
In the previous chapter we explained the equivalence between the block labelled FSM∗ and the block labelled Simulatable models in HOL. This can also be seen in Figure 7.2. Circuit models obtained by using the function Abs have symmetry whenever the corresponding structured circuit model has one. This is why we have shown in Figure 7.2 an equivalence between the block labelled FSM∗ and the block labelled STE models in HOL. We can observe this equivalence for each instance of the circuit model. We can conclude that the structured circuit model has symmetry by way of type checking, and using Lemma 6.33. Then we obtain the corresponding three-valued STE model in HOL by using the function Abs, and then prove for the specific instance that Symχ holds.

The STE model in HOL, obtained by using the function Abs, is equivalent to the FSM representation in Forte. This means that if we evaluate the run-time behaviour of a given STE model in HOL and the run-time behaviour of the FSM for the same model, it will be identical on all sets of input and output lattice states. We depict this equivalence graphically in Figure 7.2.

7.5. Summary 101

[Figure 7.2 shows the blocks Structured Models, Netlist term, Exlif, FSM, FSM∗, STE models in HOL and Simulatable models in HOL, connected by the conversions ckt2netlist, netlist2exlif, nexlif2exe, Abs, the HOL conversions and the ML program; the pairs FSM∗/STE models in HOL, FSM∗/Simulatable models in HOL, FSM/STE models in HOL and FSM/Simulatable models in HOL are marked Equivalent.]

Figure 7.2: Overall framework of circuit modelling.

We showed in the previous chapter how to interpret the run-time behaviour of the structured models over Boolean streams, by using an ML pre-processing step and the HOL conversions. The run-time interpretation of those models is equivalent to the run-time behaviour of the corresponding FSMs. If we evaluate the run-time behaviour of those models in HOL, and evaluate the corresponding FSMs in Forte, we will get identical behaviour for all values over the Boolean domain. This is shown in Figure 7.2 by an equivalence between the block labelled Simulatable models in HOL and the block labelled FSM.

7.5 Summary

In this chapter we presented techniques to derive the STE model from the structured description. We showed two different approaches to doing this. One approach extracts the STE model in the HOL logic, so it can be simulated using the STE simulator in HOL, and the other approach derives Forte’s FSM, where a three-valued model is constructed on-the-fly by the STE simulator in Forte. This approach enables us to extract several reasonably large FSMs, thereby enabling STE simulation in Forte. We show that the extracted STE models are monotonic, and provide informal notions of equivalences of the different modelling formats for circuits.

Thus this chapter has provided both a theoretical and practical link between the symmetry identification theory that we presented in Chapter 6, and the theory of symmetry reduction that we will present in the next chapter.

Chapter 8

Reduction Methodology

This chapter examines the other side of our research, which is a strategy of reduction based on symmetry identification. Once we have diagnosed the presence of symmetries via type checking of circuit models, we need to carry out a process of property reduction and use arguments from the symmetry theory to justify a reduction of the verification problem. In this chapter, we present a novel set of inference rules that can be used for property decomposition in a tactical manner. We use symmetry based arguments to justify clustering of symmetric STE properties. Then we can pick one representative STE property from each equivalence class, verify that property by running an STE simulator, and conclude because of symmetry that all the other equivalent representatives have been verified as well. Once we have done this we can use the inference rules in the forward direction to deduce the overall statement of correctness of the original STE property. We show how this is done on the multiplexer and the comparator circuit, whose modelling we showed in the previous chapter.

8.1 Overview of reduction

In Figure 8.1, we show the big picture of the overall property reduction framework. The framework shows how modelling circuits using a higher, more abstract and structured description (shown in Chapter 6) enables us to record that the equivalent FSM has symmetries (Chapter 7). This information is then used for performing a reduction-based verification of STE properties. The reduction approach is centred around the use of a set of STE inference rules, and the observation that symmetry in circuit models is mirrored by symmetry in STE properties. This gives us a sound basis for justifying that verifying the reduced properties against the original circuit model (FSM) is sufficient to guarantee that the original STE properties have been verified against the FSM.

The question we ask in a typical property verification is whether or not the FSM satisfies (|=) the STE property. Rather than trying to feed the STE property directly into an STE simulator to verify it, we decompose the property using the STE inference rules into smaller properties.

The reduced STE properties are then partitioned into different equivalence classes, and one representative from each equivalence class is fed into Forte for explicit STE simulations.
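The decompose, partition, pick-a-representative, simulate loop just described, as an added Python illustration that is not the thesis's own code and does not implement its inference rules. It assumes a simplified single-step, purely combinational STE-style check over the three-valued lattice {X, 0, 1}, a constructed 3-bit multiplexer netlist (NETLIST), index permutations of the buses a, b and o as the symmetry group (GROUP), and takes the per-bit decomposition of the bus-level property as given.

```python
# Added illustration of symmetry reduction over decomposed STE-style properties.
# Not code from the thesis. Assumptions: single-step combinational evaluation over
# the lattice {X, 0, 1}; a constructed 3-bit multiplexer netlist; bus-index
# permutations as the symmetry group; per-bit decomposition taken as given.
from itertools import permutations

X, ZERO, ONE = "X", "0", "1"      # X is the bottom of the lattice (unknown)
WIDTH = 3

def mux3(s, a, b):
    """Three-valued 2:1 mux: an unknown select yields a known output only if a == b."""
    if s == ZERO:
        return a
    if s == ONE:
        return b
    return a if a == b else X

GATES = {"mux": mux3}

# Constructed netlist: node -> (gate, input nodes). o_i = a_i when s=0, b_i when s=1.
NETLIST = {"s": ("in", ())}
for _i in range(WIDTH):
    NETLIST[f"a{_i}"] = ("in", ())
    NETLIST[f"b{_i}"] = ("in", ())
    NETLIST[f"o{_i}"] = ("mux", ("s", f"a{_i}", f"b{_i}"))

# Index permutations of the buses a, b and o: the symmetry group assumed here.
GROUP = [tuple(p) for p in permutations(range(WIDTH))]

def simulate(netlist, antecedent):
    """Evaluate the netlist once; nodes not fixed by the antecedent start at X."""
    values = {n: antecedent.get(n, X) for n in netlist}
    changed = True
    while changed:                      # gates are monotone, so this reaches a fixpoint
        changed = False
        for node, (gate, ins) in netlist.items():
            if gate == "in":
                continue
            new = GATES[gate](*(values[i] for i in ins))
            if new != values[node]:
                values[node], changed = new, True
    return values

def check(netlist, prop):
    """A property is (antecedent, consequent), each a frozenset of (node, value).
    It holds if every consequent node is driven to exactly the required value."""
    ante, cons = prop
    values = simulate(netlist, dict(ante))
    return all(values[n] == v for n, v in cons)

def decompose(sel, src, width):
    """Split '(s=sel, src bus = v) => o = v' into per-bit properties. Each per-bit
    property has a weaker antecedent, so together they imply the bus-level one."""
    return [(frozenset({("s", sel), (f"{src}{i}", v)}), frozenset({(f"o{i}", v)}))
            for i in range(width) for v in (ZERO, ONE)]

def rename(name, pi):
    """Apply index permutation pi to a bus node name such as 'a2'; 's' is unchanged."""
    if name[0] in "abo" and name[1:].isdigit():
        return name[0] + str(pi[int(name[1:])])
    return name

def apply_perm(prop, pi):
    return tuple(frozenset((rename(n, pi), v) for n, v in side) for side in prop)

def netlist_is_symmetric(netlist, pi):
    """Model-side check: renaming every node by pi gives the same netlist back."""
    renamed = {rename(n, pi): (g, tuple(rename(i, pi) for i in ins))
               for n, (g, ins) in netlist.items()}
    return renamed == netlist

def canonical(prop, group):
    """Orbit representative: the lexicographically least image of prop under the group."""
    return min((apply_perm(prop, pi) for pi in group),
               key=lambda p: (sorted(p[0]), sorted(p[1])))

def partition(props, group):
    """Equivalence classes of properties: two are equivalent if some permutation maps one to the other."""
    classes = {}
    for p in props:
        classes.setdefault(canonical(p, group), []).append(p)
    return classes

def reduce_and_verify(netlist, props, group):
    """Confirm the model has the symmetry, then simulate one representative per class.
    Returns (simulations run, properties covered, all representatives verified)."""
    if not all(netlist_is_symmetric(netlist, pi) for pi in group):
        raise ValueError("netlist is not invariant under the assumed symmetry group")
    classes = partition(props, group)
    ok = all(check(netlist, rep) for rep in classes)
    return len(classes), sum(len(c) for c in classes.values()), ok

if __name__ == "__main__":
    props = decompose(ZERO, "a", WIDTH) + decompose(ONE, "b", WIDTH)
    runs, covered, ok = reduce_and_verify(NETLIST, props, GROUP)
    print(f"{runs} STE runs covered {covered} decomposed properties; verified: {ok}")
```

Running it reports that 4 representative simulations cover all 12 decomposed properties (one class per select value and data value, each containing the three per-bit properties). The invariance check at the start of reduce_and_verify is the analogue of establishing that the model has the symmetry before relying on it; a representative that fails (as it does if the two data inputs of each mux are wired the other way round) is a failure of the whole class, and a property whose antecedent leaves the select unknown is rejected because the output stays at X.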

8.1. Overview of reduction 104

[Figure 8.1 shows the flow from FSM∗ (Chapter 6, FSM∗ has symmetry) through FSM∗ to FSM (Chapter 7, FSM has symmetry), with the symmetry in the STE model mirrored by symmetry in the STE property; the STE property to be checked against the FSM is decomposed by the STE Inference Rules into reduced STE properties, which are partitioned into equivalence classes; representatives are picked from each equivalence class and checked against the FSM, whereupon the whole class of equivalent STE properties is verified.]

Figure 8.1: Reduction framework.

The partitioning of the properties is based on having identified the names of circuit nodes that belong to a bus in the symmetric inputs. Nodes that belong to the symmetric buses, and whose names appear in the decomposed STE properties, generate the notion of equivalence on the set of STE properties. Thus if we verify a decomposed STE property that talks about a node “a0” and there are other smaller properties that talk about nodes “a1”, “a2”, and nodes “a0”, “a1” and “a2” form a symmetric bus then, having verified the property that talks about “a0”, means we have verified the corresponding

8.2. Key components 105