Abstract: Synthesis techniques take realizable Linear Temporal Logic (LTL) specifications and produce correct circuits that implement them. The generated circuits can be used directly, or as miters that check the correctness of a logic design. Typically, those techniques generate non-deterministic finite state automata, which can be determinized at a possibly exponential cost. Recent results show multiple advantages of using deterministic automata in symbolic and bounded model checking of LTL safety properties. In this paper, we present a technique, with a supporting tool, that takes a sequential extended regular expression (SERE) specification $\Phi$ and a logic design implementation $S$, and generates a sequential circuit $C$, expressed as an And-Inverter Graph, that checks whether $S$ satisfies $\Phi$. The technique passes the generated circuit $C$ to ABC, a logic synthesis and verification framework that provides bounded model checking, to validate correctness.
I. INTRODUCTION
Safety critical systems such as medical and navigation control devices rely on digital systems in order to provide accurate services. Verification techniques, such as symbolic and bounded model checking, address the correctness of digital systems with respect to formal specifications written in languages such as linear temporal logic (LTL). Sequential extended regular expressions (SERE) form a subset of the Property Specification Language (PSL) that constitutes a practical way to specify logic designs [1]. SERE covers a practical subset of LTL.
Automated synthesis tools such as Wring [2], Lily [3], and UNBEAST [4] take an LTL specification and generate a correct implementation. Validation tools such as FoCs [5], NuSMV [6], and SPIN [7] take a specification and an implementation and check whether the implementation satisfies the specification. They provide either a proof of correctness, a counterexample, or an inconclusive result when they reach their computational limits [8].
NuSMV [6] and COSPAN [9] typically translate the design $S$ and the negation of the LTL specification $\Phi$ into non-deterministic finite state automata (NDFA) $M_S$ and $M_{\neg\Phi}$ (typically Büchi automata), respectively, and then perform symbolic model checking on the resulting product automaton [10], [11]. This amounts to an online determinization of the assertion automaton, and thus the state space explosion problem is inherent to symbolic model checking [10].
The majority of the LTL properties to be verified are safety properties, for which finite violating counterexamples can be found. Therefore, researchers consider translating the LTL specifications into deterministic finite state automata (DFA) [10], [12], risking the state space explosion problem [13]. This often limits the ability of synthesis tools to generate input to the model checkers for verification. NuSMV uses several abstraction and reduction techniques, such as the cone of influence reduction [14] and other Binary Decision Diagram (BDD) based techniques [15], in order to avoid such a problem.
In this paper, we present a technique and a supporting tool that takes an SERE specification $\Phi$ and an implementation $S$ of it, and generates a sequential circuit $C$ that checks whether $S$ satisfies $\Phi$. Our technique encodes the non-determinism in $\Phi$ using additional free variables, and generates an equisatisfiable sequential circuit $C_\Phi$ whose number of states is linear in the size of $\Phi$. Informally, a sequential circuit $C$ with a designated output $o$ is equisatisfiable to an SERE specification $\Phi$ when $o$ is satisfiable if and only if $\Phi$ is satisfiable. The circuit $C_\Phi$ cannot be used as an implementation of $\Phi$; it can only be used as a miter in model checking tools to validate an implementation of $\Phi$. The technique translates the implementation $S$ into a sequential circuit $C_S$ and builds $C$ as the composition of $C_\Phi$ and $C_S$. The technique then applies the ABC model checker to the generated sequential circuit $C$ and checks for correctness.
Encoding non-determinism using free variables is a textbook technique [13]. Reportedly, it might have been used in existing tools such as "smvtoaig" for a limited subset of "smv" designs. To the best of our knowledge, we are the first to use this technique in an open source tool to enable the verification of logic designs against SERE specifications. Our technique enables the ABC model checker to find defects and prove the correctness of systems where this is not possible with existing techniques.
We implemented and evaluated our technique with benchmarks from UNBEAST [4] and LILY [3], in addition to the IBM arbiter presented in [16]. We provide our tool, the appendices of the paper including proofs, and the benchmarks for the experiments online¹. Our technique was able to find problems in several designs where it was not possible before. The supporting tool allows the user to
• prove that an implementation satisfies an SERE property using satisfiability and bounded model checking,
• debug the implementation and the specification using the generated counterexample, and
• simulate the implementation and the specification and inspect the results.
The rest of this paper is organized as follows. Section II presents preliminary definitions, and Section III motivates our approach using a simple example. The core of the synthesis technique is presented in Section IV. We describe our implementation in Section V, and show a summary of the experimental results in Section VI. Related work is summarized in Section VII and we conclude in Section VIII.
II. PRELIMINARIES
Let $A$ be a set of atomic propositions. The mapping $A \to B$ denotes a valuation of the atomic propositions in $A$, where $B = \{\mathit{true}, \mathit{false}\}$. Let $V = (A \to B)$ be the set of all such valuations. SERE formulae range over the alphabet $\Sigma = A \cup \{;, *, \wedge, \vee, \neg, (, )\}$, where (1) $\wedge$, $\vee$ are Boolean binary operators denoting conjunction and disjunction, respectively, (2) ';' is a sequential binary operator denoting temporal next, (3) $\neg$ is a Boolean unary operator denoting logical negation, and (4) $*$ is a sequential unary operator denoting zero or more repetitions.
¹ http://webfea.fea.aub.edu.lb/fadi/dkwk/doku.php?id=ltlsyn
Definition (SERE terms). An atomic proposition in $A$ is an SERE term. If $t_1$ and $t_2$ are SERE terms, then $t_1 \wedge t_2$, $t_1 \vee t_2$, $(t_1)$ and $\neg t_1$ are SERE terms. We denote by $T$ the set of all SERE terms.
Definition (SERE formula). An SERE term is an SERE formula. If $\phi$ and $\psi$ are SERE formulae and $t$ is an SERE term, then $t^*$, $\phi; \psi$, $(\phi)$, $\phi \wedge \psi$, and $\phi \vee \psi$ are all SERE formulae. We denote by $\mathit{SERE}$ the set of all SERE formulae.
A valuation $v \in V$ satisfies an atomic proposition $a \in A$, written $v \models a$, iff $v$ maps $a$ to true. A trace $\rho = v_1, v_2, \ldots, v_n$ is a sequence of valuations, and $|\rho| = n$ denotes its length. We denote by (1) $\rho = \rho_1 \cdot \rho_2$ the concatenation of the traces $\rho_1$ and $\rho_2$, and (2) $\rho(t, i)$ the value of term $t$ at the $i$th entry of $\rho$.
Definition (SERE term semantics). Let $\rho$ be a trace, and let $e_1$ and $e_2$ be SERE terms.
• If $e_1 \in A$ then $\rho \models e_1$ iff $|\rho| = 1$ and $\rho(e_1, 1)$ is true.
• $\rho \models \neg e_1$ iff $|\rho| = 1$ and $\rho \not\models e_1$.
• $\rho \models e_1 \wedge e_2$ iff $\rho \models e_1$ and $\rho \models e_2$.
• $\rho \models e_1 \vee e_2$ iff $\rho \models e_1$ or $\rho \models e_2$.
We denote by $[e]$ all the valuations that satisfy term $e$.
Let $\psi$ be an SERE formula of the form $x_1 y_1; x_2 y_2; \ldots; x_n y_n$ where, for $i \in [1 \ldots n]$, $x_i \in T$, $y_i \in \{\varepsilon, *\}$, and $\varepsilon$ is the empty string.
Definition (SERE formula semantics). Let $\rho$ be a trace and $\psi$ be an SERE formula. We say $\rho$ satisfies $\psi$ ($\rho \models \psi$) in the following cases.
• $\psi = x_1 y_1$ with $y_1 = \varepsilon$: iff $|\rho| = 1$ and $\rho(x_1, 1)$ is true.
We denote by $[\psi]$ all the traces that satisfy formula $\psi$. The semantics of a DFA $M$ are defined in the usual manner. A sequence of input valuations $\rho = v_0, v_1, \ldots, v_{n-1}$ determines a sequence of state transitions $\sigma = s_0, s_1, \ldots, s_n$ with $s_0 \in I$ and $s_{i+1} = \delta(s_i, e)$, where $e \in L$ is a transition label and $v_i \in [e]$. We say $\rho$ satisfies $M$ ($\rho \models M$) iff $s_n$ is an accept state of $M$ ($s_n \in F$).
Definition (Equisatisfiability). We say a DFA $M$ is equisatisfiable to an SERE formula $\psi$ iff $M$ is satisfiable if and only if $\psi$ is satisfiable; that is, $\exists \rho.\, \rho \models M \Leftrightarrow \exists \rho'.\, \rho' \models \psi$.
III. MOTIVATING EXAMPLE
Consider the SERE formula $\psi = a; b; c$. The NDFA $M$ in Figure 1 simulates $\psi$ with non-deterministic transitions in its initial state. Once $M$ receives a valuation where $a$ is true, it can move into state $s_1$ or remain in $s_0$, since $\delta(s_0, a) = \{s_0, s_1\}$.
Typically, an NDFA $M$ is translated into a DFA $M'$ using the subset construction, with a possible exponential blowup in the number of states [13]. In brief, states in $M'$ are subsets of states in $M$, and transitions are constructed to make $M'$ equivalent to $M$, yet deterministic. Figure 2 shows a DFA equivalent to $M$ produced using the JFLAP tool [17].
Instead, we encode the non-determinism using an additional free atomic proposition $r$, as shown in Figure 3. This results in a DFA $M_a$ that is equisatisfiable to $\psi$ and has a number of states linear in the number of terms in $\psi$. We use $M_a$ with symbolic and bounded model checkers wherever it is expensive or impossible to generate an equivalent DFA for $\psi$. Our technique leaves it to the model checker to handle the free variables added by our synthesis technique efficiently. In practice, even though our technique does not reduce the inherent complexity of the problem, it enables the application of several reduction and abstraction transformations available in model checkers such as ABC to reduce and solve the problem. These are not applicable without our technique.
Notice that, for each trace $\rho$ that satisfies $a; b; c$, there is a sequence of $r$ values under which the DFA in Figure 3 accepts $\rho$: set $r$ to true where the matching sequence starts in $\rho$ and to false otherwise.
IV. EQUISATISFIABLE DFA
Given an SERE formula $\psi$, we want to efficiently construct a DFA $M$ with a number of states linear in the size of $\psi$ that is equisatisfiable to $\psi$, such that a trace $\rho$ that satisfies $M$ also satisfies $\psi$. We focus on the two sources of non-determinism: the initial state and the $*$ operator.
We first consider formulae $\psi$ of the form $\psi = x_1 y_1; x_2 y_2; \ldots; x_n y_n$, where $A$ and $T$ denote the atomic propositions and SERE terms of $\psi$, respectively, $x_i \in T$, $y_i \in \{\varepsilon, *\}$, and $\varepsilon$ is the empty string. We want to construct a DFA $M = (Q, I, F, V', T', \delta)$ where $Q = \{s_0, s_1, \ldots, s_n\}$, $I = \{s_0\}$, and each state $s_i$ corresponds to the term $x_i$ in $\psi$. The other components $F$, $V'$, $T'$, and $\delta$ are discussed below.
Consider the initial state $s_0$, and consider an input valuation $v$ that matches $x_1$, the first term in $\psi$. The DFA $M$ needs to allow for two possibilities: (1) $v$ is part of the sequence matching the terms of $\psi$, and (2) $v$ is ignored and the next inputs are considered as the match to the first term in $\psi$. For example, consider $\psi = a; b$ where $A = \{a, b\}$ and consider the trace

Consider the subformula $x_1^*; x_2$, which specifies that input valuations matching the term $x_1$ occur zero or more times in succession, followed by a valuation that matches the term $x_2$. By definition, this includes non-determinism at every step. Once a valuation that matches $x_1$ is presented, $M$ should allow for more valuations matching $x_1$, and since we are restricting $s_1$ to correspond to $x_1$, $M$ stays in the same state. $M$ should also allow for valuations matching $x_2$ by transitioning to state $s_2$.
Consider the SERE formula $\psi = a; b^*; a$ where
and $v_5 = \{(a, \mathit{true}), (b, \mathit{false})\}$. Again, $\rho$ can satisfy $\psi$ in several ways. One way is to accept the subtrace $v_1, v_2, v_3$, and another is to accept the subtrace $v_3, v_4, v_5$. Once an input valuation such as $v_3$ that matches the second $a$ term in $\psi$ is presented, $M$ can move into the accepting state. It can also wait, since $v_2 \models b^*$, and then upon receiving $v_5$ go to the accepting state. We use one free atomic proposition to allow for this choice.
Further non-determinism needs to be considered when two consecutive terms in $\psi$ use the $*$ operator. For example, the input traces
true, all satisfy the formula $\psi = a; b^*; c^*; d$. $M$ needs to allow for enough choices in the states corresponding to the $*$ terms to accept the four traces. For $m$ consecutive $*$ operators, $x_i^*; x_{i+1}^*; \ldots; x_{i+m-1}^*$, we consider the corresponding $m$ states $S_* = \{s_i, s_{i+1}, \ldots, s_{i+m-1}\}$ with all transitions possible from a state $s_k \in S_*$ to a state $s_p \in S_*$ where $k \le p$, on the same input valuation. Therefore, we need $\lceil \log_2 m \rceil$ atomic propositions to encode these transitions as $(s_k, x_k \wedge \mathit{choice}(k, p, \bar r), s_p)$, where $\bar r$ is the vector of additional atomic propositions and $\mathit{choice}$ is a unique valuation of the propositions in $\bar r$ mapped to $p$ and $k$. The same applies to terms in $\psi$ that follow $s_i$ such that $y_i = \varepsilon$ and $y_{i-1} = *$.
A. Equisatisfiable DFA construction
Let $A' = A \cup \bar r$, where $\bar r$ is the vector of additional atomic propositions. $T'$ is the set of SERE terms over the atomic propositions $A'$, and $V'$ is the set of valuations over $A'$. We construct the transition function $\delta$ from four partial transition functions.
The function $\delta_0$ denotes the transitions at the initial state $s_0$. The function $\delta_\varepsilon$ denotes the transitions corresponding to terms $x_i y_i$, $i \in [1 \ldots n]$, where $y_i = \varepsilon$. The function $\delta_*$ denotes the transitions corresponding to terms $x_i y_i$, $i \in [1 \ldots n]$, where $y_i = *$. The function $\delta_{*'}$ denotes the transitions corresponding to terms $x_i y_i$, $i \in [1 \ldots n]$, where $y_i = \varepsilon$ and $y_{i+1} = *$. The difference between $\delta_*$ and $\delta_{*'}$ is that in $\delta_{*'}$ no self transitions are defined.
The transition function $\delta$ is now defined as $\delta = \delta_0 \cup \delta_\varepsilon \cup \delta_* \cup \delta_{*'}$. Finally, we construct $F$, the set of accepting states, as follows. If $y_n = \varepsilon$, then $F = \{s_n\}$. If $y_n = *$, then $F = \{s_i \mid i = n \text{ or } (k \le i \le n \text{ and } \forall j.\, k < j \le n \Rightarrow y_j = *)\}$. Intuitively, this includes the states corresponding to the suffix of $*$ terms, including the one preceding term. For example, the accept states in $M$ corresponding to the formula $x_1; x_2; x_3^*; x_4^*$ are $F = \{s_2, s_3, s_4\}$.
Theorem 1 (Equisatisfiability of $M$ and $\psi$).
Let $\psi = x_1 y_1; x_2 y_2; \ldots; x_n y_n$ with $A = \{x_1, x_2, \ldots, x_n\}$, and let $M = (Q, I, F, V', T', \delta)$ be the constructed DFA. Then $M$ and $\psi$ are equisatisfiable. In addition, if there exists $\rho$ that satisfies $M$, then $\rho$ also satisfies $\psi$.
The proof is by induction on the length of the formula $\psi$ and is available in the online appendix¹. Note that the proof shows that $\psi$ and $M$ are satisfied by the same trace, up to existential quantification over the added free (auxiliary) atomic propositions.
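The construction of Section IV-A and the semantics of Section II, as an added example that is not part of the paper or its tool: a Python sketch of an automaton for formulas of the form $x_1 y_1; \ldots; x_n y_n$ whose non-determinism is resolved by free choice inputs, next to a direct evaluator of the SERE semantics used as the reference, and an exhaustive enumeration of the choice inputs in place of the SAT solver inside a bounded model checker. The candidate-selection encoding (choice bits indexing the list of enabled successors), the bit budget $\lceil \log_2(n+2) \rceil$ instead of the paper's $\lceil \log_2 m \rceil$, and the suffix-match reading of acceptance (the wait loop in $s_0$ lets the match start anywhere) are this example's own simplifications; the formulas are those of Sections III and IV and the traces are constructed.

```python
# Added illustration (not the paper's tool): an equisatisfiable automaton for a
# SERE of the form x1 y1; x2 y2; ...; xn yn with the non-determinism resolved by
# free "choice" inputs, a direct evaluator of the SERE semantics as reference,
# and an exhaustive search over the choice inputs standing in for the SAT
# solver inside a bounded model checker.
from itertools import product
from math import ceil, log2

# A term is a predicate on a valuation (dict atom -> bool); a formula is a list
# of (term, starred) pairs, starred=True meaning the '*' operator.
def atom(a):
    return lambda v: bool(v.get(a, False))

def V(*true_atoms):                        # one valuation; unlisted atoms are false
    return {a: True for a in true_atoms}

def sere_matches(formula, trace):
    """Reference semantics: does the whole trace match x1 y1; ...; xn yn?"""
    def go(i, pos):
        if i == len(formula):
            return pos == len(trace)
        term, starred = formula[i]
        if starred and go(i + 1, pos):     # zero occurrences of a starred term
            return True
        if pos < len(trace) and term(trace[pos]):
            return go(i if starred else i + 1, pos + 1)  # consume one valuation
        return False
    return go(0, 0)

def suffix_matches(formula, trace):
    """The automaton waits in s_0, so it looks for a match of some suffix."""
    return any(sere_matches(formula, trace[p:]) for p in range(len(trace) + 1))

class ChoiceDFA:
    """States s_0..s_n; s_i records that x_i was the term matched last.
    From s_i the next valuation may re-match x_i (if starred) or match x_j, j > i,
    provided every term strictly between is starred (taken zero times).  The free
    choice bits pick one candidate, so the transition function is deterministic
    over the extended alphabet A' = A u r (our own, coarser bit count than the
    paper's ceil(log2 m))."""
    def __init__(self, formula):
        self.f, self.n = formula, len(formula)
        # s_i accepts iff every term after x_i is starred (s_n always accepts)
        self.accept = {i for i in range(self.n + 1)
                       if all(starred for _, starred in formula[i:])}
        self.bits = max(1, ceil(log2(self.n + 2)))   # at most n+1 candidates

    def candidates(self, i, v):
        c = []
        if i == 0:
            c.append(0)                    # wait: the match has not started yet
        elif self.f[i - 1][1] and self.f[i - 1][0](v):
            c.append(i)                    # self loop on a starred term
        for j in range(i + 1, self.n + 1):
            term, starred = self.f[j - 1]
            if term(v):
                c.append(j)
            if not starred:
                break                      # a non-starred term cannot be skipped
        return c

    def step(self, i, v, choice):
        c = self.candidates(i, v)
        return c[choice % len(c)] if c else None   # None: the match is dead

    def accepts(self, trace, choices):
        s = 0
        for v, ch in zip(trace, choices):
            s = self.step(s, v, ch)
            if s is None:
                return False
        return s in self.accept

def bmc_search(dfa, trace):
    """Existential over the free inputs by enumeration (the job of the SAT
    solver in BMC): the first choice sequence in lexicographic order under
    which the automaton accepts, or None."""
    for choices in product(range(2 ** dfa.bits), repeat=len(trace)):
        if dfa.accepts(trace, choices):
            return list(choices)
    return None

def check_equisat(formula, trace):
    """(automaton accepts for some choice, trace has a matching suffix)."""
    return bmc_search(ChoiceDFA(formula), trace) is not None, suffix_matches(formula, trace)

# Constructed inputs: the formulas of Sections III and IV and some traces.
a, b, c, d = map(atom, "abcd")
PSI_ABC = [(a, False), (b, False), (c, False)]              # a; b; c
PSI_ABSTAR_A = [(a, False), (b, True), (a, False)]          # a; b*; a
PSI_STARS = [(a, False), (b, True), (c, True), (d, False)]  # a; b*; c*; d

if __name__ == "__main__":
    print(bmc_search(ChoiceDFA(PSI_ABC), [V("b"), V("a"), V("b"), V("c")]))
    print(bmc_search(ChoiceDFA(PSI_ABSTAR_A), [V(x) for x in "ababa"]))
    print(check_equisat(PSI_STARS, [V(x) for x in "abcbd"]))
```

The witness returned for $a; b; c$ on the trace $b, a, b, c$ is the choice sequence 0, 1, 0, 0: wait one step, then start the match, which is exactly the $r$ assignment described for Figure 3. The two Booleans returned by check_equisat agree on every trace, which is the equisatisfiability of Theorem 1 checked by exhaustive search rather than by proof.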
B. Input to ABC
The ABC solver accepts a sequential circuit in And-Inverter Graph (AIG) form as input. An AIG is a circuit built only from two-input AND gates and inverters, plus latches for the sequential state. The translation from a DFA to an equivalent AIG circuit is straightforward. In short, we encode each state of the DFA by a unique valuation of the register variables, and construct the initial values and the next state functions of the registers according to $\delta$. The AIG circuit also has a unique output $o$ that is true only when the values of the registers correspond to a state in $F$. Note that $o$ is then negated in order to perform bounded model checking: a counterexample to "$\neg o$ always holds" is a trace that reaches an accepting state.
For a formula of the form $\psi = \phi_1 \wedge \phi_2$, we construct $C_1$ and $C_2$ corresponding to $\phi_1$ and $\phi_2$, respectively, and use the conjunction of the outputs of $C_1$ and $C_2$ to represent the satisfiability of $\psi$. Similarly, we use a disjunction for $\phi_1 \vee \phi_2$.
V. IMPLEMENTATION
We implemented our technique and integrated it with the ABC [18] synthesis and verification framework. We used ANTLR [19] to provide users with a C-like input language, augmented with constructs that support wire declarations, synchronization, and SERE specifications. Our tool supports scalar variables, Boolean variables, arrays, and functions, including recursion.
The tool generates an AIG circuit as discussed in Section IV. The added free atomic propositions are left as free primary input variables into the AIG circuit.
The goal of the verification procedure is to ensure that there exists at least one setting of the primary input variables that leads the AIG representing the SERE specification $\psi$ from its initial state to one of its accept states. Let $R$ be the set of all possible valuations of $\bar r$; $|R| = 2^{|\bar r|}$, where the size of $\bar r$ is bounded by $\lceil \log_2 m \rceil$ and $m$ is the maximum number of consecutive $*$ operators in $\psi$. Our goal is to prove that $\exists v_r \in R$ such that $\psi$ is satisfied. We encode the existential quantifier as a disjunction over all the valuations in $R$.
If the system under test violates $\psi$, ABC returns a counterexample and our tool provides a user friendly debugging interface to debug the system. Before performing symbolic or bounded model checking, the user can make use of the ABC framework to perform circuit level optimizations, an advantage not present in traditional model checking tools such as NuSMV [6]. This can help reduce the size of the problem. For bounded model checking, the user can also provide a bound on the number of transitions of the system. ABC then checks that the specification $\psi$ is always valid within the provided upper bound.
Figure 4 shows the implementation of a 2 bit counter. The @do_together modifier denotes that the enclosed list of statements occur simultaneously. The @guarantee_sere_invariant is a synchronization construct that times the specification evaluation. The @sere block lists the specifications. Atoms $x_i$, $0 \le i \le 3$, evaluate to true when $x = i$.

    int x;
    x = 0;
    while (true) {
      @do_together {
        if (x == 3) x = 0; else x = x + 1;
        @guarantee_sere_invariant cntr;
      }
    }
    @sere cntr {
      atoms x0, x1, x2, x3, x4.
      x0 <- (x == 0).
      x1 <- (x == 1).
      x2 <- (x == 2).
      x3 <- (x == 3).
      Formula f.
      f = (x0;x1;x2;x3;x0).
    }

Fig. 4. Example of a 2 bit counter
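The AIG encoding of Section IV-B and the composition of $C_S$ and $C_\Phi$ of Section V, as an added example that is not the paper's tool: the 2 bit counter of Fig. 4 and a monitor for x0;x1;x2;x3;x0 built as a single And-Inverter Graph in Python (one latch per monitor state, the free proposition r as a primary input, output o true in the accepting state), with an enumeration over the free inputs standing in for ABC's bounded model checking, and an AIGER text (aag) dump. The Aig class, the one-hot state encoding, the wrap_at parameter (a second counter that never reaches 3, so the sequence can never match) and the bound of 6 cycles are this example's own assumptions.

```python
# Added illustration (not the paper's tool): the 2-bit counter of Fig. 4 (C_S)
# and a monitor for its SERE x0;x1;x2;x3;x0 (C_Phi) built as one And-Inverter
# Graph with latches, the free proposition r as a primary input, an enumeration
# over the free inputs standing in for the bounded model checker, and an AIGER
# (aag) text dump.
from itertools import product

class Aig:
    """AIGER-style literals: 2*var, +1 inverts; 0 is false and 1 is true."""
    def __init__(self):
        self.n, self.inputs, self.latches, self.ands, self.outputs = 0, [], [], [], []
    def var(self):
        self.n += 1
        return 2 * self.n
    def inp(self):
        self.inputs.append(self.var())
        return self.inputs[-1]
    def latch(self):                              # reset value 0; next set later
        self.latches.append([self.var(), 0])
        return self.latches[-1][0]
    def set_next(self, lit, nxt):
        next(l for l in self.latches if l[0] == lit)[1] = nxt
    def AND(self, x, y):
        if 0 in (x, y): return 0
        if x == 1: return y
        if y == 1: return x
        self.ands.append((self.var(), x, y))
        return self.ands[-1][0]
    def NOT(self, x): return x ^ 1
    def OR(self, x, y): return self.NOT(self.AND(self.NOT(x), self.NOT(y)))
    def XOR(self, x, y): return self.OR(self.AND(x, self.NOT(y)), self.AND(self.NOT(x), y))
    def OR_ALL(self, lits):
        acc = 0
        for l in lits: acc = self.OR(acc, l)
        return acc
    def simulate(self, rows):
        """Cycle-accurate simulation from the reset state; outputs per cycle."""
        state = {l: 0 for l, _ in self.latches}
        outs = []
        for row in rows:
            val = {0: 0, **dict(zip(self.inputs, row)), **state}
            ev = lambda lit: val[lit & ~1] ^ (lit & 1)
            for lhs, x, y in self.ands:           # creation order is topological
                val[lhs] = ev(x) & ev(y)
            outs.append([ev(o) for o in self.outputs])
            state = {l: ev(nx) for l, nx in self.latches}
        return outs
    def aag(self):
        head = f"aag {self.n} {len(self.inputs)} {len(self.latches)} {len(self.outputs)} {len(self.ands)}"
        return "\n".join([head] + [str(i) for i in self.inputs]
                         + [f"{l} {nx}" for l, nx in self.latches]
                         + [str(o) for o in self.outputs]
                         + [f"{l} {x} {y}" for l, x, y in self.ands])

def build_counter(g, wrap_at):
    """C_S: x starts at 0, increments, and returns to 0 after reaching wrap_at
    (3 in Fig. 4).  Returns the atoms x_i <-> (x == i) as literals."""
    x0, x1 = g.latch(), g.latch()                 # x = 2*x1 + x0
    atoms = [g.AND(g.NOT(x1), g.NOT(x0)), g.AND(g.NOT(x1), x0),
             g.AND(x1, g.NOT(x0)), g.AND(x1, x0)]
    keep = g.NOT(atoms[wrap_at])
    g.set_next(x0, g.AND(keep, g.NOT(x0)))
    g.set_next(x1, g.AND(keep, g.XOR(x1, x0)))
    return atoms

def build_monitor(g, terms, r):
    """C_Phi for a star-free chain t1; ...; tn: one latch per state s_1..s_n,
    s_0 is 'no latch set'.  The match may start only when the free input r is
    true (the r-labelled edge out of s_0 in Figure 3); o is true in s_n."""
    s = [g.latch() for _ in terms]
    prev = g.AND(g.NOT(g.OR_ALL(s)), r)
    for st, t in zip(s, terms):
        g.set_next(st, g.AND(prev, t))
        prev = st
    g.outputs.append(s[-1])
    return s[-1]

def build_checker(wrap_at=3):
    """C = C_S composed with C_Phi; the only primary input is r."""
    g = Aig()
    r = g.inp()
    x = build_counter(g, wrap_at)
    build_monitor(g, [x[0], x[1], x[2], x[3], x[0]], r)   # x0;x1;x2;x3;x0
    return g

def bmc_witness(g, bound):
    """The existential over the free inputs written as a disjunction over all
    their valuations (Section V), by enumeration rather than SAT.  Returns
    (first cycle with o = 1, input rows) or None if o is unreachable in bound."""
    best = None
    for rows in product(product((0, 1), repeat=len(g.inputs)), repeat=bound):
        hit = next((k for k, o in enumerate(g.simulate(rows)) if o[0]), None)
        if hit is not None and (best is None or hit < best[0]):
            best = (hit, [list(row) for row in rows])
    return best

if __name__ == "__main__":
    print(bmc_witness(build_checker(3), 6))   # the counter of Fig. 4 satisfies cntr
    print(bmc_witness(build_checker(2), 6))   # a counter that wraps at 2 never does
    print(build_checker(3).aag())
```

For the counter of Fig. 4 the witness is r true in cycle 0 and false afterwards, with o rising in cycle 5 after the values 0, 1, 2, 3, 0 have been seen; for the counter that wraps at 2 no assignment of r reaches o within the bound, which is how a defect shows up. The aag text is the ASCII AIGER format, convertible with aigtoaig from the AIGER tools into the binary form ABC reads.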
VI. EXPERIMENTAL RESULTS
We compare our implementation with NuSMV2 [6], a symbolic model checker used for the verification of system designs. NuSMV2 accepts Computation Tree Logic (CTL), the Property Specification Language, and LTL as specification languages. We compare our implementation with the NuSMV2 model checker on LTL properties.
In several examples, such as the load balancer example, we succeeded in generating an AIG and finding counterexamples in defective circuits where the techniques in NuSMV2 failed.
All computation times reported below were obtained on a machine with a 2.20 GHz Intel Core i7 processor running an x64 version of Ubuntu Linux. The allowed memory usage is up to 8 GB and we set a timeout of 1800 seconds. For our experiments, we used NuSMV v2.5.4.
A. LILY [3] and UNBEAST [4] Examples
We used LILY examples [3] and the UNBEAST load balancer example [4] as benchmarks for comparison. We passed LTL formulae from the benchmarks to LILY and UNBEAST and generated implementation designs. Then we translated the resulting designs manually into the input language of our tool as well as into SMV, the language of NuSMV2. In the cases where LILY and UNBEAST were not able to generate designs, we manually wrote dummy designs in which defects surely exist. Note that in both cases, we manually translated the LTL properties into SERE. We passed the implementation annotated with the SERE specification to both NuSMV and to our tool and compared the results based on the size of the resulting structure passed to the model checker, and on the computation time. NuSMV generates BDDs to perform reachability analysis. Our tool generates AIG circuits and passes them to ABC. We report the number of latches and AND gates in our synthesized AIG, before and after applying optimizations, versus the number of states in the generated DFA and the total number of BDD nodes from NuSMV2. We use the commands dump_fsm and print_usage to obtain this information from the NuSMV2 tool. Table I shows a summary of the results obtained from performing formal verification of the realizable load balancing examples from UNBEAST [4] and examples from the LILY suites [3]. Designs labeled load_* correspond to load balancing examples, while designs labeled demo-v* correspond to examples from the LILY benchmarks for a traffic light system. Note that we restrict our attention to realizable LTL formulae.
We used the demos, version 3 and 19, from the LILY benchmarks for comparison. We were able to generate the circuits and verify them in both cases. We employed several circuit level synthesis techniques available in ABC [18] and were able to significantly reduce the size of the problem. NuSMV2 was also able to verify both models efficiently.
For the load balancer examples, we verified 5 of the examples that we tested, and we found problems in the others and fixed them. We used LILY and UNBEAST to generate the models from the specifications, and then checked the generated models against their specifications. NuSMV2 was also able to verify the 5 examples but failed (timed out at 30 minutes) to process the LTL formulae of the other benchmarks, such as load_30, load_75, load_76, load_77, load_78, and load_79. UNBEAST and LILY were not able to generate a model from these specifications either. Notice that the load_79 benchmark is the largest design in the load balancer benchmarks, with 9 clients and a fixed number of servers. This is evidence of the utility of our technique, which enables model checking where other tools fail. We also note that in all cases, the size of the problem we send to the model checker was smaller than the size of the problem generated by NuSMV2.
B. IBM Arbiter Case Study
We also used our tool on the IBM generalized buffer [16]. The model consists of four senders that communicate with a generalized buffer in order to send data to two receivers. Each sender has its own data line while the receivers share a common data bus. The buffer also includes a first-in first-out queue. We translated the VHDL implementation provided by IBM and checked it against the defined specifications. We checked two assertions on the design.
• Sender requests are always acknowledged, and
• arbiter requests are always acknowledged.
Note that since the original LTL assertions are of the form "is always acknowledged", writing an SERE specification for the good traces would not be useful for bounded model checking, since the specification would match as soon as one request was acknowledged once. To overcome this limitation, we bound the number of requests and then check that all requests within this bound have been acknowledged.
We were able to efficiently verify the first assertion. However, when verifying the second assertion our implementation detected a counterexample, and after debugging and inspection we found a defect in the assignment of the request acknowledgments in the provided VHDL implementation. Table II shows the size of the synthesized AIG circuit in terms of the number of latches and the number of AND gates before and after optimizations, and the verification decision of our tool for both specifications.
Our tool and the experiments are all available online 1 .
VII. RELATED WORK
Several techniques have been developed in the literature to synthesize LTL formulae, usually describing properties that hold over real-life hardware systems and designs. These synthesis techniques have different targets: some aim to generate complete and correct systems from input specifications, while others generate monitors that ensure the correct functionality of systems through assertion checking. We differ from most of the literature in that we synthesize a circuit equisatisfiable to the formula that is suitable for model checking purposes only.
NuSMV2 [6] is a symbolic model checking tool that employs both satisfiability (SAT) and BDD based model checking techniques. It processes an input describing the logical system design as a finite state machine, and a set of specifications expressed in LTL, Computation Tree Logic and the Property Specification Language. Given a model $M$ and a set of specifications $P$, NuSMV2 first flattens $M$ and $P$ by resolving all module instantiations and creating modules and processes, thus generating one synchronous design. It then performs a Boolean encoding step to eliminate all scalar variables, arithmetic and set operations, encoding them as Boolean functions.
In order to avoid the state space explosion problem, NuSMV2 performs a cone of influence reduction [14] step in order to eliminate non-needed parts of the flattened model and specifications. The cone of influence reduction abstraction technique aims at simplifying the model in hand by only referring to variables that are of interest to the verification procedure, i.e. variables that influence the specifications to check [11] . We use NuSMV2 to compare the results of our implementation on a set of benchmarks as described in Section VI.
FoCs is an industrial tool developed at IBM research labs, targeted at generating simulation checkers from formal specifications [5]. The tool's goal is to reduce, or possibly eliminate, the amount of human intervention in writing and maintaining functional checkers. FoCs takes an input specification expressed in RCTL [20] and generates formal checkers written in VHDL. These checkers are then linked with the original VHDL and executed on a set of test programs. The role of the formal checkers is to make sure that the original design never goes into an error state.
The generation of the formal checkers from the RCTL specifications is done in three steps. First, the RCTL is translated into an NDFA according to the algorithm described in [20]. This NDFA has a set of error states, which represent the states that the design should never enter if it meets the required specifications. In order to generate the VHDL checkers, the NDFA has to be translated into a DFA, which is in turn translated into a VHDL process. This process is then run alongside the original design to check for violations of the specifications.
The key drawback of FoCs' approach is that the transformation algorithm generates a DFA that can be exponential in the number of states of the NDFA, which takes us back to the state-space explosion problem. The authors claim that such a limitation does not exist in their case, since the simulation is rather sensitive to the number of VHDL lines in the generated checker, which is at most quadratic in the size of the property to check. Our approach differs from FoCs in that it aims at generating an AIG with free primary input variables that is linear in the size of the property, without generating an intermediary NDFA. Therefore, it can help render the generated VHDL checker even smaller in terms of lines of code.
Jobstmann et al. developed LILY [3], a synthesis tool aimed at synthesizing correct designs from LTL specifications. It is implemented on top of Wring, and introduces several optimizations based on alternating tree automata, covering both game based and simulation based optimization techniques. They present an incremental algorithm for checking the realizability of LTL formulae, and output a Verilog [21] model in case the formula is realizable. We made use of LILY to generate several design models, and then checked these generated models against their original specifications using our own implementation.
UNBEAST [4] is a synthesis tool that aims to generate system designs that are correct by construction. It takes as input a specification containing environment assumptions and system guarantees, and splits them into safety and non-safety conditions. Each of these sets of conditions is then handled differently in the synthesis game. Unlike LILY, it relies on universal co-Büchi word automata instead of co-Büchi tree automata. It checks the realizability of LTL formulae and returns SMV models when realizable. We differ from both UNBEAST and LILY in the type and the goal of synthesis. Our goal is to generate a monitor from SERE properties, while LILY and UNBEAST generate models that satisfy the LTL properties. Our generated DFA is equisatisfiable to the input SERE property, and thus can be used for model checking purposes only.
VIII. CONCLUSION
In this paper we presented a technique that takes a formula in SERE and transforms it into an AIG circuit with a number of states that is linear in the length of the formula. The generated circuit is equisatisfiable to the formula and enables the use of symbolic model checking and bounded model checking where it was not possible before, i.e. where the typical translation from the NDFA equivalent of the formula to a DFA blows up exponentially.
