In the formal verification domain the use of monitors represents a powerful technique where model I/O sequences are monitored and triggers are raised to allow a simplification in the construction of formal properties. This reduces the chances of incorrect system specifications and can sometimes reduce also the actual model checking time. The drawback of this technique lies in its heterogeneity. In fact, usually monitors are defined at the implementation level of the device model under test. In this paper we present a more general approach based on the idea of abstracting monitors definition from the model level up to the specification level without imposing further constraints on the current model checking techniques. A test case from the telecom domain is used to illustrate the definition and use of this type of embedded monitors, showing advantages and benefits related to their application.
3

Introduction
The development of new application domains in the telecom market, such as radiomobile telephony or multimedia services, has led to a substantial increase in the average complexity of single devices and has made the definition and verification of the interoperability of different modules in a system a very error prone task. Specifically, the control parts of highly sequential devices is critical, not in terms of resulting area overhead or timing constraints, but for the correct definition, implementation and verification of the logical complexity that is required. Errors of different kinds in the control module may cause malfunctionings, made evident only by low level simulations or after prototyping. For this reason it is extremely crucial to define and apply tools during the definition phase of complex systems allowing early error detection and correction.
Formal verification techniques are becoming more and more attractive as part of the verification methodology, in conjunction to simulation, to guarantee the complete correctness of complex devices. Several examples of applications in industrial environments of these techniques [PP95],[JQKP97], [1] show that they have reached an acceptable level of maturity. Still, problems of complexity handling imposed by today's model checking technology [8] limit for the moment a wider diffusion. Furthermore, writing formal properties is not an easy task. It is necessary to deeply understand the behaviour of the device under test in order to define a correct context where the formal property is meaningful.
In some cases the specification of formal properties of digital devices can be very difficult since to prove the correctness of their behaviour it is necessary to verify a complex protocol characterised by long input/output sequences in the model. It is common practice [6] in such cases to implement a monitor inside the environment (see Figure 1 ). This monitor asserts a particular variable monitor_valid whenever a correct input/output sequence is detected. Having such a variable makes the formal property very easy to express. The main advantages of this technique are the complete independence from the actual implementation of the device under test and a more safe and effective way to specify properties even if the state space increases.
In this paper we will introduce a more general approach based on the idea of implementing monitors directly as a part of the formal specifications (see Figure 2 ). This does not require the setting of the test environment anymore and it allows a clear distinction between the model under test and its formal specification. This is a real advantage, since the embedding of monitors into formal properties could help the Compositional Verification Approach where properties of one hierarchical level are proved by composing properties of their submodules through tautology checking. Compositional verification includes all the information of the device into its own set of formal properties. However, if monitors are used, this information is not homogeneous and this could lead to problems both of clearness and integration.
Symbolic Timing Diagrams are used in the following because they are an integral part of the model checking environment used in our site. Anyway the approach does not rely on them and is more general. In fact CTL with temporal variables can be used for the same goal.
The paper is structured as follows: in Section 2 a brief description of the Symbolic Timing Diagrams is given; in Section 3 the problem of formal specification of HW devices and the use of monitors is addressed and in Sections 4 and 5 embedded monitors are introduced.
Their definition and application in the verification of the VHDL specification of a telecom device are presented in Section 6. Finally, Section 7 contains some conclusions and indicates the lines of future work.
A Brief Introduction to STDs
In the present design approach, we employ the extended Symbolic Timing Diagrams (from now on simply called STDs) [4, 3, 9, 5] as a mean for specifying the behaviour of a digital device. The user defines the properties (expected behaviour) of the device under consideration in a graphical form, which is automatically translated into temporal logic (TL). Although their very high expressive power, STDs are more concise than TL formulae and can be easily understood. These aspects could encourage the use of formal methods also in industry, where designers are quite familiar with timing diagrams. Here we recall the main concepts of STDs. For further details, see [2] .
STDs are characterized by the presence of general waveforms, whose events are assertions (any VHDL expression is allowed), and constraints between such events. An example of STD is shown in Figure 3 .
There are mainly two classes of specifications that need to be defined: the specification of the device and the specification of the environment. The latter is necessary to restrict the model checker in the generation of input sequences while trying to find a counter example for the property to be proved. The result is a partition into commitments and assumptions, the former to specify the system behaviour in response to input stimuli, the latter to specify the behaviour expected from the environment for stimulating and responding to the device evolution. When defining the property to be verified, then, a single commitment and one or more assumptions are selected for model checking with respect to the model to be validated. The model checker will prove the commitment by generating all possible input sequences fulfilling the assumptions. An STD is activated when the initial assertions of all its waveforms are satisfied or when the specification imposes that the diagram has to be satisfied only at the beginning of the system run: the activation mode is initial, if it is activated only once at the beginning of each system run, invariant, if it is activated whenever the initial conditions are met during the system run. The vertical bar on the left-hand side of the STD is called Activation bar, and denotes the configuration of input/output signals required to activate the STD. A double line denotes the initial Activation bar and a single line the invariant one.
