2068

IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 27, NO. 11, NOVEMBER 2008

Unbounded Protocol Compliance Verification Using Interval Property Checking With Invariants Minh D. Nguyen, Max Thalmaier, Markus Wedler, Jörg Bormann, Dominik Stoffel, Member, IEEE, and Wolfgang Kunz, Fellow, IEEE

Abstract—We propose a methodology to formally prove protocol compliance for communication blocks in System-on-Chip (SoC) designs. In this methodology, a set of operational properties is specified with respect to the states of a central finite state machine (FSM). This central FSM is called main FSM and controls the overall behavior of the design. In order to prove a set of compliance properties, we developed an approach that combines property checking on a bounded circuit model with an approximate reachability analysis. The property checker determines whether a property is valid for an arbitrary state of the design regardless of its reachability. In order to avoid false negatives, reachability constraints are added to the property, which are generated by an approximate FSM traversal algorithm. We show how the existence of a main FSM can be exploited systematically in the reachability analysis and how to partition both the transition relation and the state space such that the computational complexity is reduced drastically. This makes formal verification of protocol compliance tractable even for large designs with several thousand state variables. Our approach has been applied successfully to verify several industrial designs. Index Terms—Binary decision diagram (BDD), bounded model checking (BMC), finite state machine (FSM) traversal, model checking, protocol compliance verification, satisfiability solving (SAT).

I. I NTRODUCTION

T

HE PRESENT-DAY design flows for microelectronic systems confront hardware designers and verification engineers with great challenges related to System-on-Chip (SoC) integration. The integration of individual IP blocks into a single chip is a demanding design task and requires a sophisticated communication infrastructure. For this purpose, many different buses and protocols, such as ARM advanced microcontroller bus architecture (AMBA) or virtual component interface (VCI), have been introduced. These protocols are used to create interfaces between modules and ensure proper behavior of the entire chip. Manuscript received October 5, 2007; revised April 25, 2008. Current version published October 22, 2008. This is an extended version of a paper that appeared in the Proceedings of the International Conference on ComputerAided Design (ICCAD), pp. 1068–1075, November 6–10, 2005, San Jose, CA, USA. This work was supported in part by BMBF under Grant 01M3082D and Grant 01IS07008D. This paper was recommended by Associate Editor V. Bertacco. M. D. Nguyen, M. Thalmaier, M. Wedler, D. Stoffel, and W. Kunz are with the Department of Electrical and Computer Engineering, University of Kaiserslautern, 67653 Kaiserslautern, Germany (e-mail: [email protected] eit.uni-kl.de; [email protected]; [email protected]; [email protected]; [email protected]). J. Bormann is with OneSpin Solutions GmbH, 80339 Munich, Germany (e-mail: [email protected]). Digital Object Identifier 10.1109/TCAD.2008.2006092

In spite of continuous progress in formal verification technology, a complete SoC design clearly remains beyond the capacity of a state-of-the-art formal property checker. Therefore, formal property checking is usually applied at the block level and is used to achieve high-quality IP blocks. Moreover, this way, simulation at the chip level becomes less expensive because it can concentrate on the global system behavior and is relieved from hunting bugs in the individual SoC modules. By a “block” or “module”, we mean SoC components such as hardware accelerators; I/O controllers; or programmable blocks, such as digital signal processors and standard processor cores. A major area of potential innovation in industrial SoC verification is the extension of formal property checking to the interfaces between such modules. When it comes to ensuring system integrity, it is of great importance to verify that the components connected to the system buses comply with the respective protocols. In principle, the formal compliance check can be carried out using standard property checking techniques such as symbolic model checking [1] or bounded model checking (BMC) [2]. Although the state of the art in formal verification technology provides a rich set of methods and tools to formally verify the interfaces between SoC modules, severe problems still occur in practice. Considering that the control circuits for standard SoC protocols typically contain thousands of state variables, all methods that rely on an exact traversal of the state space are prohibitively expensive. More advanced methods are available, which decompose the state space and/or perform abstractions on it. However, most of these methods are of a generic nature and have been developed for a general spectrum of property checking applications. Unfortunately, they tend to fail in industrial practice when being applied specifically to the interfaces of modules. BMC, in principle, can handle the complexity of SoC module interfaces; however, proofs on bounded time intervals often remain incomplete when starting from initial states, or a tremendous manual effort is required to provide adequate state information for the start times of the considered time intervals. In this paper, we propose a new approach for protocol compliance verification. Our starting point is a specific property checking methodology based on a bounded circuit model. Here, this methodology is referred to as “interval property checking (IPC).” It was originally developed in the mid-1990s by the Siemens company and is commercially available [3]. IPC has proved very efficient for a wide range of SoC modules. In the case of protocol compliance verification, however, major challenges remain. Due to the nature of the underlying computational model, high manual efforts may be required to augment

0278-0070/$25.00 © 2008 IEEE

NGUYEN et al.: UNBOUNDED PROTOCOL COMPLIANCE VERIFICATION USING INTERVAL PROPERTY CHECKING

the model by important reachability information. In this paper, we propose to automate this process by an approximative reachability analysis which is well adapted to the IPC paradigm, as well as to the application of protocol compliance verification. Our approach is entirely based on register transfer level (RTL) design descriptions and is applied to concrete industrial implementations of SoC interfaces. Considering that current industrial practices usually require a manual translation of highlevel abstract models into RTL implementations, at this point, verification using RTL descriptions is unavoidable. The rest of this paper is organized as follows. In the remainder of this section, we present a brief comparison of our approach with the previous work and introduce the terminology and notations used in later sections. In Section II, we describe the overall property checking methodology which underlies this paper. First, in Section II-A, we introduce an operational style of writing properties and show an example of how to apply this for protocol compliance verification. Then, in Section II-B, we develop the computational model of IPC and discuss those methodological issues of IPC which are relevant for reaching our goal of highly automated protocol compliance verification. Section III presents our approach to compute invariants for IPC. We first present an exact approach that is only of conceptual value and then extend it to an approximative approach to handle large designs. We present implementations of our approach based on both, satisfiability solving (SAT) and binary decision diagrams (BDDs). Finally, Section IV presents the results on several case studies which we conducted on industrial, as well as public-domain, designs. A. Contribution and Comparison With Previous Work The proposed methodology for protocol compliance verification exploits the nature of protocol implementations which are often organized as a hierarchy of interacting finite state machines (FSMs), where a central FSM controls the overall behavior of the design. In the following, we denote such a central FSM in a protocol implementation as main FSM. Verification engineers, when verifying protocol compliance of a design, very commonly base the properties they write on the main FSM because the state transitions in this FSM reflect the individual protocol transactions executed by the hardware. The properties are specified by directly relating the intended design behavior in a certain state of a protocol transaction to the corresponding main state of the main FSM. This way, a suite of operational properties is created, covering the complete protocol specification. In our methodology, the properties are checked using an Interval Property Checker (cf. Section II-B) which uses the same circuit modeling as BMC [2] except that the circuit is not unrolled from the initial state but from an arbitrary state. If a counterexample is generated it may be spurious if the computed states are unreachable. False counterexamples are eliminated by strengthening the property with reachability information in the form of added invariants. However, at present, such invariants are mostly found manually by the verification engineer in a tedious and time-consuming process. To date, automatic techniques are not capable of generating the invariants

2069

necessary for verifying protocol implementations of industrial complexity. In this paper, we approach this problem with a novel FSM traversal algorithm specifically tailored to the computation of the reachability constraints needed in this context. In this method, the state space of the design is decomposed into sets of states corresponding to the main states. The transition relation is decomposed with respect to the transitions of the main FSM. During reachability analysis, the transitions in the main FSM (main transitions) are considered individually when calculating the image of a state set. The algorithm is therefore called Transition-By-Transition (TBT) FSM traversal. Furthermore, in order to avoid the state explosion problem of exact reachability computation, we develop a new approximation technique that partitions the design into sub-FSMs using the information of the main FSM. Each sub-FSM is traversed individually with the main FSM using the TBT algorithm. The computed reachability information for the design is an overapproximation of the design’s state space. There is a large amount of literature on partitioning, approximation, or abstraction in order to overcome the limitations of formal techniques when dealing with large designs. Partitioning techniques decompose the characteristic functions of the state set and the transition relation into partitions which are small enough for symbolic representation. In [4], the characteristic function of the transition relation is considered as a conjunction of partitioned functions and is manipulated using an early quantification operation. In other approaches, the state set and the transition relation are decomposed as a disjunction of the characteristic functions which are manipulated separately [5], [6]. In [7], the transition function is decomposed as a disjunction by means of input and output splitting. The combination of disjunctive and conjunctive decompositions is proposed in [8]. Cho et al. [9] presented an approximate FSM traversal method based on state space decomposition. Their basic idea is to partition the circuit into several sub-FSMs and to perform a symbolic traversal for each individual sub-FSM. There are two classes of approximate traversal algorithms in [9]: Machine By Machine (MBM) and Frame By Frame (FBF). The latter has two variants called Reached FBF (RFBF) and To FBF (TFBF). In [10], Cho et al. proposed methods to automatically determine good partitions of the circuit. Another method to partition the circuit using overlapping projections was presented in [11]. In [12], extensions were made to improve the convergence of the RFBF algorithm by proposing the Least Fixpoint Machine By Machine (LMBM) algorithm. Our approach is different from these methods, as our approach decomposes not only the state space but also the transition relation, and both with respect to a specific main FSM. Moreover, the sub-FSMs traversed in our approximation technique are not disjoint partitions as in [10] but they share the same main-state variables. In contrast to the overlapping projections of [11], our shared state variables are exactly the state variables of the main FSM and hence are the same for all traversed sub-FSMs. In Generalized Symbolic Trajectory Evaluation (GSTE), the property under verification is specified as an assertion graph

