## **Symmetry Reduction with STE Model Checking**

Ashish Darbari

Oxford University Computing Lab Oxford

20 Dec 2005



Discover Symmetry – FSM\* Symmetry and STE Reducing models Property Reduction

### Motivation

- Hardware designs have symmetry.
- For circuit designs that have symmetry, we aim to exploit reduction techniques that can make use of the symmetry property, to reduce the size of STE verification task needed for complete verification of that circuit design.

#### Motivation

Discover Symmetry – FSM\* Symmetry and STE Reducing models Property Reduction

### **Motivation**

- Hardware designs have symmetry.
- For circuit designs that have symmetry, we aim to exploit reduction techniques that can make use of the symmetry property, to reduce the size of STE verification task needed for complete verification of that circuit design.

### Motivation

iscover Symmetry – FSM\* ymmetry and STE educing models roperty Reduction

### What we want to achieve?



### Motivation

viscover Symmetry – FSM\* ymmetry and STE deducing models roperty Reduction

## **Proposed solution**



### Motivation

Discover Symmetry – FSM\* Symmetry and STE Reducing models Property Reduction

### In a nutshell

### Two key components

- Discover symmetry
- Do property reduction

### Motivation

Discover Symmetry – FSM\* Symmetry and STE Reducing models Property Reduction

### In a nutshell

### Two key components

- Discover symmetry
- Do property reduction

Motivation
Discover Symmetry – FSM\*
Symmetry and STE
Reducing models
Property Reduction

## **Discover Symmetry**

### **Key issues**

- Structural symmetry
- How to find them?
- What have symmetries in circuits got to do with STE?

Motivation
Discover Symmetry – FSM\*
Symmetry and STE
Reducing models
Property Reduction

# **Discover Symmetry**

### **Key issues**

- Structural symmetry
- How to find them?
- What have symmetries in circuits got to do with STE?

Motivation
Discover Symmetry – FSM\*
Symmetry and STE
Reducing models
Property Reduction

## **Discover Symmetry**

### Key issues

- Structural symmetry
- How to find them?
- What have symmetries in circuits got to do with STE?

# Structural symmetry

- We are interested in the symmetry amongst groups of wires.
   Wires are kept together in a group. Every wire in the group is treated in exactly the same way.
- If such is the case then the input-output behaviour of the circuit remains independent under permutations of its input and output groups of wires. This kind of symmetry is what we refer to as structural symmetry.

## How to find them?

- We want to capture symmetry in the structure of a circuit in its description right at the level of design, which means *structured high-level design via a structured data type*.
- Symmetry discovery then reduces to type checking. This idea by itself is not new — it has been around for a while in the model checking community. But for STE this is the very first time.
- We propose a structured data type of models, a type system for designing symmetric circuits and prove a type soundness theorem that says that if a circuit is well-behaved with respect to the typing rules then it has structural symmetry.

Motivation
Discover Symmetry – FSM\*
Symmetry and STE
Reducing models
Property Reduction

## **Relation of Symmetry with STE**

### Symmetric models and STE

Symmetry in circuit models is mirrored by symmetry in STE properties. We formalise this by a theorem that articulates this connection.

## Going from FSM\* to FSM'



## **Property Reduction – I**

### Two key issues

- We need to figure out the path from STE to STE'
- Verifying STE' and deducing that STE has been done

We present a novel set of inference rules that will help achieve both the above targets. Inference rules can help decompose STE to STE', if used like tactics, and help compose the overall correctness statement when used in the forward direction.

# **Property Reduction – II**

- Symmetry in circuit models lets us partition the decomposed STE properties into equivalence classes.
- We verify only the representatives and conclude that the other members of the same equivalence classes have been verified as well by way of deduction rather than explicit STE verification.

# **Proposed solution revisited**



Issues Structured Models Symmetry and Type Safety

# FSM\*

## **Designing the FSM\***

- design of a type of structured models
- define type checking rules
- keep the design of the type system simple
- prove the type soundness lemma
- figure out the path from FSM\* to FSM'

## **Designing the FSM\***

- design of a type of structured models
- define type checking rules
- keep the design of the type system simple
- prove the type soundness lemma
- figure out the path from FSM\* to FSM'

Issues Structured Models Symmetry and Type Safety

## **Designing the FSM\***

- design of a type of structured models
- define type checking rules
- keep the design of the type system simple
- prove the type soundness lemma
- figure out the path from FSM\* to FSM'

Issues Structured Models Symmetry and Type Safety

## **Designing the FSM\***

- design of a type of structured models
- define type checking rules
- keep the design of the type system simple
- prove the type soundness lemma
- figure out the path from FSM\* to FSM'

## **Designing the FSM\***

- design of a type of structured models
- define type checking rules
- keep the design of the type system simple
- prove the type soundness lemma
- figure out the path from FSM\* to FSM'

type of structured models

- want to model a collection of bit (Boolean) values
- treat them in a special way
- model the collection of values at wires by lists of Boolean value
- if there are several such bundles then we employ a list of Boolean lists modelling the inputs and outputs of circuits
- first argument acts as a placeholder for non-symmetric input bundles and the second argument of the circuit type denotes the symmetric input bundles. The third argument denotes the output bundles.

type of structured models

- want to model a collection of bit (Boolean) values
- treat them in a special way
- model the collection of values at wires by lists of Boolean value
- if there are several such bundles then we employ a list of Boolean lists modelling the inputs and outputs of circuits
- first argument acts as a placeholder for non-symmetric input bundles and the second argument of the circuit type denotes the symmetric input bundles. The third argument denotes the output bundles.

type of structured models

- want to model a collection of bit (Boolean) values
- treat them in a special way
- model the collection of values at wires by lists of Boolean value
- if there are several such bundles then we employ a list of Boolean lists modelling the inputs and outputs of circuits
- first argument acts as a placeholder for non-symmetric input bundles and the second argument of the circuit type denotes the symmetric input bundles. The third argument denotes the output bundles.

type of structured models

- want to model a collection of bit (Boolean) values
- treat them in a special way
- model the collection of values at wires by lists of Boolean value
- if there are several such bundles then we employ a list of Boolean lists modelling the inputs and outputs of circuits
- first argument acts as a placeholder for non-symmetric input bundles and the second argument of the circuit type denotes the symmetric input bundles. The third argument denotes the output bundles.

type of structured models

- want to model a collection of bit (Boolean) values
- treat them in a special way
- model the collection of values at wires by lists of Boolean value
- if there are several such bundles then we employ a list of Boolean lists modelling the inputs and outputs of circuits
- first argument acts as a placeholder for non-symmetric input bundles and the second argument of the circuit type denotes the symmetric input bundles. The third argument denotes the output bundles.

