JP3600420B2 - Logic verification device - Google Patents

Logic verification device Download PDF

Info

Publication number
JP3600420B2
JP3600420B2 JP00136498A JP136498A JP3600420B2 JP 3600420 B2 JP3600420 B2 JP 3600420B2 JP 00136498 A JP00136498 A JP 00136498A JP 136498 A JP136498 A JP 136498A JP 3600420 B2 JP3600420 B2 JP 3600420B2
Authority
JP
Japan
Prior art keywords
state
set
verification
processing
calculation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
JP00136498A
Other languages
Japanese (ja)
Other versions
JPH10301963A (en
Inventor
恒夫 中田
洋哲 岩下
Original Assignee
富士通株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority to JP4511497 priority Critical
Priority to JP9-45114 priority
Application filed by 富士通株式会社 filed Critical 富士通株式会社
Priority to JP00136498A priority patent/JP3600420B2/en
Publication of JPH10301963A publication Critical patent/JPH10301963A/en
Application granted granted Critical
Publication of JP3600420B2 publication Critical patent/JP3600420B2/en
Anticipated expiration legal-status Critical
Application status is Expired - Fee Related legal-status Critical

Links

Images

Description

[0001]
TECHNICAL FIELD OF THE INVENTION
The present invention verifies whether a logic device model given a functional specification in a finite state machine satisfies the functional specification.Logic verification equipment.
[0002]
Finite state machines are widely used as mathematical models for synchronous sequential machines and protocols, and are also relevant to methods for verifying synchronous sequential circuits and protocols. A model checking method is known as a method for verifying whether the function design of a logic device correctly realizes specifications (see References 2 and 5). This mathematically proves that the finite state machine satisfies / does not satisfy the specification expressed in temporal logic.
[0003]
The operation of verifying a logic device by the model checking method includes various steps from verification of an abstract specification to verification of the operation of an actual circuit. Of these stages, the verification of the functional specification can be expected to detect errors at the earliest stage of the logic device. Therefore, it has been demanded to perform a quick and reliable verification process. Further, when performing the verification processing, it has been demanded that verification can be performed even for a complicated logic device whose memory capacity reaches a limit in a general method.
[0004]
[Prior art]
Hereinafter, a conventional technique will be described.
§1: Description of the prior art (Part 1)
The finite state machine is defined as a finite state automaton having an output. The general form of a finite state machine is given by the following equation (1).
[0005]
M = (Q, Σ, Φ, δ, λ, I) Equation (1)
The meanings of the above symbols are as follows.
Q: Set of states (finite)
Σ: Input alphabet (finite)
Φ: Output alphabet (finite)
δ: Transition relational expression
λ: Output relational expression
I: Initial state set
The transition relational expression δ is a function that determines the next state, but in order to express a non-deterministic transition, when the current state, the next state, and an input are given, the input is given in the current state. This function takes a value of 1 if the state sometimes transitions to the next state, and 0 otherwise. When the transition is deterministic, the state transition can be represented as a function for obtaining the next state from the current state and the input. The output relational expression λ also corresponds to the case where the output is non-deterministic.
[0006]
In principle, all synchronous sequential circuits can be modeled with finite state machines. For this reason, when designing a logic device, a method using a finite state machine as a specification is widely used. For example, in logic synthesis, after writing specifications of a device in a design description language, the description is converted into a finite state machine by a synthesis system, and the state is converted by a flip-flop circuit or a register into a transition relational expression δ or an output relational expression λ. Is generally realized by a combinational circuit.
[0007]
The basic theory of the finite state machine is discussed in detail in Chapter 2 of Reference Document 6. Verification of a device that uses a finite state machine refers to checking whether the device correctly implements the state transition of the finite state machine. Techniques used for this purpose include logic simulation and formal verification.
[0008]
The logic simulation is a process of simulating an operation by adding an appropriate input to a device model (description in a design description language, a gate-level circuit diagram, and the like). Confirm that the output obtained at this time matches the value obtained from the original finite state machine.
[0009]
The formal verification is an approach for mathematically proving whether a device model satisfies properties (properties) satisfied by an original finite state machine. As typical examples, symbol model checking, symbol simulation, and the like are known. Formal verifications are described in detail in Refs. 5, 3, 11, 11, and 8.
[0010]
The formal verification (formal verification method) is a technology that is currently moving from a research stage to a practical stage, and cases used for processor design verification have been reported. Above all, it is considered that the symbol model checking method (see Reference Document 2) is the most practical in verification of control logic.
[0011]
§2: Description of the prior art (No. 2): see FIG.
FIG. 11 is an explanatory diagram 1 of the prior art, showing an example of a finite state machine. Among the formal verification methods, the symbol model checking method uses a logical function to represent a logical device model having a Kripke structure and uses a non-empty state that satisfies a specification represented by a computation tree logic (CTL). This is a method of verifying whether a model of a logical device satisfies specifications by checking whether a set exists.
[0012]
Here, the Kripke structure is a finite set S of states, a transition relation R of states, and a set S of initial state points.0And a set L of primitive propositions that are true in each state, and is a kind of nondeterministic finite automaton expressed as in the following Expression (2).
[0013]
K = (S, R, S0, L) ··· Equation (2)
Computational tree logic is a kind of temporal logic. In addition to ordinary logical operators, a temporal operator F that represents "someday", an operator A that represents a generic name, an operator E that represents existence, It is represented using a temporal operator G representing “always”, a temporal operator X representing “next”, and a temporal operator U representing “to”.
[0014]
For example, the temporal operator AGa indicates that the logical expression a holds in all state sets reachable from the initial state. In this case, in the model of the logic device, it is sufficient to follow all the paths that can be transitioned from the initial state, and check whether or not all the paths reach the state where the logical expression a holds.
[0015]
That is, the verification work in the symbol model checking method is a work of tracing the state transition of the Kripke structure and confirming whether a calculation tree logical expression representing a specification is satisfied in each state. The result is a set operation for finding the minimum fixed point or the maximum fixed point on the model using.
[0016]
Such a set operation includes an image calculation Image ({q}) for obtaining a state set that can be reached in one transition from a certain state set {q}, and one state transition for a certain state set {q}. Image Calculation Image for Finding State Set Reachable by-1({Q}).
[0017]
For example, as shown in FIG.0~ Q8In the example of the finite state machine represented by the state transition between, an example of the result of performing the image calculation and the inverse image calculation is shown in the following Expressions (3) to (6).
[0018]
Image (@q0}) = {Q0, Q1, Q2, Q3} ... Equation (3)
Image (@q3, Q8}) = {Q2, Q3, Q5, Q6, Q8} ... Equation (4)
Image-1({Q0}) = {Q0, Q1} ... Equation (5)
Image-1({Q5}) = {Q1, Q2, Q3, Q4} ・ ・ ・ Equation (6)
In the finite state machine shown in FIG.7When verifying the temporal logic AFp using the logical expression p indicating the initial state q0The image calculation is sequentially repeated from, and all paths that can transition from the initial state are in the state q7It is sufficient to check whether or not to reach. On the other hand, when verifying the temporal logic EFp, the state q7From the initial state q0It is sufficient to check whether there is a route to reach.
[0019]
By the way, in the actual symbol model checking method, a method of replacing a set operation with a logical function process is generally used (see Reference Document 5). (See Reference Document 1).
[0020]
§3: Description of the prior art (part 3): see FIGS. 12 to 14
12 is an explanatory diagram 2 of the prior art, FIG. 13 is an explanatory diagram 3 of the prior art, and FIG. 14 is an explanatory diagram 4 of the prior art. In the symbol model checking method, a property verification device (see Japanese Patent Application No. Hei 8-220005) has been proposed which can achieve both reduction in memory size and processing time. Hereinafter, this conventional technique will be described with reference to FIGS.
[0021]
In FIG. 12, the property verification device converts a calculation tree logical expression received via an input receiving unit 211 as a logical expression input unit into a single-pass expression by a single-pass expression conversion unit 212, and further converts a procedure sequence. After being converted into a procedure sequence to be described later by the unit 213, it is subjected to the processing of the set operation unit 214, and whether the obtained state set is empty is determined by the determination processing unit 215, and the input property is verified. It has a configuration.
[0022]
In the input receiving unit 211, the operator determining unit 221 sends the calculated tree logical expression to the initial state adding unit 223 directly or via the negation processing unit 222 according to the first operator of the received calculated tree logical expression. Send out. Here, when the first operator is the operator A indicating the universal name, the operator determining unit 221 sends the entire computation tree logical expression to the negation processing unit 222, and on the other hand, the operator E indicates the existence. In this case, the data may be sent to the initial state adding unit 223 as it is.