2070

IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 27, NO. 11, NOVEMBER 2008

and is used for decomposing the problem [13]–[15]. The core algorithm in GSTE [13] has some similarities with the proposed FSM traversal algorithm. However, there are important differences. In GSTE, the state space satisfying the property is decomposed based on state predicates called antecedents being associated with the edges of the assertion graph. In our algorithm, not only the state space but also the transition relation is decomposed, and this decomposition is performed with respect to individual transitions in the main FSM. This can significantly reduce the computational complexity. In contrast, image computation in GSTE computes all successor states of a given state set regardless of the main-FSM transitions. In addition, due to the three-valued alphabet used in GSTE’s symbolic simulation, the state set computed there overapproximates the image. Another important difference is that TBT traversal can be applied as a preprocessing phase to the complete design. Unlike GSTE, it does not depend on the property to be proven. Techniques for abstraction/refinement, to some extent, are also related to our method. These techniques [16]–[21] check properties on an abstract model of the design. The abstract model overapproximates the state space of the system, and generated counterexamples may be spurious. The abstract model is iteratively refined (e.g., using information from the counterexample) until the property holds or the counterexample becomes a true one. A general property checking formulation which may be compared to IPC is k-step induction [22]. It is a SAT-based method for verifying general safety properties. In this technique, the induction base is a BMC proof with depth k starting from the initial state. The induction step is a proof that for an arbitrary state s0 , every loop-free finite path of k states s0 , s1 , . . . , sk−1 , where the property holds for all states si , leads to a state sk−1 such that in all direct successor states sk of sk−1 , the property also holds. Loop freedom is necessary for the completeness of the method. IPC may be seen as the degenerate case of k-step induction for k = 0 (although such a proof can hardly be called an “induction”). However, if a (false) counterexample is generated in IPC, the checker will not be rerun with incremented k. Instead, the property will be strengthened with an invariant. Typical IPC properties are often beyond the capacity of k-step induction because they require large values of k. On the other hand, both approaches can complement each other nicely. In our context, k-step induction has shown to be quite useful to prove invariants for IPC after they have been identified manually by the designer. B. Preliminaries Let M be a sequential circuit with primary inputs X = (x1 , . . . , xn ); present-state variables V = (v1 , . . . , vm ); next ); and primary outputs Y = state variables V = (v1 , . . . , vm (y1 , . . . , yw ). Sometimes, we consider a vector of variables, such as X, as a set of variables, e.g., x ∈ X is used as the abbreviation for x ∈ {x1 , . . . , xn }. A circuit is modeled as a binary-encoded FSM M = (I, S, S0 , Δ, Λ, O). The input alphabet I ⊆ B n and the output alphabet O ⊆ B w , with B = {0, 1}, are encoded by the primary inputs X and primary outputs Y , respectively. S ⊆ B m is the set of states encoded by

the state variables. The output function is a Boolean functional vector Λ = (λ1 , . . . , λw ), where λi is the output function for the output yi , i.e., yi = λi (V ). The value of a state variable vi in a state s is denoted by s(vi ). The set S0 ⊆ S is the set of initial states. Δ : B n × B m → B m is the next-state function. The next-state function can be considered as a Boolean functional vector Δ = (δ1 , . . . , δm ), where δi is the next-state function for a next-state variable vi , i.e., vi = δi (X, V ). For a state s = (s1 , . . . , sm ) ∈ S and a subvector U = (vj , . . . , vk ) of V , we call s(U ) = (sj , . . . , sk ) the projection of s on the state variables v ∈ U . Furthermore, with ΔU = (δj . . . , δk ), we denote the Boolean functional vector of next-state functions for state variables in U . The state transition graph (STG) of an FSM is a graph where the vertices are given by the set of states S, the source vertices correspond to the set of initial states S0 , and the edges are given by the transition relation T ⊆ S × S. The characteristic function of the transition relation is defined as T (V , V ) = ∃X∈B n

i=m

(vi ≡ δi (X, V )) .

i=1

The set of next states of a set of states F rom ⊆ S is calculated by the operation img defined as img(F rom) = {s ∈ S|∃s ∈ F rom : (s, s ) ∈ T } . An iterative circuit model of M , where the transition relation is unrolled k times, represents the circuit model in k clock cycles. With X j , Y j , and V j , we denote the primary inputs, primary outputs, and state variables at time point j.

II. M ETHODOLOGY FOR P ROTOCOL C OMPLIANCE V ERIFICATION A. Operational Property Template When proving the correctness of SoC modules and their interfaces at the RTL, in practice, the examined behavior can often be described in computation tree logic (CTL) by safety properties of the following format: f = AG(a → c).

(1)

These properties specify that the circuit exhibits the desired behavior described in c whenever the environment of the circuit fulfills the constraints described in a. In the following, we refer to a as assumption and to c as commitment. In this paper, we concentrate on a special style of writing properties, which is very common in SoC verification and which allows us to further specialize the aforementioned format. In fact, RTL designers very commonly adopt an operational view of the system, where the desired behavior is described clock tick by clock tick within a certain time interval. Consequently, the properties needed to verify this behavior can be specified by an assumption a and a commitment c describing finite design behaviors. These finite

NGUYEN et al.: UNBOUNDED PROTOCOL COMPLIANCE VERIFICATION USING INTERVAL PROPERTY CHECKING

Fig. 1.

ITL operational property (= “interval property”).

behaviors can be specified as conjunctions of propositions for the inputs and the outputs of the design at time j, as follows: a = as (V ) ∧

j=n

AXj (aj (X))

(2)

AXj (cj (X, Y )) ∧ AXn (ce (V ))

(3)

j=0

c=

j=n j=0

In these formulas, the variables are defined as follows. 1) n denotes the number of clock cycles that the design needs in order to perform a specific operation. 2) aj (X) is a Boolean proposition and specifies certain input conditions at time point j. 3) cj (X, Y ) is a Boolean proposition and specifies certain output conditions at time point j. 4) as (V ) and ce (V ) are Boolean propositions and specify a starting assumption and an ending commitment in terms of the state variables of the design. 5) AXn p is defined by AXn p = AXAXn−1 p for n > 0 and AX0 p = p. Considering that this style of writing properties leads to an intuitive methodology and is quite popular among industrial designers, commercial property checkers support this by special property templates or proprietary languages. In the proprietary Interval Language (ITL) [23], the aforementioned property looks as the one shown in Fig. 1. Usually, when inspecting the design to set up properties, as a first step, the designer identifies a set of important control states, which serves as an orientation in the overall verification methodology. For each operation, two important control states are chosen as its starting and ending states. In the property, this is reflected by the starting assumption as (V ) and the ending commitment ce (V ). The time window between the starting and the ending states is called the inspection interval. For example, when verifying a processor, the decode and the write-back phases of an instruction could be chosen to define the inspection interval of an operation. During the inspection interval, the correct input/output behavior is described by specifying the input conditions, aj (X), and output conditions, cj (X, Y ).

2071

Aside from the starting and ending states, in practice, a property may also relate to some intermediate states. This may sometimes be required to further constrain the behavior. On the other hand, considering that such additional state information can be tedious to derive, the verification engineer will prefer to limit the state specifications of an operational property to the important control states whenever possible. Note that practical tools will also allow us to include internal signals of the design into the property specification. However, by tracing the cone of influence of these signals, it is always possible to generate an equivalent property in the aforementioned scheme. As long as the maximum duration of an operation is bounded, it is also possible to express behaviors of variable length by disjunction of commitments for different time points. ITL supports such specifications by providing additional syntactic features such as a temporal operator within [ta , tb ]. The important control states provide an intuitive way of setting up a property suite by linking the individual properties by their starting and ending states. The verification engineer ensures that all operations between the important control states are covered by appropriate properties. This is even supported in commercial tools by specific completeness metrics [24]. A more detailed description of such a methodology is beyond the scope of this paper. However, the following observation is important in order to understand our approach to reachability analysis in Section III. In most cases, the important control states of a design are specified by only constraining a few state bits of the global state vector. For example, when verifying the instructions of a processor, only the state variables related to important control information such as opcode or certain status bits need to be specified. Nothing is said about the other state bits, such as the pipeline buffers. The important control states of a design are typically related to a small set of state variables. As the verification engineer moves along the important control states of a design, he traverses an abstract machine whose states are given by the important control states and whose transitions correspond to the operations that are verified. This abstract machine in the following will be called main FSM and plays a key role in the proposed approximative reachability analysis. Fortunately, complex control structures often expose hierarchical structures, and a main FSM can be identified easily. For reasons to be explained in Section II-B, we are particularly interested in finding such a main FSM in the context of protocol compliance verification. Although the main FSM in protocol implementations is usually quite small, it plays a very important role in the design. As an example, in an RTL description, we may find a piece of code, as shown in Fig. 2(a), which implements the main FSM. The main FSM is encoded by a small subvector Vˆ = (vp , . . . , vq ), with 1 ≤ p < q ≤ m, of the overall state vector V . It can be represented by an STG, where the vertices represent the main states Sˆ and the edges indicate main transitions Tˆ, as shown in Fig. 2(b). The size of the main FSM is usually small so that its STG can be represented explicitly. When the circuit performs a specific functionality, its main FSM is supposed to go through a certain sequence of the main s1 , . . . , sˆn ). From this sequence, the verification states πsˆ = (ˆ

2072

IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 27, NO. 11, NOVEMBER 2008

Fig. 2. Example of the RTL code, the STG of a main FSM and the property in proposed template. (a) Main code. (b) Main STG. (c) Property. (d) Strengthened property.

engineer can derive the following starting assumption and ending commitment for the corresponding property: 1) as = qi=p (ˆ vi ≡ sˆ1 (ˆ vi )); q vi ≡ sˆn (ˆ vi )). 2) ce = i=p (ˆ In short notation, we also write the following: 1) as = (Vˆ ≡ sˆ1 ); 2) ce = (Vˆ ≡ sˆn ). We obtain the following template for operational properties: ⎞ ⎡⎛ j=n AXj (aj (X))⎠ f = AG ⎣⎝(Vˆ ≡ sˆ1 ) ∧ j=0

⎛

j=n

→⎝

⎞⎤ AXj (cj (X, Y )) ∧ AXn (Vˆ ≡ sˆn )⎠⎦ . (4)

j=0

For an illustration of this template, consider again the STG shown in Fig. 2(b). In order to check that the timing for a data transfer is met, the verification engineer may specify that the output signal end will be asserted n clock cycles after the data transfer has been enabled (d_en = 1), provided that the circuit has been in the idle state. During the execution of this transfer, the main FSM will traverse the following path in its STG (idle, wait, . . ., wait, ready). In the idle state, the main FSM will enable an external counter to count the number of transferred blocks by setting the corresponding enable signal StartCnt of the counter. The output cnt of the counter will be evaluated in the wait state of the main FSM to decide whether the transfer is complete. If the transfer is complete, the main FSM will make a transition into state ready. Without looking at the details of the counter and by only inspecting the code of the main FSM, the aforementioned property template can be used to specify this operation, as follows: f = AG (Vˆ ≡ idle) ∧ (d_en ≡ 1)

