US20030208732A1 - Verification system using symbolic variable reduction - Google Patents

Verification system using symbolic variable reduction Download PDF

Info

Publication number
US20030208732A1
US20030208732A1 US10/422,267 US42226703A US2003208732A1 US 20030208732 A1 US20030208732 A1 US 20030208732A1 US 42226703 A US42226703 A US 42226703A US 2003208732 A1 US2003208732 A1 US 2003208732A1
Authority
US
United States
Prior art keywords
variable
argument
predicate
state
verification system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US10/422,267
Inventor
Jin Yang
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to US10/422,267 priority Critical patent/US20030208732A1/en
Publication of US20030208732A1 publication Critical patent/US20030208732A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F30/00Computer-aided design [CAD]
    • G06F30/30Circuit design
    • G06F30/32Circuit design at the digital level
    • G06F30/33Design verification, e.g. functional simulation or model checking
    • G06F30/3323Design verification, e.g. functional simulation or model checking using formal methods, e.g. equivalence checking or property checking

Definitions

  • This invention relates generally to automated design verification, and in particular to more efficient use of binary decision diagrams to perform automated symbolic model checking for very large scale integrated circuit designs and other finite state systems.
  • BDD binary decision diagrams
  • a BDD is a directed acyclic graph that represents a Boolean expression. For each Boolean variable, there are two outgoing edges representing true or false assignments to the variable.
  • BDDs permits computation times, which are, for many practical cases, some polynomial function of the number of expression variables.
  • Alternative representations such as clauses or truth tables require execution times, which are some exponential function of the number of expression variables. Therefore, use of BDDs has been popular in the formal verification community since the late 1980's.
  • BDDs are not without drawbacks.
  • the ordering of variables is critical to an efficient use of BDDs. Poor variable ordering can increase a BDDs size and cause exponential execution times.
  • One method for symbolic model checking using BDDs comes from Carnegie Mellon University and is known as Symbolic Model Verifier (SMV).
  • SMV uses a well known heuristic based procedure named simplify 13 assuming that is aimed at reducing BDD representations by simplifying a predicate but may frequently leave variables in the representation that are unnecessary.
  • COI reduction an abstraction is built for a circuit model consisting of next state functions only for variables in the dependency closure of variables of interest in the circuit specification.
  • One drawback is that all variables in the dependency closure do not necessarily influence the variables of interest in the circuit specification.
  • a second drawback is that the abstraction that is built and used for each model-checking step may include portions that are useful in only a few of the model checking steps. Therefore needless extra computations are potentially performed, resulting in little benefit to the circuit verification.
  • BCOI bounded cone of influence
  • FIG. 1 illustrates an example of a circuit.
  • FIG. 2 a graphically illustrates a transition relation for a circuit.
  • FIG. 2 b shows another transition relation built as part of a lazy pre-image computation.
  • FIG. 3 a illustrates one embodiment of a method for performing lazy pre-image computations.
  • FIG. 3 b illustrates one embodiment of a more detailed method for performing lazy pre-image computations.
  • FIG. 4 a illustrates one embodiment of a method for computing a fixpoint using lazy pre-image computations.
  • FIG. 4 b shows an example of a lazy fixpoint computation for a circuit.
  • FIG. 5 a illustrates another embodiment of a method for computing a fixpoint using both lazy pre-image computations and symbolic variable reduction.
  • FIG. 5 b shows another example of a lazy fixpoint computation for a circuit using both lazy pre-image computations and symbolic variable reduction.
  • FIG. 6 a illustrates one embodiment of a detailed method for performing symbolic variable reduction.
  • FIG. 6 b shows one embodiment of a more detailed method for performing symbolic variable reduction.
  • FIG. 7 depicts a computing system for automated lazy symbolic model checking of finite state systems using symbolic variable reduction.
  • Methods for formal verification of circuits and other finite-state systems are disclosed herein, providing for improved efficiency and capacity of popular binary decision diagram (BDD) based algorithms.
  • BDD binary decision diagram
  • a lazy pre-image computation a method is disclosed that builds new transition relation partitions on-demand only for relevant next internal variables of a state predicate, and conjoins only next state relations for relevant next internal variables to a pre-image including the state predicate.
  • a symbolic variable reduction technique a method is disclosed that improves the efficiency for symbolic model checking computations especially lazy pre-image based computations providing means to handle very large scale integrated circuits and other finite state systems of problematic complexity for prior methods.
  • a method for one embodiment of a lazy fixpoint computation, a method is disclosed that makes iterative use of lazy pre-image computation and symbolic variable reduction to compute conditions that necessarily must be satisfied to produce a given set of states.
  • the teachings of these disclosed methods provide for symbolic model checking of circuits and other finite state systems previously too large to be completed successfully using BDD based algorithms.
  • FIG. 1 illustrates an example of a circuit 101 having internal state variables c, d, e and f; and input variables a and b.
  • the value of internal state variable c at its next transition can be determined to be the value of the Boolean expression a AND c.
  • the value of internal state variable d at its next transition can be determined to be the value of the input variable b.
  • the value of internal state variable e at its next transition can be determined to be the value of the Boolean expression c OR e.
  • the value of internal state variable f at its next transition can be determined to be the value of the Boolean expression c NAND d.
  • a partitioned transition relation, R, on a partitioning of the internal state variables ⁇ V1, V2, . . . , Vk ⁇ has the implicitly conjoined form:
  • R ( V, V′ ) R 1( V,V 1′) AND R 2( V,V 2′) . . . AND Rk ( V,Vk ′)
  • a set of states, S may be represented using a Boolean state predicate S(V). Operations on sets may be carried out as algebraic manipulations of state predicates.
  • the set of states that can move to S in one transition is called the pre-image of S and written
  • An existential operation ⁇ V′.[S(V′)] represents a quantification of state predicate S(V′) over the variables in V′.
  • an invocation of a pre-image computation that uses transition relation 201 may result in computations that are not relevant to that state predicate.
  • a lazy pre-image computation is disclosed which provides a relevant transition relation abstraction for each pre-image computation according to the state predicate of the invocation.
  • Such a lazy pre-image computation may be performed for a state predicate S(W), where W is contained in V and W S ′ is the set of next internal variables in the set of next variables W′, as follows:
  • lazy pre-image computation differs from previous COI reduction approaches in that it is not statically derived from a model specification and then used throughout. Instead, it dynamically provides an abstraction for each pre-image computation that is relevant to the particular state predicate associated with the invocation. Accordingly, lazy pre-image computation provides for greater efficiency and capacity improvements in popular BDD-based symbolic model checking methods than previously used pre-image computation methods.
  • FIG. 3 a illustrates performing a lazy pre-image computation.
  • transition relation partitions are updated as needed by adding new transition relations for only the relevant next internal variables.
  • a pre-image is initialized to the next state predicate of the invocation and existentially quantified over the relevant next input variables.
  • partitions with relevant next variables are identified.
  • next state relations for relevant variables from the partitions identified in processing block 313 are conjoined to the pre-image and quantified.
  • the lazy pre-image method disclosed above provides for greater efficiency and capacity for symbolic model checking operations, particularly on circuits with a large number of variables.
  • building transition relation partitions only as needed and only for relevant next internal variables is especially beneficial since the next state function for an internal variable is efficiently and implicitly encoded, but a BDD for the function must be explicitly built for symbolic model checking. Explicitly building BDDs unnecessarily may become computationally expensive.
  • FIG. 3 b details one embodiment of a method for performing a lazy pre-image computation on a state predicate S(W) involving a set W of internal variables and input variables.
  • W S ′ is initialized to be the set of next internal variables in W′.
  • W I ′ is initialized to be the set of next input variables in W′.
  • the transition relation partitions are built as needed for the relevant next internal variables.
  • processing block 324 When no more are found, flow proceeds at processing block 324 .
  • the pre-image is initialized to the state predicate existentially quantified for the relevant next input variables and partition counter i is set to k+1.
  • partition counter i is decremented.
  • partition counter i is tested to see if it has reached zero. If partition counter i has not reached zero, in processing block 327 partition Vi′ is checked against W′ to identify relevant variables. If no relevant variables are found, partition Vi′ is skipped and flow proceeds at processing block 325 .
  • the lazy pre-image computation disclosed above provides for potential improvements in key model checking techniques.
  • one embodiment of a lazy pre-image method provides an efficient general operation that may also be used effectively in performing fixpoint computations.
  • FIG. 4 a illustrates one embodiment of a fixpoint computation method which uses lazy pre-image computations.
  • a partial fixpoint state predicate, Fix 0 and an initial frontier predicate, Front 0 , are both set to the input predicate S(W), and counter i is initialized to 1.
