Formal Verification of the Island Tunnel Controller Using Multiway Decision Graphs

node with a fresh abstract variable. However, the reachable state spaceis unnecessarily enlarged since states that are not within processor-like loops arealso generalized. As a trade-o , we propose a heuristic solution to this problem:After a certain number of state transitions (speci ed by the user), if the MDGsize of the frontier-set keeps increasing, the value of each state variable in theMDG is generalized. With this heuristic, the state to be generalized is morelikely to be within a processor-like loop.Termination of the abstract state enumeration can be obtained at the cost offalse negatives introduced by the state generalization. If the reachability analysissucceeds, we know that the invariant holds even for the enlarged set of reach-able states, but if it does not, then we have to examine, e.g., by simulation,whether the counterexample thus produced corresponds to a real design error.The heuristic method performs state generalization quite blindly at rst, andpostpones any manual analysis to the examination of counterexamples, if any.The results in Table 2 (the last row) are obtained using the heuristic stategeneralization technique on the complete ITC speci cation composed of the veASMs of Figure 2.7 ConclusionsIn this paper, we demonstrated the feasibility of the MDG-based hardware ver-i cation at the RT level on a non trivial example{the Island Tunnel Controller.We performed various veri cation experiments on the example including com-binational veri cation, behavioral equivalence checking and invariant propertychecking. Using the counterexample facility of the MDG tools, we also showedour ability to identify design errors that were present in the original imple-mentations. Furthermore, we gave a comparative evaluation of the results frominvariant checking with the ROBDD-based tools SMV and VIS, and we showedthe strength of MDG approach by handling arbitrary data widths. Finally, westudied in detail the non-termination problem of abstract state enumeration andpresented a heuristic solution.The MDG tools are capable of dealing with complex designs. The interestedreaders may wish to refer to [15, 17] where a case study is presented aboutthe veri cation of an ATM switch fabric. We are currently developing a modelchecking algorithm for a restricted rst-order temporal logic.References1. R. E. Bryant. Graph-based algorithms for boolean function manipulation. IEEETransactions on Computers, 35(8):677{691, August 1986.2. R. E. Bryant and Y. Chen. Veri cation of arithmetic circuits with binary momentdiagrams. In 32nd ACM/IEEE Design Automation Conference (DAC'95). SanFrancisco, California, June 1995.3. R. K. Brayton et. al. VIS: A system for veri cation and synthesis. In Proc.8th International Conference on Computer-Aided Veri cation (CAV'96). NewBrunswick, New Jersey, USA, July 1996. 4. J. R. Burch, E. M. Clarke, D. E. Long, K. L. McMillan and D. L. Dill. Sym-bolic model checking for sequential circuit veri cation. IEEE Transactions onComputer-Aided Design, 13(4):401{424, April 1994.5. J. R. Burch and D. L. Dill. Automatic veri cation of pipelined microprocessorcontrol. In: D. L. Dill, editor, Computer Aided Veri cation. Lecture Notes inComputer Science 818, Springer Verlag, 1994.6. E. M. Clarke, O. Grumberg, and D. E. Long. Model checking and abstraction. InProc. 19th ACM Symp. on Principles of Programming Languages. January 1992.7. E. Clarke, M. Fujita and X. Zhao. Hybrid decision diagrams. In Proc. IEEE Inter.Conf. on Computer-Aided Design (ICCAD'95). San Jose, California, USA, Nov.1995.8. F. Corella, Z. Zhou, X. Song, M. Langevin and E. Cerny. Multiway decisiongraphs for automated hardware veri cation. IBM technical report RC19676, July1994. To appear in the journal Formal Methods in System Design.9. F. Corella, M. Langevin, E. Cerny, Z. Zhou and X. Song. State enumeration withabstract descriptions of state machines. In Proc. IFIP WG 10.5 Advanced Re-search Working Conference on Correct Hardware Design and Veri cation Methods(Charme'95). Frankfurt, Germany, October 1995.10. O. Coudert, C. Berthet and J. C. Madre. Veri cation of synchronous sequentialmachines based on symbolic execution. In J. Sifakis, editor, Automatic Veri ca-tion Methods for Finite State Systems. Lecture Notes in Computer Science 407,Springer Verlag, 1989.11. D. Cyrluk and P. Narendran. Ground Temporal Logic: A logic for hardware ver-i cation. In: D. L. Dill, editor, Computer Aided Veri cation. Lecture Notes inComputer Science 818, Springer Verlag, 1994.12. K. Fisler and S. Johnson. Integrating design and veri cation environments througha logic supporting hardware diagrams. In Proc. IFIP Conference on Hardware De-scription Languages and their Applications (CHDL'95). Chiba, Japan, Aug. 1995.13. R. B. Jones and D. L. Dill. E cient validity checking for processor veri cation.In Proc. IEEE International Conference on Computer-Aided Design (ICCAD'95).San Jose, California, USA, November 1995.14. D. E. Long. Model Checking, Abstraction, and Compositional Veri cation. PhDthesis, Carnegie Mellon University, 1993.15. M. Langevin, S. Tahar, Z. Zhou, X. Song and E. Cerny. Behavioral Veri cation ofan ATM switch fabric using implicit abstract state enumeration. In Proc. IEEEInter. Conf. on Computer Design (ICCD'96). Austin, Texas, USA, Oct. 1996.16. K. L. McMillan. Symbolic model checking. Kluwer Academic Publishers, Boston,Massachusetts, 1993.17. S. Tahar, Z. Zhou, X. Song, E. Cerny and M. Langevin. Formal veri cation of anATM switch fabric using multiway decision graphs. In Proc. IEEE Sixth GreatLakes Symposium on VLSI. Ames, Iowa, USA, March 1996.18. K.D. Anon, N. Boulerice, E. Cerny, F. Corella, M. Langevin, X. Song, S. Tahar,Y. Xu, Z. Zhou. MDG tools for the veri cation of RTL designs. In Proc. 8th Inter-national Conference on Computer-Aided Veri cation (CAV'96). New Brunswick,New Jersey, USA, July 1996.19. Z. Zhou, X. Song, S. Tahar, E. Cerny, F. Corella and M. Langevin. Formal veri -cation of the Island Tunnel Controller using Multiway Decision Graphs. TechnicalReport 1042, D'IRO, Universite de Montreal, Montreal, Canada, July 1996.This article was processed using theLaTEX macro package with LLNCS style