J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In DAC91 [1], pages 403--407.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....approach works well only when BDD construction is possible for both present state sets and circuit transition relations. For large designs, OBDD representation for the entire transition relation usually cannot be constructed. Even when it can be constructed using methods such as partitioned BDDs [5, 6], the existential quantification operation can still cause memory explosion. On the other hand, an ATPG or SAT solver engine can be used to manipulate the circuit transition function instead of BDDs. The advantage is that they can handle much larger cir Supported in part by NSF Grant ....

J. M. Burch, E. M. Clarke, D. E. Long, "Representing Circuits More Efficiently in Symbolic Model Checking", Proc. DAC, 1991, pp. 403-407.

....for quantification is somewhat different from image computation [12] but the similarities largely outweigh the differences. In Section 7 we present results for computations based on both images and preimages. 4 Splitting versus Conjoining The effectiveness of the partitioned representation [4, 22] relative to the monolithic representation relies on three mechanisms. The conjunction with S may help keep the size of the BDDs small. Early quantification can be applied to eliminate variables from the BDDs as soon as possible. The image computation problem can be decomposed, thus ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In Proceedings of the Design Automation Conference, pages 403--407, San Francisco, CA, June 1991.

....or data inputs which have no effect on the control. More reduction techniques identify equivalent sub components which may result from redundant logic or former reductions. Ordered Partitioned Transition Relation The technique of keeping the transition relation (TR) partitioned was presented in [BCL91] and implemented in SMV. Subsequently, an ordering heuristic for the partitions was described in [GB94] RuleBase employs these techniques when appropriate. The decision of when to leave the TR partitioned is based on the ratio of number of times the TR must be computed to the number of times it ....

J. Burch, E. Clark and D. Long, "Representing Circuits More Efficiently in Symbolic Model Checking", DAC'91, pp. 403-407.

....Efficient BDD Algorithms. RuleBase employs a variety of techniques and algorithms for handling BDD size problems. It uses variations of the dynamic reordering algorithm described in [14] Additionally, RuleBase employs techniques of keeping the transition relation partitioned, as presented in [4] and [10] Also, it combines BFS and DFS to maintain small BDD sizes during reachability analysis, following [13] Checking Safety Formulas On The Fly. Formulas belonging to a subset of the CTL logic can be verified while traversing the reachable state space, without the need for the full ....

....priority) means: if there is a request from a high priority device, then the next time there is a grant, the higher priority device is the one granted . Similarly next event(p) n] q) means that q must occur the nth time that p occurs. For example: AG( request next event(data)[4](last data) means: last data should be asserted together with the fourth data after a request . The CTL equivalent of this formula is: AG ( request E[ data U (data EX E[ data U ( data EX E[ data U (data EX E[ data U (data last data ) Strong and Weak Operators. Most ....

J. Burch, E. Clark and D. Long, "Representing Circuits More Efficiently in Symbolic Model Checking", DAC'91, pp. 403-407.

....of the characteristic function of the set listing the couples current state next state , independently of the inputs. It is difficult to build the transition relation for big circuits, as the BDDs rapidly grow too large. Partitioning techniques are manual and based on the designer s knowledge [2]. The transition function [8] 17] 18] overcomes this limit. A vector of Boolean functions represents the behavior of the FSM along each of the dimensions in the next state space. The associated recursive image computation algorithm is based on Boole s expansion theorem and exploits the ....

....state sets of a product machine is the issue. R(s) is the characteristic function of the set of reachable states of circuit s27, the smallest among the 5 ISCAS 89 benchmarks [1] 4 primary inputs, 1 primary output, 3 latches) states are described by three present state variables s[1] s[2]; s[3] reachable states are f0 Gamma Gamma; 10 Gammag, unreachable states are f11 Gammag. R p (s; s 0 ) represents the set of states reachable by the product machine s27 Theta s27 (self verification) it is easy to notice a relevant increase in the size of BDDs (from 2 to 8 non terminal ....

[Article contains additional citation context not shown here]

J.R. Burch, E.M. Clarke, D.E. Long: "Representing Circuits More Efficiently in Symbolic Model Checking," DAC'91: 28th ACM/IEEE Design Automation Conference, San Francisco, CA (USA), June 1991, pp. 403--407

....sufficiently. Experience indeed shows that bugs can show up after extensive testing, illustrated by numerous bugs in microprocessor designs, including the Pentium bug [21] Applying the same approaches to formal verification as on the high level models is infeasible. Model checking techniques [8, 7, 6] rely on either being able to separate the control from the datapath to avoid a state explosion due to the values in the datapath, or to abstract the datapath to a few state bits. However, there is no effective of developing a specification of the control alone. Furthermore, abstractions of the ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In 28th ACM/IEEE Design Automation Conference, 1991.

