## Symbolic Trajectory Evaluation (1996)

Venue: Formal Hardware Verification

Citations: 26 (6 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Hazelhurst96symbolictrajectory,
  author    = {Scott Hazelhurst and Carl-Johan H. Seger},
  title     = {Symbolic Trajectory Evaluation},
  booktitle = {Formal Hardware Verification},
  year      = {1996},
  pages     = {3--78},
  publisher = {Springer Verlag}
}
```

### Abstract

The main problem with model checking is the state explosion problem: the state space grows exponentially with system size. Two methods have some popularity in attacking this problem: compositional methods and abstraction. While they cannot solve the problem in general, they do offer significant improvements in performance. The direct method of verifying that a circuit has a property $f$ is to show that the model $M$ satisfies $f$. The idea behind abstraction is that instead of verifying property $f$ of model $M$, we verify property $f_A$ of model $M_A$, and the answer we get helps us answer the original problem. The system $M_A$ is an abstraction of the system $M$. One possibility is to build an abstraction $M_A$ that is equivalent (e.g. bisimilar [48]) to $M$. This sometimes leads to performance advantages if the state space of $M_A$ is smaller than that of $M$. This type of abstraction would more likely be used in model comparison (e.g. as in [38]). Typically, the behaviour of an abstraction is not equivalent...

### Citations

3224 | Communication and Concurrency
- Milner
- 1989
Citation Context: ...model $M_A$ and the answer we get helps us answer the original problem. The system $M_A$ is an abstraction of the system $M$. One possibility is to build an abstraction $M_A$ that is equivalent (e.g. bisimilar [48]) to $M$. This sometimes leads to performance advantages if the state space of $M_A$ is smaller than $M$. This type of abstraction would more likely be used in model comparison (e.g. as in [38]). Typically...

2952 | Graph-based algorithms for Boolean function manipulation
- BRYANT
- 1986
Citation Context: ...lic simulation did not evolve much further until more efficient methods of manipulating symbols emerged. The development of Ordered Binary Decision Diagrams (OBDDs) for representing Boolean functions [13] radically transformed symbolic simulation. The first 'post-OBDD' symbolic simulators were simple extensions of traditional logic simulators [12]. In these symbolic simulators the input values could b...

1185 | Automatic verification of finite-state concurrent systems using temporal logic specifications
- CLARKE, EMERSON, et al.
- 1986
Citation Context: ...g conditions in a compact form. By allowing only the most elementary of temporal operators, the class of properties we can express is relatively restricted, as compared to other temporal logics (e.g. [26]). Nonetheless, our experience is that we can readily express many aspects of synchronous digital systems at various levels of abstraction. For example, it is quite adequate for expressing many of the...

886 | Symbolic Boolean manipulation with ordered binary-decision diagrams
- BRYANT
- 1992
Citation Context: ...by increasing by orders of magnitude the size of the state space that can be dealt with. Other approaches exist too [10, 31]: however BDDs seem to be most effective for a large class of problems (see [17] for a survey of different approaches). The most well-known work based on symbolic model checking and BDDs has emerged at the end of the 1980s. A number of model checking algorithms for the modal $\mu$-c...

625 | Model Checking and Abstraction
- Clarke, Grumberg, et al.
- 1992
Citation Context: ...rcuits with wide data paths are not suitable for verification with SMV, which itself is unable to verify circuits with arithmetic data. However, by extending the method through the use of abstraction [28] or more sophisticated data structures [25] such circuits can be verified. There are other symbolic model checking approaches, with different methods of representing state spaces and next state functi...

537 | Conjoining specifications
- Abadi, Lamport
- 1995
Citation Context: ...s called DataAndWeighSetThm. always [(11200, 12799)] StreamIn.0 = d[5] and always [(9600, 11199)] StreamIn.0 = d[4] and always [(8000, 9599)] StreamIn.0 = d[3] and always [(6400, 7999)] StreamIn.0 = d[2] and always [(4800, 6399)] StreamIn.0 = d[1] and always [(3200, 4799)] StreamIn.0 = d[0] and ClockingInfo and ControlInfo and always [(0, 799)] StreamIn.0 = w[0] and always [(800, 1599)] StreamIn.0 = ...