[0023]
Further, the negation processing unit 222 negates the entire computation tree logical expression received from the operator discrimination unit 221 and further arranges the computation tree logical expression by performing necessary transformation of the expression according to the logical operation rules. The calculation tree logical expression is sent to the initial state adding unit 223. The initial state adding unit 223 adds the propositional logical expression corresponding to the initial state to the head of the received computational tree logical expression, thereby using this computational tree logical expression as a start state of the verification work. 212.
[0024]
Then, in the single-pass expression conversion unit 212, the expression transformation processing unit 224 receives the calculation tree logical expression from the input receiving unit 211 described above, and converts the calculation tree logical expression according to the conversion rule stored in the conversion rule storage unit 225. Deform and convert to single-pass representation. Here, the conversion rule storage unit 225 uses the propositional logical expressions p and q indicating the state set and the above-described sub-expression f of the above-described computational tree logical expression as a procedure for converting the computational tree logical expression into a single-pass expression. The conversion rules shown in the following equations (7) to (10) may be stored.
[0025]
R (p∧EX f) = pR (f) Equation (7)
R (p∧EF f) = {R (p∧f), pTrue*R (f)} ... Equation (8)
R (p∧EG q) = (p∧f) qω Equation (9)
R (p∧E (q∪f) = {R (p∧f), pq*R (f)} ... Equation (10)
In Expressions (7) to (10), the finite and infinite repetitions of the propositional logical expression p are represented by exponential codes “*”And the exponent sign“ ω ”, and the cases are enclosed in parentheses. In addition, the expression transformation processing unit 224 detects a portion that satisfies the above-described conversion rule from the received computation tree logical expression, and applies the corresponding conversion rule to perform the conversion process to the single-pass expression. good.
[0026]
Here, the single path expression is a state set sequence having no branching or a state set sequence in which a state set sequence forming an infinite loop is connected to a single state set sequence having no branching. Using a set P of propositional logical expressions representing sets, a set S of a single path expression s is defined as follows.
[0027]
{Circle around (1)} A state set where p∈P is a single-pass expression.
{Circle around (2)} The connection ps between the state set p where p あ る P and the state set sequence s where s∈S is a single-path expression.
[0028]
{Circle around (3)} Infinite repetition pω of the state set p where p∈P is a single-pass expression.
{Circle around (4)}: finite repetition p of state set p of state set p where p∈P*And the concatenation p of the state set sequence s such that s∈S*Is a single-pass expression.
[0029]
Therefore, the formula transformation processing unit 224 may transform the formula in accordance with the above-described conversion rule, and obtain the state set sequence represented by the single path expression defined above. For example, when a computation tree logical expression “AG (p → AFq)” indicating a property to be verified is input via the input receiving unit 211, the operator at the top is the operator A indicating all names, The negation processing unit 222 operates in response to an instruction from the determination unit 221, and as shown in FIG. No computational tree formula is obtained.
[0030]
Further, the initial state adding unit 223 adds a propositional logical expression pi corresponding to the initial state to the beginning of the computation tree logical expression, and the obtained computation tree logical expression is subjected to the processing of the expression transformation processing unit 224. . In response to the input of the computation tree logical expression, the expression transformation processing unit 224 operates, and in FIG. 13B, the above-described expressions (8) and (9) are added to the sub-expressions underlined, respectively. Are successively applied to arrange them, thereby obtaining a single-pass expression shown in FIG.
[0031]
In the procedure sequence conversion unit 213, the equation transformation processing unit 226 is configured to convert a single-pass expression into a verification procedure sequence described below according to the conversion rules stored in the conversion rule storage unit 227. Here, the basic verification procedure sequence is configured only by image calculation, and uses the propositional logical expressions p and q, an operator Image indicating image calculation, and an operator gfp 1fp representing a maximum fixed point and a minimum fixed point, respectively. Thus, it is expressed as in the following equations (11) to (13).
[0032]
FindTrans (p) = Img (p) (11)
FindTrail (p, q) = 1fpZ. [P @ Img (Z)] (11)
FindLoop (p) = gfp Z. p @ Img (Z)] (13)
The verification procedure FindTrans (p) shown in the above equation (11) is exactly an image calculation itself, and as shown in FIG. 14A, one state from the state set represented by the propositional logical equation p This is a procedure that returns a set of states that can be reached by transition. The verification procedure FindTrail (p, q) shown in the above equation (12) is, as shown in FIG. 14 (b), a state set in which the propositional logical expression q is satisfied from the state set expressed by the propositional logical expression p. Is a procedure that returns a set of states that can be reached via {} (shown by hatching in FIG. 14 (b)).
[0033]
The verification procedure FindLoop (p) shown in the expression (13) is included in the state set represented by the propositional logical expression p, and the propositional logical expression p is This is a procedure for returning a union of a subset constituting a loop that holds and a subset reachable from the loop {shown by hatching in FIG. 14 (c)}. Further, the conversion rule storage unit 227 stores a conversion rule S represented by the following Expressions (14) to (18) using the single-pass expression s and the propositional logical expression p.
[0034]
S (p) = p (14)
S (sp) = FindTrans (S (s)) ∧p (15)
S (sp*) = FindTrail (FindTrans (S (s), p)) (16)
S (spω) = FindLoop (FindTrail ((S (s), p) ∧p)) (17)
S ({s∧p, sp*}) = FindTrail (S (s), p) (18)
Therefore, the expression transformation processing unit 226 detects a portion that conforms to these conversion rules from the received single-pass expression, and converts the single-pass expression into a verification procedure sequence by sequentially applying the corresponding conversion rules. Just do it. For example, in response to the input of the single-pass expression shown in FIG. 13B, the expression transformation processing unit 226 sequentially applies the expressions (17) and (18), and further arranges the expressions. , Can be converted into a procedure sequence as shown in FIG.
[0035]
In response to the input of the procedural sequence obtained in this way, the set operation unit 214 executes the image calculation and the fixed point calculation shown in Expressions (11) to (13) described above, and performs single-pass expression. The state set to be represented may be obtained and input to the determination processing unit 215 to determine whether the state set is an empty set.
[0036]
As described above, since these procedure sequences can be executed using only the image calculation, even when the size of the binary tree decision graph is reduced by expressing the state transition relation as a function, a realistic computer system By executing a set operation process using the processing power, it is possible to verify whether or not the model of the logical device realizes a property that can be represented by a single path expression.
[0037]
As a result, regarding properties that can be represented in a single pass, it is possible to achieve both a reduction in the amount of memory and a reduction in processing time, which are problems when applying the symbol model checking method. It can be applied to property verification of a logical device having a general rule.
[0038]
§4: References
(Ref. 1): R. E. Bryant. Graph based algorithm for boolean function manipulation. IEEE Trans. Comput. , C-35 (8): 677-691, 1986.
(Reference 2): M. Clarke, E .; A. Emerson, and A. P. Sistla. Automatic Verification of Fine-State Concurrent Systems using Temporal Logic Specifications. ACM Trans. Prog. Lang. Syst. , 8 (2): 244-263, 1986.
(Reference 3): Fujita, Chen, Yamazaki. Example of application of formal verification method to actual design. Information Processing, 35 (8): 719-725, 1994.
(Reference 4): Fujita, E .; M. Clarke. Application of BDD to CAD. Information Processing, 34 (5): 609-616, 1993.
(Reference 5): Hiraishi, Hamaguchi, Formal verification method based on logic function processing. Information Processing, 35 (8): 710-718, 1994.
(Reference 6): E. FIG. Hopcroft and J.M. D. U11man. Introduction to Automation Theory, Languages, and Computation. Addison-Wesley Publishing Company, 1979.
(Reference 7): Minato. BDD processing technique on a computer. Information Processing, 34 (5): 593-599, 1993.
(Ref. 8): Taniguchi, Kita-michi. Specification description, design and verification using algebraic methods. Information Processing, 35 (8): 742-750, 1994.
(Reference 9): Ishiura. What is BDD? Information Processing, 34 (5): 585-592, 1993.
(Reference 10): Iwashita, S.M. Kowari, T .; Nakata, and F.S. Hirose. Automatic test program generation for pipelined processors. In Proceedings of the International Conference on Computer-Aided Design, pp. 580-583, 1994.
(Reference 11): Kimura. About formal timing verification. Information Processing, 35 (8): 726-735, 1994.
(Ref. 12): K. Ravi and F.R. Somenzi. High-density reachability analysis. In Proceedings of the International Conference on Computer-Aided Design, pp. 154-158, 1995.
(Reference 13): Plateau. Formal verification using process algebra. Information Processing, 35 (8): 736-741, 1994.
(Reference 14): Watanabe, H. H. Application of BDD. Information Processing, 34 (5): 600-608, 1993.
[0039]
[Problems to be solved by the invention]
The above-described conventional device has the following problems.