When the diagram is active, the actual behaviour of the associated entity during the system run and the diagram assertions are compared: the actual values of the entity must correspond to the events of the waveform and all the constraints defined between events must be satisfied. This matching process is event-driven: every time a new assertion about the value of the port applies during system execution, if the assertion changes correctly with respect to the waveform and to the constraints specified on that edge, the event is matched, otherwise a violation has occurred.
Five classes of constraints between two events (a source and a target event) can be defined: the leads to constraint expresses that the target event must occur once the source event has occurred; the causality constraint indicates that the target event must occur but it can occur even before the source event has occurred; the precedence constraint is a weak version of the causality constraint (it states that if the target event occurs, it does so after the source event has occurred); finally the simultaneous and the conflict constraints indicate that the source and target events need to occur at the same time and at a different time, respectively. Some of these events can be combined. STDs allow also the specification of the time interval between the occurrence of the source and the target events, by means of the upper and the lower bound (valid values are 0, ∞, -∞ for qualitative constraints, nonnegative integers for quantitative constraints).
The severity of the constraint violation depends on the strength of the constraints. A possible (weak) constraint (light grey in the STDs) indicates that if the target event occurs, it must satisfy the constraint (not necessarily in the specified time limit), otherwise the diagram is deactivated without failure. A constraint with strength mandatory (strong constraint) states that the target event must occur, fulfilling the timing specification, otherwise a counter-example is generated.
The expressiveness of STDs is increased by the possibility of using flexible and rigid variables [2] . Flexible variables are logical variables whose value can change in any step. They are modelled as pairs of input ports (of any allowed VHDL type), where the second one represents the value one step delayed with respect to the first one. The two ports are added to the original VHDL device interface and are not connected to any internal module. Rigid variables are parameters that initially can assume any value and maintain their values thereafter.
Moreover, to improve the reusability of the STDs, generic STD definitions [2] can be adopted, that allow using macros for symbolic waveform assertions, which can be instantiated with particular values when the STD is declared.
Current Limitations in Formal Specification and Verification and the use of monitors
Specification languages used for formal verification of hardware devices allow the description of the behaviour of the circuits modelled, e.g. in VHDL, by means of relationships among the input/output ports. The need of formally specifying and verifying complex sequential circuits from different applications is increasing. Sequential circuits are usually described as finite state machines, where the outputs depend not only on the current input, but also on past values of the inputs. Thus, in general, to formally specify a FSM it is usually necessary to express its behaviour by means of a sequence of input/output signals.
The behaviour of a complex device can be triggered by a very long sequence of input/output signals and this leads to write very complex formal specifications. In many cases the style adopted by the tester is very close to the simulation approach where the tester tries to explicitly state all the stimuli necessary to bring a system into a particular "state". Moreover, in many cases it is not easy to define the state reached after a sequence of inputs using only the input/output relationships.
To clarify the problem, we consider as sample example a regular expression analyser, that asserts the output signal Found when the regular expression ab + ab is detected on the input port Data (Figure 4 shows the FSM recognising this regular expression). Every time an expression is detected, the device starts from the beginning again, i.e. no sequences overlapping is considered.
In order to verify that the device works properly, we need to prove that: for each valid sequence the device asserts the Found output signal (from now on called Property 1) the Found signal is asserted only in correspondence of valid sequences (Property 2).
We describe step by step the formal specification of this device. Property 1 is modelled by the STD commitment of Figure 5 where after a valid sequence on the input port Data the output port Found is asserted.
This diagram does not correctly describe the desired behaviour: in fact, since the diagram is activated whenever the initial assertions are matched (i.e., Data=a and Found='0'), this specification is self-activating, and this leads to detect overlapping sequences.
Precedence constraint with bounded distance Leads to constraint Self-activation could be avoided by using flexible variables as shown in Figure  6 .
This STD is activated whenever Data=a, Found='0' and the flexible variable flexV is false: after one step the flexible variable is set to true until all the other waveforms/constraints of the diagram have been matched (graphically this waveform ends after all the others). This method avoids matching the activation assertions again when a diagram is active. However, Property 1 is not sufficient to specify the expected behaviour of the device: it does not say anything about the fact that the Found signal is asserted only when this kind of sequence is detected and not in other cases. Currently one way to solve this problem is by using monitors. A monitor is a module, generally written in the same language of the design under test (in our case VHDL), that analyses the same inputs (and possibly also the outputs) of the device and asserts a particular variable when a correct sequence of input/output events is detected. Aim of this paper is to provide a method for embedding monitors into the formal specification of properties to be tested.
