Conditioned Slicing for Efficient Multiway Decision Graphs Model-Checker

Integrating formal verification techniques into the hardware design process provides the means to rigorously prove critical properties. However, most automatic verification techniques, such as model checking, are only effectively applicable to designs of limited sizes due to the state explosion problem. The Multiway Decision Graphs (MDG) method is an efficient method to define hardware designs into more abstract environments; however, the MDG model checker (MDG-MC) still suffers from the state explosion problem. Furthermore, all the backward reduction algorithms cannot be used in MDG, due to the presence of abstract state variables. In this study, an efficient extractor for MDG Hardware Descrpiton Languge (MDG-HDL) is introduced based on static (SS-MDG) and conditioned (CS-MDG) program slicing techniques. The techniques can obtain a chaining slice for given signals of interest. The main advantages of these techniques are: It has no MDG-HDL coding style limitation, it is accurate and it is competent in dealing with various MDG-HDL constructions. The main motivation for introducing this approach is to tackle the state explosion problem of MDG-MC that big MDG-HDL may cause. We apply our proposed techniques on different MDG-HDL designs and our analyses have shown that the proposed reduction techniques resulted in significantly improved performance of the MDG-MC. In this study, we present a general idea of program slicing, a discussion of how to slice MDG-HDL programs, implementation of the tool and a brief overview of some applications and experimental results. The underlying method and the tool based on it need to be empirically evaluated when applying to various applications.


INTRODUCTION
Nowadays, designers use Hardware Description Languages (HDLs) ) (Samat et al., 2011) to describe hardware designs at different levels, from high level of abstraction to low level circuits.One of the main advantages of using HDLs is that they can be formally verified to ensure the correctness of the designs at the different levels.However, as the complexity of modern circuit designs increase, verification of these designs has become the main bottleneck in the whole design process (Wang et al., 2009;Perry and Foster, 2005).
One of the interesting HDLs is the HDL of Multiway Decision Graphs (MDG-HDL) (Corella et al., 1997;Xu, 1999;Xu et al., 1998;Zhou et al., 1994;Zhou and Boulerice, 1996).The method of Multiway Decision Graphs (MDG) is efficient in representing a design with a large data-path, where the Reduced Order Binary Decision Diagram (ROBDD) (Aziz et al., 1994;Bryant, 1992) is less efficient.The MDG tool applies its own model checking (MDG-MC) to formally verify correctness of MDG-HDL designs.However, it is known that model checking (Burch et al., 1990;Clarke et al., 1992;1996;Jhala and Majumdar, 2009) suffers from state explosion problem due to the fact that as the number of state variables in the model being tested increases, the state spaces will increase exponentially.
Therefore, there is a need to reduce the size of MDG-HDL descriptions so that their equivalent models have fewer states.In many cases, it is not even possible to build the state transition relation of the design and the need for MDG-HDL reduction techniques is even more essential in these particular cases.

JCS
The idea of the reduction technique is as follows: if the model M can be reduced to M', then the property P can be checked on the reduced model M' and, in this case, we may avoid the state space explosion problem.Consequently, we need to ensure that P verified on M' will also be verified on M. In other words, we need to make sure that M|=P ⇔ M'|=P in order to proceed with the property checking on the reduced model.
Many of the most effective verification strategies are based on the idea of the extraction of useful verification knowledge from HDL description for design parts of interest.Program slicing which was originally proposed by (Weiser, 1984), is a static program analysis technique to extract appropriate fractions of sequential programs relevant to an application.These fractions are referred to as slices artifacts that preserve exact information about the program's behavior projected onto the relevant segments of the original program.These techniques has been widely studied and applied to numerous applications in software engineering such as debugging (Deng et al., 2000), testing (Lyle and Gallagher, 1998), maintenance (Gallagher and Lyle, 1991) and reuse (Lanubile and Visaggio, 1997).The slicing technique presents an opportunity to formulate an efficient method to extract a part of a design described in an HDL.
This study describes the theoretical basis of using program slicing for dealing with the descriptions of designs in a MDG-HDL.We propose a new structure to represent the signal dependency between source code's components of the MDG-HDL, the Components Dependence Graph (CDG).As a result, we can deal with slicing for given signals only with the relevant MDG-HDL's components.To the best of our knowledge, this is the first try to use program slicing to extract a part from MDG-HDL descriptions.Our method makes MDG-MC more efficient in dealing with bigger designs.Also, our method can be very helpful in debugging errors in a big MDG-HDL source code.
The contributions of this study are as follows: • We proposed and implemented static and conditioned slicer techniques for MDG-MC, called SS_MDG and CS-MDG • Our approaches are fully automatic.In other words, our approaches do not need a knowledgeable user to be able to generate meaningful slices • Our approaches are the first slicer techniques that can handle the inter-model signal dependency in MDG-based designs • We have validated our proposed technique using a simple case study.Our results show the remarkable efficiency of using our approaches in terms of time, size and memory The rest of this study is organized as follows.I give the related work, a preface the basic background.Alos, I describe the introduced Components Dependence Graph of MDG-HDL (CDG).Then I discusse conditioned slicing approaches for MDG-HDL.Then I describe how to apply slicing technique for efficient MDG-MC.Finally I show a case study with expermintal results, conclusion and future work.

