JPH09319782A - Logical unit verification method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To convert the description of a Boolean expression level into a higher arithmetic expression level by comparing a design specification described in a Boolean expression with an external specification described in an arithmetic expression via the support of description of a Boolean expression level. SOLUTION: The data inputted to a verification program 124 include the design specification data 112 expressed in a structure description language, the external specification data 110, a limit condition 114 and an arithmetic library 116. The data 112 show the total design specification in description of the part component elements and in the inter-part component element connection description. The condition 114 serves as the information which limits the memory contents when the verification of the program 124 is carried out with every instruction. In this verification system 100, the description of an arithmetic expression level is sometimes compared with the description of a Boolean expression level in a verification mode. The library 116 is referred to when an arithmetic expression is converted into a Boolean expression for comparison of both expressions. If coincidence is confirmed between both expressions, the Boolean expression is converted into the arithmetic expression and the description level can be converted into the higher arithmetic expression level.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a verification method for a sequential logic device, and more particularly to a verification method for a sequential logic device using a formal verification method.

[0002]

2. Description of the Related Art Conventionally, three methods have been known as a method for verifying a logical device (hereinafter, "logical device" means "sequential logical device"). The first is a method using a simulation, the second is a method using a desk check, and the third is a method using formal proof.

At present, generally used methods are a method using simulation and a method using desk check.

In the method using simulation, first, the designer enumerates the cases to be tested and creates test test data. Then, a logic simulator is used to execute a simulation of the designed logic device based on the test test data. In this way, it is checked whether the designed logic device has a design error. This method can guarantee the correctness of the logic device in the case where the simulation is performed. However, it is not possible to guarantee that the designed logic device has no logic defects since it is not possible to perform simulations in all cases.

The desk check method means that the designer
This is a method of visually inspecting the designed logic device one by one on the desk to check whether it is correctly designed. This method is almost the same as the inspection used in program development. This method has a logic verification capability equal to or higher than the method using simulation. However, there is no way to verify that all cases have been checked, and there is no guarantee that the individual checking procedures will be correct.

From the above, the method using the simulation or the method using the desk check cannot be said to be a method which can completely verify the logic device.

The third method, that is, the method using formal proof, is to define and apply an informal check procedure in desk check exactly and accurately, and to use natural number theory, elementary geometry,
Just as the theorem is formally proved by abstract algebra, it is to formally prove the correctness of logic (correctness). This is a method capable of confirming whether all the cases have been checked and guaranteeing the correctness of the individual check procedure, and can guarantee that there is no logic failure.

In the method using formal proof, when the proof itself is the subject of discussion and consideration, the system including the proof is formalized to form a formal system, and then discussion and consideration are conducted. Therefore, the logical verification by the formal proof is also called the formal logical verification.

In the formal logic verification, the design object to be verified is called "implementation", "design", "design specification" or the like. The items on which the correctness is based upon verification are called “specification”, “specification”, “external specification” and the like. In the following, the former is referred to as “design specifications”,
The latter is called "external specification". What are design specifications?
It shows what the internal structure of the designed logic device looks like. The external specifications are specifications that can be observed from the outside without entering the internal structure of the logic device. Formal logic verification verifies whether the design specification of the logic device meets its external specifications.

Prior arts related to formal logic verification include, for example, M.Srivas and M.Srivas. "F of Bickford"
normal Verification of a P
ipeled Micro-processo
r, "IEEE Software, 1990, pp. 52-64. There is a technique disclosed in this prior art, in which a pipeline control processor with a three-stage configuration is targeted for logic verification and semi-automatically using a theorem proof program. Formal logic verification is performed, and Japanese Patent Laid-Open No. 7-65046 discloses a formal logic verification method for a pipeline control processor having an arbitrary stage configuration.

On the other hand, due to the recent increase in scale and complexity of microprocessors, verification of logic devices by computers (methods using simulation, methods using formal proof)
Processing time and calculation cost have increased. Especially, in the method using formal proof, since all the states generated by the microprocessor are verified, the processing time and the calculation cost thereof are only increasing. In addition, there is a need to convert the description level of the design specification to a higher level in order to improve the efficiency of verification of the logic device. By converting the hierarchy expressing the logical device into a more abstract, that is, higher description level, the calculation cost for verification can be reduced and the processing time can be improved.

[0012]

SUMMARY OF THE INVENTION An object of the present invention is to perform a partial verification in a formal verification, in order to reduce the processing time and the calculation cost at the time of verification, for the part the designer is paying attention to. It is to provide a method of verifying a logic device. A second object is to provide a formal verification method of a logic device capable of converting a description level of a design specification to a higher level in order to improve verification efficiency.

[0013]

In order to achieve the above object, the present invention represents an external specification of a sequential logic device in which constituent elements which can be set / referenced from the outside and their functions are described also by using arithmetic expressions. Design specifications representing the design specifications of the above sequential logic device, which describe the external specification data and the components that cannot be set / referenced from outside as well as the components that cannot be set / referenced from outside using Boolean expressions. A verification method of a logic device for inputting data and verifying whether a design specification represented by the design specification data satisfies an external specification represented by the external specification data. The above-mentioned design specification data is given a limiting condition such that it operates on an instruction-by-command basis.
Sequentially simulating the operation of the sequential logic device when the limiting condition is given to the sequential logic device,
In the process of simulating the operation of the sequential logic device, it is determined whether the Boolean expression used in the description of the design specification is equivalent to the arithmetic expression that appears in the process of simulating the operation. In the process of converting to an arithmetic expression and in the process of simulating the operation of the sequential logic device using the design specification data, it is determined whether the states of the constituent elements used in the description of the design specification are valid, and A step of accumulating different reachable states of the sequential logic device focusing on the constituent elements of different states, giving the limiting condition to the external specification data, and using the external specification data, In the process of sequentially simulating the operation of the sequential logic device when a limiting condition is given, and in the process of simulating the operation of the sequential logic device using the external specification data, the external specification The step of determining whether or not the state of the constituent element used in the description is valid, accumulating different reachable states of the sequential logic device focusing on the constituent element in the valid state, and the result of design specification data accumulation Is a step of certifying whether or not it is equivalent to the external specification data accumulation result, and the Boolean expression used in the description of the design specification is used in the description of the external specification in the process of proof of the equivalence. Determining whether it is equivalent to an arithmetic expression, and if it is equivalent, converting the Boolean expression into the arithmetic expression.

[0014]

DETAILED DESCRIPTION OF THE INVENTION An embodiment of the present invention will be described below with reference to the drawings. The description will be given in the following order.

(1) Outline of the logic verification system of the embodiment (2) Definition of correctness of computer design (3) External specifications and design specifications of example computer (3-1) External specifications of example computer (F) (3) -2) Design specifications of example computer (G) (4) Conversion from structural description to RT description (5) Conversion from RT description to behavioral description (6) Proof search (verification with one instruction with limited conditions) (6- 1) Limited condition management table (6-2) Arithmetic expression library (6-3) Limitation of next state by application of limited condition (6-4) Judgment level conversion judgment when applying limited condition (6-5) Memory axiom Description level conversion judgment at the time of application (6-6) State enumeration of G by behavioral description and rewriting by memory axiom (6-7) Abstraction (6-8) Application of limiting condition to external specifications (6-9) Extended recursive return Description level conversion judgment at the time of applying the delivery method (6-10) Application of the extended recursive induction method (7) Overall verification In this embodiment, (1) to (6) describes the one-instruction unit verification with a limited condition. The whole verification will be described in (7).

In (1), an outline of the logic verification system in this embodiment will be described. In (2), the definition of the validity of the logic device design, which is the final purpose of the logic verification in this embodiment, will be described. In (3), the external specifications and design specifications of the example computer, which is an input in this embodiment, will be described. In (4), the conversion from the structural description to the RT (register transfer) description in the logic verification system of this embodiment will be described. In (5), the conversion from the RT description to the behavioral description in the logic verification system of this embodiment will be described. In (6), the proof search of the verification by one instruction unit with a limited condition in the logic verification system of this embodiment will be described. In (7), overall verification in the logic verification system of this embodiment will be described.

(1) Outline of Logic Verification System of Embodiment A logic verification system is a system for verifying whether a design of a logic device satisfies its specifications. As described in the section of the related art, briefly, the external specifications are specifications of the external logic device that can be seen by the user of the logic device. The design specification is a specification of a logic device actually designed and realized by a designer based on an external specification, and is an internal logic specification that realizes the logic device.

The feature of this verification system is that it enables the description at the Boolean expression level, so that the design specification described by the Boolean expression can be compared with the external specification described by the arithmetic expression, and thereby, the Boolean expression level. Is that the description of can be converted to the arithmetic expression level. In addition, by enabling data setting to the memory (called a limiting condition),
Rather than verifying all states of the logic device, it is possible to perform verification limited to the state set in the memory.

FIG. 1 shows the configuration of a logic verification system (hereinafter abbreviated as "verification system") of the embodiment. This block diagram shows the case of verification by one instruction unit with a limiting condition.

In FIG. 1, the verification system 100 includes a keyboard 102, a display 104, a bus 106, a secondary storage disk 108, a CPU 118, and a memory 120. In the disk 108, the external specification data 11
0, structure description design specification data 112, limiting condition 114,
And an arithmetic expression library 116 are stored. These data 110, 112, 114, 116 are input to the verification system. These data 110, 112, 1
Details of 14, 116 will be described later.

In the memory 120, the input program 12
2, verification program 124, RT description design specification data 1
28, behavior description design specification data 130, and verification result 132 are stored.

The input program 122 includes external specification data, structure description design specification data, limiting conditions, and an arithmetic expression library on the keyboard 102 and the display 1.
Input via 04 to the secondary storage disk 108.
This is a program for storing as 10, 112, 114, 116.

The verification program 124 is the disk 108.
It is a program for automatically verifying whether or not the design specifications of the logical device represented by the design data 112 satisfy the specifications represented by the external specification data 110 by inputting the above four data 110, 112, 114, 116. . The verification result is output to the verification result 132 as “successful verification” or “failed verification”. Also, during the process,
Verification is performed while writing the RT description design specification data 128 and the behavior description design specification data 130 in the memory 120 as an intermediate result.

Next, an outline of the verification program 124, which is a feature of this embodiment, will be described. The verification program 124 will be described in detail in (4) to (7) below.

FIG. 2 is a flow chart showing the processing procedure and data flow of the verification program 124.

The input data to the verification program 124 is
It is design specification data 112 expressed in a structure description language, external specification data 110, limiting conditions 114, and an arithmetic expression library 116.

The structural description design specification data 112 represents the entire design specification by the description of the sub-components and the connection description between the sub-components. That is, the hardware is defined by describing the partial components of the hardware (such as registers) and the relationship between these partial components. As will be described later in (3), FIG. 16 shows an example of the structure description design specification data.

