Automated Verification with Abstract State Machines Using Multiway Decision Graphs

The presence of uninterpreted symbols in the logic means that we must distinguish between a state machine M and its abstract description D in the logic. A given abstract description D will determine a machine M for every interpretation ¢. For the purpose of hardware verification we are interested only in finite state machines (FSMs). However, an abstract description will represent infinite as well as finite state machines, since abstract sorts admit infinite interpretations. We call Abstract State Machine a state machine given by an abstract description in terms of MDGs, or equivalently DFs, as explained below. 2.3.1 Represen t ing sets using MDGs . Let P be an MDG of type U--+V. Then, for a given interpretation ¢, P can be used to represent the set of vectors SetCy(P) = {¢ e ~¢y J ¢ , ¢ ~ (~U)P}. In the next section, MDGs will thus be used in this fashion to represent sets of states and sets of output vectors. We shall also see how MDGs can be used to represent relations. 2.3.2 Describing s t a t e m a c h i n e s with MDGs . An abstract description of a state machine M is a tuple D = (X, Y, Z, FI, FT, Fo), where X, Y, Z are disjoint sets of variables, viz. the input, state, and output variables respectively. Let r/be a one-to-one function that maps each variable y to a distinct variable r/(y ) obtained, for example, by adorning y with a prime. The variables in Y~ = ~/(Y) are used as the next-state variables. X, Y and Z must be disjoint from Yq Given an interpretation ¢, an input vector of the state machine M represented by D is a C-compatible assignment to the set of input variables 94 E. Cerny, F. Corella, M. Langevin, X. Song, S. Tahar, and Z. Zhou X; thus the set of input vectors, or input alphabet, is (I)¢x . Similarly, ¢¢z is the output alphabet. A state is a C-compatible assignment to the set of state variables Y; hence the state space is ~¢y. A state ¢ can also be described by an assignment Ct = ¢o~-1 E ~¢, to the next state variables. Fx is an MDG representing the set of initial states, of type U-+ Y, where U is a set of abstract variables disjoint from X U Y U Y~ U Z. Typically, FI is a one-path MDG where each internal node N is labeled by a variable y E Y, and the edge that issues from N is labeled by the symbolic initial value of y, which can be an individual constant, an abstract generic constant, or an abstract variable u E U. It is possible to specify that two data registers have the same value, but that this common value is arbitrary, by using the same u as symbolic initial value of the abstract state variables representing the two registers. Given an interpretation ¢, a state ¢ E ibCy is an initial state iff ¢, ¢ (3U)F~. Thus the set of initial states of the state machine M represented b y D is s1 = {¢ e I¢, ¢ # (3U)Ft} = Set (Fx). FT is an MDG of type (XUY)-~ Y' representing the transition relation. Given an interpretation ¢, an input vector ¢ E q?Vx and a state ¢~ E ~0, a state ¢,t E ~¢y is a possible next state iff ¢, ¢ U ¢' U ¢" o ~?-I ~ FT. Thus the transition relation of the state machine M represented by D is RT = {(¢, ¢', ¢") E ffPCx v ~¢ × d,¢ (¢,, r . l ¢ , ¢ u ¢ ' u o y l ) # FT}. FO is an MDG of type (XUY)-+ Z representing the output relation. Given an interpretation ¢, the output relation of the state machine M represented by D is Ro = {(¢, ¢', ¢") E @Cx X@CyX@Cz I ¢ , ¢ U ¢' U¢" [= To}. To recapitulate, for every interpretation ~ of the sorts, constants and function symbols of the logic, the abstract description D = ( X, Y, Z, FI , FT , Fo ) represents the state machine M = (~2x,dPy,¢ ¢ dPCz, SI, RT, Ro) with input alphabet @:~, state space @¢y, output alphabet @¢ z, set of initial states $I, transition relation RT, and output relation Ro. 2.3.3 S ta t e explora t ion . Given an abstract state machine description D = (X, Y, Z, FI, FT, Fo) we can compute the set of reachable states of a state machine M ¢ ¢ ¢ = (~x, ~Y, ~z , $I, RT, Ro) represented by D, for any ¢, using the MDG algorithms mentioned above, while at the same time checking that a given condition on the outputs of the machine, the invariant, holds in all the reachable states. The invariant is represented by an MDG C of type W -+ Z, where W is a set of abstract variables disjoint from X, Y, Y', Z and U. (Recall that Fx is of type V -4 Y.) For a given ¢, an output vector is deemed to satisfy the invariant iff ¢, ¢ ~ (3W)C; thus SetCz(C) is the set of output vectors that satisfy the invariant. Verification with Abstract State Machines Using MDGs 95 The procedure, called ReAn for Reachability Analysis, is the result of lifting the algorithm given in [CoBM89b] to the realm of abstract types and MDGs. It can be described by the following pseudo-code: I. ReAn(D, C) 2. R := Fx; Q := Fx; K := 0; 3. loop 4. K := K + 1; 5. I := Fresh(X, K); 6. 