## FSM\* – Some useful functions I

$$\vdash hd \ (h :: t) = h$$

$$\vdash tl \ (h :: t) = t$$

$$\vdash el \ 0 \ l = hd \ l$$

$$\land el \ (n+1) \ l = el \ n \ (tl \ l)$$

$$\vdash append \ [] \ l = l$$

$$\land append \ (x :: l_1) \ l_2 = (x :: (append \ l_1 \ l_2))$$

## FSM\* – Some useful functions II

## FSM\* – Some useful functions III

```
\vdash (drop \ 0 \ l = tl \ l)
\land (drop \ (i+1) \ l = drop \ i \ (tl \ l))
\vdash (take \ 0 \ l = tl \ l)
\land (take \ (i+1) \ (x :: xs) = (x :: (take \ i \ xs)))
\vdash (insert \ elem \ i \ lst = append(take \ i \ lst)(elem :: (drop \ i \ lst)))
```

## FSM\* - Level 0 functional blocks

$$⊢ id = λinp : bool list. inp$$

$$⊢ f ∘ g = (λx. f (g x))$$

$$⊢ (map f [] = [])$$

$$∧ (map f (h :: t) = f h :: map f t)$$

$$⊢ fold f (c : bool list → bool list) =$$

$$λinp. [foldr f (hd (c inp)) (tl (c inp))]$$

## FSM\* – Safe functional blocks

# **FSM\* – The Function Swap**

## FSM\* – Symmetric Functional Blocks

$$\vdash$$
 sym  $c$  =  $\forall inp \ i \ j. \ (c \ (swap \ (i,j) \ inp)$  =  $swap \ (i,j) \ (c \ inp))$ 

### Level 0 safety lemma

$$\vdash \ \forall c. \ safe \ c \supset sym \ c$$

## **FSM\*** – Helper functions

### Buses of equal length

$$\vdash CheckLength \ inp = \\ \forall l. \ l \in inp \supset \forall m. \ m \in inp \\ \supset \exists k. \ (length \ l = k) \land (length \ m = k)$$

### **Associativity and Commutativity**

$$\vdash$$
 comm  $f = \forall xy. f x y = f y x$ 

$$\vdash$$
 assoc  $f = \forall xyz$ .  $f x (f y z) = f (f x y) z$ 

## **Constructing symmetric circuits – Level I**

```
\vdash Null = \lambda inp. []
\vdash Id = \lambda inp : (bool \ list) \ list. \ inp
\vdash (c1 || c2) = \lambda sym. \ if \ CheckLength \ (append \ (c1 \ sym)(c2 \ sym))
then \ append \ (c1 \ sym)(c2 \ sym) \ else \ []
```

 $\vdash$  Fork  $c = \lambda sym$ . append (c sym)(c sym)

## **Constructing symmetric circuits – Level I**

```
\vdash Select \ n \ c = \lambda sym. \ if \ (length(c \ sym) > n) \\ then \ [el \ n \ (c \ sym)] \ else \ []
\vdash Tail \ c = \lambda sym. \ if \ (length(c \ sym)) > 1 \\ then \ tl \ (c \ sym) \ else \ []
\vdash Bitwise \ f \ c = \lambda sym. \ if \ (length(c \ sym) > 0) \\ then \ [foldr \ (map2 \ f)(hd \ (c \ sym))(tl \ (c \ sym))] \\ else \ []
```

## **Typing rules for symmetric circuits – I**

SS Null

SS Id

$$\frac{SS \ c_1}{SS \ (c_1 \circ c_2)}$$

## **Typing rules for symmetric circuits – II**

$$\frac{SS \ c_1}{SS \ (c_1 \parallel c_2)}$$

$$\frac{SS \ c}{SS \ (Fork \ c)}$$

$$\frac{SS \ c}{SS \ (Select \ n \ c)}$$

$$\frac{SS \ c}{SS \ (Tail \ c)}$$

$$\frac{SS \ c}{SS \ (Bitwise \ f \ c)}$$

## **Definition of symmetry**

### Symmetry

Sym 
$$c \triangleq \forall inp. CheckLength inp \supset \forall ij. map(swap(i,j))(c inp) = c (map(swap(i,j)) inp)$$

## **Type Soundness Theorem**

Structurally safe implies symmetry

$$\vdash \forall c. \ SS \ c \supset Sym \ c$$

## Validating circuits

$$\vdash$$
 Validate (c: bool list list  $\rightarrow$  bool list list  $\rightarrow$  bool list list)  
=  $\forall nsym. \ SS \ (c \ nsym)$ 

### Validated circuits have symmetry

 $\vdash \ \forall c. \ Validate \ c \supset \ \forall nsym. \ Sym \ (c \ nsym)$ 

## Adding time to combinational layer

Abstractions of delay elements

### rising edge latch

$$DEL(clk:bool) \stackrel{\triangle}{=} \lambda inp:bool.inp$$

#### active high latch

$$AH(clk:bool) \stackrel{\triangle}{=} \lambda inp:bool.inp$$

Note that structurally they are equivalent, the behaviours are different and these get interpreted for simulation in HOL, by semantic functions.

## FSM\* to FSM'



In a nutshell FSM\*
STE Theory
Symmetry and STE
Reduction methodology
Examples and Case Studies
Related and Future Work

States, sequences and orderings STE Models Syntax and Semantics of STE

# STE Theory

## **States and sequences**

### States and sequences

 $s: string \rightarrow bool \times bool$ 

 $\sigma: \textit{num} \rightarrow \textit{string} \rightarrow \textit{bool} \times \textit{bool}$ 

### Suffix of a sequence

$$\sigma_i \stackrel{\triangle}{=} \lambda t n. \sigma (t+i) n$$

States, sequences and orderings STE Models Syntax and Semantics of STE

## **Information Ordering**



### **Information ordering on states**

$$s_1 \stackrel{.}{\sqsubseteq} s_2 \stackrel{\triangle}{=} \forall n : string. \ s_1 \ n \sqsubseteq s_2 \ n$$

### Information ordering on sequences

$$\sigma_1 \stackrel{..}{\sqsubseteq} \sigma_2 \stackrel{\triangle}{=} \forall t : num. \forall n : string. \ \sigma_1 \ t \ n \sqsubseteq \sigma_2 \ t \ n$$

## Circuit models

### STE Models – Implemented as FSM in Forte

$$\mathcal{M}: (string \rightarrow bool \times bool) \rightarrow (string \rightarrow bool \times bool)$$

### Monotonicity

Monotonic 
$$\mathcal{M} \stackrel{\triangle}{=} \forall s \ s'. \ (s \sqsubseteq s') \supset ((\mathcal{M} \ s) \sqsubseteq (\mathcal{M} \ s'))$$

# **Syntax of STE formulas**

$$\begin{array}{ccc} f \stackrel{\triangle}{=} & n \text{ is } 0 \\ & | n \text{ is } 1 \\ & | f \text{ and } g \\ & | f \text{ when } P \\ & | Nf \end{array}$$

## **Semantics of STE**

where  $\phi \models P$  means the assignment of truth-values given by  $\phi$  satisfies the formula P. The formal definition of  $\phi \models P$  is the usual definition for the semantics of propositional formulas.

