J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In DAC91 [1], pages 403--407.


This paper is cited in the following contexts:


Efficient Preimage Computation Using A Novel Success-Driven ATPG - Sheng, Hsiao (2003)   (1 citation)

....approach works well only when BDD construction is possible for both present state sets and circuit transition relations. For large designs, OBDD representation for the entire transition relation usually cannot be constructed. Even when it can be constructed using methods such as partitioned BDDs [5, 6], the existential quantification operation can still cause memory explosion. On the other hand, an ATPG or SAT solver engine can be used to manipulate the circuit transition function instead of BDDs. The advantage is that they can handle much larger cir Supported in part by NSF Grant ....

J. M. Burch, E. M. Clarke, D. E. Long, "Representing Circuits More Efficiently in Symbolic Model Checking", Proc. DAC, 1991, pp. 403-407.


To Split or to Conjoin: The Question in Image Computation - In-Ho Moon University (2000)   (14 citations)

....for quantification is somewhat different from image computation [12] but the similarities largely outweigh the differences. In Section 7 we present results for computations based on both images and preimages. 4 Splitting versus Conjoining The effectiveness of the partitioned representation [4, 22] relative to the monolithic representation relies on three mechanisms. The conjunction with S may help keep the size of the BDDs small. Early quantification can be applied to eliminate variables from the BDDs as soon as possible. The image computation problem can be decomposed, thus ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In Proceedings of the Design Automation Conference, pages 403--407, San Francisco, CA, June 1991.


RuleBase: an Industry-Oriented Formal Verification Tool - Beer, Ben-David, Eisner.. (1996)   (27 citations)

....or data inputs which have no effect on the control. More reduction techniques identify equivalent sub components which may result from redundant logic or former reductions. Ordered Partitioned Transition Relation The technique of keeping the transition relation (TR) partitioned was presented in [BCL91] and implemented in SMV. Subsequently, an ordering heuristic for the partitions was described in [GB94]. RuleBase employs these techniques when appropriate. The decision of when to leave the TR partitioned is based on the ratio of number of times the TR must be computed to the number of times it ....

J. Burch, E. Clark and D. Long, "Representing Circuits More Efficiently in Symbolic Model Checking", DAC'91, pp. 403-407.


RuleBase: Model Checking at IBM - Beer, Ben-David, Eisner, Geist.. (1997)   (9 citations)

....Efficient BDD Algorithms. RuleBase employs a variety of techniques and algorithms for handling BDD size problems. It uses variations of the dynamic reordering algorithm described in [14]. Additionally, RuleBase employs techniques of keeping the transition relation partitioned, as presented in [4] and [10]. Also, it combines BFS and DFS to maintain small BDD sizes during reachability analysis, following [13]. Checking Safety Formulas On The Fly. Formulas belonging to a subset of the CTL logic can be verified while traversing the reachable state space, without the need for the full ....

....priority) means: if there is a request from a high priority device, then the next time there is a grant, the higher priority device is the one granted . Similarly next event(p) n] q) means that q must occur the nth time that p occurs. For example: AG( request next event(data)[4](last data) means: last data should be asserted together with the fourth data after a request . The CTL equivalent of this formula is: AG ( request E[ data U (data EX E[ data U ( data EX E[ data U (data EX E[ data U (data last data ) Strong and Weak Operators. Most ....

J. Burch, E. Clark and D. Long, "Representing Circuits More Efficiently in Symbolic Model Checking", DAC'91, pp. 403-407.


The General Product Machine: a New Model for Symbolic.. - Cabodi, Camurati.. (1998)   (1 citation)

....of the characteristic function of the set listing the couples current state next state , independently of the inputs. It is difficult to build the transition relation for big circuits, as the BDDs rapidly grow too large. Partitioning techniques are manual and based on the designer's knowledge [2]. The transition function [8] [17] [18] overcomes this limit. A vector of Boolean functions represents the behavior of the FSM along each of the dimensions in the next state space. The associated recursive image computation algorithm is based on Boole's expansion theorem and exploits the ....

....state sets of a product machine is the issue. $R(s)$ is the characteristic function of the set of reachable states of circuit s27, the smallest among the 5 ISCAS 89 benchmarks [1] (4 primary inputs, 1 primary output, 3 latches); states are described by three present state variables $s[1]$, $s[2]$, $s[3]$; reachable states are $\{0{-}{-}, 10{-}\}$, unreachable states are $\{11{-}\}$. $R_p(s, s')$ represents the set of states reachable by the product machine $s27 \times s27$ (self verification); it is easy to notice a relevant increase in the size of BDDs (from 2 to 8 non terminal ....

[Article contains additional citation context not shown here]

J.R. Burch, E.M. Clarke, D.E. Long: "Representing Circuits More Efficiently in Symbolic Model Checking," DAC'91: 28th ACM/IEEE Design Automation Conference, San Francisco, CA (USA), June 1991, pp. 403--407


Formal Verification of the TORCH Microprocessor RTL Design - Su, Arditi, Das.. (1998)

....sufficiently. Experience indeed shows that bugs can show up after extensive testing, illustrated by numerous bugs in microprocessor designs, including the Pentium bug [21]. Applying the same approaches to formal verification as on the high level models is infeasible. Model checking techniques [8, 7, 6] rely on either being able to separate the control from the datapath to avoid a state explosion due to the values in the datapath, or to abstract the datapath to a few state bits. However, there is no effective of developing a specification of the control alone. Furthermore, abstractions of the ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In 28th ACM/IEEE Design Automation Conference, 1991.