....to obtain, TR is usually represented as a product of terms. In this case the image computation is generally expensive because existential quantification and logical conjunction cannot distribute. Analyzing the sets of support of the functions involved in the conjunction, Burch et al. [4] determine whether existential quantification can be moved inside the conjunction (early quantification) This results in a simplification as the number of variables in the conjuncted terms is reduced. Several heuristics have been presented to sort the functions. Further improvements are obtained ....

J.R. Burch, E.M. Clarke, D.E. Long: "Representing Circuits More Efficiently in Symbolic Model Checking, " in Proc. ACM/IEEE DAC'91, pp. 403--407, June 1991

....improvements must be applied to the basic idea in order to make it work for realistic problems. The common aim of these improvements is to control the size of the BDDs created and manipulated during state exploration. This has been achieved by keeping the transition relation in partitioned form [28, 3, 10, 22]; by controlling the BDD variable order [12, 24] by abstracting the system to be verified [16, 13, 15, 7] or by abandoning pure breadthfirst search in favor of more flexible approaches [23, 5, 21, 19] Abstractions and methods that mix breadth first and depth first search rely, sometimes in ....

....Section 4. Methods that are not compound are simple. 3 Decomposition Decomposition is another important approach to reducing the size of large BDDs. Decomposition of BDDs is closely related to finding efficient partitioned representations of a given boolean function. Partitioned representations [20, 3] may be derived in the process of building a BDD or by decomposing a given BDD. The former is easier to obtain when some structural information, such as the network, is provided. Auxiliary variables are introduced while constructing the BDD. They alleviate ordering constraints and reduce the size ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In Proceedings of the Design Automation Conference, pages 403--407, San Francisco, CA, June 1991.

....avoid building the global state transition relation, but the form of the checking conditions allows us to work exclusively with the disjuncts of the global relation. This form of partitioning is long known to result in a significant increase of the applicability of BDD based symbolic computations [BCM91] and can be directly derived from a given UNITY program at no extra cost. Although the locality of the verification conditions is responsible for the improved efficiency of verifying properties, it reduces the availability of debugging information that can be directly obtained from a failed ....

....in the literature. The techniques and methods currently implemented include the use of reduced OBDDs as described in [BBR90] of a combined and exists operation in computing relational products ( McM93] of quantification ordering in synchronous transitions similar to those described in [BCM91] of restriction [CM90] and generalized cofactoring [TSL 90] In addition to provisions for taking advantage of the monotonicity of predicate transformers in early termination of fixpoint computations, the current implementation also uses a special second level cache for memoizing certain ....

J. R. Burch, E. M. Clarke, and K. M. McMillan. Representing circuits more efficiently in symbolic model checking. In Proccedings of the 28th Design Automation Conference 1991, pages 403--407, 1991.

....over the product, if the terms of the product do not all depend on all the variables. Since the quantification of a variable normally simplifies the result, we can hope that by intertwining products and quantifications, the size of the intermediate BDDs will be better kept under control [11, 59]. The following example illustrates this point. Example 18 We want to compute Img(f; g) with f = f 1 ; f 2 ; f 3 ) f 1 = x 1 x 2 f 2 = x 0 2 x 3 f 3 = x 2 x 4 x 0 3 ; and g(x 1 ; x 4 ) x 1 x 2 . According to (7) we have: Img(f; g) 9 x1x2x3x4 [ y 1 (x 1 x 2 ) ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In Proceedings of the Design Automation Conference, pages 403--407, San Francisco, CA, June 1991.

....final result may have a compact representation, the intermediate results may go beyond the computational limit. One 71 method that significantly minimizes this effect is to manipulate the transition relation R as a conjunction of relational blocks R = R 1 Delta Delta Delta Delta Delta R n [BCL91] The pre image is then obtained by successive steps of conjunction and existential abstraction. Several heuristics have been developed to compute the way the relation is broken into blocks, and the order of the blocks, as to minimize the size of the intermediate results (i.e. GB94] The type ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In Proceedings of the Design Automation Conference, pages 403--407, San Francisco, CA, June 1991.

