1. Field of the Invention
The present invention relates to techniques for verifying designs for digital systems. More specifically, the present invention relates to a method and an apparatus for determining if a trace can be produced by a generator, where the trace is defined as a sequence of assignments to the external interface signals of the generator.
2. Related Art
Verifying a design generally involves deciding whether the design will guarantee that its outputs satisfy some set of properties, under the assumption that its inputs satisfy some other properties. The properties the design is to guarantee are often expressed as checkers, which “observe” the design's input/output behaviors and either “accept” or “reject” the behaviors. Checkers are also referred to as “monitors” or “assertions.”
In contrast, the input behavior that the design can assume is often expressed as a generator, which “produces” legal inputs to the design based on the design's outputs and internal generator states. Hence, the generator provides a general model for the legal environments in which the design is intended to operate.
While checkers and generators are used in different roles in design verification, they share an underlying semantics which defines a set of input/output traces. More specifically, a given set of traces can be expressed either as a generator or as a checker. Deciding which representation to use involves considering two criteria: ease of expression, and tool support for a particular form of representation (checker or generator) in a particular verification role (assumption or guarantee). Neither form of representation is universally easier for expressing traces. For instance, the correctness of a sorting circuit involves two conditions: the values in the output array should vary monotonically with the array indices, and should be a permutation of the sorter's input array. Monotonicity is more easily expressed in the checker representation, while it is easier to use a generator to define the set of input permutations that must contain the sorter's output. There does not seem to be any general rule for predicting which traces will be more easily expressed by which representation. Tool support for the various combinations of role and representation is needed.
Compositional verification is a methodology where verification of a complete system is performed by separately verifying each of the blocks from which the system is constructed. These smaller verification sub-tasks can be much more effective with both simulation and formal tools, mainly because the exposed block interfaces give better controllability and observability. In compositional verification, one block's guarantee is used as a connected block's assumption, and vice versa. Consequently, over the set of block verifications involved in the compositional verification of a system, a single trace set representation will need to be used in both roles, as an assumption and as a guarantee. Thus, the choice of representation for a trace set cannot be governed by tool support for the particular role that trace set will play in any one block's verification, because that trace set will serve the complementary role in some other block's verification.
Tables 1 and 2 summarize the approaches used by these tools to support these representations in the two different roles. In both classes of tools, the generator representation is most natural in the role of block assumption, and the checker representation in the guarantee role. Checkers are also easily incorporated as assumptions in formal verification.
Using a checker as an assumption for, which is referred to as “stimulus generation,” has been recently studied by a number of researchers, and a number of solutions have been proposed.
Using a generator as a guarantee is also a non-trivial problem. Note that to simulate against a guarantee represented as a generator, one must test if the trace of a simulation run can be produced by the generator. We refer to the verification problem as “trace checking.” To date, the trace checking problem has not been significantly investigated, and effective solutions have not been developed.
Hence, what is needed is a method and an apparatus for efficiently performing a trace checking operation.
One embodiment of the present invention provides a system that verifies whether a trace can be produced by a generator. A generator is defined as a finite state machine with a set of input and output signals. The set of input signals are divided into parametric inputs and non-parametric inputs. The generator uses parametric inputs to model non-determinism. A trace is defined as a sequence of assignments of non-parametric input and output signals of the generator. The trace does not contain assignments of the parametric inputs. During operation, the system builds a data structure to determine if there exists a sequence of parametric input assignments that can match the non-parametric inputs and outputs of the generator with the ones specified in the trace.
In a variation on this embodiment, the generator is sequentially deterministic, which means that there exists a single next state for each combination of current state, non-parametric input and output. In this variation, the system uses a data structure to perform a satisfiability test to determine if there exist any parametric inputs that can match the non-parametric input and output assignment of the generator with the ones of the trace at current state. Next, the system uses the current state, non-parametric input and output to determine a unique next state of the generator. The system iterates this test through the sequence of input and output assignments in the trace.
