Abstract
Introduction
High-Level Synthesis (HLS) identifies and assigns time steps to all operations of a given behavioral description (scheduling) and then binds them to individual resource instances from a library of components (allocation or binding) to automatically generate Register-Transfer Level designs. Synthesis can be verified by establishing equivalence between the result of each step and the design specification that is the input of the synthesis tool, provided each of these is represented using the same abstract model. Verification by this method has been demonstrated to be highly scalable in [1], [9], [10].
FSMD, which extends the Finite State Machine (FSM) model, is known to be a simple and extremely efficient way to represent complex designs comprehensively [4]. Unlike FSMs, which often model only the control flow, FSMDs capture the data flow of a design too. Moreover, in modeling the sequential elements of the data path, each bit is NOT directly translated into two states, which alleviates the state explosion problem. We use FSMD models to represent the three different design abstractions along the HLS process, viz. the initial design, the design after scheduling, and the design after binding. Verification of HLS is done by establishing the equivalence of the FSMDs of any two consecutive design abstractions. This approach, however, cannot always be applied successfully to two FSMD models that have the same functionality, for the reason explained below.
HLS can be seen as a stepwise transformation of a behavioral specification into a structural implementation, as shown in Fig. 1. The intermediate result produced after each step is modeled by an automaton. Each automaton is an FSMD as described in [4], [2]. Three different automata represent the behavior (M), the scheduled CDFG (M_s) and the final CDFG after scheduling and binding. The scheduling process may move operations into different states. In Fig. 1, for example, after scheduling, the shift-right operation and the addition operation of the behavior M have each moved from their own state into another state. Hence, two states present in M were removed in M_s. This causes a difference in the number of states and in the behavior of the two FSMDs in each state. A similar problem does not arise between M_s and the bound FSMD, as is evident from Fig. 1. Since the correspondence between the states is lost after scheduling, the two machines M and M_s are not equivalent under the conventional definition of FSM equivalence. This definition is, however, too restrictive, as the equivalence condition may fail for designs that are functionally equivalent. Therefore, a definition of equivalence between FSMDs that captures the notion of functional equivalence is needed.
In this paper, we propose a novel approach to verify equivalence between the FSMDs representing the automata M and M_s. The notion of functional equivalence of FSMDs is also defined. Both FSMDs, for M and M_s, are converted into sets of an equal number of higher-order logic predicates. The functional equivalence is then proved based on the equivalence of each pair of predicates. Defining each predicate in a re- ...
Related work
Model checking was used to perform equivalence checking between the behavioral specification and the RTL implementation of designs in [1], and also to validate the controllers generated by the HLS system DSS in [10]. Mansouri et al. suggested a formal verification methodology for the HLS process using the PVS prover [9], by checking the equivalence between the behavioral specification and the RTL implementation. An FSM verification methodology based on failure state reachability of the product machine was presented in [8]. This is, however, limited to FSM models and cannot exploit the benefits of FSMD models.
Borrione et al. presented a formal verification methodology for establishing equivalence between the FSMDs representing the scheduled CDFG and the RTL implementation after binding [2]. A fully automatic method for equivalence checking between designs before and after scheduling in HLS was presented in [3]; it uses a custom-defined language, LLS (Language of Labeled Segments), instead of FSMDs, which leads to a lack of design compatibility. While all these methods target a similar verification problem, we believe that a completely automated verification of the scheduling process using the FSMD model is unique to this work.
Formalization of FSMD Equivalence
FSMD is an extension of FSM. Usually, FSM models provide the precision required for formal reasoning about designs. But they are susceptible to state explosion problems and hence cannot be employed for large designs. FSMDs, on the other hand, have states encoded as variables, thus alleviating the state explosion problem and hence making formal verification of large designs possible. The definition of FSMD equivalence is presented below as an extension of FSM equivalence.
FSM Model and its Equivalence
Here, we briefly review the definitions of FSM and FSM equivalence as given in [6] and [7] . 
Note that in the above definition: (1) the mapping S → S′ between the states of the two machines is bijective, and (2) this definition only applies to compatible machines, i.e., machines which have the same input and output valuation sets.
FSMD model and its Equivalence
Our verification method uses an FSMD that is an extension/variation of [4] and [2]. It is defined as a six-tuple
where S is the set of states; Σ is the set of all valuations of the inputs; Δ is the set of all valuations of the outputs;
Here, compared to FSM, compatibility is defined by having the same input and output valuation sets as well as the same variable valuation sets. Fig. 2 shows the behavioral description of a design in VHDL, borrowed from [4]. To present the problem and illustrate our methodology, this example will be used throughout the paper. The FSMD models of the behavioral specification (M) and the scheduled CDFG (M_s) for this example are shown in Fig. 3 and Fig. 4, respectively. The equivalence between the FSMD models of the scheduled CDFG (M_s) and the bound CDFG can be established using the definition of FSMD equivalence as defined in the previous section. The same, however, is not possible between the FSMD models of the behavior CDFG (M) and the scheduled CDFG (M_s), because: 1) more than one state of the behavior M might get merged into a single state of M_s after scheduling, due to the assignment of the same time step to them; for example, s_2 and another state in Fig. 3 merge into a single state in Fig. 4 after scheduling; 2) a compound operation in the behavior might be broken into simpler operations, each scheduled at a different time step in M_s. In other words, the bijective relation between the states of the two machines is lost. This, however, does not mean that the two FSMDs are not functionally equivalent. Motivated by this, we define a less constrained equivalence relation between FSMDs, under which two machines with different numbers of states may be considered functionally equivalent.
Functional Equivalence of FSMDs

State Transition Predicate
Our fundamental idea of functional equivalence for two FSMDs is based on introducing predicate logic. Predicate calculus can be used to describe hardware structures [5]. The basic principles are:
1) Modules are predicates, with their primary inputs and outputs forming the parameters of the predicates.
2) Primary inputs and outputs are universally quantified, while internal connections are hidden using existential quantifiers.
3) Connections between modules are made by sharing names.
4) Composition is done with logical conjunction.
Since the values generated by the next-state function and the output/update function in one state transition of an FSMD are used as inputs of the next transition, we can draw an analogy between an FSMD and an iterative network. An iterative network is a digital structure with cascaded identical circuit modules [6]. More precisely, one particular state transition of an FSMD can be seen as one independent module. This is depicted in Fig. 5. Analogous to iterative networks, the primary inputs and the outputs o form the input and output vectors between the environment and the module. Also, s and v are the inter-module carriers representing a state and a valuation of the variables. We can further clarify this using s_in, v_in, s_out and v_out in Fig. 5. Consecutive modules whose inputs remain constant during the transitions, producing a single valid output at the end, can be grouped into a single larger module. Fig. 6 depicts one module representing a state transition path consisting of three consecutive state transitions. Except for the last state transition, the valuations of s and v are seen as internal connections that can be hidden by existential quantification, as is done for internal connections between sub-modules of hardware modules. The state transition path predicate (p_path) for this compound module is given as:
and these are illustrated in Fig. 5 and Fig. 7, respectively. Note that in these definitions a new parameter is added to the path predicate to denote the number of transitions on the path. Having defined the structure of a generic state transition path predicate, we can model the entire FSMD as a set of path predicates.
Breaking FSMD into a Set of State Transition Paths
The behavior automaton M can be decomposed into several sub-automata by breaking it at 1) the initial state, 2) the states at which I/O occurs, and 3) conditional states. The state transition path between any two break-points is then formally described by a path predicate, p (as defined in the previous section). This break-up for our example is illustrated in Fig. 8.
The set of state transition paths of M_s
Formalization of the Verification Technique
Each path predicate is represented as a four-tuple comprising the initial state of the path, s_in, the number of intermediate state transitions on the path, n, its final output state, s_out, and the condition under which the sequence of transitions on the path will occur, cond;
The predicate sets P and P_s are constructed as shown in
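As an added illustration (not the paper's PVS formalization), the check below models a behavior FSMD M whose shift-right and addition sit in separate states and a scheduled FSMD M_s in which they share one time step, breaks both machines at their initial and I/O states, and compares the variable valuation at the end of each corresponding path for every starting valuation and constant input over a 4-bit domain. The two machines, the break-point correspondence beta_s and the 4-bit domain are constructed here, and the paper's induction proofs in PVS are replaced by exhaustive enumeration.

```python
from itertools import product
MASK = 0xF                    # constructed: 4-bit data path keeps enumeration small

def step_m(state, v, inp):    # behavior FSMD M (constructed): one op per state
    x, y = v
    if state == "s0":         # read input into x (I/O state, break-point)
        return "s1", (inp, y)
    if state == "s1":         # shift-right
        return "s2", (x >> 1, y)
    if state == "s2":         # addition
        return "s3", (x, (y + x) & MASK)
    return "s0", (x, y)       # s3: output y (I/O state, break-point)

def step_ms(state, v, inp, chained=True):
    # scheduled FSMD M_s: s1 and s2 of M share time step t1;
    # chained=False models a faulty schedule that adds the stale x
    x, y = v
    if state == "t0":
        return "t1", (inp, y)
    if state == "t1":
        nx = x >> 1
        return "t2", (nx, (y + (nx if chained else x)) & MASK)
    return "t0", (x, y)       # t2: output y

def run_path(step, s_in, v, inp, breaks):
    # follow transitions from break-point s_in to the next break-point;
    # returns the path tuple (s_in, n, s_out) and the final valuation
    state, n = s_in, 0
    while True:
        state, v = step(state, v, inp)
        n += 1
        if state in breaks:
            return (s_in, n, state), v

def fsmds_equivalent(step_a, breaks_a, step_b, breaks_b, beta_s):
    # from break-points related by beta_s, every start valuation and constant
    # input must reach related break-points with equal valuations; n may differ
    vals = range(MASK + 1)
    for s_a, s_b in beta_s.items():
        for x, y, inp in product(vals, vals, vals):
            (_, _, end_a), va = run_path(step_a, s_a, (x, y), inp, breaks_a)
            (_, _, end_b), vb = run_path(step_b, s_b, (x, y), inp, breaks_b)
            if beta_s.get(end_a) != end_b or va != vb:
                return False
    return True
BREAKS_M, BREAKS_MS = {"s0", "s3"}, {"t0", "t2"}   # initial + I/O states
BETA_S = {"s0": "t0", "s3": "t2"}                  # break-point correspondence
def check_schedule(chained=True):  # True iff M and this M_s are path-equivalent
    step = lambda st, v, i: step_ms(st, v, i, chained)
    return fsmds_equivalent(step_m, BREAKS_M, step, BREAKS_MS, BETA_S)
```

The path from s0 to s3 in M has n = 3 transitions while the corresponding path from t0 to t2 in M_s has n = 2, so plain FSM equivalence fails, yet the path-wise check passes for the chained schedule and rejects the faulty one.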
Implementation
The FSMD models of the behavioral specification of a design given in VHDL (M) and of the scheduled CDFG (M_s) generated by the HLS tool are extracted and formulated in the PVS language. The set of state transition paths and the set of transition conditions for the paths are then extracted as described in the previous section. Also, the mapping functions between the transition paths and between the variables of the two machines are defined. Then, exploiting the recursive nature of the path predicates and using a standard proof template by induction, the proof script of the equivalence theorem for each corresponding pair of transition paths is automatically generated.
This method has been integrated with an HLS tool. No human intervention is required from the input of the behavioral specification in VHDL until the generation of the scheduled CDFG and the equivalence theorems along with their proof scripts. The equivalence theorems are then loaded into the PVS system and the proofs are performed using the generated proof scripts. The methodology has been applied to the verification of synthesis results with various scheduling algorithms.
Conclusion
In this paper, a method for formal verification of scheduling in HLS was presented. Since automation is key in formal verification of synthesis, the significance of this work is the induction-based mathematical model of FSMDs that makes formal verification of scheduling results amenable to automation. Based on this, we introduced a less constrained definition of functional equivalence between two FSMDs, making equivalence checking between FSMDs applicable to more practical verification problems. However, the scope of this approach is not limited to high-level synthesis. Since the FSMD is highly suitable for modeling designs at any level of abstraction, designs at the same or different levels can be modeled as FSMDs, and their functional equivalence can be verified automatically.
Our future work includes the extension of the method to accommodate verification of scheduled CDFGs with pipelined control constructs, and the CDFGs that have undergone aggressive code motion (e.g. speculation, reverse speculation).
