A Compositional Approach to Asynchronous Design Verification with Automated State Space Reduction
by Jared Ahrens
[Tampa, Fla.]: University of South Florida, 2007.

ABSTRACT: Model checking is the most effective means of verifying the correctness of asynchronous designs, and state space exploration is central to model checking. Although model checking can achieve very high verification coverage, the high degree of concurrency in asynchronous designs often leads to state explosion during state space exploration. To inhibit this explosion, our approach builds on the ideas of compositional verification. In our approach, a design modeled in a high level description is partitioned into a set of parallel components. Before state space exploration, each component is paired with an overapproximated environment to decouple it from the rest of the design. Then, a global state transition graph is constructed by reducing and incrementally composing component state transition graphs. We take great care during reduction and composition to preserve all failures found during the initial state space exploration of each component. To further reduce complexity, interface constraints are automatically derived for the overapproximated environment of each component. We prove that our approach is conservative in that false positive results are never produced.
The effectiveness of our approach is demonstrated by the experimental results of several case studies showing that our approach can verify designs that cannot be handled by traditional flat approaches. The experiments also show that constraints can reduce the size of the global state transition graph and prevent some false failures.

Thesis (M.S.), University of South Florida, 2007. Includes bibliographical references. Text (electronic thesis) in PDF format; title from PDF of title page; 58 pages. Advisor: Hao Zheng, Ph.D. Subjects: Model checking; Abstraction; Constraint; Autofailure; Formal verification; Dissertations, Academic -- USF -- Computer Engineering -- Masters. In: USF Electronic Theses and Dissertations, http://digital.lib.usf.edu/?e14.2007

A Compositional Approach to Asynchronous Design Verification with Automated State Space Reduction
by Jared Ahrens
A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in Computer Science and Engineering, Department of Computer Science and Engineering, College of Engineering, University of South Florida
Major Professor: Hao Zheng, Ph.D.
Srinivas Katkoori, Ph.D.
Dewey Rundus, Ph.D.
Date of Approval: February 23, 2007
Keywords: Model Checking, Abstraction, Constraint, Autofailure, Formal Verification
Copyright 2007, Jared Ahrens

ACKNOWLEDGEMENTS

This work has been funded in part by the National Institute for Systems Test and Productivity. This thesis is also based upon work supported by the National Science Foundation under grant No. 0546492. I am thankful for this generous funding. I extend my most sincere thanks to Dr. Zheng for introducing me to such a fascinating topic. He has provided wonderful support, guidance, and funding throughout this thesis.
I would also like to thank Dr. Katkoori and Dr. Rundus for being on my committee and providing valuable feedback. I am also grateful to my wife and family for the support they have shown.

TABLE OF CONTENTS

LIST OF TABLES
LIST OF FIGURES
ABSTRACT
CHAPTER 1 INTRODUCTION
1.1 Related Work
1.2 Contributions
1.3 Thesis Overview
CHAPTER 2 BACKGROUND
2.1 Boolean Guarded Petri-nets
2.1.1 Structural Definitions
2.1.2 Semantics
2.1.3 BGPN Composition
2.2 State Transition Graphs
2.3 Correctness Definitions of Asynchronous Designs
2.4 Conformance Relation
CHAPTER 3 COMPOSITIONAL MINIMIZATION AND VERIFICATION
3.1 Framework of the Compositional Method
3.2 Abstraction
3.3 Failure Backward Propagation
3.4 Maximal Environment
3.5 Composition with Reduction
CHAPTER 4 STATE SPACE REFINEMENT WITH CONSTRAINTS
4.1 Constraint Definition
4.2 Constraint Derivation
CHAPTER 5 EXPERIMENTAL RESULTS
CHAPTER 6 CONCLUSION
6.1 The Compositional Framework
6.2 Constraints
REFERENCES

LIST OF TABLES

Table 5.1 Truth table for the C-element
Table 5.2 Statistics for designs in BGPN and resources consumed by the traditional flat approach
Table 5.3 Experimental results for compositional verification without constraints
Table 5.4 Experimental results for compositional verification using constraints

LIST OF FIGURES

Figure 2.1 Traditional Petri-net modeling an AND-gate
Figure 2.2 The BGPN modeling an AND-gate
Figure 2.3 Algorithm to find the reachable state space with failure preservation
Figure 2.4 STG composition algorithm
Figure 3.1 Compositional verification algorithm
Figure 3.2 (a) STG before abstraction of $t_0$ (b) STG after abstraction of $t_0$
Figure 3.3 (a) STG before producing additional traces (b) STG after producing additional traces
Figure 3.4 (a) STG before abstraction (b) Abstracted STG containing additional failure traces (c) Abstracted STG that does not contain additional failure traces
Figure 3.5 Internal state transition abstraction algorithm
Figure 3.6 Algorithm to backward propagate failures
Figure 3.7 (a) STG before autofailure reduction (b) STG after autofailure reduction
Figure 3.8 Compositional verification algorithm with autofailure and abstraction
Figure 4.1 Algorithm to constrain an input of a BGPN
Figure 4.2 (a) Circuit diagram of an inverter composed with a buffer (b) $G(N_1 \| E^{max}_1)$ where each binary vector corresponds to the wires $x$, $y$ and $z$
Figure 4.3 (a) $N_1 \| E^{max}_1$ (b) $(N_2 \| E^{max}_2)\; C_2$
Figure 4.4 (a) $G(N_1 \| E^{max}_1)$ (b) $G((N_1 \| E^{max}_1)\; C_1)$
Figure 5.1 FIFO overview
Figure 5.2 The control circuit for a single stage FIFO
Figure 5.3 DME overview
Figure 5.4 DME server circuit implementation
Figure 5.5 (a) Three cell arbiter (b) Four cell arbiter
Figure 5.6 Arbiter circuit implementation

CHAPTER 1 INTRODUCTION

In an asynchronous circuit, there is no global control signal to synchronize the operations of different portions of the circuit. Without global synchronization, different orderings of signal transitions in a circuit may result in different circuit behavior. Therefore, all possible orderings among signal transitions need to be checked to assure correctness. When a circuit displays a high degree of concurrency, the number of all possible orderings of signal transitions can be excessively large, in which case the traditional simulation-based verification approach becomes inadequate. A better approach is model checking, which is an exhaustive method of verification that guarantees that a property holds for all states of a design. Traditional flat model checking attempts to produce a single state transition graph representing the complete design, but this approach quickly fails when applied to both large and small designs containing a high degree of concurrent activities.
The high degree of concurrency requires an exponential number of states to represent the design. This is known as state space explosion. To overcome this problem, we develop a framework wherein a reduced global state transition graph is built from the bottom to the top of the design hierarchy. An asynchronous circuit design is modeled as a set of parallel components running concurrently; we express this model as a boolean guarded Petri-net. First, a state transition graph is found for each component. To decouple the component from the rest of the design, we use an over-approximated environment to simulate the rest of the design communicating with the component under consideration. The over-approximated environment reproduces all input behavior that the complete design would supply to the component. It is possible that some failures will be found during local state space exploration, and an approach is formalized to preserve the failures found during this step. Next, the state transition graphs for the components are composed to form the global state transition graph for the complete design. During composition, behavior not observable on the interface of the complete design is abstracted away to contain the size of the intermediate results. The result is a reduced representation of the complete design.

The over-approximated environment may produce extra input behavior, which can cause a component to produce extra output behavior. When the component is embedded in the complete design, this extra behavior is not produced. This extra behavior can create extra states and false failures in the state transition graphs. One alternative is a user-generated environment. User-generated environments may be highly accurate, but they are very difficult to derive. For large designs, they become nearly impossible.
To reduce the occurrence of these extra states and false failures, we complement our framework with the automated generation of constraints. During composition, we decouple a component from the rest of the design and add an over-approximated environment to drive its inputs. If the component were embedded in the complete design, another component would drive its inputs. To refine the over-approximation for a particular input, we examine the state transition graph of the component which would drive the input. Then we generate a boolean expression from that state transition graph. The boolean expression, which we refer to as a constraint, describes when an input may occur and is used to restrain the behavior of the over-approximated environment. This results in a more accurate over-approximated environment which produces fewer extra states and false failures.

1.1 Related Work

Compositional reasoning and abstraction are essential to verifying large systems. Compositional reasoning, broadly referring to compositional verification or compositional minimization, takes advantage of the given design hierarchy. A general compositional verification method is based on assume-guarantee style reasoning, and verifies global properties by verifying local properties of each component in a system [3, 4, 5, 6, 7]. In a compositional verification framework, each component of a system is considered separately. During verification, assumptions are made about the environment with which the component interacts; these assumptions then need to be discharged later. Assumptions are typically generated by the user. If the component has complex interactions with its environment, it can be difficult to make accurate assumptions.
Recent works have attempted to derive assumptions automatically. In [8], an automated approach is described to generate the assumptions for compositional verification. This approach starts with a set of the weakest assumptions for a component, and iteratively refines these assumptions. Although the approach guarantees that the iteration terminates, it is not clear how efficient the approach would be in terms of the iterations necessary to generate a set of assumptions to prove the properties. Also, this approach can only handle safety properties. In addition, the global specification needs to be broken down into local properties defined on the interfaces of the components, which can be very difficult. [24, 25, 26, 27] also propose methods to automate the generation of assumptions, but these methods are costly because they must first generate false counterexamples.

Abstraction produces the reduced model of a system by abstracting away certain details that are unnecessary when reasoning about the system [14, 15]. Abstraction methods based on Petri-net reduction are described in [1, 2]. These methods simplify Petri-net models of asynchronous circuits either by following the design partitions or as directed by the properties to be verified. The reductions described in these methods attempt to reduce the model before state space exploration. Although these methods are very effective, they are limited to a particular kind of Petri-net. In [9], a compositional minimization method is described where the global minimized state transition system is built by iteratively minimizing and composing the components in a finite state system. To contain the size of the intermediate results, user-provided context constraints are required. This may be a problem in that the state space may be large in the first place.
The requirement of user-provided context constraints may also be a problem in that the constraints may be over-restrictive, thus causing false positive verification results. Similar work is also described in [10, 11, 12, 13]. In [16], a hierarchical approach similar to that in [17] is presented. In this approach, an abstraction for each module in a system is found and verification is applied to the composition of those abstractions. In [18], a constraint-oriented proof methodology is applied to verify infinite systems. Constraints on infinite systems are broken into an infinite number of simple constraints on finite systems, then these constraints are grouped into finitely many equivalence classes. However, this methodology is not complete in that the reduction of infinite systems is not guaranteed. In [19], a software model checking method utilizing lazy abstraction is presented to improve performance by adding information during abstraction refinement only when necessary. It would be interesting to see if this method can be adapted to hardware verification.

1.2 Contributions

This thesis makes two contributions: a new automated compositional verification flow, and automated generation of constraints to create a more accurate over-approximated environment for the composition flow.

The first contribution is a new automated verification flow. Previous works require either user-provided assumptions or iterative counterexample refinement. User-provided assumptions are dangerous in that they may be over-restrictive and prevent valid behavior from appearing in the model. This could result in false positive verification results. Automated approaches based on counterexample refinement hold some promise but can take longer than the flat approach. Our methodology combines several existing methodologies to reduce and verify large pre-partitioned designs without user intervention.
In a later chapter we prove that our method produces no false positive results for a design.

The second and most significant contribution is the automated refinement of the over-approximated environment. During our design flow, we apply an over-approximated environment to each component. The over-approximated environment often supplies additional input to a component. The component can respond to this additional input with additional output. This additional input and output exacerbates state space explosion and increases the resources required to verify the design. The other side-effect of the over-approximated environment is the production of false failures. To restrain the over-approximated environment, we derive constraints from the state transition graphs of other components. Our constraints can be generated automatically to increase the accuracy of our over-approximated environment. The increased accuracy of the environment contains the size of state space explosion and prevents the creation of many false failures.

1.3 Thesis Overview

This thesis is organized such that each chapter builds on the ideas of the previous chapters. Chapter 2 describes Boolean Guarded Petri-nets and State Transition Graphs, the formalisms we use to represent an asynchronous design. The chapter also describes the relationships we may derive between state transition graphs based on paths and traces. Chapter 3 lays out the framework of our automated methodology. The framework includes methods of state space reduction and automatic generation of over-approximated environments. Chapter 4 presents a method of refining the over-approximated environment which Chapter 3 describes. Chapter 5 describes the experimental results using the methods presented in this thesis.
Three approaches are compared in this chapter: flat verification of the complete design, automated compositional verification using an unrefined over-approximated environment, and automated compositional verification using a refined over-approximated environment.

CHAPTER 2 BACKGROUND

This chapter presents an overview of Petri-nets, which are used to model asynchronous circuits, of state transition graphs for verification, and of related concepts upon which the later chapters are based.

2.1 Boolean Guarded Petri-nets

Petri-nets are a common modeling formalism for asynchronous designs. There are many different forms of Petri-nets for different applications. This section presents a form of Petri-nets which addresses certain difficulties of modeling asynchronous designs with traditional Petri-nets.

2.1.1 Structural Definitions

A boolean guarded Petri-net (BGPN) is a bipartite directed graph consisting of transitions and places. Its definition is given as follows.

Definition 2.1.1 A Boolean Guarded Petri-net $N$ is a tuple $(W, T, P, F, \mu_0, L, B)$ where
1. $W$ is the set of wires of the asynchronous design being modeled,
2. $T$ is the set of transitions,
3. $P$ is the set of places,
4. $F$ is the flow relation,
5. $\mu_0$ is the initial marking,
6. $L$ is the action labeling function,
7. $B$ is the boolean labeling function.

A visual representation of a BGPN is shown in Figure 2.2. In a BGPN, the transitions in $T$ are represented as the thick bars, and the places in $P$ are represented as the circles. Each transition is preceded and followed by one or more places in $P$, and each place is preceded and followed by one or more transitions in $T$. The connections between transitions and places are defined by the flow relation.

Definition 2.1.2 The flow relation of a BGPN $N$ is $F \subseteq (T \times P) \cup (P \times T)$.
For each transition, its preset is the set of places that are connected to the transition, and its postset is the set of places to which the transition is connected. The preset and postset of a place are defined similarly. The preset and postset of both a transition and a place are defined as follows.

Definition 2.1.3 For a transition $t$ in a BGPN $N$, its preset is $\bullet t = \{p \in P \mid (p, t) \in F\}$ and its postset is $t\bullet = \{p \in P \mid (t, p) \in F\}$. For a place $p$ in a BGPN $N$, its preset is $\bullet p = \{t \in T \mid (t, p) \in F\}$ and its postset is $p\bullet = \{t \in T \mid (p, t) \in F\}$.

The dots found in some places are tokens. Each place may contain one or more tokens. If a place has a token, it is marked. A set of marked places is a marking of a BGPN. The marking is defined as follows.

Definition 2.1.4 The marking of a BGPN $N$ is $\mu = \{p \in P \mid p \text{ is marked}\}$.

As will be seen later, a marking represents a state of a BGPN and of the asynchronous design being modeled. In our method, we use 1-safe BGPNs, such that a place can have at most one token in every marking. $\mu_0$ is the initial marking of a BGPN.

$W$ is a finite set of wires in an asynchronous circuit design. The set $W$ consists of input and output wires, which we denote $I$ and $O$. Each wire $w \in W$ can take one of two actions at any time: $w+$ indicates that the value of $w$ changes from 0 to 1, and $w-$ indicates that the value of $w$ changes from 1 to 0. A rising transition on the wire $ack$ is expressed $ack+$. Similarly, $ack-$ expresses a falling transition on the wire $ack$. The action labeling function $L$ maps a BGPN transition to an action on a wire, thereby associating BGPN transitions with the dynamic behavior in an asynchronous design. Transitions not associated with any action are called dummy transitions. For completeness we map dummy transitions to the nil action $\$$. Dummy transitions do not represent any behavior in the modeled design.
They are a modeling construct generated when compiling a design into a BGPN model to hold certain conditions in the design. The labeling function is defined as follows.

Definition 2.1.5 The transition labeling function $L$ of a BGPN $N$ assigns each transition an action on a wire or a dummy action, $L : T \to (W \times \{+, -\}) \cup \{\$\}$.

For each transition $t$, the flow relations from the places in $\bullet t$ to $t$ are labeled with boolean formulas. This makes modeling of asynchronous designs less awkward in situations where the transitions depend not only on other transitions, but also on the values of some wires in a design. The boolean labeling function is defined as follows.

Definition 2.1.6 The boolean labeling function of a BGPN $N$ is $B : (P \times T) \cap F \to b$, where $b$ is a boolean formula defined over $W$.

Let $b(p, t)$ return the boolean formula labeled on $(p, t)$. Given a transition $t$, the tuple $(p, b, t)$ denotes an enabling rule of $t$, where $p \in \bullet t$ and $B(p, t) = b$. Given a transition $t$, $enabling\_rules(t)$ denotes the set of all enabling rules of $t$. The enabling rules define the condition under which a transition can fire, as will be explained later. If the boolean labeling function of a BGPN $N$ maps each rule to the boolean formula $true$, then the BGPN is converted to a traditional Petri-net. In general, the analysis complexity for BGPNs is higher than that for traditional Petri-nets, because BGPN behavior is defined by both the marking and the boolean expressions. However, the structural complexity of BGPNs can be much less than that of traditional Petri-nets, thus resulting in a large decrease in the analysis complexity for BGPNs. The above point is illustrated by example in Figures 2.1 and 2.2. They show the BGPN and the traditional Petri-net model for an AND-gate described in [20]. Both models are driven by a maximal environment.
The traditional Petri-net model requires ten places and seventeen transitions, and its transitions are not required to satisfy any boolean expressions. The BGPN representation only requires six places and six transitions, but it also includes two boolean expressions.

Figure 2.1 Traditional Petri-net modeling an AND-gate

Figure 2.2 The BGPN modeling an AND-gate

2.1.2 Semantics

This section presents the firing semantics of transitions. Since the BGPN transitions in an asynchronous design model are associated with actions on wires, firing the transitions reflects the execution of the associated actions, thus changing the states of the design. Executing an action is known as an event. Where no confusion arises, events and transition firings are used interchangeably in the following.

The state of a BGPN is the pair $(\mu, \sigma)$, where $\mu$ is a marking of the BGPN and $\sigma$ is the vector representing the boolean values of the wires in $W$ of the modeled design in $\mu$. Given a state $s$, the function $\mu(s)$ accesses the $\mu$ component of $s$. Similarly, the function $\sigma(s)$ accesses the $\sigma$ component of $s$.

A transition needs to be enabled before it can fire at a state. For a transition to be enabled, all of its enabling rules must be satisfied. Given a transition $t$, an enabling rule $r$ of $t$ is satisfied at a state if the place of $r$ is marked and the boolean formula of $r$ is satisfied at the current state. Given a state $s = (\mu, \sigma)$, let $eval(s, b)$ be a function that returns $true$ if $b$ evaluates to $true$ under $\sigma$, and $false$ otherwise.

Definition 2.1.7 A rule $(p, b, t)$ of $t$ is satisfied at a state $s = (\mu, \sigma)$ if $p \in \mu$ and $eval(s, b) = true$.

The set of satisfied enabling rules of a transition $t$ at a state $s$ is denoted as $satisfied(t, s)$. A transition is enabled if all its enabling rules are satisfied.
Definition 2.1.8 A transition $t$ is enabled at a state $s$ if $enabling\_rules(t) = satisfied(t, s)$.

The set of transitions that are enabled at a state $s$ is denoted as $enabled(s)$. Given a set of enabled transitions at a state, we exhaustively fire transitions from the enabled transition set. The firing of a transition changes the marking and causes the action associated with the transition to occur. After firing a transition $t$, the preset of the transition is removed from the current marking, and the postset is added to the marking. This step is known as the marking update. Given a marking $\mu$, firing $t$ results in a new marking

$$\mu' = (\mu - \bullet t) + t\bullet$$

Our method requires that the BGPNs are 1-safe, such that each place can contain no more than one token at any state. After a transition firing, the value of the wire in the state vector is also updated according to the action associated with that transition. Let $s = (\mu, \sigma)$ be a state, and let $t$ be a transition fired at $s$. Also, let $a$ be the action associated with $t$. The state vector is updated as follows after firing $t$:

$$\forall w \in W : \sigma'(w) = \begin{cases} \sigma(w) & \text{if } a \text{ is a dummy action} \\ 1 & \text{if } a = w+ \\ 0 & \text{if } a = w- \end{cases}$$

Updating the marking and state vector of the model constitutes a change in the system's state. Later we will see these events represented as state transitions in a state transition graph.

2.1.3 BGPN Composition

Usually an asynchronous design consists of a number of components running in parallel. Each component is modeled as a BGPN, and the model for the entire design is the parallel composition of the component BGPNs. This section presents the definition of the parallel composition of BGPNs.
Let $N_1 = (W_1, T_1, P_1, F_1, \mu_{01}, L_1, B_1)$ and $N_2 = (W_2, T_2, P_2, F_2, \mu_{02}, L_2, B_2)$ be two BGPNs where $W_1 = I_1 \cup O_1$ and $W_2 = I_2 \cup O_2$. The parallel composition of $N_1$ and $N_2$, referred to as $N_1 \| N_2$, is defined as follows:

Definition 2.1.9 Given two BGPNs $N_1$ and $N_2$, if $O_1 \cap O_2 = \emptyset$, the parallel composition of $N_1$ and $N_2$, $N = (W, T, P, F, \mu_0, L, B)$, is defined as follows:
1. $W = W_1 \cup W_2$
2. $T = T_1 \cup T_2$
3. $P = P_1 \cup P_2$
4. $F = F_1 \cup F_2$
5. $\mu_0 = (\mu_{01}, \mu_{02})$
6. $L = L_1 \cup L_2$
7. $B = B_1 \cup B_2$

2.2 State Transition Graphs

In the previous section, firing a BGPN transition at a state results in a new state by updating the marking and state vector. By exhaustively firing all enabled transitions at each state, a state transition graph containing all reachable states of a design can be found. This step is often referred to as state space exploration. A state transition graph (STG) is a graph wherein the nodes are states and the arcs are state transitions, which are labeled with the BGPN transition firings that cause the state transition. For illustrative purposes we often label the arcs of a state transition graph with the BGPN transition's associated action.

Definition 2.2.1 A state transition graph $G$ is the tuple $(N, S \cup \{\pi\}, R, s_0)$ where:
1. $N$ is the BGPN from which the STG is derived,
2. $S$ is the set of reachable states,
3. $\pi$ is the failure state,
4. $R$ is the set of state transitions, $R \subseteq S \times T \times (S \cup \{\pi\}) \cup \{\pi\} \times T \times \{\pi\}$,
5. $s_0 \in S$ is the initial state of the STG.

A state transition is a tuple $(s, t, s')$, $(s, t, \pi)$, or $(\pi, *, \pi)$. The state transition $(s, t, s')$ indicates that a particular BGPN transition $t$ is fired from state $s$ and changes the state of the system to $s'$. For simplicity of presentation, we also use $R$ as a function: given a state transition $(s, t, s')$, $(s, t, s') \in R$ iff $R(s, t, s')$ holds. Sometimes we also write $s \xrightarrow{t} s'$ instead of $(s, t, s')$ to indicate a state transition.
$\pi$ is a special state which denotes a failure in the modeled design. This state is used to represent unintended behavior or behavior we wish to prevent. Once the system enters this special state, the behavior produced afterwards is irrelevant, and in our method the system is regarded as remaining in this state forever. Let $*$ represent an arbitrary transition on any wire which is fired from the failure state. Once a system enters the failure state, all future BGPN transition firings are represented in the STG using the notation $(\pi, *, \pi)$.

A path in an STG $G$ is an infinite sequence of state transitions $\rho = (s_0\, t_0\, s_1\, t_1\, s_2 \ldots)$ such that its first state is the initial state $s_0$ of $G$ and $R(s_n, t_n, s_{n+1})$ holds for $n = 0, 1, \ldots$. Given the paths $\rho_1 = (s_0\, t_0\, s_1\, t_1\, \pi\, t_2\, \pi\, t_3 \ldots)$ and $\rho_2 = (s_0\, t_0\, s_1\, t_1\, \pi\, t_4\, \pi\, t_5 \ldots)$, the notation $\rho_{12} = (s_0\, t_0\, s_1\, t_1\, \pi \cdots)$ describes a set of failure paths including $\rho_1$ and $\rho_2$.

A trace is an infinite sequence of BGPN transition firings. A trace $\tau = (t_0, t_1, \ldots)$ of an STG is valid if a path $(s_0\, t_0\, s_1\, t_1\, s_2 \ldots)$ exists. For traces containing the failure state, we use the notation $\tau = (t_0, t_1, t_2, \ldots, t_n, \pi)$. The symbol $\pi$ indicates an infinite sequence of firings of arbitrary BGPN transitions after reaching the failure state. Given a BGPN $N$, the function $G(N)$ returns the STG $G$ by performing state space exploration on $N$. According to the firing semantics described in Section 2.1.2, each BGPN has a unique STG. Therefore, we also use $P(N)$ to denote all valid traces of the BGPN $N$. $P(N)$ can be derived from the corresponding STG of $N$ by state space exploration from the initial state. Figure 2.3 shows the state space exploration algorithm that is used to produce an STG from a BGPN.
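As an added illustration of the firing semantics of Section 2.1.2 and of the failure checks in the exploration algorithm of Figure 2.3 (example code written for this page, not code from the thesis), the following Python models a small BGPN and explores its state space. The net is constructed for the example and is not copied from Figure 2.2, although it has the size the text reports for that BGPN (six places, six transitions, two boolean guards): an AND gate $c = a \wedge b$ driven by a maximal environment that may raise or lower $a$ and $b$ at any time.

```python
# Constructed BGPN (not the thesis's Figure 2.2): an AND gate c = a AND b whose
# inputs a and b are driven by a maximal environment that may change them at any
# time. Places a0/a1, b0/b1 track the input wires, c0/c1 the output wire.

WIRES = ("a", "b", "c")
FAILURE = "pi"   # the failure state of Definition 2.2.1

# Boolean guards B(p, t) are predicates over the wire vector given as {wire: value}.
TRUE = lambda v: True
A_AND_B = lambda v: bool(v["a"] and v["b"])
NOT_A_AND_B = lambda v: not (v["a"] and v["b"])

# T: name -> (action L(t), enabling rules [(place p, guard B(p,t))], postset t*).
# The preset *t of a transition is the set of places named in its rules.
TRANSITIONS = {
    "ta+": ("a+", [("a0", TRUE)], {"a1"}),
    "ta-": ("a-", [("a1", TRUE)], {"a0"}),
    "tb+": ("b+", [("b0", TRUE)], {"b1"}),
    "tb-": ("b-", [("b1", TRUE)], {"b0"}),
    "tc+": ("c+", [("c0", A_AND_B)], {"c1"}),      # c may rise only while a AND b holds
    "tc-": ("c-", [("c1", NOT_A_AND_B)], {"c0"}),  # c may fall only while a AND b is false
}
# A state is the pair (marking mu, vector sigma); sigma is ordered as WIRES.
INITIAL_STATE = (frozenset({"a0", "b0", "c0"}), (0, 0, 0))


def as_dict(vector):
    return dict(zip(WIRES, vector))


def enabled(state):
    """Definitions 2.1.7/2.1.8: t is enabled when every rule (p, b, t) has p marked
    and b evaluating to true under the current wire vector."""
    marking, vector = state
    values = as_dict(vector)
    return frozenset(
        t for t, (_, rules, _) in TRANSITIONS.items()
        if all(p in marking and guard(values) for p, guard in rules)
    )


def fire(state, t):
    """Marking update mu' = (mu - *t) + t*, then the vector update of Section 2.1.2.
    Returns (new_state, failure); failure flags a safety or complement failure."""
    marking, vector = state
    action, rules, postset = TRANSITIONS[t]
    preset = {p for p, _ in rules}
    failure = bool((marking - preset) & postset)   # safety: a place would get two tokens
    new_marking = (marking - preset) | postset
    values = as_dict(vector)
    if action != "$":                               # "$" is the nil action of a dummy transition
        wire, direction = action[:-1], action[-1]
        new_value = 1 if direction == "+" else 0
        if values[wire] == new_value:               # complement: w+ while w is already 1 (or w- at 0)
            failure = True
        values[wire] = new_value
    return (new_marking, tuple(values[w] for w in WIRES)), failure


def explore(s0=INITIAL_STATE):
    """State space exploration with the failure checks of Figure 2.3.
    Returns (S, R): the reachable non-failure states and the state transitions;
    a transition whose target is FAILURE records a failure found at its source."""
    states, transitions, stack = {s0}, set(), [s0]
    while stack:
        s = stack.pop()
        te = enabled(s)
        for t in te:
            s_next, failure = fire(s, t)
            te_next = enabled(s_next)
            if not te_next:                    # deadlock: nothing can fire any more (the figure
                failure = True                 # additionally requires an empty stack; simplified here)
            elif not (te - {t}) <= te_next:    # disabling: a transition enabled at s was withdrawn
                failure = True
            if failure:
                transitions.add((s, t, FAILURE))
            else:
                transitions.add((s, t, s_next))
                if s_next not in states:
                    states.add(s_next)
                    stack.append(s_next)
    return states, transitions


def failures(transitions):
    """The (wire vector, transition name) pairs at which a failure was recorded."""
    return {(s[1], t) for s, t, s_next in transitions if s_next == FAILURE}


if __name__ == "__main__":
    S, R = explore()
    print(len(S), "states,", len(R), "state transitions")
    for vec, t in sorted(failures(R)):
        print("failure when firing", t, "at (a, b, c) =", vec)
```

Every failure this net reports is a disabling failure: the unconstrained environment changes an input while the output transition $tc+$ or $tc-$ is still pending, which is the kind of extra input behavior an over-approximated environment introduces and that the constraints of Chapter 4 are meant to restrain.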
The projection function $\gamma[W']$, where $W' \subseteq W$, removes all events from a trace $\gamma = (t_0, t_1, t_2, \ldots)$ whose underlying wires are not in $W'$. More formally, if $\gamma \neq \varepsilon$ (i.e., the empty trace) and given the subtrace $x$ where $\gamma = (t_0, x)$, then
$$\gamma[W'] = \begin{cases} (t_0, x[W']) & \text{if } \exists w \in W' : t_0 = w\{+,-\} \\ x[W'] & \text{otherwise} \end{cases}$$
If $\gamma = \varepsilon$ then $\gamma[W'] = \{\varepsilon\}$. This function is extended naturally to a set of traces. Given a STG $G$, we use $G[W']$ to denote the projection of $G$ to $W'$ by applying $[W']$ to all traces in $G$.

For convenience we will use $W(N)$ to denote the set of wires used to label the transitions of the BGPN $N$, and $W(G)$ to denote the set of wires where $G$ is defined. Similarly $W(\gamma)$ denotes the set of wires where the BGPN transitions of $\gamma$ are defined. The notations $I(N)$ and $O(N)$ are functions returning the input or output wires of a design represented in BGPN. Similarly $I(G)$ and $O(G)$ return the input and output wires of a design represented as an STG. For a BGPN transition $t$, $w(t)$ returns the signal where $t$ is defined. The projection function can also be extended to boolean expressions through existential quantification. The projection of a boolean formula $b[W']$ produces a boolean formula over the wires $W'$.

Similar to BGPN composition, if a design consists of a set of parallel components, each of which is modeled as an STG, the global STG for the entire design is the parallel composition of the individual ones. The parallel composition of STGs is defined as follows.

Definition 2.2.2 Let $G_1 = (N_1, S_1, R_1, s_{01})$ and $G_2 = (N_2, S_2, R_2, s_{02})$ be two STGs where $W(N_1) = I_1 \cup O_1$ and $W(N_2) = I_2 \cup O_2$. If $O_1 \cap O_2 = \emptyset$, the parallel composition $G = G_1 \parallel G_2$ defines $G = (N, S, R, s_0)$ as follows:
1. $N = N_1 \parallel N_2$
2. $S \subseteq S_1 \times S_2$
3. $s_0 = (s_{01}, s_{02})$
4. $R = r_1 \cup r_2 \cup r_3 \cup r_4 \cup r_5 \cup r_6 \cup r_7 \cup r_8$ where for every $s_1 \in S_1$ and $s_2 \in S_2$:
a. If $w(t) \in W(N_1)$ and $w(t) \notin W(N_2)$:
   $r_1 = \{((s_1, s_2), t, (s'_1, s_2)) \mid (s_1, t, s'_1) \in R_1\}$
   $r_2 = \{((s_1, s_2), t, \pi) \mid (s_1, t, \pi) \in R_1\}$
b. If $w(t) \notin W(N_1)$ and $w(t) \in W(N_2)$:
   $r_3 = \{((s_1, s_2), t, (s_1, s'_2)) \mid (s_2, t, s'_2) \in R_2\}$
   $r_4 = \{((s_1, s_2), t, \pi) \mid (s_2, t, \pi) \in R_2\}$
c. If $w(t) \in W(N_1)$ and $w(t) \in W(N_2)$:
   $r_5 = \{((s_1, s_2), t, (s'_1, s'_2)) \mid (s_1, t, s'_1) \in R_1 \text{ and } (s_2, t, s'_2) \in R_2\}$
   $r_6 = \{((s_1, s_2), t, \pi) \mid (s_1, t, \pi) \in R_1 \text{ and } (s_2, t, s'_2) \in R_2\}$
   $r_7 = \{((s_1, s_2), t, \pi) \mid (s_1, t, s'_1) \in R_1 \text{ and } (s_2, t, \pi) \in R_2\}$
   $r_8 = \{((s_1, s_2), t, \pi) \mid (s_1, t, \pi) \in R_1 \text{ and } (s_2, t, \pi) \in R_2\}$

    find_sg((W, T, P, F, μ0, L, B), s0)
        // μ(s) is the marking of state s and σ(s) its state vector;
        // •t and t• are the preset and postset of transition t
        Te = enabled(s0)
        push(s0, Te)
        while stack is not empty do
            (s, Te) = pop()
            failure = false                 // reset for every firing
            s' = s
            t = select(Te)
            if Te − {t} ≠ ∅ then push(s, Te − {t})
            if (μ(s) − •t) ∩ t• ≠ ∅ then    // check safety failure
                failure = true
            μ(s') = (μ(s) − •t) ∪ t•
            if L(t) = w+ then
                if σ(s)[w] = 1 then         // check complement failure
                    failure = true
                σ(s')[w] = 1
            else if L(t) = w− then
                if σ(s)[w] = 0 then         // check complement failure
                    failure = true
                σ(s')[w] = 0
            T'e = enabled(s')
            if T'e = ∅ then                 // check deadlock failure
                failure = true
            else if (Te − {t}) ⊄ T'e then   // check disabling failure
                failure = true
            if failure = true then
                R = R ∪ {(s, t, π)}
            else
                if s' ∉ S then
                    S = S ∪ {s'}
                    push(s', T'e)
                R = R ∪ {(s, t, s')}
        return (S, R)

Figure 2.3 Algorithm to find the reachable state space with failure preservation

$N$ of the composite STG is the BGPN composition of $N_1$ and $N_2$. $S$ of $G$ is a subset of all possible pairs of states from $S_1$ and $S_2$: $S$ consists of those states in $S_1 \times S_2$ which are reachable from $s_0$. Whether a state in $S_1 \times S_2$ is reachable depends upon the set of state transitions
$R$, which is explained below. Suppose a design consists of two components running in parallel. The synchronization between them is through wires from the outputs of one component to the inputs of another. In this case, both components make a state transition in parallel by changing the values of the common wires between them. Otherwise, if one component makes a transition not visible to the other one, the state transition of the entire design follows the component that makes the transition while the state of the other component is regarded to remain the same. In other words, if a component makes an internal state transition, it is reflected in the entire design while the other component is viewed as not changing. All of the following cases are considered in the composition definition for $R$.

The first case defines how a global state transition is produced from a state transition visible only to $G_1$. In addition, when $G_1$ makes a transition to the failure state, the entire design makes a transition to the failure state regardless of the current state of $G_2$. The second case is symmetric to case 1, defining how a global state transition is produced from a state transition only visible to $G_2$. Similarly, when $G_2$ makes a transition to the failure state, the entire design makes a transition to the failure state no matter what the state of $G_1$ is. The third case defines global state transitions when both $G_1$ and $G_2$ make synchronized transitions. If either one of $G_1$ or $G_2$ transitions to the failure state, the entire design transitions to the failure state. It has been proved in [11] that the parallel composition of STGs is commutative and associative. The STG composition algorithm is shown in Figure 2.4.

2.3 Correctness Definitions of Asynchronous Designs

In Section 2.2, a special failure state is used to denote that the design makes a wrong or unexpected state transition.
In this section, we define the conditions under which transition firings cause asynchronous design failure. In our method, a design is considered correct if none of the following failures are present in a model. There are four types of failures considered in our method: safety failures, complement failures, disabling failures and deadlocks. These failures are defined as follows.

Definition 2.3.1 Let $\rho = (s_0\, t_0\, s_1\, t_1\, s_2 \cdots)$ be a path in a STG $G$ where $R(s_i, t_i, s_{i+1})$ for all $i \geq 0$. Firing $t_i$ causes
1. A safety failure if $(\mu(s_i) - {}^\bullet t_i) \cap t_i^\bullet \neq \emptyset$.
2. A complement failure if
   a. $t_i = w+ \wedge \sigma(s_i)[w] = 1$, or
   b. $t_i = w- \wedge \sigma(s_i)[w] = 0$.
3. A disabling failure if $(\mathit{enabled}(s_i) - \{t_i\}) \not\subseteq \mathit{enabled}(s_{i+1})$.
4. A deadlock if $\mathit{enabled}(s_{i+1}) = \emptyset$.

Intuitively, a valid trace causes a safety failure if, after firing a transition, the marking update adds a token to a place that already exists in the marking. The 1-safe requirement of Petri nets is common for state space exploration algorithms. An unsafe net (i.e., one that is not 1-safe) typically indicates a problem with the underlying design. A valid trace causes a complement failure on wire $w$ if there exist two rising (falling) events on $w$ without a falling (rising) event in between. Complement failures are a common modeling error and usually occur when the set and reset phases of a signal are similar. A disabling failure happens if the boolean guard of a satisfied rule becomes disabled before the corresponding enabled transition is fired. It may indicate a violation of the hold time requirement of the underlying design. A valid trace causes a deadlock if a state is reached where there is no transition enabled. Given a BGPN $N$, the set of failure traces of $N$ is $F(N) \subseteq P(N)$.
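The exploration of Figure 2.3 together with the four checks of Definition 2.3.1, as an added example that is not code from the thesis. It runs on two constructed BGPNs: a buffer that copies an input wire x to an output y while an environment toggles x at will, and an environment that may raise x twice in a row. The `Transition` class, the state tuples and the guard callables are this example's own representation choices; the deadlock check follows Definition 2.3.1 directly (an empty enabled set in the successor state).

```python
# Added example, not from the thesis: state space exploration in the style of
# Figure 2.3 with the failure checks of Definition 2.3.1 on constructed nets.
PI = "pi"   # the failure state

class Transition:
    """A BGPN transition: preset/postset places, its wire event L(t) = wire+/-,
    and its boolean guard B(t) evaluated over the state vector."""
    def __init__(self, name, pre, post, wire, polarity, guard=lambda sigma: True):
        self.name, self.pre, self.post = name, frozenset(pre), frozenset(post)
        self.wire, self.polarity, self.guard = wire, polarity, guard

def state(marking, sigma):
    """A state s = (mu(s), sigma(s)): marking plus wire values, hashable."""
    return (frozenset(marking), tuple(sorted(sigma.items())))

def enabled(transitions, s):
    marking, sigma = s[0], dict(s[1])
    return {t.name for t in transitions if t.pre <= marking and t.guard(sigma)}

def fire(t, s):
    """Return (s', kinds): the successor state and the failure kinds raised."""
    marking, sigma = s[0], dict(s[1])
    kinds = set()
    if (marking - t.pre) & t.post:            # safety: token added to a marked place
        kinds.add("safety")
    new_marking = (marking - t.pre) | t.post
    value = 1 if t.polarity == "+" else 0
    if sigma[t.wire] == value:                # complement: w+ while w = 1 (or w- while w = 0)
        kinds.add("complement")
    sigma[t.wire] = value
    return state(new_marking, sigma), kinds

def find_sg(transitions, s0):
    """Depth-first exploration; failing firings go to PI and are not expanded."""
    by_name = {t.name: t for t in transitions}
    S, R, failures = {s0}, set(), set()
    Te0 = enabled(transitions, s0)
    stack = [(s0, Te0)] if Te0 else []
    if not Te0:
        failures.add(("(initial)", "deadlock"))
    while stack:
        s, Te = stack.pop()
        name = min(Te)                        # deterministic select()
        if Te - {name}:
            stack.append((s, Te - {name}))    # return for the other enabled firings
        s1, kinds = fire(by_name[name], s)
        Te1 = enabled(transitions, s1)
        if not Te1:
            kinds.add("deadlock")             # nothing enabled in s'
        elif not (Te - {name}) <= Te1:
            kinds.add("disabling")            # a still-pending firing lost its enabling
        if kinds:
            R.add((s, name, PI))
            failures |= {(name, k) for k in kinds}
        else:
            if s1 not in S:
                S.add(s1)
                stack.append((s1, Te1))
            R.add((s, name, s1))
    return S, R, failures

def buffer_with_free_input():
    """Constructed net: y follows x, while the environment toggles x freely."""
    x_up = Transition("x+", {"e0"}, {"e1"}, "x", "+")
    x_dn = Transition("x-", {"e1"}, {"e0"}, "x", "-")
    y_up = Transition("y+", {"b0"}, {"b1"}, "y", "+", lambda sg: sg["x"] == 1)
    y_dn = Transition("y-", {"b1"}, {"b0"}, "y", "-", lambda sg: sg["x"] == 0)
    return [x_up, x_dn, y_up, y_dn], state({"e0", "b0"}, {"x": 0, "y": 0})

def double_rise():
    """Constructed net: the environment may raise x twice without lowering it."""
    return [Transition("x+", {"e0"}, {"e0"}, "x", "+")], state({"e0"}, {"x": 0})

def failure_kinds(net):
    transitions, s0 = net
    return sorted({kind for _, kind in find_sg(transitions, s0)[2]})

if __name__ == "__main__":
    print(failure_kinds(buffer_with_free_input()))   # ['disabling']
    print(failure_kinds(double_rise()))               # ['complement']
```

The buffer example shows the hold-time reading of a disabling failure: with x = 1 the guard of y+ holds, but the unconstrained environment may lower x again before y+ fires, so (Te − {t}) is no longer a subset of the enabled set in the successor state and the firing of x- leads to the failure state.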
Given two BGPNs $N_1$ and $N_2$, the following property holds:
$$F(N_1) \subseteq F(N_2) \text{ if } P(N_1) \subseteq P(N_2) \qquad (2.1)$$
A design $N$ is said to be correct or failure-free if $F(N) = \emptyset$.

2.4 Conformance Relation

In this section, we describe the conformance relation between models of a design and its implication for verification. The purpose of the conformance relation is to find a model of smaller size for a design while preserving enough information for sound verification. First, the definition of conformance is given as follows:

Definition 2.4.1 Given two BGPNs $N_1$ and $N_2$ where $W_1 = I_1 \cup O_1$ and $W_2 = I_2 \cup O_2$, $N_1$ conforms to $N_2$, denoted as $N_1 \preceq N_2$, if $I_1 = I_2$, $O_1 = O_2$ and $P(N_1 \parallel N) \subseteq P(N_2 \parallel N)$ for all $N$.

Theorem 2.4.1 Given BGPNs $N_1 \preceq N_2$ and $N_2 \preceq N_3$, then $N_1 \preceq N_3$.

Proof: According to Definition 2.4.1, $N_1 \preceq N_2$ implies $P(N_1) \subseteq P(N_2)$, and $N_2 \preceq N_3$ implies $P(N_2) \subseteq P(N_3)$. From $P(N_1) \subseteq P(N_2) \subseteq P(N_3)$ we may conclude $P(N_1) \subseteq P(N_3)$, making conformance transitive.

From the definition, we see that conformance is defined over the same set of input and output wires. This is sensible because conformance is often applied to models of a design at different abstraction levels. According to Equation 2.1, if a concrete model conforms to an abstract one, then failures displayed by the concrete model are also displayed by the abstract one. In other words, any failures caught when verifying the abstract model include those in the concrete one. If no failures are found in the abstract model, we can conclude the unverified concrete model also contains no failures. Therefore, the verification complexity can be greatly reduced by finding an abstract model, if the abstract model is smaller than the concrete model and the concrete model conforms to the abstract model. The following lemmas show that conformance is preserved for parallel composition.
The proof for Lemma 2.4.1 can be found in [21].

Lemma 2.4.1 Given BGPNs $N_1$, $N_2$ and $N_3$, $N_1 \parallel N_3 \preceq N_2 \parallel N_3$ if $N_1 \preceq N_2$.

Lemma 2.4.2 Given BGPNs $N_1$, $N_2$, $N_3$ and $N_4$, $N_1 \parallel N_2 \preceq N_3 \parallel N_4$ if $N_1 \preceq N_3$ and $N_2 \preceq N_4$.

Proof: According to Lemma 2.4.1, $N_1 \parallel N_2 \preceq N_2 \parallel N_3$ since $N_1 \preceq N_3$, and $N_2 \parallel N_3 \preceq N_3 \parallel N_4$ since $N_2 \preceq N_4$. Given $N_1 \parallel N_2 \preceq N_2 \parallel N_3 \preceq N_3 \parallel N_4$, according to Theorem 2.4.1 we conclude $N_1 \parallel N_2 \preceq N_3 \parallel N_4$.

    compose(G1, G2)
        unexplored = {(s01, s02)}
        while unexplored ≠ {}
            (s1, s2) = select(unexplored)
            unexplored = unexplored − {(s1, s2)}
            explored = explored ∪ {(s1, s2)}
            foreach t1 in G1 where w(t1) ∉ W(G2)
                if R1(s1, t1, s'1) then
                    R((s1, s2), t1, (s'1, s2))
                    if (s'1, s2) ∉ explored then unexplored = unexplored ∪ {(s'1, s2)}
                if R1(s1, t1, π) then R((s1, s2), t1, π)
            end foreach
            foreach t2 in G2 where w(t2) ∉ W(G1)
                if R2(s2, t2, s'2) then
                    R((s1, s2), t2, (s1, s'2))
                    if (s1, s'2) ∉ explored then unexplored = unexplored ∪ {(s1, s'2)}
                if R2(s2, t2, π) then R((s1, s2), t2, π)
            end foreach
            foreach t1 in G1 and t2 in G2 where w(t1) ∈ D and w(t2) ∈ D   // D = W(G1) ∩ W(G2), the shared wires
                if R1(s1, t1, s'1) and R2(s2, t2, s'2) and w(t1) = w(t2) then
                    R((s1, s2), t1, (s'1, s'2))
                    if (s'1, s'2) ∉ explored then unexplored = unexplored ∪ {(s'1, s'2)}
                if R1(s1, t1, π) and R2(s2, t2, s'2) and w(t1) = w(t2) then R((s1, s2), t1, π)
                if R1(s1, t1, s'1) and R2(s2, t2, π) and w(t1) = w(t2) then R((s1, s2), t1, π)
                if R1(s1, t1, π) and R2(s2, t2, π) and w(t1) = w(t2) then R((s1, s2), t1, π)
            end foreach
        end while

Figure 2.4 STG composition algorithm

CHAPTER 3 COMPOSITIONAL MINIMIZATION AND VERIFICATION

In this chapter, we describe our compositional approach to verification.
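The composition of Definition 2.2.2 and Figure 2.4 in executable form, as an added example rather than the thesis's own code. It composes two constructed STGs: an environment that toggles its output x, and a buffer with input x and output y that fails if x changes again before y has followed it. Private events interleave (cases a and b), events on a shared wire synchronize only when both sides fire the same event (case c), and a failure on either side is a failure of the composite. The dict layout and the "x+"/"x-" event naming are this example's own assumptions.

```python
# Added example, not from the thesis: STG parallel composition
# (Definition 2.2.2 / Figure 2.4) on constructed STGs.
PI = "pi"

def wire(t):
    return t[:-1]                            # w("x+") = "x"

def successors(R):
    succ = {}
    for s, t, n in R:
        succ.setdefault(s, set()).add((t, n))
    return succ

def compose(g1, g2):
    """G1 || G2 over the states reachable from (s01, s02)."""
    W1, W2 = g1["wires"], g2["wires"]
    succ1, succ2 = successors(g1["R"]), successors(g2["R"])
    s0 = (g1["s0"], g2["s0"])
    S, R, unexplored = {s0}, set(), [s0]

    def add(s, t, n):
        R.add((s, t, n))
        if n != PI and n not in S:           # the failure state is never expanded
            S.add(n)
            unexplored.append(n)

    while unexplored:
        s1, s2 = s = unexplored.pop()
        out1, out2 = succ1.get(s1, set()), succ2.get(s2, set())
        for t, n1 in out1:
            if wire(t) not in W2:            # case a: visible only to G1 (r1, r2)
                add(s, t, PI if n1 == PI else (n1, s2))
        for t, n2 in out2:
            if wire(t) not in W1:            # case b: visible only to G2 (r3, r4)
                add(s, t, PI if n2 == PI else (s1, n2))
        for t, n1 in out1:
            if wire(t) in W2:                # case c: shared wire, both fire t (r5..r8)
                for t2, n2 in out2:
                    if t2 == t:
                        add(s, t, PI if PI in (n1, n2) else (n1, n2))
    return {"wires": W1 | W2, "s0": s0, "S": S, "R": R}

def failure_reachable(g):
    """Every state in S is reachable, so pi is reachable iff some transition enters it."""
    return any(n == PI for _, _, n in g["R"])

def example():
    """Constructed STGs: a toggling environment and a buffer that requires
    y to follow x before x may change again."""
    env = {"wires": {"x"}, "s0": "a0",
           "R": {("a0", "x+", "a1"), ("a1", "x-", "a0")}}
    buf = {"wires": {"x", "y"}, "s0": "b0",
           "R": {("b0", "x+", "b1"), ("b1", "y+", "b2"), ("b1", "x-", PI),
                 ("b2", "x-", "b3"), ("b3", "y-", "b0"), ("b3", "x+", PI)}}
    return compose(env, buf)

if __name__ == "__main__":
    g = example()
    print(len(g["S"]), failure_reachable(g))    # 4 True
    for tr in sorted(g["R"], key=str):
        print(tr)
```

Because the environment may lower x from (a1, b1) while the buffer is still waiting to raise y, the composite contains ((a1, b1), x-, pi): the buffer's failure transition wins over the environment's ordinary one, exactly as r7 prescribes.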
The traditional flat approach fails when state space explosion occurs for large design models. Our methodology builds on the previous work of compositional verification. Like traditional compositional verification, we individually examine components of a system and then merge the results to form a global STG. To produce a reduced global STG which is an abstract model of the concrete global STG, the STG for each component is abstracted to reduce complexity. The reduced STGs are then incrementally composed. After each composition, the STG is again abstracted to remove state transitions that have been made internal by composition. When composition is complete, the global STG models the interface behavior of the concrete global STG. Throughout this approach, we preserve failures during composition and abstraction; therefore no failure can be missed. We also prove that our compositional approach is sound in that no false positive results can be produced.

3.1 Framework of the Compositional Method

This section presents a general framework of compositional verification. In our method, a circuit is modeled as a set of parallel components formally described using BGPNs. Each BGPN describes a single component. Rather than attack the complexity of the complete system, components are assessed autonomously. Each component BGPN is extracted from the complete system and composed with another BGPN describing an over-approximated environment. The over-approximated environment reproduces all input behavior that would be supplied by the actual environment, and perhaps more.
State space exploration is then performed on each component to obtain an STG. Each STG describes all behavior a component can produce when it is embedded in the complete system. Then the component STGs are incrementally composed to form a global STG describing the complete system. The algorithm for compositional verification is shown in Figure 3.1.

    verify(N = N1 ∥ ... ∥ Nn)
        find STG Gi for Ni ∥ Ei^approx (1 ≤ i ≤ n)
        forall 1 ≤ i ≤ n, 1 ≤ j ≤ n, and i ≠ j
            G = compose(Gi, Gj)
        if π reachable from s0 of G then
            return N has a failure
        else
            return N is correct
        end if

Figure 3.1 Compositional verification algorithm

The complete system $N$ is described as the composition $\parallel_{i=1}^{n} N_i$ where each BGPN $N_i$ describes a component of $N$. We begin by regarding the rest of the system as $E_i$, the environment to $N_i$. For the component $N_i$, let $E_i^{actual}$ denote the actual environment $\parallel_{j=1}^{n} N_j$ where $j \neq i$. Equation 3.1 describes the relationship between $N$ and $N_i \parallel E_i^{actual}$ for all $i$:
$$N \equiv N_i \parallel E_i^{actual} \qquad (3.1)$$
Often $E_i^{actual}$ is a very complex BGPN. $E_i^{actual}$ may contain many wires that are invisible to $N_i$. The wires invisible to $N_i$ in the BGPN $N_i \parallel E_i^{actual}$ may significantly contribute to state space explosion when finding $G(N_i \parallel E_i^{actual})$. To remove these invisible wires and decouple the component from its actual environment, we devise $E_i^{approx}$, which is an over-approximation of $E_i^{actual}$.

Definition 3.1.1 Given an arbitrary BGPN $N$, we say $E^{approx}$ is an over-approximation of $E^{actual}$ if $G(N \parallel E^{actual}) \preceq G(N \parallel E^{approx})$.

An over-approximated environment is simpler than the actual environment and exhibits at least as much behavior as the actual environment on the interface wires facilitating communication between $N_i$ and $E_i$. For now we omit the procedure to produce such an approximation.
For each component in the complete system $N$, the algorithm seen in Figure 3.1 composes component $N_i$ with its over-approximated environment $E_i^{approx}$. State space exploration is then performed on each BGPN $N_i \parallel E_i^{approx}$ to form an STG $G_i$. The component STGs $G_i$ are then incrementally composed to form the global STG $G$. Theorem 3.1.1 proves that the STG $G$ produced by the flat approach conforms to the global STG $G'$ produced by the compositional approach. According to Definition 2.4.1, $P(G) \subseteq P(G')$, such that all failure traces in $G$ also appear in $G'$. Therefore, if the failure state is reachable from the initial state in the final composition $G'$, then we cannot say the design is failure free. However, if there is no path from the initial state to the failure state, we can conclude the complete design is failure free.

Theorem 3.1.1 Let $N = \parallel_{i=1}^{n} N_i$, $G$ be the STG derived from $N$, and $G'_i$ be the STG derived from $N_i \parallel E_i^{approx}$ where $1 \leq i \leq n$. The following equation holds: $G \preceq \parallel_{i=1}^{n} G'_i$.

Proof: For $1 \leq i \leq n$, $E_i^{actual}$ is the composition of all the BGPNs of $N$ excluding $N_i$. Therefore, $N \equiv \parallel_{i=1}^{n} N_i \equiv N_i \parallel E_i^{actual}$. Let $G_i$ be the STG derived from $N_i \parallel E_i^{actual}$ and $G'_i$ be the STG derived from $N_i \parallel E_i^{approx}$. According to Definition 3.1.1, $G_i \preceq G'_i$. Similarly, for $1 \leq j \leq n$, $G_j$ is the STG derived from $N_j \parallel E_j^{actual}$ and $G'_j$ is the STG derived from $N_j \parallel E_j^{approx}$. Since $N \equiv N_i \parallel E_i^{actual} \equiv N_j \parallel E_j^{actual}$, $G \equiv G_i \equiv G_j$. Then according to Lemma 2.4.2, $G \preceq G'_i \parallel G'_j$. The above argument can be repeated for all $1 \leq i, j \leq n$, proving Theorem 3.1.1.

3.2 Abstraction

The compositional approach is chosen when the resources required by the flat approach exceed the available resources. The final STG produced by the algorithm seen in Figure 3.1 is at least as large as the STG produced in the flat approach.
If the STG produced by the compositional approach is as large as that of the flat approach, the compositional approach holds no advantage. In order to reduce complexity and remain within the confines of available resources, abstraction is added to the compositional method. In this section, we describe a method of abstraction that preserves the soundness of compositional verification.

Abstraction removes details unnecessary to verification. To ensure the soundness of the abstraction method, traces are never removed from the possible trace set. Rather, traces are shortened by removing the unnecessary events from a trace. Any trace ending in the failure state will still end in the failure state after abstraction.

We begin by partitioning the set of wires $W$ of a component into two sets $V$ and $D$ where $W = V \cup D$. $V$ is the set of interface wires and $D$ is the set of internal wires. Given a component's STG $G_i$, a wire $w \in W$ may be either an interface wire or an internal wire. Interface wires facilitate inter-component communication. The interface wires of a component can be either inputs, denoted $I$, or outputs, denoted $O$. The set of wires $D$ only provides intra-component communication. State transitions on these wires are not visible to other components. During abstraction, all state transitions on the wires in $D$ are removed while state transitions on the wires in $V$ are preserved. This results in a black box representation of the component where state transitions only occur on input and output wires.

Suppose there exists a state transition $(s_i, t', s_j)$ in an STG $G$ where $w(t') \in D$. To abstract this state transition, we simply combine $s_i$ and $s_j$ to form a single merged state $s_{ij}$. All state transitions that either entered or exited $s_i$ now enter or exit $s_{ij}$. The result is the same for state transitions entering or exiting $s_j$. Then the state transition $t'$ in $G$ is deleted.
To preserve failure traces, if $s_j$ is the failure state then the state formed by merging $s_i$ and $s_j$ is also the failure state. By strictly adhering to this rule, failure traces are never lost. An example of abstraction is shown in Figure 3.2.

Figure 3.2 (a) STG before abstraction of $t'$ (states $s_i$, $s_j$; transitions $t'$, $t_m$, $t_n$, $t_o$, $t_p$); (b) STG after abstraction of $t'$ (merged state $s_{ij}$; transitions $t_m$, $t_n$, $t_o$, $t_p$)

A side-effect of abstraction is that the possible trace set may be enlarged. For the STG $G$ seen in Figure 3.3(a), all traces begin with the prefix $(t_0, t_1, t_2)$. After abstracting $t'$, the trace set for $G$ has been enlarged such that all traces begin with the prefix $(t_0, t_1, t_2, \ldots)$ or $(t_0, t_3, \ldots)$. The abstracted STG containing additional traces is shown in Figure 3.3(b).

Figure 3.3 (a) STG before producing additional traces (states $s_h$, $s_i$, $s_j$, $s_k$; transitions $t'$, $t_0$, $t_1$, $t_2$, $t_3$); (b) STG after producing additional traces (states $s_h$, $s_k$, $s_{ij}$; transitions $t_0$, $t_1$, $t_2$, $t_3$)

Additional failure traces created by abstraction are known as false failures. These false failures do not threaten the correctness of our method, but introducing additional false failures can increase the resource usage required during failure trace refinement. By first abstracting state transitions adjacent to the failure state, we can prevent abstraction from producing some false failures. Figure 3.4(a) shows an STG $G$ containing two abstractable state transitions $t'_3$ and $t'_4$. If we abstract state transition $t'_4$ before $t'_3$, the trace $\gamma = (t_0, t'_3, \star)$ is added to the trace set.

Figure 3.4 (a) STG before abstraction (states $s_h$, $s_i$, $s_j$, $s_k$; transitions $t'_4$, $t_0$, $t_1$, $t_2$, $t'_3$); (b) Abstracted STG containing additional failure traces (states $s_h$, $s_k$, $s_{ij}$; transitions $t_0$, $t_1$, $t_2$, $t'_3$); (c) Abstracted STG that does not contain additional failure traces (states $s_h$, $s_i$, $s_k$; transitions $t_0$, $t_1$, $t_2$)
The resulting STG is seen in Figure 3.4(b). However, if we first abstract $t'_3$, the state transition closest to the failure state, no new traces are added to the STG. The abstracted STG containing no additional traces is shown in Figure 3.4(c). The abstraction algorithm shown in Figure 3.5 attempts to avoid introducing false failures whenever possible by first abstracting internal transitions adjacent to the failure state.

To contain state space explosion during the compositional approach, we augment the original compositional verification algorithm to include abstraction. Before each composition, we abstract the STGs supplied as input to the composition function. Given any substantial number of internal wires, the composition can be significantly smaller than one for which the input STGs were not abstracted. The STG produced by composition with abstraction is usually much less complex than the STG produced by the flat approach. In order to maintain the soundness of the verification algorithm, $G$ must conform to $\mathit{abstract}(G)$. As previously discussed, abstraction never removes traces from $P(G)$, but simply shortens existing traces. In some cases, it may add traces to the possible trace set. Fortunately, conformance allows this to happen.
The following theorem proves that an STG $G$ conforms to its abstraction $G'$.

    abstract(G)
        foreach (si, t, π) ∈ R where w(t) ∈ D(G)
            foreach (sj, t', si) ∈ R
                replace (sj, t', si) with (sj, t', π)
            foreach (si, t', sj) ∈ R
                replace (si, t', sj) with (π, ζ, π)
                S = S ∪ {sj}
            delete R(si, t, π)
        foreach si ∈ S
            if unreachable(si)
                foreach (si, t, sj) ∈ R
                    replace R(si, t, sj) with R(π, ζ, π)
                    S = S ∪ {sj}
        foreach (si, t, sj) ∈ R where w(t) ∈ D(G)
            delete R(si, t, sj)
            foreach (sk, t', si) ∈ R
                replace (sk, t', si) with (sk, t', sij)
            foreach (si, t', sk) ∈ R
                replace (si, t', sk) with (sij, t', sk)
            foreach (sk, t', sj) ∈ R
                replace (sk, t', sj) with (sk, t', sij)
            foreach (sj, t', sk) ∈ R
                replace (sj, t', sk) with (sij, t', sk)

Figure 3.5 Internal state transition abstraction algorithm

Theorem 3.2.1 Given an STG $G$ where $V = W - D$, $G[V] \preceq \mathit{abstract}(G)$.

Proof: $G[V] \preceq \mathit{abstract}(G)$ if for every $\gamma \in P(G)$ there exists $\gamma' \in P(\mathit{abstract}(G))$ such that $\gamma[V] \equiv \gamma'$. Let $(s_h, t_i, s_i) \in R$, $(s_i, t', s_j) \in R$ and $(s_j, t_j, s_k) \in R$ where $w(t') \notin V$. For each $(s_i, t', s_j) \in R$ there are one or more paths in $G$ containing $(s_i, t', s_j)$. A path in $G$ containing $(s_i, t', s_j)$ is $\rho = (\cdots s_h\, t_i\, s_i\, t'\, s_j\, t_j\, s_k \cdots)$. The trace corresponding to $\rho$ is $\gamma = (\ldots, t_i, t', t_j, \ldots)$. To abstract $(s_i, t', s_j)$, the states $s_i$ and $s_j$ are merged to form a single state $s_{ij}$. Then the state transition $(s_i, t', s_j)$ is deleted from $R$. This process is repeated for each instance of $(s, t', s') \in R$ in the path where the BGPN transition $t' \notin V$. As a result, $\mathit{abstract}(\rho) = \rho' = (\cdots s_h\, t_i\, s_{ij}\, t_j\, s_k \cdots)$. Its corresponding trace is $\gamma' = (\ldots, t_i, t_j, \ldots)$ where all $t_i$ and $t_j$ ret retain their relative order.
If we project the trace $\gamma$ to the set of wires $V$ according to the definition of the projection function in Chapter 2, the result $(\ldots, t_i, t_j, \ldots)$ is equivalent to $\gamma'$. The same argument is applied for all traces in $G$. Since $P(G)[V] \subseteq P(\mathit{abstract}(G))$, by Definition 2.4.1 $G[V] \preceq \mathit{abstract}(G)$.

    autofailure(G)
        foreach (sj, t, π) ∈ R where w(t) ∉ I(G)
            if sj = s0 return component failure
            replace (sj, t, π) with (π, ζ, π)
            foreach (si, t, sj) ∈ R
                replace (si, t, sj) with (si, t, π)
            foreach (sj, t, sk) ∈ R
                S = S ∪ {sk}
                replace (sj, t, sk) with (π, ζ, π)
        foreach si ∈ S
            if unreachable(si)
                foreach (si, t, sj) ∈ R
                    replace (si, t, sj) with (π, ζ, π)
                    S = S ∪ {sj}

Figure 3.6 Algorithm to backward propagate failures

3.3 Failure Backward Propagation

The failure state of an STG may be caused by an output or internal BGPN transition firing. However, in most cases the cause of the failure can be traced back to an input BGPN transition where the environment supplied some input the design could not handle. If an output or internal BGPN transition firing causes a failure, the state from which the BGPN transition fires is also a failure state. We refer to these states as failure states because the environment cannot prevent the failure from occurring. [21] refers to this new failure state as the autofailure state. However, [21] presents autofailure as a means of canonicalizing automatons representing asynchronous circuit designs. Like [21], we consider potential failure states to be failure states, though our motive differs. Our method is similar to [25] in that by treating potential failure states as actual failure states, we are able to reduce the size of an STG. In this section, we describe a method of shortening the representation of traces in an STG through autofailure reduction.
When a failure occurs, its autofailure state can be found by traversing each path in the STG backwards from $\pi$ until an input event is reached. The state transition $(s_i, t, \pi)$ replaces $(s_i, t, s_j)$ where $t$ is the input event found in the previous step, and all states that were reachable from $s_j$ are marked as failure states. The algorithm shown in Figure 3.6 starts from the failure state and checks all incoming paths to $\pi$ backwards. If, at any point during backward traversal, the initial state is encountered before an input transition is found, that indicates the component fails right from the initial state, and it is reported back to users right away. Otherwise, suppose there is a failure state transition $(s_j, t, \pi)$ where the BGPN transition $t$ is not an input. The state $s_j$ is marked as a failure state, and the BGPN transition $t$ is represented as $\zeta$. Then every state transition $(s_i, t, s_j)$ is updated to $(s_i, t, \pi)$. This process repeats until only state transitions on inputs enter the failure state. Then every state transition $(s_k, t, s_l)$ that is reachable from the new autofailure state is changed to $(\pi, \zeta, \pi)$.

Figure 3.7(a) is an STG consisting of input and non-input state transitions. The input transitions are denoted as $(s, t, s')$ where $t \in I$. Similarly, we use $(s, t', s')$ where $t' \notin I$ to represent an output or internal transition. Autofailure reduction begins by locating a non-input state transition to the failure state. The state transition $(s_k, t', \pi)$ is found, and the potential failure state $s_k$ is marked as a failure state. Afterward, we convert the state transition $(s_k, t', \pi)$ to $(\pi, \zeta, \pi)$. By repeating this process we find another non-input state transition $(s_i, t', \pi)$ entering the failure state. The process is repeated and $s_i$ is marked as failure. Then states reachable from a failure state are marked as failure states.
After autofailure, the state transition $(\pi, \zeta, \pi)$ represents all transitions that exit the failure states and potential failure states. Like abstraction, applying autofailure reduction immediately before each composition safely reduces peak complexity. Autofailure is safe because it does not remove traces from the possible trace set of a design. Chapter 2 introduced the special state transition $(\pi, \zeta, \pi)$ which represents behavior occurring after the failure state with less detail. By applying backwards failure propagation, we reduce the size of the state transition graph by representing many BGPN transition firings with the single state transition $(\pi, \zeta, \pi)$. This creates an STG smaller in size. Theorem 3.3.1 proves that the STG $G$ conforms to the autofailure of $G$.

Theorem 3.3.1 Given an STG $G$, $G \preceq \mathit{autofailure}(G)$.

Figure 3.7 (a) STG before autofailure reduction (states $s_i$, $s_j$, $s_k$, $s_l$ with input transitions $t$ and non-input transitions $t'$); (b) STG after autofailure reduction (state $s_j$ with input transitions $t$ and the collapsed non-input transition $t'$)

Proof: Let $G$ be an STG representing the firings of BGPN transitions $t$ and $t'$ where $w(t) \in I$ and $w(t') \notin I$. Let $\rho$ be a path in $G$ such that $\rho = (\cdots t\, s_i\, t\, s_j\, t'\, s_k\, t'\, \pi\, \zeta\, \pi \cdots)$. Its corresponding trace is $\gamma = (\ldots, t, t, t', t', \star)$. Performing autofailure on $G$ relabels the states and state transitions of $\rho$ such that $\mathit{autofailure}(\rho) = \rho'$ and $\rho' = (\cdots t\, s_i\, t\, \pi\, \zeta\, \pi\, \zeta \cdots)$. $\gamma'$ is the trace corresponding to $\rho'$ where $\gamma' = (\ldots, t, t, \star)$. After autofailure reduction, the trace $\gamma = (\ldots, t, t, t', t', \star)$ has been reduced to $\gamma' = (\ldots, t, t, \star)$. Recall that $\star$ represents an infinite number of arbitrary transition firings in a BGPN $N$; thus the trace $\gamma' = (\ldots, t, t, \star)$ is equivalent to the trace $\gamma'' = (\ldots, t, t, \zeta, \zeta, \ldots)$. In the case of $\gamma''$, each $\zeta$ represents a corresponding $t'$ in $\gamma$; thus $\gamma$ and $\gamma'$ are equivalent traces differing only in notation. Given that $P(G) \subseteq P(\mathit{autofailure}(G))$, by Definition 2.4.1 we know $G \preceq \mathit{autofailure}(G)$.
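The two reductions of Sections 3.2 and 3.3, as an added example that is not the thesis's own code: `autofailure` implements the backward propagation of Figure 3.6, `abstract` implements the internal-transition merging of Figure 3.5 with failure-adjacent transitions handled first, and `conforms_bounded` checks, for trace prefixes up to a chosen length, the projected-trace inclusion that Definition 2.4.1 and the proofs of Theorems 3.2.1 and 3.3.1 rely on (a prefix ending in the arbitrary suffix covers every continuation, as γ' and γ'' do in the proof above). The constructed component has input x, output y and internal wire z; the dict layout of an STG, the event naming and the bounded-depth check are this example's own assumptions.

```python
# Added example, not from the thesis: autofailure reduction (Figure 3.6),
# internal-transition abstraction (Figure 3.5) and a bounded projected-trace
# inclusion check on a constructed STG.
PI, ZETA, STAR = "pi", "zeta", "*"      # failure state, arbitrary firing, failure suffix

def wire(t):
    return None if t == ZETA else t[:-1]   # "x+" -> "x"

def relabel(R, old, new):
    """Rename state old to new everywhere; transitions leaving pi collapse to (pi, zeta, pi)."""
    out = set()
    for s, t, n in R:
        s, n = (new if s == old else s), (new if n == old else n)
        out.add((PI, ZETA, PI) if s == PI else (s, t, n))
    return out

def prune_unreachable(g):
    """Keep only transitions leaving states still reachable from s0."""
    succ = {}
    for s, _, n in g["R"]:
        succ.setdefault(s, set()).add(n)
    seen, todo = {g["s0"]}, [g["s0"]]
    while todo:
        for n in succ.get(todo.pop(), ()):
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return {**g, "R": {tr for tr in g["R"] if tr[0] in seen}}

def merge(g, a, b):
    """Merge two states: pi absorbs whatever is merged into it, otherwise the
    initial state keeps its name (the failure-preserving rule of Section 3.2)."""
    if PI in (a, b):
        survivor, victim = PI, (a if b == PI else b)
    elif b == g["s0"]:
        survivor, victim = b, a
    else:
        survivor, victim = a, b
    s0 = survivor if g["s0"] == victim else g["s0"]
    return {**g, "s0": s0, "R": relabel(g["R"], victim, survivor)}

def abstract(g, D):
    """Remove every state transition on an internal wire in D, taking those
    adjacent to the failure state first (the ordering of Figure 3.5)."""
    while True:
        internal = [tr for tr in g["R"] if tr[0] != PI and wire(tr[1]) in D]
        if not internal:
            return prune_unreachable(g)
        internal.sort(key=lambda tr: (tr[2] != PI, tr))
        s, t, n = internal[0]
        g = merge({**g, "R": g["R"] - {(s, t, n)}}, s, n)

def autofailure(g, I):
    """A state from which a non-input firing leads to pi is itself a failure state."""
    while True:
        cand = sorted(tr for tr in g["R"]
                      if tr[2] == PI and tr[0] != PI and wire(tr[1]) not in I)
        if not cand:
            return prune_unreachable(g)
        if cand[0][0] == g["s0"]:             # the component fails from its initial state
            return {**g, "s0": PI, "R": {(PI, ZETA, PI)}}
        g = merge(g, cand[0][0], PI)

def projected_prefixes(g, V, depth):
    """Trace prefixes of g with up to `depth` visible events, projected to V;
    a prefix that reaches pi ends in STAR."""
    succ = {}
    for s, t, n in g["R"]:
        succ.setdefault(s, set()).add((t, n))
    out, seen = set(), set()
    def dfs(s, seq):
        if (s, seq) in seen:
            return
        seen.add((s, seq))
        out.add(seq)
        if len(seq) >= depth:
            return
        for t, n in succ.get(s, ()):
            vis = (t,) if wire(t) in V else ()
            if n == PI:
                out.add(seq + vis + (STAR,))
            else:
                dfs(n, seq + vis)
    dfs(g["s0"], ())
    return out

def conforms_bounded(g, h, V, depth):
    """Every projected prefix of g is matched by h; a prefix of h ending in STAR
    covers every continuation."""
    P = projected_prefixes(h, V, depth)
    def covered(p):
        return p in P or any(p[:k] + (STAR,) in P for k in range(len(p) + 1))
    return all(covered(p) for p in projected_prefixes(g, V, depth))

def example():
    """Constructed component (input x, output y, internal z): the output
    firing y+ from s6 fails, so s6 becomes an autofailure state and the input
    event x- from s2 is what enters pi after reduction."""
    g = {"s0": "s0", "R": {("s0", "x+", "s1"), ("s1", "z+", "s2"), ("s2", "y+", "s3"),
                           ("s3", "x-", "s4"), ("s4", "y-", "s5"), ("s5", "z-", "s0"),
                           ("s2", "x-", "s6"), ("s6", "y+", PI)}}
    return g, abstract(autofailure(g, I={"x"}), D={"z"})

if __name__ == "__main__":
    g, reduced = example()
    print(sorted(reduced["R"]))
    print(conforms_bounded(g, reduced, V={"x", "y"}, depth=6))   # True
```

After both reductions the component keeps four states plus π, and the only transition into π is on the input event x-, which is the information a later composition with the real environment needs.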
3.4 Maximal Environment

As discussed above, we wish to decouple a component from the rest of the design by replacing the actual environment with an over-approximated environment. The simplest approach is to use a maximal environment. The concept of the maximal environment was introduced in [5]. The maximal environment for a component may produce any event on any input wire at any moment. Its behavior is larger than any other environment possible for the same component in terms of conformance. The maximal environment is formally described in Definition 3.4.1.

Definition 3.4.1 Given an arbitrary BGPN $N$, we say $E^{max}$ is the maximal environment to $N$ if $G(N \parallel E) \preceq G(N \parallel E^{max})$ for all $E$.

The more input behavior supplied to a design, the more output behavior that design may exude in response to the input. Design $N$ would display all possible behavior if composed with the maximal environment. Therefore, $E^{max}$ is an over-approximated environment. The maximal environment defines behavior for all input wires of a design. The behavior of each input wire is completely independent of other input wires; how each input wire changes its value is completely nondeterministic. In other words, the behavior of each input wire is unconstrained. Figure 2.2 in the previous chapter shows an AND-gate driven by a maximal environment. We also note that every design has a unique maximal environment.

3.5 Composition with Reduction

In the previous sections we have seen two methods to reduce the complexity of an STG. Both abstraction and autofailure may be combined to minimize the size of the final STG. For now, we choose our approximated environment to be the maximal environment because finding a more accurate approximation is nontrivial. Figure 3.8 shows an augmented verification algorithm that includes abstraction and autofailure.
This new algorithm performs reductions on the STGs immediately before composition. Theorem 3.2.1 proves that any STG G_i conforms to its abstraction G'_i, and Theorem 3.3.1 proves that any STG G'_i conforms to its autofailure reduction G''_i. By using the output of abstraction as the input to autofailure, as Figure 3.8 does, we can apply Lemma 2.4.1 and conclude that G_i conforms to G'_i, which conforms to G''_i.

verify(N = N_1 || … || N_n)
    find STG G_i for N_i || E^max_i (1 ≤ i ≤ n)
    for all 1 ≤ i ≤ n, 1 ≤ j ≤ n and i ≠ j:
        G = compose(autofailure(abstract(G_i)), autofailure(abstract(G_j)))
    if the failure state is reachable from s_0 of G then
        return "N has a failure"
    else
        return "N is correct"

Figure 3.8 Compositional verification algorithm with autofailure and abstraction

CHAPTER 4 STATE SPACE REFINEMENT WITH CONSTRAINTS

As described in the previous chapter, compositional verification performs state space exploration for each component in the system. For each component, an overapproximated environment is used in place of the actual environment; a maximal environment is the worst-case approximation. The input behaviors supplied by the overapproximated environment are a superset of those supplied by the actual environment. Supplying additional input behaviors can cause a design to produce additional output behavior. This extra behavior creates inessential state space during state space exploration. Inessential state space describes behavior which cannot occur when the component is embedded within its actual environment. Sometimes this inessential state space is removed when a component's STG is composed with the STG of its actual environment. However, the temporary existence of this inessential state space increases the peak number of states in the intermediate STGs during composition. The most undesirable outcome is for the inessential state space to appear in the final global STG.
Larger state spaces consume more memory and increase computation time. The inessential state space may also contain false failures. Every failure produced by our method must be verified through counterexample refinement, so eliminating false failures expedites the refinement and verification of true design failures. In this chapter, we present a method of constraint derivation that attempts to reduce these extra states by generating a more accurate approximation of the environment. This method can be used along with the reduction methods described in the previous chapter to further contain the peak size of the intermediate results during composition. We wish to produce a constrained overapproximated environment E^constrained_i such that E^actual conforms to E^constrained, which in turn conforms to E^approx. We first give the definition of constraints and how they affect BGPN firing semantics. We then describe how to derive them.

4.1 Constraint Definition

To create a more accurate approximation, we restrict the firings of BGPN transitions when their occurrence would cause an STG to enter inessential state space. In general, a constraint imposes additional logic on a BGPN transition firing that prevents the transition from firing unless the constraint is satisfied. In a BGPN, a constraint is associated with each transition. The augmented definition of BGPNs, including a boolean constraint mapping function C, is given as follows.

Definition 4.1.1 A BGPN N is the tuple (W, T, P, F, s_0, L, B, C), where C is the boolean constraint labeling function C : T → b, with b a boolean expression over W, while the other elements of N are defined as in Definition 2.1.1.

The addition of the constraint mapping function changes the BGPN firing semantics.
First, let c(t) denote the constraint labeling a BGPN transition t ∈ T. Recall that the function eval(s, b), where the state s pairs a marking with a vector of wire values, returns true if b evaluates to true under the wire values of s and false otherwise.

Definition 4.1.2 Let N be a BGPN and s a state of N. Given a BGPN transition t ∈ T, its constraint c(t) is satisfied at state s if eval(s, c(t)) = true.

For a BGPN transition to be enabled at a state, all of its enabling rules must be satisfied at that state, and in addition the transition's constraint must be satisfied at the same state. The modified definition of the BGPN transition enabling condition is given in Definition 4.1.3.

Definition 4.1.3 Let N be a BGPN and s a state of N. A transition t ∈ T is enabled at state s if its enabling rules are satisfied at s and eval(s, c(t)) = true.

The addition of constraints also requires modification of our failure definitions. The previous definition stated that a BGPN transition firing causes a failure if a certain condition is satisfied. With constraints, failure conditions are restricted and valid only when the constraints are also satisfied. In other words, transition firings are not considered when the constraints are not satisfied, even though these firings would cause failures if the constraints were ignored. The updated failure definitions are given as follows.

Definition 4.1.4 Let p = (s_0 t_0 s_1 t_1 s_2 …) be a path in an STG G where R(s_i, t_i, s_{i+1}) holds for all i ≥ 0, and let c(t_i) be the constraint on t_i, with eval(s_i, c(t_i)) = true for all i ≥ 1. Firing t_i causes

1. a safety failure if, after the tokens in the preset of t_i are removed from the marking of s_i, a place in the postset of t_i is still marked;
2. a complement failure if a. t_i = w+ and the value of w in s_i is 1, or b. t_i = w− and the value of w in s_i is 0;
3. a disabling failure if (enabled(s_i) − {t_i}) ⊄ enabled(s_{i+1});
4. a deadlock if enabled(s_{i+1}) = ∅.

In an STG G = (N, S, R, s_0), a BGPN transition t ∈ T is enabled at a state s ∈ S if R(s, t, s') holds for some s'.
According to the definition of constraints described above, a constraint is a condition that must be satisfied in every state where the BGPN transition is enabled. Therefore, c(t) corresponds to a set of state transitions R_{c(t)} ⊆ R such that, for every (s, t, s') ∈ R_{c(t)}, the BGPN transition t is enabled and its constraint c(t) is satisfied at state s. Obviously the following property holds:

    c_1(t) ⇒ c_2(t)   implies   R_{c_1(t)} ⊆ R_{c_2(t)}    (4.1)

where c_1(t) and c_2(t) are two constraints on t. This property states that the behavior of a model regarding t is reduced by imposing a stronger constraint on t, and vice versa. For example, R_{c_2(t)} includes all state transitions (s, t, s') ∈ R if c_2(t) = true, and R_{c_1(t)} ⊆ R_{c_2(t)} for every other c_1(t). Let C(T') be a set of constraints for all BGPN transitions in T' ⊆ T. C_1(T') is stronger than C_2(T') if c_1(t) ⇒ c_2(t) for every t ∈ T'. It is easy to see that the following property also holds:

    C_1(T') stronger than C_2(T')   implies   R_{C_1(T')} ⊆ R_{C_2(T')}    (4.2)

where R_{C(T')} is the union of R_{c(t)} over all t ∈ T' with c(t) ∈ C(T'). Given a BGPN N and a set of constraints C'(T') with T' ⊆ T, we denote the imposition of the constraints on N as N ⊕ C'(T'). This operation updates the constraints of N with C'(T') as shown in Definition 4.1.5.

Definition 4.1.5 Let N be a BGPN and C'(T') a set of constraints. N ⊕ C'(T') updates C(T) of N as follows: for all t ∈ T,

    c(t) := c(t) ∧ c'(t)[W]   if t ∈ T'
    c(t) := c(t)              otherwise

where c'(t)[W] is c'(t) projected onto the wires W of N. This definition ensures that a constraint update does not weaken the existing constraints in a BGPN. Since imposing constraints on the BGPN transitions of a model reduces the possible state transitions caused by firing those transitions, it reduces the number of traces produced by state space exploration.
We can also conclude that one constraint is stronger than another if one model displays less behavior than the other in terms of possible traces. This conclusion is formalized in Lemma 4.1.1.

Lemma 4.1.1 Let N = (W, T, P, F, s_0, L, B, C) be a BGPN, and C_1(T) and C_2(T) two constraints on T. C_1(T) is stronger than C_2(T) if and only if N ⊕ C_1(T) conforms to N ⊕ C_2(T).

Proof: First, we prove that N ⊕ C_1(T) conforms to N ⊕ C_2(T) if C_1(T) is stronger than C_2(T). Let p = (s_0 t_0 s_1 t_1 …) be a path in G(N) such that eval(s_i, c_1(t_i)) = true and R(s_i, t_i, s_{i+1}) holds for all i ≥ 0, where c_1(t_i) ∈ C_1(T). We can find all paths satisfying this condition and group them in P(N ⊕ C_1(T)). Since C_1(T) is stronger than C_2(T), every p = (s_0 t_0 s_1 t_1 …) ∈ P(N ⊕ C_1(T)) also satisfies eval(s_i, c_2(t_i)) = true and R(s_i, t_i, s_{i+1}) for all i ≥ 0, where c_2(t_i) ∈ C_2(T). Similarly, we can group all paths satisfying this condition in P(N ⊕ C_2(T)). Obviously P(N ⊕ C_1(T)) ⊆ P(N ⊕ C_2(T)). Then, according to the definition of conformance, N ⊕ C_1(T) conforms to N ⊕ C_2(T).

Next, we prove that C_1(T) is stronger than C_2(T) if N ⊕ C_1(T) conforms to N ⊕ C_2(T). Since N ⊕ C_1(T) conforms to N ⊕ C_2(T), every p = (s_0 t_0 s_1 t_1 …) ∈ P(N ⊕ C_1(T)) is also in P(N ⊕ C_2(T)). Let R_{C_1(T)} and R_{C_2(T)} be the sets of state transitions extracted from every path in P(N ⊕ C_1(T)) and P(N ⊕ C_2(T)), respectively. Then R_{C_1(T)} ⊆ R_{C_2(T)}, and according to Equation 4.2, C_1(T) is stronger than C_2(T). This completes the proof.

Lemma 4.1.2 Let N_1 and N_2 be two BGPNs and C(T) constraints on T. If N_1 conforms to N_2, then N_1 ⊕ C(T) conforms to N_2 ⊕ C(T).

Proof: Since N_1 conforms to N_2, we have P(N_1) ⊆ P(N_2). Every path p = (s_0 t_0 s_1 t_1 …) in P(N_1) such that c(t_i) ∈ C(T) is satisfied at state s_i on p for all i ≥ 0 must be in P(N_2) too.
Since such a path belongs to P(N_1 ⊕ C(T)), it also belongs to P(N_2 ⊕ C(T)). According to the definition of conformance, N_1 ⊕ C(T) conforms to N_2 ⊕ C(T).

Next, we show a lemma that is trivial but useful for proving a theorem later in this chapter.

Lemma 4.1.3 Let N be a BGPN and C(T) constraints on T such that every c(t_i) ∈ C(T) is satisfied at state s_i for all i ≥ 0 on every path p = (s_0 t_0 s_1 t_1 …) in P(N). Then N conforms to N ⊕ C(T), and N ⊕ C(T) conforms to N.

Proof: For every p = (s_0 t_0 s_1 t_1 …) in P(N), every c(t_i) ∈ C(T) is satisfied at state s_i for all i ≥ 0; therefore this path belongs to P(N ⊕ C(T)). According to the definition of conformance, N conforms to N ⊕ C(T). To prove that N ⊕ C(T) conforms to N, first notice that N is the same as N ⊕ C'(T), where c'(t) = true for every t ∈ T. Obviously C(T) is stronger than C'(T). According to Lemma 4.1.1, N ⊕ C(T) conforms to N.

4.2 Constraint Derivation

In this section, we first describe how to derive the boolean constraints for a two-component design. Next, we describe the more general case where a system consists of many components. We then show a simple example of constraint generation. Finally, we prove that constraint derivation does not invalidate the soundness of our compositional method.

Consider a two-component system consisting of N_i and N_j where I(N_i) ∩ O(N_j) ≠ ∅. If we wish to perform constrained compositional verification, an overapproximated environment must be applied to each BGPN. Now suppose we wish to refine the overapproximated environment applied to N_i. The first step in constrained compositional verification is to produce the STG G(N_j || E^approx_j), which we denote as G_j. Now G_j is regarded as the environment of N_i. For each wire w_j ∈ I(N_i) ∩ O(N_j), we examine G_j and identify the states where w_j+ and w_j− are enabled to fire. These states are collected and stored in two sets.
S+ is the set of states in the STG where w_j+ is enabled, and S− is the set of states where w_j− is enabled. The state vectors of S+ are disjuncted to form the boolean expression c(w_j+); similarly, the state vectors of S− are disjuncted to form c(w_j−). At this point c(w_j+) is a boolean expression describing the states in G_j where the BGPN transition w_j+ may be fired. Equally importantly, the negation of c(w_j+) describes the states where w_j+ cannot be fired. c(w_j−) provides the same stipulation for w_j−. Repeating this procedure for all w_j ∈ I(N_i) ∩ O(N_j) produces the set of constraints C_j, which is applied to BGPN N_i when it is considered. The algorithm for constraint derivation is shown in Figure 4.1.

Constraint derivation is similar for designs containing multiple components. Consider a design where the composition N = N_1 || … || N_n forms the complete system. From the set of components we select a BGPN N_i. For N_i, its environment is the composition of all N_j with j ≠ i. For each N_j || E_j we produce an STG G_j from which C_j can be derived.

constrainPN(G, N)
    foreach w ∈ I(N) ∩ O(G)
        S+ = { s ∈ S | R(s, t, s') and t = w+ }
        S− = { s ∈ S | R(s, t, s') and t = w− }
        c(w+) = disjunction of the state vectors of all s ∈ S+
        c(w−) = disjunction of the state vectors of all s ∈ S−
        C = C ∪ { c(w+), c(w−) }
    return N ⊕ C

Figure 4.1 Algorithm to constrain the inputs of a BGPN

Figure 4.2 (a) Circuit diagram of an inverter composed with a buffer (b) G(N_1 || E^max_1), where each binary vector corresponds to the wires x, y and z
We then constrain the environment of N_i by imposing these constraints, forming (N_i || E_i) ⊕ C_j for all C_j.

As a simple example, Figure 4.2(a) shows a circuit diagram of an inverter composed with a buffer. For this example, we consider the inverter to be N_2 and the buffer to be N_1. During constrained compositional verification, we apply a maximal environment to both N_1 and N_2. We then perform state space exploration and autofailure reduction on N_1 || E^max_1; G(N_1 || E^max_1) after reduction is shown in Figure 4.2(b). We now wish to constrain the BGPN N_2 || E^max_2 shown in Figure 4.3(a). z is the only wire in the set I(N_2) ∩ O(N_1). We search G(N_1 || E^max_1) and store each state enabling z+ in the set S+; similarly, each state enabling z− is stored in S−. From Figure 4.2(b) we see that S+ and S− each contain a single state. Disjuncting the state vectors in S+ produces the boolean expression c(z+), a conjunction of literals over x, y and z; c(z−) is produced in the same way from S−. In this example, c(z+) and c(z−) form the set C_1. We then impose C_1 on the BGPN N_2 || E^max_2 using the function (N_2 || E^max_2) ⊕ C_1. By Definition 4.1.5, the boolean expression of each constraint is projected onto the set of wires W[N_2 || E^max_2], and the derived constraints on wire z are conjoined with the existing constraints on z. For the maximal environment, the constraints on z are true. Constraint imposition therefore updates the constraints of N_2 || E^max_2 to c_2(z+) and c_2(z−), each a conjunction of literals over x and z only. The constrained BGPN (N_2 || E^max_2) ⊕ C_2 is shown in Figure 4.3(b).

Figure 4.3 (a) N_2 || E^max_2 (b) (N_2 || E^max_2) ⊕ C_2
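The derivation of Figure 4.1, the constrained enabling rule of Definition 4.1.3 and the disabling-failure check of Definition 4.1.4, exercised together on a constructed ring (an inverter N_2 with input z and output x, and a buffer N_1 with input x and output z) that plays the role of the inverter-and-buffer example above. This is an added example written for this page, not code from the thesis or from the SoftInspect tool; its wire names, gate guards and data layout are assumptions. It explores N_1 || E^max_1, collects the states from which z+ and z− fire, disjuncts their state vectors into c(z+) and c(z−), projects them onto the wires of N_2 || E^max_2 as Definition 4.1.5 does when the existing constraints are true, and then explores N_2 || E^max_2 with and without the constraints. Failures are reported as (state, transition) pairs rather than being collapsed by autofailure.

```python
# Added example for this page, not code from the thesis or from SoftInspect.
# Constructed ring: inverter N2 (input z, output x) and buffer N1 (input x,
# output z). Wire names, guards and the data layout are assumptions.

# A component maps a transition name to (wire, new value, guard over the state).
BUFFER_N1 = {
    "z+": ("z", 1, lambda s: s["x"] == 1 and s["z"] == 0),
    "z-": ("z", 0, lambda s: s["x"] == 0 and s["z"] == 1),
}
INVERTER_N2 = {
    "x+": ("x", 1, lambda s: s["z"] == 0 and s["x"] == 0),
    "x-": ("x", 0, lambda s: s["z"] == 1 and s["x"] == 1),
}

def maximal_environment(inputs):
    """E_max: each input wire may rise whenever low and fall whenever high."""
    env = {}
    for w in inputs:
        env[w + "+"] = (w, 1, lambda s, w=w: s[w] == 0)
        env[w + "-"] = (w, 0, lambda s, w=w: s[w] == 1)
    return env

def compose(*nets):
    """N || E: union of the transition sets (wires are shared by name)."""
    merged = {}
    for n in nets:
        merged.update(n)
    return merged

def satisfied(constraint, state):
    """eval(s, c(t)) for a constraint stored as a disjunction of (partial) state
    vectors; None is the constraint `true` of a maximal environment."""
    if constraint is None:
        return True
    return any(all(state[w] == v for w, v in vec) for vec in constraint)

def enabled(net, state, constraints):
    """Definition 4.1.3: the guard and the transition's constraint both hold."""
    return {t for t, (_, _, guard) in net.items()
            if guard(state) and satisfied(constraints.get(t), state)}

def explore(net, wires, constraints=None):
    """Explore the STG from the all-zero state; return the reachable states, the
    state transitions R and the disabling failures of Definition 4.1.4 (firing
    t from s when (enabled(s) - {t}) is not a subset of enabled(s')). Failures
    are recorded as (state, t) pairs rather than collapsed by autofailure."""
    constraints = constraints or {}
    key = lambda s: tuple(sorted(s.items()))
    s0 = {w: 0 for w in wires}
    states, edges, failures, stack = {key(s0): s0}, [], [], [s0]
    while stack:
        s = stack.pop()
        en = enabled(net, s, constraints)
        for t in sorted(en):
            wire, value, _ = net[t]
            s2 = dict(s, **{wire: value})
            edges.append((key(s), t, key(s2)))
            if not (en - {t}) <= enabled(net, s2, constraints):
                failures.append((key(s), t))
            if key(s2) not in states:
                states[key(s2)] = s2
                stack.append(s2)
    return states, edges, failures

def derive_constraints(edges, shared_wires):
    """constrainPN (Figure 4.1): for each shared wire w, disjunct the state
    vectors of the environment-STG states from which w+ and w- fire."""
    return {t: {frozenset(src) for src, fired, _ in edges if fired == t}
            for w in shared_wires for t in (w + "+", w + "-")}

def impose(constraints, component_wires):
    """Definition 4.1.5 when the existing constraints are `true`: project each
    state vector onto the component's wires. Dropping wires only weakens a
    constraint, so no behavior of the real environment is excluded."""
    return {t: {frozenset((w, v) for w, v in vec if w in component_wires)
                for vec in vecs} for t, vecs in constraints.items()}

def constrained_run():
    """Derive C from N1 || E_max1, then explore N2 || E_max2 without and with it.
    Returns ((states, transitions, failures) before, the same after, C)."""
    _, env_edges, _ = explore(compose(BUFFER_N1, maximal_environment(["x"])), ["x", "z"])
    c2 = impose(derive_constraints(env_edges, ["z"]), {"x", "z"})
    n2 = compose(INVERTER_N2, maximal_environment(["z"]))
    before, after = explore(n2, ["x", "z"]), explore(n2, ["x", "z"], c2)
    return tuple(map(len, before)), tuple(map(len, after)), c2

if __name__ == "__main__":
    print(constrained_run())  # ((4, 6, 2), (4, 4, 0), {...})
```

Unconstrained, the maximal environment may flip z while the inverter's x+ or x− is pending, which Definition 4.1.4 counts as a disabling failure; two such firings exist in the four-state STG. The derived constraints allow z+ only from the single state where the buffer actually fires it (x = 1, z = 0) and z− only from (x = 0, z = 1), which removes the two inessential transitions and both failures without removing any state the real environment can reach.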
The reduction in inessential state space is shown in Figure 4.4, where the STG in Figure 4.4(a) is derived from N_2 || E^max_2 and the STG in Figure 4.4(b) from (N_2 || E^max_2) ⊕ C_2. The following theorem proves that our method of deriving and applying constraints maintains the soundness of our compositional verification method.

Theorem 4.2.1 Let N = N_i || N_j, where N_j conforms to E^approx_i and N_i conforms to E^approx_j. Also, let C(T) be the constraints derived for T of N from G(N_j || E^approx_j). Then N_i || N_j conforms to (N_i || E^approx_i) ⊕ C(T).

Figure 4.4 (a) G(N_2 || E^max_2) (b) G((N_2 || E^max_2) ⊕ C_2)

Proof: Let C_ij, C_i and C_j be the constraints derived from N_i || N_j, N_i || E^approx_i and E^approx_j || N_j, respectively, with C_j = C(T). According to Lemma 4.1.3, we have

    N_i || N_j conforms to (N_i || N_j) ⊕ C_ij.    (4.3)

Since N_i || N_j conforms to N_i || E^approx_i, according to Lemma 4.1.2 we have

    (N_i || N_j) ⊕ C_ij conforms to (N_i || E^approx_i) ⊕ C_ij.    (4.4)

Since N_i || N_j conforms to N_j || E^approx_j, the constraints derived from the former are stronger than those derived from the latter, so C_ij is stronger than C_j. Then, according to Lemma 4.1.1, we have

    (N_i || E^approx_i) ⊕ C_ij conforms to (N_i || E^approx_i) ⊕ C_j.    (4.5)

Combining Equations 4.3, 4.4 and 4.5 with C_j = C(T), and using the transitivity of conformance (it is trace inclusion), we conclude that N_i || N_j conforms to (N_i || E^approx_i) ⊕ C(T).

CHAPTER 5 EXPERIMENTAL RESULTS

The methods discussed in the previous chapters have been implemented in the verification tool SoftInspect. To test our reduction method, we performed verification on three asynchronous designs: a FIFO controller, a tree arbiter, and a distributed mutual exclusion circuit. All designs have regular structures, thus simplifying the creation of larger designs by replicating the same cells. However, the regularity is not exploited in all experiments. The FIFO controller chosen is self-timed, as described in [22].
Figure 5.1 provides a high-level description of a FIFO with n cells. The component connected to the left side of the FIFO is the producer; the right side of the FIFO is connected to the consumer. When the producer wishes to insert data into the FIFO, it first checks whether there is room for additional data. If there is, the data is added to the FIFO data structure. When the FIFO is not empty, it signals the consumer, which consumes the data after a period of time.

When the producer wishes to insert data, it makes a request by setting the wire l_i high. The FIFO stores the data supplied by the producer and then acknowledges the producer by setting l_o high. After receiving the acknowledgment, the producer lowers l_i. Once the FIFO is ready to accept additional input, it lowers l_o. If the FIFO is full, l_o remains high until the consumer consumes a unit of data. When the FIFO is ready to supply the consumer with data, r_o is raised high. Once the data is read, the consumer acknowledges the FIFO by setting r_i high. When the data transaction is complete, the FIFO lowers its request on r_o. The wire r_i remains high until the consumer finishes processing the data it read; r_i is lowered when r_o is low and all data processing is complete.

Figure 5.1 FIFO overview (cells FIFO 1 … FIFO n chained between the producer handshake l_i/l_o and the consumer handshake r_i/r_o)

Figure 5.2 The control circuit for a single-stage FIFO

Table 5.1 Truth table for the C-element (c: the output retains its previous value)

    a  b  c
    0  0  0
    0  1  c
    1  0  c
    1  1  1

Figure 5.2 shows the control circuit for a single stage of the FIFO without data storage. The circuit consists of an AND-gate, a NOR-gate, and two C-elements. A C-element is a common component of asynchronous circuit designs. It is represented as a circle with a "C" in the center. It has two inputs and a single output. Its output is low when both inputs are low.
Similarly, its output is high when both inputs are high. The C-element's output retains its previous value for all other input vectors. The truth table for the C-element is shown in Table 5.1.

The second design used to test our method is the distributed mutual exclusion element in [23]. The distributed mutual exclusion element (DME) is a self-timed circuit which allows multiple devices to use a single shared resource. A master M may request access to the shared resource by communicating with its server. For every master device there is one server. The servers are connected in a ring, and each server communicates with its neighboring servers. At any given time, one server in the ring holds 'privilege'. 'Privilege' gives a server the exclusive right to grant its master access to the resource. Figure 5.3 shows the high-level architecture of a design containing n masters and servers. If a server has 'privilege' and its master requests access to the resource, access can be granted immediately. If the server is not privileged, it requests privilege from the neighbor to its right. If a server receives a request for privilege from its left-hand neighbor and is itself unprivileged, it propagates the request to the server on its right. When the request reaches a server with privilege, privilege is passed to the left. In this manner, requests for privilege are transmitted clockwise around the ring, while privilege is passed counterclockwise from one server to another.

Figure 5.3 DME overview (Master 1 … Master n each connected to Server 1 … Server n by req/ack; the servers form a ring linked by slreq/slack)
Should both the left neighbor and the master request access to the resource at the same time, the circuit contains an arbiter which chooses exactly one request to satisfy. Each DME cell also contains an SR latch. The latch is set high when a server has privilege. The circuit implementation for a single DME cell is shown in Figure 5.4. Full details of the implementation may be found in [23].

The third circuit chosen to test our method is an arbiter. The arbiter described in [21] allows several devices to share a resource. A single arbiter accepts requests from two users and grants a single user access to the resource at any given time. To allow more users to access the same resource, multiple arbiters may be connected as shown in Figure 5.5. In a multi-celled arbiter, a cell lower in the hierarchy regards the cell above it as its server. For the experiments shown in this chapter, we connect the arbiters as a complete or nearly complete binary tree.

Figure 5.4 DME server circuit implementation

Figure 5.6 shows the circuit implementation for a single arbiter cell. In the arbiter implementation, user requests for the resource are sent to a mutual exclusion element, which ensures that the rest of the circuit receives exactly one request for the resource at any time. When user i makes a request, it sets the wire ur_i high. The arbiter then requests access from the server by setting sr high and waits. When the server grants the request, it raises sa high. The arbiter propagates this to the user by setting ua_i high. When the user finishes using the resource, it lowers ur_i, which causes the arbiter to lower sr. The server then lowers sa, and the arbiter lowers ua_i, completing the transaction between the user and the server.
Compositional verification requires us to partition the design into components. For simplicity, we partition our designs such that each component consists of a single cell. The order in which we chose to compose these components was dictated by the interface of each design. In general, we attempted to minimize the number of interface signals present in a component. To do this we composed only components with common interface wires. This allows for early abstraction, as interface wires become internal to a component after composition. For the FIFO design, we begin with the cell adjacent to the producer and iteratively compose each adjacent cell until we reach the consumer. Since the DME design is circular, where we begin the process of composition has no effect. Optimal composition for the DME design simply requires us to compose components with a common interface and to maintain components of a balanced size. For the arbiter example we begin at the bottom of the tree and incrementally compose components as we move up the tree. Because we form our arbiter trees as complete or nearly complete binary trees, the components of the final composition are fairly balanced in size.

Figure 5.5 (a) Three-cell arbiter (b) Four-cell arbiter

Figure 5.6 Arbiter circuit implementation

Table 5.2 shows the statistics of each design in BGPN and the verification results from using the flat approach. Each row characterizes a design containing a particular number of cells. Columns three, four, and five describe the sizes of the designs in BGPN: |P| is the number of places, |T| the number of BGPN transitions, and |W| the total number of wires in a design.
Columns six through ten describe the STG produced by flat state space exploration: |S| is the number of states and |R| the number of state transitions. Time is recorded in seconds and memory in megabytes. All time and memory statistics greater than one are rounded. The last column indicates whether or not the failure state is reachable in the STG. From the table, we see that the size of the BGPNs grows linearly while the size of the STGs grows exponentially as the number of cells increases. With regard to the number of cells verified, the FIFO circuit seems to do well compared to the other two designs. However, if we compare the designs in terms of places, transitions, and wires, the FIFO design performs the poorest during flat verification. This underscores the unpredictability of state space explosion. We note that all of the designs are shown to be correct during flat verification.

Compositional verification of the same designs without constraints is shown in Table 5.3. For each component, the maximal environment is used as the overapproximated environment. |S_F| and |R_F| describe the size of the global STG produced by compositional verification. However, the more important metric for this method is the peak number of states and state transitions: |S_P| and |R_P| describe the number of states and state transitions of the largest STG produced during verification.
Table 5.2 Statistics for designs in BGPN and resources consumed by the traditional flat approach

Design  # Cells  |P|  |T|  |W|  |S|     |R|      Time  Mem  Failure
FIFO    2        20   20   10   116     240      <1    <1   N
        3        28   28   14   644     1724     <1    <1   N
        4        36   36   18   3620    11968    1     3    N
        5        44   44   22   20276   79644    8     21   N
        6        52   52   26   113684  517520   72    152  N
        7        60   60   34   *       *        *     *    N
        8        68   68   38   *       *        *     *    N
        9        76   76   42   *       *        *     *    N
        10       84   84   46   *       *        *     *    N
DME     2        48   60   22   1052    2770     <1    1    N
        3        72   90   33   53094   215847   27    59   N
        4        96   120  44   *       *        *     *    N
        5        120  150  55   *       *        *     *    N
        6        144  180  66   *       *        *     *    N
        7        168  210  77   *       *        *     *    N
        8        192  240  88   *       *        *     *    N
ARB     2        34   36   18   444     1054     <1    <1   N
        3        49   52   26   3756    11600    1     4    N
        4        64   68   34   30164   116776   21    36   N
        5        79   84   42   227472  1041792  254   347  N
        6        94   100  50   *       *        *     *    N
        7        109  116  58   *       *        *     *    N
        8        124  132  66   *       *        *     *    N

* Indicates the design was too large to complete.

Table 5.3 Experimental results for compositional verification without constraints

Design  # Cells  |S_F|  |R_F|   |S_P|  |R_P|   Time    Mem  Failure
FIFO    2        43     88      56     160     <1      <1   Y
        3        4      3       63     252     <1      <1   Y
        4        4      3       63     252     <1      <1   Y
        5        4      3       63     252     <1      <1   Y
        6        4      3       63     252     <1      <1   Y
        7        4      3       63     252     <1      1    Y
        8        4      3       63     252     <1      1    Y
        9        4      3       63     252     <1      1    Y
        10       4      3       63     252     <1      1    Y
DME     2        49     86      360    1236    <1      1    N
        3        230    543     995    4206    <1      3    N
        4        823    2444    995    4206    1       5    N
        5        2467   8760    8335   42864   6       20   N
        6        7039   29040   8335   42864   16      38   N
        7        18735  87728   71859  436592  554     189  N
        8        48895  256000  71859  436592  714.49  350  N
ARB     2        159    377     646    2924    <1      1    Y
        3        603    1938    701    3485    <1      2    Y
        4        2254   9163    2254   9163    2       5    Y
        5        4347   20502   4347   20502   10      13   Y
        6        15083  84278   15083  84278   25      31   Y
        7        24843  147466  24843  147466  34      49   Y
        8        63275  421110  63275  421110  350     123  Y

The FIFO experiments produce extremely small results because each STG quickly enters the failure state. By using the maximal environment, we have introduced false failures. We know these failures are false because the flat STGs contained no failure states. These failures can also be proved false using failure trace verification as described in [2].
The STGs for the DME designs contain no failures. The resources consumed by compositional verification of the DME are significantly less than those of the flat approach. This is due to the many internal wires which we abstract. The peak size for the arbiter is also much less than the flat STG. Unfortunately, the maximal environment used in the compositional approach also produces false failures in the arbiter examples.

Table 5.4 shows the results of compositional verification with constraint generation. The most apparent difference is the increased STG size for the FIFO designs. In the previous method, the states and transitions that occurred after the false failures were recorded with the single state transition ( ; ; ). By applying constraints, we have removed all of the false failures from the FIFO design, thus increasing the size of the STG representation. The FIFO design exhibits near-linear growth under constrained verification and does not require failure trace verification. Applying constraints to the DME design reduces runtime, memory usage, and the size of the largest intermediate STG. For the DME design, constrained verification produces the same verification results as unconstrained verification, but much more efficiently. This is because the constraints eliminate most of the extra behavior caused by the overapproximated environment. The benefits of constraints are not as dramatic for the arbiter design. The constraints remove some false failures, but the final global STG still contains a failure. There is little benefit for the arbiter design with respect to peak STG size, but constraints do decrease the runtime significantly by preventing some extra behavior from appearing in the intermediate STGs.
Table 5.4 Experimental results for compositional verification using constraints

Design  # Cells  |S_F|   |R_F|   |S_P|  |R_P|   Time  Mem  Failure
FIFO    2        43      80      56     160     <1    <1   N
        3        91      192     91     192     <1    <1   N
        4        139     304     139    304     <1    <1   N
        5        187     416     187    416     <1    1    N
        6        235     528     235    528     <1    1    N
        7        283     640     283    640     <1    2    N
        8        331     752     331    752     <1    2    N
        9        379     864     379    864     <1    3    N
        10       427     976     427    976     <1    4    N
DME     2        49      86      360    1236    <1    1    N
        3        230     543     447    1152    1     2    N
        4        823     2444    775    2700    1     5    N
        5        2467    8760    3935   13872   4     13   N
        6        7039    29040   6815   30208   13    30   N
        7        18735   87728   34383  153424  56    107  N
        8        122688  256000  59540  319700  472   223  N
ARB     2        159     377     646    2924    <1    1    Y
        3        603     1938    701    3485    2     3    Y
        4        2254    9163    2254   9163    3     7    Y
        5        4459    20414   4459   20414   11    14   Y
        6        15511   84492   15511  84492   24    32   Y
        7        25983   146240  25983  146240  28    47   Y
        8        67711   432728  67711  432728  286   123  Y

CHAPTER 6 CONCLUSION

Asynchronous designs contain complex protocols which may hide failures occurring deep in the state space. Traditional approaches like simulation are unlikely to discover deep failures. Because model checking exhaustively explores all the behavior of a design, it either guarantees that a design is correct or produces a counterexample. The guarantee of correctness comes with a heavy price: all approaches to model checking suffer from state space explosion. This thesis has presented two methods to contain state space explosion and efficiently verify asynchronous designs.

6.1 The Compositional Framework

As illustrated in Chapter 5, it is impossible to verify most designs as a single unit. By partitioning a design, our method reduces concurrency, which is the driving force of state space explosion. Although approximating an environment may elicit additional behavior from a component, our method scales much better than state space exploration of a flat design. Abstraction is largely responsible for producing state transition graphs of manageable size.
The greatest reductions occur when a component contains many concurrent internal behaviors. Although the DME and arbiter examples show exponential growth in state space under the compositional approach, there is a significant reduction in state space size relative to the flat approach. Without constraints, our method fails to prove the correctness of the arbiter and FIFO designs, but its strength is exemplified by correctly verifying four times as many DME cells as the flat approach. An improved version of this method could use failure trace verification and refinement to completely verify the FIFO and arbiter examples. This improvement would expand abstracted failure traces to create concrete failure traces. We could then use the original BGPN model to verify that the concrete trace is a valid failure.

Future work includes automated partitioning of a design and optimal composition ordering. For large designs, partitioning a design into appropriately sized components is very time consuming and nontrivial. Though one component may contain many more wires than another, the concurrency of the behavior on those wires dominates state space explosion. When partitioning a design, the user must also consider the degree to which the concurrency is restricted. Often, two wires may change values concurrently, but their transitions may be restricted by some complex protocol. It is difficult to identify the degree of state space explosion without performing state space exploration. Extremely large designs will require an automated partitioning heuristic. Many of the problems of partitioning are also the problems of optimal composition order. When composing state transition graphs, some orderings produce much higher peak graph sizes than others. The worst possible composition is of the state transition graphs of two components that do not communicate over mutual interface wires.
The state size of this composition is the cross product of the states in each component. Usually we attempt to combine components which communicate over some mutual set of interface wires. If these mutual wires are internal to the component after composition, abstraction removes them, thereby reducing the size of the state transition graph. When composing components, we must also consider the number of inputs which are driven by a maximal environment. If an inefficient ordering combines several maximal environments, a state transition graph of the maximal environments alone may exceed the available resources. Efficient orderings are essential for verifying large designs. Inspection is a poor approach to ordering and often leads to trial and error. Automating ordering efficiently will remove a large burden from the user.

6.2 Constraints

The most obvious weakness in the compositional framework is the creation of false failures. When performing compositional verification without constraints, false failure traces cause the FIFO design to have peculiarly small state transition graphs. These false failures have been introduced by the maximal environment. By generating constraints we restrict the behavior supplied by the maximal environment and prevent these false failures from occurring. The power of this method is demonstrated by the near-linear state space growth of the FIFO example. We also see respectable reductions in the state space size of the DME example. Constraints actually increase the size of the state transition graph for the arbiter example. By removing false failures, fewer state transition firings are represented using the single state transition ( ; ; ), thereby increasing the number of state transitions in the state transition graph.
Although the state space size of the arbiter is increased by constraints, designs with a large number of arbiter cells benefit from significant runtime reductions when constraints are applied. This is because the constrained environment reduces the amount of behavior produced by each component, thus reducing the time to abstract each component. Often, the generated constraints restrict the overapproximated environment such that it produces less behavior than the maximal environment but more behavior than the actual environment. This means that we sometimes derive constraints that are not optimal. We can identify two primary causes for this. The first is simply a characteristic of the design. When the output of the state transition graph depends on some internal signal, our method may not be able to identify a dependency on some input transition in the state transition graph. Suppose the value of an internal register determines the output behavior of a state transition graph. Constraint generation will produce a boolean expression representing this, but the expression is not useful to other components because the register's value is not visible on any interface wires. The overapproximated environment is the second cause of suboptimal constraints. When creating a state transition graph, we apply the overapproximated environment to the component. As previously discussed, the overapproximated environment may introduce extra behavior into the state transition graph. If this state transition graph is then used for constraint generation, the extra states may weaken the derived constraints. Future work should identify the starting component least affected by constraints. Another solution may be iterative refinement of the constraints.
By repeatedly applying constraints and deriving new state transition graphs, we may be able to find some fixed point in terms of constraint strength. Given enough dependency in the communication protocols, we should be able to derive optimal or near-optimal constraints.
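The composition-ordering discussion in 6.1 (the cross product reached by two components with no mutual wires, and the reduction obtained when a mutual wire becomes internal and is abstracted) and the false-failure discussion in 6.2 (a maximal environment versus a constrained one) can be reproduced on a toy scale with the following Python model. This is an added illustration written for this page, not the thesis's tool or algorithm: the STG encoding, the four-phase handshake stages, the meaning given to "maximal environment" (any input may change at any time), the explicit FAIL state, and the hand-written constraint are all assumptions, and the abstraction step is a plain subset construction standing in for whatever reduction the thesis applies.

```python
"""Toy model of the Chapter 6 ideas: STG composition, abstraction of mutual
wires, and a maximal versus a constrained environment (added illustration,
not the thesis's tool). An STG is (init, {(src, label, dst)}); a label such
as "y+" / "y-" is a rising / falling transition of wire y."""

FAIL = "FAIL"  # assumed explicit failure sink state

def wire(label):
    return label[:-1]  # "y+" -> "y"

def states(stg):
    return {stg[0]} | {s for s, _, _ in stg[1]} | {d for _, _, d in stg[1]}

def succ(trans, s):
    return [(l, d) for src, l, d in trans if src == s]

def compose(a, b):
    """Parallel composition: a transition on a mutual wire fires in both
    components at once, all others interleave. Only reachable product states
    are built, so unrelated components give the full cross product."""
    shared = {wire(l) for _, l, _ in a[1]} & {wire(l) for _, l, _ in b[1]}
    init = (a[0], b[0])
    seen, work, trans = {init}, [init], set()
    while work:
        s = sa, sb = work.pop()
        moves = [(l, (da, sb)) for l, da in succ(a[1], sa) if wire(l) not in shared]
        moves += [(l, (sa, db)) for l, db in succ(b[1], sb) if wire(l) not in shared]
        moves += [(l, (da, db)) for l, da in succ(a[1], sa) if wire(l) in shared
                  for l2, db in succ(b[1], sb) if l2 == l]  # joint firing
        for l, d in moves:
            trans.add((s, l, d))
            if d not in seen:
                seen.add(d)
                work.append(d)
    return init, trans

def hide(stg, internal):
    """Abstract wires that are internal after composition: their transitions
    become silent and the graph is re-determinised over the visible labels
    (subset construction; a stand-in for the thesis's abstraction step)."""
    init, trans = stg

    def closure(ss):  # states reachable through silent transitions only
        ss, work = set(ss), list(ss)
        while work:
            for l, d in succ(trans, work.pop()):
                if wire(l) in internal and d not in ss:
                    ss.add(d)
                    work.append(d)
        return frozenset(ss)

    start = closure({init})
    seen, work, out = {start}, [start], set()
    while work:
        ss = work.pop()
        targets = {}
        for s in ss:
            for l, d in succ(trans, s):
                if wire(l) not in internal:
                    targets.setdefault(l, set()).add(d)
        for l, ds in targets.items():
            t = closure(ds)
            out.add((ss, l, t))
            if t not in seen:
                seen.add(t)
                work.append(t)
    return start, out

def has_failure(stg):
    def bad(s):
        return s == FAIL or (isinstance(s, tuple) and any(map(bad, s)))
    return any(map(bad, states(stg)))

def stage(inp, out, checked=False):
    """Constructed four-phase handshake stage inp+; out+; inp-; out-. With
    checked=True, an input edge the protocol does not yet allow (inp- before
    out+, inp+ before out-) is recorded as a failure."""
    t = {(0, inp + "+", 1), (1, out + "+", 2), (2, inp + "-", 3), (3, out + "-", 0)}
    if checked:
        t |= {(1, inp + "-", FAIL), (3, inp + "+", FAIL)}
    return 0, t

def maximal_env(inp):
    """Maximal environment (assumed meaning): may toggle inp at any time."""
    return 0, {(0, inp + "+", 1), (1, inp + "-", 0)}

def demo():
    a, b, c = stage("x", "y"), stage("y", "z"), stage("p", "q")
    coupled = compose(a, b)  # y is a mutual wire of a and b
    # Hand-written constraint standing in for a derived one: the environment
    # of b changes y only after it has seen the matching edge on z.
    constrained = stage("y", "z")
    return {
        "coupled": len(states(coupled)),                          # 8
        "coupled_abstracted": len(states(hide(coupled, {"y"}))),  # 6
        "independent": len(states(compose(a, c))),                # 16 = 4 x 4
        "maximal_env_fails": has_failure(
            compose(maximal_env("y"), stage("y", "z", checked=True))),  # True
        "constrained_env_fails": has_failure(
            compose(constrained, stage("y", "z", checked=True))),       # False
    }
```

demo() returns the state counts: composing two stages that share wire y reaches 8 product states and hiding y leaves 6, whereas two stages with no mutual wire reach all 16 = 4 x 4 cross-product states; against the maximal environment the checked stage reports a failure (y lowered before z has risen) that the constrained environment never produces, which is the false-failure effect 6.2 attributes to the maximal environment.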