In a variation on this embodiment, the generator is sequentially non-deterministic, which means that the next state can depend on parametric input, and consequently there can exist more than one next state for some combinations of current state, non-parametric input, and output. In this variation, the system determines if the non-parametric input and output assignments in a trace are consistent with a generator by determining the set of next states of a generator. This determination involves considering all possible parametric inputs, all states in a current set of states, the non-parametric input and the output. If there exists at least one state in the set of next states, the system determines that the non-parametric input and output are consistent.
In a variation on this embodiment, the system determines the set of next states by computing a forward image and constraining the parametric input and output to their assignments in the trace.
In a variation on this embodiment, the trace is produced by a simulation of a system under test.
In a variation on this embodiment, the data structure is in the form of a binary decision diagram (BDD).
In a variation on this embodiment, if the non-parametric input and output are not consistent with a generator output, the trace is not valid.
In a variation on this embodiment, the generator uses a function with parametric inputs to model non-determinism.
In a variation on this embodiment, if the specification of the generator indicates that the block under test is sequentially deterministic, and hence does not depend on parametric inputs, the method further comprises translating a generator into a checker and using that checker to verify a trace.
Table 1 illustrates roles and representations in simulation in accordance with an embodiment of the present invention.
Table 2 illustrates roles and representations in formal verification in accordance with an embodiment of the present invention.
Table 3 illustrates a technique for trace checking using an SSD generator in accordance with an embodiment of the present invention.
Table 4 illustrates an exemplary SSD generator in accordance with an embodiment of the present invention.
Table 5 illustrates a stimulus generation procedure in accordance with an embodiment of the present invention.
Table 6 illustrates a technique for trace checking using an FSD generator in accordance with an embodiment of the present invention.
Table 7 illustrates a technique for a trace checking using an SND generator in accordance with an embodiment of the present invention.
The following description is presented to enable any person skilled in the art to make and use the invention, and is provided in the context of a particular application and its requirements. Various modifications to the disclosed embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to other embodiments and applications without departing from the spirit and scope of the present invention. Thus, the present invention is not limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.
The data structures and code described in this detailed description are typically stored on a computer-readable storage medium, which may be any device or medium that can store code and/or data for use by a computer system. This includes, but is not limited to, magnetic and optical storage devices such as disk drives, magnetic tape, CDs (compact discs) and DVDs (digital versatile discs or digital video discs), and computer instruction signals embodied in a transmission medium (with or without a carrier wave upon which the signals are modulated). For example, the transmission medium may include a communications network, such as the Internet.
Trace Checking
To develop efficient techniques for trace checking, we classify generators into three groups: structurally sequentially deterministic (SSD), functionally sequentially deterministic (FSD) and sequentially non deterministic (SND). More details on the generator representations will be discussed herein.
Formal methods can be used to verify that every trace emitted by a design is in the set of traces defined by a generator, i.e. that the design guarantees the property represented by the generator. This comparison of a design against a generator is known as the “refinement checking” problem. In the general case, where a guarantee generator is sequentially non-deterministic, refinement checking has been determined to be PSPACE complete with respect to the number of generator states. Existing approaches of refinement checking require manual construction of refinement maps or witness functions. We present practical and techniques for refinement checking where the guarantee generator is restricted to be sequentially deterministic.
Representation
DEFINITION 1: Let V be a finite set of boolean variables {ν1, ν2, . . . , νn}. A trace over V is an infinite sequence π=α0α1 . . . , where each αi is a complete assignment of variables in Vat time i. For D⊂V, α↓D denotes the projection of assignment α to the subset of variables in D. We refer to V as the type of trace π.
We define checkers and generators as special types of automata as follows.