→ AXn (end ≡ 1) ∧ AXn (Vˆ ≡ ready) . (5)

The corresponding ITL template is given in Fig. 2(c). Note that the starting and ending states are main states, and no other state information is specified in the property. Section II-B will elaborate how, in general, as and ce need to be refined in order to check this kind of property without a complete reachability analysis of the design. B. IPC In this section, we describe how to verify operational properties, as presented in Section II-A, in the context of protocol compliance checking. The approach is based on combining a bounded circuit model with certain invariants. It is therefore related to BMC [25], as well as to invariant checking [26]. As an initial invariant W , we choose the set W = S of all states that can be encoded by the state variables V of the circuit. Clearly, this invariant includes the initial states and is closed under reachability. Therefore, checking a safety property AGp, as given by the templates in the previous section, can be reduced to checking the validity of the internal formula p in every state s ∈ W . This can be solved with SAT based on a bounded circuit model of size n, where n results from the length of the inspection interval and is the highest power of subformulas AXn occurring in the formula for p. Compared with conventional BMC [25], the resulting SAT instances differ, however, by the absence of the initial state constraining the bounded circuit model. We now describe how the properties based on the template in (4) can be translated into a SAT instance. For this purpose, we consider the propositional formula [[f ]]t which checks the validity of the internal formula of the safety property in (4) at a point in time t. It is based on the bounded (or “iterative”) circuit model of length n derived from the original circuit in the usual way by making n copies of the transition and the output functions, where each copy represents the behavior of the original circuit at a specific time. The output values of the original circuit at time t + j are produced in the iterative circuit array at the outputs Y t+j and are computed based on state

NGUYEN et al.: UNBOUNDED PROTOCOL COMPLIANCE VERIFICATION USING INTERVAL PROPERTY CHECKING

variables V t+j and inputs X t+j . The transition functions are concatenated such that the next-state variables V t+j of the jth copy are the present-state variables V t+j+1 of the j + 1th copy. The propositional formula [[f ]]t results from the negation of the internal formula p of the safety property in (4) by replacing all instances of subformulas AXj by Boolean propositions in terms of inputs X t+j and outputs Y t+j . We obtain [[f ]]t = (Vˆ t ≡ sˆ1 ) ∧ ⎛ ∧⎝

j=n

aj (X t+j )

j=0

j=n

⎞ cj (X t+j , Y t+j ) ∨ (Vˆ t+n ≡ sˆn )⎠ . (6)

j=0

In the standard approach for BMC, a SAT instance can be created consisting of [[f ]]t , the iterative circuit model, and constraints I(V 0 ) for the initial state set. For a bound k, this instance can be expressed as follows: I(V 0 ) ∧

k+n i=0

T (V i , X i , V i+1 ) ∧

k

[[f ]]t .

(7)

t=0

In a conventional BMC procedure, k starts at zero and increases until a counterexample is found or the diameter of the circuit is reached. For the applications considered in this paper, huge values of k are required so that the resulting SAT instances, in most cases, would grow beyond the capacity of the solver. In order to overcome this problem, we remove the constraints for the initial state and consider a simplified SAT instance, as follows: φ(V t ) ∧

n

T (V t+i , X t+i , V t+i+1 ) ∧ [[f ]]t .

(8)

i=0

This proposition consists of only a single instance [[f ]]t of the property and of an iterative circuit model for n cycles. Note that n only results from the length of the property and does not depend on the diameter of the design (it is also different from k in BMC). Furthermore, the state vector V t for the starting states of the iterative circuit model are constrained by an invariant φ. This invariant is used to represent an overapproximation of the state set reachable at time t. Obviously, the unsatisfiability of the SAT instance in (8) implies the unsatisfiability of the instance in (7) for every depth k. Therefore, this formulation allows for an unbounded proof of the original property in (4). However, depending on what invariant φ is chosen in (8), a false counterexample may be generated based on some state for V t that is not reachable in the design. Hence, the quality of the invariant φ is crucial for the success of this method. This formulation of property checking is referred to as IPC throughout this paper. Fortunately, for most standard cases of SoC module verification, the trivial invariant φ = 1 is sufficient. This may be surprising at first glance but becomes intuitive if we realize that the iterative circuit model itself contains a lot of local reachability information which is sufficient for many interval properties. As a rule of thumb, we may state that verifying

2073

modules for computation, such as hardware accelerators or processor cores, usually does not require sophisticated invariants. This only changes when communication modules are considered. Here, global dependences between state information over long time windows exist and require significant effort to provide an invariant φ of sufficient strength. This is why we develop our approach for reachability analysis with a focus on protocol compliance verification. However, we envision that other applications may exist, where sophisticated invariants are needed and where the proposed approach can be useful. Due to the nature of our bounded circuit model, even in the case of communication modules, the required invariants are much weaker than we would expect from other property checking formulations. Moreover, they are often intuitive to the designer. Therefore, in the case of communication modules, it is a common practice to manually inspect the code and to define invariants that are appropriate for proving properties of the type described earlier. This is shown by means of our example in Fig. 2. The circuit uses a counter to keep track of time. The output cnt of the counter is evaluated whenever the circuit is in state wait and a transition from wait to state ready is performed if and only if cnt = n. Therefore, the proof of the property in (5) fails and a counterexample is generated when (8) is set up with the invariant φ = 1. This counterexample, however, turns out to be a false negative. For example, the property checker may claim that (Vˆ ≡ idle ∧ cnt ≡ 1) leads to (Vˆ ≡ ready ∧ end ≡ 1) after n − 1 cycles rather than n cycles. The obvious reason for this false negative to appear is that the value of the counter at the beginning of the considered transaction is neither defined by the property nor defined by the invariant φ. Nevertheless, inspecting the design reveals that the counter will always take the value cnt = 0 at this point in time. Specifying this in [[f ]]t would violate our template because the counter is not part of the main FSM. Note that the missing constraint is independent of the property and results from reachability in the overall circuit. Therefore, this information is taken into account by a refinement of the invariant φ. The new invariant becomes

φ(V t ) = (Vˆ t ≡ idle) → (cntt ≡ 0) .

(9)

This leads to a strengthened ITL property, as in Fig. 2(d). The implicative structure of the invariant required in this example is a typical representative for the invariants usually required when following the aforementioned methodology. Considering that each property based on the proposed template assumes a concrete state sˆ for the main FSM, it is usually sufficient to restrict the values for certain non-main-state variables (i.e., subFSM state variables) such that the encoded states are reachable simultaneously with the main-FSM state sˆ. This results in an invariant of the following form:

φ(V t ) = (Vˆ ≡ sˆ) → asˆ

(10)

where asˆ is a Boolean expression which has to be satisfied by the values of the sub-FSM variables that occur whenever the main FSM is in state sˆ.

2074

IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 27, NO. 11, NOVEMBER 2008

TABLE I COMPARISON WITH ABSTRACTION/REFINEMENT

TABLE II COMPARISON WITH PREDICATE ABSTRACTION

Fig. 3. IPC-based verification flow with the proposed algorithm (shaded part).

Taking into account such reachability constraints is very important to avoid false negatives when using the IPC based on (8). Note that the validity of reachability constraints obtained from manual analysis must be proven by writing additional properties. The proposed methodology for verifying protocol implementations in SoCs is shown in Fig. 3. The main FSM is usually determined manually in the RTL code of the design by identifying a set of important control states, as described before. Moreover, commercial tools, such as that reported in [27], are available, which can be used to automatically extract a main FSM from the RTL description and to visualize its STG. Fig. 3 shows how false negatives are treated in current industrial practice by manually refining invariants. We propose to reduce this effort by integrating TBT FSM traversal for approximative reachability analysis. Our ultimate goal is to avoid false negatives completely so that time-consuming code inspections of the design source code beyond the main FSM are no longer needed. C. Comparison With Other Abstraction Techniques Fig. 3 immediately raises the question of how this approach compares with well-known techniques for abstraction/ refinement, such as the ones mentioned in Section I. Table I summarizes some of the differences. The abstraction employed in IPC with invariants, in general, cannot be expressed efficiently by a single partitioning of the state set in abstract and concrete state variables. The reachability constraints, as used in IPC, may relate to a large number of state variables. If all these state variables were concretized, the resulting model would become prohibitively complex. Moreover, in order to capture the state information implicitly contained in the iterative circuit, it would be necessary to concretize specific state variables only at certain time points but not at others. Table II summarizes a comparison with predicate abstraction. While identifying the main FSM can be understood as identifying a special set of predicates, the overall approach is still

different. Considering that the main FSM is not sufficient as an abstraction to prove the considered properties, it is only used to decompose the state space of the concrete machine. In the conventional predicate abstraction approach, however, the goal is to prove the properties directly on the abstraction. III. C OMPUTING I NVARIANTS FOR IPC A. Decomposition of State Space and Transition Relation Using the Main FSM In the proposed approach, the state space and transition relation of the design are decomposed by the transitions of a main FSM whose STG is defined as follows. Definition 1: The STG of the main FSM of a circuit M is a ˆ Sˆ0 , Tˆ), where the components are defined as follows. triple (S, ˆ 1) Sˆ = {ˆ s ∈ B |V | |∃s ∈ S : s(Vˆ ) = sˆ} is the set of main states. ˆ 0 ∈ S0 : s0 (Vˆ ) = sˆ0 } is the set of inis0 ∈ S|∃s 2) Sˆ0 = {ˆ tial main states. 3) Tˆ = {(ˆ s1 , sˆ2 ) ∈ Sˆ2 |∃s1 , s2 ∈ S : (s1 , s2 ) ∈ T ∧ s1 (Vˆ ) = sˆ1 ∧ s2 (Vˆ ) = sˆ2 } is the main transition relation. ˆ Sˆ0 , Tˆ) describes the behavior In other words, the triple (S, of the isolated main FSM. The states in Sˆ are encoded solely by the state variables belonging to the main FSM such that an encoded main state is a subvector of the entire state vector V . Although the main FSM, as defined earlier, is a sound abstraction of the design, in contrast to other model checking techniques with abstraction, our approach does not rely on proving properties in the abstract machine. In fact, an abstract machine that would allow us to prove properties of the format given in the previous section would be significantly more complex than the main FSM. Such an abstraction would not only contain the main states but also many other states representing the input/output behavior of the concrete design. Instead, our approach uses the main FSM only to derive a decomposition of

NGUYEN et al.: UNBOUNDED PROTOCOL COMPLIANCE VERIFICATION USING INTERVAL PROPERTY CHECKING

Fig. 4.