The external specification data 110 will be described in (3), and FIG. 12 corresponds to it.

The limiting condition 114 is the verification program 124.
This is information that limits the contents of the memory when the verification by is executed in units of one instruction. As described in detail in (6), FIG. 20 corresponds to this.

The arithmetic expression library 116 converts an arithmetic expression into a Boolean expression in order to compare the arithmetic expression with a Boolean expression. Details will be described in (6), and FIG. 18 corresponds to this.

The processing of the verification program 124 will be described with reference to FIG. First, in a conversion process 202 from a structure description to an RT (register transfer) description, the design specification data 112 expressed by the structure description is converted into design specification data 128 expressed by the RT description. This conversion is an equivalent conversion performed for expressing the design specification in the form of a recursive function, and can be performed by a known technique. The recursive function is one of the forms for expressing iteration. The whole embodiment may be configured by using a form using a loop instead of recursion.

Conversion process 206 from RT description to behavioral description
Then, the design specification data 128 expressed by the RT description is converted into the design specification data 130 expressed by the behavioral description.

FIG. 21 shows an example of the design specification data 128 expressed by the RT description. FIG. 22 shows an example of the design specification data 130 expressed as a behavioral description. In the conversion process 206 from the RT description to the behavioral description, the behavioral description suitable for the later proof search is equivalently converted. This equivalent conversion can also be performed by a known technique.

Next, in the proof search 210, it is proved that the legitimacy described in (2) holds between the design specification data 130 expressed by the behavioral description and the external specification data 110. The proof search 210 includes state enumeration 220 by behavioral description, restriction 224 of the next state by application of a limiting condition.
Descriptive level conversion possibility determination 222 when applying a limiting condition
Rewriting by memory axiom 226, description level conversion possibility determination 228 when applying memory axiom, abstraction 230, application of extended recursive induction 224, description level conversion possibility determination 236 when extended recursive induction is applied, and external specifications The application of the limiting condition of and the respective processes of the external specification data abstraction 232.

The state enumeration 220 based on the behavioral description includes the restriction 224 of the next state by applying the limiting condition, the determination level conversion possibility determination 222 when the limiting condition is applied, the rewriting 226 by the memory axiom, and the description level conversion when the memory axiom is applied. It operates in cooperation with each process of the possibility determination 228, simulates the operation of the design specification G using the operation description, and enumerates the reachable states. At that time, each processing uses the limiting condition 114 and the arithmetic library 116 as auxiliary inputs. The reachable state and the transition between the states are converted and stored in the G data 240 after rewriting.

The abstraction 230 is the rewritten G data 24.
For 0, the reachable state in the rewritten data is replaced with the state that appeared before that. The converted result is
It is stored as G data 242 after abstraction.

The application of the limiting condition to the external specification and the external specification data abstraction 232 perform the same processing as the design specification data 130 expressed by the operation description for the external specification data 110. The result of the processing is F data 244 after abstraction.
Is stored as

In the application 234 of the extended recursive induction, whether the justification described in (2) is established between the post-abstraction G data 242 and the post-abstraction F data 244 by using the extended recursive induction. Is verified and the verification result is "verification successful"
Alternatively, it is output to the verification result 128 as “verification failed”.
Simultaneously with this processing, the description level conversion possibility determination 236 when the extended recursive induction is applied is executed.

When the user prepares the RT description design specification data 128, the structure description design specification data 11
Instead of 2, it becomes the input. At this time, the conversion process 202 from the structure description to the RT description is unnecessary.

(2) Definition of Validity of Computer Design Here, the definitions of "external specifications", "design specifications", and "validity of logic device design" in this embodiment will be described in detail.

As described above, in simple terms, the external specifications are the specifications of the logic device as seen by the user, and the design specifications are the specifications of the logic device actually designed and realized by the designer based on the external specifications. It is a specification. Strictly speaking, the details are as defined below.

[Definition 1: External Storage Area and External Storage Area Variable] Of the storage areas constituting the logical device, the user of the logical device can access (that is, can be set / referenced from outside the logical device). A storage area such as a memory, a register, and a flag is called an “external storage area”. Not only storage areas such as memories and registers for holding data, but also storage elements such as flags are external storage areas if the user can access them. External storage memory,
Variables S1, representing values such as registers and flags
..., SN is called an "external storage area variable". The external storage area may be called a "programmable register".

[Definition 2: External storage area state set: S] The set of states created by the entire external storage area is called the "external storage area state set". One state of the external storage area is defined by a set of values taken by the external storage area variables S1, ..., SN. The external storage area state set is a set of such states.

[Definition 3: Internal storage area and internal storage area variable] Of the storage areas constituting the logical device, storage areas other than the external storage area, that is, the user of the logical device cannot access (that is, the logical device). Storage areas such as memory, registers, and flags (which cannot be set / referenced from outside) are called "internal storage areas". Not only storage areas such as memories and registers for holding data, but also storage elements such as flags for holding control signals are internal storage areas if the user cannot access them. The variables T1, ..., TM that represent the values of the memories, registers, and flags in the internal storage area are called "internal storage area variables". The internal storage area may be called a "non-programmable register".

[Definition 4: Internal storage area state set: T] A set of states created by the entire internal storage area is called an "internal storage area state set". One state of the internal storage area is defined by a set of values taken by the internal storage area variables T1, ..., TM. The internal storage area state set is a set of such states.

[Definition 5: Basic function: A, ...] External specifications,
A known function that appears in the design specification is called a "basic function".

[Definition 6: Basic predicate: P, ...] External specifications,
A known predicate that appears in the design specification is called a "basic predicate".

[Definition 7: External specification: F] "External specification" F
Is a function from the external storage area state set S to S,
S1, ..., SN are variables (arguments), and are functions composed of basic functions, basic predicates, if-then-else clauses, and recursive function definitions.

F (s1) = s2 (s1 and s2 are elements of S) means that when this logical unit starts execution from the initial state s1, this logical unit will stop execution sometime and reach the final state s2. Is the meaning.

The fact that F (s1) does not exist (s1 is an element of S) means that execution does not stop forever when this logical device starts execution from the initial state s1 (for example, in an infinite loop).

[Definition 8: Design specifications: G] "Design specifications" G
Is a function from the external storage area state set S to S, and G (S1, ..., SN) = G0 (S1, ..., SN, t1,
, TM). However, G0 is S × T to S
, TM, T1, ..., TM as variables (arguments), and basic functions, basic predicates, and if-then-else
It is a function composed of clauses and recursive function definitions.

G is an internal storage area T1 of the design specifications of the logic device at the time of initial setting (power-on-reset, etc.).
, TM is an initialization function that initializes t1, ..., Tm to activate the design specification, and G0 is a behavior display function that represents the behavior of the design specification as the clock time advances.

G (s1) = s2 (s1 and s2 are elements of S) means that when the logic device starts execution from the initial state s1, it will stop execution sometime and reach the final state s2.

The absence of G (s1) (s1 is an element of S) means that the execution does not stop forever when this logical device starts execution from the initial state s1 (for example, in an infinite loop).

[Definition 9: Validity of design of logic device] S,
If F and G are defined as above, then for any element s of S, if either F (s) or G (s) is present, then the other is always present, and F ( The logical unit is defined as correct when s) = G (s).

(3) Example External Specification (F) and Design Specification (G) of Computer In (4) and later described later, an example having a register with a bit width of 3 bits is a target of verification by the verification system of this embodiment. A computer will be described as an example. Here, the external specifications and the design specifications of the verification target example computer will be described. Although the example computer described here is simple, it reproduces the basic operation of an actual computer in a compact manner.

(3-1) External Specifications of Example Computer (F) First, the external specifications of the example computer will be described.

FIG. 11 shows an outline of the structure of the example computer 1100. Computer 1100
Is a CPU 1102 and 3 bits x 8 main memory (M) 1108
It has. CPU1102 is a program counter (C)
1104 and an arithmetic unit (I
NC) 1106. Main memory is addressed 0-7 in 3-bit units.

The function of the example computer 1100 starts from the value C of the program counter 1104 and ends at C + 1,
It is assumed that the data in the main memory 1108 whose addresses are C + 2, ... Are sequentially examined, and the data in the main memory 1108 whose addresses are the data are incremented until 0 data appears. When 0 appears, the example computer 11
00 stops and the program counter 1104 receives the address +1 in which 0 was stored.

FIG. 12 shows the example computer 11 of FIG.
The external specification of 00 is expressed using a recursive function. In the present embodiment, this description is one of the inputs of the verification system as the external specification data 110. Function syntax and semantics
`` Pure LISP (J. McCarthy, et al. LISP 1.5 Pr
ogrammer's Manual.MIT Press, Cambridge, Mass.,
USA, 1962) ". In this syntax, an object is described by using a recursive function definition method using an if statement.

In FIG. 12, 1202 is a main function F representing external specifications. The variable C represents the program counter and the variable M represents the main memory. C and M are programmable registers (meaning registers accessible by the programmer, also known as external storage area).

<C + 1, M> represents a binary term of C + 1 and M. M (a) represents the 3-bit memory contents starting from address a. M [b / a] represents a memory in which the 3-bit memory content starting from the address a is rewritten with b. MM (a) represents an abbreviated description of M (M (a)).

The if statement on the right side represents stop processing, and the processing after else represents processing when it is not. Stop condition (M
When (P) = 0) is satisfied, the value of the programmable register given by the binomial set is returned as the finally obtained value. Otherwise, it updates each register to the value corresponding to the next program counter value and calls itself again.

When F is called, F repeats the recursive call as described above, and finally returns the value obtained in the programmable register. Therefore, when a specific value is set in the programmable register, the function F goes through the above process and finally returns the value obtained in the programmable register.

(3-2) Design Specifications of Example Computer (G) Next, design specifications of the example computer 1100 will be described.

FIG. 13 describes the design specifications of the example computer 1100 in the form of a logical block configuration diagram. The design specifications of the example computer 1100 will be described with reference to FIG.

In FIG. 13, the example computer 13
00 is controlled by the two-phase clock output from the clock generator 1302. The clock starts to be generated when the ON signal becomes "1" and stops when the STOP signal becomes "1".

The example computer 1300 includes a main memory 1108 shown in FIG. 11, a 3-bit program counter (C) 1104 (hereinafter, referred to as a C register 1104), an arithmetic unit (FUNCa) 1324 and an arithmetic unit (FUNCb). In addition to 1326, a register group that cannot be set / referenced by the programmer, a selector 1320, and a conflict detection circuit 1322 are provided.

The S register 1306 is used for the main memory 110.
It is a register that holds 3-bit data read from C register 1104.

