Structure-dependent Sequential Equivalence Checking

Structure-dependent Sequential Equivalence Checking EE290A UC Berkeley Spring 2005 JHJ

Outline • Introduction • Discovering hidden similarities • Signal correspondence • Functional dependency • Relational dependency • Reachability analysis under similarities • Retiming for verification • On-the-fly state re-encoding • On-the-fly reduction using functional dependency • Design for verifiability • C-1-D equivalence • Conclusions

Introduction • Bridge the complexity gap between sequential and combinational equivalence checking • Detect hidden similarities • Designs to be checked are often similar in circuit structures • If the relation between state encodings is known, equivalence checking can be done combinationally • PSPACE-complete to NP-complete • Similarities can be captured by signal correspondence, functional dependency, relational dependency, etc. • Take advantage of similarities • Simplify circuit • Simplify reachability analysis

Hidden similarities in transition systems • Signal correspondence • Two points of a sequential circuit are corresponding signals if their valuations are the same (or complement to each other) under any input sequence • Functional dependency • A signal xfunctionally depends on a set S of other signals if the valuation of x can be expressed as a function over S under any input sequence • Relational dependency • Two sets S1 and S2 of signals are related if the valuations of one set can be inferred from those of the other

Usefulness of similarities • Simplify circuits • Compact BDD representation • Reduce search space for SAT-based verification

Similarity - signal correspondence • Exact signal correspondence • Computationally hard • k-inductive signal correspondence • Computationally easy for small k • Only subset of signal correspondence

s1=1 s2=1 s3=1 v s2= Øv s1= x Å v s3= Øv v1 v2 s1 s3 s2 x 1 1 1 s2= Ø(v1v2) s1= x Å v1 s3= Ø(v1v2) v1 v2 Signal correspondence • Detect equivalent state variables in an over-approximated state space by a least fixed-point computation [van Eijk 95] Example [Kuehlmann] Result: {s1}, {s2,s3}

Signal correspondence • Weakness • Signal correspondence is a very limited form of functional dependency • In very few cases, can prove sequential equivalence by signal correspondence • Not sufficient to prove equivalence under retiming • How to characterize a more general form of functional dependency by a fixed-point computation (w/o reachability analysis)?

Similarity - functional dependency • Maximum functional dependency • Not unique • Computationally hard • k-inductive functional dependency • Computationally easier

Functional dependency • Assume transition systems are described with transition functions rather than transition relations • Conclude functional dependency directly from transition functions • Define combinational dependency • Extend to sequential dependency

Combinational dependency • Given two vectors of Boolean functions f and g over the same domain Bn, ffunctionally depends on g if there exists some function  such that f (·) = ( g (·) ). • f is the vector of (functional) dependents • g is the vector of (functional) independents •  is the vector of dependency functions • (f, g, ) is the dependency triplet • A necessary and sufficient condition: f (a)  f (b)  g (a)  g (b), for all a,b  Bn (In other words, g is more distinguishing than f over the domain.) • Problem statement • Given a vector of functions h, we are asked to partition h into two sub-vectors f and g such that (f, g, ) forms a dependency triplet with |g| minimized

Combinational dependency • Search candidates of dependents and independents • Lemma. Given two functional vectors f and g, g is more distinguishing than f only if the support set of f is contained by that of g. • A variable x is a support of a functional vector f = (f1,…,fn) if there exists i such that fi|x = 0 xnorfi|x = 1 is not a tautology • Compute q in f = q (g)

Combinational dependency

Sequential dependency • Extend combinational dependency for state transition systems • Find invariant  such that sdep= (sind) and dep= (ind) where s represents the set of state variable and  represents the set of transition functions. • Two approaches to computing fixed points • Greatest fixed-point (gfp); least fixed-point (lfp)

Backward sequential dependency • Greatest fixed-point (gfp) computation • Initially, all state variables are distinct. • In each iteration, compute the combinational dependency among independent state variables from the previous iteration.

Forward sequential dependency • Least fixed-point (lfp) computation • Initially, select one state var as the representative. (0) is determined by initial state information. • In each iteration of computing functional dependency, try to reuse ’s from the previous iteration. • If restrict ’s to be identity functions, the computation reduces to detecting signal correspondences.

Functional dependency • Caveat: Dependency may not hold for initial states I which have no predecessor states • For verification – use the successor states of I as the new initial state set • For logic synthesis – localize conflicting state variables and declare them as independent state variables

Functional dependency - experiments • Dependency in original FSM

Functional dependency - experiments • Dependency in product FSM

Functional dependency - summary • Characterize stronger invariants than signal correspondence • In principle, can prove sequential equivalence under retiming transformation • However, may not find the right dependency in practice • Computationally harder than signal correspondence but still practical • Refinement relation instead of equivalence relation

Similarity - relational dependency • Exact relational dependency • Computationally hard • Equivalent to reachability analysis • Inductive relational dependency • How?

