xi

vii Chapter

vii

transyt is a BDD-based tool specifically designed for the verification of timed and untimed asynchronous concurrent systems. transyt system architecture is designed to be modular, open and flexible, such that additional capabilities can be easily integrated. A state of the art BDD package [1] is integrated into the system, and a middleware extension [2] provides support complex BDD manipulation strategies.

ion of a PTFSM uses the order of the earliest pulse arrival times of inputs of the gate. An input bit vector of an SFSM with the order corresponds to a pulse arrival sequence. Thus, the output bit vector and the next state from an input vector at a present state of an SFSM can be decided by the corresponding PTFSM. For example, we consider an 2562 IEICE TRANS. FUNDAMENTALS, VOL.E98–A, NO.12 DECEMBER 2015 Fig. 6 Example of abstraction the PTFSM to the SFSM. input bit vector 101 at a, b and clk on a present state s3 with order (clk, b, a) of a clocked AND gate g in Fig. 6. The input bit vector 101 corresponds to the pulse arrival sequence (clk, a). On the PTFSM of the clocked AND gate, when pulses arrive at clk and then a on state s3, the state results in s1 and a pulse is produced on c. Therefore, on the SFSM of g with order (clk, b, a), the next state and the output bit vector from the input bit vector 101 at a, b and clk on the present state s3 are s2 and 1 at c, respectively. An SFSM has three types of forbidden input bit vectors which are an input bit vector with the values “1” on both of a pair of input lines whose timing slack is negative, an input bit vector including a forbidden input of PTFSM and an input bit vector producing more than one pulse on an output line in a time frame. For example, when a clocked AND gate g has a negative timing slack TS (g, a, clk) or TS (g, clk, a), input bit vectors 101 and 111 at (a, b, clk) on any state are forbidden. An input bit vector 100 at (a, b, clk) on state s1 of g is forbidden, because the input bit vector includes a pulse arrival at a on s1 which is forbidden on the PTFSM of g. The SFSM of gate g, M′ is abstracted from the PTFSM of g, M = (S , I,O, δ, λ, q). M′ = (S , I′,O′, δ′, λ′, q) is composed of a set of states S , a set of input bit vectors I′, a set of output bit vectors O′, the transition function δ′ : S × I′ → S , the output function λ′ : S × I′ → O′ and an initial state q. I′ is a set of all bit vectors at input lines of g. O′ is a set of all bit vectors at output lines of g. When OI(g) is decided, an input pulse arrival sequence on M, (i0, i1, . . . , im−1) is defined uniquely from an input bit vector i′ ∈ I′ where m is the number of values “1” on i′. δ′(i′, s ∈ S ) and λ′(i′, s) are decided uniquely by (i0, i1, . . . , im−1) on M corresponding to i′ on M′. δ′(i′, s) is the resulting state of δ(im−1, . . . δ(i1, δ(i0, s)) . . . ). We consider a state sequence (s0, s1 . . . , sm) and an output pulse arrival sequence (o0, o1 . . . , om−1) where s0 = s, s j+1 = δ(i j, s j) and o j = λ(i j, s j) for 0 ≤ j ≤ m − 1. Then, δ′(i′, s) can also be represented as sm. When o ∈ O does not appear in (o0, o1 . . . , om−1), an output bit vector λ′(i′, s) has value “0” at an output line of o. When o appears once in (o0, o1 . . . , om−1), an output bit vector λ′(i′, s) has value “1” at an output line of o. When o appears more than one time in (o0, o1 . . . , om−1), λ′(i′, s)is the indefinite bit vector x. In addition, whenever (i′, s) is a forbidden input of M′, δ′(i′, s) and λ′(i′, s) are dealt as the error state se and the indefinite bit vector x, respectively. If i′ has values “1” on both of input lines a and b with negative TS (g, a, b) or TS (g, b, a), ∃ jδ(i j, s j) = se or λ′(i′, s) = x, (i′, s′) is a forbidden input. For example, M′ of a clocked AND gate includes S = {s0, s1, s2, s3, se}, I′ = {000, 001, ..., 111, x} at a, b and clk, O′ = {0, 1, x} at c, δ′(s0, 110) = s3, λ′(s3, 001) = 1, q = s0. The next state and the output bit vector from the forbidden input bit vectors at the corresponding state, any input bit vector at state se or input bit vector x at any state are always se and x, respectively. Figure 6 shows an example of abstraction the PTFSM to the SFSM of a clocked AND gate g with OI(g) = (clk, b, a) and negative timing slack TS (g, b, clk). Input bit vectors 111 and 011 at (a, b, clk) on any state are forbidden because TS (g, b, clk) is negative. Other forbidden input bit vectors at (a, b, clk) are 100 and 110 on s1, 010 and 110 on s2 and 010, 100 and 110 on s3 because the forbidden input of the PTFSM. The product machine of SFSMs of all gates in the circuit corresponds to the SFSM of the circuit. By abstracting the behavior of all gates in the circuit, the SFSM of the circuit are given. 