#### First some loose ends

# Back to BDDs (from lec. 3, week 1)

First form of FV Equivalence Checking (EC,CEC) Boolean network comparison, also known as combinational equivalence checking

Straight BDD comparison works for moderately sized circuits. For larger circuits, more sophisticated methods are used.

Invisible to user, automatic, effective

#### Second form of FV Symbolic simulation

Take a simulator (can be quite low level, accurate one)

Make it work not only on 0, 1, X (unknown) (or a larger group of constants) but ALSO on symbols

## Ordinary simulation xor?



## simulation



## simulation



## simulation



4 runs to check exhaustively

Q: how many for n inputs?

## Symbolic simulation Idea 1



#### Use X values

#### Halves number of sim. runs!





(try on xor example)

## Symbolic simulation Idea 2



Use symbolic values

Think of giving input values names rather than constant values

Build up an expression in terms of (some of the) inputs

−а

May Rep. Using Binary Decision Diagrams (BDDs)









Widely used (applies also to sequential circuits)

Forms basis of model checking method called Symbolic Trajectory Evaluation (STE)

User must make judicious choice of 0,1 X a, b, ...

X halves sim runs, but may result in X at a point vital to the verification

Symbolic variable halves sim. runs without losing info. BUT BDD somewhere in the sim. may grow too big

#### Pro and Cons of BDDs

- + Powerful operations (create, manipulate,test) polynomial complexity, composable
- + Usually stay small enough given good variable order

+ Provide quantification operations (unlike plain SAT) (see MC!)

- sometimes explode in size
- important circuits (multipliers and shifters) are problematic => yet more special hacks in the tools
- variable ordering problem is NP-complete

In practice used together with SAT and other engines

## Model Checking I

#### What are LTL and CTL?



#### View circuit as a transition system

 $(dreq, q0, dack) \rightarrow (dreq', q0', dack')$ 

q0' = dreq dack' = dreq and (q0 or (not q0 and dack))







can also view transititon relation as a set of pairs of states, one pair per arrow {(000,000), (000,100), (001,000), (001,100), (011,000), (011,000), (011,000), (011,000), (011,000), (100,010), (100,110), (101,011), (101,111), (110,011), (110,011), (111,011), (111,111)}



Transition system

+ special temporal logic

+ automatic checking algorithm

Idea

#### Another view

computation tree from a state







Relation vs. Function?



#### Points to note

Transition system models circuit behaviour

We chose the tick of the transition system to be the same as one clock cycle. Gates have zero delay – a very standard choice for synchronous circuits

Could have had a finer degree of modelling of time (with delays in gates). Choices here determine what properties can be analysed

Model checker starts with transition system. It doesn't matter where it came from

#### Transition system M

- **S** set of states (finite)
- R binary relation on states assumed total, each state has at least one arrow out
- A set of atomic formulas
- L function S -> set of atomic formulas that hold in that state

Lars backwards ③ finite Kripke structure

#### Path in M

#### Infinite sequence of states $\pi = s0 s1 s2 \dots$ such that

#### Path in M

 $s0 \rightarrow s1 \rightarrow s2 \rightarrow ...$ 



(s0,s1) ¢ R

(s1,s2) c R

etc

#### Properties

## Express desired behaviour over time using special logic

- LTL (linear temporal logic)
- CTL (computation tree logic)
- CTL\* (more expressive logic with both. LTL and CTL as subsets)

#### 

path quantifers A "for all computation paths" E "for some computation path" can prefix assertions made from Linear operators G "globally=always" F "sometime" X "nexttime" U "until"

about a path

#### CTL\* formulas (syntax)

path formulas  
$$f ::= \mathbf{S} | \neg f | f1 \lor f2 | X f | f1 U f2$$

state formulas (about an individual state)  $S ::= a | \neg S | S1 \lor S2 | E f$ atomic formulas

## Build up from core

 $Af = \neg E \neg f$ 

F f = true U f $G f = \neg F \neg f$  Example

G (req -> F ack)



## G (req -> F ack)

# A request will eventually lead to an acknowledgement

liveness

linear

# Example



# Example



It is possible to get to a state where Started holds but Ready does not

It is possible to get to a state where Started holds but Ready does not

E (F (Started & ¬Ready))

 $\mathsf{M} = (\mathsf{L}, \mathsf{A}, \mathsf{R}, \mathsf{S})$ 

M, s f f holds at state s in M (and omit M if it is clear which M we are talking about)

M,  $\pi$  \_\_\_\_ g g holds for path  $\pi$  in M

Back to syntax and write down each case  $s \models a$  a in L(s) (atomic)

 $s \models \neg f \qquad \text{not} (s \models f)$   $s \models f1 \lor f2 \qquad s \models f1 \qquad \text{or} \qquad s \models f2$  $s \models E(g) \qquad \text{Exists } \pi \text{. head } (\pi) = s \qquad \text{and } \pi \models g$ 









# $\pi \models g1 \cup g2$ Exists $k \ge 0$ . drop $k \pi \models g2$ and Forall $0 \le j \le k$ . drop $j \pi \models g1$

(note: I mean tail in the Haskell sense)

# CTL

Restrict path formulas (compare with CTL\*)

$$f ::= \neg f | S1 \lor S2 | X S | S1 U S2$$
  
state formulas

Linear time ops (X,U,F,G) must be wrapped up in a path quantifier (A,E).

