A Transformation-Based Approach to Implication of GSTE Assertion Graphs

Yang, Guowu; Hung, William N. N.; Song, Xiaoyu; Guo, Wensheng

doi:https://doi.org/10.1155/2013/709071

Journal of Applied Mathematics

On this page

Abstract Introduction Preliminaries Conclusion Acknowledgments References Copyright Related Articles

Special Issue

Intelligent Modeling and Verification

View this Special Issue

Research Article | Open Access

Volume 2013 | Article ID 709071 | https://doi.org/10.1155/2013/709071

A Transformation-Based Approach to Implication of GSTE Assertion Graphs

Guowu Yang,¹William N. N. Hung,²Xiaoyu Song,³and Wensheng Guo¹

Academic Editor: Guiming Luo

Received08 Feb 2013

Accepted13 May 2013

Published10 Jul 2013

Abstract

Generalized symbolic trajectory evaluation (GSTE) is a model checking approach and has successfully demonstrated its powerful capacity in formal verification of VLSI systems. GSTE is an extension of symbolic trajectory evaluation (STE) to the model checking of -regular properties. It is an alternative to classical model checking algorithms where properties are specified as finite-state automata. In GSTE, properties are specified as assertion graphs, which are labeled directed graphs where each edge is labeled with two labeling functions: antecedent and consequent. In this paper, we show the complement relation between GSTE assertion graphs and finite-state automata with the expressiveness of regular languages and -regular languages. We present an algorithm that transforms a GSTE assertion graph to a finite-state automaton and vice versa. By applying this algorithm, we transform the problem of GSTE assertion graphs implication to the problem of automata language containment. We demonstrate our approach with its application to verification of an FIFO circuit.

1. Introduction

Generalized symbolic trajectory evaluation (GSTE) [1–4] is a model checking approach which was originally developed at Intel and has successfully demonstrated its powerful capacity in formal verification of VLSI systems [1–7]. GSTE is extended from the lattice-based symbolic trajectory evaluation (STE) [8, 9] which can handle large industrial designs [10–13]. The STE theory consists of a simple specification language, a simulation-based model checking algorithm, and a powerful quaternary abstraction algorithm. Though STE is very efficient in automatic verification of large-scale industrial hardware designs at both gate and transistor levels, it has a limited specification language which only allows the specification of properties over finite time intervals.

In GSTE, all -regular properties can be expressed and verified with space and time efficiencies comparable with STE. Assertion graphs are introduced in GSTE as an extension of STE specification language and are the key to the usability of GSTE. An assertion graph is a labeled directed graph where each edge is labeled with two labeling functions: antecedent and consequent [3]. The existing GSTE theory provides an efficient model checking procedure for verifying that a circuit obeys an assertion graph as well as techniques based on abstract interpretation to combat state space explosion [3, 7].

How to establish that one specification implies another is a fundamental problem in formal verification. Hu et al. [6, 7] proposed some algorithms to decide whether one assertion graph implies another through building monitor circuits. Yang and Seger [2] verified assertion graphs through manually refining assertion graphs. Yang et al. [14] gave some conditions under which the assertion graphs implication is decided without reachability analysis if two assertion graphs have the same graph structure. Sebastiani et al. [15] gave the complement relation between an assertion graph and a finite-state automaton. An assertion graph with states resulted in a nondeterministic automaton with states.

In this paper, we consider both finite-state automata that accept regular languages and finite-state -automata with Büchi acceptance conditions that accept -regular languages. For a finite-state automaton over finite words, acceptance is defined according to the last state visited by a run of the automaton; while for a finite-state automaton with Büchi acceptance conditions, there is no such “the last state” and acceptance is defined according to the set of states that a run visits infinitely often [16].

We present a theory on the complement relation between GSTE assertion graphs and finite-state automata and an algorithm which automatically transforms assertion graphs to their equivalent finite-state automata, and vice versa. For an assertion graph , we construct a corresponding finite-state automaton such that and , the number of states in is only twice as many as that in , and a deterministic assertion graph is transformed to a deterministic automaton. On the other hand, for an arbitrary finite-state automaton , we construct a corresponding assertion graph such that and , the number of states in is the same as that in , and a deterministic automaton is transformed to a deterministic assertion graph.