The D register 1310 is used for the main memory 110.
It is a register for holding 3-bit data read from S register 1306.

The V register 1312 is a 1-bit flag register that holds the determination result of the conflict detection circuit.

The arithmetic unit (FUNCa) 1324 is a logic circuit which inputs a 3-bit value and outputs a 3-bit value. In this case, the input is the C register 1104, and the calculation result is output to the selector 1320.

The arithmetic unit (FUNCb) 1326 is a logic circuit which inputs a 3-bit value and outputs a 3-bit value. In this case, the input is the D register 1310, and the calculation result is output to the main memory 1108.

1320 is a selector. As shown in FIG. 13, the output value is the value of the C register 1104 or the operation unit (FUNCa) 1 depending on the stop and conf values.
It will be one of the values of the output of 324.

Conflict / stop condition detection circuit 132
2 detects whether or not the storage of the preceding data in the memory to be performed rewrites the read data by the subsequent data processing (memory conflict: M-conflict), and determines whether or not to stop the computer. It is a combinational circuit. When a memory conflict is detected is when there is a dependency between data.

The main memory 1108 can process two data reads and one data write (storing) in one clock. However, when the writing area and the reading area overlap, the writing operation to the main memory 808 is guaranteed, but the reading operation is not guaranteed.
The guarantee of the read operation in that case is performed by the conflict / stop condition detection circuit 1322 or the like.

The design specifications of the example computer 1300 to be verified have been described above with reference to FIG. Note that this design specification is merely an example of the external specification (FIG. 12) of the example computer 1100, and other design specifications are possible. Of course, the present invention is similarly applicable to other design specifications having different numbers of instructions.

The design specifications shown in these figures are suitable for human reference, but not suitable for the verification program to operate as design specification data. Therefore, the design specification data is represented in a format that the verification program can easily operate.

FIG. 16 shows this example computer 1100.
The structure description design specification data 112 of FIG. This is shown in FIG.
The design specifications described in Section 3 are described using a structure description language, that is, expressed as a netlist that is easy for the verification program to operate.

The grammar of the netlist element is shown in FIG.
5 shows the syntax of the netlist. As shown in FIG. 15, the netlist is a list (a list) in which a finite number of netlist elements are arranged and enclosed in parentheses. Netlist elements include registers and combinatorial logic.

In the netlist element representing the register shown in FIG. 14A, the keyword "Register" is first, and in the following order, resource name, bit width, source resource name / output pin number / divided signal name, sync. There is a finite list of resource names, input pin numbers, and split signal names. Here, the divided signal is an expression used when a register having a bit width is handled in 1-bit units (such as a Boolean expression).

In the netlist element representing the combinatorial logic shown in FIG. 14B, the keyword "Combinatio" is first set.
nal−logic ”, and in the following order, a finite list of resource name, source resource name / output pin number / input parameter set, finite list of sink resource name / input pin number / output parameter set, and output parameter input parameter. There is a finite list of equations represented by.

In the structure description design specification data 112 (FIG. 16) of the example computer 1100 described in the netlist format of such a grammar, SEL (13
20), FUNCa (1324), and C (110
Only 4) is shown. The rest is omitted, but it can be easily expressed in the above format. Naturally, the design specification expressed in the format of FIG. 13 is equivalent to the design specification expressed in the netlist format (structure description) of FIG.

In the following (4) to (6), the conversion process 202 from the structural description to the RT description shown in FIG. 2, the conversion process 206 from the RT description to the behavioral description 206, and the proof search 210.
Will be sequentially described in detail. First, the conversion process 202 from the structural description to the RT description will be described.

(4) Conversion from Structural Description to RT Description Referring again to FIGS. 1 and 2, in the conversion process 202 from the structural description to the RT description, the design specification data 112 (FIG. 16) expressed by the structural description Is converted into design specification data 128 (FIG. 21) expressed by RT description. A known technique may be used for this conversion processing. For example, Dominique D. Borrion
e et al., “Formal Verification of VHDL Descriptions in
the Prevail Environment, ”IEEE Design and Test of
Computers, 1992, pp. 42-56. And the method described in JP-A-6-215063 may be used. This conversion is an equivalent conversion performed for expressing the design specification in the form of a recursive function.

In FIG. 21, 2100 is R of the main function G.
T description is shown, and 2102 is RT description of the auxiliary function G0.

Here, the notation method of a register having a bit width will be described. When referred to only by a resource name such as “C, S”, it represents the entire register having a bit width, and when referred by a divided signal name such as “C [0], S [1]”. Is one of the registers with bit width
Represents the value of a bit.

The main function G2100 is a non-programmable register (meaning a register inaccessible by the programmer) while leaving a programmable register (meaning a register accessible by the programmer, also known as an external storage area).
Set an initial value to the internal storage area)
Call G02102.

When the clock stop condition is satisfied, the auxiliary function G02102 returns the value of the programmable register at that time as a value finally obtained, and otherwise updates each register to the value of the next clock time. Call the auxiliary function G0 again. That is, the auxiliary function G0 is
When a specific value is set in the programmable register and the non-programmable register and called, the above recursive call is repeated, and the value finally obtained in the programmable register is returned.

Therefore, when a specific value is set in the programmable register, the main function G goes through the above process and finally returns the value obtained in the programmable register.

The main function G is the initialization function described in (2), and the auxiliary function G0 is the behavior display function.

In the RT description of FIG. 21, the update of the value of each register at each clock time is represented by using the recursive call of the function G0. The updated value of each register at the next clock time is described for each register collectively in one place.
nsfer: Register transfer).

(5) Conversion from RT Description to Behavior Description Next, the conversion processing 206 from the RT description to the behavior description will be described.

Conversion processing 206 from RT description to behavioral description
Then, the design specification 128 (FIG. 21) expressed by the RT description is converted into the design specification 130 (FIG. 22) expressed by the behavioral description. In this conversion, inside the function G0 to call recursively
If there is an if, the process of moving the if to the outside of the function and simplifying it is repeated until there is no if inside the function G0. That is, since an if statement appears in the argument of the function G0 that is recursively called on the right side of 2102 in FIG.
The if statement is moved to the outside of the function G0 for simplification processing.
As a result, the RT description is equivalently converted into a behavioral description suitable for later proof search.

A publicly known technique may be used for the conversion process 206. For example, the technique disclosed in the method for verifying a logic device in Japanese Patent Application Laid-Open No. 6-215063 may be used. In this conversion, first, if inside the function is moved to the outside of the function, and then it is simplified, and the design specification 130 (FIG.
2) is obtained. The design specification 130 shown in FIG. 22 expressed by the behavioral description cannot be further simplified, and it can be used inside the function G0.
if does not remain. That is, all if conditions are functions G0
, And the processing operations for each condition are collectively described in one place. Such a description is called a behavioral description here.

Note that such a simplification technique is known, and its details are described in, for example, Boyer and Moore, “A Computati.
onal Logic Handbook ”, 1988, Academic Press.

(6) Proof Search (Verification with One Instruction Unit with Limited Condition) Next, the proof search process 210 will be described.

In the proof search process 210 of FIG. 2, the justification explained in the above (2) is established between the design specification data 130 (FIG. 22) expressed by the behavioral description and the external specification data 110 (FIG. 12). Prove that.

The proof search process 210 includes state enumeration 220 by behavioral description, and next state limitation 22 by application of a limiting condition.
4, Possibility of description level conversion when applying the limiting condition 22
2, rewriting by memory axiom 226, description level conversion possibility determination 228 when memory axiom is applied, abstraction 230,
It is composed of application 224 of the extended recursive induction, determination level conversion possibility determination 236 when the extended recursive induction is applied, application of a limiting condition to an external specification, and external specification data abstraction 232.

First, in (6-1), the verification system is set to 1
The limiting condition 114 necessary for executing the instruction unit
In (6-2), the arithmetic expression library 116 required when converting the description level from the Boolean expression level to the arithmetic expression level will be described. Then, from (6-3) to (6-10)
Each process of the proof search 210 will be described in order.

(6-1) Limiting Condition Next, the limiting condition 114 will be described.

In order to execute this verification system in units of one instruction, the contents of the memory are restricted, so that the movement of the computer to be verified is restricted. The limiting condition is a management table for the contents of the memory of the verification system. Further, when the contents of the memory are rewritten by M [a / b] or the like during the execution of verification, the rewritten memory needs to be rewritten from the memory before rewriting, and the limiting condition also needs to be rewritten. A new rewriting table having the values and is generated and the rewritten values are managed.

In the grammar of the limiting condition shown in FIG. 19A, there is a keyword "Memory-main" at the beginning, and a finite list of pairs of memory name, address name, value, and limiting condition is arranged in this order. . Here, when the value is limited to the condition of =, the value is directly input. If it is limited under other conditions, write in the limited conditions. When the memory is referenced, the value corresponding to the address and the limiting condition are extracted from this limiting condition.

In the rewrite table shown in FIG. 19B, the keyword "Memory-write" is first provided, and the set of memory name, address name / value / reference memory name is arranged in the following order. Here, the reference memory name indicates the name of the memory before rewriting, and when the content other than the rewritten address is referred to the memory in which the rewriting has occurred, the memory having this name is referred to. By doing so, only the rewritten contents need to be managed in the rewriting table.

FIG. 20 shows the limiting condition 114 of the example computer described by such a grammar. This is because when the main memory M1108 of the example computer is referred to by M (C) (M (C) ≠ 0) & (M (C) ≠ C + 1).
If the condition is referred to by M (C + 1), M (C
The condition is +1) = 0.

Since M (C + 1) = 0 is a condition of =, it is directly written in the value.

This limiting condition is a condition intended to stop the computer at the second instruction, and 0, which is the stopping condition of the example computer, is written in M (C + 1) corresponding to the second instruction. In the case of M (C) corresponding to the first instruction, the condition of M (C) ≠ 0 is set so as not to stop at the first instruction, and M (C +
1) M (C) ≠ C + so as not to increment 0
The condition of 1 is given.

(6-2) Arithmetic Expression Library Next, the arithmetic expression library 116 will be described.

In this verification system, the description at the arithmetic expression level may be compared with the description at the Boolean expression level at the time of verification. The arithmetic expression library 116 is referred to when converting an arithmetic expression into a Boolean expression in order to compare such an arithmetic expression with a Boolean expression. If they match, the description level can be upgraded from the Boolean expression level to the arithmetic expression level by replacing the Boolean expression with the matched arithmetic expression.

FIG. 17 shows the grammar of the arithmetic expression library.
As shown in FIG. 17, the arithmetic expression library has a finite list of a finite list of arithmetic operators / arguments, a finite list of input parameters, and a finite list of Boolean expressions in which output parameters are represented by expressions consisting of input parameters. . Here, arithmetic operators are operators such as + and =. An argument is any argument that the operator takes. Further, the input parameter is an argument taken by the operator divided into bits, and the number is the number of arguments × bit width.

