2001 ciesielskiformal verification1 formal methods in hardware verification maciej ciesielski dept....
TRANSCRIPT
![Page 1: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/1.jpg)
2001 Ciesielski Formal Verification 1
FORMAL METHODS IN HARDWARE VERIFICATION
Maciej CiesielskiDept. of Electrical & Computer Engineering
University of Massachusetts, Amherst, [email protected]
![Page 2: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/2.jpg)
2001 Ciesielski Formal Verification 2
Overview• Introduction
– What is verification (validation)– Why do we need it– Formal verification vs. simulation-based methods
• Math background– Decision diagrams (BDD’s, BMD’s, etc.)– Symbolic FSM traversal
• Formal methods– model checking– equivalence checking
• Semi-formal methods– symbolic simulation– functional validation
![Page 3: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/3.jpg)
2001 Ciesielski Formal Verification 3
Formal Methods
• Equivalence checking– Combinational circuits– Sequential circuits
• Model checking– Problem statement – Explicit algorithms (on graphs)– Symbolic algorithms (using BDDs)
• Theorem proving – Deductive reasoning
![Page 4: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/4.jpg)
2001 Ciesielski Formal Verification 4
Functional Testing
• Simulation-based methods– Symbolic simulation– Functional test generation
• SAT-based methods, Boolean SAT• RTL verification: Arithmetic/Boolean SAT• ATPG-based methods
• Emulation-based methods– Hardware-assisted simulation– System prototyping
![Page 5: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/5.jpg)
2001 Ciesielski Formal Verification 5
Part I
INTRODUCTION
![Page 6: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/6.jpg)
2001 Ciesielski Formal Verification 6
Verification
• Design verification = ensuring correctness of the design – against its implementation (at different levels)
behavior
structure
function
layout
HDL / RTL
Gate level
Logic level
Mask level
Design 1
?
?
?
model ?
?
RTL
Gate level
Mask level
Design 2
Logic level
?
?
– against alternative design (at the same level)
![Page 7: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/7.jpg)
2001 Ciesielski Formal Verification 7
Why Verification
• Verification crisis– System complexity, difficult to manage– More time, effort devoted to verification than to
actual design– Need automated verification methods, integration
• Consequences– Disasters, life threatening situations– Inconvenience (Pentium bug … ?)– Many more …
![Page 8: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/8.jpg)
2001 Ciesielski Formal Verification 8
Verification Methods
• Deductive verification
• Model checking
• Equivalence checking
• Simulation - performed on the model
• Emulation, prototyping – product + environment
• Testing - performed on the actual product
(manufacturing test)
Formal VerificationFormal Verification
![Page 9: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/9.jpg)
2001 Ciesielski Formal Verification 9
Formal Verification
• Deductive reasoning (theorem proving)– uses axioms, rules to prove system correctness– no guarantee that it will terminate– difficult, time consuming: for critical applications only
• Model checking– automatic technique to prove correctness of concurrent
systems: digital circuits, communication protocols, etc.
• Equivalence checking– check if two circuits are equivalent
– OK for combinational circuits, unsolved for sequential
![Page 10: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/10.jpg)
2001 Ciesielski Formal Verification 10
Why Formal Verification
• Need for reliable hardware validation
• Simulation, test cannot handle all possible cases• Formal verification conducts exhaustive exploration of
all possible behaviors– compare to simulation, which explores some of possible
behaviors
– if correct, all behaviors are verified
– if incorrect, a counter-example (proof) is presented
• Examples of successful use of formal verification– SMV system [McMillan 1993]
– verification of cache coherence protocol in IEEE Futurebus+ standard
![Page 11: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/11.jpg)
2001 Ciesielski Formal Verification 11
Model Checking
• Algorithmic method of verifying correctness of (finite state) concurrent systems against temporal logic specifications– A practical approach to formal verification
• Basic idea– System is described in a formal model
• derived from high level design (HDL, C), circuit structure, etc.