Disjunctive Partitioning and Partial Iterative.. - Cabodi, Camurati.. (1997)   (13 citations)

....to obtain, TR is usually represented as a product of terms. In this case the image computation is generally expensive because existential quantification and logical conjunction cannot distribute. Analyzing the sets of support of the functions involved in the conjunction, Burch et al. [4] determine whether existential quantification can be moved inside the conjunction (early quantification). This results in a simplification as the number of variables in the conjuncted terms is reduced. Several heuristics have been presented to sort the functions. Further improvements are obtained ....

J.R. Burch, E.M. Clarke, D.E. Long: "Representing Circuits More Efficiently in Symbolic Model Checking, " in Proc. ACM/IEEE DAC'91, pp. 403--407, June 1991


Approximation and Decomposition of Binary Decision Diagrams - Ravi, McMillan, Shiple.. (1998)   (13 citations)

....improvements must be applied to the basic idea in order to make it work for realistic problems. The common aim of these improvements is to control the size of the BDDs created and manipulated during state exploration. This has been achieved by keeping the transition relation in partitioned form [28, 3, 10, 22]; by controlling the BDD variable order [12, 24]; by abstracting the system to be verified [16, 13, 15, 7]; or by abandoning pure breadth-first search in favor of more flexible approaches [23, 5, 21, 19]. Abstractions and methods that mix breadth first and depth first search rely, sometimes in ....

....Section 4. Methods that are not compound are simple. 3 Decomposition Decomposition is another important approach to reducing the size of large BDDs. Decomposition of BDDs is closely related to finding efficient partitioned representations of a given boolean function. Partitioned representations [20, 3] may be derived in the process of building a BDD or by decomposing a given BDD. The former is easier to obtain when some structural information, such as the network, is provided. Auxiliary variables are introduced while constructing the BDD. They alleviate ordering constraints and reduce the size ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In Proceedings of the Design Automation Conference, pages 403--407, San Francisco, CA, June 1991.


Interactive Verification Exploiting Program Design Knowledge: A .. - Kaltenbach (1996)   (3 citations)

....avoid building the global state transition relation, but the form of the checking conditions allows us to work exclusively with the disjuncts of the global relation. This form of partitioning is long known to result in a significant increase of the applicability of BDD based symbolic computations [BCM91] and can be directly derived from a given UNITY program at no extra cost. Although the locality of the verification conditions is responsible for the improved efficiency of verifying properties, it reduces the availability of debugging information that can be directly obtained from a failed ....

....in the literature. The techniques and methods currently implemented include the use of reduced OBDDs as described in [BBR90], of a combined and exists operation in computing relational products ([McM93]), of quantification ordering in synchronous transitions similar to those described in [BCM91], of restriction [CM90] and generalized cofactoring [TSL 90]. In addition to provisions for taking advantage of the monotonicity of predicate transformers in early termination of fixpoint computations, the current implementation also uses a special second level cache for memoizing certain ....

J. R. Burch, E. M. Clarke, and K. M. McMillan. Representing circuits more efficiently in symbolic model checking. In Proceedings of the 28th Design Automation Conference 1991, pages 403--407, 1991.


Binary Decision Diagrams - Somenzi (1999)   (9 citations)

....over the product, if the terms of the product do not all depend on all the variables. Since the quantification of a variable normally simplifies the result, we can hope that by intertwining products and quantifications, the size of the intermediate BDDs will be better kept under control [11, 59]. The following example illustrates this point. Example 18 We want to compute Img(f; g) with f = f 1 ; f 2 ; f 3 ) f 1 = x 1 x 2 f 2 = x 0 2 x 3 f 3 = x 2 x 4 x 0 3 ; and g(x 1 ; x 4 ) x 1 x 2 . According to (7) we have: Img(f; g) 9 x1x2x3x4 [ y 1 (x 1 x 2 ) ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In Proceedings of the Design Automation Conference, pages 403--407, San Francisco, CA, June 1991.


Automatic Abstraction Techniques For Formal Verification Of.. - Sánchez (1997)   (2 citations)

....final result may have a compact representation, the intermediate results may go beyond the computational limit. One method that significantly minimizes this effect is to manipulate the transition relation R as a conjunction of relational blocks $R = R_1 \cdot \cdots \cdot R_n$ [BCL91]. The pre image is then obtained by successive steps of conjunction and existential abstraction. Several heuristics have been developed to compute the way the relation is broken into blocks, and the order of the blocks, as to minimize the size of the intermediate results (i.e. [GB94]). The type ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In Proceedings of the Design Automation Conference, pages 403--407, San Francisco, CA, June 1991.


The State Evolution Method for Verifying Hardware Systems - Barringer, Gough.. (1995)   (1 citation)

....restricted by the problem of state explosion , the capabilities of these techniques have been enhanced by the introduction of compact state space encodings, namely 2 The ELLA Project World Wide Web page is at URL: http: www.cs.man.ac. uk fmethods projects ella project.html 2 BDDs see [11, 12, 13] for key expositions. Commercial verification systems are now emerging, based on such techniques; for example the VFORMAL system (COMPASS) checks equivalence for synchronous systems described using VHDL. However, the state spaces of the systems under analysis must be identical here. Our work is ....

