4/19/2005jhj1 structure-independent sequential equivalence checking ee290a uc berkeley spring 2005

4/19/2005 JHJ 1

Structure-independent Sequential Equivalence Checking

EE290A

UC BerkeleySpring 2005

2

Outline

Design verification Combinational vs. sequential equivalence checking

Sequential equivalence checking by Reachability analysis

Explicit vs. implicit Forward vs. backward Exact vs. approximate Deterministic vs. probabilistic

State space partitioning From state equivalence to FSM equivalence Explicit vs. implicit

Connection between reachability and state equivalenceExperimentsConclusions

3

Outline






4

Design verification

Equivalence verification is the most important problem in design verificationHardness of equivalence verification

Combinational Verification w/o structure similarities

NP-complete Verification w/ structure similarities

P- to NP-complete Sequential

Verification w/o structure similarities PSPACE-complete

Verification w/ structure similarities E.g., retiming equivalence P- to PSPACE-complete

design verification

RTLsynthesis

Logicsynthesis

Physicaldesign

HDL-program

IC layout

Sili

con

Com

pile

r

5

Combinational equivalence checking

Considered being solved in practical design instances State-of-the-art solvers are powered with hybrid engines

using BDD, SAT and AIG Capable of verifying million-transistor microprocessor designs

Existence of structural similarities in real designs is the key to success

If the relation between state encodings is known, sequential equivalence checking reduces to combinational oneIn general, combinational EC is not complete to prove sequential equivalence (i.e., equivalence between FSMs)

E.g., FSMs retimed and resynthesized with unknown transformation history, or FSMs optimized using sequential don’t cares

6

Sequential equivalence checking

Special case of invariant verification (safety property checking)To describe properties, at times temporal formula are not sufficient (need a monitor!)

In SEC, the monitor is the correct FSM to be compared with

Used in the construction of product machines or multiplexed machines

Two approaches to SEC: reachability analysis vs. state space partitioning

7

Outline






8

SEC by state traversal

Product machine Composition of an FSM and a monitor Composition reveals bad states (state pairs with

different output observations) Cf. Mealy- and Moore-type FSMs

M1

i o

M2

i o

s0 s1

0/1

1/1

0/0 1/0

t0 t2

0/1

1/1

0/0 1/0

t1

t30/0

1/0

0/11/1

M1

io

M2

s0

t0s1

t2

0/0

1/0

0/0 1/0

s1

t1

s0

t30/0

1/0

0/01/0

s1

t0

0/1

1/1

0/1

1/1

s0

t1

s0

t20/1 1/1

s1

t3

1/10/1

9

Reachability analysis

Explicit vs. implicit Explicit graph enumeration

Reachability analysis over state transition graphs Practical for FSMs less than ~10 state variables

Implicit symbolic computation Iterative image computation over quantified Boolean

formula BDD- or SAT-based manipulations One step traversal from C(s):

Img(s’) = x, s. [i (si’ Ti(x,s))] C(s)

Practical for FSMs less than ~100 state variables

We will be concerned with implicit approaches based on BDDs

O. Coudert et al: Verification of Synchronous Sequential Machines Based on Symbolic Execution. Automatic Verification Methods for Finite State Systems 1989: 365-373

10


Forward vs. backward Forward analysis asks if bad states

are reachable from initial states Backward analysis asks if initial

states are reachable from bad states

Two approaches are incomparable A forward diameter can be

exponentially shorter than a backward one, and vice versa

Meet-in-the-middle by combining both directions

s0

t0s1

t1

s1

t2

s0

t3

R0R1

R2+

R0+

s1

t0

s1

t3

s0

t2

s0

t1

Forward

Backward

T. Filkorn: A Method for Symbolic Verification of Synchronous Circuits. Proc. Int'l Symp. Computer Hardware Description Languages and their Applications 1991: 249-259.

s0

t0s1

t2

0/0

1/0

0/0 1/0

s1

t1

s0

t30/0

1/0

0/01/0

s1

t0

0/1

1/1

0/1

1/1

s0

t1

s0

t20/1 1/1

s1

t3

1/10/1

11


Exact vs. approximate Exact image computation is complete but more

expensive Approximate image computation is cheaper but

incomplete (has false-negative or false-positive) Decomposing an FSM into several sub-FSMs

