Formal verification of a time-triggered hardware interface by Schmaltz, Julien
arXiv:1103.2246v1 [cs.LO] 11 Mar 2011
Formal verification of a time-triggered hardware interface
Julien Schmaltz
Open University of the Netherlands
School of Computer Science
Postbus 6401 DL Heerlen, The Netherlands
email: Julien.Schmaltz@ou.nl
Abstract
We present a formal proof of a time-triggered hardware interface. The design implements the bit-clock
synchronization mechanism specified by the FlexRay standard for automotive embedded systems. The
design is described at the gate-level. It can be translated to Verilog and synthesized on FPGA. The proof
is based on a general model of asynchronous communications and combines interactive theorem proving in
Isabelle/HOL and automatic model-checking using NuSMV together with a model-reduction procedure,
IHaVeIt. Our general model of asynchronous communications defines a clear separation between analog
and digital concerns. This separation enables the combination of theorem proving and model-checking
for an efficient methodology. The analog phenomena are formalized in the logic of Isabelle/HOL. The
gate-level hardware is automatically analyzed using IHaVeIt. Our proof reveals the correct values of a
crucial parameter of the bit-clock synchronization mechanism. Our main theorem proves the functional
correctness as well as the maximum number of cycles of the transmission.
1 Introduction
Communications in distributed systems inherently are asynchronous. To cope with clock imperfections
different clock synchronization algorithms are required. FlexRay [1] defines a standard for reliable communications
in safety-critical automotive applications. In particular, it defines a bit-clock synchronization
algorithm that guarantees proper bit transmission between two independently clocked registers connected
via a shared bus. In this paper, we prove the formal correctness of a hardware interface implementing this
bit-clock synchronization algorithm.
Figure 1: Asynchronous communications and metastability (rows: sender clock, sender output, receiver clock, receiver output; period A: metastability with good resolution, period B: metastability with bad resolution, periods C: no metastability)
[Footnote 1: Our presentation owes a great debt to Moore's introduction [14]. In particular, Figure 1 is largely inspired by Figure 2 of Moore's paper.]
Figure 1 illustrates one difficulty of interfacing two independently clocked registers (footnote 1). Assume a sender
and a receiver communicating via a shared bus. This picture first shows the sender clock and the signal
output on the bus. The sender output progressively changes from 1 to 0 and then from 0 to 1. In the picture,
the receiver clock is slightly out-of-phase, i.e., receiver edges appear slightly after sender ones. It might be
possible for the receiver to sample a signal that is neither a logical 0 nor a logical 1 (See period A and B
in Figure 1). In that case, the receiver reaches a metastable state and ceases to behave as a digital device,
i.e., its output is oscillating between high and low voltages. Metastability cannot be avoided [13]. After the
resolution time, the receiver output stabilizes to a well-defined value. In the picture, the resolution time
is less than a clock cycle. The receiver output stabilizes to 0 (period A) before the end of the cycle. The
resolution value is non-deterministic. In Figure 1, the first metastability resolved to the value sent by the
sender but resolution to the negation of this expected value also is possible (see period B). For the last two
cycles, the sender keeps its output stable and the receiver can always sample a well-defined value. It never
reaches a metastable state (periods C). In the picture, the clock periods of the receiver and the sender are
always equal. In practice, clocks suffer from jitter. The clock period of one clock is not constant over time,
i.e., two successive clock cycles will have different lengths. Clocks also suffer from drift. The frequencies of
two independent clocks are drifting from each other over time.
The FlexRay interface guarantees proper transmission despite jitter, drift, and metastability. The basic
idea is that senders keep their output stable long enough to create a sweet spot for sampling on the receiver
side. We call this stable period a safe sampling window. To prevent metastable states, receivers sample
bits in the middle of this window. If receivers are faster or slower than the sender they will read bits at
the beginning or at the end of this window. But if this window is large enough, they will still sample in
the region where sender output signals are stable. To prove the correctness of our implementation of the
FlexRay algorithm, we develop an abstract and formal model of jitter, drift and metastability. This model is
general and can be reused in other proof efforts. Our proof shows how to use this abstract model of analog
phenomena to reason about digital hardware designs.
The abstraction of analog phenomena is captured in Proposition 5 (Section 4.6). This proposition states
precise conditions on the signal produced by the sender. These conditions guarantee successful data transmissions.
In Figure 1, the last bit can be sampled properly because the sender keeps its output signal stable.
The conditions of Proposition 5 ensure that the sender keeps its output stable long enough to let the receiver
sample properly. This proposition mentions analog entities only. Our goal is to analyze digital designs.
Proposition 6 (Section 5.3) identifies conditions that the sender part of the hardware interface must satisfy
to ensure proper reception at the receiver part of the hardware interface. These conditions concern digital
aspects only. The formal analysis of hardware designs can abstract away from all analog considerations
and stay in the scope of usual automatic verification techniques, e.g., model-checking [8]. Our main theorem
(Theorem 1, Section 7) proves that a message of l bytes can be sent and recovered properly using our
hardware implementation despite imperfect clocks and asynchronous communications.
Our model and proof have been developed entirely within the Isabelle/HOL [15] theorem prover. Our
abstract model of asynchronous communications and the hardware design are represented in the logic of
Isabelle. Interactive theorem proving is used to define our abstract model and prove Propositions 5 and 6.
Properties of the hardware designs are automatically proven using the NuSMV model-checker [7]. NuSMV is
used within Isabelle via a model-reduction interface, named IHaVeIt [21, 20]. The synchronization mechanism
used in the design is based on resetting a counter when a specific sequence of bits is detected. This specific
reset value is crucial to the correctness of the algorithm. In the proof of Theorem 1, Statements 1 and 2
identify the exact values ensuring synchronization. This shows that the values proposed in this paper and in
the FlexRay standard are correct while the value proposed in an early version of our hardware interface [4]
is not.
In summary, our contribution consists in (1) a clear presentation of a precise model of asynchronous
communications; (2) the combination of this model with the discrete semantics of hardware design; (3) a
hybrid verification methodology combining automatic tools with interactive theorem proving; and (4) the
proof of the hardware implementation of a time-triggered interface. Our proof reveals the specific values of
a crucial parameter that ensure proper sampling of arbitrary long messages. Some of these results have been
presented in previous publications [18, 19]. This paper gives a more precise and comprehensible presentation
of a unified and extended version of them.
δ            bound on the jitter of all clocks
π            bound on the drift (number of clock cycles)
c            sender cycle
ξ            receiver cycle
e_u(x)       real-time of the occurrence of edge number x on unit u
mk(ξ, c)     "the mark" (receiver cycle ξ affected by sender cycle c)
β^ξ_c        metastability factor (0 or 1 depending on metastability)
α            distance from the mark
χ            drift factor (−1, 0, or 1)
t_h          register holding time (real number, % of receiver clock)
t_s          register set-up time (real number, % of receiver clock)
tp_min       register minimum propagation delay (real number, % of sender clock)
tp_max       register maximum propagation delay (real number, % of sender clock)
s(t)         value of signal s at real-time t
Ω            abstract logical value representing signal oscillations
l[i]         element with index i in list l
ζ(s, t)      conversion to {0, 1} of signal s at real-time t
γ(l)         conversion of list of bits l to a signal taking values in {0, 1, Ω}
clk_u        clock of unit u
ce_u         clock enable signal of output register of unit u
out_u        output signal of output register of unit u
inp_u        input signal of input register of unit u
R_u          input or output register of unit u
aR_u         analog register of unit u
Table 1: Notations
In the next section we give an overview of our model and its use in the verification of the hardware
interface. The bit-clock synchronization algorithm and its hardware implementation are described in Section 3.
The hardware design can be translated to Verilog [16] and synthesized on FPGA. We present our
model of asynchronous communications in Section 4. This Section presents Proposition 5. We explain the
principles of our combination of Isabelle/HOL and IHaVeIt/NuSMV in Section 5 and illustrate the derived
proof method using a simple example in Section 6.
Section 7 proves our correctness theorem by induction on the number of bytes in messages. It shows the
values for a correct algorithm and gives details about the induction step. The difficulty of this proof is that
the main theorem states the correctness of the receiver state machine and the synchronization hardware. The
latter involves reasoning about analog phenomena. These two facts are not independent as the hardware
controls the state machine and vice versa. We need to prove their correctness simultaneously. Finally,
Section 8 discusses related work and Section 9 presents our conclusions.
2 Overview of our model and our proof
This section gives an overview of our formal model and proof. It introduces principles without giving formal
definitions. Some notations are mentioned in this section, but only defined later on in the paper. Table 1
summarizes the notations used all along this paper.
2.1 Abstract model of asynchronous communications
Asynchronous communications are facing three issues: clock drift, clock jitter, and metastability. Clock drift
denotes the fact that clocks have different frequencies. Clock jitter denotes the fact that the frequency of
one particular clock is not constant over time. This means that two consecutive clock cycles may have two
different lengths. Finally, registers may sample undefined signals and reach metastable states. Our formal
model of asynchrony takes these three aspects into account.
Clock jitter is formalized in Definition 1 (notation δ, Section 4.2). The bound on the jitter defines the
maximum and minimum length of the clock period of all clocks in the system. From this bound on the clock
jitter, we derive in Proposition 1 bounds on the drift between two clocks. Our bound is expressed as the
maximum number of cycles in which the number of clock edges – called clock ticks – of two clocks may differ
by at most one. This maximum number of cycles is denoted as π. Given two clocks u and v, our bound
states that if clock u advances by α ≤ π clock ticks then it is known that clock v will advance by α ticks or
α ± 1 ticks. Our bound on clock jitter is the same for all clocks of a system. Consequently, our bound on the
clock drift also is the same for all pairs of clocks. Metastability is modeled in the formal definition of analog
registers (Figure 9, Section 4.4). When a register samples a signal that is neither a logical 1 nor a logical 0,
its output oscillates before stabilizing. Oscillations are represented by an undefined logical value (notation
Ω). Resolution is represented by a non-deterministic choice between 0 and 1.
A sender cycle is often referred to as cycle c. A receiver cycle is often referred to as cycle ξ. The time of
the rising edge starting cycle x on unit u is noted eu(x) (Equation 4, Section 4.2). On a receiver unit, the
rising edge ξ that is the closest in time to sender rising edge c is said to be "marked" (or "affected") by c,
notation mk(ξ, c) (See Definition 3, Section 4.5). According to our bound on the clock drift and from a pair
of cycles c and ξ, we know the mark of any cycle that is less than π cycles away from sender cycle c. Given
a mark mk(ξ, c) and a distance α ≤ π, the mark for all cycles c + α is known with an error of at most one
cycle, i.e., we have mk(ξ + α + χ, c + α) with χ ∈ {−1, 0, 1} (Proposition 2, Section 4.5). As edges c and ξ
appear approximately at the same time, at the time of edge ξ, the output signal of the sender output register
might not be stable yet – i.e. still between a logical 0 and a logical 1 – and the receiver input register may
become metastable. The resolution of this metastable state is a non-deterministic choice that might be the
opposite of the value sent by the sender. This resolution to the wrong value might introduce one cycle delay
in the receiver input stage. Resolution to the good value or no metastable states do not introduce any delay
and are treated as a unique case. This case distinction is formalized in the metastability factor, notation β^ξ_c
(See Definition 2, Section 4.3). The metastability factor returns 1 if a delay is introduced at receiver edge ξ
marked by sender cycle c and 0 otherwise. Formally, we have β ∈ {0, 1}.
Finally, the global error is the sum of the error introduced by metastabilities (factor β) with the error
introduced by clock imperfections (factor χ). This sum gives an error in the set {−1, 0, 1, 2}. Proposition 4
(Section 4.6) shows that our implementation of the FlexRay algorithm can transmit bits properly even if the
number of cycles needed to sample each byte might vary by four cycles.
2.2 Integration of analog and digital aspects
Figure 2: Mixing Analog and Digital Signals (sender with clk_s, ce_s, out_s and register R_s; inside the dotted box labelled "Model of Async.", the analog registers aR_s and aR_r with conversions γ and ζ; receiver with inp_r, clk_r and register R_r)
We consider the setting pictured in Figure 2. The dotted box shows our model of asynchronous communications
and two instances of our definition of an analog register (Figure 9, Section 4.4). Outside this
dotted box, the sender and the receiver units as well as their registers connected to the bus correspond to
the descriptions made by hardware designers in their favorite hardware description language (e.g., VHDL or
Verilog). Registers are composed of a control signal (ce), input and output signals (e.g., inp_r and out_s), and
a clock. In our case, designs are represented in the syntax of Isabelle/HOL. Nevertheless, our description
corresponds to synthesizable Register Transfer Level (RTL) designs. The tool IHaVeIt can automatically
generate Verilog code from our Isabelle/HOL syntax (footnote 2). The idea is to superpose our abstract model above the
digital designs. These designs are not modified. The purpose of our formal model is to provide an abstraction
of the analog phenomena related to asynchronous communications. It identifies constraints on the digital
units that are sufficient to guarantee proper transmissions in our model of asynchronous communications.
This abstraction is captured in Proposition 5 (Section 4.6) and Proposition 6 (Section 5.3). Proposition 5
identifies the constraints that guarantee proper transmission in our analog model. Proposition 6 shows which
constraints are required on the (digital) sender unit to guarantee proper reception on the (digital) receiver
side via our analog model. Proposition 6 makes the connection between the digital world of hardware designs
and the analog world of asynchronous communications.
3 Synchronization mechanism and hardware implementation
In this section, we introduce the protocol and its hardware implementation. We first give an overview of
the format of messages and the principles of the protocol. We briefly discuss the implementation of sender
units. We give more details on the implementation of receiver units.
3.1 Protocol overview
We consider the transmission of bits between an arbitrary number of units connected through a shared bus.
A basic idea of the time-triggered approach is to give every unit access to the bus during a specific time slot.
The concatenation of all time slots forms a round (Figure 3). Rounds are repeated over and over again. This
gives every unit regular access to the bus. During its time slot each unit can send one message. Outside its
sending slot, a unit listens to the bus waiting for incoming messages. Each unit can send and receive. Idle
units send a logical one to the bus. At each time, the value on the bus is the conjunction of all the values
output by all units.
Figure 3: Round and slots (round_i is divided into slot_0, slot_1, ..., slot_j, ..., slot_{n−1}; t_k and t_l mark time points within the round)
The division of a round into time slots is a global variable of the entire distributed system. To avoid a
situation where two units are sending a message at the same time slot, there must be a global understanding
on when every slot begins and ends. The difficulty is that each individual unit is independently clocked and
each one of them may be at a different time point in a round. It might happen that unit i has its clock
at the beginning of slot n whereas unit j is still in slot n − 1, or vice versa. One objective of the FlexRay
architecture is to maintain the global synchronous abstraction despite the clock imperfections. In this paper,
we are analyzing a small part of it, namely the bit-clock synchronization algorithm. This algorithm handles
the bit transmission between two independently clocked registers. We now describe it. The pictures and
related explanations are extracted from the FlexRay standard (Chapter 3 Section 3.2.2. of [1]).
The principle of the protocol is explained in Figure 4. The first line gives the output of the sender at each
clock cycle. The second line shows the bit read by the receiver. The last line shows the value of a counter
maintained by the receiver. The counter counts from one to eight.
The basic idea is to mark the start of the transmission of each byte with a falling edge. This falling edge
constitutes the byte start sequence BSS and is created by bits BSS[0] and BSS[1]. Each bit is sent for eight
[Footnote 2: More information on the tool can be found at http://www-wjp.cs.uni-saarland.de/ihaveit/.]
clock cycles. Figure 4 shows the sender output consisting of a byte surrounded by two falling edges. The
counter is used by the receiver to determine which of the eight copies of a bit should be sampled. In the
Figure, the receiver samples a bit when its counter equals 5. This sample point is called the strobe point.
The counter is reset to 2 each time the receiver detects a falling edge.
Figure 4: Principle of the protocol (rows: sender clock ticks and output, receiver input, receiver counter; the sender output shows BSS[0], BSS[1], a byte, then BSS[0]; the counter is reset at each falling edge)
In the Figure, the counter starts with value six instead of one. This illustrates a situation where the
receiver is out of synchronization by three cycles. Because of this delay, the receiver samples the last copy of
BSS[0]. Then, it detects a falling edge and the counter is reset to two. The receiver samples the fifth copy
of the next bit. In the context of perfect clocks, the receiver would sample the fifth copy of every bit. After
the first falling edge, the receiver misses one bit. This is illustrated by the cross replacing a 0 or a 1. This
corresponds to a situation where either the receiver clock was too fast and the receiver sampled the last copy
of bit BSS[1] twice or the receiver was too slow and the receiver will sample the first bit of the byte twice.
The consequence of these two situations is that the receiver will sample the fourth copy of every bit instead
of the fifth one. After detecting the next falling edge and resetting the counter, the receiver samples the fifth
copy again. So, despite clock imperfections the receiver always starts sampling the fifth copy of every bit.
The receiver is kept in synchronization with the sender.
Figure 5: The protocol, drift and metastability (same rows as Figure 4; one part shows a bit that is sampled twice, the other a bit that is not sampled; the possibly misread eighth copy is marked with ?)
Figure 5 shows how the protocol works in the presence of drift and metastability. Metastability may
happen when the receiver samples signals that are transiting between a logical 0 and a logical 1 or vice
versa. As the sender produces eight copies of the same bit, metastability may only take place when sampling
the first copy of each bit. The resolution of the metastable state is non-deterministic. In the left part in
Figure 5, the receiver reads the correct value of the first bit of BSS[1]. This illustrates either that there was
no metastability when reading this bit or that metastability resolved to the expected value. The right part in
Figure 5 illustrates bad resolution when sampling the first bit of BSS[1]. The receiver reads a 1 instead of a
0. In Figure 4, the receiver always reads eight copies of every bit. In practice, because of clock imperfections,
the receiver might only read seven copies. Formally, we can prove that at least seven copies are always read
properly (Proposition 5, Section 4.6). The fact that the eighth copy might be misread is pictured by a ’?’
in Figure 5. Depending on the effect of metastability these seven copies can be read "early" (left part in
Figure 5) or "late" (right part in Figure 5).
Our bound on clock jitter and drift is such that missing one cycle in the period starting with the first
bit of BSS[0] and ending with the last copy of the last bit of the byte is the worst case (Figure 4). When
sampling the following BSS sequence and byte, a cycle might be missed again. The left part in Figure 5
shows the case where the receiver is faster than the sender. The counter is updated twice (to 3 and then to
4) when reading only one copy of a bit. The consequence is that the receiver will strobe earlier and store
the fourth copy of the bit. The right part in Figure 5 shows the case where the receiver is slower than
the sender. The counter needs two copies of a bit to be updated from 4 to 5. The consequence is that the
receiver strobes one cycle later and stores the sixth "good" copy of the bit. The idea is that at least seven
copies of every bit will always be stable and ready to be read. The objective of the protocol is to strobe one
of these seven "good" copies despite drift and metastability. The difference between the strobe point and
the reset is crucial to the correctness of the protocol. Our proof (Section 7.5, statements 1 and 2) shows
that correctness is achieved when this difference is at least one cycle and not greater than three cycles.
For larger or smaller values of this difference the protocol fails.
In summary, the main principle of this protocol is to use the BSS sequence as a "mark" used by receivers
to synchronize with the sender. The falling edge of the BSS sequence "marks" the beginning of a new byte.
When a receiver detects that mark it will reset its counter to a specific value. After sampling a byte and
because of clock drift the counter of each individual receiver might be slightly different. They will detect
the next mark with different values of their counter. But, they will all detect the next falling edge and reset
their counter to the same value. They will all start sampling the next byte with the same value achieving
synchronization.
3.2 Sender module
As idle units put a one on the bus, a sender starts a transmission with a zero. This bit is called the
transmission start sequence, noted TSS. The sender then creates a rising edge by sending another zero and
then a one. This sequence is called the frame start sequence, noted FSS. Before transmitting each byte, the
sender starts with the falling edge of the byte start sequence made of BSS[0] = 1 and BSS[1] = 0. Finally,
the sender ends the transmission with 2 bits creating a rising edge. The last sequence is called the frame
end sequence, noted FES = 01. Let 〈a, b〉 be the concatenation of bit vectors a with b. A message m of l
bytes is encapsulated into a frame f(m) with the following format:
f(m) = 〈TSS, FSS, BSS, m[0], . . . , BSS, m[l − 1], FES〉
Each bit of a frame is sent for eight clock cycles.
Figure 6: Control Automaton (states start, idle, TSS, FSS[0], FSS[1], BSS[0], BSS[1], b[0] to b[7], FES[0], FES[1]; transitions guarded by done = 0 and done = 1)
The sender embeds bytes into frames by the control automaton in Figure 6. As specified by the protocol,
in each state the corresponding bit is generated eight times. The sender is connected with the shared bus
through a register named Rs with control enable bit ces (See Figure 2). This paper focuses on the verification
of message reception. We do not detail the sender implementation any further.
3.3 Receiver implementation: Bit clock synchronization
The receiver module implements the same state automaton as the sender. In each state, the receiver is
expecting to receive the corresponding bit of the frame eight times. Beside the automaton, the relevant part
Figure 7: Input Stage (inp_r passes through two synchronizer registers R and shift register SH[3:0] into a 5-majority vote producing v; the comparison v_t ≠ v_{t−1}, gated by idle ∨ BSS[1], gives sync; counter cnt compared with 010 gives strobe; strobe shifts v into BYTE[7:0] and, in state b7, raises rb.we)
of this receiver consists of the input stage pictured in Figure 7. The first two registers form a “synchronizer”
used to remedy metastability. Designers used a 2-stage synchronizer, which means that they assume that
the resolution time of the metastability is less than one clock cycle. The results presented here would be
equally applicable to synchronizers of any length. A five-way majority vote is performed. Signal sync is used to
detect the synchronization sequence BSS. It is high if and only if the current voted bit does not equal its
previous value and the state automaton is either in state idle or in state BSS[1]. When sync is high counter
cnt is reset to 000 in the next cycle. Let s_t be the value of signal s at hardware cycle t. Let z denote the
state of the receiver automaton. Signal sync is defined by the following Equation:
sync_t ≡ v_t ≠ v_{t−1} ∧ (z_t = BSS[1] ∨ z_t = idle)    (1)
Counter cnt is defined as follows:
(cnt_{t+1} = cnt_t + 1 ∧ ¬sync_t) ∨ cnt_{t+1} = 000    (2)
The state automaton is clocked by signal strobe, which is high each time the counter reaches value 010
and the automaton is not synchronizing, i.e., when signal sync is low. The formal definition of signal strobe
is as follows:
strobe_t ≡ cnt_t = 010 ∧ ¬sync_t    (3)
Each time strobe is high, the voted bit is stored in shift register BYTE. When the last bit has been stored
(i.e., automaton is in state b[7]) and signal strobe is high, signal rb.we turns high and BYTE is written to
the main receiver buffer.
Our implementation differs slightly from the FlexRay guidelines. The standard suggests resetting the
counter to 010 and strobing when it reaches 101. We reset to 000 and strobe at 010. The parameter crucial
to the algorithm is the difference between the strobe and the reset values. We chose to reset to 000 because
it is slightly simpler to implement than a reset to 010. In our configuration, the difference between the strobe
and the reset values is two cycles. In the FlexRay standard, the difference is three cycles. In a previous
implementation of this algorithm [4], the counter is reset to 000 and strobe is high when cnt is 100. In this
configuration, the difference between the strobe and reset points is four cycles, one cycle more than in
the FlexRay standard. We prove that the synchronization algorithm works only if this difference is at
least one cycle and not greater than three cycles.
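The mechanism of Sections 3.1 and 3.3 (counter reset on the BSS falling edge, strobe a fixed number of cycles later, Equations 1 to 3) can be exercised on a cycle-level model. The Python model below is an added example and not the paper's Isabelle/HOL description nor the IHaVeIt-generated hardware: it drives each frame bit onto the bus for eight receiver samples, lets the caller shorten or lengthen individual bits to stand in for drift (a copy missed or sampled twice) and for a falling edge that resolves one cycle late, and runs the receiver automaton with the paper's reset (000) and strobe (010) values. The synchronizer and majority-vote registers of Figure 7 only add fixed latency and are left out. The bit order within a byte (b[0] first, taken as the least significant bit), the treatment of the idle state, and the per-bit copy-count model are assumptions, so the strobe values that pass or fail here are this model's, not the bounds the paper proves.

```python
"""Cycle-level model of the FlexRay-style bit-clock synchronization receiver.
Added example; assumptions are marked in the comments."""

COPIES = 8          # each frame bit is held on the bus for eight sender cycles
RESET_VALUE = 0     # paper's configuration: cnt <- 000 on sync
STROBE_VALUE = 2    # paper's configuration: strobe when cnt = 010


def frame(message):
    """f(m) = <TSS, FSS, BSS, m[0], ..., BSS, m[l-1], FES> as a flat bit list.
    Assumption: a byte is sent b[0]..b[7] with b[0] the least significant bit."""
    bits = [0, 0, 1]                                 # TSS = 0, FSS = 01
    for byte in message:
        bits += [1, 0]                               # BSS = 10: falling edge marks the byte
        bits += [(byte >> i) & 1 for i in range(8)]
    bits += [0, 1]                                   # FES = 01
    return bits


def bus_samples(bits, copies_per_bit=None, idle=16):
    """The bus as the receiver samples it, one entry per receiver cycle.
    Bit i is seen copies_per_bit[i] times (constructed drift model: fewer than
    8 copies = receiver faster than the sender, more = receiver slower; a late
    resolving edge is one extra copy of the old bit and one fewer of the new)."""
    if copies_per_bit is None:
        copies_per_bit = [COPIES] * len(bits)
    out = [1] * idle                                 # idle units drive a logical one
    for b, n in zip(bits, copies_per_bit):
        out += [b] * n
    return out + [1] * idle


def receive(samples, strobe_value=STROBE_VALUE, reset_value=RESET_VALUE):
    """Run the receiver automaton over the samples and return the recovered bytes.
    A state names the bit expected next; after b7 either BSS[0] or FES[0] follows."""
    state, cnt, v_prev = "idle", 0, 1
    shift, decoded = 0, []
    for v in samples:
        # Equation 1: sync on an edge while idle or while expecting BSS[1]
        sync = (v != v_prev) and state in ("idle", "BSS1")
        # Equation 3: strobe when the counter hits the strobe value and no sync
        strobe = (cnt == strobe_value) and not sync
        if strobe:
            if state == "idle":
                state = "FSS0" if v == 0 else "idle"  # assumption: a 0 here is the TSS
            elif state == "FSS0":
                state = "FSS1"
            elif state == "FSS1":
                state = "BSS0"
            elif state == "BSS0":
                state = "BSS1"
            elif state == "BSS1":
                state, shift = "b0", 0
            elif state.startswith("b"):              # data bits b0..b7
                i = int(state[1:])
                shift |= v << i
                if i == 7:
                    decoded.append(shift)            # rb.we: byte written to the buffer
                    state = "BSS0_or_FES0"
                else:
                    state = f"b{i + 1}"
            elif state == "BSS0_or_FES0":
                state = "BSS1" if v == 1 else "FES1"
            elif state == "FES1":
                state = "idle"
        # Equation 2: reset on sync, otherwise count modulo 8 (3-bit counter)
        cnt = reset_value if sync else (cnt + 1) % 8
        v_prev = v
    return decoded


if __name__ == "__main__":
    msg = [0xA5, 0x3C]                               # constructed sample message
    print(receive(bus_samples(frame(msg))))          # perfect clocks
```

After a resynchronization the strobe with the paper's values lands on the fourth sample of every bit, so one missed or duplicated sample inside a byte moves the later strobes to the fifth or third sample and the byte is still recovered; a much larger strobe offset lets a single missed sample push the strobe onto the next bit, which is the failure mode the parameter discussion above is about.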
4 Asynchronous communications and the main statement
This section presents our formal model of asynchronous communications. We first define signals and clocks.
After that, we define our bounds on clock jitter and drift. After defining the metastability factor and analog
registers, the section concludes with the correctness of the bit transmission (Proposition 5).
4.1 Signals and clocks
Time is represented by the nonnegative reals (R+). We assume a finite number of electronic control units
(abbr. ecu) that are connected through a shared bus. The set of all the units is noted U .
A signal s is represented by a function s(t) from real time t to {0, 1,Ω}: 1 and 0 mean “high” and “low”
voltages; Ω means any other voltage. Value Ω abstracts in one logical value all voltages that cannot be
identified as a logical 1 or 0. Formally, signals have the following functionality:
s : R+ → {0, 1,Ω }
Because of their cyclic behavior, clocks are not represented by signals but by their period. The clock
period of unit u is noted τu. This represents the ideal case. In practice, clock periods suffer from jitter and
are not constant over time. Jitter is introduced hereafter in Section 4.2. Periods are different from zero.
The time of the c-th rising edge of clock clk_u of unit u is given by function e. Formally, e is a function which
converts discrete time to real time relative to the clock of unit u.
e : N × U → R+    (4)
Function e is defined as the product of c with the clock period: e(c, u) = c · τ_u. To simplify our notation, we
shall write e_u(c) instead of e(c, u).
A clock cycle is defined by the time interval between two rising clock edges. Clock cycle c at unit u is
represented by interval ]e_u(c) : e_u(c+1)]. The interval is left open to represent the fact that the cycle starts
when the clock edge has reached value 1.
4.2 Clock jitter and clock drift
Function e gives the ideal time of edges. In practice, clocks suffer from jitter and the length of a clock period
is not constant over time. We assume that all clock periods of any clock deviate at most by a fraction δ of
a reference clock period. This reference clock is named clk_ref. Its period is τ_ref.
Definition 1. Bounded Clock Jitter.
Γ_u ≡ 1 − δ ≤ τ_u / τ_ref ≤ 1 + δ
We are not interested in the deviation at each cycle, but in the number of cycles in which the number
of ticks of two independent clocks may differ by at most one. Let π be that number. In this interval, the
maximum drift between two clocks is obtained between the slowest and the fastest clocks allowed by our
bound on the clock jitter (Definition 1). We derive a bound on the clock drift from the ratio between the
minimum and the maximum clock periods. From the bound on the clock jitter (Definition 1) and choosing
π = (1 − δ) / (2·δ), we prove the following proposition:
Proposition 1. Bounded Clock Drift.
Γ_i ∧ Γ_j → π / (π + 1) ≤ Min(τ_i, τ_j) / Max(τ_i, τ_j)
This property is preserved for any number less than π.
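To see where the choice π = (1 − δ)/(2δ) comes from, the following derivation (added here; it is not part of the paper's Isabelle text) expands Proposition 1 with the document's own symbols and instantiates it for one assumed jitter bound.

```latex
\begin{align*}
&\text{By Definition 1, } (1-\delta)\,\tau_{ref} \le \tau_i,\tau_j \le (1+\delta)\,\tau_{ref},
\text{ hence } \frac{\mathrm{Min}(\tau_i,\tau_j)}{\mathrm{Max}(\tau_i,\tau_j)} \ge \frac{1-\delta}{1+\delta}. \\[4pt]
&\text{With } \pi = \frac{1-\delta}{2\delta}:\quad
\pi + 1 = \frac{1-\delta+2\delta}{2\delta} = \frac{1+\delta}{2\delta},
\qquad \frac{\pi}{\pi+1} = \frac{1-\delta}{1+\delta}. \\[4pt]
&\text{Therefore } \Gamma_i \wedge \Gamma_j \rightarrow
\frac{\pi}{\pi+1} \le \frac{\mathrm{Min}(\tau_i,\tau_j)}{\mathrm{Max}(\tau_i,\tau_j)},
\text{ with equality for the slowest and the fastest clocks Definition 1 allows.} \\[4pt]
&\text{During } \pi \text{ cycles of the slowest clock, } \pi(1+\delta)\tau_{ref} \text{ elapses, in which the fastest clock ticks }
\frac{\pi(1+\delta)\tau_{ref}}{(1-\delta)\tau_{ref}} = \pi + 1 \text{ times: exactly one tick more.} \\[4pt]
&\text{Example (assumed value): } \delta = \tfrac{1}{21} \;\Rightarrow\;
\pi = \frac{20/21}{2/21} = 10, \qquad \frac{\pi}{\pi+1} = \frac{10}{11} = \frac{1-\delta}{1+\delta}.
\end{align*}
```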
Figure 8: Behavior of the register w.r.t. clock edge c (signals clk, ce = 1, inp switching to x, out going from y through Ω to x; t_s and t_h around e_clk(c), tp_min and tp_max after it)
4.3 Metastability factor
Our model of metastability links three parts: (1) the undefined voltage Ω, (2) the non-deterministic resolution
of metastable states to a well-defined value, and (3) resolution to the negation of the expected value. Points
(1) and (2) are related in the formal definition of analog registers (Figure 9). The last point is captured
by the metastability factor, notation β^ξ_c (Definition 2). We now specify the behavior of analog registers and
formally define the metastability factor. Then, we continue with the formal definition of analog registers.
Registers consist of one input signal inp, one clock signal clk , one control signal ce, and one output
signal out . Figure 8 illustrates the behavior of a register. A new value (x) is input to the register at cycle
c (interval ]eu(c) : eu(c + 1)]). During minimum propagation delay tpmin the output signal equals previous
value y. Because the control signal is high, the output oscillates (i.e., is Ω) before stabilizing at new value
x. If the control signal is low, the output does not oscillate and keeps its old value y.
If the input or the control signals do not have a constant value during the setup time (noted ts) before
edge c or during the holding time (noted th) after edge c, the register may become metastable. This means
that its output may still be Ω after tpmax . After resolution of this metastability, the receiver input register
will output either the value sent by the sender or its negation. The former case is equivalent to the case when
there is no metastable state. Therefore, we always assume resolution to the negation of the expected input.
This case distinction is represented by the metastability factor (β). Metastability can only happen if an edge
– say ξ – (minus the setup time) appears while the sender output is undefined, i.e., before es(c) + tpmax . In
this case, the metastability factor returns 1. It returns 0 otherwise. Formally, the metastability factor is a
function, which takes as arguments cycles ξ and c, and two clocks.
Definition 2. Metastability Factor.
β(ξ, c, clk_s, clk_r) ≜ if e_r(ξ) − t_s ≤ e_s(c) + tp_max then 1 else 0
To alleviate the notation, we shall write β^ξ_c instead of β(ξ, c, clk_s, clk_r). The notation β^ξ_c denotes whether
sampling the bit sent at sender cycle c is affected by a potential metastability at receiver cycle ξ.
4.4 Formal definition of analog registers
A signal s is stable during time interval [t1 : t2] if it holds the value at time t1 until time t2. A signal s
has a defined value during time interval [t1 : t2] if it never equals Ω during that interval. Formally, this is
expressed as follows3:
stadep(t1, t2, s) , ∃b ∈ {0, 1}, ∀t ∈ [t1 : t2], s(t) = b
3Note: stadep means stable, defined, predicate
aR_u(c, clk_u, ce_u, inp_u, out^0_u) ≜
  if c = 0 then λt. out^0_u
  else if stadep(e_u(c) − t_s, e_u(c) + t_h, ce_u) ∧ stadep(e_u(c) − t_s, e_u(c) + t_h, inp_u)
  then                                   ;; stable inputs – no metastability
    if ce_u(e_u(c)) = 1 then             ;; update with new value
      λt. { aR_u(c − 1, ...)(e_u(c))   if t ∈ e_u(c) + ]0 : tp_min]
          { Ω                          if t ∈ e_u(c) + ]tp_min : tp_max]
          { inp_u(e_u(c))              if t ∈ e_u(c) + ]tp_max : τ_u]
          { Ω                          if t ∉ e_u(c) + ]0 : τ_u]       ;; to make function total
    else                                 ;; keep old value
      λt. { aR_u(c − 1, ...)(e_u(c))   if t ∈ e_u(c) + ]0 : τ_u]
          { Ω                          if t ∉ e_u(c) + ]0 : τ_u]       ;; to make function total
    endif
  else                                   ;; metastability – non-deterministic resolution to 0 or 1
    λt. { aR_u(c − 1, ...)(e_u(c))     if t ∈ e_u(c) + ]0 : tp_min]
        { Ω                            if t ∈ e_u(c) + ]tp_min : τ_u − t_s[
        { x ∈ {0, 1}                   if t ∈ e_u(c + 1) + [−t_s : 0]
        { Ω                            if t ∉ e_u(c) + ]0 : τ_u]         ;; to make function total
  endif
Figure 9: Definition of Analog Registers
The formal definition of the analog behavior is given by function aR_u (Figure 9). We are interested in
the output value of a register for all real times during cycle c. Function aR_u takes as arguments a cycle c, a
clock signal clk_u, a clock enable control signal ce_u, an input signal inp_u, and the initial output value out^0_u.
It generates a signal.
If no setup or holding time violation occurs, the register behaves normally. If the control signal is low,
the register keeps its old value (the value at the previous cycle c − 1); if the control signal is high, the output keeps its
previous value during tp_min, then oscillates (i.e., is Ω) and finally reaches its new value at time e_u(c) + tp_max. If
input signal inp_u or control signal ce_u is not stable and defined during interval e_u(c) + [−t_s : t_h], the register
becomes metastable. The output equals the previous computation until tp_min (included) and Ω afterwards.
At the end of the cycle, metastability has been resolved and the output equals an arbitrary but defined
value. To make the function total, Ω is output for all times outside the cycle. To alleviate our notation, we
shall write aR^c_u instead of aR_u(c, clk_u, ce_u, inp_u, out^0_u).
Formally, all timing parameters (t_h, t_s, tp_min, tp_max) are real numbers expressed as fractions of the local
clock period. In the remainder of this paper, unless stated otherwise, propagation delays are relative to the
sender clock period and setup and holding times are relative to the receiver clock period. We assume that the sum
of these parameters is less than 1.
4.5 The "mark"
The relation between a sender and a receiver is pictured in Figure 10. A sender starts sending three different
bits at edges c, c + 8, and c + 16. Each bit is sent for eight clock cycles. If we take a closer look around
edge c, the sender output is not modified before e_s(c) + tp_min, when it moves from y to Ω (see Figure 8 for
more details). If a receiver samples before that time, it gets the old value: it is not yet affected by the
new transfer. In contrast, sampling strictly after that time affects the receiver: either it becomes
metastable, or it detects the new value. It takes a receiver at most a full cycle to sample after this
time. Let ξ be the first receiver edge after e_s(c) + tp_min. As this edge is the first one to be affected by the
behavior of the sender, we say that it is "marked with edge c", noted mk(ξ, c). If there is no ambiguity, we
may drop the first argument. We name this edge "the affected cycle". It is formally defined as follows:
[Figure 10: Relating Receivers and Senders. Sender edges e_s(c), e_s(c + 8), e_s(c + 16); after tp_min the first receiver edge (within τ_r) is marked mk(ξ, c); the later marks are mk(ξ + 8 + χ, c + 8) and mk(ξ + 16 + χ, c + 16) with χ ∈ {−1, 0, 1}.]
Definition 3. Affected Cycle. mk(ξ, c) ≡ e_r(ξ) + t_h ∈ e_s(c) + ]tp_min : τ_r]
Suppose that edge ξ is affected by some cycle c at which a sender puts a new bit on the bus. If the
sender sends another bit within a number of cycles (α) less than our bound π, the corresponding affected
cycle may be seen by the receiver with a potential error of one cycle, i.e., at er(ξ + α± 1). This means that
subsequent marks are known with the same error. We name χ ∈ {−1, 0, 1} the drift factor. Figure 10 shows
these marks for α = 8 and α = 16. Formally, we have the following Proposition:
Proposition 2. More Affected Cycles.
Γ_r ∧ Γ_s ∧ 0 < α ≤ π ∧ mk(ξ, c) → ⋁_{χ ∈ {−1, 0, 1}} mk(ξ + α + χ, c + α)
Proof. We do a case analysis on the position of e_r(ξ + α) with respect to the receiver cycle expected
to be affected by sending at sender cycle c + α. The expected affected cycle lies in the interval
e_s(c + α) + ]tp_min : τ_r]. If e_r(ξ + α) is (1) before that interval, we prove that the interval contains e_r(ξ + α + 1); (2)
within that interval, this is the obvious case χ = 0; (3) after that interval, we prove that the interval
contains e_r(ξ + α − 1).
Proposition 2 is important because it gives us which marks can be deduced from the knowledge of a
single one. In most of the proofs done in the analysis of the hardware, we always assume only one mark.
Then, we use Proposition 2 to obtain subsequent marks and perform a case analysis on the three possible
times of these marks.
4.6 Correctness of asynchronous communications
To ensure that the receiver does not always sample Ω's, the sender keeps its output constant for several
cycles (say k cycles). If k is large enough there exists a "sweet spot" in which the receiver can sample safely.
Formally, the safe sampling window of length k w.r.t. cycle c (noted SSW^c_k) is defined as follows:
Definition 4. Safe Sampling Window.
SSW^c_k ≡ ]e_clk(c) + tp_max : e_clk(c + k + 1) + tp_min]
We prove that under our drift hypothesis, SSW^c_k contains k receiver edges (k − 1 full receiver cycles), even in
case of metastability. This gives the number of "good" samples that guarantee reception by the receiver
without metastability.
Proposition 3. SSW's are large enough.
Γ_r ∧ Γ_s ∧ mk(ξ, c) ∧ n + 1 ≤ k ≤ π → ∀l ≤ n, e_r(ξ + β^ξ_c + l) + [−t_s : t_h] ∈ SSW^c_k
The proposition reads as follows. The first two terms of the hypothesis state that jitter on the receiver
and sender clocks is bounded. The third one states that the bit sent at sender cycle c corresponds to receiver
cycle ξ. The last term assumes that k is not greater than our bound π on the clock drift. The conclusion
shows that the times of the n + 1 receiver edges ξ + β^ξ_c + l, l ∈ [0 : n], together with their set-up and holding
times – hence k edges when n + 1 = k – lie within the safe sampling window. Note that there are k such edges
even in the presence of metastability (β^ξ_c = 1).
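The quantities of Definitions 2, 3 and 4 and the two propositions above can be exercised on concrete clocks. The following Python model is an added example and is not part of the paper or of its Isabelle/HOL development. It assumes two ideal clocks with fixed (drifting but jitter-free) periods, the sender period as the time unit, and hypothetical parameter values tp_min = 0.1 and tp_max = 0.3 of the sender period together with t_s = t_h = 5% of the receiver period (their sum is below 1, as Section 4.4 requires). The mark is computed from the lower bound of Definition 3 (the first receiver edge whose hold window ends after e_s(c) + tp_min), and exact rational arithmetic avoids rounding at the interval boundaries.

```python
from fractions import Fraction as F


class Clock:
    """Ideal clock: edge c occurs at e(c) = phase + c * period (no per-cycle jitter)."""

    def __init__(self, period, phase=0):
        self.period, self.phase = F(period), F(phase)

    def e(self, c):
        return self.phase + c * self.period

    def first_edge_after(self, t):
        """Smallest cycle c with e(c) > t (strict)."""
        c = (t - self.phase) // self.period        # Fraction // Fraction -> int
        while self.e(c) <= t:
            c += 1
        return int(c)


class Link:
    """Sender register output sampled by a receiver register (Figures 8 and 10)."""

    def __init__(self, clk_s, clk_r, tp_min, tp_max, t_s, t_h):
        self.s, self.r = clk_s, clk_r
        self.tp_min, self.tp_max = F(tp_min), F(tp_max)   # sender propagation delays
        self.t_s, self.t_h = F(t_s), F(t_h)               # receiver setup and hold times

    def mark(self, c):
        """Affected cycle xi for sender cycle c: first receiver edge with
        e_r(xi) + t_h > e_s(c) + tp_min (lower bound of Definition 3)."""
        return self.r.first_edge_after(self.s.e(c) + self.tp_min - self.t_h)

    def beta(self, xi, c):
        """Metastability factor beta^xi_c (Definition 2)."""
        return 1 if self.r.e(xi) - self.t_s <= self.s.e(c) + self.tp_max else 0

    def drift_factor(self, c, alpha):
        """chi with mk(xi + alpha + chi, c + alpha), given mk(xi, c) (Proposition 2)."""
        return self.mark(c + alpha) - self.mark(c) - alpha

    def ssw(self, c, k):
        """Safe sampling window SSW^c_k (Definition 4): (open lower, closed upper) bound."""
        return self.s.e(c) + self.tp_max, self.s.e(c + k + 1) + self.tp_min

    def good_edges(self, c, k):
        """Receiver edges l whose window e_r(l) + [-t_s : t_h] lies inside SSW^c_k."""
        lo, hi = self.ssw(c, k)
        l = self.r.first_edge_after(lo + self.t_s)        # e_r(l) - t_s > lo
        edges = []
        while self.r.e(l) + self.t_h <= hi:               # e_r(l) + t_h <= hi
            edges.append(l)
            l += 1
        return edges


def make_link(period_r, phase_r):
    """Sender period 1 (the time unit); hypothetical timing parameters, see the lead-in."""
    return Link(Clock(1), Clock(period_r, phase_r),
                tp_min=F(1, 10), tp_max=F(3, 10),
                t_s=F(period_r) / 20, t_h=F(period_r) / 20)


def prop3_holds(link, c, k):
    """Proposition 3 with n + 1 = k: edges xi + beta + l, l in [0 : n], are all good."""
    xi = link.mark(c)
    good = set(link.good_edges(c, k))
    return all(xi + link.beta(xi, c) + l in good for l in range(k))


def prop3_sweep(period_r, k=7, steps=64):
    """Check Proposition 3 for every receiver phase on a grid over one receiver period."""
    return all(prop3_holds(make_link(period_r, F(i, steps) * F(period_r)), 1, k)
               for i in range(steps))


if __name__ == "__main__":
    slow = make_link("1.01", 0)              # receiver 1% slower than the sender
    xi = slow.mark(1)
    print("mark", xi, "beta", slow.beta(xi, 1), "good edges", slow.good_edges(1, 7))
    late = make_link("1.01", "0.15")         # phase puts edge xi inside ]tp_min : tp_max]
    xi = late.mark(1)
    print("mark", xi, "beta", late.beta(xi, 1), "good edges", late.good_edges(1, 7))
    print("chi for alpha = 8:", slow.drift_factor(1, 8))
    print("Prop. 3 for 20% drift (k > pi):", prop3_sweep("1.2"))
```

With a 1% period difference every receiver phase yields k = 7 good edges, early (β = 0) or late (β = 1) as Proposition 3 states; with a 20% difference, where k = 7 exceeds the bound π = (1 − δ)/(2δ) = 2, phases exist at which the seventh sample falls outside SSW^c_k, which is why the hypothesis k ≤ π cannot be dropped.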
Proposition 4 below proves that sampling in a safe sampling window is correct. Its first line assumes
that jitter is bounded, that sender cycle c is related to receiver cycle ξ, and that k is not greater than our bound
π on the clock drift. The second line expresses the fact that the sender creates a safe sampling window of
length k. The third and fourth assumptions state that control and input bits must be stable and defined
during the intervals e_s(c + l) + [−t_s : t_h] to avoid metastability on the sender side. The last two assumptions state
that there is a connection between the sender and the receiver and that the time of receiver edge ξ is in the
safe sampling window (SSW^c_k). The conclusion shows that the output of the receiver register equals the bit
sent by the sender.
Proposition 4. Correct Transfer.
Γ_r ∧ Γ_s ∧ mk(ξ, c) ∧ c > 0 ∧ n + 1 ≤ k ≤ π    (* bounded drift, affected cycle *)
∧ ce_s(e_s(c)) = 1 ∧ ∀l ∈ [1 : k], ce_s(e_s(c + l)) = 0    (* SSW^c_k *)
∧ ∀l ∈ [0 : k + 1], stadep(e_s(c + l) − t_s, e_s(c + l) + t_h, inp_s)    (* input *)
∧ ∀l ∈ [0 : k + 1], stadep(e_s(c + l) − t_s, e_s(c + l) + t_h, ce_s)    (* control *)
∧ ∀c, In_r = aR_s(c, clk_s, ce_s, inp_s, out^0_s) ∧ ∀t, ce_r(t) = 1    (* analog connection *)
∧ e_r(ξ) + [−t_s : t_h] ∈ SSW^c_k    (* good cycle *)
→ aR^ξ_r(e_r(ξ + 1)) = In_s(e_s(c))
Proof. First, Proposition 3 gives us the position of receiver edges in the safe sampling window. Then, we
case split on the position of interval e_r(ξ) + [−t_s : t_h]. We set two reference points: e_s(c + 1) and e_s(c + 1 + k).
We prove the conclusion for 5 cases depending on the position of interval e_r(ξ) + [−t_s : t_h] with respect to these
points.
Finally, Proposition 5 hereafter combines Proposition 3 and Proposition 4 to prove that for all edges in
the safe sampling window the receiver register samples properly. The five hypotheses equal the first five
hypotheses of the previous proposition. The conclusion shows that the output value of the receiver register
equals the value sent by the sender at cycle c for n + 1 cycles, indexed by x. Cycle ξ + β^ξ_c denotes the first "good" sample after
either a bit inversion introduced by wrong resolution of a metastable state (β^ξ_c = 1) or a proper reading at
receiver cycle ξ (β^ξ_c = 0). Function aR^{ξ+β^ξ_c+x}_r(t) represents the output signal of the receiver register during
each "good" cycle x. We consider the value at the end of each cycle, i.e., at time e_r(ξ + β^ξ_c + x + 1).
We illustrate Proposition 5 for the FlexRay protocol and its seven "good" values sketched in Section 3.1
in Figures 4 and 5. The FlexRay protocol specifies that senders must send a bit for eight clock cycles, i.e.,
they keep their output stable for seven extra cycles. So, we have k = 7 and n = 6. The receiver always reads
seven good copies, for x = 0 to 6. Depending on the value of β^ξ_c, these seven good copies are read "early"
(β^ξ_c = 0) or "late" (β^ξ_c = 1).
Proposition 5. Known Inputs.
Γ_r ∧ Γ_s ∧ mk(ξ, c) ∧ c > 0 ∧ n + 1 ≤ k ≤ π    (* bounded drift, affected cycle *)
∧ ce_s(e_s(c)) = 1 ∧ ∀l ∈ [1 : k], ce_s(e_s(c + l)) = 0    (* SSW^c_k *)
∧ ∀l ∈ [0 : k + 1], stadep(e_s(c + l) − t_s, e_s(c + l) + t_h, inp_s)    (* input *)
∧ ∀l ∈ [0 : k + 1], stadep(e_s(c + l) − t_s, e_s(c + l) + t_h, ce_s)    (* control *)
∧ ∀c, In_r = aR_s(c, clk_s, ce_s, inp_s, out^0_s) ∧ ∀t, ce_r(t) = 1    (* analog connection *)
→ ∀x ∈ [0 : n] : aR^{ξ+β^ξ_c+x}_r(e_r(ξ + β^ξ_c + x + 1)) = In_s(e_s(c))
Proof. Proposition 3 gives us n + 1 cycles in the safe sampling window. For each one of them we conclude
using Proposition 4.
This last proposition will be rephrased in the next section to mix analog and digital worlds. It is key
because it gives us which inputs are correctly sampled by the receiver when knowing the cycle at which the
sender has put a bit on the bus. The "digitalized" version of this formula will convert the conclusion to
mention bits and not signals.
5 Continuous model and discrete semantics
Our model of asynchronous communications mentions analog entities only. The semantics is based on
functions and a dense representation of time. Ultimately, we want to use this model to verify hardware
designs described in another semantics based on a discrete notion of time and transition functions. Before
describing our approach, we define type conversion functions and rephrase Proposition 5 to match bits and
not signals.
5.1 Principle and soundness
We recall Figure 2, which illustrates the integration of our analog results in the analysis of digital designs. Our
model of asynchrony is shown inside the dashed box. The remainder of the figure corresponds to digital
designs that are actually used to synthesize hardware. These designs are not modified. Our model is simply
inserted as a filter of the receiver inputs. Functions γ and ζ convert bits to signals and signals to bits. We
give their precise definitions in the next subsection.
Digital designs are represented by their transition function, one application of which represents the
computation of one clock cycle. The sender and the receiver parts are analyzed separately. The analysis
of the sender does not need any analog arguments. It mainly consists of the proof that sender output out_s
follows a specific frame format. The analysis of the receiver is done assuming correctness of the sender
and that the connection of receiver input inp_r is done through our model of asynchrony. We write that an
element s_u of unit u has bit-value x at cycle c – i.e., after c applications of the transition function – as s^c_u = x.
Formally, we assume that the value of input bit inp_r at hardware cycle c equals the output value of register
aR_r at the time of edge c + 1:
∀c, inp^c_r = ζ(aR^c_r, e_r(c + 1))    (5)
The left hand side represents the value that should be in register R_r at c + 1. As the analog register is not
part of the transition function of the receiver, one application of the latter compensates this difference. The
right hand side is always a defined value.
5.2 Mixing bits and signals
Function γ is not given any particular definition. We only assume that it produces a signal such that during
the metastability window around edge i + 1 of clock clk_u it outputs the value with index i in the bit list. This property
is defined by predicate bv2sp:
bv2sp(γ, l_u, clk_u) ≡ ∀t, i, t ∈ e_u(i + 1) + [−t_s : t_h] → γ(l_u)(t) = l_u[i]
Function ζ takes as input a signal and a time. If the value of the signal at that time is a bit value, this
value is returned. Otherwise, a non-deterministic choice is made and some bit value is returned.
ζ(s, t) ≜ if s(t) ∈ {0, 1} then s(t) else x ∈ {0, 1}
5.3 Combining two worlds
Let lists ces and inps be the bit lists containing values given to the analog sender register aRs. If they both
satisfy predicate bv2sp, list element ces[c− 1] or inps[c− 1] corresponds to the bit value given to the sender
analog register at time es(c).
Proposition 5 is embedded into a digital context in the following statement. We assume that (a) clock
drift is bounded; (b) function γ correctly translates bit lists ce_s and inp_s; (c) the digital control bits are
high once and then low k times to create a safe sampling window. Analog hypotheses are concerned with
the connection of the sender with the receiver and the clock drift. Obviously, they cannot be "digitalized".
These assumptions will be used in almost all theorems, lemmas and propositions proved in the remainder of
this paper. We denote them by H, which is formally defined as follows:
H ≡ Γ_r ∧ Γ_s ∧ n + 1 ≤ k ≤ π ∧ mk(ξ, c)    (* bounded drift, mk(c) *)
∧ ∀c, inp_r = aR_s(c, clk_s, γ(ce_s), γ(inp_s), out^0_s) ∧ ∀t, ce_r(t) = 1    (* link *)
∧ bv2sp(γ, ce_s, clk_s) ∧ bv2sp(γ, inp_s, clk_s)    (* modeling hypotheses *)
∧ ce_s[c − 1] = 1 ∧ c > 0 ∧ ∀l ∈ [1 : k], ce_s[c + l − 1] = 0    (* sender *)
Under these assumptions, we prove in Proposition 6 below that the "digitalized" output of the analog
receiver register equals the digital input of the sender at cycle c. Compared to Proposition 5, this proposition
differs in its hypotheses and its conclusion. As shown above, hypothesis H mentions primarily digital entities.
The left hand side of the conclusion of Proposition 6 is the application of conversion function ζ to the
conclusion of Proposition 5. The right hand side is a bit instead of a signal.
Proposition 6. Back to the Digital World.
H → ∀x ∈ [0 : n] : ζ(aR^{ξ+β^ξ_c+x}_r, e_r(ξ + β^ξ_c + x + 1)) = inp_s[c − 1]
Proof. By definition of predicate bv2sp, γ(inps) and γ(ces) are stadep for the required cycles. Proposition 5
concludes.
6 A proof example: correct voted bits
To prove that bytes are sampled correctly, we need to prove that each sampled bit is correct, i.e., that
the value of the voted bit is correct. This is a very simple lemma which illustrates the combination of
the continuous time model and the discrete time model, as well as the combination of Isabelle/HOL with
IHaVeIt and NuSMV. In this section, we first describe how hardware designs are described and verified in
the IHaVeIt environment. Then, we show how to incorporate digital properties in our model of asynchronous
communications.
6.1 The IHaVeIt environment
IHaVeIt stands for Isabelle Hardware Verification Infrastructure and has been developed by Tverdyshev [20].
It is written in Standard ML and implemented as an oracle proof tactic in Isabelle/HOL. IHaVeIt
provides a connection to external verification tools: the NuSMV and SMV model-checkers, and different
SAT solvers. The environment also provides a tool to generate Verilog descriptions that are then synthesized
on FPGA. The main contribution of this tool is an efficient model-reduction algorithm. This algorithm is
based on a combination of transformation and domain reduction techniques. These techniques provide data
reduction and elimination of functions and memories. Details on these algorithms fall outside the scope of
this paper (see [20] for more details).
6.1.1 Hardware description in Isabelle/HOL
IHaVeIt considers a subset of the Isabelle/HOL syntax that is suitable to describe hardware, i.e., descriptions
can be translated to Verilog. The IHaVeIt subset considers the following basic types: Boolean, bit vectors,
naturals, integers, lists, functions, finite enumeration, and records. Infinite types are shrunk using predicate
sets. IHaVeIt provides a library of predicate sets of the aforementioned basic types, e.g., bv n(n) and
arr of (n, t) define the sets of bit vectors of length n and arrays of n elements of type t. Combinatorial
circuits are represented using Isabelle/HOL expressions, non-recursive functions and uninterpreted functions.
Functions are constructed using Isabelle/HOL operators. Uninterpreted functions are translated to Verilog
modules without bodies. They are typically used to represent memories. Sequential circuits are represented
by standard Mealy machines. State components are stored in registers which constitute a specific type used
in the translation tool.
[Figure 11: RTL description of majority vote. Receiver input inp_r feeds register R, then register RH, then the 4-bit shift register SH[3:0]; a cascade of 2:1 multiplexers with constant inputs 0 and 1, selected by the register outputs, computes the voted bit v.]
We briefly illustrate hardware description in Isabelle/HOL on the very simple example of the computation
of the voted bit noted v in Figure 7. Figure 11 shows the schematics. The state component of this circuit is
defined by a record containing the two input registers and a 4-bit shift register. Using Isabelle syntax, we
have (see the note below on the field names):
record t_rBUSCON =
rR :: t_bitreg
rRH :: t_bitreg
rSH4 :: t_shiftreg4
Majority is computed using a cascade of multiplexers (noted mux ). A multiplexer is defined as a function
taking as arguments two bit-vectors and a select bit. It returns the selected bit-vector.
constdefs mux_impl :: "bv => bv => bit => bv"
"mux_impl xs ys s == (if (bit2bool s) then xs else ys)"
In computing the majority, multiplexers are used to introduce a 0 or 1.
constdefs major_help_impl :: "bv => bit => bv"
"major_help_impl b sel == mux_impl (b@[1]) ([0]@b) sel"
All the multiplexers are connected together to compute the 5-bit majority voting.
constdefs major5_impl :: "bv => bit"
"major5_impl b ==
let
v0::bv = [(nth b 0)];
v1::bv = major_help_impl v0 (nth b 1);
v2::bv = major_help_impl v1 (nth b 2);
v3::bv = major_help_impl v2 (nth b 3);
v4::bv = major_help_impl v3 (nth b 4)
in
(nth v4 2)"
Finally, the voted bit is computed as the majority of the four values stored in the shift-register and the value
stored in the second input register.
Note: RH denotes the second input register and SH4 the 4-bit shift register in Figure 11. An 'r' prefix indicates that the element is part
of the receiver interface.
constdefs s_v :: "t_rBUSCON => bit"
"s_v rbuscon ==
let
rh_bit::bit = rRH_read_impl rbuscon;
shift_dout::bv = rSH4_read_impl rbuscon
in
(major5_impl ([rh_bit]@shift_dout))"
6.1.2 Theorems in IHaVeIt
IHaVeIt supports the proof of combinatorial properties and temporal properties expressed either in linear or
branching time temporal logic (LTL or CTL). A combinatorial property is a Boolean expression where all
free variables are quantified over their subtype, e.g., ∀a ∈ arr of (4 , bv n(8 )) :P (a). Typically, combinatorial
properties are given to a SAT solver or any other kind of decision procedures. The syntax and semantics of
the LTL and CTL formulas supported by IHaVeIt can be found in Tverdyshev thesis [20]. These formulas
correspond to the usual properties described in standard textbooks (e.g., [8, 3]). The formalization is inspired
by the case-study ”Verified Model Checking” in the Isabelle/HOL tutorial [15].
On the circuit computing the majority voting we prove that if the input bit is equal to bit value b for
seven clock cycles, the voted bit equals b for seven cycles with a delay of four cycles. Let X denote the LTL
next operator and let X^n(P) be defined as X(X^{n−1}(P)), with X^0(P) = P. This property is expressed by the following formula:
inp_r = b ∧ X(inp_r = b) ∧ X^2(inp_r = b) ∧ X^3(inp_r = b) ∧ X^4(inp_r = b) ∧ X^5(inp_r = b) ∧ X^6(inp_r = b)
⟹
X^4(v = b) ∧ X^5(v = b) ∧ X^6(v = b) ∧ X^7(v = b) ∧ X^8(v = b) ∧ X^9(v = b) ∧ X^10(v = b)
Let CorrVotedBit(inp_r, v) denote this property. Let K = (S, I, T) denote the Kripke structure representing
the circuit where S is the set of states represented by record t_rBUSCON, I is a predicate defining the set
of initial states, and T is the transition function. In our case, we make no assumption on the initial states
of the registers and I = True. The transition function is not detailed. It basically applies function s_v to
compute the new value of the voted bit. It shifts all registers by one place to the right and inserts value inp_r
in the first register. We prove that property CorrVotedBit always holds.
Proposition 7. K ⊨_ltl □ CorrVotedBit(inp_r, v)
Proof. This property is automatically proven by IHaVeIt, which applies model reduction and calls NuSMV.
To reduce the state space, we prove it separately for each possible value of b (0 or 1).
To use the above temporal property we translate it back to usual logic using the semantic description
in Isabelle/HOL. Globally (□) means that the property holds at all positions of all traces. Let t denote
an arbitrary position in a trace. Then, □ CorrVotedBit(inp_r, v) translates to ∀t. CorrVotedBit(inp^t_r, v^t), where
X^n(s) translates to s^{t+n}. Proposition 7 thus translates to Proposition 8 below:
Proposition 8. ∀t. (∀x ∈ [0 : 6], inp^{t+x}_r = b) → (∀x ∈ [0 : 6], v^{t+x+4} = b)
Proof. This proposition is the translation of Proposition 7 according to the LTL semantics.
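The circuit and the property above can be replayed outside the proof environment. The following Python transcription is an added example, not the paper's Isabelle/HOL text: it reproduces the multiplexer cascade of major5_impl and the one-cycle shift of the receiver state (R, RH, SH[3:0]) as described for the transition function, checks the cascade against a plain count over all 32 input vectors (the combinatorial part), and then enumerates every initial state and every input outside the seven-cycle window to recover the exact set of offsets at which the voted bit is guaranteed. It comes out as [4 : 10], matching Proposition 8, and shows that X^3 and X^11 are not guaranteed. The tuple layout of the state and the order of the shift-register cells are assumptions made for this example.

```python
from itertools import product


def mux_impl(xs, ys, s):
    """Two-way multiplexer: xs when the select bit is 1, ys otherwise."""
    return xs if s else ys


def major_help_impl(b, sel):
    """One cascade stage: append a 1 on the right or prepend a 0 on the left."""
    return mux_impl(b + [1], [0] + b, sel)


def major5_impl(b):
    """5-input majority as a thermometer code: after four stages the vector is
    0^p [b0] 1^q with p + q = 4, and its middle bit (index 2) is the majority."""
    v = [b[0]]
    for sel in b[1:5]:
        v = major_help_impl(v, sel)
    return v[2]


def majority_by_count(b):
    return 1 if sum(b) >= 3 else 0


def cascade_matches_count():
    """Combinatorial check over all 32 input vectors (what a SAT call would settle)."""
    return all(major5_impl(list(bits)) == majority_by_count(bits)
               for bits in product((0, 1), repeat=5))


# Receiver state t_rBUSCON modelled as a tuple (rR, rRH, rSH4), with
# rSH4 = (SH[0], SH[1], SH[2], SH[3]) and SH[0] the most recently shifted-in bit.
def s_v(state):
    """Voted bit: majority of RH and the four shift-register cells."""
    _r, rh, sh = state
    return major5_impl([rh] + list(sh))


def step(state, inp_r):
    """Transition function: shift every register one place to the right, insert inp_r into R."""
    r, rh, sh = state
    return (inp_r, r, (rh, sh[0], sh[1], sh[2]))


def all_states():
    for bits in product((0, 1), repeat=6):
        yield (bits[0], bits[1], bits[2:6])


def guaranteed_offsets(hold=7, horizon=12):
    """Offsets x in [0 : horizon] such that v^{t+x} = b in EVERY run in which
    inp_r^{t+i} = b for i in [0 : hold-1]. Inputs before t are covered by
    enumerating all initial states; inputs after the window range over all values."""
    good = set(range(horizon + 1))
    tail = horizon + 1 - hold
    for b in (0, 1):
        for init in all_states():
            for rest in product((0, 1), repeat=tail):
                inputs = [b] * hold + list(rest)
                state = init
                for x in range(horizon + 1):
                    if s_v(state) != b:      # v^{t+x} is a function of the state at t+x
                        good.discard(x)
                    state = step(state, inputs[x])
    return good


if __name__ == "__main__":
    print("mux cascade == majority count:", cascade_matches_count())
    print("offsets with a guaranteed voted bit:", sorted(guaranteed_offsets()))
```

The enumeration plays the role NuSMV plays in Proposition 7 for this small design: 64 initial states times the free inputs after the window is a few thousand runs, so the bound [4 : 10] is confirmed exhaustively rather than by inspection of the pipeline depth.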
In the next section, we show how to combine this property with our model of asynchronous communica-
tions and connect with the sender unit.
[Figure 12: Proof method. Digital world: IHaVeIt/NuSMV shows an LTL/CTL property assuming an input sequence; its semantic translation into Isabelle/HOL shows Property(t) assuming the receiver reads good inputs. Analog world: Propositions 5 and 6 show that the receiver reads the good inputs sent by the sender, and substitution yields Property(t); Proposition 2 then yields Property(t + α) with error χ.]
6.2 A simple example: correct voted bits
Our general proof method is illustrated in Figure 12. The first step is to prove a temporal property on the
design. In the example of the voted bits, this was done in Proposition 7. The structure of this property
is very typical in our proof: we always prove a property on part of the design assuming a specific input
sequence. The second step is to translate this temporal property into the logic of Isabelle/HOL using the
semantics. This was the purpose of Proposition 8. The property is now dependent on an arbitrary position
t in traces. Until now, only the digital part of the receiver unit was analyzed. We now show how to include the
sender and our model of asynchronous communications.
We recall Figure 2 showing the connection of sender, our model of asynchronous communications, and
receiver. Formally, this connection is expressed by Equation 5. In Proposition 8, we assume that the receiver
reads an arbitrary bit value b. In reality, this bit value is put on the bus by the sender unit at cycle c. The
receiver is then expected to read the sender output register, i.e., out^c_s in Figure 2. The third step of our proof
method is to show that the receiver can indeed read this value in our model of asynchronous communications.
In our example of the voted bits, we have to show that the receiver can read seven copies of each bit. This is
the case if the sender creates a safe sampling window. This is exactly the statement of Propositions 5 and 6.
Using these propositions, we can discharge the assumptions of our property in the analog world. In the
FlexRay algorithm, k and n have values 7 and 6 in Proposition 6. The hypothesis obtained by instantiating
k and n in H with these values is noted H[k ⊳ 7, n ⊳ 6]. Finally, we obtain the following proposition:
Proposition 9. H[k ⊳ 7, n ⊳ 6] ∧ Equation 5 → ∀x ∈ [0 : 6] : inp^{ξ+β^ξ_c+x}_r = out^c_s
Proof. Follows directly from Proposition 6 and Equation 5 by substitution.
By combining this proposition with Proposition 8, we obtain the correctness of the voted bit assuming
asynchronous transmission, metastability, and clock drift.
Proposition 10. H[k ⊳ 7, n ⊳ 6] ∧ Equation 5 → ∀x ∈ [4 : 10] : v^{ξ+β^ξ_c+x} = out^c_s
Proof. Follows from Propositions 9 and 8, by substituting t by ξ + β^ξ_c: Proposition 9 provides the seven
inputs inp^{t+x}_r = out^c_s, x ∈ [0 : 6], required by Proposition 8, whose conclusion v^{t+x+4} = out^c_s for
x ∈ [0 : 6] is the range [4 : 10] above.
Typically, we obtain at this point a formula with a time reference at receiver cycle ξ (or sometimes simply
t). This reference corresponds to the mark, i.e., the association of a receiver cycle with a sender cycle (e.g.,
mk(ξ, c)). We are often interested in generalizing this formula to subsequent marks at a distance α ≤ π from
the known one. This is exactly the purpose of Proposition 2. In the proof of the correct voted bit, we obtain
the following proposition:
Proposition 11.
H[k ⊳ 7, n ⊳ 6] ∧ α ≤ π ∧ Equation 5 → ⋁_{χ ∈ {−1, 0, 1}} ∀x ∈ [4 : 10] : v^{ξ+θ+β^{ξ+θ}_{c+α}+x} = out^{c+α}_s
where θ = α + χ
Proof. Proposition 2 gives us three possible marks, one for each value of χ. For each one of them, we
instantiate Proposition 10.
7 Formal proof
In this section we give details on the formal correctness proof of the time-triggered interface. We focus on the
receiver correctness and therefore assume correctness on the sender part. We first precise this assumption.
Then, we give an overview of the global proof structure. After that, we give our correctness statement and
show the proof of two important lemmas: Lemma 1 and Lemma 2. Lemma 1 shows the possible states in
which the receiver can be after reading the synchronization sequence BSS. Lemma 2 extends this result to
show that for all these possible states bytes can be sampled correctly. Theorem 1 – the main correctness
theorem of the hardware interface – is proven by induction on the number of bytes in a message. We conclude
this Section by showing how Lemma 2 is used in the induction step.
7.1 Assumptions: sender correctness
The sender is proven to effectively generate each bit for eight clock cycles: the control bit is high once and
then low for k = 7 cycles. This discharges the digital hypotheses of Proposition 6. Formally, this is defined
as follows, where l denotes the number of bytes in a message:
Definition 5. Correctness of ce_s.
WFce(ce_s, l, k, c) ≡ ∀i < l, ce_s[c + 8·i] = 1 ∧ ∀j ∈ [1 : k], ce_s[c + 8·i + j] = 0
We prove that the sender generates frames with the specified format. For the purpose of this paper,
we are only concerned with synchronization bits, i.e., the BSS sequence. This is expressed by the following
predicate, where l denotes the number of bytes in a message:
Definition 6. Partial Correctness of inp_s.
WFinp(inp_s, l, c) ≡ ∀i < l, ∀y ∈ [0 : 7], inp_s[c + 80·i + 16 + y − 1] = 1 ∧ inp_s[c + 80·i + 24 + y − 1] = 0
7.2 Proof roadmap
Senders send frames composed by two initial bit sequences – the transmission start sequence (TSS) and
the frame start sequence (FSS) – followed by a number of bytes, say l bytes. Before sending each byte a
synchronization sequence – the falling edge made of BSS[0] and BSS[1] – is sent. Our objective is to prove
that each byte is received properly. We take as reference the time point when a receiver reads the first copy
of bit BSS[0]. In this section, this time point is referred to with t. When reading the initial bit sequences
or the previous byte, receivers have different configurations when starting reading a byte at time t. We first
show the different possible states after reading the initial bit sequences, i.e., the states before reading the
first byte.
We illustrate these different possible states in Figure 13. The first two lines show the output of the sender
and how it is seen by the receiver. Black boxes indicate possible metastabilities. We first need a mark and
assume that cycle ξ is the first affected cycle. Because of clock drift, the BSS[0]-mark may appear on the
[Figure 13: Initial Transmission Phase. Sender output out_s (TSS, FSS, BSS[0]) from e_s(c), and receiver input inp_r with the mark mk(ξ, c). At cycle ξ + β^ξ_c + 16 the receiver automaton is either in state z = BSS[0] with cnt = 011 (β^ξ_c = 0) or in state z = FSS with cnt = 010 (β^ξ_c = 1); the next mark is mk(ξ + 16 + [−1 : 1], c + 16).]
receiver side 15 (χ = −1), 16 (χ = 0) or 17 (χ = 1) cycles after ξ. There is a potential metastability at cycle
ξ. Depending on the value reached after resolution – that is, depending on the value of β^ξ_c – the receiver
automaton reaches different state and counter values when the BSS[0]-mark is detected. In the figure, we
show these values at ξ + β^ξ_c + 16, where the automaton is either in state BSS[0] with a counter at 011 or in state
FSS with a counter at 010. This corresponds to the case where χ = 0. If χ = 1, then the receiver automaton
reaches state BSS[0] 17 cycles after ξ and with counter value 100.
The base case and all the sub-cases of the induction step are proven using two main lemmas. The
first one states that synchronization occurs while sampling the synchronization sequence. It shows for all
possible states of the receiver before reading the BSS sequence which are the possible states after reading
this sequence. The second lemma shows that this synchronization is good enough to sample a byte. It shows
for all possible states after reading the BSS sequence the byte can be sampled properly. Its proof shows the
correct value of the counter used in the bit-clock synchronization algorithm.
7.3 Main statement
The main theorem is shown below. The first line contains hypotheses about the low level aspects (H), our
integration of the analog and the digital worlds (Equation 5), and our assumption that the sender is correct.
The first bit of the message is put on the bus at sender cycle c and the first "affected" receiver cycle is cycle
ξ. These two facts are hidden in hypothesis H[k ⊳ 7, n ⊳ 6]. In the second line, we simply assume that the
initial state is idle and that each bit of a byte is indexed by j.
Theorem 1. Transmission Correctness.
H[k ⊳ 7, n ⊳ 6] ∧ Equation 5 ∧ WFce(ce_s, l, k, c) ∧ WFinp(out_s, l, c)
∧ z^ξ = idle ∧ j ∈ [7 : 0]
→ ∀i < l, ∃ν, mk(ν, c + 16 + 80·i)    (* bss0 mark *)
∧ (
      mk(ν + 7, c + 24 + 80·i)    (* bss1 mark *)
      ∧ z^{ν+78} = b[7] ∧ cnt^{ν+78} = 010 ∧ BYTE^{ν+79} = ⟨out^{c+16+80·i+8·(j+2)}_s⟩
   ∨ (mk(ν + 7, c + 24 + 80·i) ∨ mk(ν + 8, c + 24 + 80·i))    (* bss1 mark *)
      ∧ z^{ν+79} = b[7] ∧ cnt^{ν+79} = 010 ∧ BYTE^{ν+80} = ⟨out^{c+16+80·i+8·(j+2)}_s⟩
   ∨ (mk(ν + 8, c + 24 + 80·i) ∨ mk(ν + 9, c + 24 + 80·i))    (* bss1 mark *)
      ∧ z^{ν+80} = b[7] ∧ cnt^{ν+80} = 010 ∧ BYTE^{ν+81} = ⟨out^{c+16+80·i+8·(j+2)}_s⟩
   ∨ mk(ν + 9, c + 24 + 80·i)    (* bss1 mark *)
      ∧ z^{ν+81} = b[7] ∧ cnt^{ν+81} = 010 ∧ BYTE^{ν+82} = ⟨out^{c+16+80·i+8·(j+2)}_s⟩
  )
[Figure 14: Traversing synchronization edges. Rows: Sender Output (out_s), Receiver Input (inp_r), and the Earliest Sync and Latest Sync traces of z, cnt, strobe and sync; marks mk(BSS[0]), mk(BSS[1]), mk(BSS[0]) + 15 (15 cycles, z = b[0]) and mk(BSS[0]) + 18 (18 cycles); annotations: metastability, drift/β, unknown bits shown as ?.]
Figure 14: Traversing synchronization edges
The conclusion reads "for each byte i of a message containing l bytes, there exists a receiver cycle ν from
which the receiver samples the byte correctly". The conclusion is a conjunction of two terms. The first one
expresses the knowledge of the receiver about the first bit of the synchronization sequence (BSS[0]). The
knowledge of this "mark" and clock drift induces three possible positions for the second bit of this sequence.
These three possible positions imply four different ways of sampling a byte. This is explained using the
drift factor χ and the metastability factor β. The former can take three values: −1, 0, or 1. The latter is
either 0 or 1. Combining these two factors, we obtain four possibilities: −1, 0, 1, 2. Because of these four
possibilities, the total number of cycles needed to sample a byte can have four different values. These values
are expressed by the second term of the conclusion. In each case, state and counter values mean that the last
bit has been sampled. One cycle after that, the byte register is properly updated. Finally, it takes between
79 to 82 cycles to sample a byte.
This theorem also proves lower and upper bounds on the time at which the last bit of one byte is
recovered. From a simple computation based on the marks of the conclusion, these bounds can be expressed
as functions of the reference clock ($\tau_{ref}$) and the time ($e_s(c)$) when the first bit is put on the bus by the
sender.
7.4 Lemma 1: Crossing synchronization edges
The objective of Lemma 1 is to prove for all possible states before reading the synchronization sequence
(BSS) what are the possible states after reading this sequence. We illustrate the proof when reading the
first byte, i.e., after reading the initial bit sequences. The other cases are discussed in Section 7.6 about the
induction step. Our reasoning is illustrated in Figure 14. The first two lines show the output of the sender
and how it is seen by the receiver. Black boxes indicate possible metastability. Question marks are used to
denote unknown values.
As explained in Section 7.2, the receiver may be in different configurations at the time of the detection of
the BSS[0]-mark. We fix the initial step of the lemma to match the time of the detection of the BSS[0]-mark.
We consider the case where the receiver is in state BSS[0] with a counter value at either 011 or 100. The
other cases are proven in a similar way.
According to Proposition 2 and assuming that the BSS[0]-mark is known, the BSS[1]-mark has three
possible times (one for each value of χ). The potential metastability around that edge has the same three
times. We consider bits sampled by the receiver at these times unknown. At most, three bits are unknown.
Depending on the values of these three bits, the automaton will spend more or less time in the states of BSS.
There is synchronization if the lower and the upper bound on this number of cycles allow proper sampling.
These bounds are defined by Lemma 1, which proves that the automaton reaches state b[0] with counter
value 011 in at least 15 and at most 18 cycles. We now explain the proof of these lower and upper bounds.
Let t be the time of the affected cycle of BSS[0]. If the three unknown bits are 0 (see line 3 "Earliest Sync"
in Figure 14), signal sync is high at t + 7 + 4 = t + 11. The counter is reset and signal strobe is high at
t+ 11 + 3 = t+ 14. In the next cycle, the automaton reaches state zt+15 = b[0]. For any lower value of the
counter, the automaton will reach this state earlier.
If the unknown bits are 1 (see line 4 "Latest Sync" in Figure 14), signal sync is high at t + 10 + 4 = t + 14.
If the counter was 100 initially, then it has reached value 010 and strobe is high. At the same time, signal
sync is high, the automaton stays in BSS[0], and the counter is reset. At cycle t+17, strobe is high and the
automaton reaches b[0] with a correct counter value at t+ 18. For any larger value, the automaton requires
more cycles to reach this state.
The main statement includes all possible configurations when sampling the first byte, but also all possible
configurations when sampling byte i in the induction step. This statement assumes that the time of the first
bit of the first part of the synchronization sequence (the "BSS[0]-mark") is known by the reader (mk(t, c + 16)).
The conclusion contains the four possible ways to sample the synchronization sequence. In each term of the
disjunction, we know the position of the first bit of the second part of the synchronization sequence (BSS[1]).
This knowledge is crucial to prove that synchronization is good enough to sample bits correctly (Lemma 2,
Section 7.5).
Lemma 1. Synchronization.
$$
\begin{aligned}
& mk(t, c + 16) \quad (*\ \text{bss0 mark}\ *) \\
& \wedge\ (*\ \text{next are hypotheses about the starting point of the lemma}\ *) \\
& \big( z_t = BSS[0] \wedge cnt_t \in \{011, 100\} \ \vee\ z_t = FSS[0] \wedge cnt_t \in \{001, 010\} \\
& \quad \vee\ z_t = b[7] \wedge cnt_t \in \{001, 010, 011, 100\} \big) \quad (*\ \text{for induction step}\ *) \\
\rightarrow\ & mk(t + 7, c + 24) \wedge (*\ \text{bss1 mark}\ *)\ z_{t+15} = b[0] \wedge cnt_{t+15} = 011 \\
& \vee\ \big( mk(t + 7, c + 24) \vee mk(t + 8, c + 24) \big) \wedge (*\ \text{bss1 mark}\ *)\ z_{t+16} = b[0] \wedge cnt_{t+16} = 011 \\
& \vee\ \big( mk(t + 8, c + 24) \vee mk(t + 9, c + 24) \big) \wedge (*\ \text{bss1 mark}\ *)\ z_{t+17} = b[0] \wedge cnt_{t+17} = 011 \\
& \vee\ mk(t + 9, c + 24) \wedge (*\ \text{bss1 mark}\ *)\ z_{t+18} = b[0] \wedge cnt_{t+18} = 011
\end{aligned}
$$
This lemma is proven following the same approach as the one used to prove the correctness of voted bits
(see Section 6.2). The idea is to obtain from the low level model which inputs are unknown and prove that
the design works properly for all possible values of these unknown inputs.
As suggested by the informal description of the proof, there are at most three unknown inputs. In fact,
for each position of the BSS[1]-mark, only one input is unknown. It is the bit that appears exactly on this
mark and it is due to metastability. For instance, if the mark is at its earliest position (see line "Earliest
Sync" in Figure 14), then the only unknown input is at time t + 7, because instantiating Proposition 6 for
this mark gives us that bits from t + 8 are known. In a similar way, if the mark is at its latest position (see
line 4 "Latest Sync" in Figure 14), then we also know that inputs at t + 7 and t + 8 must be one. This is
due to our assumption that clock drift is bounded, i.e., bits at t + 7 and t + 8 are still in the safe sampling
window starting at the BSS[0]-mark.
For each position of the BSS[1]-mark, we prove a lemma on the digital design, which shows the two
possible lengths to sample the synchronization sequence. For instance, if the BSS[1]-mark appears at t+ 7,
we prove that sampling the synchronization sequence takes 15 to 16 cycles. This is expressed in Proposition 12
below. The hypotheses first state that at times t+1 until t+6 six good copies of BSS[0] are known and that
at times t+8 until t+13 six good copies of BSS[1] are known. Input at time t+7 is left unspecified and the
model-checker will have to consider all possible values. The rest of the hypotheses state the different receiver
states and counter-value that are possible at time t when reading the first copy of BSS[0]. The conclusion
[Figure 15: Sampling bytes correctly. Rows: Sender Output (out_s), Receiver Input (inp_r), and the Earliest Sync (z = b[0] at mk(BSS[0]) + 15, 15 cycles) and Latest Sync (z = b[0] at mk(BSS[0]) + 18, 18 cycles) traces of z, cnt, strobe and sync; the voted bits at cycles 20 to 27 for β = 0 and β = 1; drift (χ ∈ {−1, 0, 1}) shown at the strobe points; unknown bits shown as ?.]
Figure 15: Sampling bytes correctly
shows the time points when the receiver reaches state b[0] with counter-value 011, i.e., after reading the BSS
sequence.
Proposition 12.
$$
\begin{aligned}
& \forall u \in [0:5],\ inp_{t+1+u} = 1 \ \wedge\ \forall v \in [0:5],\ inp_{t+8+v} = 0 \quad (*\ \text{2x6 bits known}\ *) \\
& \wedge\ \big( z_t = BSS[0] \wedge cnt_t \in \{010, 011\} \ \vee\ z_t = FSS \wedge cnt_t \in \{001, 010\} \quad (*\ a\ *) \\
& \quad \vee\ z_t = b[7] \wedge cnt_t \in \{001, 010, 011, 100\} \big) \quad (*\ b\ *) \\
\rightarrow\ & z_{t+15} = b[0] \wedge cnt_{t+15} = 011 \ \vee\ z_{t+16} = b[0] \wedge cnt_{t+16} = 011
\end{aligned}
$$
Proof. By IHaVeIt. For efficiency of the computations, we decompose this proposition in two propositions.
We prove the conclusion assuming hypotheses (*a*) in one proposition. In another one, we prove the
conclusion assuming (*b*). Each proof is fully automatic.
7.5 Lemma 2: Sampling bytes correctly
The previous lemma shows the different possible states of the receiver before and after reading the BSS
sequence. Lemma 2 shows that it is possible to sample the transmitted byte for all these possibilities. Let t
denote the receiver cycle reading the first copy of BSS[0]. To simplify, we only consider the case where the
receiver is in state zt = BSS[0] with counter cntt = 011 when reading the first bit of BSS[0]. This case is
pictured in Figure 15. All other cases would be proven in a similar way. The first two lines show the digital
output (outs in Figure 2) of the sender and the digital input of the receiver (inpr in Figure 2). Black boxes
show potential metastabilities and a '?' illustrates the fact that the eighth copy is not certainly correct.
Line ”Earliest Sync” considers the shortest traversal of the synchronization sequence. State b[0] is reached
after 15 cycles (t+ 15). Line ”Latest Sync” considers the longest traversal of the synchronization sequence.
State b[0] is reached after 18 cycles (t + 18). The large box shows the values of the voted bit, which is
simply the receiver input delayed by four cycles. The first line shows the case of no metastability – or good
resolution of it (β = 0) – when reading the first copy of b[0]. The second line shows bad resolution of the
metastability (β = 1). Numbers indicate cycle numbers counting from time t when the receiver reads the
first copy of BSS[0]. The possible strobe points for the earliest and latest synchronization are also shown. In
total there are four possible strobe points depending on the four durations of traversing the synchronization
sequence. Strobing appears at t + [15 : 18] + 7 for b[0]. In general, for any bit b[j] strobing appears at
t+ [15 : 18]+ 8 · j+7. We see here that the position of the strobe points is fully determined by the traversal
of the synchronization sequence BSS. It does not depend on clock drift. In contrast, the relative position
of the voted bits may shift by one cycle. This is represented by the different values of drift factor χ. The
objective of Lemma 2 is to prove that all strobe points coincide with a good voted bit.
7.5.1 Positions of the voted bits
We assumed that at receiver cycle t the first bit of BSS[0] is read. This bit was put on the bus at sender
cycle c. We are interested in the bits sent after the two bits of the BSS sequence. We want to read bit b[j],
which is put on the bus 8 · (j + 2) cycles after cycle c. We simply instantiate Proposition 11 (Section 6.2)
with ξ = t and α = 8 · (j + 2) and obtain the following:
$$
\bigvee_{\chi \in \{-1,0,1\}} \ \forall x \in [4:10],\quad v_{\,t + 8\cdot(j+2) + \chi + \beta^{\,t+8\cdot(j+2)+\chi}_{\,c+8\cdot(j+2)} + x} = out_s[c + 8 \cdot (j+2) - 1]
$$
The right hand side of this equation denotes the value of the bit sent by the sender unit, i.e., b[j]. The left
hand side shows the different positions of the voted bits. There are seven good bits, i.e., one for every value
of x ∈ [4 : 10]. Ideally, each bit b[j] is read at receiver cycle t + 8 · (j + 2). Because of clock drift, this can
suffer an error of one cycle. Each bit b[j] is then read at cycle t + 8 · (j + 2) + χ. For each bit b[j], there
might be a metastability when reading the first copy of it, i.e., at receiver cycle t + 8 · (j + 2) + χ. The effect
of this metastability is expressed by $\beta^{\,t+8\cdot(j+2)+\chi}_{\,c+8\cdot(j+2)}$, simply written β in the remainder of this section.
For every bit b[j], the position of the corresponding good voted bits is equal to the following expression:
$$
t + 8 \cdot (j + 2) + \beta + \chi + x
$$
The objective of Lemma 2 is to show that there is always an x ∈ [4 : 10] to match the position of a
strobe point with a voted bit. Formally, we have to solve the following equality where the left hand side
corresponds to strobe points and the right hand side to the cycles at which the voted bit is correct.
$$
t + [15:18] + 8 \cdot j + 7 = t + \alpha + \beta + \chi + x \tag{6}
$$
7.5.2 Smallest value of x
The minimum x is required when the right hand side is maximized and the left hand side of the equality is
the earliest cycle. This means that the receiver is one cycle behind the sender. Because clock ticks differ at
most by one, this implies that χ cannot take value 1. The right hand side is therefore maximized with β = 1
and χ = 0. We need to find x such that:
$$
t + 15 + 8 \cdot j + 7 = t + 16 + 8 \cdot j + 1 + 0 + x
$$
The solution is x = 5. If the receiver would strobe at counter value 001, traversing the synchronization edges
would take a cycle less. Strobe points would be positioned at $t + [14:17] + 8 \cdot j + 7$. The above equation
would become $t + 14 + 8 \cdot j + 7 = t + 16 + 8 \cdot j + 1 + 0 + x$. The solution would be x = 4 and would still
be in the interval [4 : 10]. This means that counter value 001 would be a limit, i.e., the earliest working
synchronization point.
Statement 1. The lowest reset value of counter cnt is 001. As the counter is reset to 000, the lowest
difference between the strobe and the reset points is one cycle.
7.5.3 Largest value of x
The maximum x is required when the right hand side is minimized and the left hand side of the equality is
the latest cycle. This means that the receiver is one cycle ahead of the sender. Again, because of the bound
on clock drift, this implies that χ ≠ −1. The right hand side is therefore minimized with β = 0 and χ = 0.
Here, we need to find x such that:
$$
t + 18 + 8 \cdot j + 7 = t + 16 + 8 \cdot j + 0 + 0 + x
$$
The solution is x = 9. If the receiver would strobe at counter value 011, traversing the synchronization
sequence would take one cycle more. Strobe points would be positioned at $t + [16:19] + 8 \cdot j + 7$. The above
equality would become $t + 19 + 8 \cdot j + 7 = t + 16 + 8 \cdot j + 0 + 0 + x$. The solution would be x = 10 and would
still be in the interval [4 : 10]. Note that this counter value is equivalent to the one proposed by the FlexRay
standard [1]. Value 100 proposed in [4] would be outside this limit and is therefore not adequate.
Statement 2. The largest reset value of counter cnt is 011. As the counter is reset to 000, the largest
difference between the strobe and the reset points is three cycles.
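To make the bounds of Sections 7.5.2 and 7.5.3 checkable, here is an added Python script (not part of the paper or its Isabelle/HOL proof) that enumerates Equation 6 over all traversal lengths, drift and metastability factors for each candidate strobe counter value; it generalizes the two extreme computations above to all four candidate values 001 to 100. The shift of the traversal interval with the strobe value, and the exclusion of χ = 1 for the earliest traversal and of χ = −1 for the latest one, are modelling assumptions taken from the text.

```python
"""Added example, not part of the paper or its Isabelle/HOL proof: enumerate
Equation 6 for each candidate strobe counter value.

Modelling assumptions taken from Section 7.5:
  * the receiver strobes bit b[j] at t + T + 8*j + 7, where T is the number of
    cycles spent traversing the BSS sequence; with strobe value 010 the text
    gives T in [15 : 18], and strobing one counter value earlier or later
    shifts this interval by one cycle (001 -> [14 : 17], 011 -> [16 : 19]);
  * the good voted bits of b[j] sit at t + 8*(j+2) + beta + chi + x with
    x in [4 : 10], beta in {0, 1} and chi in {-1, 0, 1};
  * bounded drift couples T and chi: the earliest traversal excludes chi = 1
    and the latest traversal excludes chi = -1 (Sections 7.5.2 and 7.5.3).
"""
from itertools import product

GOOD_X = range(4, 11)       # x in [4 : 10]: the seven good copies of a voted bit
BETA = (0, 1)               # metastability factor
CHI = (-1, 0, 1)            # drift factor
BIT_PERIOD = 8              # sender cycles per bit (eight copies of each bit)


def traversal_lengths(strobe_value):
    """Cycles T spent in the BSS states when strobing at counter `strobe_value`.

    010 (= 2) gives the paper's [15 : 18]; each unit shifts the interval by one.
    """
    return range(13 + strobe_value, 17 + strobe_value)


def allowed_chi(T, strobe_value):
    """Drift values compatible with a traversal of T cycles (bounded drift)."""
    lengths = traversal_lengths(strobe_value)
    if T == lengths[0]:      # earliest traversal: receiver behind, chi != 1
        return (-1, 0)
    if T == lengths[-1]:     # latest traversal: receiver ahead, chi != -1
        return (0, 1)
    return CHI


def required_x(T, beta, chi, j=0):
    """Solve Equation 6 for x; t and 8*j cancel, so the result is independent of j."""
    strobe_point = T + BIT_PERIOD * j + 7
    alpha = BIT_PERIOD * (j + 2)          # b[j] is sent 8*(j+2) cycles after c
    return strobe_point - (alpha + beta + chi)


def check_strobe_value(strobe_value):
    """Return (every strobe point hits a good voted bit, smallest x, largest x)."""
    xs = [required_x(T, beta, chi)
          for T in traversal_lengths(strobe_value)
          for beta, chi in product(BETA, allowed_chi(T, strobe_value))]
    return all(x in GOOD_X for x in xs), min(xs), max(xs)


def admissible_strobe_values(candidates=(1, 2, 3, 4)):
    """Counter values (001 .. 100) for which every strobe point is a good voted bit."""
    return [s for s in candidates if check_strobe_value(s)[0]]


if __name__ == "__main__":
    for s in (1, 2, 3, 4):
        ok, lo, hi = check_strobe_value(s)
        print(f"strobe at cnt = {s:03b}: x in [{lo} : {hi}] -> {'ok' if ok else 'fails'}")
    print("admissible strobe values:", [f"{s:03b}" for s in admissible_strobe_values()])
```

The script reproduces Statements 1 and 2: 001 is the lowest and 011 the largest value for which x stays inside [4 : 10], while 100 needs x = 11 in its latest case.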
7.5.4 Statement of Lemma 2
The main statement builds on Lemma 1 and shows the four different ways of sampling a byte, starting from
the first bit of the synchronization sequence. In each way, we also have the knowledge of the BSS[1]-mark.
Lemma 2. Sampling bytes correctly.
$$
\begin{aligned}
& mk(t, c + 16) \\
& \wedge\ \big( z_t = BSS[0] \wedge cnt_t \in \{010, 011\} \ \vee\ z_t = FSS \wedge cnt_t \in \{001, 010\} \\
& \quad \vee\ z_t = b[7] \wedge cnt_t \in \{001, 010, 011, 100\} \big) \\
\rightarrow\ & mk(t + 7, c + 24) \\
& \quad \wedge\ z_{t+78} = b[7] \wedge cnt_{t+78} = 010 \wedge \mathit{BYTE}_{t+79} = \langle out_s^{\,c+16+8\cdot(j+2)} \rangle,\ j \in [7:0] \\
& \vee\ \big( mk(t + 7, c + 24) \vee mk(t + 8, c + 24) \big) \\
& \quad \wedge\ z_{t+79} = b[7] \wedge cnt_{t+79} = 010 \wedge \mathit{BYTE}_{t+80} = \langle out_s^{\,c+16+8\cdot(j+2)} \rangle,\ j \in [7:0] \\
& \vee\ \big( mk(t + 8, c + 24) \vee mk(t + 9, c + 24) \big) \\
& \quad \wedge\ z_{t+80} = b[7] \wedge cnt_{t+80} = 010 \wedge \mathit{BYTE}_{t+81} = \langle out_s^{\,c+16+8\cdot(j+2)} \rangle,\ j \in [7:0] \\
& \vee\ mk(t + 9, c + 24) \\
& \quad \wedge\ z_{t+81} = b[7] \wedge cnt_{t+81} = 010 \wedge \mathit{BYTE}_{t+82} = \langle out_s^{\,c+16+8\cdot(j+2)} \rangle,\ j \in [7:0]
\end{aligned}
$$
7.6 Induction Step
We perform a proof by induction on the number of bytes that is transmitted. We first extract an arbitrary
cycle ν from our induction hypothesis. We know that from this cycle we can sample byte i properly. We
then use Lemma 2 to find a cycle from which byte i + 1 can also be recovered. This shows the existential
quantification. For byte i, the induction hypothesis gives us a BSS[0]-mark. The other part of the induction
hypothesis gives us four possible completion times for sampling byte i. Our induction hypothesis for an
arbitrary ν is as follows:
$$
\begin{aligned}
& mk(\nu, c + 16 + 80 \cdot i) \quad (*\ \text{bss0 mark}\ *) \\
& \wedge \Big( mk(\nu + 7, c + 24 + 80 \cdot i) \quad (*\ \text{bss1 mark}\ *) \\
& \qquad \wedge\ z_{\nu+78} = b[7] \wedge cnt_{\nu+78} = 010 \wedge \mathit{BYTE}_{\nu+79} = \langle out_s^{\,c+16+80\cdot i+8\cdot(j+2)} \rangle \\
& \quad \vee\ \big( mk(\nu + 7, c + 24 + 80 \cdot i) \vee mk(\nu + 8, c + 24 + 80 \cdot i) \big) \quad (*\ \text{bss1 mark}\ *) \\
& \qquad \wedge\ z_{\nu+79} = b[7] \wedge cnt_{\nu+79} = 010 \wedge \mathit{BYTE}_{\nu+80} = \langle out_s^{\,c+16+80\cdot i+8\cdot(j+2)} \rangle \\
& \quad \vee\ \big( mk(\nu + 8, c + 24 + 80 \cdot i) \vee mk(\nu + 9, c + 24 + 80 \cdot i) \big) \quad (*\ \text{bss1 mark}\ *) \\
& \qquad \wedge\ z_{\nu+80} = b[7] \wedge cnt_{\nu+80} = 010 \wedge \mathit{BYTE}_{\nu+81} = \langle out_s^{\,c+16+80\cdot i+8\cdot(j+2)} \rangle \\
& \quad \vee\ mk(\nu + 9, c + 24 + 80 \cdot i) \quad (*\ \text{bss1 mark}\ *) \\
& \qquad \wedge\ z_{\nu+81} = b[7] \wedge cnt_{\nu+81} = 010 \wedge \mathit{BYTE}_{\nu+82} = \langle out_s^{\,c+16+80\cdot i+8\cdot(j+2)} \rangle \Big)
\end{aligned}
$$
[Figure 16: Induction step. Rows out_s and inp_r over bytes i and i + 1, with marks mk(ν, c + 16 + 80 · i), mk(µ, c + 24 + 80 · i), mk(ν′, c + 16 + 80 · (i + 1)) and mk(µ′, c + 24 + 80 · (i + 1)); the BSS[0], BSS[1], b[0] and b[7] bit sequences with unknown bits shown as ?.]
Figure 16: Induction step
This induction hypothesis is pictured in Figure 16. It starts with our arbitrary cycle ν at which the
receiver starts sampling byte i. Our induction hypothesis contains also marks (cycle µ) for the second part
of the BSS sequence. Sampling byte i + 1 starts at cycle ν′ and BSS[1] is seen at cycle µ′. The idea of
the proof is (1) knowing ν and µ we obtain values for ν′ and µ′ using Proposition 2 and (2) we instantiate
Lemma 2 at ν′ to show that byte i+ 1 can be sampled properly.
While sampling byte i, clocks are likely to drift. Consequently, the BSS[0]-mark (i.e., position of ν′) for
the next byte is known with the error defined by χ. From Proposition 2 with ξ = ν and α = 80 · i, we have
ν′ = ν + 80 + χ. Thus, we have three different possible BSS[0]-marks for byte i+ 1:
$$
\bigvee_{\chi \in \{-1,0,1\}} mk(\nu + 80 + \chi,\ c + 16 + 80 \cdot (i + 1))
$$
To use Lemma 2, we also need to know when the receiver control automaton sampled the last bit of the
byte, i.e., when z = b[7]. There are four possible times corresponding to the four possible completion times
of sampling byte i. At the end, we have 4 · 3 = 12 cases in our induction step.
Let us consider the case where there is no drift and the receiver sees the first bit of the next BSS sequence
exactly 80 cycles after the previous one. Formally, we have:
mk(ν + 80, c+ 16 + 80 · (i+ 1))
For this perfect "mark" there are still four possible ways for the receiver to sample byte i. From the
induction hypothesis, there are four possible times when the receiver is sampling the last bit and ready to
strobe and move to state BSS[0], i.e., the receiver is in state b[7] with cnt = 010. Formally, we have the
following cases:
$$
\begin{aligned}
& z_{\nu+78} = b[7] \wedge cnt_{\nu+78} = 010 \\
\vee\ & z_{\nu+79} = b[7] \wedge cnt_{\nu+79} = 010 \\
\vee\ & z_{\nu+80} = b[7] \wedge cnt_{\nu+80} = 010 \\
\vee\ & z_{\nu+81} = b[7] \wedge cnt_{\nu+81} = 010
\end{aligned} \tag{7}
$$
To instantiate Lemma 2, we need to obtain that the receiver is in state b[7] with a proper counter value
when the sender puts the first bit of BSS on the bus, i.e., at ν + 80, the time of the BSS[0]-mark. In the
earliest case, the counter reaches value 010 at ν + 78. So, at time ν + 80 the counter has value 100. In the
latest case, the counter equals 010 at ν + 81 and therefore it has value 001 at time ν + 80. In the remaining
two cases, the values at time ν + 80 would be 011 or 010. For all these cases, the premises of Lemma 2 are
satisfied for t = ν +80 and c = c+80 · i. This shows that there exist four possible cycles at which byte i+1
can be sampled properly for each one of these times.
Let us consider the case when the BSS[0]-mark is early. Formally, we have:
mk(ν + 79, c+ 16 + 80 · (i+ 1))
We have the same cases as Equation 7. But we must consider the counter value at time t = ν + 79
instead of ν +80. Assume the latest sampling time (the fourth case in Equation 7). The counter equals 010
and z = b[7] at time ν + 81. Consequently, at time ν + 79 the counter is 000 and the receiver automaton
is still sampling b[7]. Under this configuration it is not possible to instantiate Lemma 2 and in fact the
receiver would not be able to synchronize. Note that the induction hypothesis also gives us the time of the
BSS[1]-mark for byte i. For this latest case, we know that this mark was seen by the receiver at time ν + 9,
i.e., we have mk(ν + 9, c + 24 + 80 · i). Applying Proposition 2 on this BSS[1]-mark with α = 72 gives us
another three possible times for the BSS[0]-mark of byte i+ 1. Formally, we have:
$$
\bigvee_{\chi \in \{-1,0,1\}} mk(\nu + 9 + 72 + \chi,\ c + 24 + 80 \cdot i + 80) \tag{8}
$$
This means that the BSS[0]-mark is at the earliest (χ = −1) at ν+80. This contradicts our assumption that
the mark is at ν + 79. The remaining cases when the BSS[0]-mark is at ν + 79 are proven using Lemma 2
as explained above.
Let us consider the case when the BSS[0]-mark is late. Formally, we have:
mk(ν + 81, c+ 16 + 80 · (i+ 1))
Again we have the same cases as Equation 7 and must consider the counter value at time ν + 81. Assume
the earliest sampling time of byte i, i.e., the counter has value 010 at time ν + 78. This means that at time
ν+81, counter has value 101 and the receiver is in state BSS[0]. Under this configuration it is not possible to
use Lemma 2. Here again we use the fact that the induction hypothesis gives us a time for the BSS[1]-mark
from which we can derive a contradiction. In the earliest sampling time, this mark is for byte i at time ν+7
and we have mk(ν + 7, c+ 24 + 80 · i). We apply Proposition 2 on this BSS[1]-mark with α = 72 to obtain
three possible times for the BSS[0]-mark of byte i+ 1. Formally, we have:
$$
\bigvee_{\chi \in \{-1,0,1\}} mk(\nu + 7 + 72 + \chi,\ c + 24 + 80 \cdot i + 80) \tag{9}
$$
This means that the BSS[0]-mark is at the latest (χ = +1) at ν + 80. This contradicts our assumption that
the mark is at ν + 81. The remaining cases when the BSS[0]-mark is at ν + 81 are proven using Lemma 2
as explained earlier in this section.
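The twelve cases of the induction step described in this section, as an added Python check that is not part of the paper. It assumes that the counter counts up by one per cycle from 010 at the completion time (as the counter values the text gives at ν + 78 to ν + 81 indicate), models Proposition 2 as "a mark at time m with sender offset α yields a mark at m + α + χ for some χ ∈ {−1, 0, 1}", and takes the pairing of completion times with BSS[1]-marks from the induction hypothesis.

```python
"""Added example, not part of the paper: the 4 x 3 = 12 cases of the induction
step of Section 7.6 for one byte boundary.  All times are offsets from nu.

Modelling assumptions taken from the text:
  * after byte i the receiver is in state b[7] with cnt = 010 at one of four
    completion times nu + 78 + k (k in 0..3), and cnt counts up one per cycle;
  * the induction hypothesis pairs each k with the BSS[1]-mark offset(s) of
    byte i (k = 0 -> 7, k = 1 -> 7 or 8, k = 2 -> 8 or 9, k = 3 -> 9);
  * Proposition 2: a mark at m with sender offset alpha gives a mark at
    m + alpha + chi for some chi in {-1, 0, 1};
  * Lemma 2 can be instantiated at the BSS[0]-mark of byte i + 1 when the
    counter is in {001, 010, 011, 100}.
"""
CHI = (-1, 0, 1)
COMPLETION = 78                        # z = b[7] and cnt = 010 at nu + 78 + k
LEMMA2_CNT = {1, 2, 3, 4}              # 001, 010, 011, 100
BSS1_MARK = {0: (7,), 1: (7, 8), 2: (8, 9), 3: (9,)}   # from the induction hypothesis


def prop2(mark, alpha):
    """Mark positions implied by Proposition 2, alpha sender cycles after `mark`."""
    return {mark + alpha + chi for chi in CHI}


def next_bss0_marks():
    """Possible BSS[0]-marks of byte i + 1 (Proposition 2 with alpha = 80)."""
    return prop2(0, 80)                # {79, 80, 81}


def counter_at(time, k):
    """Counter value at `time`, counting up from 010 at completion time 78 + k."""
    return 2 + (time - (COMPLETION + k))


def classify(k, bss0_next):
    """One case of the induction step: completion offset k, BSS[0]-mark at bss0_next."""
    if counter_at(bss0_next, k) in LEMMA2_CNT:
        return "lemma2"                # premises of Lemma 2 hold at t = bss0_next
    # Lemma 2 does not apply; use the BSS[1]-mark of byte i with alpha = 72
    reachable = set().union(*(prop2(m, 72) for m in BSS1_MARK[k]))
    return "contradiction" if bss0_next not in reachable else "unresolved"


def induction_cases():
    """Classification of all 4 x 3 cases, keyed by (k, BSS[0]-mark of byte i + 1)."""
    return {(k, m): classify(k, m)
            for k in range(4) for m in sorted(next_bss0_marks())}


def all_cases_closed():
    """True when every case is either covered by Lemma 2 or contradictory."""
    return all(v != "unresolved" for v in induction_cases().values())


if __name__ == "__main__":
    for (k, m), verdict in induction_cases().items():
        print(f"cnt = 010 at nu+{COMPLETION + k}, BSS[0]-mark at nu+{m}: "
              f"cnt = {counter_at(m, k):03b} -> {verdict}")
    print("all cases closed:", all_cases_closed())
```

Only the two cases the text singles out (latest completion with an early mark at ν + 79, earliest completion with a late mark at ν + 81) fall outside the premises of Lemma 2, and both are ruled out by Equations 8 and 9.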
8 Related work
The first verification effort about physical layer protocols was carried out by Moore [14]. Moore developed a
general model of asynchronous communications as a function in the logic of the ACL2 theorem prover [12].
Moore’s model assumes distortion around sampling edges and does not allow for clock jitter. Sender and
receiver modules are also represented by two functions. Moore's correctness criterion states that the composition
of these three functions is an identity. He applied this approach to the verification of a Biphase-Mark
protocol.
Moore’s work inspired many studies around this protocol. Recently, Vaandrager and de Groot [22]
modeled the protocol and analog behaviors using a network of timed-automata. Their model is slightly
more general than Moore’s and allows for clock jitter. They can derive tighter bounds for the Biphase-Mark
protocol. Previously, timed-automata have been used to verify a low level protocol based on Manchester
encoding and developed by Philips [5]. Another recent proof of the Biphase-Mark protocol has been proposed
by Brown and Pike [6]. They developed a general model of asynchronous communications in the formalism of
the tool SAL [9] developed at SRI. Their model includes clock jitter and metastability. Using k-induction, the
verification of the parameterized specification of Brown and Pike is largely automatic. All these studies tackle
protocol specification only and not actual hardware implementation. They prove functional correctness. We
prove a more precise theorem about a gate-level hardware implementation and from which bounds on the
transmission duration can be derived.
The verification of analog and mixed signal (AMS) designs is a relatively young research field. A recent
survey gave an overview of this emerging research area [23]. The authors identify several successful
applications of automatic techniques (equivalence checking, model checking, or run-time verification) in the
context of AMS designs. Our work is more related to the last category identified in this survey, namely proof
based methods. Hanna [10, 11] used predicates to approximate analog behaviors at the transistor level. The
predicates can be embedded in digital proofs. His work is not specifically targeted to communication circuits
and does not consider timing parameters, metastability or clock drift. We consider only gates and not their
structure in terms of transistors. Recently, Al Sammane et al. [17] proposed a new symbolic verification
methodology based on the computer algebra system Mathematica. This approach is based on a combination
of induction and symbolic simulations. It is suitable to systems that can be described using discrete-time
models. One contribution of our work is to combine discrete-time models with continuous time models.
9 Conclusion and future work
We presented the correctness proof of a time-triggered interface implementing the bit-clock synchronization
mechanism of the FlexRay standard for automotive systems. This proof involves simultaneously proving
that the receiver keeps track of the correct bits and that its hardware allows for a proper synchronization.
This difficulty comes from the fact that the hardware controls the state machine which in turn controls
the hardware. The bit-clock synchronization algorithm works by resetting a counter when detecting a
synchronization sequence. This specific value is a crucial parameter. Our proof reveals the exact values
of this counter that guarantee reliable transmissions. This proves and disproves values proposed in the
literature. Our proof is based on a general and precise model of asynchronous communications which
includes clock drift, clock jitter and metastability. The proof is performed using a hybrid methodology that
combines interactive reasoning in Isabelle/HOL and automatic model-checking using NuSMV within Isabelle
via the tool IHaVeIt.
Our model of asynchronous communications is very general. The model is about 2 000 lines of
Isabelle/HOL code (see footnote 5). It can be easily re-used. A user deals only with Proposition 2, Proposition 5, and our
drift assumption (Definition 1). The design that we presented and analyzed is part of a more complex system
which includes a fault-tolerant scheduler. Our model, its integration with IHaVeIt, and the supporting
methodology have been re-used to verify – at the gate-level – this fault-tolerant scheduler [2].
The proof presented here was developed in about one man-year and is about 8 000 lines. Most of the
time was spent developing the model and checking whether the model was too weak or that there was an
error in the design. We indeed discovered errors in early designs. Most of the proof about our FlexRay-like
interface is dedicated to the deduction of valid digital inputs from the analog transmission. This technique
is independent of the design under verification. If one would prove a similar design, one would be able to
re-use most of these lemmas. The main task would be to adapt the digital lemmas to this new design. These
lemmas would be proven automatically. We estimate that the time needed to develop such a new proof
would be about a couple of weeks.
An interesting future research direction would be to structure the proof in a way that will make this
separation between design-dependent lemmas and more general ones explicit. To this end, we need to
identify a set of constraints on the digital design that would be sufficient to prove our final theorem. This
would reduce the analysis of similar designs to proving different instances of these digital propositions.
The theorem proving efforts are performed while formalizing computer architectures. The verification of
particular designs then reduces to discharging a set of constraints, which are more likely to fall into the scope
of the automatic tools and to limit the state-space explosion problem.
Acknowledgments
Part of this work was carried out while the author was affiliated with the University of Saarland, Saarbrücken,
Germany. This work was funded by the German Federal Ministry of Education and Research (bmb+f) in the
framework of the Verisoft project under grant 01 IS C38. This work initiated from the lecture "Computer
Architecture 2 – Automotive Systems" given by Paul at Saarland University and notes taken by students (see footnote 6).
Footnote 5: See http://www.cs.ru.nl/~julien/Julien at Nijmegen/corr11.html
Footnote 6: www-wjp.cs.uni-sb.de/lehre/lehre.php
References
[1] FlexRay Communication System – Protocol Layer Specification v2.1, Rev A, FlexRay Consortium,
December 2005.
[2] E. Alkassar, P. Böhm, and S. Knapp. Correctness of a fault-tolerant real-time scheduler and its hardware
implementation. In Sixth ACM-IEEE International Conference on Formal Methods and Models for
Codesign (MEMOCODE'08), pages 175–186. IEEE Computer Society, 2008.
[3] C. Baier and J.-P. Katoen. Principles of Model Checking (Representation and Mind Series). The MIT
Press, 2008.
[4] S. Beyer, P. Böhm, M. Gerke, M. Hillebrand, T. In der Rieden, S. Knapp, D. Leinenbach, and W. J.
Paul. Towards the formal verification of lower system layers in automotive systems. In ICCD '05:
Proceedings of the 2005 International Conference on Computer Design, 2005.
[5] D. Bosscher, I. Polak, and F. W. Vaandrager. Verification of an audio control protocol. In ProCoS:
Proceedings of the Third International Symposium Organized Jointly with the Working Group Provably
Correct Systems on Formal Techniques in Real-Time and Fault-Tolerant Systems, pages 170–192,
London, UK, 1994. Springer-Verlag.
[6] G. M. Brown and L. Pike. Easy Parameterized Verification of Biphase Mark and 8N1 Protocols. In
The Proceedings of the 12th International Conference on Tools and the Construction of Algorithms
(TACAS’06), volume 3920 of LNCS, pages 58–72, 2006.
[7] A. Cimatti, E. M. Clarke, E. Giunchiglia, F. Giunchiglia, M. Pistore, M. Roveri, R. Sebastiani, and
A. Tacchella. NuSMV 2: An opensource tool for symbolic model checking. In Proceedings of the
14th International Conference on Computer Aided Verification (CAV’02), volume 2404 of LNCS, pages
359–364, Copenhagen, Denmark, July 27–31 2002. Springer.
[8] E. Clarke, O. Grumberg, and D. Peled. Model Checking. MIT Press, 1999.
[9] L. de Moura, S. Owre, H. Rueß, J. Rushby, N. Shankar, M. Sorea, and A. Tiwari. SAL 2. In R. Alur
and D. Peled, editors, Computer-Aided Verification, CAV 2004, volume 3114 of LNCS, pages 496–500,
Boston, MA, 2004. Springer-Verlag.
[10] K. Hanna. Reasoning about real circuits. In Proceedings of the 7th International Workshop on Higher
Order Logic Theorem Proving and Its Applications, pages 235–253, London, UK, 1994. Springer-Verlag.
[11] K. Hanna. Automatic verification of mixed-level logic circuits. In FMCAD ’98: Proceedings of the Second
International Conference on Formal Methods in Computer-Aided Design, pages 133–166, London, UK,
1998. Springer-Verlag.
[12] M. Kaufmann, P. Manolios, and J Strother Moore. ACL2 Computer Aided Reasoning: An Approach.
Kluwer Academic Press, 2000.
[13] R. Manner. Metastable states in asynchronous digital systems: Avoidable or unavoidable. Microelectronic
Reliability, 28(2):295–307, 1988.
[14] J Strother Moore. A Formal Model of Asynchronous Communications and Its Use in Mechanically
Verifying a Biphase Mark Protocol. Formal Aspects of Computing, 6(1):60–91, 1993.
[15] T. Nipkow, L.C. Paulson, and M. Wenzel. Isabelle/HOL: A Proof Assistant for Higher-Order Logic,
volume 2283 of LNCS. Springer, 2002.
[16] V. Sagdeo. The Complete VERILOG Book. Kluwer Academic Publishers, Norwell, MA, USA, 1998.
[17] G. Al Sammane, M. H. Zaki, and S. Tahar. A symbolic methodology for the verification of analog and
mixed signal designs. In DATE, pages 249–254, 2007.
[18] J. Schmaltz. A Formal Model of Lower System Layer. In Formal Methods in Computer-Aided Design
(FMCAD’06), San Jose, CA, USA, November 12-16 2006. IEEE/ACM.
[19] J. Schmaltz. A Formal Model of Clock Domain Crossing and Automated Verification of Time-Triggered
Hardware. In J. Baumgartner and M. Sheeran, editors, Formal Methods in Computer-Aided Design
(FMCAD’07), Austin, TX, USA, 11-14 November 2007. IEEE/ACM.
[20] S. Tverdyshev. Formal Verification of Gate-Level Computer Systems. PhD thesis, Saarland University,
Computer Science Department, 2009.
[21] S. Tverdyshev and E. Alkassar. Efficient bit-level model reductions for automated hardware verification.
In S. Demri and C. S. Jensen, editors, 15th International Symposium on Temporal Representation and
Reasoning: TIME2008, pages 164–172. IEEE Computer Society Press, 2008.
[22] F. W. Vaandrager and A. de Groot. Analysis of a biphase mark protocol with uppaal and pvs. Formal
Asp. Comput., 18(4):433–458, 2006.
[23] M. H. Zaki, S. Tahar, and G. Bois. Formal verification of analog and mixed signal designs: a survey.
Microelectronics Journal, 39:1395–1404, 2008.
