Assume-guarantee Reenement between Diierent Time Scales ??? ?

Re nement checking is used to verify implementations against more abstract speci cations. Assume-guarantee reasoning is used to decompose re nement proofs in order to avoid state-space explosion. In previous approaches, speci cations are forced to operate on the same time scale as the implementation. This may lead to unnatural speci cations and ine ciencies in veri cation. We introduce a novel methodology for decomposing re nement proofs of temporally abstract speci cations, which specify implementation requirements only at certain sampling instances in time. Our new assume-guarantee rule allows separate re nement maps for specifying functionality and timing. We present the theory for the correctness of our methodology, and illustrate it using a simple example. Support for sampling and the generalized assume-guarantee rule have been implemented in the model checker Mocha and successfully applied to verify the VGI multiprocessor data ow chip with 6 million transistors.