Improving inductive approaches • Inductive characterization of S.C. and F.D. Base case: Init(s)  Prop(s) Inductive case: Prop(s)  Trans(s,t)  Prop(t) (where Prop could be S.C., F.D., or even other properties) • Strengthening induction hypothesis • Over transition Base case: Init(s1)  Trans(s1,s2)  …  Trans(sk-1,sk)  Prop(s1)  …  Prop(sk) Inductive case: Prop(s1)  …  Prop(sk)  Trans(s1,s2)  …  Trans(sk,sk+1)  Prop(sk+1) • Over property Reachability analysis! P. Bjesse, K. Claessen: SAT-Based Verification without State Space Traversal. FMCAD 2000: 372-389

Reachability analysis under similarities • Compact state space by removing redundancies • Available techniques • Retiming • State re-encoding • Variable dependency • Functional dependency • …

Reduction by retiming • Use retiming to reduce state variables or ease reachability analysis • Allow negative registers (peripheral retiming) • Special subset of functional dependency limited to circuit structures • No dependency can be discovered between different designs • Only static reduction A. Kuehlmann & J. Baumgartner. Transformation-based verification using generalized retiming. CAV 2001.

Reduction by incremental re-encoding • Transform one FSM to another by incremental re-encoding • Two designs must be similar up to a 1-to-1 mapping between equivalent states S. Quer, et al. Verification of similar FSMs by mixing incremental re-encoding, reachability analysis, and combinational check. Formal Methods in System Design, vol. 17, pages 107--134, 2000.

Reduction by variable dependency • Problem formulation [Berthet et al. 90] • Given a characteristic function F(x1,x2, …, xn), compute a minimal set of irredundant (independent) variables • Variable xiis redundant if its valuation can be inferred by a function over other variables • Solution - functional deduction [Brown 03] • Variable xiis redundant in F if and only if F|xi = 0F|xi = 1= false • Example • F = abc ac {a, b} is a minimal independent set with c = a a dependency function • Embed variable dependency in reachability analysis • Weakness: detect dependency after every image computation of a reachability analysis

Reduction by functional dependency • Static reduction • Compute functional dependency (with gfp and/or lfp) before a reachability analysis • Dynamic reduction • Compute functional dependency before every image computation of a reachability analysis

Reduction by functional dependency - experiments • On-the-fly reduction

Design for verifiability • Complete-1-distinguishability • If any stateof a specification FSM M1 can be distinguished from others with a length-1 input sequence, then its corresponding equivalence class of an implementation FSM M2 can be found using a mapping induced by 1-equivalence between the states of the two FSMs. • Expose a subset of registers as pseudo-primary outputs to enforce the C-1-D property • One-step equivalence checking (solely depends on output functions if reachable states are known) P. Ashar, A. Gupta, S. Malik: Using complete-1-distinguishability for FSM equivalence checking. ICCAD 1996: 346-353

Design for verifiability • Boundary-preserving retiming and resynthesis • Protect some signals intact under RnR transformation • E.g. expose the signals as pseudo-primary outputs • Corresponding signals exist for combinational equivalence checking

Conclusions • Bridging the gap between sequential and combinational EC by exploiting hidden similarities • Extract similarities: • Generalization from signal correspondence to functional dependency • How about from functional to relational dependency? • Accelerate reachability analysis: • Using similarities to compact state space, simplify BDD representation, and prune search space for SAT

Structure-dependent Sequential Equivalence Checking

Structure-dependent Sequential Equivalence Checking

Presentation Transcript

Towards A C++ based Design Methodology Facilitating Sequential Equivalence Checking

Sequential Equivalence Checking : Need and Challenges

DDEC: Data-Driven Equivalence Checking

Structure-independent Sequential Equivalence Checking

Equivalence Checking Problems

Equivalence Checking

Appearance-based Equivalence Checking

Appearance-Based Equivalence Checking

Appearance-based Equivalence Checking

Appearance-Based Equivalence Checking

Bounded Sequential Equivalence Checking with Range-Equivalent Circuit, Node Merging, and NAR

Bounded Sequential Equivalence Checking with Range-Equivalent Circuit, Node Merging , and NAR

Appearance-Based Equivalence Checking

Appearance-Based Equivalence Checking

Enhancing Bounded Sequential Equivalence Checking with Range-Equivalent Circuit Minimization

Enhancing Bounded Sequential Equivalence Checking with Range-Equivalent Circuit Minimization

Combinational Equivalence Checking

Appearance-based Equivalence Checking

Bounded Sequential Equivalence Checking with Range-Equivalent Circuit, Node Merging , and NAR

Structure-independent Sequential Equivalence Checking

Sequential Equivalence Checking : Need and Challenges

Sequential Equivalence Checking for Clock-Gated Circuits