  • the new frontier predicate, Front i is set to the lazy pre-image of the previous frontier predicate, Front i ⁇ 1 , intersected with the negated partial fixpoint predicate, Fix i ⁇ 1 , in order to exclude any states whose pre-images have already been computed. This computation is expressed symbolically as Pre(Front i ⁇ 1 ) Fix i ⁇ 1 .
  • a new fixpoint predicate Fix i is set to the union of the new frontier predicate, Front i , and the previous partial fixpoint predicate, Fix i ⁇ 1 .
  • Counter i is then incremented.
  • Front i is tested to see if any states from the previous iteration that need to have pre-images computed remain in the frontier. If so, processing beginning at processing block 412 repeats until Front i is emptied of such states, in which case processing terminates at processing block 419 .
  • the fixpoint Fix 0 predicate 420 for the states reachable to S(e) in zero transitions and the frontier Front 0 are initially set to e. Since no pre-image computation is required, no transition relation is built.
  • Lazy pre-image Pre(S(e)) can be computed as previously shown, and the lazy pre-image computation returns e OR c based on the partially computed transition relation.
  • the new frontier predicate Front 1 is set to (e OR c) AND NOT e in accordance with processing block 412 , which reduces to c AND NOT e.
  • Fixpoint Fix 1 predicate 421 for states reachable to S(e) in one transition is set to (c AND NOT e) OR e, which becomes e OR c.
  • the lazy pre-image of the frontier predicate Front 1 is computed and combined with NOT Fix 1 .
  • Lazy pre-image computation returns (c AND a) AND NOT (e OR c) based on the partially computed transition relation.
  • Fixpoint Fix 2 Predicate 422 for states reachable to S(e) in two transitions becomes just (e OR c).
  • processing block 412 may cause the number of variables in the frontier predicate Front i to grow, thereby causing the lazy pre-image computation to be less effective. Therefore, it is again desirable to reduce the number of variables in Front i through use of symbolic variable reduction.
  • a symbolic variable reduction technique will be disclosed.
  • Front i could be replaced by a simplified frontier predicate, Front 1 ′, having fewer variables than Front i , such that the simplified frontier predicate implicates the partial fixpoint predicate (i.e. Front i ′ Fix i ) and such that the original frontier predicate implicates the simplified frontier predicate (i.e. Front i Front i ′), then the efficiency of the lazy pre-image computation in the subsequent iteration could be improved. Hence, the overall efficiency of the fixpoint computation could also be improved.
  • v may be eliminated from Front i ′ by existential quantification. This can be expressed as follows:
  • v may be eliminated from Front i ′ if the intersection of both predicates is empty after v is assigned opposite Boolean values in the two predicates. This can be expressed as follows:
  • FIG. 5 a illustrates one embodiment of an improved fixpoint computation method which uses lazy pre-image computations and a symbolic variable reduction technique according to the observations disclosed above.
  • the new frontier predicate, Front i is set to the lazy pre-image of the previous frontier predicate, Front i ⁇ 1 , intersected with the negated partial fixpoint predicate, Fix i ⁇ 1 , in order to exclude any states whose pre-images have already been computed.
  • This computation is expressed symbolically as Pre(Front i ⁇ 1 ) Fix i ⁇ 1 .
  • a new fixpoint predicate Fix i is set to the union of the new frontier predicate, Front 1 , and the previous partial fixpoint predicate, Fix i ⁇ 1 , which may be seen as expressing conditions for reduction of “don't care” variables.
  • the variables in frontier predicate, Front i are reduced according to the above disclosed conditions with respect to the negated partial fixpoint predicate, Fix i .
  • Counter i is then incremented.
  • Front i is tested to see if any states that need to have pre-images computed remain in the frontier. If so, processing beginning at processing block 512 repeats until Front i is emptied of such states, in which case processing terminates at processing block 519 .
  • the fixpoint, Fix 0 predicate 520 for the states reachable to S(e) in zero transitions and the frontier Front 0 are initially set to e. Since no pre-image computation is required, no transition relation is built.
  • To compute the fixpoint Fix 1 predicate 521 for the states reachable to S(e) in one transition a lazy pre-image of the frontier predicate Front 0 is computed and combined with NOT Fix 0 .
  • frontier predicate Front 0 only involves signal e
  • a lazy pre-image Pre(S(e)) can be computed as previously shown, and the lazy pre-image computation returns e OR c based on the partially computed transition relation.
  • the new frontier predicate Front 1 is set to (e OR c) AND NOT e in accordance with processing block 512 , which reduces to c AND NOT e.
  • Fixpoint Fix 1 predicate 521 for states reachable to S(e) in one transition is set to (c AND NOT e) OR e, which becomes e OR c.
  • the frontier predicate Front 1 may be reduced to c.
  • the lazy pre-image of the reduced frontier predicate Front 1 is computed and combined with NOT Fix 1 .
  • Lazy pre-image computation returns (c AND a) based on the partially computed transition relation.
  • FIG. 6 a illustrates a more detailed method for one embodiment of a symbolic variable reduction computation according to a set of conditions with respect to a frontier predicate and a negated partial fixpoint predicate as disclosed above.
  • the recursive method entry point the negated partial fixpoint predicate is NOT Fix d
  • frontier predicate is Front i .
  • a variable v is selected from the variables in NOT Fix d , or Front d .
  • the recursive method terminates if Front d is constant, returning Front d as a result, or if NOT Fix d is constant, returning 1 as a result.
  • the recursive depth is increased to d+1.
  • processing proceeds to processing block 614 where v is eliminated from Front d by making a recursive call with arguments (Front d [1/v] OR Front d [0/v]) and NOT Fix d . Otherwise processing proceeds to processing block 615 .
  • processing block 615 if v is in frontier predicate, Front d , and also in negated partial fixpoint predicate, NOT Fix d , then processing proceeds to processing block 616 where v may be eliminated from Front d by making a recursive call with arguments (Front d [1/v] OR Front d [0/v]) and NOT Fix d if the intersection of NOT Fix d [0/v] when v set to zero (or false) and Front d [1/v] when v set to one (or true) and the intersection of NOT Fix d [1/v] when v set to one (or true) and Front d [0/v] when v set to zero (or false) are both empty. Otherwise processing proceeds in processing block 617 .
  • processing block 617 if v is in negated partial fixpoint predicate, NOT Fix d , but not in frontier predicate, Front d , then processing proceeds to processing block 618 where another variable w is eliminated from Front d if the intersection of Front d with NOT Fix d [1/v] when v set to one (or true) and also with NOT Fix d [0/v] when v set to zero (or false) are both empty by making a recursive call with arguments Front d and (NOT Fix d [1/v] OR NOT FiX d [0/V]). Upon return from a recursive call processing block 619, the result is returned as Front d .
  • the recursive method of FIG. 6 a may also be performed as an iterative method. It will also be appreciated that previously computed results may be stored, for example in a hash table, to further reduce recursive computations.
  • FIG. 6 b shows in detail, one alternative embodiment of the symbolic variable reduction of processing block 616 .
  • processing block 615 if v is in frontier predicate, Front d , and also in negated partial fixpoint predicate, NOT Fix d , then processing proceeds to processing block 621 . Otherwise processing proceeds in processing block 617 .
  • v may be eliminated from Front d if the intersection of NOT Fix d [0/v] when v set to zero (or false) and Front d [1/v] when v set to one (or true) and the intersection of NOT Fix d [1/v] when v set to one (or true) and Front d [0/v] when v set to zero (or false) are both empty.
  • a first recursive call is made with arguments Front d [1/v] and (NOT Fix d [1/v] OR NOT Fix d [0/v]).
  • Processing then proceeds to processing block 622 where a second recursive call is made with arguments Front d [0/v] and (NOT Fix d [1/v] OR NOT Fix d [0/V]).
  • processing proceeds in processing block 623 where the two results Front d [1/v] and Front d [0/v] are tested for equality. If they are found to be equal then processing terminates in processing block 624 and the result Front d [1/v] may be returned. Otherwise processing proceeds in processing block 625 where the two intersections NOT Fix d [0/v] AND Front d [1/v] and NOT Fix d [1/v] AND Front d [0/v] are checked.
  • processing block 626 If they are both empty then processing terminates in processing block 626 and the result (Front d [1/v] OR Front d [0/v]) may be returned. Otherwise processing terminates in processing block 627 and the result ((v AND Front d [1/v]) OR (NOT v AND Front d [0/v])) may be returned.
  • the above symbolic variable reduction method is illustrated by way of example and not limitation.
  • the method may also be applicable to any reduction of variables in a predicate P under a don't care condition Q by solving a symbolic variable reduction with the arguments P and NOT(P OR Q).
  • FIG. 7 illustrates a computer system to perform computations, for one such embodiment.
  • Processing device 722 is connectable with various recordable storage media, transmission media and I/O devices to receive data structures and programmed methods.
  • Representative data structures 701 may include circuit descriptions 711 , transition relations 712 , and finite state models 713 .
  • Representative programmed methods 702 may include symbolic variable reduction programs 714 , lazy pre-image programs 715 , lazy fixpoint computation programs 716 , and model checking programs 717 .
  • Components of either or both of the data structures and programmed methods may be stored or transmitted on recordable media such as removable storage disks 725 , which may be accessed through an access device 726 in processing device 722 or in a storage serving system 721 .
  • Storage serving system 721 or processing device 722 may also include other removable storage media or non-removable storage media suitable for storing or transmitting data structures 701 or programmed methods 702 .
  • Component data structures and programmed methods may also be stored or transmitted on transmission media such as network 724 for access by processing device 722 or entered by users through I/O device 723 .
  • networks 724 for access by processing device 722 or entered by users through I/O device 723 .

