Abstract. We develop an approach to model checking Linear Temporal Logic (LTL) properties of Büchi Pushdown Systems (BPDS). Such BPDS models are suitable for Hardware/Software (HW/SW) co-verification. Since a BPDS represents the asynchronous transitions between hardware and software, some transition orders are unnecessary to be explored in verification. We design an algorithm to reduce BPDS transition rules, so that these transition orders will not be explored by model checkers. Our reduction algorithm is applied at compile time; therefore, it is also suitable to runtime techniques such as co-simulation. As a proof of concept, we have implemented our approach in our co-verification tool, CoVer. CoVer not only verifies LTL properties on the BPDS models represented by Boolean programs, but also accepts assumptions in LTL formulae. The evaluation demonstrates that our reduction algorithm can reduce the verification cost by 80% in time usage and 35% in memory usage on average.
Introduction
Hardware/Software (HW/SW) co-verification, verifying hardware and software together, is essential to establishing the correctness of complex computer systems. In previous work, we proposed a Büchi Pushdown System (BPDS) as a formal representation for co-verification [1] : a Büchi Automaton (BA) represents a hardware device model and a Labeled Pushdown System (LPDS) represents a model of the system software; the interactions between hardware and software take place through the synchronization of the BA and LPDS. This is different from a BPDS model used in software verification [2] , where BA only monitors the state transitions of the Pushdown System (PDS) (see Related Work). We also designed an algorithm for checking safety properties of BPDS [1, 3] . However, besides the verification of safety properties, the verification of liveness properties is also highly desirable. For example, a driver and its device should not hang on an I/O operation; a reset command from a driver should eventually reset the device.
We present an approach to LTL model checking of BPDS and design a reduction algorithm to reduce the verification cost. Given an LTL formula ϕ to be checked on a BPDS BP, we constructed a BA B ϕ from ¬ϕ to monitor the state transitions of BP. The model checking process computes if B ϕ has an accepting run on BP. Since a BPDS has two asynchronous components, i.e., a BA and an LPDS, we design our model checking algorithm in such a way that the fairness between them are guaranteed. We also design an algorithm to reduce the BPDS transition rules based on the concept of static partial order reduction [4] . Our reduction algorithm is applied at compile time when constructing a BPDS model rather than during model checking; therefore, the algorithm is also suitable to runtime techniques such as co-simulation [5] . Different from other partial order reduction techniques [4, 6] , our approach can reduce many visible transitions without affecting the LTL −X properties 1 to be verified, which is very effective in reducing the co-verification cost.
As a proof of concept, we have implemented our approach in our co-verification tool, CoVer. CoVer not only verifies LTL properties on the BPDS models represented by Boolean programs [7] , but also accepts assumptions in LTL formulae. These assumptions are very helpful in practice to constrain the verification and rule out false positives. We have also designed an evaluation template to generate BPDS models with various complexities. The evaluation demonstrates that our reduction algorithm can reduce the verification cost by 80% in time usage and 35% in memory usage on average.
The rest of this paper is organized as follows. Section 2 reviews related work. Section 3 introduces the background of this paper. Section 4 presents our LTL model checking algorithm for BPDS. Section 5 elaborates on our reduction algorithm. Section 6 presents the implementation details of CoVer and illustrates an example of BPDS represented by Boolean programs. Section 7 presents the evaluation results. Section 8 concludes and discusses future work.
Related Work
Bouajjani, et al. [8] presented a procedure to compute backward reachability (a.k.a., pre * ) of PDS and apply this procedure to linear/branching-time property verification. This approach was improved by Schwoon [2] , which results in a tool, Moped, for checking LTL properties of PDS. An LTL formula is first negated and then represented as a BA, which is combined with the PDS to monitor its state transitions; therefore, the model checking problem is to compute if the BA has an accepting run. The goal of the previous research was to verify software only; however, our goal is co-verification.
Cook, et al. [9] presented an approach to termination checking of system code through proofs. The approach has two phases: first constructing the termination argument which is a set of ranking functions and then proving that one of the ranking functions decreases between the pre-and post-states of all finite transition sequences in the program. When checking the termination of a device driver, its hardware behavior is necessary to be modeled; otherwise, the verification may report a false positive or miss a real bug (see examples in Section 6).