(1): In the symbol model checking method, the operation of the finite state machine is represented by a logical expression, and the verification procedure is realized by a logical function process. At that time, a binary tree decision diagram (BDD) is used as the expression form of the logical function. The number of states of the finite state machine handled in design verification is 1020It is not unusual that an implicit expression method using a logical function and efficient logical function processing using a BDD are indispensable.
[0040]
However, in a device having a large number of states and complicated state transitions, there is a problem that the scale of the BDD representing the transition relation of the finite state machine and the scale of the BDD generated during the logical function processing become enormous. The size of the BDD can be measured by the number of nodes of the BDD, but in the worst case, it may increase in exponential order with respect to the variable.
[0041]
(2): The problem of the above (1) is reduced by the proposed property verification device (see Japanese Patent Application No. Hei 8-220005). It is inevitable that will reach its limits. For some properties, a method of dividing the state set in the middle of the verification procedure to suppress the BDD scale (see References 10 and 12) is known. In this method, the process of counting the states by repeating the image calculation from the initial state (see Reference Document 5) is executed within the limited storage capacity.
[0042]
Since general symbol model checking is based on inverse image calculation (see Reference Document 5), the application range of this method is limited. On the other hand, the property verification device (see Japanese Patent Application No. Hei 8-220005) is based on image calculation, so that it can be applied to a wider range of applications. According to the property verification device (see Japanese Patent Application No. Hei 8-220005), the procedure of FindTrail () is based on counting of states, and can be calculated by dividing a state set.
[0043]
Also, FindTrans () can be easily calculated by dividing the state set. However, FindLoop () is a completely different procedure from state counting, and cannot process a state set by dividing it. Therefore, in many cases, the state set division method has not contributed to the reduction in storage capacity of the symbol model checking method.
[0044]
The present invention solves such a conventional problem, and makes it possible to use a state set division method in a symbol model checking method, to reduce storage capacity, and to verify a complicated logic device. The purpose is to do.
[0045]
[Means for Solving the Problems]
The present invention is configured as follows to achieve the above object.
(1): Finite state machine M representing the operation of the synchronous sequential circuit,MIs a logic verifier that determines whether there is a path of a state transition that starts from a certain state in p and does not go out of q forever in a subset q of states and a subset p of q. And the finite state machine M,MSubsets q of states andWhen the subset a [i] is input, a set a [i + 1] is obtained by calculating the image of a [i] in M and performing an intersection operation of the result and q.Calculation means;A subset [p] of the set p or the whole p is defined as a [0], and a [1], a [2], a [3],... Whether or not there exists a natural number k such that [k] is a subset of the union of the subsequent n sets a [k + 1], a [k + 2],... A [k + n]And a means for outputting that there is a path of a state transition that does not go out of q forever if there is the set p that satisfies the determination means. And
[0046]
(2):Said (1) Logic verification device,SaidJudgmentThe means starts from the state set p,State set partitioning and iterative application of the calculation meansIt is characterized in that it is performed recursively with depth priority.
[0051]
(Action)
The operation of the present invention based on the above configuration will be described with reference to FIGS. In addition, S1 to S38 indicate each processing step.
[0052]
(a):Action 1... See Figure 1
In the verification device of the logic device, when a finite state machine M, a subset q of the states of M (state set q) and a subset p of q are input (S1), an image calculation on the finite state machine M is performed (S2). ) And q are calculated (S3). Then, while repeatedly performing the processes of S2 and S3, the relation between the state sets in the calculation process is examined by state set comparison (S4), so that the state starts from a state in p and goes out of q forever. It is determined whether there is a state transition path that does not exist.
[0053]
In this way, in the process of determining whether there is a state transition path that starts from a certain state in p and does not go out of q forever, it is possible to divide and calculate the state set. Gives a basic algorithm to Then, in many cases of the symbol model check, the state set division technique can be used. Therefore, the storage capacity can be reduced, and a complicated logic device can be verified.
[0054]
(b):Action 2... See Fig. 2
When a finite state machine M, a subset q of states of M, and a subset p of q (state set p) are input (S11), the verification apparatus of the logic device starts from the state set p and splits the state set ( S12), image calculation on M (S13), calculation of set product with q (S14), and state set comparison (S15) are repeatedly performed. That is, starting from the state set p, the state set division, the image calculation on M, and the calculation of the set product with q are recursively repeated in a depth-first manner, and the calculation process is examined by state set comparison. Starting from a state in p, it is determined whether there is a path that does not go out of q forever.
[0055]
As a result, if at least one path is found, the processing is terminated at that point. However, if the path does not exist, backtrack determination is performed (S16). If the processing end condition is not satisfied, the state set remaining after the division is executed again from the processing in S13.
[0056]
In this way, in a process of determining whether there is a path of a state transition that starts from a certain state in p and does not go out of q forever, an algorithm that divides the state set each time iterative calculation is performed give. Therefore, the storage capacity can be reduced by the division of the state set.
[0057]
(c):Action 3... See Fig. 3
When the finite state machine M, the subset q of the states of M, and the subsets p1, p2,..., Pn (subsets already divided) of q are input to the verification device of the logic device (S21), .., Pn are each set to p (state set), and a start state set is set (S22). Then, starting from the state set p, the image calculation on M (S23), the calculation of the set product with q (S24), and the state set comparison (S25) are repeatedly performed.
[0058]
In this manner, the image calculation on the finite state machine M is performed on the set start state set, and the set product with q is calculated. Then, while repeatedly performing the processes of S23 and S24, by comparing and examining the relationship between the state sets in the calculation process, a state transition starting from a certain state in p and not going out of q forever is obtained. It is determined whether a path exists.
[0059]
As a result, if at least one path is found, the processing is terminated at that point. However, when the path does not exist, the update of the start state set is determined (S26), and when the update is necessary, the processing is repeated from the processing of S22. That is, starting from the state set p, the image calculation on M and the calculation of the set product with q are repeated, and by examining the relation of the state sets in the calculation process, p1∪p2∪p3. It is determined whether there is a state transition path which starts from a certain state in and does not go out of q all the time.
[0060]
In this manner, in the process of determining whether there is a state transition path that starts from a certain state in p and does not go out of q forever, p is already p1, p2,. If it is divided into pns, it gives an algorithm to calculate separately, without lumping it. Therefore, also in this case, the storage capacity can be reduced by the division of the state set.
[0061]
(d):Action 4... See Fig. 4
In the verification device of the logic device, when the finite state machines M, the state sets q of M, the subsets p1, p2,..., Pn (subsets already divided) of q are input (S31), the start state set (S32), and p1, p2,..., Pn are each set to p. Starting from the state set p, the state set division (S33), the image calculation on M (S34), and the calculation of the set product with q (S35) are recursively repeated in a depth-first manner. Is checked by a state set comparison (S36) to determine whether there is a path starting from a certain state in p1pp2∪p3... ∪pn and not going out of q forever.
[0062]
As a result, if at least one path is found, the processing is terminated at that point. However, if the path does not exist, backtrack determination is performed (S37), and if the processing end condition is not satisfied, the state set remaining after the division is executed again from the processing of S34. If at least one of the paths is found, the process is terminated at that point. If not found, the start state set update is determined when the process end condition is satisfied (S38). The process is repeated from S32 until the set update is no longer necessary. However, if even one of the paths is found, the processing is terminated at that point.
[0063]
In this manner, in the process of determining whether there is a state transition path that starts from a certain state in p and does not go out of q forever, p is already p1, p2,. If it is divided into pns, it gives an algorithm to calculate without grouping them. Further, since the state set is further divided during the calculation, the storage capacity can be reduced accordingly.
[0064]
(e):Action 5
The logic verification deviceIn the above, when there is an input of the finite state machine M and properties related to M, the input unit receives the input data, and if necessary, divides the input data beforehand and transfers the data to the control unit. However, if there is no need for division in advance, the data is directly transferred to the control unit.
[0065]