# **Defining Sequence**

$$[m \text{ is } 0]^{\phi} t n$$
  $\stackrel{\triangle}{=}$  0 if  $m=n$  and  $t=0$ , otherwise  $X$   $[m \text{ is } 1]^{\phi} t n$   $\stackrel{\triangle}{=}$  1 if  $m=n$  and  $t=0$ , otherwise  $X$   $[f_1 \text{ and } f_2]^{\phi} t n$   $\stackrel{\triangle}{=}$   $([f_1]^{\phi} t n) \sqcup ([f_2]^{\phi} t n)$   $[f \text{ when } P]^{\phi} t n$   $\stackrel{\triangle}{=}$   $[f]^{\phi} t n \text{ if } \phi \models P$ , otherwise  $X$   $[Nf]^{\phi} t n$   $\stackrel{\triangle}{=}$   $[f]^{\phi} (t-1) n \text{ if } t \neq 0$ , otherwise  $X$ 

States, sequences and orderings STE Models Syntax and Semantics of STE

# **Defining Trajectory**

States, sequences and orderings STE Models Syntax and Semantics of STE

## **STE Implementation**

$$\vdash \mathcal{M} \models A \Rightarrow C \equiv \forall t \, n. \, [C]^{\phi} \, t \, n \sqsubseteq [A]]^{\phi} \, \mathcal{M} \, t \, n$$

In a nutshell
FSM\*
STE Theory
Symmetry and STE
Reduction methodology
Examples and Case Studies
Related and Future Work

Symmetry Theory for STE Symmetry Soundness Theorem Relating Symmetries

# Symmetry and STE

## **Symmetry Theory for STE**

Permutation on states

$$apply_s \pi s \stackrel{\triangle}{=} \lambda n. \ s(\pi n)$$

Permutation on sequences

$$apply_{\sigma} \pi \sigma \stackrel{\triangle}{=} \lambda t n. \ \sigma \ t \ (\pi \ n)$$

Property of swap

is\_swap 
$$\pi \stackrel{\triangle}{=} \forall a b. (\pi(a) = b) \supset (\pi(b) = a)$$



# **Symmetry of STE models**

$$Sym_{\chi} \mathcal{M} \pi \stackrel{\triangle}{=} \forall s. \ apply_{s} \pi (\mathcal{M} s) = \mathcal{M} (apply_{s} \pi s)$$

## **Permutation and Sequences**

$$\vdash \ \forall \pi. \ \textit{is\_swap} \ \pi \ \supset \\ \forall \sigma_1 \ \sigma_2. \ (\sigma_1 \ \stackrel{..}{\sqsubseteq} \ \sigma_2 \ \equiv \ (\textit{apply}_{\sigma} \ \pi \ \sigma_1) \ \stackrel{..}{\sqsubseteq} \ (\textit{apply}_{\sigma} \ \pi \ \sigma_2))$$

# **Permutation on Trajectory Formulas**

$$apply_f \pi f \stackrel{\triangle}{=} (\pi n) \text{ is } 0$$

$$\mid (\pi n) \text{ is } 1$$

$$\mid (\pi f) \text{ and } (\pi g)$$

$$\mid (\pi f) \text{ when } P$$

$$\mid \mathbf{N} (\pi f)$$

## **Two Important Lemmas**

### **Defining Sequence Lemma**

$$\forall \pi. \ is\_swap \ \pi \supset \forall \phi f \ t \ n. \ (apply_{\sigma} \pi [f]^{\phi} \ t \ n = [apply_{f} \pi f]^{\phi} \ t \ n)$$

### **Defining Trajectory Lemma**

$$\forall \pi. \ is\_swap \ \pi \supset \\ \forall \mathcal{M}. \ Sym_\chi \ \mathcal{M} \ \pi \supset \\ \forall \phi f \ t \ n. \ (apply_\sigma \ \pi \ [\![f]\!]^\phi \ \mathcal{M} \ t \ n \ = \ [\![apply_f \ \pi f]\!]^\phi \ \mathcal{M} \ t \ n)$$

## **Symmetry Soundness Theorem**

### **Symmetry Soundness Theorem**

$$\forall \vdash \mathcal{M} \pi A C. \text{ is\_swap } \pi \supset Sym_{\chi} \mathcal{M} \pi$$

$$\supset \qquad \qquad \qquad \supset \qquad \qquad \qquad (\mathcal{M} \models A \Rightarrow C \equiv \mathcal{M} \models (apply_f \pi A) \Rightarrow (apply_f \pi C))$$

## FSM\* to FSM'



## FSM\* to FSM'



Symmetry Theory for STE Symmetry Soundness Theorem Relating Symmetries

### flat

$$⊢ flat c nsym sym (sb : string → bool) = c (map (map sb) nsym)(map(map sb) sym)$$

### ckt2netlist

```
\vdash ckt2netlist \ c \ nsym \ sym \ outp \ (s_b: string \to bool) 
= let \ auxflat \ c \ nsym \ sym \ outp \ s_b \ s_b'
= (map(map \ s_b') \ outp) = flat \ c \ nsym \ sym \ s_b
in
auxflat \ c \ nsym \ sym \ outp \ s_b \ s_b'
```

## Drop

### **Dropping Boolean Values**

$$\vdash drop \ F = 0$$
$$\land drop \ T = 1$$

$$\vdash (drop_b [] [] (s : string \rightarrow bool \times bool) n = X)$$

$$\land (drop_b [] \_ s \ n = X)$$

$$\land (drop_b \_ [] \ s \ n = X)$$

$$\land (drop_b \ ((a : string) :: alist) \ (b :: blist) \ s \ n = (if \ (n = a)$$

$$then \ (drop \ b)$$

$$else \ drop_b \ alist \ blist \ s \ n))$$

### bool2STE

```
 \vdash (bool2STE [] [] s n = X) 
 \land (bool2STE [] \_ s n = X) 
 \land (bool2STE \_ [] s n = X) 
 \land (bool2STE (a :: alist) (b :: blist) s n = 
 (drop_b \ a \ b \ s \ n) \ \sqcup \ (bool2STE \ alist \ blist \ s \ n) )
```