FIG. 18 shows the arithmetic expression library 116 of the example computer described by such a grammar. This is a library of increment operator (+1) and equal decision predicate operator (=). The number of arguments of each arithmetic expression is 1 for +1 and 2 for =. Therefore, since the bit width of the register is 3 bits, the arguments of the Boolean expression are 3 bits for +1 and 6 bits for =. The output of the Boolean expression is +1 for 3 bits and = for 1 bit.

This arithmetic expression library has a description level conversion possibility judgment 222 when a limiting condition is applied, a description level conversion possibility judgment 228 when a memory axiom is applied, and a description level conversion possibility judgment when an extended recursive induction is applied. Referenced in each processing of 236.

(6-3) Limitation of Next State by Applying Limiting Condition Next, the limitation 224 of the next state by applying the limiting condition will be described.

In the G state enumeration 220 by the behavioral description, which will be described in detail in (6-6), the behavior of the design specification is simulated using the behavioral description to enumerate reachable states. The restriction 224 of the next state by application of the restriction condition applies the restriction condition to the memory expression in the if conditional expression in the restriction of the next state by application of the restriction condition of the processing 309 of the G state enumeration 220 by the behavioral description. By applying the if condition to true or false, the next state is limited, and execution in units of one instruction can be realized.

FIG. 5 is a flow chart showing the procedure of application 224 of the limiting condition. In this procedure, process 506
222 Possibility of description level conversion when applying the limiting condition
Then, the procedure of FIG. 4 is called.

First, in process 502, processes 504 to 514 are applied to the if condition after the calculation of the transition condition of the next state. Hereinafter, these processes will be described.

First, in process 504, the current focus is on.
It is checked whether a memory expression is included in the if condition.
If it is included, the process proceeds to step 505. If it is not included, the process of step 502 and subsequent steps is performed again for the next if condition. Next, in the process 505, the limiting condition 11 is determined in order to determine whether the memory expression of the process 504 has a limiting condition.
Refer to FIG. At this time, the description level conversion possibility determination 222 when the limiting condition is applied is applied. This will be described in detail in (6-4).

As a result of the processing 505, if the limiting condition is given to the memory expression in the processing 506, the processing proceeds to the processing 508, and if not, the processing of the processing 502 and the subsequent steps is performed again.

In processing 508, if
Determine if the condition is true. This determination may be performed using a known technique, that is, a known theorem proof program. For the theorem proof program, for example,
It is disclosed in Chang &Lee's"Proof of Theorem by Computer" (published by Japan Computer Association, 1983).

If the truth is established in process 508, process 5
Go to 10, if-after the current if-then clause
Delete the then clause and end the process.

If true is not established in process 508, process 5
At 12, it is determined whether the if condition becomes false by applying the limiting condition. This determination can be made by a known technique as in the process 508.

If false is established in process 512, process 5
In step 14, the if-then clause currently being focused on is deleted, and the processing after the processing 502 is performed again. Process if not established
Perform processing after 502.

(6-4) Judgment Level Conversion Possibility Judgment When Applying Limiting Condition Next, description level conversion possibility judgment 2 when applying a limiting condition
22 will be described.

In the G state enumeration 220 by the behavioral description which will be described in detail in (6-6), in order to evaluate the memory expression, the limiting condition 114 is referred to so that the address of the memory expression matches the address of the limiting condition 114. You may decide to do. If they match, if one of the address expressions is an arithmetic expression and the other is a Boolean expression, the Boolean expression can be converted into an arithmetic expression.

FIG. 4 is a flowchart showing the procedure of the description level conversion possibility determination 222 when the limiting condition is applied. First, in process 402, processes 404 to 408 are performed for all the addresses of the limiting conditions. Hereinafter, these processes will be described.

First, in process 404, it is determined whether the memory address matches the address of the limiting condition. At this time, if one is an arithmetic expression and the other is a Boolean expression, the arithmetic expression library 116 is used to convert the arithmetic expression into a Boolean expression, and then the Boolean expression is used to determine whether or not there is a match. A publicly known technique may be used for determining the coincidence by the Boolean expression. As a result of the determination, if they match, the process proceeds to step 406, and if they do not match, the process after step 402 is performed again for the address next to the limiting condition. In process 406, process 40
It is determined whether the arithmetic expression library 116 is used in 4,
If it is used, process 408 converts the Boolean expression to an arithmetic expression,
The processing after the processing 402 is performed again. 4 if not used
The processing after 02 is performed.

(6-5) Judgment Level Conversion Possibility When Applying Memory Axiom Next, description level conversion possibility judgment 2 when applying memory axiom
28 will be described.

In the G state enumeration 220 by the behavioral description, the rewriting 226 by the memory axiom is applied after the calculation of the next state and the transition condition of the process 310. As will be described in detail in (6-6), in the rewriting 226 based on the memory axiom, if the if condition is satisfied, it is determined whether the arithmetic expression ≠. If the judgment is satisfied, the if condition and the arithmetic expression of ≠ may be equal. Also, the arithmetic expression ≠ is else
If it is satisfied by if condition, if condition before that condition,
Or elseif condition may be equal to = arithmetic expression. Therefore, in the description level conversion 228 when the memory axiom is applied, if the if condition is a Boolean expression and the if condition and the arithmetic expression are determined to be equal, the if condition is converted to the arithmetic expression.

FIG. 7 is a flow chart showing the procedure of the description level conversion possibility determination 228 when the memory axiom is applied.
First, in process 702, processes 704 to 706 are performed for all Boolean expressions of the if condition that are currently focused (that is, the memory axiom can be applied). In process 704, it is determined whether the arithmetic expression of ≠ and the Boolean expression of the if condition are equal. For the judgment of arithmetic expressions and Boolean expressions, that is, the coincidence judgment, see (6
The technique of -4) may be used. If the result of determination is that they match, the Boolean expression is converted to an arithmetic expression ≠ in processing 706, and the processing for the if condition ends. If they do not match,
The process 702 is performed again, and if all the Boolean expressions do not match, the process proceeds to the process 708.

In process 708, attention was paid to process 702.
The process 710 is performed for the if condition before the if condition.
In process 710, processes 712 to 714 are performed on all the Boolean expressions of the if condition which are currently focused. Process 71
In 2, it is determined whether the expression obtained by replacing ≠ in an arithmetic expression of ≠ with a Boolean expression. If the result of determination is that they match, in step 714, the Boolean expression is converted into an arithmetic expression of =, and the processing ends. If they do not match, the process 710 is performed again, and if all Boolean expressions do not match, the process 708 is performed for the next if condition.

(6-6) Enumerate G states by behavioral description,
And Rewriting by Memory Axiom Next, the G state enumeration 220 by behavioral description and the rewriting 226 by memory axiom will be described.

The G state enumeration 220 by the behavioral description and the rewriting 226 by the memory axiom operate as a pair,
Enumerate reachable states by simulating the behavior of design specifications using behavioral descriptions. The reachable states and the transitions between them are
After rewriting, the data is converted into the G data 240 and stored.

FIG. 3 shows the G state enumeration 22 by the behavioral description.
It is a flowchart which shows the procedure of 0. In this procedure, the next state is restricted by applying the restriction condition of the process 309 2
In 24, the procedure of FIG. 5 is called, and in rewriting 226 to which the memory axiom of the process 311 is applied, the procedure of FIG. 6 is called.

In FIG. 3, first, in process 302, variables are initialized. The variables to be initialized are N, post-rewrite function FIFO, pre-rewrite function FIFO, and rewrite wait list.

Next, in process 304, the pre-rewriting function F
The functions are extracted from the IFO one by one, and the processes 306 to 3 are performed.
22 is applied. Hereinafter, these processes will be described.

First, in process 306, the right side of this function G (initialization function), that is, the definition body (initial value state) of this function G is added to the rewriting waiting list A. next,
In process 308, the behavior description G0 (behavior display function) is applied to enumerate the states. Next, in process 309, the next state restriction 224 is applied by applying the limiting condition to limit the next appearing state. If the result of processing 309 indicates that the memory has been rewritten, the limiting condition is rewritten in processing 310 using the rewriting table shown in FIG.
The result is further rewritten by processing 311 by applying the memory axiom.

This rewriting is equivalent to calculating the next state by simulating the operation of the design specification for only one clock, and the rewriting result represents the next state.

Here, the G0 term means G0 (a,
b, ...) is a conditional expression that defines the values that programmable registers and non-programmable registers can take. Can be seen.

The rewritten function definition is added to the rewritten function FIFO in the process 312, and each rewritten G0 is rewritten.
The term is added to the rewrite waiting list B in process 314.

At the time of rewriting the G0 term, at the time of rewriting the definition body, the rewriting result is added via the equal sign immediately after the definition body. When rewriting an expression via the equal sign immediately after the definition body, this expression is replaced with the rewriting result. Details of rewriting to which the memory axiom is applied will be described later.

Next, in process 316, processes 318 to 322 are performed for each G0 item in the rewriting waiting list B.

First, in process 318, "GN (P, M)"
= This G0 term "is substituted into TEMP. Here," G
The value of N at this time is used as N of N ″. When N = 1, it becomes G1, and when N = 2, it becomes G2.

This operation corresponds to defining as equivalent to a state consisting only of programmable register values named G1, G2, ....

Next, in process 320, it is determined whether or not the next state has already appeared. That is, it is checked whether or not the next state (right side of TEMP) is already on the right side of the pre-rewrite function FIFO or the middle side of the post-rewrite function FIFO.
The process 322 is performed only when it has not appeared.

In process 322, the next state (GX) with the name GN is added to the pre-rewriting function FIFO, and the variable N
Is added to 1. The function added to the pre-rewriting function FIFO is subjected to the processing after the processing 304. Also, since N is incremented by +1 here, the name of GN is updated only when the next state is new (not already appearing).

The state enumeration 212 of G (initialization function) by the above-mentioned behavioral description G0 (behavior display function) is simply described as follows.
Expanding the right side of G (initial value state) steadily,
This is a process to wash out all the states that appear. This is a state in which the G0 term appears on the way. Expanding and rewriting the G0 term using G0 (behavior display function) means 1
This is equivalent to advancing time by the clock. By expanding the G0 term steadily, all reachable states can be obtained. Since the initial value states include external storage area variables such as C and M, they are not a single state but a group of states. The state represented by the G0 term is not a single state, but indicates a group of states defined by the conditional expression represented by the G0 term. Therefore, in the expansion of the G0 term, a plurality of reachable states are required in one expansion.

The reachable state thus obtained is th
The G0 term in the en clause and the conditions for transition to that state are
The if clause is stored in the function FIFO after rewriting in the form of a function definition. The left side of the function definition represents the state before the transition.

