Title Page

1. Implicit and Explicit Reachable State Space Exploration Of Esterel Logical Circuits Title Page Yannis.BRES@sophia.inria.fr Advisor : Gerard.Berry@esterel-technologies.com 10th International Workshop on Synchronous Reactive Languages Agelonde, France  November 26th, 2002

2. Introduction Introduction Context of our work : Synchronous logical circuits (RTL) derived from high-level hierarchical designs written in SyncCharts, ECL or Esterel Computing the Reachable State Space (RSS) of a design is used for : Formal verification by observers Equivalence checking (somewhat a special case of formal verification) Explicit automaton generation Exhaustive test sequence generation … Several approaches to RSS computation : Implicit : using BDDs Explicit : state enumeration + recursive branchings on inputs Hybrid : state enumeration + BDDs representing input combinations

3. Binary Decision Diagrams (BDDs) Binary Decision Diagrams (BDDs) A data structure for Boolean functions that usually provide : Very compact representations Very efficient algorithms BDDs allow manipulating sets through their characteristic function However, BDDs may blow up impredictibly on complex computations ! =, - : constant in time and space ,  : quadratic in time and space , substitutions : exponential in time and space

4. RSS Computation using BDDs RSS Computation using BDDs Exponentially complex wrt. involved variables, in both memory and time : 1 BBD variable per input Input variables have to be existentially quantified 2 BDD variables per state variable (register) State variables have to be existentially quantified and substituted  Reduce state variables ! A usual technique to reduce state variables : Replacing state variables by free inputs (inputization) Less variables to substitute As many variables to existentially quantify Our approach : abstracting variables using a ternary-valued logic (0,1,) Variables to be abstracted are replaced by the constant  Less variables to substitute Less variables to existentially quantify

5. Over-approximation Over-approximation Inputization and variable abstraction relax constraints between variables  Over-approximation, conservative wrt. reachable states  No false positive for formal verification, only false negative  “Snow-ball effect” Inputization keeps correlation between variable instances r r i i = 0 r r i i = 1 Variable abstraction looses correlation between variable instances r r   =  r r   =  Another source of over-approximation within ternary-valued RSS compu-tation algorithm : set widening Three disjoint set (f0,f1,f)  two set partition (¬f1,¬f0) In practice, if over-approximation gets too important, false negatives quickly appear and computation stops  worth trying

6. Our formal verifier : evcl Our formal verifier : evcl Esterel Verification Command Line Built upon the TiGeR BDD package Features : Variable inputization / abstraction Use of structural information (Selection Tree) to reduce over-approximation White-Box (embed. observers) / Black-Box (external obs.) Model Checking … Variable abstraction up to 23 times faster than inputization on a few experi-ments on industrial designs, although current implementation is rather crude Variable inputization/abstraction not applicable on any design Selection of variables to inputize/abstract not automatized at all (although easy to perform in a IDE providing a hierarchical view of the model to be verified)

7. Explicit or hybrid implicit/explicit RSS computation Explicit or hybrid implicit/explicit RSS computation A multi-purpose engine for the exploration of the RSS of Esterel circuits : States are analyzed one after another Known states are stored in a hashtable and identified by their state vector States are analyzed through propagation of data until circuit stabilization, as electric current would do Two flavours : Pure explicit approach : Stabilization through recursive branchings on inputs Hybrid implicit/explicit approach : Stabilization through BDD (referencing only inputs) propagation Support for (constructive) cyclic circuits is transparent Deeply tuned and optimized, many heuristics to avoid time/space explosion  high performances Engine used for several purposes : Automaton generation, formal verification, test sequence generation

8. Automaton generation Application to automaton generation Esterel v1, v2, v3 used automata as internal model representation Automata can be exponential both in construction time and storage size Since v4, Esterel use circuits as internal model representation Circuits are almost linear with code size Automaton generation became less important v4 automaton generator became out-of-sync Worked only on acyclic circuits, poor performances, hard to maintain However, automata are still interesting : Automata often provide the most efficient implementation : All control flow is computed at compile-time Only input/test dependant stuff remain to be evaluated at run-time Lot of information on the design are directly available with automata

9. Automaton generation Application to automaton generation How to generate automata ? Enumerative approach almost required (to respect action causality) Implicit/explicit approach more expensive than pure explicit approach : Too much BDD cofactoring required Our automaton generator : By far much more efficient than the v4 one Bundled with the Esterel Compiler since v5_91

10. Application to Formal Verification Application to formal verification For most designs, pure implicit approach is much more efficient However, pure implicit approach : Behaves impredictibly and may blow-up Cannot work on cyclic circuits Is very sensitive to redundant registers Enumerative approaches : Behave very regularly on most designs, although usually much slower Provide transparent support for cyclic circuits Don’t care about redundant registers or design depth

11. Formal verification case studies Formal verification case studies Purely linear testbench (depth = 243, 243 states) Pure implicit approach : 39mn, 8.5Mb SAT (Prover) : still no answer at all after >3h, <40Mb Pure explicit approach : 1.6s, insignificant memory Hybrid implicit/explicit approach : 1.8s, insignificant memory TI data bus (depth= 181, 652 948 states, lot of redundant registers) Pure implicit approach : blow-up at depth 9 in 17mn (2Gb) SAT (Prover) : still no answer at all after many hours Pure explicit approach : 2h 33mn, 104Mb Hybrid implicit/explicit approach : 3h 09mn, 110Mb

12. Application to exhaustive test sequence generation Application to exhaustive test sequence generation The Finite State Machine model allows the generation of exhaustive test sequences… on designs of small to average size Several coverage goals : State coverage Output coverage (pathes leading to output emission) Transition coverage … A test generation tool based on a pure implicit approach, providing these coverage goals, has been develop-ped at Esterel Technologies Transition coverage cannot be performed Only connected state pair coverage, at the expense of twice more state variables involved in image computations Enumerative approaches can provide any kind of coverage without signifi-cant overhead Comparison on state coverage : Enumerative approach always more efficient, up to 86 times faster

13. Conclusion Conclusion A formal verification tool based on implicit methods, allowing variable abs-traction and many other features A multi-purpose explicit or hybrid implicit/explicit RSS exploration engine : Explicit automaton generation Exhaustive test sequence generation Formal verification