1 verification of fsm equivalence goal: verify that two sequential circuit implementations always...
TRANSCRIPT
1
Verification of FSM Verification of FSM EquivalenceEquivalence
GoalGoal: Verify that two sequential circuit implementations always produce the : Verify that two sequential circuit implementations always produce the same sequence of outputs given the same sequence of inputs.same sequence of outputs given the same sequence of inputs.
M2M2i1i1 out2out2
M1M1i1i1 out1out1
Note:Note: both machines are completely specified. both machines are completely specified.
Does Does out1 = out2out1 = out2 for all possible input sequences? for all possible input sequences?
2
FSM Equivalence of FSM Equivalence of the Product Machinethe Product Machine
Form the product machine:Form the product machine:
M(S,I,T,O,Init)M(S,I,T,O,Init)x = (xx = (x11,x,x22) ) present statepresent state
y = (yy = (y11,y,y22) ) next statenext state
i = ii = i11 = i = i2 2 inputinputInit(x) = (InitInit(x) = (Init11(x(x11) x Init) x Init22(x(x22)) )) initial statesinitial statesT(x,i,y) = TT(x,i,y) = T11(x(x11,i,y,i,y11) ) T2(x T2(x22,i,y,i,y22) ) transition relationtransition relation
f(x,i) = (ff(x,i) = (f11(x(x11,i) ,i) f f22(x(x22,i)) ,i)) single outputsingle output
where where denotes XNOR operation. denotes XNOR operation.
M2M2
M1M1M1xM2M1xM2
ii ff
3
Implicit State EnumerationImplicit State Enumeration
The FSM’s are The FSM’s are equivalentequivalent iff for all inputs, their outputs iff for all inputs, their outputs are identical on are identical on all reachable state pairsall reachable state pairs. .
Let Let RR be the set of all reachable state pairs. be the set of all reachable state pairs.
Equivalence is verified by the following predicate:Equivalence is verified by the following predicate:(x,i) [(x(x,i) [(x R) R) f(x,i)] f(x,i)]
EasyEasy computation with BDDs. Simply compute computation with BDDs. Simply compute+ f(x,i)+ f(x,i)
and check if this is identically 1.and check if this is identically 1.( )xR
4
Implicit State EnumerationImplicit State Enumeration
The following The following fixed pointfixed point algorithm computes the algorithm computes the set of reachable state pairs R(x) of an FSM.set of reachable state pairs R(x) of an FSM.RR00(x) = Init(x)(x) = Init(x)RRk+1k+1(x) = R(x) = Rkk(x) + [y (x) + [y x] x] x, i (Rx, i (Rkk(x) (x) T(x,i,y)) T(x,i,y))where where [y [y x] x] represents substitution of x for y. represents substitution of x for y.
The iteration terminates when RThe iteration terminates when Rk+1k+1(x) = R(x) = Rkk(x) and (x) and the the least fixed pointleast fixed point is reached. is reached.
5
Implicit FSM TraversalImplicit FSM Traversal
ImplicitImplicit enumeration of reached state set enumeration of reached state set– manipulates manipulates setset of states directly in a BFS manner of states directly in a BFS manner– exponentialexponential speed-up over explicit enumeration methods speed-up over explicit enumeration methods
(sometimes)(sometimes)– exploits the fact that the exploits the fact that the numbernumber of states does not usually of states does not usually
reflect system reflect system complexitycomplexity– implicit state enumeration may take a long time for implicit state enumeration may take a long time for
sequentially deepsequentially deep circuits e.g. those with counters circuits e.g. those with counters
one set of statesone set of statesat a time:at a time:
one stepone step
6
Finding Reachable States Finding Reachable States in an FSMin an FSM
RR00
RR00 is the set of intial states is the set of intial states
7
Finding Reachable States Finding Reachable States in an FSMin an FSM
RR00
RR11
RR11 is the set of states reachable from the is the set of states reachable from the initial states in less than or equal to one initial states in less than or equal to one steps.steps.