### **ABS**

### Generating three-valued models from FSM\*

```
\vdash ABS c nsym sym outp (s_b : string \rightarrow bool) = \lambda s : string \rightarrow bool \times bool. \lambda n.
(let outp1 = flat c nsym sym s_b in (bool2STE outp outp1 s n))
```

Symmetry Theory for STE Symmetry Soundness Theorem Relating Symmetries

## **ABS** generates monotonic models

#### Three valued model is monotonic

 $\vdash \forall c \text{ nsym sym outp } s_b. \text{ Monotonic } (ABS c \text{ nsym sym outp } s_b)$ 

# Relating swap and $\pi$

$$\vdash (pi (i,j) x = \lambda n. if (n = el i x) then (el j x)$$

$$else if (n = el j x)$$

$$then (el i x) else n)$$

$$\vdash (perm (i,j) [x] = pi (i,j) x)$$

$$\land (perm (i,j) (x :: xs) = (pi (i,j) x) \circ perm (i,j) xs)$$

# **Relating** Sym and Sym $_{\chi}$

```
\vdash \forall c. \ \forall s_b \ nsym. \ Sym \ (c \ (map(map \ s_b) \ nsym)) \supset \\ \forall sym. \ CheckLength \ (map(map \ s_b) \ sym) \supset \\ \forall i \ j. \ \forall outp. \\ Sym_{\chi} \ (ABS \ c \ nsym \ sym \ outp \ s_b) \\ (perm \ (i,j) \ (append \ sym \ outp))
```

Philosophy Inference Rules

# Reduction Methodology

# **Reduction Philosophy**

- We present a novel set of inference rules that will help decompose STE to STE', if used like tactics, and help compose the overall correctness statement STE from STE', when used in the forward direction.
- Symmetry in circuit models lets us partition the decomposed STE properties into equivalence classes.
- We verify only the representatives and conclude that the other members of the same equivalence classes have been verified as well by way of deduction rather than explicit STE verification.

### **Inference Rules I**

### Reflexivity

$$\mathcal{M} \models A \Rightarrow A$$

#### Conjunction

$$\frac{\mathcal{M} \models A_1 \Rightarrow B_1 \qquad \mathcal{M} \models A_2 \Rightarrow B_2}{\mathcal{M} \models (A_1 \text{ and } A_2) \Rightarrow (B_1 \text{ and } B_2)}$$

#### **Transitivity**

$$\frac{\mathcal{M} \models A \Rightarrow B \qquad \mathcal{M} \models B \Rightarrow C}{\mathcal{M} \models A \Rightarrow C}$$



### **Inference Rules II**

#### **Constraint Implication 1**

$$\frac{\mathcal{M} \models A \Rightarrow (C \text{ when } G)}{G \supset (\mathcal{M} \models A \Rightarrow C)}$$

#### **Constraint Implication 2**

$$\frac{G \supset (\mathcal{M} \models A \Rightarrow C)}{\mathcal{M} \models A \Rightarrow (C \text{ when } G)}$$

### **Inference Rules III**

Cut

$$\frac{G_1 \supset (\mathcal{M} \models A_1 \Rightarrow B_1) \qquad G_2 \supset (\mathcal{M} \models (B_1 \text{ and } A_2) \Rightarrow C)}{(G_1 \land G_2) \supset (\mathcal{M} \models (A_1 \text{ and } A_2) \Rightarrow C)}$$

#### **Specialised Cut**

$$G_1 \supset (\mathcal{M} \models (A \Rightarrow B)) \qquad G_2 \supset (\mathcal{M} \models (B \Rightarrow C))$$
$$(G_1 \land G_2) \supset (\mathcal{M} \models (A \Rightarrow C))$$



### **Inference Rules IV**

#### **Guard Conjunction**

$$\frac{G_1\supset (\mathcal{M}\models A\Rightarrow C) \qquad G_2\supset (\mathcal{M}\models B\Rightarrow D)}{G_1\land G_2\supset (\mathcal{M}\models (A \text{ and } B)\Rightarrow C \text{ and } D)}$$

#### **Guard Disjunction**

$$G_1 \supset (\mathcal{M} \models A \Rightarrow C) \qquad G_2 \supset (\mathcal{M} \models B \Rightarrow C)$$

$$G_1 \lor G_2 \supset (\mathcal{M} \models (A \text{ and } B) \Rightarrow C)$$

### **Inference Rules V**

#### **Antecedent Strengthening 1**

$$\frac{\mathcal{M} \models A' \Rightarrow C \qquad [A']^{\phi} \sqsubseteq [A]^{\phi}}{\mathcal{M} \models A \Rightarrow C}$$

#### **Antecedent Strengthening 2**

$$\frac{G \supset (\mathcal{M} \models A' \Rightarrow C) \qquad [A']^{\phi} \sqsubseteq [A]^{\phi}}{G \supset (\mathcal{M} \models A \Rightarrow C)}$$

### **Inference Rules VI**

#### **Consequent Weakening 1**

$$\mathcal{M} \models A \Rightarrow C' \qquad [C]^{\phi} \sqsubseteq [C']^{\phi}$$
$$\mathcal{M} \models A \Rightarrow C$$

#### **Consequent Weakening 2**

$$\frac{G \supset \mathcal{M} \models A \Rightarrow C' \qquad [C]^{\phi} \sqsubseteq [C']^{\phi}}{G \supset \mathcal{M} \models A \Rightarrow C}$$

In a nutshell
FSM\*
STE Theory
Symmetry and STE
Reduction methodology
Examples and Case Studies
Related and Future Work

Basic Gates Multiplexer Comparator Random Access Memory (RAM) Content Addressable Memory (CAM)

# **Examples and Case Studies**

### **Examples**

- Gates And, Or, Nand, Xor, Xnor etc.
- Comparator
- Mux
- Steering Circuit
- Random Access Memory (RAM)
- Content Addressable Memory (CAM)
- Other circuits with CAMs

### **Basic gates**

#### Safe functional blocks

#### **Basic circuit blocks**

```
\vdash Inv = map inv

\vdash And = map and

\vdash Or = map or

\vdash Nand = map nand
```

In a nutshell
FSM\*
STE Theory
Symmetry and STE
Reduction methodology
Examples and Case Studies
Related and Future Work

Basic Gates
Multiplexer
Comparator
Random Access Memory (RAM)
Content Addressable Memory (CAM)