DEFINITION 2: A checker is a Mealy machine defined by the tuple {haeck over (M)}=<S, s0, I, ν, ƒν, ƒS>, where S is a finite set of states, s0∈S is the initial state, I=DI∪DO is a finite set of input variables. DI denotes design inputs and DO denotes design outputs. DI∩DO=Ø. ν is an output variable. ƒν:S×ΣI→{0,1} is the output function, where ΣI represents the set of all possible assignments of I. ƒS:S×ΣI→S is the next state function. Both ƒν and ƒS are total functions.
When composing a guarantee checker with a design under test (DUT), DI is connected to the corresponding DUT input signals and DO to the corresponding DUT output signals. Both DI and DO are inputs to the checker. All inputs of a checker are connected to their corresponding design signals in a proper composition. By our definition, a checker is deterministic, i.e., there is a single next state and output for every current state and input combination.
Note that an additional restriction can be imposed on checkers. In particular, the valid signal may only depend on variables in S∪DO, but not in DI. ƒν:S×ΣDO→{0,1}. The restriction is referred to as “output separability.” Such restricted checkers are sufficient to specify behaviors that can be modeled as Moore machines.
DEFINITION 3: Assume π=α0α1 . . . is an infinite trace of type DI∪DO. π is accepted by {haeck over (M)}, or π|={haeck over (M)}, iff there exists an infinite sequence of states S=s0s1 . . . such that (1) s0 is the initial state; (2) ∀i si+1=ƒS(si, αi); (3) ∀i ƒν(si, αi)=1. We interpret a checker as the set of all traces I({haeck over (M)}) accepted by {haeck over (M)}, formally, I({haeck over (M)})={π|={haeck over (M)}}.
DEFINITION 4: A generator is a Mealy machine defined by the tuple {right arrow over (M)}=<S, s0, I, O, ƒO, ƒS>, where S is a finite set of states, s0∈S is the initial state, I=DI∪P is a finite set of input variables. DI denotes the set of design inputs (or non-parametric inputs), and P denotes the set of parametric inputs. O=DO is a finite set of output variables. DO denotes the set of design outputs. I∩O=Ø. ƒO:S×ΣI→ΣO is the output function, where ΣI and ΣO represent the set of all possible assignments of I and O, respectively. ƒS:S×ΣI→S is the next state function. Both ƒO and ƒS are total functions.
Parametric input variables P model non-determinism in a generator.
DEFINITION 5: Assume π=α0α1 . . . . is an infinite trace of type DI∪O. π is generated by {right arrow over (M)}, or π|={right arrow over (M)}, iff there exists an infinite sequence of states S=s0s1 . . . and an infinite trace σ=β0β1 . . . of type P, such that (1) s0 is the initial state; (2) ∀i si+1=ƒS(si, αi↓DI, βi); (3) ∀i αi↓DO=ƒO(si, αi↓DI, βi); We interpret a generator as the set of all traces generated by {right arrow over (M)}, formally, I({right arrow over (M)})={π|π={right arrow over (M)}}.
Special Cases
DEFINITION 6: A generator {right arrow over (M)} is sequentially deterministic if there is a single next state for each assignment of S, DI and DO, i.e.
ƒO(s, dI, p)=ƒO(s,dI,p′)→ƒS(s,dI,p)=ƒS(s,dI,p′) (1)
where s, dI and dO denote vectors of state variables, design input variables, and design output variables, respectively.
A checker, by our definition, is sequentially deterministic, if we treat the checker's validity output ƒν as a specific instance of the general generator output function ƒO. Its next state is determined by the assignment of variables in S, DI and DO. The difference between a checker and a sequentially deterministic generator lies in their combinational representations of design outputs. A checker uses a relation to represent design outputs, i.e. ƒν(s, dI, dO)=1. A generator uses a function with parametric inputs, i.e. ƒO(dI, s, p). An equivalent relation can be obtained by explicitly introducing the output variables dO and quantifying the parametric inputs, i.e. ƒν(s, dI, dO)=∃p(dO=ƒo(dl, s, p)). Each representation can be more suitable in certain situations. For example, the set of variable assignments d that satisfies a boolean formula B can be expressed a relation B(d)=1. On the other hand, the set of composite natural numbers is more easily expressed as a function with parametric inputs d=x×y.
