Abstract. This paper reports on the design verification of a real microprocessor using a symbolic model checking algorithm for a variant of branching time temporal logic, namely branching time regular temporal logic (BRTL). The 8-bit microprocessor which was verified is KUE-CHIP2, an LSI chip developed for educational purposes. The KUE-CHIP2 contains approximately 1,600 gates and 68 flip-flops and supports 19 kinds of instructions, many of which can specify absolute/index addressing. The specification language is BRTL, an enhancement of computation tree logic (CTL). BRTL has automaton connectives as temporal operators. Some examples of specifications in BRTL are shown. The adopted verification technique is symbolic model checking using binary decision diagrams (BDD). Some of the properties, such as conditions for buses or behaviors of the instructions, were checked. The verifier succeeded in finding a bug. The total verification time for all the instructions was approximately 10 hours.
Introduction
In order to verify the correctness of finite state machines automatically, various methods have been widely studied. Among them, the model checking approach based on computation tree logic (CTL) has been shown to be one of the most practical and effective methods. The model checking method, however, suffered from the combinatorial explosion which can be observed in the construction of state transition graphs or Kripke structures from sequential circuits.
On the other hand, as a new data structure to represent and handle logic functions, the binary decision diagram (BDD) was formulated by R.E. Bryant [1]. Through the development of efficient BDD manipulators [2, 3], it has become known that BDDs can effectively relax the exponential blowups which occur in the manipulation of logic functions.
The key idea of symbolic model checking proposed by Burch et al. [4] is to express sequential circuits by logic functions and to perform model checking through logic function manipulation. Using BDDs for manipulating logic functions, the symbolic model checker for CTL succeeded in verifying a pipelined ALU which has $10^{20}$ states in the form of state transition diagrams [4]. The circuit size which can be handled has been increased by several works [5, 6]. Recently, by introducing abstraction through homomorphism to reduce a register file composed of 64 registers to 3 registers, a pipelined ALU with $10^{1300}$ states was successfully verified [7]. The aim of this paper is to report on the design verification of a real microprocessor based on the symbolic model checking method. The 8-bit microprocessor which was verified is KUE-CHIP2 (Kyoto University Educational Chip 2), an LSI chip developed for educational purposes. The KUE-CHIP2, which is composed of approximately 1,600 gates and 68 flip-flops, is in some respects more complex than the above pipelined ALU. For example, the processor supports 19 kinds of instructions, many of which specify absolute/index addressing modes, and the phase length of the instructions varies in the range from 3 to 5.

* This research was partially supported by Japan-USA Cooperative Research sponsored by JSPS and NSF. The first author was partially supported by Grant-in-Aid for Scientific Research (B)(1) under project number 04555079.
The specification is described using branching time regular temporal logic (BRTL) [8], which is an improvement of CTL in terms of expressive power. BRTL uses a restricted ω automaton of Büchi type to express temporal properties. Although its expressive power is smaller than that of extended CTL (ECTL) [9], the restriction on the ω automata gives a lower computation cost in symbolic model checking. For example, complex nested fixed point operations can be avoided.
The reason BRTL was used instead of CTL or the μ-calculus [10], etc., is that an ω automaton is a straightforward way to express temporal properties, especially when we handle a structure corresponding to a 'while' loop. Furthermore, it is easier to understand intuitively than the greatest or least fixed point operators of the μ-calculus. In a later section, we show some examples of how to describe specifications for the microprocessor in BRTL.
Using a symbolic model checking algorithm for BRTL, some of the properties, such as conditions for buses or behaviors of the instructions, were checked and bugs were found. (In the verification, the abstraction method was not utilized.) The experimental results suggest that the verification of the whole chip (excluding the internal memory) can be performed in reasonable time.
This paper is organized as follows: Section 2 overviews design verification using BRTL. Section 3 explains the algorithm of symbolic model checking through an example. Section 4 describes some examples of specifications for the KUE-CHIP2 and reports experimental results. Section 5 concludes this paper. The precise definition of BRTL and the details of the algorithm are given in the Appendix.
2 Overview of Design Verification
This section overviews how a given sequential machine is verified against a specification described in BRTL. When we consider a tuple of input values and output values, i.e. an input/output tuple, the behavior of a sequential machine corresponds to a set of sequences composed of input/output tuples. The model checking algorithm checks whether the property which a given BRTL formula specifies is satisfied by the set of sequences of input/output tuples.
In the following, the values allowed as inputs and outputs are restricted to 1 or 0, without loss of generality. The Boolean operators $\vee$, $\neg$, $\wedge$, $\equiv$ and $\Rightarrow$ mean disjunction, negation, conjunction, equivalence and implication as usual; true and false represent tautology and inconsistency respectively. $+$, overbar and $\cdot$ are sometimes used instead of $\vee$, $\neg$ and $\wedge$ respectively.
(1) Transformation to Kripke structure
We assume designs are given as sequential machines. Since the semantics of BRTL formulas is determined over Kripke structures, a Kripke structure has to be obtained such that the structure reflects all the behaviors of the sequential machine.
The sequential machine of Moore type shown in Figure 1

(2) Specification

Consider the property "It always holds that, when the input x becomes 1, then the output changes its value at the next time". The property is expressed as follows:
$\forall\mathrm{Always}(x \Rightarrow ((z \Rightarrow \forall\mathrm{Next}(\neg z)) \wedge (\neg z \Rightarrow \forall\mathrm{Next}(z))))$
Here $\forall$ means "over all paths on the Kripke structure". Always(f) and Next(f) mean "f always holds" and "f holds at the next time" respectively. Temporal properties such as Always and Next are described by the finite automata shown in Figure 2.
The automata have propositional logic formulas (more generally, BRTL formulas) as their transition conditions. The finite automata in BRTL accept or reject infinite sequences of vectors composed of 0s and 1s. The acceptance condition is of Büchi type, that is, an automaton accepts an infinite sequence if and only if it visits some accepting state infinitely often. Only automata satisfying the following conditions are allowed in BRTL.
- It has a unique initial state.
- The transition is deterministic and completely specified.
- There exists no path from an arbitrary rejecting state $q_r$ back to $q_r$ via some accepting state.
For automata $A$, $A_1$ and $A_2$, $\forall A$, $\exists A$, $\forall(A_1 \vee A_2)$, $\forall\neg A$ and so on can be described in BRTL.
(3) Verification
Whether a BRTL formula holds or not is determined at each vertex of a Kripke structure. A formula $\forall A$ ($\exists A$) holds at a vertex if and only if all (some) paths on the Kripke structure starting from the vertex are accepted.
For example, in Figure 1(b), $\forall\mathrm{Next}(z)$ holds at s~ and $g \stackrel{\mathrm{def}}{=} x \Rightarrow ((z \Rightarrow \forall\mathrm{Next}(\neg z)) \wedge (\neg z \Rightarrow \forall\mathrm{Next}(z)))$ holds at $s_0$, $s_1$, $s_2$ and $s_3$.
The given specification is satisfied if and only if the BRTL formula holds at every initial vertex of the Kripke structure.
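The verification step above, as an added example that is not the paper's code: an explicit-state evaluation of $\forall A$ on a constructed Kripke structure (not the paper's Figure 1) whose vertices are input/output tuples (x, z) of a Moore machine that toggles z whenever x is 1. The Always and Next automata are built in the restricted class just described (deterministic, completely specified, no return to a rejecting state via an accepting one), which is what lets a single greatest fixed point followed by one least fixed point decide acceptance; sub-formulas are evaluated bottom-up exactly as in the Figure 1 example.

```python
# Added example (not the paper's code): explicit-state check of a BRTL formula
# "forall A". Constructed Kripke structure: vertices are input/output tuples
# (x, z) of a Moore machine whose output z toggles whenever the input x is 1.
from itertools import product

LABEL = {"s0": {"x": 0, "z": 0}, "s1": {"x": 1, "z": 0},
         "s2": {"x": 0, "z": 1}, "s3": {"x": 1, "z": 1}}
SUCC = {"s0": {"s0", "s1"}, "s1": {"s2", "s3"},
        "s2": {"s2", "s3"}, "s3": {"s0", "s1"}}

# Automaton = (initial state, edges, accepting states); an edge is
# (from, condition on a vertex, to) and the first matching edge fires.
def always(f):
    return "a", [("a", f, "a"), ("a", lambda v: True, "dead"),
                 ("dead", lambda v: True, "dead")], {"a"}

def nxt(f):
    return "q0", [("q0", lambda v: True, "q1"), ("q1", f, "a"),
                  ("q1", lambda v: True, "dead"), ("a", lambda v: True, "a"),
                  ("dead", lambda v: True, "dead")], {"a"}

def step(edges, q, v):
    return next(t for (s, cond, t) in edges if s == q and cond(v))

def forall(aut):
    """Vertices where 'forall A' holds: (v, q0) cannot reach a rejecting cycle."""
    q0, edges, acc = aut
    states = {s for (s, _, t) in edges} | {t for (s, _, t) in edges}
    prod = set(product(LABEL, states))
    succ = {(v, q): {(w, step(edges, q, v)) for w in SUCC[v]} for (v, q) in prod}
    bad = {(v, q) for (v, q) in prod if q not in acc}
    while True:                      # greatest fixed point: can stay rejecting
        kept = {p for p in bad if succ[p] & bad}
        if kept == bad: break
        bad = kept
    while True:                      # least fixed point: can reach such a state
        grown = bad | {p for p in prod if succ[p] & bad}
        if grown == bad: break
        bad = grown
    return {v for v in LABEL if (v, q0) not in bad}

def check_example():
    """Evaluate the Sect. 2 formula bottom-up, sub-formulas first."""
    next_not_z = forall(nxt(lambda v: not LABEL[v]["z"]))
    next_z = forall(nxt(lambda v: LABEL[v]["z"]))
    def g(v):  # x => ((z => forall Next(not z)) and (not z => forall Next(z)))
        x, z = LABEL[v]["x"], LABEL[v]["z"]
        return (not x) or ((not z or v in next_not_z) and (z or v in next_z))
    return {"next_z": next_z, "next_not_z": next_not_z,
            "always_g": forall(always(g))}
```

On this structure $\forall\mathrm{Always}(g)$ holds at every vertex, whereas $\forall\mathrm{Always}(z)$ holds nowhere because every vertex can reach one with z = 0.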
3 Outline of Symbolic Model Checking
The details of the symbolic model checking algorithm are given in the Appendix.
The following notations are used. $f$ is a logic function. $\exists x.f(x, y) \stackrel{\mathrm{def}}{=} f(0, y) \vee f(1, y)$. For $x = x_1, x_2, \ldots, x_n$, $\exists x.f(x, y) \stackrel{\mathrm{def}}{=} \exists x_1.(\exists x_2. \cdots (\exists x_n.f(x, y)) \cdots)$.
Furthermore, for $B = \{0, 1\}$, a subset $X \subseteq B^n$ is represented by a logic function with $n$ variables $f_X$ such that $f_X$ satisfies the following condition:
When a sequential machine is given as a design, a unique code word is assigned to each state of the machine, and the transition functions and output functions of the machine are used as inputs to the model checking algorithm. To implement the above algorithm, the manipulation of logic functions must be performed efficiently. The shared binary decision diagram (SBDD) [2] is an improvement of the original BDD [1] which shares all possible subgraphs among multiple functions. By using BDDs, logical operations, substitution for logical variables and equivalence checking of two functions can be performed efficiently, and many functions are represented compactly. The implemented system uses SBDDs.
For the purpose of efficient model checking, the whole transition relation function $f_S$ is not generated. Each transition function is handled separately, using the method shown in [5, 6].
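The notation of this section and the remark about handling transition functions separately, as an added example that is not the paper's code. Logic functions are plain Python callables over an assignment dict instead of SBDDs, which keeps the operations ($\exists x.f = f(0,y) \vee f(1,y)$, substitution, on-sets) visible; the design is a constructed 2-bit counter with flip-flops s1, s0 and an enable input en. The functional pre-image substitutes each $\delta_i$ for its next-state variable and quantifies only the inputs, and is compared against the monolithic-relation form $\exists s'.\exists x.(N \wedge f_X(s'))$ that the section avoids building.

```python
# Added example (not the paper's code): the logic-function notation of Sect. 3
# applied to pre-image computation for a constructed 2-flip-flop machine.
# Logic functions are Python callables over an assignment dict; a real
# checker stores them as (S)BDDs, but the operations are the same.
from itertools import product

def exists(var, f):      # ∃x.f(x, y) = f(0, y) ∨ f(1, y)
    return lambda e: bool(f({**e, var: 0}) or f({**e, var: 1}))

def for_all(var, f):     # ∀x.f = ¬∃x.¬f
    return lambda e: bool(f({**e, var: 0}) and f({**e, var: 1}))

def quantify(q, variables, f):   # ∃x1.(∃x2.( ... ∃xn.f ... )) for a vector x
    for v in variables:
        f = q(v, f)
    return f

def substitute(f, mapping):      # replace next-state variables by their functions
    return lambda e: f({**e, **{v: g(e) for v, g in mapping.items()}})

def on_set(f, variables):        # subset of B^n represented by f (its on-set)
    return {bits for bits in product((0, 1), repeat=len(variables))
            if f(dict(zip(variables, bits)))}

# Constructed design: 2-bit counter (flip-flops s1 s0) that counts when en = 1.
STATE, INPUT, NEXT = ["s1", "s0"], ["en"], ["s1n", "s0n"]
DELTA = {"s1n": lambda e: e["s1"] ^ (e["s0"] & e["en"]),
         "s0n": lambda e: e["s0"] ^ e["en"]}

def pre_image_functional(f_x, universal):
    """Pre-image of the set f_x using each transition function separately:
    ∀x. f_x(δ(s, x)) (every successor in X) or ∃x. f_x(δ(s, x)) (some)."""
    g = substitute(lambda e: f_x({"s1": e["s1n"], "s0": e["s0n"]}), DELTA)
    return quantify(for_all if universal else exists, INPUT, g)

def pre_image_relational(f_x):
    """The same ∃-pre-image via the monolithic relation N(s, x, s') = ∧_i (s_i' ≡ δ_i)
    and ∃s'.∃x.(N ∧ f_x(s')), i.e. what Sect. 3 avoids generating."""
    n = lambda e: all(e[v] == d(e) for v, d in DELTA.items())
    h = lambda e: n(e) and f_x({"s1": e["s1n"], "s0": e["s0n"]})
    return quantify(exists, NEXT + INPUT, h)

def demo():
    f_x = lambda e: e["s1"] == 1        # X = states with the high bit set
    return (on_set(pre_image_functional(f_x, True), STATE),
            on_set(pre_image_functional(f_x, False), STATE),
            on_set(pre_image_relational(f_x), STATE))
```

The universal pre-image is the set computed for $\forall\mathrm{Next}$ in the model checker; the two existential results coincide, which is the point of partitioning the relation.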
4 Verification Results

Specification
In this section, examples of specification descriptions are shown. The verified microprocessor is KUE-CHIP2. The KUE-CHIP2 is an 8-bit microprocessor based on CMOS technology and is the second version of KUE-CHIP [11], which was developed for educational purposes. The microprocessor contains approximately 1,600 gates (exclusive of the internal memory) and 68 flip-flops and supports 19 kinds of instructions, many of which can specify absolute/index addressing modes. The microprocessor contains neither a pipeline structure nor a multiplier. The architecture is shown in Figure 3. The microprocessor has three kinds of operation modes: normal mode, single instruction mode and single phase mode. Under the single instruction (or phase) mode, only one instruction (or phase) is performed per start pulse.
The KUE-CHIP2 has an external memory and an internal memory. Since direct manipulation of an 8 bit by 512 word memory is impossible even with BDDs, the inputs (or outputs) of the memory are modeled as outputs (or inputs) of the microprocessor. Specifications have to be described so that the contents of the memory are not accessed.
Phase signals
The following formula means that "if 'op' is always 1, then the phase number of each instruction is 3, 4 or 5, and the phase signals become 1 correctly". 'op' is a signal which indicates that the microprocessor is in operation. 'ph0' is an abbreviation of $ph_0 \cdot \overline{ph_1} \cdot \overline{ph_2} \cdot \overline{ph_3} \cdot \overline{ph_4}$, and so on; $ph_i$ is the signal representing phase $i$, at which the processor is operating.
$\forall\mathrm{Always}(\forall(\mathrm{Always}(op) \Rightarrow A))$
A is shown in Figure 4 . The edges to the dead state are abbreviated.
Conditions for Buses
The condition for the bus shown in Figure 7 can be described as follows:
$\forall\mathrm{Always}(a\bar{b}\bar{c} + \bar{a}b\bar{c} + \bar{a}\bar{b}c)$
The formula claims that one and only one of the control signals a, b and c of the tristate buffers is 1. Always is shown in Figure 2.
Behaviors for Instructions
The behavior of each instruction is verified by checking the behavior for each bit and for each phase. For example, the behavior of the instruction IN is informally described by Figure 5. The following formula specifies the behavior for (ibuf) → acc.
$\forall\mathrm{Always}(\forall(\ldots \Rightarrow IN))$
IN is shown in Figure 6. The instruction IN fetches data from the input buffer and puts it into the accumulator. 'ibuf0' and 'acc0' represent the 0th bit of the input data and the 0th bit of the accumulator (ACC) respectively. A similar description for every bit is used as the specification. 'op' is the signal representing that the processor is operating, and 'ph0' means phase 0 as shown above. 'opin' means the code for IN: it is a product term over $mem_7$, $mem_6$, $mem_5$, $mem_4$ and $mem_3$, where $mem_i$ represents the $i$-th bit of the outputs of the memory.
When the processor was verified, different descriptions were given for efficiency. Since the first two edges from the initial state of IN are the same for each bit, they can be shared. The automaton IN was split, and the same property was expressed by nesting two automata.
Experimental Results
A symbolic model checker for BRTL was implemented. The verifier was written in the C language and runs on a SPARCstation 2. This program utilizes the Boolean function manipulator developed by Minato et al. [2]. The transition functions and the output functions were obtained directly from the design data made on SOLO, a CAD tool developed by ES2 (European Silicon Structure).
Each flip-flop was expanded to a transition function using a next state variable. The internal memory (8 bit × 512 words) included in the KUE-CHIP2 was detached in the translation, that is, it was treated as an external memory. The bus shown in Figure 7 was translated to the following formula.
Fig. 7. Bus
In order to describe the ω automata, we implemented a simple language which has 'while' and 'if' structures and can use macro definitions.
The number of SBDD nodes was limited to 500,000 (11 Mbyte). The conditions for all the control signals of the buses were checked. The verifier found that a bus floats under some condition, and the error was debugged. Table 1 shows the experimental results of verifying some of the properties of the microprocessor. 'bus' shows the result for the conditions for the buses.
'phloop' shows the result for $\forall\mathrm{Always}(\forall(\mathrm{Always}(op) \Rightarrow A))$. Since the behaviors at phases 0 and 1 are common among all the instructions, they were checked separately without specifying any instruction. The results for phases 0 and 1 are shown in 'ph0' and 'ph1' respectively. The result for each instruction does not include the behaviors for phases 0 and 1. The given specifications include the conditions that the registers which should hold their values, for example the index register in Figure 5, do not change their values.
In order to simplify the verification, some of the inputs to the processor were fixed to 0 or 1.
'ADC' in Table 1 is the instruction with address modification by the index register. The behavior of this instruction is the most complex.
The KUE-CHIP2 has about 170 instructions, if addressing modes and destination registers are distinguished. The behavior of all the instructions under the normal mode of the KUE-CHIP2 was verified. The total verification time was approximately 10 hours. The size of the files containing the specifications was approximately 2 Mbyte. 
5 Conclusion
In this paper, for the 8-bit microprocessor KUE-CHIP2, we showed how to describe specifications in a variant of branching time temporal logic, namely BRTL. The specifications were checked using a symbolic model checking method. The experimental results show that the symbolic model checking method is suitable for microprocessor design and that the verification of the whole chip (excluding the internal memory) can be done in reasonable time.
Although the KUE-CHIP2 has only 8-bit arithmetic operations and no multiplication, a 16- or 32-bit multiplier would increase the difficulty of verification drastically. In order to verify larger microprocessors, the incorporation of techniques such as the one shown in [12] has to be investigated.
The specification descriptions in Sections 3 and 4 are given for each phase. It would be better to describe the specification of each instruction as a relation between the condition at its first phase and that at its last phase, as shown in [4]. In order to verify such descriptions, part of the internal memory has to be handled as a sequential circuit. An abstraction mechanism seems powerful for handling large memories. We would like to introduce this technique and estimate its effectiveness in the near future.
