Digitaalsüsteemide verifitseerimise kursus (Digital Systems Verification course)
Formal verification: Property checking
Property checking
• If the designs to be verified are sequential and the correspondence between their states is not known, equivalence checking is not an option
• Property checking traverses the full search space (bounded or unbounded) to check whether a property holds in the design
• Property checking is also needed when incomplete or abstract specifications are verified
Types of properties
• A safety property states that something undesired never happens (a bad state is never reached)
• A liveness property states that something required eventually happens
• A fairness property states that certain states (or transitions) are visited repeatedly, i.e. infinitely often, along an execution
Properties as an automaton
Communication between the traffic light controller (TLC) and the property automaton, with the properties:
1. North-South traffic has a different light than East-West traffic
2. The traffic light follows the sequence R, G, Y, R, G, Y, ...
Temporal structure & computation trees
• In general, writing properties as automata is inconvenient
• Therefore other approaches are applied: temporal logic, computation trees, ...
Temporal structure & computation trees
• State graph and state sequence
Temporal structure & computation trees
• State transition tree
Temporal logic
• Consider 3 logics: LTL (linear temporal logic), CTL (computation tree logic) and CTL*
• LTL assumes a linear time model, while CTL assumes a branching time model
• Two types of formulae in temporal logic: state formulae and path formulae
Temporal logic: LTL
• LTL considers a single path
• 2 temporal operators: X (neXt) and U (Until)
• LTL formulae:
  – Every Boolean variable is an LTL formula
  – If f and g are LTL formulae, then ~f and f+g (negation and disjunction) are LTL formulae
  – If f and g are LTL formulae, then f U g and X g are LTL formulae
Temporal logic: LTL
• More complex operators can be derived:
• F g = TRUE U g, i.e. g will eventually become true (Finally)
• G f = ~(F ~f), i.e. f is always (Globally) true
• f R g = ~(~f U ~g), i.e. g must hold up to and including the first state where f holds; if f never holds, g must hold forever (Release operation)
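As an added example (not code from the course slides), the LTL definitions above written out as an evaluator over ultimately periodic words, i.e. a finite prefix followed by a loop, which is the shape of every counter-example a model checker produces. Only X and U are primitive; F, G and R are exactly the rewrites listed above. The `LassoWord` class, the constructor names (`ap`, `NOT`, ...), the `TRUE` constant and the sample words are all constructed here. `release_direct` implements f R g from its definition so that the rewrite ~(~f U ~g) can be cross-checked against it:

```python
# Added example (not from the course slides): LTL over ultimately periodic
# words (a finite prefix followed by a loop), with X and U as the only temporal
# primitives. F, G and R are exactly the rewrites given on the slide. Names
# (LassoWord, ap, ...) and the sample words are constructed for this example.
from typing import List, Set

Formula = tuple  # ('true',) | ('ap', p) | ('not', f) | ('or', f, g) | ('X', f) | ('U', f, g)

TRUE: Formula = ('true',)
def ap(p: str) -> Formula: return ('ap', p)
def NOT(f: Formula) -> Formula: return ('not', f)
def OR(f: Formula, g: Formula) -> Formula: return ('or', f, g)
def X(f: Formula) -> Formula: return ('X', f)
def U(f: Formula, g: Formula) -> Formula: return ('U', f, g)

# Derived operators, as on the slide
def F(g: Formula) -> Formula: return U(TRUE, g)                         # F g = TRUE U g
def G(f: Formula) -> Formula: return NOT(F(NOT(f)))                     # G f = ~(F ~f)
def R(f: Formula, g: Formula) -> Formula: return NOT(U(NOT(f), NOT(g)))  # f R g = ~(~f U ~g)
def AND(f: Formula, g: Formula) -> Formula: return NOT(OR(NOT(f), NOT(g)))
def IMPLIES(f: Formula, g: Formula) -> Formula: return OR(NOT(f), g)


class LassoWord:
    """Infinite word prefix . loop^omega; each letter is the set of atomic propositions true there."""

    def __init__(self, prefix: List[Set[str]], loop: List[Set[str]]):
        if not loop:
            raise ValueError("loop must be non-empty: LTL is interpreted over infinite words")
        self.prefix, self.loop = prefix, loop
        self.n, self.p = len(prefix), len(loop)

    def letter(self, i: int) -> Set[str]:
        return self.prefix[i] if i < self.n else self.loop[(i - self.n) % self.p]

    def horizon(self, i: int) -> int:
        # Every distinct suffix reachable from position i starts before this bound:
        # the rest of the prefix plus one full loop period.
        return max(i, self.n) + self.p

    def sat(self, f: Formula, i: int = 0) -> bool:
        op = f[0]
        if op == 'true':
            return True
        if op == 'ap':
            return f[1] in self.letter(i)
        if op == 'not':
            return not self.sat(f[1], i)
        if op == 'or':
            return self.sat(f[1], i) or self.sat(f[2], i)
        if op == 'X':
            return self.sat(f[1], i + 1)
        if op == 'U':  # f[1] holds at every position before the first position where f[2] holds
            for j in range(i, self.horizon(i)):
                if self.sat(f[2], j):
                    return True
                if not self.sat(f[1], j):
                    return False
            return False
        raise ValueError(f"unknown operator {op!r}")

    def release_direct(self, f: Formula, g: Formula, i: int = 0) -> bool:
        """Release by its definition, to cross-check the rewrite: g holds at every
        position up to and including the first one where f holds; if f never holds,
        g must hold forever."""
        for j in range(i, self.horizon(i)):
            if not self.sat(g, j):
                return False
            if self.sat(f, j):
                return True
        return True  # g held over a full period, hence forever


# Constructed sample words
W_GOOD = LassoWord([{'g'}, {'g'}, {'f', 'g'}, set()], [set()])   # g holds until f releases it
W_BAD = LassoWord([{'g'}, set(), {'f', 'g'}], [set()])           # g dropped before f appeared
W_FOREVER = LassoWord([], [{'g'}])                                # f never holds, g holds forever

# The traffic-light sequence property from the slides as an LTL formula:
# G((R -> X G) & (G -> X Y) & (Y -> X R)), checked on the word (R G Y)^omega
LIGHT_SEQUENCE = G(AND(AND(IMPLIES(ap('R'), X(ap('G'))),
                           IMPLIES(ap('G'), X(ap('Y')))),
                       IMPLIES(ap('Y'), X(ap('R')))))
TRAFFIC_LIGHT = LassoWord([], [{'R'}, {'G'}, {'Y'}])


def release_rewrite_agrees(w: LassoWord) -> bool:
    """True iff ~(~f U ~g) and the direct definition of f R g agree at every distinct position of w."""
    f, g = ap('f'), ap('g')
    return all(w.sat(R(f, g), i) == w.release_direct(f, g, i) for i in range(w.horizon(0)))
```

The horizon bound is what makes the check finite: on a lasso word every suffix is identical to one starting within the prefix or within the first loop period after it, so an Until witness either appears in that window or never.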
Temporal logic: CTL
• CTL has 8 operators: AX, EX, AG, EG, AF, EF, AU and EU
• In fact all of them can be expressed with three: EX, EG and EU
  AX f = ~EX(~f)
  AF f = ~EG(~f)
  AG f = ~EF(~f)
  EF f = E(TRUE U f)
  A(f U g) = ~E(~g U (~f ∧ ~g)) ∧ ~EG(~g)      (∧ denotes AND)
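As an added example (not code from the course), the reductions above implemented as a small CTL model checker on an explicit Kripke structure: EX, EG and EU are computed directly (EG as a greatest fixpoint, EU as a least fixpoint), and the other five operators are only the rewrites from the slide. The `Kripke` class, the single-light controller `TLC` (states R, G, Y with the labels red, green, yellow) and the property functions are constructed for this example:

```python
# Added example (not from the course slides): a CTL model checker on an
# explicit Kripke structure with EX, EG and EU as the only primitives; the
# remaining operators are the rewrites from the slide. The Kripke class and the
# single-light traffic controller below are constructed for this example.
from typing import Dict, FrozenSet, Set

StateSet = FrozenSet[str]


class Kripke:
    def __init__(self, succ: Dict[str, Set[str]], labels: Dict[str, Set[str]]):
        # The EG fixpoint below assumes a total transition relation
        # (every state has at least one successor), as CTL semantics does.
        if not all(succ[s] for s in succ):
            raise ValueError("transition relation must be total")
        self.states: StateSet = frozenset(succ)
        self.succ = succ
        self.labels = labels

    def atom(self, p: str) -> StateSet:
        return frozenset(s for s in self.states if p in self.labels[s])

    def neg(self, f: StateSet) -> StateSet:
        return self.states - f

    def implies(self, f: StateSet, g: StateSet) -> StateSet:
        return self.neg(f) | g

    # --- the three primitives ---------------------------------------------
    def EX(self, f: StateSet) -> StateSet:
        return frozenset(s for s in self.states if self.succ[s] & f)

    def EG(self, f: StateSet) -> StateSet:
        # greatest fixpoint: drop f-states that cannot stay inside the set
        z = set(f)
        while True:
            z2 = {s for s in z if self.succ[s] & z}
            if z2 == z:
                return frozenset(z)
            z = z2

    def EU(self, f: StateSet, g: StateSet) -> StateSet:
        # least fixpoint: g, plus f-states with a successor already in the set
        z = set(g)
        while True:
            z2 = z | {s for s in f if self.succ[s] & z}
            if z2 == z:
                return frozenset(z)
            z = z2

    # --- derived operators, exactly the rewrites on the slide ----------------
    def AX(self, f: StateSet) -> StateSet:
        return self.neg(self.EX(self.neg(f)))                 # AX f = ~EX(~f)

    def EF(self, f: StateSet) -> StateSet:
        return self.EU(self.states, f)                        # EF f = E(TRUE U f)

    def AF(self, f: StateSet) -> StateSet:
        return self.neg(self.EG(self.neg(f)))                 # AF f = ~EG(~f)

    def AG(self, f: StateSet) -> StateSet:
        return self.neg(self.EF(self.neg(f)))                 # AG f = ~EF(~f)

    def AU(self, f: StateSet, g: StateSet) -> StateSet:
        nf, ng = self.neg(f), self.neg(g)                     # A(f U g) = ~E(~g U (~f & ~g)) & ~EG(~g)
        return self.neg(self.EU(ng, nf & ng)) & self.neg(self.EG(ng))


# Constructed model: one traffic light cycling R -> G -> Y -> R
TLC = Kripke(
    succ={"R": {"G"}, "G": {"Y"}, "Y": {"R"}},
    labels={"R": {"red"}, "G": {"green"}, "Y": {"yellow"}},
)


def follows_sequence(ks: Kripke, init: str = "R") -> bool:
    """Property 2 from the slides: AG((red -> AX green) & (green -> AX yellow) & (yellow -> AX red))."""
    red, green, yellow = ks.atom("red"), ks.atom("green"), ks.atom("yellow")
    step_ok = (ks.implies(red, ks.AX(green))
               & ks.implies(green, ks.AX(yellow))
               & ks.implies(yellow, ks.AX(red)))
    return init in ks.AG(step_ok)


def green_inevitable(ks: Kripke) -> bool:
    """Liveness: AF green holds in every state."""
    return ks.AF(ks.atom("green")) == ks.states


def no_yellow_before_green(ks: Kripke) -> StateSet:
    """A(~yellow U green): the states from which yellow cannot show up before green."""
    return ks.AU(ks.neg(ks.atom("yellow")), ks.atom("green"))
```

Because each operator returns the set of states where the formula holds, a property is checked by testing membership of the initial state; a model whose R state may loop on itself (R -> {R, G}) fails both `follows_sequence` and `green_inevitable`, since EG(~green) then contains R.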
Temporal logic: SystemVerilog Assertions
• SystemVerilog Assertions (SVA) and PSL are temporal languages too!
Property checking in automata
1. Describe the property as an automaton in which some states represent success or failure of the property
2. Compose the design automaton with the property automaton (product automaton)
3. The property holds iff no failure composite state is reachable
Property checking in automata: throwing dice
• A and B throw dice. When A gets more points, then
  – A's score is incremented by 1 if it is not 2; if it is 2, it becomes 0 again
  – B's score is decremented by 1 if it is not 0
• If B gets more points, the same applies with A and B interchanged
• If A and B get equal points, the scores are unchanged
Property checking in automata: throwing dice
• Check two properties:
1. Can we have a draw 1:1?
2. Can we have a draw 2:2?
Language containment
• Verify: L(D) ⊆ L(P)?
1. Construct the complement automaton ¬P of the property automaton P
2. Compose: D × ¬P
3. L(D) ⊆ L(P) iff L(D × ¬P) = Ø
Symbolic computation and model-checking
• The graph-based algorithms described above operate on explicitly enumerated automata and Kripke structures
• They are not applicable to large designs: a circuit with 100 flip-flops has 2^100 states...
• In symbolic computation we do not enumerate states, but convert state traversal into operations on Boolean functions (a set of states and the transition relation are each represented by a Boolean function)
• This allows larger designs to be verified
Symbolic computation and model-checking
• Forward traversal of states:
Generating counter-examples
• Forward traversal until a faulty state is reached
• Backward traversal from the faulty state using symbolic computation
• During the backward traversal we restrict the pre-image at each step to the states obtained in the corresponding forward traversal step
• This is needed to guarantee that the backward walk reaches the initial state!
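As an added example (not code from the course), the three-step procedure of "Property checking in automata" and the forward/backward counter-example generation above, both run on the dice game from the slides. The design automaton `dice_step`, the property automaton `draw_monitor` (whose absorbing FAIL state plays the role of ¬P in the product D × ¬P) and the input alphabet `INPUTS` are constructed here. The traversal is explicit-state (Python sets of states) rather than symbolic; a BDD-based checker would hold the same layers as Boolean functions, but the layering logic is the same:

```python
# Added example (not from the course slides): property checking by automaton
# composition on the dice game, plus counter-example extraction by the
# forward/backward traversal described on the slides. It is explicit-state
# (Python sets of states); a symbolic checker would keep the same layers as
# Boolean functions (BDDs), but the traversal logic is identical. All names
# (dice_step, draw_monitor, ...) and the input alphabet are constructed here.
from typing import Callable, List, Optional, Set, Tuple

Score = Tuple[int, int]                 # (A's score, B's score), each in {0, 1, 2}
INPUTS = ("A_wins", "B_wins", "tie")    # outcome of one throw


def bump(winner: int, loser: int) -> Tuple[int, int]:
    """Winner +1 (2 wraps to 0); loser -1 unless already 0."""
    return (0 if winner == 2 else winner + 1), (loser if loser == 0 else loser - 1)


def dice_step(s: Score, inp: str) -> Score:
    """Design automaton D: the dice game from the slides."""
    a, b = s
    if inp == "A_wins":
        return bump(a, b)
    if inp == "B_wins":
        b2, a2 = bump(b, a)
        return (a2, b2)
    return s                            # equal points: scores unchanged


def draw_monitor(n: int) -> Callable[[str, Score], str]:
    """Property automaton P_n for 'a draw n:n never occurs'; FAIL is absorbing."""
    def step(m: str, observed: Score) -> str:
        return "FAIL" if m == "FAIL" or observed == (n, n) else "OK"
    return step


def compose(step_d, step_m):
    """Product automaton D x P: step the design, then feed its new state to the monitor."""
    def step(ps, inp):
        d2 = step_d(ps[0], inp)
        return (d2, step_m(ps[1], d2))
    return step


def forward_layers(init, step, inputs, bad) -> Tuple[List[Set], bool]:
    """R0 = {init}, R_{i+1} = Img(R_i) minus everything seen so far.
    Stops at the first layer containing a bad state, or at the fixpoint."""
    layers, seen = [{init}], {init}
    while not any(bad(s) for s in layers[-1]):
        frontier = {step(s, i) for s in layers[-1] for i in inputs} - seen
        if not frontier:
            return layers, False        # fixpoint reached: no bad state is reachable
        seen |= frontier
        layers.append(frontier)
    return layers, True


def counterexample(init, step, inputs, bad) -> Optional[Tuple[List, List[str]]]:
    """Backward traversal from a bad state; each pre-image is restricted to the
    forward layer of the same depth, which guarantees the walk ends in init."""
    layers, found = forward_layers(init, step, inputs, bad)
    if not found:
        return None
    cur = min(s for s in layers[-1] if bad(s))      # min(): deterministic choice
    states, used = [cur], []
    for layer in reversed(layers[:-1]):
        pred, inp = min((p, i) for p in layer for i in inputs if step(p, i) == cur)
        states.append(pred)
        used.append(inp)
        cur = pred
    return list(reversed(states)), list(reversed(used))


def reachable_scores() -> Set[Score]:
    """All score pairs the design alone can reach from 0:0."""
    layers, _ = forward_layers((0, 0), dice_step, INPUTS, lambda s: False)
    return set().union(*layers)


def check_draw(n: int) -> Optional[Tuple[List[Score], List[str]]]:
    """None if 'no draw n:n' holds; otherwise the score trace and throw outcomes leading to it."""
    step = compose(dice_step, draw_monitor(n))
    ce = counterexample(((0, 0), "OK"), step, INPUTS, lambda ps: ps[1] == "FAIL")
    if ce is None:
        return None
    states, used = ce
    return [d for d, _ in states], used
```

`check_draw(1)` returns a shortest trace to a 1:1 draw (three throws), while `check_draw(2)` returns None: the forward traversal reaches its fixpoint after six score pairs without ever entering FAIL, so the 2:2 draw is unreachable. Restricting each backward step to the forward layer of the same depth is what makes the extracted trace both valid and minimal in length.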