We apply the proposed theory and algorithm to the GSTE assertion graphs implication problem by transforming this problem to the automata language containment problem. Since, in many cases, assertion graphs are nondeterministic, their corresponding finite-state automata are also nondeterministic. This may cause exponential state space blowups in checking automata language containment [16–22]. We avoid such blowups in determining the implication relation between a nondeterministic assertion graph and its refinement derived following the refinement strategies given in [2], by transforming the implication relation between nondeterministic assertion graphs to the implication relation between deterministic assertion graphs without adding any states. This application is illustrated with a case study for verifying correctness properties of an FIFO circuit.

The remainder of this paper is organized as follows. In Section 2, we introduce the preliminaries of finite-state automata and GSTE assertion graphs. In Section 3, we present the transformation algorithm and prove its correctness. In Section 4, we propose an application of the transformation algorithm to determine the implication relation between GSTE assertion graphs and demonstrate its effectiveness with a case study. We conclude in Section 5.

2. Preliminaries

In this section, we give the definitions of finite-state automata and GSTE assertion graphs and of their finite and infinite languages. We also show that the fairness edge constraints for GSTE assertion graphs [1] are equivalent to the fairness state constraints.

Definition 1. A finite-state automaton is a tuple , where is a finite set of states, is a finite alphabet, is a set of directed edges over , is the labeling function for all edges, is the initial state, and is a subset of whose elements are called acceptance states.

Definition 2. A finite word (or string) is accepted by a finite-state automaton (denoted as ) if there exists a path such that , , and , denoted as .

Definition 3. An infinite word (or string) is accepted by a finite-state automaton (denoted as ) if there exists an infinite path such that , , where is the set of states occurring infinitely often in , and , denoted as .

Definition 4. The finite language of is . The infinite language of is .

Definition 5. Given a finite-state automaton , and for are called the set of incoming edges of and the set of outgoing edges of , respectively; that is, and .

Definition 6. If for all and for all , and , is called a deterministic finite-state automaton (DFA). Otherwise, is called a nondeterministic finite-state automaton (NFA).
Traditionally, an NFA may have a set of initial states. The expressiveness of an NFA with multiple initial states is the same as that of an NFA with a unique initial state. The transformation is easy.

Definition 7. An assertion graph is a tuple , where is a finite set of states, is a finite alphabet, is a set of directed edges over , and are the labeling functions for all edges, is the initial state, and is a subset of and elements of are called acceptance states.

Definition 8. A finite word (or string) is accepted by an assertion graph (denoted as ) if for each finite path with (where ) and such that , where denotes and denotes for . An infinite word (or string) is accepted by (denoted as ) if for all infinite path with (where ) and such that . The finite language of is . The infinite language of is .

Remark 9. In [1], an assertion graph has a set of acceptance (fair) edges. The final edge of a finite path must be in and for an infinite path; at least one edge in must appear in the path infinitely often. This can be transformed to the above definitions by the following construction. For any , if the incoming edges have both acceptance edges and nonacceptance edges, is substituted with and such that , ; that is, the incoming edges of are all acceptance edges, the incoming edges of are nonacceptance edges (See Figure 1). The outgoing edges of and are the same as the outgoing edges of , and the labeling function and are the same. All such are included the acceptance state set in the transformed assertion graph.

Definition 10. Given an assertion graph , if for all, for all and , , is called a deterministic assertion graph (DAG). Otherwise, is called a nondeterministic assertion graph (NAG).

For any assertion graph , we can assume that is a nonrestarting assertion graph (i.e., ); otherwise, we construct a nonrestarting assertion graph from : (add a new state to ), ,, ,, ,. Basically, we copy the edges and the related labeling functions and of to and delete the incoming edges of . The other edges and labeling functions remain the same.

3. Transformations between GSTE Assertion Graphs and Finite-State Automata

In this section, we present the transformations between a GSTE assertion graph and a finite-state automaton. Given an assertion graph , we build a finite-state automaton such that and . And if is a deterministic assertion graph, then is also a deterministic finite-state automaton. Let :(1), ; (2) (See Figure 2); (3), , ; (4).

Intuitively, is constructed to accept all strings (or words) that are not accepted by . Such a string (or word) satisfies the antecedent of each edge traversed while violating the consequent of at least of such edge.

Theorem 11. If is a DAG, then is a DFA.

Proof. We prove the following two cases.
(i) For any state in and any two outgoing edges and , (the construction of ) (the definition of DAG).
(ii) For any state in and any two outgoing edges and . (a)If , then ,, = (the construction of ) .(b)If , then ⊆ (the construction of ) (the definition of DAG). Therefore, is a DFA.

Theorem 12. .