4.3.2 Forbidden Input Checking and Equivalence Checking When the SFSM of an SFQ circuit is abstracted from the PTFSM of all gates in the circuit, the following verification can be accomplished in a similar way to synchronous sequential circuits. Model checking and equivalence checking, which are called formal verification, are used for verification of synchronous sequential circuit. Some tools for the formal verification are developed [16]–[18]. We can use them for verification of an SFQ circuit. In the proposed verification method, a forbidden input of an SFSM is checked by the forbidden input checking. The forbidden input checking is accomplished by using properties representing no forbidden input and checking whether the properties are satisfied or not by model checking. When a negative timing slack exists on a gate and forbidden input checking is passed without errors on the gate, the negative timing slacks can be ignored because negative timing slacks also effect the SFSM. In the equivalence checking, the specification corresponding to behavior of the SFQ circuit needs to be prepared. The specification and the abstracted SFSM of the SFQ circuit are compared to detect an error of the design. 5. Experimental Results We have implemented the proposed static timing analysis tool in SKILL language and the abstraction tool of behavior in SKILL and C++ languages. The implemented static timing analysis tool obtains gate delay and timing constraints from the cell library and calculates the path delay, timing slacks including the minimum timing slack, the minimum clock period and the order of pulse arrival times at each gate KAWAGUCHI et al.: A VERIFICATION METHOD FOR SINGLE-FLUX-QUANTUM CIRCUITS USING DELAY-BASED TIME FRAME MODEL 2563 Table 1 Verification results. circuit #gate #JJ #state #NTS min TS (ps) min CP (ps) STA time (s) FC time (s) EC time (s) full adder 9 292 5832 0 3.6 23.5 0.3 < 0.01 < 0.01 8 bit CLA 158 6380 3.09 × 1086 9 −5.3 33.0 3.27 12.3 0.07 4-bit SS 190 3829 1.10 × 1081 50 −3.9 42.4 1.87 27.0 0.06 of an SFQ circuit. The abstraction tool translates PTFSM of an SFQ circuit to the SFSM described in BLIF-MV which is used for verification of synchronous sequential circuit. Simultaneously, the tool produces properties which represent no occurrence of forbidden inputs in LTL language. We verified several circuits using these tools. The SFSM of the circuits was verified by forbidden input checking and equivalence checking using vis [17] and ABC [18], respectively. The forbidden input checking uses the properties produced by the abstraction tool. We verified three circuits, a full adder using NDROs and CBs without clock supply, an 8-bit carry look-ahead adder employing concurrentflow clocking (8-bit CLA) [6] and a 4-bit slice 32 bit shifter using gates with and without clock supply (4-bit SS). The experiments were conducted on a Linux platform (Debian 6.0) with an Intel Xeon X5470 (3.33 GHz) and 32 GB of RAM. Table 1 shows the number of logic gates (#gate), the number of Josephson junctions (#JJ), the number of states (#state), the number of negative timing slacks (#NTS), the minimum timing slack (min TS), the minimum clock period (min CP), CPU time for static timing analysis (STA time), CPU time for forbidden input checking (FC time) and CPU time for equivalence checking (EC time). The forbidden input checking was accomplished by unbounded model checking. The equivalence checking was accomplished by unbounded sequential equivalence checking. In the forbidden input checking of the 8-bit CLA, we detected a failed property caused by a connection error on a clocked AND gate. The forbidden input of the gate, which is pulse arrival at a on s1 specifically, could occur because of this error. This error was also detected in the equivalence checking. 50 negative timing slacks were detected by the static timing analysis of the 4-bit SS. They were 29 in CBs, 8 in RDFFs (resettable DFFs) and 13 in D2FF (DFFs with two clock inputs and two corresponding outputs). The negative timing slacks in RDFFs were caused by predecessors of CBs and the output line of the CB had two pulses in a time frame. In order to avoid the two pulses on a line in a time frame, we duplicate lines from CBs to RDFFs as shown in Fig. 7. All gates in the redesigned version of the 4-bit SS passed through forbidden input checking and the negative timing slacks on D2FFs and CBs could be ignored because pulses at two inputs causing the negative timing slacks did not appear simultaneously in a time frame. The experimental results show that the proposed verification method can handle circuits employing various clocking and composed of gates with and without clock supply. Fig. 7 Duplication of a line from CB to RDFF in 4-bit SS.

