In the era of billion-transistor design, it is critical to es- 
Introduction
As embedded systems today are becoming more integrated and complex, system verification continues to he a major challenge. More than ever, design and verification methodologies at higher levels of abstraction are required to minimize the design cost of an electronic product. To make the practice of designing from high level system specification a reality, Verification methods must accompany every step in the design flow. Specification at the system level makes formal verification possible [6] . Designers can prove the property of a specification by writing down the property they want to check in some logic (e.g. Linear Temporal Logic (LTL) [IO] ) and use a formal verification tool (e.g. the model checker Spin [ 111) to run the verification. Formal verification checks the entire state space of a design to verify some specified property without any uncertainty. At the lower level, however, the complexity can quickly overwhelm the automatic tools, and the simulation becomes the primary means for verifying the behavior of a design.
The confidence of a simulation verification mainly depends on the design of test cases. Designers can insert embedded assertions into their HDL (Hardware Description Language) descriptions to help uncover bugs of system designs during simulation. Today's embedded assertion lan-0-7803-8236-6/031$17.00 0 2003 IEEE 83 guages capture those simple logics as language/platform specific library blocks (e.g. handshake assertion) and use a set of extended temporal logic to operate on those blocks for expressing more complex assertions. IBM's Sugar2.0 [SI is chosen by Accellera as the standard formal property specification language (PSL) for assertion-based verification. A similar assertion specification language from Synopsys, OpenVera [I] , can be used to specify both simple temporal sequences of events and complex temporal formulas. to demonstrate the usefulness and effectiveness of our LOCbased quantitative constraint verification. The rest of the paper is organized as follows. In the next section, we review Logic Of Constraints (LOC), Linear Temporal Logic (LTL), and their typical usage. In Section 3, we analyze the expressiveness of LOC. In Section 4, the approach of simulation trace analysis for LOC formulas is reviewed. Then, we discuss our formal verification approach for LOC formulas. In Section 5, we present the case studies on validating a TTL channel design with LOC constraints. Both techniques of simulation trace analysis and model checking are utilized and tested. Section 6 concludes the paper and gives our future work.
Background
In this section, we review the salient aspects of our quam titative constraint formalism, Logic Of Constraints (LOC) and the popular temporal logic for functional property specification, Linear Temporal Logic (LTL). We discuss their typical usage and the typical constraints they can express.
Logic Of Constraints
Logic Of Constraints 141 is a formalism designed to reason about traces from the execution of a system. It consists of all the terms and operators allowed in sentential logic, with additions that make it possible to specify system level quantitative functional and performance constraints without compromising the ease of analysis. LOC can be used to specify very common and useful real-time performance constraints: rate, e.g. "Display's are produced every 10 time units":.
(1) latency, e.g. "Display is generated no more than 25
= 10 , time units after Stimuli.":
(2) 8 jitter, e.g. "every Display is no more than 4 time units away from the corresponding tick of the real-time clock with period lo":
throughput, e.g. "at least 100 Display events will be produced in any period of 1001 time units":
The basic components of an LOC formula are: event names (e.g. Di.splay and S t i m u l i ) , instances of events (e.g. Display [l] for the fourth instance of the event Display in the current execution given as a trace of event instances), indices of event instances (e.g. 0, 1, ..., etc), the index variable i and annotations (e.g. t). The rate constraint (1) requires that the difference between the values of annotation t for any two consecutive Display instances should equal to IO.
It should be emphasized that time isonly one of the possible annotations. Any value that may be associated with an event (e.g. power, area) can be used as an annotation. In the case of concurrent events, the values of time annotation should be the same. The indices of instances of the same event denote the strict order as they appear in @e execution trace. There is no implied relationship between instances of different events. LOC can be used to express relationship between the annotations of the different instances of the same event (e.g. rate), or instances of different events (e.g. latency). Iraddition, LOC can also be used to specify quantitative functional constraints like data consistency. 
Linear Temporal Logic

LOC V . S . LTL
In this section, we discuss the expressiveness of LOC and compare it with LTL. For LTL, we only restate here its well known properties. Note that LTL is defined on the state transition level where any change on the system state can be accounted for, while LOC works on a higher abstraction level, in which only the events observable from the system and their annotations are considered. However, this difference is just a technicality, because it is not difficult to hide state transitions so that LTL and LOC are defined over the same kind of objects. Through several examples and claims, we will conclude that LOC and LTL are incomparable and have different domains of expressiveness.
