Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM...
-
date post
20-Dec-2015 -
Category
Documents
-
view
215 -
download
1
Transcript of Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM...
![Page 1: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/1.jpg)
Penn ESE 535 Spring 2008 -- DeHon 1
ESE535:Electronic Design Automation
Day 22: April 23, 2008
FSM Equivalence Checking
![Page 2: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/2.jpg)
Penn ESE 535 Spring 2008 -- DeHon 2
Today
• Sequential Verification– DFA equivalence– Issues
• Extracting STG• Valid state reduction• Incomplete Specification
– Solutions• State PODEM• State/path exploration
![Page 3: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/3.jpg)
Penn ESE 535 Spring 2008 -- DeHon 3
Motivation
• Write at two levels– Java prototype and VHDL implementation– VHDL specification and gate-level
implementation
• Write at high level and synthesize/optimize– Want to verify that synthesis/transforms did
not introduce an error
![Page 4: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/4.jpg)
Penn ESE 535 Spring 2008 -- DeHon 4
Cornerstone Result• Given two DFA’s, can test their
equivalence in finite time• N.B.:
– Can visit all states in a DFA with finite input strings
• No longer than number of states• Any string longer must have visited some state
more than once (by pigeon-hole principle)• Cannot distinguish any prefix longer than
number of states from some shorter prefix which eliminates cycle (pumping lemma)
![Page 5: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/5.jpg)
Penn ESE 535 Spring 2008 -- DeHon 5
FSM Equivalence
• Given same sequence of inputs– Returns same sequence of outputs
• Observation means can reason about finite sequence prefixes and extend to infinite sequences which DFAs (FSMs) are defined over
![Page 6: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/6.jpg)
Penn ESE 535 Spring 2008 -- DeHon 6
Equivalence
• Brute Force:– Generate all strings of length |state|
• (for larger DFA)
– Feed to both DFAs– Observe any differences?– |Alphabet|states
![Page 7: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/7.jpg)
Penn ESE 535 Spring 2008 -- DeHon 7
Smarter
• Create composite DFA
• XOR together acceptance of two DFAs in each composite state
• Ask if the new machine accepts anything– Anything it accepts is a proof of non-
equivalence– Accepts nothing equivalent
![Page 8: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/8.jpg)
Penn ESE 535 Spring 2008 -- DeHon 8
Composite DFA
• Assume know start state for each DFA• Each state in composite is labeled by the pair
{S1i, S2j}– At most product of states
• Start in {S10, S20}
• For each symbol a, create a new edge:– T(a,{S10, S20}) {S1i, S2j}
• If T1(a, S10) S1i, and T2(a, S20) S2j
• Repeat for each composite state reached
![Page 9: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/9.jpg)
Penn ESE 535 Spring 2008 -- DeHon 9
Composite DFA
• At most |alphabet|*|State1|*|State2| edges == work
• Can group together original edges– i.e. in each state compute intersections of
outgoing edges
– Really at most |E1|*|E2|
![Page 10: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/10.jpg)
Penn ESE 535 Spring 2008 -- DeHon 10
Acceptance
• State {S1i, S2j} is an accepting state iff– State S1i accepts and S2j does not accept– State S1i does not accept and S2j accepts
• If S1i and S2j have the same acceptance for all composite states, it is impossible to distinguish the machines – They are equivalent
• A state with differing acceptance – Implies a string which is accepted by one machine
but not the other
![Page 11: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/11.jpg)
Penn ESE 535 Spring 2008 -- DeHon 11
Empty Language
• Now that we have a composite state machine, with this acceptance
• Question: does this composite state machine accept anything? – Is there a reachable state which accepts
the input?
![Page 12: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/12.jpg)
Penn ESE 535 Spring 2008 -- DeHon 12
Answering Empty Language
• Start at composite start state {S10, S20} • Search for path to an Accepting state• Use any search (BFS, DFS)• End when find accepting state
– Not equivalent
• OR when have explored entire reachable graph w/out finding– Are equivalent
![Page 13: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/13.jpg)
Penn ESE 535 Spring 2008 -- DeHon 13
Reachability Search
• Worst: explore all edges at most once– O(|E|)=O(|E1|*|E2|)
• Actually, should be able to find during composite construction– If only follow edges which fill-in as search
![Page 14: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/14.jpg)
Penn ESE 535 Spring 2008 -- DeHon 14
Example
s3 s4
0
s0
s1 s2
0 1
1 0 1
101
0
q0
q1 q2
0 1
0 1 0 1
= accept state
![Page 15: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/15.jpg)
Penn ESE 535 Spring 2008 -- DeHon 15
Issues to Address
• Get State-Transition Graph from – RTL, Logic
• Incompletely specified FSM?
