Temporal Specification Verification via Causal Reasoning
Authors
Abstract
We present a technique for verifying the timing specifications of the interfaces between digital systems. The verification process takes as input the timing protocols of each component as well as the connectivity between the components. The technique proceeds in three steps. First, a graph is built which describes the causal relationships of events which can occur in the complete system. Second, a set of requirements (from the specifications) is used to identify pairs of events which must (or must not) happen with a particular temporal relationship. Third, for each such requirement, the sequences of events which might lead to such a requirement violation are identified and traced to determine if the requirement is violated or satisfied. The technique supports protocols with time ranges on transitions, and conditional events based on dynamic sensitivity to system state.

Introduction: The Verification Problem

Attempts to reason about digital systems have been ongoing for many years [1-3]. Various methods for modeling time delays have been proposed and formal verification methods investigated [4-7]. Methods based on simulation have also been used to verify circuits [8,9]. Recent work has taken a symbolic approach to attempt to reason about circuits [10,11], as has our previous work [12,13], which investigated a simpler verification technique upon which this work is based.

As in our previous work, our goal is to provide a technique for automatically verifying the temporal protocols used in the interfaces between digital systems. The technique uses three kinds of information about the system it is verifying. First are the external actions of each of the component sub-systems, or modules. These are (generally) taken by the module in response to external events from other modules. Second are the temporal constraints, or requirements, which each module places on its environment in order for it to operate correctly. Taken together, these comprise the temporal protocols of the system. Third are the actual interconnections between the inputs and outputs of the modules in the system. Given this information, the technique is used to verify that no sequence of actions (events) taken by the modules will violate any of the requirements specified for the system.

In this work, the verification process depends on an underlying assumption that the system is completely specified (i.e., all information regarding the system is known). This assumption is necessary and sufficient for the verification process to occur. It is necessary since permitting the possibility of unknown information in the system affecting system operation results in incorrect reasoning. An incompletely specified system is one where not all information is known about how all control signals in the system interact. Taken to an extreme, this implies that signals may change values in an unpredictable manner, at any time, precluding the possibility of verifying correct behavior. The assumption that the system is fully specified is sufficient for verification: if all information is known about the system, then, within the scope of the model used, no unanticipated action can occur in the system which could affect the verification process.

The verification methodology analyzes relationships between events on signals. A signal is a physical entity (e.g., a wire) or a virtual identifier (e.g., a variable) which can have two values, high and low. Restricting signals to two values can be done without loss of generality in the verification

This section provides an overview of the terminology which will be used; formal definitions appear in [12,14].
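The three-step procedure described in the abstract (build a causal event graph with delay ranges on transitions, state requirements as pairs of events with a required temporal relationship, then trace the event chains that could violate each one), worked through in Python as an added illustration. This is not code from the paper or its authors; it assumes a hypothetical CPU-reads-memory interface with constructed delay ranges, models only unconditional transitions with [min, max] delays (the conditional, state-sensitive events the abstract mentions are not modelled), and treats an event with several causes conservatively by taking the earliest and latest bound over all of them.

```python
"""Causal-graph timing check modelled on the abstract's three steps: build the
event graph, state requirements as event pairs, trace the bounding chains.
The CPU/memory interface is constructed for illustration (arbitrary time units)."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Requirement:
    first: str     # event that must occur first
    second: str    # event that must follow it
    min_gap: int   # minimum separation (e.g. a setup time) between them

@dataclass
class Result:
    satisfied: bool
    latest_first: int       # latest time `first` can occur
    earliest_second: int    # earliest time `second` can occur
    first_trace: list       # causal chain that produces latest_first
    second_trace: list      # causal chain that produces earliest_second

class CausalGraph:
    """Nodes are events; edge cause -> effect carries the [dmin, dmax] delay
    range of that transition in the responding module's protocol."""

    def __init__(self):
        self.edges = defaultdict(list)

    def add_transition(self, cause, effect, dmin, dmax):
        if dmin < 0 or dmax < dmin:
            raise ValueError(f"bad delay range [{dmin}, {dmax}] on {cause}->{effect}")
        self.edges[cause].append((effect, dmin, dmax))

    def _topological_order(self, start):
        # Reverse DFS post-order; a back edge is a causal cycle, which this
        # bounded analysis rejects rather than looping forever.
        on_stack, done, order = set(), set(), []

        def visit(ev):
            if ev in done:
                return
            if ev in on_stack:
                raise ValueError(f"causal cycle through {ev}")
            on_stack.add(ev)
            for nxt, _, _ in self.edges[ev]:
                visit(nxt)
            on_stack.discard(ev)
            done.add(ev)
            order.append(ev)

        visit(start)
        return list(reversed(order))

    def windows(self, trigger):
        """Earliest/latest time of every event reachable from `trigger` (at t=0),
        with the chain producing each bound; an event with several causes gets
        the min/max over all of them (a conservative simplification)."""
        earliest = {trigger: (0, [trigger])}
        latest = {trigger: (0, [trigger])}
        for ev in self._topological_order(trigger):
            e_t, e_path = earliest[ev]
            l_t, l_path = latest[ev]
            for nxt, dmin, dmax in self.edges[ev]:
                if nxt not in earliest or e_t + dmin < earliest[nxt][0]:
                    earliest[nxt] = (e_t + dmin, e_path + [nxt])
                if nxt not in latest or l_t + dmax > latest[nxt][0]:
                    latest[nxt] = (l_t + dmax, l_path + [nxt])
        return earliest, latest

def check(graph, trigger, requirements):
    """`first` precedes `second` by at least `min_gap` only if the *latest*
    `first` still leaves `min_gap` before the *earliest* `second`."""
    earliest, latest = graph.windows(trigger)
    results = {}
    for req in requirements:
        if req.first not in latest or req.second not in earliest:
            raise KeyError(f"{req} names an event not reachable from {trigger}")
        l_first, first_trace = latest[req.first]
        e_second, second_trace = earliest[req.second]
        ok = l_first + req.min_gap <= e_second
        results[req] = Result(ok, l_first, e_second, first_trace, second_trace)
    return results

def build_example(sample_window=(45, 50)):
    """Hypothetical CPU-reads-memory interface (constructed, not from the paper)."""
    g = CausalGraph()
    g.add_transition("cpu_cycle_start", "addr_valid", 2, 5)       # CPU drives address
    g.add_transition("cpu_cycle_start", "read_strobe", 10, 12)    # CPU asserts read strobe
    g.add_transition("read_strobe", "data_valid", 20, 40)         # memory access time
    g.add_transition("cpu_cycle_start", "data_sample", *sample_window)  # CPU latches data
    return g

def example_requirements():
    return [Requirement("addr_valid", "read_strobe", 3),   # address setup before strobe
            Requirement("data_valid", "data_sample", 5)]   # data setup before sampling

if __name__ == "__main__":
    for req, res in check(build_example(), "cpu_cycle_start", example_requirements()).items():
        print(req.first, "->", req.second, "ok" if res.satisfied else "VIOLATED",
              "| latest", req.first, "=", res.latest_first, "via", " -> ".join(res.first_trace),
              "| earliest", req.second, "=", res.earliest_second)
```

With the constructed delays, the address-setup requirement holds (address valid by t=5, strobe no earlier than t=10), while the data-setup requirement is violated: the chain cpu_cycle_start -> read_strobe -> data_valid can leave data valid as late as t=52, yet the CPU may sample at t=45. That chain is exactly the "sequence of events which might lead to a requirement violation" the abstract describes tracing; moving the sample window to (60, 65) makes every requirement pass. A causal cycle in the graph raises an error rather than being analysed, since the bounded min/max propagation only makes sense on an acyclic graph.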
Similar resources
Formal Specification and Verification of a Dataflow Processor Array
We describe the formal specification and verification of the VGI parallel DSP chip [1], which contains 64 compute processors with 30K gates in each processor. Our effort coincided in time with the "informal" verification stage of the chip. By interacting with the designers, we produced an abstract but executable specification of the design which embodies the programmer's view of the system. Given th...
The Temporal Specification and . . .
We extend the specification language of temporal logic, the corresponding verification framework, and the underlying computational model to deal with real-time properties of reactive systems. Semantics We introduce the abstract computational model of timed transition systems as a conservative extension of traditional transition systems: qualitative fairness requirements are superseded by quantita...
Specification and Verification of High-Speed Transfer Protocols
Composition of high-speed protocols from basic protocol mechanisms can help to realize the flexible application-specific selection of protocols. For the purpose of formal specification, functional modelling, analysis, and verification of composed protocols we apply L. Lamport's Temporal Logic of Actions (TLA). We propose a modular and compositional style of specification, which supports the analysis ...
A framework for modeling transfer protocols
The notion of specification frameworks transposes the framework approach from software development to the level of formal modeling and analysis. A specification framework is devoted to a special application domain. It supplies reusable specification modules and guides the construction of specifications. Moreover, it provides theorems to be used as building blocks of verifications. By means of a suit...
Verification of Automatically Generated Pattern-Based LTL Specifications
The use of property classifications and patterns, i.e., high-level abstractions that describe common behavior, has been shown to assist practitioners in generating formal specifications that can be used in formal verification techniques. The Specification Pattern System (SPS) provides descriptions of a collection of patterns. The extent of program execution over which a pattern must hold is descri...