Claim 1:
There are LOC formulas that can be expressed 'with LTL.
Since both LOC and LTL contain basic Boolean expressions, a'subset of LOC constraints that specify simple global Boolean conditions can be expressed in LTL also. For example, the constraint, "the annotation data of the event Display is always greater than IOW, is expressed in LOC as:
If we use a variable Displaydata to store the value of data in the design, and use a flag Di.splay.occur to indicate that an instance of the event Di.splay occurs, this constraint can be easily expressed in LTL as: Indeed, if a trace does not satisfy an LOC formula, then there must exist an i for which the formula is false. We can evaluate all index expressions for that value of i.. Since there can only be finitely many of these expressions, there must exist some point in the execution such that, for that particular value of i, the formula does not refer to any event occurrence beyond that point. Clearly, the execution prefix up to that point is sufficient to disprove the property. On the other hand, LTL is capable of expressing some liveness properties, for example U 0 A, i.e. "A occurs infinitely often". From claims
(1)-(3), we can conclude the following:
Conclusion: LOC and LTL are incomparable. Generally, LOC is designed for the specification of quantitative performance and functional constraints at the transaction level where system events and their annotations are considered. Because of the use of index variable i, LOC is beyond the finite automata domain. On the other hand, LTL is suitable for the specification of functional constraints, and can effectively express the temporal patterns for system state transitions. Because of this difference, LOC can express important properties that cannot be expressed with LTL, on which the traditional property specification languages are based.
Verification Approaches for LOC Formulas
In this section, we discuss the analyzability of LOC. We first review the simulation-based trace analysis approach presented in [7] , and show that LOC constraints can be easily verified in an assertion-based simulation verification environment. Then, we discuss how to utilize the existing formal verification technique, i.e. model checking, to verify an LOC formula. 
Simulation Verification of LOC Formulas
The methodology for simulation verification with an automatically generated LOC checker is illustrated in Figure I [7]. From the specification of LOC formulas and a trace format, the automatic checker generator is used to generate a C++ source of the checker. The source code is compiled into an executable that takes in simulation traces and repons any constraint violation.
The algorithm of LOC checking progresses based on the index variable i. Each LOC formula instance is checked sequentially with the value of i being 0, 1, 2, ... 
Formal Verification of LOC Formulas
Although our trace analysis enables efficient verification of LOC formulas in a simulation environment, formal verification may still be necessary to formally prove properties of library modules and other small designs for frequent use. The simulation approach described above suggests our formal verification approach. A trace checker can be interpreted as an automaton accepting executions. We could thus use existing model-checking tools to verify that each execution of the system is accepted by the trace checker. 
compares the annotation t of any two consecutive occurrences of the event Display. To verify this formula, the trace checker (see Section 4.1) only needs to store the annotation t of two consecutive occurrences of Display at any given time, i.e. only a constant amount of memory is needed.
From the above discussion, we give the following couservative rule to decide if the checker for a particular LOC formula can be expressed by a finite-state automaton. Although Rule 1 may appear quite restrictive, still many interesting properties satisfy it, including throughput (4) and rate (7) formulas. Let n be the maximum difference between two index expressions in a given formula satisfying Rule 1, and let mi be the largest of all index expressions evaluated for a particular value of i. Evaluating the formula for any value of i requires knowing annotations of at most n + 1 consecutive occurrences of the indexed event. Thus, if the trace checker maintains a list of n + 1 most recent annotations of the indexed event, the value of the formula for some value of i can be computed as a state predicate after the mi-th occurrence of the indexed event.
For example, for the rate constraint (7), n is 1, and Assuming that variables Display2 and Displayd-last are used to store the values of the annotation t for the current and last instances of Display respectively, and that Boolean variable Di.splay.occur is true whenever Display occurs, except for the first time (first Occurrence must be skipped since mi is never I), we can convert the rate constraint (7) into the state predicate: P1: There are never more than 50 occurrences of Stimuli between the x-th occurrences of Stimuli and Display.
p2: If P1 holds, then (2) holds.
Obviously, if P1 and P2 both hold then so does (2), and if P2 is false, so is (2). However, if P2 holds, but P1 does not, the result is inconclusive.
