ECE 667 Spring 2011 Synthesis and Verification of Digital Systems

Slides: 36
Provided by: MaciejCi9
Learn more at: http://www.ecs.umass.edu

Transcript and Presenter's Notes

1
ECE 667 Spring 2011 Synthesis and Verification of Digital Systems
  • Verification
  • Sequential Equivalence Checking

2
Formal Verification
  • Deductive reasoning (theorem proving)
    • Uses axioms and inference rules to prove system correctness
    • No guarantee that it will terminate
    • Difficult and time consuming; used for critical applications only
  • Model checking
    • Automatic technique to prove correctness of concurrent systems:
      digital circuits, communication protocols, etc.
    • Practical tools have become available and are popular in industry
  • Equivalence checking
    • Check if two designs are equivalent
    • Well handled for combinational circuits, unsolved for sequential
      systems

3
Why do we need Formal Verification?
  • Need for reliable hardware validation
    • Simulation and testing cannot handle all possible cases
  • Formal verification conducts an exhaustive exploration of all possible
    behaviors
    • compared to simulation, which explores only some of the possible
      behaviors
    • if correct, all behaviors are verified
    • if incorrect, a counter-example (proof) is presented
  • Examples of successful use of formal verification
    • SMV system (McMillan, 1993)
    • verification of the cache coherence protocol in the IEEE Futurebus
      standard

4
Basic Model: Finite State Machines
  • Model a sequential design as an FSM M = (X, Y, S, S0, δ, λ)
    • X: inputs
    • Y: outputs
    • S: current state
    • S0: initial state(s)
    • δ: X × S → S (next state function)
    • λ: X × S → Y (output function)
  • Delay element
    • Clocked: synchronous
    • Unclocked: asynchronous

5
Sequential Equivalence Checking (1)
  • Represent each sequential circuit as an FSM
    • verify if the two FSMs are equivalent
  • Simplistic approach: reduction to a combinational circuit
    • unroll each FSM over n time frames (flatten the design)
    • this is called a bounded model (fixed number of time frames)
    • also used in simulation-based verification (using SAT)
    • check equivalence of the resulting combinational circuits
    • problem: the resulting circuit can be too large to handle

6
Sequential Equivalence Checking (2)
  • Simplest case: compare two structurally similar FSMs
    • Same set of registers and state encoding
    • Same initial state
    • Register pairs match (name matching)
  • Problem reduces to verifying equivalence of the combinational logic
    component (CL) of the FSMs
    • Output functions
    • Next state logic
  • CL1 ≡ CL2 (combinational) ⇒ FSM1 ≡ FSM2 (sequential)

7
Sequential Equivalence Checking (3)
  • Another simplistic approach, based on checking isomorphism of state
    transition graphs (impractical)
    • two machines M1, M2 are equivalent if their state transition graphs
      (STGs) are isomorphic
    • perform state minimization of each machine
    • check if STG(M1) and STG(M2) are isomorphic

8
Sequential Equivalence Checking
  • If the combinational verification paradigm fails
    • there is no name matching
    • the bounded model is insufficient
    • no structural similarities, etc.
  • Two options
    • Sequential verification based on state traversal
      • expensive but most general
    • Register matching
      • structural register correspondence
      • functional register correspondence

9
FSM Equivalence
  • Most general approach: construct a product machine M1 × M2
[Figure: product machine M1 × M2 fed with the input sequence X1, X2, ..., Xn
 and producing the output sequence 1, 1, ..., 1]
  • M1 and M2 are functionally equivalent iff the product machine M1 × M2
    produces a constant 1 for all valid input sequences X1, ..., Xn.

10
Sequential Verification
  • Most general approach: symbolic (implicit) FSM traversal of the product
    machine
  • Given two FSMs M1(X, S1, δ1, λ1, O1) and M2(X, S2, δ2, λ2, O2)
  • Create a product FSM M = M1 × M2
    • traverse the states of M and check its output for each transition
    • the output O(M) = 1 if the outputs O1 = O2
    • if all outputs of M are 1, M1 and M2 are equivalent
    • otherwise, an error state is reached
    • an error trace is produced to show M1 ≠ M2

11
Product Machine - Construction
  • Define the product machine M(X, S, δ, λ, O)
    • states: S = S1 × S2
    • next state function: δ(s,x): (S1 × S2) × X → (S1 × S2)
    • output function: λ(s,x): (S1 × S2) × X → {0,1}
  • Error trace (distinguishing sequence): a sequence that leads to an error
    state
    • a sequence of inputs which produces 0 at the output of M
    • it produces a state in M for which M1 and M2 give different outputs

12
Construction of the Product FSM
  • For each pair of states s1 ∈ M1, s2 ∈ M2
    • create a combined state s = (s1, s2) of M
    • create transitions out of this state to other states of M
    • label the transitions (input/output) accordingly

13
General Approach to EC
[Figure: state space S of M = M1 × M2 with initial state S0; R is the good
 half (r(s) = 1) and (S − R) the bad half (r(s) = 0)]
  • Inductive proof of equivalence
  • Find a subset R ⊆ S with characteristic function r: S → {0,1} such that
    1. r(s0) = 1 (the initial state is in the good half)
    2. (r(s) = 1) ⇒ r(δ(x,s)) = 1 (all states in the good half lead to
       states in the good half)
    3. (r(s) = 1) ⇒ λ(x,s) = 1 (all states in the good half are comparing
       states)
  • Different methods for equivalence checking differ in the way the space R
    is computed

14
How Do We Obtain R?
  • Reachability analysis (functional)
  • Perform state traversal until no more states can
    be explored
  • Forward (from initial state)
  • Backward (to reach initial state)
  • Explicit (uses transition function to compute R)
  • Symbolic (uses transition relation to compute R)
  • Compute register correspondence (structural)
  • Equivalent state encoding in both machines
  • synthesis tool provides hint for R from
    sequential optimization
  • manual register correspondence
  • automatic register correspondence

15
Product FSM Example 1
  • Product machine for equivalent FSMs
  • (Hachtel, Somenzi, Fig. 7.41)

16
Product FSM Example 2
  • Product machine for non-equivalent FSMs
  • (Hachtel, Somenzi, Fig. 7.45, 7.46)

17
Explicit FSM Traversal in Action
[Figure: product machine STG with the error state marked]
Initial states: s10 = 0, s20 = 0, s = (0,0)
  step    state (s1,s2)   input x   output of M
  New 0   (0,0)           1         1
  New 1   (1,1)           1         1
  New 2   (0,2)           1         1
  New 3   (1,0)           0         0
  • STOP - backtrack to the initial state to get the error trace
    x = 1,1,1,0
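The product-machine construction of slides 10-12 and the explicit traversal of slide 17, as an added example that is not part of the slide deck: two constructed Mealy machines M1 and M2 (not the FSMs of the figures) are composed into M = M1 × M2, traversed breadth-first from (s10, s20), and the first miscomparing transition is backtracked to the distinguishing input sequence.

```python
from collections import deque

# Constructed example machines (not the slides' figures). Each FSM is a Mealy
# machine given by its initial state, next-state function delta(s, x) and
# output function lam(s, x) over the single primary input x in {0, 1}.
M1 = {"init": 0, "delta": lambda s, x: s ^ x,       "lam": lambda s, x: s}      # 1-bit toggle
M2 = {"init": 0, "delta": lambda s, x: (s + x) % 3, "lam": lambda s, x: s % 2}  # mod-3 counter
INPUTS = (0, 1)

def product_step(m1, m2, state, x):
    """One transition of the product machine M = M1 x M2: the combined state
    (s1, s2) moves to (delta1(s1,x), delta2(s2,x)); O(M) = 1 iff lam1 == lam2."""
    s1, s2 = state
    out = int(m1["lam"](s1, x) == m2["lam"](s2, x))
    return (m1["delta"](s1, x), m2["delta"](s2, x)), out

def traverse_explicit(m1, m2):
    """Explicit forward traversal of the product machine from (s10, s20).
    Returns (None, reached) when every transition of every reached state
    outputs 1 (M1 and M2 equivalent), or (error_trace, reached) where
    error_trace is the distinguishing input sequence found by backtracking."""
    s0 = (m1["init"], m2["init"])
    parent = {s0: None}               # state -> (predecessor, input) used to reach it
    queue = deque([s0])
    while queue:
        state = queue.popleft()
        for x in INPUTS:
            nxt, out = product_step(m1, m2, state, x)
            if out == 0:              # error state: M1 and M2 disagree on input x
                trace = [x]
                while parent[state] is not None:
                    state, x_in = parent[state]
                    trace.append(x_in)
                return trace[::-1], set(parent)
            if nxt not in parent:     # a new state of M: remember how it was reached
                parent[nxt] = (state, x)
                queue.append(nxt)
    return None, set(parent)

if __name__ == "__main__":
    print(traverse_explicit(M1, M2))   # ([1, 1, 1, 0], {(0, 0), (1, 1), (0, 2), (1, 0)})
    print(traverse_explicit(M1, M1))   # (None, {(0, 0), (1, 1)}): a machine equals itself
```

The miscompare is found at product state (1,0) on input 0, so the error trace is the path of inputs that reached (1,0) followed by that last input.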

18
Symbolic FSM Traversal
  • Explicit methods are expensive
    • Must evaluate all input combinations
  • Use symbolic (implicit) methods: traverse the product machine
    M(X, S, δ, λ, O)
    • start at an initial state S0
    • iteratively compute the symbolic image Img(S0, R) (the set of next
      states) until an error state is reached
    • Img(S0, R) = ∃x ∃s S0(s) · R(x,s,t)
    • R = ∏i Ri = ∏i (ti ≡ δi(s,x))
    • the transition relation Ri for each next state variable ti can be
      computed as Ri = (ti ≡ δi(s,x))
    • this is an alternative way to compute the transition relation when the
      design is specified at gate level, without explicitly creating a
      product machine

19
Transition Relation
[Figure: transition relation t(s,s') drawn as a labeled graph with separate
 arcs for x = 0 and x = 1, and an example]
20
Image Computation - example
Image of a set of states r(s) (Boolean notation / set notation):
  Initial state:        r(s) = (s ≡ 0) ∨ (s ≡ 1)
                        {0, 1}
  Transition relation:  t(s,s') = (s ≡ 0) ∧ (s' ≡ 2) ∨ (s ≡ 0) ∧ (s' ≡ 3)
                                  ∨ (s ≡ 1) ∧ (s' ≡ 3) ∨ (s ≡ 2) ∧ (s' ≡ 4)
                        {(0,2), (0,3), (1,3), (2,4)}
  t ∧ r:                (s ≡ 0) ∧ (s' ≡ 2) ∨ (s ≡ 0) ∧ (s' ≡ 3) ∨ (s ≡ 1) ∧ (s' ≡ 3)
                        {(0,2), (0,3), (1,3)}
  ∃s (r ∧ t):           (s' ≡ 2) ∨ (s' ≡ 3)
                        {2, 3}
IMG(t, r) = ∃s (r(s) ∧ t(s,s'))
[Figure: example showing r(s) and IMG(t, r(s))]
21
Forward State Traversal
Algorithm TRAVERSE_FORWARD(t, λ, S0)
    reached = ∅; current = S0                   // start from the initial states
    while (reached ≠ (reached ∨ current))       // until the fixed point is reached
        reached = reached ∨ current             // add new states
        next = IMG(t, current)                  // one transition
        current = next'                         // rename next state to present state variables
    return ∃x.(¬λ(x,s) ∧ reached)                // reached states with a miscomparing output
[Figure: forward traversal example]
22
Backward State Traversal
Algorithm TRAVERSE_BACKWARD(t, λ, S0)
    reached = ∅; current = ∃x.(λ(x,s) ≠ 1)      // start from the bad states
    while (reached ≠ (reached ∨ current))       // until the fixed point is reached
        reached = reached ∨ current             // add new states
        previous = PRE_IMG(t, current)          // one transition backwards
        current = previous'                     // rename variables
    return (S0 ∧ reached)                       // nonempty iff an initial state reaches a bad state
[Figure: backward traversal example]
23
Finite State Machine (FSM) Model
  • FSM M(X, S, δ, λ, O)
    • Inputs X
    • Outputs O
    • States S
    • Next state function δ(s,x): S × X → S
    • Output function λ(s,x): S × X → O

24
FSM Traversal
  • State Transition Graphs
    • directed graphs with labeled nodes and arcs (transitions)
  • Symbolic state traversal methods
    • important for symbolic verification, state reachability analysis,
      FSM traversal, etc.
[Figure: state transition graph with input/output arc labels such as 0/0]
25
Existential Quantification
  • Existential quantification (abstraction)
    • ∃x f = f|x=0 + f|x=1
  • Example
    • ∃x (x·y + z) = y + z
  • Note: ∃x f does not depend on x (smoothing)
  • Useful in symbolic image computation (deriving sets of states)

26
Existential Quantification - contd
  • A function can be existentially quantified w.r.t. a vector
    X = x1 x2 ...
    • ∃X f = ∃x1x2... f = ∃x1 ∃x2 ∃... f
  • Can be done efficiently directly on a BDD
  • Very useful in computing sets of states
    • Image computation: next states
    • Pre-image computation: previous states
    • from a given set of initial states

27
Image Computation
  • Computing the set of next states from a given initial state (or set of
    states)
    • Img(S, R) = ∃u S(u) · R(u,v)
  • FSM: when transitions are labeled with input predicates x, quantify
    w.r.t. all inputs (primary inputs and state variables)
    • Img(S, R) = ∃x ∃u S(u) · R(x,u,v)

28
Image Computation - example
Compute the set of next states from state s1
  • Encode the states: s1 = 00, s2 = 01, s3 = 10, s4 = 11
  • Write the transition relation for the encoded states (present state
    bits x, y; next state bits X, Y; input a)
    • R = (a·x̄·ȳ·X̄·Y + ā·x̄·ȳ·X·Ȳ + x·y·X·Y + ...)

29
Example - contd
  • Compute the image from s1 under R
    • Img(s1, R) = ∃a ∃xy s1(x,y) · R(a,x,y,X,Y)
    • = ∃a ∃xy (x̄·ȳ) · (a·x̄·ȳ·X̄·Y + ā·x̄·ȳ·X·Ȳ + x·y·X·Y + ...)
    • = ∃axy (a·x̄·ȳ·X̄·Y + ā·x̄·ȳ·X·Ȳ) = (X̄·Y + X·Ȳ)
    • = {01, 10} = {s2, s3}

Result: the set of next states of s1 for all inputs, s1 → {s2, s3}
30
Pre-Image Computation
  • Computing a set of present states from a given next state (or set of
    states)
    • Pre-Img(S, R) = ∃v R(u,v) · S(v)
[Figure: R(u,v), S(v) and the resulting Pre-Img(u)]
  • Similar to image computation, except that quantification is done w.r.t.
    the next state variables
  • The result: a set of states backward reachable from the state set S,
    expressed in present state variables u
  • Useful in computing CTL formulas AF, EF

31
Register Correspondence
  • Find registers in the product machine that implement identical or
    complemented functions
    • these are matching registers in the two machines under comparison
    • BUT there might be more: we may have redundant registers
  • Definition: a register correspondence RC ⊆ S × S is an equivalence
    relation on the set of registers S
    • (This definition includes only identical functions; it can be extended
      to also include complemented functions)
  • A register correspondence can be used as a candidate for R
    • r(s) = ∏_{(si,sj) ∈ RC} (si ≡ sj)

32
Functional Register Correspondence
  • Algorithm REGISTER_CORRESPONDENCE
        RC = {(si,sj) | si0 = sj0}          // start with registers with identical initial states
        do
            RC' = RC
            r(s) = ∏_{(si,sj) ∈ RC'} (si ≡ sj)
            RC = {(si,sj) | (si,sj) ∈ RC' ∧ (r(s) ⇒ δi(x,s) ≡ δj(x,s))}
        while (RC ≠ RC')
        return RC
  • In essence
    • the algorithm starts with an initial partitioning with two equivalence
      classes, one for each initial value
    • the algorithm iteratively computes the next state functions, assuming
      that the RC is correct
      - if yes, a fixed point is reached and RC is returned
      - if no, the equivalence classes are split along the miscompares
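The REGISTER_CORRESPONDENCE iteration above as an added example, not code from the slides: the five registers A..E with their reset values and next-state functions are constructed for illustration, r(s) is taken from the current partition, and classes are split along miscompares exactly as the "in essence" bullets describe.

```python
from itertools import product

# Constructed registers of a product machine (not from the slides). Each entry is
# (initial value, next-state function delta_i(x, s)) with x the primary input and
# s a dict register-name -> current bit.
REGS = {
    "A": (0, lambda x, s: x),
    "B": (0, lambda x, s: x),                 # same function as A
    "C": (1, lambda x, s: s["A"] & s["B"]),   # equals D only under the assumption A ≡ B
    "D": (1, lambda x, s: s["A"]),
    "E": (0, lambda x, s: 1 - x),             # same reset value as A/B, different function
}

def r_holds(classes, s):
    """r(s) = Π_{(si,sj)∈RC} (si ≡ sj): every class agrees on one value in state s."""
    return all(len({s[r] for r in cls}) == 1 for cls in classes)

def register_correspondence(regs):
    """Return the equivalence classes of the register correspondence (fixed point)."""
    names = sorted(regs)
    # Initial partition: one class per reset value (registers with identical si0).
    classes = [frozenset(n for n in names if regs[n][0] == v)
               for v in sorted({regs[n][0] for n in names})]
    while True:
        new_classes = []
        for cls in classes:
            # Signature of each register = its next-state values over every (x, s)
            # with r(s) = 1, i.e. computed assuming the current RC is correct.
            sig = {}
            for n in cls:
                vals = []
                for x in (0, 1):
                    for bits in product((0, 1), repeat=len(names)):
                        s = dict(zip(names, bits))
                        if r_holds(classes, s):
                            vals.append(regs[n][1](x, s))
                sig.setdefault(tuple(vals), set()).add(n)
            new_classes.extend(frozenset(g) for g in sig.values())  # split on miscompares
        if set(new_classes) == set(classes):       # RC == RC': fixed point reached
            return sorted(sorted(c) for c in classes)
        classes = new_classes

if __name__ == "__main__":
    print(register_correspondence(REGS))   # [['A', 'B'], ['C', 'D'], ['E']]
```

E starts in the class of A and B because it shares their reset value and is split off in the first iteration; C and D survive only because the check is made under the assumption A ≡ B.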

33
Functional Register Correspondence - Example
[Figure: example circuit with registers s0 ... and inputs x, y1, y2]
Result: {s1, s4}, {s2, s3, s5}. Once s3 ≡ s5 is proven, the outputs are
sequentially equivalent
34
Functional Signal Correspondence Example (van Eijk, TCAD 200)
Equivalence classes: {f1}, {f2}, {f3, f6}, {f4, f7}, {f5}
35
Problems with Functional Register Correspondence
  • In case of miscomparing designs
    • the effect of a miscomparing cone may ripple through the entire
      algorithm and split all equivalence classes until they contain only
      single registers
    • difficult to debug, since there is no hint of the error location
  • Solution
    • relaxation of the equivalence criteria
    • e.g. a structural register correspondence algorithm based on the
      support sets of registers
    • combined techniques with name mapping and functional/structural
      criteria