Presentation is loading. Please wait.

Presentation is loading. Please wait.

ECE 667 - Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Sequential Equivalence Checking.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "ECE 667 - Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Sequential Equivalence Checking."— Presentation transcript:

1

2 ECE 667 - Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Sequential Equivalence Checking

3 ECE 667 - Synthesis & Verification2 Formal Verification Deductive reasoning (theorem proving) –Uses axioms, rules to prove system correctness –No guarantee that it will terminate –Difficult, time consuming: for critical applications only Model checking –Automatic technique to prove correctness of concurrent systems: digital circuits, communication protocols, etc. –Practical tools become available, popular in industry Equivalence checking –Check if two designs are equivalent –OK for combinational circuits, unsolved for sequential systems

4 ECE 667 - Synthesis & Verification3 Why do we need Formal Verification Need for reliable hardware validation Simulation, test cannot handle all possible cases Formal verification conducts exhaustive exploration of all possible behaviors –compare to simulation, which explores some of possible behaviors –if correct, all behaviors are verified –if incorrect, a counter-example (proof) is presented Examples of successful use of formal verification –SMV system [McMillan 1993] –verification of cache coherence protocol in IEEE Futurebus+ standard

5 ECE 667 - Synthesis & Verification4 Basic Model: Finite State Machines X=(x 1,x 2,…,x n ) Y=(y 1,y 2,…,y n )  S=(s 1,s 2,…,s n ) S’=(s’ 1,s’ 2,…,s’ n ) D M(X,Y,S,S 0, , ): X: Inputs Y: Outputs S: Current State S 0 : Initial State(s)  : X  S  S (next state function)  : X  S  Y (output function) Delay element: Clocked: synchronous Unclocked: asynchronous Model sequential design as an FSM

6 ECE 667 - Synthesis & Verification5 Sequential Equivalence Checking 1 Represent each sequential circuit as an FSM –verify if two FSMs are equivalent Simplistic approach: reduction to combinational circuit –unroll each FSM over n time frames (flatten the design) –this is called a bounded model (fixed number of time frames) –also used in simulation based verification (using SAT) M(t 1 ) x(1) s(1) M(t 2 ) x(2) s(2) … … M(t n ) x(n) s(n) Combinational logic: F(x(1,2, …n), s(1,2, … n)) – check equivalence of the resulting combinational circuits – problem: the resulting circuit can be too large too handle

7 ECE 667 - Synthesis & Verification6 Sequential Equivalence Checking 2 Simplest case: compare two structurally similar FSMs –Same set of registers and state encoding –Same initial state –Register pairs match (name matching) Problem reduces to verifying equivalence of combinational logic component (CL) of the FSMs –Output functions –Next state logic CL 1  CL 2 (combinational)  FSM 1  FSM 2 (sequential)   D y1y1 M1M1 x s1s1   D y2y2 M2M2 x s2s2

8 ECE 667 - Synthesis & Verification7 Sequential Equivalence Checking 3 Another simplistic approach: based on checking isomorphism of state transition graphs (impractical) –two machines M1, M2 are equivalent if their state transition graphs (STGs) are isomorphic –perform state minimization of each machine –check if STG(M1) and STG(M2) are isomorphic  State min. 1/0 01.2 0/0 1/1 0/1 M1 min 1/0 0 1 0/0 1/1 0/1 M2 0/0 0/1 1/0 0 1 0/1 2 1/0 M1 1/1

9 ECE 667 - Synthesis & Verification8 Sequential Equivalence Checking If combinational verification paradigm fails –There is no name matching –Bounded model insufficient –No structural similarities, etc Two options: –Sequential verification based on state traversal Expensive but most general –Register matching structural register correspondence functional register correspondence

10 ECE 667 - Synthesis & Verification9 FSM Equivalence {X 1,X 2,…,X n } {1,1,…,1}  D y1y1 M1M1  D y2y2 M2M2 M 1 and M 2 are functionally equivalent iff the product machine M 1  M 2 produces a constant 1 for all valid input sequences {X 1,…,X n }. Most general approach: construct a product machine M 1  M 2 :

11 ECE 667 - Synthesis & Verification10 Sequential Verification Most general approach: symbolic (implicit) FSM traversal of the product machine M1M2 S1 S2 O2O1 X O(M) Given two FSMs: M 1 (X,S 1,  1, 1,O 1 ), M 2 (X,S 2,  2, 2,O 2 ) Create a product FSM: M = M 1  M 2 –traverse the states of M and check its output for each transition –the output O(M) =1, if outputs O 1 = O 2 –if all outputs of M are 1, M 1 and M 2 are equivalent –otherwise, an error state is reached –error trace is produced to show: M 1  M 2

