Synthesis of Sequential Extended Regular Expressions for Verification by Noureddine, Mohamad et al.
Synthesis of Sequential Extended Regular
Expressions for Verification
Mohamad Noureddine∗ Fadi A. Zaraket ∗ Ali S. Elzein†
∗ American University of Beirut,{man17,fz11}@aub.edu.lb
† IBM Systems and Technology, elzein@us.ibm.com
Abstract—Synthesis techniques take realizable Linear
Temporal Logic specifications and produce correct cir-
cuits that implement the specifications. The generated
circuits can be used directly, or as miters that check the
correctness of a logic design. Typically, those techniques
generate non-deterministic finite state automata, which can
be determinized at a possibly exponential cost. Recent
results show multiple advantages of using deterministic
automata in symbolic and bounded model checking of LTL
safety properties. In this paper, we present a technique
with a supporting tool that takes a sequential extended
regular expression specification Φ, and a logic design
implementation S, and generates a sequential circuit C,
expressed as an And-Inverted-Graph, that checks whether
S satisfies Φ. The technique passes the generated circuit C
to ABC, a bounded model checker, to validate correctness.
We use free input variables to encode the non-
determinism in Φ and we obtain a number of states in
miter linear in the size of Φ. Our technique succeeds
to generate the input to the model checker while other
techniques fail because of the exponential blowup, and
in most cases, ABC succeeds to either find defects in
the design that was otherwise uncheckable, or validate
the design. We evaluated our technique against several
industrial benchmarks including the IBM arbiter, a load
balancer, and a traffic light system, and compared our
results with the NuSMV framework. Our method found
defects and validated systems NuSMV could not validate.
I. INTRODUCTION
Safety critical systems such as medical and naviga-
tion control devices rely on digital systems in order to
provide accurate services. Verification techniques, such
as symbolic and bounded model checking, address the
correctness of digital systems with respect to formal
specifications written in languages such as linear tempo-
ral logic (LTL). Sequential extended regular expressions
(SERE) form a subset of the Property Specification
Language (PSL) that constitute a practical way to specify
logic designs [1]. SERE covers a practical subset of LTL.
Automated synthesis tools such as Wring [2], Lily [3],
and UNBEAST [4] take an LTL specification and gen-
erate a correct implementation. Validation tools such
as Focs [5], NuSMV [6], and SPIN [7] take a speci-
fication and an implementation and check whether the
implementation satisfies the specification. They either
provide a proof of correctness, a counterexample, or an
inconclusive result when they reach their computational
boundaries [8].
NuSMV [6] and COSPAN [9] typically translate the
design S and the negation of the LTL specification Φ into
non-deterministic finite state automata (NDFA) MS and
M¬Φ (typically using Bu¨chi automata), respectively, and
then perform symbolic model checking on the resulting
cross product automaton [10], [11]. This results in an
online determinization of the assertion automaton and
thus the state space explosion problem is inherent to
symbolic model checking [10].
The majority of the LTL properties to be verified are
safety properties, to which finite violating counterex-
amples can be found. Therefore, researchers consider
translating the LTL specifications into deterministic finite
state automaton (DFA) [10], [12] risking the state space
explosion problem [13]. This often limits the ability of
synthesis tools to generate input to the model checkers
for verification. NuSMV uses several abstraction and
reduction techniques, such as the cone of influence re-
duction [14] and other Binary Decision Diagrams (BDD)
based techniques [15], in order to avoid such a problem.
In this paper, we present a technique and a supporting
tool that takes an SERE specification Φ and an imple-
mentation of it S, and generates a sequential circuit C
that checks whether S satisfies Φ. Our technique encodes
the non-determinism in Φ using additional free variables,
and generates an equisatisfiable sequential circuit CΦ
such that CΦ has a number of states linear in the
size of Φ. Informally, a sequential circuit C with a
designated output o therein is equisatisfiable to an SERE
specification Φ when o is satisfiable if and only if Φ
is satisfiable. The circuit CΦ can not be used as an
implementation of S and can only be used as a miter in
ar
X
iv
:1
40
1.
31
73
v1
  [
cs
.FL
]  
14
 Ja
n 2
01
4
model checking tools to validate an implementation of
Φ. The technique translates the implementation S into a
sequential circuit CS and builds C as the composition of
CΦ and CS . The technique then applies the ABC model
checker on the generated sequential circuit C and checks
for correctness.
Encoding non-determinism using free variables is a
textbook technique [13]. Reportedly, it might have been
used in existing tools such as “smvtoaig” for a limited
subset of the “smv” designs. Up to our knowledge, we
are the first to use this technique in an open source tool
to enable the verification of logic design against SERE
specifications. Our technique enables the ABC model
checker to find defects and prove the correctness of
systems where it is not possible with existing techniques.
