The number of RegVals of a register need not be identical in the specification and in the implementation, see the example given by Fig. 4.8. Therefore, the final RegVals are separately marked. Checking computational equivalence consists in
[Fig. 4.8: Relation between RegVals for computational equivalence. The specification (RegVals $a^s_1, \ldots, a^s_{m_a}$; $b^s_1, \ldots, b^s_{m_b}$; $c^s_1, \ldots, c^s_{m_c}$) and the implementation (RegVals $a^i_1, \ldots, a^i_{n_a}$; $b^i_1, \ldots, b^i_{n_b}$; $c^i_1, \ldots, c^i_{n_c}$) share the initial register values $a$, $b$, $c$. The final RegVals with respect to $a$ and $c$ have to be in one EqvClass for computational equivalence; the remaining RegVals need not be equivalent and may differ in number.]
verifying that the final RegVals in the specification with the highest index are equivalent to the corresponding final RegVals in the implementation on each path, e.g., $a^s_{m_a}$ / $a^i_{n_a}$ and $c^s_{m_c}$ / $c^i_{n_c}$ in Fig. 4.8.
The introduction of RegVals makes all information about the sequential or parallel execution of assignments redundant; it is, therefore, removed afterwards.
Formula based techniques like SVC do not use distinct RegVals because they represent the modifications of register values in the term-hierarchy implicitly. Expressing the timing structure explicitly has several advantages. Term size explosion is avoided, because terms can be expressed by intermediate RegVals. We do not lose information about intermediate relationships by rewriting or canonizing so that arbitrary additional techniques can be used to demonstrate the verification goal. In addition, support of debugging is improved by using the supplementary information.
4.1.5 Memory Operations
The memory model used by the symbolic simulator assumes an unlimited, but finite size for each memory in the descriptions. Similar to [Sho79, BD94, BDL96], two array operations are used to model memory access: read(mem,adr) returns the value stored at the address adr of memory mem. The second operation store(mem,adr,val) returns the whole memory state of mem after changing the memory state only at adr to val.
46 CHAPTER 4 Symbolic Simulation Procedure
Memories are modeled as vectors (one-dimensional arrays) of words, where a word is in fact a register. We distinguish the two terms for better readability. The words in a memory are numbered with ascending integers starting with 0. Thus mem[i] denotes the (i + 1)-th word. Let & denote the concatenation of two words. The j-th RegVal of a memory mem is determined by the concatenation of all corresponding words, i.e.,
$$\mathit{RegVal}^{mem}_{j} = \mathop{\&}_{i=0}^{size(mem)-1} mem_j[i] .$$
The number of words of the memory is given by size(mem).
Read- and store-operations are used for all accesses to arrays that are addressed by registers instead of constants. This includes not only, e.g., the data memory of a processor but also the register file. On the other hand, arrays addressed in the descriptions by constants need not be modeled by the read/store scheme. A memory word addressed only by a constant can also be considered as a register. In practice this is done by replacing all these memory operations by a new distinct register name, e.g., dmem[3]←x becomes dmem3←x.
Similar to our procedure for registers, the inherent timing structure of the initial description is expressed explicitly by indexing the memory names. A new RegVal (for memories) with an incremented index is introduced after each store-operation. For example, the third store-operation to a memory dmem[adr]←val becomes $dmem^s_3 \leftarrow store(dmem^s_2, adr^s_4, val^s_1)$. Note that the indexes of adr and val are arbitrarily chosen in this example. The RegVals $dmem^s_2$ and $dmem^s_3$ represent the memory state before and after the store-operation. Only the initial register/memory names as anchors are, again, identical in the specification and in the implementation, since the equivalence of the two descriptions is tested with regard to arbitrary but identical initial register values and memory states. Checking computational equivalence consists in verifying that the state of two memories is identical, i.e., the respective RegVals of the memories have to be equivalent. Definition of equivalence requires that eval(t) (see page 12) returns a constant for an acceptable initialization. Definition 2.4 of acceptable initializations has to be modified according to Fig. 4.9 to consider memory operations. M comprises all memories. The set R describes all RegVals of registers.
$$\begin{array}{l}
acceptable(initRegVals) \Leftrightarrow \\
\quad \forall\, \mathit{RegVal}_{initial,k} \in R :\ init(\mathit{RegVal}_{initial,k}) \text{ is a constant } \wedge\ init(\mathit{RegVal}_{initial,k}) \in domain(\mathit{RegVal}_{initial,k}) \\
\quad \wedge\ \forall\, mem \in M :\ \forall\, i = 0, \dots, size(mem)-1 :\ mem_{initial}[i] \text{ is a constant } \wedge\ mem_{initial}[i] \in \text{domain-of-words}(mem) \\
\quad \wedge\ \forall\, C_i \in C :\ eval(C_i) \text{ is a constant } \wedge\ (C_i \text{ decided true}: eval(C_i) = 1;\ C_i \text{ decided false}: eval(C_i) = 0)
\end{array}$$
The modified definition of an acceptable initialization guarantees only that the words of the initial RegVal of a memory are constants. Therefore, defining a read as the selection of the corresponding word is only possible if the initial RegVal of the memory is read. Furthermore, only the initial RegVal of a memory can be evaluated as a concatenation of the corresponding memory words.
Definition 4.1 (read- and store-operations)
$$\begin{array}{lcl}
\mathit{RegVal}^{mem}_{initial} & : & \mathop{\&}_{i=0}^{size(mem)-1} mem_{initial}[i] \\[4pt]
read(\mathit{RegVal}^{mem}_{initial}, adr) & : & mem_{initial}[adr] \\[4pt]
read(\mathit{RegVal}^{mem}_{j \neq initial}, adr) & : & t = \mathit{RegVal}^{mem}_{j-1} :\ read(\mathit{RegVal}^{mem}_{j-1}, adr) \\
 & & t = store(\mathit{RegVal}^{mem}_{j-1}, sadr, val) :\ \text{if } adr = sadr \text{ then } val \text{ else } read(\mathit{RegVal}^{mem}_{j-1}, adr) \\
 & & (t \text{: right-hand side term of the assignment to } \mathit{RegVal}^{mem}_{j}) \\[4pt]
store(\mathit{RegVal}^{mem}_{j}, adr, val) & : & \mathop{\&}_{i=0}^{adr-1} read(\mathit{RegVal}^{mem}_{j}, i)\ \&\ val\ \&\ \mathop{\&}_{i=adr+1}^{size(mem)-1} read(\mathit{RegVal}^{mem}_{j}, i)
\end{array}$$
The definition of read- and store-operations supposes that only (preceding) RegVals of the same memory or stores are assigned to RegVals of memories. If the read-operation accesses an initial memory state then the corresponding initialization of the data word meminitial[adr] of memory mem is returned. Otherwise the read-operation is applied to the last preceding store-operation. If the values of the addresses are the same then the corresponding stored value is read. Otherwise, from the point of view of the read, the preceding store was not executed, and the value at the same address is read from the previous memory state.
The value of a store-operation, which returns the entire new memory state, is defined as a concatenation of read-operations of all words, considering the new value val at adr. The value of RegVals of memories is defined by the store-operation or the RegVal assigned, see Definition 2.3 of eval(t). Two memory states are identical iff all data words are identical. As in Definition 2.6, two terms are intuitively equivalent if an exhaustive numerical simulation of each possible initialization of the registers and memories results in the same value for both terms.
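The following Python program is an added, constructed illustration of the two ideas above: indexing memory RegVals after each store-operation (as in $dmem_3 \leftarrow store(dmem_2, adr, val)$) and the read/store rules of Definition 4.1, evaluated under an acceptable initialization. It is not code from the thesis or from its simulator; the class and function names (`SymbolicSimulator`, `eval_term`, `equivalent`), the use of index 0 as the initial anchor RegVal, and the 2-word memory with 1-bit words are all assumptions of this example. Equivalence is decided here by the exhaustive numerical simulation of Definition 2.6 over a tiny domain, which is enough to show why two stores in swapped order are not equivalent once the symbolic addresses may coincide.

```python
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Tuple, Union

# Term language for the example (constructed; names follow Definition 4.1).
# Index 0 is used here as the initial anchor RegVal of a register or memory.
@dataclass(frozen=True)
class Const:
    value: int

@dataclass(frozen=True)
class Reg:            # RegVal of register `name` with index `index`
    name: str
    index: int

@dataclass(frozen=True)
class Mem:            # RegVal of memory `name` with index `index`
    name: str
    index: int

@dataclass(frozen=True)
class Read:           # read(mem, adr): value of one word
    mem: "Term"
    adr: "Term"

@dataclass(frozen=True)
class Store:          # store(mem, adr, val): whole memory state after one write
    mem: "Term"
    adr: "Term"
    val: "Term"

Term = Union[Const, Reg, Mem, Read, Store]
Init = Dict[str, Union[int, Tuple[int, ...]]]   # register -> constant, memory -> words

class SymbolicSimulator:
    """Every assignment introduces a new RegVal with an incremented index, so the
    sequential order of the description is carried by the indices alone."""
    def __init__(self) -> None:
        self.index: Dict[str, int] = {}               # highest index per name so far
        self.defs: Dict[Tuple[str, int], Term] = {}   # (name, j) -> right-hand side of RegVal_j

    def cur_mem(self, mem: str) -> Mem:
        return Mem(mem, self.index.get(mem, 0))

    def assign(self, reg: str, rhs: Term) -> Reg:      # reg <- rhs
        j = self.index.get(reg, 0) + 1
        self.index[reg] = j
        self.defs[(reg, j)] = rhs
        return Reg(reg, j)

    def store(self, mem: str, adr: Term, val: Term) -> Mem:   # mem[adr] <- val
        rhs = Store(self.cur_mem(mem), adr, val)      # refers to the state before the write
        j = self.index.get(mem, 0) + 1
        self.index[mem] = j
        self.defs[(mem, j)] = rhs
        return Mem(mem, j)

    def read(self, mem: str, adr: Term) -> Read:
        return Read(self.cur_mem(mem), adr)

def eval_term(t: Term, defs: Dict[Tuple[str, int], Term], init: Init):
    """eval(t) under an acceptable initialization: every initial register and
    every word of every initial memory is a constant (modified Definition 2.4)."""
    if isinstance(t, Const):
        return t.value
    if isinstance(t, (Reg, Mem)):
        return init[t.name] if t.index == 0 else eval_term(defs[(t.name, t.index)], defs, init)
    if isinstance(t, Read):
        adr = eval_term(t.adr, defs, init)
        m = t.mem
        while isinstance(m, Mem) and m.index != 0:   # unfold RegVal to its defining term
            m = defs[(m.name, m.index)]
        if isinstance(m, Mem):                        # initial state: select the word
            words = init[m.name]
            if not 0 <= adr < len(words):             # address must lie within size(mem)
                raise IndexError(f"address {adr} out of range for {m.name}")
            return words[adr]
        # read over store: same address returns the stored value, otherwise the
        # store is looked through and the previous memory state is read instead
        if adr == eval_term(m.adr, defs, init):
            return eval_term(m.val, defs, init)
        return eval_term(Read(m.mem, t.adr), defs, init)
    if isinstance(t, Store):                          # concatenation of all words
        words = list(eval_term(t.mem, defs, init))
        adr = eval_term(t.adr, defs, init)
        if not 0 <= adr < len(words):
            raise IndexError(f"address {adr} out of range")
        words[adr] = eval_term(t.val, defs, init)
        return tuple(words)
    raise TypeError(f"unknown term {t!r}")

def equivalent(spec: Term, impl: Term, spec_defs, impl_defs, regs: List[str],
               mems: Dict[str, int], domain: range) -> Optional[Init]:
    """Exhaustive numerical simulation over a small domain (Definition 2.6 in
    miniature): returns a counterexample initialization, or None if equivalent."""
    for values in product(domain, repeat=len(regs) + sum(mems.values())):
        init: Init = {}
        k = 0
        for r in regs:
            init[r], k = values[k], k + 1
        for m, size in mems.items():
            init[m], k = tuple(values[k:k + size]), k + size
        if eval_term(spec, spec_defs, init) != eval_term(impl, impl_defs, init):
            return init
    return None

REGS, MEMS = ["a", "b", "x", "y"], {"dmem": 2}   # constructed: 2-word memory, 1-bit words

def swapped_stores() -> Optional[Init]:
    """Spec writes dmem[a] then dmem[b]; impl swaps the order. The final memory
    RegVals differ exactly when the symbolic addresses coincide (a = b, x != y)."""
    spec, impl = SymbolicSimulator(), SymbolicSimulator()
    spec.store("dmem", Reg("a", 0), Reg("x", 0))     # dmem_1 <- store(dmem_0, a, x)
    spec.store("dmem", Reg("b", 0), Reg("y", 0))     # dmem_2 <- store(dmem_1, b, y)
    impl.store("dmem", Reg("b", 0), Reg("y", 0))
    impl.store("dmem", Reg("a", 0), Reg("x", 0))
    return equivalent(spec.cur_mem("dmem"), impl.cur_mem("dmem"),
                      spec.defs, impl.defs, REGS, MEMS, range(2))

def read_after_store() -> Optional[Init]:
    """Spec reads back the word it just stored; impl forwards the value directly."""
    spec, impl = SymbolicSimulator(), SymbolicSimulator()
    spec.store("dmem", Reg("a", 0), Reg("x", 0))
    r_spec = spec.assign("r", spec.read("dmem", Reg("a", 0)))   # r_1 <- read(dmem_1, a)
    r_impl = impl.assign("r", Reg("x", 0))                        # r_1 <- x
    return equivalent(r_spec, r_impl, spec.defs, impl.defs, REGS, MEMS, range(2))

if __name__ == "__main__":
    print("swapped stores, first counterexample:", swapped_stores())
    print("read after store, counterexample:", read_after_store())
```

The evaluator follows Definition 4.1 literally: a read of the initial RegVal selects a word, a read of a later RegVal is applied to the defining store and either returns the stored value or looks through to the previous state, and a store is evaluated as the whole word vector. The range check on `adr` is the explicit form of the out-of-range verification the text mentions for arbitrary memory sizes. Exhaustive simulation is only feasible for such toy domains; the point is to make visible that `swapped_stores` fails precisely on the aliasing initialization, which is the case symbolic-address handling has to treat.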
The assumption of an arbitrary memory size requires verifying that the address is not out of range of the actual memory. This is trivial in most of the cases, where the memory size is $size(mem) = 2^{addresslines}$.
Note that addresses and values in Fig. 4.9 are constants while the equivalence detection for memory operations described in section 5.9 has to cope with symbolic addresses.