Equivalence Checking in Embedded Systems Design Verification using PRES+ model
Soumyadip Bandyopadhyay
soumyadip@cse.iitkgp.ernet.in
arXiv:1010.4953v1 [cs.LO] 24 Oct 2010
1 Introduction
In this paper we focus on some aspects of the modeling and formal verification of embedded systems. Many models have been proposed to represent embedded systems [1] [2]. These models encompass a broad range of styles, characteristics and application domains, and include extensions of finite state machines, data flow graphs, communicating processes and Petri nets. In this report we use the PRES+ model (Petri net based Representation for Embedded Systems), an extension of the classical Petri net model that captures the concurrency and timing behaviour of embedded systems; it allows systems to be represented at different levels of abstraction and improves expressiveness by allowing tokens to carry information [3]. This modeling formalism has a well defined semantics, so it supports a precise representation of the system. As a first step we work with the untimed PRES+ model, which captures all the features of PRES+ except the timing behaviour; this model was described in an earlier report.
A typical synthesis flow for complex systems such as VLSI circuits or embedded systems comprises several phases. Each phase transforms/refines the input behavioural specification (of the system to be designed) with a view to optimizing time and physical resources. Behavioural verification involves demonstrating the equivalence between the input behaviour and the final design, which is the output of the last phase. In computational terms, it is required to show that all the computations represented by the input behavioural description, and exactly those, are captured by the output description.
Modeling using PRES+, as discussed above, may be convenient for specifying the input behaviour because it supports concurrency. However, to the best of our knowledge no equivalence checking method for PRES+ models has been reported in the literature. In contrast, an equivalence checking method for FSMD models exists [4], and a transformation procedure from the non-pipelined version of a PRES+ model to its pipelined version has been reported [3]. As a first step, we therefore hand execute our reported translation algorithm on a real life example: the two versions of the PRES+ model are translated into FSMD models, whose equivalence can then be checked with the FSMD method.
The rest of the paper is organized as follows. Section 2 presents the definitions of the PRES+ and FSMD models. Section 3 presents the proposed algorithm for converting an untimed PRES+ model into an FSMD model. Section 4 presents the notions of equivalence and the working principle of a real life embedded system used as the example. Section 5 verifies the equivalence between the initial and the transformed behaviour using the FSMD equivalence checking method. Finally, some future work is identified in Section 6.
2 Brief description of PRES+ and FSMD model
Before the conversion mechanism we discuss the design representation of PRES+ models.
2.1 Description of PRES+ models
A PRES+ model is a seven tuple N = (P, V_P, K, T, I_P, O, M_0), where the members are defined as follows. The set P = {p1, p2, ..., pm} is a finite non-empty set of places. V_P is the set of variables: a place p is associated with a variable v_p, so V_P = {v_p | p ∈ P}. Every place is capable of holding a token having a value. A token value may be of any type, such as Boolean, integer, etc., or a user-defined type of any complexity (for instance a structure, a set or a record). The set K denotes the set of all possible token types; thus K is a set of sets. The set T = {t1, t2, ..., tn} is a finite non-empty set of transitions. I_P ⊆ P × T is a finite non-empty set of input arcs which define the flow relation from places to transitions ("input" with respect to transitions); O ⊆ T × P is a finite non-empty set of output arcs which define the flow relation from transitions to places. A marking M is an assignment of tokens to the places of the net; since a place holds at most one token, M(p) ∈ {0, 1} for every p ∈ P, and M can be identified with the set of marked places, M ⊆ P. For a particular marking M, a place p is said to be marked iff M(p) = 1. M_0 is the initial marking of the net, depicting the places holding tokens initially.
The type function τ: P → K associates every place p ∈ P with a token type.
The pre-set °t of a transition t ∈ T is the set of input places of t, i.e. °t = {p ∈ P | (p, t) ∈ I_P}. Similarly, the post-set t° of a transition t ∈ T is the set of output places of t, t° = {p ∈ P | (t, p) ∈ O}; all output places of a transition carry the same type and the same variable, i.e. ∀t ∈ T, ∀p1, p2 ∈ t°: τ(p1) = τ(p2) and v_p1 = v_p2. The subset V_°t = {v_p | p ∈ °t} is the set of variables associated with the places from which input arcs lead to the transition t. Similarly, the pre-set °p and the post-set p° of a place p ∈ P are given by °p = {t ∈ T | (t, p) ∈ O} and p° = {t ∈ T | (p, t) ∈ I_P}, respectively.
For every transition t ∈ T there exists a transition function f_t associated with t; that is, for all t ∈ T, f_t: τ(p1) × τ(p2) × ... × τ(pa) → τ(q), where °t = {p1, p2, ..., pa} and q ∈ t°. The functions f_t capture the functional transforms applied to the variables associated with the output places of the transitions, i.e. v_q ⇐ f_t(v_p1, v_p2, ..., v_pa).
A transition t ∈ T may have a guard g_t associated with it. The guard of a transition t is a predicate g_t: τ(p1) × τ(p2) × ... × τ(pa) → {0, 1} over the variable set V_°t, where °t = {p1, p2, ..., pa}.
2.2 Description of FSMD model
A finite state machine with data path (FSMD) is a universal specification model. An FSMD is defined as an ordered tuple F = (Q, q_0, I_F, V_F, O_F, f, h), where Q = {q_0, q_1, ..., q_n} is a finite set of control states; q_0 ∈ Q is the reset state; I_F is the set of primary input signals; V_F is the set of storage variables; O_F ⊆ V_F is the set of primary output signals; f: Q × 2^S → Q is the state transition function; and h: Q × 2^S → U is the update function of the output and storage variables. The sets S and U are defined as follows. S = L ∪ E_R, where L is the set of Boolean literals of the form b or ¬b with b ∈ B ⊆ V_F a Boolean variable, and E_R = {e R 0 | e ∈ E_A} is the set of status expressions over I_F ∪ V_F; here E_A is the set of arithmetic expressions over the input and storage variables I_F ∪ V_F, and R is any arithmetic relation, R ∈ {=, ≠, >, ≥, <, ≤}. U = {x ⇐ e | x ∈ O_F ∪ V_F and e ∈ E_A ∪ E_R} is the set of storage or output assignments.
3 Proposed algorithm for conversion from an untimed PRES+ model to an FSMD model
Let the input PRES+ model be N and the generated FSMD model be F. For simplicity, we assume that all tokens are of integer type, i.e. τ(p) = Z for all p ∈ P.
The first step of our algorithm computes the following entities of the FSMD model: q_0, I_F, V_F, O_F, U and S. The algorithm then goes on to compute Q, the set of states; f, the state transition function; and h, the update function. Symbolic simulation of the PRES+ model is used to compute these entities, starting from the initial marking M_0 = q_0.
• At each step of the simulation, starting from the present marking M (= q) ⊆ P, the algorithm enumerates all the possible sets of transitions of N that can fire from M; for each of these sets it constructs the next state q+ of F from the new marking M+ of the PRES+ model N.
• It then obtains the transition from q to q+ in F.
Figure 1: Places and transitions in a PRES+ model (figure: marked places p1, p2, p3; transition t1 with inputs p1, p2 and function f_t1; transitions t2 and t3 both with input p3, functions f_t2 and f_t3, and guards g and ¬g respectively; output places p4, p5, p6, p7)
• For example, consider the scenario given in Figure 1. Let M = {p1, p2, p3} = q; the set T_q of all transitions emanating from the places in M is T_q = {t1, t2, t3}. Since t2 and t3 share the input place p3 and are guarded by g and ¬g, the possible sets of transitions are {t1, t2}, leading to the marking M+_1 = {p4, p5, p6} = q+_1, and {t1, t3}, leading to the marking M+_2 = {p4, p7} = q+_2. The FSMD transition (q → q+_1) is associated with the guard condition g and the FSMD transition (q → q+_2) with the guard condition ¬g, i.e. f(q, g) = q+_1 and f(q, ¬g) = q+_2. h(q, g): v_p4 ⇐ f_t1(v_p1, v_p2) and v_p6 = v_p5 ⇐ f_t2(v_p3). h(q, ¬g): v_p4 ⇐ f_t1(v_p1, v_p2) and v_p7 ⇐ f_t3(v_p3).
Algorithm
Steps:
Step 1: Given the PRES+ model N,
  q_0 ⇐ M_0;
  I_F ⇐ {v_p | p ∈ M_0};
  V_F ⇐ {v_p | p ∉ M_0};
  // O_F is the set of variables associated with places from which no arc is input to any transition. Therefore
  O_F ⇐ {v_p | p° = ∅};
  // U is obtained from the transition functions of the PRES+ model and the variables associated with the post-sets of the transitions. Therefore
  U ⇐ {x ⇐ f_t(v_1, v_2, ..., v_n) | t ∈ T, f_t is the function associated with t, x = v_q for q ∈ t°, and v_i ∈ V_°t for 1 ≤ i ≤ n};
  // S is obtained from the guard conditions of the PRES+ model. Therefore
  S ⇐ {g_t | t ∈ T};
Step 2: Q ⇐ {q_0}; Q_new ⇐ Q; Q+_new ⇐ ∅;
Step 3: ∀q ∈ Q_new
  Step 3.1: Q_new ⇐ Q_new − {q}; T_q ⇐ {t | °t ⊆ q};
    τ_q ⇐ constructSetOfTransitions(T_q); // τ_q ⊆ 2^{T_q}: the sets of transitions that can fire together from q
    Q^q_new ⇐ ∅; // Q^q_new: the set of next states generated from q; they are mutually exclusive, depending on the guard conditions associated with the members of τ_q
  Step 3.2: ∀T ∈ τ_q
    Step 3.2.1: q+_T ⇐ (q − ∪_{t ∈ T} °t) ∪ ∪_{t ∈ T} t°; // the marking reached from q by firing the transitions of T
      Q^q_new ⇐ Q^q_new ∪ {q+_T};
    Step 3.2.2: Let G_T be the set of guards associated with the transitions t ∈ T. In the table of the function f, insert the entry f(q, G_T) = q+_T;
    Step 3.2.3: Let A_T be the set of assignments of the form {v ⇐ f_t(v_1, v_2, ..., v_n) | t ∈ T, v = v_q for q ∈ t°, {v_1, v_2, ..., v_n} = V_°t and f_t is the function associated with t}; in the table of the function h, insert the entry h(q, G_T) = A_T; // the members of A_T are carried out in parallel
    Step 3.2.4: Q+_new ⇐ Q+_new ∪ Q^q_new;
Step 4: // Any new state generated?
  Q+_new ⇐ Q+_new − Q;
  if Q+_new = ∅ exit;
  else { Q ⇐ Q ∪ Q+_new; Q_new ⇐ Q+_new; Q+_new ⇐ ∅; goto Step 3 }
Figure 2: PRES+ model to be converted into FSMD model (figure: in-ports pa and pb; t1 computes a from pa into pc, t2 computes b−1 from pb into pd, t3 computes c+d from pc and pd into pe; t4 and t5 consume pe under the complementary guards [e >= 1] and [e < 1], with functions labelled e and 3*e, into the out-ports pf and pg)
Figure 3: FSMD model equivalent to the PRES+ model of Figure 2 (figure: states q0, q1, q2, q3, q4; q0 → q1 on inputs a, b with c ⇐ a and d ⇐ b−1; q1 → q2 on c, d with e ⇐ c+d; q2 → q3 under e >= 1 with f ⇐ e; q2 → q4 under e < 1 with g ⇐ e)
4 Notion of equivalence and real life example
4.1 Notion of equivalence between two PRES+ models
In the synthesis process there are a number of refinement phases, and the system model is transformed in each phase. The validity of each transformation therefore depends on the equivalence between the input behaviour and the output behaviour of the phase. The literature [3] has propounded three notions of equivalence, namely cardinality equivalence, functional equivalence and time equivalence; two PRES+ models are totally equivalent iff they satisfy all three. We are dealing with untimed PRES+, hence there is no need to show time equivalence. Two PRES+ models N1 and N2 are cardinality equivalent iff:
1. There exists a one to one correspondence between the in-ports and the out-ports of N1 and N2, i.e. f_in: inP1 ↔ inP2 and f_out: outP1 ↔ outP2.
2. The initial markings M_1,0 and M_2,0 of N1 and N2 are the same, i.e. they correspond under f_in.
3. After execution of N1 and N2, if tokens have accumulated at the out-ports of each net, there is a one to one correspondence (under f_out) between the marked out-ports of the two nets.
For example, in Figure 4 inP1 = {Pa, Pb}, outP1 = {Pe, Pf, Pg}, inP2 = {Paa, Pbb}, outP2 = {Pee, Pff, Pgg}, and f_in and f_out are defined by f_in(Pa) = Paa, f_in(Pb) = Pbb, f_out(Pe) = Pee, f_out(Pf) = Pff and f_out(Pg) = Pgg. The two nets also satisfy the second condition. N1 and N2 satisfy the third condition as well: after execution of N1 and N2 all out-ports of N1 and N2 contain tokens, and they are in one to one correspondence. Hence the two PRES+ models N1 and N2 are cardinality equivalent.
Two PRES+ nets N1 and N2 are functionally equivalent iff:
1. N1 and N2 are cardinality equivalent,
2. the token values at corresponding out-ports of N1 and N2 are the same.
For example, in Figure 5 N1 and N2 are cardinality equivalent. If Pa of N1 and Paa of N2 contain tokens whose values are 2, then after execution of N1 and N2 the out-ports of N1 and N2 contain tokens whose values are 5. Hence the two nets are functionally equivalent and, being untimed, totally equivalent.
Figure 4: Cardinality equivalent nets (figure: (a) net N1 with places Pa, Pb, Pc, Pd, Pe, Pf, Pg; (b) net N2 with places Paa, Pbb, Pxx, Pee, Pff, Pgg)
Figure 5: Functionally equivalent nets (figure: (a) net with places Pa, Pb, Pc; (b) net with places Pa, Pb; transition functions labelled a, b, b + 1, a + 2, a + 1)
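The conversion algorithm of Section 3 and the cardinality and functional equivalence conditions of Section 4.1, worked through in Python on the net of Figure 2. This is an added example, not code from the paper or from [3], and it rests on several assumptions: the variable of place "px" is named "x"; all tokens are integers; constructSetOfTransitions returns the maximal sets of enabled transitions whose presets are pairwise disjoint (so conflicting guarded transitions split the FSMD transition as in Figure 1); the next marking follows the standard Petri net firing rule; and the two guarded transitions of Figure 2 compute f ⇐ e under [e >= 1] and g ⇐ 3*e under [e < 1] (the figure labels them e and 3*e). The nets N2 and N3 are constructed refinements, not taken from the paper.

```python
from itertools import combinations

def var(p):                       # v_p: assumption that place "pe" holds variable "e"
    return p[1:] if p.startswith("p") else p

class PresPlus:
    """Untimed PRES+ net; each transition carries its function and guard as a
    symbolic expression (for the FSMD) and as a Python callable (to execute)."""
    def __init__(self, m0):
        self.m0 = frozenset(m0)   # M_0, the in-ports
        self.t = {}               # name -> (pre, post, expr, fn, guard_expr, guard_fn)

    def add(self, name, pre, post, expr, fn, guard=("1", lambda *a: True)):
        self.t[name] = (tuple(pre), tuple(post), expr, fn, guard[0], guard[1])

    def out_ports(self):          # p° = ∅: no transition consumes p
        places = self.m0 | {p for pre, post, *_ in self.t.values() for p in pre + post}
        return {p for p in places if not any(p in pre for pre, *_ in self.t.values())}

    def steps(self, enabled):
        """constructSetOfTransitions, assumed to mean: the maximal subsets of
        `enabled` with pairwise disjoint presets (a shared input place conflicts)."""
        sets = []
        for k in range(len(enabled), 0, -1):
            for combo in combinations(enabled, k):
                pres = [set(self.t[n][0]) for n in combo]
                if sum(map(len, pres)) == len(set().union(*pres)) \
                        and not any(set(combo) < s for s in sets):
                    sets.append(set(combo))
        return sets

    def fire(self, q, T):         # standard firing rule: M+ = (M - °T) ∪ T°
        return (q - {p for n in T for p in self.t[n][0]}) | {p for n in T for p in self.t[n][1]}

def to_fsmd(net):
    """Section 3: states are markings, f maps (q, G_T) to q+_T and h maps it to
    the parallel assignments A_T of the transitions in T."""
    q0 = net.m0
    f, h, Q, new = {}, {}, {q0}, [q0]
    while new:                                                  # Steps 3 and 4
        q = new.pop()
        enabled = [n for n, (pre, *_) in net.t.items() if set(pre) <= q]      # T_q
        for T in net.steps(enabled):                                          # tau_q
            guards = frozenset(net.t[n][4] for n in T if net.t[n][4] != "1")  # G_T
            f[(q, guards)] = q_next = net.fire(q, T)
            h[(q, guards)] = {var(p): net.t[n][2] for n in T for p in net.t[n][1]}
            if q_next not in Q:
                Q.add(q_next)
                new.append(q_next)
    return {"Q": Q, "q0": q0, "I": {var(p) for p in q0},
            "O": {var(p) for p in net.out_ports()}, "f": f, "h": h}

def execute(net, tokens):
    """Run the net on concrete in-port tokens ({place: value}) until nothing is
    enabled; returns the out-port tokens.  Picks the first live step if several."""
    tokens = dict(tokens)
    while True:
        live = [n for n, (pre, _, _, _, _, g) in net.t.items()
                if set(pre) <= set(tokens) and g(*(tokens[p] for p in pre))]
        if not live:
            return {p: v for p, v in tokens.items() if p in net.out_ports()}
        T = net.steps(live)[0]
        produced = {p: net.t[n][3](*(tokens[i] for i in net.t[n][0]))
                    for n in T for p in net.t[n][1]}
        for n in T:
            for p in net.t[n][0]:
                del tokens[p]
        tokens.update(produced)

def equivalent(n1, n2, f_in, f_out, inputs):
    """Section 4.1 for one run: returns (cardinality, functional).  Cardinality
    needs bijections f_in / f_out on the ports, M_0 agreeing under f_in, and the
    out-ports marked after execution corresponding under f_out; functional
    additionally needs equal token values at corresponding out-ports."""
    bij = (set(f_in) == n1.m0 and set(f_in.values()) == n2.m0
           and set(f_out) == n1.out_ports() and set(f_out.values()) == n2.out_ports()
           and len(set(f_in.values())) == len(f_in) and len(set(f_out.values())) == len(f_out))
    out1 = execute(n1, inputs)
    out2 = execute(n2, {f_in[p]: v for p, v in inputs.items()})
    card = bij and {f_out[p] for p in out1} == set(out2)
    return card, card and all(out1[p] == out2[f_out[p]] for p in out1)

# N1 is the net of Figure 2 (g <= 3*e assumed for t5); N2 and N3 are constructed
# refinements that compute e in a single transition, N3 with an off-by-one.
N1 = PresPlus(["pa", "pb"])
N1.add("t1", ["pa"], ["pc"], "a", lambda a: a)
N1.add("t2", ["pb"], ["pd"], "b-1", lambda b: b - 1)
N1.add("t3", ["pc", "pd"], ["pe"], "c+d", lambda c, d: c + d)
N1.add("t4", ["pe"], ["pf"], "e", lambda e: e, ("e >= 1", lambda e: e >= 1))
N1.add("t5", ["pe"], ["pg"], "3*e", lambda e: 3 * e, ("e < 1", lambda e: e < 1))

def refinement(expr, fn):
    n = PresPlus(["paa", "pbb"])
    n.add("s1", ["paa", "pbb"], ["pee"], expr, fn)
    n.add("s2", ["pee"], ["pff"], "ee", lambda ee: ee, ("ee >= 1", lambda ee: ee >= 1))
    n.add("s3", ["pee"], ["pgg"], "3*ee", lambda ee: 3 * ee, ("ee < 1", lambda ee: ee < 1))
    return n

N2 = refinement("aa+bb-1", lambda aa, bb: aa + bb - 1)
N3 = refinement("aa+bb", lambda aa, bb: aa + bb)
F_IN, F_OUT = {"pa": "paa", "pb": "pbb"}, {"pf": "pff", "pg": "pgg"}
```

to_fsmd(N1) reproduces the five states of Figure 3, with f({pe}, {e >= 1}) = {pf} and h({pe}, {e < 1}) = {g ⇐ 3*e}, while N2 converts to a four-state FSMD; equivalent(N1, N2, F_IN, F_OUT, {"pa": 2, "pb": 3}) returns (True, True), whereas N3 returns (True, False) for the same inputs and (False, False) for a = 1, b = 0, where the two nets mark different out-ports. Because a guarded net such as Figure 2 marks only one of its out-ports per run, the third cardinality condition is a property of an execution, which is why equivalent takes the input tokens; a checker that neither enumerates inputs nor reasons symbolically over the guards establishes equivalence only for the runs it actually tried.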
4.2 Modeling of a real life example
Non-pipelined and pipelined versions of a PRES+ model for a jammer are reported in [3]; a transformation technique from the non-pipelined version of the PRES+ model to the pipelined version has also been reported there [3]. The non-pipelined and pipelined versions of the PRES+ model are shown in Figure 6 and Figure 7 respectively.
Figure 6: A non pipelined PRES+ model for a jammer (figure: places Pin, Pout and P2 to P48; transitions copy, detectEnv, detectAmp, copy, keepVal, Copy, getAmp, pwPriCnt, getT, head, f, getKPS, FFT, getPer, copy, getType, Copy, KeepVal, getScenario, extractN, extractN, Copy, KeepVal, adjustDelay, doMod, sumSig)
Figure 7: A pipelined PRES+ model for a jammer (figure: places p1 to P30; transitions sample, S1 to S9, emit)
5 Experimental results
We have reported a translation algorithm from the untimed PRES+ model to the FSMD model. By hand execution of this translation algorithm we obtain the FSMD model of the jammer from the non pipelined PRES+ model; this FSMD is given in Figure 8 and its transition function in Table 1. Similarly, the FSMD generated from the pipelined PRES+ model is shown in Figure 9 and its state transition function is given in Table 2.
Figure 8: A non pipelined FSMD model for a jammer (figure: a single path of states q0, q1, ..., q15)
State transition   Transition function
〈q0, q1〉           in-Copy, Thresold-copy, trigerselect-Copy, opMode-Copy, modParLib-Copy, delayPerLib-copy
〈q1, q2〉           detectEnv
〈q2, q3〉           detectAmp
〈q3, q4〉           thresold-keepVal, copy
〈q4, q5〉           getAmp, pwPricnt
〈q5, q6〉           getT
〈q6, q7〉           head
〈q7, q8〉           f
〈q8, q9〉           getKPS, FFT, getPer
〈q9, q10〉          getType
〈q10, q11〉         trigSelect-keepVal, getScenario
〈q11, q12〉         trigSelect-copy, opMode-keepVal, extractN, extractN
〈q12, q13〉         opmode-copy, delayPerLib-keepVal, modPerLib-keepVal, adjustdelay
〈q13, q14〉         delayPerLib-copy, modPerLib-copy, doMod
〈q14, q15〉         sumsig
Table 1: Transition function for the FSMD model obtained from the non pipelined PRES+ model of a jammer
Figure 9: A pipelined FSMD model for a jammer (figure: a single path of states q0, q1, ..., q10)
State transition   Transition function
〈q0, q1〉           in-Copy ✸ detectEnv
〈q1, q2〉           Thresold-copy ✸ keepVal ✸ detectAmp
〈q2, q3〉           in-Copy ✸ getAmp
〈q3, q4〉           pwPriCnt ✸ getT ✸ head
〈q4, q5〉           f ✸ getKPS ✸ FFT ✸ getPer
〈q5, q6〉           trigerselect-Copy ✸ keepVal ✸ getType ✸ opMode-Copy ✸ keepVal ✸ getScenario
〈q6, q7〉           modParLib-Copy ✸ keepVal ✸ extractN and delayParLibCopy ✸ keepVal ✸ extractN ✸ adjustDelay
〈q7, q8〉           doMod ✸ sumsig
〈q8, q9〉           emit
Table 2: Transition function for the FSMD model obtained from the pipelined PRES+ model of a jammer
Here the FSMD equivalence checking is straightforward: both FSMDs have only one path, and the data transformations along the two paths, shown in Table 1 and Table 2, are the same. Hence the two FSMD models are equivalent.
6 Plan of future work
Future work includes carrying out the correctness analysis and complexity analysis of the technique, direct equivalence checking between two PRES+ models, and generalization of FSMD models to timed FSMD models. We will generalize the FSMD model to a timed FSMD model which captures the data path as well as the timing behaviour, together with the conversion of PRES+ models to timed FSMD models.
References
[1] S. Edwards, L. Lavagno, E. A. Lee, and A. Sangiovanni-Vincentelli, “Design of embedded systems: Formal
models, validation, and synthesis,” in Proceedings of the IEEE, pp. 366–390, 1997.
[2] P. Eles, K. Kuchcinski, Z. Peng, A. Doboli, and P. Pop, “Scheduling of conditional process graphs for the synthesis
of embedded systems,” in DATE ’98: Proceedings of the conference on Design, automation and test in Europe,
(Washington, DC, USA), pp. 132–139, IEEE Computer Society, 1998.
[3] L. A. Cortés, P. Eles, and Z. Peng, "Verification of embedded systems using a Petri net based representation," in ISSS '00: Proceedings of the 13th International Symposium on System Synthesis, (Washington, DC, USA), pp. 149–155, IEEE Computer Society, 2000.
[4] C. Karfa, D. Sarkar, C. Mandal, and P. Kumar, “An equivalence-checking method for scheduling verification in
high-level synthesis,” IEEE Trans. on CAD of Integrated Circuits and Systems, vol. 27, no. 3, pp. 556–569, 2008.