– The desired behavior is expressed as a set of properties• expressed as temporal logic specification
– The specification is checked against the model
![Page 12: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/12.jpg)
2001 Ciesielski Formal Verification 12
Functional Validation
• Verify the design in the full operational context
• RTL functional verification– Validate HDL specification of RTL model
• Functional test generation
– SAT-based methods (Boolean, arithmetic)– ATPG-based methodsATPG-based methods
• Symbolic simulation (semi-formal methods)Symbolic simulation (semi-formal methods)
– Combine simulation with symbolic methodsCombine simulation with symbolic methods
![Page 13: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/13.jpg)
2001 Ciesielski Formal Verification 13
• Canonical representations: BDD, BMD• Boolean satisfiability problem (SAT)• Finite State Machine (FSM) traversal
Part II
BACKGROUND
![Page 14: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/14.jpg)
2001 Ciesielski Formal Verification 14
Binary Decision Diagrams (BDD)
• Based on recursive Shannon expansion
F = x Fx + x’ Fx’
• Compact data structure for Boolean logic– can represents sets of objects (states) encoded as
Boolean functions
• Canonical representation– reduced ordered BDDs (ROBDD) are canonical– essential for verification
![Page 15: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/15.jpg)
2001 Ciesielski Formal Verification 15
BDD Construction
• Typically done using APPLY operator
• Reduction rules– remove duplicate terminals– merge duplicate nodes
(isomorphic subgraphs)– remove redundant nodes
• Redundant nodes:
– nodes with identical children10
b
10
b
c
a b
fff
a b
![Page 16: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/16.jpg)
2001 Ciesielski Formal Verification 16
BDD Construction – your first BDD
• Construction of a Reduced Ordered BDD
1 edge
0 edgea b c f
0 0 0 00 0 1 00 1 0 00 1 1 11 0 0 01 0 1 11 1 0 01 1 1 1
Truth table
f = ac + bc
Decision tree
10 0 0 1 0 10
a
b
c
b
c c c
f
![Page 17: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/17.jpg)
2001 Ciesielski Formal Verification 17
BDD Construction – cont’d
10
a
b
c
b
c c c
f f
10
a
b
c
b
c
10
a
b
c
f = (a+b)c
2. Merge duplicate nodes
1. Remove duplicate terminals
3. Remove redundant nodes
![Page 18: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/18.jpg)
2001 Ciesielski Formal Verification 18
Application to Verification
• Equivalence of combinational circuits• Canonicity property of BDDs:
– if F and G are equivalent, their BDDs are
identical (for the same ordering of variables)
10
a
b
c
F = a’bc + abc +ab’c G = ac +bc
10
a
b
c
![Page 19: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/19.jpg)
2001 Ciesielski Formal Verification 19
Application to Verification, cont’d
• Functional test generation– SAT, Boolean satisfiability
analysis– to test for H = 1 (0), find a path
in the BDD to terminal 1 (0) – the path, expressed in function
variables, gives a satisfying solution (test vector)
ab
ab’c
H
0 1
a
b
c
![Page 20: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/20.jpg)
2001 Ciesielski Formal Verification 20
Logic Manipulation using BDDs
• Useful operators
¬
1 00 1
F F’
0 1
F(x,y)
x=b 0 1
F(y)Restrict
– Restrict: F|x=b = F(x=b) where b = const
– Complement ¬ F = F’(switch the terminal nodes)
![Page 21: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/21.jpg)
2001 Ciesielski Formal Verification 21
Useful BDD Operators - cont’d
• Apply: F Gwhere stands for any Boolean operator (AND, OR, XOR, )
=
F G
0 1 0 10 1
F G
• Any logic operation can be expressed using only
Restrict and Apply
• Efficient algorithms, work directly on BDDs
![Page 22: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/22.jpg)
2001 Ciesielski Formal Verification 22
Apply Operation
• Basic operator for efficient BDD manipulation (structural)
• Based on recursive Shannon expansion
F OP G = x (Fx OP Gx) + x’(Fx’ OP Gx’)
where OP = OR, AND, XOR, etc
![Page 23: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/23.jpg)
2001 Ciesielski Formal Verification 23
Apply Operation - AND
10
a
c
aca AND c
10
a 2
c
10
3
0.3
2.3a
c1.3
1.11.0
AND
= =
![Page 24: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/24.jpg)
2001 Ciesielski Formal Verification 24
Apply Operation - OR
OR
ac
10
a
c
4
5
bc
10
b
c
6
7 ==
10
a
b
c
f = ac+bc
c
4+6
0+0
a
7+5
1
0+6 b6+5
0+5
0
0+7
![Page 25: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/25.jpg)
2001 Ciesielski Formal Verification 25
Binary Moment Diagrams (*BMD)
• Devised for word-level operations, arithmetic• Based on Shannon expansion, manipulated
f = x fx + x’ fx’ = x fx + (1-x) fx’ = fx’ + x (fx - fx’ ) = fx’ + x fx
.
