JPH09325975A - Verification method for logical device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To enable the proof of general external specification and design specification which can not be verified by the conventional extension recursive induction method of a form verification system. SOLUTION: Structure description design specification data 112 of a logical device are converted to register transfer description design data 122, the design specification data 122 are converted to operation description design data 124, the line-up of states due to operation descriptions and the reload due to memory axiom are performed, and reloaded data 232 are found. Further, the reloaded data 232 are made abstract, abstract data 234 are found and concerning the fact that the design specification data 234 are equivalent with external specification data 110, the equivalency of functions to appear in the external specification data 110 and the design specification data 234 is proved by using the extension recursive induction method equipped with the processing of 'application of second extension recursive induction method' to be performed while using the exchange of main bodies of functions.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method for verifying a sequential logic device, and more particularly to a method for verifying a sequential logic device using a formal verification method.

[0002]

2. Description of the Related Art Conventionally, three methods have been known as a method for verifying a logic device (hereinafter, a logic device means a sequential logic device). The first is a method that uses simulation, the second is a method that uses a desk check,
The third is a method using formal proof.

At present, generally used methods are a method using simulation and a method using desk check.

In the method using simulation, first, the designer enumerates the cases to be tested and creates test test data. Then, a logic simulator is used to execute a simulation of the designed logic device based on the test test data. In this way, it is checked whether the designed logic device has a design error. This method can guarantee the correctness of the logic device in the case where the simulation is performed. However, it is not possible to guarantee that the designed logic device has no logic defects since it is not possible to perform simulations in all cases.

The desk check method means that the designer
This is a method of visually inspecting the designed logic device one by one on the desk to check whether it is correctly designed. This method is almost the same as the inspection used in program development. This method has a logic verification capability equal to or higher than the method using simulation. However, there is no way to verify that all cases have been checked, and there is no guarantee that the individual checking procedures will be correct.

From the above, the method using the simulation or the method using the desk check cannot be said to be a method which can completely verify the logic device.

The third method, that is, the method using formal proof, is to define and apply an informal check procedure in desk check exactly and accurately, and to use natural number theory, elementary geometry,
Just as the theorem is formally proved by abstract algebra, it is to formally prove the correctness of logic (correctness). This is a method capable of confirming whether all the cases have been checked and guaranteeing the correctness of the individual check procedure, and can guarantee that there is no logic failure.

In the method using formal proof, when the proof itself is the subject of discussion and consideration, the system including the proof is formalized to form a formal system, and then discussion and consideration are conducted. Therefore, the logical verification by the formal proof is also called the formal logical verification.

In formal logic verification, the design object to be verified is called implementation, realization, realization specification, or the like. Also, the items on which correctness is based upon verification are referred to as specifications, specifications, and external specifications. In the following, the former is referred to as an implementation specification and the latter is referred to as an external specification. The realization specifications represent what the internal structure of the designed logical device looks like. External specifications
It is a spec that can be observed from the outside without entering the internal structure of the logic device. In the formal logic verification, it is verified whether or not the realization specifications of the logic device satisfy the external specifications.

As a conventional technique for formal logic verification, for example, “Formal by M. Srivas and M. Bickford” is used.
Verification of a Pipelined Microprocessor
ed Micro-processor) "IEEE Software, 1990, pp. 52-64. There is a technology disclosed in this prior art. A pipeline control processor with a three-stage configuration is targeted for logic verification. , Formal logic verification is performed semi-automatically using a theorem proof program.

Further, JP-A-7-65046 and JP-A-6-21506.
No. 3 discloses a formal logic verification method for a pipeline control processor with an arbitrary stage configuration. However,
The formal logic verification methods disclosed in JP-A-7-65046 and JP-A-6-215063 convert external specifications into recursive functions and implementation specifications into behavior level descriptions, and then based on the initial state. This is a method that enumerates all possible states of a logic device as a recursive function system and uses extended recursive induction to verify whether the implementation specifications satisfy the external specifications. However, in the extended recursive induction shown here, even if the implementation specification satisfies the external specification (even if it is correct), it may be judged as an error (the concrete example is the implementation of the invention. (2) in the form of). Therefore, this method cannot be said to be a method capable of completely verifying the correctness of the implementation specifications.

[0012]

SUMMARY OF THE INVENTION An object of the present invention is to provide a verification method capable of more correctly verifying the equivalence of a recursive function of an external specification and a recursive function in a recursive function system of an implementation specification.

[0013]

In order to achieve the above object, the present invention provides an external specification data in the form of a recursive function representing the external specification of a sequential logic unit described by using a component that can be set / referenced from the outside. And realization specification data in the form of a recursive function representing the realization specifications of the sequential logic device described using not only externally settable / referenceable components but also externally settable / unreferenceable components. Then, by using the realization specification data, whether or not the realization specifications represented by the realization specification data satisfy the external specifications represented by the external specification data is sequentially simulated. In the step and the process of simulating the operation of the sequential logic device, it is determined whether or not the state of the constituent element used in the description of the implementation specification is valid, and the constituent element in the valid state is focused on in the above order. The step of accumulating different reachable states of the logical unit in the form of a recursive function system, and the extended recursive induction method are used to confirm that the recursive function representing the external specification and the accumulated recursive function system are equivalent. And a new recursive function obtained by replacing the recursive function in the accumulated recursive function system with a non-equivalent recursive function in the above-mentioned proofing step in the verification method of the logic device to be verified using It is characterized by including a step of proving that a recursive function representing an external specification is equivalent.

[0014]

DETAILED DESCRIPTION OF THE INVENTION An embodiment of the present invention will be described below with reference to the drawings. The description will be given in the following order.

(1) Outline of the logic verification system of the embodiment (2) Extended contents of extended recursive induction (2-1) Method 1: method of rewriting function F <j> (2-2) method 2: function Method of rewriting F and function F <j> (2-3) Method 3: Method of rewriting function F (3) Definition of correctness of logic device (4) External specifications and design specifications of example computer (4-1) ) External specifications of example computer (F) (4-2) Design specifications of example computer (G) (5) Conversion from structural description to RT description (6) Conversion from RT description to behavioral description (7) Proof search ( 7-1) State enumeration of G by behavior description (7-2) Abstraction (7-3) Application of extended recursive induction (8) Modified example (8-1) Modified example 1 (8-2) Modified example 2 In (1), an outline of the logic verification system in this embodiment will be described. In (2), the features of the present invention in the extended recursive induction of the logic verification system will be described.
In (3), the definition of the validity of the design of the logic device, which is the final purpose of the logic verification in this embodiment, will be described. (4)
Next, the external specifications and design specifications of the example computer that is an input in this embodiment will be described. In (5), the conversion from the structural description to the RT (register transfer) description in the logic verification system of this embodiment will be described.
In (6), RT in the logic verification system of this embodiment is used.
The conversion from the description to the behavioral description will be described. In (7), proof search in the logic verification system of the present embodiment will be described. In (8), a modification of this embodiment will be described.

(1) Outline of the logic verification system of the embodiment The logic verification system is a system for verifying whether or not the design of the logic device satisfies its specifications. As described in the related art, briefly, the external specifications are specifications of the external logic device that can be seen by the user of the logic device. The design specification is a specification of a logic device actually designed and realized by a designer based on an external specification, and is an internal logic specification that realizes the logic device.

FIG. 1 shows the configuration of a logic verification system (hereinafter abbreviated as verification system) of the embodiment. FIG. 2 is a flow showing the processing procedure and data flow of the verification program 120. Both the configuration of the verification system and the processing procedure of the verification program are described in JP-A-6-215063 and JP-A-7-
It is almost the same as that disclosed in 65046.

In FIG. 1, the verification system 100 includes a keyboard 102, a display 104, a bus 106, a secondary storage disk 108, a CPU 114, and a memory 116.
It has. External specification data 110 and structure description design specification data 112 are stored in the disk 108. These data 110 and 112 are input to the verification system. Details of these data 110 and 112 will be described later.

The memory 116 stores the input program 11
8, verification program 120, RT description design specification data 1
22, behavior description design specification data 124, and verification result 126 are stored.

The input program 118 inputs the external specification data 110 and the structure description design specification data 112 via the keyboard 102 and the display 104, and 2
This is a program for storing 110 and 112 in the next storage disk 108.

The verification program 120 is the disk 108.
The program is a program for automatically verifying whether or not the design specifications of the logic device represented by the design data 112 satisfy the specifications represented by the external specification data 110 by inputting the above two data 110 and 112. The verification result is
Verification result 126 as "Successful verification" or "Verification failure"
Is output to The verification program 120
The verification is performed while writing the RT description design specification data 122 and the behavior description design specification data 124 in the memory 116 as an intermediate result.

Next, an outline of the verification program 120, which is a feature of this embodiment, will be described. The verification program 120 will be described in detail in (5) to (7) below.

FIG. 2 is a flow showing the processing procedure and data flow of the verification program 120.

The input data to the verification program 120 is
Design specification data 112 and external specification data 110 expressed in a structure description language.

The structural description design specification data represents the entire design specification by the description of the partial constituent elements and the connection description between the partial constituent elements. That is, the hardware is defined by describing the partial components of the hardware (such as registers) and the relationship between these partial components. As will be described later in (4), FIG. 13 shows an example of the structure description design specification data. The external specification data will be described in (4), and FIG. 9 corresponds to it.

The processing of the verification program 120 will be described with reference to FIG. First, in a conversion process 202 from a structure description to an RT (register transfer) description, the design specification data 112 expressed by the structure description is converted into design specification data 122 expressed by the RT description. This conversion is an equivalent conversion performed for expressing the design specification in the form of a recursive function, and can be performed by a known technique. The recursive function is one of the forms for expressing iteration. The whole embodiment may be configured by using a form using a loop instead of recursion.

Conversion process 204 from RT description to behavioral description
Then, the design specification data 122 expressed by the RT description is converted into the design specification data 124 expressed by the behavioral description.

FIG. 14 shows an example of the design specification data 122 expressed by the RT description. FIG. 15 shows an example of the design specification data 124 expressed by the behavioral description. In the conversion process 204 from the RT description to the behavioral description, the behavioral description suitable for the later proof search is equivalently converted. This equivalent conversion can also be performed by a known technique.

Next, in the proof search 210, it is proved that the justification described in (3) holds between the design specification data 124 expressed by the behavioral description and the external specification data 110. The proof search 210 is composed of a state enumeration 220 by a behavioral description, a rewriting 222 by a memory axiom, an abstraction 224, and an application 226 of extended recursive induction.

The state enumeration 220 based on the behavioral description operates in pair with the rewriting 222 based on the memory axiom, and the behavioral description is used to simulate the operation of the design specification G data 124 to enumerate reachable states. The reachable state and the transition between the states are rewritten and converted into the G data 232 and stored.