Embedded monitor as Virtual Finite State Machine: Concepts and Definition
Our solution to embedding monitors into formal specificationsto is based on the definition of auxiliary FSM directly specified through STD assumptions. We call this kind of monitors virtual Finite State Machines (VFSM) to reinforce the idea that they record all the events needed to define the context, where the formal specification can be proved even if their description is, in every respect, a part of the formal specification.
A VFSMs can read all ports from the interface and provides information about its internal states (called virtual states) to the property specification (see Figure 7) .
A VFSM is defined as a sextuple 〈VS,vs 0 , I,O,λ,δ〉, where VS is a finite set referred to as the virtual states, vs 0 is the initial state, I and O are finite sets referred to as the set of the inputs ad outputs, respectively, δ:VS×I→VS is the next-state function and λ:VS→O is the output function (Moore FSM). The inputs I are a subset Block diagram for the formal specification using VFSMs of (possibly all) the actual input/output signals of the physical device, relevant to the evolution of the VFSM. The virtual states VS are, in general, unrelated to the actual states and they may assume a value that can be updated only by the sequence of input signals I. The next state function δ represents how the virtual states evolve with respect to the inputs and present state. The outputs O coincide with the virtual states VS themselves and the output function λ maps one state with the state itself. Hence, actually we need to consider only the quadruple 〈VS, vs 0 , I, δ〉.
The virtual states of the VFSM can be used in a property specification to be proved in order to recognise particular contexts. In fact, VFSMs, like monitors, can be used to represent in an abstract way the sequential behaviour of a (part of a) circuit, and virtual states can be used in substitution of the internal states in order to identify the right context deriving from a particular sequence of inputs. VFSMs describe state information in an abstract view, which allows, for example the counting of events, the identification of phases within a handshake protocol, the identification of operating modes, or even more complex control structures in an abstracted view.
Embedded monitor as Virtual Finite State Machine: Semantics and Specifications
A VFSM extends the observable behaviour of a system by providing additional information. As there is no transmission of this information to the device model itself (see Figure 7) , the VFSM does not restrict the behaviour of the considered model, nor does it modify the behaviour of the device model in any way. Given a device model M with inputs I and outputs O a property specification spec is usually built over the observable interface (I,O). The validity of spec for the device M is denoted by M spec(I,O) .
In an assumption/commitment style spec is given as a set of assumptions and a commitment. Verification of such a property is done e.g. by model checking. Virtual finite state machines introduce an additional -expected -observation of the device.
Enhancing the specification method by adding virtual finite state machines specifications are given by pairs (VM, spec). How is such a property specification verified? As mentioned above, a VFSM VM can be seen as an observer of the interface (I,O) which stores some history information of the observed behaviour in its virtual states. This information can be used in the property specification spec (I,O,VS) . Hence, verification is performed with respect to the enhanced model M × VM that provides additional information for the property. Formally, we prove the validity of spec(I,O,VS) with respect to the composition of M and VM:
M × VM spec(I,O,VS) . Hence no modification of the underlying model checking procedure is required. As the transition relation of the virtual finite state machine VM is complete for all possible inputs and no outputs are transmitted to the device M, the behaviour of M × VM restricted to the observable (I,O) is equivalent to the behaviour of M. If the specification spec does not refer to any virtual state the validity of M × VM spec(I,O) is equivalent to the validity of M spec (I,O) . From this point of view it should be clear that the virtual finite state machine is a kind of memory providing history information for the property specification and does not restrict the behaviour of M.
Specification example
The behaviour of the device of Figure 4 can be defined using the virtual states of a VFSM coincident with the FSM of the regular expression analyser (the mapping of a VFSM into STDs is shown in Appendix A). The two properties to be proved can be efficiently represented by the commitment of Figure 8 .
It simultaneously proves both properties, by stating that the output signal Found is asserted if and only if the virtual state VS is equal to 4. This condition must hold forever (in this case the waveform is graphically represented with dashed lines). One of the most important benefits of this approach is the possibility of completely embedding a monitor as a list of assumptions into the set of formal properties of a device in a linear and clear way without any need to extend the features of current model checkers. Each link allows management of data in transmitting (tx) and receiving (rx) modes at the same time. During the rx mode, the data are inserted into the data storage memory for a future analysis. The upper part of Figure 9 shows a simple block diagram of the main modules of the device. The HDLC module receives data from the external environment, runs some OSI layer 2 functionalities (for example the CRC checking) and then transmits them to the FIFO that behaves as a buffer. The DMA transfers the data directly from the FIFO to the main memory through a 32bit BUS. During the tx mode, devices like those previously described are used in a dual way: the DMA module gets the data from the main memory and inserts them into the FIFO. The HDLC module reads the data from FIFO and sends it through the transmission channel after the execution of a set of OSI layer 2 functionalities (CRC computation).