ion of Communication Channels in Promela: A Case Study . . . . . . 187 Elena Fersman and Bengt Jonsson (Uppsala University)

ion and Refinement for Design Verification at Logic Level Abstraction refinement has recently emerged as an enabling technology for applying model checking techniques to large real-life designs. Previous techniques for abstraction refinement work on static abstractions, in that the abstract model produced by the abstraction algorithm is not modified by the downstream model checking. We propose a new, dynamic method of abstraction, which can be applied during successive steps of the model checking algorithm to further abstract the model produced by traditional static abstraction methods. This is facilitated by information gathered from an analysis of the proof of unsatisfiability of SAT-based bounded model checking problems, solved on the concrete model, and passed to the model checker. It effectively allows the model checker to work with smaller abstract models. Experiments on several industrial benchmarks demonstrate that dynamic abstraction significantly improves the performance of the abstraction refinement flow and alsoion refinement has recently emerged as an enabling technology for applying model checking techniques to large real-life designs. Previous techniques for abstraction refinement work on static abstractions, in that the abstract model produced by the abstraction algorithm is not modified by the downstream model checking. We propose a new, dynamic method of abstraction, which can be applied during successive steps of the model checking algorithm to further abstract the model produced by traditional static abstraction methods. This is facilitated by information gathered from an analysis of the proof of unsatisfiability of SAT-based bounded model checking problems, solved on the concrete model, and passed to the model checker. It effectively allows the model checker to work with smaller abstract models. Experiments on several industrial benchmarks demonstrate that dynamic abstraction significantly improves the performance of the abstraction refinement flow and also

ion and Refinement Model-Checking with Formula-Dependent Abstract Models . . . . . . . . . . . . . . 155 Alexander Asteroth, Christel Baier, Ulrich Aßmann Verifying Network Protocol Implementations by Symbolic Refinement Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 Rajeev Alur, Bow-Yaw Wang Automatic Abstraction for Verification of Timed Circuits and Systems . . . . 182 Hao Zheng, Eric Mercer, Chris Myers

ion Techniques 97 The organization of this chapter is as follows. First, a short overview is given of related work. In particular, we pay attention to a method for approximate reachability analysis of FSMs. In Section 6.4, we discuss the problem of decomposing a product machine without using abstraction. Then we introduce the basic abstraction mechanism we propose for product machines, and explain how this mechanism can be used when decomposing a product machine. In Section 6.6, we focus on how abstraction can be used to prove the equivalence of sequentia! circuits. The use of abstraction techniques for disproving the equivalence of circuits is the subject of Section 6. 7.