The abstraction 224 is the G data 232 after rewriting.
On the other hand, the reachable state in the rewritten data is replaced with the state that appeared before that. The converted result is stored as the abstracted G data 234.

In the application 226 of the extended recursive induction, the extended recursive induction is used to verify whether or not the justification described in (3) holds between the post-abstraction G data 234 and the external specification data 110. Then, the verification result is output to the verification result 126 as verification success or verification failure.

When the user prepares the RT description design specification data 122 or the behavior description design specification data 124, instead of the structure description design specification data 112,
These are the inputs. At this time, the conversion process 202 from the structural description to the RT description or the conversion process 204 from the RT description to the behavioral description 204 is unnecessary.

(2) Extension of extended recursive induction method The method unique to the present invention, which is not included in the methods disclosed in Japanese Patent Laid-Open Nos. 6-215063 and 7-65046, is an application of the above-mentioned extended recursive induction method 226. Is in the way. Before describing the embodiments of the present invention in detail using specific examples, the features of the extended recursive induction method of the present invention will be described in detail.

In the formal verification, the external specification data 110 is a recursive function, and the rewritten G data 2 obtained by the state enumeration 220 is used.
32. Abstracted G data 234 obtained by applying abstraction 224 to 32
It has been described above that the (function group) is regarded as a recursive function system and the extended recursive induction is applied to these to prove the correctness, and it is disclosed in JP-A-6-215063 and JP-A-7-65046. But it is also disclosed. JP-A-6-215063 and JP-A-6-215063
The extended recursive induction in 7-65046 is described as follows.

The extended recursive induction method is a method showing the equivalence between a recursive function system and a recursive function. The following equations 1 and 2 show examples.

[0037]

[Equation 1] F (x) = if P (x) then A (x) elseif Q (x) then F (B (x)) ..... elseif R (x) then F (C (x)) ... (Equation 1)

[0038]

[Equation 2] F 〈1〉 (x) = if P (x) then A (x) elseif Q (x) & Q 〈11〉 (x) then F 〈n 〈q11 〉〉 (B (x)) elseif Q (x) & Q 〈12〉 (x) then F 〈n 〈q12 〉〉 (B (x)) ..... elesif Q (x) & Q 〈1a〉 (x) then F 〈n 〈q1a 〉〉 ( B (x)) ..... elseif R (x) & R 〈11〉 (x) then F 〈n 〈r11 〉〉 (C (x)) elseif R (x) & R 〈12〉 (x) then F <N <r12 >> (C (x)) ..... elesif R (x) & R <1b> (x) then F <n <r1b >> (C (x)), ..... F 〈M〉 (x) = if P (x) then A (x) elseif Q (x) & Q 〈m1〉 (x) then F 〈n 〈qm1 〉〉 (B (x)) elseif Q (x) & Q 〈 m2〉 (x) then F 〈n 〈qm2 〉〉 (B (x)) ..... elesif Q (x) & Q 〈ma〉 (x) then F 〈n 〈qma 〉〉 (B (x)) ..... elseif R (x) & R 〈m1〉 (x) then F 〈n 〈rm1 〉〉 (C (x)) elseif R (x) & R 〈m2〉 (x) then F 〈n 〈rm2> 〉 (C (x)) ..... elesif R (x) & R 〈mb〉 (x) then F 〈n 〈rmb 〉〉 (C (x)) ... (Equation 2) Equation 1 is a recursive function This is the definition of F. The recursive function F is an existing function P, Q, R, ..., A, B, C ,. . . Is defined using. Equation 2 is the definition of the recursive function system, and the recursive functions F <1> ,. . . , F <m> are defined. In Expression 2, in addition to the existing function used in Expression 1, Q <11> ,. . .
Q <1a>, R <11> ,. . . , R <1a>, Q <m
1> ,. . . , Q <ma>, R <m1> ,. . . , R <m
b> is used for the definition. Here, <i> represents a subscript. <N <q11 >> such as F <n <q11 >> indicates any one of <1> to <m>.

Comparing all the recursive functions F <i> of the recursive function system with the recursive function F, if condition (Q (x) of F <i>
& Q <i1> (x) etc., the F if condition (Q (x)
Etc. are always included, and the then clause (F <n <qi1>) (B
(x (x)) etc.) known functions (B (x) etc.) inside the recursive function must be inside the recursive function of the then clause (F (B (x)) etc.) corresponding to the if condition of this F. Known function (B
(x) etc.).

When all the recursive functions F <i> of the recursive function system and the recursive function F have such a relationship, it is claimed that any recursive function F <i> of the recursive function system and the recursive function F are equal. The extended recursive induction method disclosed in JP-A-6-215063 and JP-A-7-65046.

However, there are recursive function systems and recursive functions that are equivalent but do not satisfy the above conditions. Equivalence between such a recursive function system and a recursive function cannot be proved by the above-mentioned extended recursive induction.

Equations 3 and 4 show simple examples. Where d
It is assumed that there is a relationship of (x) = b (c '(x)). Also,
The function c ′ is an inverse function of the function c, that is, the function c ′ (y) = x when c (x) = y. At this time, f (x) and f1 (x) are equivalent. In both cases, the value is a (x) when p (x) and a when not (p (x)) & p (b (x)).
(b (x)), not (p (x)) & not (p (b
(x))) & p (b (b (x))) then a (b (b (x)))
Because the values are always equal.

According to the conventional extended recursive induction method, for example, n
When ot (p (x)) & q (x), then then clause f of Equation 3
The known function inside (b (x)) and t of the function f1 (x) of Equation 4
It must be equal to the known function inside the hen clause f2 (c (x)). However, in this example, since b (x) and c (x) are not equal to each other, it is determined that Equation 3 and Equation 4 are not equivalent, which is an error.

[0044]

[Equation 3] f (x) = if p (x) then a (x) else f (b (x)) .... (Equation 3)

[0045]

[Formula 4] f1 (x) = if p (x) then a (x) elseif q (x) then f2 (c (x)) else f1 (b (x)), f2 (x) = if p (d (x)) then a (d (x)) else f1 (b (d (x))) .. (Equation 4) The second extended recursive induction used in the present invention is the extended recursive induction of the formal verification system. In determining the equivalence of the function appearing in the then clause in the application 226 of, the general recursive function system is examined by checking not only the equivalence of the inner known function but also the equivalence of the entire function of the then clause. Is an extension to prove the equivalence of and recursive functions.

Comparing the recursive function F1 defined by the recursive function system with the recursive function F in the above equations 1 and 2, i of F1 is
Among the f conditions (Q (x) & Q <11> (x) etc.), i of F
The f condition (such as Q (x)) is always included, and the then clause (F <n <q1
1 >> (B (x)) etc. corresponds to the if condition of F.
It is assumed to be equivalent to a hen clause (F (B (x)), etc.).

The second extended recursive induction method asserts that the recursive function F1 and the recursive function F of the recursive function system are equal when the recursive function F1 and the recursive function F defined in the recursive function system have such a relationship. .

The method of "determining the equality of the then clause" used in the second extended recursive induction will be described below. Here, a description will be given using Equations 3 and 4.

(2-1) Method 1: Method of rewriting function F <j> Comparing f of Formula 3 with f1 of Formula 4, like the conventional extended recursive induction method, the inside of the corresponding then clause is By checking the equivalence of the known functions, the second then clause (f2
It can be seen that the then clauses other than (c (x))) are equivalent. The remaining problems as below are f (b (x)) and f2 (c
(x)) is equivalent to. If b ′ is the inverse function of b, then f2 (c (x)) = f2 (c (b ′ (b (x))))
Therefore, f (x) and f2 (c (b '
(x))), that is, a new function f2 'obtained by replacing all x appearing in the function f2 (x) with the function c (b' (x)).
Check if (x) is equivalent. To see this,
The if condition of f2 '(x) always includes the if condition of f (x), and the corresponding then clauses are always equivalent. All if-the
See if you can say about n clauses.

From f2 (x) in Equation 4, f2 '(x) = f2 (c
When (b '(x))) is calculated,

[0051]

F 2 ′ (x) = if p (d (c (b ′ (x)))) then a (d (c (b ′ (x)))) else f1 (b (d (c (b ′ (X))))) ... (Equation 5) Except for the function name, this has exactly the same form as Equation 3, d (c (b '(x))) = x, that is, d (x) = b
It may be (c '(x)). Then f (x) and f2
(C (b '(x))) is equivalent, and therefore t in Eq.
hen clause f (b (x)) and then clause f2 (c
(x)) are equivalent.

(2-2) Method 2: Function F and function F <j>
Here, a method of checking the equivalence of f (b (x)) and f2 (c (x)) will be considered. A new function f2 ″ (x) obtained by replacing all x appearing in the function f2 (x) with the function c (x), and all x appearing in the function f (x) by the function b (x) The new function obtained by replacement is f ′ (x). At this time, f2 ″
The if condition of (x) always includes the if condition of f ′ (x), and the corresponding then clauses are always equivalent, and the condition of f2 ″ (x) and f ′ (x) When all the if-then clauses can be said, the then clause of f1 (x) and the corresponding then of f (x) are equivalent.

Rewriting f (x) in Equation 3 and f2 (x) in Equation 4 gives

[0054]

[Equation 6] f ′ (x) = f (b (x)) = if p (b (x)) then a (b (x)) else f (b (b (x))) .... (Equation 6 )

[0055]

[Formula 7] f2 ″ (x) = f2 (c (x)) = if p (d (c (x))) then a (d (c))) else f1 (b (d (c (x))) )) .... (Equation 7) In order that Equation 6 and Equation 7 have exactly the same form except for the function name, d (c (x)) = b (x), that is, d (x) = b
It may be (c '(x)). At this time, f '(x) and f
2 ″ (x) is equivalent, and therefore the then clause f (b (x)) of Equation 3 and the then clause f2 (c (x)) of Equation 4 are equivalent.

(2-3) Method 3: Method of rewriting the function F Here, instead of looking at the equivalence of f (b (x)) and f2 (c (x)), f (b (c '( x))) and the method of checking the equivalence of f2 (x). When a new function obtained by replacing all the x appearing in the function f (x) with the function b (c ′ (x)) is f ″ (x), it is included in the if condition of f2 (x). Is f ″
The if condition of (x) is always included, and the corresponding t
If all hen-clauses of f2 (x) and f ″ (x) can be said to be equivalent to hen clauses, then f1 (x)
Then, the then clause of f (x) corresponding to the then clause of is equivalent.