#### **Bitwise operations**

$$\vdash bAND = Bitwise (\land) Id$$
  
 $\vdash bOR = Bitwise (\lor) Id$ 

#### 2-to-1 Multiplexer – FSM\*

```
\vdash ctrl\_and inp = map (\land (hd inp))
```

$$\vdash$$
 not\_ctrl\_and inp = map  $(\land (\sim (hd inp)))$ 

$$\vdash$$
 M1 inp =  $(map(ctrl\_and\ inp)) \circ Select\ 0\ Id$ 

$$\vdash$$
 M2 inp = (map(not\_ctrl\_and inp))  $\circ$  Select 1 Id

$$\vdash Auxmux inp = ((M1 inp) || (M2 inp))$$

$$\vdash Mux [clk; ctrl] = (map(map (DEL (hd clk))) \circ Bitwise (\lor) (Auxmux ctrl))$$

#### 2-to-1 Multiplexer – Netlist Term

```
- ckt2netlist Mux [["clk"];["ctrl"]][["a0";"a1"];["b0";"b1"]][["out0";"out1"]] sb sb'

val mux_thm = \( \text{ckt2netlist Mux [["clk"];["ctrl"]]} \\
\[ [["a0";"a1"];["b0";"b1"]] \\
\[ [["out0";"out1"]] sb sb' = \\
(sb' "out0" = DEL (sb "clk")(\( \sigma \) sb "ctrl" \( \sigma \) sb "b0" \( \sigma \) sb "ctrl" \( \sigma \) sb "a0"))
\( \Lambda \)
(sb' "out1" = DEL (sb "clk") ( sb "ctrl" \( \sigma \) sb "b1" \( \sigma \) sb "ctrl" \( \sigma \) sb "a1")) : thm
```

#### 2-to-1 Multiplexer – hol2exlif

- hol2exlif [mux\_thm] "mux" "clock"

### exlif2exe

[ashish@clpc1 ashish] nexlif2exe2 mux.exlif

### **Exlif for Mux**

```
.model testmux .inputs a0 a1 b0 b1
.outputs out0
.expr n18 = ctrl '
.expr n16 = a0 '
.expr n15 = ctrl '
.expr n13 = b0 '
.expr n12 = n18 '
.expr n10 = n15 & n16
.expr n9 = n12 & n13
.expr n5 = n9 + n10
.expr n4 = clk '
.latch n5 out0 re clock
.inputs a0 a1 b0 b1
.outputs out1
.expr n42 = ctrl '
.expr n40 = a1 '
.expr n39 = ctrl '
.expr n37 = b1 '
.expr n36 = n42 '
.expr n34 = n39 & n40
.expr n33 = n36 & n37
.expr n29 = n33 + n34
.expr n28 = clk '
.latch n29 out1 re clock .end
```

### 2-to-1 Multiplexer – STE Model

## **Property verification**

```
Mux \models ("a_0" \text{ is } a_0) \text{ and } ("a_1" \text{ is } a_1) \text{ and } ("a_2" \text{ is } a_2)
\text{ and } ("b_0" \text{ is } b_0) \text{ and } ("b_1" \text{ is } b_1) \text{ and } ("b_2" \text{ is } b_2)
\text{ and } ("ctrl" \text{ is } c) \Rightarrow
(("out_0" \text{ is } a_0) \text{ and } ("out_1" \text{ is } a_1) \text{ and } ("out_2" \text{ is } a_2)) \text{ when } c
\text{ and }
(("out_0" \text{ is } b_0) \text{ and } ("out_1" \text{ is } b_1) \text{ and } ("out_2" \text{ is } b_2)) \text{ when } \bar{c})
```

We shall use STE inference rules to decompose this property into several smaller properties.

## **Verification in the presence of symmetry – I**

Using *Conjunction* on the antecedent and consequent, we get the following goals

- (1)  $Mux \models ("a_0" \text{ is } a_0) \text{ and } ("b_0" \text{ is } b_0) \text{ and } ("ctrl" \text{ is } c)$  $\Rightarrow (("out_0" \text{ is } a_0) \text{ when } c) \text{ and } (("out_0" \text{ is } b_0) \text{ when } \overline{c})$
- (2)  $Mux \models ("a_1" \text{ is } a_1) \text{ and } ("b_1" \text{ is } b_1) \text{ and } ("ctrl" \text{ is } c) \Rightarrow (("out_1" \text{ is } a_1) \text{ when } c) \text{ and } (("out_1" \text{ is } b_1) \text{ when } \bar{c})$
- (3)  $Mux \models ("a_2" \text{ is } a_2) \text{ and } ("b_2" \text{ is } b_2) \text{ and } ("ctrl" \text{ is } c) \Rightarrow (("out_2" \text{ is } a_2) \text{ when } c) \text{ and } (("out_2" \text{ is } b_2) \text{ when } \bar{c})$



### **Verification in the presence of symmetry – II**

We do an STE run to verify (1). Mux exhibits symmetry - exchange the first line with the second, and the first with the third, and  $Sym_\chi$  Mux  $\pi$  holds, therefore by using Symmetry Soundness Theorem we can conclude that (2) and (3) are verified as well.

#### Gist

Thus verifying an n-bit 2-to-1 mux entails verifying a 1-bit mux using only two symbolic variables, and by way of using symmetry arguments, and inference rules, we can conclude that the n-bit mux is verified as well. In general verifying an m-to-1 Mux with n-bit wide input buses will require m distinct symbolic variables for input buses and  $\log m$  variable for selecting one of the m inputs.

### Comparator

#### FSM\*

```
\vdash xnor \ a \ b = (a \land b) \lor (\sim a \land \sim b)
\vdash Comp [[ck]] = let \ comp1 = Bitwise \ xnor \ Id \ in map(map(DEL \ ck)) \circ And \circ comp1
```

# **Property Reduction**

$$Comp \models ("a_0" \text{ is } a_0) \text{ and } ("b_0" \text{ is } b_0) \text{ and } ("a_1" \text{ is } a_1) \text{ and } ("b_1" \text{ is } b_1) \Rightarrow ("out" \text{ is } 1) \text{ when } ((a_0 = b_0) \land (a_1 = b_1)) \text{ and } ("out" \text{ is } 0) \text{ when } (\sim (a_0 = b_0) \lor (\sim (a_1 = b_1)))$$

### Verification in the presence of symmetry – I

### **Equality**

$$Comp \models ("a_0" \text{ is } a_0) \text{ and } ("b_0" \text{ is } b_0) \text{ and } ("a_1" \text{ is } a_1) \text{ and } ("b_1" \text{ is } b_1) \\ \Rightarrow ("out" \text{ is } 1) \text{ when } ((a_0 = b_0) \land (a_1 = b_1))$$

#### Inequality

$$\begin{array}{lll} \textit{Comp} & \models & ("a_0" \text{ is } a_0) \text{ and } ("b_0" \text{ is } b_0) \text{ and } \\ & & ("a_1" \text{ is } a_1) \text{ and } ("b_1" \text{ is } b_1) \\ & \Rightarrow ("\textit{out"} \text{ is } 0) \text{ when } (\sim (a_0 = b_0) \vee (\sim (a_1 = b_1))) \end{array}$$

