Abstract. In this paper, we describe a first-order linear time temporal logic (LTL) model checker based on multiway decision graphs (MDG). We developed a first-order temporal language, L_MDG*, which expresses a subset of many-sorted first-order LTL and extends an earlier language, L_MDG, defined for MDG based abstract CTL model checking. We derived a set of rules enabling the transformation of L_MDG* formulas into generalized Büchi automata (GBA). The product of this GBA and the abstract state machine (ASM) model is checked for language emptiness. We have lifted two instances of the generalized Strongly Connected Component (SCC)-hull (GSH) checking algorithm [17] to support abstract data and uninterpreted functions based on operators available in the MDG package. Experimental results have shown the superiority of our tool compared to the same instances of GSH implemented with BDDs in VIS.
1 Introduction
Formal verification has received considerable attention from the electrical engineering, computer science and industry communities, and many BDD based formal verification tools have been developed over the years. These, however, suffer from the well-known state space explosion problem. Multiway Decision Graphs (MDGs) [5] have been introduced as one way to reduce this problem. MDGs are based on a many-sorted first-order logic with a distinction between concrete and abstract sorts. Abstract variables are used to represent data signals, while uninterpreted function symbols are used to represent data operations, providing a more compact description of circuits with complex data paths. Many MDG based verification applications have been developed during the last decade, including invariant checking, sequential equivalence checking, and abstract CTL model checking [21] of abstract state machines (ASM) [5]. The MDG tools are available at [22].
In this paper we introduce a new MDG verification application by implementing automata based model checking of a subset of first-order linear time temporal logic (LTL). Generally, LTL model checking verifies a Kripke structure with respect to a propositional linear time temporal logic (PLTL) formula. A PLTL formula φ is valid if it is satisfied by all paths of the Kripke structure M. The validation of φ can be done by converting its negation into a Generalized Büchi Automaton (GBA) [19] B_¬φ, composing the automaton with the model M, and checking its language emptiness [19]. The main idea of the work we describe in this paper is to lift classical LTL model checking procedures to the language emptiness checking (LEC) of a GBA encoded with MDGs. To this end, we define an extended temporal logic, called L_MDG*, for which we have developed a set of derivation rules that transform L_MDG* properties into PLTL formulas augmented with a transformation circuit, which will be composed with the system model (ASM) under verification. We use an automata generator to get a GBA for the negation of this PLTL formula. Language emptiness checking based on two instances of the GSH algorithm [17] is finally performed on the product of the latter and the composed ASM described earlier. We call this new MDG verification application MDG LEC.
442 F. Wang, S. Tahar, and O.A. Mohamed
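The acceptance condition that the language emptiness check decides is: the product automaton is non-empty exactly when a reachable, nontrivial SCC intersects every fair (accepting) set of the GBA. The following explicit-state check is an added example, not code from the paper or the MDG package; it decides that same condition over a small hand-constructed product graph, where the paper's GSH algorithm computes it symbolically over MDG-encoded states.

```python
# Added example: explicit-state generalized Büchi emptiness check.
# The paper's MDG LEC tool decides this condition symbolically (GSH/SCC-hull);
# here it is done with Tarjan's SCC algorithm on an explicit graph.
from typing import Callable, Dict, FrozenSet, Hashable, Iterable, List, Optional, Set

State = Hashable
Succ = Callable[[State], Iterable[State]]


def reachable_sccs(initial: State, succ: Succ) -> List[FrozenSet[State]]:
    """Tarjan's algorithm restricted to the states reachable from `initial`."""
    index: Dict[State, int] = {}
    low: Dict[State, int] = {}
    stack: List[State] = []
    on_stack: Set[State] = set()
    sccs: List[FrozenSet[State]] = []

    def visit(v: State) -> None:
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in succ(v):
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:  # v is the root of an SCC: pop the component
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            sccs.append(frozenset(comp))

    visit(initial)
    return sccs


def accepting_scc(initial: State, succ: Succ, fair_sets: List[Set[State]]) -> Optional[FrozenSet[State]]:
    """Return a reachable, nontrivial SCC meeting every fair set (a non-emptiness witness), or None."""
    for comp in reachable_sccs(initial, succ):
        nontrivial = len(comp) > 1 or any(w in comp for w in succ(next(iter(comp))))
        if nontrivial and all(comp & fair for fair in fair_sets):
            return comp
    return None


def gba_is_empty(initial: State, succ: Succ, fair_sets: List[Set[State]]) -> bool:
    """Language of the product GBA is empty iff no accepting SCC exists."""
    return accepting_scc(initial, succ, fair_sets) is None


# Constructed product graph (not from the paper): cycle b<->c, sink d with a self loop.
EDGES: Dict[str, List[str]] = {"a": ["b"], "b": ["c"], "c": ["b", "d"], "d": ["d"]}
```

With fair sets [{"b"}, {"c"}] the SCC {b, c} is accepting, so the language is non-empty; with [{"b"}, {"d"}] no single SCC meets both sets and the language is empty.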
The rest of the paper is organized as follows: Section 2 describes related work. Section 3 overviews the notion of multiway decision graphs. Section 4 defines the first-order linear temporal logic L_MDG* and related transformation rules. Section 5 describes the language emptiness checking algorithms. Section 6 provides a case study applying the developed MDG LEC tool on an ATM (Asynchronous Transfer Mode) switch fabric. Finally, Section 7 concludes the paper.
2 Related Work
The idea of first-order temporal logic model checking is not new. For instance, Bohn et al. [3] presented an algorithm for checking a first-order CTL specification on a first-order Kripke structure, an extension of "ordinary" Kripke structures by transitions with conditional assignments. The algorithm separates the control and data parts of the design and generates the first-order verification conditions on data. The control part can be verified with Boolean model checking, while the data part of the design has to be verified using interactive theorem proving. Compared to this work, our logic is less expressive since L_MDG* cannot accept existential quantification. However, in our approach the property is checked on the whole model automatically, while in [3] a theorem prover is needed to validate the first-order verification conditions. Besides, our method can be applied to any finite state model, while their application is limited to designs that can be separated into data and control parts.
Hojati et al. [13] proposed an integer combinational/sequential (ICS) concurrency model to describe hardware systems with datapath abstraction. They used symbols such as finite relations, interpreted and uninterpreted integer functions and predicates, and performed the verification of ICS models using language containment. For a subclass of "control-intensive" ICS models, integer variables in the model can be replaced by enumerated variables, hence enabling verification at the Boolean level without sacrificing accuracy. Compared to ICS, our ASM models are more general in the sense that the abstract sort variables in our system can be assigned any value in their domain, instead of a particular constant or function of constants as in ICS models. For the class of ICS mod-