0 := ReIP({I,Q, Fo},X U Y,0); 7. P := PbyS(O, C); 8. if P ~ F then return failure; 9. Y := ReRP({L Q, FT}, Z U Y, n); 10. Q := PbyS(g,R); 11. if Q = F then return success; 12. R := PbyS(R, Q); 13. R := Disj(R, Q); 14. end loop; 15. end ReAn; In this pseudo-code, I, N, P, Q and R are program variables that take as values MDGs representing sets of states, and O takes as values MDGs representing sets of output vectors. We will identify the program variables and their values in the following explanations when there is no risk of confusion. Before each loop iteration, R represents the set of reachable states found so far, while Q represents the frontier set, i.e., a subset of SetCy(R) containing at least all those states that entered Setey(R) for the first time in the previous iteration. In line 5, Fresh(X, K) constructs a one-path MDG representing a conjunction of equations x = u, one for each abstract input variable x E X, where u is a fresh variable from the set of auxiliary abstract variables U. The value of the loop counter K is used to generate the fresh variables. This one-path MDG is assigned to I, which represents the set of input vectors. In line 6, the relational product operation is used to compute the MDG representing the set of output vectors produced by the states in the frontier set. The resulting MDG is assigned to O. Then, in line 7, the pruning-bysubsumption operation is used to remove from O paths representing output vectors that satisfy the invariant C. The resulting MDG is assigned to P. In line 8, if P is not F, then the procedure stops and reports failure. We have implemented a counterexample facility that can then be invoked to produce a most general symbolic trace leading to a state for which the outputs do not satisfy the invariant. Examples of such a trace can be found in [ZSTC96]. If P is F, then SetCz(O) C SetCz(C), i.e. every output vector produced by a state in the frontier set satisfies the invariant, and the verification procedure continues. 96 E. Cerny, F. Corella, M. Langevin, X. Song, S. Tahar, and Z. Zhou In line 9, the relational product operation is used again, this time to compute the MDG representing the set of states that can be reached in one state from the frontier set. Note that the MDG Q representing the frontier set is of type U --+ Y, the MDG I representing the set of input vectors is of type U -+ X, and the MDG FT representing the transition relation is of type (XUY) --+ Y~. The result of taking the conjunction of these three MDGs would be of type U ~ (X U Y U Y~), the result of subsequently removing the variables in X U Y by existential quantification would be of type U--+ Y~, and the result of subsequently applying the renaming substitution 7/would be of type U-+ Y. The RelP operation performs these three operations in one pass, and assigns the resulting MDG of type U ~ Y to N. Lines 10 and i1 check whether SetCy(N) C_ SetCy(R) by the same method used in lines 7 and 8 to check whether SetCz(O) C_ SetCz(C). If this is indeed the case, then every state reachable from the frontier set was already in SetCy(R). The fixpoint has been reached and R represents all the reachable states. Therefore, the procedure terminates and reports success. Otherwise the MDG assigned to Q in line 10 represents the new frontier set. Line 12 simplifies R by removing from it any paths that are subsumed by Q, using PhyS. There may be such paths because Q was not computed earlier as an exact difference. Then line 13 computes the new value of R by taking the disjunction of R and Q, which represents the set of states SetCy(R)U Set ¢ (Q), and assigning it to R. In the general case, this procedure may not terminate and may produce false negatives. These limitations are discusses below, in Section 4.2.3 and Section 4.2.4 respectively. 3. M o d e l i n g H a r d w a r e w i t h M D G s A circuit is described at the RT level as a collection of components interconnected by nets that carry signals. Each signal is represented by a variable. Variables denoting control signals have concrete sorts, while variables denoting data values have abstract sorts. We show how various kinds of components can be represented by MDGs through the following examples. The parser in our MDG tools automatically transforms a component predefined in our Prolog-style MDG-HDL [ZhBo95] into its MDG representation. Gates: For gates, the input and output signals are always of Boolean sort. Figure 3.1(a) and Figure 3.1(b) show an OR gate and its MDG representation for a particular ordering of the variables. Boolean MDGs are essentially the same as ROBDDs. Multiplexer: For a two-way multiplexer as shown in Figure 3.2(a), we may have different MDGs depending on the signals being multiplexed. There is a very compact MDG (Figure 3.2(b)) if xl, x2 and y are all of an abstract