• fx’ = f(x=0), is constant (zero moment)
• fx. = (fx - fx’ ) is called first moment, similar to first
derivative• Additive and multiplicative weights on edges (*BMD)
![Page 26: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/26.jpg)
2001 Ciesielski Formal Verification 26
*BMD for arithmetic circuits• Efficiently models word-level operators
Bit level
4
10
x0
x1
x2
12
4
y0
y1
y2
2
1
X + Y X Y
10
X
Y
word level
10
X
Y
word level
10
x0
x1
x2
y0
y1
y2
12
4
24
1
Bit level
![Page 27: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/27.jpg)
2001 Ciesielski Formal Verification 27
*BMD for Boolean logic
AND
10
x
y
x y = x y
10
x1 -1
x’ = (1-x)
NOTOR
x y = (x + y – x y)
10
x
yy
-11
XOR
x
10
yy
-21
x y = (x + y – 2 x y)
• Needed to model complex arithmetic circuits
![Page 28: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/28.jpg)
2001 Ciesielski Formal Verification 28
Decison Diagrams - summary• BDDs and BMDs are canonical for fixed variable order
• BDDs– Good for equivalence checking and SAT– Inefficient for large arithmetic circuits (multipliers)
• BMDs– Efficient for word-level operators– Less compact for Boolean logic than BDDs– Good for equivalence checking, but not for SAT
• New type of compact, canonical diagram available, better suited for arithmetic designs– TED, based on Taylor series Expansion
![Page 29: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/29.jpg)
2001 Ciesielski Formal Verification 29
Boolean Satisfiability (SAT)
• Given a representation for a Boolean function f (X):– Find an assignment X* such that f (X*) = 1, or– Prove that such an assignment does not exist
• A classical way to solve SAT:
– Represent function f (X) in conjunctive normal form (CNF)
– Solve SAT by finding satisfying assignment to binary
variables for each clause (GRASP, SATO)
![Page 30: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/30.jpg)
2001 Ciesielski Formal Verification 30
CNF for Boolean Network
ab d
d= [d = ¬(a b )][¬d = a b]= [d =¬a + ¬b][¬d = a b]
= (¬a d)(¬b d)(a b ¬d)
= (a +d)(b +d)(¬a +¬b + ¬d)
• Represent Boolean function as a connection of gates• Represent each gate as a CNF clause
• Solve = find satisfying assignment for all CNF clauses
![Page 31: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/31.jpg)
2001 Ciesielski Formal Verification 31
Finite State Machines (FSM)
• FSM M(X,S, , ,O)
– Inputs: X– Outputs: O– States: S– Next state function, (s,x) : S X S
– Output function, (s,x) : S X O
OOXX
R
(s,x)(s,x)
s s’
![Page 32: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/32.jpg)
2001 Ciesielski Formal Verification 32
FSM Traversal
• State Transition Graphs – directed graphs with labeled nodes and arcs
(transitions)– symbolic state traversal methods
• important for symbolic verification, state reachability analysis, FSM traversal, etc.
0/0 0/1
1/0
s0 s1
0/1s2
1/0
![Page 33: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/33.jpg)
2001 Ciesielski Formal Verification 33
Existential Quantification
• Existential quantification (abstraction)
x f = f |x=0 + f |x=1
• Example: x (x y + z) = y + z
• Note: x f does not depend on x (smoothing)
• Useful in symbolic image computation (sets of states)
![Page 34: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/34.jpg)
2001 Ciesielski Formal Verification 34
Existential Quantification - cont’d
• Function can be existentially quantified w.r.to a vector: X = x1x2…
X f = x1x2... f = x1 x2 ... f
• Can be done efficiently directly on a BDD
• Very useful in computing sets of states – Image computation: next states
– Pre-Image computation: previous states
from a given set of initial states
![Page 35: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/35.jpg)
2001 Ciesielski Formal Verification 35
Image Computation
• Computing set of next states from a given initial state (or set of states)
Img( S,R ) = u S(u) • R(u,v)
Img(v)
R(u,v)
S(u)
• FSM: when transitions are labeled with input predicates x, quantify w.r.to all inputs (primary inputs and state var)
Img( S,R ) = x u S(u) • R(x,u,v)
![Page 36: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/36.jpg)
2001 Ciesielski Formal Verification 36
Image Computation - example
• Encode the states: s1=00, s2=01, s3=10, s4=11
• Write transition relations for the encoded states:
R = (ax’y’X’Y + a’x’y’XY’ + xy’XY + ….)
a xy XY1 00 010 00 10 - 10 11……….
s1
s2
s3
s4a
a’00
01
1011
Compute a set of next states from state s1
![Page 37: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/37.jpg)
2001 Ciesielski Formal Verification 37
Example - cont’d
• Compute Image from s1 under R Img( s1,R ) = a xy s1(x,y) • R(a,x,y,X,Y)
Result: a set of next states for all inputs s1 {s2, s3}
s1
s2
s3
s4a
a’00
01
1011
= a xy (x’y’) • (ax’y’X’Y + a’x’y’XY’ + xy’XY + ….)
= axy (ax’y’X’Y + a’x’y’XY’ ) = (X’Y + XY’ )
= {01, 10} = {s2,s3}
![Page 38: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/38.jpg)
2001 Ciesielski Formal Verification 38
Pre-Image Computation
• Computing a set of present states from a given next state (or set of states)
Pre-Img( S’,R) = v R(u,v) )• S’(v)
S’(v)
R(u,v)
Pre-Img(u)
• Similar to Image computation, except that quantification is done w.r.to next state variables
• The result: a set of states backward reachable from state set S’, expressed in present state variables u
• Useful in computing CTL formulas: AF, EF
![Page 39: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/39.jpg)
2001 Ciesielski Formal Verification 39
Part III
EQUIVALENCE CHECKING
![Page 40: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/40.jpg)
2001 Ciesielski Formal Verification 40
Equivalence Checking• Two circuits are functionally equivalent
if they exhibit the same behavior
• Combinational circuits – for all possible input values
In OutCL
PoPoPIPI
CL
PsPs NsNs
R
• Sequential circuits
– for all possible input sequences
![Page 41: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/41.jpg)
2001 Ciesielski Formal Verification 41
Combinational Equivalence Checking
• Functional Approach– transform output functions of combinational
circuits into a unique (canonical) representation– two circuits are equivalent if their representations
are identical– efficient canonical representation: BDD
• Structural – identify structurally similar internal points– prove internal points (cut-points) equivalent– find implications
![Page 42: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/42.jpg)
2001 Ciesielski Formal Verification 42
Functional Equivalence
• If BDD can be constructed for each circuit– represent each circuit as shared (multi-output) BDD
• use the same variable ordering !