# Back to CTL\* formulas (syntax)

# path formulas $f ::= \mathbf{S} | \neg f | f1 \lor f2 | X f | f1 U f2$

state formulas (about an individual state)  $S ::= a | \neg S | S1 \lor S2 | E f$   $\uparrow$ atomic formulas

# CTL\* yes CTL ?

E X X f E (f U (g U j))

A (fUXg)

A (fUg)  $\lor$  E k

# CTL\* yes CTL ?

E X X f E (f U (g U j))

A (fUXg)

A (fUg)  $\lor$  E k

Yes

# CTL

# Another view is that we just have the combined operators AU, AX, AF, AG and EU, EX, EF, EG and only need to think about state formulas

A operators for necessity

E operators for possibility

f ::=

All immediate successors Some immediate succesor All paths always Some path always All paths eventually Some path eventually atomic -f AX f EX f AG f EG f AF f EF f f1 v f2 A (f1 U f2) E (f1 U f2)



It is possible to get to a state where Started holds but Ready does not

It is possible to get to a state where Started holds but Ready does not

EF (Started & ¬Ready)

If a request Req occurs, then it will eventually be acknowledged by Ack

If a request Req occurs, then it will eventually be acknowledged by Ack

AG (Req -> AF Ack)

If a request Req occurs, then it continues to hold, until it is eventually acknowledged

If a request Req occurs, then it continues to hold, until it is eventually acknowledged

AG (Req -> A [Req U Ack])

# EX E (f U g)

LTL formula is of form A f where f is a path formula with subformulas that are atomic (The f is what we write down. The A is implicit.)

Restrict path formulas (compare with CTL\*)

$$f ::= a | \neg f | f1 \lor f2 | X f | f1 U f2$$
  
atomic formulas (Talk about a single state)



It is the restricted path formulas that we think of as LTL specifications (See P&R again)

 $G \neg (critical1 \& critical2)$ 

mutex

FG initialised eventually stays initialised

- GF myMove myMove will always eventually hold
- G (req -> F ack)

request acknowledge pattern

Responsiveness (more examples)

G (req -> XF ack)

G (req -> X(req U ack))

G (req -> X((req & ¬ ack) U (¬ req & ack) ))

p holds at the even states and does not hold at the odd states

```
p & G (p <-> ¬ (X p))
```

It is not possible to express that p holds in the even states (while not saying anything about the odd states) in LTL

# In CTL but not LTL

# AG EF start

Regardless of what state the program enters, there exists a computation leading back to the start state

#### In CTL but not LTL

# AG (R $\rightarrow$ EX S)

"non-blocking"

Even **EX P** is an example

In both

# AG ( $p \rightarrow AF q$ ) in CTL G( $p \rightarrow F q$ ) in LTL

# In LTL but not CTL

# $G \mathrel{\mathsf{F}} p \to {\mathsf{F}} \mathrel{q}$

# if there are infinitely many p along the path, then there is an occurrence of q

FGp

### In CTL\* but not in LTL or CTL

# **E** [**G F p**] there is a path with infinitely many **p**

Further reading

### Ed Clarke's course on **Bug Catching: Automated Program Verification and Testing**

complete with moving bug on the home page!

Covers model checking relevant to hardware too.

http://www.cs.cmu.edu/afs/cs.cmu.edu/academic/class/15414-f06/www/index.html The sub-page called Reading has slides and paper links

For some history (by the inventors themselves) see this workshop celebrating 25 years of MC http://www.easychair.org/FLoC-06/25MC-day227.html

# Example revisited

- A sequence beginning with the assertion of signal strt, and containing two not necessarily consecutive assertions of signal get, during which signal kill is not asserted, must be followed by a sequence containing two assertions of signal put before signal end can be asserted
- AG~(strt & EX E[~get & ~kill U get & ~kill & EX E[~get & ~kill U get & ~kill & E[~put U end] or E[~put & ~end U (put & ~end & EX E[~put U end])]])

AG ~ ...

strt & EX E[ ~get & ~kill U get & ~kill & ...]

EX E [~get & ~kill U get & ~kill & ...]

E[~put U end] or E[~put & ~end U (put & ~end & EX E[~put U end])]] strt & EX E[ ~get & ~kill U get & ~kill & ...]



AG ~ ...

AG ~ ...

strt & EX E[ ~get & ~kill U get & ~kill & ...]



Next lecture

#### How to model check CTL formulas