description of state machine is a model used for describing hardware designs at the RTL. Using ASMs, a data value can be represented by a single variable of abstract type, rather than by a vector of Boolean variables, and a data operation is represented by an uninterpreted function symbol. The model checking method based on a first-order linear-time temporal logic as developed in this paper allows to verify properties on designs represented by ASMs. Thus, it is necessary to review first the terminology related to ASMs. 2.1. A many-sorted first-order logic As in an ordinary many-sorted first-order logic, the vocabulary consists of sorts, constants , variables and function symbols(or operators). Constants and variables have sorts. We deviate from standard many-sorted firstorder logic by introducing a distinction between concrete (or enumerated ) sorts and abstract sorts ; the difference is that concrete sorts have enumerations , while abstract sorts do not. The enumeration of a concrete sort α is a set of distinct constants of sort α. We refer to constants occurring in enumerations as individual constantsand to other constants as generic constants . The distinction between abstract and concrete sorts leads to a distinction between three kinds of function symbols. Let f be a function symbol of type α1 × α2 × · · · × αn → αn+1. If αn+1 is an abstract sort then f is an abstract function symbol . If all the α1, . . . , αn+1 are concrete, f is a concrete function symbol . If αn+1 is concrete while at least one of α1, . . . , αn is abstract, then f is referred to as a crossoperator.Both abstract function symbols and cross-operators may be uninterpreted, or partially interpretedby conditional rewrite rules. The termsand their types(sorts) are defined inductively as follows: a constant or a variable of sort α is a term of type α; and if f is a function symbol of type α1 × α2 × · · · × αn → αn+1, n ≥ 1, and A1, . . . , An are terms of types α1, . . . , αn, then f (A1, . . . , An) is a term of type αn+1. We say that a term, variable or constant is concrete (resp. abstract) to indicate that it is of concrete (resp. abstract) sort. A term is concretely reduced if it only contains: (i) the individual constants; (ii) the abstract generic constants; (iii) the abstract variables; and (iv) the terms of the form f (A1, . . . , An) where f is a function symbol and A1, . . . , An are concretely reduced terms. Thus, the concretely reduced The Computer Journal, Vol. 47, No. 1, 2004 Model Checking for a First-Order Temporal Logic 73 terms are those that have no concrete subterms other than individual constants. A term of the form f (A1, . . . , An) where f is a cross-operator and A1, . . . , An are concretely reduced terms is called a cross-term. An equation is an expression A1 = A2 where A1 and A2 are terms of same type α. Atomic formulasare the equations, plus T (truth) and F (falsity). Formulas are built from the atomic formulas in the usual way using logical connectives and quantifiers. An interpretationis a mapping ψ that assigns a denotation to each sort, constant and function symbol such that: (i) The denotation ψ(α) of an abstract sort α is a non-empty set. (ii) If α is a concrete sort with enumeration {a1, a2, . . . , an} then ψ(α) = {ψ(a1), ψ(a2), . . . , ψ(an)} and ψ(ai) = ψ(aj ) for 1 ≤ i < j ≤ n. (iii) If c is a generic constant of sort α, then ψ(c) ∈ ψ(α). If f is a function symbol of type α1 × · · · × αn → αn+1, then ψ(f ) is a function from the Cartesian product ψ(α1) × · · · × ψ(αn) into the set ψ(αn+1). Let X be a set of variables, a variable assignment with domain X compatible with an interpretation ψ is a function φ that maps every variable x ∈ X of sort α to an element φ(x) of ψ(α). We write ψX for the set of ψ-compatible assignments to the variables in X, ψ , φ |= P if a formula P denotes truth under an interpretation ψ and a ψ-compatible variable assignment φ to the variables that occur free in P , |= P if a formulaP denotes truth under every interpretationψ and every ψ-compatible variable assignment to the variables that occur free in P . 