Abstract

Methods for formal verification of circuits and other finite-state systems are disclosed herein, providing for improved efficiency and capacity of popular binary decision diagram (BDD) based algorithms. A lazy pre-image computation method is disclosed that builds new transition relation partitions on-demand only for relevant next internal variables of a state predicate. A symbolic variable reduction method is disclosed to eliminate variables in a state predicate under “don't care” conditions. Symbolic variable reduction improves the efficiency for symbolic model checking computations especially lazy pre-image based computations providing means to handle very large-scale integrated circuits and other finite state systems of problematic complexity for prior methods. The teachings of these disclosed methods provide for automated symbolic model checking of circuits and other finite state systems previously too large to be completed successfully using BDD based algorithms.

Description

    RELATED APPLICATIONS
  • This is a divisional of application Ser. No. 09/675,539, filed Sep. 29, 2000, currently pending.[0001]
    • FIELD OF THE INVENTION
  • This invention relates generally to automated design verification, and in particular to more efficient use of binary decision diagrams to perform automated symbolic model checking for very large scale integrated circuit designs and other finite state systems. [0002]
    • BACKGROUND OF THE INVENTION
  • Modern design of very large-scale integrated circuits often involves years of research and the efforts of hundreds of engineers. Automated formal verification methods are an essential part of the design effort, reducing errors, lost time and risk to financial investment. [0003]
  • As the size and complexity of designs increase, much effort is expended to improve the efficiency of automated formal verification methods. One technique used in symbolic model checking to improve efficiency is to employ binary decision diagrams (BDDs). A BDD is a directed acyclic graph that represents a Boolean expression. For each Boolean variable, there are two outgoing edges representing true or false assignments to the variable. The use of BDDs permits computation times, which are, for many practical cases, some polynomial function of the number of expression variables. Alternative representations such as clauses or truth tables require execution times, which are some exponential function of the number of expression variables. Therefore, use of BDDs has been popular in the formal verification community since the late 1980's. [0004]
  • BDDs, however, are not without drawbacks. The ordering of variables is critical to an efficient use of BDDs. Poor variable ordering can increase a BDDs size and cause exponential execution times. One method for symbolic model checking using BDDs comes from Carnegie Mellon University and is known as Symbolic Model Verifier (SMV). [0005]
  • Alternatively SMV uses a well known heuristic based procedure named simplify[0006] 13 assuming that is aimed at reducing BDD representations by simplifying a predicate but may frequently leave variables in the representation that are unnecessary.
  • Over the years, techniques have been developed to improve performance and capacity of BDD-based algorithms. One technique is called Cone of Influence (COI) reduction. In COI reduction, an abstraction is built for a circuit model consisting of next state functions only for variables in the dependency closure of variables of interest in the circuit specification. One drawback is that all variables in the dependency closure do not necessarily influence the variables of interest in the circuit specification. A second drawback is that the abstraction that is built and used for each model-checking step may include portions that are useful in only a few of the model checking steps. Therefore needless extra computations are potentially performed, resulting in little benefit to the circuit verification. [0007]
  • Some methods have attempted to improve upon COI reduction by starting from a small portion of the dependency closure and extending the portion only when model checking fails to produce a satisfactory result. But these techniques also perform unnecessary computations on portions that are not relevant to the particular model-checking step being performed. [0008]
  • One method called the bounded cone of influence (BCOI) was proposed by A. Biere et al for symbolic model checking without BDDs [A. Biere, E. Clark, R. Raimi, and Y. Zhu; Verifying safety properties of a PowerPC™ microprocessor using symbolic model checking without BDDs; CAV'99; 1999]. However, even the BCOI method potentially includes irrelevant variables in the abstraction it builds, and the technique is not applicable to improve the widely used BDD-based approaches. [0009]
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • The present invention is illustrated by way of example and not limitation in the figures of the accompanying drawings. [0010]
  • FIG. 1 illustrates an example of a circuit. FIG. 2[0011] a graphically illustrates a transition relation for a circuit.
  • FIG. 2[0012] b shows another transition relation built as part of a lazy pre-image computation.
  • FIG. 3[0013] a illustrates one embodiment of a method for performing lazy pre-image computations.
  • FIG. 3[0014] b illustrates one embodiment of a more detailed method for performing lazy pre-image computations.
  • FIG. 4[0015] a illustrates one embodiment of a method for computing a fixpoint using lazy pre-image computations.
  • FIG. 4[0016] b shows an example of a lazy fixpoint computation for a circuit.
  • FIG. 5[0017] a illustrates another embodiment of a method for computing a fixpoint using both lazy pre-image computations and symbolic variable reduction.
  • FIG. 5[0018] b shows another example of a lazy fixpoint computation for a circuit using both lazy pre-image computations and symbolic variable reduction.
  • FIG. 6[0019] a illustrates one embodiment of a detailed method for performing symbolic variable reduction.
  • FIG. 6[0020] b shows one embodiment of a more detailed method for performing symbolic variable reduction.
  • FIG. 7 depicts a computing system for automated lazy symbolic model checking of finite state systems using symbolic variable reduction. [0021]
    • DETAILED DESCRIPTION
  • These and other embodiments of the present invention may be realized in accordance with the following teachings and it should be evident that various modifications and changes may be made in the following teachings without departing from the broader spirit and scope of the invention. The specification and drawings are, accordingly, to be regarded in an illustrative rather than restrictive sense and the invention measured only in terms of the claims. [0022]
  • Methods for formal verification of circuits and other finite-state systems are disclosed herein, providing for improved efficiency and capacity of popular binary decision diagram (BDD) based algorithms. For one embodiment of a lazy pre-image computation, a method is disclosed that builds new transition relation partitions on-demand only for relevant next internal variables of a state predicate, and conjoins only next state relations for relevant next internal variables to a pre-image including the state predicate. For one embodiment of a symbolic variable reduction technique, a method is disclosed that improves the efficiency for symbolic model checking computations especially lazy pre-image based computations providing means to handle very large scale integrated circuits and other finite state systems of problematic complexity for prior methods. For one embodiment of a lazy fixpoint computation, a method is disclosed that makes iterative use of lazy pre-image computation and symbolic variable reduction to compute conditions that necessarily must be satisfied to produce a given set of states. The teachings of these disclosed methods provide for symbolic model checking of circuits and other finite state systems previously too large to be completed successfully using BDD based algorithms. [0023]
  • FIG. 1 illustrates an example of a circuit [0024] 101 having internal state variables c, d, e and f; and input variables a and b. According to the logical combination of inputs to memory element 102, the value of internal state variable c at its next transition can be determined to be the value of the Boolean expression a AND c. From the logical combination of inputs to memory element 103, the value of internal state variable d at its next transition can be determined to be the value of the input variable b. From the logical combination of inputs to memory element 104, the value of internal state variable e at its next transition can be determined to be the value of the Boolean expression c OR e. Finally, from the logical combination of inputs to memory element 105, the value of internal state variable f at its next transition can be determined to be the value of the Boolean expression c NAND d.