– BDDs of both circuits must be identical
• If BDDs are too large– cannot construct BDD, memory problem– use partitioned BDD method
• decompose circuit into smaller pieces, each as BDD• check equivalence of internal points
![Page 43: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/43.jpg)
2001 Ciesielski Formal Verification 43
Functional Decomposition
• Decompose each function into functional blocks– represent each block as a BDD (partitioned BDD method)– define cut-points (z)– verify equivalence of blocks at cut-points
starting at primary inputsF
f2
f1
z
x y
G
g2
g1
z
x y
![Page 44: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/44.jpg)
2001 Ciesielski Formal Verification 44
Cut-Points Resolution Problem
F
f2
f1
z1
x y
G
g2
g1
z2
x y
• If all pairs of cut-points (z1,z2) are equivalent– so are the two functions, F,G
• If intermediate functions (f2,g2) are not equivalent– the functions (F,G) may still be equivalent – this is called false negative
• Why do we have false negative ?– functions are represented in terms of
intermediate variables– to prove/disprove equivalence must
represent the functions in terms of primary inputs (BDD composition)
![Page 45: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/45.jpg)
2001 Ciesielski Formal Verification 45
Cut-Point Resolution – Theory
• Let f1(x)=g1(x) x
– if f2(z,y) g2(z,y), z,y then f2(f1(x),y) g2(f1(x),y) F G
– if f2(z,y) g2(z,y), z,y f2(f1(x),y) g2(f1(x),y) F G
• False negative– two functions are equivalent,
but the verification algorithm declares them as different.
F
f2
f1
z
x y
G
g2
g1
z
x y
We cannot say if F G or not
![Page 46: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/46.jpg)
2001 Ciesielski Formal Verification 46
Cut-Point Resolution – cont’d
• Procedure 1: create a miter (XOR) between
two potentially equivalent nodes/functions – perform ATPG test for stuck-at 0– find test pattern to prove F G
– efiicient for true negative
(gives test vector, a proof)– inefficient when there is no test
0, F G (false negative) 1, F G (true negative)
F G
• How to verify if negative is false or true ?
![Page 47: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/47.jpg)
2001 Ciesielski Formal Verification 47
Cut-Point Resolution – cont’d• Procedure 2: create a BDD for F G
– perform satisfiability analysis (SAT) of the BDD• if BDD for F G = , problem is not satisfiable, false negative• BDD for F G , problem is satisfiable, true negative
Non-empty, F G
, F G (false negative)F G =
=
F G
Note: must compose BDDs until they are equivalent, or expressed in terms of primary inputs
– the SAT solution, if exists, provides a test vector (proof of non-equivalence) – as in ATPG
– unlike the ATPG technique, it is effective for false negative (the BDD is empty!)
![Page 48: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/48.jpg)
2001 Ciesielski Formal Verification 48
Structural Equivalence Check
• Given two circuits, each with its own structure– identify “similar” internal points, cut sets– exploit internal equivalences
• False negative problem may arise– F G, but differ structurally (different local support)– verification algorithm declares F,G as different
• Solution: use BDD-based or ATPG-based methods to resolve the problem. Also: implication, learning techniques.
b
d1a•
F a
c
d2
b •G
![Page 49: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/49.jpg)
2001 Ciesielski Formal Verification 49
Implication Techniques
• Techniques that extract and exploit internal correspondences to speed up verification
• Implications – direct and indirect
a=1
c=x
b=xf=0
d=0
e=0
a=0
c=x
b=xf=1
d=x
e=x
Direct: a=1 f=0 Indirect (learning): f=1 a=0
![Page 50: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/50.jpg)
2001 Ciesielski Formal Verification 50
Learning Techniques
• Learning– process of deriving indirect implications– Recursive learning
• recursively analyzes effects of each justification
– Functional learning• uses BDDs to learn indirect implications
0 1
a
b
G
10
a
b
H
G=1 H=0
a
c
bH=?