The tasks of the internal RISC microprocessor are basically the bus management (it manages the bus request of different DMAs) and the memory management (it maintains the coherence of the information contained in an external RAM (ESRAM)). With this information it is possible to determine where to store new frames or where to retrieve frames ready to be sent. To show how the proposed approach has been applied to this device we focus on the Fifo_rx module. The Fifo_Rx (represented in the lower part of Figure 9 ) is a synchronous device driven by the two clocks CLK_RX and ICLK; the first one comes from the environment and sets the rates of the receiving links, while the second one is the internal clock, which drives the DMA, the controller and part of the HDLC modules. The Fifo_Rx contains a buffer of four elements, each one composed of a tag and a data value. The tag value indicates if the data value is an information or a control byte. The EN_HDLC_H signal and reset RES_L signal enable the module.
During the rising edge of the CLK_RX clock the write request signal (WR_H) coming from the HDLC module is sampled: if it is asserted (WR_H = '1') a writing operation is performed, i. e., the data on the DAT_IN and TAG_IN ports are read and stored into the buffer. When the DMA module performs a read request (RD_H = '1'), the Fifo_Rx provides the internal information on the DAT_OUT and the TAG_OUT ports and asserts the data valid acknowledge signal (VALID_H stays high for one ICLK clock cycle). If there is no information in the Fifo_Rx, the VALID_H stays low indefinitely. If the read and the write requests are simultaneously asserted, the writing operation is performed first. If the Fifo_Rx is full a further writing operation generates an "overrun error" (the tag and the data value of the last element of the Fifo_Rx are forced to '1' and to a value representing the overrun event, respectively).
The property we consider here refers to the behaviour of the device in case of "overrun" event occurrence. The automaton of Figure 10 represents the VFSM describing the behaviour of the Fifo_rx in case of read/write operations.
The virtual states change in correspondence with the read/write operations. The write operation (WR) depends on the assertion of the input signal WR_H and is triggered by the CLK_RX clock. The read operation (RD) depends on the assertion of the input signal RD_H, having lower priority than the WR_H signal (to perform a read operation WR_H must be disabled) and is triggered by the ICLK that is the reference clock of the device (implicitly considered).
The information of the VFSM is used to prove that when an overrun occurs, the device overwrites the last element of the internal buffer with a code representing this kind of error. A simple way for detecting this fact without adding further port signals, is to look at the values on the dat_out and tag_out ports when an overrun has occurred (VS has become 5) and subsequently the fifo has been emptied (VS=0) without further write operations: in such a way the content of the last element of the internal buffer is available on the output ports. These concepts are efficiently expressed by the commitment of Figure 11 . This STD is activated when the virtual state VS is equal to 5 and for any value on the dat_out and tag_out ports; then, when the virtual state changes to 0, without Figure 11: Commitment to prove the overrun property performing any further writing operation (wr_h port is de-asserted till the end of the diagram), the dat_out and tag_out ports have to report that an overrun error occurred (the stable condition at {true} for VS is a compact way to state that all possible values between VS = 5 and VS = 0 are allowed).
Notice that the output signals DAT_OUT = OVERRUN_FLAG and TAG_OUT = '1' are defined as non-deterministic points since we are interested in the occurrence of those values after the transition of VS to 0 independently of how many times they have been set to these values between the activation of the diagram and the VS transition to 0. Note that, in general, VFSMs are not too complex, since usually they are used to prove a single behaviour and do not represent the functionality of the whole device.
Concluding Remarks
Actual applicability of formal verification strongly depends on the availability of methods and tools allowing the designer to specify the intended behaviour in a compact and effective way. The proposed technique is based on Virtual Finite State Machines that provide the possibility of extracting from the actual description those "states", that do not necessarily correspond to the implemented states, necessary for the specification of particular properties. The paper has shown how this embedding of monitors in the formal specification is performed through the instantiations of STDs assumptions. Examples have been provided for a small test case, and for a telecom application. A promising exploitation of this technique is in conjunction with compositional verification and future work will aim to investigate such possibility. Furthermore we will work to provide a tool allowing the user to specify directly in a graphical way the VFSM and checking for its completness.