  • A model of a circuit or other finite state system can be formally defined as: a nonempty finite set of Boolean variables, V=V[0025] S∪VIconsisting of a union V of internal state variables VS with input variables VI; and a next state function N(v) for each v in VS, which is an assignment mapping of internal state variables according to Boolean (true or false) valued expressions on V. A partitioned transition relation, R, on a partitioning of the internal state variables {V1, V2, . . . , Vk} has the implicitly conjoined form:
  • R(V, V′)=R1(V,V1′)AND R2(V,V2′) . . . AND Rk(V,Vk′)
  • where the ith partition is Ri(V,Vi′)=AND[0026] for all V′ in Vi′(v′=N(v)). The assertion v′=N(v) is called the next state relation for v and v′ is a copy of v to record the value taken on by v at the next transition.
  • A set of states, S, may be represented using a Boolean state predicate S(V). Operations on sets may be carried out as algebraic manipulations of state predicates. The set of states that can move to S in one transition is called the pre-image of S and written [0027]
  • Pre(S(V))=∃V′.[AND for all v′ in V S ′(v′=N(v))AND S(V′)].
  • An existential operation ∃V′.[S(V′)] represents a quantification of state predicate S(V′) over the variables in V′. Typically, in order to more efficiently use computation resources, the operation of computing the pre-image of a set of states is carried out as a relation product of state predicates using early variable quantification for partitioned transition relations, thereby permitting staged reductions of Boolean expressions, as follows: [0028] Pre ( S ( V ) ) = V1 . [ R1 ( V , V1 ) AND ( V2 . [ R2 ( V , V2 ) AND ( Vk . [ Rk ( V , Vk ) AND ( VI . S ( V ) ) ] ) ] ) ] .
    Figure US20030208732A1-20031106-M00001
  • One drawback of a typical pre-image computation is that it involves the entire partitioned transition relation. But S(V) may involve only a few variables. Consequently, not all next state relations are relevant in any particular invocation of a pre-image computation. [0029]
  • For example, FIG. 2[0030] a graphically illustrates a possible transition relation 201 for circuit 101 having VS ={c, d, e, f} and VI={a, b}. The next state function for variable c is N(c)=a AND c. Therefore, in order for the circuit to reach a state, S(c), where c=1 it must have made transition 211 from a state S(a AND c) where a=1 and c=1. The next state function for variable d is N(d)=b. Therefore, in order for the circuit to reach a state, S(d), where d=1 it must have made transition 219 from a state S(b) where b=1. The next state function for variable e is N(e)=e OR c. Therefore, in order for the circuit to reach a state, S(e), where e=1 it must have made transition 212 from a state S(c) where c=1 or it must have made transition 213 from a state S(e) where e=1. The next state function for variable f is N(f)=d NAND c. Therefore, in order for the circuit to reach a state, S(f), where f=1 it must have made transition 215 from a state S(NOT c) where c=0 or it must have made transition 218 from a state S(NOT d) where d=0.
  • Computing all states reachable to S(e) in two or more transitions includes the next state function for variable c, which has already been shown as N(c)=a AND c represented by [0031] transition 211. The next state function for variable NOT c is N(NOT c)=NOT(a AND c)=(NOT a) OR (NOT c). Therefore, in order for the circuit 101 to reach a state, S(NOT c), where c=0 it must have made transition 214 from a state S(NOT a) where a=0 or it must have made transition 216 from a state S(NOT c) where c=0. The next state function for variable NOT d is N(NOT d)=NOT b. Therefore, in order for the circuit to reach a state, S(NOT d), where d=0 it must have made transition 217 from a state S(NOT b) where b=0.
  • For a given state predicate, an invocation of a pre-image computation that uses [0032] transition relation 201 may result in computations that are not relevant to that state predicate. For one embodiment, a lazy pre-image computation is disclosed which provides a relevant transition relation abstraction for each pre-image computation according to the state predicate of the invocation. Such a lazy pre-image computation may be performed for a state predicate S(W), where W is contained in V and WS′ is the set of next internal variables in the set of next variables W′, as follows:
  • Pre(S(W))=∃W′.[AND for all v′ in W S ′(v′=N(v))AND S(W′)].
  • The approach provided by the lazy pre-image computation disclosed above differs from previous COI reduction approaches in that it is not statically derived from a model specification and then used throughout. Instead, it dynamically provides an abstraction for each pre-image computation that is relevant to the particular state predicate associated with the invocation. Accordingly, lazy pre-image computation provides for greater efficiency and capacity improvements in popular BDD-based symbolic model checking methods than previously used pre-image computation methods. [0033]
  • For example, the lazy pre-image of a state predicate S(e) for circuit [0034] 101 where e=1 can be computed: Pre ( S ( e ) ) = e . [ ( e = N ( e ) ) AND S ( e ) ] . = e . [ ( e = e OR c ) AND 3 ] . = ( e OR c ) .
    Figure US20030208732A1-20031106-M00002
  • FIG. 2[0035] b graphically illustrates a possible transition relation 202 for circuit 101 built as a result of an invocation of the lazy pre-image computation Pre(S(e)) on the state predicate S(e) where e=1. The next state function for variable e is N(e)=e OR c. Therefore, in order for the circuit to reach a state, S(e), where e=1 it must have made transition 222 from a state S(c) where c=1 or it must have made transition 223 from a state S(e) where e=1. Since no other transitions are relevant to reaching state S(e), the lazy pre-image method need not build them. As seen in the above example, this lazy pre-image method potentially reduces the number of transition relation partitions involved and also the sizes of partitions. Therefore computations required to explicitly build a BDD for a desired function may be significantly reduced.
  • For one embodiment, FIG. 3[0036] a illustrates performing a lazy pre-image computation. In processing block 311 transition relation partitions are updated as needed by adding new transition relations for only the relevant next internal variables. In processing block 312 a pre-image is initialized to the next state predicate of the invocation and existentially quantified over the relevant next input variables. In processing block 313, partitions with relevant next variables are identified. Finally in processing block 314, next state relations for relevant variables from the partitions identified in processing block 313 are conjoined to the pre-image and quantified.
  • The lazy pre-image method disclosed above provides for greater efficiency and capacity for symbolic model checking operations, particularly on circuits with a large number of variables. In a BDD based implementation, building transition relation partitions only as needed and only for relevant next internal variables is especially beneficial since the next state function for an internal variable is efficiently and implicitly encoded, but a BDD for the function must be explicitly built for symbolic model checking. Explicitly building BDDs unnecessarily may become computationally expensive. [0037]
  • FIG. 3[0038] b details one embodiment of a method for performing a lazy pre-image computation on a state predicate S(W) involving a set W of internal variables and input variables. In processing block 320, WS′ is initialized to be the set of next internal variables in W′. In processing block 321, WI′ is initialized to be the set of next input variables in W′. In processing block 322, the next internal variables are checked to identify some variable w′ that has not been evaluated. If one is identified, w′=N(w) is conjoined to the partition including w′ and flow returns to processing block 322 to look for more next variables that have not been evaluated. Thus the transition relation partitions are built as needed for the relevant next internal variables. When no more are found, flow proceeds at processing block 324. In processing block 324 the pre-image is initialized to the state predicate existentially quantified for the relevant next input variables and partition counter i is set to k+1. In processing block 325, i is decremented. Then in processing block 326, partition counter i is tested to see if it has reached zero. If partition counter i has not reached zero, in processing block 327 partition Vi′ is checked against W′ to identify relevant variables. If no relevant variables are found, partition Vi′ is skipped and flow proceeds at processing block 325. Otherwise in processing block 328, all next variables in Vi′ that are not in W′ are existentially quantified out from partition Vi′ and the remaining relevant variables are evaluated according to their next state relations and assigned to Ra. Then in processing block 329, Ra is conjoined with the pre-image Pre and flow proceeds with the next i at processing block 325. When i=0 indicating no more partitions remain at processing block 326, the processing terminates and pre-image Pre is complete.