Methodology
Compositional verification enables much more effective searching for erroneous behaviors. To enable compositional verification, the system designer must provide additional block specifications in a form that verification tools can interpret. In
This becomes a simple example of assume-guarantee reasoning: if A can guarantee Q assuming P, and B can guarantee P, then one can conclude that the system composed of A and B will guarantee Q. Note that the converse is not true. It is possible to err in expressing P so that the entire system does guarantee Q, yet one or both of the block verifications fails. Compositional verification requires accurate block specification. What this approach accomplishes is to achieve dramatically more effective block level searches for design errors.
In a previous section of this specification we defined two forms of specification, checkers and generators. Consider property P. In performing compositional verification of our simple example, one has a choice to express P in the form of a checker or in the form of a generator. Let us examine the consequences of this decision.
If P is expressed as a checker, the block verification of B becomes possible through conventional simulation methods. The sequence of outputs of B are simply fed into the checker inputs and the checker output is observed. If the output is ever observed to have a 0 value, a property violation will have been detected. Simulation of block A is a bit more challenging, though. At each simulation cycle, an input vector must be constructed for which the checker for P will output a 1 value. P may well have a changing internal state, so this input vector construction problem is changing cycle by cycle. Previous research has studied techniques to efficiently solve this stimulus generation problem.
If P is instead expressed as a generator, simulation of block A becomes very straightforward. One simply drives the parametric inputs of the generator for P with directed or random stimulus, and observes the output of a checker for property Q. In this case, it is the simulation of block B that becomes more difficult. To verify the block simulation, one must check if the design output can be matched by the generator output. The difficulty here is to find parametric input assignments that produce a matching generator output.
The techniques we develop below address this problem of block verification when the property the block is required to guarantee is expressed as a generator. We will consider both simulation and formal verification techniques. Simulation generates a single trace, which then can be compared against the set of traces of the generator. In formal verification the block itself is analyzed to check the complete set of output traces it can emit.
With these trace checking and refinement checking techniques, tool support becomes available for every combination of role and representation. Thus, the decision of which representation to use need not be constrained by tool support limitations. Ease of expression for a particular trace set remains a criterion. Efficient tool processing is also a criterion. A checker or generator is often written at Register Transfer Level (RTL) in a High Level Design Language such as Verilog, or in some assertion language. Using a checker as a guarantee and a generator as an assumption can take advantage of RTL simulation, and is therefore very efficient. Both stimulus generation and trace checking typically involve formal reasoning and are often slower. To use a checker as an assumption, a simulator must interact with stimulus generation each cycle to obtain legal input stimulus. It is observed that simulation generation time represents a significant portion of total simulation time, sometimes more than 50 percent.
A generator as guarantee, however, can be used offline—a simulator can save the simulation trace in a dump file to be checked later against the generator. This does not affect overall CPU time, but unburdening simulation lets the designer more quickly address other bugs and free limited resources such as software licenses for EDA simulation tools and computer memory. Thus, it seems from a tool efficiency perspective, the generator representation has an overall efficiency advantage.
Flow Summary and Context
Before proceeding further with the description, it may be helpful to place this process in context.
The EDA software design process (step 310) is actually composed of a number of steps 312-330, shown in linear fashion for simplicity. In an actual ASIC design process, the particular design might have to go back through steps until certain tests are passed. Similarly, in any actual design process, these steps may occur in different orders and combinations. This description is therefore provided by way of context and general explanation rather than as a specific, or recommended, design flow for a particular ASIC.
A brief description of the components steps of the EDA software design process (step 310) will now be provided:
The trace checking process can take place during the logic design and functional verification step 314 described above.