E.g., by partitioning state variables Traverse each sub-FSM independently (over-approximation)

High-density reachability analysis (which combines BFS and DFS) can be either exact or under-approximate

Compute dense subsets of BDDs Prefer a small BDD represent a large state set

Avoid memory explosion by subsetting newly reached state sets

K. Ravi and F. Somenzi: High-density reachability analysis. ICCAD 1995: 154-158.

H. Cho, et. al: Algorithms for Approximate FSM Traversal. DAC 1993: 25-30.

12


Deterministic vs. probabilistic Deterministic

Exhaustive search Probabilistic

Random walk on graphs Monte Carlo or Las Vegas

A. Kuehlmann, K. McMillan, R. Brayton: Probabilistic state space search. ICCAD 1999: 574-579

13


Other state traversal issues Abstraction, localization Cone of influence reduction

Transitive fanin in unfolded time-frame expansion Quantification scheduling Input/output splitting …

14

Outline






15

SEC by state space partitioning

Arguing FSM equivalence from state equivalence

State equivalence Two states of an FSM are equivalent iff, starting from

any of them, the IO behaviors of the FSM cannot be differentiated

FSM equivalence Two FSMs are equivalent iff, starting from their

respective initial states, they are indistinguishable from their IO behaviors

16

State equivalence

Explicit vs. implicit Explicit approach

Remove non-equivalent state pairs iteratively from a tableau Implicit approach

Representing an equivalence relation with Boolean formula Backward reachability analysis over product machine!

Representing equivalence classes with Boolean formula Functional composition over the original machine (to be

discussed)

We are concerned with implicit approaches

17

Identify state equivalence on product machine

Backward reachability analysis

io

M

M

18

FSM equivalence

Explicit vs. implicit Explicit graph enumeration

State minimization followed by graph isomorphism checking Implicit symbolic computation

Backward reachability analysis! Functional composition (to be discussed)

19

Determine FSM equivalence on product machine

Backward reachability analysis

M1

io

M2

s0

t0s1

t2

0/0

1/0

0/0 1/0

s1

t1

s0

t30/0

1/0

0/01/0

s1

t0

0/1

1/1

0/1

1/1

s0

t1

s0

t20/1 1/1

s1

t3

1/10/1

20

Identify state equivalence on original machine

Given an n-state FSM M with r registers Implicit computation of equivalent states

[Pixley, CAV’90; Lin et al., ICCAD’90] Refine state equivalence relation on the product

machine of two identical copies of M Number of state variables: 2r

[Henriksen et al., TACAS’95] Compute equivalence classes on M represented by n

shared n-terminal BDDs Number of state variables: r

Question: Compute equivalence classes on M without special

representations?

21


M

PrimaryOutputs

PrimaryInputs

x y

s s'

s0 s1 s2 ...

x0

x1

x2

...

s' 3 s' 2 s' 3

s' 2 s' 1 s' 2

s' 0 s' 5 s' 0

...

...

Transition Table

s0 s1 s2 ...

x0

x1

x2

...

y1 y2 y0

y0 y1 y1

y0 y3 y0

...

...

Output Table

M = (S, s0, , , , ) y=(s,x), s'=(s,x), sS, x, y Relate output/transition tables to decomposition table in functional decomposition Columns indexed by states; rows indexed by inputs

BDD-based functional decomposition State variables bound set; input variables free set Each column pattern in output table corresponds to an

eqv node Paths lead to same eqv node represent states in same

eqv class

0 1

s

x

Cutset

22


Procedure1. Consider time-frame expansions of M

Initially 0 has all states in the same equivalence class

y=(s,x) induces a partition 1 on the state space

2. Compute 1 by BDD-based functional decomposition

Mx y

s s'

t = i+1t = i

Mx y

s s'

s0 s1 s2 ...

x0

x1

x2

...

y1 y2 y0

y0 y1 y1

y0 y3 y0

...

...

Output Table

s0s1 s2...0

s0s1 s2...1

23


Procedure (cont’d)3. Represent 1 by a characteristic function 1(s)

4. Perform functional decomposition on 1((s,x)) to derive 2-

5. Compute 2 = 12-

6. Represent 2 by a characteristic function 2(s)

7. Iterate until reach fixpoint

s0 s1 s2 ...

x0

x1

x2

...

s' 3 s' 2 s' 3

s' 2 s' 1 s' 2

s' 0 s' 5 s' 0

...