G=1
![Page 51: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/51.jpg)
2001 Ciesielski Formal Verification 51
Learning Techniques – cont’d
• Other methods to check implications G=1 H=0
– Build a BDD for G • H’• If this function is satisfiable (G·H’=1), the implication holds
and gives a test vector
• Otherwise it does not hold
– Since G=1 H=0 (G’+H’)=1, build a BDD for (G’+H’)• The implication holds if (G’+H’) 1 (tautology, trivial BDD)
a
c
bH
G=1
![Page 52: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/52.jpg)
2001 Ciesielski Formal Verification 52
Sequential Equivalence Checking• Represent each sequential circuit as an FSM
– verify if two FSMs are equivalent
• Approach 1: reduction to combinational circuit– unroll FSM over n time frames (flatten the design)
M(t1)
x(1)
s(1)
M(t2)
x(2)
s(2)…… M(tn)
x(n)
s(n)
Combinational logic: F(x(1,2, …n), s(1,2, … n))
– check equivalence of the resulting combinational circuits
– problem: the resulting circuit can be too large too handle
![Page 53: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/53.jpg)
2001 Ciesielski Formal Verification 53
Sequential Verification
• Approach 2: based on isomorphism of state transition graphs– two machines M1, M2 are equivalent if their state transition
graphs (STGs) are isomorphic– perform state minimization of each machine– check if STG(M1) and STG(M2) are isomorphic
State min.1/0
0 1.20/0
1/1
0/1
M1min
1/0
0 10/0
1/1
0/1
M2
0/0 0/1
1/0
0 1
0/12
1/0
M1
1/1
![Page 54: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/54.jpg)
2001 Ciesielski Formal Verification 54
Sequential Verification
• Approach 3: symbolic FSM traversal of the product machine
M1 M2S1 S2
O2O1
X
O(M)• Given two FSMs: M1(X,S1, 1, 1,O1), M2(X,S2, 2, 2,O2)
• Create a product FSM: M = M1 M2
– traverse the states of M and check its output for each transition
– the output O(M) =1, if outputs O1= O2
– if all outputs of M are 1, M1 and M2 are equivalent
– otherwise, an error state is reached
– error trace is produced to show: M1 M2
![Page 55: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/55.jpg)
2001 Ciesielski Formal Verification 55
Product Machine - Construction
• Define the product machine M(X,S, , ,O)– states, S = S1 S2
– next state function, (s,x) : (S1 S2) X (S1 S2)
– output function, (s,x) : (S1 S2) X {0,1}
M1 M2
1 221
X
• Error trace (distinguishing sequence) that leads to an error state- sequence of inputs which produces 1
at the output of M - produces a state in M for which M1
and M2 give different outputs
(s,x) = 1(s1,x) 2(s2,x) O =1 if O1=O2
0 otherwise
![Page 56: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/56.jpg)
2001 Ciesielski Formal Verification 56
FSM Traversal - Algorithm
• Traverse the product machine M(X,S,, ,O)– start at an initial state S0
– iteratively compute symbolic image Img(S0,R) (set of next states):
Img( S0,R ) = x s S0(s) • R(x,s,t)
R = i Ri = i (ti i(s,x))
until an error state is reached
– transition relation Ri for each next state variable ti
can be computed as ti = (t (s,x)) (this is an alternative way to compute transition relation, when
design is specified at gate level)
![Page 57: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/57.jpg)
2001 Ciesielski Formal Verification 57
Construction of the Product FSM
• For each pair of states, s1 M1, s2 M2
– create a combined state s = (s1. s2) of M– create transitions out of this state to other states of M– label the transitions (input/output) accordingly
1/0
0 10/0
1/1
0/1M1M2
1/1
2
0 10/0
0/0
0/11/1 1/0
M1
1/0
0
0/1
1
M2 2
0/1
1/01
1.1
0/111
1/10.2
00Output = {1 OK
0 error
![Page 58: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/58.jpg)
2001 Ciesielski Formal Verification 58
FSM Traversal in Action
• STOP - backtrack to initial state to get error trace: x={1,1,1,0}
1/0
0 10/0
1/1
0/1
M1 M2
2
0 10/0
0/0
0/1
1/1
1/1 1/0
1.10/1
1/1
0/1
0.2
1/1
1.0 0/01/0
0/0 1.2
1/0
0.1
1/0
0/0 Out(M)State reached x=0 x=1
Error state
0.00/1 1/1M
Initiall states: s1=0, s2=0, s=(0.0)
• New 0 = (0.0) 1 1
• New 1 = (1.1) 1 1
• New 2 = (0.2) 1 1• New 3 = (1.0) 0 0
![Page 59: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/59.jpg)
2001 Ciesielski Formal Verification 59
Part IV
MODEL CHECKING
![Page 60: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/60.jpg)
2001 Ciesielski Formal Verification 60
Model Checking
• Algorithmic method of verifying correctness of (finite state) concurrent systems against temporal logic specifications– A practical approach to formal verification
• Basic idea– System is described in a formal model
• derived from high level design (HDL, C), circuit structure, etc.