We implemented and evaluated our techniques with
benchmarks from UNBEAST [4] and LILY [3], in ad-
dition to the IBM arbiter presented in [16]. We provide
our tool, the appendices of the paper including proofs,
and the benchmarks for the experiments online 1. Our
technique was able to find problems in several designs
where it was not possible before. The supporting tool
allows the user to
• prove that an implementation satisfies an SERE
property using satisfiability and bounded model
checking,
• debug the implementation and the specification
using the generated counterexample, and
• simulate the implementation and the specification
and inspect the results.
The rest of this paper is organized as follows. Sec-
tion II presents some preliminary information, Section III
motivates our approach using a simple example. The core
of the synthesis technique is presented in section IV.
We describe our implementation in Section V, and show
a summary of the experimental results in Section VI.
Related work is summarized in Section VII and we
conclude in Section VIII.
II. PRELIMINARIES
Let A be a set of atomic propositions. The mapping
A → B denotes a valuation to the atomic propositions
in A where B = {true, false}. Let V = (A→ B) be the
set of all such valuations.
SERE formulae range over the alphabet Σ =
A
⋃ {; , ∗,∧,∨,¬, (, )}, where (1) ∧,∨ are Boolean
binary operators denoting conjunction and disjunction,
1http://webfea.fea.aub.edu.lb/fadi/dkwk/doku.php?id=ltlsyn
respectively, (2) ‘;’ is a sequential binary operator de-
noting temporal next, (3) ¬ is a Boolean unary operator
denoting logical negation, and (4) ∗ is a sequential unary
operator denoting zero or more times.
Definition (SERE terms). An atomic proposition in Ais
an SERE term. If t1 and t2 are SERE terms, then t1∧t2,
t1 ∨ t2, (t1) and ¬t1 are SERE terms. We denote by T
the set of all SERE terms.
Definition (SERE formula). An SERE term is an SERE
formula. Given φ and ψ are SERE formulae and t is an
SERE term, then t∗, φ;ψ, (φ) , φ∧ψ, and φ∨ψ are all
SERE formulae. We denote by SERE the set of all SERE
formulae.
A valuation v ∈ V satisfies an atomic proposition a ∈
A, v |= a iff v maps a to true; we denote that also by
v(a) = true. A trace ρ = 〈v1, v2, . . . , vi, . . . , vn〉, i ∈
[1 . . . n] is a sequence of valuations. We denote by (1)
ρ = ρ1 ◦ ρ2 the concatenation of the traces ρ1 and ρ2,
and (2) ρ(t, i) the value of term t at the ith entry of ρ.
Definition (SERE term semantics). Let ρ be a trace, and
let e1 and e2 be SERE terms.
• If e1 ∈ A then ρ |= e1 iff |ρ| = 1 and ρ(e1, 1)
• ρ |= ¬e1 iff |ρ| = 1 and ρ 6|= e1
• ρ |= e1 ∧ e2 iff ρ |= e1 and ρ |= e2
• ρ |= e1 ∨ e2 iff ρ |= e1 or ρ |= e2
We denote by [e] all the valuations that satisfy term e.
Let ψ be an SERE formula of the form
x1y1;x2y2; . . . ;xnyn where i ∈ [1 . . . n] xi ∈ T,
yi ∈ {, ∗}, and  is the empty string.
Definition (SERE formula semantics). Let ρ be a trace
and ψ be an SERE formula. We say ρ satisfies ψ(ρ |= ψ)
in the following cases.
• ψ = x1y1, y1 =  iff |ρ| = 1 and ρ(x1, 1)
• ψ = x1y1, y1 = ∗ iff
– ρ = ,
– |ρ| = 1 and ρ |= x1, or
– there exists traces ρ1, ρ2 such that ρ1 6= , ρ =
ρ1 ◦ ρ2, ρ1 |= ψ, and ρ2 |= ψ
• ψ = x1y1;x2y2 iff there exists traces ρ1, ρ2 such
that ρ = ρ1 ◦ ρ2, ρ1 |= x1y1, and ρ2 |= x2y2
• ψ = φ1;φ2 where φ1, φ2 are formulae iff there
exists traces ρprefix , ρ1, ρ2, ρsuffix , such that ρ =
ρprefix ◦ ρ1 ◦ ρ2 ◦ ρsuffix , ρ1 |= φ1, and ρ2 |= φ2
• ψ = φ1 ∧ φ2 iff ρ |= φ1 and ρ |= φ2
• ψ = φ1 ∨ φ2 iff ρ |= φ1 or ρ |= φ2
We denote by [ψ] all the traces that satisfy formula ψ.