## Verification in the presence of symmetry – Equality

The goal is to show that

```
Comp \models ("a_0" \text{ is } a_0) \text{ and } ("b_0" \text{ is } b_0) \text{ and } ("a_1" \text{ is } a_1) \text{ and } ("b_1" \text{ is } b_1) 
\Rightarrow ("out" \text{ is } 1) \text{ when } ((a_0 = b_0) \land (a_1 = b_1))
let \ B_0 = ("I_0" \text{ is } 1)
let \ B_1 = ("I_1" \text{ is } 1)
let \ A_0 = ("a_0" \text{ is } a_0) \text{ and } ("b_0" \text{ is } b_0)
let \ A_1 = ("a_1" \text{ is } a_1) \text{ and } ("b_1" \text{ is } b_1)
let \ G_0 = (a_0 = b_0)
let \ G_1 = (a_1 = b_1)
let \ C = "out" \text{ is } 1
```

## Verification in the presence of symmetry – Equality

$$Comp \models A_0 \Rightarrow (B_0 \text{ when } G_0)$$
 (STE run)  
 $Comp \models A_1 \Rightarrow (B_1 \text{ when } G_1)$  (Symmetry)  
 $G_0 \supset (Comp \models A_0 \Rightarrow B_0)$  (Constraint Implication 1)  
 $G_1 \supset (Comp \models A_1 \Rightarrow B_1)$  (Constraint Implication 1)

## Verification in the presence of symmetry – Equality

$$(G_0 \wedge G_1) \supset (Comp \models (A_0 \text{ and } A_1) \Rightarrow (B_0 \text{ and } B_1))$$

$$Comp \models (B_0 \text{ and } B_1) \Rightarrow C$$

By Specialised Cut we get

$$(G_0 \land G_1) \supset (Comp \models A_0 \text{ and } A_1 \Rightarrow C)$$

By Constraint Implication 2 we get

$$Comp \models (A_0 \text{ and } A_1) \Rightarrow (C \text{ when } (G_0 \land G_1))$$



# Verification in the presence of symmetry – Equality

Replacing the values of  $A_0, A_1, C, G_0$  and  $G_1$  we get

$$Comp \models ("a_0" \text{ is } a_0) \text{ and } ("b_0" \text{ is } b_0) \text{ and } ("a_1" \text{ is } a_1) \text{ and } ("b_1" \text{ is } b_1) \\ \Rightarrow ("out" \text{ is } 1) \text{ when } ((a_0 = b_0) \land (a_1 = b_1))$$

## Verification in the presence of symmetry – Inequality

$$Comp \models ("a_0" \text{ is } a_0) \text{ and } ("b_0" \text{ is } b_0) \text{ and } ("a_1" \text{ is } a_1) \text{ and } ("b_1" \text{ is } b_1) \\ \Rightarrow ("out" \text{ is } 0) \text{ when } (\sim (a_0 = b_0) \lor (\sim (a_1 = b_1)))$$

$$let \ A = ("a_0" \text{ is } a_0) \text{ and } ("b_0" \text{ is } b_0) \text{ and } ("a_1" \text{ is } a_1) \text{ and } ("b_1" \text{ is } b_1)$$

$$let \ A_0 = ("a_0" \text{ is } a_0) \text{ and } ("b_0" \text{ is } b_0) \text{ let } A_1 = ("a_1" \text{ is } a_1) \text{ and } ("b_1" \text{ is } b_1)$$

$$let \ C = ("out" \text{ is } 0)$$

$$let \ G_0 = \sim (a_0 = b_0)$$

$$let \ G_1 = \sim (a_1 = b_1)$$

# **Verification in the presence of symmetry – Inequality**

$$Comp \models A_0 \Rightarrow C \text{ when } G_0 \quad (STE \, run)$$
 $Comp \models A_1 \Rightarrow C \text{ when } G_1 \quad (Symmetry)$ 
 $G_0 \supset (Comp \models A_0 \Rightarrow C) \quad (Constraint \, Implication \, 1)$ 
 $G_1 \supset (Comp \models A_1 \Rightarrow C) \quad (Constraint \, Implication \, 1)$ 
 $G_0 \lor G_1 \supset (Comp \models ((A_0 \text{ and } A_1) \Rightarrow C))(Constraint \, Disjunction)$ 
 $Comp \models (A_0 \text{ and } A_1) \Rightarrow C \text{ when } (G_0 \lor G_1) \quad (Constraint \, Implication \, 2)$ 

**Basic Gates** 

### Verification in the presence of symmetry – Inequality

Replacing values we get

$$Comp \models ("a_0" \text{ is } a_0) \text{ and } ("b_0" \text{ is } b_0) \text{ and } ("a_1" \text{ is } a_1) \text{ and } ("b_1" \text{ is } b_1)$$

$$\Rightarrow ("out" \text{ is } 0) \text{ when } (\sim(a_0 = b_0) \lor (\sim(a_1 = b_1)))$$

#### Gist

We can verify an n-bit comparator requires only two variables instead of 2n. Therefore the BDDs that get built stay really small.



#### RAM – FSM\*

```
⊢ CTRL_AND inp = MAP (∧ (HD inp)) o id
//for a given addr line does the and with all the data bits
⊢ (NBITS [] = NULL)
\land (NBITS ([]::xs) = NULL)
A (NBITS [a::addr_list] =
let n = (LENGTH (a::addr_list) - 1) in
(NBITS [addr_list]) || (MAP (CTRL_AND [a]) o (SELECT n ID)))
\land (NBITS ((x::y)::xs) = NULL)
//one line of memory --n bits
⊢ oneline [[rw]] [[addr]] =
MAP (CTRL_AND [addr]) o (MAP (CTRL_AND [rw])) o
(MAP (MAP (AH ( rw)))) o NBITS [[addr]]
//generate n lines
⊢ (NLineMem en [[]] = NULL)
\land (NLineMem en [(x::xs)] =
let n = (LENGTH (x::xs) - 1) in
(((oneline en [[x]]) o (SELECT n ID)) || (NLineMem en [xs])))
// m X n memory
⊢ memorv en addr =
(BITWISE V ID) o (NLineMem en addr)
```

### RAM – Memory Lines as seen in Forte I



### RAM – Memory Lines as seen in Forte II



### RAM - Memory Lines as seen in Forte III





```
//A0 \Rightarrow B0 (by STE run)
STE "-s -w" memory [] (A0 and D0 and en) B0 trace

// output of the 0th bit
let C0 = ("out0" is ((addr0 \land d00) \lor (addr1 \land d10))) from 1 to 2

//B0 \Rightarrow C0 (by STE run)
STE "-s -w" memory [] B0 C0 trace

// Specialised Cut
STE "-s -w" memory [] (A0 and D0 and en) C0 trace
```