  • In one embodiment, the lazy pre-image computation disclosed above provides for potential improvements in key model checking techniques. For example one embodiment of a lazy pre-image method provides an efficient general operation that may also be used effectively in performing fixpoint computations. [0039]
  • FIG. 4[0040] a illustrates one embodiment of a fixpoint computation method which uses lazy pre-image computations. In processing block 411, a partial fixpoint state predicate, Fix0, and an initial frontier predicate, Front0, are both set to the input predicate S(W), and counter i is initialized to 1. In processing block 412, the new frontier predicate, Fronti, is set to the lazy pre-image of the previous frontier predicate, Fronti−1, intersected with the negated partial fixpoint predicate,
    Figure US20030208732A1-20031106-P00005
    Fixi−1, in order to exclude any states whose pre-images have already been computed. This computation is expressed symbolically as Pre(Fronti−1)
    Figure US20030208732A1-20031106-P00006
    Figure US20030208732A1-20031106-P00005
    Fixi−1. In processing block 413 a new fixpoint predicate Fixi is set to the union of the new frontier predicate, Fronti, and the previous partial fixpoint predicate, Fixi−1. Counter i is then incremented. In processing block 419, Fronti is tested to see if any states from the previous iteration that need to have pre-images computed remain in the frontier. If so, processing beginning at processing block 412 repeats until Fronti is emptied of such states, in which case processing terminates at processing block 419.
  • FIG. 4[0041] b illustrates an example of one embodiment of performing a lazy fixpoint computation for state predicate, S(e), where e=1, on circuit 101. The fixpoint Fix0 predicate 420 for the states reachable to S(e) in zero transitions and the frontier Front0 are initially set to e. Since no pre-image computation is required, no transition relation is built. To compute the fixpoint Fix1 predicate 421 for the states reachable to S(e) in one transition a lazy pre-image of the frontier predicate Front0 is computed and combined with NOT Fix0. Since frontier predicate Front0 only involves signal e, lazy transition relation building only computes a transition relation partition for e, as [N(e)=e OR c]. Lazy pre-image Pre(S(e)) can be computed as previously shown, and the lazy pre-image computation returns e OR c based on the partially computed transition relation. The new frontier predicate Front1 is set to (e OR c) AND NOT e in accordance with processing block 412, which reduces to c AND NOT e. Fixpoint Fix1 predicate 421 for states reachable to S(e) in one transition is set to (c AND NOT e) OR e, which becomes e OR c.
  • To compute the fixpoint Fix[0042] 2 predicate 422 for those states reachable to S(e) in two transitions, the lazy pre-image of the frontier predicate Front1 is computed and combined with NOT Fix1. The pre-image is calculated as follows: Pre ( C AND NOT e ) = e , c . [ ( e = N ( e ) ) AND ( c = N ( c ) ) AND S ( e , c ) ] . = e , c . [ ( e = e OR c ) AND ( c = c AND a ) AND ( c = c AND a ) AND ( c AND NOT e ) ] . = ( c AND a ) AND NOT ( e OR c ) .
    Figure US20030208732A1-20031106-M00003
  • Alternatively, since Pre(e) has already been computed, what needs to be computed is Pre(c). It will be appreciated that reduction of frontier variables can be an extremely useful operation, providing for improved efficiency in each iteration. A frontier reduction may be accomplished through use of a symbolic variable reduction technique prior to computing the subsequent pre-image so that the pre-image computation may be performed on a smaller predicate. This symbolic variable reduction technique is below disclosed in greater detail. [0043]
  • Predicate (c AND NOT e) requires lazy transition relation building of the translation relation partition for c, as [N(c)=c AND a]. Lazy pre-image computation returns (c AND a) AND NOT (e OR c) based on the partially computed transition relation. The new frontier predicate Front[0044] 2 is set to (c AND a) AND NOT (e OR c) in accordance with processing block 412, which reduces to (c AND a AND NOT e AND NOT c)=0. Fixpoint Fix2 Predicate 422 for states reachable to S(e) in two transitions becomes just (e OR c).
  • Since frontier predicate Front[0045] 2=0 the lazy fixpoint computation terminates. The transition relations for b, d and f are not needed and therefore they are not built.
  • It will be appreciated that the operations performed in [0046] processing block 412 may cause the number of variables in the frontier predicate Fronti to grow, thereby causing the lazy pre-image computation to be less effective. Therefore, it is again desirable to reduce the number of variables in Fronti through use of symbolic variable reduction. Herein, details of one embodiment of a symbolic variable reduction technique will be disclosed.
  • If, for example, at each iteration, Front[0047] i could be replaced by a simplified frontier predicate, Front1′, having fewer variables than Fronti, such that the simplified frontier predicate implicates the partial fixpoint predicate (i.e. Fronti
    Figure US20030208732A1-20031106-P00001
    Fixi) and such that the original frontier predicate implicates the simplified frontier predicate (i.e. Fronti
    Figure US20030208732A1-20031106-P00001
    Fronti′), then the efficiency of the lazy pre-image computation in the subsequent iteration could be improved. Hence, the overall efficiency of the fixpoint computation could also be improved. It will be appreciated that the first condition (Fronti
    Figure US20030208732A1-20031106-P00001
    Fixi) may be expressed in an equivalent logical form as (Fronti′ AND NOT Fixi=0). Since it is known that (Fronti AND NOT Fixi=0), it is possible to derive some conditions for which a “don't care” variable may be eliminated from Fronti′.
  • If there is a variable v in Front[0048] i but not in NOT Fixi then v may be eliminated from Fronti′ by existential quantification. This can be expressed as follows:
  • [(∃v. Front i)AND NOT Fix i=0] for any v in Fronti but not in NOT Fix i.
  • If there is a variable v in Front[0049] i and also in NOT Fixi then v may be eliminated from Fronti′ if the intersection of both predicates is empty after v is assigned opposite Boolean values in the two predicates. This can be expressed as follows:
  • [(∃v.Front i)AND NOT Fix i=0]
    Figure US20030208732A1-20031106-P00012
    [(Front i[1/v]AND NOT Fix i[0/v]=0)AND(Front i[0/v]AND NOT Fix i[1/v]=0)].
  • If there is a variable w in Front[0050] i such that for any variable v in NOT Fixi the intersection of the two predicates is empty for all assignments to v, then w may be eliminated from Fronti′ by existential quantification. This can be expressed as follows:
  • [(∃w.Front i)AND NOT Fix i=0]
    Figure US20030208732A1-20031106-P00012
    [(∃w.Front i)AND(NOT Fix i[0/v]=0)]AND[(∃w.Front i)AND(NOT Fix i[1/v]=0)].
  • FIG. 5[0051] a illustrates one embodiment of an improved fixpoint computation method which uses lazy pre-image computations and a symbolic variable reduction technique according to the observations disclosed above. In processing block 511, a partial fixpoint state predicate, Fix0, and an initial frontier predicate, Front0, are both set to S(W), and counter i is initialized to 1. In processing block 512, the new frontier predicate, Fronti, is set to the lazy pre-image of the previous frontier predicate, Fronti−1, intersected with the negated partial fixpoint predicate,
    Figure US20030208732A1-20031106-P00005
    Fixi−1, in order to exclude any states whose pre-images have already been computed. This computation is expressed symbolically as Pre(Fronti−1)
    Figure US20030208732A1-20031106-P00006
    Figure US20030208732A1-20031106-P00005
    Fixi−1. In processing block 513 a new fixpoint predicate Fixi is set to the union of the new frontier predicate, Front1, and the previous partial fixpoint predicate, Fixi−1, which may be seen as expressing conditions for reduction of “don't care” variables. In processing block 518, the variables in frontier predicate, Fronti, are reduced according to the above disclosed conditions with respect to the negated partial fixpoint predicate,
    Figure US20030208732A1-20031106-P00005
    Fixi. Counter i is then incremented. In processing block 519, Fronti is tested to see if any states that need to have pre-images computed remain in the frontier. If so, processing beginning at processing block 512 repeats until Fronti is emptied of such states, in which case processing terminates at processing block 519.
  • FIG. 5[0052] b illustrates an example of one embodiment of performing a lazy fixpoint computation using a symbolic variable reduction technique for state predicate, S(e), where e=1, on circuit 101. The fixpoint, Fix0 predicate 520 for the states reachable to S(e) in zero transitions and the frontier Front0 are initially set to e. Since no pre-image computation is required, no transition relation is built. To compute the fixpoint Fix1 predicate 521 for the states reachable to S(e) in one transition a lazy pre-image of the frontier predicate Front0 is computed and combined with NOT Fix0. Since frontier predicate Front0 only involves signal e, lazy transition relation building only computes a transition relation partition for e, as [N(e)=e OR c]. A lazy pre-image Pre(S(e)) can be computed as previously shown, and the lazy pre-image computation returns e OR c based on the partially computed transition relation. The new frontier predicate Front1 is set to (e OR c) AND NOT e in accordance with processing block 512, which reduces to c AND NOT e. Fixpoint Fix1 predicate 521 for states reachable to S(e) in one transition is set to (c AND NOT e) OR e, which becomes e OR c.