Related Work and Backgrounds
The goal of model reduction techniques is to identify substructures of logic, which can be replaced by simpler equivalent pieces of logic.In general, there are two classes of reduction techniques: automatic techniques where the reduction can be done with no manual intervention and manual techniques which need some degree of manual effort to be able to identify irrelevant substructures.In the context of hardware verification, a majority of the reduction techniques are applied at the gate level (Boolean level) of the hardware design description.The following is an overview of the reduction techniques used in model checking; it is by no means comprehensive, but summarizes the most relevant reduction techniques.
Logic optimization techniques, including Boolean minimization and constant propagations, are the basic logic minimization algorithms of the reduction techniques (Hachtel and Somenzi, 1996;De Michelli, 1994).Fan-in cone reduction is the class of reduction techniques involved in identifying the set of environment/model signals that are essential for the specification being checked and in neglecting all others.The reduction of the independent state machines and unreachable states is another category of the automatic reduction techniques (FSM minimization) (Aziz et al., 1994).Another class of reduction techniques such as symmetry reduction, abstraction and compositional verification can significantly reduce state space.However, none of these methods are fully automated; therefore, they need some manual or full manual effort, or require the model to be expressed in an intermediate format.
Verification approaches are mainly based on the extraction of useful verification information from HDLs for design component of attention.Various researches give a lot of attention to extraction controller from datapath (Moundanos et al., 1998;Ho et al., 1995) and verifying the controller part only.Though, the introduced techniques are not capable to deal with big designs efficiently because the ability of separating controller form datapath depends on assigning specific labels Science Publications

