Digital Systems Verification Course (Digitaalsüsteemide verifitseerimise kursus)

Formal verification: Property checking

Upload: merry-ferguson

Post on 17-Dec-2015

Property checking

• If the designs to be verified are sequential and the correspondence between their states is not known, equivalence checking is not an option.

• Property checking traverses the full state space (bounded or unbounded) to check whether a property holds in the design.

• Property checking is also needed when incomplete or abstract specifications are verified.

Types of properties

• A safety property states that something undesired never happens: no reachable state violates it.

• A liveness property states that something required eventually happens.

• A fairness property states that some states are visited repeatedly, i.e. infinitely often along the executions considered.

Properties as an automaton

Communication between the traffic light controller (TLC) and a property automaton, with properties:

1. North-South traffic has a different light than East-West traffic.

2. The traffic light follows the sequence R, G, Y, R, G, Y, ...

[figure: the property automaton]

Temporal structure & computation trees

• In general, using property automata is inconvenient.

• Therefore other approaches are applied: temporal logic, computation trees, ...

• State graph and state sequence [figure]

• State transition tree [figure]

Kripke structures: computation tree [figure]

Temporal logic

• Consider three logics:
  – LTL (linear temporal logic),
  – CTL (computation tree logic) and
  – CTL*

• LTL assumes a linear-time model, while CTL assumes a branching-time model.

• Two types of formulae in temporal logic: state formulae and path formulae.

Temporal logic: LTL

• LTL considers a single path.

• Two temporal operators: X (neXt) and U (Until).

• LTL formulae:
  – Every Boolean variable is an LTL formula.
  – If f and g are LTL formulae, then ~f and f+g (f OR g) are LTL formulae.
  – If f and g are LTL formulae, then f U g and X g are LTL formulae.

Temporal logic: LTL

• More complex operators can be derived:

• F g = TRUE U g, i.e. g will eventually become true (Finally)

• G f = ~F(~f), i.e. f is always (Globally) true

• f R g = ~(~f U ~g), i.e. g must hold up to and including the point where f first becomes true; if f never becomes true, g must hold forever (Release)

Temporal logic: CTL

• CTL includes 8 operators: AX, EX, AG, EG, AF, EF, AU and EU.

• In fact all of them can be expressed with three: EX, EG and EU (∧ denotes conjunction, written as juxtaposition on the slide):

  AX f = ~EX(~f)
  AF f = ~EG(~f)
  AG f = ~EF(~f)
  EF f = E(TRUE U f)
  A(f U g) = ~E(~g U (~f ∧ ~g)) ∧ ~EG(~g)
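The reduction to EX, EG and EU is easiest to see when written as fixpoint computations on sets of states. The following added example (not code from the original slides) is a minimal explicit-state CTL model checker: only EX, EG and EU are implemented directly, the other five operators are derived exactly as in the equivalences above, and sets of states stand in for the BDDs a symbolic checker would use. The Kripke structure of the two-direction traffic light, its state names and its atomic propositions (`ns_R`, `ew_G`, ...) are this example's own assumptions, based on the TLC properties sketched earlier.

```python
"""Minimal explicit-state CTL model checker (added example, not from the slides).
Sets of states replace BDDs; the slides' f+g and fg become | and & on sets."""


class Kripke:
    """Finite Kripke structure: states, total transition relation, labelling."""

    def __init__(self, states, trans, label):
        self.S = frozenset(states)
        self.R = {s: frozenset(trans[s]) for s in states}
        self.L = {s: frozenset(label[s]) for s in states}
        assert all(self.R[s] for s in states), "transition relation must be total"

    def atom(self, p):
        """States labelled with atomic proposition p."""
        return frozenset(s for s in self.S if p in self.L[s])

    def NOT(self, x):
        return self.S - x

    # ---- the three base operators ---------------------------------------
    def EX(self, x):
        """States with at least one successor in x."""
        return frozenset(s for s in self.S if self.R[s] & x)

    def EG(self, x):
        """Greatest fixpoint of Z = x ∩ EX(Z): some path stays in x forever."""
        z = x
        while True:
            z_next = x & self.EX(z)
            if z_next == z:
                return z
            z = z_next

    def EU(self, x, y):
        """Least fixpoint of Z = y ∪ (x ∩ EX(Z)): some path has x until y."""
        z = y
        while True:
            z_next = y | (x & self.EX(z))
            if z_next == z:
                return z
            z = z_next

    # ---- derived operators, literally the slide's equivalences ----------
    def AX(self, x):
        return self.NOT(self.EX(self.NOT(x)))

    def EF(self, x):
        return self.EU(self.S, x)

    def AF(self, x):
        return self.NOT(self.EG(self.NOT(x)))

    def AG(self, x):
        return self.NOT(self.EF(self.NOT(x)))

    def AU(self, x, y):
        not_y = self.NOT(y)
        return self.NOT(self.EU(not_y, self.NOT(x) & not_y)) & self.NOT(self.EG(not_y))

    def holds(self, x, init):
        """A state formula holds in the model iff the initial state satisfies it."""
        return init in x


def build_tlc(buggy=False):
    """Assumed TLC model: NS and EW each cycle R -> G -> Y -> R, the other
    direction being red meanwhile. buggy=True adds a transition NS=Y -> NS=G."""
    label = {
        "s0": {"ns_R", "ew_G"},
        "s1": {"ns_R", "ew_Y"},
        "s2": {"ns_G", "ew_R"},
        "s3": {"ns_Y", "ew_R"},
    }
    trans = {"s0": {"s1"}, "s1": {"s2"}, "s2": {"s3"}, "s3": {"s0"}}
    if buggy:
        trans["s3"] = {"s0", "s2"}
    return Kripke(list(label), trans, label)


def verify(m, init="s0"):
    """Check the two slide properties plus a liveness property."""
    ns_R, ns_G, ns_Y = m.atom("ns_R"), m.atom("ns_G"), m.atom("ns_Y")
    ew_R, ew_G, ew_Y = m.atom("ew_R"), m.atom("ew_G"), m.atom("ew_Y")
    # Property 1 (safety): NS and EW never show the same colour.
    same = (ns_R & ew_R) | (ns_G & ew_G) | (ns_Y & ew_Y)
    different = m.AG(m.NOT(same))
    # Property 2 (sequence): after G comes Y, after Y comes R (f -> g is ~f + g).
    seq = m.AG(m.NOT(ns_G) | m.AX(ns_Y)) & m.AG(m.NOT(ns_Y) | m.AX(ns_R))
    # Liveness: whenever NS is red it eventually becomes green.
    live = m.AG(m.NOT(ns_R) | m.AF(ns_G))
    return {
        "different_lights": m.holds(different, init),
        "rgy_sequence": m.holds(seq, init),
        "red_eventually_green": m.holds(live, init),
    }


if __name__ == "__main__":
    print(verify(build_tlc()))              # all three True
    print(verify(build_tlc(buggy=True)))    # rgy_sequence False
```

The mutated model shows what a failed check looks like: the extra Y -> G edge leaves `rgy_sequence` false in every state because the violating state is reachable from all of them, while the safety property, which only depends on the labelling, still passes.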

Temporal logic: CTL

• Operation AX(f): f holds in all immediate successors of the state [figure]

• Operation EX(f): f holds in at least one immediate successor [figure]

• Operation AG(f): f holds in every state of every path [figure]

• Operation EG(f): f holds in every state of at least one path [figure]

• Operation AF(f): on every path f eventually holds [figure]

• Operation EF(f): on at least one path f eventually holds [figure]

• Operation A(f U g): on every path f holds until g holds [figure]

• Operation E(f U g): on at least one path f holds until g holds [figure]

Temporal logic: SystemVerilog Assertions

• SystemVerilog Assertions (SVA) and PSL are also temporal languages!
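As an added illustration (not from the original slides), the two TLC properties used earlier written as SystemVerilog Assertions, so the temporal flavour of SVA is visible: the safety property is a plain invariant, the sequence property uses the non-overlapping implication `|=>` (the next-cycle operator X), and a liveness property uses `s_eventually` (the F operator). The module interface, the signal names `clk`, `rst_n`, `ns_light`, `ew_light` and the 2-bit light encoding are this example's assumptions.

```systemverilog
// Added example, not from the slides: TLC properties as SVA.
// Interface, signal names and light encoding are assumptions.
module tlc_props (
  input logic       clk,
  input logic       rst_n,
  input logic [1:0] ns_light,
  input logic [1:0] ew_light
);
  localparam logic [1:0] R = 2'd0, G = 2'd1, Y = 2'd2;

  // Property 1 (safety): North-South never shows the same light as East-West.
  a_different: assert property (
    @(posedge clk) disable iff (!rst_n) ns_light != ew_light);

  // Property 2 (sequence): a light may stay in a colour for several cycles,
  // but when it changes it must follow R -> G -> Y -> R.
  property p_next(l, from, to);
    @(posedge clk) disable iff (!rst_n)
      (l == from) |=> (l == from || l == to);
  endproperty

  a_ns_rg: assert property (p_next(ns_light, R, G));
  a_ns_gy: assert property (p_next(ns_light, G, Y));
  a_ns_yr: assert property (p_next(ns_light, Y, R));
  a_ew_rg: assert property (p_next(ew_light, R, G));
  a_ew_gy: assert property (p_next(ew_light, G, Y));
  a_ew_yr: assert property (p_next(ew_light, Y, R));

  // Liveness: a red light eventually turns green. In simulation this can
  // only be reported as unfinished; a model checker proves or refutes it.
  a_ns_live: assert property (
    @(posedge clk) disable iff (!rst_n)
      (ns_light == R) |-> s_eventually (ns_light == G));
endmodule
```

Bound to the design with `bind`, the same assertions serve both simulation (monitors) and formal property checking (targets), which is the point of having a temporal language embedded in the HDL.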

Property checking in automata

1. Describe the property as an automaton in which some states represent success or failure of the property.

2. Compose the design automaton with the property automaton (product automaton).

3. The property holds iff no failure composite state is reachable.

Property checking in automata: throwing dice

• A and B throw dice. When A gets more points, then
  – A's score is incremented by 1, if the score is not 2. If the score is 2, it becomes 0 again.
  – B's score is decremented by 1, if the score is not 0.

• If B gets more points, the same applies with A and B interchanged.

• If A and B get equal points, the score is unchanged.

• Check two properties:

1. Can we have a draw 1:1?

2. Can we have a draw 2:2?

[figure: design automaton of the dice game]

[figure: composition with the property automaton]

Language containment

• Verify: L(D) ⊆ L(P)?

1. Construct the complementary automaton ¬P for the property automaton P.

2. Compose: D × ¬P.

3. L(D) ⊆ L(P) iff L(D × ¬P) = Ø.

Language containment in verification

[figure]

Symbolic computation and model checking

• The graph-based algorithms described above operate on automata and Kripke structures.

• They are not applicable to large designs: a circuit with 100 flip-flops has 2^100 states...

• In symbolic computation we do not enumerate states; state traversal is expressed as operations on Boolean functions (the characteristic functions of state sets).

• This lets us verify larger designs.

• Forward traversal of states [figure]

Generating counter-examples

• Forward traversal until a faulty state is reached.

• Backward traversal from the faulty state using symbolic computation.

• During the backward traversal the pre-image is restricted to the state sets obtained during the forward traversal.

• This is needed to guarantee that the backward walk reaches the initial state!

[figure]
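The dice game above and this counter-example scheme fit together in one worked example. The following is added code, not code from the original slides: the dice game is the design automaton, reachability is computed as a sequence of forward image layers (the frontier of each step), and a counter-example is extracted by walking backwards with pre-images restricted to those layers, which is exactly why the walk is guaranteed to end at the initial state. Explicit Python sets are used instead of BDDs, so the example shows the algorithm rather than the symbolic encoding. The state encoding `(score_A, score_B)`, the initial state `(0, 0)` and the function names are this example's assumptions.

```python
"""Dice-game property checking with forward image layers and a layer-restricted
backward pre-image for counter-examples (added example, not from the slides)."""

INIT = (0, 0)   # assumption: both scores start at 0


def bump(score, won):
    """Slide rule for one player: +1 wrapping 2 -> 0 on a win, -1 floored at 0 on a loss."""
    if won:
        return 0 if score == 2 else score + 1
    return score if score == 0 else score - 1


def successors(state):
    """Design automaton: one throw has three outcomes (A more, B more, equal)."""
    a, b = state
    return {
        (bump(a, True), bump(b, False)),   # A throws more points
        (bump(a, False), bump(b, True)),   # B throws more points
        (a, b),                            # equal points: score unchanged
    }


def image(states):
    """Forward image: all successors of a set of states."""
    return set().union(*(successors(s) for s in states))


def preimage(states, within):
    """Backward pre-image restricted to 'within': its members with a successor in states."""
    return {s for s in within if successors(s) & states}


def forward_layers(init=INIT):
    """Frontier sets F0 = {init}, F1, F2, ...: the states first reached at step k."""
    layers, reached = [{init}], {init}
    while True:
        new = image(layers[-1]) - reached
        if not new:
            return layers
        reached |= new
        layers.append(new)


def reachable(init=INIT):
    return set().union(*forward_layers(init))


def counterexample(bad, init=INIT):
    """Shortest run from init into the set 'bad', or None if bad is unreachable."""
    layers = forward_layers(init)
    for k, layer in enumerate(layers):
        hit = layer & bad
        if hit:
            break
    else:
        return None
    trace = [min(hit)]                      # any bad state of the earliest layer
    # Every state in F_{j+1} has a predecessor in F_j, so restricting each
    # pre-image to F_j keeps the walk non-empty and ends it at init after k steps.
    for j in range(k - 1, -1, -1):
        trace.insert(0, min(preimage({trace[0]}, layers[j])))
    return trace


def can_draw(n):
    """Property automaton "never a draw n:n" has one failure state, entered when
    the design reaches (n, n); in the product the failure composite states are
    exactly those, so the check reduces to reachability of (n, n)."""
    return counterexample({(n, n)})


if __name__ == "__main__":
    print("reachable:", sorted(reachable()))
    print("draw 1:1 :", can_draw(1))   # a witness run from (0, 0)
    print("draw 2:2 :", can_draw(2))   # None: no such state is reachable
```

Only six of the nine score pairs are reachable; 1:1 is reached in three throws, while 2:2 (and 2:1, 1:2) can never occur because a score of 2 can only be produced by a win, which simultaneously pushes the opponent's score down to at most 1. With BDDs the layers become Boolean functions and `image`/`preimage` become existential quantification over the relation, but the counter-example walk is the same.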

Equivalence of sequential circuits

• How to perform sequential equivalence checking without a one-to-one mapping of states?

• We have to check whether a state in which the output of the combined miter circuit is 1 is reachable.