Next, the rewriting 226 based on the memory axiom will be described.

FIG. 6 shows a rewriting 226 based on the memory axiom.
6 is a flowchart showing the processing procedure of FIG. In this procedure, the procedure of FIG. 7 is called in the description level conversion possibility determination 228 when the memory axiom is applied in the processing 610.

The memory axiom is an abbreviation for "memory data invariant axiom without rewriting" and is expressed by the following equation.

S ≠ f → M [c / s] (f) = M (f) where f is a fetch address, s is a store address,
c is store data. This expression has the following meaning: "If f and s are different, the address f after writing c to address s
The memory data of is the same as the memory data when it is not written. "

Referring to FIG. 6, in the rewriting 226 based on the memory axiom, first, in process 602, each of the right side of the behavioral description is processed.
The if-then clause is searched for, and the processing after the processing 604 is applied to each G0 term.

In process 604, candidates to which the above memory axiom is applied are extracted. That is, M [c / s] and M
It is checked whether or not the element of the form (f) is included. If it is included, the process proceeds to step 606. If it is not included, the process after step 604 is performed again for the next G0 term.

In step 608, the memory axiom application condition is confirmed. That is, it is checked whether s ≠ f is true. This determination may be performed using a known technique, that is, a known theorem proof program. The theorem proof program is disclosed, for example, in “Proof of a Theorem by Computer” by Chang & Lee (published by Japan Computer Association, 1983).

Processes 610 and 611 are executed only when true is established in process 608. In process 610, M
Replace (f) with M [c / s] (f). Further processing 61
In No. 1, the description level conversion possibility determination 228 when the memory axiom is applied is applied.

In process 612, all G0 terms after replacement are examined, and if there is the same G0 term, if-then of the same G0 term is found.
Integrate clauses. That is, the if-then clause to be integrated is deleted, and instead the logical sum (or) of all the deleted if conditions.
Is placed in the if clause, and the if-then clause having the same G0 term in the then clause is placed.

Next, using the description 2200 of the main function G and the description 2202 of the auxiliary function G0 of FIG. 22, the operation of the G state enumeration 220 according to the operation description of FIG. 3 will be specifically described. At this time, the state-enumerated G data 2300 in FIG. 23 and the rewritten G-data 240 in FIG. 24 are also referred to.

First, in process 302, variables are initialized to N = 1, post-rewriting function FIFO = empty, pre-rewriting function FIFO = G definition 2200, rewriting waiting list = empty.

Next, in process 304, the definition 220 of G is set.
Processes 306 to 322 are performed for 0. First, in process 306, the definition body 2200 of G is added to the rewriting waiting list A. In process 308, the definition body 2200
The behavioral description 2202 is applied to enumerate the states. Processing 3
In 09, the next state restriction 224 (FIG. 5) and the description level conversion possibility determination 222 (FIG. 4) at the time of memory access are performed by applying the limiting condition to the rewriting result of the process 308.
Since the memory is not rewritten, the process 310 does not rewrite the limiting condition. The result of rewriting the state enumeration is shown in FIG. Since there is no if condition in the rewriting result, the next state is not restricted 224 by applying the limiting condition. Further, since there is no reference to the limiting condition 114, the description level conversion judgment 222 when the limiting condition is applied is also not performed.

Further, in process 311, rewriting 226 (FIG. 6) by the memory axiom is performed. However, FIG.
In the description of (a), since there is no if condition, rewriting by the memory axiom is not performed.

In process 312, the function definition, that is, FIG.
(A) is added to the FIFO after rewriting, and in processing 314,
The G0 term after rewriting, that is, G0 ((FUNCaC),
M, 1, M (C) and MM (C)) are added to the rewriting waiting list B.

By the processing 316, the rewriting waiting list B
G0 term of G0, that is, G0 ((FUNCa C), M, 1, M (C),
Processes 318 to 322 are performed on MM (C)).

In process 318, "GN (P, M) = this term", that is, the following expression 1 is substituted into TEMP.

[0164]

## EQU1 ## G1 (C, M) = G0 ((FUNCaC), M, 1, M (C), MM (C)) (Equation 1) In process 320, the right side of TEMP, that is, the right side of Equation 1 Is the right side of pre-rewrite function FIFO or post-rewrite function F
It is checked if it is already in the middle of the IFO. Since this is a new state, the process proceeds to step 322, TEMP is assigned to the pre-rewriting FIFO, and N = N + 1 is executed. At this time, since the rewriting waiting list B is empty, the process proceeds to the process 304 again, and the next process is performed.

By the process 304 again, the processes 306 to 322 are performed for the definition number 1 of G. First, processing 306
Then, the right side of the definition body number 1 of G is the rewriting waiting list A
Is added to In process 308, the behavior description 2202 is applied to the right side of the definition body number 1 to enumerate states, and process 309
Then, the next state restriction 224 (FIG. 5) by applying the limiting condition to the rewriting result and the description level conversion possibility determination 222 (FIG. 4) when the limiting condition is applied are performed. The result of rewriting the state enumeration is shown in FIG.

The next state is limited 224 by applying the limiting condition to the result of rewriting. First, by the process 502, the first
The processings 504 to 514 are performed for the if condition. In process 504, it is checked whether or not the memory expression is included. First
Since if condition of No. includes M (C), processing 506
Check the limited conditions with. Since the limiting condition 114 is referenced, the description level conversion possibility determination 222 when the limiting condition is applied is executed.

By the process 402, the processes 404 to 408 are performed with reference to the limiting condition 114 for M (C).
First, in process 404, the address coincidence determination is performed.

As a result, it matches the first address C of the limiting condition 114. Arithmetic expression library 11 in processing 406
A determination is made whether a reference to 6 has been made. In this case, since the reference is not made, the process ends.

As a result of referring to the limiting condition 114, the limiting condition of M (C) is (M (C) ≠ 0) & (M (C) ≠ C + 1). Therefore, in process 508, it is determined whether the if condition is true. As a result, since it is not true, the process proceeds to step 512, and it is determined whether the if condition is false. As a result, since it becomes false, the process proceeds to step 514, and the first if-then clause is deleted.

Returning again to the process 502, the processes 504 to 514 are applied to the second if condition. In process 504, it is checked whether or not the memory expression is included. Since the second if condition includes M ((FUNCaC)) and M (C), the limiting condition is confirmed in processing 506. Limited condition 114
Is referred to, the description level conversion possibility determination 222 (FIG. 4) when the limiting condition is applied is executed.

By the processing 402, M ((FUNCa C))
About processing 404-40 with reference to limiting condition 114
8 is applied. First, in process 404, the address coincidence determination is performed. Second address C + 1 of limiting condition 114
Is an arithmetic expression and (FUNCa C) is a Boolean expression, so the arithmetic expression library 116 is referenced for matching. As a result, since they match, the arithmetic expression library 11 is processed in step 406.
A determination is made whether a reference to 6 has been made. In this case, all references to (FUNCa) Boolean expressions appearing in the G data are replaced with +1 because a reference is made.

As for the M (C), similar to the first if condition, a limiting condition of (M (C) ≠ 0) & (M (C) ≠ C + 1) is given.

As a result of referring to the limiting condition 114, M (C +
1), M (C + 1) = 0, and M (C) has (M (C) ≠
0) & (M (C) ≠ C + 1). Therefore, in process 508, it is determined whether the if condition is true. As a result, since it is not true, the processing 51
Proceeding to 2, it is determined whether the if condition becomes false. As a result, since it is not false, the process proceeds to step 502 again.

Since the third if condition is an else clause, the limitation 224 of the next state due to the application of the limiting condition ends.

By the process 310, memory rewriting M [(FUNCb MM (C)) / is written in the second and third then clauses.
M (C)], a rewriting table shown in FIG. 23D is generated, and the rewritten memory is named m.

The result of the above rewriting is shown in FIG.

Further, in process 311, rewriting 216 (FIG. 4) by the memory axiom is performed. First, processing 60
In step 2, find the if-then clause on the right side of the description, and
The processing after the processing 604 is applied to the then clause. FIG. 23 (c)
In the above description, there are two if-then clauses (including the last else clause) on the right side.

In processing 604, M [c / s] and M (f)
Check whether the element of the form is included. First if-
In the then clause, m [M [(FUNCb
MM (C)) / M (C)]), and M (f) includes M (C + 1) and MM (C + 1).

In step 608, it is checked whether s ≠ f is true when the first if condition is true. Therefore, ((C
ONFa C + 1 M (C)) or (CONFb M (C +
1) When M (C))) is true, it is first checked whether M (C) ≠ C + 1 is true. As a result, it is found that M (C) ≠ C + 1 is false, and the process returns to 606. Next time,
((CONFa C + 1 M (C)) or (CONFb M
When (C + 1) M (C)) is true, M (C) ≠ M (C +
1) is checked for truth, and as a result, M (C) ≠ M
(C + 1) is found to be false, and the process returns to 402.

Returning to the processing 602 again, the second processing is executed in the processing 604.
Of the if-then clause of M [c / s] and M (f). In the second if-then clause, M
M (M [(FUNCb MM (C))) as [c / s]
/ M (C)]) is included, and M (C + is included as M (f).
1) and MM (C + 1) are included.

In process 608, it is checked whether s ≠ f is true. The second if-then clause is the second if if the first if condition is false.
Since it is executed when the condition is true, it is then checked whether s ≠ f is true. Therefore, ((CONFa C + 1 M
(C)) o (CONFb M (C + 1) M (C)))
When is false, it is first checked whether M (C) ≠ C + 1 is true. As a result, it is found that M (C) ≠ C + 1 is true, and the processing advances to 610, where M (C + 1) is m (C + 1).
Is replaced by. Further, the description level conversion possibility determination 228 (FIG. 7) when the memory axiom is applied is performed.

In step 702, steps 704 to 706 are executed for the second if condition. Since the second if-then clause is an else clause, there is no Boolean expression in the condition. Therefore, the processing proceeds to the processing 708, and the processing 710 is performed for the first if condition.

In process 710, it is checked whether or not the first if condition includes a Boolean expression.

((CONFa C + 1 M (C)) or (C
ONFb M (C + 1) M (C))) is (CONFa
C + 1 M (C)) and (CONFb M (C + 1) M
(C)) is included.

First, in process 712, the arithmetic expression library 11
6 using M (C) = C + 1 and (CONFa C + 1 M
It is determined whether (C)) matches. As a result, all (CONFa) appearing in the G data match because they match.
The Boolean expression is replaced with =, and the description level conversion possibility determination 228 when the memory axiom is applied ends.

