GESTIÓN DEL RIESGO

Formal verification often has to cope with memories that have a large size and are addressed indirectly. Symbolic address relationships of the memory operations have to be considered. Addresses are compared in our approach using only the information of the EqvClasses. This allows a fast equivalence detection which can cope with complex reorderings of memory operations. Equivalence detection for memory operations was first presented in [RHE99].

Example 5.11

The two descriptions in Fig. 5.8 are computationally equivalent with respect to the final value of the relevant variable z. There are two examples for a reordering

Specification rf[adrA]←a; rf[adrB]←b; mem[adr1]←val; x←mem[adr2]; z←x+rf[adrR]; Implementation (rf[adrB]←b, x←mem[adr2]); (if adrA=adrB

then rf[adrA]←a, mem[adr1]←val); (if adr1=adr2

then z←val+rf[adrR] else z←x+rf[adrR]); Fig. 5.8: Examples for equivalent memory operations

of memory operations in Fig. 5.8. First, the order of the read- and the store- operation to mem is reversed in the implementation. Thus, val is forwarded if the addresses are identical, otherwise the value assigned to x is used. This is a typical forwarding example occurring in pipelined systems. Second, the order of

5.9.1 Overview 85

the store-operations to the register file rf is reversed. This may, for example, occur during synthesis of architectures using data memory mapping, i.e., some single registers can be addressed by instructions in the same manner as registers of the register file. This is common for many microcontrollers, e.g., Microchip PIC or Intel 8051. Synthesis may change the order of accesses to this “common” data memory, e.g., by introducing pipelining. Formal verification has to consider the access to registers and register file by a single memory model. Otherwise it may remain unrevealed that, for example, the program counter is erroneously overwritten by an instruction due to a lacking address comparison.

The memory model used by the symbolic simulator assumes an unlimited, but finite size for each memory in the descriptions. Memory access is modeled by the two array operations read and store. A new RegVal (for memories) with an incremented index is introduced after each store-operation to a memory. Only accesses to arrays that can be addressed by registers and not only by constants are considered by the read/store-model. Checking computational equivalence consists of comparing the respective final RegVals of the memories. The memory model, the indexing, equivalence of memory operations, and consideration of arrays addressed by constants are discussed in section 4.1.5.

Three types of equivalences have to be detected concerning memory-operations: • Value stored by a store is equivalent to a read Section 5.9.2 A read-operation reads for any acceptable initialization a value previously stored by a unique store-operation. Note that the read-operation occurs after the store-operation during simulation, i.e., this equivalence is only checked for read-operations.

• Equivalence of two read-operations Section 5.9.2

Two read-operations are equivalent since they yield the same value for any acceptable initialization.

• Equivalence of two store-operations Section 5.9.3

The resulting memory states are equivalent, i.e., the contents of the mem- ories after the two store-operations in the specification and in the imple- mentation are in any case identical. Often, the memory states before the store-operations are also equivalent, which is fast to check. The stores can also result in identical memory states in the opposite case for two reasons:

– a store-operation is overwritten by subsequent stores;

– the order of store-operations to the memory is different in the spec- ification and in the implementation.

Our equivalence detection is hierarchical: first an identical store-order in both descriptions is assumed, i.e., the memory states are pairwise identi-

86 CHAPTER 5 Detecting Equivalences of Terms

cal. Then possibly overwritten stores are considered. Only if a store- operation has still no equivalent counterpart in the other description and a fast pre-check is satisfied, the more time consuming technique presented in the last part of section 5.9.3 is used to detect a changed order of store- operations.

As described in the previous sections, equivalence of terms is often decided by simply testing if the arguments are ∼=_C or ∼=_C which avoids the expansion of the arguments. This is also consequently used for the equivalence detection of read- and store-operations. Only the information of the EqvClasses of the addresses is used, i.e., our address comparison checks if two addresses adr1 and adr2 are

i. in the same EqvClass, i.e., adr1 ∼=_C adr2

ii. are in inequivalent EqvClasses adr1∼=_C adr2, or

iii. if equivalence depends on the initial register or memory values.

Expansion of arguments as in [VB98], where Boolean expressions are evaluated, is avoided. The following abbreviations are used in the examples of the next sections 5.9.2 and 5.9.3:

• Only the relevant read-and store-operations and address relations are shown. The generally complex control structure (e.g., if-then-else-clauses) and all assignments to registers which do not include a read-operation are omitted. Therefore, always only one path of the symbolic simulation is considered. Note that our equivalence detection for memory operations does not require additional case-splits.

• It is assumed that equivalences/inequivalences of the addresses have either already been determined by the other equivalence detection techniques de- scribed in the other sections of this chapter and chapter 6; or they are caused by case-splits at preceding conditions of if-then-else-clauses which are omitted, see above.

• Addresses or values with identical name in the specification and in the implementation, i.e., without the upper index s or i stand for arbitrary terms, which are assumed to have previously been detected ∼=_C. Using adr1 can signify textually different terms in both descriptions, e.g., adr1s₄ = as₃+ bs2 and adr1i3 = ci1+ ai2, which are equivalent if bs2 ∼=C ci1 and as3 ∼=C ai2

holds.

• The boxes below the examples indicate which additional relationships of the addresses must hold for two terms or memory states to be equivalent.