Thereafter, the control unit, upon receiving the input data, calls each of the operation units while dividing the state set, performs a verification process, and outputs a verification result to a verification result output unit. In this case, when the state transition determination operation unit is called, an operation is performed to obtain a state set that can be reached by one state transition from the elements of the state set p, and the operation result is returned to the control unit.
[0066]
When the reachability determination operation unit is called, an operation is performed to obtain a state set reachable from the elements of the state set p via the elements of the state set q, and the operation result is returned to the control unit. Further, when the loop determination calculation unit is called, the calculation is performed to determine whether there is a state transition path that does not go out of q forever starting from a certain state in p, and sends the calculation result to the control unit. return.
[0067]
This makes it possible to use the state set division method in the symbol model checking method. Therefore, the storage capacity can be reduced, and a complicated logic device can be verified.
[0070]
(f): Other
As described above, the following features are provided. That is, when the finite state machine M, the subset q of the states of M, and the subset p of q are input to the verification device of the logic device, starting from the state set p, the image calculation on M and the set of q By repeatedly calculating the product and examining the relationship between the state sets in the calculation process, it is determined whether there is a state transition path that starts from a certain state in p and does not go out of q forever.
[0071]
Therefore, in many cases of the symbol model check, the state set division technique can be used. If the state set division technique is used, it is possible to execute verification even for a complicated logic device in which the storage capacity of the memory reaches the limit in a general method. The storage capacity problem is a serious problem concerning the practicality of symbol model checking, and the present invention greatly contributes.
[0072]
Further, in some cases, property counterexamples or actual examples can be found in the initial stage of the division calculation. For example, in the initial stage of logic verification in which there are many design errors, a design error can be found faster than when no division is performed. .
[0073]
BEST MODE FOR CARRYING OUT THE INVENTION
Hereinafter, embodiments of the invention will be described in detail with reference to the drawings.
§1: Description of the device for verifying the logic device ... see FIG.
FIG. 5 is an explanatory diagram of the verification device. This device is an example of a logic device verification device (also simply referred to as a “verification device”) that verifies whether a finite state machine representing the operation of a synchronous sequential machine satisfies a property representing a functional specification.
[0074]
The verification device includes a finite state machine M, a finite state machine for inputting a property related to M, a property input unit 1, a verification result output unit 3 for outputting a verification result, and one time from the elements of the state set p. A state transition determination operation unit 4 for obtaining a set of states reachable by the state transition of the above; a reachability determination operation unit 6 for obtaining a set of states reachable from the elements of the state set p via the elements of the state set q; Starting from a certain state in p and determining whether there is a path of a state transition that does not go out of q forever, and a loop determination operation unit 5 that calls each of the operation units while dividing the state set , A state set division and operation unit call control unit 2 for obtaining a state transition path corresponding to the property. The finite state machine / property input unit 1 is provided with a division processing unit 7 for dividing input data in advance.
[0075]
When there are inputs of the properties regarding the finite state machines M and M, the input unit 1 receives the input data, and if necessary to divide the input data in advance, divides the data by the division processing unit 7, The state set is divided and transferred to the operation unit call control unit 2. If there is no need for division in advance, the data is transferred to the control unit 2 as it is.
[0076]
Thereafter, when receiving the input data, the state set division and operation unit call control unit 2 calls the operation units 4, 5, and 6 while dividing the state set, performs a verification process, and verifies the verification result. Output to the result output unit 3. In this case, when the state transition determination operation unit 4 (see Reference Document 12) is called, an operation is performed to obtain a state set that can be reached by one state transition from the elements of the state set p, and the operation result is determined by the control unit. Return to 2.
[0077]
When the reachability determination operation unit 6 (see Reference Document 12) is called, an operation is performed to obtain a state set that can be reached from the elements of the state set p via the elements of the state set q, and the operation result is calculated. Return to the control unit 2. Further, when the loop determination operation unit 5 is called, it starts from a certain state in p and performs an operation to determine whether or not there is a state transition path that does not go out of q forever, and outputs the operation result to the control unit. Return to 2.
[0078]
The input unit 1, the control unit 2, the verification result output unit 3, the state transition determination calculation unit 4, the loop determination calculation unit 5, and the reachability determination calculation unit 6 all perform the above-described processing by executing a program. In particular, in particular, the state transition determination calculation unit 4, the loop determination calculation unit 5, and the reachability determination calculation unit 6 are configured by, for example, a subroutine. That is, the control unit 2 (main routine) performs the verification process by calling each of the subroutines as needed.
[0079]
As the state transition judgment procedure of the state transition judgment operation section 4 and the reachability judgment procedure of the reachability judgment operation section 6, the property verification device described in the above-mentioned conventional example (see Japanese Patent Application No. Hei 8-220005). ), The procedures of FindTrans () and FindTrail () are used. As the loop determination procedure of the loop determination calculation unit 5, instead of determining whether the value returned by Findloop () is empty, the procedure in the third or fourth embodiment described below is used.
[0080]
Further, all of the state sets p1, p2,..., Pn in the third or fourth embodiment described below need not be given in advance. During the calculation of FindTrans () and FindTrail (), when a subset of the return values is obtained, the procedure of the third or fourth embodiment can be executed in advance. As a result, if a state transition path to be verified is found, the verification procedure can be terminated early.
[0081]
§2: Description of verification device by specific example ... See FIG.
FIG. 6 shows a specific example of the verification device. The verification device illustrated in FIG. 6 is an example of a device that embodies the verification device illustrated in FIG. 5. In each of the embodiments described below, a verification process is performed using the verification device.
[0082]
The verification device illustrated in FIG. 5 is a device realized by various computers such as an engineering workstation or a personal computer, and includes a computer main body 11, a display device 12, an input device 13, and an output device connected to the computer main body 11. The device 14 includes a hard disk device (HDD) 15 and the like. An input / output control unit 16, a CPU 17, a memory 18, and the like are provided in the computer main body 11.
[0083]
The storage medium of the hard disk device 15 stores a program for verifying a logical device (a program for realizing each unit shown in FIG. 5), other programs, data to be verified, and other various data. Is stored. When the verification of the logical device is performed, the program and data stored in the storage medium of the hard disk device 15 are read out under the control of the CPU 17 and taken into the computer main body 11, and the CPU 17 executes the program. Perform necessary processing.
[0084]
The memory 18 is used by the CPU 17 for work. The programs and data stored in the storage medium of the hard disk device 15 are stored as follows, for example.
[0085]
(1): Data (data created by another device) stored in a flexible disk (floppy disk) is read by a drive device provided in the computer main body 11, and is read into a storage medium (recording medium) of the hard disk device 15. Store.
[0086]
(2): Data stored in a storage medium such as a magneto-optical disk or a CD-ROM is read by a drive device provided in the computer main body 11, and stored in a storage medium (recording medium) of the hard disk device 15.
[0087]
(3): The data transmitted from another device via a communication line such as a LAN is received by the computer main body 11, and the data is stored in a storage medium (recording medium) of the hard disk device 15.
[0088]
§3: Description of the processing of the first embodiment: see FIG.
FIG. 7 is a processing flowchart of the first embodiment. Hereinafter, the processing of the first embodiment will be described with reference to FIG. This process is a process performed by the verification device shown in FIGS. 5 and 6, and S51 to S58 indicate each processing step. Image (a) is a function for calculating an image of the state set a in the finite state machine M, and i is an arbitrary parameter.
[0089]
This process is performed in a logic device verification process for verifying whether a finite state machine representing the operation of a synchronous sequential machine satisfies a property representing a functional specification. , And q, a given set p (state set p) is given, starting from the state set p, the image calculation on M and the calculation of the set product with q are repeated, and the relation between the state sets in the calculation process Is a process for determining whether or not there is a state transition path that starts from a certain state in p and does not go out of q forever.
[0090]