Returning to processing 606, this time ((CONF
a C + 1 M (C)) or (CONFb M (C + 1) M
(C))) is false, it is checked whether M (C) ≠ M (C + 1) is true. As a result, it is found that M (C) ≠ M (C + 1) is true, and the process proceeds to 610. . MM (C +
1) is replaced with mm (C + 1), and the description level conversion possibility determination 228 (FIG. 7) when the memory axiom is applied is further performed.

In step 702, steps 704 to 706 are performed on the second if condition. Since the second if-then clause is an else clause, there is no Boolean expression in the condition. Therefore, the processing proceeds to step 708, and the processing 710 is performed for the first if condition.

In step 710, it is checked whether or not the first if condition includes a Boolean expression.

((CONFa C + 1 M (C)) or (C
ONFb M (C + 1) M (C))) is (CONFa
C + 1 M (C)) and (CONFb M (C + 1) M
(C)) is included.

First, in step 712, the arithmetic expression library 11
6 using M (C) = M (C + 1) and (CONFa C
+1 M (C)) is determined. As a result, since they do not match, it is determined whether or not M (C) = M (C + 1) and (CONFb M (C + 1) M (C)) match this time. As a result, since they match, all (CONFb) Boolean expressions appearing in the G data are replaced with =, and the description level conversion possibility determination 228 when the memory axiom is applied ends.

The result of rewriting by the above memory axiom is (e) of FIG.

In the process 312, the function definition, that is, the whole (e) of FIG. 23 is added to the FIFO after rewriting, and the process 31
G0 term after rewriting at 6, that is, G0 (C + 1, m, 0,
M (C + 1), MM (C + 1)) and G0 (C + 1) +
1, m, 1, m (C + 1), mm (C + 1)) are added to the rewriting waiting list B.

By the processing 316, the rewriting waiting list B
The first G0 term of G0, that is, G0 (C + 1, m, 0, M (C +
1) and MM (C + 1)) are processed 318 to 322.

In process 318, "GN (P, M) = this term", that is, the following equation 2 is substituted into TEMP.

[0195]

## EQU00002 ## G2 (C, M) = G0 (C + 1, m, 0, M (C + 1), MM (C + 1)) (Equation 2) In process 320, the right side of TEMP, that is, the right side of Equation 2, is rewritten. Right side of previous function FIFO or function F after rewriting
It is checked if it is already in the middle of the IFO. Since this is a new state, the process proceeds to step 322, TEMP is assigned to the pre-rewriting FIFO and N = N + 1 is executed, and the next G
0 term G0 (C + 1) + 1, m, 1, m (C + 1), mm
The process proceeds to (C + 1)).

In process 318, "GN (P, M) = this term", that is, the expression 3 is substituted into TEMP.

[0197]

## EQU00003 ## G3 (C, M) = G0 (C + 1) + 1, m, 1, m (C + 1), mm (C + 1)) (Equation 3) In process 320, the right side of TEMP, that is, the right side of Equation 3 is , The right side of pre-rewrite function FIFO or post-rewrite function F
It is checked if it is already in the middle of the IFO. Since this is a new state, the process proceeds to step 322, TEMP is assigned to the pre-rewriting FIFO, and N = N + 1 is executed. At this time, since the rewriting waiting list B is empty, the process proceeds to the process 304 again.

The above-mentioned processing is performed by the pre-rewriting function FI.
This is performed for the remaining number 2 and number 3 of FO.

At the end, the rewritten function FIFO stores the rewritten G data 240 (FIG. 24), which is used in the next application of the extended recursive induction.

(6-7) Abstraction The procedure of the abstraction 230 of FIG. 2 will be described with reference to FIG.

First, in the process 802, first, each term on the right side of each function of the post-rewrite function FIFO is set to the post-rewrite function F.
Replace with "left side = middle side" of the function in the IFO. By this replacement, the G0 term representing the state created by the values of the programmable register and the non-programmable register becomes
, G1, G2, ..., Representing the states created only by the programmable register values defined in 8. At this time, the actual arguments of the terms G1, G2, ... After replacement represent the conversion performed on the programmable register value.

Next, in process 804, the rewritten function FIF
The middle side of each function of O is deleted and only "left side = right side" is left.

The result of abstraction of the rewritten G data 240 (FIG. 24) is shown in 242 (FIG. 25).
In FIG. 25, it is understood that each item on the middle side is deleted and only the item representing the state created by the programmable register value is described.

(6-8) Application of limited conditions to external specifications Next, application of limited conditions to external specifications will be described.

G data after abstraction 24 to which the limiting condition is applied
It is necessary to apply a limiting condition to the external specification data 110 in order to determine whether the 2 and the external specification data 110 match.

The application of the limiting condition to the external specification is the same as the application of the limiting condition to the design specification data.
The limiting condition is applied by applying the state enumeration to 10. The application is state enumeration 220 by behavioral description (FIG. 3).
The procedure can be performed.

By setting the external specification data 110 as shown in Equations 4 and 5, the state listing 220 based on the behavioral description is performed.
(FIG. 3) can be applied.

[0208]

F (C, M) = F0 (C, M) (Equation 4)

[0209]

F0 (C, M) = if M (C) = 0 then <C + 1, M> else F0 (C + 1, M [MM (C) + 1 / M (C)]) (Equation 5) After state enumeration 26 shows the external specification data 244 of the above. After this, abstraction is performed. This is also an abstraction of design specification data 2
The procedure is 30 (Fig. 8).

(6-9) Description Level Conversion Judgment When Applying Extended Recursive Induction Next, description level conversion judgment when applying extended recursive induction will be described.

In the application 234 (described later) of the extended recursive induction method, it is determined whether the design specification data G after abstraction and the external specification data F are the same. At this time, if the argument of the design specification data has a Boolean expression, the Boolean expression can be converted into an arithmetic expression by determining whether the argument matches the arithmetic expression of the external specification data.

FIG. 10 is a flow chart showing the procedure of the description level conversion judgment 236 when the extended recursive induction is applied.

First, in the process 1002, the processes 1004 and 1006 are performed on the arguments of the GN term determined to be the same in the application 234 of the extended recursive induction. Processing 100
At 4, it is determined whether the argument of the GN term is a Boolean expression. If the result of determination is that it is a Boolean expression, the processing proceeds to step 1006, and the Boolean expression is replaced with an arithmetic expression. If it is not a Boolean expression, the process returns to the process 1002 again to process the next argument.

By the above processing, the description of the Boolean expression in the argument of the GN term can be converted into the arithmetic expression.

(6-10) Application of Extended Recursive Induction Method Next, application 234 of the extended recursive induction method in FIG. 2 will be described. First, the extended recursive induction itself will be described, and then details of the application 234 of the extended recursive induction will be described with reference to FIG. These explanations are almost the same as in Japanese Patent Application No. 5-230941.

The extended recursive induction method is a method showing the equivalence between a recursive function system and a recursive function.

The following Equations 6 and 7 show examples.

[0218]

F (x) = if P (x) then A (x) elseif Q (x) then F (B (x)) ..... elseif R (x) then F (C (x)) ． … (Equation 6)

[0219]

F <1> (x) = if P (x) then A (x) elseif Q (x) & Q <11> (x) then F <n <q11 >> (B (x)) elseif Q (x) & Q <12> (x) then F <n <q12 >> (B (x)) ... elesif Q (x) & Q <1a> (x) then F <n <q1a >> ( B (x)) ..... elseif R (x) & R <11> (x) then F <n <r11 >> (C (x)) elseif R (x) & R <12> (x) then F <N <r12 >> (C (x)) ..... elesif R (x) & R <1b> (x) then F <n <r1b >> (C (x)), ..... F <M> (x) = if P (x) then A (x) elseif Q (x) & Q <m1> (x) then F <n <qm1 >> (B (x)) elseif Q (x) & Q <m2> (x) then F <n <qm2 >> (B (x)) ..... elesif Q (x) & Q <ma> (x) then F <n <qma >> (B (x)) ..... elseif R (x) & R <m1> (x) then F <n <rm1 >> (C (x)) elseif R (x) & R <m2> (x) then F <n <rm2 >> (C (x)) ..... elesif R (x) & R <mb> (x) then F <n <rmb >> (C
(x)). (Equation 7) Equation 6 is a definition of the recursive function F. The recursive function F is defined using the existing functions P, Q, R, ..., A, B, C ,. Equation 7 is the definition of the recursive function system, and the recursive function F
<1>, ..., F <m> are defined. In Equation 7, Equation 6
Q <11>, ..., Q <1a in addition to the existing functions used in
>, R <11>, ..., R <1a>, Q <m1>, ..., Q
It is defined using <ma>, R <m1>, ..., R <mb>. Here, <i> represents a subscript. F <n <q1
<N <q11 >> such as 1 >> indicates any one of <1> to <m>.

Comparing all the recursive functions F <i> of the recursive function system with the recursive function F, the if condition (Q (x) &
Q <i1> (x) etc.), and if condition of F (Q (x) etc.)
Is always included, and the known function (B (x) inside the recursive function of the then clause (F <n <qi1 >> (B (x)) etc.) corresponding to the if condition of F <i> is included. ), Etc.) is always in this F
It is equal to the known function (B (x) etc.) inside the recursive function of the then clause (F (B (x)) etc.) corresponding to the if condition.

When all the recursive functions F <i> of the recursive function system and the recursive function F have such a relationship, it is claimed that any recursive function F <i> of the recursive function system is equal to the recursive function F. Is the extended recursive induction.

The reason why equivalence can be shown by the extended recursive induction is
In the recursive function F <i> and the recursive function F of the recursive function system, the processing performed in the then clause when the if conditions P (x), Q (x), R (x) and the like are satisfied is A (x) Or B
(x) or C (x) and recursively call itself (or its own function) with the result, and both are always equal, and if the same processing is performed, the values of both are Because they are always equal.

Equations 8 and 9 are simple examples, but they are equivalent by the extended recursive induction.

[0224]

F (x) = if p (x) then a (x) else f (b (x)). (Equation 8) f1 (x) = if p (x) then a (x) elseif q (x) then f2 (b (x)) else f1 (b (x)),

[0225]

F2 (x) = if p (x) then a (x) else f1 (b (x)). (Equation 9) In both cases, when p (x), the value is a (x), and not (p
(x)) & p (b (x)) is a (b (x)), not
This is because when (p (x)) & not (p (b (x))) & p (b (b (x)), it is a (b (b (x)) and the values are always the same.

Next, the procedure of the application 234 of the extended recursive induction will be described with reference to FIG. In this procedure, description level upper conversion when applying the extended recursive induction of process 910
At 236, the procedure of FIG. 10 is called.

First, pretreatment 902 is performed. Pretreatment 9
In 02, if there is a simple equality f (x) = g (x) in the post-abstraction G data 242 and the post-abstraction F data, all occurrences of g are replaced with f and f (x) = f ( Delete x).