JCS
manually.This process of labeling hundreds of control registers is difficult especially in the case where the original designers are not available.
Slicing technique (Tip, 1995) is a source to source transformation technique and it can be used to extract a part of interest from a design described in HDL.However, slicing algorithms are developed originally for sequential languages.Therefore, they cannot be used without modification for slicing HDLs which tolerate concurrent constructs.
Slicing technique has been extended to HDLs and the technique has effectively been applied to hardware verification.The study in (Hachtel and Somenzi, 1996) suggested an approach to use program slicing for analyzing VHDL designs.They used the VHDL simulation semantic to explain the slice model based on a new dependence graph called signal dependence to emulate the concurrent execution of HDL, which is an inter-process dependence.Clarke et al. (1999) proposed an automated slicing technique for VHDL.They introduced System Dependence Graphs (SDG) and presented a mapping from VHDL to generic graph-reachability representation.In the work (Vasudevan et al., 2006), which is the work most related to ours, the authors proposed a reduction technique that extends the conditioned slicing technique to HDLs' They have developed a technique for computing conditioned slicing to HDLs from the antecedent of property specifications.
In view of the fact that there is no pre-image operation in MDG due to the presence of abstract variables, none of the backward reduction algorithms are appropriate for MDG Consequently, it is desirable to apply the reduction techniques at a higher level of abstraction.There has been considerable work conducted over the years on developing model reduction techniques for the MDG-MC in order to solve the state space explosion problem (Abed et al., 2007;Al-Sammane et al., 2007;Hou and Cerny, 2000).The work in (Hou and Cerny, 2000) introduces a model reduction technique based on property dependent state variables of a property P that needs to be verified.The authors proposed a technique based on a heuristic iterative reduction algorithm.Moreover, the authors of (Al-Sammane et al., 2007) proposed another idea to construct a reduced MDG model for a circuit described in a more abstract level.By using a high level symbolic simulation and by running appropriate symbolic simulation patterns, the reduced model can be obtained from a circuit described in VHDL.Also, in (Abed et al., 2007), they used a rewriting based SAT solver to prune the transition relation Tr of the circuits in order to produce a smaller one that is fed to the MDG-MC.
Compared to other existing approaches our slicing techniques have several advantages such as: (a) our proposed techniques have no limitation on the MDG-HDL coding style.(b) our method is experimentally proven to be able to extract the part of MDG-HDL description that only contains the relevant components to the slicing criteria and that of course improve the efficiency of the verification process.(c) our techniques are fully automatic without user intervention.(d) it is known that the RTL design is the golden model for the low level design processing.Consequently, dealing with RTL design makes our proposed technique more efficient than other techniques that deal with designs in other levels.(e) Finally, our technique is intrinsically simpler than other MDG model reduction techniques and it lends itself easily to automation.
Flowing I give some definitions that are important to understand the basic concept of slicing technique and to explain our proposed techniques.The following definitions are derived from previous research in program slicing (Weiser, 1984;Samat et al., 2011;Tip, 1995).Interested researchers may check the given papers for detailed descriptions.

Definition 1
Assume that Prg is a sequential program, i represents a statement, ∑ is the variables set and V represents a subset of the variables in Prg.Let N be the set of nodes of the Control Flow Graph (CFG) of Prg On the CFG, i represent a nod.The slicing criterion C can be defined as a pair of (i, V) such that i∈N and V∈∑.
Suppose that we have a slicing criterion C = (I, V), we can say that a set of statements Is affect the values of V at i, when Is computes a subset of V that is used in i.In the same way, Is is said to be affected by the values of V at i, when a subset of V that is defined at i computes the variables used in Is.

Definition 2
Let S be a slice of Prg based on C = (I,V).We can say that S represents an executable subset of Prg that enclose all Is that possibly will affect or will be affected by the values of V at i.

Definition 3
Let n be a node in CFG of rg, D(n) be the set of variables that represent the left-part of an assignment defined at n. U (n) be the set of variables that represent the right-part of an assignment statement used at n. SUCC (n) be the set of successors of a node n in the CFG of the Prg.The superscript 0 show that this set of variables is immediately relevant.Consequently, computing the variables 0 c R (n) that are immediately relevant to C = (i,V) can be done by the following formula: The search to find the immediate relevant variables to 0 c R (n) starts from node i and goes backward.The primary subset {v ∈V|n = i}of the above formula is the base case; the following subset Computing the full slice S c that can be extracted from Prg can be done recursively based on the set of variables and statements that have either direct or indirect influence on V. Starting from zero, the superscripts define the level of recursion: The termination condition for the above formulas can be defined as: where, f is an iteration step such that:

Components Dependence Graph of MDG-HDL (CDG)
The MDG-HDL module is normally a non-halting program with several communicating components.Those components are executed concurrently.Also, the components communicate with other components via signals that are shared between them.The fundamental definitions that given for slicing sequential programs can be trivially extended to apply slicing techniques on a MDG-HDL source code.But, dealing with concurrent components is not the same as dealing with statement in procedures in sequential programs.Every component in MDG-HDL is not called explicitly, but is activated by appropriate changes in signal values in the inputs outputs sensitivity list of the component.These changes may be triggered by other components that being executed concurrently.To include this inter-components communication, a notion of Components Dependency is introduced.
I introduce in following some definitions for CDG.

Definition 6
Let IN (comp) the set of inputs of component (comp), OUT (comp) the set of outputs of component (comp) and IOL (comp) be the inputs/outputs list of comp.Let ST (Comp) be a set of statements in comp.

Definition 7
Let M be the MDG-HDL model and CDG M be its components Dependency Graph.CDG M (N comps , E,∑ M , IN comp, OUT comp I M , O M ), where N comps is the set of nodes of CDG M , which defines the components in M.E is the set of edges of CDG M .∑ M is the signals set in M. I M , O M are two sets of particular nodes, where I M ⊆∑ M is the set of primary inputs of M, O M ⊆∑ M is the set of primary outputs of M.
I treat all MDG-HDL components structures including functions and multiplexers as simple statements and can get the sets of IOL (comp) for every component from their declarations, which are the output and input ports, respectively.
Following I present an illustrative example, a simple alarm digital circuit, to explain the idea behind our proposed CDG and how it is used to extract a part from the MDG-HDL.

Conditioned Slicing Approaches for MDG-HDL
Based on the introduced detentions, we can conclude that CDG M can be applied in same way with minor modifications to slice MDG-HDL.

Definition 8
Let CFG comps be a set of control flow graphs of MDG-HDL components CFG comp ⊆CFG comps .Let C = (V TC , STO, I M ) is a slicing criteria where, V Tc is the assign constant variables that will use as a condition for slcing in every CFG comp , STO is the slicing target output.V TC ⊆ I M and STO ⊆ O M .
A chaining slice on a chaining slicing criterion C = (V TC , STO, I M ), represented by ChS, is an executable subset of M including all the component statements which contribute either directly or indirectly to the value of ∑ M starting from the STO.In order to apply slicing on the MDG-HDL which has concurrent structures, we need to extend the original Weiser algorithm based on CDG M and CFG comps .Our proposed method consists of three main computing steps: (1) Transforming the slicing criteria to conventional slicing criteria.( 2 Following I am going to discuss the three steps of our proposed technique.I make one realistic assumption on the MDG-HDL as follows: All the variables defined in MDG-HDL have to be declared as inputs and outputs.This assumption makes it easy to handle all MDG-HDL's components as simple sequential statements.Also, it ensures that our technique will not lose generality.

Slicing the CDG M and CFG comps
The slicing criterion that we use in our proposed technique differs from the usual sequential slicing criterion.Our proposed slicing criterion does not include the statements where the criterion variables are defined and where the backward slicing started.Consequently, we have to transform our criterion into conventional form.To do so, we need first to specify STO and then search through the CDG M to find the set of components nodes and mark it as relevant RCS, where RCS = {comp|comp∈N comps ) AND STO∈∑ M }.Once all the RCS are found, we need to deal with every comp included in RCS individually based on its CFG comp and search in its If-Then-Else statements.We slice away the statement where the condition value of V TC is not true.As a result of the slicing process, all the signals between components, the number components including flip flops will be reduced.
The method used to find comps based on CFG comps is a breadth first searching algorithm.It first marks all the nodes which have out edges pointing to the criterion component node comp.The set of nodes found in this step is represented by Pre comp .Then, for every comp in Pre comp , repeat the same process.The termination conditions are: (a) when reach primary inputs.(b) When reach previous reached component.(c) When reach conditioned signals.Figure 3 and 4 show the result after applying the slicing process on the abovemetnioed example.

Slicing for Efficient MDG-MC (CS-MDG)
Even though MDG-HDL slicing approaches have different application such debugging and fixing big MDG-HDL source code, our main aim to proposed this approaches is to tackle the state space explosion problem of MDG-MC that big MDG-HDL may cause.Therefore, following we are going to explain how to utilize these approaches to address the state explosion problem.
Basically, in MDG-MC, digital designs under verification are modeled by Abstract descriptions of State Machines (ASMs), where both sets of states and relations are encoded by MDGs.The specification

JCS
language called L MDG is used to express the properties to be verified in the MDG-MC.The approach to model checking is to build automatically additional ASMs that represent the property to be verified, connect the two ASMs to construct one ASM and then check a simpler property (flag) on the composite machine.I am not going to go in detail in this issue since it has been explained in detail in pervious MDG research papers.What I want to emphasize that this composite circuit is simply an MDG-HDL code and we can apply our proposed approaches on it with minor modification on the slicing criteria such that:  ( ) While the other part is the part that represents the circuit needs be verified (the model M).So, it clear that dealing with the code describing this circuit is just basically dealing with normal MDG-HDL.We need only to consider that the slicing target output is defined as (flag) and the V TC is defined as V antce in this case.Figure 7 demonstrate the CFG CM of the composite circuit, where CM means composite model.Figure 8 shows the reduced CDG CM .