J.R. Burch, E.M. Clarke, and D.E. Long. Representing Circuits More Efficiently in Symbolic Model Checking. In DAC91, 1991.


Strategies for Temporal Resolution - Dixon (1995)   (2 citations)

....desired behaviour. However, standard model checking approaches are limited as only finite state problems can be handled and, even then the number of states required soon becomes large due to the combinatorial explosion. Symbolic model checking, Binary Decision Diagrams (BDDs) [Bry86, BCM 90, BCL91] have been introduced as a mechanism to overcome the state space explosion problem. Although this works well for restricted applications the combinatorial explosion can still occur. Alternatively one can adopt a theorem proving approach which is symbolic but the approach is not limited to ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing Circuits More Efficiently in Symbolic Model Checking. In Design Automation Conference 1991, 1991.


Border-Block Triangular Form and Conjunction Schedule in Image .. - Moon, Somenzi (2000)   (7 citations)

....the system subjected to symbolic model checking is given as a predicate $T(y, w, x)$ that is true if there is a transition from State x to State y under Input w. The predicate is usually described by a Binary Decision Diagram [2]. Representing $T(y, w, x)$ by a single formula is often impractical [5, 14, 3]; a partitioned representation is used in those cases. The partitioned transition relation approach is especially natural when the system to be analyzed is a deterministic hardware circuit. Then, each binary memory element of the circuit gives rise to one term of the transition relation. When the ....

....of image and preimage computation. Though most of the results and ideas presented in this paper apply to preimage computation as well as to image computation, our discussion and experiments are currently restricted to the latter. The importance of the quantification schedule was recognized in [14, 3]. Geist and Beer [7] proposed a heuristic algorithm, later improved by Ranjan et al. [13]. Hojati et al. [9] showed that the problem of finding a tree such that the support of the largest intermediate product is less than a given constant is NP complete under the simplifying assumption that the ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In Proceedings of the Design Automation Conference, pages 403--407, San Francisco, CA, June 1991.


To Split or to Conjoin: The Question in Image Computation - Moon, Kukula, Ravi, al. (2000)   (14 citations)

....for quantification is somewhat different from image computation [12] but the similarities largely outweigh the differences. In Section 7 we present results for computations based on both images and preimages. 4 Splitting versus Conjoining The effectiveness of the partitioned representation [4, 22] relative to the monolithic representation relies on three mechanisms. The conjunction with S(x) may help keep the size of the BDDs small. Early quantification can be applied to eliminate variables from the BDDs as soon as possible. The image computation problem can be decomposed, thus ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In Proceedings of the Design Automation Conference, pages 403--407, San Francisco, CA, June 1991.


Efficient Decision Procedures for Model Checking of Linear .. - Bloem, Ravi, Somenzi (1999)   (10 citations)

....exceed the capacity of explicit enumeration algorithms. BDDs can be manipulated efficiently; in particular, algorithms have been devised for the computation of all the successors (image computation) or predecessors (pre image computation) of a set of states according to a given transition relation [10, 5, 14, 31]. Symbolic model checking algorithms for various logics are based on the computation of fixpoints by repeated image or pre image computations. In the relational calculus (see, for instance, [26]) the computation of the states reachable from S 0 is expressed by the formulae EY p = y:9x:T (x; ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In Proceedings of the Design Automation Conference, pages 403--407, San Francisco, CA, June 1991.


A Process Algebra Foundation for Reasoning about Core ELLA - Barringer, Gough.. (1994)   (1 citation)

.... verification methods such as model checking [CES86, BFG89]. Although these have been traditionally restricted by the problem of state explosion , the capabilities of these techniques have been dramatically enhanced by the introduction of compact state space encodings, namely BDDs see [BCL91, BCMD90, CBM89] for key expositions. The process algebraic approach described here has its origins in the foundational works of CCS [Mil89] and CSP [Hoa85]. There have recently emerged techniques for efficiently modelling systems; for example [HL93] describes a value passing process algebra, where ....

J.R. Burch, E.M. Clarke, and D.E. Long. Representing circuits more efficiently in symbolic model checking. In DAC91, 1991.


Specification, Simulation, and Verification of Timing Behavior - Amon (1993)

.... Clarke 85] to verify properties of sequential circuits. Recent work in this area relies on symbolic state encoding using Binary Decision Diagrams (BDDs) [Bryant 86]. This allows systems with large numbers of states to be verified (e.g. systems with $10^{20}$ or in some cases even $10^{120}$ states [Burch et al. 91]). Model checking has typically been used to verify systems in which propagation delays between circuit elements do not vary and are assumed to be unit delays. Many verification problems can be expressed and solved using algorithms for language containment. In this approach, a formal language is ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In 28th ACM/IEEE Design Automation Conference, June 1991.


Structuring and Automating Hardware Proofs in a.. - Kumar, Schneider, Kropf (1993)   (10 citations)

....Nevertheless, the complexity of the runtimes within such formalisms grows exponentially with the size of the problem. This limits the applicability of such approaches to only certain classes of problems, although considerable progress has been achieved in managing problems with large sizes [10]. Another major drawback of this approach is the difficulty in incorporating hierarchy, so as to have specifications at different abstraction levels and to perform verification between them. Such techniques are therefore not sufficient for verification while designing complex chips. The additional ....