Device Driver Tester (DDT) [5] is a symbolic simulation engine for testing closedsource binary device drivers against undesired behaviors, such as race conditions, memory errors, resource leaks, etc. Given driver's binary code, it is first reverse-engineered and then simulated with symbolic hardware, a shallow hardware model that mimics simple device behaviors such as interrupts. When simulating the interactions between device and driver, DDT employs a reduction method that allows interrupts only after each kernel API call by the driver to operate the hardware device. While the reduction method of DDT was not formally justified, such kind of reduction can be formalized as the static partial reduction approach discussed in this paper.
Our previous work [3] of co-verification implemented an automatic reachability analysis algorithm for BPDS models specified using the C language. The concept of static partial order reduction is applied to reduce the complexity of the BPDS model only for reachability analysis. However, no algorithm was designed for either co-verification of liveness properties or its complexity reduction.
Background

Büchi Automaton (BA)
A BA B [10] is a non-deterministic finite state automaton accepting infinite input strings. Formally, B = (Σ, Q, δ, q 0 , F ), where Σ is the input alphabet, Q is the finite set of states, δ ⊆ (Q × Σ × Q) is the set of state transitions, q 0 ∈ Q is the initial state, and F ⊆ Q is the set of final states. B accepts an infinite input string if and only if (iff) it has a run over the string that visits at least one of the final states infinitely often. A run of B on an infinite string s is a sequence of states visited by B when taking s as the input. We use q σ → q ′ to denote a transition from state q to q ′ with the input symbol σ.
Labeled Pushdown System (LPDS)
An LPDS P [1] is a tuple (I, G, Γ, ∆, g 0 , ω 0 ), where I is the input alphabet, G is a finite set of global states, Γ is a finite stack alphabet,
is a finite set of transition rules, and g 0 , ω 0 is the initial configuration. An LPDS transition rule is written as g, γ τ ֒→ g ′ , w ∈ ∆, where τ ∈ I. A configuration of P is a pair g, ω ∈ G × Γ * . The set of all configurations is denoted as Conf (P). The head of a configuration c = g, γv (γ ∈ Γ, v ∈ Γ * ) is g, γ and denoted as head(c). Similarly the head of a rule r = g, γ τ ֒→ g ′ , ω is g, γ and denoted as head(r). Given the same rule r, for every v ∈ Γ * , the immediate successor relation is denoted as g, γv
, where we say this state transition follows the LPDS rule r. The reachability relation, ⇒ * , is the reflexive and transitive closure of the immediate successor relation. A path of P on an infinite input string, τ 0 τ 1 . . . τ i . . ., is written as c 0
. ., where the path is also referred to as a trace of P if c 0 = g 0 , ω 0 is the initial configuration.
Büchi Pushdown System (BPDS)
A BPDS BP, as defined in [1] , is the Cartesian product of a BA B and an LPDS P, where the input alphabet of B is the power set of the set of propositions that may hold on a configuration of P; the input alphabet of P is the power set of the set of propositions that may hold on a state of B; and two labeling functions are defined as follows: -L P2B : (G × Γ ) → Σ, associates the head of an LPDS configuration with the set of propositions that hold on it. Given a configuration c ∈ Conf (P), we write L P2B (c) instead of L P2B (head(c)) for simplicity. -L B2P : Q → I, associates a state of B with the set of propositions that hold on it.
There are three definitions that help the presentation of BPDS:
otherwise t is disabled by c (resp. r). The LPDS rule r is enabled by the BA state q (resp. the BA transition t) iff τ ⊆ L B2P (q); otherwise, r is disabled by q (resp. t). 
Indistinguishability. Given a BA transition
e., r is enabled by both q and q ′ .