In the above processing, when a [i] becomes an empty set by repeating the operation of a [i] ← Image (a [i−1]) ∩q, when a [i] becomes an empty set, q always departs from the state in p. You can see that he goes out of the house. Then, if there exists k which is a [k] ⊆ (a [k + 1] ∪a [k + 2] ∪... ∪a [i]), a [k] reverses the time from any element. This indicates that there is a path that passes through only the element of q and reaches any of the elements of a [k].
[0091]
That is, it indicates that a loop passing through the element of a [k] exists outside q, and starts from a state in p, passes through a state in a [k], and goes out of q forever. It can be seen that there is no state transition path. Hereinafter, the verification processing will be described.
[0092]
When the subsets q of the states of the finite state machines M and M and the subset p of q are input (S51), first, a [0] ← p and i ← 0 are set as initialization processing (S52). Then, i is incremented (i ← i + 1) (S53), and the image calculation on M and the operation of the set product with q, that is, the operation of a [i] ← Image (a [i−1]) ∩q Is performed (S54).
[0093]
Thereafter, it is determined whether or not a [i] is an empty set (S55). If it is not an empty set, a [k] ⊆ (a [k + 1] ∪a [k + 2] ∪... ∪a [i]) It is determined whether or not k (0 ≦ k ≦ i−1) exists (S56). As a result, if there is no k that satisfies a [k] ⊆ (a [k + 1] ∪a [k + 2] ∪... ∪a [i]), the processing is repeated from the processing of S53.
[0094]
In this way, if there is a k such that a [k] ⊆ (a [k + 1] ∪a [k + 2] ∪... ∪a [i]), starting from a certain state in p, It is found that there is a state transition path that does not go out of q, and this verification processing ends (S57). However, if it is determined in the process of S55 that a [i] is an empty set, it is determined that there is no state transition path that starts from a certain state in p and never goes out of q. Since it is understood, the verification process ends (S58).
[0095]
According to the above-described processing, in a process of determining whether there is a path of a state transition that starts from a certain state in p and does not go out of q forever, a state set can be divided and calculated. Algorithm can be given.
[0096]
§4: Description of the processing of the second embodiment: see FIG.
FIG. 8 is a processing flowchart of the second embodiment. Hereinafter, the processing of the second embodiment will be described with reference to FIG. This process is a process performed by the verification device shown in FIGS. 5 and 6, and S61 to S74 indicate each processing step. Image (a) is a function for performing image calculation of the state set a in the finite state machine M, and i is a parameter.
[0097]
This process is performed in a logic device verification process for verifying whether a finite state machine representing the operation of a synchronous sequential machine satisfies a property representing a functional specification. , And q, given a subset p, start from the state set p and recursively repeat the state set partitioning, image computation on M, and the computation of the set product with q in a depth-first manner. By examining the calculation process, it is a process to determine whether there is a path that starts from a certain state in p and does not go out of q forever.
[0098]
In this process, a [i] = t, the t is divided into two, one of which is set as a new a [i], the other is stored in the stack as t, and the new a [ i] is verified. Then, verification processing is performed on the new a [i] while repeating the division, and it is determined whether or not the path exists.
[0099]
In this way, if at least one of the paths is found for the new a [i], the processing is terminated. However, if the path is not found to the end, the other t that has been stacked is deleted. Then, this t is set as a new a [i], and the same verification processing as described above is performed to determine whether or not the path exists. Specifically, it is as follows.
[0100]
When the subsets q of the states of the finite state machines M and M and the subset p of q are input (S61), first, as initialization processing, a [0] ← p, i ← 0 are set (S62). Then, t ← a [i] is set (S63), t is divided into two, and a [i] is substituted for t (however, a [i] ≠ φ) (S64). That is, a [i] is set to t, the t is divided into two, and one of the t is set to a [i]. Therefore, the divided t is divided into a new a [i] and the remaining t.
[0101]
Then, it is determined whether or not t is an empty set (S65). If t is not an empty set, the current variable value is stored on the stack (S66). If t is an empty set, nothing is performed. In this way, the following processing is performed for the one that has become a [i] after being divided into two, but for the other t, if it is not an empty set, it is stored in the stack, and If so, it is taken out and processed after the processing of the new a [i] is completed.
[0102]
When the process is newly performed on a [i], i is incremented (i ← i + 1) (S67), and the image calculation on M and the set product operation with q, that is, a [i] ← Image (a [i−1]) ∩q is calculated (S68).
[0103]
Thereafter, it is determined whether or not a [i] is an empty set (S69). If it is not an empty set, a [k] ⊆ (a [k + 1] ∪a [k + 2] ∪... ∪a [i]) It is determined whether or not k (0 ≦ k ≦ i−1) exists (S70). As a result, if there is no k that satisfies a [k] ⊆ (a [k + 1] ∪a [k + 2] ∪... ∪a [i]), the process is repeated from the process of S63.
[0104]
In this way, if there is a k such that a [k] ⊆ (a [k + 1] ∪a [k + 2] ∪... ∪a [i]), starting from a certain state in p, It is found that there is a state transition path that does not go out of q, and this verification processing ends (S71). However, when it is determined in the process of S69 that a [i] is an empty set, it is determined that there is no state transition path that starts from a certain state in p and never goes out of q. Since it is understood, the verification process for the new a [i] is terminated, and thereafter, it is determined whether or not the stack is empty (S72).
[0105]
As a result, if the stack is not empty, the variable value is restored from the stack (S72), and the process is repeated from the process of S67. However, if the stack is empty in the process of S72, the verification process is terminated assuming that the path does not exist (S74).
[0106]
§5: Description of the processing of the third embodiment: see FIG.
FIG. 9 is a processing flowchart of the third embodiment. Hereinafter, the processing of the third embodiment will be described with reference to FIG. This process is a process performed by the verification device shown in FIGS. 5 and 6, and S81 to S91 indicate each processing step. Image (a) is a function for calculating an image of the state set a in the finite state machine M, and i and j are arbitrary parameters.
[0107]
This process is performed in a logic device verification process for verifying whether a finite state machine representing the operation of a synchronous sequential machine satisfies a property representing a functional specification. , And a subset p [1], p [2],..., P [n] of q (hereinafter, a subset of q is referred to as p1, p2,. , Pn are q, and starting from the state set p, the image calculation on M and the calculation of the set product with q are repeated. By examining the relationship, it is a process to determine whether there is a state transition path that starts from a certain state in p1∪p2∪p3. Specifically, it is as follows.
[0108]
When the subsets q of the states of the finite state machines M and M and the subset p of q are input (S81), first, 1 is substituted for an arbitrary parameter j as initialization processing (j ← 1) (S82). It is assumed that a [0] ← p [j] and i ← 0 (S83). Then, i is incremented (i ← i + 1) (S84), and the image calculation on M and the operation of the set product with q, that is, the operation of a [i] ← Image (a [i−1]) ∩q Is performed (S85).
[0109]
Thereafter, it is determined whether or not a [i] is an empty set (S86). If it is not an empty set, a [k] ⊆ (a [k + 1] ∪a [k + 2] ∪... ∪a [i]) It is determined whether or not k (0 ≦ k ≦ i−1) exists (S87). As a result, if there is no k that satisfies a [k] ⊆ (a [k + 1] ∪a [k + 2] ∪... ∪a [i]), the processing is repeated from the processing of S84.
[0110]
In this way, if there is a k such that a [k] ⊆ (a [k + 1] ∪a [k + 2] ∪... ∪a [i]), starting from a certain state in p, It is found that there is a state transition path that does not go out of q, and this verification processing ends (S88). However, if it is determined in step S86 that a [i] is an empty set, it is determined that there is no state transition path that starts from a certain state in p and does not go out of q forever. Then, j is incremented (j ← j + 1) (S89), and it is determined whether or not the condition of j ≦ n is satisfied (S90).
[0111]
As a result, when the condition of j ≦ n is satisfied, the processing is repeated from the processing of S83. However, when the condition of j ≦ n is not satisfied, that is, when j> n, the path It is determined that there is no data, and the verification process ends (S91).
[0112]
§6: Description of the processing of the fourth embodiment: see FIG.
FIG. 10 is a processing flowchart of the fourth embodiment. Hereinafter, the processing of the fourth embodiment will be described with reference to FIG. Note that this process is a process performed by the verification device shown in FIGS. 5 and 6, and S101 to S117 indicate each processing step.
[0113]
This processing is performed by a logic device verification process for verifying whether a finite state machine representing the operation of a synchronous sequential machine satisfies a property representing a functional specification. , P [1], p [2],..., P [n] (hereinafter, a subset of q is referred to as p1, p2,. , P2,..., Pn are each p, and starting from the state p, the state set division, the image calculation on M, and the calculation of the set product with q are recursively repeated in a depth-first manner. By examining the calculation process, it is a process to determine whether there is a path starting from a certain state within p1∪p2∪p3... ∪pn and not going out of q forever. Specifically, it is as follows.
[0114]
When the subsets q of the states of the finite state machines M and M and the subsets p1, p2,..., Pn of q are input (S101), first, 1 is substituted into an arbitrary parameter j as initialization processing (j ← 1) (S102), a [0] ← p [j], and i ← 0 (S103). Then, t ← a [i] is set (S104), t is divided into two, and a [i] is substituted for t (however, a [i] ≠ φ) (S105). That is, a [i] is set to t, the t is divided into two, and one of the t is set to a [i]. Therefore, the divided t is divided into a new a [i] and the remaining t.