TBT traversal algorithm.

the concrete design and to conduct an approximative reachability analysis. The state space of the design can be partitioned into sets of design states corresponding to main states. Whenever the main FSM is in one of its states, the other FSMs in the circuit may each be in one of many different states. Each single state of the main FSM therefore corresponds to a set of states of the complete circuit M . Definition 2: Let sˆ ∈ Sˆ be a main state of a circuit M . The set of states corresponding to sˆ is Ssˆ = s ∈ S|s(Vˆ ) = sˆ . In the same way, we can describe the transitions of the complete design M in terms of the transitions of the main FSM. When the main FSM moves from one of its states sˆ1 to another state sˆ2 the circuit M correspondingly moves from a state in Ssˆ1 to another state in Ssˆ2 . By considering all possible transitions between such states corresponding to sˆ1 and sˆ2 we define the transition relation of the design corresponding to a transition of the main FSM as follows. Definition 3: Let (ˆ s1 , sˆ2 ) ∈ Tˆ be a main transition of a circuit M . The transition relation corresponding to (ˆ s1 , sˆ2 ) is Tsˆ1 →ˆs2 = {(s1 , s2 ) ∈ T |s1 ∈ Ssˆ1 ∧ s2 ∈ Ssˆ2 } . Given this definition of the transition relation Tsˆ1 →ˆs2 , we define image computation corresponding to a transition sˆ1 → sˆ2 of the main FSM. Definition 4: Let (ˆ s1 , sˆ2 ) ∈ Tˆ be a main transition of a circuit M . The constrained image operation corresponding to (ˆ s1 , sˆ2 ) is imgsˆ1 →ˆs2 (F rom) = {s2 ∈ S|∃s1 ∈ F rom ∧ (s1 , s2 ) ∈ Tsˆ1 →ˆs2 } where F rom ⊆ S. With these notations, we can formulate the algorithm in Fig. 4. As proven in [28], this algorithm exactly calculates the set of reachable states for a circuit by decomposing the state space and the transition relation based on the main FSM. The procedure tbt_traversal takes the transition relation, the set of initial states, and the main FSM of the circuit as inputs.

2075

It returns the sets of reachable states corresponding to the main states. At the beginning of a procedure call, the sets of states corresponding to the main states are empty except for the sets of states corresponding to the initial main states, which contain the given initial states. A queue is used to keep track of the main states that need to be processed next. First, the queue contains the initial main states. A main state sˆ is added to the queue if and only if its corresponding set of states changes. In this case, the sets of states corresponding to the next states of sˆ have to be recalculated. For a main state sˆ in the queue, the algorithm considers all its next states. The s → sˆ ) is set of states Ssˆ→ˆs corresponding to a transition (ˆ calculated by the constrained image operation. The set of states Ssˆ corresponding to the main state sˆ is extended by Ssˆ→ˆs . If new states are added to Ssˆ by this operation, sˆ is entered into the queue. The procedure tbt_traversal implements a fixedpoint calculation for the sets of reachable states corresponding to the main states. The fixed point is reached if and only if the queue is empty. An illustration of the algorithm by means of an example is given in [28]. B. Decomposing the State Space Using Sub-FSMs In the previous section, we outlined how to partition the traversal of a circuit using the transitions of a main FSM. As a next step, we study how the main FSM can be used for automatically decomposing the circuit into sub-FSMs to be individually traversed. We perform the individual traversals following the hierarchy of the sub-FSM. This reachability analysis for the overall circuit is approximative because we may miss correlations between sub-FSMs in the same level of the hierarchy. 1) Partitioning the Circuit Into Sub-FSMS: We proceed in three steps. 1) For each next-state function δi , we calculate the support sets under the constraints imposed by main-FSM transitions. 2) Based on the constrained support sets, we build a variant of latch dependency graph and decompose it into strongly connected components (SCCs). 3) The latches within each SCC are grouped together and treated as a sub-FSM. The hypergraph of SCCs, each representing a sub-FSM, is a directed acyclic graph (DAG) and can be levelized. This results in a hierarchy for the sub-FSM. For the remainder of this section, we follow these steps and formally define the required notations and procedures. Step 1: Our goal is to determine functional dependences between the circuit registers under the individual transitions of the main FSM. We need to define different notions of support set. For a next-state variable vi , the syntactic support set or cone of influence is given, as usual, by the connectivity between the gates implementing the transition functions δi . It can be easily determined by a structural analysis of the gate netlist. Depending on the representation of δi , the syntactic support set may, however, suggest pseudo-dependencies that do not exist in the implemented function itself. In order to avoid such

2076

IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 27, NO. 11, NOVEMBER 2008

pseudo-dependencies, we consider the semantic support set supp(δi ) = {vj ∈ V |δi |vj =0 = δi |vj =1 }. The difference between the semantic and syntactic support set can be illustrated by the example δ1 (x1 , (v1 , v2 )) = v1 ∨ x1 ∧ v2 ∨ v2 ∧ x1 . In this example, the syntactic support set includes v2 , while the semantic support set does not. Unless it is not explicitly stated in the remainder of this paper, we always consider the semantic support sets. Next, we constrain the support set by considering a specific main transition (ˆ s1 , sˆ2 ) ∈ Tˆ. Consider a generalized cofactor δi |Vˆ =ˆs1 ∧δ(X,V ˆ )=ˆ s2 and its support set suppsˆ1 →ˆs2 (δi ) = supp(δi |Vˆ =ˆs1 ∧δ(X,V ˆ )=ˆ s2 ). We call suppsˆ1 →ˆs2 (δi ) a constrained support set for δi . Note that, by definition, every function f with f ∧ g = f ∧ g is a generalized cofactor f |g . Hence, the constrained support set is not uniquely determined. However, as it turns out, small constrained support sets are beneficial to partition the circuit into sub-FSMs. Therefore, in Sections III-C and -D, we will study SAT- and BDD-based approximations of a minimal constrained support set. Step 2: We use the constrained support set to build a constrained variant of latch dependency graph, as follows. Definition 5: Let Tˆ be the main transition relation of a circuit M with the next-state function Δ. Let (ˆ s1 , sˆ2 ) ∈ Tˆ be a main transition. The constrained dependency graph of the state variables is a directed graph G(V, E), where the set of vertices is given by the set of state variables V . The set of edges E is defined as ⎧ ⎫ ⎨ ⎬ E = (vi , vj ) ∈ V 2 |vi ∈ suppsˆ1 →ˆs2 (δj ) . ⎩ ⎭ (ˆ s1 ,ˆ s2 )∈Tˆ

Note that the constrained dependency graph differs from the usual latch dependency graph based on the standard support set operator, where the edges are defined by E = (vi , vj ) ∈ V 2 |vi ∈ supp(δj ) . We illustrate the difference of the non-constrained versus the constrained dependency graphs by means of an example. Consider a circuit with a main FSM encoded by a singlestate variable vˆ. Further, let the circuit have two non-main-state variables v1 , v2 . Finally, the transition functions for vˆ and v2 shall be given by v2 = v1 ∧ vˆ and vˆ, if v1 = 0 vˆ = vˆ, else. In this case, we have v1 ∈ supp(δ2 ). On the other hand, v1 is constant under any transition of the main FSM and, therefore, will not be an element of any constrained support set. Step 3: The constrained dependency graph is partitioned using a simple algorithm to identify SCC. Each SCC corresponds to a sub-FSM. The graph of sub-FSMs is a DAG which can be levelized by a depth-first search algorithm. The level of each sub-FSM k is denoted by level(k). An example of the

Fig. 5.

Partitioned structure of a circuit.

hierarchical structure of the circuit after being partitioned is shown in Fig. 5. The circuit consists of a main FSM and five sub-FSMs. The sets of state variables of the main FSM and the five sub-FSMs are Vˆ , V1 , . . . , V5 , respectively. Sub-FSMs 1 and 2 are on level 1; the other sub-FSMs are on level 2. As shown in Fig. 5, the SCC decomposition produces unidirectional interactions among the sub-FSMs of the circuit. The control information stored in the state variables is only passed in one direction from the lower to the higher level sub-FSMs. Note that a non-constrained decomposition into SCCs is generally not useful for industrial designs because this type of decomposition often produces only a single large SCC containing the whole design. If, however, the dependency graph is constrained by the transitions of the main FSM, the situation is different, and many small SCCs can often be identified. 2) Traversing the Sub-FSMS: For the individual traversal of the sub-FSMs determined in the previous section, we consider the corresponding state vectors V1 , . . . , Vr . Without loss of generality, we may assume that these vectors are topologically sorted with respect to the SCC graph, i.e., level(j) < level(k) for j < k. For each sub-FSM k = 1, . . . , r, together with the main FSM, we generate an abstract circuit model Mk by apply/ Vˆ ∪ Vk . ing localization abstraction to the state variables vj ∈ In other words, in Mk , only the state variables of the subFSM Vk and the main FSM Vˆ are considered as state variables. All other state variables are treated as pseudo-inputs. In the same manner as the MBM approach of [9], we traverse the individual abstract machines Mk separately and constrain the pseudo-inputs V1 , . . . , Vk−1 with the reachability constraints Reach1 , . . . , Reachk−1 calculated for the corresponding subFSMs in previous runs. This results in the following expression for the transition relation used in the respective run of the TBT traversal algorithm: (vi ≡ δi ) · Vl ∈ (Reachl ). Tk = vi ∈{Vˆ ∪Vk }

l

IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 27, NO. 11, NOVEMBER 2008

Unbounded Protocol Compliance Verification Using Interval Property Checking With Invariants Minh D. Nguyen, Max Thalmaier, Markus Wedler, Jörg Bormann, Dominik Stoffel, Member, IEEE, and Wolfgang Kunz, Fellow, IEEE

Abstract—We propose a methodology to formally prove protocol compliance for communication blocks in System-on-Chip (SoC) designs. In this methodology, a set of operational properties is specified with respect to the states of a central finite state machine (FSM). This central FSM is called main FSM and controls the overall behavior of the design. In order to prove a set of compliance properties, we developed an approach that combines property checking on a bounded circuit model with an approximate reachability analysis. The property checker determines whether a property is valid for an arbitrary state of the design regardless of its reachability. In order to avoid false negatives, reachability constraints are added to the property, which are generated by an approximate FSM traversal algorithm. We show how the existence of a main FSM can be exploited systematically in the reachability analysis and how to partition both the transition relation and the state space such that the computational complexity is reduced drastically. This makes formal verification of protocol compliance tractable even for large designs with several thousand state variables. Our approach has been applied successfully to verify several industrial designs. Index Terms—Binary decision diagram (BDD), bounded model checking (BMC), finite state machine (FSM) traversal, model checking, protocol compliance verification, satisfiability solving (SAT).