Independence. Given a BA transition t and an LPDS rule r, if they are indistinguishable to each other, t and r are independent; otherwise if either t or r is not indistinguishable to the other but they still enable each other, t and r are dependent. The independence relation is symmetric.
is constructed by taking the Cartesian product of B and P. A configuration of BP is denoted as (g, q), ω ∈ (G × Q) × Γ * . The set of all configurations is denoted as Conf (BP). (g 0 , q 0 ), ω 0 is the initial configuration. For all g ∈ G and γ ∈ Γ , (g, q), γ ∈ F ′ if q ∈ F . If we strictly follow the idea of Cartesian product, a BPDS rule in ∆ ′ is constructed from a BA transition in δ and an LPDS rule in ∆; therefore, both BA and LPDS have to transition simultaneously so that BPDS can make a transition. In order to model the asynchronous executions between BA and LPDS, we also need to introduce self-loops to BA and LPDS respectively. The set of BPDS rules, ∆ ′ , is constructed as follows:
given a BA transition t = q σ → q ′ ∈ δ and an LPDS rule r = g, γ τ ֒→ g ′ , ω ∈ ∆ that enable each other, -if r and t are dependent, add (g, q), γ ֒→ BP (g ′ , q ′ ), ω to ∆ ′ , i.e., B and P transition together. -otherwise, add three rules to ∆ ′ : (1) B transitions and P self-loops, i.e., (g, q), γ ֒→ BP (g, q ′ ), γ ; (2) P transitions and B self-loops, i.e., (g, q), γ ֒→ BP (g ′ , q), ω ; and (3) B and P transition together, i.e., (g, q), γ ֒→ BP (g ′ , q ′ ), ω .
The head of a configuration c = (g, q), γv (γ ∈ Γ, v ∈ Γ * ) is (g, q), γ and denoted as head(c). Similarly the head of a rule r = (g, q), γ
, γ and denoted as head(r). Given the same rule r, for every v ∈ Γ * , the immediate successor relation in BPDS is denoted as (g, q), γv ⇒ BP (g ′ , q ′ ), ωv , where we say this state transition follows the BPDS rule r. The reachability relation, ⇒ * BP , is the reflexive and transitive closure of the immediate successor relation. A path of BP is a sequence of BPDS configurations, π = c 0 ⇒ BP c 1 . . . ⇒ BP c i ⇒ BP . . ., where π satisfies both the Büchi constraint and the BPDS loop constraint. Büchi constraint requires that if π is infinitely long, it should have infinite many occurrences of BPDS configurations from the set { c | head(c) ∈ F ′ }. Given that -the projection of π on B, denoted as π B , is a sequence of state transitions of B, and -the projection of π on P, denoted as π P , is a path of P, 2 BPDS loop constraint requires that if π is infinite, both π B and π P should also be infinite. Since self-loop transitions are introduced to B and P when constructing BPDS, we define BPDS loop constraint as a fairness constraint to guarantee that neither B nor P can self-loop infinitely on these self-loop transitions. The BPDS path π is also referred to as a trace of BP if c 0 is the initial configuration.
Model Checking Algorithms for BPDS
Model Checking Problem
Our goal is to verify LTL properties on BPDS. Given a BPDS BP, an LTL formula ϕ, and a labeling function
At(ϕ) that associates a BPDS configuration to a set of propositions that are true of it (At(ϕ) is the set of atomic propositions in ϕ), there exists a BA B ϕ = (2 At(ϕ) , Q ϕ , δ ϕ , q ϕ0 , F ϕ ) that accepts the language L(¬ϕ); therefore we can synthesize a transition system, B 2 P, from BP and B ϕ , where conceptually, B ϕ monitors the state transitions of BP.
We construct
, where G×Q×Q ϕ is the finite set of global states, Γ is the stack alphabet, ∆ B 2 P is the finite set of transition rules, (g 0 , q 0 , q ϕ0 ), ω 0 is the initial configuration, and
For the purpose of simplicity, we also write
is p, γ and denoted as head(c). Similarly the head of a rule r = p, γ ֒→ B 2 P p ′ , ω is p, γ and denoted as head(r). The immediate successor relation and reachability relation are denoted respectively as ⇒ B 2 P and ⇒ * B 2 P . A path of B 2 P is written as c 0 ⇒ B 2 P c 1 ⇒ B 2 P . . ., where the path is also referred to as a trace of B 2 P if c 0 is the initial configuration.