Processes 904 to 910 are confirmation of the application conditions of the extended recursive induction.

First, in process 904, processes 906 and 90 are performed for each function of the abstracted G data 242 after middle edge deletion.
Apply 8,910. In process 906, each if- of this function
Processes 908 and 910 are applied to the then clause. Process 908
Then, if conditions (b1, b2, ...
In (), the post-abstraction G data 242 currently being watched
If condition (a) and “a if bi (i = 1, 2, ...
・) ”” Is checked to see if any of them satisfies the above condition. If there is the above if condition, the process proceeds to step 910, and if not, the process proceeds to step 918.

The processing 910 corresponds to the if condition (a).
It is checked whether the then clause and the then clause corresponding to the if condition (bi) are the same except for the difference in the recursive function names. If they are not the same, the process proceeds to step 916. If they are the same, the description level upper conversion 236 when the extended recursive induction is applied is applied, and the remaining if-
Processes 908 and 910 are performed on the then clause. Process 910
If all are the same, the proof is successful, the verification result is printed as proof successful, and all processing is finished (23
8). Whether or not there is an equivalence relation can be examined by using a known technique, that is, a theorem proof program or a formal verification technique of equivalence between combinatorial logics.

The extended recursive induction is applied to the post-abstraction G data 242 and the post-abstraction F data 246. By the processing 902 which is the pre-processing, each data becomes the following expression 10 and expression 11.

[0232]

G (C, M) = if ((CONFa C + 1 M (C)) or (CONFb M (C + 1) M (C))) then <(C + 1) +1, m> else <(C + 1) +1, m> ... (Equation 10)

[0233]

F (C, M) = <(C + 1) +1, m1> (Equation 11) Comparing Eq. 10 and Eq. 11 in Processes 904 to 910, in Process 908, if condition of Eq. Therefore, it is interpreted that the condition is satisfied for all the if conditions of Expression 10, and the process proceeds to step 910. In process 910, <(C + 1) + 1, m1> of the equation 11 and <(C + of the equation 10
1) Determine whether +1, m> are the same. As a result, C
Are the same. For m and m1, it is confirmed that the address and its value match the referenced memory. Since the addresses match in M (C), if a match is determined for that value, (FUNCb MM (C)) and (MM (C) +1)
Matches. Therefore, the description level conversion 236 (FIG. 10) when applying the extended recursive induction is applied to replace all (FUNCb) Boolean expressions appearing in the description with +1. The referenced memory also matches in M, so <(C + 1) +1,
m1> and <(C + 1) +1, m> are the same.

The second if-then clause of Expression 10 is also matched.

From the above, it is found that the two are equivalent by the extended recursive induction method, and it is printed as proof success and processed 238.
Proceed to and the proof is completed and all processing is completed.

As described above, according to this embodiment,
With the support of Boolean expression level description, the Boolean expression level description can be converted to the arithmetic expression level by comparing the design specification described by the Boolean expression with the external specification described by the arithmetic expression. Further, by supporting the data input (limited condition) to the memory, it is possible to perform not only the entire state of the logic device but also the state created by the instruction input to the memory.

(7) Overall Verification Next, the overall verification will be described.

In (1) to (6), the one-instruction unit verification by application of the limiting condition has been described, but here, the verification for all states without the limiting condition is called the overall verification. By performing this overall verification, description level upper conversion can be performed while verifying all states.

The entire verification can be realized by removing the processing relating to the application of the limiting condition from the verification of the one instruction unit with the limiting condition.

FIG. 27 shows the configuration of the logic verification system of the embodiment of the overall verification. This configuration is the same as the configuration diagram of FIG. 1 except for the limited condition management table 114 and the verification program 3124. The limited condition management table 114 is not necessary for the overall verification. The verification program 3124 is shown in FIG.

FIG. 28 is a flow chart showing the processing procedure and data flow of the verification program 3124. This flow is also the same as that of FIG. 2, which is a one-instruction-unit verification flow with a limiting condition, except for the processing relating to the application of the limiting condition. In FIG. 2, the processing relating to the application of the limiting condition is performed by limiting the next state 224 by applying the limiting condition, describing level conversion 222 when applying the limiting condition, applying the limiting condition to the external specification, and abstracting 244 the external specification data. is there. The flow of FIG. 28 is obtained by removing these processes.

Restricting the next state 224 by applying the restrictive condition 224
Is a process called when a memory appears in the if condition in the calculation 308 of the next state and transition condition of the state enumeration 220 (FIG. 3) by the behavioral description. Then calculate the next state 3
At 08, this process is changed so as not to be called. Application of limiting conditions to external specifications and abstraction of external specification data 2
For 44, the external specification data 110 is directly applied to the application 234 of the extended recursive induction method.

By making the above changes, the whole verification becomes possible. This whole verification is equivalent to the case where no limiting condition is input in the verification up to (6),
No further detailed description will be given.

As described above, according to this embodiment,
With the support of Boolean expression level description, the Boolean expression level description can be converted to the arithmetic expression level by comparing the design specification described by the Boolean expression with the external specification described by the arithmetic expression.

[0245]

According to the present invention, by supporting the description at the Boolean expression level, the description at the Boolean expression level can be obtained by comparing the design specification described by the Boolean expression with the external specification described by the arithmetic expression. Can be converted to the arithmetic expression level. Further, by supporting the data input (limited condition) to the memory, it is possible to perform not only the entire state of the logic device but also the state created by the instruction input to the memory.

[Brief description of drawings]

FIG. 1 is a block diagram of a logic verification system (verification with one instruction unit with limited conditions).

FIG. 2 is a flowchart showing a processing procedure and a data flow of a verification program (verification with one instruction unit with limited condition).

FIG. 3 is a flowchart showing a processing procedure for listing G states by a behavioral description.

FIG. 4 is a flowchart showing a description level conversion possibility determination processing procedure when a limiting condition is applied.

FIG. 5 is a flowchart showing a processing procedure for limiting a next state by applying a limiting condition.

FIG. 6 is a flowchart showing a processing procedure of rewriting a behavioral description based on a memory axiom.

FIG. 7 is a flowchart showing a description level conversion possibility determination processing procedure when a memory axiom is applied.

FIG. 8 is a flowchart showing an abstraction processing procedure.

FIG. 9 is a flowchart showing a processing procedure for applying extended recursive induction.

FIG. 10 is a flowchart showing a description level conversion possibility determination processing procedure when the extended recursive induction is applied.

FIG. 11 is an explanatory diagram of a structure of external specifications of the example computer.

FIG. 12 is an explanatory diagram showing external specification data of the example computer.

FIG. 13 is an explanatory diagram of design specifications of an example computer.

FIG. 14 is an explanatory diagram of a netlist element grammar.

FIG. 15 is an explanatory diagram of a netlist grammar.

FIG. 16 is an explanatory diagram showing structure description design specification data of the example computer.

FIG. 17 is an explanatory diagram of an arithmetic expression library grammar.

FIG. 18 is an explanatory diagram showing arithmetic expression library data of the example computer.

FIG. 19 is an explanatory diagram of a limited condition grammar.

FIG. 20 is an explanatory diagram showing limiting condition data in the initial state of the example computer.

FIG. 21 is an explanatory diagram showing RT description design specification data of the example computer.

FIG. 22 is an explanatory diagram showing operation description design specification data of the example computer.

FIG. 23 is an explanatory diagram showing G data after state listing.

FIG. 24 is an explanatory diagram showing G data after rewriting.

FIG. 25 is an explanatory diagram showing post-abstraction G data.

FIG. 26 is an explanatory diagram showing F data after application of a limiting condition and after abstraction.

FIG. 27 is an explanatory diagram of a logic verification system (whole verification).

FIG. 28 is a flowchart showing a processing procedure and data flow of a verification program (entire verification).

[Explanation of symbols]

100 ... Verification system, 102 ... Keyboard, 104 ...
Display, 106 ... Bus, 108 ... Secondary storage disk, 118 ... CPU, 120 ... Memory, 110 ... External specification data, 112 ... Structural description design specification data, 114 ...
Limiting conditions, 116 ... Arithmetic expression library, 122 ... Input program, 124 ... Verification program, 128 ... RT description design specification data, 130 ... Behavior description design specification data, 132
…inspection result.

 ─────────────────────────────────────────────────── ─── Continuation of the front page (72) Inventor Kenzo Goto 5-20-1 Kamimizuhonmachi, Kodaira-shi, Tokyo Inside Hiritsu Cho-LS Engineering Co., Ltd.

Claims (10)

