic set operations U, n, =, in addition with the “Pre” operation. 2.3 Comparison of Sequential Machines The fundamental method for comparing the observable behaviors of M1=(Y1,1,0,5,,l1,hm,) and M2=(Y2,t,o,82,a2,rnit2) is to check that the output ok of the product machine M: M1 >< M2 is equal to l for every valid state of M This machine is defined by M: (Y. 1, [0k], 8, X, lnit) where Y = Y1 @ Y2, (“@" is the vector concatenation), 8: [email protected] 82, Init=Init1><Init2 and 10k depends on the comparison criterion The correctness property given above holds for the machine M if the CTL state formula (—-. E(l'rue U (0k = 0))) holds in its initial state Init, so the verification algorithm presented in 2.2 can be used to compare two machines. We give here a specific comparison algorithm that has been shown by experience to be much more efcient than this general algorithm. Both methods will be discussed in Part 5. The idea used here is to compute the set Valid of all the valid states of the machine M This set is the limit of the converging sequence of sets Vk defined by the equations: v0 = lnit, and vk+1 =' vk u Img(8.ka {0, 1}"), (5) where Img(f, A) =d£f {f(a)/ ae A} is the image of the set A with respect to the function f. Once Valid is computed, the verification comes down to testing whether lmg(l.ok, Valid) = {l} (6). This algo- rithm. like the one given in the previous section, uses only the basic set operations, in addition to the “1mg" operation. 3 Boolean Functions and Sets Any subset A of [0,1}n can be represented by a unique Boolean function h from {0, 1]n to {0, 1}, defined by: xA(a) = 1 if and only if a e A. Thé 'function xA is called the characteristic function of A. The set operators (U, n, c. e, x) can be expressed in terms of the logical operators (v, A, =>, a, 4:). For instance, the characteristic function of the set A U B is ky.(xA(y) v xB(y)). Typed decision graphs [1] are a compact canonical representation of Boolean functions. They have remarkable properties that make the symbolic manipulations on Boolean functions very efficient. Typed decision graphs, which are binary decision diagrams [4] with typed 127 edges, are the canonical graph representation associated to Shannon's typed canonical form [1]. By associating a unique atom to each of the component of the cartesian product [0, 1}“, any characteristic function can be represented by a unique typed decision graph. The correspondence mentioned above gives the computational cost of the elementary set operations. The negation on typed decision graphs has a null cost so this is the same for the set complementation. The others Boolean operations have a complexity in 0(IG1IXlel)u where IGI is the number of vertices in the graph G, which gives the computational cost of the corresponding elementary set operations. There is no relation between the number of elements in a set and the number of vertices in the graph of its characteristic function. However there exists some subsets of {0.1}'1 whose graphs have 0(2“ / log(n)) vertices. Experience shows that, for most of the machines we deal witlt, while the sets manipulated by the verification algorithms are very large, the graphs of their characteristic functions stay small. This means that the computational cost of the basic set operations performed by the symbolic verification algorithms is low, and that the total cost of these algorithms depends on the costs of the operations “Pro” and “1mg". 4 The “Pre” and “1mg” Operations This part explains how the operations “Pre” and “1mg” can be easily realized when the typed decision graph of the transition relation and of the output relation of the machine can be build [5]. Then it presents the techniques we have developed to perform these operations when it is not possible to built these graphs, which happens for most complex circuits. 4.] Using the transition and the output relations The transition relation A of the machine M is a subset of (0.1]"1 X [0, 1]“x [0, l}m. For any states s and s' ofM, and for any input pattern 1), (s. p. 5‘) belongs to A if and only if s' = 5(s, p). For any subset A and B of {0, 1}“, the characteristic function of the set Pre(Q, A, B) is equal to: magma) = AS(MS) A (QP 3S' x36) A Ms. 9. 