I. I NTRODUCTION

T

HE PRESENT-DAY design flows for microelectronic systems confront hardware designers and verification engineers with great challenges related to System-on-Chip (SoC) integration. The integration of individual IP blocks into a single chip is a demanding design task and requires a sophisticated communication infrastructure. For this purpose, many different buses and protocols, such as ARM advanced microcontroller bus architecture (AMBA) or virtual component interface (VCI), have been introduced. These protocols are used to create interfaces between modules and ensure proper behavior of the entire chip. Manuscript received October 5, 2007; revised April 25, 2008. Current version published October 22, 2008. This is an extended version of a paper that appeared in the Proceedings of the International Conference on ComputerAided Design (ICCAD), pp. 1068–1075, November 6–10, 2005, San Jose, CA, USA. This work was supported in part by BMBF under Grant 01M3082D and Grant 01IS07008D. This paper was recommended by Associate Editor V. Bertacco. M. D. Nguyen, M. Thalmaier, M. Wedler, D. Stoffel, and W. Kunz are with the Department of Electrical and Computer Engineering, University of Kaiserslautern, 67653 Kaiserslautern, Germany (e-mail: [email protected] eit.uni-kl.de; [email protected]; [email protected]; [email protected]; [email protected]). J. Bormann is with OneSpin Solutions GmbH, 80339 Munich, Germany (e-mail: [email protected]). Digital Object Identifier 10.1109/TCAD.2008.2006092

In spite of continuous progress in formal verification technology, a complete SoC design clearly remains beyond the capacity of a state-of-the-art formal property checker. Therefore, formal property checking is usually applied at the block level and is used to achieve high-quality IP blocks. Moreover, this way, simulation at the chip level becomes less expensive because it can concentrate on the global system behavior and is relieved from hunting bugs in the individual SoC modules. By a “block” or “module”, we mean SoC components such as hardware accelerators; I/O controllers; or programmable blocks, such as digital signal processors and standard processor cores. A major area of potential innovation in industrial SoC verification is the extension of formal property checking to the interfaces between such modules. When it comes to ensuring system integrity, it is of great importance to verify that the components connected to the system buses comply with the respective protocols. In principle, the formal compliance check can be carried out using standard property checking techniques such as symbolic model checking [1] or bounded model checking (BMC) [2]. Although the state of the art in formal verification technology provides a rich set of methods and tools to formally verify the interfaces between SoC modules, severe problems still occur in practice. Considering that the control circuits for standard SoC protocols typically contain thousands of state variables, all methods that rely on an exact traversal of the state space are prohibitively expensive. More advanced methods are available, which decompose the state space and/or perform abstractions on it. However, most of these methods are of a generic nature and have been developed for a general spectrum of property checking applications. Unfortunately, they tend to fail in industrial practice when being applied specifically to the interfaces of modules. BMC, in principle, can handle the complexity of SoC module interfaces; however, proofs on bounded time intervals often remain incomplete when starting from initial states, or a tremendous manual effort is required to provide adequate state information for the start times of the considered time intervals. In this paper, we propose a new approach for protocol compliance verification. Our starting point is a specific property checking methodology based on a bounded circuit model. Here, this methodology is referred to as “interval property checking (IPC).” It was originally developed in the mid-1990s by the Siemens company and is commercially available [3]. IPC has proved very efficient for a wide range of SoC modules. In the case of protocol compliance verification, however, major challenges remain. Due to the nature of the underlying computational model, high manual efforts may be required to augment

0278-0070/$25.00 © 2008 IEEE

NGUYEN et al.: UNBOUNDED PROTOCOL COMPLIANCE VERIFICATION USING INTERVAL PROPERTY CHECKING

the model by important reachability information. In this paper, we propose to automate this process by an approximative reachability analysis which is well adapted to the IPC paradigm, as well as to the application of protocol compliance verification. Our approach is entirely based on register transfer level (RTL) design descriptions and is applied to concrete industrial implementations of SoC interfaces. Considering that current industrial practices usually require a manual translation of highlevel abstract models into RTL implementations, at this point, verification using RTL descriptions is unavoidable. The rest of this paper is organized as follows. In the remainder of this section, we present a brief comparison of our approach with the previous work and introduce the terminology and notations used in later sections. In Section II, we describe the overall property checking methodology which underlies this paper. First, in Section II-A, we introduce an operational style of writing properties and show an example of how to apply this for protocol compliance verification. Then, in Section II-B, we develop the computational model of IPC and discuss those methodological issues of IPC which are relevant for reaching our goal of highly automated protocol compliance verification. Section III presents our approach to compute invariants for IPC. We first present an exact approach that is only of conceptual value and then extend it to an approximative approach to handle large designs. We present implementations of our approach based on both, satisfiability solving (SAT) and binary decision diagrams (BDDs). Finally, Section IV presents the results on several case studies which we conducted on industrial, as well as public-domain, designs. A. Contribution and Comparison With Previous Work The proposed methodology for protocol compliance verification exploits the nature of protocol implementations which are often organized as a hierarchy of interacting finite state machines (FSMs), where a central FSM controls the overall behavior of the design. In the following, we denote such a central FSM in a protocol implementation as main FSM. Verification engineers, when verifying protocol compliance of a design, very commonly base the properties they write on the main FSM because the state transitions in this FSM reflect the individual protocol transactions executed by the hardware. The properties are specified by directly relating the intended design behavior in a certain state of a protocol transaction to the corresponding main state of the main FSM. This way, a suite of operational properties is created, covering the complete protocol specification. In our methodology, the properties are checked using an Interval Property Checker (cf. Section II-B) which uses the same circuit modeling as BMC [2] except that the circuit is not unrolled from the initial state but from an arbitrary state. If a counterexample is generated it may be spurious if the computed states are unreachable. False counterexamples are eliminated by strengthening the property with reachability information in the form of added invariants. However, at present, such invariants are mostly found manually by the verification engineer in a tedious and time-consuming process. To date, automatic techniques are not capable of generating the invariants

2069

necessary for verifying protocol implementations of industrial complexity. In this paper, we approach this problem with a novel FSM traversal algorithm specifically tailored to the computation of the reachability constraints needed in this context. In this method, the state space of the design is decomposed into sets of states corresponding to the main states. The transition relation is decomposed with respect to the transitions of the main FSM. During reachability analysis, the transitions in the main FSM (main transitions) are considered individually when calculating the image of a state set. The algorithm is therefore called Transition-By-Transition (TBT) FSM traversal. Furthermore, in order to avoid the state explosion problem of exact reachability computation, we develop a new approximation technique that partitions the design into sub-FSMs using the information of the main FSM. Each sub-FSM is traversed individually with the main FSM using the TBT algorithm. The computed reachability information for the design is an overapproximation of the design’s state space. There is a large amount of literature on partitioning, approximation, or abstraction in order to overcome the limitations of formal techniques when dealing with large designs. Partitioning techniques decompose the characteristic functions of the state set and the transition relation into partitions which are small enough for symbolic representation. In [4], the characteristic function of the transition relation is considered as a conjunction of partitioned functions and is manipulated using an early quantification operation. In other approaches, the state set and the transition relation are decomposed as a disjunction of the characteristic functions which are manipulated separately [5], [6]. In [7], the transition function is decomposed as a disjunction by means of input and output splitting. The combination of disjunctive and conjunctive decompositions is proposed in [8]. Cho et al. [9] presented an approximate FSM traversal method based on state space decomposition. Their basic idea is to partition the circuit into several sub-FSMs and to perform a symbolic traversal for each individual sub-FSM. There are two classes of approximate traversal algorithms in [9]: Machine By Machine (MBM) and Frame By Frame (FBF). The latter has two variants called Reached FBF (RFBF) and To FBF (TFBF). In [10], Cho et al. proposed methods to automatically determine good partitions of the circuit. Another method to partition the circuit using overlapping projections was presented in [11]. In [12], extensions were made to improve the convergence of the RFBF algorithm by proposing the Least Fixpoint Machine By Machine (LMBM) algorithm. Our approach is different from these methods, as our approach decomposes not only the state space but also the transition relation, and both with respect to a specific main FSM. Moreover, the sub-FSMs traversed in our approximation technique are not disjoint partitions as in [10] but they share the same main-state variables. In contrast to the overlapping projections of [11], our shared state variables are exactly the state variables of the main FSM and hence are the same for all traversed sub-FSMs. In Generalized Symbolic Trajectory Evaluation (GSTE), the property under verification is specified as an assertion graph