....restricted by the problem of state explosion , the capabilities of these techniques have been enhanced by the introduction of compact state space encodings, namely 2 The ELLA Project World Wide Web page is at URL: http: www.cs.man.ac. uk fmethods projects ella project.html 2 BDDs see [11, 12, 13] for key expositions. Commercial verification systems are now emerging, based on such techniques; for example the VFORMAL system (COMPASS) checks equivalence for synchronous systems described using VHDL. However, the state spaces of the systems under analysis must be identical here. Our work is ....

J.R. Burch, E.M. Clarke, and D.E. Long. Representing Circuits More Efficiently in Symbolic Model Checking. In DAC91, 1991.

....desired behaviour. However, standard model checking approaches are limited as only finite state problems can be handled and, even then the number of states required soon becomes large due to the combinatorial explosion. Symbolic model checking, Binary Decision Diagrams (BDDs) Bry86, BCM 90, BCL91] have been introduced as a mechanism to overcome the state space explosion problem. Although this works well for restricted applications the combinatorial explosion can still occur. Alternatively one can adopt a theorem proving approach which is symbolic but the approach is not limited to ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing Circuits More Efficiently in Symbolic Model Checking. In Design Automation Conference 1991, 1991.

....the system subjected to symbolic model checking is given as a predicate T (y; w; x) that is true if there is a transition from State x to State y under Input w. The predicate is usually described by a Binary Decision Diagram [2] Representing T (y; w; x) by a single formula is often impractical [5, 14, 3]; a partitioned representation is used in those cases. The partitioned transition relation approach is especially natural when the system to be analyzed is a deterministic hardware circuit. Then, each binary memory element of the circuit gives rise to one term of the transition relation. When the ....

....of image and preimage computation. Though most of the results and ideas presented in this paper apply to preimage computation as well as to image computation, our discussion and experiments are currently restricted to the latter. The importance of the quantification schedule was recognized in [14, 3]. Geist and Beer [7] proposed a heuristic algorithm, later improved by Ranjan et al. 13] Hojati et al. 9] showed that the problem of finding a tree such that the support of the largest intermediate product is less than a given constant is NP complete under the simplifying assumption that the ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In Proceedings of the Design Automation Conference, pages 403-- 407, San Francisco, CA, June 1991.

....for quantification is somewhat different from image computation [12] but the similarities largely outweigh the differences. In Section 7 we present results for computations based on both images and preimages. 4 Splitting versus Conjoining The effectiveness of the partitioned representation [4, 22] relative to the monolithic representation relies on three mechanisms. The conjunction with S(x) may help keep the size of the BDDs small. Early quantification can be applied to eliminate variables from the BDDs as soon as possible. The image computation problem can be decomposed, thus ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In Proceedings of the Design Automation Conference, pages 403--407, San Francisco, CA, June 1991.

....exceed the capacity of explicit enumeration algorithms. BDDs can be manipulated efficiently; in particular, algorithms have been devised for the computation of all the successors (image computation) or predecessors (pre image computation) of a set of states according to a given transition relation [10, 5, 14, 31]. Symbolic model checking algorithms for various logics are based on the computation of fixpoints by repeated image or pre image computations. In the relational calculus (see, for instance, 26] the computation of the states reachable from S 0 is expressed by the formulae EY p = y:9x:T (x; ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In Proceedings of the Design Automation Conference, pages 403-- 407, San Francisco, CA, June 1991.

.... verification methods such as model checking[CES86, BFG89] Although these have been traditionallyrestricted by the problem of state explosion , the capabilities of these techniques have been dramatically enhanced by the introduction of compact state space encodings, namely BDDs see [BCL91, BCMD90, CBM89] for key expositions. The process algebraic approach described here has its origins in the foundational works of CCS[Mil89] and CSP[Hoa85] There have recently emerged techniques for efficiently modelling systems; for example [HL93] describes a value passing process algebra, where ....

J.R. Burch, E.M. Clarke, and D.E. Long. Representing circuits more efficiently in symbolic model checking. In DAC91, 1991.

No context found.

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In DAC91 [1], pages 403--407.

....and approximation techniques have been proposed for this process, since it is often possible to build BDDs for the individual latch transition relations, but difficult to build the BDD for the conjunction of these. Techniques for partitioning the transition relation into clusters are discussed in [7, 31]. Once the transition relation is represented in BDD format, it can be manipulated to traverse the underlying transition system. Traversals are done by obtaining images or preimages of sets of states, these being sets of successor or predecessor states, respectively. The following is the Boolean ....

J. R. Burch, E. M. Clarke, and D. Long. Representing Circuits more Efficiently in Symbolic Model Checking. Proc. Design Automation Conference, 1991.

