RuleBase is a formal verification tool, developed by the IBM Haifa Research Laboratory. It is the result of three years of experience in practical formal verification of hardware which, we believe, has been a key factor in bringing the tool to its current level of maturity. We present the tool, including several unique features, and summarize our usage experience.

The specification language RCTL, an extension of CTL, is defined by adding the power of regular expressions to CTL. In addition to being a more expressive and natural hardware specification language than CTL, a large family of RCTL formulas can be verified on-the-fly (during symbolic reachability analysis). On-the-fly model checking, as a powerful verification paradigm, is especially efficient when the specification is false and extremely efficient when the computation needed to get to a failing state is short. It is suitable for the inherently gradual design process since it detects a multitude of bugs at the early verification stages, and paves the way towards finding the more complex errors as the design matures. It is shown that for every erroneous finite computation, there is an RCTL formula that detects it and can be verified on-the-fly. On-thefly verification of RCTL formulas has moved model checking in IBM into a different class of designs inaccessible by prior techniques.

Forward model checking is an efficient symbolic model checking method for verifying realistic properties of sequential circuits and protocols. In this paper, we present the techniques that modify the order of state traversal on forward model checking, and that dramatically improve average CPU time for finding design errors. A failing property has to be checked again and again to analyze the bug until it is corrected. The techniques, therefore, can have significant impacts on actual verification tasks. We use a modified regular/!-regular expression to represent a set of illegal state transition sequences of an FSM. It makes the problem clear and gives us a sense of depth-first traversal, not on the state space, but on the property. 1

vi List of Tables ix List of Figures x Chapter 1 Introduction 1 1.1 Previous Work . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1.1 BDD-Based Approaches . . . . . . . . . . . . . . . . . 3 1.1.2 Test synthesis . . . . . . . . . . . . . . . . . . . . . . . 4 1.1.3 Coverage estimation . . . . . . . . . . . . . . . . . . . 4 1.1.4 Conservative approximations . . . . . . . . . . . . . . . 5 1.1.5 Sequential ATPG . . . . . . . . . . . . . . . . . . . . . 6 1.2 The Case for a Simulation Based Approach . . . . . . . . . . . 6 1.3 Thesis Organization . . . . . . . . . . . . . . . . . . . . . . . . 8 Chapter 2 Background 9 2.1 Netlists and FSMs . . . . . . . . . . . . . . . . . . . . . . . . 9 vii 2.2 RTL descriptions and Indicator variables . . . . . . . . . . . . 10 2.3 Invariant Verification . . . . . . . . . . . . . . . . . . . . . . . 12 Chapter 3 Augmenting Simulation with ATPG and BDDs 13 Chapter 4 Experiments and Results 21 Bibliography 25 Vita 29 viii List of Tables ix Li...

In this paper we present several practical methods for formally verifying an Asynchronous Transfer Mode (ATM) network switching fabric using the Verification Interacting with Synthesis (VIS) tool. We produced Verilog RTL behavioral and netlist structural descriptions of the switch fabric at different levels of hierarchy and established several abstracted models of the fabric. Using various techniques presented in the paper, we provided a number of relevant liveness and safety properties expressible in CTL, and accomplished their verification in reasonable CPU time. Moreover, we performed equivalence checking between the structural and behavioral descriptions of each submodule of the implementation hierarchy.

In this paper we present our results on formally verifying the implementation of an Asynchronous Transfer Mode (ATM) network switching fabric using a new class of decision graphs, called Multiway Decision Graphs (MDG). The design we consider is in use for real applications in the Cambridge Fairisle network. We produced the description of the hardware implementation at different levels of abstraction. We then performed the verification of an abstract description model against the description of the gate-level implementation. Using this abstract model, we accomplished the verification of specific properties that reflect the behavior of the Fairisle ATM switch fabric.

this paper, a verification method is presented which combines the advantages of deduction style proof systems like HOL with those of traditional model checking approaches. For this reason, a new class of higher order formulas is presented, which allows a unified description of hardware structure and behaviour at different levels of abstraction. Data path oriented verification goals involving abstract data types can be expressed by these formulae as well as control dominated verification goals with an unregular structure. As the latter kind of goals is hard to prove in HOL, a translation procedure is presented which converts the goals into several CTL model checking problems, which are then solved outside HOL. If a complete proof in HOL is desired, the information of the model checking proof can be used for reducing the proof goals to propositional logic, which can then be proved by TAUT TAC in HOL. The usefulness of the approach is demonstrated with examples.

We describe a data structure and a set of BDD based algorithms for efficient formal design verification. We argue that hardware designs should be translated into an intermediate hierarchical netlist of combinational tables and sequential elements, and internally represented by a flattened network of gates and latches, akin to that in SIS [32]. We establish that the core computation in BDD based formal design verification is forming the image and pre-image of sets of states under the transition relation characterizing the design. To make this step efficient, we address BDD variable ordering, use of partitioned transition relations, use of clustering, use of don't cares, and redundant latch removal. Many of these techniques have been studied in the past. We provide a complete integrated set of modified algorithms and give references andcomparisons with previous work. We report experimental results on a series of seven industrial examples containing from 28 to 172 binary valued latches. ...

Previous researchers have suggested the use of "lighthouses" to act as guides in directed state space search. The drawback of using lighthouses is that the user has to manually derive them, through a potentially laborious examination of the design. Additionally, specifying a large number of lighthouses results in wasted effort during the search. We present approaches to automatically generate high-quality lighthouses for hard-to-cover targets.

We investigate the equivalence checking of the RTL hardware implementation of the Cambridge Fairisle Asynchronous Transfer Mode (ATM) 4 by 4 switch fabric against a high-level behavioral specification which has no restrictions with respect to the frame size, cell length or word width. The verification is based on the reachability analysis of the product machine of the implementation and the specification, both modeled as Abstract State Machines (ASM). Multiway Decision Graphs (MDG) are used to encode both the output and transition relations of ASMs and the set of reachable abstract states, allowing implicit abstract state enumeration. Since MDGs avoid model explosion induce...