To specify P1 and P2, assume that the trace checker keeps 51 most recent time stamps for Stimuli and Display in arrays Display3 and Stimulif such that the 2-th time stamp is stored at position (x mod 51) of the mays. Also assume that variable D i s p l a y i and S t i m u l i i (which take values from 0 to 50) keep the indices of the most recent time stamps in the arrays. Finally, assume that binary variables Display.occur and Stimulinccur are true when Di.sp1.ay and Sti.muli occur, respectively. Then, P1 can be specified with the following state predicate:
Since we assume that Display always follows Stimuli, the condition where Displayi equals S t i m u l i i just after Stimuli occurs, indicates the buffer overflow. Constraint ( 2 ) can be expressed as follows:
, (10) and finally P2 can be expressed as follows:
Assumption (9) =+ Formula (10) .
(11)
It is natural to search for a general algorithm to check any LOC formula. Unfortunately, checking LOC is undecidable in general. To show this we can encode two counter . We simulate it in the Metropolis environment, and produce simulation traces with different lengths. When the writer DataGen writes a data into the TTL channel, it produces an event of prepared; when the reader Sum reads a data from the it produces an event of processed. We use the annotation data to represent the value of data written into or read from the channel. The non-negative constraint is defined in LOC as:
{s : s is a prefix of Onln2"3* for some n 2 0) .
It is not hard to show (e.g. see Example 6.1 in [ 121) that this language is not context-free, and thus cannot be recogNzed even with a pushdown automaton, l e~ alone a finitestate one. and the data consistency constraint is defined as: It includes refinement of the YAPI channel into a lower-level abstraction called Task Transirion Level (TTL) [9] . The reAt the l T L level, the channel is modeled with a hounded FIFO buffer. The mutual exclusion and boundary checking of the hounded FIFO buffer is guaranteed by a central protocol. As Figure 2 shows, the I T L channel has a bounded FIFO ( B a n d e d F i f o ) whose size is set at design time, and a control medium (RdIVrThreshold) which implements a protocol to guarantee correctly writing to and reading from the FIFO buffer. We use a writer process (DataGen) to write a series of data into the channel and a reader process (Sum) to read the data from it. To verify the correctness of the refinement, we focus on the verification of the TTL channel. We first check a property that is suitable for both LOC and LTL, "the data read by Sum is always greater than or equal to O", and we call it "non-negative" property. Another important property that can he expressed with LOC is data consistency of the TTL channel, i.e. the input data of the TTL channel should he read from the channel in exactly the same order without a loss.
The automatic checker generator is used to parse the definition file for the trace format and LOC formulas, and generate a C++ source for the trace checker. After compilation, we use the executable checker to verify that both of the LOC formulas (12) and (13) hold on traces of lo5 to lo8 lines.
The time and memory usage of the trace analysis are shown in Table 1. finement is shown in Figure 2 . 
Formal Verification for TTL Channel
From the MMM specification of the lTL channel design, we use the Metropolis backend tool to generate a corresponding Promela (Spin's language) description [I I] , which can he verified by the model checker Spin for a particular LTL formula. The l T L channel design has 634 lines of MMM source code and 2049 lines of Promela code after translation. In the Promela code, We use Boolean v a iahles preppared-occur and processedaccur to indicate the conditions that instances of prepared and processed occur, respectively. The code blocks, which manipulate the auxiliary data stmctures, are embedded into the Promela code appropriately. Thus, the non-negative constraint (12) can be expressed in LTL as:
where processeddata stores the most recent data read by Sum. With the bitstate technique [ 1 I] , Spin verifies the LTL formula (14) within 2 hours on our ISGHz Athlon machine with IGByte of memory. The same setup is used for all case studies in this paper. All the relevant verification parameters are listed in Table 2 .
From &e discussion in Section 4.2, we h o w that the data consistency constraint (13) of the Tl'L channel cannot be expressed by LTL directly. Therefore, we have to assume that, "after the r-th write by DataGen, at most 31 writes can be done before the x-th-read by Sum". Then and it is verified to hold by Spin (see Table 2 is verified to hold by Spin, and all the relevant verification parameters are also listed in 6 
Conclusions
In this paper, we discuss the verification aspects of the quantitative constraint formalism, Logic of Constraints. We compare LOC with LTL, find that LOC has a different domain of expressiveness than LTL, and conclude that LOC can express important properties that cannot be directly expressed by LTL. Although it appears that LOC formulas are more difficult to he analyzed, we discuss two feasible verification approaches, simulation trace analysis and model checking. We also present case studies on these approaches to demonstrate their usefulness and effectiveness. Our future work includes extending the LOC formalism with the universal quantifier V and existential quantifier 3, and constraint-guided non-deterministic simulation.
!