aa
s2
c
s3
a
s1
b
¬a ∧ ¬b
a
s0
¬c
Fig. 1. NDFA of a;b;c
Definition (Deterministic finite state automata). A de-
terministic finite state automata (DFA) is a tuple M =
(Q, I, F,Σ, L, δ) where Q = {s0, s1, . . . , sn} is the set
of states of M , I ⊆ Q is the set of initial states, F ⊆ Q
is the set of accept states, Σ = V is the input alphabet
of M , L ⊆ T is a set of transition labels such that
δ = Q × L → Q is the state transition function. Note
that labels with joint alphabet symbols (e.g. a, a ∧ b,
a∨ b) are not allowed on edges outgoing from a state s
in order to keep the transitions deterministic.
The semantics of DFA are defined in the typi-
cal manner. A sequence of input valuations ρ =
〈v0, v1, . . . , vn−1〉, determines a sequence of state tran-
sitions σ = 〈s0, s1, . . . , sn〉, s0 ∈ I , and si+1 = δ(si, e)
where e ∈ L and vi ∈ [e]. We say ρ satisfies M (ρ |= M )
iff sn is an accept state of M ; (s ∈ F ).
Definition (Equisatisfiability). We say a DFA M is
equisatisfiable to an SERE formula ψ iff M is satisfiable
iff ψ is satisfiable. That is ∃ρ.ρ |= M ⇔ ∃ρ′.ρ′ |= ψ.
III. MOTIVATING EXAMPLE
Consider the SERE formula ψ = a; b; c.NDFA M in
Figure 1 simulates ψ with non-deterministic transitions
in its initial state. Once M receives a valuation where a
is true, it can move into state s1 or remain in s0 since
δ(s0, a) = {s0, s1}.
Typically, an NDFA M is translated into a DFA M ′
using subset construction with a possible exponential
blowout in the number of states [13]. In brief, states in
M ′ are subsets of states in M and transitions are con-
structed to make M ′ equivalent to M , yet deterministic.
Figure 2 shows a DFA equivalent to M produced using
the JFLAP tool [17].
Instead, we encode the non-determinism using an
additional free atomic proposition r as shown in in Fig-
ure 3. This results in DFA Ma that is equisatisfiable to
psi and that has a number of states linear in the number
of terms in ψ. We use Ma with symbolic and bounded
model checkers wherever it is expensive or impossible to
generate an equivalent DFA for ψ. Our technique leaves
it to the model checker to efficiently handle the free
a
a ∧ ¬b a ∧ b ∧ ¬c
b ∧ c
c ∧ ¬b ∧ ¬a
b ∨ c
¬a ∧ b
a ∧ ¬c
c
s2
¬a ∧ b ∧ ¬c
c
a ∧ ¬b ∧ ¬c
s0
s4
s3s1
¬a ∧ b ∧ ¬c
Fig. 2. DFA of a;b;c using JFLAP [17]
s0 s1
a ∧ r
a ∧ ¬b¬r
¬a ∧ ¬b
¬c
s2
cb
s3
Fig. 3. DFA of a;b;c with free atomic proposition r
variables added by our synthesis technique. In practice,
even though our technique does not reduce the inherent
complexity of the problem, it enables the application of
several reduction and abstraction transformations avail-
able in model checkers such as ABC to reduce and
solve the problem. These are not applicable without our
technique.
Notice that, for each trace ρ that satisfies a; b; c, there
is a trace of r values that makes ρ satisfiable for the
DFA in Figure 3. In particular, set r to true where the
matching sequence starts in ρ and to false otherwise.
IV. EQUISATISFIABLE DFA
Given an SERE formula ψ, we want to efficiently
construct a DFA M with a number of states linear in
the size of ψ that is equisatisfiable to ψ such that the
trace ρ that satisfies M also satisfies ψ. We focus on the
two sources of non-determinism: the initial states and
the ∗ operator.
We first consider formulae ψ of the form ψ =
x1y1;x2y2; . . . ;xnyn where A and T denote the atomic
propositions and SERE terms of ψ, respectively, xi ∈ T,
yi ∈ {, ∗}, and  is the empty string. We want to
construct a DFA M = (Q, I, F,V′,T′, δ) where Q =
{s0, s1, . . . , sn}, I = {s0}, and where each state si
corresponds to a term xi in ψ. The other components
F , V′, T′, and δ will be discussed later.
