In this paper, we present our experiences in using symbolic model checking to analyze a specification of a software system for aircraft collision avoidance. Symbolic model checking has been highly successful when applied to hardware systems. We are interested in whether model checking can be effectively applied to large software specifications. To investigate this, we translated a portion of the state-based system requirements specification of Traffic Alert and Collision Avoidance System II (TCAS II) into input to a symbolic model checker (SMV). We successfully used the symbolic model checker to analyze a number of properties of the system. We report on our experiences, describing our approach to translating the specification to the SMV language, explaining our methods for achieving acceptable performance, and giving a summary of the properties analyzed. Based on our experiences, we discuss the possibility of using model checking to aid specification development by iteratively applying the technique early in the development cycle. We consider the paper to be a data point for optimism about the potential for more widespread application of model checking to software systems.

Binary Moment Diagrams (BMDs) provide a canonical representations for linear functions similar to the way Binary Decision Diagrams (BDDs) represent Boolean functions. Within the class of linear functions, we can embed arbitrary functions from Boolean variables to integer values. BMDs can thus model the functionality of data path circuits operating over word-level data. Many important functions, including integer multiplication, that cannot be represented efficiently at the bit level with BDDs have simple representations at the word level with BMDs. Furthermore, BMDs can represent Boolean functions with around the same complexity as BDDs. We propose a hierarchical approach to verifying arithmetic circuits, wherecomponentmodulesare first shownto implement their word-level specifications. The overall circuit functionality is then verified by composing the component functions and comparing the result to the word-level circuit specification. Multipliers with word sizes of up to 256 bits hav...

ACL2 is a mechanized mathematical logic intended for use in specifying and proving properties of computing machines. In two independent projects, industrial engineers have collaborated with researchers at Computational Logic, Inc. (CLI), to use ACL2 to model and prove properties of state-of-the-art commercial microprocessors prior to fabrication. In the first project, Motorola, Inc., and CLI collaborated to specify Motorola's complex arithmetic processor (CAP), a single-chip, digital signal processor (DSP) optimized for communications signal processing. Using the specification, we proved the correctness of several CAP microcode programs. The second industrial collaboration involving ACL2 was between Advanced Micro Devices, Inc. (AMD) and CLI. In this work we proved the correctness of the kernel of the floating-point division operation on AMD's first Pentium-class microprocessor, the AMD5K 86. In this paper, we discuss ACL2 and these industrial applications, with particular attention ...

Regarding finite state machines as Markov chains facilitates the application of probabilistic methods to very large logic synthesis and formal verification problems. In this paper we present symbolic algorithms to compute the steady-state probabilities for very large finite state machines (up to 10 27 states). These algorithms, based on Algebraic Decision Diagrams (ADDs) --- an extension of BDDs that allows arbitrary values to be associated with the terminal nodes of the diagrams --- determine the steady-state probabilities by regarding finite state machines as homogeneous, discrete-parameter Markov chains with finite state spaces, and by solving the corresponding Chapman-Kolmogorov equations. We first consider finite state machines with state graphs composed of a single terminal strongly connected component; for this type of systems we have implemented two solution techniques: One is based on the Gauss-Jacobi iteration, the other one is based on simple matrix multiplication. Then we...

e�mail � emc�cs.cmu.edu e�mail � masahiro�eecs.berkeley.edu e�mail � xzhao�cs.cmu.edu Abstract � Functions that map boolean vectors into the in� tegers are important for the design and veri�cation of arith� metic circuits. MTBDDs and BMDs have been proposed for representing this class of functions. We discuss the relation� ship between these methods and describe a generalization called hybrid decision diagrams which is often much more concise. We show how to implement arithemetic operations e�ciently for hybrid decision diagrams. In practice � this is one of the main limitations of BMDs since performing arith� metic operations on functions expressed in this notation can be very expensive. In order to extend symbolic model check� ing algorithms to handle arithmetic properties � it is essential to be able to compute the BDD for the set of variable as� signments that satisfy an arithmetic relation. In our paper� we give an e�cient algorithm for this purpose. Moreover� we prove that for the class of linear expressions � the time complexity of our algorithm is linear in the number of vari� ables. 1