....Results In this section, we describe empirical results for applying our verification method to a pipelined ALU [5] and a subset of the DLX processor [14] 4. 1 Pipelined ALU The 3 stage pipelined ALU we considered (figure 3) has been used as a benchmark for BDD based verification methods [3, 4, 5, 6]. A natural way to compare the performance of these methods is to see how the CPU time needed for veri fication grows as the pipeline is increased in size by (for example) increasing its datapath width w or its register file size r. For Burch, Clarke and Long [4] the CPU time grew roughly ....

....verification methods [3, 4, 5, 6] A natural way to compare the performance of these methods is to see how the CPU time needed for veri fication grows as the pipeline is increased in size by (for example) increasing its datapath width w or its register file size r. For Burch, Clarke and Long [4] the CPU time grew roughly quadratically in w and cubically in r. Clarke, Grumberg and Long [6] using a simple abstraction provided by the user, demonstrated lin ear growth in both w and v. Sublinear growth in v and subquadratic growth in w was achieved by Bryant, Beatty and Seger [3] Read ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In 28th A UM/IEEE Design Automation Uonference, 1991.

....path) The FSM Compiler submodule provides the routines for constructing and manipulating FSM s at the BDD level. It is responsible of all the necessary semantic checks on the read model, such as the absence of circular definitions. The FSM s can be represented in monolithic or partitioned form [3]. The heuristics used to perform the conjunctive partitioning of the transition relation and reordering of the clusters [7] have been developed to work at the BDD level, independently of the input language. The interface to other modules is given by the primitives for the computation of the image ....

J. Burch, E. Clarke, and D. Long. Representing Circuits More Efficiently in Symbolic Model Checking. In Proc. of the 28th ACM/IEEE Design Automation Conference, pages 403--407, Los Alamitos, CA, June 1991. IEEE Computer Society Press.

....not be feasible. In many cases, however, it is possible to exploit the structure of the system and build the transition relation as a list of small BDDs, called clusters, which are implicitly disjoined (e.g. with an asynchronous model of concurrency) or conjoined (e.g. with synchronous systems) [9, 10, 11]. T ( i T i ( disjunctive T ( i T i ( conjunctive In both cases the monolithic relational product is reduced to a sequence of disjunctively conjunctively composed relational products on the clusters. With a disjunctively partitioned transition relation, the ....

....monolithic transition relation by distributing the existential quantification over disjunctions. The relational product is decomposed into a series of relational products involving relatively small BDDs. For synchronous systems, NUSMV implements techniques based on early variable quantifications [59, 9, 10]. The basic idea is to find an ordering of the partitions T i ( such that the quantification can be pushed inside the formula as much as possible, thus allowing relational products between small BDDs and existential quantification on a small number of variables, and thus reducing the ....

[Article contains additional citation context not shown here]

J. R. Burch, E. M. Clarke, and D. E. Long. Representing Circuits More Efficiently in Symbolic Model Checking. In Proceedings of the 28th ACM/IEEE Design Automation Conference, pages 403--407, Los Alamitos, CA, June 1991. IEEE Computer Society Press.

....binary decision diagrams (BDDs) 5] led to an even greater increase in size. Representing transition relations implicitly using BDDs made it possible to verify examples that would have required 10 20 states with the original version of the algorithm [7] Refinements of the BDD based techniques [6] have pushed the state count up over 10 100 states. In this paper, we show that by combining model checking with abstraction, we are able to handle even larger systems. In one example, we are able to verify a pipelined ALU circuit with 64 registers, each 64 bits wide, and more than 10 1300 ....

....over 10 1300 28 Delta reachable states. The verification required slightly less than six and one half hours of CPU time. In addition the verification times scale linearly in both the number of registers and the width of the registers. For comparison, the largest circuit verified by Burch et al. [6] had 8 registers, each 32 bits, and the verification required about four and one half hours of CPU time on a Sun 4. In addition the verification times there were growing quadratically in the register width and cubicly in the number of registers. We also note that the complexity of verifying ....

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In DAC91 [1], pages 403--407.

No context found.

J.R. Burch, E.M. Clarke, and D.E. Long. Representing circuits more efficiently in symbolic model checking. In Design Automation Conf., pages 403--407, 1991.

No context found.

J. R. Burch, E. M. Clarke, and D. E. Long. Representing circuits more efficiently in symbolic model checking. In Proc. Design Automation Conference, pages 403--407, 1991.

First 50 documents  Next 50

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC