Published by Ευαδνη Σπηλιωτόπουλος. Modified over 5 years ago.
Slide 1: ECE 667 Synthesis and Verification of Digital Systems
Formal Verification: Sequential Equivalence Checking
ECE Synthesis & Verification, ECE 667, Spring 2011 (slides printed 9/12/2019)
Slide 2: Formal Verification
Deductive reasoning (theorem proving):
- uses axioms and inference rules to prove system correctness
- no guarantee that the proof process terminates
- difficult and time consuming: for critical applications only
Model checking:
- automatic technique to prove correctness of concurrent systems: digital circuits, communication protocols, etc.
- practical tools have become available and are popular in industry
Equivalence checking:
- checks whether two designs are equivalent
- well handled for combinational circuits, still unsolved in general for sequential systems
Slide 3: Why do we need Formal Verification
- Need for reliable hardware validation: simulation and testing cannot handle all possible cases.
- Formal verification conducts an exhaustive exploration of all possible behaviors (compare to simulation, which explores only some of the possible behaviors):
  - if the design is correct, all behaviors are verified
  - if it is incorrect, a counter-example (proof) is presented
- Example of successful use of formal verification: the SMV system [McMillan 1993], used to verify the cache coherence protocol in the IEEE Futurebus+ standard.
Slide 4: Basic Model: Finite State Machines
Model a sequential design as an FSM M(X, Y, S, S0, δ, λ):
- X = (x1, x2, ..., xn): inputs
- Y = (y1, y2, ..., yn): outputs
- S = (s1, s2, ..., sn): current state; S' = (s'1, s'2, ..., s'n): next state
- S0: initial state(s)
- δ: X × S → S (next state function)
- λ: X × S → Y (output function)
Delay element D: clocked (synchronous) or unclocked (asynchronous).
Slide 5: Sequential Equivalence Checking 1
Represent each sequential circuit as an FSM and verify whether the two FSMs are equivalent.
Simplistic approach: reduction to a combinational circuit:
- unroll each FSM over n time frames (flatten the design); this is called a bounded model (fixed number of time frames) and is also used in simulation-based verification (using SAT)
- the time frames M(t1), M(t2), ..., M(tn), with inputs x(1), x(2), ..., x(n) and states s(1), s(2), ..., s(n), form the combinational logic F(x(1,2,...,n), s(1,2,...,n))
- check equivalence of the resulting combinational circuits
- problem: the resulting circuit can be too large to handle
Slide 6: Sequential Equivalence Checking 2
Simplest case: compare two structurally similar FSMs:
- same set of registers and state encoding
- same initial state
- register pairs match (name matching)
The problem reduces to verifying equivalence of the combinational logic components (CL1, CL2) of the FSMs: the output functions and the next state logic.
(Figure: FSM1 is CL1 with delay element D, input x, state s1 and output y1; FSM2 is CL2 with delay element D, input x, state s2 and output y2.)
Slide 7: Sequential Equivalence Checking 3
Another simplistic approach, based on checking isomorphism of state transition graphs (impractical):
- two machines M1, M2 are equivalent if their state transition graphs (STGs) are isomorphic
- perform state minimization of each machine
- check whether STG(M1) and STG(M2) are isomorphic
(Figure: M1 with states 1 and 2 is minimized to M1min with the merged state 1.2, which is then compared with M2; arcs are labeled input/output.)
Slide 8: Sequential Equivalence Checking
If the combinational verification paradigm fails (there is no name matching, the bounded model is insufficient, there are no structural similarities, etc.), there are two options:
- sequential verification based on state traversal: expensive but most general
- register matching: structural register correspondence or functional register correspondence
Slide 9: FSM Equivalence
Most general approach: construct a product machine M1 × M2.
(Figure: M1 and M2, each with its delay element D, are driven by the same inputs {X1, X2, ..., Xn}; their outputs y1 and y2 are compared and the expected result is {1, 1, ..., 1}.)
M1 and M2 are functionally equivalent iff the product machine M1 × M2 produces a constant 1 for all valid input sequences {X1, ..., Xn}.
Slide 10: Sequential Verification
Most general approach: symbolic (implicit) FSM traversal of the product machine.
- Given two FSMs M1(X, S1, δ1, λ1, O1) and M2(X, S2, δ2, λ2, O2), create the product FSM M = M1 × M2.
- Traverse the states of M and check its output for each transition: the output O(M) = 1 if the outputs O1 = O2.
- If all outputs of M are 1, M1 and M2 are equivalent.
- Otherwise an error state is reached, and an error trace is produced to show it.
(Figure: M1 and M2 share the input X, have states S1 and S2, and their outputs O1 and O2 are compared to produce O(M).)
Slide 11: Product Machine - Construction
Define the product machine M(X, S, δ, λ, O):
- states: S = S1 × S2
- next state function δ(s,x): (S1 × S2) × X → (S1 × S2), with δ(s,x) = (δ1(s1,x), δ2(s2,x))
- output function λ(s,x): (S1 × S2) × X → {0,1}, with O = 1 if O1 = O2 and O = 0 otherwise
(Figure: M1 and M2 driven by the same input X, with next state functions δ1, δ2 and output functions λ1, λ2.)
Error trace (distinguishing sequence) that leads to an error state: a sequence of inputs that produces 0 at the output of M, i.e. that produces a state in M for which M1 and M2 give different outputs.
Slide 12: Construction of the Product FSM
For each pair of states s1 ∈ M1, s2 ∈ M2:
- create a combined state s = (s1.s2) of M
- create transitions out of this state to other states of M
- label the transitions (input/output) accordingly, where output = 1 means OK and output = 0 means error
(Figure: M1 with states 1 and 2, M2 with states 1 and 2, and the resulting product machine with combined states such as 1.1 and 0.2; arcs are labeled input/output.)
Slide 13: Product FSM – Example 1
Product machine for equivalent FSMs (Hachtel, Somenzi, Fig. 7.41): the error states are unreachable, so the machines are equivalent.
Slide 14: Product FSM – Example 2
Product machine for non-equivalent FSMs (Hachtel, Somenzi, Fig. 7.45, 7.46): the product machine contains good states and error states; the error states are reachable, so the machines are NOT equivalent.
Slide 15: Explicit FSM Traversal in Action
(Figure: M1 with states 0 and 1, M2 with states 0, 1 and 2; arcs are labeled input/output.)
Initial states: s1 = 0, s2 = 0, so the product state is s = (0.0).
The product machine M is explored breadth-first, recording Out(M) and the state reached for x = 0 and x = 1 from each state:
- New 0 = (0.0)
- New 1 = (1.1)
- New 2 = (0.2)
- New 3 = (1.0): error state
STOP; backtrack to the initial state to get the error trace: x = {1, 1, 1, 0}.
Slide 16: Explicit FSM Traversal
Breadth-first search (BFS) procedure on a product machine (procedure shown on the slide).
Slide 17: Explicit FSM Traversal
Error trace computation (procedure shown on the slide).
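The explicit product-machine traversal of slides 11 to 17, as an added example that is not part of the original slides: two small Mealy machines (constructed here, not the ones drawn on slide 15) are composed into a product machine on the fly, explored breadth-first, and when a transition produces differing outputs the BFS predecessor links are backtracked to the initial state to recover the error trace (distinguishing sequence).

```python
from collections import deque

# Mealy machines as dicts: (state, input) -> (next_state, output).
# Constructed example, not from the slides: M1 and M2 behave alike until
# M2 enters state 'c', where it answers input 0 with output 0 instead of 1.
M1 = {('p', 0): ('p', 0), ('p', 1): ('q', 0),
      ('q', 0): ('p', 1), ('q', 1): ('q', 0)}
M2 = {('a', 0): ('a', 0), ('a', 1): ('b', 0),
      ('b', 0): ('a', 1), ('b', 1): ('c', 0),
      ('c', 0): ('a', 0), ('c', 1): ('c', 0)}

def product_step(m1, m2, s, x):
    """One transition of the product machine M = M1 x M2 from the state
    pair s under input x. Output is 1 when M1 and M2 agree, 0 on error."""
    (n1, o1), (n2, o2) = m1[(s[0], x)], m2[(s[1], x)]
    return (n1, n2), int(o1 == o2)

def check_equivalence(m1, m2, init, inputs=(0, 1)):
    """Explicit BFS over the product machine from the initial state pair.
    Returns (True, None) if no error state is reachable, otherwise
    (False, trace) where trace is a distinguishing input sequence."""
    parent = {init: None}        # reached set plus BFS predecessor links
    queue = deque([init])
    while queue:
        s = queue.popleft()
        for x in inputs:
            t, out = product_step(m1, m2, s, x)
            if out == 0:         # outputs differ: error transition found
                trace = [x]
                while parent[s] is not None:   # backtrack to the initial state
                    s, x_prev = parent[s]
                    trace.append(x_prev)
                return False, trace[::-1]
            if t not in parent:  # new state: add to reached, explore later
                parent[t] = (s, x)
                queue.append(t)
    return True, None

def run(m, s, seq):
    """Output sequence of machine m from state s on input sequence seq
    (used to confirm that an error trace really distinguishes M1, M2)."""
    outs = []
    for x in seq:
        s, o = m[(s, x)]
        outs.append(o)
    return outs

if __name__ == "__main__":
    ok, trace = check_equivalence(M1, M2, ('p', 'a'))
    print(ok, trace, run(M1, 'p', trace), run(M2, 'a', trace))
```

Because the BFS stops at the first error transition, the trace it returns is a shortest distinguishing sequence; replaying it through both machines with run() shows the outputs diverging only at the last step.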
Slide 18: Symbolic FSM Traversal
Explicit methods are expensive: all input combinations must be evaluated.
Use symbolic (implicit) methods instead:
- traverse the product machine M(X, S, δ, λ, O)
- start at an initial state S0
- iteratively compute the symbolic image Img(S0, R) (the set of next states) until an error state is reached:
  Img(S0, R) = ∃x ∃s S0(s) • R(x,s,t)
- transition relation: R = ∏i Ri = ∏i (ti ≡ δi(s,x)); the relation Ri for each next state variable ti can be computed as Ri = (ti ≡ δi(s,x))
- this is an alternative way to compute the transition relation when the design is specified at gate level, without explicitly creating a product machine.
Slide 19: Transition Relation
t(s,s') – characteristic function of the transitions (figure: Example 1, an STG with arcs for x = 0 and x = 1 and the corresponding relation).
Slide 20: Image Computation - example
Image of a set of states r(s), in Boolean notation and in set notation:
IMG(t, r) = ∃s (r(s) • t(s,s'))
Initial states: r(s) = (s=0) + (s=1), i.e. {0, 1}
Transition relation: t(s,s') = (s=0)(s'=2) + (s=0)(s'=3) + (s=1)(s'=3) + (s=2)(s'=4), i.e. {(0,2), (0,3), (1,3), (2,4)}
t • r = (s=0)(s'=2) + (s=0)(s'=3) + (s=1)(s'=3), i.e. {(0,2), (0,3), (1,3)}
∃s (r • t) = (s'=2) + (s'=3), i.e. {2, 3}
(Figure: STG with states 0 to 4; r(s) = {0, 1} and IMG(t, r(s)) = {2, 3} are highlighted.)
Slide 21: Forward State Traversal
Algorithm TRAVERSE_FORWARD(t, λ, S0) {
  reached = current = S0                 // start from the initial states
  do {
    reached = reached ∪ current          // add new states
    next = IMG(t, current)               // one transition
    current = next                       // rename variables
  } while (reached ≠ (reached ∪ current))   // until a fixed point
  return ∀x ∀s (reached(s) → λ(x,s) = 1)    // every reachable state outputs 1
}
Example (figure: STG with states 0 to 6):
Iteration    1        2            3
Reached:     {0}      {0,1,2}      {0,1,2,3}
Current:     {0}      {1,2}        {1,2,3}
Next:        {1,2}    {1,2,3}      {0,1,2,3}
Slide 22: Backward State Traversal
Algorithm TRAVERSE_BACKWARD(t, λ, S0) {
  reached = current = ∃x. ¬(λ(x,s) = 1)   // start from the bad states
  do {
    reached = reached ∪ current            // add new states
    previous = PRE_IMG(t, current)         // one transition backwards
    current = previous                     // rename variables
  } while (reached ≠ (reached ∪ current))  // until a fixed point
  return (S0 ∩ reached)                    // nonempty: a bad state is reachable from S0
}
Example (figure: STG with states 0 to 6):
Iteration    1      2        3
Reached:     {6}    {4,6}    {4,5,6}
Current:     {6}    {4}      {4,5}
Previous:    {4}    {4,5}    {4,5,6}
Slide 23: Implicit State Traversal, Another Look
Product machine M(X, S, δ, λ, O):
- inputs: X
- outputs: O
- states: S
- next state function δ(s,x): S × X → S
- output function λ(s,x): S × X → O
(Figure: register R holding present state s and next state s', with the δ(s,x) and λ(s,x) blocks.)
Slide 24: FSM Traversal, State Transition Graphs
- directed graphs with labeled nodes (states) and arcs (transitions)
- symbolic state traversal methods are important for symbolic verification, state reachability analysis, FSM traversal, etc.
(Figure: STG with states s0, s1, s2 and arcs labeled 0/1, 1/0, 0/0.)
Slide 25: Existential Quantification
Existential quantification (abstraction): ∃x f = f|x=0 + f|x=1
Example: ∃x (xy + z) = y + z
Note: ∃x f does not depend on x (smoothing).
Useful in symbolic image computation (deriving sets of states).
Slide 26: Existential Quantification - cont'd
A function can be existentially quantified w.r.t. a vector X = x1 x2 ...: ∃X f = ∃x1x2... f = ∃x1 ∃x2 ... f
- can be done efficiently directly on a BDD
- very useful in computing sets of states from a given set of initial states: image computation (next states) and pre-image computation (previous states)
Slide 27: Image Computation
Computing the set of next states from a given initial state (or set of states): Img(S, R) = ∃u S(u) • R(u,v)
(Figure: S(u) mapped through R(u,v) onto Img(v).)
For an FSM whose transitions are labeled with input predicates x, quantify w.r.t. all inputs (primary inputs and state variables): Img(S, R) = ∃x ∃u S(u) • R(x,u,v)
Slide 28: Image Computation - example
Compute the set of next states from state s1.
Encode the states: s1 = 00, s2 = 01, s3 = 10, s4 = 11 (present state variables xy, next state variables XY, input a).
Write the transition relation for the encoded states: R = (a x'y' X'Y + a' x'y' X Y' + x y' X Y + ...)
(Figure: STG with states s1 to s4; s1 goes to s2 under a and to s3 under a'.)
Slide 29: Example - cont'd
Compute the image from s1 under R:
Img(s1, R) = ∃a ∃xy s1(x,y) • R(a,x,y,X,Y)
= ∃a ∃xy (x'y') • (a x'y' X'Y + a' x'y' X Y' + x y' X Y + ...)
= ∃a ∃xy (a x'y' X'Y + a' x'y' X Y')
= (X'Y + XY') = {01, 10} = {s2, s3}
Result: the set of next states from s1 for all inputs: s1 → {s2, s3}.
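The quantification-based image and pre-image computation of slides 25 to 30, as an added example that is not part of the original slides: Boolean functions are plain callables, ∃x f is implemented as f|x=0 + f|x=1, and the encoded relation of slide 28 is used to reproduce Img(s1, R) = {01, 10}. The slide leaves the rest of R as "...", so the extra term s2 → s1 below is an assumption made here for illustration.

```python
from itertools import product

# Boolean functions are Python callables over a dict {variable: 0/1}.
# Transition relation built from the slide's partial
# R = a x'y' X'Y + a' x'y' X Y' + x y' X Y + ...  (present state xy, next
# state XY, input a). The slide's "..." is not given, so one extra term
# is assumed here for illustration: s2=01 -> s1=00 on any input (x'y X'Y').
def R(v):
    a, x, y, X, Y = v['a'], v['x'], v['y'], v['X'], v['Y']
    return int((a and not x and not y and not X and Y)         # s1 -a-> s2
               or (not a and not x and not y and X and not Y)  # s1 -a'-> s3
               or (x and not y and X and Y)                    # s3 -> s4
               or (not x and y and not X and not Y))           # s2 -> s1 (assumed)

def cofactor(f, var, val):
    """Cofactor f|var=val: fix one variable of f."""
    return lambda v: f({**v, var: val})

def exists(f, var):
    """Existential quantification (smoothing): ∃var f = f|var=0 + f|var=1."""
    return lambda v: int(cofactor(f, var, 0)(v) or cofactor(f, var, 1)(v))

def exists_all(f, variables):
    """∃X f = ∃x1 ∃x2 ... f for a vector of variables."""
    for var in variables:
        f = exists(f, var)
    return f

def states_of(f, state_vars):
    """Enumerate the encodings of state_vars on which f is 1,
    returned as bit strings such as '01'."""
    return {''.join(map(str, bits))
            for bits in product((0, 1), repeat=len(state_vars))
            if f(dict(zip(state_vars, bits)))}

def image(present):
    """Img(S,R) = ∃a ∃xy S(x,y) • R(a,x,y,X,Y): next states of one encoded
    present state (e.g. '00' for s1) under all inputs a."""
    x0, y0 = (int(b) for b in present)
    S = lambda v: int(v['x'] == x0 and v['y'] == y0)
    f = exists_all(lambda v: S(v) and R(v), ('a', 'x', 'y'))
    return states_of(f, ('X', 'Y'))

def pre_image(nxt):
    """Pre-Img(S',R) = ∃a ∃XY R(a,x,y,X,Y) • S'(X,Y): present states that
    reach the encoded next state in one transition (quantify next-state vars)."""
    X0, Y0 = (int(b) for b in nxt)
    S1 = lambda v: int(v['X'] == X0 and v['Y'] == Y0)
    f = exists_all(lambda v: R(v) and S1(v), ('a', 'X', 'Y'))
    return states_of(f, ('x', 'y'))
```

Calling image('00') returns {'01', '10'}, i.e. {s2, s3} as on the slide; pre_image('11') returns {'10'} because only the x y' X Y term enters s4.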
Slide 30: Pre-Image Computation
Computing the set of present states from a given next state (or set of states): Pre-Img(S', R) = ∃v R(u,v) • S'(v)
(Figure: S'(v) mapped backwards through R(u,v) onto Pre-Img(u).)
- similar to image computation, except that quantification is done w.r.t. the next state variables
- the result is the set of states backward reachable from the state set S', expressed in present state variables u
- useful in computing CTL formulas: AF, EF