2.2. Directed formulas Given two disjoint sets of variables U and V , a directed formula (DF) of type U → V is a formula in disjunctive normal form (DNF) such that: (i) Each disjunct is a conjunction of equations of the form A = a, where A is a term of concrete sort α of the form ‘f (B1, . . . , Bn)’ (f is thus a cross-operator) that contains no variables other than elements of U , and a is an individual constant in the enumeration of α, or w = a, where w ∈ (U ∪V ) is a variable of concrete sort α and a is an individual constant in the enumeration of α, or v = A, where v ∈ V is a variable of abstract sort α and A is a term of type α containing no variables other than elements of U . (ii) In each disjunct, the left-hand sides (LHSs) of the equations are pairwise distinct. (iii) Every abstract variable v ∈ V appears as the LHS of an equation v = A in each of the disjuncts. (Note that there need not be an equation v = a for every concrete variable v ∈ V .) Intuitively, in a DF of type U → V , the U variables play the role of independent variables, the V variables play the role of dependent variables, and the disjuncts enumerate possible cases. In each disjunct, the equations of the form u = a and A = a specify a case in terms of the U variables, while the other equations specify the values of (some of the)V variables in that case. The cases need not be mutually exclusive, nor exhaustive. A DF is said to be concretely reducediff every A in an equation A = a is a cross-term, and every A in an equation v = A is a concretely reduced term. It is easy to see that every DF is logically equivalent to a concretely reduced DF, given complete specifications of the concrete function symbols and concrete generic constants; the reduction can be accomplished by case splitting. From now on, by DF we shall mean concretely reducedDF. Let P be a DF of type U → V . For a given interpretation ψ , P can be used to represent the set of vectors SetψV (P ) = {φ ∈ ψV |ψ, φ |= (∃U)P }. In the following sections, DFs are used for two distinct purposes: to represent sets (viz. sets of states as well as sets of input vectors and output vectors) and to represent relations (viz. the transition and output relations). 2.3. Abstract description of state machines An ASM M is a tuple D = (X, Y, Z, FI , FT , FO), where (i) X, Y and Z are sets of variables, viz. the input, state and output variables, respectively. Let η be a one-to-one function that maps each state variable y to a distinct variable η(y) obtained, for example, by adorning y with a prime. The variables in Y ′ = η(Y ) are used as the nextstate variables. X, Y and Z must be disjointed from Y ′. Given an interpretation ψ , an input vector of the state machine M represented by D is a ψ-compatible assignment to the set of input variables X; thus the set of input vectors, or input alphabet, is ψX. Similarly, ψ Z is the set of output vectors. A state is a ψ-compatible assignment to the set of state variables Y ; hence, the state space is ψY . A state φ can also be described by an assignment φ′ = φ ◦η−1 ∈ ψY to the next state variables. A variable in X ∪ Y ∪ Z is called an ASM_variable. (ii) FI is a DF representing the set of initial states, of type U → Y , where U is a set of abstract variables disjoint from X ∪ Y ∪ Y ′ ∪ Z. Typically, FI is a one-disjunct DF representing the set of initial states. Given an interpretation ψ , a state φ ∈ ψY is an initial state iff ψ, φ |= (∃U)FI . Thus the set of initial statesis SI = Set(FI ) = {φ ∈ ψY |ψ, φ |= (∃U)FI }. (iii) FT is a DF of type (X ∪ Y ) → Y ′ representing the transition relation. Given an interpretation ψ , an input vector φ ∈ ψX and a state φ′ ∈ ψY , a state φ′′ ∈ ψY is a possible next state iff ψ, φ ∪φ′ ∪φ′′ ◦η−1 |= FT . Thus the transition relation of the state machine M represented by D is RT = {(φ, φ′, φ′′) ∈ ψX × ψY × ψY |ψ, φ ∪ φ′ ∪ (φ′′ ◦ η−1) |= FT }. (iv) FO is a DF of type (X ∪ Y ) → Z representing the output relation. The Computer Journal, Vol. 47, No. 1, 2004