**Basic Gates** 

```
// Now for the second column.
// of course we never do this but infer from Symmetry
pi = "d00" \rightarrow "d01",
    "d10" → "d11",
    "n5" \rightarrow "n56",
    "n4" \sim "n55".
    "out 0" ~ "out 1"
let A1 = (("addr0" is addr0) and ("addr1" is addr1)) from 0 to 5
let D1 = (("d01" is d01) and ("d11" is d11)) from 0 to 1
let B1 = (("n55" is (addr0 \land d01)) from 1 to 2) and
          (("n56" is (addr1 ∧ d11)) from 1 to 2)
//A1 ⇒ B1 (by STE run)
STE "-s -w" memory [] (A1 and D1 and en) B1 trace
// output of the 1st bit
let C1 = ("out1" is ((addr0 \wedge d01) \vee (addr1 \wedge d11))) from 1 to 2
//B1 ⇒ C1 (by STE run)
STE "-s -w" memory [] B1 C1 trace
```

```
// Specialised Cut
STE "-s -w" memory [] (A1 and D1 and en) C1 trace

//STE Conjunction
STE "-s -w" memory [] (A0 and A1 and D0 and D1 and en) (C0 and C1) trace

// Antecedent Weakening
STE "-s -w" memory [] (A0 and D0 and D1 and en) (C0 and C1) trace
```

# RAM - Our memory requirement I



# RAM – Our memory requirement II



# **RAM – Our memory requirement III**

|                   |               | 0.1. )           |                            |
|-------------------|---------------|------------------|----------------------------|
| width of addr bus | address lines | memory sz (bits) | variables reqd             |
|                   |               | data=32 bits     | (symmetry + symb indexing) |
| 1                 | 2             | 64               | 2                          |
| 2                 | 4             | 128              | 4                          |
| 3                 | 8             | 256              | 6                          |
| 4                 | 16            | 512              | 8                          |
| 5                 | 32            | 1k               | 10                         |
| 6                 | 64            | 2k               | 12                         |
| 7                 | 128           | 4k               | 14                         |
| 8                 | 256           | 8k               | 16                         |
| 9                 | 512           | 16k              | 18                         |
| 10                | 1k            | 32k              | 20                         |
| 11                | 2k            | 64k              | 22                         |
| 12                | 4k            | 128k             | 24                         |
| 13                | 8k            | 256k             | 26                         |
| 14                | 16k           | 512k             | 28                         |
| 15                | 32k           | 1M               | 30                         |
| 16                | 64k           | 2M               | 32                         |

## Pandey's RAM Verification



### Pandey's RAM Verification versus Us

#### Pandey's method

- Even though the verification memory requirment seems to scale nearly linearly.
- Substantial time and memory is used in isomorphism checks.
- Computing reduced models by using symmetry, costing substantial extra time and memory (see page 76-78 of Pandey's thesis).
- Heuristics employed for symmetry detection in SRAM may not be useful for symmetry detection for other circuits for example a CAM.

#### Our method

- Our requirement for symbolic variables is independent of the size of data bits, it only depends on the number of address lines.
- Our type checking is independent of the size of the RAM, and the type checking takes about a second.
- Type checking and a structured ADT gives us a general method of circuit design and verification.



### CAM - FSM\*

### CAM - FSM\*

### **CAM – Towards the Netlist**

```
val cam_thm = \( \text{ckt2netlist cam [["tagen"]; ["dataen"];} \)
                     ["Tag[0]"; "Tag[1]"];
                     ["t0[0]";"t0[1]"];
                     ["t1[0]";"t1[1]"]]
                    [["d0[0]";"d0[1]"];
                     ["d1[0]";"d1[1]"]]
                    [["out[0]";"out[1]"]] sb sb'
val hit_thm = \( \text{ckt2netlist (hit 2) [["tagen"]]}\)
                [["Tag[0]"; "Tag[1]"];
                 ["t0[0]";"t0[1]"];
                 ["t1[0]";"t1[1]"]] [["hit"]] sb sb'
```

### hol2exlif

- hol2exlif [cam\_thm, hit\_thm] "cam" "";

### exlif2exe

[ashish@clpc1 ashish] nexlif2exe2 cam.exlif

## **Property Reduction – Initialising values**

```
//initialising variables
//data stored in both the lines
let d00 = variable "d0[0]";
let d01 = variable "d0[1]";
let d10 = variable "d1[0]";
let d11 = variable "d1[1]":
//tags stored in the lines
let t00 = variable "t0[0]";
let t01 = variable "t0[1]";
let t10 = variable "t1[0]";
let t11 = variable "t1[1]":
//input tags
let Tag0 = variable "Tag[0]";
let Tag1 = variable "Tag[1]";
//read enabled and incoming tag takes on symbolic values
let base_ant = ((("Tag[0]" is Tag0) and ("Tag[1]" is Tag1)) from 0 to 2)
                 and ("tagen" is F from 0 to 1) and ("tagen" is T from 1 to 2)
                 and ("dataen" is F from 0 to 1) and ("dataen" is T from 1 to 2);;
```

## **Property Reduction – Initialising values**

```
//populate the tags in the first line
let A0_0 = ((("T0[0]" is t10) and ("T0[1]" is t11)) from 0 to 1) and base_ant;
//populate the data in the first line
let A0_1 = ((("d0[0]" is d10) and ("d0[1]" is d11)) from 0 to 1) and base_ant;
//populate the tags in the second line
let A1_0 = ((("T1[0]" is t10) and ("T1[1]" is t11)) from 0 to 1) and base_ant;
//populate the data in the second line
let A1.1 = ((("d1[0]" is d10) and ("d1[1]" is d11)) from 0 to 1) and base_ant;
let A0 = A0_0 and A0_1:
let A1 = A1_0 and A1_1;
//data stored at the first line appears at the output
let C0 = (("out[0]" is d00) and ("out[1]" is d01)) from 1 to 2;
//data stored at the second line appears at the output
let C1 = (("out[0]" is d10) and ("out[1]" is d11)) from 1 to 2;
```

