Model Checking the IBM Gigahertz Processor: An Abstraction Algorithm for High-Performance Netlists

A common technique in high-performance hardware design is to intersperse combinatorial logic freely between level-sensitive latch layers (wherein one layer is transparent during the “high” clock phase, and the next during the “low”). Such logic poses a challenge to verification – unless the two-phase netlist N may be abstracted to a full-cycle model N ′ (wherein each memory element may sample every cycle), model checking of N requires at least twice as many state variables as would be necessary to obtain equivalent coverage for N ′. We present an algorithm to automatically obtain such an abstraction by selectively eliminating latches from both layers. The abstraction is valid for model checking CTL* formulae which reason solely about latches of a single phase. This algorithm has been implemented in IBM’s model checker, RuleBase, and has been used to enable model checking of IBM’s Gigahertz Processor, which may not have been feasible otherwise. This abstraction has furthermore allowed verification engineers to write properties and environments more efficiently.