Definition 1. An accepting run of B
2 P is an infinite trace π such that (1) π has infinitely many occurrences of configurations from the set { c | head(c) ∈ F B 2 P }, i.e., the Büchi acceptance condition is satisfied; and (2) both π B and π P are infinite, i.e., the BPDS loop constraint is satisfied.
Definition 2. Given a BPDS BP and an LTL formula ϕ, the model checking problem is to compute if the B
2 P model constructed from BP and ϕ has an accepting run.
Model Checking Algorithm
We define a binary relation ⇒ r B 2 P between two configurations of B 2 P as: c ⇒ r [11] for proof) Our LTL model checking algorithm for BPDS has two phases. First, computing a special set of repeating heads, R ⊆ Rep(B 2 P), where the repeating paths of the heads satisfy the BPDS loop constraint. Second, checking if there exists a path of B 2 P that leads from the initial configuration to a configuration c such that head(c) ∈ R.
In the first phase, we compute R. We construct a head reachability graph G = ((P × Γ ), E), where the set of nodes are the heads of B 2 P, the set of edges E ⊆ (P ×Γ )×{0, 1}
3 ×(P ×Γ ) denotes the reachability relation between the heads. Given a rule r ∈ ∆ B 2 P , we define three labeling functions: (1) F B 2 P (r) = 1 if head(r) ∈ F B 2 P and F B 2 P (r) = 0 if otherwise; (2) R B (r) = 1 if r is constructed using a BA transition from δ and R B (r) = 0 if otherwise; and (3) R P (r) = 1 if r is constructed using an LPDS rule from ∆ and
, ε denotes the empty string, and:
This definition is based on the idea of backward reachability computation. Given the head p ′ , ε reachable from p ′′ , v 1 , if there exits a rule to indicate that p ′′ , v 1 γ ′ is reachable from p, γ , then we know that the head p ′ , γ ′ (a.k.a., p ′ , εγ ′ ) is reachable from the head p, γ . During such a computation process, we use the three labels defined above to record the information whether a path between the heads contains a final state in F B 2 P and satisfies the BPDS loop constraint.
The set R can be computed by exploiting the fact that a head p, γ is repeating and the repeating path satisfies the BPDS loop constraint iff p, γ is part of a Strongly Connected Component (SCC) of G and this SCC has internal edges labeled by (1, * , * ), ( * , 1, * ), and ( * , * , 1), where * represents 0 or 1. Algorithm REPHEADS takes B 2 P as the input and computes the set R. REPHEADS first utilizes the backward reachability analysis algorithm of [2] , a.k.a., pre * , to compute the edges E of G. Given ∆ B 2 P , pre * finds a set of rules trans ⊆ ∆ B 2 P such that trans has rules all in the form of p, γ ֒→ B 2 P p ′ , ε , also written as (p, γ, p ′ ) for simplicity. With the three labels defined above, we can further write a rule in trans as (p, [γ,
Given such a rule, the algorithm between line 7 and 19 computes the reachability relation between heads. Specifically, when we see a rule p 1 , γ 1 ֒→ B 2 P p, γ at line 11 or line 13, we know p ′ , ε is reachable from p 1 , γ 1 , so we add a new rule to trans; when we see a rule p 1 , γ 1 ֒→ B 2 P p, γγ 2 at line 15, we know p ′ , γ 2 is reachable from p 1 , γ 1 , so we add a new rule to ∆ label , where a rule in ∆ label describes the reachability relation between two heads through more than one transitions; and rel stores the processed rules from trans. Meanwhile, we also use the labels to record the information whether a final
3: {First, compute the head reachability graph of B 2 P using pre * } 4: for all r = p, γ ֒→ B 2 P p ′ , ε ∈ ∆ B 2 P do 5:
{Add the labeled rule r (written in a simplified form) to trans} 6:
for all r = p1, γ1 ֒→ B 2 P p, γ ∈ ∆ B 2 P do 12:
for all r = p1, γ1 ֒→ B 2 P p, γγ2 ∈ ∆ B 2 P do 16:
{Match the new rule with the rules that have been processed} 18: 
{Indirect reachability between two heads, i.e., computed by pre * } 25: for all p, γ
28: {Second, find R in G} 29: Find strongly connected components, SCC, in G = ((P × Γ ), E) 30: for all C ∈ SCC do 31:
if C has edges labeled by (1, * , * ), ( * , 1, * ), and ( * , * , 1), where * represents 0 or 1 then 32:
{C contains repeating heads whose repeating paths satisfy the BPDS loop constraint} 33:
R ← R {the heads in C} 34: return R state is found and the BPDS loop constraint is satisfied on the path between two heads. Second, the algorithm detects all the SCCs in G and checks if one of the SCCs contains repeating heads (required by the label (1, * , * )) and satisfies the BPDS constraint (required by the two labels ( * , 1, * ) and ( * , * , 1)). [11] for proof)
In the second phase, after R is computed, we compute post * ({c 0 }) R, i.e., given the initial configuration c 0 , ∃c 0 ⇒ * c ′ such that head(c ′ ) ∈ R. The forward reachability algorithms, a.k.a., post * , for PDS-equivalent models have been well studied. We use the forward reachability algorithm [2] with a complexity of O((|P |+|∆ B 2 P |) 3 ). Therefore, the LTL model checking of BPDS has the complexity of O((|P | + |∆ B 2 P |)
3 ).