Consider the initial state s0, and consider an input
valuation v that matches x1 the first term in ψ. The
DFA M needs to allow for two possibilities: (1) v is
part of the sequence matching the terms of ψ, and
(2) v is ignored and next inputs are considered as the
match to the first term in ψ. For example, consider
ψ = a; b where A = {a, b} and consider the trace
ρ = 〈v1, v2, v3, v4〉 where v1 = {(a, true), (b, false)},
v2 = {(a, true), (b, false)}, v3 = {(a, true), (b, true)},
and v4 = {(a, false), (b, true)}. The subtrace 〈v2, v3〉 of
ρ matches ψ while v1 matches only the first term a in
ψ. Also 〈v3, v4〉 matches ψ. The DFA M should allow
a choice of whether to stay in the initial state s0 or to
start the acceptance chain of transitions.
Consider the subformula x1∗;x2 which specifies that
input valuations that match the term x1 occur zero
or more times in succession followed by a valuation
that matches the term x2. By definition, this includes
non-determinism at every step. Once the valuation that
matches x1 is presented, M should allow for more
valuations matching x1, and since we are restricting s1
to correspond to x1, M stays at the same state. M should
as well allow for valuations matching x2 by transitioning
to state s2.
Consider the SERE formula ψ = a; b∗; a where A =
{a, b, c}. Consider the trace ρ = 〈v1, v2, v3, v4, v5〉 where
v1 = {(a, true), (b, false)}, v2 = {(a, false), (b, true)},
v3 = {(a, true), (b, true)}, v4 = {(a, false), (b, true)},
and , v5 = {(a, true), (b, false)}. Again, ρ can satisfy ψ
in several ways. One way is to consider accepting the
subtrace 〈v1, v2, v3〉, and another is consider accepting
the subtrace 〈v3, v4, v5〉. Once an input valuation such
as v3 that matches the second a term in ψ is presented,
M can move into the accepting state. We use one free
atomic proposition to allow the choices. It can also wait
since v2 |= b∗ and then upon receiving v5 it will go to
the accepting state.
Further non-determinism needs to be considered when
two consecutive terms in ψ use the ∗ operator. For
example, the input traces ρ1 = 〈v1, v4〉 ρ2 = 〈v1, v2, v4〉,
ρ3 = 〈v1, v3, v4〉, and ρ4 = 〈v1, v2, v3, v4〉, where
v1(a) = v2(b) = v3(c) = v4(d) = true, all satisfy the
formula ψ = a; b∗; c∗; d. M needs to allow for enough
choices on the states corresponding to the ∗ terms to
accept the four traces. For m consecutive ∗ operators,
xi∗;xi+1∗; . . . ;xi+m−1∗, we consider the corresponding
m states S∗ = {si, si+1, . . . , si+m−1} with all transitions
possible from state sk ∈ S∗ to state sp ∈ S∗ where
k 6 p on the same input valuation. Therefore, we need
dlog2me atomic propositions to encode these transitions
as (sk, xk ∧ choice(k, p, r¯), sp) where r¯ is the vector of
additional atomic propositions and choice is a unique
choice of a valuation of propositions in r mapped to p
and k. The same applies to terms in ψ that follow si
such that yi =  and yi−1 = ∗.
A. Equisatisfiable DFA construction
Let A′ = A ∪ r¯ where r¯ is the vector of additional
atomic propositions. T′ is the set of SERE terms where
A′ is the set of atomic propositions, and V′ is the set
of valuations where A′ is the set of atomic propositions.
We construct the transition function δ by constructing
four partial transition functions.
The function δ0 denotes the transitions at the initial
state. δ0 = {(s0,¬r, s0), (s0, r ∧ x1, s1)}.
The function δ is the transitions corresponding to
terms xiyi i ∈ [1 . . . n] where yi =  and yi+1 6= .
δ = {(si, xi+1, si+1) | 0 6 i < n and si, si+1 ∈ Q and
yi = }⋃ {(si,¬xi+1, s0, ) | 0 6 i < n and si, s0 ∈ Q and
yi = }
The function δ∗ is the transitions corresponding
to terms xiyi i ∈ [1 . . . n] where yi = ∗.
δ∗ = {(si,
∧n
j=i ¬xj , s0) | (m ≤ i ≤ n) and yi = ∗ and
ym =  and m ≥ 1}⋃ {(si, xj ∧ tij , sj) | i 6 j 6 m 6 n and
∀k.i 6 k < m =⇒ yk = ∗ and
tij =
(
choice(i, j, r¯) ∨ ∀k.i 6 k 6 m =⇒ ¬xk
) }
The function δ∗ is the transitions corresponding to
terms xiyi i ∈ [1 . . . n] where yi =  and yi+1 = ∗.
δ∗ = {(si,
∧n
j=i ¬xj , s0) | m 6 i 6 n and yi = ∗ and
ym =  and m ≥ 1}⋃ {(si, xj ∧ tij , sj) | i < j 6 m 6 n and
∀k.i < k < m =⇒ yk = ∗ and
tij =
(
choice(i, j, r¯) ∨ ∀k.i < k 6 m =⇒ ¬xk
) }
The difference between δ∗ and δ∗ is that in δ∗ no
self transitions are defined.