Proof. First, we show .
Suppose .
Then there exists a finite path in with and such that for ; and ,, when , , .
Let a path of be as follows:
Then , where if , if ; and .
Therefore, .
Second, we show .
Suppose .
Then there exists a path as follows: such that , where if , if ; and .
According to the construction of from , we know that is a path of ; if, =.
, that is, , but .
If , .
Therefore, .

Theorem 13. .

Proof. First, we prove .
Suppose .
Then there exists an infinite path in with and such that for ; and ,, . Let a path of be . This path will visit infinitely often every if . And , where if , if .
Thus .
Second, we prove .
Suppose .
Then there exists an infinite path in with and such that , where if , if .
According to the construction of from , we know that is a path of , and ; for , and , that is, .
Therefore, , that is, .

Given a finite-state automaton , build an assertion graph as where , for all . This construction is the same as the construction proposed in [15].

Theorem 14. and .

Proof. Directly from the construction of and the language definitions in [15].

Theorem 15. If is a DFA, then is a DAG.

Proof . Directly from the construction of and the deterministic definition.

4. Application to GSTE Assertion Graphs Implication

4.1. Transforming GSTE Assertion Graphs Implication to Automata Language Containment

The complement relation between an assertion graph and a finite-state automaton can be applied to determine the implication relation between assertion graphs by transforming the GSTE assertion graphs implication to the finite-state automata language containment.

Definition 16. Given two assertion graphs and , if and only if and if and only if .

Let be an automaton whose finite language is the complement of the finite language of an automaton ; that is, . Let be an automaton whose infinite language is the complement of the infinite language of an automaton ; that is, .

Theorem 17. iff .
iff .

Proof. .
.

In GSTE, because of its aggressive abstraction, abstraction refinement is often necessary [2]. Verifying whether a circuit satisfies an assertion graph , , using the GSTE engine may produce false negative if is too abstract. Thus, it is necessary to refine into a refined assertion graph . If we can verify , then we can conclude . But how can we guarantee that if the assertion graph is complex? We must establish . We can verify by transforming it to an automata language containment test using Theorem 17.

A critical difficulty in checking the language containment, , is the construction of a complement finite-state automaton of . Complementing a nondeterministic automaton with states resulted in an automaton with [23]. Some optimized complementing constructions were introduced with [16–22]. However, the complexity is still exponential.

Although we can transform deterministic assertion graphs to deterministic finite-state automata, in many cases, assertion graphs are nondeterministic. This may cause state space blowups when checking language containment between automata corresponding to these assertion graphs. We observe that in determining the implication relation between an assertion graph and its refinements constructed using the refinement strategies in [2], we can transform the nondeterministic assertion graph to deterministic assertion graph by adding only one variable without adding any states and then apply the refinements to . The requirement of our method is that the refinements applied to will not cause nondeterminism. The refinement strategies in [2] satisfy our requirement. The language containment of deterministic finite state automata can be checked in polynomial time [19]. Therefore, the state space blowup problem can be avoided in determining the implication relation between a refined assertion graph and an original assertion graph.

For any given assertion graph , let be a refined assertion graph of . If is a non-deterministic assertion graph, we add an additional variable “” to constrain the overlapped antecedents of the outgoing edges of every state in and the resulting assertion graph is denoted as ; that is, . The value domain of “” is from 1 to the maximal number that we need to distinguish the overlapped antecedents of the outgoing edges of every state in the assertion graph , denoted as .

Figure 3 illustrates the determinization process: there are three outgoing edges from state : ,, and . Two of these three antecedents and in Figure 3(a) are overlapped. So, it is a non-deterministic transition. We constrain these two antecedents by adding a variable “” with a domain of and changing to and to in Figure 3(b), the determinized assertion graph . For simplification, the consequents and the antecedents which are not needed to be constrained will not be followed by .

The projection of the (finite or infinite) language of is defined as , .

Lemma 18. , .

Proof. First, suppose . For any finite path in , it is also a path in according to the construction of (because it does not change the graph structure of the assertion graph ). If , that is, for , then , namely, for . According to the definition of , there exists such that is the of the edge in if there is a constraint for this , or a subset of the of the edge in if there is no constraint for this . Therefore, , and because there is no constraint for the . Thus, . According to the definition of the projection language of , .
Second, suppose that . Then there exists such that , which implies that if for , then . And implies , implies .
Therefore .
Combining these two cases, we have .
Similarly, is also true.

Theorem 19. .

Proof. (definition of implication).
(definition of projection language).
(Lemma 18).
(definition of implication).

In the above proof, the language can be finite language or infinite language . Thus, Theorem 19 holds for both finite and infinite languages, respectively.