[Claims] 1. External specification data representing the external specifications of a sequential logic device described using externally settable / referenceable components, and not only externally settable / referenceable components but also externally set / referenceable data. Input the design specification data representing the design specification of the sequential logic device described also using the possible constituent elements, and the design specification represented by the design specification data satisfies the external specification represented by the external specification data. A method of verifying whether or not there is a logic device, wherein a limiting condition that limits the operation of the sequential logic device is given to the design specification data, and the limiting condition is applied to the sequential logic device using the design specification data. In the process of sequentially simulating the operation of the sequential logic device when given, and in the process of simulating the operation of the sequential logic device using the design specification data. A step of accumulating different reachable states of the sequential logic device, and giving the limiting condition to the external specification data, and using the external specification data, the above-mentioned condition when the limiting condition is given to the sequential logic device. Sequentially simulating the operation of the sequential logic device; accumulating different reachable states of the sequential logic device in the process of simulating the operation of the sequential logic device using the external specification data; And a step of certifying whether or not the design specification data storage result is equivalent to the external specification data storage result. 2. External specification data representing external specifications of a sequential logic device, which describes externally settable / referenceable elements and their functions using arithmetic expressions, and only externally settable / referenceable elements. The design represented by the design specification data described above is input by inputting the design specification data representing the design specification of the sequential logic device in which the constituent elements that cannot be set / referenced from outside and their functions are described by using Boolean expressions as well. A verification method of a logic device for verifying whether a specification satisfies an external specification represented by the external specification data, wherein the operation of the sequential logic device is sequentially simulated by using the design specification data. In the step and the process of simulating the operation of the sequential logic device, it is determined whether the Boolean expression used in the description of the design specification is equivalent to the arithmetic expression that appears in the process of simulating the operation, and it is equivalent. If so, in the step of converting a Boolean expression into an arithmetic expression and in the process of simulating the operation of the sequential logic device, it is determined whether or not the states of the components used in the description of the design specification are valid, and A step of accumulating different reachable states of the sequential logic device focusing on the constituent elements of the state, a step of certifying whether the accumulation result is equivalent to the external specification, and a step of proof of the equivalence. In the process, determining whether the Boolean expression used to describe the design specification is equivalent to the arithmetic expression used to describe the external specification, and if they are equivalent, converting the Boolean expression to the arithmetic expression. A method for verifying a logic device, comprising: 3. The design specification data according to claim 1, wherein the function is described by a Boolean expression, and the limiting condition can refer to the contents of the sequential logic device by designating an address. In the step of simulating the operation of the sequential logic device using the design specification data given to the storage device, if the limiting condition is referred from the storage device with an address described in a Boolean expression, the storage device is A method of verifying a logic device, comprising: determining whether an arithmetic expression used in the address of the above is equivalent to the above Boolean expression, and if they are equivalent, converting the above Boolean expression into the above arithmetic expression. 4. The arithmetic expression according to claim 2, wherein in the step of converting the Boolean expression into an arithmetic expression, it is possible to replace a storage device which has not been rewritten with a storage device which has been rewritten. And a Boolean expression of the above design specification data are judged to be equivalent, and if they are equivalent, a method for verifying a logic device comprising a step of converting the Boolean expression into an arithmetic expression. 5. A method of verifying a logic device, wherein a computer verifies that the design specification of a sequential logic device having a plurality of registers designed to satisfy the external specification satisfies the external specification, By giving a limiting condition that limits the operation of the sequential logic device to the design specification, and rewriting the design specification itself using the design specification, the realization specification given the limiting condition is operated, and it is possible to reach it. By accumulating the state as the rewriting result, giving the limiting condition to the external specification, and rewriting the external specification itself by using the external specification, the external specification given the limiting condition is operated, Accumulating the reachable state as the rewriting result, and the rewriting result of the design specification is the rewriting result of the external specification. A method of verifying a logic device, comprising the step of attempting verification using extended recursive induction for equality. 6. A logic device verification method for verifying by a computer that a sequential logic device design specification having a plurality of registers whose circuits are designed by Boolean expressions so as to satisfy the external specifications satisfies the external specifications. Therefore, the step of operating the design specification by rewriting the design specification itself using the design specification, and the Boolean expression of the design specification and the arithmetic expression appearing at the time of the rewriting are equal in the rewriting of the design specification. If it is equivalent, the step of converting a Boolean expression into an arithmetic expression, and the verification that the rewriting result of the above design specification is equivalent to the above rewriting result of the above external specification is verified using extended recursive induction. In the step to try and the verification using the extended recursive induction, whether the Boolean expression of the above design specification and the arithmetic expression of the above external specification are equivalent And a step of converting a Boolean expression into an arithmetic expression if they are equivalent. 7. An external storage area state set S, which is a set of states that can be set in an external storage area that can be set / referenced from outside of a sequential logic device that internally has a plurality of stages that operate in a pipeline manner. External specification data of the above-mentioned sequential logic device expressed by a recursive function to S, and an external storage area state set of an internal storage area that cannot be set / referenced externally By inputting the design specification data of the sequential logic device expressed by a recursive function configured by using the state also as an argument, the design specification represented by the design specification data satisfies the external specification represented by the external specification data. The external specification data is a recursive function representing a conversion from the current state of the external storage area to the next state, and the external specification data is one or more. A predetermined known function symbol and one or more if-th
It is described by the function including the en clause and the above design specification data is
A recursive function representing the conversion of the current state of the external storage area and the internal storage area to the next state, which includes one or more predetermined known function symbols and one or more if-then clauses. The external storage area in the next state when each of the if clauses appearing in the design specification data is true from the current state of the external storage area and the internal storage area, which is described by a function and uses the design specification data. And the state of the internal storage area are calculated for each if clause, and at that time, a limiting condition that the sequential logic device operates in units of one instruction is given to the realization specification data,
By applying the limiting condition to the if clause and calculating only the state when the if clause is true, the next state is limited to only the state when the sequential logic unit is given the limiting condition, Each if clause has an if clause, and each if clause has an if-then clause that has the state of the external storage area and the internal storage area in the next state when it is true. Calculation / storing step of storing as a description representing conversion of the external storage area and internal storage area to each state in the next state when each if clause is true, and a predetermined initial state of the external storage area and internal storage area From the above, the calculation / storing step is executed, and subsequently, the calculation / storing is performed on each of the states of the external storage area and the internal storage area when the calculated if clauses are true as the current state. In the step of repeatedly executing the step and the calculation / storing step, when the respective states of the external storage area and the internal storage area in the next state when the if clauses are true, the calculated values are In order to check whether or not it has already been calculated / stored, the description of the states of the external storage area and the internal storage area represented by the calculated value is included in the description of the current state already stored in the calculation / storing step. If it is included, the step of canceling the calculation / storing step regarding the state after the calculated state and the current state of the external storage area using the external specification data,
The state of the external storage area in the next state when each of the if clauses appearing in the design specification data is true is calculated for each if clause, and at that time, the sequential logic device operates in units of one instruction. When the above limiting condition is given to the above external specification data, by applying the above limiting condition to the above if clause and calculating only the state when the above if clause is true,
The next state is limited to only the state when the sequential logic unit is given the limiting condition, each of the if clauses has an if clause, and the state of the external storage area in the next state when each of the if clauses is true Computation / storing step, which is composed of if-then clauses each having a then clause, and is stored as a description representing conversion from the current state to each state of the external storage area in the next state when the above if clauses are true Then, the calculation / storing step is executed from a predetermined initial state of the external storage area, and subsequently, the states of the external storage area when the if clauses in the calculated next state are true are successively displayed. The step of repeatedly executing the calculation / storing step as a state and the calculation / storing step when the respective states of the external storage areas in the next states when the if clauses are true are calculated. In order to check whether the calculated value has already been calculated / stored, is the description of the state of the external storage area represented by the calculated value included in the description of the current state already stored in the calculating / storing step? When included, the step of stopping the calculation / storing step for the state after the calculated state, the iterative step using the design specification data and the iterative step using the external specification data are all stopped. Sometimes, the external storage area is converted from all the stored descriptions that represent the conversion from the current state of the design specification data to each state of the external storage area and the internal storage area in the next state when each if clause is true. The conversion applied to the variable that represents the initial value of is calculated, and when the conversion and the if clause corresponding to the conversion are satisfied, the external specification data described above is displayed. A method for verifying a logic device, comprising the step of verifying whether or not the conversion of the partial storage area group from the current state to the next state is equal and attempting verification. 8. An external storage area state set S, which is a set of states that can be set in an external storage area that can be set / referenced from outside of a sequential logic device that internally has a plurality of stages that operate like pipelines. External specification data of the above-mentioned sequential logic device expressed by a recursive function to S, and an external storage area state set of an internal storage area that cannot be set / referenced externally By inputting the design specification data of the sequential logic device expressed by a recursive function configured by using the state also as an argument, the design specification represented by the design specification data satisfies the external specification represented by the external specification data. The external specification data is a recursive function representing a conversion from the current state of the external storage area to the next state, and the external specification data is one or more. A predetermined known function symbol and one or more if-th
It is described by a function including an en clause and an arithmetic expression description for the calculation of the conversion of the external storage area to the next state. The design specification data is written from the current state of the external storage area and the internal storage area to the next state. A recursive function representing a conversion to a state,
One or more predetermined known function symbols and one or more
If-then clause and described by a function including a Boolean expression description for the operation of conversion to the next state of the external storage area and the internal storage area, using the design specification data,
From the current states of the external storage area and the internal storage area, the states of the external storage area and the internal storage area in the next state when the if clauses appearing in the design specification data are true are calculated for each if clause. , If-then clause having each of the above if clauses in the if clause, and each state of the external storage area and the internal storage area in the next state when each of the above if clauses is true, from the current state A calculation / storing step of storing as a description representing the conversion of the external storage area and the internal storage area to each state in the next state when each of the if clauses is true, and the design specification in the process of the calculation / storing step. Determine whether the Boolean expression used to describe the data is equivalent to the arithmetic expression that appears in the process of calculating the next state for each if clause, and if so, convert the Boolean expression to an arithmetic expression. From the predetermined initial state of the external storage area and the internal storage area, the calculation / storing step is executed, and subsequently, the external storage area and the internal storage when the if clause in the calculated next state is true, respectively. The step of repeatedly executing the calculation / storing step by setting each state of the storage area as the current state one after another, and the external storage area and the internal state in the next state when each if clause is true in the calculation / storing step. When calculating each state of the storage area, in order to check whether the calculated value is already calculated and stored, the description of the state of the external storage area and the internal storage area represented by the calculated value is calculated as described above. -Check whether it is included in the description of the current state already stored in the storing step, and if it is included, calculate / store the above-mentioned calculation / storage step regarding the states after the calculated state. When all the if clauses are true from the current state of the design specification data when all the steps of stopping the design specification data, the iteration step using the design specification data and the iteration step using the external specification data are canceled. The conversion applied to the variable representing the initial value of the external storage area is calculated from all the stored descriptions representing the conversion of the external storage area and the internal storage area to the respective states in the next state. When the if clause corresponding to the conversion is established, it is verified whether the conversion from the current state of the external storage area group indicated by the external specification data to the next state is equal, and the step of attempting verification and the above verification are performed. In the process of trying steps, when it is verified whether the conversion of the design specification data to each state is equal to the conversion to the next state indicated by the external specification data, the design specification data of The step of determining whether the Boolean expression used in the above description is equivalent to the arithmetic expression used in the description of the external specification data and converting the Boolean expression to the above arithmetic expression if they are equivalent is provided. A method of verifying a characteristic logic device. 9. The external specification data according to claim 7, wherein the external specification data is a recursive function representing conversion from a current state of the external storage area to a next state, and one or more predetermined known function symbols. It is described by a function that also includes one or more if-then clauses and an arithmetic expression description for the calculation of conversion of the external storage area to the next state, and the design specification data includes the external storage area and the internal storage area. Is a recursive function that represents the conversion of the current state to the next state of the one or more predetermined known function symbols, one or more if-then clauses, and the external storage area and the internal storage area. It is described by a function including a Boolean expression for the operation of conversion to the next state, and the limiting condition that the sequential logic device operates in the unit of one instruction specifies the address of the sequential logic device. Refer to its content by It is given to the storage device, and it is judged whether the above arithmetic expression and the above Boolean expression are equivalent by the address described in the Boolean expression to apply the limiting condition to the above if clause. A method for verifying a logic device, comprising the step of converting the arithmetic expression. 10. The step of determining whether the Boolean expression used to describe the design specification data is equivalent to an arithmetic expression that appears in the process of calculating the next state for each if clause, Judge whether the arithmetic expression that expresses whether or not the memory device that has not been rewritten can be replaced with the memory device that has been rewritten is equivalent to the Boolean expression that represents the condition of the if clause of the above design specification data. Then, if they are equivalent, a method for verifying a logic device, including a step of converting a Boolean expression into an arithmetic expression.