4/21/2005JHJ1 Structure-dependent Sequential Equivalence Checking EE290A UC Berkeley Spring 2005

2 Outline Introduction Discovering hidden similarities Signal correspondence Functional dependency Relational dependency Reachability analysis under similarities Retiming for verification On-the-fly state re-encoding On-the-fly reduction using functional dependency Design for verifiability C-1-D equivalence Conclusions

3 Outline Introduction Discovering hidden similarities Signal correspondence Functional dependency Relational dependency Reachability analysis under similarities Retiming for verification On-the-fly state re-encoding On-the-fly reduction using functional dependency Design for verifiability C-1-D equivalence Conclusions

4 Introduction Bridge the complexity gap between sequential and combinational equivalence checking Detect hidden similarities  Designs to be checked are often similar in circuit structures If the relation between state encodings is known, equivalence checking can be done combinationally PSPACE-complete to NP-complete  Similarities can be captured by signal correspondence, functional dependency, relational dependency, etc. Take advantage of similarities  Simplify circuit  Simplify reachability analysis

5 Outline Introduction Discovering hidden similarities Signal correspondence Functional dependency Relational dependency Reachability analysis under similarities Retiming for verification On-the-fly state re-encoding On-the-fly reduction using functional dependency Design for verifiability C-1-D equivalence Conclusions

6 Hidden similarities in transition systems Signal correspondence Two points of a sequential circuit are corresponding signals if their valuations are the same (or complement to each other) under any input sequence Functional dependency A signal x functionally depends on a set S of other signals if the valuation of x can be expressed as a function over S under any input sequence Relational dependency Two sets S 1 and S 2 of signals are related if the valuations of one set can be inferred from those of the other

7 Usefulness of similarities Simplify circuits Compact BDD representation Reduce search space for SAT-based verification

8 Similarity - signal correspondence Exact signal correspondence Computationally hard k-inductive signal correspondence Computationally easy for small k Only subset of signal correspondence

9 Signal correspondence Detect equivalent state variables in an over-approximated state space by a least fixed-point computation [van Eijk 95] Example [Kuehlmann] s 1 = x  v 1 v1v1 s 2 =  v 1 v 2 ) s 3 =  v 1 v 2 ) v2v2 s 1 =1 s 2 =1 s 3 =1 v s 1 = x  v v1v1 s 2 =  v s 3 =  v v2v2 Result: {s 1 }, {s 2,s 3 } x s1s s2s2 s3s3

10 Signal correspondence Weakness Signal correspondence is a very limited form of functional dependency  In very few cases, can prove sequential equivalence by signal correspondence Not sufficient to prove equivalence under retiming How to characterize a more general form of functional dependency by a fixed-point computation (w/o reachability analysis)?

11 Similarity - functional dependency Maximum functional dependency Not unique Computationally hard k-inductive functional dependency Computationally easier

12 Functional dependency Assume transition systems are described with transition functions rather than transition relations Conclude functional dependency directly from transition functions Define combinational dependency Extend to sequential dependency

13 Combinational dependency Given two vectors of Boolean functions f and g over the same domain B n, f functionally depends on g if there exists some function  such that f ( · ) =  ( g ( · ) ). f is the vector of (functional) dependents g is the vector of (functional) independents  is the vector of dependency functions (f, g,  ) is the dependency triplet A necessary and sufficient condition: f (a)  f (b)  g (a)  g (b), for all a,b  B n (In other words, g is more distinguishing than f over the domain.) Problem statement Given a vector of functions h, we are asked to partition h into two sub-vectors f and g such that (f, g,  ) forms a dependency triplet with |g| minimized

14 Combinational dependency Search candidates of dependents and independents Lemma. Given two functional vectors f and g, g is more distinguishing than f only if the support set of f is contained by that of g.  A variable x is a support of a functional vector f = (f 1, …,f n ) if there exists i such that f i | x = 0 xnor f i | x = 1 is not a tautology Compute  in f =  (g)

15 Combinational dependency

16 Sequential dependency Extend combinational dependency for state transition systems Find invariant  such that s dep =  (s ind ) and  dep =  (  ind ) where s represents the set of state variable and  represents the set of transition functions. Two approaches to computing fixed points Greatest fixed-point (gfp); least fixed-point (lfp)

17 Backward sequential dependency Greatest fixed-point (gfp) computation Initially, all state variables are distinct. In each iteration, compute the combinational dependency among independent state variables from the previous iteration.

18 Forward sequential dependency Least fixed-point (lfp) computation Initially, select one state var as the representative.  (0) is determined by initial state information. In each iteration of computing functional dependency, try to reuse  ’ s from the previous iteration. If restrict  ’ s to be identity functions, the computation reduces to detecting signal correspondences.

