In this paper we display several practical approaches adopted for the formal verijkation of an industrial case study using model checking. The device under investigation is the Routing Control, Monitoring and Policing 800 Mbps (IRCMP-800), a product flom PMC-Sierra, Inc. RCMP-800 is an integrated circuit that implements ATM (Asynchronous Transfer Mode) layer functions including fault and performance monitoring, header translation and cell rate policing. In particular, we present our experience on model checking of the input FIFO of RCMP-800 using the VIS tool. We successfilly established the environments and verified a number of relevant properties in the input process module of RCMP-800, which led to the discovery of a f a v errors.
INTRODUCTION
With the increasing reliance of digital systems, design errors can cause serious failures, resulting in the loss of time, money, and long design cycle. Large amounts of effort are required to correct the error, especially when the error is discovered late in the design process. For these reasons, we need approaches that enable us to discover errors and validate designs as early as possible. Conventionally, simulation has been the main debugging technique. However, due to the increasing complexity of digital systems, it is becoming impossible to simulate large designs adequately. Therefore, there has been a recent surge of interest in formal verification [5] .
One very successful formal verification approach is model checking [5] which enables to check a design model against temporal logic properties. Model checking is an automatic technique for verifying finite-state reactive systems, such as sequential circuit designs and communication protocols. Specifications are expressed in a propositional temporal logic, and the reactive system is modeled as a state-transition graph. An efficient search procedure is used to determine automatically if the specifications are satisfied by the state-transition graph. While some approaches such as symbolic representations have greatly increased the size of the system that can be verified, most realistic systems are still too large to be handled.
In this paper we present our experience on model checking of the input FIFO of RCMP-800 using the Verification Interacting with Synthesis (VIS) tool [l] . The RCMP -800 (Routing Control, Monitoring and Policing 800 Mbps [SI), a product fiom PMC-Sierra, Inc., is an integrated circuit that implements ATM (Asynchronous Transfer Mode) [3] layer functions including fault and performance monitoring, header translation and cell rate policiqg). We wrote the RTL (Register Transfer Level) description of the input FIFO in Verilog. Since, the input FIFO has 128 x 16 bit memory which could contain 4 ATM cells, its verification could not be handled by VIS. Therefore, we abstracted away the memory to concentrate on the functionality of the control circuitry, which is usually the critical part in the verification. We then established am environment for the input FIFO, which gives the inputs as random variables and defines registers as a default value. Thereafter, we defined a set of safety and liveness properties, which we verified against the Verilog model. While most properties could be verified with no problems, some yielded a state space explosion. We hence applied a number of h t h e r abstraction and reduction techniques [6] to reduce the state space. This enabled us to verify all properties with a reasonable CPU time. We have been able to find a few bugs in the design, which were not caught during the simulation. Our experience demonstrates the applicability of formal verification for a commercial digital design.
The rest od the paper is organized as follows. In Section 2, we introduce the RCMP-800 device in detail. In Section 3, we describe the behavior of the RCMP-800 Input FIFO. In Section 4, we present the verification environment and the set of properties we verified. In Section 5, we display our experimental results and point to a few design errors detected. Finally, in Section 6 , we conclude the paper. 