2070

IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 27, NO. 11, NOVEMBER 2008

and is used for decomposing the problem [13]–[15]. The core algorithm in GSTE [13] has some similarities with the proposed FSM traversal algorithm. However, there are important differences. In GSTE, the state space satisfying the property is decomposed based on state predicates called antecedents being associated with the edges of the assertion graph. In our algorithm, not only the state space but also the transition relation is decomposed, and this decomposition is performed with respect to individual transitions in the main FSM. This can significantly reduce the computational complexity. In contrast, image computation in GSTE computes all successor states of a given state set regardless of the main-FSM transitions. In addition, due to the three-valued alphabet used in GSTE’s symbolic simulation, the state set computed there overapproximates the image. Another important difference is that TBT traversal can be applied as a preprocessing phase to the complete design. Unlike GSTE, it does not depend on the property to be proven. Techniques for abstraction/refinement, to some extent, are also related to our method. These techniques [16]–[21] check properties on an abstract model of the design. The abstract model overapproximates the state space of the system, and generated counterexamples may be spurious. The abstract model is iteratively refined (e.g., using information from the counterexample) until the property holds or the counterexample becomes a true one. A general property checking formulation which may be compared to IPC is k-step induction [22]. It is a SAT-based method for verifying general safety properties. In this technique, the induction base is a BMC proof with depth k starting from the initial state. The induction step is a proof that for an arbitrary state s0 , every loop-free finite path of k states s0 , s1 , . . . , sk−1 , where the property holds for all states si , leads to a state sk−1 such that in all direct successor states sk of sk−1 , the property also holds. Loop freedom is necessary for the completeness of the method. IPC may be seen as the degenerate case of k-step induction for k = 0 (although such a proof can hardly be called an “induction”). However, if a (false) counterexample is generated in IPC, the checker will not be rerun with incremented k. Instead, the property will be strengthened with an invariant. Typical IPC properties are often beyond the capacity of k-step induction because they require large values of k. On the other hand, both approaches can complement each other nicely. In our context, k-step induction has shown to be quite useful to prove invariants for IPC after they have been identified manually by the designer. B. Preliminaries Let M be a sequential circuit with primary inputs X = (x1 , . . . , xn ); present-state variables V = (v1 , . . . , vm ); next ); and primary outputs Y = state variables V = (v1 , . . . , vm (y1 , . . . , yw ). Sometimes, we consider a vector of variables, such as X, as a set of variables, e.g., x ∈ X is used as the abbreviation for x ∈ {x1 , . . . , xn }. A circuit is modeled as a binary-encoded FSM M = (I, S, S0 , Δ, Λ, O). The input alphabet I ⊆ B n and the output alphabet O ⊆ B w , with B = {0, 1}, are encoded by the primary inputs X and primary outputs Y , respectively. S ⊆ B m is the set of states encoded by

the state variables. The output function is a Boolean functional vector Λ = (λ1 , . . . , λw ), where λi is the output function for the output yi , i.e., yi = λi (V ). The value of a state variable vi in a state s is denoted by s(vi ). The set S0 ⊆ S is the set of initial states. Δ : B n × B m → B m is the next-state function. The next-state function can be considered as a Boolean functional vector Δ = (δ1 , . . . , δm ), where δi is the next-state function for a next-state variable vi , i.e., vi = δi (X, V ). For a state s = (s1 , . . . , sm ) ∈ S and a subvector U = (vj , . . . , vk ) of V , we call s(U ) = (sj , . . . , sk ) the projection of s on the state variables v ∈ U . Furthermore, with ΔU = (δj . . . , δk ), we denote the Boolean functional vector of next-state functions for state variables in U . The state transition graph (STG) of an FSM is a graph where the vertices are given by the set of states S, the source vertices correspond to the set of initial states S0 , and the edges are given by the transition relation T ⊆ S × S. The characteristic function of the transition relation is defined as T (V , V ) = ∃X∈B n

i=m

(vi ≡ δi (X, V )) .

i=1

The set of next states of a set of states F rom ⊆ S is calculated by the operation img defined as img(F rom) = {s ∈ S|∃s ∈ F rom : (s, s ) ∈ T } . An iterative circuit model of M , where the transition relation is unrolled k times, represents the circuit model in k clock cycles. With X j , Y j , and V j , we denote the primary inputs, primary outputs, and state variables at time point j.

II. M ETHODOLOGY FOR P ROTOCOL C OMPLIANCE V ERIFICATION A. Operational Property Template When proving the correctness of SoC modules and their interfaces at the RTL, in practice, the examined behavior can often be described in computation tree logic (CTL) by safety properties of the following format: f = AG(a → c).

(1)

These properties specify that the circuit exhibits the desired behavior described in c whenever the environment of the circuit fulfills the constraints described in a. In the following, we refer to a as assumption and to c as commitment. In this paper, we concentrate on a special style of writing properties, which is very common in SoC verification and which allows us to further specialize the aforementioned format. In fact, RTL designers very commonly adopt an operational view of the system, where the desired behavior is described clock tick by clock tick within a certain time interval. Consequently, the properties needed to verify this behavior can be specified by an assumption a and a commitment c describing finite design behaviors. These finite

NGUYEN et al.: UNBOUNDED PROTOCOL COMPLIANCE VERIFICATION USING INTERVAL PROPERTY CHECKING

Fig. 1.

ITL operational property (= “interval property”).

behaviors can be specified as conjunctions of propositions for the inputs and the outputs of the design at time j, as follows: a = as (V ) ∧

j=n

AXj (aj (X))

(2)

AXj (cj (X, Y )) ∧ AXn (ce (V ))

(3)

j=0

c=

j=n j=0

In these formulas, the variables are defined as follows. 1) n denotes the number of clock cycles that the design needs in order to perform a specific operation. 2) aj (X) is a Boolean proposition and specifies certain input conditions at time point j. 3) cj (X, Y ) is a Boolean proposition and specifies certain output conditions at time point j. 4) as (V ) and ce (V ) are Boolean propositions and specify a starting assumption and an ending commitment in terms of the state variables of the design. 5) AXn p is defined by AXn p = AXAXn−1 p for n > 0 and AX0 p = p. Considering that this style of writing properties leads to an intuitive methodology and is quite popular among industrial designers, commercial property checkers support this by special property templates or proprietary languages. In the proprietary Interval Language (ITL) [23], the aforementioned property looks as the one shown in Fig. 1. Usually, when inspecting the design to set up properties, as a first step, the designer identifies a set of important control states, which serves as an orientation in the overall verification methodology. For each operation, two important control states are chosen as its starting and ending states. In the property, this is reflected by the starting assumption as (V ) and the ending commitment ce (V ). The time window between the starting and the ending states is called the inspection interval. For example, when verifying a processor, the decode and the write-back phases of an instruction could be chosen to define the inspection interval of an operation. During the inspection interval, the correct input/output behavior is described by specifying the input conditions, aj (X), and output conditions, cj (X, Y ).

2071

Aside from the starting and ending states, in practice, a property may also relate to some intermediate states. This may sometimes be required to further constrain the behavior. On the other hand, considering that such additional state information can be tedious to derive, the verification engineer will prefer to limit the state specifications of an operational property to the important control states whenever possible. Note that practical tools will also allow us to include internal signals of the design into the property specification. However, by tracing the cone of influence of these signals, it is always possible to generate an equivalent property in the aforementioned scheme. As long as the maximum duration of an operation is bounded, it is also possible to express behaviors of variable length by disjunction of commitments for different time points. ITL supports such specifications by providing additional syntactic features such as a temporal operator within [ta , tb ]. The important control states provide an intuitive way of setting up a property suite by linking the individual properties by their starting and ending states. The verification engineer ensures that all operations between the important control states are covered by appropriate properties. This is even supported in commercial tools by specific completeness metrics [24]. A more detailed description of such a methodology is beyond the scope of this paper. However, the following observation is important in order to understand our approach to reachability analysis in Section III. In most cases, the important control states of a design are specified by only constraining a few state bits of the global state vector. For example, when verifying the instructions of a processor, only the state variables related to important control information such as opcode or certain status bits need to be specified. Nothing is said about the other state bits, such as the pipeline buffers. The important control states of a design are typically related to a small set of state variables. As the verification engineer moves along the important control states of a design, he traverses an abstract machine whose states are given by the important control states and whose transitions correspond to the operations that are verified. This abstract machine in the following will be called main FSM and plays a key role in the proposed approximative reachability analysis. Fortunately, complex control structures often expose hierarchical structures, and a main FSM can be identified easily. For reasons to be explained in Section II-B, we are particularly interested in finding such a main FSM in the context of protocol compliance verification. Although the main FSM in protocol implementations is usually quite small, it plays a very important role in the design. As an example, in an RTL description, we may find a piece of code, as shown in Fig. 2(a), which implements the main FSM. The main FSM is encoded by a small subvector Vˆ = (vp , . . . , vq ), with 1 ≤ p < q ≤ m, of the overall state vector V . It can be represented by an STG, where the vertices represent the main states Sˆ and the edges indicate main transitions Tˆ, as shown in Fig. 2(b). The size of the main FSM is usually small so that its STG can be represented explicitly. When the circuit performs a specific functionality, its main FSM is supposed to go through a certain sequence of the main s1 , . . . , sˆn ). From this sequence, the verification states πsˆ = (ˆ

2072

IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 27, NO. 11, NOVEMBER 2008

Fig. 2. Example of the RTL code, the STG of a main FSM and the property in proposed template. (a) Main code. (b) Main STG. (c) Property. (d) Strengthened property.

engineer can derive the following starting assumption and ending commitment for the corresponding property: 1) as = qi=p (ˆ vi ≡ sˆ1 (ˆ vi )); q vi ≡ sˆn (ˆ vi )). 2) ce = i=p (ˆ In short notation, we also write the following: 1) as = (Vˆ ≡ sˆ1 ); 2) ce = (Vˆ ≡ sˆn ). We obtain the following template for operational properties: ⎞ ⎡⎛ j=n AXj (aj (X))⎠ f = AG ⎣⎝(Vˆ ≡ sˆ1 ) ∧ j=0

⎛

j=n

→⎝

⎞⎤ AXj (cj (X, Y )) ∧ AXn (Vˆ ≡ sˆn )⎠⎦ . (4)

j=0

For an illustration of this template, consider again the STG shown in Fig. 2(b). In order to check that the timing for a data transfer is met, the verification engineer may specify that the output signal end will be asserted n clock cycles after the data transfer has been enabled (d_en = 1), provided that the circuit has been in the idle state. During the execution of this transfer, the main FSM will traverse the following path in its STG (idle, wait, . . ., wait, ready). In the idle state, the main FSM will enable an external counter to count the number of transferred blocks by setting the corresponding enable signal StartCnt of the counter. The output cnt of the counter will be evaluated in the wait state of the main FSM to decide whether the transfer is complete. If the transfer is complete, the main FSM will make a transition into state ready. Without looking at the details of the counter and by only inspecting the code of the main FSM, the aforementioned property template can be used to specify this operation, as follows: f = AG (Vˆ ≡ idle) ∧ (d_en ≡ 1)