Reduction
We present how to utilize the concept of static partial order reduction in the LTL −X checking of BPDS. As illustrated in Figure 1 , our reduction is based on the observation that when B and P transition asynchronously, one can run while the other one selfloops. Figure 1 (2) a vertical edge represents a transition when P transitions and B self-loops; and (3) a diagonal edge represents a transition when B and P transition together. If the graph satisfies certain requirements (see below), we can reduce many state transitions while preserving the LTL −X property to be checked as illustrated in Figure 1(b) . The reduced BPDS is denoted as BP r , where only the BPDS rules are reduced.
Definition 3.
Given a BPDS rule r, V isP rop(r) denotes the set of propositional variables whose value is affected by r. If V isP rop(r) = ∅, r is said to be invisible. 
It is already known that any LTL −X property is invariant under stuttering [6] ; therefore, given a trace π of BP, we want to guarantee that there always exists a trace of BP r stuttering equivalent to π.
Given t = q σ − → q ′ ∈ δ and a ∈ 2 At(ϕ) , for every r = (g, q), γ ֒→ BP (g, q ′ ), γ ∈ ∆ ′ , if V isP rop(r) = a = ∅, t is said to be horizontally visible. Intuitively, horizontal visibility describes the situation when propositional variables are evaluated only based on the states of BA. This can help reduce many visible BPDS rules without affecting the LTL −X properties to be verified, since such a horizontal transition can be shifted on a BPDS trace to construct another stuttering equivalence trace. Given a BA transition t and an LPDS rule r, Algorithm REDUCIBLERULES decides whether the corresponding diagonal/horizontal BPDS rules are reducible candidates. We should assume that t and REDUCIBLERULES( t ∈ δ, r ∈ ∆ t ∈ δ, r ∈ ∆ t ∈ δ, r ∈ ∆ ) Require: t and r are independent. 1:
3: r 3 = (g, q), γ ֒→ BP (g ′ , q ′ ), ω {Diagonal BPDS rules, see Figure 1 (a)} 6: if V isP rop(r 1 ) = ∅ and V isP rop(r 2 ) = ∅ and V isP rop(r 3 ) = ∅ then 7: {If r 1 , r 2 , and r 3 are all invisible} 8: ReduceDiag ← TRUE, ReduceHori ← TRUE 9: else 10: if V isP rop(r 1 ) = V isP rop(r 3 ) or V isP rop(r 2 ) = V isP rop(r 3 ) or V isP rop(r 1 ) = ∅ or V isP rop(r 2 ) = ∅ then
11:
ReduceDiag ← TRUE
12:
if r 1 is invisible or t is horizontally visible then
13:
ReduceHori ← TRUE 14: return (ReduceDiag, ReduceHori) r are independent; otherwise, since B and P must transition together when t and r are dependent, no BPDS rule can be reduced. In this algorithm, at line 8, if there is no visible BPDS rules, both the horizontal rule r 1 and the diagonal rule r 3 are reducible candidates; at line 11, r 3 is a reducible candidate if it is replaceable by horizontal and vertical rules; at line 13, r 1 is a reducible candidate if it is either invisible or constructed from a BA transition (i.e., t) that is horizontally visible.