[0115]
Then, it is determined whether or not t is an empty set (S106). If t is not an empty set, the current variable value is stored on the stack (S107). If t is an empty set, nothing is performed. In this way, the following processing is performed for the one that has become a [i] after being divided into two, but for the other t, if it is not an empty set, it is stored in the stack, and If so, it is taken out and processed after the processing of the new a [i] is completed.
[0116]
When the process is newly performed on a [i], i is incremented (i ← i + 1) (S108), and the image calculation on M and the operation of the set product with q, that is, a [i] ← Image (a [i−1]) ∩q is calculated (S109). Then, it is determined whether or not a [i] is an empty set (S110). If not, a [k] (a [k + 1] ∪a [k + 2] ∪... ∪a [i]) It is determined whether or not k (0 ≦ k ≦ i−1) exists (S111). As a result, if there is no k that satisfies a [k] ⊆ (a [k + 1] ∪a [k + 2] ∪... ∪a [i]), the processing is repeated from the processing of S104.
[0117]
In this way, if there is a k such that a [k] ⊆ (a [k + 1] ∪a [k + 2] ∪... ∪a [i]), starting from a certain state in p, It is found that there is a state transition path that does not go out of q, and this verification processing ends (S112). However, when it is determined in the process of S110 that a [i] is an empty set, it is determined that there is no state transition path that starts from a certain state in p and does not go out of q forever. Since it is understood, the verification process for the new a [i] ends, and thereafter, it is determined whether the stack is empty (S113).
[0118]
As a result, if the stack is not empty, the variable value is restored from the stack (S114), and the processing is repeated from the processing of S108. However, if the stack in step S113 is empty, j is incremented (j ← j + 1) (S115), and it is determined whether or not the condition of j ≦ n is satisfied (S116). As a result, if the condition of j ≦ n is satisfied, the processing is repeated from the processing of S103. However, if the condition of j ≦ n is not satisfied, that is, if j> n, it is determined that there is no path, and the verification processing ends (S117).
[0119]
(Other embodiments)
Although the embodiment has been described above, the present invention can be implemented as follows.
[0120]
(1): In the logical device verification process, when dividing a state set, starting from a state in a certain set r, if it is determined that the state always goes out of q sometime, a state transition is made in r. It can be seen that no loop exists. Therefore, in subsequent calculations, instead of q,
[0121]
(Equation 1)
[0122]
May be used.
[0123]
【The invention's effect】
As described above, the present invention has the following effects.
(1): Given a finite state machine M, a subset q of the states of M, and a subset p of q, starting from the state set p, calculate the image on M and calculate the set product with q Is repeated, and by examining the relation of the state sets in the calculation process, a verification method that determines whether there is a state transition path that starts from a certain state in p and does not go out of q forever is applied. In many cases of symbol model checking, it becomes possible to use the state set division technique.
[0124]
(2): Since the method of state set division can be used, it is possible to execute verification even for a complicated logic device in which the storage capacity of the memory reaches the limit by the conventional general method. The storage capacity problem is a serious problem concerning the practicality of symbol model checking, and the present invention greatly contributes.
[0125]
(3): In the initial stage of the division calculation, a property counterexample or an actual example may be found. For example, in the initial stage of logic verification where there are many design errors, design is performed faster than in the case where division is not performed. Find errors.
[0126]
(Four) : LimitedGiven a state machine M, a subset q of states of M, and a subset p of q, starting from the state set p, repeat the image computation on M and the computation of the set product with q. By examining the relationship between the state sets of the process, it is determined whether there is a state transition path that starts from a certain state in p and does not go out of q forever.
[0127]
In this way, in the process of determining whether there is a state transition path that starts from a certain state in p and does not go out of q forever, it is possible to divide and calculate the state set. Gives a basic algorithm to As a result, in many cases of the symbol model check, the state set division technique can be used.
[0128]
If the state set division technique is used, it is possible to execute verification even for a complicated logic device in which the storage capacity of the memory reaches the limit in a general method. The storage capacity problem is a serious problem concerning the practicality of symbol model checking, and the present invention greatly contributes.
[0129]
Furthermore, in some cases, property counterexamples or actual examples can be found in the initial stage of the division calculation. For example, in the initial stage of logic verification where there are many design errors, a design error is found faster than when no division is performed. it can.
[0130]
(Five) : LimitedGiven a state machine M, a subset q of states of M, and a subset p of q, starting with state p, split the state set, compute the image on M, and compute the set product with q. By recursively repeating in a depth-first manner and examining the calculation process, it is determined whether there is a path that starts from a certain state in p and does not go out of q forever.
[0131]
In this way, in a process of determining whether there is a path of a state transition that starts from a certain state in p and does not go out of q forever, an algorithm that divides the state set each time iterative calculation is performed give. Therefore, the memory capacity can be reduced by the division of the state set, and verification can be performed even for a complicated logic device in which the storage capacity of the memory reaches the limit by the conventional general method. .
[0132]
(6) : LimitedGiven a subset q of the states of the state machines M, M and subsets p1, p2,..., Pn of q, the subsets p1, p2,. Starting from the state set p, the image calculation on M and the calculation of the set product with q are repeated, and by examining the relationship between the state sets in the calculation process, p1∪p2∪p3... ∪pn It is determined whether there is a state transition path that starts from the state and does not go out of q.
[0133]
In this manner, in the process of determining whether there is a state transition path that starts from a certain state in p and does not go out of q forever, p is already p1, p2,. If it is divided into pns, it gives an algorithm to calculate without grouping them. Therefore, the verification can be performed even for a complicated logic device in which the storage capacity of the memory reaches the limit by the conventional general method.
[0134]
(7) : LimitedGiven a state set q of the state machines M, M, a subset p1, p2,..., Pn of q, the above p1, p2,. Then, the state set division, the image calculation on M, and the calculation of the set product with q are recursively repeated in a depth-first manner, and by examining the calculation process, p1∪p2∪p3... It is determined whether there is a path that starts from a certain state and does not go out of q forever.
[0135]
In this manner, in the process of determining whether there is a state transition path that starts from a certain state in p and does not go out of q forever, p is already p1, p2,. If it is divided into pns, it gives an algorithm to calculate without grouping them. Therefore, the verification can be performed even for a complicated logic device in which the storage capacity of the memory reaches the limit by the conventional general method.
[0136]
(8) : LimitedAn input unit for the state machine M and a property related to M, an output unit for the verification result, a state transition determination operation unit for obtaining a state set reachable by one state transition from the elements of the state set p, A reachability determination operation unit that obtains a state set reachable from an element via an element of the state set q, and a state transition path that starts from a certain state in p and does not go out of q forever exist And a control unit that calls each of the arithmetic units while dividing the state set and obtains a state transition path corresponding to the property.
[0137]
In this way, it is possible to call each operation unit while dividing the state set, and obtain the state transition path corresponding to the property. As described above, since the state set division method can be used, it is possible to execute verification even for a complicated logic device in which the storage capacity of the memory reaches its limit in the conventional general method.
[Brief description of the drawings]
FIG. 1 is a diagram illustrating the principle of the present invention.
FIG. 2 is a diagram illustrating the principle of the present invention.
FIG. 3 is a diagram illustrating the principle of the present invention.
FIG. 4 is a diagram illustrating the principle of the present invention.
FIG. 5 is an explanatory diagram of a verification device according to an embodiment.
FIG. 6 is a specific example of a verification device according to the embodiment.
FIG. 7 is a processing flowchart of the first embodiment.
FIG. 8 is a processing flowchart according to the second embodiment.
FIG. 9 is a processing flowchart according to the third embodiment.
FIG. 10 is a processing flowchart according to the fourth embodiment.
FIG. 11 is an explanatory diagram 1 of the prior art.
FIG. 12 is an explanatory view 2 of a conventional technique.
FIG. 13 is an explanatory diagram of a conventional technique.
FIG. 14 is an explanatory diagram 4 of the related art.
[Explanation of symbols]
1 Finite state machine, property input section
2 State set division and operation unit call control unit
3 Verification result output section
4 State transition judgment operation unit
5 Loop judgment operation part
6 Reachability judgment calculation unit
7 division processing part
11 Computer body
12 Display device
13 Input device
14 Output device
15 Hard disk drive
16 I / O controller
17 CPU (Central Processing Unit)
18 memory