→ AXn (end ≡ 1) ∧ AXn (Vˆ ≡ ready) . (5)

The corresponding ITL template is given in Fig. 2(c). Note that the starting and ending states are main states, and no other state information is specified in the property. Section II-B will elaborate how, in general, as and ce need to be refined in order to check this kind of property without a complete reachability analysis of the design. B. IPC In this section, we describe how to verify operational properties, as presented in Section II-A, in the context of protocol compliance checking. The approach is based on combining a bounded circuit model with certain invariants. It is therefore related to BMC [25], as well as to invariant checking [26]. As an initial invariant W , we choose the set W = S of all states that can be encoded by the state variables V of the circuit. Clearly, this invariant includes the initial states and is closed under reachability. Therefore, checking a safety property AGp, as given by the templates in the previous section, can be reduced to checking the validity of the internal formula p in every state s ∈ W . This can be solved with SAT based on a bounded circuit model of size n, where n results from the length of the inspection interval and is the highest power of subformulas AXn occurring in the formula for p. Compared with conventional BMC [25], the resulting SAT instances differ, however, by the absence of the initial state constraining the bounded circuit model. We now describe how the properties based on the template in (4) can be translated into a SAT instance. For this purpose, we consider the propositional formula [[f ]]t which checks the validity of the internal formula of the safety property in (4) at a point in time t. It is based on the bounded (or “iterative”) circuit model of length n derived from the original circuit in the usual way by making n copies of the transition and the output functions, where each copy represents the behavior of the original circuit at a specific time. The output values of the original circuit at time t + j are produced in the iterative circuit array at the outputs Y t+j and are computed based on state

NGUYEN et al.: UNBOUNDED PROTOCOL COMPLIANCE VERIFICATION USING INTERVAL PROPERTY CHECKING

variables V t+j and inputs X t+j . The transition functions are concatenated such that the next-state variables V t+j of the jth copy are the present-state variables V t+j+1 of the j + 1th copy. The propositional formula [[f ]]t results from the negation of the internal formula p of the safety property in (4) by replacing all instances of subformulas AXj by Boolean propositions in terms of inputs X t+j and outputs Y t+j . We obtain [[f ]]t = (Vˆ t ≡ sˆ1 ) ∧ ⎛ ∧⎝

j=n

aj (X t+j )

j=0

j=n

⎞ cj (X t+j , Y t+j ) ∨ (Vˆ t+n ≡ sˆn )⎠ . (6)

j=0

In the standard approach for BMC, a SAT instance can be created consisting of [[f ]]t , the iterative circuit model, and constraints I(V 0 ) for the initial state set. For a bound k, this instance can be expressed as follows: I(V 0 ) ∧

k+n i=0

T (V i , X i , V i+1 ) ∧

k

[[f ]]t .

(7)

t=0

In a conventional BMC procedure, k starts at zero and increases until a counterexample is found or the diameter of the circuit is reached. For the applications considered in this paper, huge values of k are required so that the resulting SAT instances, in most cases, would grow beyond the capacity of the solver. In order to overcome this problem, we remove the constraints for the initial state and consider a simplified SAT instance, as follows: φ(V t ) ∧

n

T (V t+i , X t+i , V t+i+1 ) ∧ [[f ]]t .

(8)

i=0

This proposition consists of only a single instance [[f ]]t of the property and of an iterative circuit model for n cycles. Note that n only results from the length of the property and does not depend on the diameter of the design (it is also different from k in BMC). Furthermore, the state vector V t for the starting states of the iterative circuit model are constrained by an invariant φ. This invariant is used to represent an overapproximation of the state set reachable at time t. Obviously, the unsatisfiability of the SAT instance in (8) implies the unsatisfiability of the instance in (7) for every depth k. Therefore, this formulation allows for an unbounded proof of the original property in (4). However, depending on what invariant φ is chosen in (8), a false counterexample may be generated based on some state for V t that is not reachable in the design. Hence, the quality of the invariant φ is crucial for the success of this method. This formulation of property checking is referred to as IPC throughout this paper. Fortunately, for most standard cases of SoC module verification, the trivial invariant φ = 1 is sufficient. This may be surprising at first glance but becomes intuitive if we realize that the iterative circuit model itself contains a lot of local reachability information which is sufficient for many interval properties. As a rule of thumb, we may state that verifying

2073

modules for computation, such as hardware accelerators or processor cores, usually does not require sophisticated invariants. This only changes when communication modules are considered. Here, global dependences between state information over long time windows exist and require significant effort to provide an invariant φ of sufficient strength. This is why we develop our approach for reachability analysis with a focus on protocol compliance verification. However, we envision that other applications may exist, where sophisticated invariants are needed and where the proposed approach can be useful. Due to the nature of our bounded circuit model, even in the case of communication modules, the required invariants are much weaker than we would expect from other property checking formulations. Moreover, they are often intuitive to the designer. Therefore, in the case of communication modules, it is a common practice to manually inspect the code and to define invariants that are appropriate for proving properties of the type described earlier. This is shown by means of our example in Fig. 2. The circuit uses a counter to keep track of time. The output cnt of the counter is evaluated whenever the circuit is in state wait and a transition from wait to state ready is performed if and only if cnt = n. Therefore, the proof of the property in (5) fails and a counterexample is generated when (8) is set up with the invariant φ = 1. This counterexample, however, turns out to be a false negative. For example, the property checker may claim that (Vˆ ≡ idle ∧ cnt ≡ 1) leads to (Vˆ ≡ ready ∧ end ≡ 1) after n − 1 cycles rather than n cycles. The obvious reason for this false negative to appear is that the value of the counter at the beginning of the considered transaction is neither defined by the property nor defined by the invariant φ. Nevertheless, inspecting the design reveals that the counter will always take the value cnt = 0 at this point in time. Specifying this in [[f ]]t would violate our template because the counter is not part of the main FSM. Note that the missing constraint is independent of the property and results from reachability in the overall circuit. Therefore, this information is taken into account by a refinement of the invariant φ. The new invariant becomes

φ(V t ) = (Vˆ t ≡ idle) → (cntt ≡ 0) .

(9)

This leads to a strengthened ITL property, as in Fig. 2(d). The implicative structure of the invariant required in this example is a typical representative for the invariants usually required when following the aforementioned methodology. Considering that each property based on the proposed template assumes a concrete state sˆ for the main FSM, it is usually sufficient to restrict the values for certain non-main-state variables (i.e., subFSM state variables) such that the encoded states are reachable simultaneously with the main-FSM state sˆ. This results in an invariant of the following form:

φ(V t ) = (Vˆ ≡ sˆ) → asˆ

(10)

where asˆ is a Boolean expression which has to be satisfied by the values of the sub-FSM variables that occur whenever the main FSM is in state sˆ.

2074

IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 27, NO. 11, NOVEMBER 2008

TABLE I COMPARISON WITH ABSTRACTION/REFINEMENT

TABLE II COMPARISON WITH PREDICATE ABSTRACTION

Fig. 3. IPC-based verification flow with the proposed algorithm (shaded part).

Taking into account such reachability constraints is very important to avoid false negatives when using the IPC based on (8). Note that the validity of reachability constraints obtained from manual analysis must be proven by writing additional properties. The proposed methodology for verifying protocol implementations in SoCs is shown in Fig. 3. The main FSM is usually determined manually in the RTL code of the design by identifying a set of important control states, as described before. Moreover, commercial tools, such as that reported in [27], are available, which can be used to automatically extract a main FSM from the RTL description and to visualize its STG. Fig. 3 shows how false negatives are treated in current industrial practice by manually refining invariants. We propose to reduce this effort by integrating TBT FSM traversal for approximative reachability analysis. Our ultimate goal is to avoid false negatives completely so that time-consuming code inspections of the design source code beyond the main FSM are no longer needed. C. Comparison With Other Abstraction Techniques Fig. 3 immediately raises the question of how this approach compares with well-known techniques for abstraction/ refinement, such as the ones mentioned in Section I. Table I summarizes some of the differences. The abstraction employed in IPC with invariants, in general, cannot be expressed efficiently by a single partitioning of the state set in abstract and concrete state variables. The reachability constraints, as used in IPC, may relate to a large number of state variables. If all these state variables were concretized, the resulting model would become prohibitively complex. Moreover, in order to capture the state information implicitly contained in the iterative circuit, it would be necessary to concretize specific state variables only at certain time points but not at others. Table II summarizes a comparison with predicate abstraction. While identifying the main FSM can be understood as identifying a special set of predicates, the overall approach is still

different. Considering that the main FSM is not sufficient as an abstraction to prove the considered properties, it is only used to decompose the state space of the concrete machine. In the conventional predicate abstraction approach, however, the goal is to prove the properties directly on the abstraction. III. C OMPUTING I NVARIANTS FOR IPC A. Decomposition of State Space and Transition Relation Using the Main FSM In the proposed approach, the state space and transition relation of the design are decomposed by the transitions of a main FSM whose STG is defined as follows. Definition 1: The STG of the main FSM of a circuit M is a ˆ Sˆ0 , Tˆ), where the components are defined as follows. triple (S, ˆ 1) Sˆ = {ˆ s ∈ B |V | |∃s ∈ S : s(Vˆ ) = sˆ} is the set of main states. ˆ 0 ∈ S0 : s0 (Vˆ ) = sˆ0 } is the set of inis0 ∈ S|∃s 2) Sˆ0 = {ˆ tial main states. 3) Tˆ = {(ˆ s1 , sˆ2 ) ∈ Sˆ2 |∃s1 , s2 ∈ S : (s1 , s2 ) ∈ T ∧ s1 (Vˆ ) = sˆ1 ∧ s2 (Vˆ ) = sˆ2 } is the main transition relation. ˆ Sˆ0 , Tˆ) describes the behavior In other words, the triple (S, of the isolated main FSM. The states in Sˆ are encoded solely by the state variables belonging to the main FSM such that an encoded main state is a subvector of the entire state vector V . Although the main FSM, as defined earlier, is a sound abstraction of the design, in contrast to other model checking techniques with abstraction, our approach does not rely on proving properties in the abstract machine. In fact, an abstract machine that would allow us to prove properties of the format given in the previous section would be significantly more complex than the main FSM. Such an abstraction would not only contain the main states but also many other states representing the input/output behavior of the concrete design. Instead, our approach uses the main FSM only to derive a decomposition of

NGUYEN et al.: UNBOUNDED PROTOCOL COMPLIANCE VERIFICATION USING INTERVAL PROPERTY CHECKING

Fig. 4.