The transition function δ is now defined as δ =
δ0
⋃
δ
⋃
δ∗
⋃
δ∗ .
Finally, we construct F the set of accepting states as
follows. If yn = , then F = {sn}. If yn = ∗ then F =
{si | i = n or k 6 i 6 n and ∀j.k < j 6 n =⇒ yj =
∗}. Intuitively, this includes the states corresponding to
the suffix of terms with ∗ including one preceding term.
For example, the accept states in M corresponding to
the formula x1;x2;x3∗;x4∗ are F = {s2, s3, s4}.
Theorem 1 (Equisatifiability of M and ψ). A formula
ψ = x1y1;x2y2; . . . ;xnyn where A = {x1, x2, . . . xn},
and a constructed DFA M = (Q, I, F,V′,T′, δ), M and
ψ are equisatisfiable. In addition if there exists ρ that
satisfies M then ρ also satisfies ψ.
The proof is by induction on the length of the formula
ψ and is available in the online appendix1. Note that it is
shown in the proof that the satisfiability of ψ and M will
be by the same trace, with some existential quantification
over the added free (auxiliary) atomic propositions.
B. Input to ABC
The ABC solver accepts an And-Inverted-Graph
(AIG) sequential circuit as input. An AIG is a sequential
circuit restricted to only use AND and NOT logical
gates. The translation from a DFA to an equivalent AIG
circuit is straightforward. In short, we encode each state
from the DFA by a unique valuation of the register
variables, and construct the initial values and the next
state functions of the registers according to δ. The AIG
circuit will also have a unique output o who is true only
when the values of the registers correspond to a state in
F . Note that o will be then negated in order to perform
bounded model checking.
For a formula of the form ψ = φ1 ∧ φ2, we construct
C1 and C2 that correspond to φ1 and φ2, respectively,
and we use a conjunction of the outputs of C1 and C2
to correspond to the satisfiability of ψ. Similarly, we use
a disjunction for φ1 ∨ φ2.
V. IMPLEMENTATION
We implemented our technique and integrated it with
the ABC [18] synthesis and verification framework. We
used ANTLR [19] to provide users with a C like input
language, augmented with constructs that support wire
declarations, synchronization, and SERE specifications.
Our tool supports scalar variables, boolean variables,
arrays, and functions including recursion.
The tool generates an AIG circuit as discussed in
Section IV. The added free atomic propositions are left
as free primary input variables into the AIG circuit.
The goal of the verification procedure is to ensure
that there exists at least one setting of the primary input
variables that leads the AIG representing the SERE spec-
ification ψ from its initial state to one of its accept states.
Let R be the set of all possible valuations of r¯; |R| 6 m
where m is the maximum number of consecutive ∗
operators in ψ since the size of r¯ is bounded by log2(m).
Our goal is to prove that ∃vr ∈ R such that ψ is satisfied.
We encode the existential quantifier with a disjunction
over all the valuations in R.
If the system under test violates ψ, ABC returns a
counterexample and our tool provides a user friendly
int x;
x = 0;
while ( true ) {
@do_together {
if ( x == 3 )
x = 0;
else
x = x + 1;
@guarantee_sere_invariant
cntr; } }
@sere cntr {
atoms x0, x1, x2, x3, x4.
x0 <- (x == 0).
x1 <- (x == 1).
x2 <- (x == 2).
x3 <- (x == 3).
Formula f.
f = (x0;x1;x2;x3;x0).
}
Fig. 4. Example of a 2 bit counter
debugging interface to debug the system. Before per-
forming symbolic or bounded model checking, the user
can make use of the ABC framework to perform circuit
level optimizations, an advantage not present in tradi-
tional model checking tools such as NuSMV[6]. This
can help reduce the size of the problem. For bounded
model checking, the user can also provide a bound on
the number of transitions of the system. ABC will then
check that the specification ψ is always valid within the
provided upper bound.
Figure 4 shows the implementation of a 2 bit
counter. The @do_together modifier denotes that the
enclosed list of statements occur simultaneously. The
@guarantee_sere_invariant is a synchronization
constructs that times the specification evaluation. The
@sere block lists the specifications. Atoms xi, 0 ≤ i ≤ 3
evaluate to true when x = i.
VI. EXPERIMENTAL RESULTS
We compare our implementation with NuSMV2 [6],
a symbolic model checker used for the verification of
system designs. NuSMV2 accepts Computational Tree
Logic, Property Specification Language, and LTL as
specification languages. We compare our implementation
with the NuSMV2 model checker for LTL properties.
