[IEEE 2007 International Symposium on Integrated Circuits - ISIC 2007 - Singapore (2007.09.26-2007.09.28)] 2007 International Symposium on Integrated Circuits

First-order Checking of ω-Automata Using MDGs

Fang Wang

Faculty of Engineering and Applied Science, Memorial University of Newfoundland, St. John's, Newfoundland A1B 3X5

Email: [email protected]

Abstract— Multiway decision graph (MDG) based model checking outperforms other symbolic model checking methods since it uses variables of abstract sort and uninterpreted function symbols. However, it can only accept a few first-order formula patterns; this greatly limits its application. To overcome this limitation, this paper proposes an ω-automata based verification technique using MDGs. Experimental results are presented to show the efficiency of the proposed method.

I. INTRODUCTION

It is well-known that state space explosion is the most challenging problem in reduced ordered Binary Decision Diagram (BDD) based model checking. This is mainly due to the fact that BDD based methods describe the design at the Boolean logic level and thus in general are not adequate for verifying designs with large datapaths. Multiway decision graph (MDG) based methods have been proposed to alleviate this problem by integrating two important verification techniques: implicit state enumeration and the use of variables of abstract sorts and uninterpreted function symbols [1].

In MDG based model checking, the system design is modeled as an abstract state machine (ASM), encoded by MDGs, accepting variables of abstract sorts and uninterpreted function symbols; the properties to be checked are represented by first-order linear time temporal logic formulas, called LMDG formulas [4] (for this reason, MDG based model checking will also be referred to as LMDG checking in the sequel); and the checking of properties is automatically carried out by algorithms implemented with a set of MDG operators and a reachability analysis procedure that explores the state space of an ASM using abstract implicit enumeration techniques [1]. As a result, LMDG checking raises the abstraction level of BDD based model checking to the first-order level without sacrificing automation. However, LMDG allows only six patterns of first-order linear time temporal logic formulas, p, Gp, Fp, pUq, G(p → Fq) and G(r → (pUq)), which greatly hampers the application of LMDG checking. To overcome this limitation, in this paper we exploit the ω-automata based verification technique with MDGs and propose a new verification method.

Related Work. In the literature, there exist several first-order temporal logic (FOL) model checking methods (see [2] and the references therein). Among them, the LMDG checking of ASMs developed by Xu et al. [4] is the most closely related one. Using a construction mechanism they developed, Xu et al. transform the verification of an ASM with respect to an LMDG formula into a simpler one: checking a formula consisting of variables of Boolean sort (a concrete sort with enumeration {0,1}) on an ASM composed of the system ASM and the constructed ASMs. The checking is then automatically conducted by an algorithm chosen from the algorithm set according to the formula pattern.

In this paper, we adopt the transformation of [4] but use a unified algorithm to check the transformed verification problem by employing the ω-automata based technique. The integration of these two techniques removes the limitation on property formula patterns of LMDG checking, which further widens the application of MDGs. The FOL accepted by our method is denoted by LMDG*, and the proposed checking method will be referred to as LMDG* checking in the sequel.

The rest of the paper is organized as follows: Section II describes ASMs and Section III presents LMDG*. The structure of our method is presented in Section IV, and Section V gives the related algorithm. Experimental results are shown in Section VI; and Section VII concludes the paper.

II. ABSTRACT STATE MACHINE

To model the system design as an ASM, we use variables of concrete sorts to represent control signals and variables of abstract sorts to represent datapath signals. Concrete sorts have finite enumerations, while abstract sorts do not. A data operation is represented by an abstract function symbol, where the output of the abstract function is of abstract sort. The feedback from the datapath to the control circuitry is represented as a cross-operator whose output is of concrete sort and at least one of whose inputs is of abstract sort. Both the abstract function symbols and the cross-operators are uninterpreted or partially interpreted by rewriting rules.

The system is described using finite sets of input, state and output variables, which are pairwise disjoint. The behavior of the system is defined by its transition/output relations, together with a set of initial states. The transition/output relations and the initial states are represented by directed formulas. A directed formula of type U → V is a formula in disjunctive normal form satisfying certain rules [4], [1]. More specifically, an ASM is defined as a tuple D = (X, Y, Y', Z, FI, FT, FO), where
1) X, Y, Y', and Z are pairwise disjoint sets of input, state, next-state and output symbols, respectively. There is a one-to-one mapping between Y and Y'.
2) FI is a directed formula of type U → Y, representing the set of initial states, where U is a set of abstract


1-4244-0797-4/07/$20.00 ©2007 IEEE


variables disjoint from X ∪ Y ∪ Y' ∪ Z. Typically, FI is a one-disjunct directed formula representing the set of initial states.
3) FT is a directed formula of type (X ∪ Y) → Y', representing the transition relation.
4) FO is a directed formula of type (X ∪ Y) → Z, representing the output relation.

To illustrate the above definition, we give an ASM model of a machine which picks up the minimum and maximum from a set of natural numbers. Let r and x be inputs describing the reset signal and the input number respectively; and let c/c', m/m' and M/M' be the state/next-state variables, where c describes the control state of the machine and m/M describe the minimal/maximal number obtained so far; there are no output variables in the machine. r and c/c' are defined as variables of Boolean sort, while x, m/m' and M/M' are defined as variables of the abstract sort wordn. We further define a cross-operator, leq, to compare two variables a and b of sort wordn. leq is interpreted by the rewriting rule: leq(a, b) = 1 if and only if a is less than or equal to b; leq(a, b) = 0 otherwise. The initial states FI are defined by the directed formula c = 1 ∧ m = max ∧ M = min. The transition relation is shown in Fig. 1.

Fig. 1 (state diagram, not reproduced). Its transitions are labelled: on r = 1, m' = max and M' = min; on r = 0 from the initial state, m' = x and M' = x; on r = 0 otherwise, m' = if leq(x, m) = 1 then x else m, and M' = if leq(x, M) = 1 then M else x.

Fig. 1. The transition relation of the MINMAX ASM

III. A FIRST-ORDER LINEAR-TIME TEMPORAL LOGIC: LMDG*

To represent the properties to be verified, we define a first-order linear-time temporal logic, called LMDG*. Given a description of an ASM and a set of ordinary variables V which is available for use in the specification of properties, LMDG* is defined as follows, where the sort of a function symbol is the sort of its output.

The atomic formulas of LMDG* are T (truth), F (falsity) and A1 = A2, where A1, A2 are terms of the same sort α.

The basic formulas, called Next_let-formulas, are defined by the following rules:
• Each atomic formula is a Next_let formula.
• If p and q are Next_let formulas, then so are (p & q) (p and q), (p | q) (p or q), !p (not p), X p (next p) and LET (v = t) IN p, where t is a variable of abstract sort and v is an ordinary variable used to remember the value of t at the current state.

Finally, the (compound) formulas are defined inductively as follows:
• Each Next_let formula is a formula;
• If p, q are formulas, then so are p U q (p until q), G p (always p), F p (eventually p).

To show how to use LMDG*, we again use the minmax example. Consider the property "at any time, if the machine accepts a new number which is not less than or equal to M, then at the next time M will be updated by this number." The LMDG* formula for this property is G((c = 0 & r = 0 & leq(x, M) = 0) → LET (v = x) IN X (M = v)).

IV. METHODOLOGY

LMDG* checking is an automata based verification technique, in which both the system and the property formula are transformed into ω-automata. An ω-automaton can be viewed as a transition system structure with an acceptance condition. Its language is defined as the set of runs which satisfy the acceptance condition infinitely often. The system automaton accepts all the behaviors produced by the system, while the property automaton accepts the behaviors (time line structures) violating the property formula. A product automaton is built to accept all the behaviors produced by the system that violate the property. Finally, a language emptiness checking algorithm on the product automaton is used to check whether its language is empty. If not, then there is at least one behavior produced by the system that does not satisfy the property [6].

The Generalized Büchi Automaton (GBA) is the most commonly used ω-automaton in the area of formal verification. The acceptance condition of a GBA is defined by a finite collection of sets of states, where each set is called a fairness set. The language of a GBA is composed of those runs that intersect all fairness sets infinitely often. If the GBA accepts all the runs produced by the transition structure, then the acceptance condition consists of one set which includes all the system states [6]. Thus, by using a GBA to represent the system design, the acceptance condition of the product GBA, composed of the property automaton and the system automaton, is determined only by the property automaton. The procedure shown in [7] is efficient in transforming a propositional Linear time Temporal Logic (LTL) formula into a GBA which accepts all behaviors violating the formula.

We propose LMDG* checking, which accepts an LMDG* formula as the property and an ASM as the system model and answers whether the property is satisfied by the system design or not. The structure of the proposed method is shown in Fig. 2.
1) Using the ASM model's symbols, construct an ASM for each Next_let-formula in the LMDG* formula, whose outputs are variables of Boolean sort; generate an LTL formula using these outputs and the LMDG* formula; compose the constructed ASMs with the original ASM model to produce an ASM denoted by M.
2) Generate a GBA B from the LTL formula obtained in step 1) using the existing algorithm [7].
3) Compose M and B to produce a product GBA Mp.
4) Finally, check whether the language of Mp is empty or not using the language emptiness checking algorithm that will be discussed in the next section.

The details of each step and the correctness of our method can be found in [2]. As an example, Fig. 3 shows the constructed ASM for the property of the minmax example in Section III.
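The following is an added example, not code from the paper or the MDG package: an executable rendering of the MINMAX ASM of Fig. 1 and of the LMDG* property of Section III, checked by simulation over finite runs rather than symbolically. It assumes the abstract sort wordn is instantiated as Python integers with the abstract constants max/min fixed as MAX/MIN, that the control state c is 1 after reset and 0 while running (our reading of Fig. 1), and it adds a constructed faulty variant (buggy_step) to show what the property catches. The bounded exhaustive check at the end enumerates concrete inputs, which is exactly the data enumeration the paper's abstract-sort MDG checking avoids.

```python
from itertools import product

MAX, MIN = 2**16 - 1, 0  # assumed instantiation of the abstract constants max and min


def leq(a, b):
    """Cross-operator leq: abstract-sort inputs, concrete (Boolean) output, per its rewriting rule."""
    return 1 if a <= b else 0


def minmax_init():
    """FI: c = 1 ^ m = max ^ M = min."""
    return {"c": 1, "m": MAX, "M": MIN}


def minmax_step(s, r, x):
    """Transition relation FT of Fig. 1 for one clock cycle (c = 1 is the reset state: our assumption)."""
    if r == 1:                                     # reset: back to the initial state
        return {"c": 1, "m": MAX, "M": MIN}
    if s["c"] == 1:                                # first number after a reset
        return {"c": 0, "m": x, "M": x}
    return {"c": 0,
            "m": x if leq(x, s["m"]) == 1 else s["m"],
            "M": s["M"] if leq(x, s["M"]) == 1 else x}


def buggy_step(s, r, x):
    """Constructed fault: the comparison for M is inverted, so a new maximum is never stored."""
    nxt = minmax_step(s, r, x)
    if r == 0 and s["c"] == 0:
        nxt["M"] = x if leq(x, s["M"]) == 1 else s["M"]
    return nxt


def run(step, inputs):
    """State sequence s_0, s_1, ..., s_n for the input sequence [(r_0, x_0), ..., (r_{n-1}, x_{n-1})]."""
    states = [minmax_init()]
    for r, x in inputs:
        states.append(step(states[-1], r, x))
    return states


def check_property(step, inputs):
    """Evaluate G((c = 0 & r = 0 & leq(x, M) = 0) -> LET (v = x) IN X (M = v)) on a finite run.
    Returns the first time t at which the Next_let formula fails, or None if none fails on the prefix."""
    states = run(step, inputs)
    for t, (r, x) in enumerate(inputs):
        s = states[t]
        if s["c"] == 0 and r == 0 and leq(x, s["M"]) == 0:  # antecedent holds at time t
            v = x                                            # LET (v = x): remember x now
            if states[t + 1]["M"] != v:                      # X (M = v): compare at time t + 1
                return t
    return None


def bounded_check(step, depth, xs):
    """Exhaustive check of all input sequences up to `depth` cycles over the concrete domain `xs`.
    Returns a violating input sequence, or None."""
    moves = list(product((0, 1), xs))                        # all (r, x) pairs
    for n in range(1, depth + 1):
        for inputs in product(moves, repeat=n):
            if check_property(step, list(inputs)) is not None:
                return list(inputs)
    return None


if __name__ == "__main__":
    trace = [(0, 5), (0, 9), (0, 3)]                        # constructed sample run
    print("correct design, violation at:", check_property(minmax_step, trace))
    print("faulty design, violation at:", check_property(buggy_step, trace))
    print("bounded search, faulty design:", bounded_check(buggy_step, 4, range(4)))
```

The monitor does what step 1) of Section IV builds in hardware: it stores v at the cycle where the antecedent holds and compares it against M one cycle later. The bounded search is only a sanity check over a tiny domain; it cannot conclude anything about the unbounded wordn values that the MDG-based check handles symbolically.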


Fig. 2 (block diagram, not reproduced). The ASM model and the constructed ASMs are composed into the ASM M; from the LMDG* property, the constructed ASMs' outputs are used to generate an LTL formula, from which the automaton B is generated; M and B are composed into the product automaton Mp, whose language emptiness is then checked.

Fig. 2. The structure of LMDG* checking

Fig. 3 (block diagram, not reproduced). The system model supplies r, c, x and M to the constructed ASM, which contains an abstract comparator computing leq(x, M) and an or-gate, and produces the Boolean output p.

Fig. 3. The constructed ASM for the property G((c = 0 & r = 0 & leq(x, M) = 0) → LET (v = x) IN X (M = v))

V. LANGUAGE EMPTINESS CHECKING ALGORITHM

With the product GBA Mp generated by the method presented in the previous section, we next address language emptiness checking on Mp. EL2 is one of the most efficient algorithms for detecting language emptiness of a GBA [8]. The algorithm first computes the set of reachable states; then, within this set, it searches for the Strongly Connected Components (SCCs) that intersect all the fairness sets, called fair SCCs. This computation is based on the observation that the SCC containing a state v is the set of states with both a path to v and a path from v. Therefore, for each fair SCC there must exist at least one cycle that intersects each fairness set; more specifically, there is a run that intersects all the fairness sets infinitely often.

The search for fair SCCs is implemented by an implicit enumeration technique which computes a set of states that contains all the fair SCCs, called the SCC-hull. The computation returns an SCC-hull which is empty when there is no fair SCC. Starting with all reachable states, the EL2 algorithm repeatedly removes those states that cannot be reached from all the fairness sets and those states that cannot be reached from cycles. The algorithm terminates when a fixed point is reached. The fixed point contains all the states that can be reached from all fair SCCs. If the fixed point is empty, then there is no run that can be accepted by the GBA, which means that no behavior produced by the system is accepted by the property automaton, i.e., no behavior violates the property. In this case, the property is satisfied by the system design. Otherwise, the fixed point can be used to provide a counterexample which gives the designer a clue to the design error.

Based on the operators provided in the MDG package and the existing reachability analysis procedure, we implemented this algorithm as follows:

Algorithm 5.1: (MDG EL2 Algorithm)
1) Compute all reachable states using the MDG reachability analysis procedure.
2) For each fairness set Ci, remove those states that cannot be reached from Ci.
3) Remove those states that cannot be reached from cycles.
4) Check whether a fixed point Z is reached. If yes, stop and further check whether Z is empty; otherwise, go back to step 2).

We have implemented the above algorithm with MDG operators; see [5] for details. Its correctness proof can be found in [2]. We provide some experimental results in the next section. Note that since LMDG* checking is carried out in first-order logic, the reachability analysis procedure may not terminate; as a result, the above algorithm may not terminate either. Some solutions to this issue are provided in [9].

VI. EXPERIMENTAL RESULTS

To show the efficiency of LMDG* checking, we have conducted several case studies with it and compared it with LMDG checking. Due to the space limit, here we only show the experiment with the Island Tunnel Controller (ITC). More experimental results can be found in [2].

A. System Description

The ITC was originally introduced by Fisler and Johnson [3]. The ITC controls the traffic lights at both ends of a tunnel, which is a single lane connecting the mainland to an island, according to the traffic situation detected by sensors at both ends of the tunnel. There are two pairs of sensors: one pair is on the island side, including one at the tunnel entrance (ie) and one at the tunnel exit (ix); the other pair is on the mainland side, consisting of one at the tunnel entrance (me) and one at the tunnel exit (mx). For simplicity, it is assumed that there are finitely many cars; no car gets stuck in the tunnel; cars do not exit the tunnel before entering it; cars do not leave the tunnel entrance without traveling through the tunnel; and there is sufficient distance between two cars that the sensors can distinguish them. One constraint is imposed: "at most 16 cars may be on the island at any time." In fact, the number "16" can be taken as a parameter and can be any natural number. In our ASM, we model this number with a variable of abstract sort.

As shown in Fig. 4, Fisler and Johnson proposed a specification of the ITC using three communicating controllers: the Island Light Controller (ILC), the Tunnel Controller (TC) and the Mainland Light Controller (MLC); and two counters: the island counter (ic) and the tunnel counter (tc). The ILC has four states: green, entering, red, and exiting. The outputs igl and irl control the green and the red lights on the island side, respectively; iu indicates that cars from the island side are currently using the tunnel, and ir indicates that the ILC is requesting the tunnel. The input iy requests the ILC to release control of the tunnel, and ig grants control of the tunnel to the island side. A similar set of signals is defined for the MLC. The TC grants the access right requested by the ILC and MLC. ic and tc keep track of the numbers of cars currently on the island and in the tunnel, respectively. For the tunnel controller, at each
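The following is an added example, not the paper's MDG implementation: an explicit-state rendering of Algorithm 5.1 over a small generalized Büchi automaton, with the counterexample extraction from a non-empty fixed point that the text mentions. It reads "reached from Ci" as forward reachability from Ci inside the current set, the image-based direction that a forward reachability procedure provides; this reading is ours. The two automata at the end are constructed stand-ins for a product automaton Mp, not derived from the paper's examples. The correctness argument in the comments is the standard one: every fair SCC survives all three pruning steps, and conversely any non-empty fixed point contains a cycle through every fairness set.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class GBA:
    """Generalized Buchi automaton: initial states, successor map and fairness sets C_i.
    A run is accepted iff it visits every C_i infinitely often."""
    init: frozenset
    edges: dict       # state -> set of successor states
    fairness: tuple   # tuple of frozensets

    def succ(self, s):
        return self.edges.get(s, ())


def forward_reach(seeds, succ, zone=None):
    """States reachable from `seeds` (BFS); if `zone` is given, paths must stay inside it."""
    inside = (lambda t: True) if zone is None else (lambda t: t in zone)
    seen = {s for s in seeds if inside(s)}
    queue = deque(seen)
    while queue:
        s = queue.popleft()
        for t in succ(s):
            if inside(t) and t not in seen:
                seen.add(t)
                queue.append(t)
    return seen


def scc_hull(gba):
    """Steps 1-4 of Algorithm 5.1. z only shrinks, so the loop stops at the greatest fixed point.
    A fair SCC S is never pruned: each of its states is reachable from every C_i-state of S within S,
    and each has a predecessor in S. Conversely, a non-empty fixed point contains a fair cycle
    (see fair_cycle), so emptiness of the hull decides emptiness of the language."""
    z = forward_reach(gba.init, gba.succ)                   # step 1: all reachable states
    while True:
        old = z
        for c in gba.fairness:                              # step 2: keep states reachable from C_i in z
            z = forward_reach(c & z, gba.succ, z)
        z = {t for s in z for t in gba.succ(s) if t in z}   # step 3: keep states with a predecessor in z
        if z == old:                                        # step 4: fixed point
            return z


def fair_cycle(gba, hull):
    """Counterexample from a non-empty hull: a cycle inside the hull through every fairness set.
    Walk backwards from an anchor, picking for i = 0, 1, ..., k-1, 0, ... a C_i-state that reaches
    the current anchor within the hull by at least one edge (such a state exists by steps 2 and 3).
    Anchors k apart must eventually repeat (the hull is finite); the pieces between form the cycle."""
    pred = {s: set() for s in hull}
    for s in hull:
        for t in gba.succ(s):
            if t in hull:
                pred[t].add(s)

    def back_path(sources, target):
        # shortest path source -> ... -> target with >= 1 edge, inside the hull
        parent, queue = {}, deque()
        for p in pred[target]:
            parent[p] = target
            queue.append(p)
        while queue:
            s = queue.popleft()
            if s in sources:
                path = [s]
                while True:
                    path.append(parent[path[-1]])
                    if path[-1] == target:
                        return path
            for p in pred[s]:
                if p not in parent:
                    parent[p] = s
                    queue.append(p)
        raise AssertionError("hull invariant violated")

    sets = gba.fairness or (frozenset(hull),)               # no fairness set: any cycle will do
    k = len(sets)
    anchors, pieces = [next(iter(hull))], []                # pieces[m] runs from anchors[m+1] to anchors[m]
    while True:
        path = back_path(sets[len(pieces) % k] & hull, anchors[-1])
        pieces.append(path)
        anchors.append(path[0])
        n = len(anchors) - 1
        for j in range(n - k, -1, -k):                       # repeat at a gap that is a multiple of k
            if anchors[j] == anchors[n]:
                cycle = list(pieces[n - 1])
                for m in range(n - 2, j - 1, -1):
                    cycle.extend(pieces[m][1:])
                return cycle                                # cycle[0] == cycle[-1]


def is_fair_cycle(gba, cycle):
    """Check a witness: closed, every step is an edge, every fairness set is visited."""
    closed = cycle[0] == cycle[-1] and len(cycle) > 1
    edges_ok = all(b in gba.succ(a) for a, b in zip(cycle, cycle[1:]))
    return closed and edges_ok and all(set(cycle) & c for c in gba.fairness)


def check_emptiness(gba):
    """(True, None) if L(gba) is empty, else (False, fair cycle inside the hull)."""
    hull = scc_hull(gba)
    return (True, None) if not hull else (False, fair_cycle(gba, hull))


# Constructed sample automata with two fairness sets C_1 = {1}, C_2 = {3}.
# EMPTY: the only cycles are {1,2} (meets C_1 only) and {4} (meets neither).
EMPTY = GBA(frozenset({0}), {0: {1}, 1: {2}, 2: {1, 3}, 3: {4}, 4: {4}}, (frozenset({1}), frozenset({3})))
# NONEMPTY: the extra edge 4 -> 1 closes the cycle 1 -> 2 -> 3 -> 4 -> 1 through both sets.
NONEMPTY = GBA(frozenset({0}), {0: {1}, 1: {2}, 2: {1, 3}, 3: {4}, 4: {4, 1}}, (frozenset({1}), frozenset({3})))

if __name__ == "__main__":
    print("EMPTY:", check_emptiness(EMPTY))
    print("NONEMPTY:", check_emptiness(NONEMPTY))
```

In the MDG setting each set operation above becomes an MDG operator over directed formulas and forward_reach becomes the abstract reachability procedure, which is also where the non-termination caveat of the text enters: with abstract sorts the forward image may keep producing new states, whereas the explicit-state version here always terminates.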


clock cycle, tc is incremented by one on tc+ or decremented by one on tc- if it is not already zero. ic operates in a similar way, except that the increment and decrement signals are ic+ and ic-, respectively.

Fig. 4 (block diagram, not reproduced). The Mainland Light Controller (MLC), the Tunnel Controller (TC) and the Island Light Controller (ILC) are connected in a chain, with the Island Counter (ic+, ic-) and the Tunnel Counter (tc+, tc-) below them; the signals visible in the figure are mgl, mrl, mg, mu, me, mx on the mainland side and ir, iu, ie, ix on the island side.

Fig. 4. The specification of the Island Tunnel Controller

B. Verification of the ITC

We first generate the Register Transfer Level (RTL) model representing the ITC design. For this purpose, we define ASMs to represent the ILC, MLC, TC, Island Counter (IC) and Tunnel Counter (TC), where we use two variables of abstract sort wordn to describe the counter state variables and the two abstract function symbols inc, dec to represent the operations of increment by 1 and decrement by 1, respectively. The cross-operators equz and lessN are used to denote whether ic/tc is equal to zero, and whether the number of cars on the island is less than the limit N. The environment is built in such a way that it allows a non-deterministic choice of values on the primary inputs ie, ix, me and mx.

To verify the above ITC RTL design, we proposed several properties, some of which are verified by both our method and LMDG checking. Below we give two properties which are verified by LMDG* checking but cannot be accepted by LMDG checking.

P1: It is not always true that no car waits forever in order to enter the tunnel:

!(G !((me = 1) → G !(mgl = 1)))

P2: It is always true that a car waiting to enter the tunnel will wait until it is allowed:

G(((ie = 1) & !G !(igl = 1)) → ((ie = 1) U (igl = 1))).

The experiments were carried out on a Sun Ultra-2 workstation with a 296 MHz CPU and 768 MB of memory. The experimental results are summarized in Table I, including the CPU time, memory usage and number of MDG nodes generated.

TABLE I
EXPERIMENTAL RESULTS FOR THE ITC

        time (sec)   Memory (MB)   # of MDG nodes
P1      16.90        13.98         19696
P2      19.21        21.45         23286

C. Discussion

From the experimental results shown in Table I, we can see that our method can verify properties that cannot be accepted by LMDG checking. The reason is that, by using ω-automata representations for both the property and the system design, the verification problem is reduced to language emptiness checking of automata. As a result, many more properties can be checked. This is exactly the purpose of developing our new method.

VII. CONCLUSION

In this paper we proposed first-order checking of ω-automata using MDGs, which accepts LMDG* formulas as properties and ASMs as system design models. To achieve this, we defined LMDG* and proposed an approach integrating the ASM transformation technique and the ω-automata based verification technique. We also adapted the existing language emptiness checking algorithm into the MDG package. Experimental results on the ITC showed that our new method can handle more properties than the existing MDG tools and thus improves the capability of the MDG tool package.

REFERENCES

[1] E. Cerny, F. Corella, M. Langevin, X. Song, S. Tahar and Z. Zhou. "Automated Verification with Abstract State Machines Using Multiway Decision Graphs." Formal Hardware Verification: Methods and Systems in Comparison, pages 79-113, Springer-Verlag, 1997.
[2] F. Wang. First-ordered Model Checking of ω-automata using Multiway Decision Graphs. Ph.D. Dissertation, Concordia University, 2005.
[3] K. Fisler and S. Johnson. "Integrating Design and Verification Environments through Logic Supporting Hardware Diagrams." In Proceedings of the IFIP Conference on Hardware Description Languages and their Applications, pages 669-674, Chiba, Japan, August 1995.
[4] Y. Xu, X. Song, E. Cerny, and O. Ait Mohamed. "Model checking for a first-order logic using multiway decision graphs." The Computer Journal, Vol. 47, No. 1, pages 71-84, The British Computer Society, 2004.
[5] F. Wang, S. Tahar, and O. Ait Mohamed. "First-order LTL Model Checking using MDGs." In Proceedings of the International Symposium on Automated Technology for Verification and Analysis (ATVA'04), Taipei, Taiwan, November 2004, LNCS, Springer-Verlag.
[6] M. Y. Vardi. "An Automata-Theoretic Approach to Linear Temporal Logic." In Logics for Concurrency: Structure Versus Automata, LNCS 1043, pages 238-266, Springer-Verlag, 1996.
[7] F. Somenzi and R. Bloem. "Efficient Büchi automata from LTL formulae." In Conference on Computer Aided Verification (CAV), volume 1855 of LNCS, pages 247-263, Springer-Verlag, 2000.
[8] F. Somenzi, K. Ravi, and R. Bloem. "Analysis of symbolic SCC hull algorithms." In Conference on Formal Methods in Computer Aided Design, volume 2517 of LNCS, pages 88-105, Springer-Verlag, 2002.
[9] O. Ait-Mohamed and X. Song. "MDG Based State Enumeration by Retiming and Circuit Transformation." Journal of Circuits, Systems, and Computers (JCSC), World Scientific, 2003.
