Invoking the Equivalence Detection - Formal Sequential Equivalence Checking of Digital Systems

The symbolic simulator employs a number of techniques to determine equivalent terms during simulation. Re-checking equivalence for all terms already encoun- tered on a path after each simulation step would decrease the simulation speed unacceptably. Therefore, invoking the equivalence detection has to be controlled as discussed in this section. The dd-checks are usually just used at the end of a path if the veriﬁcation goal is not demonstrated. An exception represents symbolic simulation for gate-level veriﬁcation as discussed in section 6.4.

The transformation steps done during pre-processing preserve the timing struc- ture. In general, equivalence of the arguments of two terms is already known, when the second term is found on the path. Therefore, it is sufficient to check only at the first occurrence of a term whether it is equivalent to other terms previously found. Furthermore, equivalence checking for a term is stopped after the first union operation, since all equivalent terms are (ideally) already in the same equivalence class.

Invoking equivalence detection for a term only at its ﬁrst occurrence can be insuﬃcient because of successive case-splits. The set of possible initial RegVals is constrained by a case-split. Equivalence of two terms previously found on the path might be given only under this new decision.

Example 4.7

The last situation occurs especially in the case of operations to memories. The order of the read- and the store-operation is reversed in the implementation of the example of Fig. 4.10. Thus, val is forwarded if the addresses are identical. The problem is to detect that, in the opposite case, the ﬁnal values of x are identical, which is only obvious after the case-split (setting adr1 ∼=_C adr2) and not already after the assignments to x.

Speciﬁcation mems₁[adr1]←val; xs1←mems1[adr2];

zs1← xs1 +y;

Implementation xi₁←mem[adr2]; memi1[adr1]←val;

if adr1=adr2 then zi

1←val+y;

else zi1← xi1 +y;

4.2 Invoking the Equivalence Detection 49

The example indicates, that it is important to check read- and store-terms whenever the equivalence classes of the corresponding addresses are modiﬁed. Re-checking equivalence of all terms found on a path after each case-split is unacceptable, too. Equivalence detection is invoked again for a term in two cases:

• the value of a condition cannot be decided, i.e., its value seems to depend on the initial RegVals. This would make a case-split necessary. The terms of the condition are re-checked if there are additional case-splits after the ﬁrst occurrence of the terms. The repeated equivalence check veriﬁes if additional equivalences are given under the additional assumptions of the case-splits. Those equivalences may allow to decide the value of the condition and to avoid the case-split leading to one false path;

• the veriﬁcation goal, i.e., the equivalence of two terms or RegVals is not demonstrated since the terms are not in the same EqvClass.

Terms can have other terms, intermediate RegVals and initial RegVals as arguments. Invoking the equivalence detection for the arguments of a term, i.e., the subterms depends on whether the term is found for the ﬁrst time or whether the equivalence of the term is re-checked:

• a term is found for the ﬁrst time on a path: equivalence detection is called recursively only for those subterms, which have also been found for the ﬁrst time; note that the terms assigned to intermediate RegVals are guaranteed to be checked at least once;

• equivalence of a term is re-checked: all arguments are re-checked recursively; terms assigned to intermediate RegVals are re-checked, too. There- fore, invoking recursively the equivalence detection stops only at the initial RegVals or constants.

Invoking the equivalence detection only when a term is ﬁrst found, a condition has to be decided, or the veriﬁcation goal is not demonstrated need not be optimal. Invoking additionally the equivalence detection after case-splits can be useful if a term is frequently used as argument of other terms and

• if the equivalence of a term with a speciﬁc function to other terms often depends on successive case-splits,

• it is frequent that the assumption of a case-split establishes an equivalence between one of the terms or subterms of the condition and some other term, or/and

50 CHAPTER 4 Symbolic Simulation Procedure

Deciding if an additional check is useful is a trade-off between its computation time and the time for a possible re-check, which is often higher. If the equivalence of two terms has to be detected to decide a condition or to demonstrate the verification goal then a re-check is required as described above. This re- check considers all subterms and requires, therefore, more computation time. For example, a re-check of the final values of zs

1 and zi1 in Example 4.7 includes

re-checking the additions. This is avoided if equivalence detection is invoked again for the read-operation mems

1[adr2] directly after the case-split.

The eﬀect of invoking additionally the equivalence detection on the simulation speed has to be judged by experimental evidence. The following additional checks have turned out to be useful:

• memory operations are re-checked each time the EqvClass of the corresponding addresses is modiﬁed. This is necessary since the value of the addresses is often constrained by case-splits after the ﬁrst occurrence of the term as in Example 4.7;

• a case-split can constrain the value of a term so that the term is equivalent to a constant; since the domain of an n-bit-vector is restricted to 2n_values,

setting it ∼=_C to 2n − 1 values means that it must be equivalent to the remaining value. For example, if b, a vector of 2 bits, is set inequivalent to 00, 01, and 11, then b is equivalent to 10. Moreover, setting bit-selections of a term equivalent to a constant (e.g., a[3:4]∼=_C3) in a case-split constrains also the set of possible values of a term. Therefore, the technique described in section 5.10 is used to check whether a term is equivalent to a constant each time

– the term is set inequivalent to a term, which is in a EqvClass with a constant,

– a bit-selection of the term is set equivalent to a constant, or

– a bit-selection of the term is set inequivalent to a term, which is in an EqvClass with a constant.

Invoking equivalence detection in these cases is useful since knowledge about constant values of terms often simpliﬁes signiﬁcantly equivalence detection;

• the result of each dd-check is marked since it might be reused during the simulation of the remaining paths. If the conditions under which the previous dd-check was performed are also satisfied in the current path then the equivalence verified by the dd-check holds, too; section 6.6 describes how results of dd-checks are notified and when the conditions are checked.

In document Formal Sequential Equivalence Checking of Digital Systems by Symbolic Simulation (Page 62-65)