a new framework for verifying the sequential equiva- lence of circuits optimized by retiming. Our approach recognizes the existence of a retiming invariant relating the two circuits, and utilizes that invariant in an induction-based verification paradigm. We prove useful properties about that invariant and present efficient algorithms for computing as well as employing it for verification. We demonstrate encouraging results on the ISCAS 89 benchmarks.

With the trend to partially move safety-related features from courtyards into on-board control software, new challenges arise in supporting such designs by formal verification capabilities, essentially entailing the need for a model-based design process. This paper reports on the usage of the STATEMATE Verification Environment to model and verify a radio-based signaling system, a trial case study offered by the German train system company DB. It shows, that industrially sized applications can be modeled and verified with a verification tool to be offered as a commercial product by I-Logix, Inc.

With the spread of internet and mobile devices, transferring information safely and securely has become more important than ever. Finite fields have widespread applications in such domains, such as in cryptography, error correction codes, among many others. In most finite field applications, the field size - and therefore the bit-width of the operands - can be very large. The high complexity of arithmetic operations over such large fields requires circuits to be (semi-) custom designed. This raises the potential for errors/bugs in the implementation, which can be maliciously exploited and can compromise the security of such systems. Formal verification of finite field arithmetic circuits has therefore become an imperative. This dissertation targets the problem of formal verification of hardware implementations of combinational arithmetic circuits over finite fields of the type F2k . Two specific problems are addressed: i) verifying the correctness of a custom-designed arithmetic circuit implementation against a given word-level polynomial specification over F2k ; and ii) gate-level equivalence checking of two different arithmetic circuit implementations. This dissertation proposes polynomial abstractions over finite fields to model and represent the circuit constraints. Subsequently, decision procedures based on modern computer algebra techniques - notably, Grobner bases-related theory and technology - are engineered to solve the verification problem efficiently. The arithmetic circuit is modeled as a polynomial system in the ring F2k [x1,x2, ···, xd], and computer algebra-based results (Hilbert's Nullstellensatz) over finite fields are exploited for verification. Using our approach, experiments are performed on a variety of custom-designed finite field arithmetic benchmark circuits. The results are also compared against contemporary methods, based on SAT and SMT solvers, BDDs, and AIG-based methods. Our tools can verify the correctness of, and detect bugs in, up to 163-bit circuits in F2163 whereas contemporary approaches are infeasible beyond 48-bit circuits.

With the shrinking feature sizes and increasing transistor counts on chips, the push for higher speed and lower power makes it necessary to look for alternative design styles which offer better performance characteristics than static CMOS. Among them, pass transistor logic (PTL) circuits give great promise. Since the delay in a pass-transistor chain is quadratically proportional to the number of stages, and a signal may degenerate when passing through a transistor, buffers are necessary to guarantee performance and restore signal strength in PTL circuits. In this paper, we first analyze the effects of buffer insertion on a circuit and give the sufficient and necessary condition for safe buffer insertion. Then the buffer minimization problem is formulated, which asks for a minimum number of buffers to make sure that no path has length longer than a given upper bound. Although NP-hard in general, we show that, when buffers are required on multiple fan-outs, it can be solved linearly. We also consider the case when buffers are inverters, where phase assignment are done on MCNC logic synthesis and optimization benchmarks; compared with a level-by-level insertion,a large number of buffers are saved.

With the proliferation of electronic devices in our day-to-day existence, the quality of the underlying circuits is becoming increasingly important. The devices are expected to run robustly under different operating conditions. Asynchronous circuits are promising as compared to synchronous approach, in achieving low power, low noise and high speed circuits which can be developed in a modular way. However, the absence of a global clock in these circuits comes at the cost of added concurrency. Therefore, it is important to have a better understanding of such highly concurrent systems in order to have confidence in the resultant devices. A formalism known as delay-insensitive (DI) processes is used to reason about a special class of asynchronous circuits that make no assumptions about delays in any of its components or wires. The formalism is shown to be useful in verification of such circuits using existing verification tools. DI processes can be easily integrated into such tools and existing equivalence checking techniques applied to them, instead of starting from scratch. In particular, the application of the Concurrency Workbench (CWB) to the verification of DI processes is shown by modelling them in CCS and using MUST-testing for equivalence and refinement checking. DI processes interact with their environment to form closed systems. A new restriction operator is defined to obtain the effective behaviour of a process in a given environment, which eases specification and facilitates implementation. This operator is also shown to be more general than the alternation operator defined previously by Mallon. Building on the work of Josephs and Udding, the algebraic semantics of DI processes is investigated and transformations are automated using the term rewriting system Maude. A canonical form is defined and is further used for equivalence and refinement checking based on syntactic comparison. The formalism is useful not only in verification, but also in the decomposition of certain forms of processes that have been found difficult for logic synthesis tool, such as Petrify, to handle. The decompositions introduce Wires and Fork elements that preserve the delay-insensitive behaviour of asynchronous controllers. The proposed heuristics are applied on benchmark examples to help the tool Petrify to synthesise area-efficient circuits rapidly. Besides using the CWB, Maude and Petrify, the experiments reported here have involved tools developed in-house, namely, Furey’s translation tool di2pn, verification tool diana and the authors translation tool di2ccs. The thesis demonstrates that (i) DI processes can be verified by adopting existing verification tools and techniques; (ii) consideration of the environment of a process leads to simpler specifications; and (iii) decomposing specifications leads to area efficient implementations.

