Induced hierarchical verification of asynchronous circuits using a partial order technique
INDUCED HIERARCHICAL VERIFICATION OF ASYNCHRONOUS CIRCUITS USING A PARTIAL ORDER TECHNIQUE

by Vida Vakilotojar

A Dissertation Presented to the FACULTY OF THE GRADUATE SCHOOL, UNIVERSITY OF SOUTHERN CALIFORNIA, in Partial Fulfillment of the Requirements for the Degree DOCTOR OF PHILOSOPHY (Computer Engineering)

August 2000

Copyright 2000 Vida Vakilotojar

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.
UMI Microform 3018140. Copyright 2001 by Bell & Howell Information and Learning Company. All rights reserved.

UNIVERSITY OF SOUTHERN CALIFORNIA, THE GRADUATE SCHOOL, UNIVERSITY PARK, LOS ANGELES, CALIFORNIA 90007

This dissertation, written by Vida Vakilotojar under the direction of her Dissertation Committee, and approved by all its members, has been presented to and accepted by The Graduate School, in partial fulfillment of requirements for the degree of DOCTOR OF PHILOSOPHY.

Dedication

To their green whose gray protect us from the gold. To their green whose white we paint rainbows on. To their green who worship during dark and bright, while we are hazy busy with the crazy limelight. To their green who dance to the silver music of the wind. To their green whose feet are in the brown, whose hands are in the blue, and whose heads are in all shades of orange, pink, red, violet, and yellow. To the trees.

To my parents, Jamileh and Karim, who brought me to this world of colors. To all my teachers who taught me how to see and love its wondrous colors. And to all my friends, and Lili, with whom I grew up, as we listened to the music of this rainbow.

Acknowledgments

I had no doubt that this was going to be the hardest part to write.
First of all, I would like to thank my thesis advisor Professor Peter Beerel, for giving me the opportunity of doing research in the amazing area of formal verification. For somebody who loves riddles and puzzles, or thinks that she does, and one who also thinks that there is a relationship between verification and solving puzzles, nothing would have been more fun than doing a Ph.D. on formal verification. But things are not usually that fun when you do a Ph.D. Peter's excellent teaching, his sheer enthusiasm and endless energy, and the diversity of his knowledge and research in the area of asynchronous circuit design have always been appraised by his students, and been a source of motivation for them, during ups and downs of graduate studies. This work started as an extension of Peter's own thesis on verification of asynchronous circuits, motivated by his strong intuition that we should be able to hide some memory elements during hierarchical verification. It took very long hours of, sometimes disappointing, discussions to finally realize that to hide those memory elements, we needed to rid ourselves of the functional abstraction of complex-gate verification, and switch to a behavioral abstraction approach that turned out to be a valid partial order reduction. That was the cornerstone of this research. I remember a friend of mine, Maryam, having seen me that day as I was walking towards the EE department, and telling me not to think too much as I walked. It has always amazed me how she could have felt that something strange was going on with me; I had just solved the puzzle! I would like to thank Peter for his support and patience as I was coding SPHINX, and in particular as I went through a sequence of revisions from a two-level verifier for gate-level circuits to a truly hierarchical verifier that can verify collections of circuit blocks and specifications.

Being able to go into that level of detail, besides our exciting discussions, helped me face many delicacies and corner points of the framework, before I started to formalize it. I also thank him for his persistent emphasis on the importance of a well-formalized theoretical framework. Without that, this thesis would have not been as it is now; something to be proud of, as I am indeed.

I would like to thank my qualifying and dissertation committee members Professors Massoud Pedram, Sandeep Gupta, Michel Dubois, and Ashish Goel for their live and exciting discussions and feedback during the qualifying exam and defense sessions, for their valuable comments and suggestions on possible future extensions of the framework, and their suggestions on improving the presentation of the thesis. In particular, I would like to thank Professor Massoud Pedram, my first advisor at USC, for his continuous support. It was under his direction that I was first introduced to formal verification.

I would like to thank Professor Melvin Breuer for his thorough courses on CAD for Physical Design and Test. His sense of humor and smile always draws forth a duplicate smile on the faces of his students. Being his teaching assistant was a great experience for me. I would also like to thank Professor Len Adleman whose wonderful course on Logic and its Applications made me even more enthusiastic about my work. My thanks also go to Douglas Ierardi for his comprehensive course on Algorithms. And here, I should thank Peter again for his wonderful teachings of CAD and VLSI courses, and for the unique design experience that they always offer to the crowd of students.

I would like to thank Professor Ken Yun of UCSD for the wonderful joint project on design and verification of an Asynchronous Differential Equation Solver that won us the Charles E. Molnar Award in Async 97. That project was a precious real world experience in concurrent design and verification for me. I would like to thank Dr. Kenneth McMillan, Dr. Patrick McGeer, and Dr. Jerry Burch for the wonderful experience in CAD software development that I had, working under their supervision at Cadence Berkeley Labs in summer 98.

I would like to thank the many anonymous reviewers of early submissions of this work to IWLS, Async, and CAV workshops and conferences, for their very constructive feedback on issues relevant to the underlying models, and also on the relationship of this work to other works. The latter helped me formalize an important chapter of this thesis on finding safe abstractions based on a very solid and well-founded partial order reduction framework.

I would like to acknowledge Professor David Dill of Stanford. His award winning thesis on hierarchical verification of speed-independent circuits was like my bible. Also, I should acknowledge Dr. Oriol Roig, for his valuable comments on this thesis that is an extension of his work on hierarchical verification of asynchronous circuits. I would like to acknowledge the use of the utilities package of VIS from UC Berkeley, and the CUDD package from University of Colorado in my verification CAD tool, SPHINX.

My special thanks go to many staff members of the EE-Systems department of USC, especially Mary Zittercob, Diane Demetras, and Tim Boston, for always being such wonderful friendly people. Thanks to other members of the USC Asynchronous CAD Group, Wei-Chun Chou, Youpyo Hong, Sangyun Kim, Hoshik Kim, Recep Ozdag, Peter Yeh, and Aiguo Xie for the diverse and interesting discussions that we had. Also, many thanks to my dear friends at USC, Stanford, UCLA, and other schools, as well as my old friends in Iran, for their continuous support and friendship.
Thanks to Ali, Amir, Babak, Farnaz, Gita, Giti, Ishwar, Jaleh, Kamran, Katy, Maryam, Maziar, Nader, Payam, Persefoni, Peyman, Pouya, Philip, Roshanak, Shadi, Shayan, Shidokht, Soroosh, Tayebeh. Thanks to my dear cousins and relatives in the US who never let me feel away from home: Mrs. Vakili, Mahnaz, Dr. Kani, Ali, Amir, Ashley, Eddie, Fakhri, Homay, Jaleh, Mani, Mark, Maryam, Mehdi, Minoo, Mitra, Nina, Sara, Shaeda, Shahram, Shina, Shoka, and Tooraj. Also thanks to other friends and family back home who always cared for me, especially my little sister and brother Mahsa and Nima.

Thanks to my dear sister Lida for her pure love and care. And last but never least, thanks to my dear mother and father, Jamileh and Karim, for their unconditional love, to which no other love compares, and for their continuous support and encouragement. To them I dedicate this dissertation.

Finally, I would like to acknowledge the financial support for my Ph.D. studies, provided by grant 98-DJ-486 from the Semiconductor Research Consortium (SRC), by other support from the Intel Corporation and the National Science Foundation (NSF), and by research and teaching assistantships from the Electrical Engineering-Systems department of University of Southern California.

Table of Contents

Dedication ii
Acknowledgments iii
List of Figures xi
Abstract xiii
1 Introduction 1
  1.1 Motivation 1
  1.2 Speed-Independent Circuit Verification 5
  1.3 Related Work 8
  1.4 Thesis Contributions 11
  1.5 Thesis Organization 14
2 Models of Circuits and Behaviors 17
  2.1 Circuit Modules 17
  2.2 Examples of Circuit Modules 23
    2.2.1 Combinational Gates 24
    2.2.2 Sequential Gates 25
    2.2.3 Specifications 29
    2.2.4 Environment Modules: Mirror of Specifications 33
  2.3 Circuit Model 34
  2.4 More on Circuit Automaton and Behavior 44
    2.4.1 Automaton Behavior and Circuit Behavior 44
    2.4.2 Projections of Behaviors 48
    2.4.3 Sub-automaton and Projection of an Automaton 53
  2.5 Safe Abstractions and Observational Sufficiency 61
  2.6 Formal Proofs 63
3 Induced Hierarchical Verification of SI, Theoretical Framework 69
  3.1 Partitioning a Circuit into Circuit-Blocks 70
  3.2 Safe Abstractions and Sub-circuits of a Circuit 72
    3.2.1 Environment Module of a Circuit Block 73
    3.2.2 Subcircuits 79
  3.3 Circuit Failure-freedom and Sub-circuits' Failure-freedom 82
  3.4 Formal Proofs 88
4 Induced Hierarchical Verification of Speed-Independence, Issues 104
  4.1 Circuit Blocks Versus Complex-Gates 104
  4.2 Selection of OSV Sets for Hierarchical Verification 107
  4.3 Sequential Hierarchical Verification, SHV 110
5 Finding Safe Abstractions 114
  5.1 Some Background 116
    5.1.1 Partial Order Reductions 117
    5.1.2 Partial Order Reduction for Stuttering Equivalence 128
  5.2 A First Partial Order Technique to Find Safe Abstractions 131
    5.2.1 Feasibility 132
    5.2.2 Conditions on the Set of External Variables 135
    5.2.3 A First Partial Order Reduction 138
  5.3 An Enhanced Partial Order Reduction 144
    5.3.1 A Complete Solution to Finding a Safe Abstraction 145
    5.3.2 Proof of Correctness 153
    5.3.3 Further Optimizations 170
6 In Comparison 175
  6.1 The Flow of Our Approach Illustrated by an Example 175
  6.2 Induced Hierarchical Verification, an Assume Guarantee Paradigm 176
  6.3 Relation to Complex-Gate Verification 177
  6.4 Comparison with other Reduction Techniques 182
7 SPHINX 186
8 Directions for Future Research 191
  8.1 Hierarchical Verification of Relative-Timed Circuits 192
  8.2 Hierarchical Verification using Multiple Safe Abstractions 202
Bibliography 209

Table 1: SPHINX Experimental Results 189

List of Figures

Figure 2.1 Module description of a NOR gate 25
Figure 2.2 Module description of a C-element gate 26
Figure 2.3 Module description of a Mutual-Exclusion element 27
Figure 2.4 Module description of a fair arbiter element 28
Figure 2.5 Module description of a DME ring of length two 31
Figure 2.6 Petri-net specification of a DME ring with all implicit places shown 33
Figure 2.7 A four-state FIFO controller in an abstract environment 46
Figure 2.8 When an automaton projection does not exist! 58
Figure 3.1 Three different partitions of the four-stage FIFO controller 72
Figure 3.2 Deriving safe specifications for circuit blocks from a safe abstraction 76
Figure 3.3 Deriving safe specifications for circuit blocks from a safe abstraction 78
Figure 3.4 A four-stage FIFO controller and its sub-circuits 81
Figure 3.5 Two overlapping arbitrary circuit blocks 86
Figure 3.6 Overlapping arbitrary blocks with a non-external common signal 87
Figure 4.1 A portion of a circuit with a multiple fan-out signal a7 106
Figure 4.2 Two solutions to the problem of overlapping complex-gates 107
Figure 4.3 An example of technology mapping 109
Figure 4.4 An example of sequential decomposition in technology mapping 110
Figure 4.5 An abstract illustration of Sequential Hierarchical Verification 111
Figure 4.6 An abstract illustration of Sequential Hierarchical Verification 113
Figure 5.1 Module description of a fair arbiter element 121
Figure 5.2 Module description of a Mutual-Exclusion element 122
Figure 5.3 Classification of dependency between two circuit variables v and w 123
Figure 5.4 Constructing partial order sub-automaton 134
Figure 5.5 Algorithm DFS_1 139
Figure 5.6 Partial order reduction using Algorithm DFS_1 140
Figure 5.7 Finding a safe abstraction using Algorithm DFS_2 145
Figure 5.8 Algorithm DFS_2 147
Figure 5.9 Algorithm Explore_internal_trans 148
Figure 5.10 On-the-fly projection and projectability check of the sub-automaton 149
Figure 5.11 Algorithm DFS_2 can create additional cycles 152
Figure 5.12 Illustration of the inductive case of Lemma 5.8 159
Figure 5.13 Illustration of case (a) in the proof of Lemma 5.8 160
Figure 5.14 Illustration of case (b) in the proof of Lemma 5.8 161
Figure 5.15 Three different partitions of a four-stage FIFO controller 169
Figure 5.16 Algorithm DFS_3 171
Figure 5.17 Finding a safe abstraction for the behavior of a FIFO controller 174
Figure 6.1 One level of hierarchical verification for a FIFO controller 176
Figure 7.1 A FIFO controller of length = 8 188
Figure 7.2 A DME cell 190
Figure 7.3 A DME ring of length = 2 190
Figure 8.1 Modeling an RT circuit as an SI circuit with additional circuitry 196
Figure 8.2 A Sum-of-Product implementation of a C-element 198
Figure 8.3 Modelling an RTC 199
Figure 8.4 Modeling the effect of multiple RTCs on an inverter 200
Figure 8.5 An abstract view of a circuit with a covering set of super-blocks 204
Figure 8.6 Incorrect verification using multiple safe abstractions 205

ABSTRACT

Speed-independent circuits are asynchronous circuits that should "work correctly" regardless of their gate delays.
Correctness (hazard-freedom and conformance of a circuit to its specification) can be verified by checking failure-freedom of a closed circuit. Being highly concurrent, asynchronous circuits may have state spaces that are exponential in the size of the circuit. Consequently, asynchronous circuit verification techniques that are based on full state space exploration frequently suffer from the so-called state space explosion problem, even for moderately sized circuits.

To attack the state space explosion problem, a new theoretical framework for induced hierarchical verification of speed-independent circuits is proposed. In this framework, a closed circuit is partitioned into a set of circuit-blocks by an observationally-sufficient set of external signals. A partial order reduction technique is then used to find a safe abstraction of the behavior of the external signals. It is shown that if a safe abstraction is used to derive an abstract environment module for each circuit block, then the circuit is failure-free iff all of its sub-circuits are failure-free, where a sub-circuit is a circuit block composed with its abstract environment module. A divide and conquer approach that is based on this result can thus accurately verify a circuit by verifying its smaller sub-circuits in a hierarchical fashion.

The new framework is a generalization of a previous approach for induced hierarchical verification of speed-independent circuits that used a form of functional abstraction to find safe abstractions and consequently required the set of external signals to include all memory element outputs. Using a partial order reduction technique (i.e., behavioral abstraction) to find safe abstractions, the new framework asserts that inclusion of all memory element outputs is not a fundamental requirement for observational-sufficiency of a set of external signals. The proposed partial order technique successfully avoids the state explosion problem by exploring only one interleaving of internal signal transitions. The framework is implemented in a CAD tool called SPHINX. Experimental results show significant speed-ups in verification of circuits dominated by memory elements.

Chapter 1
Introduction

1.1 Motivation

With the continuous advancement of process and fabrication technologies, transistor feature sizes on VLSI circuits shrink and the complexity and degree of integration of such circuits exponentially increase, as predicted by Moore's law. However, without CAD tools that help designers in all different aspects of designing such gigantic circuits, the utilization of Moore's law would not have been possible. In particular, the advent of sub-micron technologies has confronted VLSI designers with new challenges, some of which might demand whole new design methodologies. One such challenge in sub-micron design is to circumvent the limitations introduced by interconnect delay, which rapidly becomes the dominant delay factor as feature sizes shrink and switching delays scale down. These parasitic limitations make distribution of signals across a chip and dealing with signal skew a serious problem, restricting the maximum performance achievable by (any) particular
design style. Addressing the ever-increasing demand for lower power consumption, especially for portable applications, is among other important challenges in the design of highly integrated circuits. These challenges are of particular significance and magnitude in synchronous design styles where circuit activities are coordinated by a globally distributed periodic signal(s) called "clock".

Synchronous design styles have been the dominant approach since the mid-60s, due to their relative ease and robustness. In such styles, the use of clock signals has introduced a level of abstraction in the time domain that hides many details about the temporal relations among circuit signals. This has greatly simplified timing analysis of such circuits, often reducing it to merely critical path analysis for the design of the clock signal. This simplification is possible because the only timing concern in a synchronous circuit is that the circuit has to be stable by the end of a clock cycle. As a result, the performance of a synchronous circuit is also a function of the worst case delay.

Recent years have witnessed extensive research on asynchronous design techniques and methodologies in an attempt to overcome, among others, the above mentioned challenges of sub-micron design. Instead of using a global clock, asynchronous circuits [77, 15, 39] use local handshaking to coordinate circuit activities and implement sequencing. Moreover, in an asynchronous design, computation starts as soon as new data is available, and once it is completed, the results can be immediately communicated via local handshaking. This more flexible and general method of operation makes asynchronous circuits highly concurrent systems. Asynchronous circuits have the potential of outperforming their synchronous counterparts due to advantages such as elimination of the clock skew problem, lower power consumption, low noise and low emission, average case instead of worst case performance, heterogeneous timing, easing of global timing issues, better potential for technology migration, automatic adaptation to fabrication and environmental variations, higher modularity, robust mutual exclusion and external input handling [83, 36].

In addition, emerging, more aggressive asynchronous design techniques that frequently use timing information to combat the full handshake overhead in area and delay by removing redundant handshakes and associated logic [73] are further improving the performance, power, area, and even testability of asynchronous designs. As a result, such advanced asynchronous design techniques are being more frequently used in stand-alone designs, in interfacing synchronous circuits in different clock domains, or in heterogeneous circuits that have both synchronous and asynchronous components.

On the negative side, the lack of global synchronization and the high degree of concurrency in asynchronous circuits make their design, analysis, and verification a more serious challenge, if not an art. Without the level of abstraction that a clock signal provides in a synchronous circuit, variations in the speeds of components that are operating concurrently can no longer be ignored. In asynchronous circuit design, a great deal of attention has to be paid to the dynamic state of the circuit, avoiding "hazards" [77, 78]. Hazards are spurious signal transitions that can interfere with the correct operation of the circuit and even render its digital model invalid by taking the circuit into a "metastable" state where one or more internal variables of the circuit take on a value in between the 0 and 1 designated values, possibly fluctuating in that range for an indefinite amount of time [78]. As shown in [78], a common cause of all types of hazards is the possibility for a gate to simultaneously receive contradictory signals on different inputs.
In verifying asynchronous circuits, the proper behavior of the circuit has to be assured for all possible execution paths, each corresponding to a different set of (varying) component delays, and along each such path hazard conditions (as mentioned above) have to be checked for. The nondeterminism resulting from unknown or varying component delays can lead to a large number of execution paths and reachable states that can be exponential in the number of circuit components. In contrast, synchronous circuits not only have deterministic execution paths, but also have state space sizes that are only (in the worst case) exponential in the number of state holding components (e.g., latches or flip-flops). Thus, verification of asynchronous circuits inherently suffers exponentially more from the so-called "state explosion problem". As a result, while symbolic model checkers, with their ability to alleviate the state explosion problem, have been successfully used in verification of large synchronous circuits, they have been far less successful in verification of asynchronous circuits of comparable sizes.

With the increased interest in asynchronous circuit design as a solution to overcome some of the bottlenecks of synchronous design in the sub-micron era, and because of the high inherent complexity of asynchronous system verification, research and development on specialized methodologies and CAD tools for the automation of asynchronous design verification are attracting much interest. As a contribution to such efforts, this thesis presents an enhanced methodology and framework for efficient verification of a fundamental class of asynchronous circuits, speed-independent circuits, which can easily be extended/adapted to the verification of other types of asynchronous circuits such as delay insensitive circuits, quasi-delay insensitive circuits, and also circuits with relative timing assumptions.

1.2 Speed-Independent Circuit Verification

Speed-independent circuits are a class of asynchronous circuits that assume the unbounded gate delay model for their components along with negligible wire delays; thus every fork in the circuit is assumed to be an isochronic fork, causing only negligible skew. Assuming such a delay model, a speed-independent circuit works properly for all possible orderings of events associated with all possible (and varying) relative delays of components. Although it seems restrictive, speed-independence is a fundamental model based on which a broader range of asynchronous designs can be readily modeled, such as delay-insensitive designs [29, 30, 41, 17, 16, 30, 31, 36, 76], quasi-delay insensitive designs [12, 42, 23, 30], and even circuits with relative timing assumptions [73, 74, 26, 60]. For example, (quasi-) delay insensitivity of a circuit can be verified by checking speed-independence of the circuit augmented with additional buffers (delay elements) that are inserted on the non-isochronic forks and input ports of the circuit [16].

The verification problems that are addressed in this thesis are checking hazard-freedom, and conformance of a circuit implementation to the circuit's specification. Conformance means that a circuit implementation can be safely substituted for its specification with no danger of generating outputs that are not specified.
The problem of checking conformance translates directly into checking failure-freedom of a closed circuit obtained by composing the circuit implementation with the mirror of the circuit specification. Mirroring a circuit specification yields a new circuit component, called an environment module, which together with the circuit implementation forms a closed circuit. A failure is defined as any input signal transition at a circuit component that can disable a previously enabled output transition of that component. Failures described this way are thus reminiscent of semi-modularity failures in circuit behavior [55, 57]. This notion of failure also covers chokes, where a choke is any (output) signal transition generated by the circuit implementation that is not specified in the circuit specification. Since chokes cannot be handled by the environment module of the circuit, they can be thought of as totally disabling the environment module, like a failure. (More formal definitions of these concepts are presented in [27].)

Interleaving semantics, also appearing in the literature as the GSW (Generalized Single Winner) race model [15], is commonly used to model the inherent concurrency in asynchronous circuit behavior. In this model of concurrency, when more than one circuit component is enabled (unstable), only one of them can change at any time. Yet, in a speed-independent circuit, concurrently enabled components always have an equal chance of being the next component to change. In principle, the failure-freedom of a closed circuit can be checked by performing reachability analysis over the state space of the circuit modeled using interleaving semantics.
In practice, however, the size of the state space, which can be exponential in the number of circuit components (signals), may quickly grow beyond the reach of any practicable reachability analysis tool. Even symbolic reachability analysis techniques that implicitly (rather than explicitly) represent and handle (sets of) states and state transitions may soon reach their limits, even on moderately sized circuits. Research on verification of speed-independent circuits has thus focused on the investigation and exploration of abstraction techniques to tackle the state space explosion problem associated with full reachability analysis.

There exists a rich body of research and literature on various abstraction techniques for reducing the complexity of verification of various properties and systems. Over- and under-approximations [86], assume-guarantee paradigms [2], partial order techniques [1, 32, 33, 62, 63, 81, 82, 35, 37], homomorphic reductions [35, 47], and divide-and-conquer paradigms and hierarchical approaches [47] are some of the better known general approaches that can be, or have been, applied to speed-independent circuit verification in one way or another. However, there exist only a few theoretical frameworks that are specifically designed and tailored to the verification of this fundamental class of asynchronous circuits, and fewer still have attempted to combine various abstraction techniques for this problem. An overview of the previous work on verification of speed-independent circuits is presented next.

1.3 Related Work

The verification of speed-independent circuits has received significant attention in the literature. Dill proposed a trace-theoretic framework in which he formulated the notion of trace conformance of speed-independent circuits [27].
Trace conformance is a safety property of speed-independent circuits that checks whether the circuit can generate outputs that are unexpected by its specification. Ebergen and Gingras introduced the notion of completeness with respect to a specification, which is stronger than trace conformance in that it requires the circuit to be able to exhibit all the behaviors defined by the specification [31]. Gopalakrishnan et al. proposed a similar notion of strong conformance [34].

It is important to note that both Dill's work [27] and Ebergen and Gingras's work [31] support hierarchical verification of speed-independent circuits. Specifically, if a block of a circuit has been successfully verified against a specification, the block can be modeled by its specification rather than by its implementation when verifying the whole circuit. This feature is very useful since specifications typically have more compact representations in a computer than the behavior of their corresponding implementations. Such hierarchical approaches, however, are not effective when a circuit is originally flat, i.e., when its circuit blocks do not have specifications.

Numerous techniques have been proposed to speed up the verification of a flat circuit. McMillan proposed a partial order approach based on a technique called Petri-net unfolding [53]. While very successful on some scalable examples, its worst-case complexity is in fact no smaller than that of standard reachability analysis algorithms. Yoneda and Yoshikawa [88] proposed an extended version of a different type of partial order approach in which only a subset of the interleavings of signals needs to be explored [1, 32, 33, 62, 63, 81, 82, 35, 37].
While effective for some circuits, the run-time for other circuits was not impressive because of the high computational overhead of determining which interleavings to explore. Burch et al. proposed BDD-based techniques to implicitly analyze the circuit's state space [18]. While successful on some examples, these techniques do not improve the worst-case complexity of the algorithm. Lastly, Roig et al. introduced a modified symbolic breadth-first search algorithm which resulted in significant run-time improvements for some circuits, but again, the worst-case complexity of their algorithm stays the same [64].

To reduce the verification complexity, Beerel et al. proposed a two-phase approach in which first the functional correctness (i.e., complex-gate equivalence) of the circuit is verified and then its behavioral properties (i.e., hazard-freedom) are checked [7, 8]. The key to their technique is that the behavior of some of the circuit signals can be safely approximated, exponentially reducing the time and space complexity of the verification problem for many examples. Later, Roig et al. proposed a hierarchical approach which also has the advantage of approximating the behavior of some of the circuit signals [65]. Since our proposed technique is most directly related to these latter two works, we describe them in more detail.

The first step in both the approach of Beerel et al. and that of Roig et al. is to create a complex-gate circuit, which effectively induces hierarchy by hiding the signals internal to the complex gates. The state space of the remaining external signals is then analyzed using standard reachability analysis techniques. The technique of Beerel et al. uses an analysis of this state space to deduce hazard-freedom of the internal hidden signals. The technique of Roig et al.
uses projections of this state space as the environment of the complex gates to verify the hidden signals. The key disadvantage of both techniques, however, is that the set of external signals must include all memory element outputs (i.e., memory elements cannot be hidden). Since most asynchronous circuits are dominated by memory elements, the number of external signals can still be large and their state space can be too large to analyze. This research started as an attempt to remove the above-mentioned limitation on the set of external signals.

1.4 Thesis Contributions

Existing specialized frameworks have been less than successful in either fully characterizing or fully utilizing some of the unique properties of speed-independence. As an example, the specialized verification frameworks of [8, 64] use the behavior of an abstract circuit (obtained by collapsing the original circuit into a complex-gate circuit) as an abstraction of the circuit behavior, which is then used to verify or deduce the failure-freedom of each complex gate. However, since they use a functional (or structural circuit) abstraction to find a behavioral abstraction, rather than a behavioral abstraction based on speed-independence properties, their approach, while the most coherent, has fundamental shortcomings that are addressed by this thesis.

We have proposed a theoretical framework for verification of speed-independent circuits that incorporates a combination of different abstraction and reduction techniques to achieve efficiency. This framework is a generalization of that of [65]. We introduce the notion of a safe abstraction of the behavior of a set of external circuit variables (signals) as a behavior that is never an over-approximation of the actual behavior of the external variables, and that is guaranteed to exactly match that behavior if the circuit is failure-free.
We define the notion of partitioning the circuit into circuit blocks using the set of external signals, the notion of a safe specification for a circuit block derived from a safe abstraction, the notion of an environment module of a circuit block derived from a safe specification, and finally the notion of a sub-circuit as the composition of a circuit block with its environment module. We then prove the following important theorem about the relationship between failure-freedom of a circuit and failure-freedom of its sub-circuits derived from a safe abstraction: a circuit is failure-free iff all of its sub-circuits are failure-free. By this theorem (which is also the basis of the hierarchical verification framework of [65]), given a safe abstraction, the problem of verifying a circuit reduces to the problem of verifying its sub-circuits, with the verification results always being exact. Since the sub-circuits are smaller than the original circuit, and the complexity of verification is exponential in circuit size, this divide-and-conquer approach, which can be applied recursively in a hierarchical fashion, can significantly speed up the verification procedure. However, the success of this approach depends heavily on the existence of efficient techniques for finding safe abstractions.

For efficient derivation of safe abstractions, we have proposed a novel partial order reduction approach. This approach, which replaces the functional abstraction phase of [65], partially explores the state space of the circuit (avoiding the state space explosion problem) and constructs a sub-automaton of its behavior automaton. If the constructed sub-automaton is projectable onto the set of external variables, the behavior of its projection is shown to be a safe abstraction.
We have proposed procedures that (concurrently) perform the partial order analysis, the projectability check, and the projection of the partial order sub-automaton onto the automaton of a safe abstraction.

We have devised our partial order technique based on some important properties of speed-independent circuits. Intuitively, in a speed-independent circuit, no output signal transition of a circuit component is ever disabled by an independent input signal transition. Here, two signals are called independent if they cannot disable each other, and a unique state is reached for different orderings of their transitions. Thus, in a speed-independent circuit, no output transitions are lost if the independent inputs are allowed to settle (stabilize). Based on this observation, and assuming that all dependent signals of a circuit are included in the set of external signals, our partial order technique always settles all independent internal variables of the circuit, in an arbitrary order, before exploring all orderings of transitions of the external variables. The explored (external) behavior is proven to be exact if the circuit is speed-independent, and otherwise it may be an under-approximation. In this sense, our framework for hierarchical verification of speed-independence is also an assume-guarantee paradigm: assuming speed-independence, the partial order exploration must yield the exact behavior of the external variables, and this assumption is guaranteed when the sub-circuits are all found to be failure-free.

The proposed approach for induced hierarchical verification of speed-independent circuits has been implemented in a CAD tool called SPHINX. SPHINX uses symbolic techniques based on binary decision diagrams (BDDs) for efficient representation of states, state transitions, and the results of reachability analysis.
It also uses an object-oriented paradigm for the representation and treatment of a circuit and its sub-circuits at different levels of hierarchy. SPHINX has been especially successful in verifying speed-independent circuits that are dominated by memory elements, e.g., FIFO controller circuits. This is due to its unique ability to hide memory element outputs, a feature not supported by preceding frameworks that used functional/structural abstractions (e.g., complex-gate verification [65]).

This thesis presents my proposed theoretical framework for induced hierarchical verification of speed-independent circuits, its relationship to previous work, SPHINX, the CAD tool developed for it, and some experimental results. It also proposes some directions for future research, such as extending the current framework to the domain of circuits with relative timing assumptions.

1.5 Thesis Organization

This thesis is organized as follows. Chapter 2 introduces the models that we use to represent circuits and their behaviors. This includes our finite-state-automata-based model of a circuit as a collection of circuit modules, the notions of behavior and behavior projections together with behavior automata, sub-automata, and sub-automata projections, and finally the notion of a safe abstraction. Our theoretical framework for induced hierarchical verification of speed-independent circuits is introduced in Chapter 3.
The notions of partitioning a circuit into a set of circuit blocks using a set of external variables, a safe specification for a circuit block derived from a safe abstraction, an environment module of a circuit block derived from a safe specification, and finally the notion of a sub-circuit as the composition of a circuit block and its environment module are introduced in this chapter, all in relation to the notion of inducing hierarchy in a flat circuit. The consequent relationship between the failure-freedom of a circuit and that of its sub-circuits, which is the foundation of our hierarchical verification framework, is presented and proven at the end of this chapter.

In Chapter 4, we discuss some of the issues related to our hierarchical verification framework. The chapter includes a comparison of our approach with complex-gate verification in terms of their selection of external variables, the issue of selecting sets of external variables that can successfully induce hierarchy in the verification of a circuit, and finally the concept of sequential hierarchical verification as a way of improving the performance of hierarchical verification.

Chapter 5 introduces our efficient technique for finding safe abstractions. We prove that our proposed partial order technique explores a partial behavior of the circuit that, under certain conditions (projectability of its automaton), can be used to derive a safe abstraction. We present an algorithm that concurrently performs the partial order analysis, checks the projectability of its automaton, and, if it is projectable, constructs a safe abstraction.

Chapter 6 presents a brief comparison of our verification approach with a number of other general reduction techniques and verification methodologies and tools.
In particular, a more thorough comparison of our framework with that of complex-gate verification is presented in this chapter. Chapter 7 presents a short overview of the status of our CAD tool, SPHINX, and our experimental results. Finally, Chapter 8 proposes some directions for related future research. It presents some ideas on how to extend the current framework to the domain of asynchronous circuits with relative timing assumptions. The chapter closes with an open conjecture on the use of multiple safe abstractions for hierarchical verification.

Chapter 2 Models of Circuits and Behaviors

In this chapter we introduce the models that we use to represent circuits and their behaviors. This includes our finite-state-automata-based model of a circuit as a collection of circuit modules, and the notions of behavior and behavior projections together with behavior automata, sub-automata, and sub-automaton projections. The notion of a safe abstraction, a key component of our hierarchical verification framework, is introduced at the end of this chapter.

2.1 Circuit Modules

In this section, we introduce our model for asynchronous components, which we call a "circuit module". Circuit modules are the building blocks of asynchronous circuits and systems. The generic model of a component presented in this section is general enough to model different types of gates (e.g., combinational or sequential, deterministic or nondeterministic) and different types of specifications (e.g., Petri-nets, STGs, etc.).
Definition 2.1 [Circuit module] A circuit module is a tuple $M^i = (X^i, Z^i, Y^i, FA^i)$, where
• $X^i = \{x^i_1, \ldots, x^i_{m_i}\}$ is the set of binary module input variables;
• $Z^i = \{z^i_1, \ldots, z^i_{p_i}\}$ is the set of binary module output variables;
• $Y^i = \{y^i_1, \ldots, y^i_{n_i}\}$ is the set of binary module internal state variables;
• $FA^i = (A^i, V^i, Q^i, \lambda^i, TR^i, \mu^i, q^i_0)$ is a nondeterministic finite state automaton called the module automaton, where
  • $A^i = X^i \cup Z^i$ is the input alphabet of the automaton;
  • $V^i = X^i \cup Z^i \cup Y^i$ is the set of module variables, as well as automaton variables;
  • $Q^i$ is the state set of the automaton;
  • $\lambda^i : Q^i \to L(V^i)$ is the state labeling function of the automaton. Here, $L(V^i)$ is the set of all surjective functions $f : V^i \to \{0, 1\}$;
  • $TR^i \subseteq Q^i \times (A^i \cup \{\varepsilon\}) \times Q^i$ is the state transition relation of the automaton. Here, $\varepsilon$ is an additional symbol which identifies empty input transitions of the automaton;
  • $\mu^i : Q^i \times (A^i \cup \{\varepsilon\}) \to \{F, S\}$ is the transition labeling function of the automaton;
  • $q^i_0 \in Q^i$ is the initial state of the automaton. ■

The components of a circuit module $M^i$ are further explained below.

$X^i$, $Y^i$, and $Z^i$ are pairwise disjoint sets. $V^i = X^i \cup Z^i \cup Y^i$ is the set of module variables, as indicated above. $X^i \cup Z^i$, the set of module I/O variables, is identical to the input alphabet $A^i$ of $FA^i$. A symbol $a \in X^i$ ($a \in Z^i$) of the alphabet $A^i$ corresponds to transitions on the associated input (output) of the circuit module. We shall assume that an encoding scheme (by the internal state variables $Y^i$) is given for the internal states of the circuit module. Note that here, "internal state of the module" refers to what is required beyond the I/O state of the module to fully capture the module's state.
$\lambda^i : Q^i \to L(V^i)$ is an injective function assigning to each state of the automaton a unique function which in turn assigns binary values to every $v \in V^i$. As a result, each state $q \in Q^i$ is an interpretation of the module variables $V^i$; i.e., it assigns to every variable $v \in V^i$ a value in its binary range $\{0, 1\}$. Thus, states of the automaton correspond to total states (input/output/internal state) of the circuit module.

$TR^i \subseteq Q^i \times (A^i \cup \{\varepsilon\}) \times Q^i$ is associated with $\delta^i : Q^i \times (A^i \cup \{\varepsilon\}) \to 2^{Q^i}$, the state transition function of the automaton (each element of $2^{Q^i}$ is one of the $2^{|Q^i|}$ subsets of the finite set $Q^i$). In general, any individual I/O signal transition of a circuit module is accompanied by some internal state change of the module; that is, some $Y \subseteq Y^i$ may change simultaneously and instantaneously together with an I/O signal (e.g., $a \in A^i$) transition. On the other hand, the circuit module can have internal state changes even in the absence of any I/O signal transitions.

Let $a \in A^i \cup \{\varepsilon\}$ be any symbol corresponding to a transition on the associated I/O signal (or an empty I/O transition in the case of $a = \varepsilon$), and let $q, q' \in Q^i$ be any pair of automaton states. Then $(q, a, q') \in TR^i$ iff all of the following hold:
• $\lambda^i(q)(a) \neq \lambda^i(q')(a)$, and for all other I/O variables $b \in A^i$, $b \neq a$, $\lambda^i(q)(b) = \lambda^i(q')(b)$;
• there exists $Y \subseteq Y^i$ such that for all $v \in Y$, $\lambda^i(q)(v) \neq \lambda^i(q')(v)$, and for all $w \in Y^i - Y$, $\lambda^i(q)(w) = \lambda^i(q')(w)$;
• the total state of the circuit module can change according to $q' \in \delta^i(q, a)$ and through a transition of signal $a$.
In other words, if the circuit module is at state $q$, then a transition of signal $a$ can take the circuit module to state $q'$ by causing a simultaneous change in all internal state variables $v \in Y \subseteq Y^i$ of the module. Under the above conditions, if $a \in Z^i$ then we say that the output signal $a$ is enabled at $q$.
Any internal state variable $v \in Y$ is also said to be enabled at $q$.

Let $q \in Q^i$ be any state of the automaton. Then $(q, \varepsilon, q) \in TR^i$ is always a state transition of the automaton. In other words, every automaton state has a self-loop for $\varepsilon$. Such self-loops represent the behavior of the module when it is idle, i.e., when no event occurs at the module. (This notion of idle self-loops is used later in composing the modules' automata into a circuit automaton.)

An important property of any circuit is its receptiveness. This property is related to the inability of a circuit to control the arrival of transitions on its inputs, and the fact that unwanted input transitions are always possible [27, 40]. As such, any proper model for a circuit has to account for the receptiveness of all circuit components. In our model, the receptiveness of any circuit module with respect to input signal transitions is modeled as follows: for any state $q \in Q^i$ and any input signal $a \in X^i$, there always exists some state $q' \in Q^i$ and a corresponding state transition $(q, a, q') \in TR^i$. We say that $FA^i$ is complete over $X^i$. In contrast, for any state $q \in Q^i$ and any output signal $a \in Z^i$, a state $q' \in Q^i$ with $(q, a, q') \in TR^i$ exists iff the output signal $a$ is enabled at $q$, and usually at each total state of the circuit module only a subset of the module's outputs are enabled to change.

Note that this model does not allow (or handle) simultaneous I/O signal changes; instead, all possible interleavings of simultaneously enabled I/O signal transitions are assumed to be included in the automaton of the circuit module. This convention is in accordance with interleaving semantics for circuit behavior, which we have adopted for our analysis of speed-independence.
Interleaving semantics, also appearing in the literature as the GSW (Generalized Single Winner) race model [15], is commonly used to model the inherent concurrency of asynchronous circuit behavior. In this model of concurrency, when more than one circuit component is enabled (unstable), only one of them can change at any time; however, the order in which the components change cannot be predicted. For the particular case of speed-independent circuits, concurrently unstable components always have an equal chance of being the next component to change.

The state transition labeling function $\mu^i : Q^i \times (A^i \cup \{\varepsilon\}) \to \{F, S\}$ labels the edges of the underlying transition diagram of the automaton (induced by $TR^i$). Let $q, q' \in Q^i$, $a \in A^i \cup \{\varepsilon\}$, and $(q, a, q') \in TR^i$. Then for any output signal $a \in Z^i \cup \{\varepsilon\}$ we always have $\mu^i(q, a) = S$; i.e., any state transition through an output signal transition is always considered a success transition. For any input signal $a \in X^i$, $\mu^i(q, a) = F$ iff the transition of $a$ at $q$ is an illegal input signal transition. If $\mu^i(q, a) = F$, then any automaton state transition $(q, a, q'') \in TR^i$ is called a failure transition. An illegal input transition is one which is either not expected by the circuit module (e.g., an input choice to a specification module), and/or one which is known to cause a circuit malfunction (e.g., a hazardous output). In particular, we shall call any input signal transition which disables a previously enabled output signal (or an internal state variable $y \in Y^i$), and thus violates semi-modularity [55, 57], an illegal input transition.
More precisely, assume that $q, q' \in Q^i$, $x \in X^i$, $(q, x, q') \in TR^i$, and there exists an output signal $z \in Z^i$ (or an internal state variable $y \in Y^i$) which is enabled at state $q$ but not at state $q'$; then $\mu^i(q, x) = F$, marking all possible state transitions from $q$ by the symbol $x$ as failure transitions. In our model, illegal input transitions (e.g., chokes) do not change the internal state of a circuit module; that is, if $\mu^i(q, x) = F$ and $(q, x, q') \in TR^i$, then $\lambda^i(q)$ and $\lambda^i(q')$ differ only in the value they assign to the variable $x$. This convention only simplifies the choice of the state that is entered by an illegal input transition.

A circuit module is non-deterministic if the firing of any output signal can ever disable another output (e.g., arbitration in an arbiter module). In such a case, the decision of which output to fire is called a choice. A module which is not non-deterministic is said to be deterministic. Note that state transitions caused by output signal changes are excluded from the set of failure transitions. This makes all output choices legal; that is, any output signal change disabling another output signal change represents a non-failure state transition in the module automaton.

$q^i_0 \in Q^i$ corresponds to the initial total state of the circuit module (within a circuit).

2.2 Examples of Circuit Modules

The definition of a circuit module presented in the previous section is very general. In this section we show how elementary gates (combinational and sequential, deterministic and nondeterministic), and also higher-level specifications (e.g., Petri-nets, STGs), can be modeled as circuit modules. It is to be noted that there may be many circuit module representations for a single gate/specification type.
Such representations may differ in terms of the internal state encoding of the module, or in the behavior manifested beyond the occurrence of a failure; however, they should all agree on the failure-free portion of their associated automata languages (the set of all I/O sequences corresponding to the failure-free runs of the associated automata), precisely capturing the I/O behavior of the physical module prior to failure occurrences.

2.2.1 Combinational Gates

A combinational gate is a deterministic circuit module $M^i = (X^i, Z^i, Y^i, FA^i)$ such that:
• $Y^i = \emptyset$, and $V^i = A^i$;
• $FA^i = (A^i, A^i, Q^i, \lambda^i, TR^i, \mu^i, q^i_0)$ is a deterministic finite state automaton such that:
  • $TR^i \subseteq Q^i \times (A^i \cup \{\varepsilon\}) \times Q^i$ is constructed based on the gate's functionality. Let $F^i_j$, $1 \le j \le p_i$, be the boolean function describing the $j$-th output of the gate in terms of the gate inputs; i.e., $z^i_j = F^i_j(x^i_1, \ldots, x^i_{m_i})$. Then for any $q, q' \in Q^i$, $(q, z^i_j, q') \in TR^i$ iff $F^i_j(x^i_1, \ldots, x^i_{m_i})|_{q'} = z^i_j|_{q'}$ and $z^i_j|_{q'} \neq z^i_j|_q$. Here, $\cdot|_{q'}$ denotes that the function arguments are evaluated by $\lambda^i(q')$; thus the two conditions together translate to $F^i_j(\lambda^i(q')(x^i_1), \ldots, \lambda^i(q')(x^i_{m_i})) = \lambda^i(q')(z^i_j) \neq \lambda^i(q)(z^i_j)$.

Example 2.1 Figure 2.1.a depicts a NOR gate. The module description of the NOR gate is $M = (\{a, b\}, \{c\}, \emptyset, FA)$, where the state diagram of $FA$, the module automaton, is depicted in Figure 2.1.b. The initial state is entered by an arrow; i.e., $\lambda(q_0) = 000$. ■

Fig. 2.1 Module description of a NOR gate. (a) A NOR gate. (b) Module automaton; states are labeled [a,b,c], and failure and non-failure transitions are distinguished in the figure.

2.2.2 Sequential Gates

For most elementary sequential gates, the I/O state of the gate completely captures the state of the gate, without requiring any extra internal state variables.
Examples of such gates are flip-flops, C-elements, and mutual-exclusion (ME) elements. A sequential gate with no internal state variables is modeled as a circuit module $M^i = (X^i, Z^i, Y^i, FA^i)$ such that:
• $Y^i = \emptyset$, and $V^i = A^i$;
• $FA^i = (A^i, A^i, Q^i, \lambda^i, TR^i, \mu^i, q^i_0)$ is a deterministic finite state automaton such that:
  • $TR^i \subseteq Q^i \times (A^i \cup \{\varepsilon\}) \times Q^i$ is constructed based on the gate's functionality. Let $F^i_j$, $1 \le j \le p_i$, be the boolean function describing the next value of the $j$-th output of the gate (denoted by $z'^i_j$) in terms of the present values of the gate inputs and outputs; i.e., $z'^i_j = F^i_j(x^i_1, \ldots, x^i_{m_i}, z^i_1, \ldots, z^i_{p_i})$. Then for any $q, q' \in Q^i$, $(q, z^i_j, q') \in TR^i$ iff $F^i_j(x^i_1, \ldots, x^i_{m_i}, z^i_1, \ldots, z^i_{p_i})|_q = z^i_j|_{q'}$ and $z^i_j|_{q'} \neq z^i_j|_q$.

Example 2.2 Figure 2.2.a depicts a C-element gate. The module description of the C-element gate is $M = (\{a, b\}, \{c\}, \emptyset, FA)$, where the state diagram of $FA$, the module automaton, is depicted in Figure 2.2.b. The initial state is entered by an arrow; i.e., $\lambda(q_0) = 000$. ■

Fig. 2.2 Module description of a C-element gate. (a) A C-element. (b) Module automaton; states are labeled [a,b,c], and failure and non-failure transitions are distinguished in the figure.

Fig. 2.3 Module description of a mutual-exclusion element. (a) An ME element with inputs r1, r2 and outputs a1, a2. (b) Module automaton; states are labeled [r1,r2,a1,a2].

Example 2.3 Figure 2.3.a depicts a mutual-exclusion (ME) element as described in [27]. The module description of the ME is $M = (\{r_1, r_2\}, \{a_1, a_2\}, \emptyset, FA)$, where the state diagram of $FA$, the module automaton, is depicted in Figure 2.3.b. The initial state is entered by an arrow; i.e., $\lambda(q_0) = 0000$. Only non-failure state transitions are shown in Figure 2.3.b. It is to be noted that in an ME element, if any input signal has a second transition before the outputs have changed, that would cause a failure state transition.
Thus, in Figure 2.3.b, the reverse of any state transition that is associated with an input signal change is a failure state transition (not shown for clarity). ■

Note that although the above mutual-exclusion element is a nondeterministic gate, its module automaton is deterministic. As a matter of fact, the module automaton of any circuit module that does not have internal state variables is always deterministic. On the other hand, the existence of internal state variables can introduce nondeterminism into the module automaton iff there can be (at least) two states, with different internal states, reachable from a single state by the same I/O signal transition.

Example 2.4 Figure 2.4.a depicts a fair arbiter element as described in [48]. The module receives two independent requests to access a single resource, with signals $r_1$ and $r_2$, and grants access with signals $a_1$ and $a_2$, respectively (the latter two signals are mutually exclusive). The module description of the arbiter is $M = (\{r_1, r_2\}, \{a_1, a_2\}, \{p\}, FA)$, where the state diagram of $FA$, the module automaton, is depicted in Figure 2.4.b. The initial state is entered by an arrow; i.e., $\lambda(q_0) = 00000$. Only non-failure state transitions are shown in Figure 2.4.b. It is to be noted that in an arbiter element, if any input signal has a second transition before the outputs have changed, that would cause a failure state transition. Thus, in Figure 2.4.b, the reverse of any state transition that is associated with an input signal change is a failure state transition (not shown for clarity). ■

Fig. 2.4 Module description of a fair arbiter element. (a) A fair arbiter with inputs r1, r2 and outputs a1, a2. (b) Module automaton; states are labeled [r1,r2,a1,a2,p]; the states legible in the figure include 00000, 10000, 01001, 10100, 11000, 11001 and 00100.

Note that the above arbiter element is a nondeterministic gate with an internal variable $p$. However, its module automaton is deterministic.
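As an added example (not code from the thesis or from SPHINX), the following Python script implements the module model of Section 2.1 for gates without internal state variables (Sections 2.2.1 and 2.2.2) and runs the interleaving-semantics reachability check of Section 1.2 on a small closed circuit. A gate is represented by the next-value function $F_j$ of its total state; an output is enabled at $q$ iff $F_j$ evaluated at $q$ differs from the output's current value; every input transition is accepted (completeness over $X^i$) and labeled $F$ exactly when it disables an output that was enabled. The closed circuit is a constructed one: a C-element whose output is fed back through two inverters that play the role of its environment. Replacing the C-element by an AND gate lets the output's return to 0 disable an inverter that is still enabled, and the exploration reports those transitions as failures.

```python
"""Circuit modules as total-state automata, and failure detection by explicit
interleaving-semantics reachability.  Added example, not the thesis' SPHINX code."""
from itertools import product


class Gate:
    """Deterministic circuit module with Y = {} (no internal state variables):
    one output z driven by a next-value function F(q) of the total state q."""

    def __init__(self, name, inputs, output, next_fn):
        self.name, self.inputs, self.output, self.next_fn = name, inputs, output, next_fn

    def enabled(self, q):
        """Output enabled at q iff F evaluated at q differs from the current value of z."""
        return bool(self.next_fn(q)) != bool(q[self.output])


def module_automaton(gate):
    """TR of a single module over all 2^|V| total states (epsilon self-loops omitted).
    Input transitions always exist (completeness over X); mu(q, x) = F when x disables
    the output that was enabled at q.  Output transitions exist iff enabled, labeled S."""
    vars_ = list(gate.inputs) + [gate.output]
    tr = []
    for bits in product([False, True], repeat=len(vars_)):
        q = dict(zip(vars_, bits))
        for x in gate.inputs:
            q2 = dict(q, **{x: not q[x]})
            label = "F" if gate.enabled(q) and not gate.enabled(q2) else "S"
            tr.append((q, x, q2, label))
        if gate.enabled(q):
            tr.append((q, gate.output, dict(q, **{gate.output: not q[gate.output]}), "S"))
    return tr


def explore(gates, init):
    """Reachability of a closed circuit under interleaving semantics (GSW model):
    from each reachable state fire one enabled output at a time.  The fired signal
    is an input transition of every gate reading it; if that disables an output
    enabled at the source state, the reading module takes a failure transition."""
    key = lambda q: tuple(bool(q[v]) for v in sorted(q))
    init = dict(init)
    seen, stack, failures = {key(init)}, [init], []
    while stack:
        q = stack.pop()
        for g in gates:
            if not g.enabled(q):
                continue
            q2 = dict(q, **{g.output: not q[g.output]})
            for r in gates:
                if g.output in r.inputs and r.enabled(q) and not r.enabled(q2):
                    failures.append((key(q), g.output, r.name))
            if key(q2) not in seen:
                seen.add(key(q2))
                stack.append(q2)
    return seen, failures


# Gate functions: next value of the output from the present total state.
def c_element(q): return (q["a"] and q["b"]) or (q["c"] and (q["a"] or q["b"]))
def and2(q):      return q["a"] and q["b"]
def nor2(q):      return not (q["a"] or q["b"])


def ring(top):
    """Constructed closed circuit: `top` drives c from (a, b); two inverters feed c
    back as a and b and act as the environment of `top`."""
    return [Gate("G", ("a", "b"), "c", top),
            Gate("INV_a", ("c",), "a", lambda q: not q["c"]),
            Gate("INV_b", ("c",), "b", lambda q: not q["c"])]


def verify(top):
    """Number of reachable total states and the failure transitions found."""
    states, failures = explore(ring(top), {"a": False, "b": False, "c": False})
    return len(states), failures


if __name__ == "__main__":
    tr = module_automaton(Gate("NOR", ("a", "b"), "c", nor2))
    print("NOR: %d transitions, %d failures" % (len(tr), sum(t[3] == "F" for t in tr)))
    for name, fn in (("C-element ring", c_element), ("AND ring", and2)):
        n, fails = verify(fn)
        print("%s: %d states, failures: %s" % (name, n, fails or "none"))
```

The NOR automaton has four failure-labeled input transitions, each from a state where the output is enabled and the input change makes it stable again, which is exactly the semi-modularity violation of Section 2.1. In the C-element ring every reachable state is failure-free, while in the AND ring the state with a = 0, b = 1, c = 1 (and its mirror) lets c fall while the inverter driving b is still enabled, so that inverter's input transition is labeled F.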
It is called fair because if it receives a request at one input, say r l , while it has already received a request at r 2 , it processes the request by r2 first, but once it is done with that, it processes the r l request before it can react to a new request from r 2 . Unlike the ME element, the fair Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 29 arbiter module is capable of distinguishing the order in which two, possibly concurrent, requests arrive at its inputs by means of the internal variable, p. As a result, from the initial state, 00000, the two sequence of signal transitions r l, r2 and r2, r 1 lead to different states 11000 and 11001, respectively. 2.2.3 Specifications We believe that any asynchronous specification with interleaving semantics can be modeled as a circuit module, once some encoding of the internal state of the module is adopted and the failure conditions are all identified. Signal Transition Graphs (STGs [22,68]) that are frequently used for specification of asynchronous circuit behavior are Petri-nets in which the Petri-net transitions are interpreted as circuit signal transitions (a complete introduction to Petri-nets can be found at [58]). The state of a Petri-net is completely captured by its marking; i.e., the distribution of tokens in Petri-net places. That is, the token-holding places together with the number of tokens in such places completely specify the internal state of a Petri-net specification. In a safe Petri-net (a Petri-net whose places have a capacity of only one token) the Petri-net marking is completely characterized by the token- holding places. Thus, a straight forward way of encoding the internal state of a safe Petri-net specifications would be to assign one internal state variable to each place of the Petri-net. 
Now, markings of the Petri-net will correspond to binary evaluations of the state variables; that is, for a given marking, a place holds a token iff the value of its Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 30 associated internal state variable is 1. For simplicity, we consider only safe STG specifications although unsafe STGs can similarly be modeled using multiple variables to represent unsafe places. More efficient encoding schemes for Petri-net markings are proposed in [61]. The pre-set of a Petri-net place p , indicated by • p , is defined as the set of signal transitions such that the firing of any of such transitions will put a token in that place. Similarly, the post-set of a place indicated by p • is the set of signal transitions such that for any of them to fire, a token has to be removed from that place. As an example, in Figure 2.6 we have • p 0 = (wa,-, ua2-} and pQ • = {naj+, ua2+} ■ An implicit place p of a Petri-net (or STG) is one which exists between two consecutive signal transitions t and t' of an STG (Petri-net) such that • p = {t} and p • = {/'}. As an example, place p t is an implicit place in the Petri-net of Figure 2.6, while p Q is an explicit place. Implicit places of an STG are usually not drawn, as suggested by Figure 2.5.b which illustrates the same STG as that of Figure 2.6. Example 2.5 The STG specification of a DME ring of length two is illustrated in Figure 2.5.b. This specification is an example of a safe STG. Thus, as already mentioned, the internal state of the specification can be easily encoded by defining one internal state variable per Petri-net place. M - <{«rlt ur2}, [ua{, ua2}, {p0}, FA) would then define the circuit module of the specification, where FA - ({ u rj.u a p U ^ M a j} , {p0,u r ,,u a 1 , « r2,u a 2}, r/?,p ,^ o ) is depicted in Figure 2.5.C, and A(g0) = 10000. 
Any state transition by an output signal change Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 31 'LI DME cell (w/ token) ua1 ur2 kua2 DME cell (w/o tokei (a) A DME ring V^o-urvuaLur^uag] I U^- (b) STG specification 10010 11010 ua2 u a -| (c) Module automaton Fig. 2.5 Module description of a DME ring of length two. that is missing from Figure 2.5.c corresponds to a failure of a circuit implementation, because a circuit implementation of this specification should not generate such output transitions. On the other hand, input transitions that are missing from the automaton correspond to transitions that are never applied to a circuit implementation of this Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 32 specification; i.e., the specification restricts possible transitions at the inputs of a circuit implementation. ■ The set of internal variables of the module automaton of Figure 2.5.c includes a single variable associated with explicit place p Q \ that is, we have defined no state variables associated with the implicit places of this STG specification. This is because the I/O state of this STG happens to uniquely determine the marking of its implicit places, eliminating the need to include the implicit places in the representation of the state of the specification. Constructing the module automaton from a given Petri-net specification can be a complicated process requiring full traversal of the Petri-net. However, the module automaton can be fully expressed by a collection of transition relations: each such relation would represent the possible (eligible) transitions of an associated output (input) signal of the specification in terms of some portion of the internal state of the specification represented by a subset of Petri-net places. Figure 2.6 depicts the Petri- net specification of Figure 2.5.b with all of its implicit places. 
The transition relation of signal u a x can then be defined as TRua = {(011000, na,, 100100), (100010, uax, 010001)}, where the states of this transition relation are evaluations of the following ordered set of variables [uai> P o > P \-> Pi> P 3* P 4I • Representing the automaton of a specification by a collection of transition relations as described above would require one internal state variable associated with each Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 33 P4| ur2- Fig. 2.6 Petri-net specification of A DME ring with all implicit places shown. implicit place of the specification. However, such variables can usually be projected away in later phases of hierarchical verification, as will be discussed later in this thesis. 2.2.4 Environment Modules: Mirror of Specifications Checking the conformance of a circuit to its specification is a common verification problem. Our notion of conformance follows that of [27]; that is, safe substitution. By this, a circuit implementation conforms to a circuit specification iff the former can be safely substituted for the latter in any context; i.e., the circuit implementation would not generate any output (transition) not specified in the circuit specification. This problem can be solved by checking the failure-freedom of a closed circuit composed of the original (open) circuit and the mirror of the specification [27]. Conformance checking will be discussed in detail in upcoming sections. In this section, we only define the notions of mirrored specifications and environment modules. Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 34 The mirror of a specification is obtained by simply switching the role of the input and output signals of the specification and identifying failure transitions accordingly. 
The mirrored specification then comprises an environment module for the original circuit; one which interacts with the circuit by providing inputs to the circuit and accepting the circuits outputs. The composition of the original (open) circuit with this derived environment module creates a closed circuit. It has been shown that failure- freedom of this closed circuit guarantees the conformance of the original circuit to its specification [27]. Example 2.6 The circuit module for the mirror of the STG specification of Example 2.5 is defined as M - ({wa,, wa2} » ( Mri» “r 2 } » {Po}> ’ where FA = ({uri,ual,ur2,ua2},{PofUrl,ual,ur2,ua2},Q,X,TR,\i,qQ ) is depicted in Figure 2.5.c, X(q0) = 10000. Again, any state transition by an input signal change that is missing from Figure 2.5.C corresponds to a failure state transition. Such transitions correspond to unexpected output transitions of a circuit implementation. ■ 2.3 Circuit Model In this section, we introduce our circuit model which we conveniently call a “circuit”. Circuits are composed of circuit modules. We shall only consider closed or autonomous circuits, with the notion of closed-ness being implicit in our definition of a circuit. Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 
35 Definition 2.2 [Circuit] A circuit is a tuple C = (Mc, Ac, Vc, Gc, FA°), where • M c = {Ml, M " c}, nc > 1, is a set of circuit modules, where Af' is defined in Definition 2.1 for 1 < / < nc ; • A c = Z' is the set of circuit signals; 1 S i £ nc • Vc = u Z ‘ is the set of circuit variables; 1 S i < nc • Gc = <A rC ’ , ^ c) is a connected directed graph, the circuit graph, where • N c = { N l, ..., N nC} , is the set of circuit nodes, where circuit node N ‘ is representative of circuit module M l in the circuit graph; • K c q U Z 'x U Xj is the set of circuit edges, such that for any I S i £ nc 1 Z j £ n c, j * i input signal x\ of any circuit module M ‘, 1 < i< n c and 1 < / < m‘, there exists exactly one output signal z{ of a circuit module MJ, 1 < j < nc , j * i , and 1 <k< pj, such that (z] k, .tj) g K c . In other words, (a) each input signal is connected to (and thus driven by) exactly one output signal, and (b) no input of a module is ever connected to an output of that same module; • FAC - (Ac, Vc, Qc, Xc, TRC, \ic, qfi) is a nondeterministic finite state automaton called the circuit automaton, where • A c is the input alphabet of the automaton; • Vc is the set of automaton variables which coincides with the set of circuit variables; • Qc is the state set of the automaton; • Xc ; Qc — > L(VC) is the state labeling Junction of the automaton. Here, Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 36 L(VC) is the set of all suijective functions I : Vc -> {0,1}; • TRC q Qc x (Ac u e ) x Q c is the state transition relation of the automaton; • \ic : Qc x (Ac u e ) - > { F ,S } is the transition labeling Junction of the automaton; • qfi e Qc is the initial state of the automaton. 
■ From the definition of a circuit graph it follows that, (a) there is no circuit edges (connections) between output signals of circuit modules, and (b) input signals of any circuit module are connected to output signals of other circuit modules. The first constraint above prohibits wired outputs; the second constraint disallows uncontrolled circuit module inputs, excluding from the set of circuits any non-autonomous collections of circuit modules. Note that dangling circuit module outputs that are not connected to any circuit module inputs are allowable. By this definition, a circuit has to be closed. The second constraint on circuit edges, mentioned above, prohibits connections between inputs and outputs of any given module. This directly follows from the definition of a circuit module in which the set of input and output signal variables must be disjoint. One may wonder about real circuits in which there might be connections between inputs and outputs of a circuit component. As an example, consider a circuit with a 2-input AND gate component whose output drives one of its inputs. In such a case, the generic model for 2-input AND circuit modules cannot be used to model this Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 37 particular AND gate; instead, a new circuit module, with one less input signal, needs to be devised to model this particular AND gate. The sole presence of a circuit edge (zj., x\) £ K between any pair of circuit modules Mi and Ml effectively synchronizes the transitions of signal zk in Mi with that of signal x\ in M‘. Thus any transition of the output signal zJ k of M i, is instantaneously seen as a transition on the input signal x\ of M ‘. On the other hand, signal transitions of a circuit module are, in general, accompanied by instantaneous internal state changes. 
Thus, any transition on zk will cause instantaneous changes in the internal states of M‘, Mi, and any other circuit module Mh for which 0i4,)eK. This direct correspondence between any input signal x\ of any module Ml of a (closed) circuit, 1 < i < n c , and the output signal zk of some other circuit module M i , makes the set X ‘ (all input signals of all modules of a circuit) an entity which 1Si£nc carries only redundant information about the circuit. That is why (a) input signals of the circuit modules M‘, 1 < / < nc , appear only in the circuit graph description of circuit C , (b) the set of circuit signals A c consists of only output signals of component modules (and not both input and output signals of modules), and (c) as a result, the set of circuit variables Vc consists of all circuit module output signals and internal state variables, but no module input signals. As a collection of circuit modules connected to each other in the manner described above, the behavior of a circuit is determined by the coordinated behaviors of individual circuit modules. The coordination of individual module behaviors is itself a Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 38 result of synchronized state transitions of the modules’ automata. The circuit automaton FAC is thus a composition of individual module automata FA 1, F A " C as described below. The first step in composing the individual module automata FA1 , ..., FAn C into the compound automaton FAC is variable substitution. Let (z{, x]) e K be any circuit edge indicating that input signal x\ is driven by output signal z [ . Variable substitution will then replace all occurrences of variable jcJ in the model description of module M' with the variable z{ . Variable substitution is thus simply a renaming operation. In the rest of our description of the compound automaton FAc , it is assumed that variable substitution is already performed. 
Ac , the input alphabet of FAC, coincides with the set of circuit signals. As previously mentioned, any circuit signal a e A c is the output of exactly one circuit module and the input of zero or more other circuit modules. On the other hand, as a symbol of the alphabet of FAC, any a e A c corresponds to transitions on the associated circuit signal. Xc : Qc — »L(VC) is an injective function assigning to each state of the automaton FAC a unique function which in turn assigns binary values to every v e Vc . As a result, each state q e Qc is an interpretation of the circuit variables Vc ; that is, it assigns to every variable v e Vc a value in its binary range {0, I} . Let q e Qc be any state of FAC and \ c(q) be the label of that state. Moreover, let M‘ be any module of the circuit C, and Xc(q)\Vi be the restriction of the function k c(q) to Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 39 the set of variables of M‘, V‘ (note that variable substitution has already replaced each input variable x e X‘ of Af with some variable v e Vc , and thus V‘ q Vc ; hence, Xc(q)\Vi is a well-defined function, \ c(q)\V‘ : V‘ -> {Ql} ). Then, there always exists a state ql 6 Ql such that Xc(q)\Vi = X‘(q‘) , and q‘ is called the local state of FA' associated with state q of FAC. Considering the state transition relation TRC q Qc x (A c u e ) x Q c , let a e A c u e be any symbol corresponding to a transition on the associated circuit signal (or an empty signal transition in the case of a = e ), q, q' e Qc be any pair of automaton states such that (q, a, q') e TRC, and M ‘ be any module of the circuit C. Furthermore, let q‘, q'1 e Q‘ be the local states of FA* associated with states q, q' of FAC, respectively, and let a\V ' be defined as follows: a\Vl ~ a if a e A ', and a\Vl = e, otherwise. Finally, let (q, a, q')\V ‘, the restriction of state transition (iq,a,q’) to V", be defined as (q, a, q ')\V ‘ = (q‘, a\V‘, qH). 
Then, (q, a, q')\V‘ is always a state transition of TR‘ (i.e., (q‘, a\ V‘, q'') e TR‘) which is called the local state transition of FA* associated with state transition (q, a, q') of FAC. The state transition labeling function \ic : Qc x (Ac u e ) {F, S} labels the edges of the underlying transition diagram of FAC (induced by TRC). Let a € Ac u e be any symbol corresponding to a transition on the associated circuit signal (or an empty signal transition in the case of a = e ), q, q' e Qc be any pair of automaton states such that (q, a, q') e TRC. Let \ic (q, a) = F indicate that all state transitions by a from state q are failure state transitions while n c (q, a) = S indicate that none of such state transitions are failure transitions. Then |xc (^, a) = F iff there Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 40 exists a module M ‘ such that at its associated local state q‘ e Q‘ (where Xc(q)| V " = X‘(q‘) ) we have a\V*) = F ; that is, all state transitions from state q and by symbol a are labeled as failure transitions iff there exists a module A/' such that from its local state, the symbol a causes failure state transitions. Note that by construction, we always have \ic (q, e) = S . We say that a circuit C is not failure-free iff there exist q e Qc and a e A c , such that |xc(q, a) = F ; otherwise, the circuit is failure-free. A circuit is non-deterministic if it has a non-deterministic module which can exhibit a choice within the circuit. qfi e Qc is the initial state of automaton FAC. Let M ‘ be any circuit module. Then we have V ( ^ ) = ^ c(^q)\V‘■ So far, we have described how states and state transitions of the compound automaton FAC are constrained by states and state transitions of the component automata FA1, F A n° . An inductive description of the state space of FAC based on those of FA1 , ..., FAn C is given below. 
Definition 2.3 [State space of a circuit automaton] Let C - (M c, A c , Vc, Gc, FA0) be a circuit. The state space of FAC = (Ac, Vc, Qc, Xc, TRC, p c, qft) is inductively defined as follows: (i) Xc(qfi), the label of the initial state qfi e Qc of FAC is uniquely selected such that for all M*, 1 < / < nc , Xc(q£) is an extension of X '(^ ) to Vc . Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 41 (ii) Let q e Qc be a state of FAC. Moreover, let (a) the state label of q be Xc (q) , (b) a e A c be any symbol of the alphabet (associated with signal a of the circuit); by the circuit graph constraints, there must exist a unique module Af ‘ , 1 < i < nc , such that a e Z ', (c) M Q M c be the set of all circuit modules of C such that Mi e M , 1 < j < nc , iff a e X i ; that is, M is exactly the set of all modules which are driven by the signal a, (d) ql e Ql be the local state of Af' at q \ i.e., Xc (q)\V‘ = \ ‘(q‘). Similarly, let for any Mi e M , qi e Qi be the local state of MJ at q, (e) a be enabled at q‘ and {q‘, a, q'1 ) e TR‘ be any of the possible state transitions in FA‘ by symbol a. Similarly, let for any M i e M , (qi,a,q’i ) e TRi be any of the possible state transitions in FAi by symbol a. Then q' is a state of FAC (i.e., q' e Qc ) and (q, a, q') is a state transition of FAC (i.e., (q, a, q') € TRC) if k c (q') , the label of q', satisfies the following constraints; (a) for M‘ and q'1 e Q‘ described above, Xc (^')| V' = , (b) for all Mi e M and q'i s Qi described above, Xc (q')\Vi = M{q'i), and (c) for all Mk e M c - M , 1 < k < n c , k c (q') \Vk = Xk(qk).m The base part of the inductive definition above describes the initial state of FAC. Notice that the initial state, and consequently FAC itself, are well-defined iff the circuit modules are initial-state-compatible. 
That is, let (a) a e A c be any circuit signal, (b) M G M c be the set of all circuit modules such that Mi e M , 1 < j < nc , iff a e A i, (c) qfie Qi be the initial state of circuit module M i e M . Then Xi(q^)(a) has a unique value over all Mi e M . Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 42 The inductive step of the inductive definition above describes how Qc (the set of states of FAC), Xc (the state labeling function of FAC), and TRC (the state transition function of FAC) are inductively defined. \ic (the transition labeling function of FAC) is defined based on its description that was given earlier. The automaton FAC defined as above describes the behavior of the circuit as an interleaved behavior. In other words, no two circuit signals change simultaneously, although they may concurrently be enabled to change; instead, all possible interleavings of enabled signals are represented in FAC. It is also noted that any signal change will cause a simultaneous and instantaneous change in the internal state of any circuit module which has that signal as an I/O. Such module internal state changes are dictated by the automaton of the corresponding module. Definition 2.4 [Changed variables of a transition] Let C be a circuit, FAC = (A c , Vc, Qc, Xc, TRC, p c, qfi) be its automaton, and (q,a,q')e TRC be any state transition of FAC. Let V q Vc be the set of all and only those circuit variables that change by state transition (q,a,q')\ i.e., for all v e V, A.c (<7) ( v ) * X c (< j')(v), and for all w e Vc - V , Xc(q)(w) = Xc (^')(w ). Then we define Changed(q, a, q’) = V. Note that if a * e , then a e Changed(q, a, q ) . ■ The following recursive procedure for full reachability analysis of FAC is directly derived from the inductive definition of FAC. Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 
43 Procedure 2.1 [Full reachability analysis of a circuit automaton] Let C - (M c, Ac, Vc, Gc, FA°) be a circuit. The state space of FAC - (Ac, Vc,Q c, \ c,TRc,\ic,qfi) can be fully constructed and explored as follows: (i) The initial state qfie Qc of FAC is constructed such that for all A/', 1 < i < n c , Xc ( ^ ) is an extension of X '( ^ ) to Vc . (ii) Let q e Qc be a previously constructed state of FAC which has not been explored yet. Then by exploring q, we find all possible state transitions from q, and all states reachable from q through such state transitions. The state exploration at q is performed as follows: for all states q' for which the inductive definition of FAC would define (q, a, q') as a state transition of FAC, q' e Qc and (q, a, q') e TRC are added to the constructed state space of FAC. The inductive construction of FAC is completed when all previously constructed states of FAC have already been explored; i.e., when the constructed state space reaches a fixed point. ■ Failure-freedom of a circuit can be exactly checked during full reachability analysis of the circuit automaton. As FAC is being constructed, newly explored state transitions of FAC are checked for failures. If any failure state transition is ever found, then the circuit is known to have a failure and there is no need to continue the construction of FAC. Otherwise, the construction of FAC is continued to completion, and the circuit would be declared as failure-free. Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 44 Since the size of the state space of a circuit C can be as big as 0 (2 ^ ) , checking failure freedom of a circuit through full reachability analysis would often suffer from the state space explosion problem; i.e., it can be very costly for large circuits, out of the capacity of even state-of-the-art computers. 
This is where techniques which enable us to check for failure-freedom without fully exploring the state space, and yet provide exact results become of great importance. 2.4 More on Circuit Automaton and Behavior In this section, we present the notion of the behavior of a circuit C in terms of the runs of its automaton FAC. We also introduce a set of operations on behaviors and automata which are used in following sections. It is to be noted that we use the kind of automaton which was introduced in the previous section to model any abstract behavior and not just that of a circuit. Thus in what follows, FAC will characterize any behavior, and not necessarily that of a circuit, unless otherwise specified. 2.4.1 Automaton Behavior and Circuit Behavior In this section, we define the notion of a trace, as a sequence of automaton states, based on which we then define automaton behavior and circuit behavior. We also define the notion of an automaton string, as a sequence of automaton symbols associated with an automaton trace. Finally, we define two functions, Red(.) and FF(.), over traces and behaviors. Function Red(.) keeps only the prefix of a trace Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 45 (the subset of a behavior) which is necessary for the purpose of checking failure- freedom. Note that checking failure-freedom-the most important property of a circuit and the first to be verified— is completed as soon as any (single) failure is detected. This suggests that the behavior of a circuit beyond any failure point is of no significance; i.e., only those traces of a behavior whose prefixes are failure-free are of any interest for the purpose of verification. Function FF(.) returns the (longest) failure-free prefix of a trace, or the failure-free portion of a behavior. Definition 2.5 [Trace] Let FAC = (Ac, Vc, Qc, Xc, TRC, pc, qfi) be any automaton. 
A run (or trace) of the automaton FAC is a sequence of states t - qQ q x...qn such that (i) qt e Qc for all 0 < i < n , (ii) for any consecutive pair of states + 1 in the sequence, there exists afe A c u e such that (< ? ,» a < > <?,+ t ) e TRC. Len(t) = n is the length of such a run3. An initialized run of the automaton FAC is a run t - q0q x ...qn which starts at the initial state of FAC\ that is q0 - q$ M Definition 2.6 [Automaton behavior] Let FAC = (A c, Vc, Qc, Xc, TRC, |4C , qfi) be any automaton. The automaton behavior, denoted Bc , is defined to be the set of all initialized runs of FAC. Such a set is prefix-closed; that is, if qQ q x...qn e Bc , then qQ q\...qie Bc , for 0 < i < n . ■ 3. Note that we define the length of a run as the number of its state transitions, and not the number of its states. Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 46 PC & ao a2 0 ' 84 Fig. 2.7 A four-state FIFO controller in an abstract environment. Definition 2.7 [Failure freedom] Let FAC - (Ac,V c,Q c, k c,TRc,\ic,qfi) be any automaton and Bc be its behavior. We say that FAC (Bc ) is not failure-free iff there exist q e Qc and a e Ac , such that Hc (q, a) - F ; otherwise, FAC (Bc ) is failure-free. ■ Definition 2.8 [Circuit behavior] Let C = (Mc, Ac, Vc, Gc, FA°) be a circuit. The circuit behavior is then defined to be the automaton behavior of FAC, and is thus denoted by Bc . A circuit C is failure-free iff Bc is failure-free. ■ Example 2.7 Figure 2.7 depicts a four-stage FIFO controller. Two possible traces of the circuit behavior are r, = 000000,100000,110000,111000,011000,011100. t2 = 000000,100000,110000,111000,111100,011100. Here, a state is an evaluation of [r0, aQ , a u a2, a3, a 4] . The two traces start with a common sequence of state transitions which is shown in bold face. Then, they express two different orderings of transitions of the two signals r 0 and a2. 
■

Definition 2.9 [Sub-behavior] Let $FA^C = (A^C, V^C, Q^C, \lambda^C, TR^C, \mu^C, q_0^C)$ be any automaton and $B^C$ be its behavior. We then call any prefix-closed set of initialized traces $B \subseteq B^C$ a sub-behavior of $B^C$. ■

At this point, we are ready to define the function $Red(.)$ and its operation on traces and behaviors. This function removes from a trace the suffix that follows the first occurrence of a failure.

Definition 2.10 [Reduced trace, prime trace, reduced behavior] Let $FA^C = (A^C, V^C, Q^C, \lambda^C, TR^C, \mu^C, q_0^C)$ be any automaton, $B^C$ be its behavior, and $t \in B^C$ be any automaton trace with $Len(t) = n$. We then define $Red(t) = q_0 q_1 \ldots q_m$, $m \le n$, to be the longest prefix of $t$ such that $\mu^C(q_i, a_i) = S$ for all $0 \le i < m-1$, where $(q_i, a_i, q_{i+1}) \in TR^C$. In other words, $Red(t)$ is the longest prefix of $t$ with the property that only the last state transition of $Red(t)$ is possibly a failure transition. Trace $t$ is called a prime trace iff $Red(t) = t$. We also define $Red(B^C) \subseteq B^C$ as the sub-behavior of $B^C$ consisting of all and only the prime initialized traces of $B^C$. In other words, $t \in Red(B^C)$ iff $t \in B^C$ and $Red(t) = t$. ■

In the following, we define the function $FF(.)$ and its operation on traces and behaviors. This function returns the longest prefix of a trace which is failure-free.

Definition 2.11 [Failure-free trace and failure-free sub-behavior] Let $FA^C = (A^C, V^C, Q^C, \lambda^C, TR^C, \mu^C, q_0^C)$ be any automaton, $B^C$ be its behavior, and $t \in B^C$ be any automaton trace with $Len(t) = n$. We then define $FF(t) = q_0 q_1 \ldots q_m$, $m \le n$, to be the longest prefix of $t$ such that $\mu^C(q_i, a_i) = S$ for all $0 \le i \le m-1$, where $(q_i, a_i, q_{i+1}) \in TR^C$. In other words, $FF(t)$ is the longest prefix of $t$ which is failure-free. Trace $t$ is then called a failure-free trace iff $FF(t) = t$. We also define $FF(B^C) \subseteq B^C$ as the sub-behavior of $B^C$ consisting of all and only the failure-free traces of $B^C$. In other words, $t \in FF(B^C)$ iff $t \in B^C$ and $FF(t) = t$. ■

Definition 2.12 [String of a trace] Let $FA^C = (A^C, V^C, Q^C, \lambda^C, TR^C, \mu^C, q_0^C)$ be any automaton, $t = q_0 q_1 \ldots q_n$ be any trace of the automaton, and $\sigma^t_\varepsilon = a_0 a_1 \ldots a_{n-1}$, with $a_i \in A^C \cup \{\varepsilon\}$ and $0 \le i \le n-1$, be the sequence of symbols (signal transitions) corresponding to trace $t$; i.e., $(q_i, a_i, q_{i+1}) \in TR^C$. Then the sequence of symbols obtained from $\sigma^t_\varepsilon$ by removing all $\varepsilon$ symbols is called the string associated with trace $t$, and is denoted by $\sigma^t$. ■

Note that for $n = 0$ we define $\sigma^t_\varepsilon = \varepsilon$. Also, if $\sigma^t_\varepsilon$ is a sequence of $\varepsilon$ symbols only, then we define $\sigma^t = \varepsilon$.

2.4.2 Projections of Behaviors

In this section, we define a function $Proj(.)(.)$ and describe its operation on states, traces, and behaviors. Note that states are the building blocks of traces and therefore of behaviors. On the other hand, each state is identified by an associated set of variables and the unique values assigned to them. Let $Proj(V)(QTB)$ be any instance of the application of function $Proj(.)(.)$ to an object of type state, trace, or behavior. The second argument, $QTB$, is a state (Q), a trace (T), or a behavior (B), and the first argument, $V$, is a subset of the variables associated with object $QTB$. The function maps object $QTB$ to an object of the same type; i.e., it maps states to states, traces to traces, and behaviors to behaviors. The states of the resultant object are associated with the variables in $V$ and their values; while information regarding the variables in $V$ is preserved, any information regarding the other variables of $QTB$ is lost in the resultant object $Proj(V)(QTB)$.

The function $Proj(.)(.)$ can similarly be applied to strings. Let $Proj(A)(S)$ be any instance of the application of function $Proj(.)(.)$ to an object of type string. The second argument, $S$, is a string, and the first argument, $A$, is a subset of the automaton alphabet $A^C$. The function maps object $S$ to an object of the same type; i.e., it maps a string to another string, by simply removing any symbol which does not belong to the set $A$.

Definition 2.13 [$W_V$-transition] Let $FA^C = (A^C, V^C, Q^C, \lambda^C, TR^C, \mu^C, q_0^C)$ be any automaton, $V \subseteq V^C$, and $(q, a, q') \in TR^C$. Then if $V \cap Changed(q, a, q') = W$, we say that $(q, a, q')$ is a $W_V$-transition. ■

Definition 2.14 [V-compatibility, state projection] Let $FA^C = (A^C, V^C, Q^C, \lambda^C, TR^C, \mu^C, q_0^C)$ be any automaton, and $V \subseteq V^C$. Let $P^C_V \subseteq Q^C \times Q^C$ be a relation such that for any pair of states $q_i, q_j \in Q^C$, $(q_i, q_j) \in P^C_V$ iff $\lambda^C(q_i)|_V = \lambda^C(q_j)|_V$; that is, the labels of the two states $q_i, q_j$ agree on the values that they assign to the variables in $V$. We say that any pair of states related by relation $P^C_V$ are V-compatible. It is easy to see that $P^C_V$ is an equivalence relation over the set of states $Q^C$ and partitions that set into $p^C_V \ge 1$ equivalence classes, such that each class is associated with a unique function over the set of variables $V$. We represent the equivalence class of any state $q_i \in Q^C$ with respect to $P^C_V$ by $[q_i]_V$. We are now ready to define (i) a new set of states $Q^C_V$, $|Q^C_V| = p^C_V$, (ii) a corresponding state labeling function $\lambda^C_V : Q^C_V \to L(V)$ for $Q^C_V$, and (iii) a mapping $Proj(V) : Q^C \to Q^C_V$, as follows: for any $q_i \in Q^C$, $Proj(V)$ maps all states $q \in [q_i]_V$ to a unique state $q_V \in Q^C_V$ such that $\lambda^C_V(q_V) = \lambda^C(q)|_V = \lambda^C(q_i)|_V$. Finally, if $Proj(V)(q) = q_V$, then we say that $q_V$ is the projection of $q$ onto $V$. ■

So far, we have defined the function $Proj(V) : Q^C \to Q^C_V$. At this point, we extend our definition of projection over a set of variables, $Proj(V)(.)$, to the domain of traces (runs) and behaviors.

Definition 2.15 [Trace projection] Let $FA^C = (A^C, V^C, Q^C, \lambda^C, TR^C, \mu^C, q_0^C)$ be any automaton and $B^C$ be its behavior. Let $V \subseteq V^C$ and $A = V \cap A^C$ (i.e., $A$ consists of all and only those variables of $V$ which belong to $A^C$). Let $t \in B^C$ be a trace of $B^C$. Then the projection of $t$ onto $V$, denoted by $t_V = Proj(V)(t)$, is a sequence of states of $Q^C_V$, and is inductively defined as follows:

• if $t = q_0^C$, then $t_V = Proj(V)(q_0^C)$;

• if $t = q_0 q_1 \ldots q_i q_{i+1} = t' q_{i+1}$ and $Proj(V)(t') = t'_V$, then
$$t_V = \begin{cases} t'_V \; Proj(V)(q_{i+1}) & \text{if } Proj(V)(q_i) \ne Proj(V)(q_{i+1}), \\ t'_V & \text{otherwise.} \end{cases}$$

In other words, each maximal subsequence of V-compatible states in $t$ is mapped to a single state in $t_V$, which is the projection of any of the states of the subsequence. ■

Definition 2.16 [Behavior projection] Let $FA^C = (A^C, V^C, Q^C, \lambda^C, TR^C, \mu^C, q_0^C)$ be any automaton and $B^C$ be its behavior. Then for any $V \subseteq V^C$, the projection of $B^C$ onto $V$, denoted by $Proj(V)(B^C)$, is the set of traces such that $t_V \in Proj(V)(B^C)$ iff there exists $t \in B^C$ such that $t_V = Proj(V)(t)$. ■

Definition 2.17 [Exact abstraction of a behavior over a set of variables] Let $FA^C = (A^C, V^C, Q^C, \lambda^C, TR^C, \mu^C, q_0^C)$ be any automaton, and $B^C$ be its behavior. Let $V \subseteq V^C$, and $B$ be any set of traces over the set of variables $V$. We say that $B$ is an exact abstraction of $B^C$ over $V$ iff $B = Proj(V)(B^C)$. (Note that by this definition, $Proj(V)(B^C)$ is itself an exact abstraction of $B^C$ over $V$!) ■

Definition 2.18 [String projection] Let $FA^C = (A^C, V^C, Q^C, \lambda^C, TR^C, \mu^C, q_0^C)$ be any automaton, $V \subseteq A^C$, and $\sigma^t$ be a string of $FA^C$. Then the projection of $\sigma^t$ onto $V$, denoted by $Proj(V)(\sigma^t)$, is the string obtained from $\sigma^t$ by removing any symbol that does not belong to $V$. ■

Example 2.8 Let $FA^C$ be an automaton with $V^C = \{a, b, c, d, e\}$, and let
$$B^C = (00001\ 10001\ 10101\ 00101\ 00100\ 00000\ 01000\ 01010\ 00010\ 00011)^*.$$
Here, any state $q \in Q^C$ is labeled with an evaluation of the ordered set $[a, b, c, d, e]$, and $q_0^C = 00001$. We have used regular expressions to simplify the description of the behavior. In addition, we imply that all prefixes of the above regular expression are also in $B^C$. Projecting the behavior $B^C$ onto the set $V^C - \{e\} = \{a, b, c, d\}$ would yield:
$$Proj(V^C - \{e\})(B^C) = (0000\ 1000\ 1010\ 0010\ 0000\ 0100\ 0101\ 0001)^*.$$
Note that in this projected behavior, two different transitions are possible from state $0000$; i.e., $(0000, 1000)$ and $(0000, 0100)$. However, these two transitions occur only in an alternating fashion in the projected behavior. This situation has occurred since two semantically different states of $B^C$ (i.e., $00001$ and $00000$) are projected onto a single state of $Proj(V^C - \{e\})(B^C)$, namely $0000$. Now, consider projecting $B^C$ onto the set $V^C - \{a\} = \{b, c, d, e\}$:
$$Proj(V^C - \{a\})(B^C) = (0001\ 0101\ 0100\ 0000\ 1000\ 1010\ 0010\ 0011)^*.$$
This time, no two different states of $B^C$ are projected onto a single state of $Proj(V^C - \{a\})(B^C)$. ■

We close this section with two lemmas which describe some useful properties of projections. The lemmas are trivial implications of the definitions of $Proj(.)(.)$, traces and strings, and thus their proofs are omitted.

Lemma 2.1 [Successive projection] Let $FA^C = (A^C, V^C, Q^C, \lambda^C, TR^C, \mu^C, q_0^C)$ be any automaton, and $V \subseteq W \subseteq V^C$. Then for any projectable automaton entity $e$ we have $Proj(V)(Proj(W)(e)) = Proj(V)(e)$. ■

Lemma 2.2 [Strings and projections] Let $FA^C = (A^C, V^C, Q^C, \lambda^C, TR^C, \mu^C, q_0^C)$ be any automaton, $B^C$ be its behavior and $V \subseteq V^C$. Let $t \in B^C$, $\sigma^t$ be the string associated with $t$, and $t_V = Proj(V)(t)$. Then $\sigma^{t_V} = Proj(V)(\sigma^t)$. In other words, the string associated with the projection of a trace $t$ is the same as the projection of the string associated with $t$. ■

2.4.3 Sub-automaton and Projection of an Automaton

In this section, we first define the notion of a sub-automaton of an automaton. Then we define the notion of collapsing an automaton onto a set of automaton variables, followed by the notion of an automaton projection as any collapsed automaton whose behavior is an exact abstraction of the behavior of the original automaton. Finally, we present a set of sufficient conditions for a collapsed automaton to be an automaton projection.

Definition 2.19 [Sub-automaton] Let $FA^C = (A^C, V^C, Q^C, \lambda^C, TR^C, \mu^C, q_0^C)$ be any automaton. We then define a sub-automaton of $FA^C$ to be any automaton $\hat{FA}^C = (A^C, V^C, \hat Q^C, \hat\lambda^C, \hat{TR}^C, \hat\mu^C, q_0^C)$ such that (1) $\hat Q^C \subseteq Q^C$, $q_0^C \in \hat Q^C$, and for all $q \in \hat Q^C$, $\hat\lambda^C(q) = \lambda^C(q)$; (2) $\hat{TR}^C \subseteq TR^C$, $\hat{TR}^C \subseteq \hat Q^C \times (A^C \cup \{\varepsilon\}) \times \hat Q^C$, and for all $q, q' \in \hat Q^C$ and $a \in A^C \cup \{\varepsilon\}$, if $(q, a, q') \in \hat{TR}^C$ then $\hat\mu^C(q, a) = S$; and (3) the underlying state transition graph of $\hat{FA}^C$ is a connected subgraph of that of $FA^C$. ■

Let $C = (M^C, A^C, V^C, G^C, FA^C)$ be a circuit. The automaton $FA^C$, as we have defined it, describes the whole state space of the circuit $C$. A sub-automaton $\hat{FA}^C$, in contrast, describes the state space of the circuit only partially. A sub-automaton $\hat{FA}^C$ can thus be constructed by partially exploring the state space of the circuit, instead of full exploration. The inductive construction of $FA^C$ of a circuit $C$ was previously described. In constructing a sub-automaton of $FA^C$, it suffices to explore only a subset of the state transitions from any state which is under exploration, and to repeat this procedure from any reached state which has not previously been explored, until no such state (reached and unexplored) is left.
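The trace functions of Definitions 2.10, 2.11, 2.12, 2.15, 2.16 and 2.18, exercised on the behavior of Example 2.8 above, as an added example that is not part of the thesis. The modeling assumptions are mine: a state is a bit string over the ordered variable list `VARS`, a trace is a list of states, and the symbol of a transition is the name of the single variable that changes (signal polarity is omitted, since the example only needs the variable name); the failure labeling `mu` used for `red` and `ff` is a constructed sample, as the example's automaton has no failure transitions. The last function checks Lemma 2.2 on a trace.

```python
# Added example, not part of the thesis: Red, FF, the string of a trace,
# and projection of states, traces, behaviors and strings (Section 2.4),
# run on the cyclic behavior of Example 2.8.

VARS = ["a", "b", "c", "d", "e"]

# The cycle of Example 2.8; every prefix of (CYCLE)* belongs to B^C.
CYCLE = ["00001", "10001", "10101", "00101", "00100",
         "00000", "01000", "01010", "00010", "00011"]


def unroll(cycle, length):
    """Initialized trace with `length` transitions, following the cycle."""
    return [cycle[i % len(cycle)] for i in range(length + 1)]


def symbol(q, q2, variables):
    """Symbol of the transition q -> q2: the changed variable, or '' (epsilon)."""
    diff = [v for v, x, y in zip(variables, q, q2) if x != y]
    assert len(diff) <= 1, "every transition changes at most one variable"
    return diff[0] if diff else ""


def trace_string(trace, variables=VARS):
    """Definition 2.12: sigma^t, the transition symbols with epsilons removed."""
    syms = (symbol(q, q2, variables) for q, q2 in zip(trace, trace[1:]))
    return [s for s in syms if s]


def red(trace, mu, variables=VARS):
    """Definition 2.10: Red(t), the longest prefix in which only the last
    transition may be a failure. mu maps (state, symbol) to 'S' or 'F';
    a transition absent from mu is taken as successful."""
    out = [trace[0]]
    for q, q2 in zip(trace, trace[1:]):
        out.append(q2)                     # the failing transition is kept ...
        if mu.get((q, symbol(q, q2, variables)), "S") == "F":
            break                          # ... and everything after it dropped
    return out


def ff(trace, mu, variables=VARS):
    """Definition 2.11: FF(t), the longest failure-free prefix."""
    out = [trace[0]]
    for q, q2 in zip(trace, trace[1:]):
        if mu.get((q, symbol(q, q2, variables)), "S") == "F":
            break                          # stop before the failing transition
        out.append(q2)
    return out


def proj_vars(V, variables=VARS):
    """Ordered variable list of the projected objects (labels over V)."""
    return [v for v in variables if v in V]


def proj_state(V, q, variables=VARS):
    """Definition 2.14: Proj(V)(q), the label restricted to V."""
    return "".join(x for v, x in zip(variables, q) if v in V)


def proj_trace(V, trace, variables=VARS):
    """Definition 2.15: each maximal run of V-compatible states becomes one state."""
    out = [proj_state(V, trace[0], variables)]
    for q in trace[1:]:
        qv = proj_state(V, q, variables)
        if qv != out[-1]:                  # Proj(V)(q_i) != Proj(V)(q_{i+1})
            out.append(qv)
    return out


def proj_behavior(V, traces, variables=VARS):
    """Definition 2.16: the set of projections of the given traces."""
    return {tuple(proj_trace(V, t, variables)) for t in traces}


def proj_string(V, string):
    """Definition 2.18: drop the symbols that are not in V."""
    return [s for s in string if s in V]


def lemma_2_2_holds(V, trace, variables=VARS):
    """Lemma 2.2: string of the projected trace == projection of the string."""
    lhs = trace_string(proj_trace(V, trace, variables), proj_vars(V, variables))
    rhs = proj_string(V, trace_string(trace, variables))
    return lhs == rhs


if __name__ == "__main__":
    t = unroll(CYCLE, len(CYCLE))          # one full cycle, back to q0
    print(proj_trace({"a", "b", "c", "d"}, t))
    print(proj_trace({"b", "c", "d", "e"}, t))
    mu = {("00100", "c"): "F"}             # constructed failure label
    print(red(t, mu), ff(t, mu))
```

Running the block prints the two projected cycles stated in Example 2.8 (each followed by the return to the projected initial state), and shows that with a constructed failure on the transition $00100 \to 00000$, `red` keeps that transition while `ff` stops before it.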
Note that while automaton $FA^C$ may have failure transitions, we define any sub-automaton $\hat{FA}^C$ to be failure-free. A more natural choice for the transition labeling function of $\hat{FA}^C$ would seem to be one which carries the labels of the transitions from $FA^C$ to $\hat{FA}^C$; i.e., one such that for all $q, q' \in \hat Q^C$ and $a \in A^C \cup \{\varepsilon\}$, if $(q, a, q') \in \hat{TR}^C$ then $\hat\mu^C(q, a) = \mu^C(q, a)$. However, as will become clear in the coming sections, the choice of the transition labeling function is not critical or relevant to our analysis, and in fact our simplistic choice is sufficient for the correctness of our framework.

Definition 2.20 [Collapsed automaton] Let $FA^C = (A^C, V^C, Q^C, \lambda^C, TR^C, \mu^C, q_0^C)$ be any automaton, $V \subseteq V^C$, and $A = V \cap A^C$. The collapsed automaton of $FA^C$ onto $V$, denoted by $FA^C_V = (A, V, Q^C_V, \lambda^C_V, TR^C_V, \mu^C_V, q^C_{0V})$, is then defined as follows:

• $Q^C_V$ is the codomain of $Proj(V) : Q^C \to Q^C_V$. Thus $q_V \in Q^C_V$ iff there exists a $q \in Q^C$ such that $q_V = Proj(V)(q)$; in particular, we have $q^C_{0V} = Proj(V)(q_0^C)$.

• $\lambda^C_V : Q^C_V \to L(V)$ is such that for any pair of states $q$ and $q_V$ related by $q_V = Proj(V)(q)$ we have $\lambda^C_V(q_V) = \lambda^C(q)|_V$.

• $TR^C_V \subseteq Q^C_V \times (A \cup \{\varepsilon\}) \times Q^C_V$ is such that for any $a \in (A \cup \{\varepsilon\})$ and $q_{Vi}, q_{Vj} \in Q^C_V$, $(q_{Vi}, a, q_{Vj}) \in TR^C_V$ iff there exists a pair of states $q_i, q_j \in Q^C$ such that $q_{Vi} = Proj(V)(q_i)$, $q_{Vj} = Proj(V)(q_j)$, and $(q_i, a, q_j) \in TR^C$.

• $\mu^C_V : Q^C_V \times (A \cup \{\varepsilon\}) \to \{F, S\}$ is such that for all $a \in (A \cup \{\varepsilon\})$ and $q_{Vi}, q_{Vj} \in Q^C_V$ such that $(q_{Vi}, a, q_{Vj}) \in TR^C_V$, $\mu^C_V(q_{Vi}, a) = S$. That is, $FA^C_V$ is defined to be failure-free. ■

Once again, we notice that while automaton $FA^C$ may have failure transitions, we define its collapsed automaton $FA^C_V$ to be failure-free. A more natural choice for the transition labeling function of $FA^C_V$ would seem to be one with the following description:

• $\mu^C_V : Q^C_V \times (A \cup \{\varepsilon\}) \to \{F, S\}$ is such that $\mu^C_V(q_{Vi}, a) = F$ iff there exists $q_i \in Q^C$ such that $q_{Vi} = Proj(V)(q_i)$, and either (i) $\mu^C(q_i, a) = F$, or (ii) there exists $b \in A^C - V$ such that $\mu^C(q_i, b) = F$, and there exists a sequence of $A^C - V$ signal transitions from $q_i$, starting with a transition by $b$ and leading to a state at which $a$ is enabled.

However, similar to the case of a sub-automaton, we have made the simplistic choice of letting $FA^C_V$ be failure-free since that suffices for our analysis.

The definition of a collapsed automaton implies that it can be obtained from the original automaton by the following steps: (i) take the underlying state diagram of the original automaton and relabel each state by restricting its labeling function to $V$; (ii) merge any set of relabeled states that have a common (restricted) label into a single state with that common label. The resulting diagram will thus have states with unique labels. (Note that unique state labeling is a requirement of the kind of automaton that we have been using.) The resulting state diagram represents the collapsed automaton.

Definition 2.21 [Automaton projection] Let $FA^C = (A^C, V^C, Q^C, \lambda^C, TR^C, \mu^C, q_0^C)$ be any automaton, $V \subseteq V^C$, and $A = V \cap A^C$. We say $FA^C$ is projectable onto $V$ and call the collapsed automaton $FA^C_V$ an automaton projection iff $B^C_V$ is an exact abstraction of $B^C$ over $V$; i.e., $B^C_V = Proj(V)(B^C)$. ■

As will be seen in the coming sections of this thesis, in our hierarchical verification approach we frequently need to simplify (reduce) and abstract the model of a behavior. Such abstractions are obtained by hiding some subset of the variables of the original behavior. To prevent false negative/positive verification results, the abstract model has to precisely capture the behavior of the non-hidden variables in the original model. In other words, the behavior of the abstract model should be equivalent to the projection of the behavior of the original model onto the same set of variables; i.e., the former should be an exact abstraction of the latter.

Although the projection of an automaton behavior is itself an exact abstraction, to obtain it we need to first obtain the behavior of the automaton by full reachability analysis of its underlying state diagram, and then find the projection of each trace of that behavior. In contrast, to collapse an automaton we simply need to appropriately examine the automaton's underlying state diagram, without the need to perform full reachability analysis, and if the collapsed automaton is an automaton projection, its behavior is indeed an exact abstraction. That considered, along with the fact that we have already chosen automata over trace sets in modeling circuits and their behavior (due to the more efficient and compact representation of automata), we prefer automaton projections over projections of automaton behavior to derive exact abstractions for specifications.

Note that a collapsed automaton is not always necessarily an automaton projection, and thus may not precisely represent the behavior of the non-hidden variables. Consider the two steps of the outlined procedure for collapsing an automaton. It is possible for the resulting collapsed automaton to represent a behavior that is not an exact abstraction, since the second step of collapsing can map semantically different states of the original automaton onto a single state, creating spurious state sequences (and strings) that are not present in the projection of the automaton behavior.

Figure 2.8 illustrates this condition through a simple example. Figure 2.8.a depicts the state diagram of an automaton with a single state variable $v_1$. The automaton is to be collapsed onto its alphabet, $A^C = \{a_1, a_2, a_3, a_4\}$.

[Fig. 2.8 When an automaton projection does not exist! (a) State diagram of the original automaton over $[a_1, a_2, a_3, a_4, v_1]$; (b) after relabeling states onto $[a_1, a_2, a_3, a_4]$; (c) after merging states. Automaton projection onto $\{a_1, a_2, a_3, a_4\}$?]

Note that this automaton represents an alternating behavior in which a sequence of transitions on signals $a_1$ and $a_3$ alternates with a sequence of transitions on signals $a_2$ and $a_4$. Relabeling the states of the automaton results in two states with identical labels (see Figure 2.8.b). Note that the initialized state sequences of state diagram 2.8.b represent the projection of the (alternating) behavior of the original automaton. Merging the two states of diagram 2.8.b into a single state creates the automaton of Figure 2.8.c, in which any interleaving of the two above-mentioned sequences of signal transitions is possible. The behavior of the automaton of Figure 2.8.c is a superset of the projection of the behavior of the original automaton, and thus is not an exact abstraction of that behavior. In this case, we say that the original automaton is not projectable onto the indicated set of variables, or that the collapsed automaton is not an automaton projection.

Situations such as the above example force us to impose and practice conditions on the projectability of an automaton to guarantee that the behavior of the collapsed automaton is indeed an exact abstraction of the original automaton's behavior.
Consider automaton FAC = (Ac, Vc, Qc, Xc, TRC, |xc, qfi) and any set V q V c . We will call V the set of external variables, and Vc - V the set of hidden variables. We know that the V -compatibility relation P$ q Qc x Qc partitions the set of automaton states into V -compatible equivalence classes. Thus any state q e Qc belongs to a ’ /-compatibility class [q]v . The following theorem specifies the necessary and sufficient conditions for projectability of an automaton onto a set of external variables. Theorem 2.3 [Necessary and sufficient conditions for projectability of an automaton] Let FAC = (A c, Vc, Qc, Xc, TRC, \ic, qfi) be any automaton, V c Vc be a set of external variables, and A = V n A c . The collapsed automaton FA$ is then an automaton projection iff for any pair of states qit q\ 6 Qc such that q 'ii [q^y and ( q ^ a ^ 'J e TRC is a Wv -transition (i.e., V n Changed(qi, a, q\) - W * 0 ) , and for any pair of states q'j, qj e Qc such that q'j i [q jy, qj 6 [q^y, and (q'j, b, qj) 6 TRC, there exists a pair of states qt, q't e Qc , qt e [^,]v , q [ q t\v, such that (qt, c, q't) e TRC is a W v -transition and there exists a (possibly empty) sequence of V -compatible states from to qt.u The above theorem states that for FAC to be projectable onto V, for any (external) W v -transition (qt, a, <?',) e TRC in FAC it must be true that if ^ ■ 6 Qc is any state Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 60 that is V -compatible with qt and is either an initial state or reachable by an external transition, then there exists a (possibly empty) sequence of V -compatible transitions from qj to a state qt , such that a Wv -transition is possible from qt . It is straight forward to verify that the following is a reformulations of the above necessary and sufficient conditions for projectability of an automaton. 
Conditions 2.22 [Necessary and sufficient conditions for projectability of an automaton] Let FAC - (Ac, Vc, Qc, k c, TRC, \ic, qfi) be any automaton, V c Vc be a set of external variables, and A = V r*Ac . The collapsed automaton FA$ is then an automaton projection iff the following conditions hold: • Let qj e Qc be any initial state of Qc , or any state to which there exists an external transition (q'j, b, q ^ e TRC from some state q'j e Qc such that q'j £ [qj]v . Let Qj Q Qc be the set of all states such that qk e Qj iff (i) qk is reachable from qj through a (possibly 6) sequence of V -compatible states, and (ii) there exists (qk, c, qm) e TRC, qm £ [qj]v ; i.e., an external transition from qk to a state that is not V-compatible with qk. Then let Wj - {Proj(V)(qk,c,qm)\(qk,c ,q m) e TRc,q k e Qjt qm £ [qj]v ) be the projection of all external state transitions from the states in Q j . • Let 6 Qc be any other initial state of Qc , or any other state to which there exists an external transition (q\, d, qt) e TRC from some state q\ € Qc such that q \ £ [q;\v and qt e [qj]v ; i.e., ^ - and qt are V-compatible. Define Qt Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 61 and W[ similar to Qj and Wj above. • Then we must have Wj = Wt. If the above conditions hold, then we have Qy = {Proj(V)(qj)} and TR$ = {Wj}, for all states qj as described above. ■ 2.5 Safe Abstractions and Observational Sufficiency In this section, we first define our notion of a safe abstraction as an under approximation of the behavior of a subset of circuit variables which is guaranteed to be exact if the circuit is failure-free. We also define the notion of an observationally sufficient set of circuit variables whose behavior can be safely captured by a safe abstraction. 
Finally, we present a corollary suggesting that if the automaton of a circuit is projectable onto a set of circuit variables, then the behavior of the projected automaton is a safe abstraction of the circuit behavior over the same set of circuit variables. Definition 2.23 [Safe abstraction] Let C = (Mc, A c, Vc, Gc, FA0} be a circuit and Bc be its behavior. Then a behavior B v over a set of variables V c Vc is called a safe abstraction of Bc over V iff (a) B v is the behavior of some automaton FAV = <A, V, Qv, k v, TR V, \lv, qV), A - V n Ac , (b) B v Q Proj(V)(B° ) , and (c) B v = Proj(V)(Bc ) if the circuit is failure-free. ■ Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 62 By definition, a safe abstraction of Bc over V is an automaton behavior which is an under-approximation of the behavior of the circuit variables V and yet it is guaranteed to be exact if the circuit is failure-free4. Definition 2.24 [Observational sufficiency] Let C = (M c, A c, Vc, Gc, FA°) be a circuit and Bc be its behavior. Then a set V Q Vc is called observationally sufficient for Bc iff there exists an automaton FAV = ( A ,V ,Q v,X v,T R v,\Lv,q%), A = V n A c , such that B v is a safe abstraction of Bc over V. ■ By definition, the behavior of any set of observationally sufficient circuit variables is safely captured by the corresponding safe abstraction. Here, the word ‘safely’ is used to emphasize that safe abstractions never over-approximate the behavior of the corresponding variables. We will refer to an observationally sufficient set of variables as an OSV set. Corollary 2.4 [Automata projections and safe abstractions] Let C = <M c , A c, Vc, Gc, FA0) be a circuit and Bc be its behavior. Let V q Vc , A = V r \A c , and FAC = (Ac, Vc, Qc, \ c, TRC, jic, qfi) be a sub-automaton of 4. 
By the above definition, if any behavior B v is a safe abstraction of a circuit behavior Bc over a set of circuit variables V q V c , then B v must be the behavior of an automaton FAV - (A, V, Qv, TR V, p '1 ', q%) , A = V O A c . Thus, throughout this thesis, wherever we talk about a safe abstraction, the existence of such a corresponding automaton is automatically assumed. Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 63 FAC such that Proj(V)(Bc ) - Proj(V)(Bc), and FAC is projectable onto V. Then By is a safe abstraction of Bc over V. ■ This Corollary directiy follows from By being an exact abstraction of Bc over V. Corollary 2.5 [Automata projections and safe abstractions] Let C = <M c, A c, Vc, Gc, FA°) be a circuit and Bc be its behavior. Moreover, let V q Vc , A = V n Ac , be such that FA$ is an automaton projection, and let be the behavior of FA £ . Then is a safe abstraction of Bc over V. ■ This Corollary directly follows from B$ being an exact abstraction of Bc over V. 2.6 Formal Proofs In this section, we present our proofs of Theorems 2.3 and Corollary 2.5 by first introducing a lemma that is used in the proofs. Lemma 2.6 [Over approximation by collapsed automata] Let FAC - (Ac, Vc, Qc, Xc, TRC, \ic, qfi) be any automaton, V <zVc , and A = V n Ac . Let FA£ be the collapsed automaton of FAC onto V, and be its behavior. Then B$ 2 Proj(V)(B c ) . ■ Proof (Sketch) We prove this Lemma by way of contradiction. Suppose B $ □ Proj(V)(Bc ) is not true. Then, there must exist a trace of shortest length tv e Proj(V)(Bc ) such that tv £ B $ . Let tv = Proj(V)(t), where Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 64 t = qQ...ql ...qn_ l ...qn e Bc is any trace whose projection onto V yields tv and whose last transition is by a variable in V. 
Here, any indicated pair of states qj, qj + x of trace r , 0 < y < n - 1, are V -incompatible states that are separated by a sequence of states that are V -compatible with qj. Let state q e Qc be the state immediately preceding state qn on trace 1. Thus, there exists a e A 'o e such that (</> qn) e TRC. But then by construction of FA$ it follows that {Proj(V)(q), Proj(V)(a), Proj(V)(qn))e TR$. However, since q and qn_ x are V-compatible, we will have (Proj(V)(qn_ ,), Proj(V)(a), Proj(V)(qn)) e TR$. Now, since tv is the shortest trace of interest, we must have t'v = Proj(V)(t') e where r' = q0...qx...qn_ xe Bc is a prefix of trace t . Now, on one hand we have t'v = Proj(V)(t') = Proj(V)(q0q x...qn_ x) e and on the other hand we have (Proj(V)(qn_ x), Proj(V)(a), Proj(V)(qn))e TR $. It then follows that Proj(V)(qQ q x...qn_ xqn) 6 B$, which in turn implies that tv = Proj{V){t) e B$. Since the latter result yields a contradiction, B$ o Proj{ V)(BC) is indeed true. ■ Theorem 2.3: Necessary and sufficient conditions for projectability of an automaton] Let FAC = (Ac, Vc, Qc, Xc , TRC, \ic, qfi) be any automaton, V c Vc be a set of external variables, and A = V n Ac . The collapsed automaton FA$ is then an automaton projection iff for any pair of states q(, q\ e Qc such that q \ i [ q ^ v and (< ?,, a, < ? '() e TRC is a W v -transition (i.e., V n Change d{qt, a, q\) = W * 0 ) , and for any pair of states q'j, qj e Qc such that q ' [<?j] v € [ < 7,]^, and (q'j, b, qj) e TRC, there exists a pair of states Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 65 qi,q't e Qc , qt € [< ?(]v , q't € such that (qt, c,q'f)E TRC is a W v -transition and there exists a (possibly empty) sequence of V -compatible states from qj to qt . m Proof (Sketch) FA$ is an automaton projection iff B§ = Proj(V)(Bc ) . We already know from Lemma 2.6 that B ^^P ro j(V )(B c ). Thus = Proj(V)(Bc ) would hold iff for all tv e B$, tv e Proj(V)(Bc ) . 
We will show that the latter condition holds iff the indicated condition of this theorem holds. First we show that if the condition of this theorem holds, then for all tv e B ^ , tv e Proj(V)(Bc ) . To prove this by contradiction, suppose that the conditions hold but there exists a shortest trace tv = qQ q l ...qn_ lqn e B§ such that rv € Proj(V)(Bc ) . Considering trace tv , we must have (qn_ ,, a’, qn) e TR$, and thus by construction of FA$ there must exist two states q(, q\ e Qc such that q'jiiqjhy and (qi,a,q'i) e T R c is a Wv -transition, and (9„_ i> qn) - (Proj(V)(qj), Proj(V)(a), Proj{V)(q',.)). Since tv is the shortest such trace, for its immediate prefix we have t'v = q0q l ...qn_ l e Proj(V)(Bc ) . Thus, there must exist a trace t' = q'0...q\...q'n_ l e Bc such that t'v - Proj(V)(t'). Here, any indicated pair of states q'm,q'm+i of trace r', 0 < m < n - 1, are V -incompatible states that are separated by a sequence of states that are K-compatible with q'm. Thus, t'v - Proj(V)(q'Q q'l ...q'n_ l) . Let q'j be the state immediately preceding state q'n_\ on trace t' with (q'j,b,q'n_ l) e TRC. As noted previously, q'n_ , and q'j are V -incompatible states. Moreover, since Proj(V)(q'n_ ,) = Proj{V){qt), we have [q jy and q 'jt [qjy. Now Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 66 (with qj - q'n_[) it follows from the conditions of the theorem that there exists a pair of states q[,q'iE Qc , q t e [qjy, [ ^ ] v ,such that { q ^ ^ q '^ e TRC is a Wv - transition, with a (possibly empty) sequence of V-compatible states from q'n _, to qt . This is equivalent to saying that there exists a trace t" = < 7*0 ..q\...q'„_\...qlq'l e Bc , and thus Proj{V){t")e Proj{V){Bc ) . However, note that since qt, [q^y, and (qt, c, q\) e TRC is a W v -transition, then q \ e [q\]v = [qn\v , and thus Proj(V)(t") - Proj(V)(q'0q\...q'n_ lq'l) = qQ q x ...qn_ xqn . But the latter implies that tv - qQ q x. 
..qn_ xqn e Proj{ V)(BC) , which is a contradiction. Next, we show that if for all tv e B$, tv e Proj(V)(Bc ) , then the condition of the theorem holds. To prove this by contradiction, suppose for all tv e By, tv € Proj{V){Bc ) , but there exist a pair of states qx , q'i e Qc such that q\ e [q-]v and (qit a, q\) e TRC is a W v -transition (i.e., V n Changed(qt, a, q\) = W * 0 ) , together with a pair of states q'j, qj e Qc such that q’j& [q^y, gye and {q'j, b, qj) 6 TR C, but there does not exist any pair of states qt, q't e Qc , qt e [q ^y , q'l 2 [<7,]y. such that (qt, c, q'x) e TRC is a W v -transition with a (possibly empty) sequence of V-compatible states from qj to qt. Note that since (< jr(, a, <?',) € TRC is a W v -transition, by construction of FA$ we have (.Proj{ V)(qi), Proj{ V)(a), Proj{ V)(g'f)) e TR$ . Now let t' = q'Q...q'jqj ...qlq'[e Bc be any trace such that qt e [q^y, q't i [qf]v , (qt, c, q'{) e TRC, and qt is reached from qj through a sequence of V-compatible states, and let t'v - Proj{V){t'). The last state transition of t'v would be Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 67 (Proj(V)(qt), Proj(V)(c), Proj(V)(q’l)) e 77? but that cannot ever be equal to (P ro /(V )(q (), Proj(V)(a), Proj(V)(q’,)) 6 77?£, because (< 7Z , c, q’z) e 77?c is not a Wy -transition (note that qt e [q,]^). Thus, the last state of t'v cannot be Pfoj(V)(q'.), while because of (/Vo/(V) (<?,), Proj(V)(a), Proj{V)(q't)) e TR§, there exists a trace t”v e B$ whose prefix is same as that of t'v but its last state is Proj(V)(q'() . It then follows that for such t"v e B$, t"v e Proj(V)(Bc ) which is a contradiction. ■ Corollary 2.4: [Automata projections and safe abstractions] Let C = (M c, Ac, Vc, Gc, FA0) be a circuit and Bc be its behavior. Let V Q V C, A - V n A c , and FAC - (Ac, Vc, Qc, \ c, TRC, |ic, qfi) be a sub-automaton of FAC such that Proj(V)(Bc ) - Proj(V)(Bc ), and FAC is projectable onto V. 
Then By is a safe abstraction of Bc over V. ■ Proof (Sketch) Since FAy is an automaton projection, we know that By = Proj(V){Bc ). Now, since Proj(V){Bc ) - Proj(V)(Bc ) , we will have B y = Proj(V)(Bc )-, i.e., By is an exact abstraction of Bc over V. But then By would also be a safe abstraction of Bc over V. u Corollary 2.5: [Automata projections and safe abstractions] Let C = (M c , Ac, Vc, Gc, FA°) be a circuit and Bc be its behavior. Moreover, let V q Vc , A - V n Ac , be such that FA$ is an automaton projection, and let B$ be the behavior of FA Then B$ is a safe abstraction of Bc over V. ■ Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 68 Proof (Sketch) The proof of this corollary directly follows from Corollary 2.4, by letting FAC = FAC. U Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 69 Chapter 3 Induced Hierarchical Verification of SI, Theoretical Framework In the previous chapter, we introduced the notion of a safe abstraction as a behavior over a subset of circuit variables which may under-approximate the actual behavior of those variables, but is guaranteed to be exact if the circuit is failure-free. For a circuit that has a safe abstraction, we introduce in this chapter the notion of sub-circuits of the circuit. Such sub-circuits are derived from the safe abstraction and the circuit blocks, where circuit blocks are themselves the result of partitioning the circuit using the observationally sufficient variables of the safe abstraction. We prove in a main theorem of this chapter that for circuits which have a safe abstraction, failure-freedom of the circuit can be determined based on the failure-freedom of its sub-circuits. This important result is the basis of our framework for induced hierarchical verification of speed-independence, as will be seen in this chapter. Reproduced with permission of the copyright owner. 
3.1 Partitioning a Circuit into Circuit Blocks

In this section we describe the notion of partitioning a circuit into circuit blocks using a selected set of circuit signals.

Definition 3.1 [Circuit block] Let $C = (M_C, A_C, V_C, G_C, FA_C)$ be a circuit and $E_C \subseteq A_C$ be a non-empty subset of circuit signals, which we call the external signals. We call $H_C = A_C - E_C$ the set of hidden signals of the circuit. Let $R^E_C \subseteq M_C \times M_C$ be the relation such that for any two circuit modules $M^i, M^j \in M_C$, $(M^i, M^j) \in R^E_C$ iff $A^i \cap A^j \cap H_C \neq \emptyset$. In other words, $M^i$ and $M^j$ are related by $R^E_C$ iff there exists a circuit signal $a \in H_C$ which is a common I/O signal of the two modules. Note that $R^E_C$ is a reflexive and symmetric relation. Let $R^{E*}_C$ be the transitive closure of the relation $R^E_C$; that is, $R^E_C \subseteq R^{E*}_C$, and for any modules, if $(M^i, M^j) \in R^{E*}_C$ and $(M^j, M^k) \in R^{E*}_C$ then $(M^i, M^k) \in R^{E*}_C$. Since $R^{E*}_C$ is a reflexive, symmetric, and transitive relation, it is an equivalence relation over the set of circuit modules, and partitions that set into $r_E \geq 1$ equivalence classes $M^{E,1}_C, \dots, M^{E,r_E}_C$, each called a circuit block. ■

Let $M^{E,i}_C$, $1 \leq i \leq r_E$, be any circuit block. We define
• $X^{E,i}_C = \{a \in E_C \mid \exists M^j \in M^{E,i}_C,\ a \in X^j\}$ as the set of external inputs of circuit block $M^{E,i}_C$;
• $Z^{E,i}_C = \{a \in E_C \mid \exists M^j \in M^{E,i}_C,\ a \in Z^j\}$ as the set of external outputs of circuit block $M^{E,i}_C$;
• $Y^{E,i}_C = \{y \in V_C \mid \exists M^j \in M^{E,i}_C,\ y \in Y^j\}$ as the set of state variables of circuit block $M^{E,i}_C$;
• $H^{E,i}_C = \{a \in H_C \mid \exists M^j \in M^{E,i}_C,\ a \in A^j\}$ as the set of hidden (internal) signals of circuit block $M^{E,i}_C$;
• $A^{E,i}_C = X^{E,i}_C \cup Z^{E,i}_C \cup H^{E,i}_C$ as the set of signals of circuit block $M^{E,i}_C$;
• $V^{E,i}_C = A^{E,i}_C \cup Y^{E,i}_C$ as the set of variables of circuit block $M^{E,i}_C$.

By definition, the equivalence relation $R^{E*}_C$ which partitions the circuit into circuit blocks is such that for any pair of circuit modules $M^i$ and $M^j$ belonging to two different circuit blocks (i.e., $(M^i, M^j) \notin R^{E*}_C$), if $M^j$ feeds $M^i$ through a common I/O signal (i.e., $(z^j_k, x^i_l) \in K_C$), then the common I/O signal must be an external signal (i.e., $z^j_k \in E_C$). In other words, circuit modules which belong to different circuit blocks never feed each other through internal signals. This further emphasizes the fact that the circuit modules of any circuit block can communicate with the rest of the circuit only through external signal transitions. It is to be noted that in general the set of external signals of a circuit block is a subset of the external signals of the circuit; i.e., $X^{E,i}_C \cup Z^{E,i}_C \subseteq E_C$. Thus some signals in $E_C$ may be neither an input nor an output of a given circuit block.

Example 3.1 Figure 3.1 shows three different partitions of a four-stage FIFO controller. For Figure 3.1(a), $E_1 = \{r_0, a_0\}$; for Figure 3.1(b), $E_2 = \{a_1, a_2\}$; and for Figure 3.1(c), $E_3 = \{r_0, a_0, a_3, a_4\}$. $E_2$, for example, partitions the circuit into two blocks, a left block $M^{E,1}_C$ and a right block $M^{E,2}_C$. Thus we have $H^{E,1}_C = \{r_0, a_0\}$ and $A^{E,1}_C = \{r_0, a_0, a_1, a_2\}$. Note that a circuit block may not have any hidden signals, as is the case with the left circuit block induced by $E_1$. ■

Fig. 3.1 Three different partitions of the four-stage FIFO controller: (a) by $E_1$, (b) by $E_2$, (c) by $E_3$.

3.2 Safe Abstractions and Sub-circuits of a Circuit

In this section we define our notion of the sub-circuits of a circuit. This notion is defined only in association with a safe abstraction of the behavior of the circuit over a selected set of its signals.
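The partition of Definition 3.1 is a connected-components computation: modules are nodes, and an edge joins two modules that share a hidden signal. The following Python program, an added illustration and not code from the thesis, builds the circuit blocks for a constructed closed ring of six buffer modules (this netlist is an assumption chosen for the example; it is not the FIFO controller of Figure 3.1). It computes $R^{E*}_C$ with union-find, derives $X^{E,i}_C$, $Z^{E,i}_C$, $H^{E,i}_C$ and $A^{E,i}_C$ for each block, and checks the property stated after the definition, namely that modules in different blocks share external signals only.

```python
"""Circuit blocks induced by a set of external signals (Definition 3.1).
Added illustration; the netlist is a constructed ring of buffer modules,
not the FIFO controller of Figure 3.1."""

# Each module is (inputs X^j, outputs Z^j).  L and R stand for the two
# halves of the environment, so the circuit is closed; a0..a5 are its signals.
MODULES = {
    "L":  ({"a5"}, {"a0"}),
    "S1": ({"a0"}, {"a1"}),
    "S2": ({"a1"}, {"a2"}),
    "S3": ({"a2"}, {"a3"}),
    "S4": ({"a3"}, {"a4"}),
    "R":  ({"a4"}, {"a5"}),
}


def module_signals(modules, m):
    """A^j = X^j union Z^j: all I/O signals of module m."""
    return modules[m][0] | modules[m][1]


def circuit_blocks(modules, external):
    """Equivalence classes of the transitive closure of R_E, where two
    modules are related iff they share a hidden (non-external) signal.
    Union-find computes the closure; returns sorted lists of module names."""
    ext = set(external)
    parent = {m: m for m in modules}

    def find(m):
        while parent[m] != m:
            parent[m] = parent[parent[m]]   # path halving
            m = parent[m]
        return m

    names = sorted(modules)
    for i, m in enumerate(names):
        for n in names[i + 1:]:
            shared = module_signals(modules, m) & module_signals(modules, n)
            if shared - ext:                # a common hidden signal
                parent[find(m)] = find(n)
    classes = {}
    for m in names:
        classes.setdefault(find(m), []).append(m)
    return sorted(sorted(c) for c in classes.values())


def block_signals(modules, external, block):
    """External inputs X, external outputs Z, hidden signals H and the
    signal set A of one circuit block."""
    ext = set(external)
    ins = set().union(*(modules[m][0] for m in block))
    outs = set().union(*(modules[m][1] for m in block))
    x, z, h = ins & ext, outs & ext, (ins | outs) - ext
    return {"X": x, "Z": z, "H": h, "A": x | z | h}


def crosses_only_external(modules, external, blocks):
    """Modules in different blocks may share external signals only."""
    ext = set(external)
    for i, b1 in enumerate(blocks):
        for b2 in blocks[i + 1:]:
            for m in b1:
                for n in b2:
                    shared = module_signals(modules, m) & module_signals(modules, n)
                    if shared - ext:
                        return False
    return True


if __name__ == "__main__":
    for ext in ({"a2", "a5"}, {"a2"}):
        blocks = circuit_blocks(MODULES, ext)
        print(f"E = {sorted(ext)} -> {len(blocks)} block(s)")
        for b in blocks:
            print("  ", b, block_signals(MODULES, ext, b))
```

With $E = \{a_2, a_5\}$ the ring splits into the blocks $\{L, S1, S2\}$ and $\{R, S3, S4\}$; with $E = \{a_2\}$ alone, $L$ and $R$ are still joined through the hidden signal $a_5$, so the whole circuit is a single block. This is the point made in the text: the cut has to be carried entirely by external signals.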
A sub-circuit of such a circuit is the closed circuit composed of a circuit block and its abstract environment module, where the environment module of a circuit block is the mirror of a safe specification of the circuit block, and a safe specification is in turn obtained from the safe abstraction of the circuit. We show in the next section how the failure-freedom of a circuit is related to the failure-freedom of its sub-circuits.

3.2.1 Environment Module of a Circuit Block

Let $C = (M_C, A_C, V_C, G_C, FA_C)$ be a circuit and $B_C$ be its behavior. Let $W_C \subseteq V_C$, $E_C = A_C \cap W_C$, and let $FA^W_C = (E_C, W_C, Q^W_C, \lambda^W_C, TR^W_C, \mu^W_C, q^W_0)$ be an automaton whose behavior $B^W_C$ is a safe abstraction of $B_C$ over $W_C$ (thus $W_C$ is observationally sufficient for $B_C$). We call $W_C$ the set of external variables, $E_C$ the corresponding set of external signals, and $W_C - E_C$ the set of external state variables. Let $M^{E,1}_C, \dots, M^{E,r_E}_C$ be the set of circuit blocks of $C$ as it is partitioned by the set of signals $E_C$. The safe abstraction $B^W_C$, which is an approximation of the behavior of the circuit variables $W_C$, specifies for each circuit block $M^{E,i}_C$ how its I/O signals interact with each other and (possibly) with other external circuit variables.

Definition 3.2 [Safe specifications, and safe specification sets] Let $C = (M_C, A_C, V_C, G_C, FA_C)$ be any circuit for which there exists a behavior $B^W_C$ that is a safe abstraction of $B_C$ over some $W_C \subseteq V_C$, and $E_C = A_C \cap W_C$. Let $M^{E,i}_C$ be any circuit block of $C$ induced by $E_C$. Let $V^{W,i}_C \subseteq W_C$ be any set of circuit variables satisfying the following conditions:
• $X^{E,i}_C \subseteq V^{W,i}_C$; i.e., $V^{W,i}_C$ includes all external inputs of circuit block $M^{E,i}_C$;
• $Z^{E,i}_C \subseteq V^{W,i}_C$; i.e., $V^{W,i}_C$ includes all external outputs of circuit block $M^{E,i}_C$;
• the collapsed automaton of $FA^W_C$ onto $V^{W,i}_C$, which we denote by $\widehat{FA}^{W,i}_C = (A^{W,i}_C, V^{W,i}_C, \widehat{Q}^{W,i}_C, \widehat{\lambda}^{W,i}_C, \widehat{TR}^{W,i}_C, \widehat{\mu}^{W,i}_C, \widehat{q}^{W,i}_0)$, is a projection automaton.
We then define a new automaton $FA^{W,i}_C = (A^{W,i}_C, V^{W,i}_C, Q^{W,i}_C, \lambda^{W,i}_C, TR^{W,i}_C, \mu^{W,i}_C, q^{W,i}_0)$ by applying the following modification to $\widehat{FA}^{W,i}_C$:
• for any $a \in Z^{E,i}_C$ and $q \in \widehat{Q}^{W,i}_C$, if there exists no $q' \in \widehat{Q}^{W,i}_C$ such that $(q, a, q') \in \widehat{TR}^{W,i}_C$, then (a) add the state transition $(q, a, q')$ to $TR^{W,i}_C$, where the state $q'$ (which is added to $Q^{W,i}_C$) is such that $\lambda^{W,i}_C(q)(a) = \widehat{\lambda}^{W,i}_C(q)(a) \neq \lambda^{W,i}_C(q')(a)$ and, for all other $b \in V^{W,i}_C$, $b \neq a$, $\lambda^{W,i}_C(q)(b) = \widehat{\lambda}^{W,i}_C(q)(b) = \lambda^{W,i}_C(q')(b)$; and (b) let $\mu^{W,i}_C(q, a) = F$.
Then we say that $B^{W,i}_C$, the behavior of automaton $FA^{W,i}_C$, is a safe specification for circuit block $M^{E,i}_C$, derived from the safe abstraction $B^W_C$. We call $X^{E,i}_C$ the set of inputs of the safe specification, and $Z^{E,i}_C$ the set of outputs of the safe specification. We also call the (non-empty) set of all possible safe specifications of $M^{E,i}_C$ the safe specification set of $M^{E,i}_C$, and denote it by $\mathcal{B}^{W,i}_C$. ■

Note that while the automaton $FA^W_C$, and hence $\widehat{FA}^{W,i}_C$, is failure-free, $FA^{W,i}_C$ is not, and contains newly introduced failure state transitions. Specifically, the failure state transitions introduced into the safe specification of $M^{E,i}_C$ imply that for $M^{E,i}_C$ to be failure-free, it must not produce any output transition that is not originally present in the safe abstraction $B^W_C$. Since $FA^W_C$, and hence $\widehat{FA}^{W,i}_C$, does not originally include those failure transitions, and the behavior of those automata beyond such unexpected failure transitions is not specified, we had to furnish $FA^{W,i}_C$ with that information. In doing so, we simply specify the state entered immediately after a failure transition to be one which differs from the preceding state only in the value of the changed output signal. These modifications introduce new traces into the behavior of $FA^{W,i}_C$ compared to that of $\widehat{FA}^{W,i}_C$. However, all the newly introduced traces are failure traces, and their failure-free prefixes are already in the behavior of $\widehat{FA}^{W,i}_C$ (see Lemma 3.8 in the formal proof section of this chapter).

The definition of a safe specification of a circuit block implies that a circuit block can potentially have many safe specifications, as long as the alphabets of their automata satisfy the indicated conditions. It also implies that $B^W_C$ is itself a safe specification for any circuit block it induces. Although $B^W_C$ can always be used as a safe specification for any circuit block, reducing it to smaller safe specifications by projecting its automaton will often speed up the overall hierarchical verification process.

Example 3.2 Figure 3.2(a) depicts a four-stage FIFO controller that is partitioned into two circuit blocks by the set of external signals $E = \{a_1, a_2\}$ (Figure 3.2(b)). Figure 3.2(c) depicts the state diagram of a safe abstraction of the circuit behavior over $E$. As indicated in Figure 3.2(d), the safe abstraction is used to derive safe specifications for each of the two circuit blocks. While the signals of the safe abstraction have no input/output attribute, an explicit distinction is made between the input and output signals of each of the two safe specifications. In this example, the graph of the automaton of each safe specification contains that of the safe abstraction (here the safe abstraction itself, and not a projection of it, is used to derive the safe specifications). However, each safe specification also has additional transitions identifying unspecified output transitions, i.e., any output transition that is not present in the safe abstraction. Such illegal output transitions are depicted with dotted arrows. ■

Fig. 3.2 Deriving safe specifications for circuit blocks from a safe abstraction: (a) a four-stage FIFO controller in an abstract environment, (b) the circuit partitioned by $E = \{a_1, a_2\}$ into Block 1 and Block 2, (c) a safe abstraction, (d) safe specifications, (e) the corresponding circuit blocks.

Definition 3.3 [Environment module] Let $C = (M_C, A_C, V_C, G_C, FA_C)$ be any circuit for which there exists a behavior $B^W_C$ that is a safe abstraction of $B_C$ over some $W_C \subseteq V_C$, and $E_C = A_C \cap W_C$. Let $M^{E,i}_C$ be any circuit block of $C$ induced by $E_C$, and let $B^{W,i}_C$ be any safe specification for $M^{E,i}_C$. Finally, let $A^{W,i}_C \subseteq V^{W,i}_C$ be the subset of $V^{W,i}_C$ consisting of circuit signals only and no state variables. Then the environment module $M^{W,i}_C = (X^{W,i}_C, Z^{W,i}_C, Y^{W,i}_C, FA^{W,i}_C)$ of $M^{E,i}_C$ corresponding to $B^{W,i}_C$ is defined as follows:
• $X^{W,i}_C = Z^{E,i}_C$;
• $Z^{W,i}_C = A^{W,i}_C - Z^{E,i}_C$;
• $Y^{W,i}_C = V^{W,i}_C - A^{W,i}_C$;
• its automaton is $FA^{W,i}_C$, the automaton of the safe specification.
$M^{W,i}_C$ is in fact a virtual circuit module abstracting the environment of circuit block $M^{E,i}_C$. ■

It is easy to verify that (a) the input signals of the environment module are exactly the external output signals of the circuit block, (b) the output signals of the environment module include all the external input signals of the circuit block, and possibly some additional signals from $E_C$, and (c) the state variables of the environment module are a subset of the circuit's external state variables. Since an environment module of a circuit block is defined based on a safe specification of the circuit block, a circuit block $M^{E,i}_C$ may have many possible environment modules, each corresponding to a different element of $\mathcal{B}^{W,i}_C$. The safe specifications of a circuit block (and thus the corresponding environment modules) may differ in the size of their representation (e.g., automaton size), which is generally a monotonically increasing function of the number of automaton variables.
In our framework, although the safe specifications of a circuit block are all equivalent in terms of their utility for hierarchical verification, we prefer the ones with smaller representations over the others.

The environment module $M^{W,i}_C$ of $M^{E,i}_C$ defined above is in fact the mirror of the safe specification $B^{W,i}_C$ derived from the safe abstraction $B^W_C$ [27]. As indicated in the definition of $M^{W,i}_C$, its set of input signals is exactly the set of output signals of the safe specification; its set of output signals includes the set of input signals of the safe specification; its set of internal state variables consists of all the state variables of the safe specification; and its automaton is the same as the automaton of the safe specification. Thus not only have the roles of inputs and outputs changed from the safe specification to the environment module, but also the failure state transitions of the safe specification, which corresponded to unexpected output transitions of the circuit block, are mapped to illegal input transitions (input chokes) of the environment module. These changes exactly characterize a mirroring procedure. We need to emphasize that the environment modules of the circuit blocks of a circuit are defined only given a safe abstraction of the circuit behavior over the (observationally sufficient) set of external variables $W_C$.

Fig. 3.3 Deriving safe specifications for circuit blocks from a safe abstraction: (a) a safe abstraction, (b) automata of the environment modules, (c) environment modules.

Example 3.3 An example of deriving environment modules for the circuit blocks of a partitioned circuit from their safe specifications is shown in Figure 3.3. Each environment module is simply the mirror of the corresponding safe specification of Figure 3.2.
Thus, unexpected output transitions of each safe specification are translated into illegal input transitions at the corresponding environment module. In this example, the automaton of the environment module of the upper circuit block turns out to be isomorphic to the automaton of a buffer, and that of the lower circuit block turns out to be isomorphic to the automaton of an inverter. ■

3.2.2 Sub-circuits

In this section we show how a circuit block together with its environment module creates a sub-circuit of the original circuit.

Definition 3.4 [Sub-circuit] Let $C$ be a circuit and $W_C \subseteq V_C$, $E_C = A_C \cap W_C$, and let $FA^W_C = (E_C, W_C, Q^W_C, \lambda^W_C, TR^W_C, \mu^W_C, q^W_0)$ be an automaton whose behavior $B^W_C$ is a safe abstraction of $B_C$ over $W_C$ (thus $W_C$ is observationally sufficient for $B_C$). We then call $W_C$ and $E_C$ the set of external variables and the set of external signals of $C$, respectively. Let $M^{E,1}_C, \dots, M^{E,r_E}_C$ be the set of circuit blocks of $C$. For any circuit block $M^{E,i}_C$, with $|M^{E,i}_C| = n^{E,i}_C$, and any environment module $M^{W,i}_C$ of it, we can devise a sub-circuit $C^{E,i}_C = C' = (M_{C'}, A_{C'}, V_{C'}, G_{C'}, FA_{C'})$ as follows:
• $M_{C'} = M^{E,i}_C \cup \{M^{W,i}_C\}$;
• $A_{C'} = A^{E,i}_C \cup A^{W,i}_C$;
• $V_{C'} = V^{E,i}_C \cup V^{W,i}_C$;
• $G_{C'} = (N_{C'}, K_{C'})$ is such that
  • $N_{C'} = \{N^1, \dots, N^{n^{E,i}_C + 1}\}$, where $N^j$ is representative of circuit module $M^j \in M_{C'}$;
  • $K_{C'} = \{(z^j_k, x^h_l) \in K_C \mid M^j, M^h \in M^{E,i}_C\} \cup \{(z^w_k, x^h_l) \mid M^h \in M^{E,i}_C,\ z^w_k = x^h_l\} \cup \{(z^j_k, x^w_l) \mid M^j \in M^{E,i}_C,\ z^j_k = x^w_l\}$, where the signals of $M^{W,i}_C$ are identified by the index $w$;
• $FA_{C'} = (A_{C'}, V_{C'}, Q_{C'}, \lambda_{C'}, TR_{C'}, \mu_{C'}, q^{C'}_0)$ is the composition of the automata $FA^1, \dots, FA^{n^{E,i}_C}, FA^{W,i}_C$. ■

Thus, informally speaking, sub-circuit $C^{E,i}_C$ is devised by cutting circuit block $M^{E,i}_C$ out of $C$ and connecting it to environment module $M^{W,i}_C$ accordingly.

We note that (a) since the circuit modules of circuit block $M^{E,i}_C$ also belong to circuit $C$, they are all initial-state-compatible, and (b) since $B^{W,i}_C$, derived from $B^W_C$ by projecting its automaton, is a safe specification, the initial state of $FA^{W,i}_C$ is compatible with the initial state of $C$, and therefore with that of all circuit modules in $M^{E,i}_C$. The initial-state-compatibility of all circuit modules of $C^{E,i}_C$ guarantees that the circuit automaton $FA_{C'}$ is well-defined.

Example 3.4 Figure 3.4(a) depicts the four-stage FIFO controller of Figure 3.2, which is partitioned into two circuit blocks by the set of external signals $E = \{a_1, a_2\}$. As mentioned in Example 3.3, the environment module of the left circuit block has the automaton of a buffer, while that of the right circuit block has the automaton of an inverter (recall that in deriving those specifications from the safe abstraction, no projection was performed). The combination of each circuit block and its environment module defines a sub-circuit, as shown in Figure 3.4(d). ■

Fig. 3.4 A four-stage FIFO controller and its sub-circuits: (a) a four-stage FIFO controller in an abstract environment, (b) the partitioned circuit, (c) a safe abstraction, (d) the derived sub-circuits.

We have shown how, given a safe abstraction $B^W_C$ of the behavior of a circuit $C$ over a set of observationally sufficient variables $W_C$, the sub-circuits of the circuit can be constructed. In our hierarchical verification framework, the original circuit is said to be at the 1st level of the hierarchy, while its sub-circuits are said to be at the 2nd level. Given a safe abstraction of the behavior of circuit $C^{E,i}_C$ over a corresponding set of variables $W_{C^{E,i}_C}$, the sub-circuits of $C^{E,i}_C$ can be constructed in the same way.
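The three constructions of this section, the safe specification of Definition 3.2, its mirror as an environment module (Definition 3.3) and the closed sub-circuit of Definition 3.4, can be exercised end to end on a small instance. The Python program below is an added illustration, not the thesis's own code or figures: it assumes a constructed safe abstraction over $E = \{a_1, a_2\}$ (the four-state handshake cycle $a_1+, a_2+, a_1-, a_2-$), a constructed block whose two modules are gates with a hidden signal $x$, and the usual speed-independence failure notions (a gate output that is enabled and then disabled before firing, or an environment input transition that lands on a failure transition, i.e. a choke). `safe_specification` adds the failure transitions of Definition 3.2, `environment_module` mirrors the result, and `verify_subcircuit` composes block and environment and searches the reachable states for a failure.

```python
"""Safe specification (Definition 3.2), its mirror as an environment module
(Definition 3.3) and a failure check of the resulting sub-circuit
(Definition 3.4).  Added illustration: the safe abstraction and the
gate-level blocks below are constructed, not the thesis's Figures 3.2/3.4."""

# Constructed safe abstraction over E = {a1, a2}: a four-state handshake
# cycle a1+, a2+, a1-, a2-.  States are labelled by the values of (a1, a2);
# ABS_EDGES maps (state, signal) -> next state.
ABS_LABEL = {0: {"a1": 0, "a2": 0}, 1: {"a1": 1, "a2": 0},
             2: {"a1": 1, "a2": 1}, 3: {"a1": 0, "a2": 1}}
ABS_EDGES = {(0, "a1"): 1, (1, "a2"): 2, (2, "a1"): 3, (3, "a2"): 0}


def safe_specification(label, edges, outputs):
    """For every state q and block output a without an outgoing q -a-> q',
    add a failure transition to a fresh state q' that differs from q only
    in the value of a.  Returns (label, edges, fail); fail[(q, a)] marks
    the added transitions (mu(q, a) = F)."""
    label = {q: dict(v) for q, v in label.items()}
    edges = dict(edges)
    fail = {key: False for key in edges}
    fresh = max(label) + 1
    for q in sorted(label):               # original states only
        for a in sorted(outputs):
            if (q, a) not in edges:
                label[fresh] = dict(label[q])
                label[fresh][a] ^= 1      # only a changes
                edges[(q, a)] = fresh
                fail[(q, a)] = True
                fresh += 1
    return label, edges, fail


def environment_module(spec, block_inputs, block_outputs):
    """Mirror of a safe specification: the environment's inputs are the
    block's external outputs, its outputs the block's external inputs, and
    the automaton is unchanged, so the specification's failure transitions
    become input chokes of the environment."""
    label, edges, fail = spec
    return {"inputs": set(block_outputs), "outputs": set(block_inputs),
            "label": label, "edges": edges, "fail": fail}


# Circuit block as gates: output signal -> (input signals, boolean function).
# BLOCK_OK buffers a1 through the hidden signal x to a2; BLOCK_BAD inverts
# the second stage and so raises a2 before the environment expects it.
BLOCK_OK = {"x": (("a1",), lambda a1: a1), "a2": (("x",), lambda x: x)}
BLOCK_BAD = {"x": (("a1",), lambda a1: a1), "a2": (("x",), lambda x: 1 - x)}
INIT = {"a1": 0, "x": 0, "a2": 0}

SPEC = safe_specification(ABS_LABEL, ABS_EDGES, outputs={"a2"})
ENV = environment_module(SPEC, block_inputs={"a1"}, block_outputs={"a2"})


def enabled(gates, vals):
    """Gate outputs whose function disagrees with the current value."""
    return {out for out, (ins, f) in gates.items()
            if f(*(vals[i] for i in ins)) != vals[out]}


def verify_subcircuit(gates, env, init_vals, init_q=0):
    """Explore the closed sub-circuit (block gates + environment automaton)
    and return a failure description, or None if it is failure-free.
    A failure is a gate hazard (an enabled output disabled before firing)
    or a choke (the block drives an environment input along a failure
    transition, i.e. an output transition absent from the abstraction)."""
    start = (tuple(sorted(init_vals.items())), init_q)
    seen, todo = {start}, [start]
    while todo:
        vals_t, q = todo.pop()
        vals = dict(vals_t)
        en = enabled(gates, vals)
        env_out = {a for (s, a) in env["edges"] if s == q and a in env["outputs"]}
        for sig in sorted(en | env_out):
            nvals, nq = dict(vals), q
            nvals[sig] ^= 1
            if sig in env["inputs"] or sig in env["outputs"]:
                if env["fail"][(q, sig)]:
                    return f"choke: {sig} not expected in env state {q}"
                nq = env["edges"][(q, sig)]
            lost = (en - {sig}) - enabled(gates, nvals)
            if lost:
                return f"hazard: {sorted(lost)} disabled by {sig}"
            nxt = (tuple(sorted(nvals.items())), nq)
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return None


if __name__ == "__main__":
    print("failure transitions added:",
          sorted(k for k, v in SPEC[2].items() if v))
    print("BLOCK_OK :", verify_subcircuit(BLOCK_OK, ENV, INIT))
    print("BLOCK_BAD:", verify_subcircuit(BLOCK_BAD, ENV, INIT))
```

For the block with output $a_2$, the specification gains failure transitions exactly at the two abstraction states where $a_2$ is not allowed to change, states 0 and 2. The buffer block cycles through six reachable states without a failure, whereas the inverting block fires $a_2$ in environment state 0, lands on one of the added transitions and is reported as a choke: by Theorem 3.1 below, that sub-circuit failure is evidence that the containing circuit is not failure-free.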
The $j$th sub-circuit of $C^{E,i}_C$ is thus denoted by $C^{E,i,j}_C$. This procedure can be repeated up to any finite level of the hierarchy at which the size of a sub-circuit is small enough for the purpose of flat verification. The relationship between the verification of a circuit and that of its sub-circuits is the topic of the following section.

3.3 Circuit Failure-freedom and Sub-circuits' Failure-freedom

In this section we present the key result which is the basis of our framework for hierarchical verification of speed-independent circuits and systems. We show how the problem of verifying the failure-freedom of a circuit can be recursively broken into a collection of smaller problems of verifying the failure-freedom of the sub-circuits of the circuit. Since verification of failure-freedom has a computational complexity that is worst-case exponential in the number of circuit variables, such hierarchical approaches, which are basically divide-and-conquer techniques, can significantly speed up the verification process. The two theorems of this section collectively state that if there exists a safe abstraction of the behavior of a circuit over a set of external variables, then the circuit is failure-free iff all of its corresponding sub-circuits are failure-free. For the purpose of clarity, we first present each theorem, its implications, and some intuition behind its proof. We then present a more comprehensive sketch of the proofs of the two theorems for the interested reader.

Theorem 3.1 [Circuit versus sub-circuit failure-freedom, I] Let $C = (M_C, A_C, V_C, G_C, FA_C)$ be any circuit for which there exists a behavior $B^W_C$ that is a safe abstraction of $B_C$ over some $W_C \subseteq V_C$, and $E_C = A_C \cap W_C$. Then, if any sub-circuit $C^{E,i}_C$ is not failure-free, $C$ is not failure-free. ■
The above theorem states that a negative verification result for any sub-circuit of a circuit is always indicative of a failure of the circuit itself. Thus, verifying the failure-freedom of a circuit by way of verifying its sub-circuits can never generate a false negative result. The intuition behind the proof of this theorem is as follows. A sub-circuit failure is an illegal input signal transition either at some ordinary circuit module of the corresponding circuit block (e.g., a hazard), or at the environment module (i.e., an input choke to the environment module, or equivalently, an output transition unexpected by the safe specification of the corresponding circuit block). However, (a) any failure at an ordinary circuit module of the sub-circuit is guaranteed to be identically present in the original circuit; this is true since a sub-circuit is actually a circuit block operated in an abstract environment that is never an over-approximation of the actual environment of the circuit block, and (b) any input choke to the environment module of the sub-circuit indicates that the safe abstraction from which the environment module is derived is an under-approximation; however, by definition of a safe abstraction, this can be true only if the original circuit was not failure-free. Thus, any sub-circuit failure is always indicative of some circuit failure.

Theorem 3.2 [Circuit versus sub-circuit failure-freedom, II] Let $C = (M_C, A_C, V_C, G_C, FA_C)$ be any circuit for which there exists a behavior $B^W_C$ that is a safe abstraction of $B_C$ over some $W_C \subseteq V_C$, and $E_C = A_C \cap W_C$. If all sub-circuits $C^{E,1}_C, \dots, C^{E,r_E}_C$ are failure-free, then $C$ itself is failure-free. ■

The above theorem states that positive verification results for all sub-circuits are always indicative of the failure-freedom of the circuit itself.
Thus, verifying the failure-freedom of a circuit by way of verifying its sub-circuits can never generate a false positive result. The intuition behind the proof of this theorem is as follows. A circuit failure is an illegal signal transition at the input of some circuit module (a driven module), generated by another circuit module (a driving module). This failing signal is either an external signal or an internal signal of the circuit. If the failing signal is external, then its failing transition is either captured in the safe abstraction or it is not. If a failing external signal transition is captured in the safe abstraction, then an identical failure must have manifested itself in the sub-circuit containing the driven module. If a failing external signal transition is not captured in the safe abstraction, then the under-approximated behavior of the driving module would have manifested itself as a choke to the environment module of the sub-circuit containing the driving module. Thus, any circuit failure on an external signal is guaranteed to be captured as a failure in some sub-circuit. On the other hand, if the failing signal is an internal circuit signal, then an identical failure would have manifested itself in the sub-circuit containing the driven (and the driving) circuit module, provided that the specification of the corresponding circuit block is exact; thus, any circuit failure on an internal signal is also guaranteed to be captured as a failure in some sub-circuit. Hence, if all sub-circuits are verified as failure-free, then the circuit must have been failure-free itself.

Before we present our proofs of Theorems 3.1 and 3.2, we would like to further emphasize the dual role of the external variables in our verification framework; i.e., (a) being the set of variables whose behavior is approximated by a safe abstraction, and (b) containing the set of external signals that partition the circuit into circuit blocks. As indicated by the two theorems of this section, for any circuit which has a safe abstraction over a set of external circuit variables, there exists a particular relationship between the failure-freedom of the circuit and that of its induced sub-circuits. We are specifically interested in this relationship because it is the foundation of our hierarchical verification framework. Here we would like to show that the relationship of our interest does not generally exist if the set of circuit blocks is arbitrary.

We define an arbitrary circuit block as any subset of circuit modules. We also define an arbitrary set of circuit blocks to be any set of arbitrary circuit blocks. The input and output signals of the circuit blocks of an arbitrary set are defined as follows: any signal that is driven by a circuit module in one circuit block and drives a circuit module in another circuit block is an output of the first circuit block and an input of the second circuit block. Consider Figure 3.5, which depicts two overlapping arbitrary circuit blocks $CB_1$ and $CB_2$. Assume that signal $a$ is driven by the common portion of $CB_1$ and $CB_2$, and drives modules in each of $CB_1$ and $CB_2$. Our definition of input signals, given above, would not label $a$ as an input signal of either $CB_1$ or $CB_2$, since $a$ is actually driven from within both circuit blocks. On the other hand, for $a$ to be labeled as an output signal of either of the two circuit blocks, $a$ has to be an input signal of a third circuit block; in such a case, $a$ would be an output of both $CB_1$ and $CB_2$.

Fig. 3.5 Two overlapping arbitrary circuit blocks $CB_1$ and $CB_2$.

Next, we describe a set of necessary conditions that an arbitrary set of circuit blocks has to satisfy before their failure-freedom can have any significant relationship to that of the circuit.
(i) An arbitrary set of circuit blocks must be a covering set for the circuit modules; i.e., each circuit module must belong to at least one arbitrary circuit block. This constraint guarantees that verification of a circuit by means of verifying its sub-circuits is inclusive, and that there is no circuit module which is not verified within any sub-circuit.
(ii) The input signals of any arbitrary circuit block must all be external. This constraint guarantees that the environment module of the circuit block, which is obtained from the safe abstraction and thus lacks direct information regarding the behavior of internal signals, can appropriately drive all inputs of the circuit block. Since the input signals of a circuit block are output signals of other circuit blocks, this constraint also implies that the output signals of any arbitrary circuit block must all be external.
(iii) If two circuit blocks overlap, then any signal which is driven by a module common to the two circuit blocks has to be external. This constraint avoids a particular problem that is illustrated in Figure 3.6.

Fig. 3.6 Overlapping arbitrary blocks with a non-external common signal.

Figure 3.6 depicts two overlapping arbitrary circuit blocks $CB_1$ and $CB_2$. Assume that $b$ and $c$ are (external) output signals of $CB_1$ and $CB_2$, respectively, and that $a$ is an internal signal driven by a circuit module in the common portion of the two circuit blocks. Moreover, assume that the only sequence of transitions that can possibly occur on the signals $a$, $b$, and $c$ in the original circuit is $c+, a+, b+, a-, b-, c-$, such that $c+$ is required for $a+$, $a+$ is required for $b+$, and $b+$ is required for $a-$. Assume that the circuit is failure-free and that there exists a safe abstraction over the set of its external signals (note that $b$ and $c$ belong to the set of external signals, but $a$ does not). Such a safe abstraction would have the sequence of transitions $c+, b+, b-, c-$. This new sequence lacks any information about the relative order of the transitions on signal $a$ with respect to those of signals $b$ and $c$. As an example, this sequence suggests that $CB_1$ (acting as the environment module of $CB_2$) can produce a $b+$ transition right after a $c+$ transition is produced by $CB_2$. Thus, in the sub-circuit which is the composition of $CB_2$ and its environment module, a $c+$ would enable not only $a+$ (through $CB_2$) but also $b+$ (through the environment module); however, if $b+$ occurs before $a+$, it would enable $a-$ (through $CB_2$), which is equivalent to disabling the $a+$ which was already enabled by $c+$. In other words, in the sub-circuit associated with $CB_2$, signal $a$ can become enabled and then disabled without having a chance to fire. This situation will be detected as a failure in that sub-circuit, while the original circuit was in fact failure-free. In such a case, taking the sub-circuit failure as an indication of a circuit failure would generate nothing but a false negative verification result. In general, overlapping pairs of arbitrary circuit blocks that have non-external common signals do not always satisfy the particular conditions of the example of Figure 3.6 which led to the false negative verification result. However, by disallowing non-external common signals altogether, the possibility of generating such false negative verification results is removed.
It can easily be seen that any set of circuit blocks created by partitioning a circuit by a set of external signals happens to satisfy our indicated set of necessary conditions. As proved next, such circuit blocks, together with the safe abstraction over the set of external variables, define sub-circuits whose failure properties do in fact relate to that of the circuit in the ways suggested by Theorems 3.1 and 3.2. 3.4 Formal Proofs We present our proofs of Theorems 3.1 and 3.2 by first introducing some lemmas and corollaries which are used in the proofs. Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 89 Lemma 3.3 [Projection of safe specifications] Let C - (M c, Ac, Vc, Gc, FA0) be any circuit for which there exists a behavior Bwc that is a safe abstraction of Bc over some Wc Q Vc , and Ec = Ac n Wc . Let Af j? ( be any circuit block of C induced by Ec , and Bw, ( be a safe specification of A f£f . Then Proj(Vw,i)(BwC) and FF(Bw,i) = Proj{V$j){B wc) . ■ Proof (Sketch) FAw,/--the automaton of 5 ^ , - is obtained from FA jj'/ -th e projection of automaton FAwC onto Vw, , -b y solely introducing new failure state transitions, which in turn introduce new failure traces into behavior Bw, < • Thus, we have B$c Q&w ; and FF(Bw /) = Boc ■ On the other hand, by definition of an V W .i * 1 y W .i automaton projection we know that fljjc, = Proj{Vw,i)(BwC). It then follows that F F ( B ^ i) = Proj(V&ti)(BwC).m Lemma 3.4 [Under approximation of the I/O behavior of a circuit block] Let C = (M c, A c, Vc, Gc, FA°) be any circuit for which there exists a behavior B wc that is a safe abstraction of Bc over some Wc Q Vc , and Ec = Ac n Wc . Let Af £ f be a circuit block of C, and Mw,i be its environment module. Then Proj(A&t i)(Bwc) £ P r o j M , i)(Bc ) . m Proof (Sketch) Since Bwc is a safe abstraction of Bc over Wc £ Vc , we have B wcQProj(W c )(Bc ), (1) and by applying function Proj(.)(.) 
to both sides of relation (1) we have Proj(A&, i)(BwC) C Proj(Aw, iKProji WC)(BC) ) . (2) Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 90 However, by Lemma 2.1 we have Proj(Aw, i)(Proj(Wc )(Bc )) = Proj(A&j)(Bc ) . (3) From (2) and (3) we conclude that P roj(A ^ i ) ( B wc) C Proj{Afc,, ) (BC) . ■ (4) Lemma 3.5 [Properties of traces captured in a safe specification] Let C = (M c , A c, Vc, Gc, FA°) be any circuit for which there exists a behavior Bwc that is a safe abstraction of Bc over some Wc c; Vc , and Ec = A c n Wc . Let C' = C £ , be any sub-circuit of C , and t e Bc be any trace for which there exists t^w.i e gC . such that Proj(Vwj)(t) - . Then Proj(Vc )(t)e Bc . Moreover, if t' 6 Bc is any trace such that Proj(Vw,/)(O = , then t' e Proj(Vc )(Bc ) , Informally speaking, Lemma 3.5 states that if a circuit trace t is successfully abstracted within the safe specification of circuit block Mfj , ■ (i.e. by trace t ^*-<), then not only (the projection of) trace t will be (locally) present in sub-circuit C = C £ ( , but also any other trace t' of sub-circuit C' that adheres to trace -an d thus to t - will be (globally) present in circuit C. ■ Proof (Sketch) We know that the I/O signals of circuit block M£ ( (corresponding to sub-circuit C £ i ) via which A/£ ( interacts with its actual environment (i.e., the rest of the circuit) are all external signals; that is, (5) Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 91 where Ec c Wc is the set of external circuit signals. 
We also know that A{£ , the I/O signals of environment module Mw, / via which Mw, / interacts with circuit block , are all external signals, and in particular In equation (9), P roj(X g , u Z £ corresponds to a sequence of transitions on the I/O signals of circuit block A /£, when it is operating within its actual environment, circuit C; equivalently, Proj(Xg f u Z £ i)(al) is a sequence of I/O signal transitions of the actual environment of circuit block M g f . On the other hand Proj(Xg f u Z £ i)(a‘v) corresponds to a sequence of I/O signal transitions of the safe specification of circuit block Mg f -By/ ,; equivalently, Proj{Xg f u Zg i)(alv) is a sequence of I/O signal transitions of the abstract environment of circuit block By a similar argument, if t' e Bc is such that Proj(Vwt ,)(r') = ‘ then we have (* £ fU Zii)QA^iQECQWC. (6) (7) From (7) and Proj(Vw ,)(r) = t ^"-‘, and by using Lemma 2.1 we have Proj(Xg j u Zg ;)(t) = P r o j i X g ^ Z g ^ ) (8) Let a' and alv be the strings associated with traces t e Bc and t ^ - 1 e B w j, respectively. Then from (8) we have P rojiX g^ Z g ^ a ') = P rojiX g^ Z g^ a" ). (9) Proj(X% f u Z £ f)(r') = P r o j i X g ^ Z g , ) ^ ) , (10) Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. 92 and if we let a*' be the string associiited with trace t' e Bc then from (10) we have ProjiXg , u Z g ,)( a 0 = Proj(Xg . u Z g f .)( a ^ ). (11) In equation (11), Proj(X% f u Z g , )( a ') corresponds to a sequence of transitions on the I/O signals of circuit block M g ( when it is operating within its abstract environment, M g /; equivalently, Proj(X% f u Z g ,)( a ') is a sequence of I/O signal transitions of the abstract environment of circuit block M g ( , as also confirmed by the right side of equation (11). From equations (9) and (11) we conclude that Proj(Xg u Z g f)(fl0 = Proj(X g u Z g f) ( a ') . 
(12)
Now, consider circuit block $M_{E_C,i}$ interacting via its (all external) I/O signals with (a) its actual environment, and (b) its abstract environment $M_{W,i}$, whose automaton behavior is $B_{W,i}$. Equation (12) suggests that circuit block $M_{E_C,i}$ can experience the same sequence of I/O signal transitions within both environments. Naturally then, the original environment of $M_{E_C,i}$ is not distinguishable from the abstract environment of $M_{E_C,i}$ when their sequences of interactions with $M_{E_C,i}$ adhere to $t$ (as well as $t'$). On the other hand, the behavior of any circuit block (i.e., its set of all possible traces) is inherently unique for any unique sequence of I/O interactions. Intuitively, it then follows that
(i) the same sequence of transitions of $V_{C'}$ (the collection of variables of $M_{E_C,i}$ and $M_{W,i}$) along trace $t$ of the original circuit must also be observable in $C'$ (the sub-circuit composed of $M_{E_C,i}$ and $M_{W,i}$). In other words, we must have $\mathrm{Proj}(V_{C'})(t) \in B_{C'}$;
(ii) the same sequence of transitions of $V_{C'}$ along trace $t'$ of sub-circuit $C'$ must also be observable in $C$. In other words, we must have $t' \in \mathrm{Proj}(V_{C'})(B_C)$.
Claim (i) above (and similarly, claim (ii)) can be proven by an induction on the length of trace $t$ (and that of $t'$) and the enabling conditions of the circuit modules of $M_{E_C,i}$. The inductive proofs of the two claims are very similar. However, for the sake of completeness, we present both of them in what follows.
(i) Consider the original circuit $C$ and its sub-circuit $C'$. Let $t \in B_C$ be any circuit trace. The circuit modules of $M_{E_C,i}$ have a unique initial state in both $C$ and $C'$; that is, the two circuits are initial-state-compatible. Now, since the initial state of any circuit uniquely defines the trace of that circuit which has a length of one, for the base case of $\mathrm{Len}(t) = 1$ we have $\mathrm{Proj}(V_{C'})(t) \in B_{C'}$.
Now assume that $\mathrm{Proj}(V_{C'})(t_n) \in B_{C'}$ holds for any trace $t_n \in B_C$ of length $n$ for which $\mathrm{Proj}(V_{W,i})(t_n) = t_n^{W,i} \in B_{W,i}$. (Note that trace $t_n^{W,i}$, corresponding to trace $t_n$, is not necessarily of length $n$; the subscript is only to emphasize the correspondence.) We show that any trace $t_{n+1} \in B_C$ of length $n+1$, such that $t_n$ is the prefix of $t_{n+1}$ and $\mathrm{Proj}(V_{W,i})(t_{n+1}) = t_{n+1}^{W,i} \in B_{W,i}$, will satisfy the condition $\mathrm{Proj}(V_{C'})(t_{n+1}) \in B_{C'}$. To see this, if the last state transition of $t_{n+1}$ involves no variables of $C'$, then obviously $\mathrm{Proj}(V_{C'})(t_{n+1}) = \mathrm{Proj}(V_{C'})(t_n) \in B_{C'}$. Otherwise, any variable of $C'$ involved in the last state transition of $t_{n+1}$ is either driven by a module in $M_{E_C,i}$ or by one outside $M_{E_C,i}$. First consider the case in which $M_{E_C,i}$ drives a changing variable of the last state transition of $t_{n+1}$: since the modules of $M_{E_C,i}$ have experienced the same set of signal transitions in both $C$ and $C'$ up to the last state transition of $t_{n+1}$, their state prior to the last transition is the same in both circuits, and thus at that point any signal of $M_{E_C,i}$ which is enabled in $C$ is also enabled in $C'$. Secondly, consider the case in which a changing variable of $C'$ in the last state transition of $t_{n+1}$ is driven by a module outside $M_{E_C,i}$: since $B_{W,i}$ is the automaton behavior of $M_{W,i}$ and $\mathrm{Proj}(V_{W,i})(t_{n+1}) = t_{n+1}^{W,i} \in B_{W,i}$, the transitions of any such variable (which has to be an external variable) along trace $t_{n+1}$ are preserved in the automaton of $M_{W,i}$; that is, any such variable changes are also enabled in $C'$. Thus in both cases we observe that any change of variables of $V_{C'}$ that occurs at the last state transition of $t_{n+1}$ in the original circuit is also enabled at the last state of $\mathrm{Proj}(V_{C'})(t_n)$ in sub-circuit $C'$. It then follows that $\mathrm{Proj}(V_{C'})(t_{n+1}) \in B_{C'}$.
(ii) Consider the original circuit $C$ and its sub-circuit $C'$, and let $t' \in B_{C'}$ be any sub-circuit trace.
Since $C$ and $C'$ are initial-state-compatible, for the base case of $\mathrm{Len}(t') = 1$ we have $t' \in \mathrm{Proj}(V_{C'})(B_C)$. Now assume that $t'_n \in \mathrm{Proj}(V_{C'})(B_C)$ holds for any trace $t'_n \in B_{C'}$ of length $n$ for which $\mathrm{Proj}(V_{W,i})(t'_n) = t_n^{W,i}$, where $t_n^{W,i} \in B_{W,i}$. (Note that trace $t_n^{W,i}$, corresponding to trace $t'_n$, is not necessarily of length $n$; the subscript is only to emphasize the correspondence.) We show that any trace $t'_{n+1} \in B_{C'}$ of length $n+1$, such that $t'_n$ is the prefix of $t'_{n+1}$, $\mathrm{Proj}(V_{W,i})(t'_{n+1}) = t_{n+1}^{W,i}$, and $t_{n+1}^{W,i} \in B_{W,i}$, will satisfy the condition $t'_{n+1} \in \mathrm{Proj}(V_{C'})(B_C)$. To see this, any variable of $C'$ involved in the last state transition of $t'_{n+1}$ is either driven by a module in $M_{E_C,i}$ or by $M_{W,i}$. First consider the case in which $M_{E_C,i}$ drives a changing variable of the last state transition of $t'_{n+1}$: since the modules of $M_{E_C,i}$ have experienced the same set of signal transitions in both $C$ and $C'$ up to the last state transition of $t'_{n+1}$, their state prior to the last transition is the same in both circuits, and thus at that point any signal of $M_{E_C,i}$ which is enabled in $C'$ is also enabled in $C$. Secondly, consider the case in which a changing variable of $C'$ in the last state transition of $t'_{n+1}$ is driven by $M_{W,i}$ and is thus a variable in $V_{W,i}$: from $t_{n+1}^{W,i} \in \mathrm{Proj}(V_{W,i})(B_C)$ and $\mathrm{Proj}(V_{W,i})(t'_{n+1}) = t_{n+1}^{W,i}$ we know that $\mathrm{Proj}(V_{W,i})(t'_{n+1}) \in \mathrm{Proj}(V_{W,i})(B_C)$, suggesting that any $V_{W,i}$ changes in $C'$ along $t'_{n+1}$ are also enabled in $C$. Thus in both cases we observe that any change of variables of $V_{C'}$ that occurs at the last state transition of $t'_{n+1}$ in sub-circuit $C'$ is also enabled (possibly after a sequence of non-$V_{C'}$ signal transitions) in $C$. It then follows that $t'_{n+1} \in \mathrm{Proj}(V_{C'})(B_C)$. ■
Corollary 3.6 [Properties of traces captured in a safe abstraction] Let $C = (M_C, A_C, V_C, G_C, FA_C)$ be any circuit for which there exists a behavior $B_{WC}$ that is a safe abstraction of $B_C$ over some $W_C \subseteq V_C$. Let $t \in B_C$ be any trace for which there exists $t_{WC} \in B_{WC}$ such that $\mathrm{Proj}(W_C)(t) = t_{WC}$, and let $C' = C_{E_C,i}$ be any sub-circuit of $C$. Then $\mathrm{Proj}(V_{C'})(t) \in B_{C'}$. Moreover, if $t' \in B_{C'}$ is any trace such that $\mathrm{Proj}(V_{W,i})(t') = \mathrm{Proj}(V_{W,i})(t_{WC})$, then $t' \in \mathrm{Proj}(V_{C'})(B_C)$. ■
Informally speaking, Corollary 3.6 suggests that if a circuit trace $t$ is successfully abstracted by a safe abstraction (i.e., by trace $t_{WC}$), then not only will (the projection of) trace $t$ be locally present in any sub-circuit of the circuit, but also any trace $t'$ of any sub-circuit $C'$ that adheres to trace $t_{WC}$, and thus to $t$, will be (globally) present in circuit $C$.
Proof (Sketch) Since $\mathrm{Proj}(W_C)(t) = t_{WC}$ and $V_{W,i} \subseteq W_C$, by Lemma 2.1 we have
$\mathrm{Proj}(V_{W,i})(t) = \mathrm{Proj}(V_{W,i})(t_{WC})$. (13)
Since $t_{WC} \in B_{WC}$, we have
$\mathrm{Proj}(V_{W,i})(t_{WC}) \in \mathrm{Proj}(V_{W,i})(B_{WC})$. (14)
From (13) and (14) we have
$\mathrm{Proj}(V_{W,i})(t) \in \mathrm{Proj}(V_{W,i})(B_{WC})$. (15)
From Lemma 3.3 we have
$\mathrm{Proj}(V_{W,i})(B_{WC}) \subseteq B_{W,i}$. (16)
From (15) and (16) we have
$\mathrm{Proj}(V_{W,i})(t) = t^{W,i} \in B_{W,i}$. (17)
It then follows from (17) and Lemma 3.5 that $\mathrm{Proj}(V_{C'})(t) \in B_{C'}$. On the other hand, from $\mathrm{Proj}(V_{W,i})(t') = \mathrm{Proj}(V_{W,i})(t_{WC})$ and (13) we have
$\mathrm{Proj}(V_{W,i})(t') = \mathrm{Proj}(V_{W,i})(t)$, (18)
and then from (17) and (18) we have
$\mathrm{Proj}(V_{W,i})(t') = t^{W,i}$. (19)
It then follows from (19) and Lemma 3.5 that $t' \in \mathrm{Proj}(V_{C'})(B_C)$. ■
Note that the condition $\mathrm{Proj}(V_{W,i})(t') = \mathrm{Proj}(V_{W,i})(t_{WC})$ of Corollary 3.6 is equivalent to $\mathrm{Proj}(V_{W,i})(t') \in \mathrm{Proj}(V_{W,i})(B_{WC})$.
Corollary 3.7 [Circuit and sub-circuit behaviors] Let $C = (M_C, A_C, V_C, G_C, FA_C)$ be any circuit for which there exists a behavior $B_{WC} = \mathrm{Proj}(W_C)(B_C)$ that is a safe abstraction of $B_C$ over some $W_C \subseteq V_C$, and let $C' = C_{E_C,i}$ be any sub-circuit of $C$. Then $\mathrm{Proj}(V_{C'})(B_C) \subseteq B_{C'}$. ■
Informally speaking, Corollary 3.7 suggests that if a safe abstraction of the behavior of a circuit is exact, then the projection of the circuit behavior will be locally present in any sub-circuit of the circuit. That is, there is no circuit trace not exhibited by each sub-circuit.
Proof (Sketch) For the special case of $B_{WC} = \mathrm{Proj}(W_C)(B_C)$, for any $t \in B_C$ there exists a $t_{WC} \in B_{WC}$ such that $\mathrm{Proj}(W_C)(t) = t_{WC}$, and thus by Corollary 3.6 we have $\mathrm{Proj}(V_{C'})(t) \in B_{C'}$. It then follows that $\mathrm{Proj}(V_{C'})(B_C) \subseteq B_{C'}$. ■
Lemma 3.8 [Under-approximation of reduced sub-circuit behaviors] Let $C = (M_C, A_C, V_C, G_C, FA_C)$ be any circuit for which there exists a behavior $B_{WC} \subseteq \mathrm{Proj}(W_C)(B_C)$ that is a safe abstraction of $B_C$ over some $W_C \subseteq V_C$, $E_C = A_C \cap W_C$, and let $C' = C_{E_C,i}$ be any sub-circuit of $C$. Then $\mathrm{Red}(B_{C'}) \subseteq \mathrm{Proj}(V_{C'})(B_C)$. ■
Informally speaking, Lemma 3.8 suggests that the behavior of any sub-circuit of a circuit with a safe abstraction, when reduced, is completely present in the projection of the circuit behavior. That is, there is no prime trace of the sub-circuit not exhibited by the circuit. Note that a prime trace, if not failure-free itself, has an immediate prefix that is failure-free.
Proof (Sketch) By Lemma 3.4, we know that $\mathrm{Proj}(A_{W,i})(B_{WC}) \subseteq \mathrm{Proj}(A_{W,i})(B_C)$; thus, the possible interactions of circuit block $M_{E_C,i}$ with the rest of the circuit can only be under-approximated by environment module $M_{W,i}$. To see this, note that environment module $M_{W,i}$ is directly derived from (a projection of) $B_{WC}$ by solely labeling unexpected signal transitions at the inputs of $M_{W,i}$ as failure transitions; thus, the behavior of the output signals of $M_{W,i}$, which serve as the input signals of circuit block $M_{E_C,i}$, exactly adheres to $B_{WC}$. Now, within such an under-approximated abstract environment $M_{W,i}$, the (reduced or prime) behavior of circuit block $M_{E_C,i}$ can only be an under-approximation of the behavior of $M_{E_C,i}$ within its real environment; i.e., $\mathrm{Red}(B_{C'}) \subseteq \mathrm{Proj}(V_{C'})(B_C)$. This relation is stated over $\mathrm{Red}(B_{C'})$, and not $B_{C'}$. The reason is that if $B_{C'}$ contains an input choke to $M_{W,i}$, then, since the reaction of $M_{W,i}$ to that choke is not originally specified by the safe abstraction, any behavior beyond that failure point can be a spurious behavior (introduced by our arbitrary choice of the destination state of a failure transition), not necessarily present in the original circuit. However, the fact that the above relation holds for $\mathrm{Red}(B_{C'})$ and not $B_{C'}$ does not make it any less attractive, since only the first fault along any trace is significant to us; i.e., we only care about prime traces and behaviors.
More formally, consider any prime trace $t' \in B_{C'}$ and let $t'_{W,i} = \mathrm{Proj}(V_{W,i})(t')$. There are two cases: either $t'_{W,i} \in \mathrm{Proj}(V_{W,i})(B_{WC})$ or $t'_{W,i} \notin \mathrm{Proj}(V_{W,i})(B_{WC})$. In the case of $t'_{W,i} \in \mathrm{Proj}(V_{W,i})(B_{WC})$, Corollary 3.6 immediately suggests that $t' \in \mathrm{Proj}(V_{C'})(B_C)$. So, consider the case of $t'_{W,i} \notin \mathrm{Proj}(V_{W,i})(B_{WC})$, where $t'_{W,i}$ must be a failure trace of $C'$ ending with an input choke to environment module $M_{W,i}$. Let $t'' \in B_{C'}$ be the immediate prefix of $t'$.
Note that since $t'$ is a prime failure trace, its prefix $t''$ will be failure-free, and we will have $t''_{W,i} = \mathrm{Proj}(V_{W,i})(t'') \in \mathrm{Proj}(V_{W,i})(B_{WC})$. But then by Corollary 3.6 we will have $t'' \in \mathrm{Proj}(V_{C'})(B_C)$. This suggests that the modules of $M_{E_C,i}$ can experience the same sequence of signal transitions of $t''$ in both $C$ and $C'$, reaching a common local state in $M_{E_C,i}$ at the end of $t''$. But then, any signal of $M_{E_C,i}$ which is enabled in $C'$ at the end of $t''$ is also enabled in $C$; that is, the last (failure) state transition of $C'$ along $t'$ is also enabled in $C$, although the reached states may not be compatible. In other words, $t' \in \mathrm{Proj}(V_{C'})(B_C)$ for the case of $t'_{W,i} \notin \mathrm{Proj}(V_{W,i})(B_{WC})$ (again, note that the last signal transition of $t'$ is present in $\mathrm{Proj}(V_{C'})(B_C)$, but probably not the last state of $t'$). Thus we have shown that $t' \in \mathrm{Proj}(V_{C'})(B_C)$ holds for any prime trace $t' \in B_{C'}$, which is equivalent to saying $\mathrm{Red}(B_{C'}) \subseteq \mathrm{Proj}(V_{C'})(B_C)$. ■
At this point we are ready to present the proofs of the two main theorems of this section, Theorem 3.1 and Theorem 3.2.
Theorem 3.1 [Circuit versus sub-circuit failure-freedom, I] Let $C = (M_C, A_C, V_C, G_C, FA_C)$ be any circuit for which there exists a behavior $B_{WC}$ that is a safe abstraction of $B_C$ over some $W_C \subseteq V_C$, and $E_C = A_C \cap W_C$. Then, if any sub-circuit $C' = C_{E_C,i}$ is not failure-free, $C$ is not failure-free. ■
Proof (Sketch) Let $t' \in B_{C'}$ be any (shortest) failure trace of $C'$ which is prime; i.e., $t' \in \mathrm{Red}(B_{C'})$. By Lemma 3.8 we have $\mathrm{Red}(B_{C'}) \subseteq \mathrm{Proj}(V_{C'})(B_C)$, which together with $t' \in \mathrm{Red}(B_{C'})$ suggests that $t' \in \mathrm{Proj}(V_{C'})(B_C)$. Thus, there must exist a trace $t \in B_C$ such that $t' = \mathrm{Proj}(V_{C'})(t)$; that is, the variables of sub-circuit $C'$ can observe the same sequence of transitions (that of $t'$) in both $C$ and $C'$. Now, consider the last state transition of trace $t' \in B_{C'}$, which is by assumption a failure transition.
The failing circuit module of $C'$ (experiencing an illegal input signal transition) is either an ordinary module of $C' = C_{E_C,i}$ (and thus a module of $C$), or it is environment module $M_{W,i}$. If the failing module of $C'$ is an ordinary module, then the failure is obviously a failure of $C$ as well, since the failing module can experience exactly the same sequence of events in both $C$ and $C'$. On the other hand, if $M_{W,i}$ is the failing module of $C'$ (i.e., the transition of an external signal is causing an input choke to $M_{W,i}$), then the actual output behavior of circuit block $M_{E_C,i}$ must have been under-estimated by safe specification $B_{W,i}$; but this can happen only if the behavior of the external variables $W_C$ was under-approximated by safe abstraction $B_{WC}$. (Remember that safe specification $B_{W,i}$, which defines the expected input transitions of $M_{W,i}$, is obtained via a projection of safe abstraction $B_{WC}$.) However, by the definition of a safe abstraction, $B_{WC}$ is obliged to exactly resemble the behavior of $W_C$ if circuit $C$ is failure-free; in other words, if $B_{WC}$ is not exact, then $C$ is not failure-free. Hence, input chokes to $M_{W,i}$ are always indicative of a failure of circuit $C$. This completes our proof that any failure in any sub-circuit $C'$ is always an indication of a failure of circuit $C$. ■
Theorem 3.2 [Circuit versus sub-circuit failure-freedom, II] Let $C = (M_C, A_C, V_C, G_C, FA_C)$ be any circuit for which there exists a behavior $B_{WC}$ that is a safe abstraction of $B_C$ over some $W_C \subseteq V_C$, and $E_C = A_C \cap W_C$. If all sub-circuits $C_{E_C,i}$ are failure-free, then $C$ is itself failure-free. ■
Proof (Sketch) We prove the failure-freedom of $C$ by way of contradiction. Suppose $C$ is not failure-free. Under this assumption, and by the definition of a safe abstraction, we must have $B_{WC} \subseteq \mathrm{Proj}(W_C)(B_C)$; that is, either $B_{WC} \subset \mathrm{Proj}(W_C)(B_C)$ or $B_{WC} = \mathrm{Proj}(W_C)(B_C)$.
If $B_{WC} \subset \mathrm{Proj}(W_C)(B_C)$ is the case (i.e., $B_{WC}$ under-approximates $\mathrm{Proj}(W_C)(B_C)$), then there must be a shortest trace $t = q_0 \ldots q_1 \ldots q_n \ldots r\,q_{n+1} \in B_C$ such that $t_{WC} = \mathrm{Proj}(W_C)(t) = \mathrm{Proj}(W_C)(q_0 \ldots q_1 \ldots q_n \ldots r\,q_{n+1}) \notin B_{WC}$. Here, all and only those states of trace $t$ which are entered with some external variable change are labeled as $q_j$, $0 \le j \le n+1$. Thus any pair of states $q_j$ and $q_{j+1}$ are separated by maximal non-observable sub-traces of $t$. (A non-observable sub-trace is one which does not contain any external variable ($W_C$) changes.) State $r$ is the next to last state of trace $t$, and there must be an external signal $a \in E_C \subseteq W_C$ which is involved in the transition from state $r$ to state $q_{n+1}$. There must then exist a unique circuit block $M_{E_C,i}$ such that signal $a$ is an external output signal of $M_{E_C,i}$. Now consider $t' = q_0 \ldots q_1 \ldots q_n \ldots r$, the immediate prefix of $t$, and its projection $t'_{WC} = \mathrm{Proj}(W_C)(t') = \mathrm{Proj}(W_C)(q_0 \ldots q_1 \ldots q_n)$. (Note that the projection of the last maximal non-observable sub-trace of $t'$ is the same as $\mathrm{Proj}(W_C)(q_n)$.) Since $t$ is the shortest trace of interest, we must have $t'_{WC} \in B_{WC}$; but then by Lemma 3.5 we must have $\mathrm{Proj}(V_{C'})(t') \in B_{C'}$, where $C' = C_{E_C,i}$. Hence, the circuit modules of block $M_{E_C,i}$ can experience the same sequence of transitions (that of $\mathrm{Proj}(V_{C'})(t'_{WC})$) in both $C$ and $C' = C_{E_C,i}$. But this suggests that external output signal $a$ of $M_{E_C,i}$ is enabled at state $\mathrm{Proj}(V_{C'})(q_n) = \mathrm{Proj}(V_{C'})(r)$. On the other hand, $B_{W,i}$, the safe specification of $M_{E_C,i}$, specifies any transition of signal $a$ at state $\mathrm{Proj}(V_{C'})(r)$ as a failure transition; this is true because $t_{WC} \notin B_{WC}$ implies that $\mathrm{Proj}(V_{C'})(t_{WC}) \notin \mathrm{Proj}(V_{C'})(B_{WC})$.
Now, since on one hand $a$ is enabled at state $\mathrm{Proj}(V_{C'})(r)$ of $C'$, and on the other hand it is not expected to be enabled by safe specification $B_{W,i}$, any transition of $a$ will cause an input choke to environment module $M_{W,i}$, suggesting that $C'$ is not failure-free. But all sub-circuits of $C$ are failure-free by the conditions of Theorem 3.2. Thus, the assumption of $C$ not being failure-free leads to a contradiction in the case of $B_{WC} \subset \mathrm{Proj}(W_C)(B_C)$.
Next, under the assumption of $C$ not being failure-free, consider the case of $B_{WC} = \mathrm{Proj}(W_C)(B_C)$. Then there must exist a shortest (prime) failing trace $t = q_0 \ldots q_1 \ldots q_n \ldots r'\,r \in B_C$, an internal signal $a \in H_C$, and a unique circuit module $M_j \in M_C$ of circuit $C$, such that signal $a \in X_j$ has a transition from state $r'$ to $r$ which is illegal. There must also exist a unique circuit block $M_{E_C,i}$ such that $M_j \in M_{E_C,i}$. By Corollary 3.7, $B_{WC} = \mathrm{Proj}(W_C)(B_C)$ implies that $\mathrm{Proj}(V_{C'})(t) \in B_{C'}$. This implies that the above failure at circuit element $M_j$ will also be present in $C_{E_C,i}$, suggesting that $C_{E_C,i}$ is not failure-free. Thus, the assumption of $C$ not being failure-free leads to a contradiction in the case of $B_{WC} = \mathrm{Proj}(W_C)(B_C)$.
We have just shown that the assumption of $C$ not being failure-free would always imply the presence of some failure in some sub-circuit, which is in contradiction with the conditions of Theorem 3.2. Thus circuit $C$ must be failure-free if all of its sub-circuits are failure-free. ■
Chapter 4
Induced Hierarchical Verification of Speed-Independence: Issues
In this section, we first compare our proposed framework for hierarchical verification of speed-independent circuits with that of complex-gate verification, in terms of how the two frameworks choose the set of external variables over which safe abstractions are found. Next, we discuss the issue of choosing sets of external variables that are observationally sufficient (OSV sets), and how the choice can affect the performance of hierarchical verification. Finally, we introduce the concept of sequential hierarchical verification (SHV) as a heuristic that can improve the performance of hierarchical verification through better informed decisions on the selection of external variables, and/or on the order in which sub-circuits are verified.
4.1 Circuit Blocks Versus Complex-Gates
Our proposed framework for induced hierarchical verification of speed-independent circuits is a generalization of a previous technique for two-level hierarchical verification of speed-independent circuits, called complex-gate verification [64, 65]. Both frameworks try to find a safe abstraction of the circuit behavior over a set of external variables, which is then used to induce hierarchy in the verification of the circuit. In this subsection, we compare the two frameworks in terms of their constraints for the selection of sets of external variables, and how such constraints affect the requirements and performance of the two frameworks. In complex-gate verification, the set of external circuit variables over which a safe abstraction is found is taken as a superset of all output signals of sequential circuit modules.
Then, for any module with external outputs, the module and the combinational cone of logic driving it are collapsed into a complex-gate, and complete reachability analysis is performed on the collapsed circuit to find the behavior of its set of external signals. Such sets of external signals partition a circuit into circuit blocks, each of which contains one or more complex-gates. Once a safe abstraction is found, each circuit block can then be checked for conformance to its specification, which is derived from the safe abstraction. Note that since the complex-gate circuit has fewer signals, its full reachability analysis is less expensive than that of the flat circuit. First of all, note the limitation of this technique in not being able to hide outputs of sequential modules. This limitation is not present in our more general verification framework. Being able to hide more signals, our framework can potentially outperform this technique when deriving safe abstractions.
[Figure: (a) Overlapping circuit-blocks; (b) Complex-gate circuit] Fig. 4.1 A portion of a circuit with a multiple fan-out signal $a_j$.
A second limitation of this approach is concerned with the verification of individual complex-gates. It very often is the case that complex-gates of a circuit overlap (see Figure 4.1). Overlapping arbitrary circuit blocks and their associated problems were discussed in a previous section. We noted that any signal in the common portion of two overlapped arbitrary circuit blocks has to be external. However, in the complex-gate verification approach, all signals of the common portion of two complex-gates are hidden, since they are internal signals of each of the two complex-gates. This suggests that a complex-gate with overlapped logic cannot be verified individually. There are two ways to solve this problem (see Figure 4.2).
The first solution, depicted in Figure 4.2.b, is to add to the set of external signals any signal which would have otherwise forked into two different (single-output) complex-gates. This solution will increase the number of external signals, and thus add to the complexity of deriving safe abstractions. Another solution, depicted in Figure 4.2.c, is to combine overlapping complex-gates into multiple-output complex-gates in such a way that no two multiple-output complex-gates overlap. (Note that such multiple-output complex-gates are in fact the same as the circuit blocks induced by partitioning the circuit by the set of external signals.)
[Figure: panels (a), (b), (c)] Fig. 4.2 Two solutions to the problem of overlapping complex-gates.
This solution can potentially result in large circuit blocks whose verification would be more expensive than that of smaller ones. Such large blocks may need to be further partitioned into smaller blocks by choosing the signals that fork into multiple complex-gates as the external signals of the next level of hierarchy. This solution can be less expensive than the first one. However, both solutions reveal that to correctly verify the circuit in this framework, not all outputs of combinational modules can always be effectively hidden. This limitation, together with never being able to hide the outputs of sequential modules, highlights the advantage of our more general framework.
4.2 Selection of OSV Sets for Hierarchical Verification
One of the most controversial issues with our hierarchical verification technique is the problem of choosing the set of external variables. While this problem, in its most general form, can be an interesting subject for future research, some ad hoc and inherent solutions are already available for it.
Very often, observationally sufficient sets of circuit variables (over which safe abstractions exist) have high correlations with the handshake signals of the circuit. Since full handshake protocols are an essential part of any speed-independent design, especially at higher levels of the design hierarchy, coming up with OSV sets is not a hard problem, and designers can easily make an initial guess for an OSV set. If the observational sufficiency of such a set cannot be proven (e.g., an attempt to find a safe abstraction over that set fails), it is often easy to figure out which signals/variables were involved in violating the safety of the abstract behavior. Such signals/variables can then be added to the set of external variables, and this procedure can be repeated until a safe abstraction, and thus an OSV set, is found. This approach usually works very well, unless the initial guess is not a good one. It is to be noted that failure in finding a safe abstraction over an OSV set would cause a failure in recognizing its observational sufficiency. We can ensure that a set is OSV only when we are successful in finding a safe abstraction (i.e., when the underlying sub-automaton is projectable); otherwise, we had better choose another set of external signals and see if we can find a safe abstraction over them. On the other hand, increasing the size of a set of external signals is not always a guarantee that it will eventually become OSV, and stay OSV from that point on. In general, a set of variables which is an unrecognized OSV set can easily lose the property by the inclusion of new variable(s), or it may retain the property but not be recognized as an OSV set again.
[Figure: panels (a), (b)] Fig.
4.3 An example of technology mapping.
As the circuit is broken up into smaller and smaller circuit blocks, it becomes harder to choose sets of external signals, since not much handshaking may be present inside small pieces of the circuit. As we discussed in the section about complex-gate verification, the output signals of combinational gates can be hidden in many cases. Exceptions can include cases where the output of a sequential gate has to be absent from an external set of handshake signals. To solve the problem of which sequential module outputs to hide, the circuit designers can once again come to help. An example of this case is in technology mapping of SI circuits using sequential decomposition [21, 25, 46]. Sequential decomposition substitutes a multi-fan-in gate with a functionally and behaviorally equivalent cone of logic that is composed of gates with smaller fan-ins (see Figure 4.3). Since only the output of the new cone is expected to behave exactly as that of the original gate, and in that case the behavior of the newly introduced signals connecting the set of modules is insignificant, they can all be hidden, even if they are outputs of sequential gates (see signal Z' in Figure 4.4). This is very similar to the case of complex-gate circuits. First, remember that for any circuit, the set of signals of the corresponding complex-gate circuit is always an OSV set. Secondly, note that when a module is decomposed, the resulting modules can be thought of as collapsing into the original module, as if the original module were a pseudo complex-gate. It then follows that the new signals introduced by sequential decomposition can all be hidden.
[Figure: Decomposition; Environment] Fig. 4.4 An example of sequential decomposition in technology mapping.
4.3 Sequential Hierarchical Verification, SHV
In this section, we present some general directives which can potentially speed up hierarchical verification. We will also discuss the issues involved with such procedures. As was mentioned in the previous section, OSV sets are very often a collection of handshake signals of the circuit. For circuits that are composed of a large number of communicating circuit blocks, the number of handshake signals can be very large. (This can also be true at lower levels of the design hierarchy.) However, since the cost of finding a safe abstraction is exponential in the size of the selected set of external variables, we are much more interested in smaller sets. Smaller OSV sets may not represent all the circuit blocks of a particular level of the design hierarchy; i.e., a smaller OSV set usually represents larger circuit blocks, and a larger circuit block may encompass a couple of circuit blocks associated with a larger OSV set.
[Figure] Fig. 4.5 An abstract illustration of Sequential Hierarchical Verification.
Smaller OSV sets very often include the handshake variables among subsets of communicating circuit blocks, where the circuit blocks within each subset have direct mutual communications. Thus, smaller OSV sets tend to partition the circuit into circuit blocks such that each circuit block is a collection of adjacent circuit blocks associated with a larger OSV set. Now, given a small OSV set, its circuit blocks can be further partitioned into smaller ones. This suggests that smaller OSV sets increase the depth of hierarchical verification, but speed up the derivation of safe abstractions. There is a trade-off between the speed-up of deriving safe abstractions and the increase in the depth of hierarchy.
However, since the former has an exponential cost and the latter has a sub-exponential cost, smaller OSV sets are preferred. Now, consider the case in which the sizes of the circuit blocks associated with a small OSV set are not balanced; i.e., some of the circuit blocks are small and can be verified in fewer levels of hierarchy. If such OSV sets exist for a given circuit and the designer is most concerned about design errors located in the smaller circuit blocks, the verification procedure can be sped up by first verifying those small circuit blocks, and proceeding to other circuit blocks only once the small ones are found to be failure-free. In this paradigm, the larger blocks are broken into smaller ones in a similar fashion; that is, OSV sets are chosen in such a way that the culprit design errors are most probably located in smaller circuit blocks. We call this verification paradigm sequential hierarchical verification, or SHV (see Figure 4.5). Note that although this technique can potentially speed up finding failures, a final decision on the failure-freedom of any block of the circuit cannot be made until all blocks are verified as failure-free. Knowledge of the possible location of design errors is not the only motivation for SHV. Another motivation for SHV can be the relative ease of finding safe abstractions. For example, consider a circuit which is to be verified against a specification. The circuit can be thought of as a collection of cones of logic, each driven by the inputs of the circuit and driving one output of the circuit. Now, if there exists a (reasonably) small cone of logic and a small OSV set containing the I/O signals of that cone, then that cone can be verified quickly, and the rest of the circuit can be verified in a similar fashion, sequentially (see Figure 4.6).
Here, the SHV paradigm is directed towards speeding up the verification, without necessarily having knowledge of the possible location of design errors. Finally, it is to be noted that the performance of any SHV procedure is very dependent on the choice of appropriate OSV sets (and their existence), and on the ordering of verification of the circuit blocks at each level of hierarchy.
[Figure: circuit inputs, cones of logic, circuit outputs] Fig. 4.6 An abstract illustration of Sequential Hierarchical Verification.
While designers (as well as their intuition) should be able to guide such SHV approaches in many cases, devising heuristics for SHV verification can be an interesting subject for future research.
Chapter 5
Finding Safe Abstractions
Our hierarchical verification framework was presented in a previous chapter, along with a proof of its correctness. In this framework, a safe abstraction of the behavior of a circuit over a set of external variables is used to verify the sub-circuits of the circuit that are induced by the safe abstraction, in a recursive and hierarchical fashion. This hierarchical approach, assuming that there are efficient techniques to derive safe abstractions, can speed up the verification process. Safe abstractions and efficient techniques to actually find them are the subject of this chapter. We use a partial order technique to find safe abstractions. This partial order technique constructs a subtle sub-automaton of the circuit automaton by partially exploring the state space of the circuit in a delicate fashion. The circuit sub-automaton is constructed with the goal of preserving all external variable transitions while maintaining as small a number of interleavings of internal variable transitions as possible.
By construction, if the sub-automaton is projectable onto the set of external variables, then the behavior of its projection is guaranteed to be a safe abstraction of the circuit behavior. Since partial order techniques are reduction techniques that mitigate the state explosion problem, by using them to derive safe abstractions we achieve our goal of efficient hierarchical verification.

This chapter is organized as follows. In Section 5.1 the general concepts and terminology associated with partial order reductions are introduced. In Section 5.2 we show how a particular class of partial order reduction techniques can be utilized for our specific problem of finding safe abstractions. This technique is capable of constructing a sub-automaton of the circuit automaton that preserves the behavior of the external variables of failure-free circuits. We know from the previous chapter that if such a sub-automaton is also projectable onto the set of external variables, its projection is a safe abstraction. Based on the requirements of this particular partial order technique, we then derive a set of constraints on the set of external circuit variables. Finally, we present a first partial order reduction algorithm and prove its correctness in generating reduced state spaces that can be used for finding safe abstractions. In Section 5.3, we present an enhanced partial order algorithm as a complete solution for finding safe abstractions. This algorithm is also furnished with an embedded procedure for on-the-fly projection of the constructed sub-automaton. The correctness of the enhanced algorithm is proven, and the chapter is closed by presenting an optimized version of the algorithm which can further improve the performance of partial order reduction for finding safe abstractions.
5.1 Some Background

Formal verification paradigms that are based on state space exploration can often greatly benefit from partial order reduction techniques that help attack the state space explosion problem [1, 62, 63, 32, 33, 81, 82]. In asynchronous systems, which are highly concurrent, one source of state space explosion is the exponential ($n!$) number of possible interleavings of $n$ concurrent events. If the concurrent events are independent, then all such interleavings are equivalent, since they all lead to the same state. Now, if the property of the system to be verified does not depend on the ordering of such concurrent (independent) events, it suffices to explore just one representative interleaving from the set of all possible interleavings. Consequently, during state space exploration, at each state it suffices to explore an ample set of enabled transitions, rather than all of them. This can usually lead to a significant reduction in the size of the explored state space, especially for highly concurrent asynchronous systems. In our framework, we use partial order reduction to find a safe abstraction of the behavior of a set of external circuit variables. As we will see, our partial order reduction, assuming that the external variables are independent of the internal variables, explores in a failure-free circuit only one interleaving of independent internal transitions, while exploring all possible external transitions (and thus all their interleavings). The explored sub-automaton of the circuit automaton thus preserves the exact behavior of the external variables of a failure-free circuit, and so, if it is also projectable onto the set of external variables, its projection is a safe abstraction.
The details of this approach are the subject of the following sections of this chapter. In the following subsections, we review the portion of the general framework for partial order reductions [1, 62, 63, 32, 33, 81, 82] that is relevant to our work. Instead of presenting the associated concepts in their original (general) form, we have occasionally tailored some of them to our own framework, only to ease the presentation.

5.1.1 Partial Order Reductions

Peled [62] gives a very concise and yet complete overview of partial order reduction techniques for the analysis of concurrent systems that are modeled with interleaving semantics. In his overview, the general concepts of partial order reductions are presented first, followed by the different sets of conditions that must be met for valid reductions in formalisms that include, among others, LTL (Linear Temporal Logic), CTL (Computation Tree Logic), and process algebra. In our framework, a two-step procedure is proposed for finding safe abstractions. The first step involves finding a sub-behavior of a circuit that preserves the behavior of the external variables of a failure-free circuit. This problem is shown to be equivalent to the problem of generating a reduced state space of the (failure-free) circuit such that for each trace in the full state space, there is a stuttering equivalent trace in the reduced one. Partial order reductions for LTL are claimed to generate precisely what we are looking for: a reduced state space that is equivalent to the full one up to stuttering. Thus, even without going over LTL, we have been able to prove the correctness of our partial order technique for finding safe abstractions by showing that it satisfies all the necessary conditions (for LTL), and that it is thus valid by construction.
Our following overview of partial order reduction techniques is accordingly restricted to the domain of reductions for LTL [62]. However, since we focus directly on the conditions for stuttering equivalence (and not on general LTL properties), we skip an overview of LTL. We introduce the relevant concepts and give specific examples that gradually form the connection between the general reduction technique (for stuttering equivalence) and our quest for finding safe abstractions.

Definition 5.1 [Finite transition system] [62] A finite transition system is a triple $FTS = (FA, AP, L)$, where $FA = (A, V, Q, \lambda, TR, \mu, q_0)$ is a finite state automaton, $AP$ is a finite set of propositions, and $L: Q \to 2^{AP}$ is an assignment function. For any sequence of states $t = q_0 q_1 q_2 \ldots$, we define the corresponding proposition sequence as $Prop(t) = L(q_0) L(q_1) L(q_2) \ldots$ ■

Example 5.1 Let $C = (M^C, A^C, V^C, G^C, FA^C)$ be a circuit and $W^C \subseteq V^C$ be a set of external variables. We can then define the transition system $FTS^C = (FA^C, AP^C, L^C)$ as follows: $AP^C = \{Proj(W^C)(q) \mid q \in Q^C\}$ and $L^C(q) = Proj(W^C)(q)$. Thus, the transition system simply assigns to each state of the circuit automaton $FA^C$ the projection of that state onto the set of external variables $W^C$. ■

As mentioned in [62], partial order reduction is based on several observations about the nature of concurrent computations and specification formalisms. The first observation is that concurrently executed transitions are often commutative. This is usually formalized in the definition of independence. In the following, we have tailored the general notion of independence [1, 62, 63, 32, 33, 81, 82] to our own framework, so that it appropriately accounts for the particular way in which we label the states of a transition system.
Definition 5.2 [Independent variables] [62] Let $FA^C = (A^C, V^C, Q^C, \lambda^C, TR^C, \mu^C, q_0^C)$ be a circuit automaton. A pair of distinct variables $v, w \in V^C$ are independent, written $v - w$, if for all states $q \in Q^C$ with $v, w \in Enabled(q)$ the following holds: for all transitions $(q, a, q') \in TR^C$ that change $v$ but not $w$, $w$ is enabled in $q'$; for all transitions $(q, b, q'') \in TR^C$ that change $w$ but not $v$, $v$ is enabled in $q''$; and there exists a unique state $q''' \in Q^C$ such that all $a$-transitions (there has to exist at least one) from state $q''$ that change $v$, and all $b$-transitions (there has to exist at least one) from state $q'$ that change $w$, lead to $q'''$. That is, any two strings $a, b$ and $b, a$ from state $q$ that change $v$ and $w$ (in different orders) always lead to the single state $q'''$ (here $a, b \in A^C \cup \{\varepsilon\}$). ■

Intuitively, two variables are independent if no transition that changes only one of them can disable the other one, and any order of execution of two signal transitions, each changing one of the variables, leads to the same global state. The independence relation on the variables of a circuit automaton is irreflexive and symmetric. It is also notable that by the above definition of independence, two variables that can change simultaneously in a single state transition are not necessarily dependent. Let $q$ be any state, and $v$ and $w$ be any two enabled independent variables at $q$. Then if $(q, a, q') \in TR^C$ is any transition changing $v$ but not $w$, and $(q, b, q''), (q', b, q''') \in TR^C$ are any pair of transitions changing $w$ but not $v$, then $(q'', a, q''') \in TR^C$ must also be a transition changing $v$. If a specification is only interested in the first and last states, $q$ and $q'''$, then we do not need to explore the transitions of both $v$ and $w$ from $q$.
Otherwise, one must consider the possibility that the values of the propositions might be different at the intermediate states $q'$ and $q''$, and might even differ from those at $q$ or $q'''$; if so, the transitions of both variables $v$ and $w$ might need to be explored from state $q$ for a valid partial order reduction.

Example 5.2 Let $M^i$ be any module of a circuit $C$ such that $Y^i \neq \emptyset$; i.e., the module has internal variables. Assume that all (local) states of module $M^i$ are reachable within the given circuit. Let $v \in A^i$ and $w \in V^i - A^i$ be any pair of module variables. If there exists a transition $(q, v, q') \in TR^C$ that changes both variables ($\lambda^C(q)|_w \neq \lambda^C(q')|_w$), then $v$ and $w$ are simply changing simultaneously at $q$. On the other hand, if $w$ is enabled in $q$ but disabled in $q'$ without being changed ($\lambda^C(q)|_w = \lambda^C(q')|_w$), then $v$ and $w$ are dependent. Similarly, if $v$ and $w$ are enabled in $q$ and there exists a transition $(q, u, q') \in TR^C$, $u \in A^i \cup \{\varepsilon\}$, that changes $w$ and disables $v$, then again $v$ and $w$ are dependent. ■

Fig. 5.1 Module description of a fair arbiter element: (a) the arbiter with signals r1, r2, a1, a2, p; (b) its module automaton.

Example 5.3 Figure 5.1 shows the module automaton of a fair arbiter $M^i$. From the module automaton, it can be seen that if $M^i$ is a module in a circuit $C$, and there exists $q \in Q^C$ such that $Proj(V^i)(q) = 00000$, $r1, r2 \in Enabled(q)$, and $r1$ and $r2$ cannot disable each other at $q$, then different states can be reached from $q$ depending on which of the signals $r1$ or $r2$ makes its transition first. Thus, signals $r1$ and $r2$ are dependent in circuit $C$. Note that variable $p$ is also enabled at state $q$; however, a transition of signal $r1$ will disable it. Thus, variables $p$ and $r1$ are dependent in $C$. Finally, $p$ can change simultaneously with all three other signals $r2$, $a1$ and $a2$, without being dependent on any of them. ■
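To make Definition 5.2 concrete, here is an added Python example (not the dissertation's own code) that encodes a constructed, simplified mutual-exclusion element together with a simple environment, of the kind discussed in Example 5.4 below, as a circuit automaton whose transitions each change exactly one variable. It checks independence pairwise by brute force over the reachable states, lists the dependent pairs (here only the output choice between the grants a1 and a2), and computes, for a chosen initial set of external variables, the closure that Definition 5.10 (Section 5.2.2) requires. The gate and environment rules are assumptions of the example; since the model is failure-free, the dependencies it finds are exactly the failure-free ones.

```python
from itertools import product

# Constructed model (assumption of this example): a mutual-exclusion (ME)
# element closed by a simple environment.
#   r1, r2 : requests, driven by the environment
#   a1, a2 : grants, driven by the ME
VARS = ("r1", "r2", "a1", "a2")
IDX = {v: i for i, v in enumerate(VARS)}


def next_value(q, v):
    """Value that variable v wants to take in state q (a tuple of bits)."""
    r1, r2, a1, a2 = q
    if v == "r1":  # environment: request when idle, release once granted
        return 1 if (r1, a1) == (0, 0) else 0 if (r1, a1) == (1, 1) else r1
    if v == "r2":
        return 1 if (r2, a2) == (0, 0) else 0 if (r2, a2) == (1, 1) else r2
    if v == "a1":  # ME: grant only while the other grant is low; drop with r1
        return 1 if (r1, a1, a2) == (1, 0, 0) else 0 if (r1, a1) == (0, 1) else a1
    if v == "a2":
        return 1 if (r2, a2, a1) == (1, 0, 0) else 0 if (r2, a2) == (0, 1) else a2
    raise KeyError(v)


def enabled(q):
    """Enabled(q): variables whose next value differs from their current one."""
    return [v for v in VARS if next_value(q, v) != q[IDX[v]]]


def fire(q, v):
    """One transition of the circuit automaton: only v changes."""
    q2 = list(q)
    q2[IDX[v]] = next_value(q, v)
    return tuple(q2)


def reachable(q0):
    """States of the circuit automaton reachable from q0."""
    seen, todo = {q0}, [q0]
    while todo:
        q = todo.pop()
        for v in enabled(q):
            q2 = fire(q, v)
            if q2 not in seen:
                seen.add(q2)
                todo.append(q2)
    return seen


def independent(v, w, states):
    """Definition 5.2 for one-variable transitions: wherever v and w are both
    enabled, neither transition disables the other, and the two orders
    v-then-w and w-then-v meet in the same state (the 'diamond')."""
    for q in states:
        en = enabled(q)
        if v in en and w in en:
            qv, qw = fire(q, v), fire(q, w)
            if w not in enabled(qv) or v not in enabled(qw):
                return False  # one transition disabled the other
            if fire(qv, w) != fire(qw, v):
                return False  # the two orders diverge
    return True


def dependent_pairs(states):
    """All unordered pairs of variables that are dependent in the circuit."""
    return {(v, w) for v, w in product(VARS, VARS)
            if v < w and not independent(v, w, states)}


def closed_external_set(w0, states):
    """Definition 5.10 for this model (no transition changes two variables, so
    the simultaneity condition is vacuous): every variable that is dependent
    on some other variable has to be external, whatever w0 was."""
    return set(w0) | {v for pair in dependent_pairs(states) for v in pair}


if __name__ == "__main__":
    states = reachable((0, 0, 0, 0))
    print(len(states), "reachable states")
    print("r1, r2 independent:", independent("r1", "r2", states))
    print("a1, a2 independent:", independent("a1", "a2", states))
    print("dependent pairs:", dependent_pairs(states))
    print("closure of {r1}:", closed_external_set({"r1"}, states))
```

At the state 1100 (both requests high, no grant) both a1 and a2 are enabled, and firing either one disables the other, so the brute-force check reports them as dependent; the requests r1 and r2 are never disabled by each other and always meet in the same state, so they come out independent, as Example 5.4 anticipates.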
Fig. 5.2 Module description of a Mutual-Exclusion element: (a) an ME with inputs r1, r2 and outputs a1, a2; (b) its module automaton.

Example 5.4 Figure 5.2 shows the module automaton of a mutual exclusion (ME) module $M^i$. From the module automaton, it can be seen that if $M^i$ is a module of a circuit $C$, and there exists $q \in Q^C$ such that $Proj(V^i)(q) = 0000$ and $r1, r2 \in Enabled(q)$, then regardless of the order in which signals $r1$ and $r2$ make their transitions, a unique state is reached if no other variable changes along the two transitions and $r1$ and $r2$ do not disable each other at $q$. Thus, the two signals can (possibly) be independent. However, if one of them can disable the other one (e.g., if the circuit has a failure), then the two will be dependent. Now, assume there exists $q \in Q^C$ such that $Proj(V^i)(q) = 1100$. Then both $a1$ and $a2$ are enabled at $q$, but a transition of either of them disables the other one. $a1$ and $a2$ are thus dependent; however, this output choice is not considered a failure. ■

Fig. 5.3 Classification of dependency between two circuit variables $v$ and $w$:
(a) an input $v$ that can illegally disable an output $w$: a failure.
(b) an input $v$ that can legally disable an output $w$.
(c) output choice between two outputs $v$ and $w$.
(d) an I/O signal $w$ that can disable an internal variable $v$, without $v$ changing simultaneously.
(e) an internal variable $v$ that can change in a transition that disables an output signal $w$, without simultaneously changing $w$.
(f) two I/O signals $v$ and $w$ whose order can affect the internal state of the corresponding module differently. One of them simultaneously changes with $u$, and the other one disables $u$ as in (d).
(g) two internal variables $v$ and $w$ of a module. One of them simultaneously changes with I/O signal $u$, and the other one is dependent on $u$ as in (d) or (e).
(h) two internal variables $v$ and $w$ of separate modules. One of them simultaneously changes with the common I/O signal $u$, and the other one is dependent on $u$ as in (d) or (e).
(i) an internal variable $v$ and a signal $w$: $w$ and $u_2$ are dependent as in (b), (c) or (f), and $u_2$ and $v$ can change simultaneously.
(j) an internal variable $v$ and a signal $w$: $v$ and $u_1$ are dependent as in (h), and $u_1$ and $w$ can change simultaneously.

A taxonomy of all possible dependencies between circuit variables is summarized in the following.

Observation 5.1 [Classification of dependencies between circuit variables] Let $C = (M^C, A^C, V^C, G^C, FA^C)$ be a circuit. A classification of all kinds of dependencies between circuit variables is depicted in Figure 5.3. In the first two cases ((a) and (b)), dependency is due to an input being able to disable an output of a module. The incurred non-determinism can be associated with either a legal (acceptable) behavior (case (b)) or an undesirable failure (case (a)). Output choice (case (c)) is another form of legal non-determinism, where an output can disable another output; it thus creates dependency between the two outputs (see Example 5.4). If any I/O signal of a module can disable an internal state variable (case (d)), or conversely, if the internal state variable can change in a transition that disables the I/O signal (case (e)), then the I/O signal and the internal state variable are dependent. Case (f) is different from cases (b) and (c) in that the two signals $v$ and $w$ do not necessarily disable each other; rather, the module might reach different local states by different interleavings of the two variables.
As indicated in Figure 5.3(f), the dependence of an internal variable $u$ on one I/O signal $v$, and its simultaneous transition with another I/O signal $w$, has made the two I/O signals dependent. The four last cases are similar to case (f) in that if any two variables $v$ and $u$ are dependent, then any third variable $w$ that can change simultaneously with $v$ ($u$) is also dependent on $u$ ($v$). There might be other dependency types that are missed in Figure 5.3, but the important result of this classification is that any kind of legal dependency between two circuit variables is the result of dependencies of types (b), (c), (d), or (e) between (possibly other) pairs of variables, extended to other variables by means of simultaneity of transitions. ■

Definition 5.3 [Simultaneity, prime, and failure-free dependency conditions] Based on Observation 5.1, we define the set of prime dependency conditions as the set containing conditions (b), (c), (d), and (e) of Figure 5.3. We define the simultaneity condition to exist between any two circuit variables that can ever change simultaneously. We call the union of the prime dependency conditions and the simultaneity condition the failure-free dependency conditions. ■

A second observation about concurrent systems with interleaving semantics is that often the transitions of only a few variables can change the truth values of the propositional variables, and thus be visible.

Definition 5.4 [Invisible variables] [62] Let $FTS = (FA, AP, L)$ be a finite transition system. A variable $v \in V^C$ is invisible if for all transitions $(q, a, q') \in TR$ that change variable $v$, we have $L(q) = L(q')$. ■

Example 5.5 Let $C = (M^C, A^C, V^C, G^C, FA^C)$ be a circuit, $W^C \subseteq V^C$ be a set of external circuit variables, and $FTS^C = (FA^C, AP^C, L^C)$ be a finite transition system as described in Example 5.1 (i.e., $L^C(q) = Proj(W^C)(q)$). Then all variables of $W^C$ are visible.
If, in addition, $W^C$ is such that no pair of variables $v \in W^C$ and $w \in V^C - W^C$ can change simultaneously, then any $w \in V^C - W^C$ is an invisible variable. ■

Definition 5.5 [Stuttering equivalence] [62] Let $FTS = (FA, AP, L)$ be a finite transition system. The stutter removal operator $Stutt(\cdot)$ applied to a proposition sequence $\rho$ results in a sequence $Stutt(\rho)$ in which each consecutive repetition of a labeling is replaced by a single occurrence. Two proposition sequences $\sigma$ and $\rho$ are equivalent up to stuttering if $Stutt(\sigma) = Stutt(\rho)$. Two sequences of states $t$ and $t'$ are stutter equivalent if $Stutt(Prop(t)) = Stutt(Prop(t'))$. ■

Example 5.6 Let $C = (M^C, A^C, V^C, G^C, FA^C)$ be a circuit, $W^C \subseteq V^C$ be a set of external circuit variables, and $FTS^C = (FA^C, AP^C, L^C)$ be a finite transition system as described in Example 5.1 (i.e., $L^C(q) = Proj(W^C)(q)$). Then for any trace $t = q_0 q_1 q_2 \ldots$ we have $Proj(W^C)(t) = Stutt(Prop(t))$. ■

The next notion defined in [62] is that of a persistent function. In partial order state exploration, the subset of enabled variables whose transitions are selected to be explored from a state $q$ should be independent not only of all the remaining enabled variables in state $q$, but also of any variable that can become enabled in a state reachable from $q$ by transitions of variables not in the selected set.

Definition 5.6 [Persistent functions and sets] [62] Let $FA^C = (A^C, V^C, Q^C, \lambda^C, TR^C, \mu^C, q_0^C)$ be a circuit automaton. A function $\Lambda: Q^C \to 2^{V^C}$ is persistent if for every state $q \in Q^C$ the following holds: for all variables $v \in \Lambda(q)$, (a) $v$ is enabled in $q$ ($v \in Enabled(q)$), and (b) for any sequence of state transitions $t$ from $q$ that changes variables in $V^C - \Lambda(q)$ only, $v$ is independent of all variables that can ever change (or become enabled) along $t$. $\Lambda(q)$ is then called a persistent set of variables at $q$. ■

As we will see in the following subsection, for partial order reduction we require the selected set of enabled transitions that are explored from a given state to be persistent. Note that by the definition of a persistent set, a set that includes all enabled variables of a state $q$ is persistent at $q$. In general, we can possibly have more than one persistent set of variables at each state $q$. The choice of the persistent set can, however, affect not only the structure of the explored state space, but also the validity of the partial order reduction. The last definitions of this section are those of a TMSCC and of internal TMSCCs.

Definition 5.7 [Terminal Maximal Strongly Connected Component, TMSCC] Let $\widetilde{FA}^C = (A^C, V^C, \widetilde{Q}^C, \tilde{\lambda}^C, \widetilde{TR}^C, \tilde{\mu}^C, q_0^C)$ be an automaton (e.g., a sub-automaton of a circuit automaton $FA^C$). A subset $\hat{Q}^C \subseteq \widetilde{Q}^C$ is a strongly connected component of $\widetilde{FA}^C$ iff, within $\widetilde{FA}^C$, all states in $\hat{Q}^C$ are reachable from all states in $\hat{Q}^C$. A strongly connected component in $\widetilde{FA}^C$ is maximal if it is not properly included in any other strongly connected component, and it is terminal if there are no outgoing transitions from it; i.e., there is no state not in $\hat{Q}^C$ that is reachable from a state in $\hat{Q}^C$. ■

By the above definition, a strongly connected component that is terminal is also maximal, and thus a TMSCC.

Definition 5.8 [Internal TMSCC] Let $C = (M^C, A^C, V^C, G^C, FA^C)$ be a circuit, and $W^C \subseteq V^C$ be a set of external circuit variables.
A $W^C$-compatible subset $\hat{Q}^C \subseteq Q^C$ is called an internal TMSCC iff there exists a state $q \in \hat{Q}^C$ such that for any state $q'$ that is reachable from $q$ by any sequence of $W^C$-compatible states, we have $q' \in \hat{Q}^C$ and there exists a sequence of $W^C$-compatible states from $q'$ back to $q$. Note that by the above definition, $\hat{Q}^C \subseteq Q^C$ is an internal TMSCC iff the above condition holds for all states $q \in \hat{Q}^C$. Moreover, this definition implies that $\hat{Q}^C$ is closed, in the sense that no sequence of $W^C$-compatible states from any state $q \in \hat{Q}^C$ can leave $\hat{Q}^C$. ■

5.1.2 Partial Order Reduction for Stuttering Equivalence

In partial order exploration of the state space of a system (e.g., a circuit), the transitions of only a subset of the enabled variables at any state $q$ are explored. By carefully choosing this subset, the properties of interest can be checked over the reduced state space instead of the full state space, without incurring any false positive or negative results. Under such conditions, the properly selected subset of variables at any state $q$ is usually called an ample set, and denoted by $Ample(q) \subseteq Enabled(q)$. We are particularly interested in a partial order reduction that generates a reduced state space such that for each trace of the full state space, there exists a stuttering equivalent trace in the reduced one. Assuming that depth first search (DFS) is used for state space exploration, there exists a set of conditions for the selection of ample sets that guarantee stuttering equivalence between the full and reduced state spaces [62]. Note that during DFS, reaching a state that is already on the search stack implies closing a cycle.

Conditions 5.9 [Ample sets for stuttering equivalence] [62] Let $FTS = (FA, AP, L)$ be a finite transition system.
To generate a sub-automaton $\widetilde{FA}$ (using DFS) that is stuttering equivalent to $FA$, it is sufficient for the ample sets of variables at each state $q \in Q$ to satisfy the following conditions.
C1: $Ample(q)$ is a persistent set.
C2: If $Ample(q) \neq Enabled(q)$ (i.e., $q$ is not fully expanded), then all variables in $Ample(q)$ are invisible.
C3: For every TMSCC in $\widetilde{FA}$, there exists at least one fully expanded state [81]. ■

To better understand condition C1, consider any subtrace $t$ in $FA$ that starts from state $q$. Two possible situations can happen [62]:
Case 1. Let $v$ be the first variable from $Ample(q)$ that changes along $t$. Then condition C1 guarantees that $v$ is independent of all the variables that change before it on $t$. Thus, by applying the definition of independence repeatedly, all the transitions on $t$ prior to the transition by $v$ can be commuted with the transition by $v$. The result is a trace $t'$ starting from $q$ whose first transition changes a variable $v$ in $Ample(q)$.
Case 2. If no transition by a variable in $Ample(q)$ occurs on $t$, then by condition C1, any variable $v \in Ample(q)$ is independent of all variables that change along $t$. Thus, by the definition of independence, one can form subtrace(s) $t'$ starting from $q$ by first firing any transition(s) changing variable $v$, and then consecutively firing the transitions of $t$.
The above two cases show that for any sequence of transitions $t$ from a state $q$ of $FA$, there exists a sequence $t'$ that starts with the transitions of a variable from $Ample(q)$. Condition C2 is there to make the two subtraces $t$ and $t'$ in both of the above cases stuttering equivalent. First consider the case that $Ample(q) \neq Enabled(q)$. Then none of the variables in $Ample(q)$ are visible.
Now, moving a transition that does not change any visible variable to the beginning of trace $t$ (Case 1), or inserting such a transition at the beginning of trace $t$ (Case 2), does not change the propositional sequence of $t$, and as a result $t$ and $t'$ are stutter equivalent. In this case, C1 and C2 together imply that $t'$ contains all the properties of $t$, confirming that it is sufficient to explore from $q$ only the transitions of $Ample(q)$. Next, consider the case that $Ample(q) = Enabled(q)$; then we already explore all enabled transitions from state $q$. When $Ample(q) \neq Enabled(q)$, the transitions of any variable $w \in Enabled(q) - Ample(q)$ are deferred (note that $w$ stays enabled in any state that is reached from $q$ by a transition of a variable from $Ample(q)$). Condition C3 is there to prevent a situation in which $Ample(q) \neq Enabled(q)$ and the transition of a variable $w \in Enabled(q) - Ample(q)$ can be deferred forever along a closed cycle of states containing state $q$. Note that if a variable that is enabled everywhere in a TMSCC does not appear in the selected persistent sets of any of those states, then there could exist a trace in the full state space that is not represented in the reduced state space by any stuttering equivalent trace, which can lead to incorrect verification results. By forcing at least one state of each TMSCC of the reduced state space to be fully expanded, this latter situation is avoided. An ample set that satisfies the above conditions insists on exploring all enabled transitions from a state, or on exploring the transitions of a persistent and invisible set of variables only, such that at least one state of each TMSCC in the reduced state space is fully expanded.

5.2 A First Partial Order Technique to Find Safe Abstractions

In this section, we present our first partial order reduction technique to find safe abstractions.
This partial order technique constructs a sub-automaton of the circuit automaton such that, if it is projectable onto the set of external variables, its projection is a safe abstraction of the circuit behavior. We first show how the first step in finding a safe abstraction can be formalized as a search for a reduced state space that is stuttering equivalent to the full state space of the circuit. This asserts that the partial order reduction of Section 5.1.2, which generates stutter equivalent reduced state spaces, can be used in finding safe abstractions. Then we propose a set of conditions on the external variables, and a strategy for selective search (when using DFS state space exploration), that satisfy all the ample set conditions for stutter equivalence (Conditions 5.9, Section 5.1.2). By construction, the resultant partial order reduction is automatically a valid one, and thus can be used towards finding a safe abstraction.

5.2.1 Feasibility

In this subsection we show why and how partial order reductions can be used to derive safe abstractions.

Theorem 5.2 [Behavior projections and stutter equivalence] Let $C = (M^C, A^C, V^C, G^C, FA^C)$ be a circuit, $W^C \subseteq V^C$ be a set of external circuit variables, and $FTS^C = (FA^C, AP^C, L^C)$ be a finite transition system with $L^C(q) = Proj(W^C)(q)$. If $\widetilde{FA}^C$ is any sub-automaton of $FA^C$ that is stuttering equivalent to $FA^C$ (with respect to $FTS^C$), then we have $Proj(W^C)(\widetilde{B}^C) = Proj(W^C)(B^C)$. ■

Proof The above proposition is an immediate result of the following facts: because of the stuttering equivalence of $\widetilde{FA}^C$ and $FA^C$, for any trace $t \in B^C$ there always exists a trace $\tilde{t} \in \widetilde{B}^C$ such that $Stutt(Prop(t)) = Stutt(Prop(\tilde{t}))$, and since $Stutt(Prop(t)) = Proj(W^C)(t)$, we have $Proj(W^C)(t) = Proj(W^C)(\tilde{t})$. The latter result directly implies that $Proj(W^C)(\widetilde{B}^C) = Proj(W^C)(B^C)$. ■
Corollary 5.3 [Safe abstractions and stutter equivalence] Let $C = (M^C, A^C, V^C, G^C, FA^C)$ be a circuit, $W^C \subseteq V^C$ be a set of external circuit variables, and $FTS^C = (FA^C, AP^C, L^C)$ be a finite transition system with $L^C(q) = Proj(W^C)(q)$. If partial order reduction for stuttering equivalence (Section 5.1.2) is used to construct a sub-automaton $\widetilde{FA}^C$ of $FA^C$, and $\widetilde{FA}^C$ is also projectable onto $W^C$, then $\widetilde{B}^C$ is a safe abstraction of $B^C$ over $W^C$. ■

Proof The above corollary is a direct implication of Theorem 5.2 and Corollary 2.4. It implies that partial order reduction for stuttering equivalence has indeed the potential of finding safe abstractions. For this purpose, we need to devise a strategy for the selection of ample sets that satisfies Conditions 5.9 of Section 5.1.2. ■

Before we present our strategy for the selection of ample sets, we present our general procedure to construct a sub-automaton of a circuit automaton using any ample set strategy.

Procedure 5.1 [Construction of circuit sub-automaton by partial order reduction] Let $C = (M^C, A^C, V^C, G^C, FA^C)$ be any circuit, $W^C \subseteq V^C$ be a set of external circuit variables, and $FTS^C = (FA^C, AP^C, L^C)$ be a finite transition system with $L^C(q) = Proj(W^C)(q)$. Given any strategy for the selection of ample sets for stuttering equivalent partial order reduction, a corresponding sub-automaton $\widetilde{FA}^C = (A^C, V^C, \widetilde{Q}^C, \tilde{\lambda}^C, \widetilde{TR}^C, \tilde{\mu}^C, q_0^C)$ of $FA^C = (A^C, V^C, Q^C, \lambda^C, TR^C, \mu^C, q_0^C)$ is constructed using the following steps:
(i) let $\widetilde{Q}^C = \{q_0^C\}$ and $\widetilde{TR}^C = \emptyset$;

    Construct_subautomaton(q, a, q') {
        $\widetilde{Q}^C = \widetilde{Q}^C \cup \{q'\}$;
        $\tilde{\lambda}^C(q') = \lambda^C(q')$;
        $\widetilde{TR}^C = \widetilde{TR}^C \cup \{(q, a, q')\}$;
        $\tilde{\mu}^C(q, a) = S$;
    }
Fig. 5.4 Constructing the partial order sub-automaton.
(ii) for any state transition $(q, a, q') \in TR^C$ that is explored from a state $q \in \widetilde{Q}^C$ (i.e., $(q, a, q') \in Ample(q)$), let $\widetilde{Q}^C = \widetilde{Q}^C \cup \{q'\}$, $\tilde{\lambda}^C(q') = \lambda^C(q')$, $\widetilde{TR}^C = \widetilde{TR}^C \cup \{(q, a, q')\}$, and $\tilde{\mu}^C(q, a) = S$. ■

We need to emphasize that usually $Ample(q)$ is computed on the fly as a function of the partially constructed sub-automaton $\widetilde{FA}^C$. The above procedure is independent of any ample set strategy, or of any search strategy for that matter (DFS or BFS); it simply specifies how to construct the sub-automaton as the state space of the circuit automaton is partially explored. Algorithm Construct_subautomaton of Figure 5.4 implements step (ii) of the above procedure.

In the following subsections, we first derive a set of criteria for external variables, based on the conditions for ample sets in partial order reduction for stuttering equivalence (Conditions 5.9 of Section 5.1.2). These conditions, in turn, have a number of implications about the independence of circuit variables and the persistency of sets of them. Finally, assuming that the external variables satisfy our specified conditions, we present our first strategy for selective search that satisfies the ample set conditions for stutter equivalence (Conditions 5.9 of Section 5.1.2).

5.2.2 Conditions on the Set of External Variables

In this section, we first introduce some new propositions and definitions. Then, based on the conditions for ample sets (Conditions 5.9 of Section 5.1.2), we derive a set of conditions for the set of external variables. The implications of these conditions are studied in the next subsection.

Proposition 5.4 [Visibility of external variables] Let $C = (M^C, A^C, V^C, G^C, FA^C)$ be a circuit, $W^C \subseteq V^C$ be a set of external circuit variables, and $FTS^C = (FA^C, AP^C, L^C)$ be a finite transition system with $L^C(q) = Proj(W^C)(q)$. Then all variables in $W^C$ are visible.
Moreover, any variable in $V^C - W^C$ that is not simultaneous with any variable in $W^C$ is invisible. ■

The above proposition directly follows from the definitions of visibility and simultaneity. It implies that to satisfy our ample set conditions (Conditions 5.9 of Section 5.1.2), if a state $q$ is not fully expanded, then we must have $Ample(q) \cap W^C = \emptyset$. As seen in Example 5.5, if $W^C$ is such that no pair of variables $v \in W^C$ and $w \in V^C - W^C$ are simultaneous, then any variable $w \in V^C - W^C$ would be an invisible variable, and thus can be included in $Ample(q)$ of any state $q$ that is not fully expanded. If, in addition, $W^C$ contains any variable $v$ that is dependent on any other variable, then any variable $w \in V^C - W^C$ would be independent of all other circuit variables. Under these latter conditions, consider any state $q$ and any variable $v \in V^C - W^C$ that is enabled at state $q$; then $\{v\}$ is always a persistent set. The reason is that there is no sequence of state transitions from $q$ that, without changing $v$, can lead to a state at which a variable $w$ that depends on $v$ can become enabled, simply because no variable $w$ that depends on $v$ exists. Based on the above observations, we have devised a set of conditions on the set of external variables that would then lead to a trivial strategy for the selection of ample sets.

Definition 5.10 [Closure under failure-free dependence] Let $C = (M^C, A^C, V^C, G^C, FA^C)$ be a circuit, $W^C \subseteq V^C$ be its set of external variables, and $FTS^C = (FA^C, AP^C, L^C)$ be a finite transition system with $L^C(q) = Proj(W^C)(q)$. Assume that $W^C$ includes the subset of circuit variables $V_P \subseteq V^C$ that are prime dependent. That is, for all signals $v \in V^C$, if there exists any variable $w$ such that $v$ and $w$ are dependent under the prime dependency conditions, then we must have $v, w \in W^C$.
Assume that $W^C$ is also closed under the simultaneity dependency condition in the following sense: for all variables $v \in W^C$, any variable $w \in V^C$ that can ever change simultaneously with $v$ must also be included in $W^C$ (i.e., $w \in W^C$). Then we call such a set of external signals closed under failure-free dependence. ■

Theorem 5.5 [Persistency and invisibility by closure under failure-free dependence] Let $C = (M^C, A^C, V^C, G^C, FA^C)$ be a circuit, $W^C \subseteq V^C$ be a set of external variables that is closed under failure-free dependence, and $FTS^C = (FA^C, AP^C, L^C)$ be a finite transition system with $L^C(q) = Proj(W^C)(q)$. Then for any state $q$ and any enabled internal signal $v \in (Enabled(q) \cap A^C) - W^C$, a persistent and invisible set at $q$ is $P(q) = \{v\} \cup \{w \mid w \in Enabled(q),\ w \text{ can simultaneously change with } v\}$. ■

Proof (Sketch) First, we show that $P(q)$ is invisible. If there exists a variable $w \in P(q)$ that is visible, then it must be capable of simultaneously changing with a variable $u \in W^C$. But then, since $W^C$ is closed under failure-free dependence, we must have $w \in W^C$, and by the same token we must have $v \in W^C$, which is a contradiction. As a result, $P(q) \subseteq V^C - W^C$ is an invisible set. Next, we show that $P(q)$ is persistent. If it is not, then there must exist a variable $u \notin P(q)$ that is dependent on a variable $w \in P(q)$, and $u$ can become enabled through a sequence of transitions not involving $P(q)$. But since $W^C$ is assumed to be closed under failure-free dependence, no such pair of variables $u$ and $w$ can ever be dependent, for otherwise $u, w \in W^C$, which is a contradiction. Thus $P(q)$ is persistent. ■

Note that by closure under failure-free dependence, a set of external variables might include independent variables as well.
Also, under those conditions, the set of internal variables $V^C - W^C$ can include pairs of simultaneous variables, if they are not dependent on or simultaneous with any external variables. Another interesting result of this condition is that if any I/O signal of any module is made external, then all internal variables of the module that are simultaneous with it must also be made external, together with any other I/O of the module that is, recursively, simultaneous with them.

In the following subsection, we will present our procedure for the construction of a stuttering equivalent circuit sub-automaton (for a failure-free circuit) and the corresponding strategy for the selection of ample sets.

5.2.3 A First Partial Order Reduction

We are now ready to introduce our first algorithm for partial order exploration of the state space of a failure-free partitioned circuit; a selective search that satisfies the ample set conditions for stuttering equivalent partial order reduction.

Algorithm 5.2 [DFS_1, a first algorithm for partial order reduction] Let $C = (M^C, A^C, V^C, G^C, FA^C)$ be a failure-free circuit, $W^C \subseteq V^C$ be a set of external circuit variables that is closed under failure-free dependence, $E^C = A^C \cap W^C$, and $FTS^C = (FA^C, AP^C, L^C)$ be a finite transition system with $L^C(q) = Proj(W^C)(q)$. Algorithm DFS_1 of Figure 5.5 is a DFS algorithm that constructs a sub-automaton $\widehat{FA}^C = (A^C, V^C, \widehat{Q}^C, \widehat{\lambda}^C, \widehat{TR}^C, \widehat{\mu}^C, q_0^C)$ of $FA^C$ that is stuttering equivalent with $FA^C$; i.e., its ample set strategy satisfies Conditions 5.9 of Section 5.1.2. ■
     1  DFS_1(i) {                         /* DFS on circuit block i */
     2      Pop(q);
     3      if q ∈ Q̂^C or Enabled(q) = ∅ then
     4          return;
     5      /* try to explore a single internal transition of block i
     6         to a state that is not on the search stack */
     7      for each v ∈ (Enabled(q) − W^C) ∩ V^C_i {
     8          /* v is an enabled internal signal of block i */
     9          if (q, v, q') ∈ TR^C and q' ∉ Stack then {
    10              Construct_subautomaton(q, v, q');
    11              Push(q');
    12              DFS_1(i);
    13              return;
    14          }
    15      }
    16      /* if all internal transitions of block i lead to states on
    17         the search stack, move on to the next block i + 1 and try
    18         to explore an internal transition of that block */
    19      if i < r^C then {                  /* not the last block */
    20          Push(q);
    21          DFS_1(i + 1);
    22          return;
    23      }
    24      /* if this was the last block, then fully expand state q */
    25      else {
    26
    27          /* explore all transitions from state q */
    28          for each v ∈ Enabled(q) {
    29              /* v is any enabled signal */
    30              for each (q, v, q') ∈ TR^C {
    31                  Construct_subautomaton(q, v, q');
    32                  /* continue the DFS search from each
    33                     un-explored state q' */
    34                  if q' ∉ Q̂^C then {
    35                      Push(q');
    36                      DFS_1(1);
    37                  }
    38              }
    39          }
    40      }
    41  }

Fig. 5.5 Algorithm DFS_1.

     1  Partial_order() {
     2      Q̂^C = TR̂^C = ∅;
     3      for each initial state q_0 {
     4          Push(q_0);
     5          DFS_1(1);
     6      }
     7  }

Fig. 5.6 Partial order reduction using Algorithm DFS_1.

Partial order reduction starts by calling procedure Partial_order of Figure 5.6, which calls DFS_1 for (each of) the initial state(s) of the circuit.
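The following Python is an added example, not code from the thesis: it implements the closure under failure-free dependence of Definition 5.10 and Algorithm DFS_1 together with Construct_subautomaton and Partial_order (Figures 5.4 to 5.6) on a constructed toy circuit of five signals in two blocks. Everything about the circuit (the signals a, b, c, x, y, their blocks, the enabling rules, and the dependence and simultaneity relations handed to the closure) is an assumption of the example; the thesis's prime dependency conditions are not reproduced, the dependent pairs are simply supplied as data. Two interpretations of the pseudocode are labelled in the comments: the search stack is kept as the explicit DFS path, and the "previously explored" test of line 3 uses a separate visited set rather than membership in $\widehat{Q}^C$, since Construct_subautomaton adds a state to $\widehat{Q}^C$ as a transition target before that state is popped.

```python
from collections import deque

# Constructed toy circuit (assumption of this example, not the thesis's circuit).
VARS = ("a", "b", "c", "x", "y")                  # a state is a tuple of bits in this order
BLOCK = {"a": 1, "x": 1, "b": 2, "c": 2, "y": 2}   # circuit block M^C_i driving each signal
R = 2                                              # r^C, the number of circuit blocks

def enabled(q):
    """Enabled(q): signals whose next value differs from the current one (constructed rules)."""
    a, b, c, x, y = q
    en = {v for v, bit in (("a", a), ("b", b), ("x", x)) if bit == 0}  # each rises once, independently
    if x == 1 and y == 0:
        en.add("y")                                # y rises only after x; c changes together with y
    return en

def successor(q, v):
    """(q, v, q') in TR^C: the state reached when the enabled signal v fires."""
    q2 = list(q)
    q2[VARS.index(v)] = 1
    if v == "y":
        q2[VARS.index("c")] = 1                    # simultaneous change of c with y
    return tuple(q2)

def closure_ffd(seed, dependent, simultaneous):
    """Smallest superset of seed closed under failure-free dependence (Definition 5.10):
    both ends of every prime-dependent pair are external, and any variable that can change
    simultaneously with an external one is external (computed as a fixed point)."""
    w = set(seed)
    for v, u in dependent:
        w |= {v, u}
    grown = True
    while grown:
        grown = False
        for v, u in simultaneous:
            for inside, other in ((v, u), (u, v)):
                if inside in w and other not in w:
                    w.add(other)
                    grown = True
    return w

class SubAutomaton:
    """The partially explored sub-automaton of Procedure 5.1 and Figure 5.4."""
    def __init__(self, initial):
        self.states = set(initial)   # Q^C-hat, step (i) of Procedure 5.1
        self.trans = set()           # TR^C-hat, triples (q, v, q')
        self.mu = {}                 # mu^C-hat(q, v): the set S of variables changed at once

    def construct_subautomaton(self, q, v, q2):
        self.states.add(q2)
        self.trans.add((q, v, q2))
        self.mu[(q, v)] = {VARS[k] for k in range(len(VARS)) if q[k] != q2[k]}

def dfs_1(sub, path, w, visited):
    """Algorithm DFS_1 (Figure 5.5). Interpretation (assumption): `path` is the search stack with
    the current state on top, `visited` plays the role of the line-3 test, and the loop over i
    replaces the recursion on the block number."""
    q = path[-1]
    if q in visited or not enabled(q):
        return
    visited.add(q)
    for i in range(1, R + 1):                      # DFS_1(i) for i = 1 .. r^C
        for v in sorted(enabled(q) - w):           # enabled internal signals ...
            if BLOCK[v] != i:                      # ... of block i only
                continue
            q2 = successor(q, v)
            if q2 not in path:                     # never close a cycle on the stack
                sub.construct_subautomaton(q, v, q2)
                path.append(q2)
                dfs_1(sub, path, w, visited)
                path.pop()
                return                             # a single internal transition is explored
    for v in sorted(enabled(q)):                   # last block reached: fully expand q
        q2 = successor(q, v)
        sub.construct_subautomaton(q, v, q2)
        if q2 not in visited:
            path.append(q2)
            dfs_1(sub, path, w, visited)
            path.pop()

def partial_order(initials, w):
    """Figure 5.6: run DFS_1 from each initial state and return the reduced sub-automaton."""
    sub, visited = SubAutomaton(initials), set()
    for q0 in initials:
        dfs_1(sub, [q0], w, visited)
    return sub

def full_state_space(initials):
    """Reachable states and transitions of the full automaton FA^C, for comparison."""
    seen, trans, todo = set(initials), set(), deque(initials)
    while todo:
        q = todo.popleft()
        for v in enabled(q):
            q2 = successor(q, v)
            trans.add((q, v, q2))
            if q2 not in seen:
                seen.add(q2)
                todo.append(q2)
    return seen, trans

# Constructed relations: x and y are declared prime dependent, c is simultaneous with y.
W = closure_ffd({"x"}, dependent=[("x", "y")], simultaneous=[("y", "c")])   # {"c", "x", "y"}
Q0 = (0, 0, 0, 0, 0)
REDUCED = partial_order([Q0], W)
FULL_STATES, FULL_TRANS = full_state_space([Q0])

if __name__ == "__main__":
    print("external set:", sorted(W))
    print("full:", len(FULL_STATES), "states,", len(FULL_TRANS), "transitions")
    print("reduced:", len(REDUCED.states), "states,", len(REDUCED.trans), "transitions")
```

On this input the closure grows the seed {x} to {c, x, y}; the full state space has 12 states and 20 transitions, while the reduced one has 5 states and 4 transitions: one interleaving of the independent internal signals a and b, after which the external transitions x and then y (with c) are explored from the state at which the internals have stabilized. Every path of the full space projects onto $W^C$ as the same stutter-free sequence of external states, which is what stuttering equivalence requires.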
Before we prove that Algorithm DFS_1 indeed constructs a stuttering equivalent sub-automaton of the circuit automaton of a failure-free circuit, we explain how the algorithm works. The circuit blocks are numbered from 1 to $r^C$. Each recursive call of the algorithm receives as an argument the number of a circuit block which is to be searched for an ample (internal) transition. The search stack is initialized with an initial state, and DFS_1 is called with the first circuit block. Then DFS_1 repeatedly does the following: assuming that the current state $q$ (popped from the stack) was not previously explored, if there exists any transition $(q, v, q') \in TR^C$ by an internal signal of the current block $i$ such that state $q'$ is not on the search stack, that transition is explored and the search is continued from state $q'$ and within circuit block $i$; otherwise, unless this is the last block, the search is continued from state $q$ and within the next circuit block $i + 1$; if, on the other hand, this is the last circuit block, then $q$ is fully explored and the search is continued from each of the reached states and from within circuit block 1. As in any DFS search, previously explored states that are already in the reduced state space, or states not having any outgoing transitions, are not further processed once they are popped from the stack. For reduced state spaces of possibly smaller sizes, one can enforce the exploration of internal transitions to previously explored states, assuming that they are not on the search stack.

A more intuitive analysis of the behavior of Algorithm DFS_1 is as follows. The goal of the algorithm is to direct the circuit into a non-transient state where the internal variables of the circuit are either stabilized or involved in a non-transient oscillation. To do this, the algorithm successively directs each circuit block $M^C_i$ into a local non-transient state where the internal variables of the block are either stabilized or involved in a non-transient oscillation. In directing a circuit block $M^C_i$ from a state $q^i_0$ to its non-transient state, at any intermediate state $q$, if there exists any (arbitrary) internal transition to any state $q'$ that is not on the DFS stack (and hence does not close a cycle), then our partial order explores only that transition, by letting $Ample(q)$ be a singleton set containing the corresponding variable. Thus, the goal is to explore, from $q^i_0$, a single interleaving of internal signal transitions leading to a state at which all internal signals of the block are stabilized (or, more generally, have made all of their transitions); however, in the presence of internal oscillations, an arbitrary internal signal transition might lead to a state on the DFS path and close a cycle (oscillation). In such a case, a valid partial order should avoid a case in which a variable that is enabled everywhere along a cycle is never included in any ample set. This is required for the satisfaction of condition C3 of Section 5.1.2 for ample sets. That is why, in stabilizing the internal signals of a circuit block, Algorithm DFS_1 tries to avoid closing cycles as much as possible. Eventually, a state $q$ is reached at which either no internal signal of circuit block $M^C_i$ is enabled, or all transitions of such signals lead to states that are on the DFS stack. It is easy to see that any such state $q$ would be a local non-transient state of block $M^C_i$. At this point, Algorithm DFS_1 starts directing circuit block $i + 1$ to its local non-transient states, starting from state $q^{i+1}_0 = q$.
Once all circuit blocks are successively directed to their local non-transient states, and (as can be proven) the whole circuit is in a global non-transient state, all enabled transitions from such a state are explored, and the DFS search is continued from each state $q$ that can be reached by such transitions and was not previously explored.

Proof [Algorithm 5.2, DFS_1, generates a stuttering equivalent sub-automaton of a failure-free circuit] (Sketch) We need to show that the selectively explored sets of transitions in Algorithm DFS_1 satisfy the ample set conditions of Section 5.1.2.

C1: We note that from each state $q$ that is visited by DFS_1, either a single internal transition (lines 7-15) or all enabled transitions (lines 28-39) are explored. However, since the set of external variables is closed under failure-free dependence, both of the above situations characterize a persistent set, and thus the persistency condition C1 for an ample set is satisfied.

C2: Since external transitions are explored only from states that are fully explored, the visibility condition C2 is also satisfied by the selective search of DFS_1.

C3: We note that unless a state is fully explored, DFS_1 does not explore any of its enabled transitions to states that are on the search stack. On the other hand, DFS_1, as an ordinary DFS algorithm (that does not re-explore states), can close a cycle in the searched space only by exploring transitions to states on the search stack [24]. As a result, all cycles in the reduced state space that is explored by DFS_1 have a state that is fully explored. Since any TMSCC consists of states with cycle(s) between any pair of them, if all cycles of the reduced state space have a state that is fully explored, then all TMSCCs of the reduced state space (if any exist) will also have a state that is fully explored.
Thus, the selective search of DFS_1 also satisfies condition C3 for ample sets. Since all three conditions are met, DFS_1 indeed generates a stuttering equivalent reduced state space for a failure-free circuit (i.e., if the internal variables are indeed failure-free independent of all other variables). ■

Algorithm DFS_1 simply generates a reduced state space that is stuttering equivalent to the full state space of a failure-free circuit. To find a safe abstraction of the behavior of a circuit, whether it is failure-free or not, the sub-automaton that is constructed by Algorithm DFS_1 (the automaton of the partially explored state space) has to be projected onto the set of external variables. We will end this section without presenting any algorithm for the projection of the sub-automaton constructed by DFS_1. The reason is that such an algorithm would not be a simple one, and since in practice we will not use DFS_1 to find safe abstractions, our efforts in devising or presenting such an algorithm would be wasted. In the following section, we present an enhanced algorithm for partial order reduction that is a close representative of what we use in practice. The enhanced algorithm automatically provides a way for simple on-the-fly projection of the constructed sub-automaton, which is discussed in the next section.

5.3 An Enhanced Partial Order Reduction

In this section, we present an enhanced algorithm for stuttering equivalent partial order reduction (for a failure-free circuit) that has an embedded procedure to check the projectability of the partial order sub-automaton and compute its projection on the fly. The new algorithm is thus capable of directly finding a safe abstraction. This enhanced algorithm, instead of the authentic DFS used in Algorithm DFS_1, uses what we call parallel DFS.
Parallel DFS can be regarded as a special kind of breadth first search (BFS), which can in turn be implemented using symbolic techniques and BDDs. In this section, we first present the new algorithm, and then prove its correctness in finding a safe abstraction in the following way. We prove that the reduced state space (sub-automaton) generated by the algorithm is stuttering equivalent to the full state space, if the circuit is failure-free. This is proven by showing that the ample set conditions are satisfied by the algorithm's selective search. We also prove that if the circuit is failure-free, then the embedded procedure for on-the-fly projection finds an automaton projection of the constructed sub-automaton iff it is projectable, and otherwise it aborts the algorithm. In the same regard, we also prove that if the circuit is not failure-free and the on-the-fly projection procedure does not abort, then for all the traces of its generated automaton, there exists a stuttering equivalent trace in the reduced state space. These properties are proven based on the properties of failure-free independence. Together, these results imply the correctness of the overall approach in finding a safe abstraction. In Section 5.3.3, a further optimized version of the new algorithm is presented that can further speed up the search and reduce the size of the explored state space.

     1  Safe_abstraction() {
     2      for each initial state q_0 {
     3          Push(q_0, q_0);
     4          DFS_2(q_0, 1);
     5      }
     6  }

Fig. 5.7 Finding a safe abstraction using Algorithm DFS_2.

5.3.1 A Complete Solution to Finding a Safe Abstraction

In this section we present a new partial order algorithm incorporating independent DFS searches that can be performed in parallel.
Algorithm 5.3 [DFS_2, an enhanced algorithm for finding safe abstractions] Let $C = (M^C, A^C, V^C, G^C, FA^C)$ be a failure-free circuit, $W^C \subseteq V^C$ be a set of external circuit variables that is closed under failure-free dependence, $E^C = A^C \cap W^C$, and $FTS^C = (FA^C, AP^C, L^C)$ be a finite transition system with $L^C(q) = Proj(W^C)(q)$. Algorithm DFS_2 (Figure 5.8) is a parallel DFS algorithm that constructs a sub-automaton $\widehat{FA}^C = (A^C, V^C, \widehat{Q}^C, \widehat{\lambda}^C, \widehat{TR}^C, \widehat{\mu}^C, q_0^C)$ of $FA^C$ that is stuttering equivalent with $FA^C$; i.e., its ample set strategy satisfies Conditions 5.9 of Section 5.1.2. Moreover, its embedded procedure Construct_projection (Figure 5.10) finds an automaton projection of the constructed sub-automaton iff it is projectable, and otherwise it aborts the algorithm. Finally, if procedure Construct_projection does not abort the algorithm, then the behavior of its output automaton is always a safe abstraction of the circuit behavior, even when the circuit is not failure-free. ■

To find a safe abstraction, procedure Safe_abstraction of Figure 5.7 is called, which calls DFS_2 for (each of) the initial state(s) of the circuit. For the on-the-fly projection and projectability check of the constructed sub-automaton, DFS_2 calls procedure Construct_projection of Figure 5.10.

Before we prove the above mentioned properties of Algorithm DFS_2, we explain how the algorithm works. Algorithm DFS_2, instead of a single stack, utilizes multiple DFS stacks that are initiated either from the initial state(s) or from states that are entered after an external variable transition. These stacks are identified by (the label of) the state from which they were initiated. The recursive function DFS_2 thus has two parameters: the first parameter is the stack identifier, and the second one is the number of the circuit block from which the DFS search has to be continued (similar to the case of Algorithm DFS_1). Each DFS stack is associated with an independent DFS search of the circuit state space that is started from the initial state of the stack (the state at which the stack was initiated and which identifies the stack), and ends at a state from which all enabled transitions are explored, called the terminal state of that DFS. Each independent DFS search goes through all the $r^C$ circuit blocks in order, and explores in each block a maximal cycle-free sequence of internal signal transitions of the block, by never exploring a transition to a state that is on its own stack. Eventually, each independent DFS search reaches a terminal state in the last circuit block from which either no internal transition is possible, or the transition of any internal signal would close a cycle of signal transitions in the local state of the circuit block that drives that signal. At the terminal state of each DFS path, procedure Explore_internal_trans of Figure 5.9 explores all enabled internal transitions, and from each of the reached states it finds a sequence of internal transitions back to the same terminal state. All enabled external transitions of the terminal state are also explored, and a new DFS search is initiated from each new state that is reached. Thus each DFS search explores a cycle-free sequence (path) of states from the initial state of its stack to a terminal state at which all enabled transitions are explored. The DFS searches of Algorithm DFS_2 are independent in the sense that they are free to re-explore states that were previously explored (added to the reduced state space) by preceding DFS searches.

     1  DFS_2(p, i) {                      /* DFS on the stack of state p and circuit block i */
     2      Pop(q, p);                     /* pop a state q from the stack of state p */
     3      if Enabled(q) = ∅ then
     4          return;
     5      /* try to explore a single internal transition of block i
     6         to a state that is not on the stack of p */
     7      for each v ∈ (Enabled(q) − W^C) ∩ V^C_i {
     8          /* v is an enabled internal signal of block i */
     9          if (q, v, q') ∈ TR^C and q' ∉ Stack(p) then {
    10              Construct_subautomaton(q, v, q');
    11              Push(q', p);
    12              DFS_2(p, i);
    13              return;
    14          }
    15      }
    16      /* if all internal transitions of block i lead to states on
    17         the search stack of p, move on to the next block i + 1 and
    18         try to explore an internal transition of that block */
    19      if i < r^C then {                  /* not the last block */
    20          Push(q, p);
    21          DFS_2(p, i + 1);
    22          return;
    23      }
    24      /* the end of the DFS path from state p is reached */
    25      else {
    26          Construct_projection(q);
    27          Explore_internal_trans(p, q);
    28          for each v ∈ Enabled(q) ∩ W^C {     /* explore external trans */
    29              /* v is an enabled external signal */
    30              for each (q, v, q') ∈ TR^C {
    31                  Construct_subautomaton(q, v, q');
    32                  /* initiate a new DFS search from each
    33                     un-explored state q' */
    34                  if q' ∉ Q̂^C then {
    35                      Push(q', q');
    36                      DFS_2(q', 1);
    37                  }
    38              }
    39          }
    40      }
    41  }

Fig. 5.8 Algorithm DFS_2.

     1  Explore_internal_trans(p, q) {
     2      for each v ∈ Enabled(q) − W^C and (q, v, q') ∈ TR^C {
     3          Construct_subautomaton(q, v, q');
     4          /* if M^C_i is the circuit block that drives signal v,
     5             then explore the same sequence of signal transitions
     6             that was previously explored in block M^C_i along
     7             the DFS path of the stack of p */
     8          if v ∈ H^C_i then {
     9              if ∃ s ∈ Stack(p) s.t. Proj(H^C_i)(s) = Proj(H^C_i)(q') then {
    10                  repeat {
    11                      /* s' is on top of s on the stack of p */
    12                      s' = Top(s, p);
    13                      if (s, w, s') ∈ TR^C and w ∈ H^C_i then {
    14                          if (q', w, q'') ∈ TR^C then {
    15                              Construct_subautomaton(q', w, q'');
    16                              q' = q'';
    17                              s = s';
    18                          }
    19                      }
    20                      else
    21                          /* at this point we should have q' = q */
    22                          break;     /* quit the repeat loop */
    23                  } until 0;
    24              }
    25          }
    26      }
    27  }

Fig. 5.9 Algorithm Explore_internal_trans.

    Construct_projection(q) {
        Temp = ∅;
        for each (q, v, q') ∈ TR^C s.t. v ∈ Enabled(q) ∩ W^C
            Temp = Temp ∪ Proj(W^C)(q, v, q');
        if Proj(W^C)(q) ∈ Q^V then
            if Temp ≠ {(r, a, s) ∈ TR^V | r = Proj(W^C)(q)} then
                exit("Not a safe abstraction");
            else
                return;
        else {
            Q^V = Q^V ∪ {Proj(W^C)(q)};
            TR^V = TR^V ∪ Temp;
        }
    }

Fig. 5.10 On-the-fly projection and projectability check of the sub-automaton.
This is different from the authentic DFS search of Algorithm DFS_1, which avoids re-exploring states that are already in the reduced state space (compare line 3 of the two algorithms). This redundancy of DFS_2 is only to force each independent DFS path to complete the exploration of a maximal cycle-free sequence of internal transitions before it is terminated, even if parts of this path (sequence) overlap with paths that were explored previously. The same is also true of the selective search of procedure Explore_internal_trans; i.e., it is free to re-explore states of the reduced state space.

Comparing the two algorithms DFS_1 and DFS_2 line by line, one can observe that they are quite similar, with the following differences: (a) DFS_2 uses local stacks that are initiated at the initial state(s) of the circuit or after each external signal transition to a new state, while DFS_1 uses a global stack that is initiated just once; (b) DFS_2 might re-explore states, while DFS_1 avoids that (compare line 3 of the two algorithms); (c) after exploring maximal sequences of internal transitions (i.e., at the terminal states of independent DFS paths), DFS_2 uses a directed independent DFS search to explore internal transitions (compare lines 27 and 28 of the two algorithms), in the sense that the explored paths are led back to the terminal state; and (d) DFS_2 also carries a procedure for on-the-fly projection of the reduced state space (line 26).

One major consequence of the first three above mentioned differences between Algorithms DFS_2 and DFS_1, in terms of the structure of the reduced state spaces that they create, is the possible existence of extra cycles in the state space generated by DFS_2 that are not fully expanded at the state that closes the cycle.
These cycles can be the result of exploring an internal transition to a previously explored state that is not on the current local stack of Algorithm DFS_2, but is on the global path from the last explored initial state of the circuit to the initial state of the current stack. Such cycles reside on the single stack of Algorithm DFS_1, without the closing state being fully explored, although the cycle does have a fully expanded state. An example of this case is illustrated in Figure 5.11, where the DFS path from state $q_3$ to $q_4$ does not close any cycle on itself; however, it closes a cycle on the global stack that starts from initial state $q_0$ and passes through $q_1$, $q_2$, $q_3$, $q_2$, etc. The cycle is closed at state $q_2$, which is an ancestor of state $q_3$, the initial state of the local stack. Although the state at which the cycle is closed ($q_2$) is not fully expanded, the cycle does have a state that is fully expanded, i.e., $q_3$.

Algorithm DFS_2 can also create cycles of internal transitions that are not on a global DFS path, but are created by independently explored paths (DFS paths or paths of internal transitions explored by Explore_internal_trans) that happen to cross each other more than once, in certain ways. Such cycles might have no state that is fully expanded. Two examples of this case are illustrated in Figure 5.11.

[Figure 5.11: state diagram not reproduced. Legend: a fully-expanded state (filled circle); a partially expanded state (open circle); a sequence of internal transitions; an external transition followed by a sequence of internal transitions; a subsequence in a cycle.]

Fig. 5.11 Algorithm DFS_2 can create additional cycles. The cycle containing states $q_{10}$ and $q_{12}$ is created by two independent DFS paths starting from states $q_4$ and $q_9$, respectively.
The cycle containing states $q_8$ and $q_9$ is created by a DFS path starting from state $q_6$ crossing a cycle of internal transitions from state $q_{11}$ to itself. In both of these examples, no state on the cycles is fully expanded.

In the rest of this section, we will prove that Algorithm DFS_2 indeed generates stuttering equivalent reduced state spaces for failure-free circuits by showing that it satisfies all the ample set conditions of Section 5.1.2. We will show that none of the additional cycles that can be introduced in the reduced state space generated by Algorithm DFS_2 are TMSCCs, and thus the fact that they might not have a fully expanded state is harmless. Moreover, we show that the persistency condition for the selected set of transitions from each state explored by Algorithm DFS_2 is satisfied. We also prove the ability of the embedded procedure Construct_projection to find a safe abstraction, if one exists.

5.3.2 Proof of Correctness

To prove the correctness of Algorithm DFS_2 for the generation of a stuttering equivalent partial order sub-automaton of the circuit automaton, we need to show that it satisfies the three ample set conditions of Section 5.1.2. Procedure Explore_internal_trans, illustrated in Figure 5.9, performs a selective search that is different in style from the one within the body of the algorithm. Before we explain how procedure Explore_internal_trans works, we make the following observations about any path from the initial state $p$ to the terminal state $q$ of a local DFS. At line 27 of Algorithm DFS_2, where the terminal state $q$ of the stack of state $p$ is going to be fully expanded, the stack of state $p$ contains a (cycle-free) sequence of states $t = q^1_0 q^1_1 \dots q^1_{n_1} q^2_0 \dots q^m_{n_m}$ from state $p$ to state $q$, where $m = r^C$, $q^1_0 = p$, and $q^m_{n_m} = q$. This sequence consists of $r^C$ possibly empty subsequences of states $t_i = q^i_0 q^i_1 \dots q^i_{n_i}$, $1 \le i \le r^C$. Each $t_i$ is a sequence of $n_i + 1$ unique states (because $t$, and hence $t_i$, are cycle-free paths of states), and only internal signals of circuit block $M^C_i$ change along $t_i$. Moreover, the last state $q^i_{n_i}$ of any subsequence $t_i$ has the property that the transition of any internal signal of block $i$ from state $q^i_{n_i}$ would lead to a state of $t_i$. Finally, since no internal signal of block $i$ changes along $t$ after state $q^i_{n_i}$ is explored, for all $1 \le i \le r^C$ we have $Proj(H^C_i)(q) = Proj(H^C_i)(q^i_{n_i})$, and for any transition $(q, v, q')$, if $v \in H^C_i$ then there exists a state $s \in t_i$ such that $Proj(H^C_i)(s) = Proj(H^C_i)(q')$. These properties of trace $t$ and its subtraces $t_i$ are the result of the particular way that Algorithm DFS_2 explores internal transitions of the circuit before reaching a terminal state of the stack of state $p$. Intuitively, along trace $t$, at any state $q^i_{n_i}$ and beyond (e.g., at terminal state $q$), each circuit block $M^C_i$ is in a maximal local cycle of states, and no matter what transitions happen outside of block $M^C_i$, as long as no external transitions occur, any transition by an enabled internal signal of block $M^C_i$ will take the circu to a state that was locally visited before (in block $M^C_i$), along $t_i$.

At this point we are ready to explain how procedure Explore_internal_trans works. For each internal transition $(q, v, q')$ from a terminal state $q$ to a state $q'$, by an internal signal $v$ of a circuit block $M^C_i$ ($v \in H^C_i$), Explore_internal_trans explores transition $(q, v, q')$ followed by a sequence of transitions from $q'$ back to state $q$. This is achieved by exploring the same sequence of signal transitions that was previously explored to state $q^i_{n_i}$ from a state $s$ along subsequence $t_i = q^i_0 \dots q^i_{n_i}$, where $s$ has the property that $Proj(H^C_i)(s) = Proj(H^C_i)(q')$.
Existence of such a state $s$ and $Proj(H^C_i)(q^i_{n_i}) = Proj(H^C_i)(q)$ are guaranteed by the properties of trace $t$ that we have just discussed. The above observation about the terminal states of DFS paths of Algorithm dfs_2 can be summarized in the following lemma.

Lemma 5.6 [Internal transitions from terminal states of DFS paths] Let $C = (M^C, A^C, V^C, G^C, FA^C)$ be a failure-free circuit, $W^C \subseteq V^C$ be a set of external circuit variables that is closed under failure-free dependence, $E^C = A^C \cap W^C$, and $FTS^C = (FA^C, AP^C, L^C)$ be a finite transition system with $L^C(q) = Proj(W^C)(q)$. Let Algorithm dfs_2 be used for partial exploration of the state space of $C$. At line 27 of Algorithm dfs_2, where state $q$ would be the terminal state of the DFS path started from state $p$, state $q$ has the following property: for any state $q'$ that is reachable from state $q$ by the transition of an enabled internal signal $v \in Enabled(q) - W^C$ (i.e., $(q, v, q') \in TR^C$), there exists a sequence of internal transitions from state $q'$ back to state $q$. ■

Each of the sequences of states that are explored by procedure Explore_internal_trans from terminal state $q$ closes a cycle at that state. However, all such cycles (even if associated with a TMSCC in the reduced state space) have a common state, $q$, that is fully expanded. Having explained the operation of procedure Explore_internal_trans, we are now ready to prove that the reduced state space explored by Algorithm dfs_2 is stuttering equivalent with the full state space, if the circuit is failure-free (i.e., the internal signals are actually failure-free independent).
Theorem 5.7 [Algorithm 5.3, dfs_2, generates a stuttering equivalent sub-automaton] Let $C = (M^C, A^C, V^C, G^C, FA^C)$ be a failure-free circuit, $W^C \subseteq V^C$ be a set of external circuit variables that is closed under failure-free dependence, $E^C = A^C \cap W^C$, and $FTS^C = (FA^C, AP^C, L^C)$ be a finite transition system with $L^C(q) = Proj(W^C)(q)$. Then Algorithm dfs_2 constructs a sub-automaton $\hat{FA}^C$ of $FA^C$ (with state set $\hat{Q}^C \subseteq Q^C$ and transition set $\hat{TR}^C \subseteq TR^C$) that is stuttering equivalent with $FA^C$. ■

Proof (Sketch) To prove the correctness of Algorithm dfs_2 in generating a reduced state space that is stuttering equivalent with the full state space of the partitioned circuit, we show that it satisfies all three conditions for the selection of ample sets.

C1: This condition is satisfied by the selective search of Algorithm dfs_2 for the following reasons. At each state $q$ of the reduced state space generated by Algorithm dfs_2, the set of enabled variables whose transitions are explored, denoted by $Ample(q) \subseteq Enabled(q)$, has (only) one of the following forms: (a) $Ample(q) = \{v\}$, where $v \in Enabled(q) - W^C$. This happens when state $q$ is explored just once, or when it is explored multiple times (along different paths) but each time the same internal transition from it is explored. (b) $Ample(q) \subseteq Enabled(q) - W^C$. This happens when state $q$ is explored multiple times (along different paths) and not the same internal transition is explored each time. (c) $Ample(q) = Enabled(q)$. This happens when state $q$ is fully expanded as the terminal state of at least one DFS path. Note that it is possible for a state to be fully expanded by one DFS search, while other independent DFS searches,
or Explore_internal_trans, might have explored only single transitions from that state. The set $Ample(q)$ is thus a persistent set in each of the above situations. The reason is that any non-empty subset of internal transitions is always a persistent set (since $W^C$ is assumed to be closed under failure-free dependence), and $Enabled(q)$ is also always a persistent set.

C2: This condition is satisfied by the selective search of Algorithm dfs_2 because the only place where any visible (i.e., external) transition is explored by that algorithm is when a state is fully expanded.

C3: To prove that this condition is satisfied by Algorithm dfs_2, we need to show that any TMSCC in the reduced state space generated by that algorithm has a state that is fully expanded. A TMSCC in the reduced state space $\hat{FA}^C$ is a subset $\hat{Q} \subseteq \hat{Q}^C$ such that (a) each state $q \in \hat{Q}$ can reach any other state $q' \in \hat{Q}$ through a sequence of states in $\hat{Q}$, and (b) there exists no transition from any state $q \in \hat{Q}$ to any state $q' \notin \hat{Q}$. By condition (a) above, for each pair of states $q, q' \in \hat{Q}$ there exists a cycle of states within $\hat{Q}$ that contains the two states. The above two conditions also imply that if any state $q \in \hat{Q}^C$ belongs to a TMSCC, then any state that is reachable from state $q$ also belongs to the same TMSCC. To prove condition C3, it is sufficient to prove for every state $q$ of the reduced state space that if $q$ belongs to a TMSCC, then that TMSCC has a state that is fully expanded (note that by the definition of a TMSCC, each state can belong to at most one TMSCC). It is thus sufficient to show that from every state of the reduced state space there exists a path to a state that is fully expanded.
But this is exactly what is enforced by Algorithm dfs_2; i.e., any independent DFS search is stretched to a state that is fully expanded, and the states that are explored by procedure Explore_internal_trans also have paths to the originating state, which is fully expanded. Thus, Algorithm dfs_2 indeed satisfies condition C3. ■

To prove that procedure construct_projection, which is embedded in dfs_2, can find a safe abstraction, we first need to present some lemmas.

Lemma 5.8 [The terminal state of any DFS path belongs to an internal TMSCC] Let $C = (M^C, A^C, V^C, G^C, FA^C)$ be a failure-free circuit, $W^C \subseteq V^C$ be a set of external circuit variables that is closed under failure-free dependence, $E^C = A^C \cap W^C$, and $FTS^C = (FA^C, AP^C, L^C)$ be a finite transition system with $L^C(q) = Proj(W^C)(q)$. Also let Algorithm dfs_2 be used for partial exploration of the state space of $C$. Then the terminal state $q$ of any DFS path that is started from any state $p$ belongs to an internal TMSCC of $FA^C$. That is, by the definition of an internal TMSCC, from any state $q'$ that is reachable from $q$ through a sequence of internal transitions there exists a sequence of internal transitions from $q'$ back to $q$, and all such states $q'$ belong to the internal TMSCC. ■

Proof (Sketch) We prove this lemma by first showing that for all $n \ge 1$, and all sequences of internal transitions $t_n = q q_1 q_2 \ldots q_{n-1} q_n$ from any terminal state $q$, there exists a sequence of internal transitions from $q_n$ to $q_{n-1}$. Since this is a recursive property, it also implies that any state $q_i$ on $t_n$, $1 \le i \le n$, can reach its preceding state, $q_{i-1}$, through a sequence of internal transitions (note that $q_0 = q$).

Fig. 5.12 Illustration of the inductive case of Lemma 5.8. (Legend: a single transition; a sequence of internal transitions.)
Thus, it also implies that any $q_i$ on $t_n$, and in particular $q_n$, can reach $q$ through some sequence of internal transitions. We prove the above property using an induction on the length $n$ of the sequence of internal transitions from a terminal state $q$ to any other state $q_n$.

Basis step: If $q_1$ is any state reached from terminal state $q$ by a sequence of internal transitions of length one, i.e., $(q, v, q_1) \in TR^C$ and $v \in Enabled(q) - W^C$, then by Lemma 5.6 there exists a sequence of internal transitions from $q_1$ back to $q$.

Inductive hypothesis: Let $q_n$ be any state that is reachable from terminal state $q$ by any sequence of internal transitions $t_n = q q_1 \ldots q_{n-1} q_n$ of length $n$, and assume that there exists a sequence of internal transitions from $q_n$ to $q_{n-1}$.

Inductive step: For any state $q_{n+1}$ that is reachable from $q$ by any sequence of internal transitions $t_{n+1} = q q_1 \ldots q_{n-1} q_n q_{n+1}$ of length $n + 1$, there exists a sequence of internal transitions from $q_{n+1}$ to $q_n$.

Fig. 5.13 Illustration of case (a) in the proof of Lemma 5.8. (Legend: a transition by signal $v$; a sub-sequence of trace $t_{q_n}$; a signal transition on trace $t_{q_n}$; a sub-sequence of trace $t'_{q_n}$; a signal transition on trace $t'_{q_n}$.)

To prove this, for any state $q_n$ described in the inductive hypothesis, and any state $q_{n+1}$ that is reachable from $q_n$ by an internal transition (i.e., $(q_n, v, q_{n+1}) \in TR^C$, $v \in Enabled(q_n) - W^C$, and $q_{n+1}$ is reachable from $q$ by a sequence $t_{n+1}$ of length $n + 1$), we show that there exists a sequence of internal transitions from $q_{n+1}$ to $q_n$. As illustrated in Figure 5.12, let $t_{q_n} = q_n q'_{n+1} \ldots q_{n-1}$ be the presumed sequence of internal transitions from $q_n$ to $q_{n-1}$, with $(q_n, u, q'_{n+1}) \in TR^C$, $u \in Enabled(q_n) - W^C$, $(q_{n-1}, w, q_n) \in TR^C$, and $w \in Enabled(q_{n-1}) - W^C$.
Next consider the following two possible cases:

(a) $v$ makes a transition along trace $t_{q_n}$. Then, as illustrated by the commutative diagram of Figure 5.13, and because of the presumed independence of all internal transitions, there must exist a sequence $t'_{q_n}$ from $q_n$ to $q_{n-1}$ whose first transition is by signal $v$ to state $q_{n+1}$. But this means that the suffix of this sequence is from $q_{n+1}$ to $q_{n-1}$, and hence there exists a sequence from $q_{n+1}$ to $q_n$.

(b) $v$ does not make a transition along trace $t_{q_n}$, and thus $v \in Enabled(q_{n-1}) - W^C$ and $(q_{n-1}, v, q'_n) \in TR^C$. By the inductive hypothesis, there must exist a cycle of internal transitions $t_{q_{n-1}} = q_{n-1} q'_n \ldots q_{n-1}$ from $q_{n-1}$. But then, as illustrated by the commutative diagram of Figure 5.14, and because of the presumed independence of all internal transitions, there must exist a sequence $t'_{q_n}$ from $q_n$ to $q_{n-1}$ whose first transition is by signal $v$ to state $q_{n+1}$. But this again means that the suffix of sequence $t'_{q_n}$ is from $q_{n+1}$ to $q_{n-1}$, and hence there exists a sequence from $q_{n+1}$ to $q_n$.

Fig. 5.14 Illustration of case (b) in the proof of Lemma 5.8. (Legend: a transition by signal $v$; sub-sequences of and signal transitions on traces $t_{q_n}$, $t'_{q_n}$, and $t_{q_{n-1}}$.)

Cases (a) and (b) above indicate that there always exists a sequence of internal transitions from state $q_{n+1}$ to $q_n$, and as a result a sequence back to $q$. ■

Lemma 5.9 [Convergence of sequences of internal transitions from a single state] Let $C = (M^C, A^C, V^C, G^C, FA^C)$ be a failure-free circuit, $W^C \subseteq V^C$ be a set of external circuit variables that is closed under failure-free dependence, $E^C = A^C \cap W^C$, and $FTS^C = (FA^C, AP^C, L^C)$ be a finite transition system with $L^C(q) = Proj(W^C)(q)$.
Also let Algorithm dfs_2 be used for partial exploration of the state space of $C$. Let $p \in Q^C$ be any state (in particular, the initial state of any independent DFS path), and $q, q' \in Q^C$ be any pair of states (in particular, the terminal states of any two independent DFS paths) such that $q$ and $q'$ are reachable from $p$ by sequences of internal transitions. Then there must exist a state $p' \in Q^C$ that is reachable from both $q$ and $q'$ through sequences of internal transitions. ■

Proof (Sketch) This lemma directly follows from Keller's result [43] about independent signals and transitions. ■

Lemma 5.10 [Terminal states reachable from a single state belong to the same internal TMSCC] Let $C = (M^C, A^C, V^C, G^C, FA^C)$ be a failure-free circuit, $W^C \subseteq V^C$ be a set of external circuit variables that is closed under failure-free dependence, $E^C = A^C \cap W^C$, and $FTS^C = (FA^C, AP^C, L^C)$ be a finite transition system with $L^C(q) = Proj(W^C)(q)$. Also let Algorithm dfs_2 be used for partial exploration of the state space of $C$. Let $p \in Q^C$ be any state (in particular, the initial state of any independent DFS path), and $q, q' \in Q^C$ be the terminal states of any two independent DFS paths such that $q$ and $q'$ are reachable from $p$ by sequences of internal transitions. Then $q$ and $q'$ belong to the same internal TMSCC. ■

Proof (Sketch) By Lemma 5.9, there exists a state $p' \in Q^C$ that is reachable from both $q$ and $q'$ through sequences of internal transitions. By Lemma 5.8, terminal state $q$ must belong to an internal TMSCC, $Q \subseteq Q^C$, and similarly terminal state $q'$ must belong to an internal TMSCC, $Q' \subseteq Q^C$. By the definition of an internal TMSCC, state $p'$, which is reachable from both $q$ and $q'$, must belong to both $Q$ and $Q'$. But since the internal TMSCC to which a state belongs is unique, we must have $Q = Q'$. ■
Lemma 5.11 [Internal transitions cannot disable external transitions] Let $C = (M^C, A^C, V^C, G^C, FA^C)$ be a failure-free circuit, $W^C \subseteq V^C$ be a set of external circuit variables that is closed under failure-free dependence, $E^C = A^C \cap W^C$, and $FTS^C = (FA^C, AP^C, L^C)$ be a finite transition system with $L^C(q) = Proj(W^C)(q)$. Then no internal transition can ever disable any external variable. ■

Proof (Sketch) Assume that there exists an internal transition by a signal $v \in V^C - W^C$ that can disable an external variable $w \in W^C$. Then either $v$ and $w$ are legally dependent, which would contradict the closure of $W^C$ under failure-free dependence, or the internal transition is a failure, which would contradict the failure-freedom of the circuit. ■

Lemma 5.12 [Uniqueness of the set of enabled external variables in an internal TMSCC] Let $C = (M^C, A^C, V^C, G^C, FA^C)$ be a failure-free circuit, $W^C \subseteq V^C$ be a set of external circuit variables that is closed under failure-free dependence, $E^C = A^C \cap W^C$, and $FTS^C = (FA^C, AP^C, L^C)$ be a finite transition system with $L^C(q) = Proj(W^C)(q)$. Let $Q \subseteq Q^C$ be an internal TMSCC. Then for all $q \in Q$, the set of enabled external variables, $Enabled(q) \cap W^C$, is unique. ■

Proof (Sketch) Assume there exists a pair of states $q, q' \in Q$ in the internal TMSCC such that $Enabled(q) \cap W^C \ne Enabled(q') \cap W^C$. Then there must exist an external variable $v \in W^C$ that is enabled in $q$ but not enabled in $q'$. Since $Q$ is an internal TMSCC, there must exist a sequence of internal transitions from $q$ to $q'$. Now, along any such sequence, external variable $v$ must have become disabled without being fired. This implies that external variable $v$ is not independent of all internal signals, contradicting our assumption about the closure of $W^C$ under failure-free dependence.
■

Theorem 5.13 [dfs_2 and finding a safe abstraction for a circuit] Let $C = (M^C, A^C, V^C, G^C, FA^C)$ be a failure-free circuit, $W^C \subseteq V^C$ be a set of external circuit variables that is closed under failure-free dependence, $E^C = A^C \cap W^C$, and $FTS^C = (FA^C, AP^C, L^C)$ be a finite transition system with $L^C(q) = Proj(W^C)(q)$. Let Algorithm dfs_2 be used for construction of a stuttering equivalent sub-automaton, $\hat{FA}^C$. Then the embedded procedure construct_projection (Figure 5.10) constructs $FA_{W^C}$ iff $\hat{FA}^C$ is projectable onto $W^C$, and otherwise it aborts the algorithm. Moreover, if procedure construct_projection does not abort the algorithm, then the behavior of its output automaton is always a safe abstraction of the circuit behavior, even when the circuit is not failure-free. ■

The first part of the above theorem implies that for a failure-free circuit, if dfs_2 constructs a sub-automaton $\hat{FA}^C$ that is projectable onto $W^C$, then construct_projection constructs nothing but $FA_{W^C}$, and $B_{W^C}$ is a safe (exact) abstraction of $B^C$ over $W^C$; otherwise, construct_projection simply aborts. The second part of the theorem implies that the algorithm's output, if it does not abort, is always a safe abstraction.

Proof (Sketch) By Conditions 2.22 for projectability of an automaton, $\hat{FA}^C$ is projectable onto $W^C$ iff the following conditions hold:

• Let $q_j \in \hat{Q}^C$ be any initial state of $\hat{Q}^C$, or any state to which there exists an external transition $(q'_j, b, q_j) \in \hat{TR}^C$ from some state $q'_j \in \hat{Q}^C$ such that $q'_j \notin [q_j]_{W^C}$. Let $Q_j \subseteq \hat{Q}^C$ be the set of all states such that $q_k \in Q_j$ iff (i) $q_k$ is reachable from $q_j$ through a (possibly empty) sequence of $W^C$-compatible states in $\hat{Q}^C$, and (ii) there exists $(q_k, c, q_m) \in \hat{TR}^C$ with $q_m \notin [q_j]_{W^C}$; i.e., an external transition from $q_k$ to a state that is not $W^C$-compatible with $q_k$.
Then let $W_j = \{Proj(W^C)(q_k, c, q_m) \mid (q_k, c, q_m) \in \hat{TR}^C,\ q_k \in Q_j,\ q_m \notin [q_j]_{W^C}\}$ be the projection of all external state transitions from the states in $Q_j$.

• Let $q_l \in \hat{Q}^C$ be any other initial state of $\hat{Q}^C$, or any other state to which there exists an external transition $(q'_l, d, q_l) \in \hat{TR}^C$ from some state $q'_l \in \hat{Q}^C$ such that $q'_l \notin [q_l]_{W^C}$ and $q_l \in [q_j]_{W^C}$; i.e., $q_j$ and $q_l$ are $W^C$-compatible. Define $Q_l$ and $W_l$ similarly to $Q_j$ and $W_j$ above.

• Then we must have $W_j = W_l$.

If the above conditions hold, then the states of $FA_{W^C}$ are $\{Proj(W^C)(q_j)\}$ and its transitions are $TR_{W^C} = \{W_j\}$, for all states $q_j$ as described above. Because of the specific way in which dfs_2 constructs $\hat{FA}^C$, any state $q_j$ or $q_l$ in the above conditions must be the initial state of some independent DFS path, and any state $q'_j$, $q'_l$, or $q_k$ must be a terminal state that is fully expanded. As a result, $\hat{FA}^C$ is projectable onto $W^C$ iff the following conditions hold:

• Let $q_j \in \hat{Q}^C$ be the initial state of any independent DFS path of Algorithm dfs_2. Let $Q_j \subseteq \hat{Q}^C$ be the set of all terminal (fully expanded) states that are reachable from $q_j$ through sequences of internal transitions. Let $W_j = \{Proj(W^C)(q_k, c, q_m) \mid (q_k, c, q_m) \in \hat{TR}^C,\ q_k \in Q_j,\ q_m \notin [q_j]_{W^C}\}$ be the projection of all external state transitions from the terminal states in $Q_j$.

• Let $q_l \in \hat{Q}^C$ be the initial state of any other independent DFS path of Algorithm dfs_2 such that $q_l \in [q_j]_{W^C}$; i.e., $q_j$ and $q_l$ are $W^C$-compatible. Define $Q_l$ and $W_l$ similarly to $Q_j$ and $W_j$ above.

• Then we must have $W_j = W_l$.

Now consider procedure construct_projection of Figure 5.10. This procedure is called once for each independent DFS. That is, if $q_j \in \hat{Q}^C$ is the initial state of a DFS path, then construct_projection is called at the terminal state $q'_j \in \hat{Q}^C$ of this DFS path.
For each such terminal state $q'_j$ (and thus each initial state $q_j$), construct_projection computes the set $W'_j = \{Proj(W^C)(q'_j, c, q_m) \mid (q'_j, c, q_m) \in \hat{TR}^C,\ q_m \notin [q'_j]_{W^C}\}$ (note that since the initial and terminal states of any DFS path are $W^C$-compatible, we have $[q'_j]_{W^C} = [q_j]_{W^C}$). Note that since $q'_j \in Q_j$, we have $W'_j \subseteq W_j$. Next, construct_projection checks the validity of $W'_j = W'_l$ for all previously processed DFS paths whose terminal states $q'_l$ (and thus initial states $q_l$) are $W^C$-compatible with terminal state $q'_j$ (and thus initial state $q_j$). If this check fails, then the algorithm is aborted. Otherwise, if no such terminal state $q'_l$ (and thus initial state $q_l$) was processed before, all states and transitions in $W'_j$ are added to $FA_{W^C}$. In essence, procedure construct_projection analyses only a sub-behavior $B'^C \subseteq B^C$ and tries to find an automaton $FA'_{W^C}$ such that $B'_{W^C} = Proj(W^C)(B'^C)$. Now, for failure-free circuits we always have $W'_j = W_j$ (by Lemma 5.12), and as a result $Proj(W^C)(B'^C) = Proj(W^C)(B^C)$. Thus, if the circuit is failure-free, then construct_projection correctly checks the projectability of $\hat{FA}^C$, and correctly computes $FA_{W^C}$ or aborts (if $\hat{FA}^C$ is not projectable), without ever computing $Q_j$. (Note that if $FA_{W^C}$ exists, then we have $FA'_{W^C} = FA_{W^C}$.) As a result, if the circuit is failure-free, then construct_projection constructs $FA_{W^C}$ iff $\hat{FA}^C$ is projectable onto $W^C$, and otherwise it aborts, indicating that it could not find a safe abstraction. For a circuit that is not failure-free, the result of Lemma 5.12 does not hold, and $W'_j = W_j$ is not generally true. In such a case, construct_projection either finds an automaton $FA'_{W^C}$ such that $B'_{W^C} = Proj(W^C)(B'^C)$, or it aborts.
If it succeeds, then as a result of $B'^C \subseteq \hat{B}^C$, $\hat{B}^C \subseteq B^C$, and $B'_{W^C} = Proj(W^C)(B'^C)$, we have $B'_{W^C} \subseteq Proj(W^C)(B^C)$; i.e., $B'_{W^C}$ is a safe abstraction of $B^C$ over $W^C$. If construct_projection aborts, it simply means that we could not find a safe abstraction. Note that when a circuit is failure-free, the projectability of $\hat{FA}^C$ is independent of the DFS paths and, in particular, of their terminal states. In contrast, when the circuit is not failure-free, the projectability of $\hat{FA}^C$ can vary with how the DFS paths are explored (the order in which internal signals fire along those paths). Thus, for a circuit that is not failure-free, the failure of construct_projection to find a safe abstraction, even if one could have been found, is not considered a shortcoming of the algorithm.

Observation 5.14 [Algorithm 5.3, dfs_2, and the UEE conditions for finding a safe abstraction] Let $C = (M^C, A^C, V^C, G^C, FA^C)$ be any given circuit, $W^C \subseteq V^C$ be a set of external circuit variables that is closed under failure-free dependence, $E^C = A^C \cap W^C$, and $FTS^C = (FA^C, AP^C, L^C)$ be a finite transition system with $L^C(q) = Proj(W^C)(q)$. Let Algorithm dfs_2 be used for construction of a stuttering equivalent sub-automaton, $\hat{FA}^C$. Then construct_projection successfully finds a safe abstraction iff the set of external transitions from terminal states of independent DFS paths that are $W^C$-compatible is unique. In other words, it finds a safe abstraction iff $W^C$-compatible terminal states have the Unique External Excitation property, or UEE. ■

Proof [Algorithm 5.3, dfs_2, an enhanced algorithm for finding safe abstractions] The proof of correctness of dfs_2 in finding a safe abstraction immediately follows from Theorems 5.7 and 5.13.
■

Before closing this subsection, we need to emphasize that if dfs_2 fails to find a safe abstraction (the UEE conditions are not satisfied), then $W^C$ is potentially not observationally sufficient, and another set of external variables (which has to be closed under failure-free dependence) has to be chosen for hierarchical verification.

Fig. 5.15 Three different partitions of a four-stage FIFO controller: (a), (b), and (c).

Example 5.7 Figure 5.15 shows a four-stage FIFO controller partitioned with three different sets of external signals. Figure 5.15.c is an example of a set of external signals over which a safe abstraction cannot be found. Intuitively, the middle circuit block in Figure 5.15.c can hold different numbers of tokens in the same external state. On the other hand, the output behavior of that circuit block depends on the number of tokens in it. As a result, the behavior of the corresponding set of external signals is not projectable, and hence a safe abstraction over it does not exist. Figure 5.15.a shows an example of a set of external signals over which a safe abstraction does exist; however, the right sub-circuit created by the safe abstraction is exactly the same as the original flat circuit. As a result, the particular partition of Figure 5.15.a does not create any real hierarchy in the circuit. Finally, Figure 5.15.b shows an example of a set of external signals over which not only does a safe abstraction exist, but it can also successfully induce hierarchy in the verification of the circuit. ■

5.3.3 Further Optimizations

In this subsection, we present a further optimized version of our enhanced algorithm for finding safe abstractions.
This version of the algorithm is called dfs_3 and is depicted in Figure 5.16. It is called by safe_abstraction in the same way that dfs_2 is called, and it is exactly like dfs_2 except that it does not call Explore_internal_trans; i.e., it does not explore the transitions of enabled internal signals from the terminal states of the DFS paths. As was shown in the previous subsection, in a failure-free circuit the terminal state of any DFS path belongs to an internal TMSCC, and any sequence of internal transitions from the terminal state always leads to other states of the same internal TMSCC. On the other hand, all states of any internal TMSCC were shown to have a unique set of enabled external variables. Thus, exploring enabled internal transitions from the terminal states of DFS paths will not create any new information about the behavior of the external variables. In fact, the particular selective search of procedure Explore_internal_trans, which explores from any terminal state a path of internal transitions back to the same terminal state, was intentionally devised to emphasize the redundancy of exploring internal transitions from terminal states.
    DFS_3(p, i)                          /* DFS on the stack of state p and circuit block i */
        Pop(q, p);                       /* pop a state q from the stack of state p */
        if Enabled(q) = ∅ then
            return;
        /* try to explore a single internal transition of block i
           to a state that is not on the stack of p */
        for each v ∈ (Enabled(q) - W^C) ∩ V^C_i {
            /* v is an enabled internal signal of block i */
            if (q, v, q') ∈ TR^C and q' ∉ Stack(p) then {
                Construct_subautomaton(q, v, q');
                Push(q', p);
                DFS_3(p, i);
                return;
            }
        }
        /* if all internal transitions of block i lead to states on
           the search stack of p, move on to the next block i + 1 and
           try to explore an internal transition of that block */
        if i is not the last block then {    /* not the last block */
            Push(q, p);
            DFS_3(p, i + 1);
            return;
        }
        /* the end of the DFS path from state p is reached */
        else {
            Construct_projection(q);
            /* explore the external transitions from state q */
            for each v ∈ Enabled(q) ∩ W^C {
                /* v is an enabled external signal */
                for each (q, v, q') ∈ TR^C {
                    Construct_subautomaton(q, v, q');
                    /* initiate a new DFS search from each
                       un-explored state q' */
                    if q' ∉ Q^C then {
                        Push(q', q');
                        DFS_3(q', 1);
                    }
                }
            }
        }

Fig. 5.16 Algorithm DFS_3.
Algorithm 5.4 [dfs_3, a further optimized algorithm to find safe abstractions] Let $C = (M^C, A^C, V^C, G^C, FA^C)$ be a failure-free circuit, $W^C \subseteq V^C$ be a set of external circuit variables that is closed under failure-free dependence, $E^C = A^C \cap W^C$, and $FTS^C = (FA^C, AP^C, L^C)$ be a finite transition system with $L^C(q) = Proj(W^C)(q)$. Algorithm dfs_3 (Figure 5.16) is an optimized version of Algorithm dfs_2 that constructs a sub-automaton $\hat{FA}^C$ of $FA^C$ (with state set $\hat{Q}^C \subseteq Q^C$ and transition set $\hat{TR}^C \subseteq TR^C$) that is stuttering equivalent with $FA^C$. Moreover, its embedded procedure construct_projection (Figure 5.10) finds an automaton projection of the constructed sub-automaton iff it is projectable, and otherwise it aborts the algorithm. Finally, if procedure construct_projection does not abort the algorithm, then the behavior of its output automaton is always a safe abstraction of the circuit behavior, even when the circuit is not failure-free. ■

Proof [Algorithm 5.4, dfs_3, a further optimized algorithm for finding safe abstractions] (Sketch) The correctness of Algorithm dfs_3 directly follows from the correctness of Algorithm dfs_2 and the fact that in a failure-free circuit, any state that is reachable from the terminal state of any DFS path belongs to the same internal TMSCC, and thus has the same set of enabled external variables. As a result, the exploration of enabled internal transitions from the terminal states of DFS paths in Algorithm dfs_2 is a redundant computation that can be removed. ■

The above theorem states that for partial order reduction of a failure-free circuit, the selected set of enabled variables whose transitions are explored at terminal states of DFS paths needs to include only the external variables, without violating the visibility condition (condition C2) of ample sets.
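The selective search of dfs_3 and the UEE check of construct_projection, as an added Python model that is not the thesis' own code: it runs the search on two constructed circuits, a one-token ring whose external set is closed under failure-free dependence (yielding a four-state safe abstraction) and a circuit in which an internal signal is hidden behind one external state (where construct_projection aborts). Assumed here: signals toggle when their excitation predicate holds, Stack(p) is the DFS path of p, and block indices start at 0.

```python
"""Toy model of Algorithm DFS_3 (Figure 5.16) with the embedded construct_projection
/ UEE check.  Added example, not the thesis' own code.  Assumptions: a circuit is a
set of binary signals that toggle when their excitation predicate holds; Stack(p) is
modelled as the DFS search path of p, and the figure's Pop/Push as reading its top."""
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

State = Tuple[int, ...]          # one bit per signal, in Circuit.signals order
Edge = Tuple[State, str, State]  # an external transition projected onto W^C


class Circuit:
    def __init__(self, signals, excite, external, blocks):
        self.signals: List[str] = signals                        # ordered names
        self.excite: Dict[str, Callable[[dict], bool]] = excite  # v -> is v enabled?
        self.external: Set[str] = external                       # W^C
        self.blocks: List[Set[str]] = blocks                     # internal signals per block

    def enabled(self, q: State) -> List[str]:
        s = dict(zip(self.signals, q))
        return [v for v in self.signals if self.excite[v](s)]

    def fire(self, q: State, v: str) -> State:
        i = self.signals.index(v)
        return q[:i] + (1 - q[i],) + q[i + 1:]

    def proj(self, q: State) -> State:
        """Proj(W^C)(q): keep only the external bits."""
        return tuple(b for v, b in zip(self.signals, q) if v in self.external)


class DFS3:
    def __init__(self, c: Circuit):
        self.c = c
        self.states: Set[State] = set()               # Q^C of the sub-automaton
        self.stacks: Dict[State, List[State]] = {}    # Stack(p): the DFS path from p
        self.fa_w: Dict[State, FrozenSet[Edge]] = {}  # FA_W: external state -> edges
        self.aborted = False

    def run(self, q0: State) -> Optional[Dict[State, FrozenSet[Edge]]]:
        """Return FA_W, or None when construct_projection aborts (UEE violated)."""
        self.states.add(q0)
        self.stacks[q0] = [q0]
        self.dfs(q0, 0)
        return None if self.aborted else self.fa_w

    def construct_projection(self, q: State) -> None:
        """W'_j of terminal state q, checked against earlier W^C-compatible terminals."""
        key = self.c.proj(q)
        edges = frozenset((key, v, self.c.proj(self.c.fire(q, v)))
                          for v in self.c.enabled(q) if v in self.c.external)
        if key in self.fa_w and self.fa_w[key] != edges:
            self.aborted = True   # same external state, different external excitation
        self.fa_w.setdefault(key, edges)

    def dfs(self, p: State, i: int) -> None:
        if self.aborted:
            return
        q = self.stacks[p][-1]
        en = self.c.enabled(q)
        if not en:
            return                # deadlock state: nothing to explore
        # a single internal transition of block i to a state not on the stack of p
        for v in en:
            if v in self.c.blocks[i]:
                q2 = self.c.fire(q, v)
                if q2 not in self.stacks[p]:
                    self.states.add(q2)
                    self.stacks[p].append(q2)
                    self.dfs(p, i)
                    return
        if i + 1 < len(self.c.blocks):   # block i only loops back: try the next block
            self.dfs(p, i + 1)
            return
        # terminal state of the path from p: project it, then expand external signals only
        self.construct_projection(q)
        for v in en:
            if v in self.c.external:
                q2 = self.c.fire(q, v)
                if q2 not in self.states:    # new DFS from each unexplored state
                    self.states.add(q2)
                    self.stacks[q2] = [q2]
                    self.dfs(q2, 0)


def ring_circuit() -> Circuit:
    """Constructed: one-token ring a -> x -> y -> b -> a with blocks {x}, {y} and
    W^C = {a, b}; x and y never disable a or b, so W^C is closed as the lemmas assume."""
    return Circuit(["a", "x", "y", "b"],
                   {"a": lambda s: s["a"] == s["b"], "x": lambda s: s["x"] != s["a"],
                    "y": lambda s: s["y"] != s["x"], "b": lambda s: s["b"] != s["y"]},
                   {"a", "b"}, [{"x"}, {"y"}])


def choice_circuit() -> Circuit:
    """Constructed: inputs a, c may arrive in either order; x fires only if a comes
    first, b needs x and d needs not-x.  External state (a,c,b,d) = (1,1,0,0) hides
    whether x fired, so its two terminal states differ in external excitation."""
    return Circuit(["a", "c", "x", "b", "d"],
                   {"a": lambda s: s["a"] == 0, "c": lambda s: s["c"] == 0,
                    "x": lambda s: s["a"] == 1 and s["c"] == 0 and s["x"] == 0,
                    "b": lambda s: s["a"] == 1 and s["c"] == 1 and s["x"] == 1 and s["b"] == 0,
                    "d": lambda s: s["a"] == 1 and s["c"] == 1 and s["x"] == 0 and s["d"] == 0},
                   {"a", "c", "b", "d"}, [{"x"}])
```

`DFS3(ring_circuit()).run((0, 0, 0, 0))` returns the four external states (a, b) of the ring, each with its single projected external transition, while `DFS3(choice_circuit()).run((0, 0, 0, 0, 0))` returns None because the second terminal state reached in external state (1, 1, 0, 0) excites d instead of b.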
Example 5.8 Figure 5.17 depicts a FIFO controller of length eight partitioned in the middle into two circuit blocks ($E = \{a_3, a_4\}$). A safe abstraction of the circuit behavior over $E$ is found using our partial order procedure. Since the sub-automaton constructed by our procedure is very big, each of its sequences of internal signal transitions, starting immediately after an external signal transition, is collapsed into and depicted as a single state transition to the corresponding terminal state. The constructed sub-automaton satisfies UEE, and thus the collapsed automaton is indeed a safe abstraction. ■

Before we close this chapter, we would like to make two final notes about the selection of external variables. As previously suggested, construct_projection may fail to construct the automaton of a safe abstraction because of failure transitions that go undiagnosed during construction of the partial order sub-automaton. This may cause a seemingly unnecessary search for a safe abstraction over other sets of external variables that might repeatedly fail because of the inherent failure of a circuit. To avoid such a condition, we can check for failure transitions during construction of the partial order sub-automaton. In this case, as soon as a failure is detected, the verification procedure can be quit. Although checking failures during partial order reduction incurs
Fig. 5.17 Finding a safe abstraction for the behavior of a FIFO controller (panels: the partitioned controller, partial order analysis yielding a sub-automaton, projection, and a safe abstraction over $[a_3 a_4]$; legend: external states, terminal states of DFS paths, initial states of DFS paths, a sequence of internal signal transitions, an external signal transition).

some additional cost, this approach removes the need for unnecessary subsequent searches for safe abstractions.

The second note regards an extension of this framework in which a partial order sub-automaton that is not projectable (e.g., does not satisfy UEE) can still be used to find safe abstractions, assuming that an appropriate state encoding is used to distinguish between externally-compatible terminal states of the sub-automaton that do not have the same enabled external transit
ions. Such encoding schemes may introduce new state variables into the system and require additional analysis of the relabelled sub-automaton, adding to both the space and time complexity of the algorithm. However, this approach removes the inherent complexity of our current framework in trying different sets of external variables to find a safe abstraction.

Chapter 6 In Comparison

In this chapter, we first present an overall view of our framework for hierarchical verification of speed-independent circuits. In Section 6.2, we show how our framework is in fact based on an assume-guarantee paradigm. In Section 6.3, we present a comparison of our framework with that of complex-gate verification and show how we have succeeded in generalizing and extending that framework.
Finally, in Section 6.4, we show how our efforts compare to other verification efforts in terms of the reduction and/or abstraction techniques that are used.

6.1 The Flow of Our Approach Illustrated by an Example

In this section, we simply review the steps involved in one level of recursion of our hierarchical verification approach; i.e., the steps taken starting from a circuit to the derivation of its sub-circuits. Since these steps have already been discussed and each illustrated by an example, we illustrate the whole flow in a single example, shown in Figure 6.1. The figure is assumed to be self-explanatory.

[Fig. 6.1 One level of hierarchical verification for a FIFO controller. Panels: (a) a four-stage FIFO controller; (b) the partitioned circuit in an abstract environment, E = {a1, a2}; (c) a sub-automaton (partial order analysis); (d) a safe abstraction (projection); (e) safe specifications; (f) derived sub-circuits.]

6.2 Induced Hierarchical Verification, an Assume-Guarantee Paradigm

In this section, we briefly show how our hierarchical verification technique for SI circuits can be viewed as an assume-guarantee paradigm. Our technique can be viewed as one which starts by assuming that a given circuit is failure-free (or SI), and then tries to guarantee that assumption by proving that the induced sub-circuits are failure-free. With the assumption of failure-freedom for the circuit, any safe abstraction (i.e., one that is generated by our partial order technique) would exactly resemble the behavior of the selected set of external variables.
However, if any induced sub-circuit is found to have a failure, it would be an indication that the initial assumption could not be guaranteed, and thus was not a true assumption. Recall that a failure in a sub-circuit is either at an internal module or at the environment module (i.e., a choke) of the corresponding circuit block; in the first case, the failure would be a failure of the same module inside the original circuit as well, contradicting our assumption of failure-freedom, and in the second case, the choke would reveal that the safe abstraction was not exact, indirectly contradicting our assumption that the circuit was failure-free.

6.3 Relation to Complex-Gate Verification

In this section, we briefly revisit a previous hierarchical verification technique, complex-gate verification. We show how complex-gate verification is inherently based on the same principles and observations about speed-independent circuits that were presented in the previous chapter. Moreover, we show how our hierarchical verification framework has succeeded in generalizing upon complex-gate verification.

Our hierarchical verification framework initially started out as an attempt to extend and generalize complex-gate verification. Complex-gate verification is characterized by two phases: a functional verification phase, followed by a behavioral verification phase. In the functional verification phase, the circuit is collapsed and abstracted into a network of complex-gates that is checked for functional correctness (e.g., conformance to specification) by full exploration of its state space. Once functional correctness is established, the explored behavior of the complex-gate circuit is used to derive an abstract environment for each induced circuit block.
In the behavioral verification phase, failure-freedom of each circuit block in its abstract environment is checked. A circuit is said to be failure-free if it is both functionally and behaviorally correct [64, 65].

The functional phase in complex-gate verification is the counterpart of deriving safe abstractions in our framework. However, while we use behavioral abstraction (i.e., partial order reduction) to derive a safe abstraction of a circuit's behavior, the functional verification phase, as suggested by its name, uses functional abstraction to find an abstract behavior of the complex-gate circuit. The functional verification phase conceives of a circuit block that is collapsed into a complex-gate as a functional black box, focusing on the functionality of the circuit block rather than its behavior. The same complex-gate can also be conceived of as a circuit block whose internal modules have zero delays and whose outputs are all lazy signals; i.e., the outputs fire only after all internal signals of the complex-gate have stabilized. It is this alternative view of a complex-gate, focusing on the behavior of the corresponding circuit block rather than its functionality, that has led us to our partial order technique for behavioral abstraction. The above discussion also implies, although it is not immediately apparent, that in the special case where the set of external circuit variables includes all complex-gate outputs, functional abstraction and our behavioral abstraction generate the same results.
The generality of our framework as compared to complex-gate verification arises from the fact that an observationally sufficient set of external variables that partitions a circuit into circuit blocks does not need to include all outputs of memory elements and/or cut all cycles in the circuit, while the set of external variables partitioning the circuit into complex-gates does. As a result, since no memory element output is ever internal to a complex-gate, the functional verification phase effectively assumes laziness for all such signals. In contrast, in our framework we may be able to hide some memory element outputs or cycles while deriving safe abstractions. Since the functional abstraction is equivalent to some sort of partial order reduction with a static choice of ample sets, it is easy to comprehend that the set of external signals in complex-gate verification, similar to our framework, always has to satisfy the closure under failure-free dependence conditions.

The absence of hidden memory element outputs in complex-gate verification, however, has implications that have facilitated the derivation of safe abstractions in that framework. In our framework, the sub-automaton that is constructed by our partial order analysis has to satisfy a certain condition before it can be used to derive a safe abstraction; i.e., it has to be projectable onto the set of external variables. In complex-gate verification, the absence of hidden memory element outputs or cycles in complex-gates makes their output excitations depend only on their inputs/outputs. That is why complex-gates are treated as functional blocks in the functional verification phase. Now, had we used our
equivalent partial order analysis instead, we would have noticed that regardless of the order of transitions on the non-lazy (hidden) circuit variables, the final excitations of lazy variables would depend on the values of (all) lazy variables only, and that the hidden non-lazy variables would never oscillate and would always stabilize at unique values. In other words, for a complex-gate circuit, our partial order analysis would always construct a sub-automaton that has no cycle of hidden state transitions and is always projectable onto the set of complex-gate inputs/outputs (because it satisfies UEE). Moreover, since the projection of such a sub-automaton would always be a safe abstraction, the set of complex-gate inputs/outputs would always be identified as observationally sufficient. It is this feature that has facilitated the derivation of safe abstractions in complex-gate verification by removing the need to check any additional conditions (i.e., projectability).

It also becomes clear why complex-gate verification cannot support circuit blocks with internal memory modules or combinational cycles. Complex-gate verification is closely concerned with the functional aspect of a complex-gate rather than its behavioral aspect; i.e., it is based on the fact that if the output excitation of a circuit block can be expressed as a function of its input/output signals only, then the behavior of the corresponding complex-gate circuit is indeed a safe abstraction. Now, if a circuit block has internal memory modules or cycles, its output excitation is generally not a function of its input/output signals only; it also depends on the current state of the internal variables of the block. Now, if the output excitation of such a circuit block is approximated by a function over only the input/output signals of the block, such that
the function is possibly an under-approximation or an over-approximation of the actual excitation of the block within its environment, then there would be no trivial relationship between the outcomes of the functional/behavioral phases of complex-gate verification and the actual failure-freedom of the original circuit. This is because the framework of complex-gate verification assumes that the exact functionality of the circuit blocks (complex-gates) in terms of their input/output signals is given, or easily computable. One might argue that complete analyses of the behavior of circuit blocks within their actual environments can always be used to compute their exact functionality, but that would be contrary to the goal of induced hierarchical verification, which verifies circuit blocks in abstract environments that are derived from safe abstractions found without complete behavioral analyses.

Our comparison of the two frameworks and their relationship can be summarized as follows. In our attempt to generalize upon complex-gate verification, we first identified two inherent and implicit properties of complex-gates: (a) complex-gates, as functional blocks, internally stabilize before having any output transitions; (b) complex-gates have unique internal stabilizations, and thus when internally stabilized, they also have unique output excitations as functions of their (external) input/output signals only.
Having identified the above properties, we next tried to exploit the same properties in our own framework: (a) we utilized and implemented the notion of stabilization in our behavioral abstraction by having our partial order technique explore only those traces of a circuit on which the internal variables of circuit blocks always stabilize (or reach a terminal oscillatory state) before external I/O transitions occur; (b) we explicitly enforced the notion of unique output excitations in internally-stable (or terminal oscillatory) states by always checking the projectability of the sub-automaton that is constructed by our partial order analysis. This has guaranteed the correctness of our approach in the more general case in which we have circuit blocks with internal memory elements or cycles.

Our proposed behavioral abstraction has brought us the advantage of being able to hide memory element outputs or cycles. However, this is achieved at the additional cost of checking, among other things, the projectability of the constructed sub-automaton onto the set of external variables, a condition that is automatically satisfied in complex-gate verification.

6.4 Comparison with Other Reduction Techniques

Partial order, abstraction, and hierarchical verification techniques have been extensively used in different tools to reduce the complexity of verification [14, 35, 37]. This section discusses the relationship between the traditional usage of such techniques and our proposed induced hierarchical verification approach.

In VIS [14], abstraction refers to using non-determinism to abstract the behavior of some circuit signals. Specifically, the signals are treated as primary inputs whose behavior is totally unconstrained.
This is probably too conservative for our application, because such non-determinism would introduce unreachable states which may exhibit hazards, leading to false negatives. In contrast, we refer to an approximation of the behavior of a subset of circuit signals as an abstraction. Moreover, unlike that of VIS, our abstraction never overestimates the behavior of the signals.

We have already discussed in detail the relation between our framework and partial order reduction techniques [1, 62, 63, 32, 33, 81, 82]. The tricky part of our use of partial order reduction techniques is that we do not know, a priori, whether a circuit is failure-free or not; yet we make the implicit assumption that it is failure-free and use partial order reduction to find the behavior of the external variables. Consequently, unlike the typical use of partial orders, our technique may actually under-approximate the behavior of the external variables. A key feature of our technique is that if there is any such under-approximation, it is always detected in the form of a failure in some sub-circuit, with the conclusion that the circuit is not failure-free.

The presumed independence of signals in a speed-independent (failure-free) circuit allows us to take advantage of different techniques to speed up the partial order analysis. For example, a form of symbolic trajectory analysis can be used for internal stabilization of the circuit (at fixed external states). This symbolic trajectory analysis has two benefits. First, since the hidden signals are independent and the ordering of input transitions for hidden circuit elements with no state variables is immaterial, for such circuit elements we can use non-interleaving semantics in which enabled input signals are allowed to fire simultaneously (e.g., [85]). This reduces the number of iterations needed to stabilize the internal state of the circuit.
Second, since the behavior of hidden variables is analyzed only locally when stabilizing the corresponding circuit block, the hidden signals appear only locally and temporarily in BDD computations; i.e., the hidden variables need not be global BDD variables.

We believe that our technique is similar to homomorphic reductions as used in COSPAN [5, 35, 47]. In COSPAN, such homomorphisms simplify the language containment test between a model and a task by removing irrelevant aspects of the model. We conjecture that our safe abstraction can be viewed as the result of a homomorphic transformation which simplifies the model of the environment for each sub-circuit. In our framework, the homomorphic system is automatically generated (using our partial order technique) once a set of external signals is given, and the validity of the homomorphism is checked by checking a sufficient condition for observational sufficiency (projectability of the constructed sub-automaton). Moreover, we believe that this homomorphic reduction is both necessary and sufficient for verifying the non-reduced problem, and consequently does not lead to any false negatives, as can potentially happen with homomorphic reductions in COSPAN.

Our approach is also similar to the more general assume-guarantee paradigm used in reactive modules [2]. In that paradigm, a composition of reactive modules is verified through verification of each module in an abstract environment, followed by verification of the composition of the abstract environments. We believe that our safe abstraction is to some degree analogous to an abstract environment, with some differences. The most obvious difference may be that our methodology does not need a separate step of verifying the composition of abstract environments.
In comparison with other work on verification of speed-independent circuits, we should also note that Weih and Greenstreet developed a verification framework for speed-independent circuits with characteristics similar to ours but for a somewhat different purpose [85]. Specifically, rather than verifying the speed-independence of a circuit, their goal is to verify local formulas for circuits that have already been verified to be hazard-free (i.e., semi-modular). In other words, in a preprocessing stage, they must rely on traditional techniques to verify the speed-independence of the design. Nevertheless, their ideas are similar to ours in that, to achieve their goal, they argue that only one interleaving needs to be analyzed. Finally, the work by Kishinevsky et al. on the analysis and identification of a class of speed-independent circuits called distributive circuits [45] is based on the derivation of an event specification of the circuit behavior in an STG-like notation that also avoids the state space explosion problem. Their derivation of such a specification is based on notions of dependency and concurrency similar to those in our framework.

Chapter 7 SPHINX

We have developed a CAD tool named SPHINX which implements our proposed induced hierarchical verification framework for speed-independent circuits. There are three types of input files to the program. One input file describes the structure of the circuit as an interconnection of elementary, macro, or specification modules, along with additional information about the initial values of circuit signals and a suggested ordering for BDD variables. The second type of input file is used for the description of macro modules, which are collections of elementary circuit modules (e.g., gates). The third type of input file describes the specification modules as Petri-Net or STG specifications.
The user has to interactively specify the external variables of the circuit (and those of sub-circuits at different levels of hierarchy), and the variables that need to be projected away to derive safe specifications for circuit blocks. The current version of the tool does not perform any analysis to identify legal dependencies between circuit variables, and the user is expected to choose the set of external variables in such a way that they are closed under failure-free dependence. While adding a feature to automatically identify legal dependencies is quite straightforward, such a feature seems to be of little use, since in many speed-independent circuits the only types of legal dependencies are between the outputs of non-deterministic modules (output choice), which can easily be identified by the user.

The tool automatically encodes the automaton representation of modules. For each circuit and its specified set of external signals, the program finds a safe abstraction, if one exists, using symbolic partial order analysis, and automatically partitions the circuit into circuit blocks. Next, for each subsequent sub-circuit, the components of the sub-circuit are assigned (overloaded by) new descriptions relative to the context of that sub-circuit, and the sub-circuit is recursively analyzed. At the lowest level of the hierarchy, symbolic reachability analysis is used to verify failure-freedom of the flat sub-circuit. For comparison purposes, the tool can also perform symbolic reachability analysis and verify hazard-freedom on the original flat circuit. The tool can also utilize the extra level of abstraction of complex-gates. That is, for further speed-up, the partial order analysis can alternatively be performed on the complex-gate abstraction of the partitioned circuit, where the combinational cones of logic within the circuit blocks are collapsed into complex-gates.
The program can generate a state diagram description of any partially or fully explored state space that can be interpreted and viewed by another program, PARG (by Tomas Rokicki). Symbolic techniques (using the CUDD package of VIS [14]) are used to handle sets of states and any operations on them, including the partial order exploration of the state space, any full reachability analysis of the state space of a sub-circuit, checking the projectability of automata, and automata projections.

[Fig. 7.1 A FIFO controller of length = 8.]

The executable files of SPHINX, together with descriptions of tool capabilities, guidelines, sample circuits, and runtimes, are accessible at http://jungfrau.usc.edu/SPHINX/sphinx.html.

Table 1 shows some runtime results of the tool for two sets of examples, FIFO controllers (Figure 7.1) and DME-ring circuits of different lengths (Figures 7.2 and 7.3), on a Sun SPARCstation 5 with 32 MBytes of memory. As a measure of the amount of memory required, we use the maximum number of BDD nodes in use before any instance of garbage collection. The table shows that our hierarchical approach yields significant runtime speed-ups compared to flat verification, especially for the FIFO controller, which is an example of a circuit dominated by memory elements that can be successfully hidden in our verification framework. In fact, the speed-up grows exponentially with the length of the FIFO. This can be explained by the fact that, in the FIFO circuits, the depth of hierarchy increases logarithmically with the size of the circuit, while the maximum number of external gates always stays constant at four.
Table 1: SPHINX Experimental Results

Circuit      Depth of   Max # of         CPU-Time   Peak # of    CPU-Time   BDD Size   Projection
             Hierarchy  External Gates   (ms)       BDD Nodes    Ratio      Ratio      Depth
FIFO 4       0          6                120        1,005        1.0        1.0        -
FIFO 4       1          4                110        582          1.1        1.7
FIFO 8       0          10               1,010      4,964        1.0        1.0
FIFO 8       2          4                420        1,645        2.4        3.0
FIFO 16      0          18               64,510     585,740      1.0        1.0
FIFO 16      3          4                1,030      4,193        62.7       140
FIFO 32      0          34               1.5e+7     5.5e+5       1.0        1.0
FIFO 32      4          4                3,780      11,430       ~4000      ~47.0
FIFO 64      0          66               >180h      >35Mbyte     1.0        1.0
FIFO 64      5          4                12,420     28,116       N/A        N/A
DME-ring 2   0          32               6,490      16,584       1.0        1.0
DME-ring 2   1          21               5,310      17,768       1.2        0.9
DME-ring 2   1          19               4,630      25,194       1.4        0.7        1
DME-ring 2   2          15               7,550      15,880       0.9        1.0        1
DME-ring 2   2          12               8,150      101,353      0.8        0.2        2
DME-ring 3   0          48               95,320     501,919      1.0        1.0        -
DME-ring 3   1          26               24,300     28,094       3.9        17.9       -
DME-ring 3   1          21               22,730     31,734       4.4        15.8       1
DME-ring 3   2          17               29,600     26,702       3.2        18.8       1
DME-ring 3   2          15               37,410     26,702       2.5        18.8       2
DME-ring 4   0          64               617,470    3,086,251    1.0        1.0        -
DME-ring 4   1          31               94,390     46,632       6.5        66.2       -
DME-ring 4   1          26               79,750     48,466       7.7        63.7       1
DME-ring 4   2          22               115,280    48,466       5.4        63.7       1

[Fig. 7.2 A DME cell.]

On the other hand, for the DME-ring example, where the non-deterministic outputs of ME modules cannot be hidden, the depth of hierarchy remains constant while the number of initial sub-circuits and their sets of external signals grow linearly with the size of the circuit. Limited projection of the safe abstraction has proven to be the best option for the verification of the DME-ring example. This is due to the high cost of checking projectability of the safe abstractions and computing their projections.

[Fig. 7.3 A DME ring of length = 2. Two DME cells (one without token, one with token) connected through signals ur1, ur2, ua1, ua2.]
Chapter 8 Directions for Future Research

We presented a new approach for induced hierarchical verification of speed-independent circuits that improves upon previous approaches on some circuits. The approach generalizes previous efforts for the verification of speed-independent circuits [7, 8, 27, 53, 64, 65, 88] and is believed to have interesting relationships with current efforts in the analysis of synchronous circuits that have combinational loops [49, 20, 71, 72]. Our CAD tool SPHINX is already available on the World-Wide Web [91]. Our experiments with the tool have focused on example circuits for which the tool would promise an advantage over available tools such as Versify [64, 65], because our technique is a generalization of those techniques and reduces to them for other circuits. However, there is still room to further improve, optimize, and even test the tool on more circuits. Some features of the program that can be improved are its interface and error trace generation.

The following is a list of possible future directions for this research:

• a formal study of the extension of the framework to the verification of asynchronous circuits with relative timing assumptions, and in particular self-timed circuits; i.e., hierarchical verification and hierarchical extraction of relative-timing constraints/assumptions for such circuits, integration of the results of this research with techniques for (flat) verification of relative-timed circuits [44], etc.
• a formal study of extensions of this work to the verification of delay-insensitive circuits, quasi-delay-insensitive circuits, and verification of liveness properties.
• exploring applications of the framework to the analysis of synchronous circuits that have combinational loops.
• research on techniques/heuristics for automatic selection of observationally sufficient sets of external signals.
In the following sections, we first present some of our preliminary ideas and directions for extending the scope of our current framework to the domain of relative-timed circuit verification. We then present a discussion of the issues involved in using multiple safe abstractions for hierarchical verification, and close this chapter with an open conjecture on the correctness of a potential solution for this problem.

8.1 Hierarchical Verification of Relative-Timed Circuits

Speed-independent circuits (systems), as we know, are circuits which should work correctly regardless of component delays, absolute or relative. Equivalently, an SI circuit should work correctly for all possible orderings of events (e.g., signal transitions). In verifying speed-independent circuits (i.e., untimed systems), modules and specifications are modeled as if they have unbounded delays. Moreover, time is not quantitatively modeled; rather, it is inherently modeled in the evolution of the system through event occurrences.

In this section, we briefly discuss the problem of verifying another class of asynchronous circuits: circuits which are not speed-independent per se, yet whose failures are avoided by restricting the possible ordering of events through a set of timing constraints/assumptions. Timing constraints can be provided in the form of bounded delays for circuit modules and specifications. Verification of systems with such timing constraints (metric timing) requires explicit representation of time. There are techniques and tools for the verification of such systems which use either discrete or continuous time models. Continuous time models can provide accurate verification results. Discrete time models (e.g., [18, 13]), on the other hand, are often not as accurate, and may have partial failure coverage [79, 80, 89, 90].
Discrete time models use timer variables to model the passage of time, while dense time models use notions such as unit-cubes (regions) [3], or convex geometric regions (or zones) [28, 11, 38]. Both techniques suffer from the additional cost associated with explicit modeling of time, which aggravates the already serious problem of state explosion. Partial order techniques have been used to avoid the explosion of timed states (or regions) [87, 70, 84]. [66, 67, 59, 9, 10] use partially ordered sets (POSETs) of events to reduce the number of regions per untimed state.

Timing constraints can also be provided in the form of relative timing assumptions/constraints (RTA/RTC). Often, the environment behavior is assumed to be restricted by relative timing assumptions (RTA), while the circuit behavior is constrained by relative timing constraints (RTC). An RTA/RTC imposes restrictions on the possible orderings of some set of related events. As an example, an RTC may indicate that if a signal transition causally enables two other transitions, one of them will always occur before the other one. Such constraints restrict the reachable state space of a (closed) circuit, and if chosen correctly, can prevent a circuit from reaching its (untimed) failure states. Then, a physical implementation of the circuit will operate safely within its environment if both the implementation and the environment meet their relative timing constraints/assumptions. Aggressive asynchronous circuit design using relative timing is becoming the state of the art in asynchronous design. The RAPPID architecture is an example of such efforts [69]. Design and verification of RT circuits has been addressed by [73, 74, 26, 60]. Verification of circuits with relative timing information does not require explicit modeling of time.
All that is needed is to impose the timing assumptions/constraints when exploring the untimed state space of the circuit, pruning any part of the untimed state space which can be entered only by violating such constraints/assumptions. Thus flat verification of circuits with relative timing information seems to be a trivial problem.

Our hierarchical verification framework for SI circuits can easily be generalized to handle RT circuits. For this, we simply need to exercise the RTA/RTCs during any partial or full state space exploration of the circuit, whether it is for finding safe abstractions or for flat verification of a sub-circuit. As a result, safe abstractions of RT circuits would contain only those interleavings of events on external signals which adhere to the RTA/RTCs.

A safe abstraction of an RT circuit may need to carry further information about the relative ordering of events. For example, consider a timing constraint which involves three signals a, b, and c, with a eventually enabling b and c in some particular order. Moreover, assume that at some level of hierarchy, a becomes a hidden signal of one circuit block, and b and c become hidden signals of another circuit block. If RT information is not passed appropriately across levels of hierarchy, correct verification of the circuit block containing b and c may not be possible. This is because information regarding the correct ordering of events on b and c might have been lost in the safe abstraction, due to all signals a, b, and c being hidden signals. This example shows the importance of preserving RT constraints across levels of hierarchy and also across circuit blocks at any level of hierarchy.

Any RTA or RTC constraint can be modeled as an additional sequential circuit module whose inputs are the signals involved in the constraint.
The state of such a module accordingly evolves by events on its input signals. We call any such module which represents a constraint a constraint module.

[Figure 8.1: block diagram with ordinary modules, control modules and constraint modules, connected by circuit signals and by constraint/control signals/variables.]
Fig. 8.1 Modeling an RT circuit as an SI circuit with additional circuitry.

The firing of any circuit signal a of an RT circuit is controlled by the set of all constraints which constrain signal a. This can be modeled by an additional (control) input signal at the module that drives signal a. This additional control input signal allows the driving module to fire signal a only if all RTA/RTCs containing that event are satisfied. Such a control signal can in turn be produced by some logic that monitors the states of all constraint modules which have signal a in their input, and generates a ‘1’ output only if all the constraints are met. We call such a module a control module (see Figure 8.1).

Modelling the effect of RTA/RTCs by introducing constraint modules, new control signals at ordinary circuit modules, and the logic driving such control signals enables us to use the same framework for hierarchical verification of RT circuits that we had proposed for verification of speed-independent circuits. In other words, an RT circuit modeled as described above can be verified for failure-freedom as an ordinary SI circuit. The advantage of modeling RT circuits as SI circuits with additional circuitry is that safe abstractions of such circuits will automatically contain and carry all the RT information necessary for correct verification.
Example 8.1 Figure 8.2 shows the specification of a C-element, together with a Sum-of-Products implementation of it, and the circuit automaton of the implementation. As suggested by the circuit automaton, this SoP implementation of a C-element is not speed-independent, or failure-free. Note that to simplify the illustration, the failure transitions of the circuit are all directed to a failure state labeled F. The main cause of failures in this implementation is the possibility for the inputs of the circuit to change before its internal signals have stabilized. For example, consider the scenario in which inputs A and B both become ‘1’, causing u1 and then output C to become ‘1’. Now, if before signal u2 (u3) gets a chance to rise to ‘1’, input A (B) falls to ‘0’, then u2 (u3) becomes disabled, causing a failure. This failure can cause output C to fall to ‘0’, while it is expected to remain at ‘1’.

The SoP implementation of the C-element will be failure-free if two relative timing constraints are satisfied by the environment of the C-element. These constraints limit the response time of the environment to changes at the output of the C-element, such that the circuit’s inputs are not changed before its internal signals have stabilized.

[Figure 8.2: (a) specification of a C-element; (b) Sum-of-Products implementation; (c) circuit automaton over [A,B,C,u1,u2,u3].]
Fig. 8.2 A Sum-of-Products implementation of a C-element.

These two RTCs are C+ u2+ < C+ A- and C+ u3+ < C+ B-. They state that the sequence of transitions consisting of the rising of C followed by the rising of u2 (u3) has to happen before the sequence of transitions consisting of the rising of C followed by the falling of A (B).

[Figure 8.3: automaton of the constraint module over [C,u2,A].]
Fig. 8.3 Modelling an RTC.
For this particular circuit, the RTC condition C+ u2+ < C+ A- (similarly C+ u3+ < C+ B-) can be modelled by a module with the automaton of Figure 8.3. The inputs of such a module are signals C and u2, and its output is signal A. Failure transitions (by unexpected inputs) are omitted for the sake of clarity. This model is developed using knowledge about the sequences of signal transitions that are possible in the circuit. For example, it is not possible for signal C of this circuit to fall before both signals A and u2 fall. If such knowledge is not available, the RTC can be modelled with more general and complicated Petri nets. Such general models may allow the signals involved in the RTC to reset right after they have made the transitions specified in the RTC; however, after a reset, they may not allow the signals to make any further transitions before all transitions specified in the RTC have occurred. Such general models may also allow each signal to reset any time after it has made its transition, as late as right before its next expected transition in the RTC.

The above modules cannot be directly composed with the ordinary modules of a circuit to impose the corresponding RTC constraints. The reason is that the outputs of these modules (e.g., signal A) are in fact driven by other modules (e.g., the environment), and by the definition of a circuit, no two modules can drive the same signal.

[Figure 8.4: (a) a zero-delay constraint module with output A_e to control the falling transitions of signal A; (c) an inverter controlled by signal EA; (d) the module automaton of the controlled inverter.]
Fig. 8.4 Modeling the effect of multiple RTCs on an inverter.
This problem can be resolved by making all signals involved in an RTC constraint input signals of its constraint module, and including an output signal that simultaneously becomes ‘1’ with the second transition of the RTC, and ‘0’ with the last transition of the RTC. Such a module acts like a zero-delay module whose output fires right after it becomes enabled, with no delay.

[Figure 8.4(b): a zero-delay control module with output EA to control the falling transitions of signal A; automaton over [D,EA,A].]

The automaton of such a constraint module for RTC C+ u2+ < C+ A- is depicted in Figure 8.4.a. The set of inputs of the new constraint module is {C,u2,A}, and its output set is {A_e}. Signal A_e can then be used to enable the falling transition of signal A. As an example, assume that there is an inverter in the circuit that drives signal A (Figure 8.4.c). Moreover, assume that there are multiple RTC constraint modules for the falling transition of A, and each of them has a zero-delay output, A_e. The control module of the inverter gate can be modelled by a zero-delay speed-independent C-element that collects the A_e signals and generates a ‘1’ at its output, EA, immediately following the instant at which all A_e signals become one (Figure 8.4.b). Note that the falling of A will simultaneously reset all A_e signals and signal EA. The model of the inverter gate that drives signal A also needs to be modified, such that it supports an additional input that is driven by signal EA (Figures 8.4.c and 8.4.d). This controlled model of an inverter monitors its control input EA and has a falling transition at the output A only if EA is ‘1’; otherwise, the output transition is postponed (Figure 8.4.d). Note that the transition of A after EA does not need to be a zero-delay transition.
It is notable that the model of the controlled inverter illustrated in Figure 8.4.d is a simplified model, based on knowledge about the possible behaviors; e.g., it has taken advantage of the knowledge that EA can become ‘1’ only after A rises. If such knowledge were not captured in the model, its automaton would be more complicated.

The above example illustrates some of the issues that arise when using our framework for hierarchical verification of RT circuits. The most important issue is that modelling the effect of RTC/RTAs by additional circuitry requires the introduction of the notion of zero-delay modules into the framework. Our present framework already supports the notion of internal state variables of modules that can change simultaneously with the I/O signals of their modules. Extending the framework to handle concurrent transitions of I/O signals is believed to affect only the semantics of the behavior of a circuit, and not the correctness of the framework. However, a proof of concept and feasibility of this approach requires further research. Efficient implementation of the effect of RTA/RTCs through additional circuitry and modified ordinary modules, choosing OSV sets over the newly introduced variables, and correct handling of projections of such variables seem to be other important issues that need to be further investigated.

We close this section by pointing to another problem which is closely related to verification of RT circuits, namely automatic extraction of RTA/RTCs for such circuits. Assuming that automatic extraction frameworks are available for flat RT circuits, it might be possible to combine our proposed hierarchical verification framework with such frameworks for hierarchical extraction of RTA/RTCs. Studying the involved issues and problems is another interesting area for future research.
8.2 Hierarchical Verification using Multiple Safe Abstractions

In this subsection, we discuss a variation of our hierarchical verification framework which seems to be an attractive alternative approach. This variation aims at verifying the conformance of the circuit blocks of a circuit to safe specifications that are not derived from the same safe abstraction; i.e., it uses multiple safe abstractions for the derivation of sub-circuits. A particular problem with this approach is illustrated through an example. Then we propose a slight modification of our framework which might legitimize using multiple safe abstractions for hierarchical verification. However, the correctness of the new approach, or the existence of any correct approach for hierarchical verification using multiple safe abstractions, remains an open problem.

In our framework, we partition a given circuit into a set of circuit blocks, find a safe abstraction of the behavior of the external signals that partition the circuit, and verify each circuit block against a safe specification that is obtained from the safe abstraction. An alternative approach which may come to mind is to:
(i) select a set of circuit super-blocks that is a covering set for the circuit modules, and which can possibly overlap; each super-block is partitioned into a set of circuit blocks;
(ii) for each super-block, find a safe abstraction over a set of external circuit variables that is a superset of the I/O variables of the circuit blocks in that super-block;
(iii) verify each circuit block of a super-block against a safe specification that is derived from the safe abstraction found for that super-block (see Figure 8.5).
This alternative approach is appealing since a safe abstraction that is used to verify the circuit blocks of a super-block has potentially a smaller set of external signals compared to a single safe abstraction that is used to verify all circuit blocks of a circuit. Since the complexity of finding each safe abstraction is exponential in the number of the corresponding external variables, the overall cost of finding multiple safe abstractions can be less than that of finding a single safe abstraction for all the circuit blocks. Note that by allowing the super-blocks to overlap in the proposed scenario, a single module can appear in multiple circuit blocks (of multiple super-blocks), and be verified multiple times.

Fig. 8.5 An abstract view of a circuit with a covering set of super-blocks.

The problem with the above approach arises from the very fact that not all circuit blocks are verified against the same safe abstraction. It is not hard to imagine a case in which the safe abstractions that are used to verify the circuit blocks of different super-blocks are all under-approximated abstractions such that the internal failures of their corresponding circuit blocks do not get a chance to manifest themselves. In contrast, when a single under-approximated safe abstraction is used to verify all circuit blocks, the sources of under-approximation, which are failure(s) in some of the circuit blocks, will all be found during the verification of those failing circuit blocks.

[Figure 8.6: (a) a problematic state, with a=0, b=1, c=1; (b) a problematic transition, with d=1, b=1, c=1.]
Fig. 8.6 Incorrect verification using multiple safe abstractions.

Figure 8.6.a illustrates an example of a circuit which is not always verifiable if multiple safe abstractions are used to verify its circuit blocks. The indicated (initial)
state of the circuit ([abcd] = 0111) is selected very carefully; all three signals a, b, and c are simultaneously enabled in that state, but the firing of any one of them will disable another one of them, causing a failure. For example, a can rise and disable c; b can fall and disable a; and c can fall and disable b. All of the following are true of this circuit:
(i) 0111, 1111, 1011 is a trace of the circuit which yields an under-approximated safe abstraction 11, 01 over the I/O signals of the inverter ([bc]). The inverter is failure-free in the environment specified by this safe abstraction;
(ii) 0111, 0101, 1101 is a trace of the circuit which yields an under-approximated safe abstraction 011, 111 over the I/O signals of the top C-element ([abd]). The top C-element is failure-free in the environment specified by this safe abstraction;
(iii) 0111, 0011, 0001 is a trace of the circuit which yields an under-approximated safe abstraction 011, 001 over the I/O signals of the bottom C-element ([acd]). The bottom C-element is failure-free in the environment specified by this safe abstraction.

Thus, using different safe abstractions to verify the circuit blocks (modules) of this circuit may result in a false positive verification result for the circuit. On the other hand, and as an example of using a single safe abstraction to verify all circuit blocks, if the two C-elements were verified using the safe abstraction used for the inverter (i.e., 0111, 1111, 1011), then a failure on the top C-element would have been detected, which would correctly imply the failure of the circuit. The example of Figure 8.6.a was able to illustrate the potential problem of using multiple safe abstractions because it had multiple failures which could mask each other in different safe abstractions.
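To make the masking effect concrete, the following is an added example (not code from the thesis or its SPHINX tool): a toy SI explorer in Python over a reconstruction of the circuit of Figure 8.6.a, with modules named by the signal they drive. The gate functions are an assumption, since the figure is not recoverable from the text: the C-element driving c is taken to see d through an inverting input, which is what makes a+, b- and c- all enabled in 0111 with each firing disabling another, so the three traces above behave exactly as stated. The code projects each trace onto a module's I/O signals, verifies every module against the abstraction from its own trace (all pass, the false positive), and then verifies all modules against the single abstraction taken from the inverter's trace, where one of the C-elements fails.

```python
"""Toy speed-independent (SI) circuit explorer, constructed for this example.
The gate functions are a reconstruction (assumption): the C-element driving c
is given an inverting input on d so that a+, b- and c- are all enabled in
state 0111 and each firing disables another one, as the text describes."""

SIGNALS = "abcd"     # state strings list the signals in this order, e.g. "0111"


def c_element(x, y, q):
    """Muller C-element: the output follows the inputs when they agree, else holds."""
    return x if x == y else q


# output signal -> (I/O signals of the module, next-value function over those signals)
MODULES = {
    "b": ("bc", lambda s: 1 - s["c"]),                              # inverter
    "a": ("abd", lambda s: c_element(s["b"], s["d"], s["a"])),      # C-element over [abd]
    "c": ("acd", lambda s: c_element(s["a"], 1 - s["d"], s["c"])),  # C-element over [acd], assumed inverting d
}


def enabled(state):
    """Signals whose driving module wants a value different from the current one.
    d is a primary input, held constant by the environment in this example."""
    s = dict(zip(SIGNALS, map(int, state)))
    return {out for out, (_, nxt) in MODULES.items() if nxt(s) != s[out]}


def disabled_along(trace):
    """Flat check of a trace: modules whose enabled output transition is
    disabled by some other signal firing (the SI failure the text describes)."""
    failed = set()
    for cur, new in zip(trace, trace[1:]):
        fired = {x for x, p, q in zip(SIGNALS, cur, new) if p != q}
        failed |= (enabled(cur) - enabled(new)) - fired
    return failed


def project(trace, sigs):
    """Projection of a state sequence onto sigs with stuttering removed: the
    (under-approximated) safe abstraction the text derives from each trace."""
    idx = [SIGNALS.index(x) for x in sigs]
    out = []
    for st in trace:
        p = "".join(st[i] for i in idx)
        if not out or out[-1] != p:
            out.append(p)
    return out


def verify_module(out_sig, abstraction):
    """Verify one module against an abstraction over its I/O signals.
    Fails if the output fires while not enabled, or if an input change
    disables a pending output transition."""
    io, nxt = MODULES[out_sig]
    for cur, new in zip(abstraction, abstraction[1:]):
        s_cur = dict(zip(io, map(int, cur)))
        s_new = dict(zip(io, map(int, new)))
        was_enabled = nxt(s_cur) != s_cur[out_sig]
        if s_cur[out_sig] != s_new[out_sig]:
            if not was_enabled:
                return False
        elif was_enabled and nxt(s_new) == s_new[out_sig]:
            return False
    return True


# The three traces the text lists, all starting in the initial state 0111.
TRACES = {
    "b": ["0111", "1111", "1011"],   # a+ then b-: used for the inverter
    "a": ["0111", "0101", "1101"],   # c- then a+: used for the C-element driving a
    "c": ["0111", "0011", "0001"],   # b- then c-: used for the C-element driving c
}


def multiple_abstractions():
    """Each module against the abstraction projected from its own trace."""
    return {m: verify_module(m, project(TRACES[m], MODULES[m][0])) for m in MODULES}


def single_abstraction(trace):
    """Every module against abstractions projected from one common trace."""
    return {m: verify_module(m, project(trace, MODULES[m][0])) for m in MODULES}


if __name__ == "__main__":
    print("enabled in 0111:", sorted(enabled("0111")))
    print("multiple abstractions:", multiple_abstractions())       # all True: false positive
    print("single abstraction:", single_abstraction(TRACES["b"]))  # C-element driving c fails
    print("flat check of that trace:", disabled_along(TRACES["b"]))
```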
This particular condition, although seemingly artificial, can occur in practice, as illustrated in Figure 8.6.b. In Figure 8.6.b, there exists a race between the transitions of the two signals d and b, such that b falling first will cause no subsequent failures, but d rising first will enable multiple simultaneous failures; i.e., d rising will enable two more transitions (on a and c), with all of the enabled transitions leading to failures. This situation is reminiscent of a violation of fundamental mode constraints, since the input signal d is changing before the circuit has stabilized. Multiple simultaneous failures are not always enabled as described above; they can become enabled as a result of a single failure as well. In such a case, it might be possible to locate the actual source of the failures (the single failure initiating the other failures) in the sub-circuit containing the failing module.

At this point, we present one possible solution to the problem of using multiple safe abstractions for hierarchical verification. We have not been able to prove or disprove the correctness of this solution yet, and thus it remains an open problem for future research. This possible solution is based on a slight modification of the definition and derivation of safe abstractions. Our original definitions suggest that a safe abstraction of the behavior of a circuit is the projection of a sub-automaton of the circuit automaton that is assumed to be failure-free. This implies that during the construction of the sub-automaton out of the circuit description, there is no need to pay attention to failure transitions that might have been explored, since any such failures can be detected later when verifying the circuit blocks using a single safe abstraction.
Not checking for failures during the derivation of safe abstractions is also motivated by the fact that it reduces the cost of finding safe abstractions. The suggested modification in the definition and derivation of safe abstractions is as follows: during construction of each sub-automaton from which a safe abstraction is derived, all failure transitions are checked for; if any failure transition is detected then the circuit obviously has a failure, otherwise the sub-automaton is truly failure-free. The new solution would then identify a circuit as failure-free iff for every super-block of the circuit the sub-automaton used to derive its safe abstraction is truly failure-free and all sub-circuits of the super-block are failure-free.

The above modification in the derivation of safe abstractions guarantees that if a failure transition that is located outside a super-block is explored in the safe abstraction of that super-block, the failure is not masked out during verification of the circuit blocks of the super-block. However, it is still possible for all failures that are located outside the super-block to be missing from the safe abstraction. Such a condition can result in an under-approximated safe abstraction which can in turn hide internal failures of the super-block. The only situation in which the suggested solution can fail to correctly verify a circuit is when the circuit has a failure, yet all sub-automata of safe abstractions and all sub-circuits of the super-blocks are failure-free. This can happen only if during verification of sub-circuits, failures originating from within the circuit blocks are never activated. But that can possibly happen only if all (failure-free) safe abstractions which are used for verifying failing circuit blocks are under-approximations that can hide all the failures of those blocks.
Note that if a safe abstraction is exact, the internal failures of the circuit blocks of its super-block are always guaranteed to be found. A proof or disproof of the suggested solution has to show whether or not the combination of the above conditions is ever possible. Even if the correctness of the suggested solution can be proven, the approach can be more expensive than our original approach (using a single safe abstraction) since it has to investigate all transitions of all sub-automata for possible failures.

Bibliography

[1] R. Alur, R. K. Brayton, T. A. Henzinger, S. Qadeer, and S. K. Rajamani, “Partial-order reduction in symbolic state space exploration,” in Proc. 9th Int. Conf. Computer Aided Verification, LNCS 1254, Springer-Verlag, June 1997, pp. 340-351.
[2] R. Alur and T. A. Henzinger, “Reactive Modules,” Formal Methods in System Design, vol. 15, 1999, pp. 7-48.
[3] R. Alur, Techniques for Automatic Verification of Real-Time Systems, Ph.D. Thesis, Stanford University, August 1991.
[4] R. Alur and D. Dill, “A theory of timed automata,” Theoretical Computer Science, vol. 126, no. 2, 1994, pp. 183-235.
[5] R. Alur and R. P. Kurshan, “Timing analysis in COSPAN,” in Proc. Hybrid Systems III: Verification and Control, 1996, pp. 220-231.
[6] P. A. Beerel, CAD Tools for the Synthesis, Verification, and Testability of Robust Asynchronous Circuits, Ph.D. Thesis, Stanford University, August 1994.
[7] P. A. Beerel, J. R. Burch, and T. H.-Y. Meng, “Efficient verification of determinate speed-independent circuits,” in Proc. Int. Conf. Computer Aided Design, ICCAD-93, IEEE Computer Society Press, 1993, pp. 261-267.
[8] P. A. Beerel, J. R. Burch, and T. H. Meng, “Checking combinational equivalence of speed-independent circuits,” Formal Methods in System Design, vol. 13, Kluwer Academic Publishers, Boston, 1998, pp. 37-85.
[9] W. Belluomini and C. J. Myers, “Verification of timed systems using POSETS,” in Proc. 10th Int. Conf. Computer Aided Verification, Springer-Verlag, June 1998, pp. 403-415.
[10] W. Belluomini and C. J. Myers, “Efficient timing analysis algorithms for timed state space exploration,” in Proc. 3rd Int. Symp. Advanced Research in Asynchronous Circuits and Systems, IEEE Computer Society Press, April 1997, pp. 88-100.
[11] B. Berthomieu and M. Diaz, “Modeling and verification of time dependent systems using time Petri nets,” IEEE Transactions on Software Engineering, vol. 17, no. 3, March 1991, pp. 259-273.
[12] K. van Berkel, F. Huberts, and A. Peeters, “Stretching quasi delay insensitivity by means of extended isochronic forks,” in Asynchronous Design Methodologies, IEEE Computer Society Press, May 1995, pp. 99-106.
[13] M. Bozga, O. Maler, A. Pnueli, and S. Yovine, “Some progress in the symbolic verification of timed automata,” in Proc. 9th Int. Conf. Computer Aided Verification, LNCS 1254, Springer-Verlag, June 1997, pp. 179-190.
[14] R. K. Brayton et al., “VIS: A system for verification and synthesis,” in Proc. 8th Int. Conf. Computer Aided Verification, LNCS 1102, Springer-Verlag, July/Aug. 1996, pp. 428-432.
[15] J. A. Brzozowski and C.-J. H. Seger, Asynchronous Circuits, Springer-Verlag, New York, 1995.
[16] J. A. Brzozowski and H. Zhang, Delay-insensitivity and semi-modularity, Technical Report CS-97-11, Dept. of Computer Science, Univ. of Waterloo, Mar. 1997.
[17] J. A. Brzozowski and J. C. Ebergen, “On the delay-sensitivity of gate networks,” IEEE Transactions on Computers, vol. 41, Nov. 1992, pp. 1349-1360.
[18] J. R. Burch, E. M. Clarke, D. E. Long, K. L. McMillan, and D. L. Dill, “Symbolic model checking for sequential circuit verification,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 13, no. 4, April 1994, pp. 401-424.
[19] J. R. Burch, “Modeling timing assumptions with trace theory,” in Proc. Int. Conf. on Computer Design: VLSI in Computers and Processors, 1989, pp. 208-211.
[20] J. R. Burch, D. Dill, E. Wolf, and G. De Micheli, “Modeling hierarchical combinational circuits,” in Proc. Int. Conf. Computer Aided Design, Nov. 1993, pp. 612-618.
[21] S. M. Burns, “General conditions for the decomposition of state holding elements,” in Proc. 2nd Int. Symp. Advanced Research in Asynchronous Circuits and Systems, IEEE Computer Society Press, March 1996, pp. 48-57.
[22] T.-A. Chu, “Synthesis of self-timed control circuits from graphs: An example,” in Proc. of IEEE Int. Conf. on Computer Design, Oct. 1986, pp. 565-571.
[23] J. N. Cook, Production rule verification for quasi-delay-insensitive circuits, Master’s thesis, California Institute of Technology, June 1993.
[24] T. H. Cormen, C. E. Leiserson, and R. L. Rivest, Introduction to Algorithms, The MIT Press, 1990.
[25] J. Cortadella, M. Kishinevsky, A. Kondratyev, L. Lavagno, E. Pastor, and A. Yakovlev, “Decomposition and technology mapping of speed-independent circuits using Boolean relations,” in Proc. of Int. Conf. on Computer Aided Design, 1997, pp. 220-227.
[26] J. Cortadella, M. Kishinevsky, A. Kondratyev, L. Lavagno, A. Taubin, and A. Yakovlev, “Lazy transition systems: application to timing optimization of asynchronous circuits,” in Proc. Int. Conf. Computer-Aided Design, Nov. 1998, pp. 324-331.
[27] D. L. Dill, Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits, ACM Distinguished Dissertations Series, The MIT Press, 1988.
[28] D. L. Dill, “Timing assumptions and verification of finite-state concurrent systems,” in Proc. of the Workshop on Automatic Verification Methods for Finite-State Systems, 1989.
[29] J. C. Ebergen and A. M. G. Peeters, “Modulo-N Counters: Design and Analysis of Delay-Insensitive Circuits,” in Proc. Int. Workshop on Designing Correct Circuits, Elsevier, 1992, pp. 27-46.
[30] J. C. Ebergen, Translating Programs into Delay-Insensitive Circuits, Dissertation, Eindhoven University of Technology, Dept. of Computing Science, Oct. 1987.
[31] J. C. Ebergen and S. Gingras, “A verifier for network decompositions of command-based specifications,” in Proc. of HICSS, 1993.
[32] P. Godefroid, Partial-Order Methods for Verification of Concurrent Systems, LNCS 1032, Springer-Verlag, 1996.
[33] P. Godefroid and P. Wolper, “A partial approach to model checking,” Information and Computation, vol. 110, May 1994, pp. 305-326.
[34] G. Gopalakrishnan, “A correctness criterion for asynchronous circuit validation and optimization,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 13, no. 11, Nov. 1994.
[35] R. H. Hardin, Z. Har’El, and R. P. Kurshan, “COSPAN,” in Proc. 8th Int. Conf. Computer Aided Verification, LNCS 1102, Springer-Verlag, July/Aug. 1996, pp. 423-427.
[36] S. Hauck, “Asynchronous Design Methodologies: An Overview,” Proceedings of the IEEE, vol. 83, no. 1, January 1995, pp. 69-93.
[37] G. H. Holzmann and D. Peled, “The state of SPIN,” in Proc. 8th Int. Conf. Computer Aided Verification, LNCS 1102, Springer-Verlag, July/Aug. 1996, pp. 385-389.
[38] H. Hulgaard, Timing Analysis and Verification of Timed Asynchronous Circuits, Ph.D. Thesis, University of Washington, 1995.
[39] M. B. Josephs, S. M. Nowick, and C. H. (Kees) Van Berkel, “Modeling and Design of Asynchronous Circuits,” Proceedings of the IEEE, vol. 87, no. 2, February 1999, pp. 234-242.
[40] M. B. Josephs, “Receptive Process Theory,” Acta Informatica, vol. 29, 1992, pp. 17-31.
[41] M. B. Josephs and J. T. Udding, “An Overview of DI Algebra,” in Proc. of 26th Annu. Hawaii Int. Conf. System Sciences, vol. 1, 1993, pp. 329-338.
[42] H. Kagotani and T. Nanya, “A synthesis method of quasi-delay-insensitive processors based on dependency graph,” in Asia-Pacific Conf. on Hardware Description Languages, October 1994, pp. 177-184.
[43] R. M. Keller, “A fundamental theorem of asynchronous parallel computation,” Lecture Notes in Computer Science, vol. 24, 1975, pp. 103-112.
[44] H. Kim and P. A. Beerel, “Relative Timing Based Verification of Timed Circuits and Systems,” in Proc. of Int. Workshop on Logic Synthesis, IWLS-99, June 1999.
[45] M. Kishinevsky, A. Kondratyev, A. Taubin, and V. Varshavsky, “Analysis and identification of speed-independent circuits on an event model,” to appear in Formal Methods in System Design.
[46] A. Kondratyev, J. Cortadella, M. Kishinevsky, L. Lavagno, and A. Yakovlev, “Technology mapping for speed-independent circuits: decomposition and resynthesis,” in Proc. 3rd Int. Symp. Advanced Research in Asynchronous Circuits and Systems, IEEE Computer Society Press, April 1997, pp. 240-253.
[47] R. P. Kurshan, Computer-Aided Verification of Coordinating Processes - The Automata-Theoretic Approach, Princeton Univ. Press, 1994.
[48] L. Lavagno, Synthesis and Testing of Bounded Wire Delay Asynchronous Circuits from Signal Transition Graphs, Ph.D. Dissertation, Univ. California, Berkeley, CA, 1992.
[49] S. Malik, “Analysis of cyclic combinational circuits,” in Proc. of Int. Conf. Computer Aided Design, Nov. 1993, pp. 618-625.
[50] R. Manohar and A. J. Martin, “Quasi-delay-insensitive circuits are Turing-complete,” in Proc. 2nd Int. Symp. on Advanced Research in Asynchronous Circuits and Systems, IEEE Computer Society Press, March 1996.
[51] A. J. Martin, “Compiling communicating processes into delay-insensitive VLSI circuits,” Distributed Computing, vol. 1, 1986, pp. 226-234.
[52] A. Mazurkiewicz, “Basic notions of trace theory,” in Workshop on Linear Time, Branching Time, and Partial Order in Logics and Models for Concurrency, LNCS 354, Springer-Verlag, 1988, pp. 285-363.
[53] K. L. McMillan, “A technique of state space search based on unfolding,” Formal Methods in System Design, vol. 6, Kluwer Academic Publishers, Boston, 1995, pp. 45-65.
[54] K. L. McMillan, Symbolic Model Checking, Kluwer Academic Publishers, New York, 1993.
[55] R. E. Miller, Switching Theory. Vol. II: Sequential Circuits and Machines, John Wiley and Sons, 1965.
[56] C. E. Molnar, T. P. Fang, and F. U. Rosenberger, “Synthesis of Delay-Insensitive Modules,” in Proc. of the 1985 Chapel Hill Conf. on VLSI, Computer Science Press, Rockville, Maryland, 1986, pp. 67-86.
[57] D. E. Muller and W. S. Bartky, “A Theory of Asynchronous Circuits,” in The Annals of the Computation Laboratory of Harvard University, Vol. XXIX: Proc. of an Int. Symp. on the Theory of Switching, Part I, Harvard University Press, 1959, pp. 204-243.
[58] T. Murata, “Petri nets: Properties, analysis and applications,” Proceedings of the IEEE, vol. 77, no. 4, Apr. 1989, pp. 541-574.
[59] C. J. Myers, Computer-Aided Synthesis and Verification of Gate-Level Timed Circuits, Ph.D. Thesis, Stanford University, 1995.
[60] R. Negulescu and A. Peeters, “Verification of Speed-Dependences in Single-Rail Handshake Circuits,” in Proc. of 4th Int. Symp. Advanced Research in Asynchronous Circuits and Systems, IEEE Computer Society Press, 1998, pp. 159-170.
[61] E. Pastor, J. Cortadella, and M. A. Pena, “Structural Methods to Improve the Symbolic Analysis of Petri Nets,” in Proc. 20th Int. Conf. on Application and Theory of Petri Nets, June 1999.
[62] D. Peled, “Ten Years of Partial Order Reduction,” in Proc. of 10th Int. Conf. on Computer Aided Verification, Springer-Verlag, 1998, pp. 17-28.
[63] D. Peled, “Combining partial order reductions with on-the-fly model-checking,” Formal Methods in System Design, vol. 8, 1996, pp. 39-64.
[64] O. Roig, J. Cortadella, and E. Pastor, “Verification of asynchronous circuits by BDD-based model checking of Petri nets,” in 16th Int. Conf. on Theory and Application of Petri Nets, Torino, Italy, June 1996.
[65] O. Roig, Formal Verification and Testing of Asynchronous Circuits, Ph.D. Thesis, Univ. Politecnica de Catalunya, Barcelona, 1997.
[66] T. G. Rokicki, Representing and Modeling Circuits, Ph.D. Thesis, Stanford University, 1993.
[67] T. G. Rokicki and C. J. Myers, “Automatic verification of timed circuits,” in Proc. of 6th Int. Conf. on Computer Aided Verification, LNCS 818, Springer-Verlag, 1994, pp. 468-480.
[68] L. Ya. Rosenblum and A. V. Yakovlev, “Signal graphs: From self-timed to timed ones,” in Int. Workshop on Timed Petri Nets, July 1985, pp. 199-206.
[69] S. Rotem, K. Stevens, R. Ginosar, P. Beerel, C. Myers, K. Yun, R. Kol, C. Dike, M. Roncken, and B. Agapiev, “RAPPID: An Asynchronous Instruction Length Decoder,” in Proc. of the 5th Int. Symp. Advanced Research in Asynchronous Circuits and Systems, IEEE Computer Society Press, April 1999, pp. 60-70.
[70] A. Semenov and A. Yakovlev, “Verification of asynchronous circuits using time Petri-net unfolding,” in Proc. of ACM/IEEE Design Automation Conference, 1996.
[71] T. R. Shiple, G. Berry, and H. Touati, “Constructive analysis of cyclic circuits,” in Proc. of ED&TC-96, March 1996, pp. 328-333.
[72] T. R. Shiple, V. Singhal, R. K. Brayton, and A. L. Sangiovanni-Vincentelli, “Analysis of combinational cycles in sequential circuits,” in Proc. of ISCAS-96, May 1996, pp. 592-595.
[73] K. Stevens, S. Rotem, M. Burns, J. Cortadella, R. Ginosar, M. Kishinevsky, and M. Roncken, “CAD directions for high performance asynchronous circuits,” in Proc. ACM/IEEE Design Automation Conference, 1999, pp. 116-121.
[74] K. Stevens, R. Ginosar, and S. Rotem, “Relative Timing,” in Proc. of 5th Int. Symp. Advanced Research in Asynchronous Circuits and Systems, IEEE Computer Society Press, April 1999, pp. 208-218.
[75] S. Tasiran and R. K. Brayton, “STARI: A case study in compositional and hierarchical timing verification,” in Proc. 9th Int. Conf. Computer Aided Verification, LNCS 1254, Springer-Verlag, 1997, pp. 191-201.
[76] J. T. Udding, “A Formal Model for Defining and Classifying Delay-Insensitive Circuits and Systems,” Distributed Computing, vol. 1, no. 4, 1986, pp. 197-204.
[77] S. H. Unger, Asynchronous Sequential Switching Circuits, John Wiley and Sons, 1969.
[78] S. H. Unger, “Hazards, Critical Races, and Metastability,” IEEE Transactions on Computers, vol. 44, no. 6, June 1995, pp. 754-768.
[79] V. Vakilotojar and P. A. Beerel, “RTL verification of timed asynchronous and heterogeneous systems using symbolic model checking,” INTEGRATION, The VLSI Journal, December 1997.
[80] V. Vakilotojar and P. A. Beerel, “RTL verification of timed asynchronous and heterogeneous systems using symbolic model checking,” in Proc. ASPDAC-97, January 1997.
[81] A. Valmari, “Stubborn sets for reduced state space generation,” in Proc. 10th Int. Conf. on Petri Nets, vol. II, 1989, pp. 1-22.
[82] A. Valmari, “On-the-fly verification with stubborn sets,” in Proc. of 5th Int. Conf. Computer Aided Verification, LNCS 697, Springer-Verlag, 1993, pp. 397-408.
[83] C. H. (Kees) Van Berkel, M. B. Josephs, and S. M. Nowick, “Scanning the Technology,” Proceedings of the IEEE, vol. 87, no. 2, February 1999, pp. 223-233.
[84] E. Verlind, G. de Jong, and B. Lin, “Efficient partial enumeration for timing analysis of asynchronous systems,” in Proc. of ACM/IEEE Design Automation Conference, 1996.
[85] D. T. Weih and M. R. Greenstreet, “Verification of speed-independent data-path circuits,” IEE Proceedings-Computers and Digital Techniques, vol. 143, no. 5, Sept. 1996, pp. 295-300.
[86] H. Wong-Toi and D. L. Dill, “Verification of real-time systems by successive over and under approximation,” in Proc. of 7th Int. Conf. Computer-Aided Verification, LNCS 939, July 1995, pp. 409-422.
[87] T. Yoneda, A. Shibayama, B. Schlingloff, and E. M. Clarke, “Efficient verification of parallel real time systems,” in Proc. of 5th Int. Conf. Computer Aided Verification, Springer-Verlag, 1993, pp. 321-323.
[88] T. Yoneda and T. Yoshikawa, “Using partial orders for trace theoretic verification of asynchronous circuits,” in Proc. 2nd Int. Symp. Advanced Research in Asynchronous Circuits and Systems, IEEE Computer Society Press, March 1996, pp. 152-163.
[89] K. Y. Yun, P. A. Beerel, V. Vakilotojar, A. Dooply, and J. Arceo, “The design and verification of a low-control-overhead asynchronous differential equation solver,” in Proc. 3rd Int. Symp. Advanced Research in Asynchronous Circuits and Systems, IEEE Computer Society Press, April 1997, pp. 140-153.
[90] K. Y. Yun, P. A. Beerel, V. Vakilotojar, A. Dooply, and J. Arceo, “The design and verification of a low-control-overhead asynchronous differential equation solver,” IEEE Transactions on VLSI, vol. 6, Dec. 1998, pp. 643-655.
[91] The current version of SPHINX is accessible at http://jungfrau.usc.edu/SPHINX/sphinx.html.
Asset Metadata
Creator: Vakilotojar, Vida (author)
Core Title: Induced hierarchical verification of asynchronous circuits using a partial order technique
School: Graduate School
Degree: Doctor of Philosophy
Degree Program: Computer Engineering
Publisher: University of Southern California (original), University of Southern California. Libraries (digital)
Tag: Computer Science, engineering, electronics and electrical, OAI-PMH Harvest
Language: English
Contributor: Digitized by ProQuest (provenance)
Advisor: Beerel, Peter (committee chair), Dubois, Michel (committee member), Goel, Ashish (committee member), Gupta, Sandeep (committee member), Pedram, Massoud (committee member)
Permanent Link (DOI): https://doi.org/10.25549/usctheses-c16-88870
Unique identifier: UC11337935
Identifier: 3018140.pdf (filename), usctheses-c16-88870 (legacy record id)
Legacy Identifier: 3018140.pdf
Dmrecord: 88870
Document Type: Dissertation
Rights: Vakilotojar, Vida
Type: texts
Source: University of Southern California (contributing entity), University of Southern California Dissertations and Theses (collection)
Access Conditions: The author retains rights to his/her dissertation, thesis or other graduate work according to U.S. copyright law. Electronic access is being provided by the USC Libraries in agreement with the au...
Repository Name: University of Southern California Digital Library
Repository Location: USC Digital Library, University of Southern California, University Park Campus, Los Angeles, California 90089, USA
Tags: engineering, electronics and electrical