By rewriting f (x) in the equation 3,

[0058]

(8) f ″ (x) = if p (b (c ′ (x))) then a (b (c ′ (x))) else f (b (b (c ′ (x)))). (Equation 8) In order for this to be exactly the same as f2 (x) in Equation 4 except for the function name, d (x) = b (c '(x)). At this time, f (b (x)) and f2 (c (x)) are equivalent, and therefore the then clause f (b (x)) of equation 3 and the then clause f2 (c (x)) of equation 4 Are equivalent.

Note that f (x) and f (x) in the method (2-1) are
Equivalence determination of 2 '(x), f'in the method of (2-2)
In both the equivalence determination of (x) and f2 ″ (x) and the equivalence determination of f ″ (x) and f2 (x) in the method (2-3), t
When the known function inside the hen clause is again inconsistent, the same processing is applied to the corresponding function of the then clause.

Hereinafter, in (3) to (7), the above (2-3)
An example using the method will be described.

(3) Definition of Validity of Design of Logic Device Here, the definitions of “external specification”, “implementation specification”, and “validity of design of logic device” in this embodiment will be described in detail.

As described above, in simple terms, the external specifications are the specifications of the logic device that can be seen by the user, and the realization specifications are the specifications of the logic device actually designed and realized by the designer based on the external specifications. It is a specification. Strictly speaking, the details are as defined below.

[Definition 1: External storage area and external storage area variable] Of the storage areas constituting the logical device, the user of the logical device can access (that is, can be set / referenced from outside the logical device). A storage area such as a memory, a register, and a flag is called an “external storage area”. Not only storage areas such as memories and registers for holding data, but also storage elements such as flags are external storage areas if the user can access them. External storage memory,
Variables S that represent values such as registers and flags
1 ,. . , SN are called “external storage area variables”. The external storage area may be called a "programmable register".

[Definition 2: External storage area state set: S] The set of states created by the entire external storage area is called the "external storage area state set". External storage area variables S1 ,. . . , S
One state of the external storage area is defined by a set of values taken by N. The external storage area state set is a set of such states.

[Definition 3: Internal Storage Area and Internal Storage Area Variable] Of the storage areas constituting the logical device, storage areas other than the external storage area, that is, the user of the logical device cannot access (that is, the logical device). Storage areas such as memory, registers, and flags (which cannot be set / referenced from outside) are called "internal storage areas". Not only storage areas such as memories and registers for holding data, but also storage elements such as flags for holding control signals are internal storage areas if the user cannot access them. Variables T1, ... Representing values of memory, registers, flags, etc. in the internal storage area. . . , TM are called "internal storage area variables". The internal storage area may be called a "non-programmable register".

[Definition 4: Internal storage area state set: T] A set of states created by the entire internal storage area is called an "internal storage area state set". Internal storage area variables T1 ,. . . , T
One state of the internal storage area is defined by a set of values taken by M. The internal storage area state set is a set of such states.

[Definition 5: Basic function: A ,. . . ] The known functions that appear in the external specifications and the realization specifications are called “basic functions”.

[Definition 6: Basic predicate: P ,. . . ] Known predicates appearing in external specifications and realization specifications are called "basic predicates".

[Definition 7: External specification: F] "External specification" F
Is a function from the external storage area state set S to S,
S1 ,. . . , SN is a variable (argument), and is composed of a basic function, a basic predicate, an if-then-else clause, and a recursive function definition.

F (s1) = s2 (s1 and s2 are elements of S) means that when this logical unit starts execution from the initial state s1, this logical unit will stop execution sometime and become the final state s2. Is the meaning.

The fact that F (s1) does not exist (s1 is an element of S) means that execution does not stop forever when this logical device starts execution from the initial state s1 (for example, in an infinite loop).

[Definition 8: Realization specification: G] "Realization specification" G
Is a function from the external storage area state set S to S, and G (S1, ... SN) = G0 (S1, ..., SN, t
1 ,. . . , TM). However, G0 is S × T to S
To S1 ,. . . , SN, T1 ,. . . T
With M as a variable (argument), the basic function, basic predicate, and if-t
It is a function composed of a hen-else clause and a recursive function definition.

G is an internal storage area T of the realization specifications of the logic device at the time of initial setting (power-on-reset, etc.)
1 ,. . . TM to t1 ,. . . An initialization function that initializes to tM and activates the implementation specifications, and G0 is a behavior display function that represents the behavior of the implementation specifications as the clock time advances.

G (s1) = s2 (s1 and s2 are elements of S) means that when the logic device starts execution from the initial state s1, it will stop execution sometime and reach the final state s2.

When G (s1) does not exist (s1 is an element of S), it means that the execution does not stop forever when this logical device starts execution from the initial state s1 (for example, in an infinite loop).

[Definition 9: Validity of design of logic device] S,
If F and G are defined as above, then for any element s of S, if either F (s) or G (s) is present, then the other is always present, and F ( The logical unit is defined as correct when s) = G (s).

(4) External Specifications and Design Specifications of Example Computer In (5) and later described below, an example computer of a pipeline control system with three pipeline stages is taken as an example of the verification target of the verification system of this embodiment. Explain.
Here, the external specifications and the design specifications of the verification target example computer will be described. Although simple, the example computer described here reproduces the complexity of an actual pipeline control processor in a compact manner.

(4-1) External Specifications of Example Computer (F) First, the external specifications of the example computer will be described.

FIG. 8 shows an outline of the structure of the example computer 800. The computer 800 is C
It has a PU 802 and a main memory (M) 808 of 256 bytes. The CPU 802 is a program counter (C)
804 and an arithmetic unit having only an increment function (IN
C) 806. Main memory is 0 in 1-byte units
Addressed at ~ 255.

The function of the example computer 800 starts from the value C of the program counter 804 and ends at C + 1, C +.
It is assumed that the data in the main memory 808 having the addresses 2, ... Are sequentially examined, and the data in the main memory 708 having the data as the address are incremented until the data 0 appears. When 0 appears, the example computer 800 stops, and the program counter 804 receives the address +1 where 0 was stored.

FIG. 9 is a description showing the external specifications of the example computer 800 of FIG. 8 using a recursive function. In this embodiment, this description is one of the inputs of the verification system as the external specification data 110. The syntax and semantics of functions are
ure LISP (J.McCarthy, et al. LISP 1.5Programmer'sM
anual.MIT Press, Cambridge, Mass., USA, 1962) ''
It was almost the same as that described in. In this syntax, the target is described using a recursive function definition method using an if statement.

In FIG. 9, 902 is a main function F representing the external specifications. The variable C represents the program counter and the variable M represents the main memory. C and M are programmable
Register (means a register accessible to the programmer.
External storage area).

<C + 1, M> represents a binary set of C + 1 and M. M (a) represents 1-byte memory contents starting from the address a. M [b / a] represents a memory in which 1-byte memory contents starting from the address a are rewritten with b. MM (a) represents an abbreviated description of M (M (a)).

The if statement on the right side represents stop processing, and el
The process after se represents the process when it is not. When the stop condition (M (C) = 0) is satisfied, the value of the programmable register given in the binary group is returned as the value finally obtained. Otherwise, it updates each register to the value corresponding to the next program counter value and calls itself again.

When F is called, F repeats the recursive call as described above, and finally returns the value obtained in the programmable register. Therefore,
When a specific value is set in the programmable register, the function F goes through the above process and finally becomes programmable.
The value obtained in the register will be returned.

(4-2) Design Specifications of Example Computer (G) Next, design specifications of the example computer 800 will be described.

The computer 800 employs a pipeline control method with three pipeline stages, which is used in an actual computer, and an interference (memory conflict) control method between a store and data after it. The memory conflict control provides the execution result of the instruction example such as when the next instruction is started after the processing of the immediately preceding instruction is completely completed.

This pipelined (pipeline control) processor has three pipeline stages. This processor can process three data simultaneously using three stages only when there is no dependency between the data. Therefore, this processor can process a maximum of three instructions (data) at the same time. The actual number of data that can be processed simultaneously depends on the degree of dependency between the data.

FIG. 10 describes the design specifications of the example computer 800 in the form of a logical block configuration diagram. The design specifications of the example computer 800 will be described with reference to FIG.

In FIG. 10, the entire example computer 1000 is controlled by the clock output from the clock generator 1002. The clock starts to be generated when the ON signal becomes "1" and stops when the stop signal becomes "1".

The example computer 1000 includes a main memory 808 and a program counter (C) 804 shown in FIG.
(Hereinafter referred to as C register 804), and arithmetic unit (IN
In addition to Cc) 1018, a register group, a decoder, and a conflict detection circuit, which cannot be set / referenced by the programmer, are provided.

The S register 1008 is a register for holding the data on the memory M read by using the contents of the C register as an address.

The Z register 1012 is a register for holding a value obtained by adding 1 to the data on the memory M read by using the contents of the S register as an address by the arithmetic unit INCc. The contents of the Z register are data to be written in the memory M.

The S2 register 1010 is a register for holding the data stored in the S register one clock before. The content of the S2 register becomes an address when the content of the Z register is written in the memory M as data.

C1 register 1004 and C2 register 1
Reference numeral 006 is a register that holds the contents of the C register one clock before and two clocks before.

1030 is a selector. As shown in Fig. 10, the SEL line values are stop, conf1, conf.
Depending on the value of 0, it is either the value of the INCa line, the value of the C1 register line, the value of the C register line, or the value of the INCb line.

· Conflict / stop condition detection circuit 104
0 detects whether the storage of the preceding data in the memory is a rewriting of the data read by the subsequent processing of the data (memory conflict: M-conflict), and whether the computer is stopped or not. This is a combinational circuit for judging. When a memory conflict is detected is when there is a dependency between data. The read data in which the memory conflict has occurred is discarded. If there are no memory conflicts, this processor will process 3 data simultaneously. If there is a memory conflict, this processor will
It cannot process data at the same time, only 2 to 1 data. The read data in which the memory conflict has occurred is discarded.

The V1 register 1014 checks whether or not valid values are stored in the C1 register and the S register by V2.
The register 1016 is a C2 register, an S2 register and a Z.
It is a register that holds information indicating whether or not a valid value is stored in the register using a value 1 or a value 0, respectively.

The main memory 808 stores 2 in 1 clock.
Data reading and 1 data writing (storing) can be processed. However, when the writing area and the reading area overlap, the writing operation to the main memory 808 is guaranteed, but the reading operation is not guaranteed. In that case, the read operation is guaranteed by the conflict / stop condition detection circuit 10
40 or the like.

The design specifications of the verification target example computer 800 have been described above with reference to FIG. It should be noted that this design specification is just an example of the external specification (FIG. 8) of the example computer 800, and there may be other design specifications. Of course, the present invention is similarly applicable to other design specifications having different numbers of pipeline stages.