8
Finding Reachable States Finding Reachable States in an FSMin an FSM
RR22 is the set of states reachable from the is the set of states reachable from the initial states in less than or equal to two initial states in less than or equal to two steps.steps.
RR00
RR11
RR22
9
Finding Reachable States Finding Reachable States in an FSMin an FSM
RR00
RR11
The fixed-point iteration terminates after The fixed-point iteration terminates after finding Rfinding R44 = R = R55. .
The resultant set is the set of reachable The resultant set is the set of reachable states.states.
RR22
RR44=R=R55
10
Partial Product MethodPartial Product Method
Do not need to compute the transition Do not need to compute the transition relation T(x,i,y) relation T(x,i,y) explicitlyexplicitly as a single as a single monolithic BDD.monolithic BDD.
Can keep T(x,i,y) in Can keep T(x,i,y) in product formproduct form (called (called “partitioned translation relation”):“partitioned translation relation”):
( )1
( , ) ( , , ) ( ) ( , ) ( )k j j kj n
x i T x i y R x x i y f R x
11
Partial Product Method Partial Product Method Using ConstrainUsing Constrain
Can form the constrain with respect to RCan form the constrain with respect to Rkk(x) of each (x) of each (y(yjj f fjj) before forming the final AND. This usually ) before forming the final AND. This usually reduces the size of the final AND.reduces the size of the final AND.
The final AND operation can be decomposed into a The final AND operation can be decomposed into a balanced binary tree of Boolean ANDs. balanced binary tree of Boolean ANDs.
• intermediate variables can be quantified out as intermediate variables can be quantified out as soon as no other product depends on those soon as no other product depends on those variables.variables.
( ) ( )( )
1 1
( , ) ( ) ( , )k
j j k j j R xj n j n
x i y f R x x i y f
12
Using ConstrainUsing Constrain
Can pre-cluster groups of TCan pre-cluster groups of T jj(x(xjj,i,ijj,y,yjj) ) (defined as (defined as
(y(yjj f fjj(x(xjj,i,ijj)))))) together: together:
CCjj = = iikkjj(T(Tjj11
,...,T,...,Tjjkk))
where the iwhere the ikkjj that we can quantify out here are the ones that that we can quantify out here are the ones that
do not appear in any other Tdo not appear in any other T ii. Thus. Thus
Using constrain is a Using constrain is a bad ideabad idea since (C since (Cjj(x(xjj,i,ijj,y,yjj))))RRkk(x)(x) may result in may result in
a BDD with more variables. (a BDD with more variables. (It is better to use It is better to use RESTRICTRESTRICT).).
( ) ( )1 1
( , ) ( ) ( ) ( , , )kj j k q q q q R x
j n q p
x i y f R x x C x i y
13
Better Idea: Use RestrictBetter Idea: Use RestrictLinearly order Linearly order (heuristically)(heuristically) the C the Cjj and multiply from the right and multiply from the right
by Rby Rkk(x) one at a time, quantifying variables x(x) one at a time, quantifying variables xqq, i, iqq as soon as as soon as possible (when they appear in no other terms).possible (when they appear in no other terms).
RRi+1i+1 = R = Rii(x) + [y (x) + [y x] x] (x(xpp,i,ipp)C)Cll11(...((...((x(xqq,i,iq q )) CCllqq
PPii(x))...)(x))...)
where where PPii(x) = (x) = RESTRICTRESTRICT((RRii, ). , ).
NoteNote: here we do not care about any state in : here we do not care about any state in RRi-1i-1 since we have already since we have already
found all successor states of these.found all successor states of these.
Computation done as a Computation done as a binarybinary tree where quantification of x and i is done tree where quantification of x and i is done as soon as possibleas soon as possible::
R i 1-
Quantify all remainingvariables that appearin no other remaining
node.
CCllqqPPii(x)(x)
14
End of lecture 25End of lecture 25
15
Restrict OperatorRestrict OperatorRestrict:Restrict: 1.1. if f is independent of xif f is independent of xii then RESTRICT(f,c) is also. then RESTRICT(f,c) is also.
2.2. it does not have the other nice properties of constrain.it does not have the other nice properties of constrain.