  • This time, in accordance with [0053] processing block 518 the variables may be reduced for Front1=(c AND NOT e) using NOT Fix1=NOT(e OR c). Since the variable e appears in both predicates, the following conditions are checked: ( Front 1 [ 1 / e ] AND NOT Fix 1 [ 0 / e ] ) = ( c AND NOT 1 ) AND NOT ( 0 OR c ) = 0 AND NOT c = 0. AND ( Front 1 [ 0 / e ] AND NOT Fix 1 [ 1 / e ] = 0 ) ( c AND NOT 0 ) AND NOT ( 1 OR c ) = c AND NOT 1 = 0.
    Figure US20030208732A1-20031106-M00004
  • Accordingly, the frontier predicate Front[0054] 1 may be reduced to c.
  • To compute the fixpoint Fix[0055] 2 predicate 522 for those states reachable to S(e) in two transitions, the lazy pre-image of the reduced frontier predicate Front1 is computed and combined with NOT Fix1. The pre-image is calculated as follows: Pre ( c ) = c . [ ( c = N ( c ) ) AND S ( c ) ] . = c . [ ( c = c AND a ) AND ( c ) ] . = ( c AND a ) .
    Figure US20030208732A1-20031106-M00005
  • The predicate c requires lazy transition relation building of the translation relation partition for c, as [N(c)=c AND a]. Lazy pre-image computation returns (c AND a) based on the partially computed transition relation. The new frontier predicate Front[0056] 2 is set to (c AND a) AND NOT (e OR c) in accordance with processing block 512, which reduces to (c AND a AND NOT e AND NOT c)=0. Fixpoint Fix2 Predicate 522 for states reachable to S(e) in two transitions becomes just (e OR c).
  • Since frontier predicate Front[0057] 2=0 the lazy fixpoint computation terminates. The transition relations for b, d and f are not needed and therefore they are not built and the number of variables in the frontier are reduced by a symbolic variable reduction technique further providing reduced computational complexity and storage requirements for the lazy pre-image computations.
  • FIG. 6[0058] a illustrates a more detailed method for one embodiment of a symbolic variable reduction computation according to a set of conditions with respect to a frontier predicate and a negated partial fixpoint predicate as disclosed above.
  • In [0059] processing block 611, the recursive method entry point, the negated partial fixpoint predicate is NOT Fixd, and frontier predicate is Fronti. A variable v is selected from the variables in NOT Fixd, or Frontd. In processing block 612, the recursive method terminates if Frontd is constant, returning Frontd as a result, or if NOT Fixd is constant, returning 1 as a result. In processing block 613 the recursive depth is increased to d+1. If v is in frontier predicate, Frontd, but not in negated partial fixpoint predicate, NOT Fixd, then processing proceeds to processing block 614 where v is eliminated from Frontd by making a recursive call with arguments (Frontd[1/v] OR Frontd[0/v]) and NOT Fixd. Otherwise processing proceeds to processing block 615.
  • In [0060] processing block 615, if v is in frontier predicate, Frontd, and also in negated partial fixpoint predicate, NOT Fixd, then processing proceeds to processing block 616 where v may be eliminated from Frontd by making a recursive call with arguments (Frontd[1/v] OR Frontd[0/v]) and NOT Fixd if the intersection of NOT Fixd[0/v] when v set to zero (or false) and Frontd[1/v] when v set to one (or true) and the intersection of NOT Fixd[1/v] when v set to one (or true) and Frontd [0/v] when v set to zero (or false) are both empty. Otherwise processing proceeds in processing block 617.
  • In [0061] processing block 617, if v is in negated partial fixpoint predicate, NOT Fixd, but not in frontier predicate, Frontd, then processing proceeds to processing block 618 where another variable w is eliminated from Frontd if the intersection of Frontd with NOT Fixd[1/v] when v set to one (or true) and also with NOT Fixd[0/v] when v set to zero (or false) are both empty by making a recursive call with arguments Frontd and (NOT Fixd[1/v] OR NOT FiXd [0/V]). Upon return from a recursive call processing block 619, the result is returned as Front d.
  • It will be appreciated that the recursive method of FIG. 6[0062] a may also be performed as an iterative method. It will also be appreciated that previously computed results may be stored, for example in a hash table, to further reduce recursive computations.
  • FIG. 6[0063] b shows in detail, one alternative embodiment of the symbolic variable reduction of processing block 616. In processing block 615, if v is in frontier predicate, Frontd, and also in negated partial fixpoint predicate, NOT Fixd, then processing proceeds to processing block 621. Otherwise processing proceeds in processing block 617.
  • In [0064] processing block 621, it is understood that v may be eliminated from Frontd if the intersection of NOT Fixd[0/v] when v set to zero (or false) and Frontd [1/v] when v set to one (or true) and the intersection of NOT Fix d[1/v] when v set to one (or true) and Frontd[0/v] when v set to zero (or false) are both empty. To accomplish this, a first recursive call is made with arguments Frontd[1/v] and (NOT Fixd[1/v] OR NOT Fixd[0/v]). Processing then proceeds to processing block 622 where a second recursive call is made with arguments Frontd[0/v] and (NOT Fixd[1/v] OR NOT Fixd[0/V]). Upon return from the recursion processing proceeds in processing block 623 where the two results Frontd [1/v] and Frontd [0/v] are tested for equality. If they are found to be equal then processing terminates in processing block 624 and the result Frontd[1/v] may be returned. Otherwise processing proceeds in processing block 625 where the two intersections NOT Fixd[0/v] AND Frontd [1/v] and NOT Fix d [1/v] AND Front d[0/v] are checked. If they are both empty then processing terminates in processing block 626 and the result (Frontd [1/v] OR Frontd [0/v]) may be returned. Otherwise processing terminates in processing block 627 and the result ((v AND Frontd [1/v]) OR (NOT v AND Frontd [0/v])) may be returned.
  • The above symbolic variable reduction method is illustrated by way of example and not limitation. The method may also be applicable to any reduction of variables in a predicate P under a don't care condition Q by solving a symbolic variable reduction with the arguments P and NOT(P OR Q). [0065]
  • It will be appreciated that the methods herein disclosed or methods substantially similar to those herein disclosed may be implemented in one of many programming languages for performing automated computations including but not limited to lazy pre-image computations, symbolic variable reduction, lazy fixpoint computations using symbolic variable reduction, and lazy model checking using symbolic variable reduction on high-speed computing devices. [0066]
  • For example, FIG. 7 illustrates a computer system to perform computations, for one such embodiment. [0067] Processing device 722 is connectable with various recordable storage media, transmission media and I/O devices to receive data structures and programmed methods. Representative data structures 701 may include circuit descriptions 711, transition relations 712, and finite state models 713. Representative programmed methods 702 may include symbolic variable reduction programs 714, lazy pre-image programs 715, lazy fixpoint computation programs 716, and model checking programs 717. Components of either or both of the data structures and programmed methods may be stored or transmitted on recordable media such as removable storage disks 725, which may be accessed through an access device 726 in processing device 722 or in a storage serving system 721. Storage serving system 721 or processing device 722 may also include other removable storage media or non-removable storage media suitable for storing or transmitting data structures 701 or programmed methods 702. Component data structures and programmed methods may also be stored or transmitted on transmission media such as network 724 for access by processing device 722 or entered by users through I/O device 723. It will be appreciated that systems such as the one illustrated are commonly available and widely used in the art of designing finite state hardware and software systems. It will also be appreciated that the complexity, capabilities, and physical forms of such design systems improves and changes rapidly, and therefore understood that the design system illustrated is by way of example and not limitation.
  • The above description is intended to illustrate preferred embodiments of the present invention. From the discussion above it should also be apparent that the invention can be modified in arrangement and detail by those skilled in the art without departing from the principles of the present invention within the scope of the accompanying claims. [0068]