The design specifications shown in these figures are suitable for human reference, but not suitable for the verification program to operate as design specification data. Therefore, the design specification data is represented in a format that the verification program can easily operate.

FIG. 13 shows the structure description design specification data 112 of this example computer 800. This is shown in FIG.
It is a description of the design specifications described in Section 2 above using a structure description language, that is, a netlist that is easy for the verification program to operate.

The grammar of the netlist element is shown in FIG.
2 shows the syntax of the netlist. As shown in FIG. 12, the netlist is a list (a list) in which a finite number of netlist elements are arranged and enclosed in parentheses. Netlist elements include registers and combinatorial logic.

In the netlist element representing the register shown in FIG. 11A, the keyword "Register" is at the beginning, and in the following order, the resource name, clock phase, source resource name / output pin number pair, and sink resource name.・ There is a finite list of pairs of input pin numbers.

In the netlist element representing the combinational logic shown in FIG. 11B, first, the keyword "Combinatio
nal-logic ”, and in the following order, a resource name, a finite list of source resource names, output pin numbers, and input parameters, a finite list of sink resource names, input pin numbers, and output parameters, and output parameters as input parameters. There is a finite list of equations represented by.

In the structure description design specification data 112 (FIG. 13) of the example computer 800 described in the netlist format of such a grammar, SEL (103
0), INCa (1032), and C (804) are shown. The rest is omitted, but it can be easily expressed in the above format. Naturally, the design specification expressed in the format of FIG. 9 is equivalent to the design specification expressed in the netlist format (structure description) of FIG.

In the following (5) to (7), the conversion process 202 from the structural description to the RT description shown in FIG. 2, the conversion process 204 from the RT description to the behavioral description 204, and the proof search 210.
Will be sequentially described in detail. First, from the structure description to R
The conversion process 202 to the T description will be described.

(5) Conversion from Structural Description to RT Description Referring again to FIGS. 1 and 2, in the conversion process 202 from the structural description to the RT description, the design specification data 112 (FIG. 13) expressed by the structural description Is converted into design specification data 122 (FIG. 14) expressed by RT description. A known technique may be used for this conversion processing. For example, Dominique D. Borrion
e et al., “Formal Verification of VHDL Descriptions in
the Prevail Environment, ”IEEE Design and Test of
Computers, 1992, pp.42-56. Alternatively, the method described in JP-A-6-215063 may be used. This conversion is an equivalent conversion performed for expressing the design specification in the form of a recursive function.

In FIG. 14, reference numeral 1402 indicates the RT description of the main function G, and 1404 indicates the RT description of the auxiliary function G0.

The main function G is a non-programmable register (meaning a register that cannot be accessed by the programmer; an internal storage area) while leaving a programmable register (meaning a register accessible by the programmer; another name for external storage area). Set an initial value to another name), and the auxiliary function G
Call 0.

When the clock stop condition is satisfied, the auxiliary function G0 returns the value of the programmable register at that time as a value finally obtained, and otherwise updates each register to the value of the next clock time. To call the auxiliary function G0 again. That is, the auxiliary function G0 is
When a specific value is set in the programmable register and the non-programmable register and called, the above recursive call is repeated and the value finally obtained in the programmable register is returned.

Therefore, when a specific value is set in the programmable register, the main function G goes through the above process and finally returns the value obtained in the programmable register.

The main function G is the initialization function described in (3), and the auxiliary function G0 is the behavior display function.

In the RT description of FIG. 14, the updating of the value of each register at each clock time is represented by using the recursive call of the function G0. The updated value of each register at the next clock time is described in one place for each register, so such a description is given here in RT (register tra
nsfer: Register transfer) is called.

(6) Conversion from RT Description to Behavioral Description Next, the conversion processing 204 from the RT description to the behavioral description will be described.

Conversion processing 204 from RT description to behavioral description
Then, the design specification 122 (FIG. 14) expressed by the RT description is converted into the design specification 124 (FIG. 15) expressed by the behavioral description. In this conversion, if there is an if inside the function G0 to be recursively called, a process of moving the if to the outside of the function and simplifying it is repeated until there is no if inside the function G0. That is, since the if statement appears in the argument of the function G0 called recursively on the right side of 1404 in FIG.
These if statements are moved to the outside of the function G0 for simplification processing. As a result, the RT description is equivalently converted into a behavioral description suitable for later proof search.

A publicly known technique may be used for the conversion processing 204. For example, the technique described in the method for verifying a logic device in Japanese Patent Application Laid-Open No. 6-215063 may be used. In this conversion, first, if inside the function is moved to the outside of the function, and then it is simplified and the design specification 124 expressed in the behavioral description is used.
(Fig. 15). The design specification 124 of FIG. 15 expressed by the behavioral description cannot be further simplified, and if is not left inside the function G0. That is, all if conditions are outside the function G0, and the processing operations for each condition are collectively described in one place. Such a description is called a behavioral description here.

Note that such a simplification technique is known, and the details thereof are described in, for example, Boyer and Moore, "A Computati.
onal Logic Handbook ”, 1988, Academic Press.

(7) Proof Search Next, the proof search process 210 will be described.

In the proof search process 210 of FIG. 2, the justification explained in the above (3) is established between the design specification data 124 (FIG. 15) expressed by the behavioral description and the external specification data 110 (FIG. 9). Prove that.

The proof search process 210 is composed of state enumeration 220 by behavioral description, rewriting 222 by memory axiom, abstraction 224, and application 226 of extended recursive induction. Hereinafter, in (7-1) to (7-3),
It will be described in order.

(7-1) G State Listing by Behavior Description and Rewriting by Memory Axiom Next, G state listing 220 by behavior description and rewriting 222 by memory axiom will be described.

The G state enumeration 220 based on the behavioral description and the rewriting 222 based on the memory axiom operate as a pair, and the behavioral description is used to simulate the behavior of the realization specification to enumerate the reachable states. The reachable state and the transition between the states are converted into the G data 232 after rewriting and stored.

First, a method of expressing a state by a conditional expression will be described. However, the following notation is used.

As an example, having registers P and Q, G0
(P, Q) =. . . Consider the design specifications given in. At this time, G0 (R, R + 4) can be regarded as representing the conditional expression Q = P + 4 (P = R, Q = R + 4 minus R). Therefore, it is considered that this notation represents a state that satisfies the above conditional expression.

FIG. 3 is a state list 22 of G according to the behavioral description.
It is a flowchart which shows the procedure of 0. In the rewriting 222 to which the memory axiom of the process 310 is applied in this procedure, the procedure of FIG. 4 is called.

In FIG. 3, first, in process 302, variables are initialized. Variable to be initialized is N, function FIF after rewriting
O, a pre-rewriting function FIFO, and a rewriting waiting list.

Next, in process 304, the pre-rewrite function FI
The functions are extracted from the FO one by one, and the processes 306 to 32 are performed.
Apply 2. Hereinafter, these processes will be described.

First, in process 306, the right side of this function G (initialization function), that is, the definition body (initial value state) of this function G is added to the rewriting waiting list A. Next, in process 308, the behavior description G0 (behavior display function) is applied to enumerate the states. The result is further rewritten by the process 310 by applying the memory axiom. This rewriting is equivalent to simulating the operation of the design specification for only one clock to calculate the next state, and the rewriting result represents the next state.

Here, the term G0 means G0 (a,
b,. . . ) Is a conditional expression that defines the values that the programmable register and the non-programmable register can take, and can also be regarded as a state in which the values of the programmable register and the non-programmable register that are defined by this conditional expression are created.

The rewritten function definition is added to the rewritten function FIFO in the process 312, and each G0 term after the rewriting is
It is added to the rewriting waiting list B in process 314. When rewriting the definition body when rewriting the G0 item, the rewriting result is added immediately after the definition body through the equal sign. When an expression is rewritten via the equal sign immediately after the definition body, this expression is replaced with the rewriting result. Details of rewriting to which the memory axiom is applied will be described later.

Next, in process 316, processes 318 to 322 are performed for each G0 item in the rewriting waiting list B.

First, in process 318, "" GN (C *,
M *) = “G0 term“ C *, M * replaced by C, M ”” is substituted into TEMP. Here, the value of N at this time is used as N of “GN”. G when N = 1
1 and G2 when N = 2.

This operation is performed for G1, G2 ,. . . It is equivalent to defining a state consisting only of programmable register values named.

“C *, M *” in “GN (C *, M *) = this G0 term” means all C + p, M [c / s]. . . [D / t]
P in the form of [c / s]. . . Indicates the smallest value in [d / t]. For example, C * for C, C + 4, C + 8 is C, and C * for C + 4, C + 8, C + 12 is C
It is +4. Also, M, M [c / s], M [c / s]
M * for [d / t] is M, and M [c / s], M
[C / s] [d / t], M [c / s] [d / t] [e /
M * for u] is M [c / s].

In this operation, when there is a state represented by a notation such as G0 (R + 4, R + 8), this is changed to G0 (R + 4, R + 8).
This is equivalent to conversion to (R, R + 4). The conditional expression expressed by the former is P = R + 4 & Q = R + 8, and the conditional expression expressed by the latter is P = R & Q = R + 4, both of which are equivalent to the conditional expression Q = P + 4. Therefore, the two states are also equivalent, and this conversion is an equivalent conversion. The expression after this conversion is called a normal form.

Next, in process 320, it is judged whether or not the next state converted into the normal form has already appeared. That is, it is checked whether or not the next state converted to the normal form (right side of TEMP) is already on the right side of the pre-rewriting function FIFO or the middle side of the post-rewriting function FIFO. The process 322 is performed only when it has not appeared.

In process 322, the next state (GX) converted into the normal form with the name GN is the pre-rewriting function FI.
It is added to FO and 1 is added to the variable N. The function added to the pre-rewriting function FIFO is subjected to the processing of the processing 304 and thereafter. Also, since N is incremented by 1 here, the next state converted to the normal form is new (not already appearing).
Only then will the GN name be updated.

The state enumeration 220 of G (initialization function) by the above-described behavioral description G0 (behavior display function) is simply expressed by expanding the right side of G (initial value state) more and more. This is a process to wash out the condition. This is a state in which the G0 term appears on the way. Expanding and rewriting the G0 term using G0 (behavior display function) means 1
This is equivalent to advancing time by the clock. By expanding the G0 term steadily, all reachable states can be obtained. Since the initial value states include external storage area variables such as C and M, they are not a single state but a group of states. The state represented by the G0 term is not a single state, but indicates a state group defined by the conditional expression represented by the G0 term. Therefore, in the expansion of the G0 term, a plurality of reachable states are required in one expansion.

The reachable state obtained in this way is t
The G0 term in the hen clause and the condition for making a transition to that state are accumulated in the post-rewriting function FIFO in the form of a function definition as an if clause. The left side of the function definition represents the state before the transition.

