
Structure-independent Sequential Equivalence Checking


Presentation Transcript


  1. Structure-independent Sequential Equivalence Checking
  EE290A, UC Berkeley, Spring 2005
  JHJ

  2. Outline
  • Design verification
  • Combinational vs. sequential equivalence checking
  • Sequential equivalence checking by
    • Reachability analysis
      • Explicit vs. implicit
      • Forward vs. backward
      • Exact vs. approximate
      • Deterministic vs. probabilistic
    • State space partitioning
      • From state equivalence to FSM equivalence
      • Explicit vs. implicit
  • Connection between reachability and state equivalence
  • Experiments
  • Conclusions

  3. Outline

  4. Design verification
  • Equivalence verification is the most important problem in design verification
  • Hardness of equivalence verification
    • Combinational
      • Verification without structural similarities: NP-complete
      • Verification with structural similarities: P- to NP-complete
    • Sequential
      • Verification without structural similarities: PSPACE-complete
      • Verification with structural similarities (e.g., retiming equivalence): P- to PSPACE-complete

  5. Combinational equivalence checking
  • Considered solved for practical design instances
  • State-of-the-art solvers are powered by hybrid engines combining BDDs, SAT and AIGs
  • Capable of verifying million-transistor microprocessor designs
  • The existence of structural similarities in real designs is the key to this success
  • If the relation between the state encodings is known, sequential equivalence checking reduces to combinational equivalence checking
  • In general, combinational EC is not complete for proving sequential equivalence (i.e., equivalence between FSMs)
    • E.g., FSMs retimed and resynthesized with unknown transformation history, or FSMs optimized using sequential don't cares

  6. Sequential equivalence checking
  • A special case of invariant verification (safety property checking)
  • To describe properties, temporal formulas are at times not sufficient (a monitor is needed!)
  • In SEC, the monitor is the correct FSM to be compared against
  • Used in the construction of product machines or multiplexed machines
  • Two approaches to SEC: reachability analysis vs. state space partitioning

  7. Outline

  8. SEC by state traversal
  • Product machine
    • Composition of an FSM and a monitor
    • The composition reveals bad states (state pairs with different output observations)
    • Cf. Mealy- and Moore-type FSMs

  9. Reachability analysis
  • Explicit vs. implicit
    • Explicit graph enumeration
      • Reachability analysis over state transition graphs
      • Practical for FSMs with fewer than ~10 state variables
    • Implicit symbolic computation
      • Iterative image computation over quantified Boolean formulas
      • BDD- or SAT-based manipulations
      • One-step traversal from C(s): Img(s') = ∃x, s. [∧_i (s_i' ↔ T_i(x, s))] ∧ C(s)
      • Practical for FSMs with fewer than ~100 state variables
  • We will be concerned with implicit approaches based on BDDs
  O. Coudert et al.: Verification of Synchronous Sequential Machines Based on Symbolic Execution. Automatic Verification Methods for Finite State Systems 1989: 365-373

  10. Reachability analysis
  • Forward vs. backward
    • Forward analysis asks whether the bad states are reachable from the initial states
    • Backward analysis asks whether the initial states are reachable (by pre-image) from the bad states
    • The two approaches are incomparable
      • A forward diameter can be exponentially shorter than a backward one, and vice versa
    • Meet-in-the-middle by combining both directions
  T. Filkorn: A Method for Symbolic Verification of Synchronous Circuits. Proc. Int'l Symp. Computer Hardware Description Languages and their Applications 1991: 249-259.
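The product-machine traversal of slides 8 to 10, as an added, runnable illustration that is not part of the original slides: an explicit (set-based) stand-in for the symbolic BDD computation the talk is about, so the state sets are Python sets rather than characteristic functions. Forward search does a BFS from the initial state pair and stops at the first bad pair, which also yields the shortest distinguishing input sequence; backward search computes the least fixpoint of the pre-image from the bad pairs, which classifies every state pair whether reachable or not (the observation slide 33 makes later). The three Mealy machines M1, M2 and M3_BUGGY and the helper names are constructed for the example.

```python
from collections import deque


class FSM:
    """Completely specified Mealy machine: y = lam[s, x], s' = delta[s, x]."""

    def __init__(self, states, inputs, s0, delta, lam):
        self.states, self.inputs, self.s0 = list(states), list(inputs), s0
        self.delta, self.lam = delta, lam  # dicts keyed by (state, input)


def mealy(s0, delta, lam):
    """Build an FSM from a transition table {s: {x: s'}} and an output function."""
    states, inputs = list(delta), sorted(next(iter(delta.values())))
    return FSM(states, inputs, s0,
               {(s, x): delta[s][x] for s in states for x in inputs},
               {(s, x): lam(s, x) for s in states for x in inputs})


def bad_pairs(m1, m2):
    """Bad states of the product machine: pairs whose outputs differ on some input."""
    return {(s, t) for s in m1.states for t in m2.states
            if any(m1.lam[s, x] != m2.lam[t, x] for x in m1.inputs)}


def forward_check(m1, m2):
    """Forward reachability on the product machine (explicit BFS).

    Returns (reached_pairs, counterexample): the product states reached from
    the initial pair, and the shortest input sequence whose last input
    exposes an output mismatch, or None if no bad pair is reachable."""
    init = (m1.s0, m2.s0)
    bad = bad_pairs(m1, m2)
    parent = {init: None}  # pair -> (predecessor pair, input) in the BFS tree
    queue = deque([init])
    while queue:
        pair = queue.popleft()
        s, t = pair
        if pair in bad:
            x_bad = next(x for x in m1.inputs if m1.lam[s, x] != m2.lam[t, x])
            path, cur = [x_bad], pair
            while parent[cur] is not None:  # walk back to the initial pair
                cur, x = parent[cur]
                path.append(x)
            return set(parent), path[::-1]
        for x in m1.inputs:
            nxt = (m1.delta[s, x], m2.delta[t, x])
            if nxt not in parent:
                parent[nxt] = (pair, x)
                queue.append(nxt)
    return set(parent), None


def backward_check(m1, m2):
    """Backward reachability: least fixpoint of the pre-image from the bad pairs.

    Returns the set of non-equivalent pairs; M1 and M2 are equivalent iff the
    initial pair is not in it. Every pair is classified, reachable or not."""
    non_eq = bad_pairs(m1, m2)
    while True:
        pre = {(s, t) for s in m1.states for t in m2.states
               if any((m1.delta[s, x], m2.delta[t, x]) in non_eq for x in m1.inputs)}
        if pre <= non_eq:
            return non_eq
        non_eq = non_eq | pre


# Constructed sample machines (not from the slides). M1 toggles between A and
# B on input 1 and outputs 1 when it returns from B to A. M2 has the same
# behaviour with a redundant state R (Q and R are equivalent). M3_BUGGY is M2
# with the output of R on input 1 flipped, so it diverges after inputs 1, 0.
_M2_TABLE = {"P": {0: "P", 1: "Q"}, "Q": {0: "R", 1: "P"}, "R": {0: "Q", 1: "P"}}
M1 = mealy("A", {"A": {0: "A", 1: "B"}, "B": {0: "B", 1: "A"}},
           lambda s, x: int(s == "B" and x == 1))
M2 = mealy("P", _M2_TABLE, lambda s, x: int(s in "QR" and x == 1))
M3_BUGGY = mealy("P", _M2_TABLE, lambda s, x: int(s == "Q" and x == 1))

if __name__ == "__main__":
    print(forward_check(M1, M2)[1])        # None: no bad pair reachable
    print(forward_check(M1, M3_BUGGY)[1])  # [1, 0, 1]: shortest distinguishing sequence
    print(backward_check(M1, M2))          # the three non-equivalent pairs
```

On the equivalent pair M1/M2 the forward search reaches only three product states, all equivalent pairs, while the backward fixpoint returns the three non-equivalent pairs; the complement of the latter is the full equivalence relation, which is why backward analysis identifies equivalent states that forward analysis never visits.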

  11. Reachability analysis
  • Exact vs. approximate
    • Exact image computation is complete but more expensive
    • Approximate image computation is cheaper but incomplete (yields false negatives or false positives)
      • Decompose an FSM into several sub-FSMs, e.g., by partitioning the state variables
      • Traverse each sub-FSM independently (over-approximation)
    • High-density reachability analysis (which combines BFS and DFS) can be either exact or under-approximate
      • Compute dense subsets of BDDs
      • Prefer a small BDD that represents a large state set
      • Avoid memory explosion by subsetting newly reached state sets
  H. Cho et al.: Algorithms for Approximate FSM Traversal. DAC 1993: 25-30.
  K. Ravi and F. Somenzi: High-density reachability analysis. ICCAD 1995: 154-158.

  12. Reachability analysis
  • Deterministic vs. probabilistic
    • Deterministic: exhaustive search
    • Probabilistic: random walk on graphs (Monte Carlo or Las Vegas)
  A. Kuehlmann, K. McMillan, R. Brayton: Probabilistic state space search. ICCAD 1999: 574-579

  13. Reachability analysis
  • Other state traversal issues
    • Abstraction, localization
    • Cone-of-influence reduction
      • Transitive fanin in the unfolded time-frame expansion
    • Quantification scheduling
    • Input/output splitting
    • …

  14. Outline

  15. SEC by state space partitioning
  • Arguing FSM equivalence from state equivalence
    • State equivalence: two states of an FSM are equivalent iff, starting from either of them, the I/O behaviors of the FSM cannot be distinguished
    • FSM equivalence: two FSMs are equivalent iff, starting from their respective initial states, they are indistinguishable by their I/O behaviors

  16. State equivalence
  • Explicit vs. implicit
    • Explicit approach: remove non-equivalent state pairs iteratively from a tableau
    • Implicit approach
      • Represent the equivalence relation with a Boolean formula: backward reachability analysis over the product machine!
      • Represent the equivalence classes with a Boolean formula: functional composition over the original machine (to be discussed)
  • We are concerned with implicit approaches

  17. Identify state equivalence on product machine • Backward reachability analysis

  18. FSM equivalence
  • Explicit vs. implicit
    • Explicit graph enumeration: state minimization followed by graph isomorphism checking
    • Implicit symbolic computation
      • Backward reachability analysis!
      • Functional composition (to be discussed)

  19. Determine FSM equivalence on product machine • Backward reachability analysis

  20. Identify state equivalence on the original machine
  Given an n-state FSM M with r registers
  • Implicit computation of equivalent states
    • [Pixley, CAV'90; Lin et al., ICCAD'90]: refine the state equivalence relation on the product machine of two identical copies of M
      • Number of state variables: 2r
    • [Henriksen et al., TACAS'95]: compute the equivalence classes of M, represented by n shared n-terminal BDDs
      • Number of state variables: r
  • Question: can the equivalence classes of M be computed without special representations?

  21. Identify state equivalence on the original machine
  • M = (S, s0, Σ, Ω, δ, λ): y = λ(s, x), s' = δ(s, x), with s ∈ S, x ∈ Σ, y ∈ Ω
  • Relate the output/transition tables to the decomposition table of functional decomposition
    • Columns indexed by states; rows indexed by inputs
  • BDD-based functional decomposition
    • State variables → bound set; input variables → free set
    • Each distinct column pattern in the output table corresponds to an equivalence node
    • Paths leading to the same equivalence node represent states in the same equivalence class

  22. Identify state equivalence on the original machine
  • Procedure
    • Consider time-frame expansions of M
    • Initially Π0 has all states in the same equivalence class
    • y = λ(s, x) induces a partition Π1 on the state space
    • Compute Π1 by BDD-based functional decomposition

  23. Identify state equivalence on the original machine
  • Procedure (cont'd)
    • Represent Π1 by a characteristic function χ1(s)
    • Perform functional decomposition on χ1(δ(s, x)) to derive Π2⁻
    • Compute Π2 = Π1 · Π2⁻ (the common refinement of the two partitions)
    • Represent Π2 by a characteristic function χ2(s)
    • Iterate until a fixpoint is reached

  24. Identify state equivalence on the original machine
  • Robustness issues for state equivalence
    • Work on the reachable state subspace (if available)
      • BDD constrain operator [Coudert and Madre, ICCAD'90] + restricted BDD variable ordering
    • Restrict the BDD variable ordering only when necessary

  25. SEC by state space partitioning
  • Extend state equivalence to machine equivalence
    • Verification on the multiplexed machine
    • Verification on separate machines
    • Verification on the product machine
  • Theorem: M1 and M2 are equivalent iff their initial states, s1⁰ and s2⁰, are equivalent

  26. Verification on the multiplexed machine
  • Given two FSMs M1 and M2 with r1 and r2 registers respectively, construct their multiplexed machine M:
    • aux = 0 ⇒ M = M1; aux = 1 ⇒ M = M2

  27. Verification on the multiplexed machine
  • Procedure
    • Partition the state space of the multiplexed machine
    • Check whether (aux = 0, s1⁰) and (aux = 1, s2⁰) are in the same equivalence class
  • Other aspects
    • Robustness issues: carry out the verification for each output separately; collapse "bad" equivalence classes
    • Error tracing and shortest distinguishing sequences

  28. Product machine vs. multiplexed machine
  Given two completely specified FSMs M1 and M2 with r1 and r2 registers respectively
  • Product machine: product state space; state variables: r1 + r2
  • Multiplexed machine: sum state space; state variables: max{r1, r2} + 1
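An added example, not from the slides, covering both the partition-refinement procedure of slides 22 and 23 and the multiplexed-machine verification of slides 26 to 28. The BDD-based functional decomposition is replaced by an explicit stand-in: Π1 groups states by their output-table column (the tuple of outputs over all inputs), and each later step splits a class when two of its states map some input to different classes of the previous partition, which is the same refinement Π_{k+1} = Π_k · Π_{k+1}⁻ computed on sets instead of BDDs. The multiplexed machine adds an aux bit to the state, so the partition runs over the sum space (|S1| + |S2| states) rather than the product space, and equivalence is decided by whether (0, s1⁰) and (1, s2⁰) share a class. The per-output check of slide 27 is shown by projecting the output tuple. The machines M1, M2 and M3_BUGGY (two-bit outputs) and all helper names are constructed for the example.

```python
class FSM:
    """Completely specified Mealy machine: y = lam[s, x], s' = delta[s, x]."""

    def __init__(self, states, inputs, s0, delta, lam):
        self.states, self.inputs, self.s0 = list(states), list(inputs), s0
        self.delta, self.lam = delta, lam  # dicts keyed by (state, input)


def mealy(s0, delta, lam):
    """Build an FSM from a transition table {s: {x: s'}} and an output function."""
    states, inputs = list(delta), sorted(next(iter(delta.values())))
    return FSM(states, inputs, s0,
               {(s, x): delta[s][x] for s in states for x in inputs},
               {(s, x): lam(s, x) for s in states for x in inputs})


def refine_partition(m, proj=lambda y: y):
    """State-partition refinement on the original machine.

    Pi0 puts all states in one class. Pi1 splits by each state's column of
    the output table (its outputs over all inputs). Pi(k+1) splits a class
    of Pik when two of its states send some input to different classes.
    Stops at the fixpoint. `proj` selects which output(s) are observed, so
    each output can be verified separately. Returns (class_of_state, steps)."""
    def assign(sig):
        ids = {}  # first-seen signature -> class id
        return {s: ids.setdefault(sig[s], len(ids)) for s in m.states}

    cls = assign({s: tuple(proj(m.lam[s, x]) for x in m.inputs) for s in m.states})
    steps = 1
    while True:
        refined = assign({s: (cls[s],) + tuple(cls[m.delta[s, x]] for x in m.inputs)
                          for s in m.states})
        # Refinement only ever splits classes, so an equal count is a fixpoint.
        if len(set(refined.values())) == len(set(cls.values())):
            return cls, steps
        cls, steps = refined, steps + 1


def multiplex(m1, m2):
    """Multiplexed machine: state (a, s), aux bit a selects M1 (a=0) or M2 (a=1).

    The transition function holds a constant, so the state count is
    |S1| + |S2| (sum space), against |S1| * |S2| for the product machine."""
    delta, lam = {}, {}
    for a, m in ((0, m1), (1, m2)):
        for s in m.states:
            for x in m.inputs:
                delta[(a, s), x] = (a, m.delta[s, x])
                lam[(a, s), x] = m.lam[s, x]
    states = [(0, s) for s in m1.states] + [(1, s) for s in m2.states]
    return FSM(states, m1.inputs, (0, m1.s0), delta, lam)


def equivalent_by_partitioning(m1, m2, proj=lambda y: y):
    """M1 and M2 are equivalent iff (0, s1_0) and (1, s2_0) land in one class."""
    cls, _ = refine_partition(multiplex(m1, m2), proj)
    return cls[(0, m1.s0)] == cls[(1, m2.s0)]


def verify_each_output(m1, m2, n_outputs):
    """Robustness trick from slide 27: verify one output bit at a time."""
    return [equivalent_by_partitioning(m1, m2, lambda y, i=i: y[i])
            for i in range(n_outputs)]


# Constructed sample machines (not from the slides). Outputs are (y0, y1):
# y0 = 1 when the machine returns from its "B-like" state on input 1,
# y1 = 1 whenever it is in a "B-like" state. M2 has a redundant state R that is
# equivalent to Q; M3_BUGGY drops y0 from R, breaking output 0 only.
_M2_TABLE = {"P": {0: "P", 1: "Q"}, "Q": {0: "R", 1: "P"}, "R": {0: "Q", 1: "P"}}
M1 = mealy("A", {"A": {0: "A", 1: "B"}, "B": {0: "B", 1: "A"}},
           lambda s, x: (int(s == "B" and x == 1), int(s == "B")))
M2 = mealy("P", _M2_TABLE,
           lambda s, x: (int(s in "QR" and x == 1), int(s in "QR")))
M3_BUGGY = mealy("P", _M2_TABLE,
                 lambda s, x: (int(s == "Q" and x == 1), int(s in "QR")))

if __name__ == "__main__":
    print(equivalent_by_partitioning(M1, M2))            # True
    print(equivalent_by_partitioning(M1, M3_BUGGY))      # False
    print(verify_each_output(M1, M3_BUGGY, 2))           # [False, True]
    print(len(multiplex(M1, M2).states))                 # 5 states in the sum space
```

For M1 and M2 the multiplexed machine has five states (the product machine would have six pairs), the partition converges after Π1 into two classes, and both initial states land in the class of the "A-like" states; for M3_BUGGY the per-output run shows that only output 0 is wrong, which is the kind of localization the per-output verification on slide 27 buys.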

  29. Verification on separate machines
  • Procedure
    • Partition the state spaces of M1 and M2 separately but simultaneously
    • Maintain two sets of shared BDDs (share BDDs below the cutset)
    • Check whether s1⁰ and s2⁰ lead to the same equivalence node
  • Properties
    • No interference among state variables
    • No BDD sharing above the cutset
    • Same number of state variables as the product machine (verification is still in the sum state space)

  30. Verification on the product machine
  • Properties
    • Flexible BDD variable ordering
    • More state variables than the multiplexed machine
    • No direct BDD simplification using unreachable states

  31. Analysis
  • Functional decomposition replaces quantifications
  • Given two FSMs M1 and M2 converging in n1 and n2 steps respectively, their multiplexed machine converges in exactly max{n1, n2} steps (can be improved to min{n1, n2})
  • Both ST (state traversal) and SP (state partitioning) find counterexamples as shortest input sequences
  • Suppose ST and SP converge in t and p steps respectively. Then min{t, p} is an upper bound for the fixpoint computation.

  32. Outline

  33. Connection between reachability analysis and state equivalence
  • Assume the bad states are unreachable from the initial states in a product machine
    • Forward reachability analysis reveals the equivalent state pairs reachable from the initial state pair
    • Backward reachability analysis reveals (all?) non-equivalent state pairs
  • Backward reachability analysis is more powerful in identifying equivalent states

  34. Outline

  35. Experimental results
  • Compare three equivalence checking techniques
    • STPM: state traversal on the product machine
    • SPPM: state partitioning on the product machine
    • SPMM: state partitioning on the multiplexed machine
  • Experiments were conducted on a Linux machine with a Pentium III 700 MHz CPU and 2Gb RAM

  36. Experimental Results

  37. Experimental Results

  38. Experimental results
  • Elements of success
    • Reduce the number of state variables almost by half
    • Incorporate simplification using unreachable states
    • Verify each output separately
    • Parallel processing
  • Limitation: ~10⁶ equivalence classes per output

  39. Experimental results
  • Identify state equivalence by BDD-based functional decomposition
  • Pose the equivalence checking problem as the state equivalence problem of the multiplexed machine
  • Verify benchmarks with up to 312 registers, including all of the control outputs of the 8085 microprocessor
  • More scalable for high-speed designs

  40. Outline

  41. Conclusions
  • Two different frameworks for SEC
    • State traversal based on reachability analysis, in the product space
    • State space partitioning based on state equivalence, in the product space or the disjoint-union space
  • SAT-based SEC
    • Unbounded model checking is based on state traversal on the product machine
    • How about state space partitioning over the multiplexed machine?