J.R. Burch, E.M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In 28th Design Automation Conference, pages 403--407, 1991.


Embedding Hardware Verification within a Commercial Design .. - Kropf, Kumar, Schneider

.... techniques for finite state machines (FSMs). Since satisfiability checking in propositional logic as well as checking the equivalence of two FSMs is decidable, these approaches lead to fully automated tools [2]. Although tremendous progresses in the manageable problem size have been achieved [3] and approaches combined with test generation are possible [4], they are only capable of handling medium sized circuits at gate level. Moreover, the underlying formalisms are not capable of expressing design hierarchies and complex data types like natural numbers may not be directly used. Hence, ....

J.R. Burch, E.M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In 28th Design Automation Conference, pages 403--407, 1991.


Conservative symbolic model-checking of Petri nets for.. - Roig, Cortadella, Pastor (1994)   (1 citation)

....containment techniques to verify that the language generated by the circuit is included in the language of the specification. Burch et al. have applied BDD-based symbolic techniques to represent the state graphs and verify both synchronous and asynchronous circuits against CTL specifications [BCL91, BCL 92]. More recently, McMillan [McM92] has verified asynchronous circuits, by modeling both the circuit and the specification as Petri nets, and avoiding the state explosion problem by means of Petri net unfolding techniques. Finally, Kishinevsky et al. [KKTV94] use Change Diagrams and ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In Proc. of DAC, pages 403--407, San Francisco, CA, June 1991.


Formally Verifying Data and Control with Weak Reachability.. - Su, Dill, Skakkebæk (1998)

....With much less effort, we were able to find all the bugs in the unit that were found earlier by manually strengthening the invariants. 1 Introduction Existing formal verification methods do not handle systems that combine finite state machines (FSMs) and data paths very well. Model checking [6, 5, 4] the full design is infeasible because of the large amount of state in the data path. Verifying the control FSMs in isolation is difficult, because specifying them independently is difficult the design requirements are usually stated as properties of the data path, not the FSMs themselves. The ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In 28th ACM/IEEE Design Automation Conference, 1991.


Wrappers For Performance Enhancement And Oblivious Decision Graphs - Kohavi (1995)   (43 citations)

....assignments. OBDDs have been used for automatically verifying finite state machines, including 64-bit ALUs, with up to $10^{120}$ states by representing the state space symbolically instead of explicitly (Burch, Clarke, McMillan, Dill & Hwang 1990, Burch, Clarke & Long 1991). These applications show, at least empirically, that many functions occurring in engineering domains seem to be representable in small (polynomial) OBDD structures (and hence in OODGs). Chakravarty (1993) characterizes BDDs in terms of the complexity of computational problems. He showed that free ....

Burch, J. R., Clarke, E. M. & Long, D. E. (1991), Representing circuits more efficiently in symbolic model checking, in "Proceedings of the 28th ACM/IEEE Design Automation Conference", pp. 403--407.


Incorporating Timing Constraints in the Efficient Memory-Model for .. - Velev (1998)   (1 citation)

....explicitly represent each memory bit. This is not a problem for conventional simulation which uses a single logic value to denote the state of a memory bit. However, symbolic simulation would require a symbolic variable for every bit of the memory. Furthermore, bit level symbolic model checking [4][5] would need two symbolic variables per memory bit, in order to build the transition relation. Therefore, in both methods the number of variables is proportional to the size of the memory, and is prohibitive for large memory arrays. This limitation is overcome in our previous work [13] by replacing ....

J.R. Burch, E.M. Clarke, and D.E. Long, "Representing Circuits More Efficiently in Symbolic Model Checking," 28th Design Automation Conference, June, 1991, pp. 403-407.


Combinational Logic-Level Verification using Boolean.. - Hulgaard, Williams.. (1997)   (5 citations)

....is possible because all operations used in performing the fixed point computation can be performed directly on the BED without first expanding it to an ROBDD. In fact, many of the tricks researchers have used to make ROBDDs more efficient are embodied in BEDs. For example, Burch, Clarke, and Long [6] demonstrated that the complexity of BDD based symbolic verification is drastically reduced by using a partitioned transition relation where the transition relation is represented as an implicit conjunction of ROBDDs. This corresponds to representing the transition relation as a BED with ....

J. R. Burch, E.M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In Proc. ACM/IEEE Design Automation Conference (DAC), pages 403--407, 1991.


Incremental Methods for FSM Traversal - Swamy, Brayton, Singhal (1995)   (1 citation)

....product machine. However, this is not necessary for traversal; in fact building and manipulating the monolithic product transition relation is a more time consuming and expensive method of fsm traversal. In practise, traversal may be done using the partial product heuristics, as described in [6] [12] [13] and [14] Thus, traversal requires computing the fixed point of f(Q) Q(x) ffiQ(x) ffiQ(x) 9 x;i T 1 (x; y 1 ; i) Tn (x; yn ; i) Delta Q(x) y x R(x) LFP (f(Q) I(x) where9 i (T 1 (x; y 1 ; i) Delta T 2 (x; y 2 ; i) Tn (x; yn ; i) T (x; y) the product transition ....

J. Burch, E. Clarke, and D. E. Long, "Representing Circuits More Efficiently in Symbolic Model Checking," in Proc. of the Design Automation Conf., June 1991.