• Know valid (possible) states?
• Know start State for Logic?
• Computing the composite FSM may be large
![Page 16: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/16.jpg)
Penn ESE 535 Spring 2008 -- DeHon 16
Getting STG Verilog/VHDL
• Gather up logic to wait statement– Make one state
• Split states (add edges) on if/else, select
• Backedges with while/for– Branching edges on loop conditions
• Start state is first state at beginning of code.
![Page 17: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/17.jpg)
Penn ESE 535 Spring 2008 -- DeHon 17
Getting STG from Logic
• Brute Force– For each state
• For each input minterm– Simulate/compute output– Add edges
– Compute set of states will transition to
• Smarter– Use modified PODEM to justify outputs and
next state• Exploit cube grouping, search pruning
![Page 18: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/18.jpg)
Penn ESE 535 Spring 2008 -- DeHon 18
PODEM state extraction
• Search for all reachable states– Don’t stop once find one output– Keep enumerating and generating possible
outputs
![Page 19: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/19.jpg)
Penn ESE 535 Spring 2008 -- DeHon 19
Delay Computation
• Modification of a testing routine– used to justify an output value for a circuit
• PODEM– backtracking search to find a suitable input
vector associated with some target output– Simply a branching search with implication
pruning• Heuristic for smart variable ordering
Day 7
![Page 20: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/20.jpg)
Penn ESE 535 Spring 2008 -- DeHon 20
Incomplete State Specification
• Add edge for unspecified transition to – Single, new, terminal state
• Reachability of this state may indicate problem– Actually, if both transition to this new state
for same cases• Might say are equivalent• Just need to distinguish one machine in this
state and other not
![Page 21: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/21.jpg)
Penn ESE 535 Spring 2008 -- DeHon 21
Valid States
• PODEM justification finds set of possibly reachable states
• Composite state construction and reachability further show what’s reachable
• So, end up finding set of valid states– Not all possible states from state bits
![Page 22: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/22.jpg)
Penn ESE 535 Spring 2008 -- DeHon 22
Start State for Logic
• Start states should output same thing between two FSMs
• Start search with state set {S10, S2i} for all S2i with same output as S10
• Use these for acceptance (contradiction) reachability search
![Page 23: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/23.jpg)
Penn ESE 535 Spring 2008 -- DeHon 23
Memory?
• Concern for size of search space– Product set of states– Nodes in search space
• Combine– Generation– Reachability– State justification/enumeration
![Page 24: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/24.jpg)
Penn ESE 535 Spring 2008 -- DeHon 24
Composite Algorithm
• PathEnumerate(st, path, ValStates)– // st is a state of M1– ValStates+=st– While !(st.enumerated)
• Edge=EnumerateStateFanout(st) // PODEM• Simulate Edge on M2
– Equivalent result? If not return(FAIL)• If (Edge.FaninState(M1),Edge.FaninState(M2) in Path.Spairs)
– Return(PATH_OK) ;; already visisted/expanded that state• Else
– ValStates+=Edge.FaninState(M1)– Path=Path+Edge; Update Path.Spairs– PathEnuemrate(Edge.FaninState(M1),Path,ValStates)
![Page 25: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/25.jpg)
Penn ESE 535 Spring 2008 -- DeHon 25
Start Composite Algorithm
• PathEnumerate(Start(M1),empty,empty)
• Succeed if complete path search and not fail– Not encounter contradiction
![Page 26: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/26.jpg)
Penn ESE 535 Spring 2008 -- DeHon 26
Admin
• Reading
• Assignment 7
![Page 27: Penn ESE 535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 22: April 23, 2008 FSM Equivalence Checking.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d4e5503460f94a2cf8f/html5/thumbnails/27.jpg)
Penn ESE 535 Spring 2008 -- DeHon 27
Big Ideas
• Equivalence– Same observable behavior– Internal implementation irrelevant
• Number/organization of states, encoding of state bits…
• Exploit structure– Finite DFA … necessity of reconvergent paths– Pruning Search – group together cubes– Limit to valid/reachable states
• Proving invariants vs. empirical verification