The trace checking problem is defined as follows. Given a trace π=α0α1 . . . and a generator {right arrow over (M)}, check whether π can be generated by {right arrow over (M)}, or mathematically, π|={right arrow over (M)}.
The trace checking problems arise in practice when a generator is used as a guarantee in simulation. To be compatible with well-established theories on temporal logic, we have defined traces to be infinite. Any actual simulation runs, however long, must terminate and therefore will produce only finite traces. In this example, we focus on safety properties, for which a simple solution exists. A finite trace satisfies a generator iff it is a prefix of a satisfying infinite trace.
The techniques presented in this section determine whether the finite prefix can indeed be generated. A generator provides at least one legal output for every combination of generator state and non-parametric input. Thus, any finite trace generated by a generator can be extended indefinitely, by simulating the generator with arbitrary input combinations and using the corresponding input/output assignments to extend the finite trace. Thus, any finite trace generated by a generator is a prefix of some infinite trace generated by the generator. In contrast, a checker can have one or more combinations of checker states and inputs for which no output is accepted as valid. These states are known as dead-end states. A finite trace can exist which the checker accepted as valid at every step, but if that trace leads to such a dead-end state, then the trace cannot be extended. Thus, the fact that a checker has accepted a finite trace does not imply that that finite trace is a prefix of any infinite trace that the checker would accept.
Referring to the flow chart illustrated in
Next, the system uses the specification to build a data structure that can be used to determine if a non-parametric input and output are consistent with the parametric input and output for the generator (step 406). The system then verifies elements of the trace (step 408), wherein verifying the trace involves using the data structure to determine if there exists any parametric input assignment that causes a match between non-parametric inputs and outputs of the generator with the ones specified in the trace.
Sequentially Deterministic
We now present trace checking techniques for sequentially deterministic generators. We further divide the class into structurally sequentially deterministic (SSD) generators and functionally sequentially deterministic (FSD) generators.
SSD
For SSD generators, the next state function ƒS is expressed as the composition of functions {circumflex over (ƒ)}S:S×ΣDI×ΣO→S and ƒO:S×ΣDI×ΣP→ΣO. Namely,
ƒS(s, dI, p)={circumflex over (ƒ)}S(s, dI, ƒO(s, dI, p))
Such decomposition, if it exists, significantly simplifies the trace checking problem. In particular, {circumflex over (ƒ)}S can be used to efficiently compute the next state of an SSD generator. A trace checking technique is illustrated in Table 3. In Table 3, π denotes the length of input trace π. Furthermore, νI and νO denote assignments of design input variables (dI) and design output variables (dO), respectively. The relation R between s, dI and dO is represented as a binary decision diagram (BDD) (For a description of a BDD see R. E. Bryant, “Graph-based Algorithms for Boolean Function Manipulation,” IEEE Transactions on Computers, C-35(8): 677-691, August 1986.)
Table 4 shows an example of SSD generator in Verilog. In an SSD generator, next state functions do not directly depend on parametric inputs. Design inputs, design outputs and current states should form a cut in the fanin logic of every next state assignment. The cut can be computed by syntactical analysis of an SSD generator. Table 4 presents a special case where next state (state) depends only on design inputs (di).
Complexity Analysis
We now analyze the complexity of the SSD trace checking technique in accordance with an embodiment of the present invention. There is a one-time cost to compute BDD R by quantifying parametric inputs p. For each simulation cycle, there is a cost to verify the correctness of design outputs and compute the next state of the generator. Design outputs are verified by evaluating R(state, νI, νO) and checking for the zero result. The cost of the operation is O(|S|+|DI|+|DO|), where |S|, |DI| and |DO| denote the numbers of state variables, design inputs and design outputs, respectively. Note that the complexity is independent of the size of BDD R, which in the worst case is exponential in the total number of variables. The next state is computed by evaluating {circumflex over (ƒ)}s(state, νI, νO). This cost is linear in the size of generator representation. In practice, if a generator is written in RTL, its next state can be computed using RTL simulation.