In several examples, such as the load balancer exam-
ple, we succeeded to generate an AIG and find coun-
terexamples in defect circuits where other techniques in
NuSMV2 failed.
All computation times provided in the following are
obtained on a machine with 2.20 Ghz Intel Core i7
processors running an x64-version of Ubuntu Linux. The
allowed memory usage is up to 8 GB and we set a
timeout of 1800 seconds. For our experiments, we used
NuSMV v2.5.4.
A. LILY [3] and UNBEAST [4] Examples
We used LILY examples [3] and the UNBEAST load
balancer example [4] as benchmarks for comparison.
Our tool NuSMV
Synthesis Optimizations Verification Total Time(s) Synthesis Verification Total Time(s)Design latches Ands latches Ands States BDD nodes
Load 0 29 289 0 0 Verified 0 10 453 Verified 0.004
Load 7 87 1018 20 72 Verified 0 32 13171 Verified 0.04
Load 8 27 271 0 0 Verified 0 10 387 Verified 0.004
Load 24 63 902 26 131 Verified 0.07 2481 48053 Verified 1.228
Load 30 193 3089 123 584 Found counter 0.05 Timeout NA
Load 75 110 1476 49 203 Found counter 0.18 Timeout NA
Load 76 124 1832 64 301 Found counter 0.19 Timeout NA
Load 77 137 2046 69 321 Found counter 0.32 Timeout NA
Load 78 151 2270 75 359 Found counter 0.36 Timeout NA
Load 79 164 2488 80 381 Found counter 0.38 Timeout NA
demo-v3 48 639 31 151 Verified 0.11 70 4237 Verified 0.012
demo-v19 66 941 48 634 Verified 0.08 96 9332 Verified 0.008
TABLE I
RESULTS OF OUR TOOL COMPARED TO NUSMV
We passed LTL formulae from the benchmarks to LILY
and UNBEAST and generated implementation designs.
Then we translated the resulting designs manually into
the input language of our tool as well as into SMV,
the language of NuSMV2. In the cases where LILY
and UNBEAST were not able to generate designs, we
manually wrote dummy designs in which defects surely
exist. Note that in both cases, we manually translated the
LTL properties into SERE.
We passed the implementation annotated with the
SERE specification to both NuSMV and to our tool
and compared the results based on the size of the
resulting structure passed to the model checker, and
on the computation time. NuSMV generates BDDs to
perform reachability analysis. Our tool generates AIG
circuits and passes them to ABC. We used the number
of latches and AND gates in our synthesized AIG before
and after applying optimizations versus the number of
states in the generated DFA and the total number of BDD
nodes from NuSMV2. We use the commands dump_fsm
and print_usage to obtain such information from the
NuSMV2 tool.
Table I shows a summary of the results obtained from
performing formal verification of the realizable load
balancing examples from UNBEAST [4] and examples
from the LILY suites [3]. Designs labeled as load_*
correspond to load balancing examples, while designs
labeled as demo-v* correspond to examples from the
LILY benchmarks corresponding to a traffic light system.
Note that we restrict our attention to realizable LTL
formulae.
We used the demos, version 3 and 19, from the
LILY benchmarks for comparison. We were able to
generate the circuits and verify them in both cases.
We employed several circuit level synthesis techniques
available ABC [18] and were able to significantly reduce
the size of the problem. NuSMV2 was also able to verify
both models efficiently.
For the load balancer examples, we verified 5 out of
the examples that we tested and we found problems and
fixed them in the others. We used LILY and UNBEAST
to generate the models from the specifications, and then
checked the generated models against their specifica-
tions. NuSMV2 was also able to verify the 5 examples
but failed (timed out at 30 minutes) to synthesize the
LTL formulae for other benchmarks such as load_30,
load_75, load_76, load_76, load_77, load_78,
and load_79. UNBEAST and LILY were not able to
generate a model of the specifications as well. Notice that
the load_79 benchmark is the largest design in the load
balancer benchmarks with 9 clients and a fixed number
of servers.
This is evidence of the high utility of our technique
which enables model checking where other tools fail. We
also note that in all of the cases, the size of the problem
we send to the model checker was smaller than the size
of the problem generated by NuSMV2.
B. IBM Arbiter case Study
We also used our tool against the IBM generalized
buffer [16]. The model consists of four senders that
communicate with a generalized buffer in order to send
data to two receivers. Each sender has its own data line
while the receivers share a common data bus. The buffer
also includes a first-in first-out queue. We translated the
VHDL implementation provided from IBM and checked
it against the defined specifications. We checked for two
assertions on the design.
• Sender requests are always acknowledged, and
• arbiter requests are always acknowledged.