Efficient BDD Algorithms for FSM Synthesis and.. - Ranjan, Aziz, Brayton, .. (1995)   (31 citations)

....product of the corresponding latch transition relations. If there are K clusters C 1 ; C 2 ; Delta Delta Delta C k of latches, then the image computation can be equivalently written as, Img(A( x) 9 x; i) A( x) Delta Y k TC i ] 3) where TCk = Q j2Ck T j ( x; i; y j ) In [4], Burch also proposed the use of clustered transition relations to represent circuits more efficiently. Latches were grouped together to form clusters but no automatic way to form clusters was given. Their technique possibly required user expertise, based on circuit structure. 3.2.1 Proposed ....

.... i; y k ) with respect to A( x) This range computation is performed using a balanced binary tree leaves correspond to terms and variables at nodes of the tree that do not appear in the support of nodes elsewhere are existentially quantified. They reported better performance than [10] Burch [4] criticized this approach on the grounds that generalized co factor may introduce new variables in the supports of the terms, which delays the ability to quantify out variables. Heuristically, this would lead to larger BDD size of the intermediate product terms. Note that if T k ( x; i; y k ) ....

[Article contains additional citation context not shown here]

J. R. Burch, E. M. Clarke, and D. E. Long. Representing Circuits More Efficiently in Symbolic Model Checking. In Proc. of the Design Automation Conf., June 1991.


Automatic Compositional Minimization in CTL Model Checking - Massimiliano Chiodo (1992)   (6 citations)

....which the main machine cannot observe. This reduction is property independent in that the reduction is valid for any property on the main machine. The main limitation of this approach is that it cannot handle CTL formulas which specify properties of multiple interacting machines. Finally, Burch [4] describes a technique for efficiently computing the existential quantification of variables from a product of component transition relations, a central computation in symbolic model checking. By quantifying out variables from such a product as early as possible, one can avoid forming explicitly ....

J. R. Burch, E. M. Clarke, and D. E. Long, "Representing Circuits More Efficiently in Symbolic Model Checking," in Proc. of 28th Design Automation Conference, pp. 403-407, June 1991.


Ground Temporal Logic: A Logic for Hardware Verification - Cyrluk, Narendran (1994)   (8 citations)

....as the number of states can increase exponentially with the number of bits in the implementation. It also necessitates a bit level description of alus and adders. To deal with this problem current research relies on tools such as BDDs to encode a large number of states into a small representation [3, 6, 5]. [8] makes use of abstractions to significantly reduce the state space that needs to be explored. However, the correctness argument for many of these circuits does not depend on a bit level description of the circuit but only on a RTL description of the circuit. In such cases the correct ....

....a bit level description of the counter and thus obtain a more concise proof of correctness, that is independent of the size of the counter. Our fragment is also expressive enough to express the correctness of the pipelined ALU circuit that has become a benchmark in the model checking community [8, 6, 5]. A goal of the model checking community is to find techniques that allow them to effectively verify the pipelined ALU with increasingly larger datapaths and register file. Our logic lets us verify the pipelined ALU once and for all for arbitrarily large datapaths and register file and for an ....

J. R. Burch, E.M. Clarke, and D.E. Long. Representing circuits more efficiently in symbolic model checking. In 28th ACM/IEEE Design Automation Conference, 1991.


Symbolic model checking of Petri nets for the.. - Roig, Cortadella, Pastor (1994)

....containment techniques to verify that the language generated by the circuit is included in the language of the specification. Burch et al. have applied BDD based symbolic techniques to represent the state graphs and verify both synchronous and asynchronous circuits against CTL specifications [BCL91, BCL 94]. More recently, McMillan [McM92] has verified asynchronous circuits, by modeling both the circuit and the specification as Petri nets, and avoiding the state explosion problem by means of Petri net unfolding techniques. Finally, Kishinevsky et al. [KKTV94] use Change Diagrams and ....

Jerry R. Burch, Edmund M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In Proceedings of the 28th Design Automation Conference, pages 403--407, San Francisco, CA, June 1991.


A Third Dimension to Rough Sets - Kohavi

.... OBDDs [ Bryant, 1992, Brace et al. 1990, Minato et al. 1990, Fujita et al. 1993 ]. OBDDs have been used for automatically verifying finite state machines, including 64 bit ALUs, with up to $10^{120}$ states by representing the state space symbolically instead of explicitly [ Burch et al. 1990, Burch et al. 1991 ]. In the machine learning community, Kohavi [ 1994a, 1994b ] investigated the possibility of using oblivious decision graphs as the underlying hypothesis space for supervised classification learning. Modrzejewski's work on feature selection [ Modrzejewski, 1993 ] uses oblivious trees (called ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In Proceedings of the 28th ACM/IEEE Design Automation Conference, pages 403--407, 1991.


Bottom-Up Induction of Oblivious Read-Once Decision Graphs.. - Kohavi (1994)   (19 citations)  (Correct)

....while overcoming the two problems mentioned above. OODGs are similar to Ordered Binary Decision Diagrams (OBDDs) (Bryant 1986) which have been used in the engineering community to represent state graph models of systems, allowing verification of finite state systems with up to $10^{120}$ states (Burch, Clarke, Long 1991). We refer the reader to (Kohavi 1994) for a discussion of related work. OODGs have a different bias from that of decision trees, and thus some concepts that are hard to represent as trees are easy to represent as OODGs, and vice versa. Since OODGs are graphs, they are easy for humans to perceive, ....