...

Transition Table

1

t = i

Mx y

s s'

t = i 1

Mx y

s s'

s0s1 s2...1

s0s1 s2...2

24


Robustness Issues for state equivalence Work on reachable state subspace (if available)

BDD constrain operator [Coudert and Madre, ICCAD’90] + restricted BDD variable ordering

Restrict BDD variable ordering only when necessary

25

SEC by state space partitioning

Extend state equivalence to machine equivalence

Verification on multiplexed machine Verification on separate machines Verification on product machine

Theorem M1 and M2 are equivalent iff their initial states, s1

0 and s2

0, are equivalent

26

Verification on Multiplexed Machine

Given two FSMs M1 and M2 with r1 and r2 registers respectively, construct their multiplexed machine M:

aux=0 M=M1; aux=1 M=M2

s0 s1

0/1

1/1

0/0 1/0

t0 t2

0/1

1/1

0/0 1/0

t1

t30/0

1/0

0/11/1

aux

0

1

M1

M2

0

1

0

1

io

27

Verification on Multiplexed Machine

Procedure1. Partition the state space of the

multiplexed machine2. Check if ( s1

0) and ( s20) are in

the same equivalence class

Other aspects Robustness issues:

Carry out verification for each output separately

Collapse “bad” equivalence classes Error tracing and shortest

distinguishing sequences0

s0

s1t0

t1 t2

t3

s0

s1t0

t1 t2

t3

1+

s0 s1

0/1

1/1

0/0 1/0

t0 t2

0/1

1/1

0/0 1/0

t1

t30/0

1/0

0/11/1

28

Product machine vs. multiplexed machine

Given two completely specified FSMs M1 and M2 with r1 and r2 registers respectively

For product machine Product state space State variables: r1+r2

For multiplexed machine Sum state space State variables: max{r1, r2}+1

29

Verification on Separate Machines

Procedure1. Partition the state spaces of M1 and M2 separately

but simultaneously Maintain two sets of shared BDDs (share BDDs below

cutset)

2. Check if s10 and s2

0 lead to the same equivalence node

Properties No interference among state variables No BDD sharing above cutset Same number of state variables as product machine

(Verification is still in the sum state space)

30

Verification on Product Machine

Properties Flexible BDD variable ordering More state variables than multiplexed machine No direct BDD simplification using unreachable

states

31

Analysis

Functional decomposition replaces quantificationsGiven two FSMs M1 and M2 converging in n1 and n2 steps respectively, then their multiplexed machine converges in exactly max{n1, n2} steps (can be improved to min{n1, n2})

Both ST (state traversal) and SP (state partitioning) find counterexamples in shortest input sequences

Suppose ST and SP converge in t and p steps respectively. Then min{t, p} is the upper bound for fixpoint computation.

32

Outline






33

Connection between reachability analysis and state equivalence

Assume bad states are unreachable from initial states in a product machine

Forward reachability analysis reveals equivalent state pairs reachable from initial state pairs

Backward reachability analysis reveals (all?) non-equivalent state pairs

Backward reachability analysis is more powerful in identifying equivalent states

34

Outline






35

Experimental Results

Compare three equivalence checking techniques

STPM state traversal on product machine SPPM state partitioning on product machine SPMM state partitioning on multiplexed machine

Conduct experiments on a Linux machine with Pentium III 700 MHz CPU, 2Gb RAM

36


Circuit

Reg Overall Partition Worst Partial Partition STPM SPPM SPMM

whl (rf) rch (rf) whl (rf) rch (rf) Mb sec Mb sec Mb sec

s1196

18 82944 (2) 1509 (2) 96 (3) 56 (3) 28.3 2.3 25.1 1.5 12.4 1.2

s298 14 8061 (16) 135 (12) 249 (24) 118 (20) 7.8 0.2 16.4 1.0 8.7 0.2

s344 15 18608 (5) 1801 (5) 248 (8) 35 (6) 12.9 1.6 45.9 6.3 9.4 0.9

s349 15 18608 (5) 1801 (5) 248 (8) 35 (6) 12.7 1.5 35.4 6.3 9.4 0.9

s382 21 608448 (93) 8865 (93)

17174 (183) 8597 (183)