502 | Symbolic model checking: An approach to the state explosion problem
- MCMILLAN
- 1992
Citation Context: ... number of model checking algorithms for the modal $\mu$-calculus and other logics have been developed [20]. The SMV verification system based on these ideas has successfully verified a range of systems [20, 46]. The basic idea of these approaches is to represent the transition relation of the system under consideration with a BDD. A set of states is also represented with a BDD. Given a formula of a temporal...

381 | A Kripke-Kleene Semantics for Logic Programs
- Fitting
- 1985
Citation Context: ...efined (or unknown) and overdefined (or inconsistent). Such a logic was proposed by Belnap [8], and has since been elaborated upon and different application areas discussed in a number of other works [35, 52]. This section first gives some mathematical background, based on [34, 49], and then definitions are given and justified. There are two major motivations for using a four-valued logic rather than a tw...

292 | A useful four-valued logic
- Belnap
- 1977
Citation Context: ...quaternary propositional logic, are used as the basis for this. The four values represent truth, falsity, undefined (or unknown) and overdefined (or inconsistent). Such a logic was proposed by Belnap [8], and has since been elaborated upon and different application areas discussed in a number of other works [35, 52]. This section first gives some mathematical background, based on [34, 49], and then d...

272 | Model Checking and Modular Verification
- Grumberg, Long
- 1994
Citation Context: ...or some discussion of the issues involved in this type of reasoning. Another approach to compositional reasoning -- modular verification -- is based on defining a preorder relation, $\le$, between models [37, 45]. This preorder is based on a simulation relationship between the models and has the property that if $M_1 \le M_2$ and $M_2$ satisfies $\phi$ then $M_1$ satisfies $\phi$. Suppose we wish to show that a process $M$ wh...

262 | Automatic verification of pipelined microprocessor control
- Burch, Dill
- 1994
Citation Context: ... A drawback of abstraction is that it takes effort to both come up with the suitable abstraction (see [27]) and to prove that the abstraction is conservative. For an example of this type of proof see [21]. Clarke et al. define abstractions and approximations [28]. They show how an approximation can be abstracted from the program text without having to construct the model of the system. They provide a ...

234 | On the Complexity of VLSI Implementations and Graph Representations of Boolean Functions with Application to Integer Multiplication
- Bryant
- 1991
Citation Context: ...rithmetic with multiplication do not exist. BDD-based approaches have some difficulty in dealing with multiplication as the representation of the multiplication of two integers is exponential in size [16]. Other data structures, such as newer types of decision diagrams and the symbolic representation method used in the VossProver, do not have this problem. However, if the circuit design is given at th...

223 | Symbolic model checking for sequential circuit verification
- Burch, Clarke, et al.
Citation Context: ...ost well-known work based on symbolic model checking and BDDs has emerged at the end of the 1980s. A number of model checking algorithms for the modal $\mu$-calculus and other logics have been developed [20]. The SMV verification system based on these ideas has successfully verified a range of systems [20, 46]. The basic idea of these approaches is to represent the transition relation of the system under...

145 | Exploiting symmetry in temporal logic model checking
- CLARKE, FILKORN, et al.
- 1993
Citation Context: ...aling with the data path of circuits since large data paths increase the state space considerably. A drawback of abstraction is that it takes effort to both come up with the suitable abstraction (see [27]) and to prove that the abstraction is conservative. For an example of this type of proof see [21]. Clarke et al. define abstractions and approximations [28]. They show how an approximation can be abs...

103 | Verification of sequential machines using boolean functional vectors
- Coudert, Berthet, et al.
- 1990
Citation Context: ...representations for state and specification, there is similarity in the approach to STE. Previous work showing the successful use of STE includes [7, 32]. Other symbolic methods have been proposed in [11, 29]. 1 Some of these approaches are applicable to other model checking approaches too. 2.2 Abstraction The main problem with model checking is the state explosion problem -- the state space grows exponen...

