The Mathematical Foundation of Symbolic Trajectory Evaluation Ching-Tsun Chou
[email protected] Intel Corporation 3600 Juliette Lane, SC12-401 Santa Clara, CA 95052, U.S.A.
Abstract. In this paper we elucidate the mathematical foundation underlying both the basic and the extended forms of symbolic trajectory evaluation (STE), with emphasis on the latter. In addition, we make three contributions to the theory of STE which, we believe, are new. First, we provide a satisfactory answer to the question: what does it mean for a circuit to satisfy a trajectory assertion? Second, we make the observation that STE is a form of data flow analysis and, as a corollary, propose a conceptually simple algorithm for (extended) STE. Third, we show that the ternary model of circuits used by STE is an abstract interpretation of the ordinary boolean model via a Galois connection. We hope that our exposition will make STE, especially its extended form, less mysterious.
1 Introduction

In BDD-based formal verification, symbolic trajectory evaluation (STE) [10, 6] is the main alternative to symbolic model checking (SMC) [3]. Compared with SMC, STE has the advantage that it can be applied to very large circuits directly, without the need to abstract the circuits before verification. This is made possible by a pleasant property of STE: the number of BDD variables needed in an STE run depends only on the assertion being checked, not on the circuit under analysis. Thus one can use STE to verify a collection of assertions against the same circuit without having to invent a different abstraction of the circuit for each assertion, as one often has to do when doing SMC. On the other hand, what STE can verify is more restricted than what SMC can. In its basic form [10], STE can only verify assertions over bounded intervals of time, possibly iterated by non-nested loops. But in its extended form [6] (footnote 1), STE can verify assertions expressed as arbitrary state-transition graphs, thus enabling STE to verify any safety property. As far as we know, STE has not been generalized to reason about liveness properties.

Unfortunately, STE seems to be much less well-known than SMC, certainly less than it deserves to be. In the hope of generating more interest in STE, we elucidate in this paper the mathematical foundation underlying both the basic [10] and the extended [6] forms of STE, with emphasis on the latter. We hope that our exposition will fill enough gaps and clarify enough obscurities in the existing literature to make STE, especially its extended form, less mysterious. In addition to this, we make three contributions to the theory of STE which, we believe, are new.

First, we would like to clarify the semantics of STE by providing a satisfactory answer to the following question: What does it mean for a circuit to satisfy a trajectory assertion? More precisely, we propose to define the satisfaction relation for extended STE [6], in which trajectory assertions can have arbitrary state-transition graphs, as a universally quantified generalization of the form of basic STE [10] in which trajectory assertions are bounded sequences of states. Interestingly, this is not how the satisfaction relation for extended STE was originally defined in [6], which uses a partially existentially quantified generalization. To justify our definition, we show that it guarantees that a circuit satisfies a trajectory assertion iff (if and only if) the set-theoretic STE algorithm returns a positive answer, and that this is not the case for the definition in [6]. Another advantage of our definition is that it does not require us to make the distinction of whether a trajectory assertion is "oblivious" (which basically means "deterministic"), whereas the definition in [6] does.

Second, we would like to make the following observation: STE is a form of data flow analysis (DFA). More precisely, we show that, when properly formulated, what an STE algorithm computes is exactly the solution of a data flow equation in the classic format [8]. Though perhaps obvious in retrospect, this point seems to have never been noticed before. Furthermore, as a corollary of this DFA formulation, we propose a BDD-based, completely implicit algorithm for STE that is very easy to understand and, we hope, can lead to simple implementations of STE.

Footnote 1: According to Carl Seger, the basic ideas of extended (a.k.a. generalized) STE came out of an e-mail brainstorming session in 1994 among Derek Beatty, Randy Bryant, and Carl Seger on an (unpublished) note written by Beatty. The author learned of the basic ideas of extended STE from Alok Jain's Ph.D. thesis, which was supervised by Randy Bryant [6].
(Of course, this hope can be confirmed or disproved only through experimentation, which is beyond the scope of this paper.)

Third, we would like to propose an appropriate framework in which to address the following question: How is the ternary model of circuits that STE algorithms use related to the ordinary boolean model of circuits? Specifically, we show that the ternary model is an abstract interpretation in the classic sense [9] of the boolean model via a Galois connection [4, 9]. We also point out a relationship between the two models (namely, the Galois connection should be a simulation from the boolean model to the ternary model) that seems to have never been articulated in the existing literature on STE [10, 6].

The rest of this paper is organized as follows. Section 2 presents STE from a "set-theoretic" viewpoint, in which circuits are modeled as functions operating on sets of boolean vectors. Section 3 presents STE from a "lattice-theoretic" viewpoint, in which circuits are modeled as functions operating on ternary vectors, which form a lattice. Section 4 concludes this paper by discussing some directions for future research. Due to space limitations, the proofs of all theorems and the reviews of some mathematical machinery are relegated to the appendices.
2 Set-Theoretic STE

Following [6], we start with set-theoretic STE, which manipulates sets of configurations of circuits. As will be seen, set-theoretic STE is impractical except on small circuits. But it provides an easy-to-understand semantic foundation by which STE can be related to symbolic model checking, which takes a set-theoretic view of circuits. Furthermore, the development of lattice-theoretic STE in the next section closely parallels that of set-theoretic STE.
2.1 Set-Theoretic Models of Circuits

Circuits as Relations. Consider a digital circuit $M$ operating in discrete time. A configuration of $M$ is an assignment of "values" to "signals" in $M$, representing a snapshot of $M$ at a discrete point in time. In this section, exactly what "values" and "signals" are is actually not important. We will only assume that the set of all configurations of $M$, denoted by $C$, is nonempty and finite. The conceptually simplest model of $M$ is a transition relation, $M_{\mathrm{Rel}} \subseteq C \times C$, where $(c, c') \in M_{\mathrm{Rel}}$ means that $M$ can in one step move from configuration $c$ to configuration $c'$. Note that since $M$ cannot control its input signals, $M_{\mathrm{Rel}}$ is in general a relation rather than a function.
Circuits as Functions. The power set of $C$, denoted by $\mathcal{P}(C)$, can be viewed as the set of predicates on configurations, where $\cap$, $\cup$, and $\subseteq$ correspond to conjunction, disjunction, and implication, respectively. For any $Q \subseteq \mathcal{P}(C)$, we denote by $\bigcap Q$ and $\bigcup Q$ the intersection and union of all members of $Q$, respectively. Using the relational image operation, the transition relation $M_{\mathrm{Rel}}$ induces a predicate transformer $M_{\mathrm{Fun}} \in \mathcal{P}(C) \to \mathcal{P}(C)$ in a natural way:

$$M_{\mathrm{Fun}}(p) = \{\, c' \in C \mid \exists c \in p : (c, c') \in M_{\mathrm{Rel}} \,\} \qquad (1)$$

for all $p \in \mathcal{P}(C)$. Intuitively, if $M$ is in one of the configurations in $p$, then in one step it must be in one of the configurations in $M_{\mathrm{Fun}}(p)$. It is easy to show from (1) that $M_{\mathrm{Fun}}$ distributes over arbitrary union:

$$M_{\mathrm{Fun}}\Big(\bigcup Q\Big) = \bigcup \{\, M_{\mathrm{Fun}}(q) \mid q \in Q \,\} \qquad (2)$$

for all $Q \subseteq \mathcal{P}(C)$. Conversely, for any $M_{\mathrm{Fun}} \in \mathcal{P}(C) \to \mathcal{P}(C)$ that satisfies (2), the equivalence $(c, c') \in M_{\mathrm{Rel}} \Leftrightarrow c' \in M_{\mathrm{Fun}}(\{c\})$, where $c, c' \in C$, defines an $M_{\mathrm{Rel}} \subseteq C \times C$ that satisfies (1). Thus there is no loss of information in going from $M_{\mathrm{Rel}}$ to $M_{\mathrm{Fun}}$ and vice versa. In the remainder of this paper we will use the functional model of circuits exclusively and drop the subscript $\mathrm{Fun}$. Note that it follows from distributivity (2) that $M$ ($= M_{\mathrm{Fun}}$) both preserves $\emptyset$ and is monotonic:

$$M(\emptyset) = \emptyset \qquad (3)$$

$$p \subseteq q \Rightarrow M(p) \subseteq M(q) \qquad (4)$$

for all $p, q \in \mathcal{P}(C)$.
2.2 Set-Theoretic Trajectory Assertions
From now on we focus on a fixed, but arbitrary, circuit $M \in \mathcal{P}(C) \to \mathcal{P}(C)$, where $C$ is nonempty and finite, such that (2) is true.
Definition of a Trajectory Assertion. A trajectory assertion for $M$ is a quintuple $A = (S, s_0, R, a, c)$, where $S$ is a finite set of states, $s_0 \in S$ is an initial state, $R \subseteq S \times S$ is a transition relation, and $a \in S \to \mathcal{P}(C)$ and $c \in S \to \mathcal{P}(C)$ label each state $s$ with an antecedent $a(s)$ and a consequent $c(s)$, such that:

$$\forall s \in S : (s, s_0) \notin R \qquad (5)$$

Assumption (5) is made for the technical reason that in formulating data flow algorithms, it is convenient to have a unique source node whose flow value never needs changing. No generality is lost by assuming (5): an initial state with incoming transitions can be replaced by a fresh copy that carries the same labels and the same outgoing transitions but no incoming ones, and the runs of the resulting assertion are those of the original with the first state renamed.
Satisfaction of a Trajectory Assertion by a Circuit. What does it mean for the circuit $M$ to satisfy the trajectory assertion $A = (S, s_0, R, a, c)$? Roughly speaking, it means that for every trajectory $\tau$ of $M$ and every run $\pi$ of $A$, as long as $\tau$ satisfies the antecedents in $\pi$, $\tau$ satisfies the consequents in $\pi$. To state this precisely, we have to introduce some terminology. (Also, see Appendix A for notations about sequences.) A trajectory of $M$ is a nonempty sequence of configurations, $\tau \in C^+$, such that:

$$\forall i \in \mathbb{N} : 0 < i < |\tau| \Rightarrow \tau[i] \in M(\{\tau[i-1]\})$$

The set of trajectories of $M$ is denoted by $\mathrm{Traj}(M)$. A run of $A$ is a nonempty sequence of states, $\pi \in S^+$, such that:

$$\pi[0] = s_0 \;\wedge\; \forall i \in \mathbb{N} : 0 < i < |\pi| \Rightarrow (\pi[i-1], \pi[i]) \in R$$

The set of runs of $A$ is denoted by $\mathrm{Runs}(A)$. Note that both $\mathrm{Traj}(M)$ and $\mathrm{Runs}(A)$ are prefix-closed:

$$\forall \tau, \tau' \in C^+ : \tau \preceq \tau' \Rightarrow (\tau' \in \mathrm{Traj}(M) \Rightarrow \tau \in \mathrm{Traj}(M))$$

$$\forall \pi, \pi' \in S^+ : \pi \preceq \pi' \Rightarrow (\pi' \in \mathrm{Runs}(A) \Rightarrow \pi \in \mathrm{Runs}(A))$$

For any $\tau \in \mathrm{Traj}(M)$ and $\pi \in \mathrm{Runs}(A)$ such that $|\tau| = |\pi|$, we say $\tau$ a-satisfies $\pi$, denoted by $\tau \models_a \pi$, iff every configuration in $\tau$ satisfies the corresponding antecedent in $\pi$:

$$\forall i \in \mathbb{N} : 0 \le i < |\pi| \Rightarrow \tau[i] \in a(\pi[i])$$

Similarly, we say $\tau$ c-satisfies $\pi$, denoted by $\tau \models_c \pi$, iff every configuration in $\tau$ satisfies the corresponding consequent in $\pi$:

$$\forall i \in \mathbb{N} : 0 \le i < |\pi| \Rightarrow \tau[i] \in c(\pi[i])$$

Finally, we say the circuit $M$ satisfies the trajectory assertion $A$, denoted by $M \models A$, iff:

$$\forall \tau \in \mathrm{Traj}(M) : \forall \pi \in \mathrm{Runs}(A) : |\tau| = |\pi| \Rightarrow (\tau \models_a \pi \Rightarrow \tau \models_c \pi) \qquad (6)$$
Comparison with Another Definition of Satisfaction. It is instructive to compare our definition of the satisfaction relation, (6), with the definition used in [6]:

$$\forall \tau \in \mathrm{Traj}(M) : \big(\exists \pi \in \mathrm{Runs}(A) : |\tau| = |\pi| \wedge \tau \models_a \pi \wedge \tau \models_c \pi\big) \;\vee\; \big(\forall \tau' \preceq \tau : \forall \pi' \in \mathrm{Runs}(A) : |\tau'| = |\pi'| \Rightarrow (\tau' \models_a \pi' \Rightarrow \tau' \models_c \pi')\big) \qquad (7)$$

Note that (6) implies (7), because $\mathrm{Traj}(M)$ is prefix-closed. The converse is not true, but if its first disjunct were removed, (7) would indeed be equivalent to (6). That first disjunct, which contains an existential quantifier, makes (7) harder to implement than (6). Intuitively, the existential quantifier requires backtracking to implement. Formally, we will show in the next subsection that (6) holds iff the set-theoretic STE algorithm returns a positive answer, and that (7) lacks this nice property.

To get around this difficulty, [6] introduces the notion of oblivious trajectory assertions. A trajectory assertion $A = (S, s_0, R, a, c)$ is oblivious iff for any $s, s', s'' \in S$ such that $(s, s') \in R$, $(s, s'') \in R$ and $s' \ne s''$, it must be the case that $a(s') \cap a(s'') = \emptyset$. Consequently, given any trajectory $\tau$, there is at most one run $\pi$ of $A$ such that $\tau$ a-satisfies $\pi$. It is not hard to see that for an oblivious trajectory assertion, (7) implies (6), which then implies that (7) is equivalent to the set-theoretic STE algorithm returning a positive answer. With our definition (6), there is no need to introduce the notion of obliviousness.

2.3 Set-Theoretic STE as DFA
In this subsection we show that the checking of $M \models A$ can be formulated as a DFA problem [8]. Define $F \in S \to (\mathcal{P}(C) \to \mathcal{P}(C))$ such that $F(s)(p) = M(a(s) \cap p)$ for all $s \in S$ and $p \in \mathcal{P}(C)$. It follows from (2) that:

$$F(s)(\emptyset) = \emptyset \qquad (8)$$

$$p \subseteq q \Rightarrow F(s)(p) \subseteq F(s)(q) \qquad (9)$$

$$F(s)\Big(\bigcup Q\Big) = \bigcup \{\, F(s)(q) \mid q \in Q \,\} \qquad (10)$$

for all $s \in S$, $p, q \in \mathcal{P}(C)$, and $Q \subseteq \mathcal{P}(C)$. Next, define $\mathcal{F} \in (S \to \mathcal{P}(C)) \to (S \to \mathcal{P}(C))$ such that:

$$\mathcal{F}(\rho)(s) = \begin{cases} C & \text{if } s = s_0 \\ \bigcup \{\, F(s')(\rho(s')) \mid (s', s) \in R \,\} & \text{otherwise} \end{cases}$$

for all $\rho \in S \to \mathcal{P}(C)$ and $s \in S$. Since $F(s)$ is monotonic for all $s \in S$ (see (9) above), $\mathcal{F}$ is monotonic as well, where the function space $S \to \mathcal{P}(C)$ is ordered as follows: $\rho \sqsubseteq \rho' \Leftrightarrow \forall s \in S : \rho(s) \subseteq \rho'(s)$, for all $\rho, \rho' \in S \to \mathcal{P}(C)$. Hence, by the Knaster-Tarski Fixpoint Theorem [4], the following fixpoint equation:

$$\rho = \mathcal{F}(\rho) \qquad (11)$$

has a least solution $\rho^* \in S \to \mathcal{P}(C)$. Furthermore, since both $S$ and $C$ are finite, $\rho^*$ is the limit of the sequence $\langle \rho_n \in S \to \mathcal{P}(C) \mid n \in \mathbb{N} \rangle$ defined by:

$$\rho_n = \begin{cases} \lambda s \in S : \emptyset & \text{if } n = 0 \\ \mathcal{F}(\rho_{n-1}) & \text{if } n > 0 \end{cases} \qquad (12)$$

in the sense that there exists a sufficiently large $k \in \mathbb{N}$ such that $\rho_n = \rho^*$ for all $n \ge k$. We say the circuit $M$ satisfies the trajectory assertion $A$ by set-theoretic STE, denoted by $M \models_{\mathrm{Set}} A$, iff $\forall s \in S : \rho^*(s) \cap a(s) \subseteq c(s)$. Now we are ready to state our first main result:
Theorem 1. $M \models_{\mathrm{Set}} A \;\Leftrightarrow\; M \models A$

Proof. See Appendix D.
Had we used the definition adopted in [6] for $M \models A$ (viz., (7) above), the $\Rightarrow$ direction of Theorem 1 would still be true (furthermore, notice that the obliviousness condition used in [6] is unnecessary for this part of the proof), but the $\Leftarrow$ direction would be false, as the following example shows. Consider a trivial circuit $M$ with only one signal whose value is either 0 or 1 (i.e., $C = \{0, 1\}$), and this signal is the output of the constant source 1 (i.e., $M(p) = \{1\}$ for $\emptyset \ne p \subseteq \{0, 1\}$). Suppose that the trajectory assertion $A$ has only three states $S = \{s_0, s_1, s_2\}$ and two transitions $R = \{(s_0, s_1), (s_0, s_2)\}$ such that $a(s_0) = a(s_1) = a(s_2) = c(s_0) = \{0, 1\}$, $c(s_1) = \{1\}$ and $c(s_2) = \{0\}$. Then (7) is satisfied, because for any trajectory $\tau$ of $M$ with $|\tau| = 2$, the run $\pi = \langle s_0, s_1 \rangle$ satisfies both $\tau \models_a \pi$ and $\tau \models_c \pi$. But $M \not\models_{\mathrm{Set}} A$, since $\rho^*(s_2) = \{1\}$, $a(s_2) = \{0, 1\}$, but $c(s_2) = \{0\}$.
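As an added example (not code from the paper), the following Python encodes the satisfaction definition (6) of Section 2.2 and the data flow iteration (12) of Section 2.3, and runs both on the constant-source-1 counterexample just described. The brute-force checker of (6) enumerates trajectories and runs up to a length bound; that bound is an assumption of the example, safe here only because this assertion has no cycles, so no run is longer than $|S|$. The fixpoint computation is the set-theoretic STE algorithm itself.

```python
"""Set-theoretic STE: the data flow iteration (12) and a brute-force check
of definition (6), run on the constant-source-1 counterexample of Section
2.3.  Added example, not the paper's code.  `bounded_satisfies` is an
assumed length-bounded enumeration of (6): sound here only because the
assertion has no cycles, so no run is longer than |S|.
"""
from itertools import product

# --- the trivial circuit M: a single signal driven by the constant source 1 --
C = frozenset({0, 1})

def M(p):
    """Predicate transformer (1): M(p) = {1} for nonempty p and M({}) = {}
    (so (3) and distributivity (2) hold)."""
    return frozenset({1}) if p else frozenset()

# --- the trajectory assertion A = (S, s0, R, a, c) from the text ------------
S = ("s0", "s1", "s2")
s0 = "s0"
R = {("s0", "s1"), ("s0", "s2")}
a = {"s0": C, "s1": C, "s2": C}
c = {"s0": C, "s1": frozenset({1}), "s2": frozenset({0})}

def ste_set(M, C, S, s0, R, a, c):
    """Least fixpoint rho* of (11) by the iteration (12), then the check
    forall s: rho*(s) & a(s) <= c(s).  Returns (rho*, M |=_Set A).
    rho*(s) is the set of configurations M can be in while A is in state s,
    given that all earlier antecedents on the run were met."""
    def F(s, p):                        # F(s)(p) = M(a(s) & p)
        return M(a[s] & p)
    rho = {s: frozenset() for s in S}   # rho_0 = lambda s . {}
    while True:
        nxt = {}
        for s in S:
            if s == s0:
                nxt[s] = frozenset(C)
            else:
                nxt[s] = frozenset().union(*(F(t, rho[t]) for (t, u) in R if u == s))
        if nxt == rho:                  # fixpoint reached: rho_n = rho*
            return rho, all(rho[s] & a[s] <= c[s] for s in S)
        rho = nxt

def bounded_satisfies(M, C, S, s0, R, a, c, max_len):
    """Definition (6) checked directly for all trajectories and runs of equal
    length <= max_len.  Returns None if no violation exists within the bound,
    else a witness (trajectory, run) with tau |=_a pi but not tau |=_c pi.
    Exponential in max_len: only for tiny models like this one."""
    for n in range(1, max_len + 1):
        runs = [pi for pi in product(S, repeat=n)
                if pi[0] == s0 and all((pi[i - 1], pi[i]) in R for i in range(1, n))]
        trajs = [tau for tau in product(sorted(C), repeat=n)
                 if all(tau[i] in M(frozenset({tau[i - 1]})) for i in range(1, n))]
        for tau in trajs:
            for pi in runs:
                sat_a = all(tau[i] in a[pi[i]] for i in range(n))
                sat_c = all(tau[i] in c[pi[i]] for i in range(n))
                if sat_a and not sat_c:
                    return tau, pi
    return None

if __name__ == "__main__":
    rho, ok = ste_set(M, C, S, s0, R, a, c)
    print({s: set(v) for s, v in rho.items()}, "M |=Set A:", ok)
    print("witness against (6):", bounded_satisfies(M, C, S, s0, R, a, c, 3))
```

The fixpoint lands on $\rho^*(s_1) = \rho^*(s_2) = \{1\}$, the check fails at $s_2$, and the direct enumeration of (6) produces the matching witness: trajectory $\langle 0, 1 \rangle$ against run $\langle s_0, s_2 \rangle$. Changing $c(s_2)$ to $\{1\}$ makes both the fixpoint check and the enumeration agree that the assertion holds, which is Theorem 1 on this instance.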
3 Lattice-Theoretic STE

The definition (12) of the sequence $\langle \rho_n \mid n \in \mathbb{N} \rangle$ above yields a simple method for computing the least fixpoint solution of (11): just compute $\rho_0, \rho_1, \rho_2, \ldots$ one by one until a fixpoint, which must be $\rho^*$, is reached. Then, by Theorem 1, $M \models A$ can be checked by checking $M \models_{\mathrm{Set}} A$. Since all objects involved are finite, this scheme for checking $M \models A$, which we call the set-theoretic STE algorithm, is clearly effective. Unfortunately, the set-theoretic STE algorithm is not practical except for small circuits. For, if the circuit $M$ has $m$ boolean signals, then its set of configurations is $\mathbb{B}^m$, where $\mathbb{B} = \{0, 1\}$ is the set of boolean values. Even with state-of-the-art BDD technologies, manipulating subsets of $\mathbb{B}^m$ is impractical for even moderately large $m$, say several hundred signals. But interesting circuits in the real world often contain thousands of (if not more!) signals, on which set-theoretic STE is powerless.

In this section we will describe what can be regarded as the key insight of the STE paradigm. Namely, instead of manipulating subsets of $\mathbb{B}^m$ directly, we approximate them with ternary vectors, whose sizes are only linear in $m$. But, to compensate for possible loss of information in the approximation process, we may have to complicate the trajectory assertion, or use a family of trajectory assertions, or both. Yet, in both cases, the number of BDD variables depends only on the trajectory assertion(s) and not on the circuit under analysis. This makes it possible to do STE on very large circuits without first abstracting them.

We will use many concepts and notations from the theory of partial orders and lattices [4]. In particular, the notions of complete lattices and Galois connections are reviewed in Appendices B and C, respectively.
3.1 Lattice-Theoretic Models of Circuits

Recall that $M \in \mathcal{P}(C) \to \mathcal{P}(C)$ represents a circuit (i.e., (2) is true), and that the set $C$ of configurations of $M$ is finite. What exactly $C$ is, is not important until Section 3.4. Let $(\hat{P}, \sqsubseteq)$ be a finite complete lattice of abstract predicates such that there is a Galois connection $\mathcal{P}(C) \leadsto \hat{P}$. An abstract predicate transformer $\hat{M} \in \hat{P} \to \hat{P}$ is an abstract interpretation [9] of $M \in \mathcal{P}(C) \to \mathcal{P}(C)$ iff all of the following conditions hold:

$$\hat{M}(\hat{\bot}) = \hat{\bot} \qquad (13)$$

$$\hat{p} \sqsubseteq \hat{q} \Rightarrow \hat{M}(\hat{p}) \sqsubseteq \hat{M}(\hat{q}) \qquad (14)$$

$$p \leadsto \hat{p} \Rightarrow M(p) \leadsto \hat{M}(\hat{p}) \qquad (15)$$

for all $\hat{p}, \hat{q} \in \hat{P}$ and $p \in \mathcal{P}(C)$. (13) says that $\hat{M}$ preserves the bottom $\hat{\bot}$ of $\hat{P}$, (14) that $\hat{M}$ is monotonic, and (15) that the Galois connection is a simulation relation between the two predicate lattices. Just as the Galois connection $\mathcal{P}(C) \leadsto \hat{P}$ can be equivalently defined using an abstraction function $\alpha : \mathcal{P}(C) \to \hat{P}$ or a concretization function $\gamma : \hat{P} \to \mathcal{P}(C)$, (15) can be equivalently stated as one of the following [9]:

$$\alpha(M(p)) \sqsubseteq \hat{M}(\alpha(p)) \qquad (16)$$

$$M(\gamma(\hat{p})) \subseteq \gamma(\hat{M}(\hat{p})) \qquad (17)$$

for all $\hat{p} \in \hat{P}$ and $p \in \mathcal{P}(C)$. As far as we know, none of (15)-(17) has been explicitly stated in the existing literature on STE [10, 6]. It would be interesting to check whether actual implementations of STE satisfy this condition. Note that we do not require of $\hat{M}$ the counterpart of (2):

$$\hat{M}\Big(\bigsqcup \hat{Q}\Big) = \bigsqcup \{\, \hat{M}(\hat{q}) \mid \hat{q} \in \hat{Q} \,\}$$
where $\hat{Q} \subseteq \hat{P}$, because it is not true in general. For example, suppose $\hat{M}$ abstracts a unit-delay two-input AND gate using ternary values. Then it is reasonable to require:

$$\hat{M}(\langle 0, 1, X \rangle \sqcup \langle 1, 0, X \rangle) = \hat{M}(\langle X, X, X \rangle) = \langle X, X, X \rangle$$

$$\hat{M}(\langle 0, 1, X \rangle) \sqcup \hat{M}(\langle 1, 0, X \rangle) = \langle X, X, 0 \rangle \sqcup \langle X, X, 0 \rangle = \langle X, X, 0 \rangle$$

where the first two vector components correspond to the two inputs and the last component to the output. Intuitively, the join operation $\langle 0, 1, X \rangle \sqcup \langle 1, 0, X \rangle = \langle X, X, X \rangle$ throws away the information that one of the inputs is 0, so $\hat{M}$ can no longer assign 0 to the output. Note, however, that the following inequality does hold:

$$\hat{M}\Big(\bigsqcup \hat{Q}\Big) \sqsupseteq \bigsqcup \{\, \hat{M}(\hat{q}) \mid \hat{q} \in \hat{Q} \,\}$$

for all $\hat{Q} \subseteq \hat{P}$. It follows from the monotonicity of $\hat{M}$.
3.2 Lattice-Theoretic Trajectory Assertions

A trajectory assertion for $\hat{M}$ is a quintuple $\hat{A} = (S, s_0, R, \hat{a}, \hat{c})$, where the assumptions on $S$, $s_0$, and $R$ are the same as in Section 2.2 (including (5)), and $\hat{a} \in S \to \hat{P}$ and $\hat{c} \in S \to \hat{P}$ are the antecedent and consequent labeling functions, respectively. Define $\gamma(\hat{A}) = (S, s_0, R, \gamma(\hat{a}), \gamma(\hat{c}))$, where $\gamma(\hat{a}) = \lambda s \in S : \gamma(\hat{a}(s))$ and $\gamma(\hat{c}) = \lambda s \in S : \gamma(\hat{c}(s))$. Note that $\gamma(\hat{A})$ is a trajectory assertion for $M$.
3.3 Lattice-Theoretic STE as DFA

Define $\hat{F} \in S \to (\hat{P} \to \hat{P})$ such that $\hat{F}(s)(\hat{p}) = \hat{M}(\hat{a}(s) \sqcap \hat{p})$ for all $s \in S$ and $\hat{p} \in \hat{P}$. Using (13) and (14), it is easy to verify that $\hat{F}(s) \in \hat{P} \to \hat{P}$ satisfies:

$$\hat{F}(s)(\hat{\bot}) = \hat{\bot} \qquad (18)$$

$$\hat{p} \sqsubseteq \hat{q} \Rightarrow \hat{F}(s)(\hat{p}) \sqsubseteq \hat{F}(s)(\hat{q}) \qquad (19)$$

for all $s \in S$ and $\hat{p}, \hat{q} \in \hat{P}$. Next, define $\hat{\mathcal{F}} \in (S \to \hat{P}) \to (S \to \hat{P})$ such that:

$$\hat{\mathcal{F}}(\hat{\rho})(s) = \begin{cases} \hat{\top} & \text{if } s = s_0 \\ \bigsqcup \{\, \hat{F}(s')(\hat{\rho}(s')) \mid (s', s) \in R \,\} & \text{otherwise} \end{cases}$$

for all $\hat{\rho} \in S \to \hat{P}$ and $s \in S$. Since $\hat{F}(s)$ is monotonic for all $s \in S$ (see (19) above), $\hat{\mathcal{F}}$ is monotonic as well, where the function space $S \to \hat{P}$ is ordered as follows: $\hat{\rho} \sqsubseteq \hat{\rho}' \Leftrightarrow \forall s \in S : \hat{\rho}(s) \sqsubseteq \hat{\rho}'(s)$, for all $\hat{\rho}, \hat{\rho}' \in S \to \hat{P}$. Hence, by the Knaster-Tarski Fixpoint Theorem [4], the following fixpoint equation:

$$\hat{\rho} = \hat{\mathcal{F}}(\hat{\rho}) \qquad (20)$$

has a least solution $\hat{\rho}^* \in S \to \hat{P}$. Furthermore, since both $S$ and $\hat{P}$ are finite, $\hat{\rho}^*$ is the limit of the sequence $\langle \hat{\rho}_n \in S \to \hat{P} \mid n \in \mathbb{N} \rangle$ defined by:

$$\hat{\rho}_n = \begin{cases} \lambda s \in S : \hat{\bot} & \text{if } n = 0 \\ \hat{\mathcal{F}}(\hat{\rho}_{n-1}) & \text{if } n > 0 \end{cases} \qquad (21)$$

in the sense that there exists a sufficiently large $k \in \mathbb{N}$ such that $\hat{\rho}_n = \hat{\rho}^*$ for all $n \ge k$. We say the abstract circuit $\hat{M}$ satisfies the abstract trajectory assertion $\hat{A}$ by lattice-theoretic STE, denoted by $\hat{M} \models_{\mathrm{Lat}} \hat{A}$, iff $\forall s \in S : \hat{\rho}^*(s) \sqcap \hat{a}(s) \sqsubseteq \hat{c}(s)$. Now we are ready to state our second main result:

Theorem 2. If $\hat{M}$ is an abstract interpretation of $M$, then: $\hat{M} \models_{\mathrm{Lat}} \hat{A} \;\Rightarrow\; M \models_{\mathrm{Set}} \gamma(\hat{A})$

Proof. See Appendix E.

The converse of Theorem 2 is not true. For example, consider a circuit with five signals $\langle i_1, i_2, j_1, j_2, o \rangle$, where $j_1$ (resp., $j_2$) is $i_1$ ($i_2$) delayed by one unit of time and $o$ is the unit-delayed AND of $j_1$ and $j_2$. Suppose the trajectory assertion has five states $\{s_0, s_1, s_1', s_2, s_3\}$ and five transitions $\{(s_0, s_1), (s_0, s_1'), (s_1, s_2), (s_1', s_2), (s_2, s_3)\}$ and the following labeling: $\hat{a}(s_1) = \langle 0, 1, X, X, X \rangle$, $\hat{a}(s_1') = \langle 1, 0, X, X, X \rangle$, $\hat{c}(s_3) = \langle X, X, X, X, 0 \rangle$; all other labels are $\langle X, X, X, X, X \rangle$. Intuitively, the antecedent at $s_1$ (resp., $s_1'$) assumes that $i_1 = 0$ and $i_2 = 1$ (resp., $i_1 = 1$ and $i_2 = 0$) at time 1, and the consequent at $s_3$ checks that at time 3, $o = 0$ regardless of which assumption was used. It is easy to verify that for this example, $M \models_{\mathrm{Set}} \gamma(\hat{A})$ but $\hat{M} \not\models_{\mathrm{Lat}} \hat{A}$. And the reason is simple: at time 2, when the information from $s_1$ and $s_1'$ is merged at $s_2$, we have:

$$\{\langle 0, 1 \rangle\} \cup \{\langle 1, 0 \rangle\} = \{\langle 0, 1 \rangle, \langle 1, 0 \rangle\} \quad \text{but} \quad \langle 0, 1 \rangle \sqcup \langle 1, 0 \rangle = \langle X, X \rangle$$

the latter of which loses information. Clearly, this merge could be avoided by duplicating $s_2$ and $s_3$, so that there is a separate copy of them to deal with each of the assumptions $\hat{a}(s_1)$ and $\hat{a}(s_1')$. But then the number of states in the trajectory assertion increases. This kind of trade-off between complexity and precision is typical of STE.
3.4 A BDD-Based Algorithm for Lattice-Theoretic STE

Up to this point, except in a few examples, we have not needed to specify what exactly the set $C$ of configurations is, except that $C$ should be finite. This makes our theory more general. But in order to have a BDD-based implementation, we have to make up our mind now as to what $C$ is. Thus, in this subsection, we shall assume that $C = \mathbb{B}^m$ for some $m \in \mathbb{N}$. In other words, $M$ is a boolean circuit with $m$ signals. Furthermore, we assume that the abstract circuit $\hat{M}$ operates on ternary vectors, i.e., $\hat{P} = \mathbb{T}^m_\bot$. How sets of boolean vectors can be approximated by ternary vectors is explained in Appendix C.3.

Similar to the set-theoretic case, the definition (21) of the sequence $\langle \hat{\rho}_n \mid n \in \mathbb{N} \rangle$ yields a simple algorithm for checking $\hat{M} \models_{\mathrm{Lat}} \hat{A}$: compute $\hat{\rho}_0, \hat{\rho}_1, \hat{\rho}_2, \ldots$ one by one until a fixpoint, which must be $\hat{\rho}^*$, is reached; then check $\hat{M} \models_{\mathrm{Lat}} \hat{A}$ using its definition. Note that since the converse of Theorem 2 is not true, this algorithm, which we call the lattice-theoretic STE algorithm, can give false negative answers (i.e., when $\hat{M} \not\models_{\mathrm{Lat}} \hat{A}$ but $M \models \gamma(\hat{A})$). But, by virtue of Theorems 1 and 2, it can never produce false positive answers (i.e., $\hat{M} \models_{\mathrm{Lat}} \hat{A}$ does imply $M \models \gamma(\hat{A})$).

We now argue that the lattice-theoretic STE algorithm can be implemented using BDDs in a straightforward manner. First, notice that every ternary value $t \in \mathbb{T}$ can be encoded with two boolean values: $B_0(t) =  (0 \sqsubseteq t)$ and $B_1(t) = (1 \sqsubseteq t)$. With this encoding, join and meet are implemented by $B_i(t \sqcup t') = B_i(t) \vee B_i(t')$ and $B_i(t \sqcap t') = B_i(t) \wedge B_i(t')$, where $i \in \mathbb{B}$. For any $m \in \mathbb{N}$, this encoding and the associated join and meet operations can be extended componentwise to $\mathbb{T}^m_\bot$. Note that $\bot$ has multiple encodings (viz., all $m$-tuples of boolean pairs in which at least one of the pairs is such that $B_0 = B_1 = 0$). Without loss of generality, suppose the state space $S$ of the trajectory assertion is $\mathbb{B}^k$, for some $k \in \mathbb{N}$.

With the above encoding of ternary values, the objects manipulated by the lattice-theoretic STE algorithm have the following "types": $R \in \mathbb{B}^k \times \mathbb{B}^k \to \mathbb{B}$ and $\hat{a}, \hat{c}, \hat{\rho}_n, \hat{\rho}^* \in \mathbb{B}^k \to (\mathbb{B} \times \mathbb{B})^m$, for all $n \in \mathbb{N}$. It is not hard to see that these objects can all be represented by BDDs on at most $2k$ variables, and that $\hat{\mathcal{F}}$ and the checking of $\hat{M} \models_{\mathrm{Lat}} \hat{A}$ can be implemented by BDD operations on these BDDs, provided that the output of the abstract circuit $\hat{M} \in \mathbb{T}^m_\bot \to \mathbb{T}^m_\bot$ for any given input can be computed without ever having to represent $\hat{M}$ itself as BDDs (which would require $2m$ variables). Real-world STE implementations amply demonstrate that this proviso is practical. We emphasize again that the maximum number of boolean variables needed by our algorithm, $2k$, depends only on the trajectory assertion and not on the circuit. Of course, this independence is somewhat illusory, since the possible loss of information in the approximation by ternary vectors may necessitate a more complex state-transition structure in the trajectory assertion, which would increase $k$. Furthermore, note that our formulation so far has been "unparameterized" in the sense that the antecedents and consequents are simple ternary vectors without parameters. In fact, they can be parameterized by boolean variables, so that a single run of the parameterized algorithm is equivalent to multiple runs of the unparameterized algorithm, one for each truth assignment to the boolean parameters. Needless to say, such parameters further increase the total number of boolean variables.
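As an added example (not the paper's code), the Python below runs the lattice-theoretic STE iteration (21) on the five-signal delay/AND circuit from the end of Section 3.3, using the dual-rail encoding $B_0(t), B_1(t)$ of ternary values from this subsection: join is componentwise OR, meet is componentwise AND, and any $(0,0)$ pair is normalised to $\bot$. The abstract circuit `M_hat` and the two trajectory assertions (the merged one from Section 3.3, and the one with $s_2, s_3$ duplicated per assumption) follow the text's description and are the example's own assumptions.

```python
"""Lattice-theoretic STE: the iteration (21) over ternary vectors in the
dual-rail encoding of Section 3.4, run on the five-signal delay/AND circuit
from the end of Section 3.3.  Added example, not the paper's code.  A ternary
value t is the pair (B0(t), B1(t)) = (0 <= t, 1 <= t), so 0 = (1,0),
1 = (0,1), X = (1,1); a (0,0) pair anywhere makes the whole vector bottom,
represented as None.  `M_hat` and the two assertions follow the text's
description and are the example's own assumptions.
"""
ZERO, ONE, X = (1, 0), (0, 1), (1, 1)

def canon(v):
    """Normalise the multiple encodings of bottom to None."""
    v = tuple(v)
    return None if any(p == (0, 0) for p in v) else v

def join(u, v):
    """Join: componentwise OR on both rails; bottom is the unit."""
    if u is None: return v
    if v is None: return u
    return canon((a0 | b0, a1 | b1) for (a0, a1), (b0, b1) in zip(u, v))

def meet(u, v):
    """Meet: componentwise AND on both rails; bottom absorbs."""
    if u is None or v is None: return None
    return canon((a0 & b0, a1 & b1) for (a0, a1), (b0, b1) in zip(u, v))

def leq(u, v):
    """u <= v in T^m_bot: componentwise on both rails (0 <= X, 1 <= X)."""
    if u is None: return True
    if v is None: return False
    return all(a0 <= b0 and a1 <= b1 for (a0, a1), (b0, b1) in zip(u, v))

def M_hat(v):
    """Abstract next-state function on <i1, i2, j1, j2, o>: j1' = i1, j2' = i2,
    o' = AND(j1, j2); the inputs are uncontrolled, hence X in the next state."""
    if v is None:
        return None                      # (13): bottom is preserved
    i1, i2, j1, j2, _ = v
    # dual-rail AND: the output can be 0 if either input can be 0, and can
    # be 1 only if both inputs can be 1
    o = (j1[0] | j2[0], j1[1] & j2[1])
    return canon((X, X, i1, i2, o))

def ste_lat(M_hat, S, s0, R, a, c, m):
    """Least fixpoint of (20) via the iteration (21), then the check
    forall s: rho*(s) meet a(s) <= c(s).  Returns (rho*, verdict)."""
    top = (X,) * m
    rho = {s: None for s in S}           # rho_0 = lambda s . bottom
    while True:
        nxt = {}
        for s in S:
            if s == s0:
                nxt[s] = top
            else:
                acc = None
                for (t, u) in R:
                    if u == s:           # F_hat(t)(rho(t)) = M_hat(a(t) meet rho(t))
                        acc = join(acc, M_hat(meet(a[t], rho[t])))
                nxt[s] = acc
        if nxt == rho:                   # fixpoint reached
            return rho, all(leq(meet(rho[s], a[s]), c[s]) for s in S)
        rho = nxt

TOP5 = (X,) * 5
# Merged assertion: both assumptions flow into the same s2 and s3.
S1 = ("s0", "s1", "s1p", "s2", "s3")
R1 = {("s0", "s1"), ("s0", "s1p"), ("s1", "s2"), ("s1p", "s2"), ("s2", "s3")}
A1 = {s: TOP5 for s in S1}
A1.update({"s1": (ZERO, ONE, X, X, X), "s1p": (ONE, ZERO, X, X, X)})
C1 = {s: TOP5 for s in S1}
C1["s3"] = (X, X, X, X, ZERO)

# Split assertion: a private copy of s2 and s3 for each assumption.
S2 = ("s0", "s1", "s1p", "s2a", "s3a", "s2b", "s3b")
R2 = {("s0", "s1"), ("s0", "s1p"), ("s1", "s2a"), ("s2a", "s3a"),
      ("s1p", "s2b"), ("s2b", "s3b")}
A2 = {s: TOP5 for s in S2}
A2.update({"s1": (ZERO, ONE, X, X, X), "s1p": (ONE, ZERO, X, X, X)})
C2 = {s: TOP5 for s in S2}
C2["s3a"] = C2["s3b"] = (X, X, X, X, ZERO)

def run_both():
    """(verdict on the merged assertion, verdict on the split assertion)."""
    return (ste_lat(M_hat, S1, "s0", R1, A1, C1, 5)[1],
            ste_lat(M_hat, S2, "s0", R2, A2, C2, 5)[1])

if __name__ == "__main__":
    print(run_both())
```

On the merged assertion the fixpoint at $s_2$ is $\langle X, X, X, X, X \rangle$, the join of $\langle X, X, 0, 1, X \rangle$ and $\langle X, X, 1, 0, X \rangle$, so the consequent at $s_3$ cannot be established and the verdict is a false negative. On the split assertion each copy of $s_3$ receives $\langle X, X, X, X, 0 \rangle$ and the check passes, at the price of two more states.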
4 Future Research

Despite its simplicity, the lattice-theoretic STE algorithm described above does not seem to have ever been implemented. Since we do not see any reason a priori why it should not give rise to implementations as efficient as any current implementations of STE, it would be interesting to try to implement it and use it on real-world circuits.

For specifying properties of hardware, which are usually highly parallel, one would like to have powerful parallel programming constructs in order to express the finite-state machine part of the trajectory assertion in an elegant manner. Our past experience [2] shows that synchronous languages [1, 5] may provide such constructs. Furthermore, programs in synchronous languages can be automatically translated into finite-state machines in the form of circuits, which are then readily representable by BDDs [1, 2].

Given our observation that STE is a form of DFA, two natural questions arise. First, is there anything in the vast literature on DFA [8] that is useful to STE? Conversely, since most traditional DFA algorithms operate on bit vectors [8], could some forms of BDD-based algorithms (such as our STE algorithm) benefit traditional DFA? We hope that our observation about the connection between STE and DFA can lead to cross-fertilization of research ideas between these two fields.

Last but not least, it may be possible to generalize STE to express and reason about liveness properties. Doing so would make STE even more useful than it already is now. Unfortunately, we do not have anything concrete to report on this problem.
Acknowledgments The author is grateful to Pascalin Amagbegnon, John Mark Bouler, Pei-Hsin Ho, Marten van Hulst, and Carl Seger for comments and encouragements, and especially to Victor Konrad for giving him time to work on this paper.
References

1. Gerard Berry, "The Foundations of Esterel", in Proof, Language and Interaction: Essays in Honour of Robin Milner, G. Plotkin, C. Stirling and M. Tofte, editors, MIT Press, 1998.
2. Ching-Tsun Chou, Jiun-Lang Huang, and Masahiro Fujita, "A High-Level Language for Programming Complex Temporal Behaviors and Its Translation into Synchronous Circuits", poster presentation, IFIP Conference on Hardware Description Languages, Apr. 1997.
3. E.M. Clarke, O. Grumberg, and D. Peled, Model Checking, MIT Press, 1999.
4. B.A. Davey and H.A. Priestley, Introduction to Lattices and Order, Cambridge University Press, 1990.
5. N. Halbwachs, Synchronous Programming of Reactive Systems, Kluwer Academic Publishers, 1993.
6. Alok Jain, "Formal Hardware Verification by Symbolic Trajectory Evaluation", Ph.D. Dissertation supervised by Randal E. Bryant, Carnegie-Mellon University, July 1997.
7. G.A. Kildall, "A Unified Approach to Global Program Optimization", pp. 194-206 of Conf. Rec. of 1st ACM Symp. on Principles of Programming Languages (POPL'73), Oct. 1973.
8. Steven S. Muchnick, Advanced Compiler Design and Implementation, Morgan Kaufmann Publishers, 1997.
9. D.A. Schmidt and B. Steffen, "Data-Flow Analysis as Model Checking of Abstract Interpretations", invited tutorial paper, Proc. 5th Static Analysis Symposium, G. Levi (ed.), Pisa, Sep. 1998, Springer LNCS 1503.
10. Carl-Johan H. Seger and Randal E. Bryant, "Formal Verification by Symbolic Evaluation of Partially-Ordered Trajectories", Formal Methods in System Design, Vol. 6, No. 2, pp. 147-189, March 1995.
A Sequences

Let $\mathbb{N} = \{0, 1, 2, \ldots\}$ be the set of natural numbers. For any set $V$ and any $n \in \mathbb{N}$, $V^n$ (resp., $V^+$ and $V^*$) denotes the set of all finite sequences of length $n$ (resp., of positive and of nonnegative length) over $V$. Let $\alpha, \beta \in V^*$. The length of $\alpha$ is denoted by $|\alpha|$, the concatenation of $\alpha$ followed by $\beta$ by $\alpha \frown \beta$, and $\alpha$ being a prefix of $\beta$ by $\alpha \preceq \beta$. For any $i \in \mathbb{N}$ with $0 \le i < |\alpha|$, the $i$-th element of $\alpha$ is denoted by $\alpha[i]$. (Note that we index sequence elements starting from 0 instead of 1.) The last element of $\alpha$ is denoted by $\mathrm{last}(\alpha)$, i.e., $\mathrm{last}(\alpha) = \alpha[\,|\alpha| - 1\,]$. The empty sequence (i.e., the sequence whose length is 0) is denoted by $\langle\,\rangle$. A sequence consisting of elements $v_0, v_1, v_2, \ldots, v_{n-1} \in V$ (in that order) is written as $\langle v_0, v_1, v_2, \ldots, v_{n-1} \rangle$. We use the terms "sequences" and "vectors" interchangeably; the elements of vectors are sometimes referred to as "components".
B Complete Lattices

A complete lattice is a poset $(P, \sqsubseteq)$ in which the meet and join of the elements of any subset $Q \subseteq P$, denoted by $\bigsqcap Q$ and $\bigsqcup Q$ respectively, always exist. Intuitively, we think of the elements of a complete lattice as "predicates", so that $\sqcap$, $\sqcup$, and $\sqsubseteq$ correspond to "conjunction", "disjunction", and "implication", respectively. For any set $V$, its power set $\mathcal{P}(V)$, ordered by set inclusion $\subseteq$, forms a complete lattice. Here $\sqcap$, $\sqcup$, and $\sqsubseteq$ are $\cap$, $\cup$, and $\subseteq$, respectively.

Let $\mathbb{T} = \{0, 1, X\}$ be the set of ternary values, where $X$ denotes an unknown value. Intuitively, $X$ signifies a lack of information: it could be 0, it could be 1; we simply don't know. We partially order $\mathbb{T}$ as follows (footnote 2): $0 \sqsubseteq X$ and $1 \sqsubseteq X$. For any $m \in \mathbb{N}$, this order on $\mathbb{T}$ can be extended componentwise to $\mathbb{T}^m$:

$$\langle t_0, \ldots, t_{m-1} \rangle \sqsubseteq \langle t_0', \ldots, t_{m-1}' \rangle \;\Leftrightarrow\; t_0 \sqsubseteq t_0' \wedge \cdots \wedge t_{m-1} \sqsubseteq t_{m-1}'$$

But $(\mathbb{T}^m, \sqsubseteq)$ is not a complete lattice, because it lacks a bottom. We can fix this by introducing a special bottom element, $\bot$, such that $\bot \sqsubseteq t$ and $\bot \ne t$ for all $t \in \mathbb{T}^m$. Now $\mathbb{T}^m_\bot = \mathbb{T}^m \cup \{\bot\}$, ordered by $\sqsubseteq$, is indeed a complete lattice. We denote the top element $\langle X, \ldots, X \rangle$ of $\mathbb{T}^m_\bot$ by $\top$.
C Galois Connections

C.1 Galois Connections as Relations

Let $(P^\flat, \sqsubseteq^\flat)$ and $(P^\sharp, \sqsubseteq^\sharp)$ be complete lattices (footnote 3) of "concrete predicates" and "abstract predicates", respectively. In the sequel we will drop the superscripts $\flat$ and $\sharp$ from the partial orders $\sqsubseteq^\flat$ and $\sqsubseteq^\sharp$ and the meet and join operations they induce, since they will always be clear from the context.

Footnote 2 (on the ordering of $\mathbb{T}$ in Appendix B): Note that our ordering of $\mathbb{T}$ is the reverse of that used in [10, 6]. We do so because we want to make clear that the ordering of $\mathbb{T}$ is an abstraction of set inclusion.

Footnote 3: The theory of Galois connections can in fact be developed for general posets, but doing so requires the introduction of many inconvenient side-conditions. In any case, we only need Galois connections between complete lattices in this paper.
A Galois connection [4, 9] (footnote 4) from $P^\flat$ to $P^\sharp$ is a binary relation $\leadsto \subseteq P^\flat \times P^\sharp$, where $p^\flat \leadsto p^\sharp$ reads "$p^\flat$ can be approximated by $p^\sharp$", such that for all $Q^\flat \subseteq P^\flat$ and $Q^\sharp \subseteq P^\sharp$:

$$Q^\flat \leadsto Q^\sharp \;\Leftrightarrow\; \bigsqcup Q^\flat \leadsto \bigsqcap Q^\sharp \qquad (22)$$

where we define: $Q^\flat \leadsto Q^\sharp \Leftrightarrow \forall p^\flat \in Q^\flat : \forall p^\sharp \in Q^\sharp : p^\flat \leadsto p^\sharp$. Intuitively, (22) says that the approximation relation $\leadsto$ is an "extension" of the partial orders inside $P^\flat$ and $P^\sharp$ to between $P^\flat$ and $P^\sharp$.
C.2 Galois Connections as Functions

The usual definitions of Galois connections in the literature [4, 9] are in terms of an abstraction function $\alpha : P^\flat \to P^\sharp$ and a concretization function $\gamma : P^\sharp \to P^\flat$, which in our framework can be derived from $\leadsto$ as follows:

$$\alpha(p^\flat) = \bigsqcap \{\, p^\sharp \in P^\sharp \mid p^\flat \leadsto p^\sharp \,\} \qquad (23)$$

$$\gamma(p^\sharp) = \bigsqcup \{\, p^\flat \in P^\flat \mid p^\flat \leadsto p^\sharp \,\} \qquad (24)$$

for all $p^\flat \in P^\flat$ and $p^\sharp \in P^\sharp$. Intuitively, $\alpha(p^\flat)$ (respectively, $\gamma(p^\sharp)$) is the "most precise approximation" of $p^\flat$ ($p^\sharp$) in $P^\sharp$ ($P^\flat$). Conversely, the relation $\leadsto$ can be derived from $\alpha$ or $\gamma$ as follows:

$$p^\flat \leadsto p^\sharp \;\Leftrightarrow\; \alpha(p^\flat) \sqsubseteq p^\sharp \qquad (25)$$

$$p^\flat \leadsto p^\sharp \;\Leftrightarrow\; p^\flat \sqsubseteq \gamma(p^\sharp) \qquad (26)$$

for all $p^\flat \in P^\flat$ and $p^\sharp \in P^\sharp$. It is easy to see from (23)-(26) how $\alpha$ and $\gamma$ can be derived from each other. It is not hard to show that $\alpha$ has the following properties:

$$\alpha(\bot^\flat) = \bot^\sharp \qquad (27)$$

$$p^\flat \sqsubseteq q^\flat \Rightarrow \alpha(p^\flat) \sqsubseteq \alpha(q^\flat) \qquad (28)$$

$$\alpha\Big(\bigsqcup Q^\flat\Big) = \bigsqcup \{\, \alpha(q^\flat) \in P^\sharp \mid q^\flat \in Q^\flat \,\} \qquad (29)$$

for all $p^\flat, q^\flat \in P^\flat$ and $Q^\flat \subseteq P^\flat$. (In fact, (29) implies both (27) and (28).) Similarly, $\gamma$ has the following properties:

$$\gamma(\top^\sharp) = \top^\flat \qquad (30)$$

$$p^\sharp \sqsubseteq q^\sharp \Rightarrow \gamma(p^\sharp) \sqsubseteq \gamma(q^\sharp) \qquad (31)$$

$$\gamma\Big(\bigsqcap Q^\sharp\Big) = \bigsqcap \{\, \gamma(q^\sharp) \in P^\flat \mid q^\sharp \in Q^\sharp \,\} \qquad (32)$$

for all $p^\sharp, q^\sharp \in P^\sharp$ and $Q^\sharp \subseteq P^\sharp$. (And (32) implies both (30) and (31).)
C.3 Galois Connection from $\mathcal{P}(B^m)$ to $T^m_\bot$

For any $m \in \mathbb{N}$, there is a natural Galois connection from $\mathcal{P}(B^m)$ to $T^m_\bot$, which is most conveniently defined by specifying its concretization function ${} : T^m_\bot \to \mathcal{P}(B^m)$:

$${}(\langle t_0, \ldots, t_{m-1}\rangle) = \{\, \langle b_0, \ldots, b_{m-1}\rangle \in B^m \mid \forall i \in \mathbb{N} : 0 \le i < m \wedge t_i \neq X \Rightarrow b_i = t_i \,\}$$

$${}(\bot) = \emptyset$$

⁴ We should point out that in the formulation in [4], the partial order on $P^\sharp$ is reversed.
for all $\langle t_0, \ldots, t_{m-1}\rangle \in T^m$. In other words, for any ternary vector $t \in T^m$, ${}(t)$ is the set of all boolean vectors in $B^m$ that agree with $t$ on all non-$X$ components (so $X$'s can be thought of as "wild cards"), and ${}(\bot)$ is the empty set. Note that the concretization function is in fact a bijection from $T^m_\bot$ to those subsets of $B^m$ that are (hyper)cubes. From it, the Galois connection ${} \subseteq \mathcal{P}(B^m) \times T^m_\bot$ and the abstraction function ${} : \mathcal{P}(B^m) \to T^m_\bot$ can be easily derived:

$$b \;\; t \iff b \subseteq {}(t)$$

$${}(b) = \sqcap\{\, t \in T^m_\bot \mid b \subseteq {}(t) \,\}$$

for all $b \in \mathcal{P}(B^m)$ and $t \in T^m_\bot$. In other words, $b \;\; t$ iff the cube corresponding to $t$ contains $b$, and ${}(b)$ is the element of $T^m_\bot$ that corresponds to the smallest cube in $B^m$ that contains $b$.
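As an added example, not from the paper, the following Python encodes the Galois connection of this subsection for small $m$ and checks it exhaustively. The encoding is my own: ternary vectors are tuples over '0', '1', 'X' and the added bottom is None; `concretize` is the cube reader defined above, `abstract` is the meet of (23) specialised to this lattice, and `galois_holds` verifies (25) for every subset of $B^m$ against every element of $T^m_\bot$.

```python
from itertools import combinations, product

def ternary_leq(t, u):
    """Order on T^m_bot: None (bottom) is below everything; otherwise
    component-wise, with 0 and 1 both below the unknown value X."""
    if t is None or u is None:
        return t is None
    return all(a == b or b == 'X' for a, b in zip(t, u))

def ternary_meet(t, u):
    """Meet in T^m_bot: 0 and 1 have no common lower bound in T, so a
    clash in any component collapses the whole vector to bottom."""
    if t is None or u is None:
        return None
    out = []
    for a, b in zip(t, u):
        if a != b and 'X' not in (a, b):
            return None
        out.append(b if a == 'X' else a)
    return tuple(out)

def concretize(t, m):
    """gamma(t): boolean vectors agreeing with t off the X positions."""
    if t is None:
        return frozenset()
    return frozenset(b for b in product('01', repeat=m)
                     if all(x == 'X' or x == y for x, y in zip(t, b)))

def abstract(b, m):
    """alpha(b): meet of every t with b subset of gamma(t), i.e. the
    smallest cube containing b (equation (23) for this lattice)."""
    result = ('X',) * m  # top of T^m_bot
    for t in [None] + list(product('01X', repeat=m)):
        if b <= concretize(t, m):
            result = ternary_meet(result, t)
    return result

def galois_holds(m):
    """Equation (25), checked for all b in P(B^m) and all t in T^m_bot."""
    bits = list(product('01', repeat=m))
    ternaries = [None] + list(product('01X', repeat=m))
    for r in range(len(bits) + 1):
        for s in combinations(bits, r):
            b, ab = frozenset(s), abstract(frozenset(s), m)
            if any(ternary_leq(ab, t) != (b <= concretize(t, m))
                   for t in ternaries):
                return False
    return True
```

A set such as {00, 11} abstracts to the all-X top, whose cube is all of $B^2$: this is the precision loss that makes $X$ a wild card rather than a correlation between components.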
D Proof of Theorem 1

We prove the two directions of $\iff$ separately.

The $\Rightarrow$ direction: Suppose this is not true, i.e., $M \models_{\mathrm{Set}} A$ but $M \not\models A$. Then $M \not\models A$ implies that there exist ${} \in \mathrm{Traj}(M)$ and ${} \in \mathrm{Runs}(A)$ such that $|{}| = |{}|$, ${} \models_a {}$, and ${}' \models_c {}'$, but $\mathrm{last}({}) \notin {}_c(\mathrm{last}({}))$, where ${}'$ and ${}'$ are the prefixes of the trajectory and the run respectively such that $|{}'| = |{}| - 1$ and $|{}'| = |{}| - 1$. We claim that for all $i \in \mathbb{N}$ with $0 \le i < |{}|$, ${}[i] \in {}({}[i])$. This is proved by induction on $i$. The base case $i = 0$ is trivial, since ${}(s_0) = C$. For the induction step, assume the claim is true for $i < |{}| - 1$. Then ${}[i] \in {}({}[i]) \cap {}_a({}[i])$, since ${} \models_a {}$. So ${}[i+1] \in F({}[i])({}({}[i]))$, since ${} \in \mathrm{Traj}(M)$. But, since ${}$ is a solution of (11), $F({}[i])({}({}[i])) \subseteq {}({}[i+1])$. This completes the induction step, so the claim is true. But the claim implies that $\mathrm{last}({}) \in {}(\mathrm{last}({})) \cap {}_a(\mathrm{last}({}))$, which implies $\mathrm{last}({}) \in {}_c(\mathrm{last}({}))$ because $M \models_{\mathrm{Set}} A$. So $\mathrm{last}({}) \in {}_c(\mathrm{last}({}))$ and $\mathrm{last}({}) \notin {}_c(\mathrm{last}({}))$, a contradiction.

The $\Leftarrow$ direction: Since $F(s)$ is distributive over arbitrary union for all $s \in S$ (see (10) above), a well-known result from DFA [7] states that the least fixpoint solution of (11) is in fact the same as the union-over-all-runs solution of (11). More precisely, ${}$ satisfies the following equation:

$${}(s) = \begin{cases} C & \text{if } s = s_0 \\ \bigcup\{\, G({}') \mid {}' \in \mathrm{Runs}(A) \wedge (\mathrm{last}({}'), s) \in R \,\} & \text{otherwise} \end{cases} \qquad (33)$$

for all $s \in S$, where $G : \mathrm{Runs}(A) \cup \{\langle\rangle\} \to \mathcal{P}(C)$ is defined inductively by:

$$G(\langle\rangle) = C \qquad G({}^\frown\langle s\rangle) = F(s)(G({}))$$

Let $c \in C$ and $s \in S$. Using the definitions of $G$, $F$, and $M$, (33) can be rephrased as:

$$c \in {}(s) \iff \exists\, {} \in \mathrm{Traj}(M) : \exists\, {} \in \mathrm{Runs}(A) : |{}| = |{}| \wedge \mathrm{last}({}) = c \wedge \mathrm{last}({}) = s \wedge \forall i \in \mathbb{N} : 0 \le i < |{}| - 1 \Rightarrow {}[i] \in {}_a({}[i])$$
Conjoining $c \in {}_a(s)$ to both sides, we get:

$$c \in {}(s) \cap {}_a(s) \iff \exists\, {} \in \mathrm{Traj}(M) : \exists\, {} \in \mathrm{Runs}(A) : |{}| = |{}| \wedge \mathrm{last}({}) = c \wedge \mathrm{last}({}) = s \wedge {} \models_a {}$$

Now the definition of $M \models A$ shows that the $\Leftarrow$ direction is indeed true.
E Proof of Theorem 2
Throughout this proof, we will freely use the equivalence (26) that $p \;\; \hat p \iff p \subseteq {}(\hat p)$ for all $p \in \mathcal{P}(C)$ and $\hat p \in \hat P$. For set-theoretic STE, the notations are exactly the same as in Section 2.3 and Appendix D, except that the (concrete) trajectory assertion is ${}(\hat A) = (S, s_0, R, {}(\hat{}_a), {}(\hat{}_c))$ instead of $A$. First, we claim that:

$$p \;\; \hat p \Rightarrow F(s)(p) \;\; \hat F(s)(\hat p) \qquad (34)$$

for all $p \in \mathcal{P}(C)$, $\hat p \in \hat P$, and $s \in S$. This is proved as follows:

$$\begin{array}{lll}
{}(\hat F(s)(\hat p)) & = {}(\hat M(\hat{}_a(s) \sqcap \hat p)) & \{\text{Definition of } \hat F\} \\
& \;\; M({}(\hat{}_a(s) \sqcap \hat p)) & \{(17)\} \\
& = M({}(\hat{}_a(s)) \cap {}(\hat p)) & \{(32)\} \\
& \;\; M({}(\hat{}_a(s)) \cap p) & \{p \;\; \hat p \text{ and } (4)\} \\
& = F(s)(p) & \{\text{Definition of } F\}
\end{array}$$

where the braces on the right give the justifications of the steps. Second, we claim that:

$${}(s) \;\; \hat{}(s) \qquad (35)$$

for all $s \in S$. Since ${}(s) = \lim {}_n(s)$ and $\hat{}(s) = \lim \hat{}_n(s)$, it suffices to prove that ${}_n(s) \;\; \hat{}_n(s)$ for all $s \in S$ and $n \in \mathbb{N}$. This is proved by induction on $n$. The base case is trivial, since a Galois connection always relates the two bottoms. For the induction step, assume ${}_n(s) \;\; \hat{}_n(s)$ for all $s \in S$. That ${}_{n+1}(s_0) \;\; \hat{}_{n+1}(s_0)$ is also trivial, since a Galois connection always relates the two tops. For any $s_0 \neq s \in S$, we have:

$$\begin{array}{lll}
{}(\hat{}_{n+1}(s)) & = {}(\sqcup\{\, \hat F(s')(\hat{}_n(s')) \mid (s', s) \in R \,\}) & \{(21)\} \\
& \;\; \bigcup\{\, {}(\hat F(s')(\hat{}_n(s'))) \mid (s', s) \in R \,\} & \{(31)\} \\
& \;\; \bigcup\{\, F(s')({}_n(s')) \mid (s', s) \in R \,\} & \{{}_n(s) \;\; \hat{}_n(s) \text{ and } (34)\} \\
& = {}_{n+1}(s) & \{(12)\}
\end{array}$$

This completes the induction step, so the claim is true. Finally, suppose $\hat M \models_{\mathrm{Lat}} \hat A$. Then, for all $s \in S$, we have:

$$\begin{array}{lll}
{}(\hat{}_c(s)) & \;\; {}(\hat{}(s) \sqcap \hat{}_a(s)) & \{\hat M \models_{\mathrm{Lat}} \hat A \text{ and } (31)\} \\
& = {}(\hat{}(s)) \cap {}(\hat{}_a(s)) & \{(32)\} \\
& \;\; {}(s) \cap {}(\hat{}_a(s)) & \{(35)\}
\end{array}$$

Therefore, $M \models_{\mathrm{Set}} {}(\hat A)$.