CTL-Property Transformations Along an Incremental Design Process
Cécile Braunstein 1   Emmanuelle Encrenaz 2
LIP6
Université Pierre et Marie Curie, CNRS UMR 7606
Paris, France
Abstract
This paper formalizes an incremental approach to design flow-control oriented hardware devices described by Moore machines. The method is based on successive additions of new behaviors to a simple device in order to build a more complex one. The new behaviors added must not override the previous ones. A set of CTL formulae is assigned to each step of the design. The links between the formulae of two consecutive design steps are formalized as a set of formula-transformations F, stating that a CTL formula f is satisfied on a design at step i iff F(f) is satisfied on the design extended at step i+1. This result has been applied during the design of bus protocol converters in the context of non-regression analysis. It could also be applied in order to simplify both system and formulae in particular cases.
Keywords: System Design and Verification, Simulation Relation, Computational Tree Logic.
1 Introduction
This paper stems from the observation of the way some hardware components may be designed. In some cases, hardware designers could adopt an incremental strategy: after having defined the information flow of the design, the rough structure of the data-path and the control part, they proceed to the implementation of the simplest cases up to the most complex ones. This is accomplished by adding new functionalities to already existing ones, building a more and more complex device. This is particularly true for devices implementing a pipe-line flow: the stages of the pipe-line can be roughly drawn and then the stalling actions are added (e.g. stalling actions due to cache-miss, register dependencies between successive instructions, or exception handling).
1 Email: cecile.braunstein@lip6.fr
2 Email: emmanuelle.encrenaz@lip6.fr
Electronic Notes in Theoretical Computer Science 128 (2005) 263–278
1571-0661 © 2005 Elsevier B.V. Open access under CC BY-NC-ND license.
www.elsevier.com/locate/entcs
doi:10.1016/j.entcs.2005.04.016
Often, the verification of such devices is performed by simulation of test cases. Specification of components by means of a list of properties expressed as CTL formulae, and verification by symbolic model-checking [2], emerges as a verification method complementary to simulation. For instance a bus protocol can be expressed by means of CTL formulae, and a new design conformable to the protocol may be checked by plugging the design under test into a verification environment mimicking the bus, and then checking that all properties of the specification are verified.
In general, the incremental design approach does not preserve the set of
properties from a simple component to a more complex one. Once a behavior
is added to an initial model, a global property, which was true in the initial
model, may be wrong in the extended one. Consequently, local and global
properties (about the component plugged in a complex environment made
of other components) have to be re-adapted for each incremental step of the
design.
This incremental design process is complementary to those applying a refining strategy as in [11]. In refining strategies, the global information flow is initially defined, and all cases, the simplest ones up to the most complex ones, are obtained by incremental refinements of the initial model. Each refinement is considered as a step towards a real implementation. The strength of these approaches resides in the preservation of global properties along the refinement process: if a property is true in a given model, then, if the refinement is well-defined, the refined model will preserve the initial property. This induces a design method ensuring that the implementation respects the properties of the specification. But this refining strategy excludes the addition of new functionalities during the design process: a refinement is a specialization of a pre-defined set of behaviors, whereas the incremental method is built on addition of new behaviors. In our case, the price to pay is the lack of property-preservation.
The way several increments interfere with each other has been extensively studied in the context of detecting feature inconsistencies in telecommunication or software plug-ins. For instance, Plath and Ryan have proposed in [15,16,4] a feature integration automating tool coupled with model-checkers ([16] for Promela/SPIN [10], [15] for SMV [13] and [4] for MOCHA [1]). The inconsistencies between several added features are detected by LTL or CTL property violation. More recently in [4] they stated an ATL-property preservation for a restricted type of feature. Others, as Cansell and Méry in [3], have proposed a method to compose features integrated into the Atelier B tool [5]: here, the refining strategy is applied to guarantee the correctness of the implementation with respect to an abstract specification of the basic component plus the added services. The inconsistencies between services appear as non-provable proof-obligations.
Our purpose differs from those described in [3,15,16,4] since our increment definition is much simpler than the feature integration they propose. As a consequence, our increment is monotonic: there is no overriding of behaviors, all behaviors that were in the simple component are preserved in the more complex one. But the CTL formulae that were true in the simple model may be falsified by the increment. Our goal is to build a set of CTL formulae that represents a specification for the complex component by re-using the specification of the simpler component (and adding new properties specific to the added behaviors).
We are interested in exploring the links between properties that are true in an initial model and those that are true in the extended one. This might be expressed as: "May we transform the CTL formulae that are true in the initial model into other CTL properties that are true in the extended one, capturing the way the extension was performed?" If we can perform this, we can ensure that the extended model preserves the behaviors that were checked on the initial one. Conversely, from some property satisfied on the complex model, can we derive a simpler property to verify on the simpler one?
Given an additive increment, the initial model and the extended one, we show that this CTL transformation is possible. The transformed CTL formulae, applied to the extended model, restrict the verification state-space traversals to a sub-graph isomorphic to the one derived from the initial model. This guarantees that, if the extended model respects the extension rules, then the verification results of the transformed CTL formulae, applied to the extended model, and the verification of the initial CTL formulae, applied to the initial model, are identical.
The paper is organized as follows: In a first section we present how a new behavior is added to an existing model. The second section presents the Kripke structures derived from an initial model and the extended model, and characterizes the main properties of the latter. From these considerations, the third section presents a set of transformations of CTL formulae, restricting the verification of CTL formulae in the Kripke structure of the extended model to the Kripke structure of the initial one it includes. Then we present, in the fourth section, the way these transformations were applied during the incremental design process of protocol converters — between VCI (Virtual Component Interface) [6] and PI-bus [14] — and finally in the fifth section we draw some conclusions.
2 Increment formalization
In this section, we formalize the component being designed and the increment.
Then we characterize the extended component.
A component is viewed as a control part driving a data-path. Its state-space is modelled by a complete and deterministic synchronous Moore machine. The component presents an interface made of directed typed signals.
2.1 Definitions of a signal and a configuration
Definition 2.1 Each signal is defined by a name s and a finite definition domain Dom(s).
Definition 2.2 Let E be a set of signals. A configuration c(E) is a vector that associates to each signal in E one value of its definition domain. The set of all configurations c(E) is named C(E).
2.2 Definition of a component
Our approach iteratively applies an increment to a component W to build a more complex component, where Wi refers to the component resulting from i successive increments.
Definition 2.3 A component Wi = < Si, Ii, Oi, Ti, Li, si > is described as a deterministic and complete Moore machine:
Si: Finite set of states.
Ii: Finite set of input signals with their finite definition domain: {(sigin, Domi(sigin))}
Oi: Finite set of output signals with their finite definition domain: {(sigout, Domi(sigout))}
Ti: Finite set of transitions ⊆ Si × C(Ii) × Si satisfying ∀s 　∈ Si, ∀c ∈ C(Ii), ∃! s′ ∈ Si s.t. (s, c, s′) ∈ Ti (∃! means "there exists exactly one").
Li: Vector of generation functions = {l0, . . . , l|Oi|−1}, each function defining the value of exactly one output signal in each state; for all output signals oj, 0 ≤ j < |Oi|, we have lj : Si → Dom(oj).
si ∈ Si: the initial state.
Remark 2.4 Applying the vector of generation functions to a given state of Si produces a configuration c(Oi).
2.3 Increment
An increment is a set of modifications applied to a component's architecture in order to build a more complex component. It reflects the carrying out of a new event at the component's interface. The architecture of Wi does not consider the occurrence of this new event, while the architecture Wi+1 does. An event is an input configuration which may produce a state change of the system. An increment is a new event (or a set of new events), introducing new behaviors. A new event can occur in different manners:
• Either the definition domains of one or more existing signals are extended. The interfaces of the component are fixed, but the incremental design process takes into account values of these interfaces that were not previously considered.
• Or one or more new signals are added (with a definition domain). This is the case of an increasing complexity of the data-path of the component.
In both cases, the new event is modelled by the appearance of a new symbol e in the set of input signals Ii+1, with a definition domain Dom(e). This domain is split into two disjoint sets: the quiet values set (V_QT(e)) grouping the configurations of the extended or added signals meaning that the new event has not occurred, and the active values set (V_ACT(e)) grouping the configurations of the extended or added signals meaning that the new event occurred. The denomination e = val_qt means that the extended signals present a configuration belonging to V_QT(e), respectively e = val_act one belonging to V_ACT(e).
The new event introduces new transitions and states: the new behaviors are represented as new transitions and states in the previous Moore machine. Completeness and determinism of the Moore machine are preserved.
The new event drives new actions: either one or more existing output signals have their domain extended, or one or more new output signals are created.
As previously done, these modifications are modelled by the appearance of a new output signal o, with a definition domain Dom(o), split into V_QT(o) and V_ACT(o) disjoint sets. The new signal o is added into the states existing in the older Moore machine, driving one of its quiet values, and it appears in fresh states, driving either one of its quiet or active values. Figure 1 presents an admissible increment. On the left, the Moore machine describing a component Wi contains three states and the input signal k drives the transitions. On the right, the component Wi+1 results from the increment of Wi with an additional input signal j and Dom(j) = {0, 1}; its quiet value is 0 and its active value is 1. In Wi+1, the quiet value of j labels all transitions that were in Wi; new transitions leaving from states that existed in Wi are labelled with the active value of j; new states are the source of transitions labelled with either the active or quiet value of j.
Fig. 1. Increment example
Definition 2.5 An increment from a component Wi is a 4-tuple INC = < I+, R+, O+, Σ+ >
Σ+: The set of new reachable states where Σ+ ∩ Si = ∅.
R+: The set of new transitions ⊆ (Si × Si) ∪ (Si × Σ+) ∪ (Σ+ × Σ+) ∪ (Σ+ × Si) where R+ ∩ Ti = ∅.
I+: The set of new input signals and their definition domain = {(sigin+, Dom(sigin+))}. We name e the event associated to I+, e = {sigin+}, and C(e) = V_QT(e) ∪ V_ACT(e) such that:
• each transition (s1, c, s2) in Ti will have its input configuration extended with the sub-configuration concerning the new input signals belonging to V_QT(e), denoted by c′ = c where e = val_qt.
• each transition (s1, c, s2) in R+ ∩ ((Si × Σ+) ∪ (Si × Si)) will have its input configuration extended with the sub-configuration concerning the new input signals belonging to V_ACT(e), denoted by c′ = c where e = val_act.
O+: The set of new output signals and their definition domain = (o, Dom(o)) with Dom(o) = V_QT(o) ∪ V_ACT(o), such that the output function associated to o returns a value in V_QT(o) for all states that were in Wi.
A component Wi+1 = < Si+1, Ii+1, Oi+1, Ti+1, Li+1, si > obtained by applying an increment to a component Wi preserves all behaviors that were present in Wi, assuming that, in Wi+1, the new event is maintained to one of its quiet values. We have Si+1 = Si ∪ Σ+, Ii+1 = Ii ∪ I+, Oi+1 = Oi ∪ O+, Ti+1 = Ti ∪ R+, and Li+1 conforms to the restriction imposed by O+.
Proposition 2.6 The initial state in Wi+1 simulates the initial state in Wi.
Proof (Sketch): We build ρW, a binary relation between the states of two consecutive components Wi and Wi+1, such that ρW ⊆ Si × Si+1 and ∀s ∈ Si, (s, s′) ∈ ρW if s′ is the name of s in Si+1. By construction, ρW is a simulation relation.
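As an added example (not the paper's code or its tool, and using a constructed machine rather than the one of Figure 1), the following Python models a component as in Definition 2.3 and an increment as in Definition 2.5, builds Wi+1 as described above, and checks Proposition 2.6 by verifying that ρW is a simulation with e held at a quiet value. The restriction to one new input signal e and one new output signal o per increment, and every state and signal name, are assumptions of the example.

```python
from dataclasses import dataclass
from itertools import product

def key(cfg):
    """Hashable form of an input configuration {signal: value}."""
    return tuple(sorted(cfg.items()))

@dataclass
class Moore:
    """Definition 2.3: a complete, deterministic Moore machine <S, I, O, T, L, s>."""
    states: set     # S
    inputs: dict    # I: signal -> tuple of admissible values (its definition domain)
    outputs: dict   # O: signal -> tuple of admissible values
    trans: dict     # T: {(state, key(config)): next state}; a dict, so T is deterministic
    labels: dict    # L: state -> {output signal: value}
    init: str       # s, the initial state

    def configs(self):
        """C(I): every total assignment of values to the input signals."""
        names = sorted(self.inputs)
        return [dict(zip(names, v)) for v in product(*(self.inputs[n] for n in names))]

    def check_complete(self):
        """Exactly one successor for every (state, configuration) pair."""
        expected = {(s, key(c)) for s in self.states for c in self.configs()}
        if set(self.trans) != expected:
            raise ValueError("machine is not complete, or has transitions on unknown configurations")
        return True

@dataclass
class Increment:
    """Definition 2.5, restricted to one new input signal e and one new output signal o
    (an assumption of this example; the paper allows sets of new signals)."""
    new_states: set    # Sigma+
    event: str         # e
    quiet: tuple       # V_QT(e)
    active: tuple      # V_ACT(e)
    new_output: str    # o
    o_quiet: tuple     # V_QT(o)
    o_active: tuple    # V_ACT(o)
    new_trans: dict    # R+: {(state, key(config over Ii plus e)): next state}
    new_labels: dict   # output values of the states in Sigma+

def apply_increment(w, inc):
    """Build Wi+1 from Wi: every old transition is kept with e at a quiet value, R+ is
    added, old states drive a quiet value of o, and completeness is re-checked."""
    trans = {}
    for (s, k), t in w.trans.items():
        for q in inc.quiet:                                  # c' = c where e = val_qt
            trans[(s, key(dict(k, **{inc.event: q})))] = t
    for (s, k), t in inc.new_trans.items():
        if s in w.states and dict(k)[inc.event] not in inc.active:
            raise ValueError(f"R+ transition leaving old state {s} must carry an active {inc.event}")
        if (s, k) in trans:
            raise ValueError("R+ must be disjoint from Ti")
        trans[(s, k)] = t
    labels = {s: dict(l, **{inc.new_output: inc.o_quiet[0]}) for s, l in w.labels.items()}
    labels.update(inc.new_labels)
    w1 = Moore(states=w.states | inc.new_states,
               inputs=dict(w.inputs, **{inc.event: inc.quiet + inc.active}),
               outputs=dict(w.outputs, **{inc.new_output: inc.o_quiet + inc.o_active}),
               trans=trans, labels=labels, init=w.init)
    w1.check_complete()
    return w1

def is_simulation(w, w1, rho, event, quiet):
    """rho is a simulation of Wi by Wi+1 if related states agree on the old outputs and
    every move of Wi is matched in Wi+1 with e held at a quiet value."""
    for s, s1 in rho:
        if any(w1.labels[s1][o] != w.labels[s][o] for o in w.outputs):
            return False
        for (src, k), t in w.trans.items():
            if src != s:
                continue
            for q in quiet:
                t1 = w1.trans.get((s1, key(dict(k, **{event: q}))))
                if t1 is None or (t, t1) not in rho:
                    return False
    return True

def rho_w(w):
    """Proposition 2.6: relate every state of Wi to the state of the same name in Wi+1."""
    return {(s, s) for s in w.states}

# Constructed example (not the paper's Figure 1): Wi has three states and input k.
W_I = Moore(
    states={"IDLE", "REQ", "DONE"}, inputs={"k": (0, 1)}, outputs={"busy": (0, 1)},
    trans={("IDLE", key({"k": 0})): "IDLE", ("IDLE", key({"k": 1})): "REQ",
           ("REQ", key({"k": 0})): "REQ", ("REQ", key({"k": 1})): "DONE",
           ("DONE", key({"k": 0})): "IDLE", ("DONE", key({"k": 1})): "IDLE"},
    labels={"IDLE": {"busy": 0}, "REQ": {"busy": 1}, "DONE": {"busy": 0}}, init="IDLE")

# The increment adds input j (quiet 0, active 1), output rtr and the fresh state WAIT.
INC = Increment(
    new_states={"WAIT"}, event="j", quiet=(0,), active=(1,),
    new_output="rtr", o_quiet=(0,), o_active=(1,),
    new_trans={("IDLE", key({"k": 0, "j": 1})): "IDLE", ("IDLE", key({"k": 1, "j": 1})): "IDLE",
               ("REQ", key({"k": 0, "j": 1})): "WAIT", ("REQ", key({"k": 1, "j": 1})): "WAIT",
               ("DONE", key({"k": 0, "j": 1})): "IDLE", ("DONE", key({"k": 1, "j": 1})): "IDLE",
               ("WAIT", key({"k": 0, "j": 1})): "WAIT", ("WAIT", key({"k": 1, "j": 1})): "WAIT",
               ("WAIT", key({"k": 0, "j": 0})): "REQ", ("WAIT", key({"k": 1, "j": 0})): "REQ"},
    new_labels={"WAIT": {"busy": 1, "rtr": 1}})

if __name__ == "__main__":
    W_I1 = apply_increment(W_I, INC)
    print(len(W_I.trans), "transitions in Wi,", len(W_I1.trans), "in Wi+1")
    print("rho_W is a simulation:", is_simulation(W_I, W_I1, rho_w(W_I), "j", (0,)))
```

The completeness check is what enforces the claim that determinism and completeness survive the increment: the six transitions of Wi, re-tagged with j = 0, and the ten transitions of R+ together cover the 4 states × 4 configurations of Wi+1 exactly once, and any R+ transition leaving an old state with j = 0 is rejected because it would overlap Ti.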
3 Translation of Moore machine into Kripke structure
The semantics of CTL formulae is defined on the Kripke structure derived from the initial Moore machine describing the component Wi. Informally, the input configurations that label the transitions in the Moore machine are incorporated into states in the Kripke structure. We formally define the Kripke structure K(Wi) obtained from the component Wi.
Definition 3.1 A Kripke structure is a 5-tuple 〈S, s0, AP, L, R〉 where:
S is a finite set of states,
s0 ⊆ S is the set of initial states,
AP is a finite set of atomic propositions,
L = {l0, . . . , l|AP|−1} is a vector of |AP| functions, each function defining the value of exactly one atomic proposition; for all 0 ≤ i < |AP| we have li : S → B; for all s ∈ S, we have that li(s) is true iff the atomic proposition associated to li is true in s,
R ⊆ S × S is the transition relation.
Definition 3.2 Given a component Wi = < Si, Ii, Oi, Ti, Li, si >, we deduce the Kripke structure K(Wi) = 〈SK(Wi), sK(Wi),0, APK(Wi), LK(Wi), RK(Wi)〉 where:
SK(Wi) = Si × C(Ii),
sK(Wi),0 = {si} × C(Ii),
APK(Wi) = Ii ∪ Oi,
LK(Wi) = {lO0, . . . , lO|Oi|−1} . {lI0, . . . , lI|Ii|−1};
RK(Wi) ⊆ SK(Wi) × SK(Wi) and ∀(s, ci) ∈ SK(Wi), ∀(s′, c′i) ∈ SK(Wi), we have ((s, ci), (s′, c′i)) ∈ RK(Wi) iff (s, ci, s′) ∈ Ti.
Applying an increment to a component Wi produces a component Wi+1. The CTL formulae associated to Wi are verified over the Kripke structure K(Wi). One can derive a Kripke structure K(Wi+1) from the component Wi+1 by applying Definition 3.2. We are now interested in characterizing the properties of K(Wi+1) with respect to K(Wi), namely to show that K(Wi) is included into K(Wi+1), with all states that were present in K(Wi) tagged with the quiet value of the new event.
[Figure 2, of which only the labels survive extraction: Moore states S1 and S2, with input configurations c1 . . . ci . . . cn leaving S1 and c′1 . . . c′i . . . c′p leaving S2, are expanded into the Kripke states S1c1 . . . S1ci . . . S1cn and S2c′1 . . . S2c′i . . . S2c′p.]
Fig. 2. Transformation of a Moore machine into a Kripke structure
3.1 Properties of K(Wi+1)
By construction, the tree of behaviors of K(Wi) is preserved in K(Wi+1), labelled with some quiet values of the new event. This preservation property can be expressed as the existence of a simulation relation between the states of the Kripke structures obtained from two consecutive components. More precisely, the enrichment relation captures the fact that the behaviors of the previous component are enclosed in the newer one, tagged with the event assigned to some of its quiet values.
Definition 3.3 (Enrichment) For all states si = (s, c) ∈ K(Wi), let there be s′i = (s′, c′) and s″i = (s″, c″) ∈ K(Wi+1) such that: s′ = s, c′ = c if e = val_qt, and s″ = s, c″ = c if e = val_act. Then s′i and s″i are said to enrich si (with (e = val_qt) in the first case).
Proposition 3.4 Each initial state of K(Wi+1) that enriches the initial state of K(Wi) with (e = val_qt) simulates the latter.
Proof (Sketch): We define ρKW ⊆ SK(Wi) × SK(Wi+1), such that for all s ∈ SK(Wi), c ∈ C(Ii), s′ ∈ SK(Wi+1), and c′ ∈ C(Ii+1), we have (s, s′) ∈ ρKW iff (s = s′ and c′ = c) where e = val_qt. By construction, ρKW is a simulation relation.
Remark 3.5 From the above, we obtain:
If s′ enriches s with e = val_qt, then s′ simulates s.
If s′ enriches s with e = val_act, this does not imply that s′ simulates s.
If s′ simulates s, this does not imply that s′ enriches s.
Corollaries
(i) If there exists some infinite path in K(Wi), then there exists some infinite path in K(Wi+1) along which the event e always has one of its quiet values. If σ = s0 . . . sn . . . is in K(Wi), then ∃σ′ = s′0 . . . s′n . . . in K(Wi+1) such that all s′i enrich si with (e = val_qt).
(ii) K(Wi) is the maximal sub-graph in K(Wi+1), reachable from s′0, that enriches s0 (in K(Wi)) with (e = val_qt) when e remains in one of its quiet values.
(iii) The states in K(Wi+1) obtained by the expansion of a state in Σ+ are only reachable from the initial state s′K(Wi+1),0 that enriches sK(Wi),0 by a path along which at least one state is labelled by (e = val_act).
(iv) If s′ ∈ K(Wi+1) enriches s ∈ K(Wi) with (e = val_qt), then for all t′ ∈ K(Wi+1) such that s′ → t′, there exists t ∈ K(Wi) such that t′ is produced by the expansion of t due to the increment, and s → t.
Proof.
(i) By induction on the length of σ′.
(ii) By construction of K(Wi+1), s′0 enriches s0, hence s′0 simulates s0. Due to corollary (i) there exists a path σ′ = s′0 . . . s′n . . . such that all states enrich a state in K(Wi). For each state r′ ∈ σ′, r′ enriches a state r in K(Wi) with (e = val_qt); let t′ be such that r′ → t′ and t′ satisfies (e = val_act), then t′ does not belong to K(Wi).
(iii) From corollary (ii).
(iv) Let s′ ∈ K(Wi+1) enrich s ∈ K(Wi) with (e = val_qt) and s′ → t′. Assume t′ is not obtained by expansion due to the increment of a state t in K(Wi). By construction, t′ is produced by the expansion of a state r in Wi+1 reached by a transition labelled by (e = val_act). Contradiction.
Hence, K(Wi+1) includes K(Wi), and K(Wi) can be detected in K(Wi+1) since it is the maximal connected sub-graph tagged with (e = val_qt). This is captured by the enrichment relation that is included in a simulation. We now use this particularity to establish links between CTL formulae verified on K(Wi) and some others verified on K(Wi+1).
4 CTL-formulae transformations
[12] and [8] have stated some CTL formulae-preservation results between two Kripke structures ordered by any simulation relation. We recall their results in our particular context. In [12] the authors state the preservation of ECTL 3 formulae from K(Wi) to K(Wi+1), while in [8] the authors state the preservation of ACTL 4 formulae from K(Wi+1) to K(Wi).
The results we present are not based on the preservation of a fragment of CTL between a component and another one that includes it, but rather transform the whole set of CTL operators and provide a bi-implication between the initial formula and the transformed one.
Given a CTL formula Φ, we are going to set out the rules to transform Φ that is true in sK(Wi),0 (named in short s0) into Φ′ that is true in s′K(Wi+1),0 (shortly named s′0) when s′0 enriches s0 with (e = val_qt).
Theorem 4.1 Let s ∈ SK(Wi) and s′ ∈ SK(Wi+1) be such that s′ enriches s with (e = val_qt). For any atomic proposition p ∈ APK(Wi), for any CTL formulae Φ, χ and Ψ (with all their atomic propositions in APK(Wi)), s |= Φ ⇔ s′ |= Φ′, where Φ′ is the formula obtained by recursively applying the following transformations:
Φ = p ⇔ Φ′ = p.
Φ = ¬Ψ ⇔ Φ′ = ¬Ψ′.
Φ = EXΨ ⇔ Φ′ = (e = val_qt) ⇒ EXΨ′.
Φ = EFΨ ⇔ Φ′ = E((e = val_qt) U Ψ′).
Φ = EGΨ ⇔ Φ′ = EG((e = val_qt) ∧ Ψ′).
Φ = E(Ψ U χ) ⇔ Φ′ = E(((e = val_qt) ∧ Ψ′) U χ′).
Φ = AXΨ ⇔ Φ′ = (e = val_qt) ⇒ AXΨ′.
Φ = AFΨ ⇔ Φ′ = AF((e = val_qt) ∨ Ψ′).
Φ = A(Ψ U χ) ⇔ Φ′ = A(((e = val_qt) ∧ Ψ′) U ((e = val_qt) ∨ χ′)).
Φ = AGΨ ⇔ Φ′ = A(((e = val_qt) ∧ Ψ′) W (e = val_qt)).
Φ = A(Ψ W χ) ⇔ Φ′ = A(Ψ′ W (χ′ ∨ (e = val_qt))).
W stands for the "Weak until" operator.
Proof (Sketch): The transformations are based on the reduction of the computational tree explored in K(Wi+1) to the sub-tree along which the active values of the event are not considered. By corollary (ii), this sub-graph represents K(Wi). The transformation is proven for each CTL operator applied to an atomic proposition by including the (e = val_qt) constraint in its definition. Then the proof proceeds by induction on the length of the formula Φ.
The transformations listed above do not modify the structure of the initial formula: the nesting of temporal operators is preserved, hence the size of the CTL formula (measured as the number of nested temporal operators) is unchanged. The transformation of an EF into an EU or an AG into an AW does not significantly change the complexity of the verification since they are based on the same fixpoint computation. The transformation is transferred into the propositional operations that are performed by classical BDD binary operations (and, or, implies, ...).
3 ECTL stands for CTL restricted to the Existential modalities.
4 ACTL stands for CTL restricted to the Universal modalities.
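The rules of Theorem 4.1 and the size argument above, as an added example in Python that is not the paper's tool: it derives K(Wi) and K(Wi+1) by Definition 3.2 from a constructed pair of machines (not the ones of Figure 1), checks CTL formulae explicitly by fixpoint computation, applies the transformation table as printed, and compares Φ on K(Wi) with Φ′ on K(Wi+1) at each state and its (e = val_qt) enrichment; depth() counts nested temporal operators. Passing ∧, ∨ and ⇒ through unchanged, and every machine, state and signal name, are assumptions of the example.

```python
from itertools import product

def key(cfg):
    """Hashable form of an input configuration {signal: value}."""
    return tuple(sorted(cfg.items()))

# Constructed example (not the paper's Figure 1). Wi: states IDLE/REQ/DONE driven by input k.
# Wi+1: new input j (quiet value 0, active value 1), new state WAIT, new output rtr.
def delta_i(s, c):
    return {"IDLE": ("IDLE", "REQ"), "REQ": ("REQ", "DONE"), "DONE": ("IDLE", "IDLE")}[s][c["k"]]

def delta_i1(s, c):
    if c["j"] == 0:                     # e = val_qt: old behaviour kept; WAIT resumes to REQ
        return "REQ" if s == "WAIT" else delta_i(s, c)
    return {"IDLE": "IDLE", "REQ": "WAIT", "DONE": "IDLE", "WAIT": "WAIT"}[s]

def out_i(s):
    return {"busy": int(s == "REQ")}

def out_i1(s):
    return {"busy": int(s in ("REQ", "WAIT")), "rtr": int(s == "WAIT")}

def kripke(states, inputs, delta, outputs):
    """Definition 3.2: one Kripke state per (Moore state, input configuration);
    (s,c) -> (t,c') iff delta(s,c) = t; each state is labelled with the valued signals of I and O."""
    names = sorted(inputs)
    cfgs = [dict(zip(names, v)) for v in product(*(inputs[n] for n in names))]
    S = [(s, key(c)) for s in states for c in cfgs]
    R = {(s, k): [x for x in S if x[0] == delta(s, dict(k))] for (s, k) in S}
    L = {(s, k): dict(outputs(s), **dict(k)) for (s, k) in S}
    return S, R, L

K_I = kripke(["IDLE", "REQ", "DONE"], {"k": (0, 1)}, delta_i, out_i)
K_I1 = kripke(["IDLE", "REQ", "DONE", "WAIT"], {"k": (0, 1), "j": (0, 1)}, delta_i1, out_i1)
Q = ("p", "j", 0)                       # the atomic proposition (e = val_qt)
BUSY = ("p", "busy", 1)

def fix(step, start):
    """Iterate a monotone set operator from start until it stabilises (fixpoint)."""
    cur = start
    while (nxt := step(cur)) != cur:
        cur = nxt
    return cur

def sat(f, S, R, L):
    """Explicit-state CTL model checking: the states of (S, R, L) satisfying f. Formulas are
    tuples ("p", sig, val), ("not", g), ("and"|"or"|"implies", g, h), ("EX"|"EF"|"EG"|"AX"|"AF"|"AG", g),
    ("EU"|"AU"|"AW", g, h); R is total, so A(g W h) is the greatest fixpoint of h or (g and AX Z)."""
    if f[0] == "p":
        return {x for x in S if L[x].get(f[1]) == f[2]}
    full = set(S)
    ex = lambda Z: {x for x in S if any(y in Z for y in R[x])}
    ax = lambda Z: {x for x in S if all(y in Z for y in R[x])}
    a = sat(f[1], S, R, L)
    b = sat(f[2], S, R, L) if len(f) > 2 else None
    return {
        "not": lambda: full - a, "and": lambda: a & b, "or": lambda: a | b,
        "implies": lambda: (full - a) | b, "EX": lambda: ex(a), "AX": lambda: ax(a),
        "EF": lambda: fix(lambda Z: a | ex(Z), set()), "AF": lambda: fix(lambda Z: a | ax(Z), set()),
        "EG": lambda: fix(lambda Z: a & ex(Z), full), "AG": lambda: fix(lambda Z: a & ax(Z), full),
        "EU": lambda: fix(lambda Z: b | (a & ex(Z)), set()),
        "AU": lambda: fix(lambda Z: b | (a & ax(Z)), set()),
        "AW": lambda: fix(lambda Z: b | (a & ax(Z)), full),
    }[f[0]]()

def transform(f, q=Q):
    """Theorem 4.1 applied recursively, with q standing for (e = val_qt). Conjunction,
    disjunction and implication are passed through unchanged (an assumption of this example)."""
    t = lambda g: transform(g, q)
    if f[0] == "p":
        return f
    if f[0] in ("and", "or", "implies"):
        return (f[0], t(f[1]), t(f[2]))
    return {
        "not": lambda: ("not", t(f[1])),
        "EX": lambda: ("implies", q, ("EX", t(f[1]))),
        "EF": lambda: ("EU", q, t(f[1])),
        "EG": lambda: ("EG", ("and", q, t(f[1]))),
        "EU": lambda: ("EU", ("and", q, t(f[1])), t(f[2])),
        "AX": lambda: ("implies", q, ("AX", t(f[1]))),
        "AF": lambda: ("AF", ("or", q, t(f[1]))),
        "AU": lambda: ("AU", ("and", q, t(f[1])), ("or", q, t(f[2]))),
        "AG": lambda: ("AW", ("and", q, t(f[1])), q),
        "AW": lambda: ("AW", t(f[1]), ("or", t(f[2]), q)),
    }[f[0]]()

TEMPORAL = {"EX", "EF", "EG", "EU", "AX", "AF", "AG", "AU", "AW"}

def depth(f):
    """Number of nested temporal operators, the size measure used after Theorem 4.1."""
    return 0 if f[0] == "p" else (f[0] in TEMPORAL) + max(depth(g) for g in f[1:])

def theorem_holds(phi):
    """s |= phi on K(Wi) iff s' |= transform(phi) on K(Wi+1), for every state s of K(Wi)
    and its enrichment s' with (e = val_qt), i.e. the same Moore state and configuration plus j = 0."""
    (S, R, L), (S1, R1, L1) = K_I, K_I1
    sat_i, sat_i1 = sat(phi, S, R, L), sat(transform(phi), S1, R1, L1)
    return all(((s, k) in sat_i) == ((s, key(dict(k, j=0))) in sat_i1) for (s, k) in S)

if __name__ == "__main__":
    for phi in (("EF", BUSY), ("EG", ("not", BUSY)), ("EU", ("not", BUSY), ("p", "k", 1))):
        print(phi, "->", transform(phi), "| same verdict on every state:", theorem_holds(phi))
```

Each rule replaces one temporal operator by exactly one (EF by EU, AG by AW, the others by themselves) and only adds the propositional guard q, so depth(transform(Φ)) equals depth(Φ) for every formula, which is the size argument made above. The example's self-check exercises the existential rules and the EX/AX rules on atomic operands over this machine.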
We implemented a tool that automates the transformation of the CTL formulae described in Theorem 4.1. This tool takes a file with a set of CTL formulae and a file containing the definition of an increment and returns the set of transformed CTL formulae.
5 Experiment
We experimented with the automatic construction of a part of the specification of a complex system by transforming the specification of a simpler one in the context of VCI-PI wrappers.
A wrapper is a device wrapping around an IP-core and implementing a given interface. In our context, the IP-core is supposed to be VCI compliant [6] and the considered wrapper is an adapter between the VCI interface and the PI-bus protocol [14]; hence we are able to connect various IP-cores through a PI-bus.
Fig. 3. Master Wrapper VCI and PI interfaces
The PI protocol distinguishes the component initiating a bus transfer,
named master, and the component responding to a transfer, named slave. An
IP-core may have both master and slave functionality. Figure 3 illustrates the
major signal interfaces a VCI-PI master wrapper has to deal with.
A VCI transfer is shown in Figure 4. The VCI initiator sends a request to the VCI-PI-master-wrapper (1), which requests the bus from the bus arbiter (2), and when the VCI-PI-master-wrapper owns the bus (3), it transfers each VCI request cell through the PI-bus to the VCI-PI-slave-wrapper (4,5). The VCI-PI-slave-wrapper translates the PI-cell into a VCI-cell to be given to the VCI target (6). The VCI-target transmits the VCI-response to the VCI-PI-slave-wrapper (7), which responds to the VCI-PI-master-wrapper through the PI bus (8,9). The latter translates the PI-response into a VCI-response and sends it to the VCI initiator (10). In some cases, the VCI-PI-slave-wrapper may implement a look-ahead mechanism in order to send the responses to the VCI-PI-master-wrapper in one cycle.
Fig. 4. Platform and VCI transfer
Using the incremental design process approach, we developed a set of six
master VCI-PI wrappers, from a very simple one supposing that the VCI
initiator and the PI target will always respond in one cycle, up to the most
complex one supporting delays and retract events sent by the VCI initiator or
the PI target. The hierarchy of the 6 master wrappers is shown in Figure 5.
[Figure 5, of which only the labels survive extraction: the hierarchy of the six master wrappers A, A′, B, B′, C, C′, where each arrow is an increment and the type of event considered grows along two axes. Initiator side: "Initiator is always ready" or "Initiator may impose wait states". Target side: "Target is always ready" (pi_rsp = RDY), "Target may impose wait states" (pi_rsp = {RDY,WAIT}) or "Target may impose retract" (pi_rsp = {RDY,WAIT,RTR}). The VCI signal domains attached to the models read: cmd_ack = 1, cmd_val = 1, rsp_val = 1, rsp_ack = 1; cmd_ack = 1, cmd_val = {0,1}, rsp_val = 1, rsp_ack = {0,1}; cmd_ack = {0,1}, cmd_val = 1, rsp_val = {0,1}, rsp_ack = 1; cmd_ack = {0,1}, cmd_val = {0,1}, rsp_val = {0,1}, rsp_ack = {0,1} (the last two repeated for the retract models).]
Fig. 5. Hierarchical VCI-PI wrapper. Each event added corresponds to an extension of the definition domain of one or more signals.
The behavior of the simplest wrapper (model A) is a 3-stage pipeline, performing at the same time:
• accepting a VCI request k to be sent to PI from its VCI interface,
• sending the PI request corresponding to the (k−1)-th VCI request on its PI interface,
• accepting the PI response to the (k−2)-th VCI request on its PI interface.
The further models (B to C′) deal with external events disturbing the pipeline flow: either the k-th VCI request cannot be given to the wrapper, or the (k−1)-th response is delayed by the PI target, or the target says that a major problem occurred and the transaction has to be restarted later, or the (k−2)-th response cannot be returned to the VCI initiator; all these cases freeze the pipeline.
The incremental data-path of the six master wrappers is presented in Figure 6, showing the behaviors successively added by increments ranging from A to C′.
[Figure 6, of which only the labels survive extraction: the data-path of master wrapper C′ is drawn between a VCI interface (CMDVAL, CMDACK, CMD, CMDDATA, CMDADD, CMDEOP, RSPVAL, RSPACK, RSPDATA, RSPEOP) and a PI-bus interface (PI_REQ, PI_GNT, PI_ACK, PI_LOCK, PI_D_OUT, PI_AD, PI_OPC, PI_D_IN). The remaining labels are FSM, DECODEUR, RSP_SAVE, GETD, GETX, TRA_DA, TRA_ADR, X, Y, S, T, EP, RTR, NOP, fRtr, cmd_f and fRtr_OK, with areas marked "Initiator Wait", "PI wait" and "PI retract".]
Fig. 6. Data-path of master wrapper C′. Each area corresponds to a different added increment.
We implemented in synchronous Verilog a platform as described in Figure 4. We verified this system with the VIS verification tool [7]. We checked about 80 CTL properties for the master wrapper B, the slave wrapper B and the complete system (when the VCI initiator and target may generate delay events).
Here are examples of CTL properties checked on the B platform:
# Check the interface between the PI bus arbiter and the master wrapper.
# property 1:
AG ( (wrap0.state = R_REQ) -> (A( (m_pi_req = 1) U (m_pi_gnt = 1))));

# Check the behavior of the slave wrapper (its two automata are well synchronized).
# property 2:
!EF((wrap_cible.cmd_cible.state = CMD_IDLE) * !(wrap_cible.rsp_cible.state = RSP_IDLE));

# Check the behavior of the complete system: check that the number of
# acknowledgment cells received by the VCI initiator is equal to
# the number of request cells it previously sent.
# Here, the initiator sends 2 requests.
# property 3:
AG( (m_cmd_plen[6:0] = 8 * m_cmd[0] = 1 ) ->
    A ( (A ( (A( (m_cmd_plen[6:0] = 8 * m_cmd[0] = 1 * m_cmd_eop = 0 * m_cmd_val = 1)
                 U (m_cmd_ack = 1)))
             U ( A( (m_cmd_eop = 1 * m_cmd_val=1)
                    U (m_cmd_ack = 1)))))
        U (m_cmd_val = 0) ));
We applied the transformations described in Theorem 4.1 to the 80 CTL properties of the model B with the increment transforming B into B′, and verified them on a system now containing B′ VCI-PI master and slave. The verification results were successful, at the expense of an increasing verification time mainly due to the increasing complexity of the system under verification. Of course, extra CTL formulae had to be added to the B′-platform in order to check the behaviors added by the increment.
For a small-size system (platforms B and B′ with one master wrapper and one slave wrapper), the overall verification time is increased for the complex model, but most of this time is consumed during the reachable state-space construction (5s vs 40s). The property verification extra-cost is of the same order of magnitude for both platforms (3s vs 9s). These results are confirmed for the medium-size systems (platforms B and B′ with two master wrappers and one slave wrapper), where the gap between the B and B′ verification times is mostly due to the increasing complexity of the system rather than the complexity of the formula, since most of the verification time is spent during the reachable state-space construction (25s vs 4h). Once the reachable state-space is built, the verification of each property is performed in 10s for the B platform vs 20 up to 50s for the B′ platform.
6 Concluding Remarks
The transformation rules of CTL formulae we propose are the basis for an approach to automatically derive part of the specification of a component from the specification of the simpler component it comes from.
We have shown this approach can be used during the design of a concrete component, assuming the increment respects the rules we formalized, as we take advantage of the existence of a particular value tagging the initial part of a model included in an extended model. The transformed CTL formulae have the same complexity (in terms of nested CTL operators) as the initial CTL formula. This is confirmed by experimental results showing that the increasing verification time of the complex system is mainly due to the reachability analysis instead of the CTL formula verification.
It is our intention to pursue this study towards the following directions:
• Up to now, we did not take into account all the particularities of the increment; we considered only the existence of a particular event splitting the set of states into the ones that appeared in the initial model and the new ones (this event may be due to the extension of existing signal domains and/or to the addition of new signals). We did not take advantage of the graph structure of the increment; most of the time, this increment consists of the adding of a new state (or set of states) characterizing the freezing of the data-path waiting for some continue signal to be set, allowing the data-path to pursue. In these cases, a new set of CTL transformations may be defined, capturing the added behaviors.
• The opposite analysis can also be of interest: given a formula to be verified on a complex model, can we find an increment (in the sense we defined in this paper) such that the complex model has been built from the application of this increment to a simpler model? If yes, can we transpose the formula of the complex model to a simpler one to be verified on the simpler model? The verification would be partial since it would not apply on the whole set of behaviors of the complex system, but could give some information if the complex system is too big to be verified with classical model-checking tools.
• We are also interested in studying the way this approach could be mixed with an Assume-Guarantee verification process [9].
References
[1] R. Alur, T. A. Henzinger, F. Y. C. Mang, S. Qadeer, S. K. Rajamani, and S. Tasiran. MOCHA: Modularity in model checking. In Computer Aided Verification, pages 521–525, 1998.
[2] J. R. Burch, E. M. Clarke, and K. L. McMillan. Symbolic model checking: 10^20 states and beyond. Information and Computation (Special issue for best papers from LICS90), 98(2):153–181, 1992.
[3] D. Cansell and D. Méry. Abstraction and refinement of features. In S. Gilmore and M. Ryan, editors, Language Constructs for Designing Features. Springer, 2000.
[4] F. Cassez, M. Ryan, and P-Y. Schobbens. Proving feature non-interaction with alternating-time temporal logic. In S. Gilmore and M. Ryan, editors, Language Constructs for Describing Features, pages 85–104. Springer Verlag London Ltd, 2001.
[5] STERIA Technologie de l'information, Aix-en-Provence (F). Atelier B, Manuel utilisateur, version 3.5, 1998.
[6] On-Chip Bus Development Working Group. VSI Alliance - Virtual Component Interface Standard (VCI), version 2, 2000.
[7] The VIS group. VIS: A system for verification and synthesis. In International Conference on Computer-Aided Verification, volume 1102 of Lecture Notes in Computer Science, pages 428–432. Springer-Verlag, 1996.
[8] O. Grumberg and D. E. Long. Model checking and modular verification. In International Conference on Concurrency Theory, volume 527 of Lecture Notes in Computer Science, pages 250–263. Springer Verlag, 1991.
[9] T. A. Henzinger, S. Qadeer, and S. K. Rajamani. You assume, we guarantee: Methodology and case studies. In Computer Aided Verification, volume 1427 of Lecture Notes in Computer Science, pages 440–451. Springer-Verlag, 1998.
[10] G. J. Holzmann. The Model Checker Spin. IEEE Trans. on Software Engineering, 23(5):279–295, May 1997. Special issue on Formal Methods in Software Practice.
[11] K. Lano. The B Language and Method, A guide to practical Formal Development. Springer-Verlag, 1996.
[12] C. Loiseaux, S. Graf, J. Sifakis, A. Bouajjani, and S. Bensalem. Property preserving abstractions for the verification of concurrent systems. Formal Methods in System Design, 6:1–35. Kluwer, 1995.
[13] K. L. McMillan. Symbolic Model Checking. Kluwer Academic Publishers, 1993.
[14] European project Open Microprocessor System Initiative (OMI). PI-bus standard specification (OMI 324), 1994.
[15] M. C. Plath and M. D. Ryan. A feature construct for Promela. In SPIN'98, 1998.
[16] M. C. Plath and M. D. Ryan. SFI: a feature integration tool. In R. Berghammer and Y. Lakhnech, editors, Tool Support for System Specification, Development and Verification, Advances in Computing Science, pages 201–216. Springer, 1999.