103 | Associative Memory: A system-theoretical approach
- Kohonen
- 1977
Citation Context: ...e effective in dealing with arithmetic circuits. Benchmark 20 -- an associative memory circuit -- is a very different type of circuit. 6.6.1 Implementation The circuit is based on a design by Kohonen [44]. The entire memory contains a memory of w words of n bits each, and some control circuitry. For the purpose of this exposition, a simplified version of the circuit description can be found in Figure ...

99 | Formal Verification by Symbolic Evaluation of Partially-Ordered Trajectories
- Seger, Bryant
- 1995
Citation Context: ...a set of symbolic Boolean variables. In essence, ternary symbolic simulation allows us to combine multiple ternary simulation sequences into a single symbolic sequence. Symbolic trajectory evaluation [51] takes the notion of ternary symbolic simulation one step further by providing a concrete means of specifying and verifying the desired behaviour of the system operating over time. The specifications ...

98 | Verification of arithmetic functions with binary moment diagrams
- Bryant, Chen
- 1995
Citation Context: ...king indicates the importance of good and appropriate data structures, and motivates the search for new ones. Considerable work is being done on extending BDD-style structures and developing new ones [18, 24]. 1 All these approaches to improve symbolic model checking need to be pursued. Circuits with wide data paths are not suitable for verification with SMV, which itself is unable to verify circuits wit...

83 | Model Checking, Abstraction, and Compositional Verification
- Long
- 1993
Citation Context: ... equivalent to the underlying model. The abstractions are conservative in that $M_A$ satisfies $f_A$ implies that $M$ satisfies $f$ (but not necessarily the converse). Some examples of abstraction methods are [36, 45]. In hardware verification, abstraction is often particularly needed in dealing with the data path of circuits since large data paths increase the state space considerably. A drawback of abstraction i...

72 | Symbolic verification with periodic sets
- Boigelot, Wolper
- 1994
Citation Context: ...odel checking by providing a compact method for implicit state representation, thereby increasing by orders of magnitude the size of the state space that can be dealt with. Other approaches exist too [10, 31]: however BDDs seem to be most effective for a large class of problems (see [17] for a survey of different approaches). The most well-known work based on symbolic model checking and BDDs has emerged a...

55 | Hybrid decision diagrams overcoming the limitations of MTBDDs and BMDs
- CLARKE, FUJITA, et al.
- 1995
Citation Context: ...king indicates the importance of good and appropriate data structures, and motivates the search for new ones. Considerable work is being done on extending BDD-style structures and developing new ones [18, 24]. 1 All these approaches to improve symbolic model checking need to be pursued. Circuits with wide data paths are not suitable for verification with SMV, which itself is unable to verify circuits wit...

44 | Formal hardware verification by symbolic ternary trajectory evaluation
- Bryant, Beatty, et al.
- 1991
Citation Context: ...lows us to cover many conditions with a single simulation sequence, it lacks the analytic power required for complete verification, except for restricted classes of circuits such as memories [15]. In [6], Beatty, Bryant and Seger showed that by combining ternary modelling with symbolic simulation, even more complex behaviours can be modelled with a single simulation run than when using ternary modell...

37 | A methodology for hardware verification based on logic simulation
- Bryant
- 1991
Citation Context: ...model checking technique that grew out of multi-level simulation on the one hand, and symbolic simulation on the other hand. It is the formal verification method closest to traditional simulation. In [14, 15], Bryant demonstrated the usefulness of ternary modelling for verifying a variety of circuits. The methodology is based on ternary simulation of VLSI circuits, where a third value U is added to the se...

36 | The formal verification of a pipelined double-precision IEEE floating-point multiplier
- Aagaard, Seger
- 1995
Citation Context: ...have a simple two cell memory, depicted in Figure 5.4. The input to the circuit is an address, and the output is the contents of memory. Suppose that we prove, using STE, that $\models \langle| ([AddIn] = a) \wedge ([Mem[1]] = m_1) ==>> \mathrm{Next}((a = 1) \Rightarrow [Out] = m_1) |\rangle$ and $\models \langle| ([AddIn] = a) \wedge ([Mem[2]] = m_2) ==>> \mathrm{Next}((a = 2) \Rightarrow [Out] = m_2) |\rangle$. [Figure 5.4: A Simple Memory, with signals AddIn, Selector, Mem[1], Mem[2] and Out] Now usi...