Next, the rewriting 222 based on the memory axiom will be described.

FIG. 4 is a flowchart showing the processing procedure of the rewriting 222 by the memory axiom. The memory axiom is an abbreviation of "memory data invariant axiom without rewriting" and is represented by the following formula.

S ≠ f → M [c / s] (f) = M (f) where f is a fetch address, s is a store address, and c
Is store data. The meaning of this expression is that "if f and s are different, the memory data at address f after writing c at address s is the same as the memory data at the time of not writing".

Referring to FIG. 4, in rewriting 222 by the memory axiom, first, in process 402, each i on the right side of the behavioral description is processed.
The f-then clause is searched for, and each G0 term is subjected to the processing from step 404 onward.

In process 404, candidates to which the above memory axiom is applied are extracted. That is, M [c / s] and M
It is checked whether or not the element of the form (f) is included. If it is included, the process proceeds to step 406, and if it is not included, the process after step 404 is performed again for the next G0 term.

In step 408, the memory axiom application condition is confirmed. That is, it is checked whether s ≠ f is true. This determination may be performed using a known technique, that is, a known theorem proof program. The theorem proof program is disclosed, for example, in “Proof of a Theorem by Computer” by Chang & Lee (published by Japan Computer Association, 1983).

The process 410 is executed only when true is established in the process 412. In process 414, M (f) is changed to M
Replace with [c / s] (f).

In the process 411, all G0 terms after replacement are examined, and if there is the same G0 term, if-t of the same G0 term is found.
Integrate the hen clause. That is, if-th to be integrated
The en clause is deleted, and instead, the logical sum (or) of all the deleted if conditions is included in the if clause and the same G0 term is set to the
The if-then clause which is included in the n clause is set.

Next, using the description 1502 of the main function G and the description 1504 of the auxiliary function G0 of FIG. 15, the operation of the G state enumeration 220 according to the operation description of FIG. 3 will be specifically described. At this time, the G data after rewriting in FIG. 16 is also referred to.

First, in process 302, variables are initialized,
N = 1, post-rewrite function FIFO = empty, pre-rewrite function FI
FO = G definition 1502, rewriting waiting list = empty.

Next, in process 304, the definition 150 of G is set.
Processes 306 to 322 are performed for 2. First, in process 306, the definition body 1502 of G is added to the rewriting waiting list A. In step 308, the definition body 1502 is applied with the behavioral description 1504 to enumerate the states. The result of rewriting is

[0152]

[Equation 9] G (C, M) = G0 (C, M, 0,0,-,-,-,-,-) = G0 (C + 1, M, 1,0, C,-, M ( C),-,-) (Equation 9) Further, in the process 310, rewriting by the memory axiom 22
2 (FIG. 4) is performed. First, in process 402, the if-then clause on the right side of the description is searched for, and each if-then is searched.
The processing after the processing 404 is applied to the n-th node. However, since there is no if-then clause on the right side of Equation 9, processing 2
22 ends immediately.

By the process 312, the function definition, that is, the whole equation 9 is added to the rewritten FIFO (rewritten G data 232). At this point, only equation 1602 in FIG. 16 is entered. Further, by the processing 314, the G0 term, that is, the expression 9

[0154]

[Equation 10] G0 (C + 1, M, 1,0, C,-, M (C),-,-) (Equation 10) is added to the rewriting waiting list B.

By the process 316, the processes 318 to 322 are performed for each G0 item of the rewriting waiting list, that is, the expression 10.

In the process 318, "" GN (C *, M *)
= Expression in which C * and M * of this term are replaced with C and M, that is, the following Expression 11 is substituted into TEMP. Here, C * is C and M * is M.

[0157]

[Equation 11] G1 (C, M) = G0 (C + 1, M, 1,0, C,-, M (C),-,-) (Equation 11) In process 320, the right side of TEMP, that is, The right side of equation 11 is
Right side of pre-rewrite function FIFO or post-rewrite function FIFO
It is checked whether it is already on the middle side of O. Since it has not appeared, it is added to the pre-rewriting function FIFO.

Since there are no more functions in the rewriting waiting list, the processing of the processings 316 to 322 ends, the processing returns to the processing 304, and the G0 term added to the pre-rewriting function FIFO,
That is, the processes 306 to 322 are performed on the right side of Expression 11. As a result, the rewritten function FIFO is newly added to FIG.
Expression 1604 of is entered, and the pre-rewriting function FIFO is

[0159]

G2 (C, M) = G0 (C + 2, M, 1,1, C + 1, C, M (C + 1), M (C), MM (C) +1) ( Number 12) enters. Processing 306 to 322 for this pre-rewriting function
Is applied.

First, in step 306, the pre-rewrite function FIFO is
Is added to the rewriting waiting list A, and then the process 3 is performed.
At 08, the state is enumerated by applying the expression 12 to the behavioral description 1404. The enumeration result is the following Expression 13. Here, m is an abbreviation for M [MM (C) + 1 / M (C)].

[0161]

[Equation 13] G2 (C, M) = G0 (C + 2, M, 1,1, C + 1, C, M (C + 1), M (C), MM (C) +1) = if M (C) = 0 then <C + 1, M> else if M (C) = M (C + 1) or M (C) = C + 1 then G0 (C + 1, m, 0,0, C + 2, C + 1, M (C + 2), M (C + 1), M (C + 1) +1) else if M (C) = C + 2 then G0 (C + 2, m, 0 , 1, C + 2, C + 1, M (C + 2), M (C + 1), M (C + 1) +1) else G0 (C + 3, m, 1,1, C + 2 , C + 1, M (C + 2), M (C + 1), M (C + 1) +1) .. (Equation 13) In process 310, rewriting 222 by the memory axiom (FIG. 4) is performed. First, in process 402, if on the right side of the description
The -then clause is searched for, and the processing of the processing 404 and the subsequent steps is performed on each if-then clause. In the description of Expression 13, there are four if-then clauses (including the last else clause) on the right side.

In processing 404, M [c / s] and M (f)
Check whether the element of the form is included. First if
Since the -then clause does not include an expression of the form M [c / s], returning to 402, the next second if-then clause is processed.

In the processing 404 again, M [c / s] and M
It is checked whether or not the element of the form (f) is included. Second
In the if-then clause of M [MM / MM] as M [MM / MM]
(C) + 1 / M (C)] is included and M (f) is M
(C + 2), M (C + 1), MM (C + 1) are included.

In process 408, it is checked whether s ≠ f is true. Since the second if-then clause is executed when the first if condition is false and the second if condition is true, then s
Check if f is true. Therefore, M (C) = 0 is false and M (C) = C + 1 or M (C) = M (C + 1)
When is true, it is first checked whether M (C) ≠ C + 2 is true.
If M (C + 1) = C + 2, then M (C) = C +
2 and it cannot be said that M (C) ≠ C + 2 and M (C)
It can be seen that ≠ C + 2 is false. The process returns to 406. This time, when M (C) = 0 is false and M (C) = C + 1 or M (C) = M (C + 1) is true, M (C) ≠ C + 1
Is true, but obviously M (C) ≠ C + 1 is false, and the process returns to 406. This time M (C) = 0 is false and M (C) = C + 1 or M (C) = M (C + 1)
Is true, it is checked whether M (C) ≠ M (C + 1) is true, but this is also obviously false, and as a result, the second if-th
The memory axiom is not applied to the en clause, and the process returns to 402 and the processing is performed on the next third and fourth if-then clauses.

In process 404, M [c / s] and M (f)
Check whether the element of the form is included. Third if
Also in the -then clause, M [MM (C) + as M [c / s]
1 / M (C)] is included, and M (C +
2), M (C + 1), MM (C + 1) are included.
The third if-then clause is executed when the first and second if conditions are false and the third if condition is true, so that the first and second if conditions are false and the third if condition is Is true, it is checked whether s ≠ f is true. Therefore, M (C) = 0, M
(C) = M (C + 1), M (C) = C + 1 is false and M
When (C) = C + 2 is true, M (C) ≠ C + 2 or M
(C) ≠ C + 1 or M (C) ≠ M (C + 1) is examined. Since M (C) = C + 2 is true, M (C) ≠ C + 2 is false, but M (C) = C + 1, M (C) = M (C + 1).
Is false, M (C) ≠ C + 1 and M (C) ≠ M (C + 1)
Is true. The process proceeds to 410, where M (C + 1) is m
In (C + 1), MM (C + 1) is replaced with mM (C + 1). Furthermore, M (C + 1) of mM (C + 1) is m (C +
It is replaced with 1) to be mm (C + 1).

In the fourth if-then clause, M [c / s] is also included.
As M [MM (C) + 1 / M (C)] is included as M (f)
, M (C + 2), M (C + 1), MM (C + 1) are included. The fourth if-then clause is the first and second
And the third if condition are false, it is checked whether s ≠ f is true when the first, second and third if conditions are false. Therefore, M (C) = 0, M (C) = M (C +
1), M (C) = C + 1, and M (C) = C + 2 are all false, M (C) ≠ C + 2 or M (C) ≠ C + 1 or M (C) ≠ M (C + 1) is checked. M from the above conditions
(C) ≠ C + 2 and M (C) ≠ C + 1 and M (C) ≠ M (C
+1) are all true. The process is 410, M (C + 2) is changed to m (C + 2), M (C + 1) is changed to m (C + 1), MM
(C + 1) is replaced with mm (C + 1).

The expressions obtained by the above processing 402 to processing 411 are added to the FIFO after rewriting (G data 232 after rewriting) by processing 312 (equation 160 in FIG. 16).
6).

Further, by the processing 314, the G0 term, that is, the right side of the equation 1506,

[0169]

[Equation 14] G0 (C + 1, m, 0,0, C + 2, C + 1, M (C + 2), M (C + 1), MM (C + 1) +1) (Number 14)

[0170]

[Equation 15] G0 (C + 2, m, 0,1, C + 2, C + 1, M (C + 2), m (C + 1), mm (C + 1) +1) (Number 15)

[0171]

[Equation 16] G0 (C + 3, m, 1,1, C + 2, C + 1, m (C + 2), m (C + 1), mm (C + 1) +1) (Number 16) is added to the rewriting waiting list B.

By the process 316, a process 318 is performed for the first G0 item of the rewriting waiting list B, that is, the equation (14).
~ 322 are applied.

In the process 318, "" GN (C *, M *)
= Equation "C *, M * of this term is replaced by C, M", that is, the following Expression 17 is substituted into TEMP. Here, C * is C and M * is M. m is M [MM (C)
+ 1 / M (C)] and includes the term C, so C
* Is C, not C + 1.