Claims (2)

  1. In a finite state machine M representing the operation of a synchronous sequential circuit, a subset q of the states of M , and a subset p of q, a path of state transitions starting from a state in p and not egressing out of q forever A logic verification device that determines whether or not
    When the finite state machine M, a subset q of the states of M , and a subset a [i] of q are input, an image calculation of a [i] in M and a set product operation of q with the result are performed. Calculating means for obtaining the set a [i + 1] ;
    A set [a], a [2], a [3],. Whether or not there exists a natural number k such that [k] is a subset of the union of the subsequent n sets a [k + 1], a [k + 2],... A [k + n] Determining means for determining;
    Output means for outputting that there is a state transition path that does not go out of q forever if there is the set p that satisfies the determination means;
    A logic verification device comprising:
  2. 2. The logic verification apparatus according to claim 1, wherein the determination unit starts from a state set p and recursively performs the state set division and the repetitive application of the calculation unit on a depth-first basis.
JP00136498A 1997-02-28 1998-01-07 Logic verification device Expired - Fee Related JP3600420B2 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
JP4511497 1997-02-28
JP9-45114 1997-02-28
JP00136498A JP3600420B2 (en) 1997-02-28 1998-01-07 Logic verification device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
JP00136498A JP3600420B2 (en) 1997-02-28 1998-01-07 Logic verification device