35 | Linking BDD-based symbolic evaluation to interactive theorem-proving
- Joyce, Seger
- 1993
Citation Context: ...improves performance considerably. A simple compositional theory is a good basis for a theorem prover. The experience with the HOL-Voss system showed the potential of combining STE and theorem-proving [43]. However, the use of a full-blown theorem prover was unnecessary, and in some environments might be a practical problem as the learning curve for such systems is much higher than for model checkers. ...

34 | A tool for symbolic program verification and abstraction
- GRAF, LOISEAUX
- 1993
Citation Context: ... equivalent to the underlying model. The abstractions are conservative in that $M_A$ satisfies $f_A$ implies that $M$ satisfies $f$ (but not necessarily the converse). Some examples of abstraction methods are [36, 45]. In hardware verification, abstraction is often particularly needed in dealing with the data path of circuits since large data paths increase the state space considerably. A drawback of abstraction i...

32 | A Compositional Proof System for the Modal $\mu$-Calculus (to appear)
- Andersen, Winskel
Citation Context: ...e sub-models, and then using appropriate reasoning dependent on the technical framework, results are inferred of the overall system. Compositional reasoning has a number of advantages in verification [4]: • Modularity: if a module of a system is replaced, only the module need be verified; • In design or synthesis it is possible to have undefined parts of a system and still be able to reason about...

31 | A Methodology for Formal Hardware Verification, with Application to Microprocessors
- Beatty
- 1993
Citation Context: ...Although symbolic trajectory evaluation has different representations for state and specification, there is similarity in the approach to STE. Previous work showing the successful use of STE includes [7, 32]. Other symbolic methods have been proposed in [11, 29]. 1 Some of these approaches are applicable to other model checking approaches too. 2.2 Abstraction The main problem with model checking is the s...

30 | Formula-dependent equivalence for compositional CTL model checking
- Aziz, Shiple, et al.
Citation Context: ...0, 299)] StreamIn.0 = w[2] and always [(300, 399)] StoreWgt = T and StoreStr = F and SelectWgtStr = F and StreamIn.0 = w[3] ==>> always [(1550, 1600)] ResultOut = d[2]*w[0] + d[3]*w[1] + d[4]*w[2] + d[5]*w[3] and always [(1350, 1400)] ResultOut = d[1]*w[0] + d[2]*w[1] + d[3]*w[2] + d[4]*w[3] and always [(1150, 1200)] ResultOut = d[0]*w[0] + d[1]*w[1] + d[2]*w[2] + d[3]*w[3] Figure 6.7: Proof of Benc...

28 | Bilattices and the theory of truth
- Fitting
- 1989
Citation Context: ...oposed by Belnap [8], and has since been elaborated upon and different application areas discussed in a number of other works [35, 52]. This section first gives some mathematical background, based on [34, 49], and then definitions are given and justified. There are two major motivations for using a four-valued logic rather than a two-valued logic. As it is easier to explain these motivations properly afte...

27 | Automatic Verification of Synchronous Circuits Using Symbolic Logic Simulation
- Bose, Fisher
- 1989
Citation Context: ...representations for state and specification, there is similarity in the approach to STE. Previous work showing the successful use of STE includes [7, 32]. Other symbolic methods have been proposed in [11, 29]. 1 Some of these approaches are applicable to other model checking approaches too. 2.2 Abstraction The main problem with model checking is the state explosion problem -- the state space grows exponen...

25 | A simple theorem prover based on symbolic trajectory evaluation and BDDs
- Hazelhurst, Seger
- 1995
Citation Context: ...y decision diagrams (BDDs) for STE; symbolic representations for using the compositional theory. The compositional theory is outlined below. An earlier version of the compositional theory appeared in [40] and the version presented here is described in detail (with proofs) in [39]. Many of the rules described below have analogies in logic. Some of these are worth stating as an introduction to our rules...