Burch, J. R.; Clarke, E. M.; and Long, D. E. 1991. Representing circuits more efficiently in symbolic model checking. In Proceedings of the 28th ACM/IEEE Design Automation Conference, 403-- 407.


Bottom-Up Induction of Oblivious Read-Once Decision Graphs - Kohavi (1994)   (19 citations)  (Correct)

....all satisfying assignments is $O(n \cdot |S_f|)$ where $|S_f|$ is the number of such satisfying assignments. OBDDs have been used for automatically verifying finite state machines, including 64 bit ALUs, with up to $10^{120}$ states by representing the state space symbolically instead of explicitly [9, 8]. These applications show, at least empirically, that many functions occurring in engineering domains seem to be representable in small (polynomial) OBDD structures (and hence in OODGs) In the computer science theory community, binary decision graphs have been called branching programs, and have ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In 28th ACM/IEEE Design Automation Conference. Proceedings, pages 403--407, 1991.


Verifying Hardware Correctness by Combining Theorem Proving.. - Schneider, Kropf (1995)   (11 citations)  (Correct)

.... and 3 E : 2 A : The advantage of CTL is that there is model checking algorithm for CTL which runs in a time of O (kMk k k) for a given model M and a formula [SiCl85] For this reason, CTL is commonly used for the verification of systems with parallel processes, as e.g. digital circuits [BCMD90a, BCMD90b, BuCL90, BuCL91, Long93]. However, CTL is a quite simple logic with a relative weak expressiveness [Lamp80, LiPn85] This is due to the strong restrictions on the syntax of the formulas: the path quantifiers are coupled with temporal operators. Therefore 2 A 3 a is not a CTL formula as the 3 operator has no path ....

J.R. Burch, E.M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In 28th Design Automation Conference, pages 403--407, 1991.


Efficient Modeling of Memory Arrays in Symbolic Simulation - Velev, al. (1997)   (4 citations)  (Correct)

....Symbolic model checking has also been used to verify a pipelined data path [3] However, the limitation of the method is that it requires the next state relation for the entire circuit, which leads to introducing two symbolic variables for every state bit in the circuit. Burch, Clarke, and Long [4] represent the transition relation as an implicit conjunction of transition relations for parts of the circuit. In this way, they avoid building a monolithic BDD for the transition relation of the entire circuit, but still need two symbolic variables for each memory bit. Clarke, Grumberg, and Long ....

....the EMM advantage increasing with the memory size. Table 1. Experimental results. The asymptotic growth of STE, when used together with the TLM and the EMM, is summarized in Table 2, which also does a comparison with symbolic model checking, combined with either a partitioned transition relation [4] or with abstraction functions [6] Table 2. Asymptotic growth comparison of symbolic model checking and STE when verifying simple pipelined data paths. # Addresses # Data Bits CPU Time (s) Memory (MB) TLM EMM TLM EMM TLM EMM TLM EMM 16 16 557 81 6.9 4.2 2.2 1.9 32 1 095 161 6.8 7.3 3.2 2.3 ....

[Article contains additional citation context not shown here]

J. R. Burch, E. M. Clarke, and D. E. Long, "Representing Circuits More Efficiently in Symbolic Model Checking," 28th Design Automation Conference, June, 1991, pp. 403-407.


Automatic Abstraction Techniques for Propositional µ-calculus .. - Pardo, Hachtel (1997)   (20 citations)  (Correct)

....process. Even though both the operands and the final result may have a compact representation, the intermediate results may go beyond the computational limit. One method that significantly minimizes this effect is to manipulate the transition relation as a conjunction of relational blocks [4]. The reverse image is now obtained by successive steps of conjunction and variable existential abstraction. Several heuristics have been developed to compute the way the relation is broken into blocks and the order of the blocks so to minimize the size of the intermediate results (i.e. 10] The ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In Proceedings of the Design Automation Conference, pages 403--407, San Francisco, CA, June 1991.


Efficient Formal Design Verification: Data Structure .. - Ranjan, Aziz.. (1994)   (5 citations)  (Correct)

....take the product of the corresponding transition relations. If there are K clusters $C_1, C_2, \cdots, C_k$ of latches, then the image computation can be equivalently written as $\mathrm{Image}(A(x)) = \exists x, u \, [A(x) \prod_{i=1}^{K} T_{C_i}]$ (9), where $T_{C_i} = \prod_{j \in C_i} T_j(x, u, y_j)$. In [8], Burch also proposed the use of clustered transition relations to represent circuits more efficiently. Latches were grouped together to form clusters but no automatic way to form clusters was given. Their technique possibly required user expertise, based on circuit structure. 4.2.1 Proposed ....

.... u; y i ) with respect to A( x) This range computation is performed using a balanced binary tree leaves correspond to terms and variables at nodes of the tree that do not appear in the support of nodes elsewhere are existentially quantified. They reported better performance than [15] Burch [8] criticized this approach on the grounds that generalized co factor may introduce new variables in the supports of the terms, which delays the ability to quantify out variables. Heuristically, this would lead to larger BDD size of the intermediate product terms. Note that if T i ( x; u; y i ) is ....