[0174]

G3 (C, M) = G0 (C + 1, m, 0,0, C + 2, C + 1, M (C + 2), M (C + 1), MM (C + 1 ) +1) (Equation 17) In process 320, the right side of TEMP, that is, the right side of Equation 17, is the right side of the pre-rewriting function FIFO or the post-rewriting function FIF.
It is checked whether it is already on the middle side of O. Since the pre-rewrite function FIFO is still empty, the post-rewrite function FIFO is examined. First, the relationship between the middle side of the equation 1502 of the post-rewriting function FIFO and the right side of Expression 17 will be examined. The fifth side of the middle side of Equation 1502
Since the 9 arguments are don't cares and may be arbitrary, the formula 1
Try to transform the right side of 7 as shown in the following Eq.

[0175]

[Equation 18] G0 (C + 1, m, 0,0,-,-,-,-,-) (Equation 18) When Equation 18 is normalized by the same processing as the processing 318, C *
Is C + 1 and M * is m,

[0176]

[Equation 19] G0 (C, M, 0,0,-,-,-,-,-) becomes (Equation 19), and since it is equal to the middle side of the expression 1502, it can be considered that Equation 18 has already occurred, and the process 316 is performed. Return The process proceeds to the next G0 term number 15.

In the process 318, "" GN (C *, M *)
= Equation "C *, M * of this term is replaced by C, M", that is, the following Expression 20 is substituted into TEMP. Here, C * is C and M * is M.

[0178]

[Equation 20] G3 (C, M) = G0 (C + 2, m, 0,1, C + 2, C + 1, M (C + 2), m (C + 1), mm (C + 1 ) +1) (Equation 20) In the process 320, the right side of TEMP, that is, the right side of Equation 20, is the right side of the pre-rewriting function FIFO or the post-rewriting function FIF.
It is checked whether it is already on the middle side of O. The pre-rewrite function FIFO is still empty, and since it has not appeared in the middle side of the post-rewrite function FIFO, the process proceeds to step 322.

In process 322, TEMP is added to the pre-rewriting function FIFO, and the process returns to process 316, and the next G0 term number 16
To process.

In the process 318, C * is C + 1 and M
Since * is m, the following equation 21 is substituted into TEMP.

[0181]

(21) G4 (C, M) = G0 (C + 2, M, 1,1, C + 1, C, M (C + 2), M (C), MM (C) +1) ( (Equation 21) In the process 320, it is checked whether or not the right side of TEMP, that is, the right side of Equation 21 is already on the right side of the pre-rewrite function FIFO or the middle side of the post-rewrite function FIFO. Since it has already appeared on the middle side, the process returns to the process 316. At this time, since the rewriting waiting list B is no longer empty, the process returns to step 304.

Now, the number 20 is registered in the pre-rewriting function FIFO. Processing 306 to processing 322 similar to the above
Applying to Equation 20, the pre-rewrite function FIFO becomes empty,
The G state enumeration 220 based on the behavioral description ends.

At the end, the post-rewrite function FIFO has
232 (FIG. 16) is stored and is used in the next application of extended recursive induction.

(7-2) Abstraction The procedure of abstraction 224 in FIG. 2 will be described with reference to FIG.

First, in the process 502, each term on the right side of each function of the post-rewrite function FIFO is set to the post-rewrite function FIFO.
Replace with "left side = middle side" of the function in O. This replacement allows programmable registers and non-programmable
The G0 term representing the state of the register value is processed 31
.., G1, G2, ... Representing states created by programmable register values only. . . Is replaced by a term. At this time, G1, G2 ,. . . The actual argument of the term represents the conversion applied to the programmable register value. next,
After rewriting, the middle side of each function of the function FIFO is deleted to leave only “left side = right side”.

The result of abstraction of the rewritten G data 232 (FIG. 16) is shown in 234 (FIG. 17). In FIG. 17, it can be seen that the terms on the middle side are deleted and only the terms representing the states created by the programmable register values are described.

(7-3) Application of Extended Recursive Induction Method Next, the procedure of application 226 of the extended recursive induction method of FIG. 2 will be described with reference to FIG.

First, pretreatments 602 and 604 are performed.
In the process 602, first, each G0 term on the right side of each function of the post-rewrite function FIFO is replaced with “left side = middle side” of the function in the post-rewrite function FIFO. With this replacement, the G0 term representing the states of the programmable register and the non-programmable register producing the values G1, G2 ,. . . Is replaced by a term. At this time, G1, G2 ,. . . The actual argument of the term represents the conversion applied to the programmable register value. Next, the rewritten function F
The middle side of each function of the IFO is deleted so that only “left side = right side”. In the deletion of the simple equation in the process 604, the process 602 is executed.
If the result is a simple equality f (x) = g (x), then replace all occurrences of g with f and delete those for which f (x) = f (x). The result of performing the processes 602 and 604 is saved as the G data 606 after the preprocessing for applying the extended recursive induction method. The result of applying the processings 602 and 604 to the post-abstraction G data 234 is as shown in FIG.

Processes 608 to 616 are confirmation of application conditions of the extended recursive induction.

First, in processing 608, processing 6 is performed for each function of the FIFO (606) after pre-application of extended recursive induction.
Apply 10 to 616. In process 610, each i of this function is
Processes 612 to 616 are performed on the f-then clause. In process 612, it is checked whether or not an if clause equivalent to this if clause is included in the if clause of the external specification data. Whether or not there is an equivalence relation can be checked by using a known technique, that is, a theorem proof program or a formal verification technique of equivalence between combinatorial logics. If so, the process proceeds to step 614, and if not, the process proceeds to step 622.

In process 614, it is checked whether the corresponding then clauses are exactly the same except for the recursive function name. If they are equal, the process returns to step 610, and steps 612 to 616 are repeated for the next if-then clause of the function. If they are not equal, the process proceeds to step 616. In process 616, it is checked whether or not the function in the then clause satisfies the new external specification rewritten using the argument of the function. If not satisfied, process 62
Go to 0.

If all the then clauses of all the functions of the pre-processing and post-function FIFO (606) are equivalent to the external specifications in the processing 614 and the processing 616, the proof is successful and the proof is printed as the verification result. (228) is completed.

Next, the processing 616 will be described with reference to FIG. The processing 616 is performed in JP-A-7-65046 and JP-A-6-21506.
This process is unique to this verification method, which is not found in the recursive induction method shown in No. 3.

First, in process 702, the G0 term GN on the right side of the function currently inspected is converted into the preprocessed function FIFO (60
Delete from 6). External specification data t corresponding to GN
Since the equivalence with the function of the hen clause is checked in the processing 616, it is for preventing it from being checked again in the processing 608 to 616. Next, in process 704, the replacement of the dummy argument vector of the external specification function F with the actual argument vector of the then clause of F is set to A. In process 706, from the above dummy argument vector,
Let B be the replacement of GN with an actual argument vector. In the process 708, each element of the dummy argument vector appearing in the external specification function F is combined and replaced by a composite substitution AB ′ (temporary replacement), where B ′ is the inverse replacement of B (that is, replacement of the actual argument vector of GN with the dummy argument of F). The elements of the argument vector are first replaced by the replacement A, and then replaced again by the replacement B), and are replaced by F '.

In process 710, the function G is calculated by using F '.
Process if the if-then clause on the right side of N 712, 71
4,616 are applied. In process 714, as in process 612, the if clause equivalent to this if clause is i of the external specification data F ′.
Check if it is in section f. If there is, it proceeds to processing 714. Otherwise, GN and F'are not equivalent, that is, GN "not satisfies"F'and the entire process 616 ends.

In process 714, similarly to process 614, it is checked whether the corresponding then clauses are exactly the same except for the recursive function name. If they are equal, the process returns to the process 710 and processes 712, 714 and 616 for the next if-then clause of the function.
repeat. If not equal to this then
The process 616 is applied recursively to the corresponding then clauses of the clause and F '. If the then clause satisfies F ′, the process returns to step 710 and the steps 712, 714 and 616 are repeated for the next if-then clause of the function. If not satisfied, GN and F ′ are not equivalent, that is, GN does not satisfy F ′, and the whole process 616 ends.

For all if-then clauses of GN,
If all are equivalent to F ′, GN is “satisfied” with F, and the entire process 616 ends.

The external specification data 110 of FIG. 9 and the extended recursive induction preprocessed G data 606 of FIG.
Comparing in steps 616 to 616, first, the processing 612 gives the expression 18
When a condition having the same condition as the if condition of the first if-then clause of 02 is searched from Formula 902, the first if- of Formula 902 is searched.
The if condition of the then clause is equal with M (C) = 0. Processing 6
Comparing the then clauses in 14, both <C + 1, M
> Is equal. Similarly, when the second, third, and fourth if-then clauses of the expression 1802 are searched from the expression 902 by the processing 612, it is found that they are equal to the if conditions of the second if-then clause of the expression 902, respectively. . In process 614
Comparing the clauses, the arguments of the second and fourth then clauses are exactly the same except for the function name, but the third then clause is G3.
In (C, M), the argument is different from that of F (C + 1, m) in Expression 902. Therefore, the processing proceeds to step 616, and it is checked whether these are equivalent.

First, in process 704, the substitution of the function argument F from the dummy argument vector (C, M) to the actual argument vector (C + 1, m) is set to A. In process 706, B is the replacement of the parameter G3 of the function G3 with the parameter vector C, M. In process 708, the function F is rewritten using the substitutions A and B. In the synthetic substitution AB ′, since the reverse substitution B ′ is the substitution from (C, M) to (C, M), (C, M) to (C +
1, m). When F is rewritten using the synthetic substitution AB ′, the equation 1902 in FIG. 19 is obtained. In the process 710, it is checked that the function G3 (equation 1804) is equivalent to F ′ (equation 1902). In the case of this example, since the expression 1804 and the expression 1902 are completely the same except for the function name, the third then clause of the function G is also equivalent to the function F, and all then clauses are equivalent to F. I know there is.

From the above, it is found that the two are equivalent by the extended recursive induction method, and it is printed as proof success and processed 228.
Proceed to and the proof is completed and all processing is completed.

As described above, when judging the equivalence of the functions in the then clause, the general external specification data and the behavior description design specification data in which the function arguments do not necessarily match can be verified. Verification errors can be prevented.

(8) Modifications (3) to (7) show examples using the function equivalence determination method of the extended recursive induction described in (2-3).
As described in (2), there is a method different from this for functional equivalence determination. In (8), these modified examples will be described.

These modified examples are different from the flow 200 of the verification program in FIG. 2 only in the application 616 of the second extended recursive induction in the application 226 (FIG. 6) of the extended recursive induction. The following is the progress of the process in (7).