MDG-HDL Slicing Algorithm
Basically, the MDG-HDL algorithm obtains the MDG-HDL source code and the slicing criteria as inputs, then iterates over all the criterion variables to compute the slice.The concluding slice for the criterion is the union of all the slices for the criterion variables.As we mentioned before, the termination condition is when slicing in CDG M reached all the relevant components.Figure 9 shows the schematic diagram of our proposed techniques.Figure 10 shows our MDG-HDL slicing algorithm.

A Case Study
Now we are going to use the same example in Fig. 6 with some modifications such as defining the entire signal in the circuit in Boolean level.The reason for that is to compare our work with previous work in (Hou and Cerny, 2000).--------------------

JCS
The structure of the circuit is somewhat familiar in data processing circuits.The suitable context (such as set of memory data, registers) is selected based on the control signals, then dealing out with the selected context and modified context is stored in the same memory element.This circuit is also used somewhat in telecommunication circuits in which channel or link number select the matching registers to be updated.The structure of this circuit can be simply extended and modified to build larger circuit by adding more registers and increasing the size of the registers.
In our care, we have defined all the signals in the circuit in Boolean level.The registers are represented as number of bits and every bit is treated as one Boolean signal.The properties to be verified are as follows: • P1: if x = 0, Reg1= 0 and the value of Reg2 = 0 in th current clock cycle, then the value of Reg2 will be 1 in the next clock cycle • P2: if x = 0, Reg1 = 0 and the value of Reg2[0] = 0 in th current clock cycle, then the value of Reg2[0] = 0 will be 1 in the next clock cycle The two properties were verified on the model with different register numbers and registers sizes.We compare our result with previous research work results.
Table 1 illustrates our experimental results by using MDG-MC.Base on the results we can conclude that our proposed technique has considerably improve the efficiency of MDG-MC.The (N.T) in the table stand for Not Terminate.

CONCLUSION
To alleviate the state explosion problem in the MDG model checking tool, we have proposed a reduction techniques called SS_MDG and CS-MDG.The goal of our technique is to construct a reduced MDG-HDL source code using the Composite Circuit Dependency Graph (CDG M ) and CFG comps .
Our technique consists of two phases: In the first phase of the reduction based on Static Slicing (SS-MDG), our technique extracts the relevant components that affect the flag using the CDG M .Then, in the second phase, the reduction that is based on the Conditioned Slicing (CS-MDG) is applied using the information in the property antecedent and CFGcompsCFG comps to reduce the components' statements and eliminate the irrelevant statements where the condition V antce is not true.
We have presented the essential foundation of how to use slicing techniques to extract a part of MDG-HDL.The technique was successfully implemented as a prototype tool and effectively used for improving verification of design in MDG-HDL.
Our analyses have shown that the proposed reduction technique resulted in significantly improved the performance of the MDG model checker.
In the future, we aim to apply our technique to more complex hardware designs in order to identify its strengths and limits.

ACKNOWLEDGEMENT
I would like to thank Libyan ministry of higher education and aide financiere aux etudes Quebec for their support.
marks the variables used to assign values to other relevant variables.

Figure 5 Figure 6
Figure5shows the structure of the MDG-MC, which includes the following modules:• MDG based model (MDG-HDL)• Desired property which is the specification being checked (In the L MDG specification language).(the form of property A((Next_let_formula) U (Next_let_formula) is not consider in our proposed technique) • Apl_parser (which takes the input files, the MDG based model and the desired property, to construct a composite circuit.This is done as follows • The property P is transferred into a simplified property (circuit).For example, the property AG(apl_formula) is transferred into a simplified property AG (flag = 1) • The simplified property (circuit) is plugged with the original model M.This is what we call a composite circuit • Property checking step is to verifies the property validation and return (fail/pass) as a result1.6.Illustrative ExampleFigure6shows an example of a composite circuit.The highlighted part of the circuit is the part that represents ASM of the property: