Transition-by-Transition FSM Traversal for Reachability Analysis in Bounded Model Checking

Minh D. Nguyen, Dominik Stoffel, Markus Wedler, Wolfgang Kunz

Department of Electrical and Computer Engineering University of Kaiserslautern, Germany {nguyen, stoffel, wedler, kunz}@eit.uni-kl.de
RTL description automatic extraction main FSM informal specification

Abstract In bounded model checking (BMC)-based verication ows lack of reachability constraints often leads to false negatives. At present, it is daily practice of a verication engineer to identify the missing reachability constraints by manually inspecting the design code and by analyzing counterexamples. This, unfortunately, requires a lot of effort and is prone to errors. We propose an algorithm to determine reachability constraints automatically. The proposed approach applies to a design style where the operation of the design is controlled by a main FSM which can easily be extracted from the RTL description of the circuit. The algorithm decomposes and analyzes the state space of the circuit by considering transitions of the main FSM. Experimental results show that the proposed method can considerably reduce the manual work of verication engineers.

automatic analysis finds reachability constraints updates properties false negative?

additional reachability constraints

writes properties properties (bounded)

property counter fails example true negative? bug report

property checking (BMC-based) property holds

I. I NTRODUCTION A. Reachability constraints in a BMC-based verication ow In recent years, bounded model checking (BMC) [1] has been used successfully to verify large industrial designs formally. In the BMC-based verication ow, a sequential circuit is unrolled for a nite number of time frames and is then translated together with a property into a SAT instance. In practice, the property is not always checked from the set of initial states as in [1]. Instead of the general AG property, the practical property typically species a set of starting states, a set of stopping states and input/output conditions. The property is used to prove the correct execution of a certain operation by the circuit. Whenever the circuit starts in one of the starting states and goes through a sequence of states under the input conditions it should stop in one of the stopping states and fulll the output conditions1 . A simple example of such a property is (state = idle input = req) (1) AX n (state = ready output = ack) where n is a small number. The sets of starting {state = idle} and stopping {state = ready} states used in the property should be reachable from the initial states of the circuit, otherwise it may lead to a false negative. For example, the circuit checked by the property in Equation 1 may use a counter cnt to keep track of time; it transfers to state ready iff cnt = n. Therefore, the property will fail because it does not specify the value of the counter.
1 The property is similar to a property in a Symbolic Trajectory Evaluation (STE)-based verication ow [2]. Although we focus here on the BMC-based ow, the proposed method can be applied for the STE-based verication ow as well.

Fig. 1. BMC-based verication ow (non-shaded parts) and the proposed algorithm (shaded parted)

For example, one false counterexample is that (state = idle cnt = 1) leads to (state = ready output = ack) after n 1 cycles but not n cycles. The property holds if the condition cnt = 0 is added to the starting state idle of the property, e.g.: (state = idle cnt = 0 input = req) AX n (state = ready output = ack) Reachability constraints such as the correspondence between state and cnt in the example are necessary to avoid false negatives when properties are proven. They are currently determined manually by inspecting the design code and by analyzing counterexamples. Note that the validity of manually found reachability constraints such as the invariant AG(state = idle cnt = 0) in the example must be proven as well. In practice, they are included in the set of properties. In this paper, we consider a certain design style that is often used to implement protocols and other specications consisting of many FSMs. We assume that the behavior of the design is controlled by a main FSM that interacts with a hierarchy of sub-FSMs. In the conventional verication ow shown as the nonshaded part in Figure 1, the verication engineer writes properties based on the main FSM of the design. Note that there exist commercial tools to automatically extract the main FSM from the source code of a design. The properties specify functional operations of the design corresponding to a sequence of states of the main FSM (main states). The sets of starting and stopping states of the properties are related to main states. Initially, reachability constraints involving the other

state variables belonging to the sub-FSMs are not specied in the properties. Thus, the properties often fail because of false negatives when checked by a property checking method. The verication engineer needs to extend his analysis to the behavior of the sub-FSMs in order to identify reachability constraints and to update the properties. This, unfortunately, requires a lot of effort and is prone to errors. In this paper, we propose a technique to identify the reachability constraints automatically. Our algorithm and its output are represented as the shaded part in Figure 1. In order to provide the verication engineer with additional reachability constraints the algorithm analyzes the circuit using the information of the main FSM. These additional constraints help to eliminate false negatives. This means that the verication engineer only needs to focus on the main FSM which is usually fairly small. In this way, the number of false negatives as well as the effort of inspecting the code and of updating properties later are reduced dramatically. Moreover, in contrast to manually found reachability constraints, the constraints derived by the proposed method are proven to be valid, automatically. B. Related work The problem of state space explosion in model checking may be avoided by decomposing the characteristic functions of the state set and the transition relation into partitions. In [3], [4], [5] the characteristic function of the transition relation is considered as a conjunction of partitioned functions and is manipulated using an early quantication operation. In other approaches, the state set and the transition relation are decomposed as a disjunction of the characteristic functions which are manipulated separately [6], [7], [8], [9]. In [10], [11], [12] the transition function is decomposed as a disjunction by means of input and output splitting. The combination of disjunctive and conjunctive decomposition is proposed in [13]. Cho et al. presented an approximate FSM traversal method based on state space decomposition [14]. Their basic idea is to partition the circuit into several sub-FSMs and to perform a symbolic traversal for each individual sub-FSM. There are two classes of approximate traversal algorithms in [14]: Machine By Machine (MBM) and Frame By Frame (FBF). The latter has two variants called Reached FBF (RFBF) and To FBF (TFBF). In [15], Cho et al. proposed methods to automatically determine good partitions of the circuit. Another method to partition the circuit using overlapping projections was presented in [16]. In [17], extensions were made to improve the convergence of the RFBF algorithm by proposing the Least xpoint Machine By Machine (LMBM) algorithm. Another thread of research related to our work is Generalized Symbolic Trajectory Evaluation (GSTE). Here the property under verication is specied as assertion graph and is used for decomposing the problem [18], [19], [20], [21]. As highlighted in [19], the GSTE algorithm decomposes the set of states satisfying the property using the assertion graph.

C. Contribution Whereas the previous works aim at calculating or approximating the reachable states for the whole circuit, our goal is to identify reachability constraints in relation to main states of the circuit being necessary to write properties in a BMCbased verication ow. This is done by calculating the sets of reachable states corresponding to main states. In our method, the state space is decomposed into sets of states corresponding to main states. The sets of reachable states are calculated exactly by considering state transitions in the main FSM (main transitions). Using the main FSM to guide the decomposition procedure clearly distinguishes our method from the previous decomposition methods. Although the core algorithm in GSTE [18] looks very similar to our FSM traversal algorithm, there are subtle (but important) differences. In GSTE, the state space satisfying the property is decomposed based on state predicates called antecedents being associated with the edges of the assertion graph. In our algorithm, not only the state space but also the transition relation is decomposed, and this decomposition is performed with respect to individual transitions in the main FSM. Whereas GSTE carries out conventional (unconstrained) image computation for a given intermediate subset of states, the proposed algorithm performs image computation constrained to single transitions in the main FSM. This can signicantly reduce the computational complexity. The algorithm proposed in this paper is therefore named Transition By Transition (TBT) FSM traversal. Another important difference is that TBT traversal can be applied as a pre-processing phase to the complete design. Unlike GSTE, it is not restricted to being driven by the property. Since the main FSM covers the complete state space of the design, TBT traversal performs a complete reachability analysis. To avoid the explosion problem of exact reachability computation we develop a new approximation technique that partitions the design into sub-FSMs using the information of the main FSM. Each sub-FSM is traversed individually in combination with the main FSM using our TBT algorithm. The traversed FSMs in our algorithm are not disjoint partitions as in [15] but they share the same main state variables. Also, they are not similar to overlapping projections as in [16] because our shared state variables are given exactly and are the same for all traversed sub-FSMs. Finally, we use SAT techniques instead of BDD techniques to approximate the set of states. D. Preliminaries Let C be a sequential circuit with a set of primary inputs X = {x1 , . . . , xn }, a set of present-state variables V = {v1 , . . . , vm }, a set of next-state variables V = {v1 , . . . , vm }. We can consider the set of state variables as a vector. A circuit C is modeled as an encoded nite state machine M = (I, S, S0 , ). I B n is the input alphabet, encoded by the primary inputs X, where B = {0, 1}. S B m is the set of states encoded by the state variables. The set S0 S

is the set of initial states. : B n B m B m is the next-state function. The next-state function can be considered as a boolean functional vector = (1 , . . . , m ), where i is the next-state function for a next-state variable vi , i.e., vi = i (X, V ). The value of a state variable vi in a state s is denoted by s(vi ). We consider a sub-vector U of state variables, U = (vj , . . . , vk ), where 1 j < k m. The boolean vector of the values of the state variables in U for state s is denoted by s(U ). Let U = (j |vj U ) be the boolean functional vector of next-state functions for state variables in U . The state transition graph (STG) of a FSM is a graph where the vertices are given by the set of states S, the source vertices correspond to the set of initial states S0 , and the edges are given by the transition relation R S S. The characteristic function of the transition relation is dened as
i=m

Denition 2: Let s S be a main state of a circuit C. The set of states corresponding to s is Ss = {s S|s(V ) = s} In the same way, we can describe the transitions of the complete design C in terms of transitions of the main FSM. When the main FSM moves from one of its states, s1 , to another state, s2 , the circuit C correspondingly moves from a state in Ss1 to another state in Ss2 . If we consider all possible transitions between such states corresponding to s1 and s2 , we can dene the designs transition relation corresponding to a transition of the main FSM: Denition 3: Let (1 , s2 ) R be a main transition of a s circuit C. The transition relation corresponding to (1 , s2 ) is s Rs1 2 = {(s1 , s2 ) R|s1 Ss1 s2 Ss2 } s Given this denition of the transition relation Rs1 2 , we s can dene image computation corresponding to a transition s1 s2 of the main FSM. Denition 4: Let (1 , s2 ) R be a main transition of a s circuit C. The constrained img operation corresponding to (1 , s2 ) is s imgs1 2 (From) = {s2 S|s1 From(s1 , s2 ) Rs1 2 } s s where From S. The following two lemmas show how the state transition graph of a circuit C can be explored based on single transitions of the main nite state machine in the design. Lemma 1: The set of states of the circuit can be decomposed into disjoint sets of states corresponding to main states: S=
sS

R (V , V ) = xX
i=1

(vi i (X, V ))

The set of next states of a set of states From S is calculated by the operation img dened as img(From) = {s S|s From : (s, s ) R} II. D ECOMPOSING THE STATE SPACE BY THE MAIN FSM As mentioned, we assume a certain design style where the overall behavior of the design is controlled by a main FSM. The nite state machine of the circuit C can be viewed as the product machine of all FSMs in C, including the main FSM. The main FSM is encoded by a sub-vector V = (vp , . . . , vq ) of V with 1 p < q m. Denition 1: The STG of the main FSM of the circuit is a tuple (S, S0 , R) where |V | s S = { B |s S : s(V ) = s} is the set of main states S0 = {0 S|s0 S0 : s0 (V ) = s0 } is the set of s initial main states 2 s R = {(1 , s2 ) S |s1 , s2 S : (s1 , s2 ) Rs1 (V ) = s1 s2 (V ) = s2 } is the main transition relation. In other words, the tuple (S, S0 , R) describes the behavior of the isolated main FSM. All other FSMs are abstracted away. The states in S are encoded solely by the state variables belonging to the main FSM such that an encoded main state is a sub-vector of the entire state vector V . The main FSM of the circuit can be easily extracted from the RTL description. Note that the extraction technique must yield a main FSM conforming to Denition 1, i.e., all main states must be identied and no state may be missed. Since the main FSM is very small, in practice, this is easy to guarantee2 . Whenever the main FSM is in one of its states, the other FSMs in the circuit may be in one of many different states. Each single state of the main FSM therefore corresponds to a set of states of the complete circuit C:
2 It is straightforward to devise a formal method for this purpose. In our work, we chose to rely on a commercial solution.

Ss

Proof: (i) Consider a main state s1 and a state s1 Ss1 . By Denition 2 it is s1 S. Therefore, it is s Ss S. (ii) Consider a state s2 S, since V V there exists a s2 S such that s2 (V ) = s2 . Hence, it is s2 Ss2 and S s Ss . (iii) Next we prove that Ss1 Ss2 = for all s1 = s2 . Suppose that there exists s Ss1 Ss2 then, by Denition 2 it is s1 = s(V ) = s2 . From (i), (ii) and (iii), the lemma is proven. Lemma 1 states that the states of the circuit can be computed implicitly and exactly as the union of states corresponding to main states. Lemma 2: Let Froms1 be a set of states corresponding to a main state s1 . The next states of Froms1 can be calculated as: img(Froms1 ) =
s2 :(1 ,2 )R s s

imgs1 2 (Froms1 ) s

Proof: (i) Consider a main transition (1 , s2 ) R and a s state s2 imgs1 2 (Froms1 ). By Denition 4 there exists a s s1 Froms1 such that (s1 , s2 ) Rs1 2 . By Denition 3 it s is (s1 , s2 ) R. Hence, it is s2 img(Froms1 ). Therefore it is (1 ,2 )R (imgs1 2 (Froms1 )) img(Froms1 ). (ii) If we s s s consider a state s2 img(Froms1 ) then there exists a s1 Froms1 such that (s1 , s2 ) R. By Denition 1 there exists a transition (1 , s2 ) R such that s1 (V ) = s1 s2 (V ) = s2 . s

(a)

(b)

(c)

(d)

Fig. 2.

TBT traversal algorithm Fig. 3. Example of TBT traversal algorithm

By Denition 3 it is s2 imgs1 2 (Froms1 ). Therefore, it is s img(Froms1 ) (1 ,2 )R (imgs1 2 (Froms1 )). From (i) and s s s (ii), the lemma is proven. By Lemma 2 the next states of a set of states corresponding to a main state can be calculated using the constrained img operation for every outgoing transition of the corresponding main state. This is the basis of our transition-by-transition FSM traversal algorithm. Note that TBT traversal does not only create a partition of the state set but also disjointly partitions the transition relation of the design. This is important to make the proposed approach practical for large circuits. The algorithm in Figure 2 calculates reachable states of a circuit by decomposing the state space and the transition relation based on the main FSM. Procedure TBT TRAVERSAL (transition by transition) takes the transition relation, the set of initial states and the main FSM of the circuit as inputs. It returns the sets of reachable states corresponding to main states. At the beginning, the sets of states corresponding to the main states are empty except for the sets of states corresponding to the initial main states which contain the given initial states. A queue is used to keep track of the main states that need to be processed next. First, the queue contains the initial main states. A main state s is added to the queue if and only if its corresponding set of states changes. In this case, the sets of states corresponding to the next states of s have to be recalculated. For a main state s in the queue, the algorithm considers all its next states. The set of states Ss s corresponding to a transition ( s ) is calculated by the s constrained img operation. The set of states Ss corresponding to main state s is extended by Ss . If this actually adds s any new states to Ss then s is entered into the queue. When the queue is empty, the sets of states corresponding to the main states are unchanged and the algorithm terminates. Note that procedure TBT TRAVERSAL implements a xedpoint calculation for the sets of reachable states corresponding to the main states.

The algorithm is illustrated in Figure 3 where the main FSM of the circuit consists of four main states s0 . . . s3 . We want to calculate the sets of states Ss0 . . . Ss3 corresponding to the main states. At the beginning, in Figure 3(a), the set of states Ss0 contains the initial state s0 . The other sets of states are empty and the queue consists of s0 . Next, in Figure 3(b), main state s0 is removed from the queue. The algorithm calculates the sets of states S01 and S02 corresponding to the outgoing transitions s0 s1 and s0 s2 of s0 by the constrained img operation. S01 and S02 are united with the old Ss1 and Ss2 , respectively, to obtain the new Ss1 and Ss2 . Because Ss1 and Ss2 change, the main states s1 and s2 are added into the queue. In Figure 3(c), s1 and s2 are removed from the queue. Similarly, the sets of states S13 and S23 corresponding to the outgoing transitions s1 s3 and s2 s3 are calculated. S13 and S23 are added to Ss3 . Because Ss3 changes we add s3 into the queue. In Figure 3(d), we remove s3 from the queue and calculate S30 corresponding to the transition s3 s0 . S30 is then added to the old Ss0 to obtain the new Ss0 . Let us assume that Ss0 does not change because S30 does not contain any new states. Therefore, s0 is not entered into the queue. Now, because the queue is empty the algorithm terminates. Theorem 1: Procedure TBT TRAVERSAL traversal calculates all reachable states of the circuit exactly. Proof: Consider a main state s1 in the queue, the for loop in lines 7 9 iterates over all outgoing transitions of s1 . Therefore, it calculates all next states for the set of states corresponding to s1 according to Lemma 2. This means that all next states of the set of states corresponding to a main state in the queue are visited by the loop. Let state s2 be a newly visited next-state and be added to the set of states corresponding to main state s2 . It changes the set Ss2 and state s2 is written into the queue. Therefore, the next states of s2 are visited later when s2 is read from the queue. At the beginning the queue contains the initial main states with the

III. D ECOMPOSING THE STATE SPACE BY THE SUB -FSM S A. Partitioning into sub-FSMs In this section, we present a technique to partition the circuit into the sub-FSMs using the information of the main FSM.
MSF niaM

Fig. 5.

Partitioned structure of a circuit

Fig. 4.

Determining the support set

Given a main transition (1 , s2 ) R, we can approxis mate the support set of the next-state function j under the constraint of this main transition as illustrated in Figure 4. First, the state values s1 and s2 are assigned to the main state variables V and the main next-state variables V , respectively. These boolean constraints are then propagated to identify constant nodes in the circuit structure. Next, the support set s of j under the constraint of the main transition (1 , s2 ) is approximated by tracing the circuit structure backward from the next-state variable vj to the inputs or the state variables. The backtracing procedure terminates whenever it reaches a constant node. If the procedure reaches a state variable vi , it returns vi as being in the support set of j under the constraint of (1 , s2 ). The constrained support set determined in this way s is denoted by supps1 2 (j ) in the following. s Denition 5: Let R be the main transition relation of a circuit C with the next-state function . Let (1 , s2 ) R s be a main transition. The constrained dependency graph of state variables is a directed graph G(V, E) where the set of vertices is given by the set of state variables V . The set of edges E is dened as E = {(vi , vj ) V 2 |vi
(1 ,2 )R s s

sub-FSMs are V , V1 , . . . , V5 respectively. Sub-FSMs 1 and 2 are in level 1, the other sub-FSMs are in level 2. As shown in Figure 5, the SCC decomposition guarantees uni-directional interaction among the sub-FSMs of the circuit. The control information stored in the state variables goes into only one direction from the lower level sub-FSMs to the higher level sub-FSMs. Note that a non-constrained decomposition into SCCs is generally not useful for industrial designs because this type of decomposition will often produce only a single large SCC containing the whole design. If, however, the dependency graph is constrained by the transition of the main FSM the situation is different and a large number of small SCCs can often be identied. B. Traversing the sub-FSMs The sub-circuit Ck corresponding to a sub-FSM k and the main FSM is derived from circuit C by removing all state / variables vj {V Vk }. The removed state variables are considered as pseudo inputs. Moreover, the pseudo inputs are constrained by the reachable states of the sub-circuits l < k. Because of the uni-directional communication among subFSMs the next-state functions of a sub-FSM in level k only depend on the state variables in sub-FSMs in level l < k. Therefore, the characteristic function of the transition relation Rk of the sub-circuit Ck is approximated as Rk =
vi V Vk

(vi i )
l<k

(Reachl )

where Reachl is the characteristic function of reachable states of the sub-circuit Cl .

supps1 2 (j )} s

where supps1 2 (j ) is the support set of function j under s the constraint of the transition (1 , s2 ). s The constrained dependency graph is partitioned using a simple algorithm to identify strongly connected components (SCC). Each SCC corresponds to a sub-FSM. The graph of sub-FSMs is a directed acyclic graph, which can be levelized by a depth-rst search algorithm. An example of the hierarchical structure of the circuit after being partitioned is shown in Figure 5. The circuit consists of a main FSM and ve subFSMs. The sets of state variables of the main FSM and the ve

Fig. 6.

Approximate TBT traversal algorithm

The algorithm in Figure 6 approximates the set of reachable states corresponding to the main states. Procedure approx TBT takes the transition relation, the initial states, the main FSM of the circuit and the partitions of state variables {Vk } as input

3 4 5

)2 level( MSF-bus )2 level( MSF-bus

)1 level( 2 MSF-bus

)0 level( MSF niam

corresponding sets of states containing all initial states. Thus, all next states of the initial states are visited. Recursively, all reachable states of the circuit are visited by the procedure. According to Lemma 1, the calculated reachable states are partitioned into sets of states corresponding to the main states.

)2 level( MSF-bus

)1 level( MSF-bus

noitagaporp tniartsnoc naeloob

1 gnicartkcab 1 0

parameters. In the procedure, all sub-FSMs are traversed in the order of their level. Consider a sub-FSM k, the procedure constrain R extracts the correspondent sub-circuit Ck from the circuit and imposes constraints representing the reachable states Reachl on the pseudo inputs. The sub-circuit Ck with the transition relation Rk obtained by procedure constrain R is then traversed by procedure TBT TRAVERSAL to calculate its k reachable states Reachk composed from the Ss for each main state s. The set of reachable states Reachk for the sub-circuit k Ck is the union of Ss . Theorem 2: Given a circuit which is partitioned into a main FSM and sub-FSMs as described in Section III-A. The sub-FSMs are levelized by their dependencies. Procedure Approx TBT exactly calculates the sets of reachable states for all sub-circuits corresponding to sub-FSMs in level 1. Proof: Consider a sub-FSM k in level 1 and its state variables Vk . Because the sub-FSM k is in level 1, it only depends on state variables in V Vk . Therefore, the other state variables can be removed without imposing constraints on the corresponding pseudo inputs. The sub-circuit Ck corresponding to sub-FSM k can be considered as an independent circuit with state variables V Vk and free inputs. According to Theorem 1 procedure TBT TRAVERSAL exactly calculates all reachable states for the sub-circuit Ck . IV. I MPLEMENTATION

Fig. 7.

img procedure

variables from being reassigned is added to the SAT instance as in [23]. The blocking clause CP of s2 is dened by CP =
vi V

li

where li is the literal representing the inverted value of the next-state variables i.e. li = vi vi if s2 (vi ) = 0 if s2 (vi ) = 1

We implemented our algorithms based on a SAT solver [22]. The transition relation of the circuit and the sets of states are represented by CNFs of their characteristic functions. The next states in the constrained img operation are enumerated using a SAT solver as follows. In the following, we represent CNFs as sets of clauses and clauses as disjunctions of literals. Let (1 , s2 ) be a main s transition. The transition relation corresponding to (1 , s2 ) s dened in Denition 3 is

(1 , s2 ). First, a SAT instance C = Cs1 2 CFroms is s s 1 calculated from the transition relation, the main states s1 , s2 and the set of states Froms1 . A satisable assignment A of the SAT instance is then found by a SAT solver. The values of the next-state variables encoding the next state s2 is extracted from A as a partial assignment. State s2 is added to the set of next states Nexts2 . A blocking clause CP preventing the next-state

The SAT instance is solved again to nd another assignment. The procedure nishes when the SAT instance becomes unsatisable. Let us illustrate procedure img by an example. Let the main state variables be v1 , v2 and the other state variables be v3 , v4 . Consider a main transition s1 , s2 . In the main state s1 the values of state variables v1 and v2 are 0. In the main state s2 the values of next-state variables v1 and v2 are 0 and 1, respectively. The set of states corresponding to the main state s1 is S1 (v3 , v4 ) = {00, 10}. We want to calculate the set of next states corresponding to the main state s2 . The sets of Cs1 2 = CR {li } {li } clauses are calculated as s v i V v i V 1) Cs1 2 = CR {v1 } {v2 } {v1 } {v2 }. s 2) CFroms = cnf (v3 v4 v3 v4 ). 1 where CR is the set of clauses representing the transition reSolving the SAT instance we get an assignment of the nextlation of circuit C and li , li are literals representing the values of the main state variables in main states s1 , s2 respectively. state variable A(v3 , v4 ) = 01. Therefore, a next state is s2 = 01. We add a blocking clause to the SAT instance: li and li are dened by CP = v3 v4 . The SAT instance is given to the solver again. vi if s2 (vi ) = 1 However, the solver proves the instance to be unsatisable. vi if s1 (vi ) = 1 li = and li = vi if s1 (vi ) = 0 vi if s2 (vi ) = 0 Consequently, the set of next states corresponding to the main transition (1 , s2 ) is S13 = {01}. s Procedure img in Figure 7 calculates the next states of V. E XPERIMENTAL RESULT the set of states Froms corresponding to a main transition
1

We conducted experiments based on two industrial and one public domain design. Table I gives a brief description of the experimental results. The main FSMs of two industrial designs, the ash memory controller and the AHB master, have been extracted automatically from design codes by the commercial tool Debussy R . The main FSM of the public domain design has been extracted manually. The number of

main states and the number of main transitions are shown in column 2. The last column shows the CPU time which our algorithm has spent to identify the reachable state sets corresponding to the main states. From these reachable state sets we derived all constant state variables as reachability constraints for our commercial BMC-based verication tool. The number of the reachability constraints are shown in column 4. The experiments were performed on an AMD64 PC with 2.2 GHz clock frequency and 1 GB RAM running SUSE Linux 9.3.
TABLE I E XPERIMENTAL RESULTS Design Flash memory controller AHB master PCI target State variables 493 Main FSM 38/103 Constraints 2524 CPU time(h) 2:55:10

3371 182

14/51 6/24

1412 291

18:50:59 0:03:21

To illustrate the usefulness of the found reachability constraints, we tried to verify the rst design which is is a ash memory controller using an AMBA-avor protocol. 23 properties were written to prove the compliance of the hardware with the protocol specication and the correct execution of all functional operations. The verication engineer spent about one week to analyze the main FSM and to write properties. Unfortunately, all properties failed because of false negatives. Using conventional verication methodology, it required three more weeks to manually inspect the design code. In order to identify the reachability constraints not only the main FSM but also some or all sub-FSMs had to be inspected. In the properties, the manually found reachability constraints were then replaced by the reachability constraints which were generated by TBT algorithm. All properties could now be proven without false negatives. This means that the proposed approach can completely avoid the effort of manually inspecting the design code and counterexamples.
TABLE II T HE NUMBER OF REACHABILITY CONSTRAINTS IN MAIN STATES FOUND
MANUALLY AND AUTOMATICALLY FOR THE FLASH MEMORY CONTROLLER

constraints to eliminate the false negative. Therefore, the number of manually found reachability constraints in Table II is proportional to the number of false negatives that have occurred and thus to the number of trials which the engineer needed to make. Hence, the number of reachability constraints in column 2 of Table II can approximate the manual verication effort. By contrast, using the proposed approach reachability constraints are automatically determined in a preprocessing phase. Similarly, a set of properties was written for the second design to prove the compliance of the hardware with the AHB protocol specication. The experimental results were similar and the verication effort was reduced dramatically. In addition, to make our experiments more transparent to the reader, let us explain in more detail another experiment conducted on a public domain PCI target block. The PCI target block was extracted from the PCI local bus in [24]. To avoid the explosion problem of the state space the creator of the benchmark has reduced the width of the address/data bus to 3. We re-expanded the width of the address/data bus to 32 bits. This makes the design more realistic. The modied benchmark is no longer feasible for BDD-based approaches. We wrote a property that checks the turnaround cycle of the PCI protocol. The property states that if the PCI target is in main state idle and the bus command is read, then the next cycle must be the turnaround cycle. This means the PCI target does not drive the bus lines in this cycle [25]. The property is written based on the main states as (main state = idle ReadCmd) AX(OE TRDY = 0 OE DEVSEL = 0 OE AD = 0) where OE TRDY, OE DEVSEL and OE AD are the signals controlling the bus lines. When they are 0 the bus lines are not driven by the target. A BMC-based property checker failed to prove the property. There are many false counterexamples. One of them is that the values of OE TRDY, OE DEVSEL and OE AD are 1 when the main state is idle. Therefore, to avoid this false negative the following reachability constraint needed to be added to the property. (main state = idle OE TRDY = 0 OE DEVSEL = 0 OE AD = 0) Instead of identifying these values manually, we performed approx TBT to automatically identify reachability constraints and added them to the properties. Thus, the property is (main state = idle ReadCmd TBT constraints) AX(OE TRDY = 0 OE DEVSEL = 0 OE AD = 0) The modied property was now proven without any false negative. VI. D ISCUSSION The paper presents a new approach to automatically determine reachability constraints which are necessary in a BMCbased verication ow. Our algorithm is based on using information about a main FSM of the circuit which can

Main state ilde error wr w f if o rd start rd w f if o

manually found 28 22 25 24 29

automatically found 151 53 62 64 61

Table II illustrates the evaluation of the manual effort in comparison with the proposed approach. It shows the number of reachability constraints in some main states. Finding reachability constraints manually is a process of trial and error. Whenever a false negative occurs the verication engineer needs to inspect the design code and identify reachability

be extracted from the design code. Because the properties in the BMC-based verication ow often specify functional operations from one main state to another main state it is natural to relate main states to reachability constraints to be found. In contrast to GSTE which is a property-driven partitioning algorithm, TBT traversal is circuit-driven. Future work will explore a combined verication methodology in which TBT traversal is applied for both, property and design. Because an approximate algorithm is used some reachability constraints might be missed and false negatives are not guaranteed to be avoided. Although this did not happen in our practical experiments, in future work, an iterative approach is to be developed which analyzes false negatives to merge subFSMs and to identify more necessary constraints. Abstraction renement techniques as in [26], [27] can be applied to nd sub-FSMs that need to be merged. ACKNOWLEDGMENT The authors would like to thank Klaus Winkelmann and Marc Paucke (Inneon) for helping us conduct experiments with industrial designs. R EFERENCES
[1] A. Biere, A. Cimatti, E. Clarke, O. Strichman, and Y. Zhu, Bounded Model Checking, Advances In Computers Volume 58. Academic Press, 2003. [2] C.-J. H. Seger and R. E. Bryant, Formal verication by symbolic evaluation of partially-ordered trajectories, Form. Methods Syst. Des., vol. 6, no. 2, pp. 147189, 1995. [3] J. R. Burch, E. M. Clarke, and D. E. Long, Representing circuits more efciently in symbolic model checking, in Proceedings of the 28th conference on ACM/IEEE design automation. ACM Press, 1991, pp. 403407. [4] D. Geist and I. Beer, Efcient model checking by automated ordering of transition relation partitions, in Proceedings of the 6th International Conference on Computer Aided Verication. Springer-Verlag, 1994, pp. 299310. [5] R. Hojati, S. C. Krishnan, and R. K. Brayton, Early quantication and partitioned transition relations, in Proceedings of the 1996 International Conference on Computer Design, VLSI in Computers and Processors. IEEE Computer Society, 1996, pp. 1219. [6] G. Cabodi, P. Camurati, L. Lavagno, and S. Quer, Disjunctive partitioning and partial iterative squaring: an effective approach for symbolic traversal of large circuits, in Proceedings of the 34th annual conference on Design automation, 1997, pp. 728733. [7] G. Cabodi, P. Camurati, and S. Quer, Improved Reachability Analysis of Large Finite State Machines, in Proceedings of the International Conference on CAD (ICCAD). IEEE, 1996, pp. 354360. [8] A. Narayan, A. J. Isles, J. Jain, R. K. Brayton, and A. L. SangiovanniVincentelli, Reachability analysis using partitioned-ROBDDs, in Proceedings of the 1997 IEEE/ACM international conference on Computeraided design. IEEE Computer Society, 1997, pp. 388393. [9] S. Quer, G. Cabodi, and P. Camurati, Decomposed symbolic forward traversals of large nite state machines, 1996. [Online]. Available: citeseer.ist.psu.edu/quer96decomposed.html [10] H. Cho, G. Hachtel, S.-W. Jeong, B. Plessier, E. Schwarz, and F. Somenzi, ATPG Aspects of FSM Verication, in Proceedings of the International Conference on CAD (ICCAD). IEEE, 1990. [11] O. Coudert, C. Berthet, and J. Madre, Verication of sequential machines using boolean functional vectors, in Proceedings of the IFIP International Workshop Applied Formal Methods for Correct VLSI Design, June 1989, pp. 111128. [12] O. Coudert and J. C. Madre, A unied framework for the formal verication of sequential circuits, in Proceedings of the International Conference on CAD (ICCAD). IEEE, 1990, pp. 126129.

[13] I.-H. Moon, J. H. Kukula, K. Ravi, and F. Somenzi, To split or to conjoin: the question in image computation, in Design Automation Conference, 2000, pp. 2328. [Online]. Available: citeseer.ist.psu.edu/article/moon00to.html [14] H. Cho, G. Hachtel, E. Macii, B. Plessier, and F. Somenzi, Algorithms for approximate FSM traversal based on state space decomposition, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 15, no. 12, pp. 14651478, December 1996. [15] H. Cho, G. Hachtel, E. Macii, M. Poncino, and F. Somenzi, Automatic state space decomposition for approximate FSM traversal based on circuit analysis, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 15, no. 12, pp. 14511464, December 1996. [16] S. G. Govindaraju, D. L. Dill, A. J. Hu, and M. A. Horowitz, Approximate reachability with BDDs using overlapping projections, in Design Automation Conference, 1998, pp. 451456. [Online]. Available: citeseer.ist.psu.edu/govindaraju98approximate.html [17] I.-H. Moon, J. Kakula, T. Shiple, and F. Somenzi, Least xpoint approximations for reachability analysis, in Proceedings of the 1999 IEEE/ACM international conference on Computer-aided design, 1999, pp. 4144. [Online]. Available: citeseer.ist.psu.edu/moon99least.html [18] J. Yang and C.-J. H. Seger, Introduction to generalized symbolic trajectory evaluation, IEEE Trans. Very Large Scale Integr. Syst., vol. 11, no. 3, pp. 345353, 2003. [19] R. Sebastiani, E. Singerman, S. Tonetta, and M. Y. Vardi, Gste is partitioned model checking. in CAV, 2004, pp. 229241. [20] A. J. Hu, J. Casas, and J. Yang, Reasoning about GSTE assertion graphs, in Correct Hardware Design and Verication Methods: 12th IFIP WG 10.5 Advanced Research Working Conference (CHARME03). Springer, 2003, pp. 170184, lecture Notes in Computer Science Vol. 2860. [21] X. Feng, A. J. Hu, and J. Yang, Partitioned model checking from software specications, in Asia South Pacic Design Automation Conference. IEEE Press, 2005, pp. 583587. [22] M. W. Moskewicz, C. F. Madigan, Y. Zhao, L. Zhang, and S. Malik, Chaff: Engineering an Efcient SAT Solver, in Proceedings of the 38th Design Automation Conference (DAC01), 2001. [Online]. Available: citeseer.ist.psu.edu/moskewicz01chaff.html [23] K. L. McMillan, Applying sat methods in unbounded symbolic model checking. in CAV, 2002, pp. 250264. [24] A. Aziz, Texas-97 benchmarks, 1997, http://wwwcad.EECS.Berkeley.EDU/ Respep/Research/Vis/texas-97. [25] PCI local bus specication 2.1, 1995. [26] E. Clarke, A. Gupta, J. Kukula, and O. Strichman, SAT based abstraction-renement using ILP and machine learning techniques, in Proc. of Conference on Computer-Aided Verication (CAV02), ser. LNCS, 2002. [Online]. Available: citeseer.ist.psu.edu/clarke02sat.html [27] E. M. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith, Counterexample-guided abstraction renement, in Computer Aided Verication, 2000, pp. 154169. [Online]. Available: citeseer.ist.psu.edu/clarke00counterexampleguided.html