12.6 4.8 51.9 14.1 34.5 98.7

s400 21 608448 (93) 8865 (93)

17174 (183) 8597 (183)

12.8 4.9 52.1 14.1 34.5 98.7

s420.1

16 65536 (32768) 45.1 669.2 37.9 290.9 58.1 4.5e+4

s444 21 608448 (93) 8865 (93)

17174 (183) 8597 (183)

12.7 4.8 52.2 13.9 37.3 133.6

s499 22 4.1e+6 (1) 22 (1) 24 (21) 22 (21) 299 157.1 16.5 1.0 8.6 0.2

s526 21 1.4e+6 (119)

8868 (93)

43068 (199) 8597 (183)

22.5 7.1 65.0 888.5 39.1 88.3

s526n

21 1.4e+6 (119)

8868 (93)

43068 (199) 8597 (183)

16.6 4.4 63.7 891.2 39.0 88.2

s641 19 294912 (1) 1480 (1) 24750 (8) 1248 (8) 11.9 0.7 128 95.8 39.5 3.3

s713 19 294912 (1) 1480 (1) 24750 (8) 1248 (8) 11.8 0.7 128 92.3 39.2 6.4

s953 29 N/A 504 (2) 42 (10) 35 (10) 11.3 0.1 58.9 82.7 11.9 1.1

ss967 29 N/A 549 (2) 42 (10) 35 (10) 11.4 0.9 62.5 68.0 10.3 0.5

s991 19 327680 (1) 10 (2) 35.4 26.4 >2G N/A 10.7 0.3

37


Circuit Reg Overall Partition Worst Partial Partition STPM SPPM SPMM

whl (rf) rch (rf) whl (rf) rch (rf) Mb sec Mb sec Mb sec

bigkey 224 N/A 4 (2) >2G N/A >2G N/A 21.4 1.5

clma 33 N/A N/A 5950 (178)

142 134.6 >2G N/A 113 9862.9

mm4a 12 3616 (1) 712 (1) 452 (2) 217 (1) 8.6 0.3 7.7 0.1 15.3 0.2

mm9a 27 N/A 522244 (2) 260617 (1)

82.1 1.2e+5 58.9 16.6 267 1.5e+4

mm9b 26 N/A N/A 260617 (1)

>2G N/A >2G N/A 306 6768.5

mult16a 16 65536 (16)

65535 (16)

65536 (16) 65535 (16)

8.5 0.2 8.4 0.1 62.0 42.0

sbc 28 N/A N/A 23048 (10)

>2G N/A >2G N/A 985 8.2e+4

control 35 N/A 43 (2) 14 (6) 8 (5) 191 79.4 46.1 7.9 20.3 1.1

IFetchCtl2

59 N/A N/A 9434 (37) >2G N/A >2G N/A 97.4 3762.7

IFetchCtl3

61 N/A N/A 8442 (39) >2G N/A >2G N/A 106 3912.9

parsepack

70 N/A 18 (9) 10 (9) >2G N/A 64.9 110.9 15.0 1.9

parsesys 312 N/A 164 (21) N/A >2G N/A 458 2.9e+4 94.8 21.5

8085* 193 N/A 309619 (28)

N/A >2G N/A >2G N/A 1165 2.3e+6

bpb 36 N/A 512 (3) >2G N/A 51.7 62.9 23.3 4.5

38


Elements to succeed Reduce state variables almost by a half Incorporate simplification using unreachable states Verify each output separately

Parallel processing

Limitation 106 equivalence classes per output

39

Experimental results

Identify state equivalence by BDD-based functional decompositionPose the equivalence checking problem as the state equivalence problem of the multiplexed machineVerify benchmarks with up to 312 registers, including all of the control outputs of microprocessor 8085More scalable for high speed designs

40

Outline






41

Conclusions

Two different frameworks on SEC State traversal based on reachability analysis

In product space State space partitioning based on state equivalence

In product space or disjoint union space

SAT-based SEC Unbounded model checking is based on state

traversal on product machine How about state space partitioning over multiplexed

machine?

4/19/2005jhj1 structure-independent sequential equivalence checking ee290a uc berkeley spring 2005

Documents

combinational equivalence

fsm equivalence explicit

retiming equivalence

state encodings

state space partitioning

reachability analysis

state variables impl

implicit forward