Table 5 outlines a technique for stimulus generation for comparison. Let us suppose that a checker {haeck over (M)} and a generator {right arrow over (M)} specify a set of traces using the same state encoding. In this case, the two BDDs (R) of stimulus generation and trace checking are equal. In each simulation cycle, stimulus generation obtains an assignment νI of design input signals dI from a simulator. The cofactor operation to compute the set R′ of legal assignments of design outputs dO is O(|R|). If all variables dO are ordered at the bottom of BDD R, the cofactor R′ can be computed in O(|S|+|DI|). Such variable orderings, however, often lead to BDD size explosion. Note that interleaving bits of a data path is a way to achieve a compact BDD representation.
To pick an arbitrary assignment νO from R′ is O(|DO|). It is desirable in practice to generate νO with certain probability distributions. One can bias individual bits of dO by traversing the BDD R′ and assigning weights to its BDD nodes. The time complexity of this technique is O(|R′|). This technique assumes independence among individual bits and cannot achieve all possible word level distributions. The technique we have described is essentially the SimGen technique (described in J. Yuan, K. Shultz, C. Pixley, H. Miller and A. Aziz, “Modeling Design Constraints and Biasing in Simulation using BDDs,” Proc. Intl. Conference on Computer-Aided Design, pp. 584-589, November 1999) and has the same complexity. Note that SimGen achieves more practical speed by avoiding BDD operations, operating instead directly on the fixed BDD R.
We now compare the costs of trace checking and stimulus generation. In the both approaches, there is one-time cost to compute BDD R and the memory usage is dominated by computing BDD R and storing R during simulation. The difference is in simulation time cost. For trace checking, per cycle cost is O(|S|+|DI|+|DO|). For stimulus generation, the cost is O(|R|). The size of BDD R is in the worst case exponential in the number of variables. Therefore, per cycle time cost of stimulus generation can be much higher than that of trace checking. It is important to minimize per cycle simulation overhead, as a thorough simulation can require thousands or even millions of cycles.
FSD
In some cases, a generator obeys equation (1), but its next state function is not expressed as a composition ƒS={circumflex over (ƒ)}S∘ƒO. We call such generators functionally sequentially deterministic (FSD). The condition defined by Equation (1) can be verified by evaluating the expression using BDD operations. This evaluation involves building BDDs for the next state function and can be expensive. Alternatively, the condition can be checked dynamically as a part of trace checking.
A technique for FSD trace checking is illustrated in Table 6. The cofactor operation returns a set of parametric inputs assignments P that can produce generator outputs νO. With the CHECK-FSD option turned on, the technique computes the set of next states by image computation while constraining design inputs to be νI and parametric inputs to be in P, and it checks that the set is a singleton, i.e. all parametric inputs in P lead to a single next state. In fact, the FSD technique is sound with a somewhat more general condition Equation (1) only has to hold for the specified design inputs from a trace and reached states.
Optimizations
So far, we have proposed to use BDDs to implement trace checking techniques. In particular, relation R is represented as a BDD with s, dI and dO as variables. The advantage of this static approach is that per cycle cost of trace checking is minimized. In some cases, however, computing the BDD may be too expensive in either time or memory usage.
Let us re-examine the technique illustrated in Table 3. An important operation on R is its evaluation after substitution of state, design input and output variables. Rather than building a BDD for R, we can simply maintain dO=ƒO(s, dI, p) as a boolean expression, i.e. we can omit the explicit quantification of the p variables. At each cycle, we substitute the dO, s, and dI variables in this expression with their assigned values and obtain a much simplified expression with only p variables. Now there are two choices.
We can either build a BDD for the simplified expression and test for its emptiness or use a SAT solver to test the unsatisfiability of the expression. Both operations are much cheaper than computing a BDD for R. Unfortunately, the operations must be repeated for each cycle of the simulation. This technique also applies to the FSD procedure illustrated in Table 6. In particular, we can use a SAT solver to find an assignment “p” of parametric inputs instead of computing cofactor of BDD R. The FSD condition can be verified by proving any two legal parametric input assignments lead to a same next state. This verification can be expressed as an unsatisfiablity problem and therefore can be handled by a SAT solver as well.
