Formally-Based Design Evaluation (extended version) by Turner, Kenneth J & He, Ji
Kenneth J. Turner and Ji He. Formally-Based Design Evaluation (extended
version of article published by and copyright Springer-Verlag).  In
Tiziana Margaria and Thomas F. Melham, editors, Proc. 11th Conference on
Correct Hardware Design and Verification Methods (CHARME 2001), Lecture
Notes in Computer Science 2144, pages 104-109, Springer Verlag, Berlin,
Germany, September 2001.
Formally-Based Design Evaluation
Kenneth J. Turner and Ji He
Computing Science and Mathematics, University of Stirling, Stirling FK9 4PU, Scotland
kjt@cs.stir.ac.uk, h.ji@reading.ac.uk
Abstract. This paper investigates specification, verification and test generation for synchronous and asynchronous circuits. The approach is called DILL (Digital Logic in LOTOS). DILL models are discussed for synchronous and asynchronous circuits. Relations for (strong) conformance are defined for verifying a design specification against a high-level specification. An algorithm is also outlined for generating and applying implementation tests based on a specification. Tools have been developed for automated test generation and verification of conformance between an implementation and its specification. The approach is illustrated with various benchmark circuits as case studies.
Keywords: asynchronous design, conformance, LOTOS (Language Of Temporal Ordering Specification), synchronous design, test generation, verification
1 Introduction
DILL (Digital Logic in LOTOS [7–13, 19]) is an approach for specifying digital circuits using LOTOS (Language Of Temporal Ordering Specification [6]). DILL has been developed over six years to allow formal specification of hardware designs, represented using LOTOS at various levels of abstraction. DILL addresses functional and timing aspects, synchronous and asynchronous design. There is support from a library of common components and circuit designs. Analysis uses standard LOTOS tools.
LOTOS is a formal language standardised for use with communications systems. DILL, which is realised through translation to LOTOS, is a substantially different application area for this language. Since the readers of this paper are unlikely to be familiar with LOTOS or its communications origins, much of the technical detail has been omitted. However the articles on DILL referenced above can provide additional background.
LOTOS can be used to support rigorous specification and analysis of hardware. LOTOS is neutral with respect to whether a specification is to be realised in hardware or software, allowing hardware-software co-design. LOTOS inherits a well-developed verification theory from the field of process algebra, and has a theory for testing and test generation. There is good support from general-purpose LOTOS toolsets such as CADP (Cæsar Aldébaran Development Package [3]).
Languages such as VHDL (VHSIC Hardware Description Language), Verilog and ELLA are commonly used in industry. These languages are semi-formal because their semantics is based on simulation models. Other languages do have formal semantics, e.g. CIRCAL (Circuit Calculus), HOL (Higher Order Logic) and Ruby. DILL most closely resembles CIRCAL in that both have a behavioural basis in process algebra. At a low level of specification, the true concurrency semantics of CIRCAL are perhaps more appropriate than the interleaving semantics of LOTOS. However, the integrated data typing in LOTOS makes it much more expressive than CIRCAL. In the authors' experience, DILL can be used successfully at a variety of abstraction levels where CIRCAL appears to be less effective.
The present paper synthesises several aspects of DILL for modelling and verifying synchronous and asynchronous circuits. Synchronous design is important as it is the main approach for digital technology. Control by clock signals makes it easier to abstract away from timing information. The current standard for LOTOS does not support quantified timing, although the authors have developed Timed DILL [10] for




now to combine theorem-proving and model-based approaches so as to achieve generality as well as automated support. LOTOS verification approaches tend to be state-based using an LTS (Labelled Transition System). Current LOTOS tools offer model checking and reachability analysis, together with equivalence or preorder checking. DILL can thus exploit a range of verification techniques.
Verification of asynchronous circuits, especially those that are speed-independent or delay-insensitive, has been a research topic for some years [1, 2]. Rigorous testing of asynchronous circuits is still in its infancy. Like DILL, other asynchronous verification approaches define relations that judge correctness of a circuit design. The relations confor and strongconfor defined in this paper resemble those introduced by others, e.g. conformance [1], decomposition [2] and strong conformance [4]. It is not possible to detect deadlocks and livelocks with conformance and decomposition. Although strong conformance can do this, it does not work for non-deterministic specifications.
For validating hardware designs, test cases are in practice manually defined or are randomly generated. More rigorous approaches use traditional software testing techniques or state machine representations. In DILL, tests are derived from higher-level specifications in a novel adaptation of protocol conformance testing theory.
2 Modelling Approach
DILL supports logic designs at different levels of abstraction, with formal comparison of higher level and more detailed design specifications. DILL does not provide guidelines for refinement, since design is presumed to follow conventional engineering practice. DILL supports behavioural as well as structural specification.
Wires or tracks between components are not normally represented explicitly in DILL. A component's ports (e.g. its pins) are represented by LOTOS event gates. To 'wire up' two ports, their LOTOS gates are merely synchronised. Since LOTOS allows multi-way synchronisation, it is easy to connect one output to several inputs. In high-




LOTOS, like most specification languages, deals only with discrete events. In synchronous circuits, changes in signal level are controlled by clock pulses (except for components such as level-triggered flip-flops). Signal levels can thus be treated as maintained during a clock cycle, i.e. one LOTOS event per clock cycle.
The classical synchronous circuit model has combinational logic to provide the primary outputs and the internal outputs according to the primary inputs and the internal inputs. Internal outputs are then fed into state-holding components to produce the internal inputs. Changes of the internal inputs are synchronised with the clock, in other words they are changed only at a particular moment of the clock cycle (usually its transition). The primary inputs are usually synchronised with the clock signal. This makes designing and analysing synchronous circuits much easier. DILL incorporates this practice into its synchronous circuit model, assuming that the primary inputs have already been synchronised with the clock signal.
For a synchronous circuit, designers must ensure that the clock cycle is slower than the slowest stage in a circuit. This can be done by analysing the timing characteristics of components used in the circuit. The untimed version of DILL cannot of course confirm if the clock constraint is met. However as discussed elsewhere [10], Timed DILL can specify such constraints. Properly modelling the storage components and environment can ensure that the clock constraint is always fulfilled by a DILL specification.
The fundamental DILL model always allows an input or output port to offer an event corresponding to a signal change. This model is generally applicable, but may lead to non-determinism due to the lack of quantified timing [11]. The model therefore has to be constrained according to the environment in which it operates. If the clock is slow enough to let every signal settle down, it is reasonable to allow the value of each signal to change just once per clock cycle.
The DILL synchronous model imposes two further restrictions. It is important that there is no cyclic connection within a stage, and storage components have to be specified in the behavioural style. These restrictions are related to the component model, for otherwise a DILL specification might deadlock where a real circuit could still work.
2.2 Asynchronous Circuits
In asynchronous DILL, it is only signal changes that are modelled. Asynchronous circuits exhibit a variety of forms due to the different delay and environment assumptions made. An asynchronous circuit can behave correctly only when these assumptions are met. Some of the better-known design methods handle delay-insensitive, quasi delay-insensitive or speed-independent circuits.
Bounded delays need a formalism that can specify quantitative timing. DILL deals with (quasi) delay-insensitive and speed-independent circuits since they assume unbounded delays that are appropriate for LOTOS. (Quasi) delay-insensitive designs can be easily changed to speed-independent circuits by inserting artificial delay components. Most wire delays can in fact be absorbed into the preceding components. Only components with more than one output need special treatment.
Asynchronous DILL concentrates mainly on speed-independent design. Happily this is a good match to the DILL approach since component delays are unbounded, just like the interval between consecutive LOTOS events. In DILL, component ports are connected by synchronising their LOTOS events. This actually assumes that delay on the connecting wires is negligible, an assumption that is also adopted by speed-independent circuits. If new inputs cannot change any pending outputs, the design is termed semi-modular. Semi-modularity is often used as a correctness criterion for speed independence, since the violation of semi-modularity causes speed-dependent behaviour.
In LOTOS, communication between processes is based on symmetric synchronisation at a gate. However, digital hardware has a clear distinction between inputs and outputs. A hardware component can never refuse inputs, while its outputs can never be blocked by other components. A specification is said to be input-receptive if every input is allowed in every state. In such a case, the DILL model represents the real circuit faithfully. However input-receptive specifications cannot be written for most asynchronous circuit components since unexpected inputs are not permitted. One way to address this is by explicit deadlock if unexpected inputs arrive. If more accurate analysis is required, input quasi-receptive specifications should be written. Informally, a specification is input quasi-receptive if it can always participate in input events except when deadlocked. An input quasi-receptive specification can be obtained by adding a choice when there is a potential output.
It is not straightforward to transform a LOTOS specification with more than just sequence and choice operators into input quasi-receptive form. In such a case, a partial specification can be used to generate the corresponding LTS (Labelled Transition System). An input quasi-receptive specification can be obtained by modifying the LTS. For a state that cannot participate in all input events, outgoing edges leading to deadlock are added for missed inputs.
This method works very well for LTSs without internal events. But subtle problems can arise for those containing internal events. Internal events are less meaningful when considering input receptiveness as they mean the environment has no effect on choices. For this reason, LTSs with internal events are first determinised (internal non-determinism is removed). Outgoing edges are then added to create input quasi-receptive specifications. An LTS is input quasi-receptive if, after determinisation, all states except terminal ones can accept all inputs.
As it is more difficult to specify components in an input (quasi-)receptive manner, verification may be based on components that are not input-receptive. The verification may, however, not be exact in that some problems may not be discovered. Input quasi-receptive specifications result in a larger state space, making verification more difficult.
Assumptions about the environment of an asynchronous circuit often have to be made. When an environment is not explicit, many methods simply assume the mirror of a specification as the environment of its implementations [1]. This assumes that the environment does not provide extra inputs, so inputs that are accepted only by an implementation are ignored when verifying the joint behaviour. This is reasonable, but permits an implementation to produce more outputs than a specification. This is undesirable since an implementation producing unexpected output for legitimate input is normally erroneous. Moreover when a specification is non-deterministic, this method may exclude correct deterministic implementations.
When an implementation is specified in an input (quasi-)receptive way, a distinction is made between inputs and outputs. If its environment is also receptive, it will deadlock on unexpected outputs from an implementation. However, it is very hard to extract an input quasi-receptive environment from a behavioural specification, especially if this is complicated or contains internal events. An alternative method is therefore used when verifying asynchronous circuits. Relations are defined that respect the difference between input and output. These relations do not require a (quasi-)receptive environment or implementation, and are natural criteria for asynchronous circuit correctness.
3 Conformance Testing and Verification
Conformance testing is a term drawn from communications systems to mean evaluating the correctness of an implementation against its specification. To formally define an implementation relation, a test hypothesis is needed that implementations can be expressed by a formal model. In traditional conformance testing theories for LTSs (Labelled Transition Systems), both the specification and the IUT (Implementation Under Test) are modelled as LTSs. An IUT communicates with its environment through symmetric interactions, so its environment as expressed by tests is also modelled as an LTS.
Many real-world systems communicate with their environment in a different way from an LTS, with a clear distinction between inputs and outputs. The inputs of a system are always enabled and cannot refuse the actions offered by the environment. After the system consumes an input and produces its outputs, the environment has to accept the outputs. In other words, such a system will never reject inputs and its environment will never block outputs. Communication is thus no longer symmetric. In [18] this kind of behaviour is modelled as an IOLTS (Input-Output Labelled Transition System), which is a special kind of LTS. In an IOLTS, the set of actions is partitioned into inputs and outputs. Intuitively this means that input actions are always enabled in any state.
The DILL approach allows conformance of an implementation to be verified against its specification. More precisely, a design specification is formally checked against an abstract specification. The same approach also allows test suites for an implementation to be rigorously derived from its specification. This allows the actual implementation




In the DILL approach to conformance testing, a circuit is specified in LOTOS (whose semantics is given by an LTS). The implementation of the same circuit is described by VHDL. The behaviour of a VHDL program is presumed to be modelled by an IOLTS that need not be known explicitly.
To support the checking of conformance, an intermediate LTS termed a suspension automaton is built from the specification LTS. The suspension automaton of an LTS is obtained by adding self-loops for all quiescent states (where no output is pending). The resulting automaton is then determinised. The important properties of a suspension automaton are that it is deterministic and that it respects the outputs of the original LTS. Checking conformance can be easily reduced to checking trace inclusion on the suspension automaton.
A test case is an LTS with finite deterministic behaviour. A test case ends with states labelled Pass or Fail to indicate the verdict of conformance. The test cases generated by DILL have the form of traces rather than trees. This allows easy measurement of test coverage and automatic execution of test cases. A test suite cannot usually cover the entire behaviour of a specification as this is normally infinite. The strategy is therefore to cover all transitions in a transition tour that addresses the Chinese Postman problem. As a suspension automaton may not be strongly connected, it is not possible to make direct use of conventional transition tour algorithms. Instead the approach of [5] is used because it is suitable for all kinds of directed graphs. Depth-first search is used until an unvisited edge cannot be reached. Breadth-first search is then employed to find an unvisited edge, and then depth-first search recommences.
Tests are generated from a suspension automaton by an algorithm that offers three choices in each iteration. The first choice terminates test generation. Since specifications usually have infinite behaviour, test generation has to be stopped at some point. The second choice gives the next input to the implementation. Since inputs are always enabled, this step will never result in deadlock when an input is applied. It is therefore not possible to reach a terminal Pass or Fail state. To avoid unnecessary non-determinism during testing, only one input is applied each time. The third choice checks each possible next output of the implementation. Any implementation producing an unexpected output will result in a Fail terminal state, indicating a non-conforming implementation. For all other outputs, test generation may continue. This test generation algorithm guarantees sound test cases for ioconf (input-output conformance). An exhaustive set of test cases is also guaranteed.
This method works well with deterministic specifications. However when the specification has non-deterministic behaviour, simply generating traces from a tree raises problems. The problem is that an implementation has to pass all the test cases in a test suite before it is regarded as correct. This problem is solved by marking outputs at a contradictory branch to indicate that the corresponding test is inconclusive when the marked output is not matched during testing.
The CADP toolset for LOTOS supports an application programming interface that allows user-written programs to manipulate the state space of a given LOTOS specification. The authors have developed the TestGen tool to realise the test generation algorithm. Each generated transition tour is a test case and is saved in a test file. The accumulated test cases are passed to a VHDL simulator that handles a lower-level implementation of the circuit. A VHDL test bench was designed to allow the test cases to be applied and executed against the VHDL description of the circuit.
The test bench mainly consists of two processes that are executed concurrently. The first process generates clock signals for the circuit under test. The second process reads the test suite file and generates signal stimuli according to the inputs of each test case. It also compares the outputs generated by the VHDL simulator with the output values specified by test cases. A Fail verdict is given and the simulation is aborted if these outputs are not the same. This needs some knowledge of the circuit realisation, such as the propagation delays of components in the circuit. Between two test cases of a test suite, a reset signal is generated by the test bench to re-initialise the circuit under test. (It is assumed that a circuit can always be reset.)
An inconclusive point may be met during testing because there are alternative implementations. In such a case the test bench may have to search forward or backward to find a matching alternative. This means that loops can arise during testing, so the test bench operates a strategy to avoid endless repetition. The test bench also needs to maintain a timer. If there is no output within a certain period, the circuit must be assumed quiescent (waiting for input). A failure verdict must be given if output was required at this point.
3.2 Conformance Verification
Several implementation relations have been defined to express conformance of an implementation to its specification. In these relations, specifications are modelled as LTSs and implementations are modelled as IOLTSs. This is because an LTS can give a more abstract view of a system, while an IOLTS is closer to reality. The specification LTS can be regarded as a partially specified IOLTS in the sense that there are some states in the specification that can refuse input actions. There are two reasons for writing such kinds of specifications. One is that it does not matter how implementations respond to unspecified inputs. The other is that the environment is assumed not to offer such inputs, so there is no need to specify them.
To define the implementation relation ioconf (input-output conformance), several other definitions have to be introduced. A quiescent state is one that cannot perform any output transitions or an internal transition. An implementation has input-output conformance to its specification if, after every trace of the specification, the implementation outputs can also be produced by the specification. An implementation cannot produce outputs which are not expected by the specification. Since this also holds for a quiescent state, the implementation may not output if the specification cannot do so. As for test generation, a suspension automaton is created as a step towards verifying conformance.
Suppose Spec is an abstract specification of a circuit and Impl is its implementation specification. Spec may be partial in the sense that in some states it does not accept some inputs, i.e. it is not input-receptive. An input is absent if the environment of a circuit does not provide it, if the behaviour of the circuit upon receiving the input is not of interest, or if the behaviour is undefined. Although a circuit may accept all inputs at any time, most specifications are partial to avoid detail. Impl may be partial or total in the sense of input receptiveness.
Suppose that sp is a state of Spec and that im is the corresponding state in Impl. To define the implementation relation confor (conformance), consider the input transitions of sp and im. If input ip is accepted by sp, it is reasonable that ip also be accepted by im. But if im accepts an input that is not accepted by sp, this input and all the behaviour afterwards can be ignored. Since the environment will never provide such an input, or even if it is provided, such behaviour is not of interest. In short, the inputs acceptable in sp should be a subset of those acceptable in im.
If sp can produce output op, a correct implementation should also produce it. If sp cannot produce a certain output, neither should its implementation. However when a specification is allowed to be non-deterministic, it is too strong to require im to produce exactly the same outputs as sp. A deterministic implementation could produce a subset of the outputs. A suitable relation should thus require output inclusion instead of output equality. Unfortunately a circuit that accepts everything but outputs nothing may also be qualified as a correct implementation. To overcome this problem, a special 'action' δ is introduced for quiescence, meaning the absence of output. Like any other output, if δ is in the output set of im it must be in the output set of sp for conformance to hold. That is, im can produce nothing only if sp can do nothing.
The confor relation requires that, after a suspension trace of Spec, the outputs that an implementation Impl can produce are included in what Spec can produce. If Impl can follow the suspension trace, the inputs that Spec can accept are also accepted by Impl. A second implementation relation strongconfor (strong conformance) is also defined. This is similar except that output inclusion is replaced by output equality. Normally confor is used for a deterministic specification and implementation, while strongconfor is used when an implementation is more deterministic than a specification.
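Both the LTS completion described in section 2.2 (determinise, then add deadlock edges for refused inputs) and the confor and strongconfor relations above can be exercised on small automata. The following Python is an added example written for this edition; it is not the authors' VeriConf tool or their LOTOS/CADP code. The LTSs are constructed toy data, the labelling convention ('?' for inputs, '!' for outputs, 'i' for internal events, 'delta' for quiescence) is an assumption of the example, and the relation is checked over suspension traces up to a fixed depth rather than over the whole, possibly infinite, behaviour.

```python
"""Added example (editor's code, not the authors' VeriConf tool): quasi-receptive
completion (Section 2.2) and confor / strongconfor via suspension automata
(Section 3.2) on constructed toy LTSs. Conventions assumed: '?' prefixes an
input, '!' an output, 'i' is internal, 'delta' is quiescence; an LTS maps a
state to a list of (label, next_state) pairs."""
from collections import deque

INPUTS, DELTA = {"?a", "?b"}, "delta"    # input alphabet of the toy specifications

def closure(lts, states):
    """States reachable from `states` by internal events only."""
    seen, todo = set(states), list(states)
    while todo:
        for lab, t in lts.get(todo.pop(), []):
            if lab == "i" and t not in seen:
                seen.add(t)
                todo.append(t)
    return frozenset(seen)

def determinise(lts, start):
    """Subset construction: removes internal non-determinism."""
    s0 = closure(lts, {start})
    det, todo = {s0: []}, deque([s0])
    while todo:
        cur, targets = todo.popleft(), {}
        for s in cur:
            for lab, t in lts.get(s, []):
                if lab != "i":
                    targets.setdefault(lab, set()).add(t)
        for lab, ts in sorted(targets.items()):
            nxt = closure(lts, ts)
            if nxt not in det:
                det[nxt] = []
                todo.append(nxt)
            det[cur].append((lab, nxt))
    return det, s0

def is_input_quasi_receptive(det):
    """After determinisation, every non-terminal state accepts every input."""
    return all(not es or INPUTS <= {lab for lab, _ in es} for es in det.values())

def make_quasi_receptive(det):
    """Add an edge to a deadlock state for each input a non-terminal state refuses."""
    dead, out = frozenset({"deadlock"}), {s: list(es) for s, es in det.items()}
    for s, es in det.items():
        for inp in sorted(INPUTS - {lab for lab, _ in es}) if es else []:
            out[s].append((inp, dead))
    out.setdefault(dead, [])
    return out

def suspension_automaton(lts, start):
    """Delta self-loop at every quiescent state (no output, no internal), then determinise."""
    sus = {s: list(es) for s, es in lts.items()}
    for s, es in lts.items():
        if not any(lab == "i" or lab.startswith("!") for lab, _ in es):
            sus[s].append((DELTA, s))
    return determinise(sus, start)

def after(sa, s, trace):
    """Successor in a deterministic automaton after a suspension trace, or None."""
    for lab in trace:
        nxt = [t for l, t in sa[s] if l == lab]
        if not nxt:
            return None
        s = nxt[0]
    return s

def outs(sa, s):
    return {l for l, _ in sa[s] if l.startswith("!") or l == DELTA}

def straces(sa, s0, depth):
    """All suspension traces of Spec up to the given length."""
    res, todo = [()], deque([((), s0)])
    while todo:
        tr, s = todo.popleft()
        for lab, t in sa[s] if len(tr) < depth else []:
            res.append(tr + (lab,))
            todo.append((tr + (lab,), t))
    return res

def conforms(spec, s_start, impl, i_start, strong=False, depth=6):
    """confor: after each suspension trace of Spec that Impl can follow, the outputs
    of Impl are included in those of Spec (equal, for strongconfor) and the inputs
    Spec accepts are accepted by Impl."""
    sa_s, s0 = suspension_automaton(spec, s_start)
    sa_i, i0 = suspension_automaton(impl, i_start)
    for tr in straces(sa_s, s0, depth):
        ss, si = after(sa_s, s0, tr), after(sa_i, i0, tr)
        if si is None:
            continue
        o_s, o_i = outs(sa_s, ss), outs(sa_i, si)
        if (o_i != o_s if strong else not o_i <= o_s):
            return False
        if not {l for l, _ in sa_s[ss] if l in INPUTS} <= {l for l, _ in sa_i[si] if l in INPUTS}:
            return False
    return True

# Constructed toy LTSs. SPEC may answer ?a with either !x or !y.
SPEC = {"s0": [("?a", "s1")], "s1": [("!x", "s0"), ("!y", "s0")]}
IMPL_SUBSET = {"t0": [("?a", "t1")], "t1": [("!x", "t0")]}        # produces one of the two
IMPL_SILENT = {"u0": [("?a", "u0"), ("?b", "u0")]}                # accepts everything, outputs nothing
IMPL_INTERNAL = {"v0": [("?a", "v1")], "v1": [("i", "v2"), ("i", "v3")],
                 "v2": [("!x", "v0")], "v3": [("!y", "v0")]}     # internal choice of output
```

IMPL_SUBSET satisfies confor but not strongconfor, since it produces only !x where SPEC allows !x or !y. IMPL_SILENT fails confor because its delta after ?a is not among SPEC's outputs, which is exactly the case the δ action was introduced to catch. IMPL_INTERNAL, whose internal choice collapses under determinisation, satisfies strongconfor.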
To check these relations, a specification LTS is first transformed into a suspension automaton. This is part of the verification tool VeriConf developed by the authors to check the (strong) confor relations. Briefly, CADP is exploited to generate LTSs of both specification and implementation. Then the verifier is used to produce the suspension




avoided biasing the illustrations in favour of their method. A selection has been made from case studies by the authors to illustrate larger and smaller circuits, synchronous and asynchronous designs, testing and verification.
4.1 Bus Arbiter
The Bus Arbiter is a benchmark circuit used to check hardware verifiers [17]. It is a synchronous circuit that grants access on each clock cycle to a single client among a number of clients requesting use of a bus. The inputs to the arbiter are a set of request signals from clients. The outputs are a set of acknowledge signals that indicate which client is granted access during a clock cycle. For brevity the specifications and formal analysis are not given here, but can be found in [11, 13].
The arbitration algorithm embodied in the design is a round-robin token scheme with priority override. Normally the arbiter grants access to the highest priority client: the one with the lowest index number among all the requesting clients. However as requests become more frequent, the arbiter is designed to fall back on a round-robin scheme so that every requester is eventually acknowledged. This is done by circulating a token in a ring of arbiter cells, with one cell per client. The token moves once every clock cycle. If a client's request persists for the time it takes for the token to make a complete circuit, that client is granted immediate access to the bus.
LOTOS supports specification at various levels of abstraction. Although the Bus Arbiter has been studied by many researchers, as far as the authors know there has not been a formal specification of the arbitration algorithm used in the design. With LOTOS, it is possible to provide such a higher-level specification. Translating the algorithm to LOTOS is quite straightforward. For an arbiter with three cells, the LOTOS specification has 79 lines (including comments) for the behavioural specification.
The design of the arbiter consists of repeated cells. Each cell is in charge of accepting request signals from a client, and sending back acknowledgements to the same client. The first cell is slightly different because it is assumed that the token is initially in the first cell. Because the components of each cell are in the DILL library, it is very easy to specify the process describing a cell. The specification of an arbiter with three cells is obtained by connecting three such processes. There is also an environment constraint in the structural specification of the arbiter to meet the conditions of the synchronous circuit model (section 2.1).
The formulation of properties with the CADP tool uses action-based temporal logic, namely ACTL (Action-based Computational Tree Logic [16]) and HML (Hennessy-Milner Logic). The following three properties have to be proved for the circuit: no two acknowledge outputs are asserted in the same clock cycle (safety); every persistent request is eventually acknowledged (liveness); and acknowledge is not asserted without request (safety). To verify the higher-level specification against the temporal logic formulae, the LTS of the specification was produced first. CADP generates an LTS with 3649 states and 7918 transitions. This is reduced to 379 states and 828 transitions with respect to strong bisimulation. Both generation and reduction take a few seconds on a 300 MHz Sun. The temporal logic formulae are then verified against the minimised LTS within a minute.
The real challenge comes when the lower-level design specification is verified. The state space is so large that direct generation of the LTS from the LOTOS specification is impractical. Compositional generation was therefore used to verify the arbiter. The specification is divided into several smaller specifications to make sure that it is possible to generate an LTS for each of them. Then these are reduced with respect to a suitable equivalence relation.
In order to get valid verification results, special attention must be given to the equivalence relation that is used. Safety equivalence preserves all safety properties, while branching bisimulation equivalence preserves liveness properties when there are no livelocks in specifications. Both of these equivalences are congruences with respect to the LOTOS parallel and hide operators. These two equivalences are thus appropriate to compositional generation.
The design of the arbiter was divided into three pieces, one per cell of the arbiter. An LTS which is safety equivalent to the LOTOS specification of the design was generated in about seven minutes. The two safety properties were verified to be true against this LTS, implying that the design also satisfies these properties. Verification of the formulae took just seconds. However generating an LTS that is branching equivalent to the design took almost one day, after which the liveness property was also verified to be true.
For checking equivalence between the higher-level algorithm and the lower-level design, compositional generation was exploited to generate the LTS for the design. This time each cell was reduced with respect to observational equivalence since it is a congruence for the LOTOS parallel and hide operators. The LTS was generated in about eight minutes. It was expected that this LTS would be observationally equivalent to the one representing the higher-level specification. However CADP discovered that they are not! The tool provides a counter-example in which client 0 requests the bus during the first three cycles. The high-level and low-level specifications both grant access to this client. In the fourth cycle, client 0 cancels its request but client 1 begins to request access. At this point the two levels of specifications are different: the low-level specification offers 0 for Ack1, whereas the high-level specification offers 1 for Ack1.
After step-by-step simulation of the counter-example, it was soon discovered that the circuit does not properly reset the override out signal. This is a fault in the supposedly proven benchmark circuit. The design was modified and then verified to be observationally equivalent to the higher-level algorithmic specification. The corrected circuit diagram appears in [11].
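As an added illustration (editor's code, not the authors' 79-line LOTOS specification and not the benchmark circuit), the arbitration algorithm of this section can be modelled in Python and the three properties checked by exhaustive simulation over short request sequences. The model is the editor's reading of the prose: it assumes that a request must be held for n consecutive cycles, one complete token circuit, before the token holder overrides priority, and that the token starts in cell 0. The counter-example scenario is replayed to show the high-level answer (Ack1 = 1 in the fourth cycle); the low-level fault in the override out signal is not modelled.

```python
"""Added example (editor's model, not the authors' LOTOS code): the round-robin
token scheme with priority override from Section 4.1, plus executable checks
of the three properties listed for the circuit. Assumption: a request held
for n consecutive cycles (one token circuit) lets the token holder override."""
import itertools

class Arbiter:
    def __init__(self, n):
        self.n = n
        self.token = 0            # the token is initially in cell 0
        self.held = [0] * n       # consecutive cycles each request has been held

    def step(self, req):
        """One clock cycle: returns the acknowledge vector for request vector req."""
        n = self.n
        self.held = [h + 1 if r else 0 for h, r in zip(self.held, req)]
        ack = [0] * n
        if req[self.token] and self.held[self.token] >= n:
            ack[self.token] = 1            # override: waited a full token circuit
        else:
            for i in range(n):             # priority: lowest index among requesters
                if req[i]:
                    ack[i] = 1
                    break
        self.token = (self.token + 1) % n  # the token moves once per cycle
        return ack

def run(n, requests):
    """Acknowledge vectors produced by a fresh n-cell arbiter for each cycle."""
    arb = Arbiter(n)
    return [arb.step(req) for req in requests]

def counter_example_scenario():
    """Client 0 requests for three cycles, then client 1 requests instead."""
    return run(3, [(1, 0, 0)] * 3 + [(0, 1, 0)])

def check_properties(n, horizon):
    """Exhaustively simulate every request sequence of the given length and check:
    no two acknowledges in one cycle, no acknowledge without a request, and a
    request held for 2n consecutive cycles acknowledged within those cycles."""
    vectors = list(itertools.product((0, 1), repeat=n))
    for seq in itertools.product(vectors, repeat=horizon):
        acks = run(n, seq)
        for req, ack in zip(seq, acks):
            if sum(ack) > 1:
                return "two acknowledges in one cycle"
            if any(a and not r for a, r in zip(ack, req)):
                return "acknowledge without request"
        for i in range(n):
            for t in range(horizon - 2 * n + 1):
                window = range(t, t + 2 * n)
                if all(seq[k][i] for k in window) and not any(acks[k][i] for k in window):
                    return f"client {i} not acknowledged"
    return "ok"

if __name__ == "__main__":
    print(counter_example_scenario())      # fourth cycle acknowledges client 1
    print(check_properties(2, 6), check_properties(3, 4))
```

The exhaustive check is kept small (two cells over six cycles, three cells over four cycles) so that it runs in well under a second; it is a bounded simulation of the algorithm, not the temporal-logic verification with CADP that the text reports.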
4.2 Black-Jack Dealer
The Black-Jack Dealer is another verification benchmark circuit [17], also discussed in [20]. Black-Jack is a card game also known as Pontoon or Vingt-et-Un. For brevity the specifications and formal analysis are not given here, but can be found in [11, 12].
The Black-Jack Dealer is a synchronous circuit whose inputs are Card Ready and Card Value (Ace..King, Clubs..Spades). Its outputs are boolean: Hit (card needed), Stand (stay with current cards) and Broke (total exceeds 21). The Card Ready and Hit signals are used for a handshake with a human user. Aces have value 1 or 11 at the choice of the player. Numbered cards have values from 2 to 10. Jack, Queen and King count as 10. The Black-Jack dealer is repeatedly presented with cards. It must assert Stand (when its score is 17 to 21) or Broke (when its score exceeds 21). In either case the next card starts a new game.
In the LOTOS specification of the Black-Jack Dealer, a new data type Value is defined to represent the card value. Although the standard LOTOS data type NaturalNumber might appear suitable, CADP cannot generate the corresponding LTS for an infinite data type like this. The key point in the specification is how to handle the ambiguous value of an Ace. To solve the problem, the specification uses the method given by [20]. Specification behaviour occupies about 80 lines including comments. (The circuit diagram is also about a page.)
Using CADP and the authors' TestGen program, a test suite for the Black-Jack Dealer was derived. The test suite is able to test 181 different hands of cards that a dealer may hold. The VHDL implementation given in [20] was evaluated against this test suite.
Although the circuit was expected to pass the test suite, a Fail verdict was recorded after the dealer was given the following cards: 5, 5, 3, 2, 1, 10. In this case the dealer should be Broke because the sum of the cards is 26. However the circuit outputs neither

Fig. 1. Implementation of a Two-Stage FIFO from Individual Cells

The circuit should initially take an Ace as 11. It should be re-valued as 1 (subtracting 10 from the sum) the first time the result would be Broke. If the following cards would make the sum exceed 21, there should be no re-valuation as no Ace is 11. But the given design still re-values the Ace card, so the circuit is not Broke in this case. Carefully simulating the circuit discovered a problem in the benchmark with one of the flag registers that indicates an Ace should be 11. The register is not reset to zero properly because the effective duration of the signal used to reset it is too short. By slightly modifying the circuit to remove the cause of this short duration, the circuit was able to pass the test suite successfully. Again, the authors had discovered a flaw in a supposedly verified design.
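The re-valuation rule and the flag-register fault described above can be captured in a few lines. The following Python is an added example for this edition, not the benchmark VHDL or the authors' LOTOS specification: the single-flag model and the treatment of a second Ace (always counted as 1, since two Aces at 11 would already exceed 21) are the editor's assumptions, and the hand is the one quoted in the text.

```python
"""Added example (editor's model, not the benchmark circuit): the dealer's scoring
rule from Section 4.2 with a switch reproducing the flag-register fault that the
generated test suite exposed. Cards: 1 = Ace, 2..10 face value, court cards 10."""

def deal(cards, flag_reset_works=True):
    """Feed cards to the dealer. Returns (verdict, total): 'Stand' for 17..21,
    'Broke' above 21, or None if the hand ended without a verdict. An Ace is
    first counted as 11 and re-valued to 1 (subtracting 10) the first time the
    total would exceed 21; the 'Ace is 11' flag must then be cleared so that the
    subtraction cannot happen a second time."""
    total, ace_is_11 = 0, False
    for card in cards:
        if card == 1 and not ace_is_11:
            total += 11
            ace_is_11 = True              # flag register: an Ace currently counts 11
        else:
            total += 1 if card == 1 else card   # a second Ace can only be 1 (assumption)
        if total > 21 and ace_is_11:
            total -= 10                   # re-value the Ace from 11 to 1
            if flag_reset_works:
                ace_is_11 = False         # the faulty circuit never clears this flag
        if total > 21:
            return "Broke", total
        if total >= 17:
            return "Stand", total
    return None, total

FAILING_HAND = [5, 5, 3, 2, 1, 10]        # the hand on which the benchmark recorded Fail

if __name__ == "__main__":
    print(deal(FAILING_HAND))                           # ('Broke', 26)
    print(deal(FAILING_HAND, flag_reset_works=False))   # (None, 16): neither Stand nor Broke
```

With the flag cleared correctly the hand reaches 16 after the Ace is re-valued and then 26 on the final 10, so Broke is asserted; with the flag stuck, the 10 triggers a second subtraction and the dealer sits at 16 with no verdict, which is the behaviour the test suite flagged.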
4.3 Asynchronous FIFO
As a typical asynchronous circuit, an asynchronous FIFO buffer was specified and analysed. For brevity the specifications and formal analysis are not given here, but can be found in [7, 8, 14].
The FIFO has two inputs InT, InF and two outputs OutT, OutF. Its inputs and outputs use dual-rail encoding in which one bit needs two signal lines. A possible implementation for a FIFO stage is given in figure 1 (a). Apart from the data path, there are two lines that control data transmission. Req comes from the environment of a stage, indicating that the environment has valid data to transfer. The Ack line goes to the environment, indicating that the stage is empty and is thus ready to receive new data. Both of these control signals are active when 1. The implementation uses two C-Elements (transition synchronisers used in asynchronous circuits).
To ensure a FIFO works correctly, the environment has to be coordinated. For example, it should provide correct input data according to the dual-rail encoding. To make things easier, it is convenient to think about the environment in two parts: EnvF (front-end) is a provider that is always ready to produce data, while EnvB (back-end) is a consumer that can always accept data. A two-stage FIFO can then be implemented as in figure 1 (b).
The specification should exhibit liveness. Using CADP, it was verified that the specification satisfies the following property: if there is an input of 1, then the output will eventually become 1. The property for input of 0 is similar and was also shown to be
When speed independence needs to be verified, each building block (including the environment) should be specified in the input quasi-receptive style. Impl QR is the implementation specification in quasi-receptive style. It uses the corresponding DILL library components. The corresponding quasi-receptive specifications EnvF QR and EnvB QR also have to be written. EnvF has no inputs and so is identical to EnvF QR.
To check speed independence, the input quasi-receptive specifications were used. It was also verified that Spec ≈ Impl QR || (EnvB QR |[...]| EnvF QR), which gives more confidence in the design of the FIFO. The liveness property is also satisfied by the implementation Impl QR || (EnvB QR |[...]| EnvF QR).
Figure 2 gives the LTS for the FIFO (minimised with respect to observational equivalence), the suspension automaton for the LTS, and several tests. Because the LTS is deterministic, the suspension automaton has almost the same structure except for the δ (quiescent) transitions, which appear as circles in the figure. Test T1 provides two inputs and then checks the output of an implementation. If output OutF changes, the implementation passes the test. However if OutT changes or if there is no output, the implementation fails the test. Similarly, test T2 checks output after one input is provided. Test T3 checks output right away. For this test, an output from the initial state is incorrect and results in a fail. Only after δ, meaning that no output is produced, can testing continue.
It was shown that Impl QR || (EnvB QR |[...]| EnvF QR) strong confor Spec using the VeriConf tool. The TestGen tool builds a single test case of length 28:
InF !1 InF !0 OutF !1 InF !1 OutF !0 OutF !1 InF !0
InT !1 OutF !0 InT !0 OutT !1 InT !1 OutT !0 OutF !1
δ InF !0 OutF !0 InT !1 OutT !1 InT !0 InT !1
OutT !0 OutT !1 δ InT !0 OutT !0 δ Pass
4.4 Selector
A selector (an asynchronous design component) allows non-deterministic choice of output. For brevity the specifications and formal analysis are not given here, but can be found in [7, 8, 14].
After a change on input Ip, either Op1 or Op2 may change depending on the implementation. Figure 3 gives its LTS (minimised with respect to observational equivalence), the suspension automaton of the LTS, and one of the test cases. Sample test T4 shows that after input Ip !1, an implementation producing either Op1 !1 or Op2 !1 will pass the test.
The TestGen tool produces a single test case of length 11 for the selector. This example shows how contradictory branches are marked. After Ip !1, the output Op1 !1 is marked with the current state (?S1) since an implementation may also do Op2 !1. A selector that insists on sending its input to Op1 can follow the first row of steps in the test case below. After the sixth step (Ip !1), it cycles back to the second step (Op1 !1) – a loop that the test bench must break.
Ip !1 Op1!1 (?S1) Ip !0 Op1!0 (?S2) δ Ip ! 1
Op2!1 (?S1) δ Ip !0 Op2!0 (?S2) Pass
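As an added illustration of the test verdicts described for the FIFO (T1 to T3) and of the marked choice in the selector test above (not the authors' TestGen or VeriConf code), the following Python adds δ self-loops to a small IOLTS to obtain its suspension automaton and then runs a test bench against constructed implementations; the state names, the selector model and the Impl class are assumptions, not the LTS of Figure 3.

```python
# Added illustration (not the authors' TestGen/VeriConf code): quiescence-aware test
# execution over a suspension automaton; the selector IOLTS and the implementations
# are constructed approximations, not the LTS of Figure 3.
DELTA = "δ"  # quiescence: the implementation produces no output

# Constructed selector specification: after Ip!1 either Op1 or Op2 rises (the
# non-deterministic choice of output); after Ip!0 the same output returns to zero.
SELECTOR = {
    "S0": {"Ip!1": "S1"},
    "S1": {"Op1!1": "S2a", "Op2!1": "S2b"},
    "S2a": {"Ip!0": "S3a"}, "S3a": {"Op1!0": "S0"},
    "S2b": {"Ip!0": "S3b"}, "S3b": {"Op2!0": "S0"},
}
OUTPUTS = ("Op1", "Op2")

def suspension_automaton(lts):
    """Copy the LTS and add a δ self-loop at every state with no enabled output."""
    sa = {s: dict(t) for s, t in lts.items()}
    for s, t in sa.items():
        if not any(a.startswith(OUTPUTS) for a in t):   # quiescent state
            t[DELTA] = s
    return sa

class Impl:
    """Constructed implementation: copies each input change to the given output ports."""
    def __init__(self, *ports):
        self.ports, self.pending = ports, []
    def apply(self, stim):                  # stim is e.g. "Ip!1"
        value = stim.split("!")[1]
        self.pending += [f"{p}!{value}" for p in self.ports]
    def observe(self):                      # next output, or None when quiescent
        return self.pending.pop(0) if self.pending else None

def run_test(sa, impl, stimuli, start="S0"):
    """Apply each stimulus, then observe until quiescence. An observation that the
    suspension automaton does not allow (a wrong output, or δ where an output is
    required) gives Fail; either branch of a marked choice such as Op1!1/Op2!1 passes."""
    states = {start}                        # a set, since the spec may be non-deterministic
    for stim in stimuli:
        states = {sa[s][stim] for s in states if stim in sa[s]}
        impl.apply(stim)
        while True:
            obs = impl.observe() or DELTA
            states = {sa[s][obs] for s in states if obs in sa[s]}
            if not states:
                return ("Fail", f"after {stim}: {obs}")
            if obs == DELTA:
                break
    return ("Pass", "")

TOUR = ["Ip!1", "Ip!0", "Ip!1", "Ip!0"]     # the test bench breaks the loop after two rounds
```

An implementation routing to Op1 only and one routing to Op2 only both pass, one that raises both outputs fails on the second output, and one that never responds fails on δ where an output is required.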
5 Conclusion
An approach to specifying synchronous circuits has been presented. This has allowed standard hardware benchmarks to be verified – the Bus Arbiter and the Black-Jack Dealer in this paper. The authors were pleasantly surprised to find that their approach discovered previously unknown flaws in these circuit designs.
An approach to specifying asynchronous circuits has also been presented. (Quasi) delay-insensitive circuits are transformed into speed-independent designs. Violations of speed-independence (or rather of semi-modularity) are checked using specifications that are input (quasi-)receptive. The (strong) confor relations have been defined to assess the implementation of an asynchronous circuit against its specification.
In comparison to other techniques applied to the same case studies, e.g. COSPAN and CIRCAL, DILL is much more convenient for giving a higher-level specification. CIRCAL gives an abstract view of a synchronous circuit by directly specifying its corresponding finite state machine, but this is not always a natural representation of circuit behaviour.
Being based on process algebra, DILL specifications can be verified by equivalence and preorder checking. This is distinctive in that most hardware verification systems are based on theorem proving or model checking. Equivalence or preorder checking makes it possible to write the specification in the same formalism as the implementation, here DILL (or really, LOTOS). The correctness of a DILL specification can be easily checked by simulation tools. The TestGen tool generates test suites using transition tours of automata. This allows automatic generation of test suites for reasonable coverage, and also allows testing of non-deterministic implementations. The VeriConf tool was developed to support the (strong) confor relations.
However, the size of the circuit that can be effectively verified is small compared to that handled by other mature hardware verification tools. There are two main reasons for this performance limitation. One comes from the modelling language LOTOS, and the other comes from the CADP tool. For synchronous circuits, the order in which signals occur during a clock cycle is not so important. So it is reasonable to imagine that the inputs happen together and then output occurs. But when modelling such circuits in DILL, independent (interleaved) inputs are allowed so the state space is considerably enlarged. CADP is still under development, and most of its features are currently based on explicit state exploration. On-the-fly observational equivalence checking is not currently supported by CADP. A BDD representation of LOTOS specifications is still being developed for CADP, although BDDs are used to represent intermediate data types in some algorithms. With tool improvements, the verification performance reported in this paper can be expected to improve.
References
1. D. L. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. ACM Distinguished Dissertations. MIT Press, 1989.
2. J. C. Ebergen, J. Segers, and I. Benko. Parallel program and asynchronous circuit design. In G. Birtwistle and A. Davis, editors, Asynchronous Digital Circuit Design, Workshops in Computing, pages 51–103. Springer-Verlag, 1995.
3. J.-C. Fernández, H. Garavel, A. Kerbrat, R. Mateescu, L. Mounier, and M. Sighireanu. CADP (CÆSAR/ALDÉBARAN Development Package): A protocol validation and verification toolbox. In R. Alur and T. A. Henzinger, editors, Proc. 8th. Conference on Computer-Aided Verification, number 1102 in Lecture Notes in Computer Science, pages 437–440. Springer-Verlag, Berlin, Germany, Aug. 1996.
4. G. Gopalakrishnan, E. Brunvand, N. Michell, and S. Nowick. A correctness criterion for asynchronous circuit validation and optimization. IEEE Transactions on Computer-Aided Design, 13(11):1309–1318, Nov. 1994.
5. R. C. Ho, C. H. Yang, M. A. Horowitz, and D. L. Dill. Architecture validation for processors. In Proc. 22nd. Annual International Symposium on Computer Architecture, 1995.
6. ISO/IEC. Information Processing Systems – Open Systems Interconnection – LOTOS – A Formal Description Technique based on the Temporal Ordering of Observational Behaviour. ISO/IEC 8807. International Organization for Standardization, Geneva, Switzerland, 1989.
7. Ji He. Formal Specification and Analysis of Digital Hardware Circuits in LOTOS. PhD thesis, Department of Computing Science and Mathematics, University of Stirling, UK, Apr. 2000.
8. Ji He. Formal specification and analysis of digital hardware circuits in LOTOS. Technical Report CSM-158, Department of Computing Science and Mathematics, University of Stirling, UK, Aug. 2000.
9. Ji He and K. J. Turner. Extended DILL: Digital logic with LOTOS. Technical Report CSM-142, Department of Computing Science and Mathematics, University of Stirling, UK, Nov. 1997.
10. Ji He and K. J. Turner. Timed DILL: Digital logic with LOTOS. Technical Report CSM-145, Department of Computing Science and Mathematics, University of Stirling, UK, Apr. 1998.
11. Ji He and K. J. Turner. Modelling and verifying synchronous circuits in DILL. Technical Report CSM-152, Department of Computing Science and Mathematics, University of Stirling, UK, Apr. 1999.
12. Ji He and K. J. Turner. Protocol-inspired hardware testing. In G. Csopaki, S. Dibuz, and K. Tarnay, editors, Proc. Testing Communicating Systems XII, pages 131–147, London, UK, Sept. 1999. Kluwer Academic Publishers.
13. Ji He and K. J. Turner. Specification and verification of synchronous hardware using LOTOS. In J. Wu, S. T. Chanson, and Q. Gao, editors, Proc. Formal Methods for Protocol Engineering and Distributed Systems (FORTE XII/PSTV XIX), pages 295–312, London, UK, Oct. 1999. Kluwer Academic Publishers.
14. Ji He and K. J. Turner. Verifying and testing asynchronous circuits using LOTOS. In T. Bolognesi and D. Latella, editors, Proc. Formal Methods for Distributed System Development (FORTE XIII/PSTV XX), pages 267–283, London, UK, Oct. 2000. Kluwer Academic Publishers.
15. L. Léonard and G. Leduc. An introduction to ET-LOTOS for the description of time-sensitive systems. Computer Networks and ISDN Systems, 28:271–292, May 1996.
16. R. D. Nicola and F. Vaandrager. Three logics for branching bisimulation. In Proc. 5th. Annual Symposium on Logic in Computer Science (LICS 90), pages 118–129. IEEE Computer Society Press, 1990.
17. J. Staunstrup and T. Kropf. IFIP WG10.5 benchmark circuits. http://goethe.ira.uka.de/hvg/benchmarks.html, July 1996.
18. J. Tretmans. Test generation with inputs, outputs and repetitive quiescence. Software Concepts and Tools, 17:103–120, 1996.
19. K. J. Turner and R. O. Sinnott. DILL: Specifying digital logic in LOTOS. In R. L. Tenney, P. D. Amer, and M. Ü. Uyar, editors, Proc. Formal Description Techniques VI, pages 71–86, Amsterdam, Netherlands, 1994. North-Holland.
20. D. Winkel and F. Prosser. The Art of Digital Design. Prentice-Hall, Englewood Cliffs, New Jersey, USA, 1980.
