200 likes | 216 Views
This paper introduces state abstraction techniques using ternary-valued logic for the verification of reactive circuits, including methods for computing the reachable state space and variable abstraction. The approach is applied to the safety property verification of finite state machines in synchronous logical circuits. Experimental results demonstrate the effectiveness of the techniques.
E N D
State Abstraction Techniquesfor the Verification of Reactive Circuits Title Page Designing Correct Circuits,European Joint Conference on Theory and Practice of Software, Grenoble, France april 6-7 2002 Yannis Bres, CMA-EMP / INRIAGérard Berry, Esterel TechnologiesAmar Bouali, Esterel TechnologiesEllen M. Sentovich, Cadence Berkeley Labs
Outline Outline Introduction Context of our work Finite State Machines (FSMs) Reachable State Space (RSS) computation principle and algorithm Computing Over-approximated Reachable State Space (ORSS) State variable inputization Variable abstraction using ternary-valued logic Refinement using the Esterel Selection Tree Experiment results Conclusions
Reachable State Space Uses Reachable State Space Uses Computing the Reachable State Space of a design is used for: Formal verification by observers Equivalence checking Automated test pattern generation State minimization State re-encoding …
Exact RSS computation is expensive Exact RSS computation is expensive Exponentially complex wrt. intermediate variables, in both memory and time: 1 variable per input 2 variables per state variable Several (orthogonal) techniques to reduce complexity: Application-specific partial RSS computation (transitive network sweeping) BDD pruning Decomposed FSM RSS computation Turning state variables into inputs … Our approach : abstracting variables through ternary-valued logic
Context of our work Context of our work Synchronous logical circuits (RTL level) derived from high-level hierarchical programs written in SyncCharts, ECL or Esterel Well-suited for control-dominated programs, both for hardware and software targets Implicit state set representation using BDDs (TiGeR package) Application to safety property verification (synchronous observers) Implemented as a command-line tool
FSMs FSMs A Finite State Machine (FSM) is described by the tuple , where is the number of inputs is the number of state variables (registers) is the number of outputs is the transition function is the output function describes the set of initial states describes the valid input space
RSS computation principle RSS computation principle Find the limit of the converging sequence: Where becomes: Eventually, the equality becomes:
Basic RSS computation algorithm Basic RSS computation algorithm
Complexity analysis Complexity analysis With BDDs: : constant , : polynomial , substitutions: exponential … with respect to the number of intermediate variables Goal: reducing the number of intermediate variables ! Constraint: be “conservative”, i.e. compute an over-approximation of the RSS Thus, if property holds on the “cheap” ORSS, it holds on the exact RSS
State variable inputization State variable inputization Reduces the number of register variables 2 variables per register 1 variable per inputized register Reduces the number of functions Increases the swept area Maintains correlation between instances of a variable ii= 0 ii= 1 Same number of a posteriori existential quantifications Over-approximated result because constraints between variables are relaxed “Snow-ball” effect
Ternary-valued logic Ternary-valued logic Usual Boolean logic with a third value: d or (i.e. , X, …) Parallel extension of Boolean operators: Dual-rail encoding of constants:
Ternary-valued logic Ternary-valued logic Ternary Valued Functions (TVFs) are encoded using a pair of Boolean functions(f0 , f1 ) f0 f1 fd Standard Boolean operators are extended to TVFs: (f0 , f1 ) = (f1 , f0 ) (f0 , f1 )(g0 , g1 ) = (f0 g0, f1 g1) (f0 , f1 )(g0 , g1 ) = (f0 g0, f1 g1)
Application to RSS computation Application to RSS computation The Boolean transition function is enlarged as: f0 f1 f f fd
Variable abstraction Variable abstraction Abstracted variables are replaced by the constant d Reduces the number of state variables 2 variables per register 0 variable per abstracted register Reduces the number of input variables 1 variable per input 0 variable per abstracted input Even fewer a posteriori existential quantifications Reduces the number of functions Increases the swept area Loses correlation between instances of a variable dd=d dd=d Even more over-approximated result “Snow-ball” effect Variables to be abstracted must be chosen with great care!
Refinement Using the Esterel Selection Tree Refinement Using the Esterel Selection Tree [await I1 ;do something ;await I2 ;do something||await I3 ;do something] ;await I4 ;do something 1 # 2 3 # 4 Gives an overapproximation ceiling Allows to reinforce input care set for inputized registers
Experiment results #1 Experiment results #1 Industrial design: fuel management system of a jet aircraft from Dassault Aviation ensures that the engines are properly fed manages system components failures manages the fuel load balancing between the two sides of the aircraft manages in-flight refueling …
Experiment results #1 Experiment results #1 Inputization gives excellent results on all properties Abstraction gives even better ones !
Experiment results #2 Experiment results #2 Undisclosed industrial design
Experiment results #2 Experiment results #2 Abstraction gives very good on most properties, but inputization often gives better ones !
Conclusions Conclusions A method to ease Reachable State Space computation, by computing an over-approximation of it, through variable abstraction, using a ternary-valued logic. Requires some abstraction hints from the designer, easy in a graphical IDE for hierarchical designs. Refinements and over-approximation ceiling from design structural informations Quite good results on a few experiments on industrial designs, although current implementation is rather crude Abstraction figures vs. inputization ones can be improved