4.2. Case Study

An FIFO is a common circuit within a microprocessor design. The design requirements of an FIFO can be fairly complex due to the variable lengths, different rates of data throughput, and timing. Therefore, it makes a good practice to verify the FIFO design against these requirements. In general, the behavior of an FIFO must meet the following requirements: (1) correctness of full and empty flags, and (2) enqueued data must be dequeued in the correct order while maintaining uncorrupted data. The FIFO has 0 entry after the reset. If an enqueue only operation occurred, the total number of entries increases by 1. On the other hand, if a dequeue only operation occurred, the total number of entries decreases by 1 when the number of entries is bigger than 0. The empty flag is set when the number of entries is 0 and the full flag is set when contents reach the depth of the FIFO.

An assertion graph of a 3-deep FIFO circuit is shown in Figure 4 without determinization variable .

The top part of the assertion graph specifies the number of filled entries. However, it cannot guarantee whether the enqueued data is corrupted or not. In order to overcome this situation, an enqueued vector of distinct symbolic constants is used at an arbitrary time as shown in the bottom portion of the graph.

The assertion graph shown in Figure 4 without determinization variable has the potential problem of overapproximation. In order to overcome this problem, a refined assertion graph shown in Figure 5 without determinization variable is introduced.

It unfolds the graph at the states where the precision is lost.

Using the GSTE engine, we can verify the refined assertion graph on the FIFO circuit. To conclude that the original assertion graph also holds on the circuit, we must establish that the refined assertion graph implies the original assertion graph. Since both assertion graphs are non-deterministic, we first determinize the original assertion graph. A variable “” whose domain is is added to determinize the original assertion graph. We add “” in the antecedents on the edges (-filled, -filled) and “” in the antecedents on the edges (-filled, -ahead), respectively, for . And We add “” in the antecedents on the edges (-filled, -filled) and “” in the antecedents on the edges (-filled, -ahead), respectively, for . The determinized assertion graph is shown in Figure 4. We then refine the assertion graph in Figure 4 by applying the same refinements that refine the original assertion graph to the refined assertion graph and get the determinized and refined assertion graph shown in Figure 5.

We select COSPAN [24, 25] as the model checking engine to perform language containment test. We code the automata corresponding to the assertion graphs in Figures 4 and 5 in S/R, the input language of COSPAN, and use COSPAN to verify that the language of the automaton corresponding to the assertion graph in Figure 4 is contained in the language of the assertion graph in Figure 5. COSPAN establishes the language containment using 0.156 megabytes memory and 0.02 CPU seconds on a Pentium IV 2.8 GHz computer.

5. Conclusion

In this paper, we have established the complement relation between GSTE assertion graphs and finite-state automata with expressiveness of regular languages and -regular languages. We present an algorithm that transforms a GSTE assertion graph to a finite-state automaton and vice versa. Using this algorithm, we transform the problem of GSTE assertion graphs implication to the problem of automata language containment. We avoid the exponential state space blowups in checking language containment of non-deterministic finite-state automata when determining the implication relation between a nondeterministic assertion graph and its refinement derived following the refinement strategies given in [2]. This avoidance is achieved by transforming the implication relation between nondeterministic assertion graphs to the implication relation between deterministic assertion graphs without adding any states. This application has been illustrated with a case study for verifying properties of an FIFO circuit.

Acknowledgments

This paper is partially supported by the National Natural Science Foundation of China (no. 60973016 and no. 61272175), and the National Basic Research Program of China (973 Program: no. 2010CB328004).

