CS137: Today Electronic Design Automation Sequential Verification - PDF document

CS137: Today Electronic Design Automation • Sequential Verification – DFA equivalence – Issues • Extracting STG Day 9: February 10, 2006 • Valid state reduction FSM Equivalence Checking • Incomplete Specification – Solutions • State PODEM • State/path exploration 1 2 CALTECH CS137 Winter2006 -- DeHon CALTECH CS137 Winter2006 -- DeHon Cornerstone Result FSM Equivalence • Given two DFA’s, can test their • Given same sequence of inputs equivalence in finite time – Returns same sequence of outputs • N.B.: – Can visit all states in a DFA with finite input strings • Observation means can reason about • No longer than number of states finite sequence prefixes and extend to • Any string longer must have visited some state infinite sequences which DFAs (FSMs) more than once (by pigeon-hole principle) are defined over • Cannot distinguish any prefix longer than number of states from some shorter prefix which eliminates cycle (pumping lemma) 3 4 CALTECH CS137 Winter2006 -- DeHon CALTECH CS137 Winter2006 -- DeHon Equivalence Smarter • Brute Force: • Create composite DFA – Generate all strings of length |state| • XOR together acceptance of two DFAs • (for larger DFA) in each composite state – Feed to both DFAs • Ask if the new machine accepts – Observe any differences? anything – |Alphabet| states – Anything it accepts is a proof of non- equivalence – Accepts nothing � equivalent 5 6 CALTECH CS137 Winter2006 -- DeHon CALTECH CS137 Winter2006 -- DeHon 1

Composite DFA Composite DFA • Assume know start state for each DFA • At most |alphabet|*|State1|*|State2| edges == work • Each state in composite is labeled by the pair {S1 i , S2 j } • Can group together original edges – At most product of states – i.e. in each state compute intersections of • Start in {S1 0 , S2 0 } outgoing edges • For each symbol a , create a new edge: – Really at most |E 1 |*|E 2 | – T(a,{S1 0 , S2 0 }) � {S1 i , S2 j } – If T 1 (a, S1 0 ) � S1 i, and T 2 (a, S2 0 ) � S2 j • Repeat for each composite state reached 7 8 CALTECH CS137 Winter2006 -- DeHon CALTECH CS137 Winter2006 -- DeHon Acceptance Empty Language • State {S1 i , S2 j } is an accepting state iff • Now that we have a composite state – State S1 i accepts and S2 j does not accept machine, with this acceptance – State S1 i does not accept and S2 j accepts • Question : does this composite state • If S1 i and S2 j have the same acceptance for machine accept anything? all composite states, it is impossible to distinguish the machines – Is there a reachable state which accepts – They are equivalent the input? • A state with differing acceptance – Implies a string which is accepted by one machine but not the other 9 10 CALTECH CS137 Winter2006 -- DeHon CALTECH CS137 Winter2006 -- DeHon Answering Empty Language Reachability Search • Start at composite start state {S1 0 , S2 0 } • Worst: explore all edges at most once • Search for path to an Accepting state – O(|E|)=O(|E 1 |*|E 2 |) • Use any search (BFS, DFS) • Actually, should be able to find during • End when find accepting state composite construction – Not equivalent – If only follow edges, fill-in as search • OR when have explored entire reachable graph w/out finding – Are equivalent 11 12 CALTECH CS137 Winter2006 -- DeHon CALTECH CS137 Winter2006 -- DeHon 2

Example Issues to Address • Get State-Transition Graph from s0 0 1 q0 – RTL, Logic 0 1 • Incompletely specified FSM? s1 s2 1 0 1 0 q1 q2 • Know valid (possible) states? 0 0 1 0 1 s3 s4 • Know start State for Logic? 0 1 1 • Computing the composite FSM may be large = accept state 13 14 CALTECH CS137 Winter2006 -- DeHon CALTECH CS137 Winter2006 -- DeHon Getting STG from Logic Getting STG Verilog/VHDL • Brute Force • Gather up logic to wait statement – For each state – Make one state • For each input minterm – Simulate/compute output • Split states (add edges) on if/else, – Add edges select – Compute set of states will transition to • Backedges with while/for • Smarter – Branching edges on loop conditions – Use modified PODEM to justify outputs and next state • Start state is first state at beginning of • Exploit cube grouping, search pruning code. 15 16 CALTECH CS137 Winter2006 -- DeHon CALTECH CS137 Winter2006 -- DeHon CS137a: Day6 PODEM state extraction Delay Computation • Search for all reachable states • Modification of a testing routine – Don’t stop once find one output – used to justify an output value for a circuit – Keep enumerating and generating possible • PODEM outputs – backtracking search to find a suitable input vector associated with some target output – Simply a branching search with implication pruning • Heuristic for smart variable ordering 17 18 CALTECH CS137 Winter2006 -- DeHon CALTECH CS137 Winter2006 -- DeHon 3

Incomplete State Specification Valid States • Add edge for unspecified transition to • PODEM justification finds set of possibly reachable states – Single, new, terminal state • Composite state construction and • Reachability of this state may indicate reachability further show what’s problem reachable – Actually, if both transition to this new state for same cases • So, end up finding set of valid states • Might say are equivalent – Not all possible states from state bits • Just need to distinguish one machine in this state and other not 19 20 CALTECH CS137 Winter2006 -- DeHon CALTECH CS137 Winter2006 -- DeHon Start State for Logic Memory? • Concern for size of search space • Start states should output same thing – Product set of states between two FSMs – Nodes in search space • Start search with state set {S1 0 , S2 i } for all S2 i with same output as S1 0 • Combine • Use these for acceptance – Generation (contradiction) reachability search – Reachability – State justification/enumeration 21 22 CALTECH CS137 Winter2006 -- DeHon CALTECH CS137 Winter2006 -- DeHon Composite Algorithm Start Composite Algorithm • PathEnumerate(st, path, ValStates) – // st is a state of M1 • PathEnumerate(Start(M1),empty,empty) – ValStates+=st – While !(st.enumerated) • Succeed if complete path search and • Edge=EnumerateStateFanout(st) // PODEM • Simulate Edge on M2 not fail – Equivalent result? If not return(FAIL) – Not encounter contradiction • If (Edge.FaninState(M1),Edge.FaninState(M2) in Path.Spairs) – Return(PATH_OK) ;; already visisted/expanded that state • Else – ValStates+=Edge.FaninState(M1) – Path=Path+Edge; Update Path.Spairs – PathEnuemrate(Edge.FaninState(M1),Path,ValStates) 23 24 CALTECH CS137 Winter2006 -- DeHon CALTECH CS137 Winter2006 -- DeHon 4

Big Ideas Admin • Equivalence • Class Monday: Processor Verification – Same observable behavior – Internal implementation irrelevant • No Class Wednesday • Number/organization of states, encoding of state bits… • Friday: 10:30am—noon + 1:30—3pm • Exploit structure – Proposed Plan of Attack – Finite DFA … necessity of reconvergent paths – Sequential baseline also due – Pruning Search – group together cubes – Limit to valid/reachable states • Proving invariants vs. empirical verification 25 26 CALTECH CS137 Winter2006 -- DeHon CALTECH CS137 Winter2006 -- DeHon 5