5')». The output relation of the machine M noted A, is a subset of [0, 1]“1 x [0, llk. For any state s of M and for any output pattern out, (5, out) belongs to A if and only if out: Ms). The equations (5) and (6), using the operation “ling", can be written as: erg(8.Ax{0,1}n)= M5613 35 XA(S)AXA(SsP-S')) (5‘) xlmqu A) = MULGJS xA(S) A XA(S. out)). (6') Since the formula (3x f(x)) is equivalent to (f(O) v f(l)), and the formula (Vx f(x)) is equivalent to (f(O) A f(1)). the graphs of the characteristic functions of Pre(Q, A, B), Img(8, A X {0, 1}“) and Img(h, A) can be directly computed from the graphs of xA, 3m, 3m, and M by eliminating the quantified atoms associated with p. s and s'. This technique is very efficient [5], because it uses only the operators v and A, which have been shown in Section 3 to have relatively low computational costs. The problem is that, for complex machines, it is not possible to build the graphs of A and A [8]. 4.2 The “Restrict” and “Expand” Operators The equations that define the “Pre” operation are the following: Zine, A, a) = AS-(XMS) M31) 13(56: p)))). and (7) XPMV, A, B) = AS.(XA(S) A ‘1 (3i) " X365, p)))). (3) The graph of the function Asap x(8(s. p)), where x is X]; or —. XE, can be computed in two steps. The first step consists in computing the function x o 8. Then, the quantified atoms associated to the input pattern p are eliminated from the graph of this function. It has been shown [4] that substituting some variable v in the graph G] with the graph G; has a computational cost in 000112 x IGzl)~ In order to compute the graph of hs.hp.(x(81(s,p), 5m(S.p))), this basic substitution process must be iterated so that all variables of x are substituted by the graphs of the corresponding components of 5. The problem is that during this composition. some intermediate graphs can be too large to be built. Section 4.2.1 shows that it is not necessary to build the graph of x o 6 to compute Pre(Q, A, B). It presents the function “Expand" that avoids this construction. Section 4.2.2 presents the “Restrict” operator that further reduces the computational cost of the “Pie" operation by reducing the sizes of the graphs that are manipulated. 4.2.1 The function “Expand” The idea that underlies the function "Expand" is to express the function x o 5 as a sum of K functions hl, ..., hK, whose graphs have less vertices than the graph of x o 5. Using these functions, the term (3p x(8(s, p))) can be rewritten into (VJ-(3p hJ-(s. p))). This identity allows us to eliminate directly the quantified atoms associated to the input pattern p from the graphs of the functions hl, hK, and so the graph of x o 8 does not have to be built. Each path in the graph G of the function x starting from the root and leading to the leaf 1 defines a cube cj of the function x. This means that the function e- o 5 can be taken as one function hj. The problems are that the functron x can have 0(2lc'l) cubes, and that even if its number of cubes is relatively small, many redundant computations will be made. The function Expand performs a topdown traversal of the graph G, and stores in each of its vertices the graph of the function CV o 8, where the function Cv is the sum of all the cubes represented by the paths starting from the root of G and leading to v. Each time the top- down traversal reaches the leaf 1, the function Expand produces one of the functions hj. The function Cv associated to a vertex v is recursively computed using the functions Cw of the vertices w that point to v. Thanks to the sharing in the graph, partial results are factorized and redundant computations are avoided [10]. Experience shows that the graphs of the functions hl, hK generated by the Expand operation are smaller than the graph of x o 5. The time needed to compute each of these functions directly depends on the sizes of the graphs of the functions bj. The next section presents a Boolean operator that can be used to reduce the sizes of the graphs used in the term x(8(s, p)). 4.2.2 The Operator “ii” In the equations (7) and (8), when xA(s) = 0 the characteristic func- tion of Pre(Q, A, B) is also equal to O. This means that, in the term xB(5(s, p)) that occurs in the equations (7) and (8), the transition function 8 can be replaced with its restriction to the domain A. The “Restrict” operator, noted “U", takes as input the typed decision graph of a boolean function f and of the characteristic function e of the set to which the function f must be restricted. The semantics of the Restrict operator [8], is given on Shannon’s canonical form in Figure I. In this figure, c.root is the root of Shannon's canonical form of c. and (cl—1a, c/a) is Shannon's expansion [1] of the function c with respect to a. The main properties of the Restrict operator [8] [10] are expressed by the following theorems. function restrict(f, e); if c = 0 then error; if c = 1 then return f; iff= 0 or f: 1 then return f; let a = c.root in { if c/—.a = 0 then return