
simulator, and it does not have to build expressions for combinations of values that are not of interest. The actual param function can be found in [5, 60].

Symmetry [82] has been used with STE model checking to reduce the number of explicit STE cases one needs to verify. A central problem in using a symmetry-based reduction approach is the identification of symmetry in circuit models. If not addressed properly, it could have a substantial effect on the overall verification time. We shall talk about this in more detail when we explain the problem of symmetry reduction for STE model checking in Chapter 5.

3.9 Related work

We have explained in this chapter that STE is an efficient model checking technique, principally because it encapsulates symbolic simulation over a three-valued logic, with limited temporal features. The ability to reason with X's in the logic of STE gives an automatic and powerful data abstraction. Ching-Tsun Chou [34] showed that the data abstraction in STE using X's corresponds to a Galois connection. Recent work by Roorda and Claessen clarifies the semantics of STE model checking by providing closure semantics [92]. They claim that the original semantics of STE [96], also explained in this chapter, is not faithfully implemented in industrial versions of STE simulators such as Forte [97]. The reason stems from the fact that the excitation function in STE only relates the present state (current time point) to the next state (one unit of time later), and says nothing about the propagation of information between nodes at the same time point. The closure semantics of STE takes as input a state of the circuit, and calculates all information about the circuit state at the same point in time that can be derived by propagating the information in the input state in a forwards fashion. Subsequently, the definition of the defining trajectory and the STE implementation are refined to deal with the closure functions rather than the next-state function.

We showed in this chapter that STE can deal with only a restricted form of temporal behaviour, since the STE logic has only one next-time operator. However, there have been advances in extended forms of STE-based model checking [112] that can express all forms of temporal properties that one is able to express using conventional symbolic model checking [35, 43, 63].

Chapter 4

Symmetry

The focus of our research is to exploit symmetry in circuit models, for property reduction with STE model checking. Symmetry has been used by a number of researchers in the past to achieve significant reduction in the size of model checking problems [30, 39, 40, 64, 82, 83, 103].

In this chapter we introduce the basic mathematical foundations of symmetry and its application to the reduction of properties and models during the verification of systems. In the next section we will introduce the basic concepts of symmetry, and we will present some of the key work done in symmetry-based reduction for model checking in Section 4.2. The concept of symmetry is closely linked to the notion of data independence [68], which is reviewed in Section 4.3. Section 4.4 presents another perspective on symmetry; it views symmetry as an instance of abstraction [59]. In the last section of this chapter we will discuss the current state of the art in symmetry-based reduction in STE model checking, and study its limitations.

4.1 The mathematical foundation of symmetry

An object is said to have symmetry with respect to a given set of operations if applying any one of the operations to the object leaves a certain property of the object unchanged. An object has a symmetry if we can define a set of operations and identify a property of that object that this set of operations will leave unchanged when applied to that object. The operations that preserve the given property of an object form a group. Symmetries of an object can be characterised by a special kind of group known as the automorphism group. In the subsequent sections we shall review the basics of group theory in more detail and its relation to symmetry.

4.1.1 Group

A group is given by a triple (G, ∗, I) where G is a set of elements, ∗ is a binary operation, and I ∈ G is an identity element, such that they satisfy the following four axioms:

1. Closure: ∀a b ∈ G. (a ∗ b) ∈ G

2. Associativity: ∀a b c ∈ G. (a ∗ b) ∗ c = a ∗ (b ∗ c)

3. Identity: ∀a ∈ G. I ∗ a = a ∗ I = a

4. Inverse: ∀a ∈ G. ∃a⁻¹ ∈ G. a ∗ a⁻¹ = I

For a given group, whenever we fix an identity element I and the binary operator ∗, we will just use G to denote the group, rather than the triple notation. Whenever ∗ is commutative, the group is said to be Abelian.

A group is called finite if the underlying set has finitely many elements. A subset of a group that is itself a group is called a subgroup.

4.1.2 Permutation and symmetric groups

A permutation is defined as a bijective mapping of an ordered set onto itself [13]. If we denote a set of elements by S, then the collection of all permutations of S forms a group SymS under function composition ◦, which is known as the symmetric group. For a set consisting of n elements, the order of the symmetric group is n!. The term permutation group refers to any subgroup of the symmetric group.

The symmetry group of an object is the group of all symmetry preserving operations under which the object is invariant, with function composition as the group operation. For many geometric objects this often includes operations such as rotations, reflections and inversions. In our treatment of symmetry for STE, we are interested in the symmetric group SymS, which consists of n! permutation operations. We do not deal with other kinds of symmetry preserving operations such as bit inversion in this dissertation.

Let S be a set consisting of the following n elements: {a₁, a₂, …, aₙ}. Then the expression (a₁, a₂, …, aₙ) denotes a cyclic permutation that takes a₁ to a₂, a₂ to a₃, …, aₙ₋₁ to aₙ and aₙ to a₁. The number n is the length of this permutation, and a cyclic permutation of length n is called an n-cycle. A cyclic permutation of length 2 is usually referred to as a transposition, or a swap.

4.1.3 Generator of a group

A set of elements P of a group G generates the group G if every element of G can be written as the product of a finite number of factors, each of which is either an element of P or the inverse of such an element. The definition of a group by means of its generators is an exceedingly useful device. For a set S consisting of n elements, the pair-wise distinct transpositions (1 2), (2 3), …, (n−1 n) together generate the symmetric group SymS [13].

This means that for a set consisting of n elements we only ever have to consider n−1 pair-wise distinct transpositions rather than n! permutations to completely generate the symmetric group.

4.1.4 Equivalence classes and orbits

Given a group G ⊆ SymS, any operation of G on a set S defines an equivalence relation on S: two elements x and y are called equivalent if there exists a g in G with gx = y.
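The generator argument of Section 4.1.3 and the equivalence relation of Section 4.1.4 can be checked on a small case. The following Python sketch is an added example, not code from the dissertation: it closes the n−1 adjacent transpositions into the full symmetric group, tests a Boolean function for invariance using the generators alone, and computes equivalence classes directly from the generators. The functions `majority` and `mux` are constructed test circuits, and positions are numbered from 0 rather than 1.

```python
from itertools import product

def transposition(n, i, j):
    """Permutation of range(n), as a tuple, swapping positions i and j."""
    return tuple(j if k == i else i if k == j else k for k in range(n))

def compose(p, q):
    """Function composition p∘q: apply q first, then p."""
    return tuple(p[q[i]] for i in range(len(p)))

def generate(gens, n):
    """All finite products of the generators: the group they generate."""
    group = {tuple(range(n))}
    frontier = list(group)
    while frontier:
        g = frontier.pop()
        for h in (compose(s, g) for s in gens):
            if h not in group:
                group.add(h)
                frontier.append(h)
    return group

def invariant(f, perms, n):
    """True if f(x) == f(x permuted by p) for every p and every n-bit input x."""
    return all(f(x) == f(tuple(x[p[i]] for i in range(n)))
               for p in perms for x in product((0, 1), repeat=n))

def orbits(gens, n):
    """Classes of range(n) under x ~ y iff some group element maps x to y."""
    classes, seen = [], set()
    for x in range(n):
        if x in seen:
            continue
        orbit, stack = {x}, [x]
        while stack:
            y = stack.pop()
            for z in (s[y] for s in gens if s[y] not in orbit):
                orbit.add(z)
                stack.append(z)
        seen |= orbit
        classes.append(sorted(orbit))
    return classes

N = 4
ADJACENT = [transposition(N, i, i + 1) for i in range(N - 1)]  # (1 2),(2 3),(3 4)

def majority(x):  # constructed circuit: symmetric in all inputs
    return int(sum(x) > len(x) // 2)

def mux(x):  # constructed circuit: x[0] selects x[1] or x[2]; not symmetric
    return x[1] if x[0] else x[2]
```

Invariance under each generator carries over to every product of generators, which is why the check over `ADJACENT` agrees with the check over all 24 permutations.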