Definition 5.
We define three sets of heads, SensitiveSet, V isibleSet, and LoopSet on Conf (P), as follows:
∃t ∈ δ, r and t are dependent }, where g 0 , ω 0 is the initial configuration of P;
, ω ∈ ∆ ′ visible to ϕ; and r is irreducible according to Algorithm REDUCIBLERULES }; -LoopSet = { h | for every SCC C in G P , pick a head h from C }, where G P is the head reachability graph of P and there is no preference on how h is selected.
SensitiveSet is introduced to preserve the reachability [3] ; the concept of V isibleSet is similar to that of SensitiveSet, i.e., preserving the reachability of BPDS paths right after a visible transition that is not reduced according REDUCIBLERULES; LoopSet, similar to the concept of cycle closing condition [4] , is introduced to satisfy the BPDS loop constraint when a loop of P is involved in the accepting run. Algorithm BPDSRULESVIASPOR applies the reduction following the idea illustrated in Figure 1(b) , where the horizontal/diagonal edges are reduced. At line 6, since the LPDS rule r and the BA transition t are dependent, B and P must transition together; at line 9, we construct a vertical rule to represent the asynchronous situation when P transitions and B self-loops. Since BPDSRULESVIASPOR follows the reduction idea of Figure 1(b) , all vertical BPDS rules are preserved; at line 10, we invoke REDUCIBLERULES, to decide if the horizontal/diagonal BPDS rules are reducible candidates; at line 13, we construct a diagonal BPDS rule if necessary; at line 16, we cons-
for all t = q σ → q ′ ∈ δ and σ ⊆ LP2B( g, γ ) and τ ⊆ LB2P (q) do 4:
if r and t are dependent then 5:
{B and P must transition together} 6:
else 8:
{P transitions and B self-loops} 9:
∆vert ← ∆vert { (g, q), γ ֒→BP (g ′ , q), ω } 10:
(ReduceDiag, ReduceHori) ← REDUCIBLERULES(t,r) 11:
if ReduceDiag = FALSE then 12:
{B and P transition together} 13:
if ReduceHori = FALSE or g, γ ∈ SensitiveSet V isibleSet LoopSet then 15:
{B transitions and P self-loops} 16:
truct a horizontal BPDS rule if necessary. Note that even if REDUCIBLERULES returns TRUE for ReduceHori, we still have to preserve this horizontal BPDS rule if head(r) belongs to SensitiveSet, V isibleSet, or LoopSet.
Theorem 2.
Algorithm BPDSRULESVIASPOR preserves all LTL −X properties to be verified on BP. (see [11] for proof.) Complexity analysis. In BPDSRULESVIASPOR, let n sync be the number of BPDS rules that are generated from dependent BA transitions and LPDS rules (at line 6), n v be the number of BPDS rules related to visible transition rules (i.e., when RE-DUCIBLERULES returns FALSE for ReduceDiag or ReduceHori), n svl be the number of BPDS rules associated to SensitiveSet, V isibleSet, and LoopSet (at line 16 when ReduceHori is TRUE). We have |∆ hori ∆ diag | = n v + n svl and |∆ sync | = n sync . As illustrated in Figure 1 , asynchronous transitions can be organized as triples where each one includes a vertical transition, a horizontal transition, and a diagonal transition, so we have
. The number of rules generated by BPDSRULESVIASPOR is |∆
n sync − n svl . Therefore, our reduction is effective when the following criteria have small sizes: (1) BPDS rules visible to ϕ; (2) dependent transitions of B and P; and (3) loops in P.
Implementation
As a proof of concept, we have realized the LTL checking algorithm for BPDS as well as the static partial order reduction algorithm in our co-verification tool, CoVer. The implementation is based on the Moped model checker [2] . We specify the LPDS P using Boolean programs and the BA B using Boolean programs with the semantic extension of relative atomicity [3] , i.e., hardware transitions are modeled as atomic to software. In this section, we first present an example of a BPDS model specified in Boolean programs. Second, we illustrate how we specify LTL properties on such a BPDS model. Third, we elaborate on how CoVer generates a reduced BPDS model for the verification of an LTL −X formula.