19 | Word level symbolic model checking - a new approach for verifying arithmetic circuits
- Clarke, Zhao
- 1995
Citation Context: ...e for verification with SMV, which itself is unable to verify circuits with arithmetic data. However, by extending the method through the use of abstraction [28] or more sophisticated data structures [25] such circuits can be verified. There are other symbolic model checking approaches, with different methods of representing state spaces and next state functions. For example, Jain and Gopalakrishnan h...

16 | Algebraic models of correctness for microprocessors
- Fox, Harman
Citation Context: .... bisimilar [48]) to $M$. This sometimes leads to performance advantages if the state space of $M_A$ is smaller than $M$. This type of abstraction would more likely be used in model comparison (e.g. as in [38]). Typically, the behaviour of an abstraction is not equivalent to the underlying model. The abstractions are conservative in that $M_A$ satisfies $f_A$ implies that $M$ satisfies $f$ (but not necessarily the ...

15 | Efficient symbolic simulation-based verification using the parametric form of boolean expressions
- Jain, Gopalakrishnan
- 1994
Citation Context: ...bolic model checking approaches, with different methods of representing state spaces and next state functions. For example, Jain and Gopalakrishnan have proposed a method based on symbolic simulation [41]. Rather than representing the state of the system with one boolean expression (i.e. a BDD), they convert such a formula to a parametric representation. This is then used by a symbolic simulator as in...

13 | Symbolic Verification of MOS Circuits
- Bryant
- 1985
Citation Context: ...on Diagrams (OBDDs) for representing Boolean functions [13] radically transformed symbolic simulation. The first 'post-OBDD' symbolic simulators were simple extensions of traditional logic simulators [12]. In these symbolic simulators the input values could be arbitrary Boolean expressions over some Boolean variables rather than only Ls and Hs as in traditional logic simulators. Consequently, the resu...

11 | Four Valued Semantics and the Liar
- Visser
- 1984
Citation Context: ...efined (or unknown) and overdefined (or inconsistent). Such a logic was proposed by Belnap [8], and has since been elaborated upon and different application areas discussed in a number of other works [35, 52]. This section first gives some mathematical background, based on [34, 49], and then definitions are given and justified. There are two major motivations for using a four-valued logic rather than a tw...

10 | Valuation systems and consequence relations
- Ryan, Sadler
- 1992
Citation Context: ...oposed by Belnap [8], and has since been elaborated upon and different application areas discussed in a number of other works [35, 52]. This section first gives some mathematical background, based on [34, 49], and then definitions are given and justified. There are two major motivations for using a four-valued logic rather than a two-valued logic. As it is easier to explain these motivations properly afte...

8 | Symbolic simulation for correct machine design
- Carter, Joyner, et al.
- 1979
Citation Context: ...n must also hold for the original circuit. The concept of symbolic simulation was first proposed by researchers in the late 1970s as a method for evaluating register transfer language representations [22]. The early programs were very limited in their analytical power since their symbolic manipulation methods were weak. Consequently, symbolic simulation did not evolve much further until more efficient...

7 | Performance improvement of state space exploration by regular and differential hashing functions
- Cousin, Helary
- 1994
Citation Context: ...odel checking by providing a compact method for implicit state representation, thereby increasing by orders of magnitude the size of the state space that can be dealt with. Other approaches exist too [10, 31]: however BDDs seem to be most effective for a large class of problems (see [17] for a survey of different approaches). The most well-known work based on symbolic model checking and BDDs has emerged a...

7 | A formal hardware verification system user's guide
- Voss
- 1993
Citation Context: ...se FSMs looks like, and also shows that a simple version of TL is appropriate for circuit models. 4.1 Modelling issues The tool that we use is called the VossProver, based on the original Voss system [50]. In the next section we discuss the front-end, the interface which the verifier sees. This section discusses the back-end -- how circuits are modelled and manipulated. Since the basic engine in Voss ...