Function of RCMP-800
The Routing Control, Monitoring and Policing 800 Mbps (RCMP-800) device is an integrated circuit that implements ATM layer functions including fault and performance monitoring, header translation and cell rate policing. The RCMP-800 is intended to be situated between a switch core and the physical layer devices in the ingress direction. It supports a sustained aggregate throughput of 1.42 x 1 O6 cellls. The RCMP-800 uses external SRAM to store per-VPWCI (Virtual Path Identifier/ Virtual Channel Identifier) [3] data structures. The device is capable of supporting up to 65536 connections. The input cell interface can be connected to up to 32 physical layer devices through a SCI-PHY [ 9 ] compatible bus. The 53 byte ATM cell is encapsulated in a data structure which can contain pre-pended or post-pended routing information. Received cells are buffered in a four cell deep FIFO. All physical layer and unassigned cells are discarded. For the remaining cells, a subset of ATM header and appended bits is used as a search key to find the VC (Virtual Channel) Table Record for the virtual translation. If a connection is not provisioned and the search terminates unsuccessfully, the cell is discarded and a count of invalid cells is incremented. If the search is successful, subsequent processing of the cell is dependent on contents of the cell and configuration fields in the VC Table Record. Cell rate policing is supported through two instances of the Generic Cell Rate Algorithm (GCRA) for each connection. Each cell that violates the traffic contract can be 
Structure of RCMP-SO0
The structure of the chip is shown in into the RCMP, and that of the output FIFO is to transmit the data cells to the fabric. ATM cells are transferred to Micro Cell buffer from the input FIFO, and the microprocessor will read the ATM cells in the Micro Cell, and checks the cell types, cell header, VCINPI and CI (Connection Identifier). Depending on that information, the microprocessor looks for the VC table, and determines the pre-pend and post-pend bytes, or tags CLP bit or discards the cell if GCRA is violated, or inserts RM or OAM cell which will be written in Micro Cell Buffer. Cell Processor and Microprocessor RAM arbitration, External RAM address look-up are used to look up VC routing table, so this part involves both hardware and software. We are interested in the input and output FIFOs of the RCMP-800 hardware. The whole chip verification which involves hardware and software verification is not possible for model checking due to the limitation of current tools.
However, model checking can be used to verify an individual block of the RCMP-800, here we use the input FIFO as an example.
read and write of the FIFO, and FIFO counter indicates the depth of the FIFO.
2.
Checking parity for the input data, and the parity check result is stored in the register. By default, the cell coding is assumed to be for a NetworkNetwork interface ("I); therefore the VPI is taken to be twelve bits.
BEHAVIOR OF RCMP
The RCMP-800 is a bus master and services the PHY devices as one of two ways: direct status arbitration or address line polling. 
VERIFICATION OF THE INPUT FIFO
We used the same methods that we described in [7] to do the verification. We wrote the RTL description of the input €IF0 in Verilog, with some minor changes on the model. The difference between the original model and our verification model was that we only used 16-bit datapath while the original design used either 1 6-bit or 8-bit datapath. In addition, the input FIFO had 128 x 16 bit memory which 'could contain 4 ATM cells, but VIS could not handle suc:h big memory verification. Therefore, we verified the corttrol circuits of the input FIFO excluding the memory. Such reduction is practical because usually the control circuit is the critical part in the verification.
The Environment of the Input FIFO
Similar to [7] , we established an environment for the input FIFO, and the environment gives the inputs as random variables and defines registers as a default value. Figure 2 gives the code for the required environment.
In Figure 2 , lines 2 to 9 are inputs from transceiver board and the block of Micro cell buffer, so we define them as nondeterministic variables. Lines 10 to 14 are registers, so we give them as their default values. Because our verification is to focus on the critical behavior of the block, the constant register values will not have an influence On the verification. However, to further Verify the block, we could apply other constant values for these registers.
Functions of RCMP Input FIFO
The en filnctiom ofthe input FIFO are the following:
1. storing ATM cells in the input FIFO. There are three counters: read counter, write counter and FIFO counter. Read counter and write counter are used to control the 1. 2. 3. 4.
. 6 .
7. 8. 9.
always Q(posedge clock) begin idat = idat-ran; prty = prty-ran; isoc = isoc-ran; ica4 = ica4-ran; ical = ical-ran; ica32 = ica32-ran; ipoll = ipoll-ran; ifrdb = ifrdb-ran; -10. hecudf = 1; 11. icainv = 0 ; 12. cellpost = 0; 13. celllen = 0 ; 14. ibyteprty = 0 ; 15. icalevelO = 1; 16. ifrst = 0; 17. iptyp = 0 ; 18. end 
Properties Description
According to the functions of the input FIFO described in Section 3, we give 8 properties. In the following CTL (Computational Tree Logic) expressions, "*", "3" and "*" mean logical "and", "imply" and "xor", respectively.