Specification of the BA B and LPDS P
We specify B and P using an approach similar to that described in [3] , where the state transitions of B are described by atomic functions. by the keyword atomic describe the state transitions of B. Such kind of functions are also referred to as transaction functions. The function main models the behavior of P, where main has three steps: (1) resets the state of B by invoking the function reset; (2) waits for the reset to complete; (3) waits for the counter of B to increase above 4, i.e., v2==1. When a transaction function, such as reset or rd reg, is invoked from P, it represents a dependent (a.k.a., synchronous) transition between B and P. On the other hand, the transaction function HWModel represents independent (a.k.a., asynchronous) transitions of B with respect to P. In this example, since the dependent transitions of B and P are already specified as direct function calls, the rest of the Cartesian product is to instrument P with the independent transitions of B, i.e., add function call to HWInstr after each statement in main.
Specification of LTL Properties
Without loss of generality, we specify LTL properties on the statement labels. For example, we write an LTL formula, F exit, which asserts that the function main always terminates. This property is asserted on a very common scenario: when software waits for hardware to respond, the waiting thread should not hang. Verification of this property requires relatively accurate hardware models. As illustrated in Figure 2 , the transaction function HWModel describes a hardware model that responds to software reset immediately; thus, the first while-loop in main will not loop for ever. Since the hardware will start to increment its register after reset, the second while-loop will also terminate. Therefore, F exit holds. Note that the non-deterministic while-loop in HWInstr will repeatedly call HWModel, which is guaranteed by the BPDS loop constraint and the fairness between hardware state transitions (i.e., transitions specified by HWModel should not be starved by self-loop transitions introduced when constructing a BPDS).
There may exist a hardware design that cannot guarantee immediate responses to software reset commands. Therefore, delays should be represented in the hardware model. Figure 3 illustrates a transaction function HWModelSlow which describes a hardware design that cannot guarantee immediate responses to reset commands. The property F exit fails on the BPDS model that uses HWModelSlow for hardware, since the hardware can delay the reset operation infinitely. In practice, design engineers may want to assume that: hardware can delay the reset operation; therefore, software should wait for reset completion; however hardware should not delay the reset operation for ever. CoVer accepts such assumptions as LTL formulae. Under the assumption G (reset cmd → (F reset act)), F exit will hold on the BPDS model. Such kind of assumptions are also considered as the Büchi constraint specified on the hardware model.
As another example, we write an LTL formula, G !error, asserting that the labeled statement in main is not reachable. Verification of G !error fails on the BPDS model in Figure 2 . Since hardware is asynchronous with software when incrementing the register, it is impossible for software to control how fast the register is incremented. Therefore, when software breaks from the second while-loop, the hardware register may have already been incremented to 5, i.e., (v2==1)&&(v1==0)&&(v0==1).
Reduction during the Cartesian Product
In order to make the Cartesian product of B and P, we need to add function call to HWInstr after every software statement. As discussed in Section 5, certain BPDS transitions are unnecessary to be generated for such a product, i.e., it is unnecessary to call HWInstr after every software statement to verify an LTL −X property. We define the concrete counterparts corresponding to the concepts defined on Conf (P):
Software synchronization points [3] . Corresponding to SensitiveSet, software synchronization points are defined as a set of program locations where the program statements right before these locations may be dependent with some of the hardware state transitions. In general, there are three types of software synchronization points: (1) the point where the program is initialized; (2) those points right after software reads/writes hardware interface registers; and (3) those points where hardware interrupts may affect the verification results. We may understand the third type in such a way that the effect of interrupts (by executing interrupt service routines) may influence certain program statements, e.g., the statements that access global variables. Software visible points. Corresponding to V isibleSet, we define software visible points as a set of program locations right after the program statements whose labels are used in the LTL property. For example, in Figure 2 the program location right after the statement error can be a software visible point. However, the location right after the statement reset act cannot be a software visible point, since this statement is in a transaction function for B. Software loop points. Corresponding to LoopSet, we define software loop points as a set of program locations involved in program loops. The precise detection of those loops needs to explore the program's state graph, which is inefficient. Therefore, we try to identify a super set LoopSet ′ ⊇ LoopSet using heuristics. A program location is included into the super set if it is at (1) the point right before the first statement of a while loop; (2) the point right before a backward goto statement; or (3) the entry of a recursive function, which can be detected by analyzing the call graph between functions.