– The desired behavior is expressed as a set of properties• expressed as temporal logic specification
– The specification is checked agains the model
![Page 61: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/61.jpg)
2001 Ciesielski Formal Verification 61
Model Checking
• How does it work
– System is modeled as a state transition structure (Kripke structure)
– Specification is expressed in propositional temporal logic (CTL formula)
• asserts how system behavior evolves over time
– Efficient search procedure checks the transition system to see if it satisifes the specification
![Page 62: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/62.jpg)
2001 Ciesielski Formal Verification 62
Model Checking• Characteristics
– searches the entire solution space– always terminates with YES or NO– relatively easy, can be done by experienced designers– widely used in industry– can be automated
• Challenges– state space explosion – use symbolic methods, BDDs
• History– Clark, Emerson [1981] USA– Quielle, Sifakis [1980’s] France
![Page 63: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/63.jpg)
2001 Ciesielski Formal Verification 63
Model Checking - Tasks
• Modeling– converts a design into a formalism: state transition
system
• Specification– state the properties that the design must satisfy– use logical formalism: temporal logic
• asserts how system behavior evolves over time
• Verification– automated procedure (algorithm)
![Page 64: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/64.jpg)
2001 Ciesielski Formal Verification 64
Model Checking - Issues
• Completeness– model checking is effective for a given property– impossible to guarantee that the specification
covers all properties the system should satisfy– writing the specification - responsibility of the user
• Negative results– incorrect model– incorrect specification (false negative)– failure to complete the check (too large)
![Page 65: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/65.jpg)
2001 Ciesielski Formal Verification 65
Model Checking - Basics
• State transition structure M(S,R,L) (Kripke structure)S = finite set of states {s1, s2, … sn}R = transition relationL = set of labels assigned to states, so thatL(s) = f if state s has property f
• All properties are composed of atomic propositions (basic properties), e.g. the light is green, the door is open, etc.– L(s) is a subset of all atomic propositions
true in state s
Label (property)
s3
s1
s2
a
b ac
![Page 66: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/66.jpg)
2001 Ciesielski Formal Verification 66
Specification using Temporal Logic
• Formalism describing sequences of transitions• Time is not mentioned explicitly• The temporal operators used to express temporal
properties– eventually – never– always
• Temporal logic formulas are evaluated w.r.to a state in the model
• Temporal operators can be combined with Boolean expressions
![Page 67: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/67.jpg)
2001 Ciesielski Formal Verification 67
Temporal Logics
• Temporal logics add temporal operators and path quantifiers to standard (e.g. propositional) logics
• Temporal operators allow one to conveniently describe the order of occurrence of events– Involve time, without explicitly mentioning it
• Exmples: CTL*, CTL, LTL, etc– Branching time logic– Linear time logic
![Page 68: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/68.jpg)
2001 Ciesielski Formal Verification 68
Computation Trees
State transition structure(Kripke Model)
Infinite computation tree for initial state s1
a
b
a ac
ac
ac
ac
s1
s3
s1
s2
a
b ac
![Page 69: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/69.jpg)
2001 Ciesielski Formal Verification 69
CTL – Computation Tree Logic
• Path quantifiers - describe branching structure of the tree– A (for all computation paths)
– E (for some computation path = there exists a path)
• Temporal operators - describe properties of a path through the tree– X (next time, next state)
– F (eventually, finally)
– G (always, globally)
– U (until)
– R (release, dual of U)
![Page 70: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/70.jpg)
2001 Ciesielski Formal Verification 70
Operators and Quantifiers
• State operators– G a : a holds globally– F a : a holds eventually– X a : a holds at the next state– a U b: a holds until b holds– a R b: a releases b
• Path quantifiers– E: along at least one path (there exists …)– A: along all paths (for all …)
![Page 71: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/71.jpg)
2001 Ciesielski Formal Verification 71
CTL – Computational Tree Logic
• CTL* - a powerul branching-time temporal logic
• CTL – a branching-time fragment of CTL*• In CTL every temporal operator (G,F,X,U,R)
must be immediately preceded by a path quantifier (A,E)
• We need both state formulae and path formulae to recursively define the logic
![Page 72: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/72.jpg)
2001 Ciesielski Formal Verification 72
CTL Formulas
• Temporal logic formulas are evaluated w.r.to a state in the model
• State formulas– apply to a specific state
• Path formulas– apply to all states along a specific path
![Page 73: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/73.jpg)
2001 Ciesielski Formal Verification 73
Basic CTL Formulas• E X (f)
– true in state s if f is true in some successor of s (there exists a next state of s for which f holds)
• A X (f)– true in state s if f is true for all successors of s (for all next
states of s f is true)
• E G (f)– true in s if f holds in every state along some path
emanating from s (there exists a path ….)