With the increasing emergence of mixed hardware/software systems, it is important to ensure the correctness of such a system formally, particularly for real-time and safety critical applications. We present a hierarchical approach to modeling and formally verifying an embedded system at higher levels of abstraction, using Multiway Decision Graphs (MDGs). We demonstrate our approach on the embedded software for a mouse controller application on a commercial microcontroller (PIG 16C71), using the MDG verification tools. Inconsistencies in the assembly code with respect to the specification, as published in the application notes of the manufacturer, were uncovered through our experiments.

With the development of ASIC designs, simulation cannot cover all the corner cases in a complicated design. Model checking is a fully automatic approach to verify a finite state machine against its temporal specifications. However, its application is limited by the size of the system to be verified. Compositional verification and model reduction are two possible methods to tackle this problem. In this paper, we propose a verification framework based on assume-guarantee compositional model checking, where we can apply model checking to do exhaustive verification at the module level and conduct global properties via compositional reasoning. In this framework, temporal specifications are synthesized into Verilog modules. In case a module under verification is beyond the capability of model checking, the proposed model reduction algorithm is used. We implemented the framework on top of the VIS tool and applied it on an ATM switch fabric from Nortel Networks.

With shrinking feature sizes and increasing transistor counts on chips, demands for higher speed and lower power make it necessary to look for alternative design styles that offer better performance than static complementary metal-oxide-semiconductors. Among them, pass transistor logic (PTL) is of great promise. Since delay in a transistor chain is quadratically proportional to the number of transistors and a signal may degenerate passing through a transistor, buffers are necessary to guarantee performance and restore signal strength in PTL circuits. In this paper, we first analyze effects of buffer insertion on a circuit and give a sufficient and necessary condition for safe buffer insertion. Then, a buffer minimization problem is formulated. Although it is NP-hard in general, it can be solved linearly when buffers are required on multifan-out nodes. We also consider the case when buffers are inverters, where phase assignment needs to be done with buffer insertion.

When developing safety-critical software such as reactor protection systems (RPS) in nuclear power plants, a demonstration of software trust (e.g., safety) is not only absolutely essential but also usually mandated by government authorities. While automated generation of fault trees has become possible with increased use of formal specifications, industrial use of fault trees has been limited primarily to safety demonstrations that the system is free from behavior captured in the root node. In this paper, we propose to extend the use of automated fault tree for verification purposes. As a fault tree represents an abstract and partial behavioral model of software on credible causes leading to a hazard, it must still satisfy various properties (e.g., fairness, correctness). Verification of a fault tree is useful when developing safety-critical software because (1) it strengthens a safety-focused software development process; (2) it provides an opportunity to detect potentially critical errors early; and (3) it is less likely to experience a state explosion problem. This paper demonstrates how to convert a fault tree into a semantically equivalent logic formula so that they can be subject to formal verification using tools like Verification Interacting with Synthesis (VIS). We evaluated the feasibility of FTA's applicability as a verification tool on a prototype model of a nuclear power reactor protection system (RPS) software to be deployed in plants under construction in Korea.

We survey existing approaches to the formal verification of statecharts using model checking. Although the semantics and subset of statecharts used in each approach varies considerably, along with the model checkers and their specification languages, most approaches rely on translating the hierarchical structure into the flat representation of the input language of the model checker. This makes model checking difficult to scale to industrial models, as the state space grows exponentially with flattening. We look at current approaches to model checking hierarchical structures and find that their semantics is significantly different from statecharts. We propose to address the problem of state space explosion using a combination of techniques, which are proposed as directions for further research.