Implicit and Explicit Reachable State Space Exploration Of Esterel Logical Circuits

Slide 1: Title Page
Implicit and Explicit Reachable State Space Exploration Of Esterel Logical Circuits
Yannis Bres (Yannis.BRES_at_sophia.inria.fr)
Advisor: Gerard Berry (Gerard.Berry_at_esterel-technologies.com)
10th International Workshop on Synchronous Reactive Languages
Agelonde, France, November 26th, 2002
Slide 2: Introduction
Context of our work:
  Synchronous logical circuits (RTL) derived from high-level hierarchical designs written in SyncCharts, ECL or Esterel
  Computing the Reachable State Space (RSS) of a design is used for:
    Formal verification by observers
    Equivalence checking (somewhat a special case of formal verification)
    Explicit automaton generation
    Exhaustive test sequence generation

Several approaches to RSS computation:
  Implicit: using BDDs
  Explicit: state enumeration, with recursive branchings on inputs
  Hybrid: state enumeration, with BDDs representing input combinations
Slide 3: Binary Decision Diagrams (BDDs)
A data structure for Boolean functions that usually provides:
  Very compact representations
  Very efficient algorithms
BDDs allow manipulating sets through their characteristic function.
However, BDDs may blow up unpredictably on complex computations!
  ¬, = (negation, equivalence test): constant in time and space
  ∧, ∨: quadratic in time and space
  ∃ (existential quantification), substitutions: exponential in time and space
Slide 4: RSS Computation using BDDs
Exponentially complex w.r.t. the variables involved, in both memory and time:
  1 BDD variable per input
    Input variables have to be existentially quantified
  2 BDD variables per state variable (register)
    State variables have to be existentially quantified and substituted
⇒ Reduce state variables!
A usual technique to reduce state variables: replacing state variables by free inputs (inputization)
  Fewer variables to substitute
  As many variables to existentially quantify
Our approach: abstracting variables using a ternary-valued logic (0, 1, ⊥)
  Variables to be abstracted are replaced by the constant ⊥
  Fewer variables to substitute
  Fewer variables to existentially quantify
Slide 5: Over-approximation
Inputization and variable abstraction relax constraints between variables
⇒ Over-approximation, conservative w.r.t. reachable states
⇒ No false positive for formal verification, only false negatives (a property that holds on the over-approximated RSS holds on the exact one; a reported violation may be spurious)
⇒ Snow-ball effect
Inputization keeps correlation between variable instances:
  r ∧ ¬r = i ∧ ¬i = 0
  r ∨ ¬r = i ∨ ¬i = 1
Variable abstraction loses correlation between variable instances:
  r ∧ ¬r = ⊥ ∧ ¬⊥ = ⊥
  r ∨ ¬r = ⊥ ∨ ¬⊥ = ⊥
Another source of over-approximation within the ternary-valued RSS computation algorithm: set widening
  Three disjoint sets (f0, f1, f⊥) → two-set partition (f1, f0)
In practice, if the over-approximation gets too large, false negatives quickly appear and computation stops ⇒ worth trying
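The two pairs of equalities above, carried through in code as an added example (this is not code from evcl or the TiGeR package; the function names and the chosen encoding of ⊥ as None are assumptions). It implements Kleene's strong three-valued logic, shows that inputization still yields r ∧ ¬r = 0 while abstraction only yields ⊥, checks that the abstract value always covers the exact values (which is why the over-approximation is conservative), and shows how a single ⊥ snowballs through a cone of gates until a controlling value stops it.

```python
"""Ternary-valued (0, 1, ⊥) evaluation, as used when a state variable is
abstracted to the constant ⊥ ("unknown").  ⊥ is represented by None.
Operators follow Kleene's strong three-valued logic: a controlling value
(0 for AND, 1 for OR) still decides the result, otherwise ⊥ spreads.
Added example, not code from the evcl tool; names are assumptions."""

BOT = None


def t_not(a):
    return None if a is None else 1 - a


def t_and(a, b):
    if a == 0 or b == 0:          # 0 is controlling: known result even if the other side is ⊥
        return 0
    if a is None or b is None:
        return None
    return 1


def t_or(a, b):
    if a == 1 or b == 1:          # 1 is controlling
        return 1
    if a is None or b is None:
        return None
    return 0


def concretize(v):
    """Set of Boolean values a ternary value stands for."""
    return {0, 1} if v is None else {v}


# Two cones that mention the same register r twice (constructed example).
def contradiction(r):   # r ∧ ¬r, always 0 in Boolean logic
    return t_and(r, t_not(r))


def tautology(r):       # r ∨ ¬r, always 1 in Boolean logic
    return t_or(r, t_not(r))


def inputized(cone):
    """Inputization: r becomes a free input, so both values are tried
    separately and every instance of r sees the same value."""
    return {cone(v) for v in (0, 1)}


def abstracted(cone):
    """Variable abstraction: r is replaced by the constant ⊥ everywhere,
    so the two instances are no longer known to agree."""
    return cone(BOT)


def is_sound(cone):
    """The abstract value must cover every value the inputized cone can take:
    spurious ⊥ (a possible false negative), never a wrong 0 or 1."""
    return inputized(cone) <= concretize(abstracted(cone))


def snowball(depth):
    """A ⊥ entering a chain of AND gates whose other inputs are 1 reaches the
    end of the chain unchanged; a single controlling 0 stops it."""
    v = BOT
    for _ in range(depth):
        v = t_and(v, 1)
    return v, t_and(v, 0)
```

Note that the abstract evaluation never returns a wrong Boolean: `is_sound` holds for both cones, and the price paid is the ⊥ that `abstracted` returns where the inputized evaluation still knows 0 or 1.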
Slide 6: Our formal verifier evcl
Esterel Verification Command Line
Built upon the TiGeR BDD package
Features:
  Variable inputization / abstraction
  Use of structural information (Selection Tree) to reduce over-approximation
  White-Box (embedded observers) / Black-Box (external observers) Model Checking

Variable abstraction up to 23 times faster than inputization on a few experiments on industrial designs, although the current implementation is rather crude
Variable inputization/abstraction is not applicable to every design
Selection of variables to inputize/abstract is not automated at all (although easy to perform in an IDE providing a hierarchical view of the model to be verified)
Slide 7: Explicit or hybrid implicit/explicit RSS computation
A multi-purpose engine for the exploration of the RSS of Esterel circuits:
  States are analyzed one after another
  Known states are stored in a hashtable and identified by their state vector
  States are analyzed through propagation of data until circuit stabilization, as an electric current would do
Two flavours:
  Pure explicit approach: stabilization through recursive branchings on inputs
  Hybrid implicit/explicit approach: stabilization through propagation of BDDs (referencing only inputs)
Support for (constructive) cyclic circuits is transparent
Deeply tuned and optimized, with many heuristics to avoid time/space explosion ⇒ high performance
Engine used for several purposes: automaton generation, formal verification, test sequence generation
Slide 8: Application to automaton generation
Esterel v1, v2, v3 used automata as internal model representation
  Automata can be exponential in both construction time and storage size
Since v4, Esterel uses circuits as internal model representation
  Circuits are almost linear in code size
  Automaton generation became less important
  The v4 automaton generator became out-of-sync: worked only on acyclic circuits, poor performance, hard to maintain
However, automata are still interesting:
  Automata often provide the most efficient implementation
    All control flow is computed at compile-time
    Only input/test-dependent computations remain to be evaluated at run-time
  A lot of information about the design is directly available with automata
Slide 9: Application to automaton generation (continued)
How to generate automata?
  Enumerative approach almost required (to respect action causality)
  Implicit/explicit approach more expensive than the pure explicit approach: too much BDD cofactoring required
Our automaton generator:
  Far more efficient than the v4 one
  Bundled with the Esterel Compiler since v5_91
Slide 10: Application to formal verification
For most designs, the pure implicit approach is much more efficient
However, the pure implicit approach:
  Behaves unpredictably and may blow up
  Cannot work on cyclic circuits
  Is very sensitive to redundant registers
Enumerative approaches:
  Behave very regularly on most designs, although usually much slower
  Provide transparent support for cyclic circuits
  Don't care about redundant registers or design depth
Slide 11: Formal verification case studies
Purely linear testbench (depth 243, 243 states):
  Approach                    Time                              Memory
  Pure implicit               39 min                            8.5 Mb
  SAT (Prover)                still no answer after > 3 h       < 40 Mb
  Pure explicit               1.6 s                             insignificant
  Hybrid implicit/explicit    1.8 s                             insignificant
TI data bus (depth 181, 652 948 states, lots of redundant registers):
  Approach                    Time                              Memory
  Pure implicit               blow-up at depth 9 after 17 min   2 Gb
  SAT (Prover)                still no answer after many hours  (not reported)
  Pure explicit               2 h 33 min                        104 Mb
  Hybrid implicit/explicit    3 h 09 min                        110 Mb
Slide 12: Application to exhaustive test sequence generation
The Finite State Machine model allows the generation of exhaustive test sequences on designs of small to average size
Several coverage goals:
  State coverage
  Output coverage (paths leading to output emission)
  Transition coverage

A test generation tool based on a pure implicit approach, providing these coverage goals, has been developed at Esterel Technologies
  Transition coverage cannot be performed: only connected-state-pair coverage, at the expense of twice as many state variables involved in image computations
Enumerative approaches can provide any kind of coverage without significant overhead
Comparison on state coverage: the enumerative approach is always more efficient, up to 86 times faster
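An added, self-contained example of the pure explicit flavour of the engine described on slide 7, applied to the three uses named on slides 7, 10 and 12: explicit automaton generation (the transition list), formal verification by an embedded observer (the first input sequence that makes it emit) and exhaustive state-coverage test generation (a shortest input sequence to every reachable state, read off the breadth-first parent pointers). This is not the Esterel engine's code: the circuit (a modulo-3 counter written at gate level), the signal names and the API are constructed for the example, the netlist must be acyclic, and none of the anti-explosion heuristics of the real engine are present.

```python
"""Explicit reachable-state-space (RSS) exploration of a synchronous circuit:
states are analysed one after another, known states sit in a hashtable keyed
by their state vector, and each state is stabilised by recursive branching on
the inputs.  One exploration feeds automaton generation (transition list),
observer-based verification (first input sequence making an observer emit)
and exhaustive state-coverage test generation (shortest path to each state).
Added example: the circuit, signal names and API are constructed."""
from collections import deque

OPS = {'not': lambda a: 1 - a, 'and': lambda a, b: a & b, 'or': lambda a, b: a | b}


def propagate(gates, values):
    """Propagate values through an acyclic netlist listed in topological order
    (the real engine also stabilises constructive cyclic circuits; this one does not)."""
    v = dict(values)
    for name, op, args in gates:
        v[name] = OPS[op](*(v[a] for a in args))
    return v


def explore(circuit, observer=None):
    """Breadth-first exploration from the all-zero state.  Returns
    (known, transitions, failure): known maps state -> (depth, parent, inputs
    from parent); transitions is the explicit automaton as (state, inputs,
    successor); failure is (state, inputs) of the first observer emission or None."""
    regs, inputs, gates, nxt = (circuit[k] for k in ('regs', 'inputs', 'gates', 'next'))
    init = tuple(0 for _ in regs)
    known = {init: (0, None, None)}
    transitions, queue, failure = [], deque([init]), None

    def branch(state, env, i, assignment):
        nonlocal failure
        if i < len(inputs):                            # recursive branching on input i
            for val in (0, 1):
                branch(state, env, i + 1, {**assignment, inputs[i]: val})
            return
        v = propagate(gates, {**env, **assignment})    # stabilise under this input combination
        ins = tuple(assignment[x] for x in inputs)
        succ = tuple(v[nxt[r]] for r in regs)
        transitions.append((state, ins, succ))
        if observer is not None and v[observer] == 1 and failure is None:
            failure = (state, ins)
        if succ not in known:                          # hashtable lookup on the state vector
            known[succ] = (known[state][0] + 1, state, ins)
            queue.append(succ)

    while queue:
        state = queue.popleft()
        branch(state, dict(zip(regs, state)), 0, {})
    return known, transitions, failure


def trace(known, state):
    """Shortest input sequence from the initial state to `state` (BFS parents)."""
    seq = []
    while known[state][1] is not None:
        _, parent, ins = known[state]
        seq.append(ins)
        state = parent
    return seq[::-1]


def state_coverage_suite(known):
    """One test sequence per reachable state: exhaustive state coverage."""
    return {s: trace(known, s) for s in known}


def counterexample(known, failure):
    """Inputs reaching the failing state, then the inputs that make the observer emit there."""
    state, ins = failure
    return trace(known, state) + [ins]


# Constructed design: a modulo-3 counter (registers r0 = LSB, r1) with inputs inc
# and rst, plus two embedded observers: alarm (count == 3, never reachable)
# and at_two (count == 2, reachable after two increments).
MOD3 = {
    'regs': ['r0', 'r1'],
    'inputs': ['inc', 'rst'],
    'gates': [
        ('nr0', 'not', ('r0',)), ('nr1', 'not', ('r1',)),
        ('ninc', 'not', ('inc',)), ('nrst', 'not', ('rst',)),
        ('zero', 'and', ('nr0', 'nr1')),
        ('a0', 'and', ('inc', 'zero')), ('b0', 'and', ('ninc', 'r0')),
        ('c0', 'or', ('a0', 'b0')), ('next0', 'and', ('nrst', 'c0')),
        ('a1', 'and', ('inc', 'r0')), ('b1', 'and', ('ninc', 'r1')),
        ('c1', 'or', ('a1', 'b1')), ('next1', 'and', ('nrst', 'c1')),
        ('alarm', 'and', ('r0', 'r1')),
        ('at_two', 'and', ('r1', 'nr0')),
    ],
    'next': {'r0': 'next0', 'r1': 'next1'},
}

if __name__ == '__main__':
    known, transitions, failure = explore(MOD3, observer='alarm')
    print(len(known), 'reachable states,', len(transitions), 'transitions, alarm:', failure)
    for state, seq in state_coverage_suite(known).items():
        print('state', state, 'reached by inputs (inc, rst):', seq)
    known2, _, fail2 = explore(MOD3, observer='at_two')
    print('at_two counterexample:', counterexample(known2, fail2))
```

The same `known` table answers all three questions: its keys are the states of the explicit automaton, its parent pointers give a state-coverage test suite for free, and an observer violation is reported as a concrete input sequence rather than a BDD. Only three of the four register valuations are reachable, so `alarm` is proven never to emit, while `at_two` fails after two increments.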
Slide 13: Conclusion
A formal verification tool based on implicit methods, allowing variable abstraction and many other features
A multi-purpose explicit or hybrid implicit/explicit RSS exploration engine, used for:
  Explicit automaton generation
  Exhaustive test sequence generation
  Formal verification