4/19/2005 JHJ
Structure-independent Sequential Equivalence Checking
EE290A
UC Berkeley, Spring 2005
Outline
- Design verification
  - Combinational vs. sequential equivalence checking
- Sequential equivalence checking by reachability analysis
  - Explicit vs. implicit
  - Forward vs. backward
  - Exact vs. approximate
  - Deterministic vs. probabilistic
- State space partitioning
  - From state equivalence to FSM equivalence
  - Explicit vs. implicit
- Connection between reachability and state equivalence
- Experiments
- Conclusions
Design verification
- Equivalence verification is the most important problem in design verification
- Hardness of equivalence verification
  - Combinational
    - Verification w/o structure similarities: NP-complete
    - Verification w/ structure similarities: P- to NP-complete
  - Sequential
    - Verification w/o structure similarities: PSPACE-complete
    - Verification w/ structure similarities (e.g., retiming equivalence): P- to PSPACE-complete
[Figure: the design flow ("silicon compiler") from HDL program through RTL synthesis, logic synthesis and physical design to IC layout; design verification checks equivalence between the stages of this flow.]
Combinational equivalence checking
- Considered solved for practical design instances
  - State-of-the-art solvers are powered by hybrid engines using BDD, SAT and AIG
  - Capable of verifying million-transistor microprocessor designs
- The existence of structural similarities in real designs is the key to success
- If the relation between the state encodings is known, sequential equivalence checking reduces to a combinational one
- In general, combinational EC is not complete for proving sequential equivalence (i.e., equivalence between FSMs)
  - E.g., FSMs retimed and resynthesized with unknown transformation history, or FSMs optimized using sequential don't cares
Sequential equivalence checking
- Special case of invariant verification (safety property checking)
  - To describe properties, temporal formulas are at times not sufficient (a monitor is needed!)
  - In SEC, the monitor is the correct FSM to be compared with
  - Used in the construction of product machines or multiplexed machines
- Two approaches to SEC: reachability analysis vs. state space partitioning
SEC by state traversal
- Product machine
  - Composition of an FSM and a monitor
  - Composition reveals bad states (state pairs with different output observations)
  - Cf. Mealy- and Moore-type FSMs
[Figure: two Mealy machines M1 (states s0, s1) and M2 (states t0, t1, t2, t3) over input i and output o, with edges labelled input/output, and their product machine whose states are the pairs (s0,t0), (s1,t2), (s1,t1), (s0,t3), (s1,t0), (s0,t1), (s0,t2), (s1,t3).]
Reachability analysis
- Explicit vs. implicit
  - Explicit graph enumeration
    - Reachability analysis over state transition graphs
    - Practical for FSMs with fewer than ~10 state variables
  - Implicit symbolic computation
    - Iterative image computation over quantified Boolean formulas
    - BDD- or SAT-based manipulations
    - One-step traversal from the current state set C(s), where T_i is the next-state function of state bit i:
      $\mathrm{Img}(s') = \exists x, s.\ \Big[\bigwedge_i \big(s_i' \equiv T_i(x, s)\big)\Big] \wedge C(s)$
    - Practical for FSMs with fewer than ~100 state variables
- We will be concerned with implicit approaches based on BDDs
O. Coudert et al.: Verification of Synchronous Sequential Machines Based on Symbolic Execution. Automatic Verification Methods for Finite State Systems 1989: 365-373
Reachability analysis
- Forward vs. backward
  - Forward analysis asks if bad states are reachable from the initial states
  - Backward analysis asks if the initial states are reachable from the bad states (traversing transitions in reverse)
  - The two approaches are incomparable: a forward diameter can be exponentially shorter than a backward one, and vice versa
  - Meet-in-the-middle by combining both directions
[Figure: forward traversal of the product machine from the initial pair (s0,t0) through the frontiers R0, R1, R2+, and backward traversal from the bad pairs through R0+; the pairs visited include (s1,t1), (s1,t2), (s0,t3), (s1,t0), (s1,t3), (s0,t2), (s0,t1).]
T. Filkorn: A Method for Symbolic Verification of Synchronous Circuits. Proc. Int'l Symp. Computer Hardware Description Languages and their Applications 1991: 249-259.
[Figure: the product machine of M1 and M2 (state pairs with input/output edge labels), repeated from the state-traversal slide.]
Reachability analysis
- Exact vs. approximate
  - Exact image computation is complete but more expensive
  - Approximate image computation is cheaper but incomplete (it can yield false negatives or false positives)
    - Decomposing an FSM into several sub-FSMs, e.g., by partitioning the state variables, and traversing each sub-FSM independently (over-approximation)
    - High-density reachability analysis (which combines BFS and DFS) can be either exact or under-approximate
      - Compute dense subsets of BDDs: prefer a small BDD that represents a large state set
      - Avoid memory explosion by subsetting the newly reached state sets
K. Ravi and F. Somenzi: High-density reachability analysis. ICCAD 1995: 154-158.
H. Cho et al.: Algorithms for Approximate FSM Traversal. DAC 1993: 25-30.
Reachability analysis
- Deterministic vs. probabilistic
  - Deterministic: exhaustive search
  - Probabilistic: random walk on graphs (Monte Carlo or Las Vegas)
A. Kuehlmann, K. McMillan, R. Brayton: Probabilistic state space search. ICCAD 1999: 574-579
Reachability analysis
- Other state traversal issues
  - Abstraction, localization
  - Cone of influence reduction: transitive fanin in the unfolded time-frame expansion
  - Quantification scheduling
  - Input/output splitting
  - ...
SEC by state space partitioning
- Arguing FSM equivalence from state equivalence
  - State equivalence: two states of an FSM are equivalent iff, starting from either of them, the I/O behaviors of the FSM cannot be differentiated
  - FSM equivalence: two FSMs are equivalent iff, starting from their respective initial states, they are indistinguishable by their I/O behaviors
State equivalence
- Explicit vs. implicit
  - Explicit approach: remove non-equivalent state pairs iteratively from a tableau
  - Implicit approach
    - Representing an equivalence relation with a Boolean formula: backward reachability analysis over the product machine!
    - Representing equivalence classes with a Boolean formula: functional composition over the original machine (to be discussed)
- We are concerned with implicit approaches
Identify state equivalence on product machine
- Backward reachability analysis
[Figure: the product machine of two copies of M driven by the same input i, with their outputs compared to produce o.]
FSM equivalence
- Explicit vs. implicit
  - Explicit graph enumeration: state minimization followed by graph isomorphism checking
  - Implicit symbolic computation: backward reachability analysis! Functional composition (to be discussed)
Determine FSM equivalence on product machine
- Backward reachability analysis
[Figure: the product machine of M1 and M2 (state pairs (s_j, t_k) with input/output edge labels), as on the state-traversal slide.]
Identify state equivalence on original machine
- Given an n-state FSM M with r registers
- Implicit computation of equivalent states
  - [Pixley, CAV'90; Lin et al., ICCAD'90]: refine the state equivalence relation on the product machine of two identical copies of M; number of state variables: 2r
  - [Henriksen et al., TACAS'95]: compute equivalence classes on M, represented by n shared n-terminal BDDs; number of state variables: r
- Question: can we compute equivalence classes on M without special representations?
Identify state equivalence on original machine
[Figure: machine M with primary inputs x, primary outputs y, current state s and next state s'.]

Transition table (columns indexed by states, rows by inputs):

|     | s0  | s1  | s2  | ... |
|-----|-----|-----|-----|-----|
| x0  | s'3 | s'2 | s'3 | ... |
| x1  | s'2 | s'1 | s'2 | ... |
| x2  | s'0 | s'5 | s'0 | ... |
| ... |     |     |     |     |

Output table:

|     | s0 | s1 | s2 | ... |
|-----|----|----|----|-----|
| x0  | y1 | y2 | y0 | ... |
| x1  | y0 | y1 | y1 | ... |
| x2  | y0 | y3 | y0 | ... |
| ... |    |    |    |     |

- M = (S, s0, I, O, λ, δ) with output y = λ(s, x) and next state s' = δ(s, x), for s ∈ S, x ∈ I, y ∈ O (the input/output alphabets and the output and next-state functions are written here with standard Mealy-machine symbols; the slide's own symbols did not survive extraction)
- Relate the output/transition tables to the decomposition table of functional decomposition: columns indexed by states, rows indexed by inputs
- BDD-based functional decomposition: state variables form the bound set, input variables the free set
  - Each distinct column pattern in the output table corresponds to an equivalence node at the cutset
  - Paths that lead to the same equivalence node represent states in the same equivalence class
[Figure: a BDD with the state variables s above the cutset and the input variables x below it, terminals 0 and 1.]
Identify state equivalence on original machine
- Procedure (partitions written here as P0, P1, ...; the slide's partition symbol did not survive extraction)
  1. Consider time-frame expansions of M (frames t = i and t = i+1)
     - Initially P0 has all states in the same equivalence class
     - The output function y = λ(s, x) induces a partition P1 on the state space
  2. Compute P1 by BDD-based functional decomposition of the output table (columns indexed by states, rows by inputs)
[Figure: two time frames of M (x, y, s, s') and the output table; the single class of P0 (s0, s1, s2, ...) splits into the classes of P1, grouping states with identical output columns.]
Identify state equivalence on original machine
- Procedure (cont'd)
  3. Represent P1 by a characteristic function P1(s)
  4. Perform functional decomposition on P1(δ(s, x)) to derive P2^- (states grouped by the classes of their next states)
  5. Compute P2 = P1 · P2^- (the product of the two partitions, i.e., their coarsest common refinement)
  6. Represent P2 by a characteristic function P2(s)
  7. Iterate until a fixpoint is reached
[Figure: frames t = i and t = i+1 of M with the transition table (columns s0, s1, s2, ..., rows x0, x1, x2, ...); P1 applied to the next-state columns refines the classes of P1 into those of P2.]
Identify state equivalence on original machine
- Robustness issues for state equivalence
  - Work on the reachable state subspace (if available)
    - BDD constrain operator [Coudert and Madre, ICCAD'90] + restricted BDD variable ordering
    - Restrict the BDD variable ordering only when necessary
SEC by state space partitioning
- Extend state equivalence to machine equivalence
  - Verification on the multiplexed machine
  - Verification on separate machines
  - Verification on the product machine
- Theorem: M1 and M2 are equivalent iff their initial states s1_0 and s2_0 are equivalent
Verification on multiplexed machine
- Given two FSMs M1 and M2 with r1 and r2 registers respectively, construct their multiplexed machine M: aux = 0 ⇒ M behaves as M1; aux = 1 ⇒ M behaves as M2
[Figure: M1 (states s0, s1) and M2 (states t0, t1, t2, t3) side by side; the auxiliary state bit aux (0 selects M1, 1 selects M2) chooses which machine consumes the shared input i and drives the shared output o.]
Verification on multiplexed machine
- Procedure
  1. Partition the state space of the multiplexed machine
  2. Check if s1_0 (with aux = 0) and s2_0 (with aux = 1) are in the same equivalence class
- Other aspects
  - Robustness issues: carry out verification for each output separately; collapse "bad" equivalence classes
  - Error tracing and shortest distinguishing sequences
[Figure: the states s0, s1, t0, t1, t2, t3 of the multiplexed machine, first in the single class P0 and then in the refined classes P1+, alongside the two machines M1 and M2.]
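The partitioning procedure (steps 1 to 7 on the preceding slides) and the multiplexed-machine check, as an added worked example that is not the slides' own code. Refinement is done explicitly over the output and transition tables instead of by BDD functional decomposition: round one groups states by their output column (P1), and every later round groups them by the pair (output, class of next state) over all inputs, which is the explicit counterpart of P_{k+1} = P_k · P_{k+1}^-. The machines M1, M2 and M3 are constructed for the example (M2 is a non-minimal M1, M3 has one corrupted output); the multiplexed machine adds a constant aux bit to each state, and the optional `reachable_only` flag restricts refinement to the states reachable from the two initial states, the slides' "work on the reachable state subspace" point.

```python
# Constructed Mealy machines: (initial_state, table) with table[state][input] = (next_state, output).
M1 = ("s0", {
    "s0": {0: ("s0", 0), 1: ("s1", 0)},
    "s1": {0: ("s0", 1), 1: ("s1", 1)},
})
# M2 is equivalent to M1 but not minimal: t0,t2 behave like s0 and t1,t3 like s1.
M2 = ("t0", {
    "t0": {0: ("t0", 0), 1: ("t1", 0)},
    "t1": {0: ("t2", 1), 1: ("t3", 1)},
    "t2": {0: ("t0", 0), 1: ("t1", 0)},
    "t3": {0: ("t2", 1), 1: ("t3", 1)},
})
# M3 is M2 with one wrong output (t3 on input 1), a constructed bug.
M3 = ("t0", {**M2[1], "t3": {0: ("t2", 1), 1: ("t3", 0)}})


def reachable(table, init):
    """States reachable from init. The set is closed under successors, so a
    partition may be refined over it alone."""
    seen, stack = {init}, [init]
    while stack:
        for nxt, _ in table[stack.pop()].values():
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def refine_partition(table, states=None):
    """Explicit partition refinement (steps 1-7 of the slides, on tables).

    P0 puts every state in one class. Each round computes, per state, its column
    of (output, class of next state) over all inputs; states with identical
    columns share a class, which is P_k refined by the next-state classes. The
    fixpoint is reached when a round splits no class. `states` may restrict the
    refinement to a successor-closed subset such as the reachable states.
    Returns a dict state -> class id.
    """
    states = list(table) if states is None else list(states)
    inputs = sorted(next(iter(table.values())))
    cls = {s: 0 for s in states}                          # P0: a single class
    while True:
        seen, new = {}, {}
        for s in states:
            column = tuple((table[s][x][1], cls[table[s][x][0]]) for x in inputs)
            new[s] = seen.setdefault(column, len(seen))   # one id per distinct column
        if len(seen) == len(set(cls.values())):           # nothing split: fixpoint
            return new
        cls = new


def equivalence_classes(table, states=None):
    """The partition as a set of frozensets, for readable comparisons."""
    groups = {}
    for s, c in refine_partition(table, states).items():
        groups.setdefault(c, set()).add(s)
    return {frozenset(g) for g in groups.values()}


def multiplexed_machine(ma, mb):
    """Disjoint union of the two machines selected by a state bit aux that never
    changes: aux=0 runs ma, aux=1 runs mb. The state space is the sum of the two
    state spaces (max{r1, r2}+1 state variables once encoded), not the product."""
    table = {}
    for aux, (_, t) in ((0, ma), (1, mb)):
        for s, edges in t.items():
            table[(aux, s)] = {x: ((aux, n), o) for x, (n, o) in edges.items()}
    return table


def sec_multiplexed(ma, mb, reachable_only=False):
    """ma and mb are equivalent iff their initial states fall in the same class
    of the multiplexed machine's partition."""
    table = multiplexed_machine(ma, mb)
    init_a, init_b = (0, ma[0]), (1, mb[0])
    states = reachable(table, init_a) | reachable(table, init_b) if reachable_only else None
    cls = refine_partition(table, states)
    return cls[init_a] == cls[init_b]


if __name__ == "__main__":
    print("classes of M2:", equivalence_classes(M2[1]))   # {t0,t2} and {t1,t3}
    print("M1 ~ M2:", sec_multiplexed(M1, M2))            # True
    print("M1 ~ M3:", sec_multiplexed(M1, M3))            # False
```

On M1 x M3 the refinement needs four rounds: t3 is split off by its output column, that split propagates to t1 (whose next state on input 1 is t3) in the second round and to t0 and t2 in the third, at which point (0, s0) and (1, t0) no longer share a class. Round counts like this are the "converges in n steps" quantity of the analysis slide.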
Product machine vs. multiplexed machine
- Given two completely specified FSMs M1 and M2 with r1 and r2 registers respectively
  - For the product machine: product state space; state variables: r1 + r2
  - For the multiplexed machine: sum state space; state variables: max{r1, r2} + 1
Verification on separate machines
- Procedure
  1. Partition the state spaces of M1 and M2 separately but simultaneously; maintain two sets of shared BDDs (share BDDs below the cutset)
  2. Check if s1_0 and s2_0 lead to the same equivalence node
- Properties
  - No interference among state variables
  - No BDD sharing above the cutset
  - Same number of state variables as the product machine (verification is still in the sum state space)
Verification on product machine
- Properties
  - Flexible BDD variable ordering
  - More state variables than the multiplexed machine
  - No direct BDD simplification using unreachable states
Analysis
- Functional decomposition replaces quantifications
- Given two FSMs M1 and M2 converging in n1 and n2 steps respectively, their multiplexed machine converges in exactly max{n1, n2} steps (can be improved to min{n1, n2})
- Both ST (state traversal) and SP (state partitioning) find counterexamples as shortest input sequences
- Suppose ST and SP converge in t and p steps respectively; then min{t, p} is an upper bound for the fixpoint computation
Connection between reachability analysis and state equivalence
- Assume bad states are unreachable from the initial states in a product machine
  - Forward reachability analysis reveals the equivalent state pairs reachable from the initial state pair
  - Backward reachability analysis reveals (all?) non-equivalent state pairs
- Backward reachability analysis is more powerful in identifying equivalent states
Experimental results
- Compare three equivalence checking techniques
  - STPM: state traversal on the product machine
  - SPPM: state partitioning on the product machine
  - SPMM: state partitioning on the multiplexed machine
- Experiments conducted on a Linux machine with a Pentium III 700 MHz CPU and 2 GB RAM
Experimental results

Reg = number of registers. "Overall partition" and "Worst partial partition" (worst single output, for per-output verification) give the number of equivalence classes on the whole state space (whl) and on the reachable state space (rch), with the number of refinement iterations in parentheses (rf); column meanings as read from the slide's abbreviations. STPM/SPPM/SPMM give peak memory (Mb) and run time (sec); >2G = exceeded the 2 GB memory; N/A = not available; blank cells carry no value on the slide.

| Circuit | Reg | Overall whl (rf) | Overall rch (rf) | Worst partial whl (rf) | Worst partial rch (rf) | STPM Mb | STPM sec | SPPM Mb | SPPM sec | SPMM Mb | SPMM sec |
|---|---|---|---|---|---|---|---|---|---|---|---|
| s1196 | 18 | 82944 (2) | 1509 (2) | 96 (3) | 56 (3) | 28.3 | 2.3 | 25.1 | 1.5 | 12.4 | 1.2 |
| s298 | 14 | 8061 (16) | 135 (12) | 249 (24) | 118 (20) | 7.8 | 0.2 | 16.4 | 1.0 | 8.7 | 0.2 |
| s344 | 15 | 18608 (5) | 1801 (5) | 248 (8) | 35 (6) | 12.9 | 1.6 | 45.9 | 6.3 | 9.4 | 0.9 |
| s349 | 15 | 18608 (5) | 1801 (5) | 248 (8) | 35 (6) | 12.7 | 1.5 | 35.4 | 6.3 | 9.4 | 0.9 |
| s382 | 21 | 608448 (93) | 8865 (93) | 17174 (183) | 8597 (183) | 12.6 | 4.8 | 51.9 | 14.1 | 34.5 | 98.7 |
| s400 | 21 | 608448 (93) | 8865 (93) | 17174 (183) | 8597 (183) | 12.8 | 4.9 | 52.1 | 14.1 | 34.5 | 98.7 |
| s420.1 | 16 | 65536 (32768) | | | | 45.1 | 669.2 | 37.9 | 290.9 | 58.1 | 4.5e+4 |
| s444 | 21 | 608448 (93) | 8865 (93) | 17174 (183) | 8597 (183) | 12.7 | 4.8 | 52.2 | 13.9 | 37.3 | 133.6 |
| s499 | 22 | 4.1e+6 (1) | 22 (1) | 24 (21) | 22 (21) | 299 | 157.1 | 16.5 | 1.0 | 8.6 | 0.2 |
| s526 | 21 | 1.4e+6 (119) | 8868 (93) | 43068 (199) | 8597 (183) | 22.5 | 7.1 | 65.0 | 888.5 | 39.1 | 88.3 |
| s526n | 21 | 1.4e+6 (119) | 8868 (93) | 43068 (199) | 8597 (183) | 16.6 | 4.4 | 63.7 | 891.2 | 39.0 | 88.2 |
| s641 | 19 | 294912 (1) | 1480 (1) | 24750 (8) | 1248 (8) | 11.9 | 0.7 | 128 | 95.8 | 39.5 | 3.3 |
| s713 | 19 | 294912 (1) | 1480 (1) | 24750 (8) | 1248 (8) | 11.8 | 0.7 | 128 | 92.3 | 39.2 | 6.4 |
| s953 | 29 | N/A | 504 (2) | 42 (10) | 35 (10) | 11.3 | 0.1 | 58.9 | 82.7 | 11.9 | 1.1 |
| s967 | 29 | N/A | 549 (2) | 42 (10) | 35 (10) | 11.4 | 0.9 | 62.5 | 68.0 | 10.3 | 0.5 |
| s991 | 19 | 327680 (1) | 10 (2) | | | 35.4 | 26.4 | >2G | N/A | 10.7 | 0.3 |
| bigkey | 224 | N/A | 4 (2) | | | >2G | N/A | >2G | N/A | 21.4 | 1.5 |
| clma | 33 | N/A | N/A | 5950 (178) | | 142 | 134.6 | >2G | N/A | 113 | 9862.9 |
| mm4a | 12 | 3616 (1) | 712 (1) | 452 (2) | 217 (1) | 8.6 | 0.3 | 7.7 | 0.1 | 15.3 | 0.2 |
| mm9a | 27 | N/A | 522244 (2) | 260617 (1) | | 82.1 | 1.2e+5 | 58.9 | 16.6 | 267 | 1.5e+4 |
| mm9b | 26 | N/A | N/A | 260617 (1) | | >2G | N/A | >2G | N/A | 306 | 6768.5 |
| mult16a | 16 | 65536 (16) | 65535 (16) | 65536 (16) | 65535 (16) | 8.5 | 0.2 | 8.4 | 0.1 | 62.0 | 42.0 |
| sbc | 28 | N/A | N/A | 23048 (10) | | >2G | N/A | >2G | N/A | 985 | 8.2e+4 |
| control | 35 | N/A | 43 (2) | 14 (6) | 8 (5) | 191 | 79.4 | 46.1 | 7.9 | 20.3 | 1.1 |
| IFetchCtl2 | 59 | N/A | N/A | 9434 (37) | | >2G | N/A | >2G | N/A | 97.4 | 3762.7 |
| IFetchCtl3 | 61 | N/A | N/A | 8442 (39) | | >2G | N/A | >2G | N/A | 106 | 3912.9 |
| parsepack | 70 | N/A | 18 (9) | 10 (9) | | >2G | N/A | 64.9 | 110.9 | 15.0 | 1.9 |
| parsesys | 312 | N/A | 164 (21) | N/A | | >2G | N/A | 458 | 2.9e+4 | 94.8 | 21.5 |
| 8085* | 193 | N/A | 309619 (28) | N/A | | >2G | N/A | >2G | N/A | 1165 | 2.3e+6 |
| bpb | 36 | N/A | 512 (3) | | | >2G | N/A | 51.7 | 62.9 | 23.3 | 4.5 |
Experimental results
- Elements to succeed
  - Reduce the number of state variables almost by half
  - Incorporate simplification using unreachable states
  - Verify each output separately
  - Parallel processing
- Limitation: about 10^6 equivalence classes per output
Experimental results
- Identify state equivalence by BDD-based functional decomposition
- Pose the equivalence checking problem as the state equivalence problem of the multiplexed machine
- Verify benchmarks with up to 312 registers, including all of the control outputs of the 8085 microprocessor
- More scalable for high-speed designs
Conclusions
- Two different frameworks for SEC
  - State traversal based on reachability analysis: in the product space
  - State space partitioning based on state equivalence: in the product space or the disjoint union space
- SAT-based SEC
  - Unbounded model checking is based on state traversal on the product machine
  - How about state space partitioning over the multiplexed machine?