Sequentially Non-Deterministic
A generator is sequentially non-deterministic (SND) if legal parametric inputs can lead to distinct next states, each of which may later pass or fail the trace under test. In this case, a set of “accepting” generator states must be maintained for each simulation cycle, and trace checking is essentially reachability analysis with input/output constraints. Table 7 presents a technique for this general case of generators.
Refinement Checking
We consider formal refinement checking as a comparison of two Mealy machines, a module machine {right arrow over (M)}m=<Sm, s0m, DI, O, ƒOm, ƒSm>, and a generator machine {right arrow over (M)}g=<Sg, s0g, I, O, ƒOg, ƒSg>, where I=DI∪P, i.e. the generator has some extra parametric inputs to model non-determinism. The general refinement checking problem is to verify whether every input/output trace of the module can be observed in the generator (after projecting out the parametric inputs). The special case of sequentially deterministic generators permits a more efficient solution than the general case. In this special case, we can explore the state space of the product machine, considering only transitions for which the output of the generator matches the output of the module, i.e. we can form the constrained product machine transition relation
At each state of the product machine reachable by way of these transitions, there must be a generator output corresponding to every module output, i.e. the product state must satisfy
ν(sm, sg)=∃dI∃p[(ƒOm(sm,dI)=ƒOg(sg, dI, p))] (3)
Thus, the special case of refinement checking for sequentially deterministic generators can be reduced to a classical model checking problem of a safety property, checking that the initial state (s0m, s0g) satisfies the CTL property AGν in the transition system defined by T.
This approach to refinement checking actually handles a somewhat broader class of generators than just sequentially deterministic. In a sequentially deterministic generator there will be only one generator next states sng corresponding to a product machine present state (spm, spg) and design input dI. But our refinement check will allow several corresponding next states, as long as each of them satisfies AGν. While we can thus verify refinement in a somewhat broader class of generators than the sequentially deterministic class, this is still much narrower than refinement in general, where an arbitrary non-empty subset of corresponding generator next states needs to exist that can carry forward the correspondence.
Formal Checking
As discussed above, refinement checking for sequentially deterministic generators reduces to a safety property check. A wide variety of techniques have been explored for such checks. In one embodiment of the present invention, we can use the abstraction refinement approach described in D. Wang, P.-H. Ho, J. Long, J. H. Kukula, Y. Zhu, H.-K. T Ma and R. Damaino, “Formal Property Verification by Abstraction Refinement with Formal, Simulation and Hybrid Engines,” Design Automation Conference, pp. 35-40, 2001. This embodiment requires the transition system and property to be provided in the form of an RTL circuit. A BDD can be computed for property ν of equation (3). A circuit for ν can then be synthesized from this BDD, in the form of a multiplexer network.
Building a circuit for the transition system T of equation (2) is a bit more challenging. What is required is that the parametric inputs p of the generator be constrained so that the module and generator outputs correspond at every cycle. In a simulation-based methodology, this would form a classical constrained stimulus generation problem. For our formal refinement checking implementation we used a simpler method. We added an auxiliary state bit to the product machine, initially assigned to 1 and remaining 1 just as long as the input constraint is satisfied. This bit is then used to qualify the predicate ν, so a property violating state is one where ν=0, reached by a path on which the module and generator outputs have corresponded at all previous time steps.
The foregoing descriptions of embodiments of the present invention have been presented only for purposes of illustration and description. They are not intended to be exhaustive or to limit the present invention to the forms disclosed. Accordingly, many modifications and variations will be apparent to practitioners skilled in the art. Additionally, the above description is not intended to limit the present invention. The scope of the present invention is defined by the appended claims.