restrict(f/a, c/a); if 0/3. = 0 then return restrict(f/—ta, c/—.a); if f/—-.a = f/a then return restrict(f, cl—ra v c/a); return (—a A restrict(f/——.a, e/—.a)) v (a A restrict(f/a, c/a)); } Figure 1. The Restrict Operator on Shannon's canonical form. 128 Theorem 1. For any Boolean functions f and c at 0, if C(x) = 1 then all no) =flx). Theorem 2. For any Boolean functions f and c ¢ 0. Shannon's typed canonical form of (f U c) has a: most the same number of vertices as that off. Theorem 2 is not true for typed decision graphs. It can happen that the graph of (f U c) has more vertices than the graph of f. In this case the function restrict returns the graph of f. Experience shows that this case occurs very rarely. 4.3 Performing the “1mg” Operation The problem addressed here is to compute the characteristic function x of the image of the restriction of a vectorial Boolean function F = [fl fn] to a domain defined by its characteristic firnction xA. A definition of x is [8]: x = Myl ynl.(3xxA(x) A (AJ- (yj e too)». The term (Aj (y~ <=> fj(x))) represents the transition relation of the machine, which has been shown to be in many cases too complex to be computed [8]. This section presents two algorithms that can be used to compute x without computing this term. Both algorithms are based on the “constrain" operator, noted “.L”, and work in two steps [8]. The first step common to both algorithms consists in computing a new vectorial function F' = [fl' fn‘] such that Img(F, xA) = Img(F', l). The second step then consists in computing the characteristic function of Img(F, 1), by using co- domain partitioning in the first algorithm and domain partitioning in the second algorithm. Figure 2 gives the semantics of the operator “l" [9] on Shannon's canonical form. The operator applies on Shannon‘s canonical forms of the Boolean functions f and c, and produces Shannon's canonical form of the function (f l c). Its fundamental properties are expressed by the following theorem [9]. Theorem 3. Let F = [fl ..fn] be a vector of functions, and c be a function difierent from 0. Let F i c =def [0‘] i c) (fn l c)]. Then lmg(F l c, I) = Img(F, 0). function cnst(f, c) if c = 0 then error; if c = 1 then return f; if f = 0 or f: 1 then return f; let a = c.root in ( if else: = 0 then return cnst(f/a, c/a); if c/a = 0 then return cnst(fI—ta. c/—.a); if f/aa = f/a then return (aa A cnst(f, c/—.a)) v (a A cnst(f, 0/3)); return (—.a A cnst(f/fia, c/fia» v (a A cnst(f/a, c/a)); } Figure 2. The Constrain Operator on Shannon's canonical form. 4.3.1 Co-domain Partitioning Based Algorithm The first recursive algorithm that computes Img(F, 1) uses the operator “J.” to partition the co-domain of the vectorial function F. The algorithm is a direct application of the following theorem. Theorem 4. Let F n = [fl fn] be a Boolean vectorial function. Then: Img(F,,,1) = Img(F,,_, ififfl, I) x {0} u Img(F,l_I lfn,])x{1}. The number of recursions needed to compute Img(F, l) is bound by the number of elements of this set. Several teelmiques have been proposed to reduce this number of recursions. Vector partitioning [9] consists in splitting the vector F into several sub-vectors of functions which have disjoint supports of variables. In [6] it has been proposed to use a cache where partial results obtained during previous recursions’ are stored. However the exact marching used in [6] can be replaced by an extended matching that allows us to match any vector of k components in the cache with (kl x 2...
View Full Document

{[ snackBarMessage ]}

What students are saying

  • Left Quote Icon

    As a current student on this bumpy collegiate pathway, I stumbled upon Course Hero, where I can find study resources for nearly all my courses, get online help from tutors 24/7, and even share my old projects, papers, and lecture notes with other students.

    Student Picture

    Kiran Temple University Fox School of Business ‘17, Course Hero Intern

  • Left Quote Icon

    I cannot even describe how much Course Hero helped me this summer. It’s truly become something I can always rely on and help me. In the end, I was not only able to survive summer classes, but I was able to thrive thanks to Course Hero.

    Student Picture

    Dana University of Pennsylvania ‘17, Course Hero Intern

  • Left Quote Icon

    The ability to access any university’s resources through Course Hero proved invaluable in my case. I was behind on Tulane coursework and actually used UCLA’s materials to help me move forward and get everything together on time.

    Student Picture

    Jill Tulane University ‘16, Course Hero Intern