TBT traversal algorithm.

the concrete design and to conduct an approximative reachability analysis. The state space of the design can be partitioned into sets of design states corresponding to main states. Whenever the main FSM is in one of its states, the other FSMs in the circuit may each be in one of many different states. Each single state of the main FSM therefore corresponds to a set of states of the complete circuit M . Definition 2: Let sˆ ∈ Sˆ be a main state of a circuit M . The set of states corresponding to sˆ is Ssˆ = s ∈ S|s(Vˆ ) = sˆ . In the same way, we can describe the transitions of the complete design M in terms of the transitions of the main FSM. When the main FSM moves from one of its states sˆ1 to another state sˆ2 the circuit M correspondingly moves from a state in Ssˆ1 to another state in Ssˆ2 . By considering all possible transitions between such states corresponding to sˆ1 and sˆ2 we define the transition relation of the design corresponding to a transition of the main FSM as follows. Definition 3: Let (ˆ s1 , sˆ2 ) ∈ Tˆ be a main transition of a circuit M . The transition relation corresponding to (ˆ s1 , sˆ2 ) is Tsˆ1 →ˆs2 = {(s1 , s2 ) ∈ T |s1 ∈ Ssˆ1 ∧ s2 ∈ Ssˆ2 } . Given this definition of the transition relation Tsˆ1 →ˆs2 , we define image computation corresponding to a transition sˆ1 → sˆ2 of the main FSM. Definition 4: Let (ˆ s1 , sˆ2 ) ∈ Tˆ be a main transition of a circuit M . The constrained image operation corresponding to (ˆ s1 , sˆ2 ) is imgsˆ1 →ˆs2 (F rom) = {s2 ∈ S|∃s1 ∈ F rom ∧ (s1 , s2 ) ∈ Tsˆ1 →ˆs2 } where F rom ⊆ S. With these notations, we can formulate the algorithm in Fig. 4. As proven in [28], this algorithm exactly calculates the set of reachable states for a circuit by decomposing the state space and the transition relation based on the main FSM. The procedure tbt_traversal takes the transition relation, the set of initial states, and the main FSM of the circuit as inputs.

2075

It returns the sets of reachable states corresponding to the main states. At the beginning of a procedure call, the sets of states corresponding to the main states are empty except for the sets of states corresponding to the initial main states, which contain the given initial states. A queue is used to keep track of the main states that need to be processed next. First, the queue contains the initial main states. A main state sˆ is added to the queue if and only if its corresponding set of states changes. In this case, the sets of states corresponding to the next states of sˆ have to be recalculated. For a main state sˆ in the queue, the algorithm considers all its next states. The s → sˆ ) is set of states Ssˆ→ˆs corresponding to a transition (ˆ calculated by the constrained image operation. The set of states Ssˆ corresponding to the main state sˆ is extended by Ssˆ→ˆs . If new states are added to Ssˆ by this operation, sˆ is entered into the queue. The procedure tbt_traversal implements a fixedpoint calculation for the sets of reachable states corresponding to the main states. The fixed point is reached if and only if the queue is empty. An illustration of the algorithm by means of an example is given in [28]. B. Decomposing the State Space Using Sub-FSMs In the previous section, we outlined how to partition the traversal of a circuit using the transitions of a main FSM. As a next step, we study how the main FSM can be used for automatically decomposing the circuit into sub-FSMs to be individually traversed. We perform the individual traversals following the hierarchy of the sub-FSM. This reachability analysis for the overall circuit is approximative because we may miss correlations between sub-FSMs in the same level of the hierarchy. 1) Partitioning the Circuit Into Sub-FSMS: We proceed in three steps. 1) For each next-state function δi , we calculate the support sets under the constraints imposed by main-FSM transitions. 2) Based on the constrained support sets, we build a variant of latch dependency graph and decompose it into strongly connected components (SCCs). 3) The latches within each SCC are grouped together and treated as a sub-FSM. The hypergraph of SCCs, each representing a sub-FSM, is a directed acyclic graph (DAG) and can be levelized. This results in a hierarchy for the sub-FSM. For the remainder of this section, we follow these steps and formally define the required notations and procedures. Step 1: Our goal is to determine functional dependences between the circuit registers under the individual transitions of the main FSM. We need to define different notions of support set. For a next-state variable vi , the syntactic support set or cone of influence is given, as usual, by the connectivity between the gates implementing the transition functions δi . It can be easily determined by a structural analysis of the gate netlist. Depending on the representation of δi , the syntactic support set may, however, suggest pseudo-dependencies that do not exist in the implemented function itself. In order to avoid such

2076

IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 27, NO. 11, NOVEMBER 2008

pseudo-dependencies, we consider the semantic support set supp(δi ) = {vj ∈ V |δi |vj =0 = δi |vj =1 }. The difference between the semantic and syntactic support set can be illustrated by the example δ1 (x1 , (v1 , v2 )) = v1 ∨ x1 ∧ v2 ∨ v2 ∧ x1 . In this example, the syntactic support set includes v2 , while the semantic support set does not. Unless it is not explicitly stated in the remainder of this paper, we always consider the semantic support sets. Next, we constrain the support set by considering a specific main transition (ˆ s1 , sˆ2 ) ∈ Tˆ. Consider a generalized cofactor δi |Vˆ =ˆs1 ∧δ(X,V ˆ )=ˆ s2 and its support set suppsˆ1 →ˆs2 (δi ) = supp(δi |Vˆ =ˆs1 ∧δ(X,V ˆ )=ˆ s2 ). We call suppsˆ1 →ˆs2 (δi ) a constrained support set for δi . Note that, by definition, every function f with f ∧ g = f ∧ g is a generalized cofactor f |g . Hence, the constrained support set is not uniquely determined. However, as it turns out, small constrained support sets are beneficial to partition the circuit into sub-FSMs. Therefore, in Sections III-C and -D, we will study SAT- and BDD-based approximations of a minimal constrained support set. Step 2: We use the constrained support set to build a constrained variant of latch dependency graph, as follows. Definition 5: Let Tˆ be the main transition relation of a circuit M with the next-state function Δ. Let (ˆ s1 , sˆ2 ) ∈ Tˆ be a main transition. The constrained dependency graph of the state variables is a directed graph G(V, E), where the set of vertices is given by the set of state variables V . The set of edges E is defined as ⎧ ⎫ ⎨ ⎬ E = (vi , vj ) ∈ V 2 |vi ∈ suppsˆ1 →ˆs2 (δj ) . ⎩ ⎭ (ˆ s1 ,ˆ s2 )∈Tˆ

Note that the constrained dependency graph differs from the usual latch dependency graph based on the standard support set operator, where the edges are defined by E = (vi , vj ) ∈ V 2 |vi ∈ supp(δj ) . We illustrate the difference of the non-constrained versus the constrained dependency graphs by means of an example. Consider a circuit with a main FSM encoded by a singlestate variable vˆ. Further, let the circuit have two non-main-state variables v1 , v2 . Finally, the transition functions for vˆ and v2 shall be given by v2 = v1 ∧ vˆ and vˆ, if v1 = 0 vˆ = vˆ, else. In this case, we have v1 ∈ supp(δ2 ). On the other hand, v1 is constant under any transition of the main FSM and, therefore, will not be an element of any constrained support set. Step 3: The constrained dependency graph is partitioned using a simple algorithm to identify SCC. Each SCC corresponds to a sub-FSM. The graph of sub-FSMs is a DAG which can be levelized by a depth-first search algorithm. The level of each sub-FSM k is denoted by level(k). An example of the

Fig. 5.

Partitioned structure of a circuit.

hierarchical structure of the circuit after being partitioned is shown in Fig. 5. The circuit consists of a main FSM and five sub-FSMs. The sets of state variables of the main FSM and the five sub-FSMs are Vˆ , V1 , . . . , V5 , respectively. Sub-FSMs 1 and 2 are on level 1; the other sub-FSMs are on level 2. As shown in Fig. 5, the SCC decomposition produces unidirectional interactions among the sub-FSMs of the circuit. The control information stored in the state variables is only passed in one direction from the lower to the higher level sub-FSMs. Note that a non-constrained decomposition into SCCs is generally not useful for industrial designs because this type of decomposition often produces only a single large SCC containing the whole design. If, however, the dependency graph is constrained by the transitions of the main FSM, the situation is different, and many small SCCs can often be identified. 2) Traversing the Sub-FSMS: For the individual traversal of the sub-FSMs determined in the previous section, we consider the corresponding state vectors V1 , . . . , Vr . Without loss of generality, we may assume that these vectors are topologically sorted with respect to the SCC graph, i.e., level(j) < level(k) for j < k. For each sub-FSM k = 1, . . . , r, together with the main FSM, we generate an abstract circuit model Mk by apply/ Vˆ ∪ Vk . ing localization abstraction to the state variables vj ∈ In other words, in Mk , only the state variables of the subFSM Vk and the main FSM Vˆ are considered as state variables. All other state variables are treated as pseudo-inputs. In the same manner as the MBM approach of [9], we traverse the individual abstract machines Mk separately and constrain the pseudo-inputs V1 , . . . , Vk−1 with the reachability constraints Reach1 , . . . , Reachk−1 calculated for the corresponding subFSMs in previous runs. This results in the following expression for the transition relation used in the respective run of the TBT traversal algorithm: (vi ≡ δi ) · Vl ∈ (Reachl ). Tk = vi ∈{Vˆ ∪Vk }

l