Synthesis Optimizations Verification
Assertion Latches Ands Latches Ands Verification Time(s)
(1) 800 3209 0 0 Verified 0
(2) 792 3139 38 141 Found counter 0.61
TABLE II
SIZE OF THE PROBLEM AND DECISION OF OUR TOOL ON THE IBM GENBUF ARBITER
Note that since the original LTL assertions are of
the form “is always acknowledged”, writing an SERE
specification for the good traces would not be useful for
bounded model checking since the specification would
match if one request was acknowledged once. In order
to overcome this limitation, we can use a bound on
the number of requests and then check that all requests
within this bound have been acknowledged.
We were able to efficiently verify the first asser-
tion. However when verifying the second assertion our
implementation detected a counter example, and after
debugging and inspection we found that there is a defect
in the assignment of the request acknowledgments in
the provided VHDL implementation. Table II shows the
size of the synthesized AIG circuit in terms of number
of latches and number of And gates before and after
optimizations, and the verification decision of our tool
for both specifications.
Our tool and the experiments are all available online1.
VII. RELATED WORK
Several techniques have been developed in the lit-
erature in order to synthesize LTL formulae, usually
describing properties that hold over real-life hardware
systems and designs. These synthesis techniques have
different targets, some aim to generate complete and
correct systems based on input specifications, while oth-
ers are targeted at generating monitors to ensure correct
functionality of systems through assertion checking. We
differ than most of the literature in that we synthesize
an equisatisfiable circuit to the formula that is good to
be used for model checking purposes only.
NuSMV2 [6] is a symbolic model checking tool that
employs both satisfiability (SAT) and BDD based model
checking techniques. It processes an input describing the
logical system design as a finite state machine, and a
set of specifications expressed in LTL, Computational
Tree Logic and Property Specification Language. Given
a model M and a set of specifications P , NuSMV2 first
flattens M and P by resolving all module instantiations
and creating modules and processes, thus generating one
synchronous design. It then performs a boolean encoding
step to eliminate all scalar variables, arithmetic and set
operations and thus encode them as boolean functions.
In order to avoid the state space explosion problem,
NuSMV2 performs a cone of influence reduction [14]
step in order to eliminate non-needed parts of the flat-
tened model and specifications. The cone of influence
reduction abstraction technique aims at simplifying the
model in hand by only referring to variables that are
of interest to the verification procedure, i.e. variables
that influence the specifications to check [11]. We use
NuSMV2 to compare the results of our implementation
on a set of benchmarks as described in Section VI.
FoCs is an industrial tool developed at IBM research
labs, targeted at generating simulation checkers from
formal specifications [5]. The tool’s goal is to reduce, or
possibly eliminate the amount of human intervention in
writing and maintaining functional checkers. FoCs takes
input specification expressed in RCTL [20], and gener-
ates formal checkers written in VHDL. These checkers
are then linked with the original VHDL and executed on
a set of test programs. The role of the formal checkers
is to make sure that the original design never goes into
an error state.
The generation of the formal checkers from the RCTL
specifications is done in three steps. First, the RCTL
is translated into a NDFA according to the algorithm
described in [20]. This NDFA will have a set of error
states, which represent the states that the design should
never go into if it meets the required specifications. In
order to be able to generate the VHDL checkers, the
NDFA has to be translated into a DFA, which is in
turn translated into a VDHL process. This process will
then be run alongside the original design to check for
violations of the specifications.
The key drawback of FoCs’ approach is that transfor-
mation algorithm generates a DFA that can be exponen-
tial in the number of states of the NDFA, which takes us
back to the state-space explosion problem. The authors
claim that such a limitation does not exist in their case,
since the simulation is rather sensitive to the number
of VHDL lines in the generated checker, which is at
most quadratic in the size of the property to check. Our
approach differs from FoCs in that it aims at generating
a AIG free primary input variables that is linear in the
size of the property, without generating an intermediary
NDFA. Therefore, it can help rendering the generated
VHDL checker even smaller in terms of the lines of
code.
Jobstmann et. al developed LILY [3], a synthesis
tool aimed at synthesizing correct designs from LTL
specifications. It is implemented on top of Wring, and
introduces several optimizations based on alternating
tree automata, covering both game based and simu-
lation based optimization techniques. They present an
incremental algorithm for checking realizability of LTL
formulae, and output a Verilog [21] model in case the
formula is realizable. We made use of LILY to generate
several design models, and then we checked these gen-
erated models against their original specifications using
our own implementation.
UNBEAST [4] is a synthesis tool that aims to gen-
erate system designs that are correct by construction.