19 Functional dependency Caveat: Dependency may not hold for initial states I which have no predecessor states For verification – use the successor states of I as the new initial state set For logic synthesis – localize conflicting state variables and declare them as independent state variables

20 Functional dependency - experiments Dependency in original FSM CircuitRegSignal CorrespondenceSequential Dependency GfpSequential Dependency Lfp Indp.Iter.MbsecIndp.Iter.MbsecIndp.Iter.Mbsec s298-rt s526n-rt s838-rt s991-rt mult16a-rt tbk-rt s s s s s

21 Functional dependency - experiments Dependency in product FSM CircuitRegSignal CorrespondenceSequential Dependency GfpSequential Dependency Lfp Indp.Iter.MbsecIndp.Iter.MbsecIndp.Iter.Mbsec s s s s s s s526n s s s mult16a tbk

22 Functional dependency - summary Characterize stronger invariants than signal correspondence In principle, can prove sequential equivalence under retiming transformation  However, may not find the right dependency in practice Computationally harder than signal correspondence but still practical Refinement relation instead of equivalence relation

23 Similarity - relational dependency Exact relational dependency Computationally hard Equivalent to reachability analysis Inductive relational dependency How?

24 Improving inductive approaches Inductive characterization of S.C. and F.D. Base case: Init(s)  Prop(s) Inductive case: Prop(s)  Trans(s,t)  Prop(t) (where Prop could be S.C., F.D., or even other properties) Strengthening induction hypothesis Over transition Base case: Init(s 1 )  Trans(s 1,s 2 )  …  Trans(s k-1,s k )  Prop(s 1 )  …  Prop(s k ) Inductive case: Prop(s 1 )  …  Prop(s k )  Trans(s 1,s 2 )  …  Trans(s k,s k+1 )  Prop(s k+1 ) Over property Reachability analysis! P. Bjesse, K. Claessen: SAT-Based Verification without State Space Traversal. FMCAD 2000:

25 Outline Introduction Discovering hidden similarities Signal correspondence Functional dependency Relational dependency Reachability analysis under similarities Retiming for verification On-the-fly state re-encoding On-the-fly reduction using functional dependency Design for verifiability C-1-D equivalence Conclusions

26 Reachability analysis under similarities Compact state space by removing redundancies Available techniques Retiming State re-encoding Variable dependency Functional dependency …

27 Reduction by retiming Use retiming to reduce state variables or ease reachability analysis Allow negative registers (peripheral retiming) Special subset of functional dependency limited to circuit structures No dependency can be discovered between different designs Only static reduction A. Kuehlmann & J. Baumgartner. Transformation-based verification using generalized retiming. CAV 2001.

28 Reduction by incremental re-encoding Transform one FSM to another by incremental re- encoding Two designs must be similar up to a 1-to-1 mapping between equivalent states S. Quer, et al. Verification of similar FSMs by mixing incremental re-encoding, reachability analysis, and combinational check. Formal Methods in System Design, vol. 17, pages , 2000.

29 Reduction by variable dependency Problem formulation [Berthet et al. 90] Given a characteristic function F(x 1,x 2, …, x n ), compute a minimal set of irredundant (independent) variables  Variable x i is redundant if its valuation can be inferred by a function over other variables Solution - functional deduction [Brown 03] Variable x i is redundant in F if and only if F| x i = 0  F| x i = 1 = false  Example F = abc   a  c {a, b} is a minimal independent set with  c = a a dependency function Embed variable dependency in reachability analysis Weakness: detect dependency after every image computation of a reachability analysis

30 Reduction by functional dependency Static reduction Compute functional dependency (with gfp and/or lfp) before a reachability analysis Dynamic reduction Compute functional dependency before every image computation of a reachability analysis

31 Reduction by functional dependency - experiments On-the-fly reduction CircuitIter.Reach. Analysis w/o Dep. ReductionReach. Analysis w Dep. Reduction Peak (bdd nodes) Reached (bdd nodes) MbsecPeak (bdd nodes) Reached (bdd nodes) Mbsec s ,819,30116,158, ,843,83710,746, s ,527,781248, ,0068, s53782N/A >2GN/A1,151,439113, s ,842,8899,961, ,667,0766,356, ,663,7491,701, ,830,6021,338,

32 Outline Introduction Discovering hidden similarities Signal correspondence Functional dependency Relational dependency Reachability analysis under similarities Retiming for verification On-the-fly state re-encoding On-the-fly reduction using functional dependency Design for verifiability C-1-D equivalence Conclusions

33 Design for verifiability Complete-1-distinguishability If any state of a specification FSM M 1 can be distinguished from others with a length-1 input sequence, then its corresponding equivalence class of an implementation FSM M 2 can be found using a mapping induced by 1-equivalence between the states of the two FSMs.  Expose a subset of registers as pseudo-primary outputs to enforce the C-1-D property One-step equivalence checking (solely depends on output functions if reachable states are known) P. Ashar, A. Gupta, S. Malik: Using complete-1-distinguishability for FSM equivalence checking. ICCAD 1996:

34 Design for verifiability Boundary-preserving retiming and resynthesis Protect some signals intact under RnR transformation  E.g. expose the signals as pseudo-primary outputs Corresponding signals exist for combinational equivalence checking

35 Outline Introduction Discovering hidden similarities Signal correspondence Functional dependency Relational dependency Reachability analysis under similarities Retiming for verification On-the-fly state re-encoding On-the-fly reduction using functional dependency Design for verifiability C-1-D equivalence Conclusions

36 Conclusions Bridging the gap between sequential and combinational EC by exploiting hidden similarities Extract similarities:  Generalization from signal correspondence to functional dependency  How about from functional to relational dependency? Accelerate reachability analysis:  Using similarities to compact state space, simplify BDD representation, and prune search space for SAT