As for implementation, CoVer first automatically detects the software synchronization points, visible points, and loop points in the Boolean program of P and then inserts the function calls to HWInstr only at those detected points. Note that some transitions described by HWModel (called via HWInstr) may be visible when a statement label in HWModel is used in the LTL formula, e.g., F !reset act. However, such BA transitions are horizontally visible, since reset act is not affected by any transition of P. This is why function calls to HWInstr can be reduced without affecting the LTL −X properties even if HWModel describes visible transitions. Compared to the trivial approach that inserts HWInstr after every software statement, our reduction can significantly reduce the complexity of the verification model, since the number of the instrumentation points are usually very small in common applications.
Evaluation
We have designed a synthetic BPDS template BPDS<N> for N > 0 to evaluate our algorithms. As illustrated in Figure 4 , this template is similar to the BPDS in Figure 2 . The major difference is between the models of P. BPDS<N> has two function templates level<N> and gcd<N> for P, where each of the function templates has N instances. For 0 < i ≤ N , level<i> calls gcd<i> which is the i th instance of gcd<N> that computes the greatest common divisor (implementation of gcd<N> is omitted). For 0 < j < N , the instance of <stmt> in the body of the function level<j> is replaced by a call to level<j+1>. The instance of <stmt> in the body of level<N> is replaced by skip. The design of BPDS<N> mimics the common scenarios in coverification: since hardware and software are mostly asynchronous, there are many software statements independent with hardware transitions. Our evaluation runs on a Lenovo ThinkPad notebook with Dual Core 2.66GHz CPU and 4GB memory. Table 1 presents the statistics of verifying five LTL formulae on the BPDS models generated from BPDS<N>, where some of the LTL formulae are discussed in Section 6. The statistics suggests that our reduction algorithm can reduce the verification cost by 80% in time usage and 35% in memory usage on average. Table 2 presents the statistics for the verification of BPDS models generated from BPDS Slow<N>, a template that differs from BPDS<N> only in the hardware model. BPDS Slow<N> uses the hardware model illustrated in Figure 3 . As discussed in Section 6, the verification of the property A1 or A2 will fail on the BPDS models generated from BPDS Slow<N>, since the hardware cannot guarantee an immediate response to the software reset command. However, by assuming A2, the verification of A1 should pass. Obviously, the verification of this property, denoted as ϕ (including both A1 and A2), costs more time and memory compared to other properties, because ϕ is more complex than other properties. Nevertheless, we can infer from the two tables that our reduction algorithm is very effective in reducing the verification cost. For example, without the reduction, verification of the property ϕ gets a spaceout failure for N = 2000, i.e., CoVer fails to allocate more memory from the Operating System. 
Conclusion and Future Work
We have developed an approach to LTL model checking of BPDS and designed a reduction algorithm to reduce the verification cost. As a proof of concept, we have implemented our approach in our co-verification tool, CoVer. CoVer not only verifies LTL properties on the BPDS models represented by Boolean programs, but also accepts assumptions in LTL formulae. The evaluation demonstrates that our reduction algorithm is very effective in reducing the verification cost. Although illustrated using Boolean programs, our approach can also be applied with other programming languages such as C. In other words, the BA and LPDS can be described using the C language, and the Cartesian product can be made through instrumenting the software LPDS model with the hardware BA model (as used in [3] ). However, one challenge to this approach is to support the efficient abstraction/refinement, since most loops need to be fully unrolled in liveness property checking. There are two options for future work: (1) implement an aggressive abstraction/refinement algorithm for loop computation in tools such as SLAM [7] (may be insufficient when a ranking function is required); or (2) utilize termination checking tools such as Terminator [9] which analyzes loops by checking termination arguments (i.e., ranking functions).