• A G (f)– true in s if f holds in every state along all paths emanating
from s (for all paths ….globally )
![Page 74: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/74.jpg)
2001 Ciesielski Formal Verification 74
Basic CTL Formulas - cont ’d
• E F (g)– there exists a path which eventually contains a state
in which g is true
• A F (g)– for all paths, eventually there is state in which g holds
• E F, A F are special case of E [f U g], A [f U g]– E F (g) = E [ true U g ], A F (g) = A [ true U g ]
• f U g (f until g)– true if there is a state in the path where g holds, and
at every previous state f holds
![Page 75: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/75.jpg)
2001 Ciesielski Formal Verification 75
CTL Operators - examples
so |= E F g
g
so so
g
g
g
so |= A F g
so |= E G g
gso
g
g
so |= A G g
so
g
g
g
g
gg
![Page 76: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/76.jpg)
2001 Ciesielski Formal Verification 76
CTL* Syntax
• An atomic proposition is a state formula• A state formula is also a path formula• If a, b are state formulae, so are ¬a, ab, ab, • If p is a path formula, E p is a state formula• If p, q are path formulae, so are ¬p, pq, pq• If p, q are path formulae, so are X p, pUq, pRq,
![Page 77: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/77.jpg)
2001 Ciesielski Formal Verification 77
Minimal set of CTL Formulas
• Full set of operators – Boolean: ¬, , , , – temporal: E, A, X, F, G, U, R
• Minimal set sufficient to express any CTL formula– Boolean: ¬, – temporal: E, X, U
• Examples: f g = ¬(¬f ¬g), F f = true U f , A (f ) = ¬E(¬f )
![Page 78: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/78.jpg)
2001 Ciesielski Formal Verification 78
CTL* Semantics• If formula q holds at state s (path ), we write:
s |= q ( |= q)• s |= p, p A iff p L(s) [label of s]• s |= ¬ a, iff s |# a• s |= a b, iff s |= a and s |= b• s |= E p, iff from state s, s.t. |= p
|= ¬ p, iff |# p |= p q, iff |= p and |= q |= X p, iff 1 |= p (p reachable in next
state)
![Page 79: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/79.jpg)
2001 Ciesielski Formal Verification 79
Semantics of X and U
• Semantics of X: |= X p
• Semantics of U: |= p U q
1 |= p
j |= p
i |= q
![Page 80: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/80.jpg)
2001 Ciesielski Formal Verification 80
Typical CTL Formulas
• E F ( start ¬ ready )– eventually a state is reached where start holds
and ready does not hold
• A G ( req A F ack )– any time request occurs, it will be eventually
acknowledged
• A G ( E F restart )– from any state it is possible to get to the restart
state
![Page 81: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/81.jpg)
2001 Ciesielski Formal Verification 81
Model Checking – Explicit Algorithm
Problem: given a structure M(S,R,L) and a temporal logic formula f, find a set of states that satisfy f
{s S: M,s |= f }
• Explicit algorithm: label each state s with the set label(s) of sub-formulas of f which are true in s.
1. i = 0; label(s) = L(s)
2. i = i + 1; Process formulas with (i -1) nested CTL operators. Add the processed formulas to the labeling of each state in which it is true.
3. Continue until closure. Result: M,s |= f iff f label (s)
![Page 82: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/82.jpg)
2001 Ciesielski Formal Verification 82
Explicit Algorithm - cont’d
• To check for arbitrary CTL formula f– successively apply the state labeling algorithm to the
sub-formulas– start with the shortest, most deeply nested– work outwards
• Example: E F ¬ (g h )
T1 = states in which g and h are true
T2 = complement of T1
T3 = predecessor states to T2
![Page 83: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/83.jpg)
2001 Ciesielski Formal Verification 83
Actions for Each Label
• Atomic proposition p: return set of states with p in their labels
• ¬a: return the complement of sat(M,a)• ab: return sat(M,a) sat(M,b)• ab: return sat(M,a) sat(M,b)• EX a: return the set of predecessors in M of
the states in sat(M,a)• EG a: return the set of states entirely
contained in sat(M,a)
![Page 84: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/84.jpg)
2001 Ciesielski Formal Verification 84
Model Checking Example
Traffic light controller (simplified)
R1 G2
Y1 R2
G1 R2
R1 Y2
C ’+ T ’
C T
C T ’
C ’+ T
C = car sensorT = timer
G1 R2
Y1 R2
R1 G2
G1 R2
G1 R2
Y1 R2
Y1 R2
R1 G2 R1 Y2 R1 G2
G1 R2R1 Y2 R1 G2
R1 Y2
G2
Y2
R2
G1
Y1
R1
C
C
Timer
T
sensor
Road 2
Ro
ad
1
![Page 85: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/85.jpg)
2001 Ciesielski Formal Verification 85
Traffic light controller - Model Checking
• Model Checking task: check – safety condition– fairness conditions
• Safety condition: no green lights on both roads at the same time
A G ¬ (G1 G2 )
• Fairness condition: eventually one road has green light
E F (G1 G2)
R1 G2
Y1 R2
G1 R2
R1 Y2
C ’+T ’
C T
C T ’
C ’+T
![Page 86: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/86.jpg)
2001 Ciesielski Formal Verification 86
Checking the Safety Condition
A G ¬ (G1 G2) = ¬ E F (G1G2)
• S(G1 G2 ) = S(G1) S(G2) = {1}{3} =
• S(EF (G1 G2 )) = • S(¬ EF (G1 G2 )) = ¬ =
{1, 2, 3, 4}
Each state is included in {1,2,3,4}
the safety condition is true (for each state)
2
R1 G2
Y1 R2
G1 R2
R1 Y2
1
3
4
![Page 87: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/87.jpg)
2001 Ciesielski Formal Verification 87
Checking the Fairness Condition
E F (G1 G2 ) = E(true U (G1 G2 ) )• S(G1 G2 ) = S(G1)S(G2) = {1} {3} = {1,3}• S(EF (G1 G2 )) = {1,2,3,4}
(going backward from {1,3}, find predecessors)
1 34 23 1
Since {1,2,3,4} contains all states, the condition is true for all the states
![Page 88: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/88.jpg)
2001 Ciesielski Formal Verification 88
Another Check
E X2 (Y1) = E X (E X (Y1))(starting at S1=G1R2, is there
a path s.t. Y1 is true in 2 steps ?)