[Article contains additional citation context not shown here]

J. R. Burch, E. M. Clarke, and D. E. Long. Representing Circuits More Efficiently in Symbolic Model Checking. In Proc. of the Design Automation Conf., June 1991.


System-Level Fault Modeling and Test Pattern Generation.. - Camurati, Corno.. (1993)   (1 citation)  (Correct)

.... stems from a careful implementation of the BDD package [BRBr90] from the use of a special boolean operator, the generalized cofactor [CHJP91] that simplifies functions being manipulated according to some constraints, and from the adoption of partitioning techniques to avoid BDD explosion [BCLo91]. An Example In order to show how the high level description strategy, the fault model, and the test pattern generation algorithm may be applied, a small example will be presented. It models a simple communication protocol obeyed by computers willing to exchange ....

J. R. Burch, E. M. Clarke, D. E. Long: "Representing Circuits More Efficiently in Symbolic Model Checking," DAC'91: 28th ACM/IEEE Design Automation Conference, San Francisco, CA (USA), June 1991, pp. 403-407


Model Checking and Abstraction - Edmund Clarke Carnegie (1992)   (202 citations)  Self-citation (Clarke Long)   (Correct)

No context found.

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In DAC91 [1], pages 403--407.


Bounded Model Checking Using Satisfiability Solving - Clarke, Biere, Raimi, Zhu (2001)   (13 citations)  Self-citation (Clarke)   (Correct)

....and approximation techniques have been proposed for this process, since it is often possible to build BDDs for the individual latch transition relations, but difficult to build the BDD for the conjunction of these. Techniques for partitioning the transition relation into clusters are discussed in [7, 31]. Once the transition relation is represented in BDD format, it can be manipulated to traverse the underlying transition system. Traversals are done by obtaining images or preimages of sets of states, these being sets of successor or predecessor states, respectively. The following is the Boolean ....

J. R. Burch, E. M. Clarke, and D. Long. Representing Circuits more Efficiently in Symbolic Model Checking. Proc. Design Automation Conference, 1991.


Automatic Verification of Pipelined Microprocessor Control - Burch, Dill (1994)   (97 citations)  Self-citation (Burch)   (Correct)

....Results In this section, we describe empirical results for applying our verification method to a pipelined ALU [5] and a subset of the DLX processor [14] 4. 1 Pipelined ALU The 3 stage pipelined ALU we considered (figure 3) has been used as a benchmark for BDD based verification methods [3, 4, 5, 6]. A natural way to compare the performance of these methods is to see how the CPU time needed for verification grows as the pipeline is increased in size by (for example) increasing its datapath width w or its register file size r. For Burch, Clarke and Long [4] the CPU time grew roughly ....

....verification methods [3, 4, 5, 6] A natural way to compare the performance of these methods is to see how the CPU time needed for verification grows as the pipeline is increased in size by (for example) increasing its datapath width w or its register file size r. For Burch, Clarke and Long [4] the CPU time grew roughly quadratically in w and cubically in r. Clarke, Grumberg and Long [6] using a simple abstraction provided by the user, demonstrated linear growth in both w and v. Sublinear growth in v and subquadratic growth in w was achieved by Bryant, Beatty and Seger [3] Read ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In 28th ACM/IEEE Design Automation Conference, 1991.


NUSMV: a new Symbolic Model Verifier - Cimatti Clarke Giunchiglia (1999)   (35 citations)  Self-citation (Clarke)   (Correct)

....path) The FSM Compiler submodule provides the routines for constructing and manipulating FSM s at the BDD level. It is responsible of all the necessary semantic checks on the read model, such as the absence of circular definitions. The FSM s can be represented in monolithic or partitioned form [3]. The heuristics used to perform the conjunctive partitioning of the transition relation and reordering of the clusters [7] have been developed to work at the BDD level, independently of the input language. The interface to other modules is given by the primitives for the computation of the image ....

J. Burch, E. Clarke, and D. Long. Representing Circuits More Efficiently in Symbolic Model Checking. In Proc. of the 28th ACM/IEEE Design Automation Conference, pages 403--407, Los Alamitos, CA, June 1991. IEEE Computer Society Press.


NUSMV: a new symbolic model checker - Cimatti, Clarke, Giunchiglia, Roveri (2000)   (39 citations)  Self-citation (Clarke)   (Correct)

....not be feasible. In many cases, however, it is possible to exploit the structure of the system and build the transition relation as a list of small BDDs, called clusters, which are implicitly disjoined (e.g. with an asynchronous model of concurrency) or conjoined (e.g. with synchronous systems) [9, 10, 11]. T ( i T i ( disjunctive T ( i T i ( conjunctive In both cases the monolithic relational product is reduced to a sequence of disjunctively conjunctively composed relational products on the clusters. With a disjunctively partitioned transition relation, the ....

....monolithic transition relation by distributing the existential quantification over disjunctions. The relational product is decomposed into a series of relational products involving relatively small BDDs. For synchronous systems, NUSMV implements techniques based on early variable quantifications [59, 9, 10]. The basic idea is to find an ordering of the partitions T i ( such that the quantification can be pushed inside the formula as much as possible, thus allowing relational products between small BDDs and existential quantification on a small number of variables, and thus reducing the ....