"AG" and "AX" are CTL operators meaning for all paths in all states, and for all paths in the next state, respectively. Property 1. In normal operation (not in discard operation), the write counter will increment by 1 whenever writeB is deasserted. The CTL expression is the following:
where discard is an internal signal which determines whether the FIFO is in normal operation or discard operation, writeB is a write enable signal, and w r q t r is a write pointer. We introduce the assistant variable wrqrrqlusl in the design module, which will always be w r q t r + 1 with one clock cycle delay.
Property 2.
Whenever the signal ifidb is deasserted, then the read counter will be incremented by 1. The property can be expressed as follows:
where ipdb indicates Micro cell FIFO has enough space to receive a cell, and d j f r is read pointer of the input FIFO. Similar to w q t r q l u s l , rdqtrqlusl is introduced to have the value of r d q t r + 1 with one clock cycle delay.
Property 3.
In a normal operation, the signal ifcounter will be incremented by 1 whenever writeB is deasserted and iydb is asserted; and ifcounter will be decrement by 1 whenever writeB is asserted and iji-db is deasserted. Formally:
Here, discard, writeB and ifrdb have the same meaning as Property 2. Ifcounter indicates the depth of the input FIFO. Similarly, ifcounterqlusl and ifcounter-minus1 are introduced to represent the values of ifcounter + 1 and ifcounter -1 with one clock cycle delay, respectively.
Property 4.
The parity check is correct and the result will be stored in the register. Since we define ibyteprty as default value "0" and iptyp as a default value "O", it is a word-basis odd panty checking. With iprtyrl] = 1 indicating the parityerror over the IDAT[lS:O] bus, the specification of the property is:
We use division [7] to verify this property using subproperties:
Property 5. Any unassigned cells will be discarded by the input FIFO. Actually, the ATM header determines whether a cell is unassigned cell or not. If all the bits of VPI and VCI and CLP bit are zero, then the cell is unassigned. Since we consider NNI here, the format of an unsigned cell is similar to the one in where, iaddr = 10 expresses that the address of the current receiving PHY device is 10. Because RCMP has a pipeline searching process, iaddr will be equal to 11 in two clock
Here, switching a receiving PHY device from one to another only happens at the state cellcount = 0. When a PHY device gets permission to transfer a cell into RCMP, the write enable signal (iwren) will be asserted. And also While the above properties do not cover all functions listed i n Section 3, other properties can easily be described in a way'
EXPERIMENTAL RESULTS AND ERROR DETECTION
the variable p-sfate stores the number of PHY devices. Therefore, the CTL expression is as follows:
Here, p-state stores the number of current receiving PHY devices, ica2 = 1 means that PHY device 2 has a cell to send, iwren2 = I means PHY device 2 gets the permission to send. Property 8. If $oll is high, the RCMP is receiving data from the PHY device of address 10 and the PHY device of address 11 has a cell to send, RCMP will transmit the cell from PHY device of address 11 next. We did meet state explosion problem when verifyins these properties, and the machine gave the error indicating that the memory cannot be allocated. So we applied a reduction method in which we "hide" unrelated design details when verifying a property [6] . Because a hardware design is "proce;ss-based", we could simply comment unrelated process when verifying a property, and it is also possible to write a program to search unrelated processes and comment them automatically. Although the method seems very obvious, it is very effective. By this method, all the properties were verified in VIS with a reasonable CPU time. Table 3 summarizes the experimental results including the number of CTI, formulas involved, CPU time in seconds, memory usage and number of BDD nodes generated. It is to be noted that before performing the model checking, we carried out an extensive simulation of the RCMP-800 Input FIFO, but we still have found a number errors. For instance, we identified a bug in the "address line polling circuitry" while model checking Properties 7 and 8. ARer fixing the RTL code, the properties succeeded the model checking.
CONCLUSIONS
In this paper, we applied model checking to verify a block of an ATM commercial product. We show how to described the properties in CTL. To save state space, we defined register variables as their default values in the environment. However, we still encountered state space explosion problem. This has been solved by adopting a reduction method in which we comment out property unrelated HDL design code before running model checking. In this work, model checking of all the properties are done with a reasonable time, and we did detect a set of design errors by the model checking.