References

J. Yang and C. J. H. Seger, “Generalized symbolic trajectory evaluation,” Technical Report, 2002.
View at: Google Scholar
J. Yang and C. J. H. Seger, “Generalized symbolic trajectory evaluation-abstraction in action,” in FMCAD, vol. 2517, pp. 70–87, 2002.
View at: Google Scholar
J. Yang and C. J. H. Seger, “Introduction to generalized symbolic trajectory evaluation,” IEEE Transactions on VLSI Systems, vol. 11, no. 3, pp. 345–353, 2003.
View at: Publisher Site | Google Scholar
J. Yang and C. J. H. Seger, “Compositional specification and model checking in GSTE,” in Computer-Aided Verification, vol. 3114, pp. 216–228, 2004.
View at: Google Scholar
B. Bentley, “High level validation of next generation microprocessors,” in IEEE High Level Design Validation and Test Workshop, 2002.
View at: Google Scholar
A. J. Hu, J. Casas, and J. Yang, “Efficient generation of monitor circuits for GSTE assertion graphs,” in IEEE/ACM International Conference on Computer-Aided Design, pp. 154–159, 2003.
View at: Google Scholar
A. J. Hu, J. Casas, and J. Yang, “Reasoning about GSTE assertion graphs,” in Proceedings of the 12th Advanced Research Working Conference on Correct Hardware Design and Verification Methods (CHARME '03), pp. 170–184, 2003.
View at: Google Scholar
C. T. Chou, “The mathematical foundation of symbolic trajectory evaluation,” in Computer-Aided Verification, vol. 1633, pp. 196–207, 1999.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
C. J. H. Seger and R. E. Bryant, “Formal verification by symbolic evaluation of partially-ordered trajectories,” Formal Methods in System Design, vol. 6, no. 2, pp. 147–190, 1995.
View at: Publisher Site | Google Scholar
M. Aagaard, R. B. Jones, and C. J. H. Seger, “Combining theorem proving and trajectory evaluation in an industrial environment,” in Design Automation Conference, pp. 538–541, 1998.
View at: Google Scholar
P. Bjesse, T. Leonard, and A. Mokkedem, “Finding bugs in an α microprocessor using satisfiability solvers,” in Computer-Aided Verification, pp. 454–464, 2001.
View at: Google Scholar
K. L. Nelson, A. Jain, and R. E. Bryant, “Formal verification of a superscalar execution unit,” in Design Automation Conference, pp. 161–167, 1997.
View at: Google Scholar
M. Pandey, R. Raimi, D. L. Beatty, and R. E. Bryant, “Formal verification of PowerPC arrays using symbolic trajectory evaluation,” in Design Automation Conference, pp. 649–654, 1996.
View at: Google Scholar
G. Yang, J. Yang, W. N. N. Hung, and X. Song, “Implication of assertion graphs in GSTE,” in Asia South Pacific Design Automation Conference, pp. 1060–1063, 2005.
View at: Google Scholar
R. Sebastiani, E. Singerman, S. Tonetta, and M. Y. Vardi, “GSTE is partitioned model checking,” in Computer-Aided Verification, vol. 3114, pp. 229–241, Springer, Berlin, Germany, 2004.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
E. Friedgut, O. Kupferman, and M. Vardi, “Büchi complementation made tighter,” in Proceedings of the 2nd International Symposium on Automated Technology for Verification and Analysis, pp. 64–78, 2004, Lecture Notes in Computer Science.
View at: Google Scholar
N. Klarlund, “Progress measures for complementation of ω-automata with applications to temporal logic,” in Proceedings of the 32nd Annual Symposium of Foundations of Computer Science, pp. 358–367, 1991.
View at: Google Scholar
O. Kupferman and M. Y. Vardi, “From complementation to certification,” in Proceedings of the Tools and algorithms for the construction and analysis of systems (TACAS '04), vol. 2988, pp. 591–606, 2004, Lecture Notes on Computer Science.
View at: Google Scholar
R. P. Kurshan, “Complementing deterministic Büchi automata in polynomial time,” Journal of Computer and System Sciences, vol. 35, no. 1, pp. 59–71, 1987.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
M. Michel, “Complementation is more difficult with automata on infinite words,” in CNET, Paris, France, 1988.
View at: Google Scholar
S. Safra, “On the complexity of omega-automata,” in Foundations of Computer Science, pp. 319–327, 1988.
View at: Google Scholar
S. Tasiran, R. Hojati, and R. K. Brayton, “Language containment of non-deterministic omega-automata,” in Proceedings of the IFIP WG 10. 5 Advanced Research Working Conference on Correct Hardware Design and Verification Methods (CHARME '95), pp. 261–277, Springer, London, UK, 1995.
View at: Google Scholar
J. R. B. Büchi, “On a decision method in restricted second order arithmetic,” in International Congress For Logic, Methodology and Philosophy of Science, pp. 1–12, 1962.
View at: Google Scholar
K. Fisler and R. P. Kurshan, “Verifying vhdl designs with cospan,” in Formal Hardware Verification—Methods and Systems in Comparison, pp. 206–247, Springer, London, UK, 1997.
View at: Google Scholar
R. P. Kurshan, Computer-Aided Verification of Coordinating Processes, Princeton Series in Computer Science, Princeton University Press, Princeton, NJ, USA, 1994, The automata-theoretic approach.
View at: MathSciNet

Copyright

Copyright © 2013 Guowu Yang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

1063

Downloads

928

Citations