Claims (20)

What is claimed is:
1. A verification system comprising:
means for identifying a don't care variable in a first state predicate; and
means for producing a reduced second state predicate from the first state predicate.
2. The verification system of claim 1 further comprising:
means for performing lazy pre-image computations on the reduced second predicate.
3. A verification system comprising:
means for identifying a don't care variable in a first state predicate and a don't care condition; and
means for producing a reduced second state predicate from the first state predicate.
4. The verification system of claim 3 wherein the second state predicate is implied by the first state predicate and wherein the second state predicate implies the first state predicate or the don't care condition.
5. The verification system of claim 3 further comprising:
means for performing lazy pre-image computations on the reduced second predicate.
6. A verification system comprising:
a recordable medium to store executable instructions;
a processing device to execute executable instruction; and
a plurality of executable instructions to cause the processing device to:
identify a first variable of a state predicate, P, under a condition predicate, Q; such that there exists a reduced state predicate, P′, not including the first variable and satisfying the relation:
(P
Figure US20030208732A1-20031106-P00001
P′) AND (P′
Figure US20030208732A1-20031106-P00001
(P OR Q)); and
produce the state predicate, P′, by eliminating the first variable from the state predicate, P.
7. The verification system of claim 6 wherein a first value is substituted for said first variable.
8. The verification system of claim 7 wherein a constant logical value is substituted for the first variable in (P OR Q).
9. A verification system comprising:
a recordable medium to store executable instructions;
a processing device to execute executable instruction; and
a plurality of executable instructions to cause the processing device to:
eliminate a variable in a state predicate under a don't care condition by a symbolic variable reduction having a first argument involving the state predicate and a second argument involving a union of the state predicate and the don't care condition.
10. The verification system of claim 9 wherein said plurality of executable instructions are further to cause the processing device to:
identify a first case when the variable is in the first argument and not in the second argument.
11. The verification system of claim 10 wherein said plurality of executable instructions are further to cause the processing device to:
identify a second case when the variable is in the first argument and in the second argument.
12. The verification system of claim 11 wherein said second case being identified, said plurality of executable instructions are further to cause the processing device to:
substitute a first value for the variable in the first argument and substitute a second value for the variable in the second argument
check if an intersection of the first argument having the first value substituted for the variable with the second argument having the second value substituted for the variable is empty.
13. A verification system comprising:
a recordable medium to store executable instructions;
a processing device to execute executable instruction; and
a plurality of executable instructions to cause the processing device to:
eliminate a variable, v, in a state predicate, P, under a don't care condition, Q.
14. The verification system of claim 13 wherein said plurality of executable instructions cause the processing device to:
eliminate said variable, v, by a symbolic variable reduction having a first argument involving the state predicate, P, and a second argument involving a union of the state predicate, P, and the don't care condition, Q.
15. The verification system of claim 14 wherein said wherein the second argument is a negated union of the state predicate, P, and the don't care condition, Q.
16. The verification system of claim 14 wherein said wherein a first value is substituted for the variable the first argument.
17. The verification system of claim 16 wherein said wherein a second value is substituted for the variable the second argument.
18. The verification system of claim 14 wherein said wherein said plurality of executable instructions cause the processing device to:
eliminate said variable, v, from the first argument if it can be identified that said variable, v, is in the first argument and is not in the second argument;
else if it can be identified that said variable, v, is in the first argument and in the second argument, substitute a first value and a second value for said variable, v, in the first argument and for said variable, v, in the second argument,
form a first intersection of the first argument having the first value substituted for said variable, v, with the second argument having the second value substituted for said variable, v,
form a second intersection of the first argument having the second value substituted for said variable, v, with the second argument having the first value substituted for said variable, v, and if the first intersection and the second intersection are empty, eliminate said variable, v, from the first argument.
19. The verification system of claim 18 wherein it can be identified that said variable, v, is in the second argument and is not in the first argument, said plurality of executable instructions cause the processing device to:
eliminate a variable, w, by a recursive symbolic variable reduction having a first recursive argument involving the state predicate, P, and a second recursive argument involving the second argument having said variable, v, eliminated.
20. The verification system of claim 19 wherein said second recursive argument involves a negated intersection of the second argument having the first value substituted for said variable, v, with the second argument having the second value substituted for said variable, v.
US10/422,267 2000-09-29 2003-04-23 Verification system using symbolic variable reduction Abandoned US20030208732A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US10/422,267 US20030208732A1 (en) 2000-09-29 2003-04-23 Verification system using symbolic variable reduction

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US09/675,539 US6591400B1 (en) 2000-09-29 2000-09-29 Symbolic variable reduction
US10/422,267 US20030208732A1 (en) 2000-09-29 2003-04-23 Verification system using symbolic variable reduction

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US09/675,539 Division US6591400B1 (en) 2000-09-29 2000-09-29 Symbolic variable reduction

Publications (1)

Publication Number Publication Date
US20030208732A1 true US20030208732A1 (en) 2003-11-06

Family

ID=24710940

Family Applications (2)

Application Number Title Priority Date Filing Date
US09/675,539 Expired - Lifetime US6591400B1 (en) 2000-09-29 2000-09-29 Symbolic variable reduction
US10/422,267 Abandoned US20030208732A1 (en) 2000-09-29 2003-04-23 Verification system using symbolic variable reduction

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US09/675,539 Expired - Lifetime US6591400B1 (en) 2000-09-29 2000-09-29 Symbolic variable reduction

Country Status (1)

Country Link
US (2) US6591400B1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040064794A1 (en) * 2000-09-30 2004-04-01 Jin Yang Symbolic model checking with dynamic model pruning
US20040123254A1 (en) * 2002-12-20 2004-06-24 International Business Machines Corporation Model checking with layered localization reduction
US7487073B2 (en) 2003-05-21 2009-02-03 At&T Corp. Using symbolic evaluation to validate models that have incomplete information

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6728665B1 (en) * 2000-03-20 2004-04-27 Nec Corporation SAT-based image computation with application in reachability analysis
US6591400B1 (en) * 2000-09-29 2003-07-08 Intel Corporation Symbolic variable reduction
US7283945B2 (en) * 2000-11-03 2007-10-16 Fujitsu Limited High level verification of software and hardware descriptions by symbolic simulation using assume-guarantee relationships with linear arithmetic assumptions
US7047139B2 (en) * 2000-12-22 2006-05-16 International Business Machines Corporation Sharing information between instances of a propositional satisfiability (SAT) problem
US7653520B2 (en) * 2002-07-19 2010-01-26 Sri International Method for combining decision procedures with satisfiability solvers
US6842884B2 (en) * 2002-08-28 2005-01-11 Verplex Systems, Inc. Combinational equivalence checking methods and systems with internal don't cares
US7310790B2 (en) * 2002-12-03 2007-12-18 Intel Corporation Automatic symbolic indexing methods for formal verification on a symbolic lattice domain
US20040107174A1 (en) * 2002-12-03 2004-06-03 Jones Robert B. Parametric representation methods for formal verification on a symbolic lattice domain
US7627842B1 (en) 2003-06-03 2009-12-01 Cadence Design Systems, Inc. Method and system for verification of circuits with encoded signals
US7213220B2 (en) * 2003-12-19 2007-05-01 International Business Machines Corporation Method for verification of gate level netlists using colored bits
US7398494B2 (en) 2005-08-30 2008-07-08 International Business Machines Corporation Method for performing verification of logic circuits
US8533680B2 (en) * 2005-12-30 2013-09-10 Microsoft Corporation Approximating finite domains in symbolic state exploration
US8862439B1 (en) * 2009-06-25 2014-10-14 Cadence Design Systems, Inc. General numeric backtracking algorithm for solving satifiability problems to verify functionality of circuits and software

Citations (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5119318A (en) * 1989-04-17 1992-06-02 Del Partners L.P. Expert control system for real time management of automated factory equipment
US5469367A (en) * 1994-06-06 1995-11-21 University Technologies International Inc. Methodology and apparatus for modular partitioning for the machine design of asynchronous circuits
US5481717A (en) * 1993-04-12 1996-01-02 Kabushiki Kaisha Toshiba Logic program comparison method for verifying a computer program in relation to a system specification
US5491639A (en) * 1991-04-17 1996-02-13 Siemens Aktiengesellschaft Procedure for verifying data-processing systems
US5594656A (en) * 1993-11-02 1997-01-14 Bull S.A. Method of verification of a finite state sequential machine and resulting information support and verification tool
US5691925A (en) * 1992-06-29 1997-11-25 Lucent Technologies Inc. Deriving tractable sub-system for model of larger system
US5754454A (en) * 1997-03-03 1998-05-19 Motorola, Inc. Method for determining functional equivalence between design models
US5768498A (en) * 1996-01-23 1998-06-16 Lucent Technologies Protocol verification using symbolic representations of queues
US5774370A (en) * 1995-09-18 1998-06-30 Vlsi Technology, Inc. Method of extracting implicit sequential behavior from hardware description languages
US5805462A (en) * 1995-08-18 1998-09-08 Vlsi Technology, Inc. Automatic synthesis of integrated circuits employing boolean decomposition
US5905977A (en) * 1993-09-17 1999-05-18 Bull S.A. Method for automatic demonstration
US5937183A (en) * 1996-11-05 1999-08-10 Nec Usa, Inc. Enhanced binary decision diagram-based functional simulation
US6026222A (en) * 1997-12-23 2000-02-15 Nec Usa, Inc. System for combinational equivalence checking
US6035109A (en) * 1997-04-22 2000-03-07 Nec Usa, Inc. Method for using complete-1-distinguishability for FSM equivalence checking
US6086626A (en) * 1997-05-16 2000-07-11 Fijutsu Limited Method for verification of combinational circuits using a filtering oriented approach
US6131078A (en) * 1999-05-06 2000-10-10 Plaisted; David A. Method for design verification of hardware and non-hardware systems
US6148436A (en) * 1998-03-31 2000-11-14 Synopsys, Inc. System and method for automatic generation of gate-level descriptions from table-based descriptions for electronic design automation
US6185516B1 (en) * 1990-03-06 2001-02-06 Lucent Technologies Inc. Automata-theoretic verification of systems
US6209120B1 (en) * 1997-11-03 2001-03-27 Lucent Technologies, Inc. Verifying hardware in its software context and vice-versa
US6247165B1 (en) * 1998-03-31 2001-06-12 Synopsys, Inc. System and process of extracting gate-level descriptions from simulation tables for formal verification
US6292916B1 (en) * 1998-12-10 2001-09-18 Lucent Technologies Inc. Parallel backtracing for satisfiability on reconfigurable hardware
US6308299B1 (en) * 1998-07-17 2001-10-23 Cadence Design Systems, Inc. Method and system for combinational verification having tight integration of verification techniques
US6321186B1 (en) * 1999-05-03 2001-11-20 Motorola, Inc. Method and apparatus for integrated circuit design verification
US6339837B1 (en) * 1998-02-25 2002-01-15 Zhe Li Hybrid method for design verification
US6341367B1 (en) * 2000-07-25 2002-01-22 Lsi Logic Corporation Hardware realized state machine
US6389374B1 (en) * 1998-06-03 2002-05-14 Fujitsu Limited OBDD variable ordering using sampling based schemes
US6397370B1 (en) * 1998-12-18 2002-05-28 Candence Design Systems, Inc. Method and system for breaking complex Boolean networks
US6473885B1 (en) * 1998-07-17 2002-10-29 Mentor Graphics Corporation Digital circuit layout techniques using circuit decomposition and pin swapping
US6591400B1 (en) * 2000-09-29 2003-07-08 Intel Corporation Symbolic variable reduction
US6701499B2 (en) * 2002-06-13 2004-03-02 Lsi Logic Corporation Effective approximated calculation of smooth functions

