Equivalence Checking in Embedded Systems Design Verification

Soumyadip Bandyopadhyay


1 Introduction

In this paper we focus on some aspects of the modeling and formal verification of embedded systems. Many models have been proposed to represent embedded systems [1] [2]. These models encompass a broad range of styles, characteristics and application domains and include extensions of finite state machines, data flow graphs, communicating processes and Petri nets. In this report we use the PRES+ model (Petri net based Representation for Embedded Systems), an extension of the classical Petri net model that captures the concurrency and timing behaviour of embedded systems; it allows systems to be represented at different levels of abstraction and improves expressiveness by allowing tokens to carry information [3]. This modeling formalism has a well-defined semantics and therefore supports a precise representation of the system. As a first step, we take an untimed PRES+ model, which captures all the features of the PRES+ model except the timing behaviour, as reported in our earlier report.

A typical synthesis flow for complex systems like VLSI circuits or embedded systems comprises several phases. Each phase transforms/refines the input behavioural specification (of the system to be designed) with a view to optimizing time and physical resources. Behavioural verification involves demonstrating the equivalence between the input behaviour and the final design, which is the output of the last phase. In computational terms, it is required to show that all the computations represented by the input behavioural description, and exactly those, are captured by the output description.

Modeling using PRES+, as discussed above, may be convenient for specifying the input behaviour because it supports concurrency. However, to the best of our knowledge no equivalence checking method for PRES+ models has been reported in the literature, whereas equivalence checking methods for FSMD models exist [4]. A transformation procedure from a non-pipelined PRES+ model to a pipelined PRES+ model has been reported [3]. As a first step, we hand-execute our reported algorithm on a real-life example, which requires translating the two versions of the PRES+ model into FSMD models.

The rest of the paper is organized as follows. Section 2 presents the definitions of the PRES+ and FSMD models. Section 3 presents the proposed algorithm for converting an untimed PRES+ model into an FSMD model. Section 4 presents the notion of equivalence and abstraction; in this section we also present the working principle of a real-life embedded system used as the example. Section 5 verifies the equivalence between the initial and the transformed behaviour using the FSMD equivalence checking method. Finally, some future work is identified in Section 6.

2 Brief description of PRES+ and FSMD model

Before the conversion mechanism we discuss the design representation of PRES+ models.

2.1 Description of PRES+ models

A PRES+ model is a seven tuple , where the members are defined as follows. The set is a finite non-empty set of places and is the set of variables. A place is associated with a variable ; therefore, . Every place is capable of holding a token having a value. A token value may be of any type, such as Boolean or integer, or a user-defined type of any complexity (for instance, a structure, a set or a record). The set denotes the set of all possible token types; thus, is a set of sets. The set is a finite non-empty set of transitions; is a finite non-empty set of input arcs, which define the flow relation from places to transitions (“input” with respect to the transitions); is a finite non-empty set of output arcs, which define the flow relation from transitions to places. A marking is an assignment of tokens to the places of the net; hence, . The marking of a place , denoted , is either or . For a particular marking M, a place p is said to be marked iff . is the initial marking of the net, depicting the places holding tokens initially.

The type function : associates every place with a token type.

The pre-set of a transition is the set of input places of . Thus, . Similarly, the post-set of a transition is the set of output places of . So, and and . The subset is the set of variables associated with places from which input arcs lead to the transition . Similarly, the pre-set and the post-set of a place are given by and , respectively.

For every transition , there exists a transition function associated with ; that is, for all , : , where and . The functions capture the functional transforms applied to the variables associated with the output places of the transitions, i.e., .

A transition may have a guard associated with it. The guard of a transition is a predicate : , where over the variable set .

2.2 Description of FSMD model

A finite state machine with data path (FSMD) is a universal specification model. An FSMD is defined as an ordered tuple where

is a finite set of control states; is the reset state; is the set of primary input signals; is the set of storage variables; is the set of primary output signals, . : is the state transition function and : is the update function of the output and storage variables, where S and U are as defined below. is the set of Boolean literals of the form or , where is a Boolean variable and ; represents the set of status expressions over , where represents a set of arithmetic expressions over the input and storage variables and is any arithmetic relation. . and represent the set of storage or output assignments.

3 Proposed algorithm for conversion from an untimed PRES+ models to an FSMD models

Let the input PRES+ model be and the generated FSMD model be . For simplicity, we assume that all tokens are of integer type. i.e = for all .

The first step of our algorithm computes the following entities in the FSMD model: and . The algorithm then goes on to compute : the set of states; : the state transition function and : the update function. Symbolic simulation of the PRES+ model is used to compute these entities starting from the initial marking .

  • At each step of the simulation, starting from the present marking , the algorithm enumerates all the possible sets of transitions of that can fire from ; for each of these sets of transitions it constructs the next state of from the new marking of the PRES+ model .

  • It then obtains the transition from to in .

Figure 1: Places and transitions in a PRES+ model

For example, consider the scenario given in Figure 1. Let ; the set of all transitions emanating from the places in M is then . The possible sets of transitions are , leading to the marking , and , leading to the marking . The FSMD transition is associated with the guard condition and the FSMD transition with the guard condition , i.e., and . and . and .


Step 1: Given the PRES+ model ,
        { variables associated with };
        { variables associated with };
        // is the set of variables associated with places from which no arcs are input
        // to any transition. Therefore
        { variables associated with };
        // is obtained from the transition functions of the PRES+ model and the variables
        // associated with the post-set of each transition. Therefore,
        is the function associated with , and ;
        // is obtained from the guard conditions of the PRES+ model. Therefore,
Step 2: ; ; ;
Step 3:
    Step 3.1: ; ;
              constructSetOfTransitions ; // : the set of possible sets of transitions.
              , empty set; // : the set of next states generated, one per member of ,
                           // depending on the mutually exclusive guard conditions
                           // associated with that member.
    Step 3.2:
        Step 3.2.1: ; ;
        Step 3.2.2: Let be the set of guards associated with . In the table
                    of the function , insert the entry .
        Step 3.2.3: Let be the set of assignments of the form
                    , where is the function associated with };
                    In the table of the function , insert the entry ;
                    // the members of are carried out in parallel
        Step 3.2.4: ;
Step 4: // Has any new state been generated?
        if exit;
        else { ; ; ;
               goto Step 3 }

Figure 2: PRES+ model to be converted into FSMD model

Figure 3: FSMD model equivalent to the PRES+ model of Figure 1

4 Notion of equivalence and Real life example

4.1 Notion of equivalence between two PRES+ models

In the synthesis process there are a number of refinement phases, and the system model is transformed in each of them. The validity of each transformation therefore depends on the equivalence between the input behaviour and the output behaviour of that phase. [3] propounds three notions of equivalence: cardinality equivalence, functional equivalence and time equivalence; two PRES+ models are totally equivalent iff they satisfy all three. We are dealing with untimed PRES+ models, hence there is no need to show time equivalence. Two PRES+ models and are cardinality equivalent iff:

  1. There exists a one-to-one correspondence between the in-ports and between the out-ports of and , i.e. : and : .

  2. The initial markings and of and are the same.

  3. After execution of and , tokens are accumulated at the out-ports of each net, and there is a one-to-one correspondence between the markings of their out-ports.

For example, in Figure 4, in = {, }, out = {, , }, in = {, }, out = {, , }, and and are defined by () = , () = , () = , () = and () = . The two nets also satisfy the second condition, and and satisfy the third condition, i.e. after execution of and all out-ports of and contain tokens and correspond one to one. Hence the two PRES+ models and are cardinality equivalent.

Figure 4: Cardinality equivalence nets

Two PRES+ nets and are functionally equivalent iff:

  1. and are cardinality equivalent,

  2. the token values at the out-ports of and are the same.

Figure 5: Functional equivalence nets

For example, in Figure 5, and are cardinality equivalent. If of and of contain tokens whose value is 2, then after execution of and the out-ports of and contain tokens whose value is 5. Hence the two nets are functionally equivalent and, since they are untimed, totally equivalent.
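The conversion of Section 3 and the cardinality and functional checks of Section 4.1, as an added Python example written for this edition of the page; it is not the author's code and is not taken from [3] or [4]. It assumes that a place's variable is identified with the place name, that the ports of the two nets correspond by name (so the port bijections of condition 1 are identities), and it uses two constructed nets, N1 and N2, which are not the nets of Figures 1 to 5.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Transition:
    name: str
    pre: tuple     # pre-set (input places)
    post: tuple    # post-set (output places)
    guard: str     # predicate over the pre-set variables; "True" when unguarded
    funcs: tuple   # ((output place, function over the pre-set variables), ...)

@dataclass(frozen=True)
class Net:               # a place's variable is identified with the place name (assumption)
    transitions: tuple
    initial: frozenset   # M0: places holding a token initially
    in_ports: tuple      # places with no input arcs
    out_ports: tuple     # places with no output arcs

def fire(marking, fs):
    """Marking reached after the set fs fires: remove all pre-sets, add all post-sets."""
    pre = set().union(*(t.pre for t in fs))
    post = set().union(*(t.post for t in fs))
    return frozenset((marking - pre) | post)

def firing_sets(net, marking):
    """Maximal sets of enabled transitions with pairwise disjoint pre-sets (Step 3.1)."""
    enabled = [t for t in net.transitions if set(t.pre) <= marking]
    def free(s):   # no two members compete for the same input token
        return len(set().union(*(t.pre for t in s))) == sum(len(t.pre) for t in s)
    cands = [s for k in range(1, len(enabled) + 1) for s in combinations(enabled, k) if free(s)]
    return [s for s in cands if not any(free(s + (t,)) for t in enabled if t not in s)]

def pres_to_fsmd(net):
    """Symbolic simulation from M0 (Steps 2-4): each reachable marking is an FSMD
    state, each firing set an FSMD transition with a guard and parallel updates."""
    states, edges, worklist = {net.initial: "q0"}, [], [net.initial]
    while worklist:
        m = worklist.pop(0)
        for fs in firing_sets(net, m):
            m2 = fire(m, fs)
            if m2 not in states:                      # Step 4: a new state was generated
                states[m2] = f"q{len(states)}"
                worklist.append(m2)
            guard = " and ".join(f"({t.guard})" for t in fs if t.guard != "True") or "True"
            update = dict(p for t in fs for p in t.funcs)   # Step 3.2.3: carried out in parallel
            edges.append((states[m], guard, update, states[m2]))
    return states, edges

def run(net, inputs):
    """Token game on concrete in-port values; returns the out-port token values."""
    marking, vals = net.initial, dict(inputs)
    safe = {"__builtins__": {}}   # expressions are trusted model text, never user input
    while True:
        ready = [s for s in firing_sets(net, marking)
                 if all(eval(t.guard, safe, vals) for t in s)]
        if not ready:
            return {p: vals[p] for p in net.out_ports if p in marking}
        if len(ready) > 1:
            raise ValueError("guards of conflicting transitions are not mutually exclusive")
        vals.update({p: eval(e, safe, vals) for t in ready[0] for p, e in t.funcs})
        marking = fire(marking, ready[0])

def totally_equivalent(n1, n2, inputs):
    """Cardinality equivalence (port correspondence, same M0, every out-port marked after
    execution) plus functional equivalence (same out-port values); time equivalence is
    vacuous for untimed nets. Assumption: ports with equal names correspond."""
    if set(n1.in_ports) != set(n2.in_ports) or set(n1.out_ports) != set(n2.out_ports):
        return False
    if n1.initial != n2.initial:
        return False
    o1, o2 = run(n1, inputs), run(n2, inputs)
    if set(o1) != set(n1.out_ports) or set(o2) != set(n2.out_ports):
        return False
    return all(o1[p] == o2[p] for p in n1.out_ports)

# Constructed nets (not the paper's figures). N1: two concurrent front-end stages,
# a guarded choice on their results, then one more stage to the out-port f.
N1 = Net(
    transitions=(
        Transition("t1", ("a",), ("c",), "True", (("c", "a + 1"),)),
        Transition("t2", ("b",), ("d",), "True", (("d", "b * 2"),)),
        Transition("t3", ("c", "d"), ("e",), "c >= d", (("e", "c - d"),)),
        Transition("t4", ("c", "d"), ("e",), "c < d", (("e", "d - c"),)),
        Transition("t5", ("e",), ("f",), "True", (("f", "e + 1"),)),
    ),
    initial=frozenset({"a", "b"}), in_ports=("a", "b"), out_ports=("f",))
# N2: a refinement of N1 that merges the front-end stages into the guarded choice.
N2 = Net(
    transitions=(
        Transition("s1", ("a", "b"), ("e",), "a + 1 >= b * 2", (("e", "a + 1 - b * 2"),)),
        Transition("s2", ("a", "b"), ("e",), "a + 1 < b * 2", (("e", "b * 2 - (a + 1)"),)),
        Transition("s3", ("e",), ("f",), "True", (("f", "e + 1"),)),
    ),
    initial=frozenset({"a", "b"}), in_ports=("a", "b"), out_ports=("f",))

if __name__ == "__main__":
    for src, guard, update, dst in pres_to_fsmd(N1)[1]:
        print(f"{src} --[{guard}]--> {dst}  {update}")
    print("N1 ~ N2:", totally_equivalent(N1, N2, {"a": 2, "b": 3}))
```

The firing sets are the maximal sets of enabled transitions with pairwise disjoint pre-sets, so t1 and t2 of N1 become one FSMD transition with two parallel assignments, while the conflicting t3 and t4 become two FSMD transitions whose guards must be mutually exclusive; `run` raises an error if they are not. The converter terminates because FSMD states are markings, i.e. sets of places, of which a bounded net has finitely many. The equivalence check is only as strong as the inputs it is run on; it is a test of the paper's conditions on concrete values, not a proof over all of them.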

4.2 Modeling of a real life example

Non-pipelined and pipelined versions of a PRES+ model for a jammer are reported in [3], together with a transformation technique from the non-pipelined to the pipelined version [3]. The non-pipelined and pipelined PRES+ models are shown in Figure 6 and Figure 7 respectively.

Figure 6: A non pipelined PRES+ model for a jammer

Figure 7: A pipelined PRES+ model for a jammer

5 Experimental results

We have reported a translation algorithm from an untimed PRES+ model to an FSMD model. By hand-executing this algorithm we obtained the FSMD model of the jammer from the non-pipelined PRES+ model. The FSMD model is given in Figure 8 and its transition function in Table 1.

Figure 8: A non pipelined FSMD model for a jammer

State transition | Transition function (assignments carried out in parallel)
 | in-Copy, Thresold-copy, trigerselect-Copy, opMode-Copy, modParLib-Copy and delayPerLib-copy
 | detectEnv
 | detectAmp
 | thresold-keepVal, copy
 | getAmp, pwPricnt
 | getT
 | head
 | f
 | getKPS
 | getPer
 | getType
 | trigSelect-keepVal, getScenario
 | trigSelect-copy, opMode-keepVal, extractN, extractN
 | opmode-copy, delayPerLib-keepVal, modPerLib-keepVal, adjustdelay
 | delayPerLib-copy, modPerLib-copy, doMod
 | sumsig
Table 1: Transition function of the FSMD model obtained from the non-pipelined PRES+ model of a jammer

Similarly, the FSMD generated from the pipelined PRES+ model is shown in Figure 9 and its state transition function is given in Table 2.

Figure 9: A pipelined FSMD model for a jammer

State transition | Transition function (assignments carried out in parallel)
 | in-Copy, detectEnv
 | Thresold-copy, keepVal, detectAmp
 | in-Copy, getAmp
 | pwPriCnt, getT, head
 | f, getKPS, FFT, getPer
 | trigerselect-Copy, keepVal, getType, opMode-Copy, keepVal, getScenario
 | modParLib-Copy, keepVal, extractN and delayParLibCopy, keepVal, extranctN, adjustDelay
 | doMod, sumsig
 | emit
Table 2: Transition function of the FSMD model obtained from the pipelined PRES+ model of a jammer

Here the FSMD equivalence checking is straightforward: each of the two FSMDs has a single path, and the data transformations along the two paths (Tables 1 and 2) are the same. Note that the pipelined FSMD reaches that transformation in fewer states, since Table 2 groups operations that Table 1 performs in separate steps, so the comparison is between the transformations composed along each path, not between the states one by one. Hence the two FSMD models are equivalent.
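The single-path comparison of this section, as an added Python example; it is not the author's code and not the method of [4] as published. It composes the parallel assignments of each path symbolically, treating the jammer operations as uninterpreted functions, and compares the resulting expressions for the outputs. The paths, the input names and the grouping of operations are constructed for the example and only loosely follow Tables 1 and 2.

```python
import ast
import copy


class _Subst(ast.NodeTransformer):
    """Replace every variable reference with the expression the variable currently holds."""
    def __init__(self, env):
        self.env = env

    def visit_Name(self, node):
        return copy.deepcopy(self.env[node.id]) if node.id in self.env else node


def compose(path, inputs):
    """Symbolically execute one FSMD path. A path is a list of steps; each step maps
    variables to right-hand sides (Python syntax; calls are uninterpreted functions).
    All assignments of a step are parallel: every right-hand side is evaluated in the
    environment left by the previous step, as in Step 3.2.3 of the conversion algorithm."""
    env = {v: ast.Name(id=v, ctx=ast.Load()) for v in inputs}
    for step in path:
        new = {var: _Subst(env).visit(ast.parse(rhs, mode="eval").body)
               for var, rhs in step.items()}
        env.update(new)
    return env


def final_expr(path, inputs, var):
    """Closed-form expression of var over the primary inputs after the path executes."""
    return ast.unparse(compose(path, inputs)[var])   # ast.unparse needs Python 3.9+


def path_equivalent(p1, p2, inputs, outputs):
    """Two single-path FSMDs are equivalent when each output is the same function of the
    inputs along both paths (compared structurally; operations are not interpreted)."""
    e1, e2 = compose(p1, inputs), compose(p2, inputs)
    return all(v in e1 and v in e2 and ast.dump(e1[v]) == ast.dump(e2[v]) for v in outputs)


# Constructed paths (loosely modelled on Tables 1 and 2; the operations are uninterpreted
# and the grouping is an assumption, not the paper's). Inputs: x (signal), th (threshold),
# lib0 (modulation library).
INPUTS = ["x", "th", "lib0"]
NON_PIPELINED = [                                   # one operation per state
    {"env": "detectEnv(x)"},
    {"lib": "copy(lib0)"},
    {"amp": "detectAmp(env, th)"},
    {"t": "getT(amp)"},
    {"out": "doMod(t, lib)"},
]
PIPELINED = [                                       # independent operations share a state
    {"env": "detectEnv(x)", "lib": "copy(lib0)"},
    {"amp": "detectAmp(env, th)"},
    {"t": "getT(amp)"},
    {"out": "doMod(t, lib)"},
]
HAZARD = [                                          # getT reads amp in the state that produces it
    {"env": "detectEnv(x)", "lib": "copy(lib0)"},
    {"amp": "detectAmp(env, th)", "t": "getT(amp)"},
    {"out": "doMod(t, lib)"},
]

if __name__ == "__main__":
    for name, path in [("non-pipelined", NON_PIPELINED), ("pipelined", PIPELINED), ("hazard", HAZARD)]:
        print(f"{name:14s} out = {final_expr(path, INPUTS, 'out')}")
    print("equivalent:", path_equivalent(NON_PIPELINED, PIPELINED, INPUTS, ["out"]))
```

Because each step's right-hand sides are evaluated in the previous step's environment, the example also catches a pipelining mistake: in HAZARD the output is no longer the same function of the inputs, since getT reads the stale value of amp. Structural comparison is sound but not complete: paths that compute the same function with a different arrangement of operations (reassociated arithmetic, for instance) would need the normalization rules of [4] or a solver to be recognized as equivalent.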

6 Plan of Future work

  • Analysis of the correctness of the technique, complexity analysis, etc.
  • Direct equivalence checking between two PRES+ models.
  • Generalization of FSMD models to timed FSMD models, which capture the data path as well as the timing behaviour, and conversion of PRES+ models to timed FSMD models.


  • [1] S. Edwards, L. Lavagno, E. A. Lee, and A. Sangiovanni-Vincentelli, “Design of embedded systems: Formal models, validation, and synthesis,” in Proceedings of the IEEE, pp. 366–390, 1997.
  • [2] P. Eles, K. Kuchcinski, Z. Peng, A. Doboli, and P. Pop, “Scheduling of conditional process graphs for the synthesis of embedded systems,” in DATE ’98: Proceedings of the conference on Design, automation and test in Europe, (Washington, DC, USA), pp. 132–139, IEEE Computer Society, 1998.
  • [3] L. A. Cortés, P. Eles, and Z. Peng, “Verification of embedded systems using a petri net based representation,” in ISSS ’00: Proceedings of the 13th international symposium on System synthesis, (Washington, DC, USA), pp. 149–155, IEEE Computer Society, 2000.
  • [4] C. Karfa, D. Sarkar, C. Mandal, and P. Kumar, “An equivalence-checking method for scheduling verification in high-level synthesis,” IEEE Trans. on CAD of Integrated Circuits and Systems, vol. 27, no. 3, pp. 556–569, 2008.