The external specification data 110 of FIG. 9 and the extended recursive induction preprocessed G data 606 of FIG.
˜616, the third if-th of Expression 1802
When the en clause is searched from the expression 902 by the processing 612,
It was found to be equal to the if condition of the second if-then clause in equation 902. Comparing the then clauses in process 614, the third then clause is G3 (C, M) and F (C +
1, m) have different arguments. Therefore, process 616
Proceed to to find out that they are equivalent. In the first modification, this equivalence determination is performed by the second extended recursive induction 2 in FIG.
000, and in the second modification, this equivalence determination is performed using the second extended recursive induction 2200 of FIG.

(8-1) Modified Example 1 In modified example 1, the equivalence judgment method described in (2-1) is used. The processing flow will be described with reference to FIG. The processes 702 to 706 and 714 are the same as those of 616.

First, in process 704, the substitution of the function argument F from the dummy argument vector (C, M) to the actual argument vector (C + 1, m) is A. In process 706, B is the replacement of the parameter G3 of the function G3 with the parameter vector C, M. In the process 2008, the function G is generated by using the substitutions A and B.
Rewrite 3. In the synthetic substitution A′B, the reverse substitution A ′ is (C +
Since the substitution from (1, m) to (C, M) and the substitution B are
Since (C, M) is replaced with (C, M), (C + 1,
Substitution of (m) to (C, M). When G3 is rewritten using the synthetic substitution A′B, the equation 2102 in FIG. 21 is obtained. In the process 2010, the function G3 ′ (equation 2102) is F (equation 9).
02) to be equivalent. In this example, Equation 2
Since 102 and the expression 902 are completely the same except for the function name, it can be seen that the third then clause of the above function G is also equivalent to the function F, and all the then clauses are equivalent to F.

(8-2) Modified Example 2 In modified example 2, the equivalence judgment method described in (2-2) is used. The processing flow will be described with reference to FIG. The processes 702 to 706 and 714 are the same as those of 616.

First, in process 704, the substitution of the function argument F from the dummy argument vector (C, M) to the actual argument vector (C + 1, m) is A. In process 706, B is the replacement of the parameter G3 of the function G3 with the parameter vector C, M. In process 2208, the function F is calculated using the substitutions A and B.
And rewrite G3. The rewrite results are Equation 2302 and Equation 2402 in FIGS. 23 and 24, respectively. Process 2210
Then, the function G3 ′ (equation 2402) is F ′ (equation 2302)
Is equivalent to. Also in the case of this example, Equation 240
Since 2 and the expression 2302 are completely the same except for the function name, it can be seen that the third then clause of the above function G is also equivalent to the function F, and all the then clauses are equivalent to F.

[0209]

According to the present invention, by applying the extended recursive induction of the formal verification system, it is possible to prove even when the arguments of the function in the then clause do not always match, and general external specifications and design specifications Can be verified.

[Brief description of drawings]

FIG. 1 is a block diagram of a logic verification system according to an embodiment.

FIG. 2 is a flowchart showing a processing procedure and data flow of a verification program.

FIG. 3 is a flowchart showing a processing procedure for listing G states by a behavioral description.

FIG. 4 is a flowchart showing a processing procedure for rewriting a behavioral description based on a memory axiom.

FIG. 5 is a flowchart showing an abstraction processing procedure.

FIG. 6 is a flowchart showing a processing procedure for applying extended recursive induction.

FIG. 7 is a flowchart showing a processing procedure for applying a second extended recursive induction method.

FIG. 8 is an explanatory diagram of external specifications of the example computer.

FIG. 9 is an explanatory diagram showing external specification data of the example computer.

FIG. 10 is an explanatory diagram of the overall structure of design specifications of an example computer.

FIG. 11 is an explanatory diagram of a netlist element grammar.

FIG. 12 is an explanatory diagram of a netlist grammar.

FIG. 13 is an explanatory diagram showing structure description design specification data of an example computer.

FIG. 14 is an explanatory diagram showing RT description design specification data of an example computer.

FIG. 15 is an explanatory diagram showing behavior description design specification data of the example computer.

FIG. 16 is an explanatory diagram showing G data after rewriting.

FIG. 17 is an explanatory diagram showing post-abstraction G data.

FIG. 18 is an explanatory diagram showing post-processing G data after application of extended recursive induction.

FIG. 19 is an explanatory diagram showing external specification F data after replacement.

FIG. 20 is a flowchart showing a processing procedure of application of a second extended recursive induction method in the modified example 1.

FIG. 21 is an explanatory view showing the design specification G data after replacement in the modified example 1.

FIG. 22 is a flowchart showing a processing procedure for applying a second extended recursive induction method in the second modification.

FIG. 23 is an explanatory diagram showing the external specification F data after replacement in Modification 2.

FIG. 24 is an explanatory diagram showing the design specification G data after replacement in the second modification.

[Explanation of symbols]

100 ... Verification system, 102 ... Keyboard, 104 ...
Display, 106 ... Bus, 108 ... Secondary storage disk, 114 ... CPU, 116 ... Memory, 110 ... External specification data, 112 ... Structural description design specification data, 118 ...
Input program, 120 ... Verification program, 122 ... R
T description design specification data, 124 ... Behavior description design specification data, 126 ... Verification result.

Front Page Continuation (72) Inventor Yuji Onishi 5-20-1 Kamimizuhonmachi, Kodaira-shi, Tokyo Inside Hitate Cho-LS Engineering Co., Ltd.

Claims (9)