This paper presents a new data structure called Boolean Expression Diagrams (BEDs) for representing and manipulating Boolean functions. BEDs are a generalization of Binary Decision Diagrams (BDDs) which can represent any Boolean circuit in linear space and still maintain many of the desirable properties of BDDs. Two algorithms are described for transforming a BED into a reduced ordered BDD. One is a generalized version of the BDD apply-operator while the other can exploit the structural information of the Boolean expression. This ability is demonstrated by verifying that two di erent circuit implementations of a 16-bit multiplier implement the same Boolean function. Using BEDs, this veri cation problem is solved in less than a second, while using standard BDD techniques this problem is infeasible. Generally, BEDs are useful in applications, for example tautology checking, where the end-result as a reduced ordered BDD is small.

. We prove that read-once branching programs computing integer multiplication require size 2 ## # n) . This is the first nontrivial lower bound for multiplication on branching programs that are not oblivious. By the appropriate problem reductions, we obtain the same lower bound for other arithmetic functions. Key words. multiplication, read-once, branching programs, BDD, verification AMS subject classifications. 68Q05, 68Q25, 68M15 PII. S0097539795290349 1. Introduction and background. It is well known that many functions, some of them very simple, cannot be computed by read-once branching programs of polynomial size [We88, Za84, Du85, We87, BHST87, Ju88, Kr88]. Interest in whether integer multiplication can be so computed has been created by recent developments in the field of digital design and hardware verification. 1.1. Hardware verification and branching programs. The central problem of verification is to check whether a combinational hardware circuit has been correctly designe...

ion The main problem with model checking is the state explosion problem -- the state space grows exponentially with system size. Two methods have some popularity in attacking this problem: compositional methods and abstraction. While they cannot solve the problem in general, they do offer significant improvements in performance. The direct method of verifying that a circuit has a property f is to show the model M satisfies f . The idea behind abstraction is that instead of verifying property f of model M , we verify property f A of model MA and the answer we get helps us answer the original problem. The system MA is an abstraction of the system M . One possibility is to build an abstraction MA that is equivalent (e.g. bisimilar [48]) to M . This sometimes leads to performance advantages if the state space of MA is smaller than M . This type of abstraction would more likely be used in model comparison (e.g. as in [38]). Typically, the behaviour of an abstraction is not equivalent...

. Stochastic process algebras have been introduced in order to enable compositional performance analysis. The size of the state space is a limiting factor, especially if the system consists of many cooperating components. To fight state space explosion, various proposals for compositional aggregation have been made. They rely on minimisation with respect to a congruence relation. This paper addresses the computational complexity of minimisation algorithms and explains how efficient, BDD-based data structures can be employed for this purpose. 1 Introduction Compositional application of stochastic process algebras (SPA) is particularly successful if the system structure can be exploited during Markov chain generation. For this purpose, congruence relations have been developed which justify minimisation of components without touching behavioural properties. Examples of such relations are strong equivalence [22], (strong and weak) Markovian bisimilarity [16] and extended Markovian bisimi...

This paper presents the formal verification of all sub-circuits in a floating-point arithmetic unit (FPU) from an Intel microprocessor using a wordlevel model checker. This work represents the first large-scale application of word-level model checking techniques. The FPU can perform addition, subtraction, multiplication, square root, division, remainder, and rounding operations; verifying such a broad range of functionality required coupling the model checker with a number of other techniques, such as property decomposition, propertyspecific model extraction, and latch removal. We will illustrate our verification techniques using the Weitek WTL3170/3171 Sparc floating point coprocessor as an example. The principal contribution of this paper is a practical verification methodology explaining what techniques to apply (and where to apply them) when verifying floating-point arithmetic circuits. We have applied our methods to the floating-point unit of a state-of-the-art Intel microprocesso...