Publications (2)

Publication Number Publication Date
JPH10301963A JPH10301963A (en) 1998-11-13
JP3600420B2 true JP3600420B2 (en) 2004-12-15

Family

ID=26334573

Family Applications (1)

Application Number Title Priority Date Filing Date
JP00136498A Expired - Fee Related JP3600420B2 (en) 1997-02-28 1998-01-07 Logic verification device

Country Status (1)

Country Link
JP (1) JP3600420B2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007206855A (en) * 2006-01-31 2007-08-16 Toshiba Corp Automatic design device, automatic design method and automatic design program for digital circuit

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7685547B1 (en) * 2007-07-02 2010-03-23 Cadence Design Systems, Inc. Method, system, and computer program product for generating automated assumption for compositional verification
US10078502B2 (en) * 2014-06-19 2018-09-18 Fujitsu Limited Verification of a model of a GUI-based application

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007206855A (en) * 2006-01-31 2007-08-16 Toshiba Corp Automatic design device, automatic design method and automatic design program for digital circuit
US7363097B2 (en) 2006-01-31 2008-04-22 Kabushiki Kaisha Toshiba Automatic design apparatus, automatic design method, and automatic design program of digital circuit
JP4528728B2 (en) * 2006-01-31 2010-08-18 株式会社東芝 Digital circuit automatic design apparatus, automatic design method, and automatic design program

Also Published As

Publication number Publication date
JPH10301963A (en) 1998-11-13

Similar Documents

Publication Publication Date Title
Baier et al. Approximative symbolic model checking of continuous-time Markov chains
Seger et al. Formal verification by symbolic evaluation of partially-ordered trajectories
Ranjan et al. Efficient BDD algorithms for FSM synthesis and verification
Alur et al. Model checking of hierarchical state machines
Wolper et al. Verifying systems with infinite but regular state spaces
Biere et al. Symbolic model checking without BDDs
US7673263B2 (en) Method for verifying and representing hardware by decomposition and partitioning
Zhang et al. Validating SAT solvers using an independent resolution-based checker: Practical implementations and other applications
Minato Zero-suppressed BDDs and their applications
Clarke et al. Progress on the state explosion problem in model checking
Seger et al. An industrially effective environment for formal hardware verification
US6904578B2 (en) System and method for verifying a plurality of states associated with a target circuit
US7383166B2 (en) Verification of scheduling in the presence of loops using uninterpreted symbolic simulation
Abdulla et al. A survey of regular model checking
Roig et al. Verification of asynchronous circuits by BDD-based model checking of Petri nets
Darwiche A compiler for deterministic, decomposable negation normal form
Burch et al. Symbolic model checking: 1020 states and beyond
US6816825B1 (en) Simulation vector generation from HDL descriptions for observability-enhanced statement coverage
Kuehlmann et al. Verity—a formal verification program for custom CMOS circuits
Pixley et al. Exact calculation of synchronizing sequences based on binary decision diagrams
Abbas et al. Probabilistic temporal logic falsification of cyber-physical systems
Ali et al. Generating test data from OCL constraints with search techniques
Bryant Symbolic Boolean manipulation with ordered binary-decision diagrams
McFarland Formal verification of sequential hardware: A tutorial
Chow Testing software design modeled by finite-state machines

Legal Events

Date Code Title Description
A131 Notification of reasons for refusal

Free format text: JAPANESE INTERMEDIATE CODE: A131

Effective date: 20040210

A521 Written amendment

Free format text: JAPANESE INTERMEDIATE CODE: A523

Effective date: 20040408

A02 Decision of refusal

Free format text: JAPANESE INTERMEDIATE CODE: A02

Effective date: 20040608

A521 Written amendment

Free format text: JAPANESE INTERMEDIATE CODE: A523

Effective date: 20040708

A911 Transfer of reconsideration by examiner before appeal (zenchi)

Free format text: JAPANESE INTERMEDIATE CODE: A911

Effective date: 20040820

TRDD Decision of grant or rejection written
A01 Written decision to grant a patent or to grant a registration (utility model)

Free format text: JAPANESE INTERMEDIATE CODE: A01

Effective date: 20040914

R150 Certificate of patent or registration of utility model

Free format text: JAPANESE INTERMEDIATE CODE: R150

A61 First payment of annual fees (during grant procedure)

Free format text: JAPANESE INTERMEDIATE CODE: A61

Effective date: 20040916

FPAY Renewal fee payment (event date is renewal date of database)

Free format text: PAYMENT UNTIL: 20080924

Year of fee payment: 4

FPAY Renewal fee payment (event date is renewal date of database)

Free format text: PAYMENT UNTIL: 20080924

Year of fee payment: 4

FPAY Renewal fee payment (event date is renewal date of database)

Free format text: PAYMENT UNTIL: 20090924

Year of fee payment: 5

FPAY Renewal fee payment (event date is renewal date of database)

Free format text: PAYMENT UNTIL: 20090924

Year of fee payment: 5

FPAY Renewal fee payment (event date is renewal date of database)

Free format text: PAYMENT UNTIL: 20100924

Year of fee payment: 6

FPAY Renewal fee payment (event date is renewal date of database)

Free format text: PAYMENT UNTIL: 20100924

Year of fee payment: 6

FPAY Renewal fee payment (event date is renewal date of database)

Free format text: PAYMENT UNTIL: 20110924

Year of fee payment: 7

FPAY Renewal fee payment (event date is renewal date of database)

Free format text: PAYMENT UNTIL: 20120924

Year of fee payment: 8

FPAY Renewal fee payment (event date is renewal date of database)

Free format text: PAYMENT UNTIL: 20120924

Year of fee payment: 8

FPAY Renewal fee payment (event date is renewal date of database)

Free format text: PAYMENT UNTIL: 20130924

Year of fee payment: 9

LAPS Cancellation because of no payment of annual fees