12 ECE 667 - Synthesis & Verification11 Product Machine - Construction Define the product machine M(X,S, ,,O) –states, S = S 1  S 2 –next state function,  (s,x) : (S 1  S 2 )  X  (S 1  S 2 ) –output function, (s,x) : (S 1  S 2 )  X  {0,1} M1M2 11 22 2 1 X Error trace (distinguishing sequence) that leads to an error state -sequence of inputs which produces 0 at the output of M -produces a state in M for which M1 and M2 give different outputs (s,x) = 1 (s 1,x) 2 (s 2,x)  O =  1 if O 1 =O 2 0 otherwise

13 ECE 667 - Synthesis & Verification12 Construction of the Product FSM For each pair of states, s 1  M 1, s 2  M 2 –create a combined state s = (s 1. s 2 ) of M –create transitions out of this state to other states of M –label the transitions (input/output) accordingly 1/0 0 1 0/0 1/1 0/1 M1M1 M2M2 1/1 2 0 1 0/0 0/1 1/1 1/0 M1M1 0 0/1 1 M2M2 2 1/0 1 1.1 0/1 1111 1/1 0.2 0000 Output = { 1 OK 0 error

14 ECE 667 - Synthesis & Verification13 General Approach to EC miscomparing states i.e.,  1 comparing states i.e., = 1 State Space of S = M 1  M 2 Initial State S 0 R = “Good half”: r(s) = 1 (S-R) = “Bad half”: r(s) = 0 Inductive proof of equivalence: Find subset R  S with characteristic function r: S  {0,1} such that: 1. r(s 0 ) = 1 (initial state is in good half) 2. (r(s) = 1)  r (  (x,s)) = 1 (all states from good half lead go to states in good half) 3. (r(s) = 1)  (x,s) = 1 (all states in good half are comparing states) Different methods for equivalence checking differ in the way space R is computed

15 ECE 667 - Synthesis & Verification14 How Do We Obtain R? Reachability analysis (functional) –Perform state traversal until no more states can be explored Forward (from initial state) Backward (to reach initial state) Explicit (uses transition function to compute R) Symbolic (uses transition relation to compute R) Compute register correspondence (structural) –Equivalent state encoding in both machines –synthesis tool provides hint for R from sequential optimization manual register correspondence automatic register correspondence

16 ECE 667 - Synthesis & Verification15 Product FSM – Example 1 Product machine for equivalent FSMs (Hachtel, Somenzi, Fig. 7.41) Error states are unreachable !

17 ECE 667 - Synthesis & Verification16 Product FSM – Example 2 Product machine for non-equivalent FSMs (Hachtel, Somenzi, Fig. 7.45, 7.46) Error states are reachable !

18 ECE 667 - Synthesis & Verification17 Explicit FSM Traversal in Action STOP - backtrack to initial state to get error trace: x={1,1,1,0} 1/0 0 1 0/0 1/1 0/1 M1 M2 2 0 1 0/0 0/1 1/1 1/0 1.1 0/1 1/1 0/1 0.2 1/1 1.0 0/0 1/0 0/0 1.2 1/0 0.1 1/0 0/0 Out(M) State reached x=0 x=1 Error state 0.0 0/1 1/1 M Initiall states: s 1 =0, s 2 =0,s=(0.0) New 0 = (0.0) 1 1 New 1 = (1.1) 1 1 New 2 = (0.2) 1 1 New 3 = (1.0) 0 0

19 ECE 667 - Synthesis & Verification18 Symbolic FSM Traversal Explicit methods are expensive –Must evaluate all input combinations Use symbolic (implicit methods): traverse the product machine M(X,S, ,,O) –start at an initial state S 0 –iteratively compute symbolic image Img(S 0,R) (set of next states) until an error state is reached Img( S 0,R ) =  x  s S 0 (s) R(x,s,t) R =  i R i =  i (t i   i (s,x)) –transition relation R i for each next state variable t i can be computed as t i = (t   (s,x)) –this is an alternative way to compute transition relation, when design is specified at gate level, without explicitly creating a product machine.