6 | Studies of the single pulser in various reasoning systems
- Johnson, Miner, et al.
- 1994
Citation Context: ... on time, composite, problem-specific inference rules can be developed. 6.7.1 Single Pulser Johnson has used the Single Pulser -- a textbook example circuit -- to study different verification methods [42]. The original problem statement for the circuit is: We have a debounced pushbutton, on (true) in the down position, off (false) in the up position. Devise a circuit to sense the depression of the but...

5 | Formal verification of a 32-bit pipelined RISC processor
- Darwish
- 1994
Citation Context: ...Although symbolic trajectory evaluation has different representations for state and specification, there is similarity in the approach to STE. Previous work showing the successful use of STE includes [7, 32]. Other symbolic methods have been proposed in [11, 29]. 1 Some of these approaches are applicable to other model checking approaches too. 2.2 Abstraction The main problem with model checking is the s...

5 | Introduction to VLSI Design
- Mead, Conway
- 1980
Citation Context: ...iarity with the detail of the design added to the cost. 6.5 Benchmark 22: Two Dimensional Systolic Array A filter circuit based on a design of Mead and Conway is Benchmark 22 of the IFIP WG10.5 suite [47]. The filter is a matrix multiplication circuit for band matrices. A band matrix of band width w is a matrix in which zeros must be in certain positions (the matrices contain natural numbers), and the...

4 | Compositional Model Checking of Partially-Ordered State Spaces
- Hazelhurst
- 1996
Citation Context: ...$TL ::= G \mid TL \wedge TL \mid \neg TL \mid \mathrm{Next}\ TL \mid TL\ \mathrm{Until}\ TL$. Restricting the base of TL to be the simple predicates is only a syntactic restriction, since all monotonic predicates can be expressed as TL formulas [39]. The semantics of a formula is given by the satisfaction relation Sat relating sequences of states to TL formulas. We consider sequences of states as ordered lists of states, and do not formally defi...

3 | The Completeness of a Hardware Inference System
- Zhu, Seger
- 1994
Citation Context: ...t time $t$ cannot affect events at time $t - 1$) to allow precondition weakening in some situations. For some discussion of the deductive power of an earlier version of this compositional theory see [53]. 5.3.1 Voss This is the rule of Symbolic Trajectory Evaluation: from $\Delta_t(h) \sqsubseteq T_t(g)$ conclude $\models \langle| g ==>> h |\rangle$. 5.3.2 Identity This trivial rule says: $\models \langle| g ==>> g |\rangle$. Although it is very simple, it does ha...

2 | Formal Verification of Memory-Circuits by Symbolic-Logic Simulation
- Bryant
- 1991
Citation Context: ...model checking technique that grew out of multi-level simulation on the one hand, and symbolic simulation on the other hand. It is the formal verification method closest to traditional simulation. In [14, 15], Bryant demonstrated the usefulness of ternary modelling for verifying a variety of circuits. The methodology is based on ternary simulation of VLSI circuits, where a third value U is added to the se...

2 | Formal Verification of Digital Circuits by Symbolic Ternary System Models
- Bryant, Seger
- 1991
Citation Context: ...e minimal sets of formulas is based on symbolic trajectory evaluation (STE), a model checking algorithm for checking partially-ordered state spaces. The original version of STE was first presented in [19] and a full description of STE can be found in [51]. In these presentations, the algorithm is applied only to trajectory formulas, a restricted, two-valued temporal logic. This chapter generalises ear...

1 | Mathematical Analysis
- Binmore
- 1977
Citation Context: ...mantics of a formula is given by the satisfaction relation Sat relating sequences of states to TL formulas. We consider sequences of states as ordered lists of states, and do not formally define them [9]. Let $S^\omega$ be the set of all infinite sequences, thus $\mathrm{Sat} : S^\omega \times TL \to Q$. Given a sequence $\sigma$ and a TL formula $g$, Sat returns the degree to which $\sigma$ satisfies $g$. Suppose $g$ and $h$ are TL formulas. I...