## **Property Reduction – Initialising values**

```
//incoming tags match the tags stored at the first line
let G0 = (Tag0 = t00) \land (Tag1 = t01);
//incoming tags match the tags stored at the second line
let G1 = (Tag0 = t10) \land (Tag1 = t11);
//incoming tags don't match the tags stored at the first line
let nG0 = NOT G0:
//incoming tags don't match the tags stored at the second line
let nG1 = NOT G1;
//hit[0] is 0
let B0_0 = "hit[0]" is F from 1 to 2;
//hit[0] is 1
let B0_{-1} = "hit[0]" is T from 1 to 2:
//hit[1] is 0
let B1_0 = "hit[1]" is F from 1 to 2;
//hit[1] is 1
let B1_1 = "hit[1]" is T from 1 to 2;
```

## **Property Reduction – CAM read**

#### Correct Data is read I

```
let trace = map (\lambdan.n,0,2) (nodes cam.fsm);

//By STE run, using the comparator verification strategy as in inequality case using only two variables for tag comparison nGO \supset (STE "-s -w" cam.fsm [] A0.0 B0.0 trace);

//Using Antecedent Strengthening nGO \supset (STE "-s -w" cam.fsm [] (A0.0 and A0.1) B0.0 trace);

//But (A0.0 and A0.1) = A0, so we have nGO \supset (STE "-s -w" cam.fsm A0 B0.0) (1)

//Now we shall show how to deduce the correctness property G1 \supset (STE "-s -w" cam.fsm [] (B0.0 and A1) C1 trace);
```

## **Property Reduction – CAM read**

#### Correct Data is read I

```
//comparator verification strategy,
//using only variables for the tag of the second line
G1 \( \) (STE "-s -w" cam [] Al_0 Bl_1 trace); (2)

// STE run using only one data variable, and using symmetry of the data bus to deduce
(STE "-s -w" cam [] (Bl_1 and (Al_1 and B0_0)) C1 trace); (3)

//Using Cut on (2) and (3) we get
G1 \( \) (STE "-s -w" cam [] (B0_0 and Al_0 and Al_1) C1 trace); (4)

//But Al_0 and Al_1 = Al, therefore
G1 \( \) (STE "-s -w" cam [] (B0_0 and Al) C1 trace); (5)

//By Guard Conjunction and the Cut Rule on (1) and (5), we can deduce
(nG0 \( \) G1) \( \) (STE "-s -w" cam_fsm [] (A0 and Al) C1 trace);

//By Constraint Implication 2, we can deduce
(STE "-s -w" cam_fsm [] (A0 and Al) (C1 when (nG0 \( \) G1)) trace);
```

In a nutshell
FSM\*
STE Theory
Symmetry and STE
Reduction methodology
Examples and Case Studies
Related and Future Work

Multiplexer Comparator Random Access Memory (RAM) Content Addressable Memory (CAM)

## **Property Reduction – CAM read**

### Correct Data is read II

```
//By repeating the same strategy for the second CAM line (STE "-s -w" cam.fsm [] (A0 and A1)(C0 when (nG1 \land G0)) trace);
```

## **Property Reduction - Correct Data Read**

### Overall correctness assertion

```
//By STE Conjunction
(STE "-s -w" cam.fsm [] (AO and A1) ((CO when (nG1 \( \Lambda \) 0)) and
(C1 when (nG0 \( \Lambda \) G1))) trace);
```

## **Property Reduction – Hit Logic**

### Hit rises if there is a match

```
//hit is 1
let C = "hit" is T from 1 to 2;

//hit is 1 if the tags match at the first line
// STE run uses only two variables, comparator reduction strategy
GO \( \subseteq (STE "-s -w" cam_fsm [] AO C trace);

//hit is 1 if the tags match at the second line
// STE run uses only two variables, comparator reduction strategy
G1 \( \subseteq (STE "-s -w" cam_fsm [] Al C trace);

//By Guard Disjunction we conclude
(GO V G1) \( \subseteq (STE "-s -w" cam_fsm [] (AO and Al) C trace);
```

### Hit stays low of there is no match

```
//hit[0] is 0
let hit0 = "hit0" is F from 1 to 2;
//hit[1] is 0
let hit1 = "hit1" is F from 1 to 2;
//hit is 0
let C = "hit" is F from 0 to 2:
//By STE run using only two variables, comparator verification strategy
nG0 ⊃ (STE "-s -w" cam_fsm [] A0 hit0 trace);
//By STE run using only two variables, comparator verification strategy
nG1 ) (STE "-s -w" cam_fsm [] A1 hit1 trace);
//By Guard Conjunction
(nG0 ∧ nG1) ⊃ (STE"-s -w" cam_fsm [](A0 and A1) (hit0 and hit1) trace);
//By STE run
(STE "-s -w" cam_fsm [] (hit0 and hit1) C trace);
//Applying the Specialised Cut we conclude
(nG0 ∧ nG1) ⊃ (STE "-s -w" cam_fsm [] (A0 and A1) C trace);
```

## Our memory and time requirement

#### Gist - Correct Data Read

For a CAM with n lines and tag width t and data width d, we need to use only two variables at any one time for tag comparison and one variable for data bit to verify the correct data read property. The space complexity is reduced from n\*(t+d)+t to 3.

The time complexity is linear with respect to the number of CAM lines.

### Gist - Hit Logic

For verifying the hit logic, we need only two variables at any point of time, for any number of CAM lines, tag entries and data entries! The time complexity is linear with respect to the number of CAM lines.



## Pandey's CAM verification

### Pandey's CAM verification

- Pandey's CAM encoding requires  $\log_2 n + n * \log_2 t + t + d$  variables for verification of data read and hit logic. Symmetry is not used at all, only symbolic indexing used.
- For a 64 line CAM with 32 bit tags and 32 bit data, he would need 6+(64\*5)+32+32=390 variables whereas we would need 3 for correct data read property and 2 for the hit logic.

## **CAM – BDD Variables Required wrt CAM size**



## **CAM – BDD Variables Required wrt tag size**



Tag Size for n=4, d=4

## CAM - BDD Variables Required wrt data size



### **Related Work**

### Symmetry in Model Checking

- Pandey and Bryant Verification of memory arrays
- Ip and Dill, Ken McMillan Scalarsets in Murphi and SMV
- Sistla, Emerson and Jha Symmetry and model checking
- Sistla Symmetry based model checker
- Bill Roscoe, Ranko Lazic, Tom Newcomb Data independence

#### Designing structured models

- Mary Sheeran, Wayne Luk Ruby
- Mary Sheeran, Satnam Singh et.al. Lava
- O' Donnell Netlist generator from functional language
- Chavan, Woo Min and Shiu-Kai Chin HOL2GDT Designig a mulitplier chip from specifications in HOL
- Tom Melham Mini-Lava in reFLect



### **Conclusions and Future Work**

- Dealing with other kinds of structural symmetry perhaps more richer type of structured models is needed.
- Data symmetry and temporal symmetry.
- Feedback is not implemented at present.
- Lists are not the most appropriate data structure.