20 ECE 667 - Synthesis & Verification19 Transition Relation Transition Relation t(s,s’) 01 x=0 x=1 Example

21 ECE 667 - Synthesis & Verification20 Image Computation - example Image of a set of states r(s): Example: 0 2 1 3 4 r(s) IMG(t,r(s)) Initial state: r(s)= (s  0)  (s  1){0,1} Transition relation: t(s,s’)= (s  0)  (s’  2)  {(0,2), (s  0)  (s’  3)  (0,3), (s  1)  (s’  3)  (1,3), (s  2)  (s’  4) (2,4)} t  r= (s  0)  (s’  2)  {(0,2), (s  0)  (s’  3)  (0,3), (s  1)  (s’  3) (1,3)}  s (r  t) = (s’  2)  (s’  3) {(2,3)} IMG( t, r ) =  s ( r(s) t(s.s’) ) Boolean notation Set notation

22 ECE 667 - Synthesis & Verification21 Forward State Traversal Algorithm TRAVERSE_FORWARD(t, ,S 0 ) { reached =  current = S 0 // start from init while (reached  (reached  current)) { // fixed point reached = reached  current // add new states next = IMG(t,current) // one trans. current = next // rename variable } return  x  ( (x,s)  reached) } Example: 0 1 3 2 4 56 Iteration:123 Reached:{0}{0,1,2}{0,1,2,3} Current:{0}{1,2}{1,2,3} Next:{1,2}{1,2,3}{0,1,2,3}

23 ECE 667 - Synthesis & Verification22 Backward State Traversal Algorithm TRAVERSE_BACKWARD(t, ,S 0 ) { reached =  current =  x.(l(x,s)=1) // start from bad while (reached  (reached  current)) { // fixed point reached = reached  current // add new states previous = PRE_IMG(t,current) // one trans. current = previous // rename variable } return (S 0  reached) } Example: 0 1 3 2 4 56 Iteration:123 Reached:{6}{4,6}{4,5,6} Current:{6}{4}{4,5} Previous: {4}{4,5}{4,5,6}

24 ECE 667 - Synthesis & Verification23 Finite State Machine (FSM) Model FSM M(X,S, ,,O) –Inputs:X –Outputs:O –States:S –Next state function,  (s,x) : S  X  S –Output function, (s,x) : S  X  OOX R  (s,x) (s,x) ss’

25 ECE 667 - Synthesis & Verification24 FSM Traversal State Transition Graphs –directed graphs with labeled nodes and arcs (transitions) –symbolic state traversal methods important for symbolic verification, state reachability analysis, FSM traversal, etc. 0/0 0/1 1/0 s0 s1 0/1 s2 1/0

26 ECE 667 - Synthesis & Verification25 Existential Quantification Existential quantification (abstraction)  x f = f | x=0 + f | x=1 Example:  x (x y + z) = y + z Note:  x f does not depend on x (smoothing) Useful in symbolic image computation (deriving sets of states)

27 ECE 667 - Synthesis & Verification26 Existential Quantification - cont’d Function can be existentially quantified w.r.to a vector: X = x 1 x 2 …  X f =  x1x2... f =  x1  x2 ... f Can be done efficiently directly on a BDD Very useful in computing sets of states –Image computation: next states –Pre-Image computation: previous states from a given set of initial states

28 ECE 667 - Synthesis & Verification27 Image Computation Computing set of next states from a given initial state (or set of states) Img( S,R ) =  u S(u) R(u,v) Img(v) R(u,v) S(u) FSM: when transitions are labeled with input predicates x, quantify w.r.to all inputs (primary inputs and state var) Img( S,R ) =  x  u S(u) R(x,u,v)

29 ECE 667 - Synthesis & Verification28 Image Computation - example Encode the states: s1=00, s2=01, s3=10, s4=11 Write transition relations for the encoded states: R = (ax’y’X’Y + a’x’y’XY’ + xy’XY + ….) a xy XY 1 00 01 0 00 10 - 10 11 ………. s1 s2 s3 s4 a a’ 00 01 10 11 Compute a set of next states from state s1

30 ECE 667 - Synthesis & Verification29 Example - cont’d Compute Image from s1 under R Img( s1,R ) =  a  xy s1(x,y) R(a,x,y,X,Y) =  a  xy (x’y’) (ax’y’X’Y + a’x’y’XY’ + xy’XY + ….) =  axy (ax’y’X’Y + a’x’y’XY’ ) = (X’Y + XY’ ) = {01, 10} = {s2, s3} Result: a set of next states for all inputs s1  {s2, s3} s1 s2 s3 s4 a a’ 00 01 10 11