[Article contains additional citation context not shown here]

J. R. Burch, E. M. Clarke, and D. E. Long. Representing Circuits More Efficiently in Symbolic Model Checking. In Proceedings of the 28th ACM/IEEE Design Automation Conference, pages 403--407, Los Alamitos, CA, June 1991. IEEE Computer Society Press.


Model Checking and Abstraction - Clarke, Grumberg, Long (1992)   (202 citations)  Self-citation (Clarke Long)   (Correct)

....binary decision diagrams (BDDs) [5] led to an even greater increase in size. Representing transition relations implicitly using BDDs made it possible to verify examples that would have required $10^{20}$ states with the original version of the algorithm [7]. Refinements of the BDD based techniques [6] have pushed the state count up over $10^{100}$ states. In this paper, we show that by combining model checking with abstraction, we are able to handle even larger systems. In one example, we are able to verify a pipelined ALU circuit with 64 registers, each 64 bits wide, and more than $10^{1300}$ ....

....over 10 1300 28 Delta reachable states. The verification required slightly less than six and one half hours of CPU time. In addition the verification times scale linearly in both the number of registers and the width of the registers. For comparison, the largest circuit verified by Burch et al. [6] had 8 registers, each 32 bits, and the verification required about four and one half hours of CPU time on a Sun 4. In addition the verification times there were growing quadratically in the register width and cubicly in the number of registers. We also note that the complexity of verifying ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In DAC91 [1], pages 403--407.


Symbolic Model Checking with Partitioned Transition Relations - Burch, Clarke, Long (1991)   (62 citations)  Self-citation (Burch Clarke Long)   (Correct)

....with 8 registers, each 32 bits wide, 2 pipe registers, and one operation. This example had 406 state variables resulting in more than $10^{120}$ reachable states, and the verification took 4 hours and 20 minutes of CPU time on a Sun 4. Details of the verification of the pipeline can be found in [4]. 8 Discussion and future research Using partitioned transition relations significantly improves the efficiency of symbolic verification. We verified a stack with over 950 state variables and more than $10^{50}$ reachable states and a pipeline with more than 400 state variables and over $10^{120}$ ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In 28th ACM/IEEE Design Automation Conference, 1991.


Symbolic Model Checking for Sequential Circuit.. - Burch, Clarke, Long.. (1993)   (160 citations)  Self-citation (Burch Clarke Long)   (Correct)

....9. 2 Degree of Automation : 45 Abstract The temporal logic model checking algorithm of Clarke, Emerson, and Sistla [17] is modified to represent state graphs using binary decision diagrams (BDDs) [7] and partitioned transition relations [10, 11]. Because this representation captures some of the regularity in the state space of circuits with data path logic, we are able to verify circuits with an extremely large number of states. We demonstrate this new technique on a synchronous pipelined design with approximately $5 \times 10^{120}$ ....

....the efficiency of verification methods based on reachability analysis by viewing such verification as automatically constructing and checking an invariant. Several of the above contributions are full length descriptions of results the current authors first described in the conference literature [10, 11, 12, 13, 14]. 1.2 Related Work There are a number of approaches for verifying sequential circuits by state exploration techniques. Not long after Bryant described BDDs [7] several groups began adapting state exploration algorithms for use with BDDs. Coudert, Berthet, and Madre developed a method for ....

[Article contains additional citation context not shown here]

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In 28th ACM/IEEE Design Automation Conference, 1991.


Verification of the Futurebus+ Cache Coherence Protocol - Clarke, Grumberg.. (1992)   (16 citations)  Self-citation (Clarke Long)   (Correct)

....(BDDs) 1] BDDs are a canonical form for boolean formulas that is often substantially more compact than conjunctive or disjunctive normal form. Using this representation does not alter the worst case complexity of the algorithm, but in practice, it makes the procedure much more efficient [2, 3, 4]. In a number of cases, we have found that verification time scales polynomially with the number of components in the system. Sets of states and transitions are represented with BDDs as follows. Let V be the set of state components of the system. Here, we assume all components are boolean. A ....

....It does this in a bottom up fashion starting from the atomic propositions in the formula. Handling atomic propositions and logical connectives is straightforward. For the formula = EX , we want to find those states having a successor for which is true. This is done using an image computation [2, 3]. For a formula such as EF , we use a fixed point characterization of the temporal operator: EF = EXEF : The fixed point is computed by iterating, starting from the empty set of states. Other temporal operators are handled in similar ways. 3 SMV SMV ( Symbolic Model Verifier ) is a tool for ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In Proceedings of the 28th ACM/IEEE Design Automation Conference. IEEE Computer Society Press, June 1991.


Efficient (Non-)Reachability Analysis of Counterexamples - Drechsler, Günther, Stubert   (Correct)

No context found.

J.R. Burch, E.M. Clarke, and D.E. Long. Representing circuits more efficiently in symbolic model checking. In Design Automation Conf., pages 403--407, 1991.


Formal Methods for Functional Verification - Bryant, Kukula   (Correct)

No context found.

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In Proc. Design Automation Conference, pages 403--407, 1991.


Efficient Ordering of State Variables and.. - Block, Gröpl.. (1997)   (2 citations)  (Correct)

No context found.

J. R. Burch, E. M. Clarke, D. E. Long; Representing Circuits More Efficiently in Symbolic Model Checking. 28th DAC, 1991, 403 -- 407.