Patent Citations (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5119318A (en) * 1989-04-17 1992-06-02 Del Partners L.P. Expert control system for real time management of automated factory equipment
US6185516B1 (en) * 1990-03-06 2001-02-06 Lucent Technologies Inc. Automata-theoretic verification of systems
US5491639A (en) * 1991-04-17 1996-02-13 Siemens Aktiengesellschaft Procedure for verifying data-processing systems
US5691925A (en) * 1992-06-29 1997-11-25 Lucent Technologies Inc. Deriving tractable sub-system for model of larger system
US5481717A (en) * 1993-04-12 1996-01-02 Kabushiki Kaisha Toshiba Logic program comparison method for verifying a computer program in relation to a system specification
US5905977A (en) * 1993-09-17 1999-05-18 Bull S.A. Method for automatic demonstration
US5594656A (en) * 1993-11-02 1997-01-14 Bull S.A. Method of verification of a finite state sequential machine and resulting information support and verification tool
US5469367A (en) * 1994-06-06 1995-11-21 University Technologies International Inc. Methodology and apparatus for modular partitioning for the machine design of asynchronous circuits
US5805462A (en) * 1995-08-18 1998-09-08 Vlsi Technology, Inc. Automatic synthesis of integrated circuits employing boolean decomposition
US5774370A (en) * 1995-09-18 1998-06-30 Vlsi Technology, Inc. Method of extracting implicit sequential behavior from hardware description languages
US5768498A (en) * 1996-01-23 1998-06-16 Lucent Technologies Protocol verification using symbolic representations of queues
US5937183A (en) * 1996-11-05 1999-08-10 Nec Usa, Inc. Enhanced binary decision diagram-based functional simulation
US5754454A (en) * 1997-03-03 1998-05-19 Motorola, Inc. Method for determining functional equivalence between design models
US6035109A (en) * 1997-04-22 2000-03-07 Nec Usa, Inc. Method for using complete-1-distinguishability for FSM equivalence checking
US6086626A (en) * 1997-05-16 2000-07-11 Fijutsu Limited Method for verification of combinational circuits using a filtering oriented approach
US6301687B1 (en) * 1997-05-16 2001-10-09 Fujitsu Limited Method for verification of combinational circuits using a filtering oriented approach
US6209120B1 (en) * 1997-11-03 2001-03-27 Lucent Technologies, Inc. Verifying hardware in its software context and vice-versa
US6026222A (en) * 1997-12-23 2000-02-15 Nec Usa, Inc. System for combinational equivalence checking
US6339837B1 (en) * 1998-02-25 2002-01-15 Zhe Li Hybrid method for design verification
US6148436A (en) * 1998-03-31 2000-11-14 Synopsys, Inc. System and method for automatic generation of gate-level descriptions from table-based descriptions for electronic design automation
US6247165B1 (en) * 1998-03-31 2001-06-12 Synopsys, Inc. System and process of extracting gate-level descriptions from simulation tables for formal verification
US6389374B1 (en) * 1998-06-03 2002-05-14 Fujitsu Limited OBDD variable ordering using sampling based schemes
US6308299B1 (en) * 1998-07-17 2001-10-23 Cadence Design Systems, Inc. Method and system for combinational verification having tight integration of verification techniques
US6473885B1 (en) * 1998-07-17 2002-10-29 Mentor Graphics Corporation Digital circuit layout techniques using circuit decomposition and pin swapping
US6292916B1 (en) * 1998-12-10 2001-09-18 Lucent Technologies Inc. Parallel backtracing for satisfiability on reconfigurable hardware
US6397370B1 (en) * 1998-12-18 2002-05-28 Candence Design Systems, Inc. Method and system for breaking complex Boolean networks
US6321186B1 (en) * 1999-05-03 2001-11-20 Motorola, Inc. Method and apparatus for integrated circuit design verification
US6131078A (en) * 1999-05-06 2000-10-10 Plaisted; David A. Method for design verification of hardware and non-hardware systems
US6341367B1 (en) * 2000-07-25 2002-01-22 Lsi Logic Corporation Hardware realized state machine
US6591400B1 (en) * 2000-09-29 2003-07-08 Intel Corporation Symbolic variable reduction
US6701499B2 (en) * 2002-06-13 2004-03-02 Lsi Logic Corporation Effective approximated calculation of smooth functions

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040064794A1 (en) * 2000-09-30 2004-04-01 Jin Yang Symbolic model checking with dynamic model pruning
US20040123254A1 (en) * 2002-12-20 2004-06-24 International Business Machines Corporation Model checking with layered localization reduction
US6957404B2 (en) * 2002-12-20 2005-10-18 International Business Machines Corporation Model checking with layered localization reduction
US7487073B2 (en) 2003-05-21 2009-02-03 At&T Corp. Using symbolic evaluation to validate models that have incomplete information
US7827013B1 (en) * 2003-05-21 2010-11-02 At&T Intellectual Property Ii, L.P. Using symbolic evaluation to validate models that have incomplete information
US20100318333A1 (en) * 2003-05-21 2010-12-16 Hall Robert J Using symbolic evaluation to validate models that have incomplete information
US8065125B2 (en) * 2003-05-21 2011-11-22 At&T Intellectual Property Ii, L.P. Using symbolic evaluation to validate models that have incomplete information

Also Published As

Publication number Publication date
US6591400B1 (en) 2003-07-08

Similar Documents

Publication Publication Date Title
US6591400B1 (en) Symbolic variable reduction
Berezin et al. Compositional reasoning in model checking
Geist et al. Efficient model checking by automated ordering of transition relation partitions
Clarke et al. Model checking and abstraction
Bloem et al. Efficient decision procedures for model checking of linear time logic properties
Pastor et al. Petri net analysis using boolean manipulation
McMillan Applying SAT methods in unbounded symbolic model checking
Biere et al. Verifying safety properties of a PowerPC− microprocessor using symbolic model checking without BDDs
Bhat et al. Efficient on-the-fly model checking for CTL
Ball et al. Boolean and Cartesian abstraction for model checking C programs
Grumberg et al. Model checking and modular verification
Ranjan et al. Efficient BDD algorithms for FSM synthesis and verification
Seger et al. Formal verification by symbolic evaluation of partially-ordered trajectories
Munoz et al. Formalization of Bernstein polynomials and applications to global optimization
US7380224B2 (en) Method and system for non-linear state based satisfiability
US6643827B1 (en) Symbolic model checking with dynamic model pruning
US8131532B2 (en) Software verification using range analysis
Grumberg et al. Distributed symbolic model checking for μ-calculus
EP1913472A2 (en) Disjunctive image computation for sequential systems
Jin et al. Efficient conflict analysis for finding all satisfying assignments of a Boolean circuit
Chauhan et al. Using SAT based image computation for reachability analysis
Shoham et al. 3-valued abstraction: More precision at less cost
US6725431B1 (en) Lazy symbolic model checking
Pan et al. Optimizing a BDD-based modal solver
WO2002091177A1 (en) Transforming variable loops into constant loops

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO PAY ISSUE FEE