structure-dependent sequential equivalence checking
Structure-dependent Sequential Equivalence Checking. EE290A UC Berkeley Spring 2005.
4/21/2005 JHJ 1
Structure-dependent Sequential Equivalence Checking
EE290A
UC Berkeley
Spring 2005
2
Outline
Introduction
Discovering hidden similarities
  Signal correspondence
  Functional dependency
  Relational dependency
Reachability analysis under similarities
  Retiming for verification
  On-the-fly state re-encoding
  On-the-fly reduction using functional dependency
Design for verifiability
  C-1-D equivalence
Conclusions
4
Introduction
Bridge the complexity gap between sequential and combinational equivalence checking
Detect hidden similarities
  Designs to be checked are often similar in circuit structures
  If the relation between state encodings is known, equivalence checking can be done combinationally
    PSPACE-complete to NP-complete
  Similarities can be captured by signal correspondence, functional dependency, relational dependency, etc.
Take advantage of similarities
  Simplify circuit
  Simplify reachability analysis
6
Hidden similarities in transition systems
Signal correspondence
  Two points of a sequential circuit are corresponding signals if their valuations are the same (or complements of each other) under any input sequence
Functional dependency
  A signal x functionally depends on a set S of other signals if the valuation of x can be expressed as a function over S under any input sequence
Relational dependency
  Two sets S1 and S2 of signals are related if the valuations of one set can be inferred from those of the other
7
Usefulness of similarities
Simplify circuits
Compact BDD representation
Reduce search space for SAT-based verification
8
Similarity - signal correspondence
Exact signal correspondence
  Computationally hard
k-inductive signal correspondence
  Computationally easy for small k
  Only subset of signal correspondence
9
Signal correspondence
Detect equivalent state variables in an over-approximated state space by a least fixed-point computation [van Eijk 95]
Example [Kuehlmann]
[Figure: example circuit with input x, state variables s1, s2, s3 and signals v1, v2; initial state s1=1, s2=1, s3=1]
Result: {s1}, {s2,s3}
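Added example (not from the slides): a brute-force version of the fixed-point refinement described above, run on a constructed three-register circuit. The function name, the circuit and its next-state functions are assumptions made for illustration, and only equality (not complement) correspondence is checked.

```python
from itertools import product

def signal_correspondence(init, next_fns, n_inputs):
    """Partition registers into classes of corresponding (always-equal) signals.

    init: register -> initial bit; next_fns: register -> f(state_dict, inputs).
    """
    regs = sorted(init)
    # Coarsest guess: registers with equal initial values correspond.
    classes = [c for c in ([r for r in regs if init[r] == v] for v in (0, 1)) if c]
    while True:
        # Over-approximated state space: every state in which the registers of
        # each class agree (no reachability analysis is performed).
        assumed = [dict(zip(regs, bits)) for bits in product((0, 1), repeat=len(regs))]
        assumed = [s for s in assumed
                   if all(s[c[0]] == s[r] for c in classes for r in c)]
        refined = []
        for cls in classes:
            groups = {}
            for r in cls:
                # Signature: next-state value on every assumed state and input.
                sig = tuple(next_fns[r](s, xs) for s in assumed
                            for xs in product((0, 1), repeat=n_inputs))
                groups.setdefault(sig, []).append(r)
            refined.extend(groups.values())
        if refined == classes:      # fixed point: the correspondence is inductive
            return classes
        classes = refined

# Constructed circuit (not the slide's example): input x, registers s1..s3, all reset to 1.
SAMPLE_INIT = {"s1": 1, "s2": 1, "s3": 1}
SAMPLE_NEXT = {
    "s1": lambda s, x: x[0] & s["s2"],
    "s2": lambda s, x: s["s1"] | s["s2"],
    "s3": lambda s, x: s["s1"] | s["s3"],
}

if __name__ == "__main__":
    print(signal_correspondence(SAMPLE_INIT, SAMPLE_NEXT, n_inputs=1))
```

The first pass splits s1 from the rest; the second pass confirms that s2 and s3 stay equal whenever they start equal, so the partition is stable.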
10
Signal correspondence
Weakness
  Signal correspondence is a very limited form of functional dependency
  In very few cases, can prove sequential equivalence by signal correspondence
  Not sufficient to prove equivalence under retiming
How to characterize a more general form of functional dependency by a fixed-point computation (w/o reachability analysis)?
11
Similarity - functional dependency
Maximum functional dependency
  Not unique
  Computationally hard
k-inductive functional dependency
  Computationally easier
12
Functional dependency
Assume transition systems are described with transition functions rather than transition relations
Conclude functional dependency directly from transition functions
  Define combinational dependency
  Extend to sequential dependency
13
Combinational dependency
Given two vectors of Boolean functions f and g over the same domain Bn, f functionally depends on g if there exists some function such that f (·) = ( g (·) ).
  f is the vector of (functional) dependents
  g is the vector of (functional) independents
  is the vector of dependency functions
  (f, g, ) is the dependency triplet
A necessary and sufficient condition: f (a) f (b) g (a) g (b), for all a,b Bn
(In other words, g is more distinguishing than f over the domain.)
Problem statement
  Given a vector of functions h, we are asked to partition h into two sub-vectors f and g such that (f, g, ) forms a dependency triplet with |g| minimized
14
Combinational dependency
Search candidates of dependents and independents
Lemma. Given two functional vectors f and g, g is more distinguishing than f only if the support set of f is contained by that of g.
A variable x is a support of a functional vector f = (f1,…,fn) if there exists i such that fi |x = 0 xnor fi |x = 1 is not a tautology
Compute in f = (g)
[Figure: the regions f(x)=1 and f(x)=0 mapped through g(x) to the values 1 and 0]
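Added example (not from the slides): a truth-table check of combinational dependency and an exhaustive search for a partition of h with the fewest independents. It uses the "g is more distinguishing than f" condition in its contrapositive form: whenever g agrees on two inputs, f must agree too. The function names and the sample vector h are assumptions made for illustration.

```python
from itertools import combinations, product

def dependency_table(f, g, n):
    """Return the dependency function as {g(a): f(a)}, or None if f does not depend on g."""
    table = {}
    for a in product((0, 1), repeat=n):
        key = tuple(fn(*a) for fn in g)
        val = tuple(fn(*a) for fn in f)
        # Two inputs that g cannot tell apart but f can: no dependency function exists.
        if table.setdefault(key, val) != val:
            return None
    return table

def min_independents(h, n):
    """Partition the named functions h into (dependents, independents, table), |g| minimal."""
    names = sorted(h)
    for size in range(len(names) + 1):          # smallest candidate g first
        for ind in combinations(names, size):
            dep = [m for m in names if m not in ind]
            table = dependency_table([h[m] for m in dep], [h[m] for m in ind], n)
            if table is not None:
                return dep, list(ind), table

# Constructed vector h over B^2 (an assumption for illustration).
SAMPLE_H = {
    "h1": lambda a, b: a & b,
    "h2": lambda a, b: a | b,
    "h3": lambda a, b: a ^ b,
}

if __name__ == "__main__":
    dep, ind, table = min_independents(SAMPLE_H, 2)
    print("dependents:", dep, "independents:", ind)
    for key, val in sorted(table.items()):
        print(dict(zip(ind, key)), "->", dict(zip(dep, val)))
```

For this h any two of the three functions determine the third, so the minimal partition is not unique; the search returns the first one in name order.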
15
Combinational dependency
16
Sequential dependency
Extend combinational dependency for state transition systems
Find invariant such that
sdep= (sind) and dep= (ind)
where s represents the set of state variables and represents the set of transition functions.
Two approaches to computing fixed points
Greatest fixed-point (gfp); least fixed-point (lfp)
17
Backward sequential dependency
Greatest fixed-point (gfp) computation
Initially, all state variables are distinct.
In each iteration, compute the combinational dependency among independent state variables from the previous iteration.
[Figure: three iterations of the gfp computation over input x and state s, with next-state dependents s'd(i) and independents s'i(i) for i = 1, 2, 3]
18
Forward sequential dependency
Least fixed-point (lfp) computation
Initially, select one state var as the representative. (0) is determined by initial state information.
In each iteration of computing functional dependency, try to reuse ’s from the previous iteration.
If restrict ’s to be identity functions, the computation reduces to detecting signal correspondences.
[Figure: three iterations of the lfp computation over input x and state s, with next-state dependents s'd(i) and independents s'i(i) for i = 1, 2, 3]
19
Functional dependency
Caveat: Dependency may not hold for initial states I which have no predecessor states
For verification – use the successor states of I as the new initial state set
For logic synthesis – localize conflicting state variables and declare them as independent state variables
20
Functional dependency - experiments
Dependency in original FSM
Circuit      Reg | Signal Correspondence     | Sequential Dependency Gfp | Sequential Dependency Lfp
                 | Indp. Iter.   Mb      sec | Indp. Iter.   Mb      sec | Indp. Iter.   Mb      sec
s298-rt       34 |    31     5   10      0.3 |    23     2   23      1.6 |    24    10   41      6.2
s526n-rt      64 |    55     4   13      1.0 |    37     2   60    104.2 |    40    14   58     26.8
s838-rt       73 |    48    20   13      1.5 |    33     1   22      3.7 |    33    46   21     18.3
s991-rt       42 |    24     2   13      0.5 |    21     2   21      1.4 |    20     2   21      1.4
mult16a-rt   106 |    66     6   13      0.9 |    75     2   13      1.0 |    61     8   13      4.6
tbk-rt        49 |    49     2   49      6.8 |    13     4   62    264.1 |    21     3   59     48.4
s4863        104 |    81     3   47      4.7 |    81     1   69    178.7 |    75     3   47     14.5
s5378        179 |   163    12   37      6.5 |   155     2   51     15.9 |   154    14   51     43.1
s13207       669 |   303    16  138     95.6 |   460     5  111    384.6 |   263    37  100    836.0
s15850       597 |   431    24  142    221.7 |   569     3  134   1487.1 |   315    32  142   1441.0
s38584      1452 |   869    17  303    525.5 |  1440     1  155   4103.3 |   849    25  303  22001.1
8085         193 |    91    15   65     28.9 |   193     0   70     42.4 |    79    17   63     64.3
21
Functional dependency - experiments
Dependency in product FSM
Circuit        Reg | Signal Correspondence     | Sequential Dependency Gfp | Sequential Dependency Lfp
                   | Indp. Iter.   Mb      sec | Indp. Iter.   Mb      sec | Indp. Iter.   Mb      sec
s208          8+16 |    16     7   10      0.2 |    17     1   10      0.1 |    12    10   41      6.2
s298         14+34 |    39     5   10      0.5 |    37     2   21      1.5 |    30    14   58     26.8
s386          6+15 |    13     3   10      0.2 |    13     2   12      0.3 |    12    46   21     18.3
s499         22+41 |    63    21   14      3.1 |    43     2   38      7.3 |    42     2   21      1.4
s510          6+34 |    38     4   13      0.6 |    27     2   50     25.9 |    29     8   13      4.6
s526         21+58 |    64     8   13      2.2 |    59     2   60     41.6 |    50     3   59     48.4
s526n        21+64 |    69     8   13      2.4 |    58     2   59    121.9 |    50     3   47     14.5
s635         32+51 |    66    31   13      7.8 |    66     1   21      1.4 |    51    14   51     43.1
s838         32+73 |    78    31   25     16.8 |    65     2   48      4.2 |    59    37  100    836.0
s991         19+42 |    42     2   22      1.5 |    40     2   38      2.5 |    39    32  142   1441.0
mult16a     16+106 |    82     6   14      4.6 |    91     2   14      1.7 |    77    25  303  22001.1
tbk           5+49 |    54     2   14      5.5 |    17     4   61    175.6 |    25    17   63     64.3
22
Functional dependency - summary
Characterize stronger invariants than signal correspondence
In principle, can prove sequential equivalence under retiming transformation
However, may not find the right dependency in practice
Computationally harder than signal correspondence but still practical
Refinement relation instead of equivalence relation
23
Similarity - relational dependency
Exact relational dependency
  Computationally hard
  Equivalent to reachability analysis
Inductive relational dependency
  How?
24
Improving inductive approaches
Inductive characterization of S.C. and F.D.
  Base case: Init(s) Prop(s)
  Inductive case: Prop(s) Trans(s,t) Prop(t)
  (where Prop could be S.C., F.D., or even other properties)
Strengthening induction hypothesis
  Over transition
    Base case: Init(s1) Trans(s1,s2) … Trans(sk-1,sk) Prop(s1) … Prop(sk)
    Inductive case: Prop(s1) … Prop(sk) Trans(s1,s2) … Trans(sk,sk+1) Prop(sk+1)
  Over property
    Reachability analysis!
P. Bjesse, K. Claessen: SAT-Based Verification without State Space Traversal. FMCAD 2000: 372-389
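Added example (not from the slides): an explicit-state check of the induction strengthened over k transitions, in the standard reading of the base and inductive cases (hypotheses conjoined, implying the conclusion). The two-register circuit, its transition function and the property a = b are constructed for illustration; the correspondence is not 1-inductive but is 2-inductive.

```python
from itertools import product

def paths(succ, starts, length):
    """All sequences of `length` states that follow the transition relation."""
    seqs = [(s,) for s in starts]
    for _ in range(length - 1):
        seqs = [p + (t,) for p in seqs for t in succ(p[-1])]
    return seqs

def k_inductive(init, succ, prop, all_states, k):
    """True if prop is provable by induction over k transitions.

    Assumes a total transition relation (every state has a successor),
    as is the case for a circuit.
    """
    # Base case: prop holds on the first k states of every path from Init.
    base = all(prop(s) for p in paths(succ, init, k) for s in p)
    # Inductive case: k consecutive prop-states are only followed by prop-states.
    # The paths start anywhere, reachable or not: no state space traversal.
    step = all(prop(p[-1]) for p in paths(succ, all_states, k + 1)
               if all(prop(s) for s in p[:-1]))
    return base and step

# Constructed circuit: registers (a, b), no inputs, a' = a XOR b, b' = a, reset 00.
STATES = list(product((0, 1), repeat=2))
INIT = [(0, 0)]

def succ(state):
    a, b = state
    return [(a ^ b, a)]

def corresponds(state):
    """Prop: a and b are corresponding signals (equal valuations)."""
    return state[0] == state[1]

if __name__ == "__main__":
    for k in (1, 2):
        print(k, k_inductive(INIT, succ, corresponds, STATES, k))
```

With k = 1 the unreachable state 11 steps to 01 and breaks the inductive case; with k = 2 that counterexample disappears because every predecessor of 11 already violates the property.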
26
Reachability analysis under similarities
Compact state space by removing redundancies
Available techniques
  Retiming
  State re-encoding
  Variable dependency
  Functional dependency
  …
27
Reduction by retiming
Use retiming to reduce state variables or ease reachability analysis
Allow negative registers (peripheral retiming)
Special subset of functional dependency limited to circuit structures
No dependency can be discovered between different designs
Only static reduction
A. Kuehlmann & J. Baumgartner. Transformation-based verification using generalized retiming. CAV 2001.
28
Reduction by incremental re-encoding
Transform one FSM to another by incremental re-encoding
Two designs must be similar up to a 1-to-1 mapping between equivalent states
S. Quer, et al. Verification of similar FSMs by mixing incremental re-encoding, reachability analysis, and combinational check. Formal Methods in System Design, vol. 17, pages 107--134, 2000.
29
Reduction by variable dependency
Problem formulation [Berthet et al. 90]
  Given a characteristic function F(x1,x2, …, xn), compute a minimal set of irredundant (independent) variables
  Variable xi is redundant if its valuation can be inferred by a function over other variables
Solution - functional deduction [Brown 03]
  Variable xi is redundant in F if and only if F|xi = 0 F|xi = 1 = false
Example
  F = abc ac
  {a, b} is a minimal independent set with c = a a dependency function
Embed variable dependency in reachability analysis
  Weakness: detect dependency after every image computation of a reachability analysis
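Added example (not from the slides): the redundancy test applied to a state set given explicitly, reading the test as "the two cofactors of F with respect to xi share no satisfying assignment", followed by one greedy pass that yields an irredundant set of independent variables. The function names and the sample state set are assumptions made for illustration; a real implementation would run the same test on BDDs.

```python
def cofactor(states, names, x, value):
    """Cofactor F|x=value as a set of assignments to the remaining variables."""
    i = names.index(x)
    return {s[:i] + s[i + 1:] for s in states if s[i] == value}

def is_redundant(states, names, x):
    """x is redundant in F iff the two cofactors share no assignment."""
    return not (cofactor(states, names, x, 0) & cofactor(states, names, x, 1))

def project(states, names, keep):
    """Existentially quantify away every variable not in keep."""
    idx = [names.index(v) for v in keep]
    return {tuple(s[i] for i in idx) for s in states}

def independent_set(states, names):
    """One greedy pass: drop each variable the remaining ones already determine."""
    indep = list(names)
    for x in names:
        # Test x against the variables still kept, not against dropped ones.
        if is_redundant(project(states, names, indep), indep, x):
            indep.remove(x)
    return indep

# Constructed state set over (a, b, c) in which c = a XOR b (illustrative only).
NAMES = ["a", "b", "c"]
REACHED = {(0, 0, 0), (0, 1, 1), (1, 0, 1), (1, 1, 0)}

if __name__ == "__main__":
    keep = independent_set(REACHED, NAMES)
    print("independent:", keep)
    print("states over independents:", sorted(project(REACHED, NAMES, keep)))
```

The result depends on the order in which variables are tried: here a is tested first and dropped, leaving b and c, although {a, b} and {a, c} are equally valid independent sets.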
30
Reduction by functional dependency
Static reduction
  Compute functional dependency (with gfp and/or lfp) before a reachability analysis
Dynamic reduction
  Compute functional dependency before every image computation of a reachability analysis
31
Reduction by functional dependency - experiments
On-the-fly reduction
(Peak and Reached are in BDD nodes.)
Circuit Iter. | Reach. Analysis w/o Dep. Reduction  | Reach. Analysis w Dep. Reduction
              |       Peak    Reached   Mb      sec |       Peak    Reached   Mb      sec
s3271       4 | 28,819,301 16,158,242  620   2784.1 | 18,843,837 10,746,053  415   1082.6
s4863       2 | 18,527,781    248,885  365    404.8 |    549,006      8,772   67     13.1
s5378       2 |        N/A        N/A  >2G      N/A |  1,151,439    113,522   70     21.5
s15850     15 | 29,842,889  9,961,945  653  21337.4 | 17,667,076  6,356,714  463   8175.0
8085       50 | 16,663,749  1,701,604  390  24280.2 |  7,830,602  1,338,322  212   4640.1
33
Design for verifiability
Complete-1-distinguishability
  If any state of a specification FSM M1 can be distinguished from others with a length-1 input sequence, then its corresponding equivalence class of an implementation FSM M2 can be found using a mapping induced by 1-equivalence between the states of the two FSMs.
Expose a subset of registers as pseudo-primary outputs to enforce the C-1-D property
One-step equivalence checking (solely depends on output functions if reachable states are known)
P. Ashar, A. Gupta, S. Malik: Using complete-1-distinguishability for FSM equivalence checking. ICCAD 1996: 346-353
34
Design for verifiability
Boundary-preserving retiming and resynthesis
  Protect some signals intact under RnR transformation
  E.g. expose the signals as pseudo-primary outputs
Corresponding signals exist for combinational equivalence checking
36
Conclusions
Bridging the gap between sequential and combinational EC by exploiting hidden similarities
Extract similarities:
  Generalization from signal correspondence to functional dependency
  How about from functional to relational dependency?
Accelerate reachability analysis:
  Using similarities to compact state space, simplify BDD representation, and prune search space for SAT