It takes as input a specification containing environment
assumptions and system guarantees, and splits them into
safety and non-safety conditions. Each of these sets of
conditions are then handled differently in the synthesis
game. Unlike LILY, it relies on universal co-Bu¨chi word
automata instead of co-Bu¨chi tree automata. It checks for
realizability of LTL formulae and returns SMV models
when realizable. We differ from both UNBEAST and
LILY in the type and the goal of synthesis. Our goal is
to generate monitor from SERE properties, while LILY
and UNBEAST generate models that satisfy the LTL
properties. Our generated DFA is equisatisfiable to the
input SERE property, and thus can be used for model
checking purposes only.
VIII. CONCLUSION
In this paper we presented a technique that takes
a formula in SERE and transforms it into an AIG
circuit with a number of states that is linear in terms
of the length of the formula. The generated circuit is
equisatisfiable to the formula and enables the use of
symbolic model checking and bounded model checking
where it was not possible before; i.e. where the typical
translation from NDFA equivalents of the formula to a
DFA blows up exponentially.
REFERENCES
[1] Accelera, “Property specification language reference manual,”
2004.
[2] M. Daniele, F. Giunchiglia, and M. Vardi, “Improved automata
generation for linear temporal logic,” in Computer Aided Veri-
fication. Springer, 1999, pp. 681–681.
[3] B. Jobstmann and R. Bloem, “Optimizations for ltl synthesis,” in
Formal Methods in Computer Aided Design, 2006. FMCAD’06.
IEEE, 2006, pp. 117–124.
[4] R. Ehlers, “Symbolic bounded synthesis,” in Computer Aided
Verification. Springer, 2010, pp. 365–379.
[5] Y. Abarbanel, I. Beer, L. Gluhovsky, S. Keidar, and Y. Wolf-
sthal, “Focs–automatic generation of simulation checkers
from formal specifications,” in Computer Aided Verification.
Springer, 2000, pp. 538–542.
[6] A. Cimatti, E. Clarke, E. Giunchiglia, F. Giunchiglia, M. Pis-
tore, M. Roveri, R. Sebastiani, and A. Tacchella, “NuSMV 2:
An opensource tool for symbolic model checking,” in Computer
Aided Verification. Springer, 2002, pp. 359–364.
[7] G. Holzmann, “The model checker spin,” Software Engineering,
IEEE Transactions on, vol. 23, no. 5, pp. 279–295, 1997.
[8] T. Kropf, Introduction to formal hardware verification.
Springer, 1999.
[9] R. H. Hardin, Z. Har’El, and R. P. Kurshan, “Cospan,” in
Computer Aided Verification. Springer, 1996, pp. 423–427.
[10] M. Y. Vardi, “Automata-theoretic model checking revisited,”
in Verification, Model Checking, and Abstract Interpretation.
Springer, 2007, pp. 137–150.
[11] E. M. Clarke, O. Grumberg, and D. A. Peled, Model checking.
MIT press, 1999.
[12] R. Armoni, S. Egorov, R. Fraer, D. Korchemny, and M. Y.
Vardi, “Efficient ltl compilation for sat-based model checking,”
in Proceedings of the 2005 IEEE/ACM International conference
on Computer-aided design. IEEE Computer Society, 2005, pp.
877–884.
[13] M. Sipser, Introduction to the Theory of Computation. Thom-
son Course Technology Boston, MA, 2006, vol. 27.
[14] S. Berezin, S. Campos, and E. M. Clarke, Compositional
reasoning in model checking. Springer, 1998.
[15] R. K. Ranjan, A. Aziz, R. K. Brayton, B. Plessier, and C. Pixley,
“Efficient bdd algorithms for fsm synthesis and verification,”
IWLS95, Lake Tahoe, CA, vol. 253, p. 254, 1995.
[16] S. Rabinovich, “Generalized buffer (psl/sugar version),”
http://www.research.ibm.com/haifa/projects/verification/RB
Homepage/tutorial3/index.html, IBM Haifa Research Lab.
[17] S. Rodger and T. Finley, JFLAP: An Interactive Formal Lan-
guages and Automata Package. Jones & Bartlett Learning,
2006.
[18] R. Brayton and A. Mishchenko, “Abc: An academic industrial-
strength verification tool,” in Computer Aided Verification.
Springer, 2010, pp. 24–40.
[19] T. Parr and R. Quong, “Antlr: A predicated-ll (k) parser gen-
erator,” Software: Practice and Experience, vol. 25, no. 7, pp.
789–810, 1995.
[20] I. Beer, S. Ben-David, and A. Landver, “On-the-fly model
checking of rctl formulas,” in Computer Aided Verification.
Springer, 1998, pp. 184–194.
[21] D. Thomas and P. Moorby, The Verilog R© Hardware Descrip-
tion Language. Springer, 2002, vol. 2.