• S (Y1) = {2}• S (EX (Y1)) = {1}
(predecessor of 2)• S (EX (EX(Y1)) = {1,4}
(predecessors of 1)
R1 G2
Y1 R2
G1 R2
R1 Y2
1
3
4
2
Property E X2 (Y1) is true for states {1,4}, hence true
![Page 89: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/89.jpg)
2001 Ciesielski Formal Verification 89
Explicit Model Checking - complexity
• CTL model checking is linear in the size of the formula and the size of the structure M
• Not a good news: – what if you have 1050 states?– Number of states grows exponentially with number
of variables– Explicit model checking limited to … 109 states
• Symbolic model checking can do much better
![Page 90: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/90.jpg)
2001 Ciesielski Formal Verification 90
Symbolic Model Checking
• Symbolic– operates on entire sets rather than individual states
• Uses BDD for efficient representation
– represent Kripke structure – manipulate Boolean formulas
• RESTRICT and APPLY logic operators
• Quantification operators– Existential: x f = f |x=0 + f |x=1 (smoothing)
– Universal: x f = f |x=0 • f |x=1 (consensus)
![Page 91: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/91.jpg)
2001 Ciesielski Formal Verification 91
Symbolic Model Checking - exampleTraffic Light Controller
• Encode the atomic propositions (G1,R1,Y1, G2,Y2,R2): use [a b c d] for present state, [v x y z] for next state
a b c d
G1 1 1 - -Y1 0 1 - -R1 1 0 - -G2 - - 1 1Y2 - - 0 1R2 - - 1 0 R1 G2
Y1 R2
G1 R2
R1 Y2
s1
s3
s4
s211 10
10 01
01 1010 11
![Page 92: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/92.jpg)
2001 Ciesielski Formal Verification 92
Example - cont’d
• Represent the set of states as Boolean formula Q:
Q = abcd’ + a’bcd’ + ab’cd + ab’c’d
R1 G2
Y1 R2
G1 R2
R1 Y2
s1
s3
s4
s211 10
10 01
01 1010 11
• Store Q in a BDD
(It will be used to perform logic
operations, such as S(G1) S(G2)
![Page 93: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/93.jpg)
2001 Ciesielski Formal Verification 93
Example - cont’d
• Write a characteristic function R for the transition relation R =abcd’vxyz’ + abcd’v’xyz’ + … + ab’c’dvxyz’
(6 terms)
R1 G2
Y1 R2
G1 R2
R1 Y2
s1
s3
s4
s211 10
10 01
01 1010 11
abcd vxyz
1110 1110 11110 0110 10110 1011 11011 1011 11011 1001 11001 1110 1
R
• Store R in a BDD. It will be used for Pre-Image computation for EF.
![Page 94: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/94.jpg)
2001 Ciesielski Formal Verification 94
Example - Fairness Condition
• Check fairness condition: E F (G1 G2 )
• Step 1: compute S(G1), S(G2) using RESTRICT operator
– S(G1): ab·Restrict Q(G1) = ab Q|ab = abcd’ = {s1}
– S(G2): cd·Restrict Q(G2) = cd Q|cd = ab’cd = {s3}
• Step 2: compute S(G1) S(G2 ) using APPLY operator– Construct BDD for (abcd’ + ab’cd) = {s1, s3}, set of states
labeled with G1 or G2
![Page 95: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/95.jpg)
2001 Ciesielski Formal Verification 95
Example – cont’d
• s’ {s1’,s3’} • R(s,s’) ) =
= vxyz(vxyz’ + vx’yz) • R(a,b,c,d;v,x,y,z)
= vxyz(abcd’vxyz’ + a’bcd’vx’yz + ab’cdvx’yz + ab’c’dvxyz’)
= (abcd’ + a’bcd’ + ab’cd + ab’c’d) = {s1, s2, s3, s4}
• Compare to the result of explicit algoritm
• Step 3: compute S(EF (G1 G2 )) using Pre-Image computation (quanitfy w.r.to next state variables)
• Recall: R = abcd’vxyz’ + abcd’v’xyz’+ … + ab’c’dvxyz’
![Page 96: 2001 CiesielskiFormal Verification1 FORMAL METHODS IN HARDWARE VERIFICATION Maciej Ciesielski Dept. of Electrical & Computer Engineering University](https://reader031.vdocuments.us/reader031/viewer/2022020219/56649d305503460f94a085cd/html5/thumbnails/96.jpg)
2001 Ciesielski Formal Verification 96
Example – Interpretation
• Pre-Img(s1’,s3’,R) eliminates those
transitions which do not reach {s1,s3}
R1 G2
Y1 R2
G1 R2
R1 Y2
s1
s3
s4
s211 10
10 01
01 1010 11
abcd vxyz
1110 1110 11110 0110 10110 1011 11011 1011 11011 1001 11001 1110 1
R
X
X
• Quantification w.r.to next state variables (v,x,y,z)
gives the encoded present states {s1,s2,s3,s4}