3.3. Experiments show that restrict produces Experiments show that restrict produces smallersmaller BDDs. BDDs.
function function RESTRICTRESTRICT(f,c)(f,c)
assert(c assert(c 0) 0)
if (c = 1 or is_constant(f)) if (c = 1 or is_constant(f)) returnreturn ff
else if (celse if (cx’x’ii = 0), = 0), returnreturn RESTRICTRESTRICT(f(fxxii
,c,cxxii))
else if (celse if (cxxii = 0), = 0), returnreturn RESTRICTRESTRICT(f(fx’x’ii
,c,cx’x’ii))
else if (felse if (fxxii = f = fx’x’ii
), ), returnreturn RESTRICTRESTRICT(f(fxxii, c, cxxii
+ c + cx’x’ii))
else else returnreturn xxii RESTRICTRESTRICT(f(fxxii,c,cxxii
) +x’) +x’i i RESTRICTRESTRICT(f(fx’x’ii,c,cx’x’ii
))
16
Recursive Image MethodRecursive Image Method(R(Ri-1i-1 is the set of currently reached states and g is the is the set of currently reached states and g is the vectorvector of of
next state functions)next state functions)
The method uses CONSTRAIN: LetThe method uses CONSTRAIN: Let
g : Bg : Bnn B Bmm, g = [g, g = [g11, g, g22, ..., g, ..., gmm], and ], and
c = characteristic function of Rc = characteristic function of Ri-1i-1 . .
First stepFirst step: use the CONSTRAIN operator to form : use the CONSTRAIN operator to form f = gf = gcc = [(g = [(g11))cc, (g, (g22))cc, ..., (g, ..., (gmm))cc].].
Second stepSecond step: the range of f is determined. Let : the range of f is determined. Let RR(f) denote the (f) denote the range of the function f.range of the function f.
RRii = = RR(f)(y) = y(f)(y) = y11RR([f([f22,...,f,...,fmm]]ff11) + y’) + y’11RR([f([f22,...,f,...,fmm]]f’f’11
))
17
Explicit FSM TraversalExplicit FSM TraversalExplicitExplicit enumeration: enumeration:• process one state at a timeprocess one state at a time
– for each state, next states are enumerated one by onefor each state, next states are enumerated one by one
• complexity depends on the complexity depends on the numbernumber of of statesstates and the and the number of number of inputinput values. values.
• methods that enumerate the state space explicitly methods that enumerate the state space explicitly cannotcannot handle FSM’s with a large number of stateshandle FSM’s with a large number of states
11
22
33
44
one stateone stateat a timeat a time
firstfirst
secondsecond
thirdthird
fourthfourth
18
State enumerationState enumerationState traversal techniques are essential to:State traversal techniques are essential to:
– synthesissynthesis of sequential circuits of sequential circuits– verificationverification of sequential circuits of sequential circuits
Applications:Applications:– sequential testing sequential testing [Cho, Hachtel and Somenzi ITC ‘91][Cho, Hachtel and Somenzi ITC ‘91]– extraction of sequential don’t caresextraction of sequential don’t cares– implementation verification:implementation verification:
• checking sequential equivalence checking sequential equivalence [Coudert and Madre ICCAD ‘90][Coudert and Madre ICCAD ‘90] [Touati, Lin, Brayton and Sangiovanni ICCAD ‘90][Touati, Lin, Brayton and Sangiovanni ICCAD ‘90]
– design verification:design verification:• checking language containment of checking language containment of -regular languages -regular languages [Touati, Kurshan [Touati, Kurshan
and Brayton 1991] [HSIS system ‘94]and Brayton 1991] [HSIS system ‘94]• CTL model checking CTL model checking [Burch, Clarke, McMillan and Dill DAC ‘90] [SMV [Burch, Clarke, McMillan and Dill DAC ‘90] [SMV
(CMU ‘91), VIS (Berkeley ‘96), MOCHA (Berkeley ‘98) systems](CMU ‘91), VIS (Berkeley ‘96), MOCHA (Berkeley ‘98) systems]
19
End of this sectionEnd of this section