[Claims] 1. External specification data in the form of a recursive function that represents the external specifications of a sequential logic device described using externally settable / referenceable components, and external as well as externally settable / referenceable components. Input the realization specification data in the form of a recursive function that represents the realization specification of the sequential logic device described using the constituent elements that cannot be set / referenced from, and the realization specification represented by the realization specification data is the external specification. In the process of sequentially simulating the operation of the sequential logic device by using the realization specification data as to whether or not the external specifications represented by data are satisfied, and in the process of simulating the operation of the sequential logic device, It is determined whether or not the states of the constituent elements used in the description of the implementation specifications are valid, and focusing on the constituent elements in the valid states, the different reachable states of the sequential logic device are set to the recursive function system. Verification of a logical device to be verified using a step of accumulating in a form and a step of proving that the recursive function representing the external specification and the accumulated recursive function system are equivalent by using the extended recursive induction method. In the method, in the proof step, a new recursive function obtained by replacing the recursive function in the accumulated recursive function system with a non-equivalent recursive function is equivalent to the recursive function representing the external specification. A method for verifying a logic device, comprising a proof step. 2. External specification data in the form of a recursive function representing the external specifications of a sequential logic unit described by using externally settable / referenceable components, and not only externally settable / referenceable components Input the realization specification data in the form of a recursive function that represents the realization specification of the sequential logic device described using the constituent elements that cannot be set / referenced from, and the realization specification represented by the realization specification data is the external specification. In the process of sequentially simulating the operation of the sequential logic device by using the realization specification data as to whether or not the external specifications represented by data are satisfied, and in the process of simulating the operation of the sequential logic device, It is determined whether or not the states of the constituent elements used in the description of the implementation specifications are valid, and focusing on the constituent elements in the valid states, the different reachable states of the sequential logic device are set to the recursive function system. Verification of a logical device to be verified using a step of accumulating in a form and a step of proving that the recursive function representing the external specification and the accumulated recursive function system are equivalent by using the extended recursive induction method. In the method, in the above proof step, a non-equivalent recursive function is used to replace a new recursive function that replaces the recursive function representing the external specification with a recursive function in the accumulated recursive function system. A method for verifying a logic device, comprising the step of proving that a new recursive function is equivalent. 3. External specification data in the form of a recursive function representing the external specifications of a sequential logic device described by using externally settable / referenceable components, and external as well as externally settable / referenceable components. Input the realization specification data in the form of a recursive function that represents the realization specification of the sequential logic device described using the constituent elements that cannot be set / referenced from, and the realization specification represented by the realization specification data is the external specification. In the process of sequentially simulating the operation of the sequential logic device by using the realization specification data as to whether or not the external specifications represented by data are satisfied, and in the process of simulating the operation of the sequential logic device, It is determined whether or not the states of the constituent elements used in the description of the implementation specifications are valid, and focusing on the constituent elements in the valid states, the different reachable states of the sequential logic device are set to the recursive function system. Verification of a logical device to be verified using a step of accumulating in a form and a step of proving that the recursive function representing the external specification and the accumulated recursive function system are equivalent by using the extended recursive induction method. In the method, in the proof step, it is proved that the new recursive function obtained by replacing the recursive function representing the external specification with the non-equivalent recursive function and the recursive function in the recursive function system are equivalent. A method for verifying a logic device, comprising: 4. External specification data in the form of a recursive function representing the external specifications of a sequential logic device described using externally settable / referenceable components, and external as well as externally settable / referenceable components. From the implementation specification data in the form of a recursive function that represents the implementation specifications of the sequential logic device having multiple stages that operate in a pipeline and that are described using components that cannot be set / referenced. Whether or not the realization specifications represented by the specification data satisfy the external specifications represented by the external specification data is checked by using the realization specification data to perform a pipeline-like operation of the sequential logic device in each stage. In the step of sequentially simulating and in the process of simulating the operation of the sequential logic device,
When each stage of the pipeline has a component in a valid state, the stage is considered to be busy, and when the stage is not busy, the components belonging to that stage are don't cares, and the components in a valid state are focused. And a step of accumulating all reachable states of the sequential logic unit in the form of a recursive function system, and using the extended recursive induction method, the recursive function representing the external specification and the accumulated recursive function system are In the method of verifying a logic device using the step of proof of equivalence and the proof step, a non-equivalent recursive function is used to replace the recursive function in the accumulated recursive function system. A method of verifying a logic device, comprising the step of proving that a new recursive function and a recursive function representing an external specification are equivalent. 5. External specification data in the form of a recursive function representing the external specifications of a sequential logic device described by using externally settable / referenceable components, and not only externally settable / referenceable components From the implementation specification data in the form of a recursive function that represents the implementation specifications of the sequential logic device having multiple stages that operate in a pipeline and that are described using components that cannot be set / referenced. Whether or not the realization specifications represented by the specification data satisfy the external specifications represented by the external specification data is checked by using the realization specification data to perform a pipeline-like operation of the sequential logic device in each stage. In the step of sequentially simulating and in the process of simulating the operation of the sequential logic device,
When each stage of the pipeline has a component in a valid state, the stage is considered to be busy, and when the stage is not busy, the components belonging to that stage are don't cares, and the components in a valid state are focused. And a step of accumulating all reachable states of the sequential logic unit in the form of a recursive function system, and using the extended recursive induction method, the recursive function representing the external specification and the accumulated recursive function system are In the method of verifying a logic device using the step of proving equality, a new recursive function obtained by replacing the recursive function representing the external specification with the non-equivalent recursive function in the above step , A step of proving that a new recursive function obtained by replacing the recursive function in the accumulated recursive function system is equivalent is provided. Method of verifying logical device. 6. External specification data in the form of a recursive function representing the external specifications of a sequential logic device described by using externally settable / referenceable components, and not only externally settable / referenceable components From the implementation specification data in the form of a recursive function that represents the implementation specifications of the sequential logic device having multiple stages that operate in a pipeline and that are described using components that cannot be set / referenced. Whether or not the realization specifications represented by the specification data satisfy the external specifications represented by the external specification data is checked by using the realization specification data to perform a pipeline-like operation of the sequential logic device in each stage. In the step of sequentially simulating and in the process of simulating the operation of the sequential logic device,
When each stage of the pipeline has a component in a valid state, the stage is considered to be busy, and when the stage is not busy, the components belonging to that stage are don't cares, and the components in a valid state are focused. And a step of accumulating all reachable states of the sequential logic unit in the form of a recursive function system, and using the extended recursive induction method, the recursive function representing the external specification and the accumulated recursive function system are In the method of verifying a logic device using the steps of proof of equivalence, a new recursive function obtained by replacing a recursive function representing an external specification with a non-equivalent recursive function in the above proof step. And a step of proving that the above recursive function in the recursive function system is equivalent to each other, a method for verifying a logic device. 7. External specification data of the sequential logic device represented by a recursive function from an external storage area state set S to S, which is a set of states that can be set in an external storage area that can be set / referenced from the outside, Although it is also represented by a recursive function from the external storage area state set S to S, the above sequential logic device is represented by a recursive function configured by using the state of the internal storage area that cannot be set / referenced from the outside as an argument. Input the realization specification data and determine whether the realization specifications represented by the realization specification data satisfy the external specifications represented by the external specification data. The external specification data indicates the current state of the external storage area. To a next state, which is a recursive function, and is described by a function including one or more predetermined known function symbols and one or more if-then clauses. A recursive function representing a conversion from a current state of a partial storage area and an internal storage area to a next state, the function including one or more predetermined known function symbols and one or more if-then clauses And using the realization specification data, the external storage area in the next state when the if clause appearing in the realization specification data is true from the current state of the external storage area and the internal storage area, and The state of the internal storage area is calculated for each if clause, each of the if clauses is included in the if clause, and the states of the external storage area and the internal storage area in the next state when the if clauses are true are set to the
A calculation which is made up of an if-then clause having as an n clause and is stored as a description representing the conversion from the current state to each state of the external storage area and the internal storage area in the next state when each of the if clauses is true. The calculation / storage step is executed from the storage step and the predetermined initial states of the external storage area and the internal storage area, and subsequently, the external storage area and the internal storage when the if clauses in the calculated next state are true. A step of repeatedly executing the calculation / storing step with each state of the storage area as the current state one after another,
In the calculation / storing step, when the respective states of the external storage area and the internal storage area in the next state when the if clauses are true are calculated, the calculated values are already calculated.
In order to check whether or not it is stored, for each variable that appears in the description that represents the calculated value, find the maximum expression that commonly appears in all expressions that include that variable, and set each of the maximum expressions to the above variable. A description representing the same set of states of the external storage area and the internal storage area represented by the description before the replacement, which is obtained by replacing each of them, is added to the description of the current state already stored in the calculation / storing step. If it is included, and if it is included, the step of stopping the calculation / storing step for the state after the calculated state and the step of canceling all the iterative steps, and each if clause is true from the current state. From the above-mentioned stored descriptions representing the conversion of the external storage area and the internal storage area to the respective states in the next state at The conversion applied to the variable is obtained, and when the above conversion is equivalent to the conversion from the current state of the external storage area group indicated by the external specification data to the next state when the if clause is satisfied. In the method of verifying a logic device that uses the two unequal conversions in the above verification step, the current specification in the realization specification data corresponding to the next state of the above conversion is used. Each if of the new current state that can be created by replacing the state of
For each clause, the above-mentioned stored variables representing the conversion of the external storage area and the internal storage area to the respective states in the next state when the if clause is true are applied to the above-mentioned variable representing the initial value of the external storage area. And then convert it to
When the if clause corresponding to the conversion is satisfied, the step of verifying by comparing whether the conversion from the current state of the external storage area group indicated by the external specification data to the next state is equal, and the step of attempting verification are not equal. In this case, a method for verifying a logic device comprising the step of recursively trying the above steps. 8. External specification data of the sequential logic device represented by a recursive function from an external storage area state set S to S, which is a set of states that can be set in an external storage area that can be set / referenced from the outside, Although it is also represented by a recursive function from the external storage area state set S to S, the above sequential logic device is represented by a recursive function configured by using the state of the internal storage area that cannot be set / referenced from the outside as an argument. Input the realization specification data and determine whether the realization specifications represented by the realization specification data satisfy the external specifications represented by the external specification data. The external specification data indicates the current state of the external storage area. To a next state, which is a recursive function, and is described by a function including one or more predetermined known function symbols and one or more if-then clauses. A recursive function representing a conversion from a current state of a partial storage area and an internal storage area to a next state, the function including one or more predetermined known function symbols and one or more if-then clauses And using the realization specification data, the external storage area in the next state when the if clause appearing in the realization specification data is true from the current state of the external storage area and the internal storage area, and The state of the internal storage area is calculated for each if clause, each of the if clauses is included in the if clause, and the states of the external storage area and the internal storage area in the next state when the if clauses are true are set to the
A calculation which is made up of an if-then clause having as an n clause and is stored as a description representing the conversion from the current state to each state of the external storage area and the internal storage area in the next state when each of the if clauses is true. The calculation / storage step is executed from the storage step and the predetermined initial states of the external storage area and the internal storage area, and subsequently, the external storage area and the internal storage when the if clauses in the calculated next state are true. A step of repeatedly executing the calculation / storing step with each state of the storage area as the current state one after another,
In the calculation / storing step, when the respective states of the external storage area and the internal storage area in the next state when the if clauses are true are calculated, the calculated values are already calculated.
In order to check whether or not it is stored, for each variable that appears in the description representing the calculated value, find the maximum expression that commonly appears in all expressions that include that variable, Obtained by substituting each variable,
The description representing the same set as the set of states of the external storage area and the internal storage area represented by the description before replacement is
It is checked whether or not it is included in the description of the current state already stored in the storing step, and when it is included, the step of stopping the calculation / storing step for the states after the calculated state and the repeating step are all stopped. Sometimes, the initial value of the external storage area is calculated from all the stored descriptions that represent the conversion from the current state to each state of the external storage area and the internal storage area in the next state when each if clause is true. Find the transformation applied to the above variables,
A step of verifying whether the above conversion is equivalent to the conversion from the current state of the external storage area group indicated by the external specification data to the next state when the if clause corresponding to the conversion is established In the method of verifying a logic device that is verified by using and, two new conversions that are not equal in the above verification step are used to replace the current state in the realization specification data corresponding to the next state of the above conversion. Each if of current state
For each clause, the above-mentioned stored variables representing the conversion of the external storage area and the internal storage area to the respective states in the next state when the if clause is true are applied to the above-mentioned variable representing the initial value of the external storage area. And then convert it to
When the if clause corresponding to the above conversion is satisfied, the external storage indicated by the new current state formed by replacing the current state in the external specification data by using two unequal conversions in the above verification step It is characterized in that it comprises a step of verifying by checking whether the conversion from the current state of the region group to the next state is equal, and a step of trying the above step recursively if they are not equal. Logic device verification method. 9. External specification data of the sequential logic device represented by a recursive function from an external storage area state set S to S, which is a set of states that can be set in an external storage area that can be set / referenced externally, Although it is also represented by a recursive function from the external storage area state set S to S, the above sequential logic device is represented by a recursive function configured by using the state of the internal storage area that cannot be set / referenced from the outside as an argument. Input the realization specification data and determine whether the realization specifications represented by the realization specification data satisfy the external specifications represented by the external specification data. The external specification data indicates the current state of the external storage area. To a next state, which is a recursive function, and is described by a function including one or more predetermined known function symbols and one or more if-then clauses. A recursive function representing a conversion from a current state of a partial storage area and an internal storage area to a next state, the function including one or more predetermined known function symbols and one or more if-then clauses And using the realization specification data, the external storage area in the next state when the if clause appearing in the realization specification data is true from the current state of the external storage area and the internal storage area, and The state of the internal storage area is calculated for each if clause, each of the if clauses is included in the if clause, and the states of the external storage area and the internal storage area in the next state when the if clauses are true are set to the
A calculation which is made up of an if-then clause having as an n clause and is stored as a description representing the conversion from the current state to each state of the external storage area and the internal storage area in the next state when each of the if clauses is true. The calculation / storage step is executed from the storage step and the predetermined initial states of the external storage area and the internal storage area, and subsequently, the external storage area and the internal storage when the if clauses in the calculated next state are true. A step of repeatedly executing the calculation / storing step with each state of the storage area as the current state one after another,
In the calculation / storing step, when the respective states of the external storage area and the internal storage area in the next state when the if clauses are true are calculated, the calculated values are already calculated.
In order to check whether or not it is stored, for each variable that appears in the description that represents the calculated value, find the maximum expression that commonly appears in all expressions that include that variable, and set each of the maximum expressions to the above variable. A description representing the same set of states of the external storage area and the internal storage area represented by the description before the replacement, which is obtained by replacing each of them, is added to the description of the current state already stored in the calculation / storing step. If it is included, and if it is included, the step of stopping the calculation / storing step for the state after the calculated state and the step of canceling all the iterative steps, and each if clause is true from the current state. From the above-mentioned stored descriptions representing the conversion of the external storage area and the internal storage area to the respective states in the next state at The conversion applied to the variable is obtained, and when the above conversion is equivalent to the conversion from the current state of the external storage area group indicated by the external specification data to the next state when the if clause is satisfied. In the method for verifying a logic device that uses the two unequal conversions in the verification step, the current specification in the realization specification data corresponding to the next state of the conversion is used. For each if clause of a state, from all the stored descriptions that describe the conversion of the external and internal storage areas to each state in the next state when the if clause is true, the initial value of the external storage area is represented. The conversion applied to the variable is obtained, and when the above conversion and the if clause corresponding to the above conversion are satisfied, the external specification data is obtained by using two conversions that are not equal in the verification step. Of the current state from the current state of the external storage region group indicated a new current state that can be replaced by matching equality and conversion to the next state,
A method of verifying a logic device, comprising: a step of attempting verification; and a step of recursively trying the above step if they are not equal.