31 ECE 667 - Synthesis & Verification30 Pre-Image Computation Computing a set of present states from a given next state (or set of states) Pre-Img( S’,R) =  v R(u,v) ) S’(v) S’(v) R(u,v) Pre-Img(u) Similar to Image computation, except that quantification is done w.r.to next state variables The result: a set of states backward reachable from state set S’, expressed in present state variables u Useful in computing CTL formulas: AF, EF

32 ECE 667 - Synthesis & Verification31 Register Correspondence Find registers in product machine that implement identical or complemented function –these are matching registers in the two machines under comparison –BUT: might be more, we may have redundant registers Definition: A register correspondence: RC  S x S is an equivalence relation in the set of registers S (This definition includes only identical functions, it can be extended to also include complemented functions) A register correspondence can be used as a candidate for R: r(s) =   (s i,s j )  RC (s i  s j )

33 ECE 667 - Synthesis & Verification32 Functional Register Correspondence Algorithm REGISTER_CORRESPONDENCE { RC’ = {(s i,s j ) | s i 0 = s j 0 } // start with registers with do { // identical initial states RC = RC’ r(s) = P  (si,sj)  (s i  s j ) RC’ = {(s i,s j ) | (s i,s j )  RC  d i (x,s)=d j (x,s)  r(s)} } while (RC’  RC) return RC } In essence: the algorithm starts with an initial partitioning with two equivalence classes, one for each initial value the algorithm computes iteratively the next state function, assuming that the RC is correct - if yes, fixed point is reached and RC returned - if no, split equivalence classes along the miscompares

34 ECE 667 - Synthesis & Verification33 Functional Register Correspondence - Example s 1 1 = x  v s 1 4 = x  v v1v1  s 1 2 =  v s 1 3 =  v s 1 5 =  v v2v2 s 2 1 = x  v 1 s 2 4 = x  v 1 v1v1  s 2 2 =  v 1 v 2 ) s 2 3 =  v 1 v 2 ) s 2 5 =  v 1 v 2 ) v2v2 Result: {s 1,s 4 }, {s 2,s 3,s 5 } Once s 3 =s 5 is proven, outputs are sequentially equivalent x s1s1 1 1 0 s2s2 s3s3 y1y1 y2y2 s 0 2 =0 s 0 1 =1  s 0 2 =1 s 0 3 =1 s 0 4 =1 s 0 5 =1 v Use new variable for each class 1 1 s4s4 s5s5

35 ECE 667 - Synthesis & Verification34 Functional Signal Correspondence – Example (van Eijk, TCAD 200) Equivalence classes: { {f 1 }, {f 2 }, {f 3,f 6 }, {f 4,f 7 }, {f 5 } }

36 ECE 667 - Synthesis & Verification35 Problems with Functional Register Correspondence In case of miscomparing designs –effect of miscomparing cone may ripple through entire algorithm and split all equivalence classes until they contain only single registers –difficult to debug since no hint of error location Solution: –relaxation of equivalence criteria e.g. structural register correspondence algorithm based on support set of registers combined techniques with name mapping, functional/structural criteria

Download ppt "ECE 667 - Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Sequential Equivalence Checking."

Similar presentations

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.

Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
Types of Logic Circuits

Types of Logic Circuits
Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.

Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Timed Automata.

Timed Automata.
ECE 667 - Synthesis & Verification 1 ECE 667 Synthesis and Verification of Digital Systems Formal Verification Combinational Equivalence Checking.

ECE Synthesis & Verification 1 ECE 667 Synthesis and Verification of Digital Systems Formal Verification Combinational Equivalence Checking.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.
SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University.

 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University.
ECE 331 – Digital System Design

ECE 331 – Digital System Design
1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.

1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.
Spring 07, Feb 6 ELEC 7770: Advanced VLSI Design (Agrawal) 1 ELEC 7770 Advanced VLSI Design Spring 2007 Verification Vishwani D. Agrawal James J. Danaher.

Spring 07, Feb 6 ELEC 7770: Advanced VLSI Design (Agrawal) 1 ELEC 7770 Advanced VLSI Design Spring 2007 Verification Vishwani D. Agrawal James J. Danaher.
ECE 667 - Synthesis & Verification - Lecture 8 1 ECE 697B (667) Spring 2006 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Circuits Introduction.

ECE Synthesis & Verification - Lecture 8 1 ECE 697B (667) Spring 2006 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Circuits Introduction.

Similar presentations

Ads by Google