In this paper we display apraciical approach adoptedfor the formal verfication of Fairisle ATM (Asynchronous Transfer Mode) swiich pori conholler wing model checking. The ATM port conholler is part of the Cambridge Fairisle ATM neiwork andplays a key role in the ATMswiichingprocess. In pariicular, wepresenr our experience on ihe model checking ofihe ATMpori conholler using the VIS toolfrom UC Berkeley. To ihis end, we successfilly modeled the port conholler behavior and shuchlre in Verilog HDL, esiablished the necessary verrficotron environmenis and verijied a number ofrelevant temporalproperties on the pori conhaller.
INTRODUCTION
With the increasing reliance of digital systems, design errors can cause serious failures, resulting in the loss of time, money, and long design cycle. Large amounts of effort are required to correct design hugs, especially when the emor is discovered late in the design process. For these reasons, we need approaches that enable us to discover errors and validate designs as early as possible. Conventionally, simulation has been the main debugging technique. However, due to the increasing complexity of digital systems, it is becoming impossible to simulate large designs adequately. Therefore, there has been a recent surge of interest in formal verification [3] .
One very successful formal verification approach is model checking [3] which enables to check a design model against temporal logic properties. Model checking is an automatic technique for verifying finite-state reactive systems, such as sequential circuit designs and communication protocols. Specifications are expressed in a propositional temporal logic, and the reactive system is modeled as a state-transition gaph. However, the specifications are not always easy to be expressed in the given temporal logic. In this paper, we display practical approaches to represent the specification in the temporal logic and present our experience on the model checking of The Fairisle port controller (Fig 1) is a real design from Cambridge University. It is at the heart of Fairisle ATM network switch [4] . In the ingress [2], the port controller receives ATM cells from the transmission hoard and performs the ATM switching on the received cells. It also sends the ATM cells to the switch fabric [5]. In the egress [2], the port controller receives ATM cells from the fabric and sends the acknowledgment signals to the switch fabric. The port controller assigns priorities to ATM cells, by preloading priority hits into the memory. The priority bit will he used for arbitration in the switch fabric. In this work, we modeled the port controller at the RTL (Register Transfer Level) following some documentation and incomplete structural code we have obtained from
Cambridge. The RTL description of the port controller is written in Verilog HDL (Hardware Description Language). To verify the port controller in VIS, we established a proper environment, and defined a number of related CTL (Computation Tree Logic [3] ) properties.
In following sections, we will introduce the behavior and structure of the port controller in Section 2. Section 3 describes the properties we established on the port controller. Section 4 illustrates a practical method on verifymg CTL properties using model checking, and Section 5 summarizes the paper. gives a positive acknowledgment signal; otherwise, it sends a negative acknowledgment.
THE FAIRISLE PORT CONTROLLER
The input port controller always monitors theframesfarf signal ( Fig I) . On an activefromestart signal, the input port controller will assert a write enable signal to the memory.
After the framestan signal is received, the input port controller will latch the first two bytes which build the VCI field of the receiving cell. (Fig 1) is the conversion between the VCI of the receiving cell and its memory location, c means the column address and r means the row address. The decimal digit indicates the position in the hinary address (e.g. r4 means bit 4 of the row address). On the other hand, when theframesfart signal is asserted and the input port controller bas a cell to send, the input port controller will read the data cell from the memory into the fabric. After a certain number of clock cycles, if the input port controller receives the positive acknowledgment signal through the switch fabric, it will continue sending the ATM cell; otherwise, it will stop the transmission. While the input port controller receives data from the transmission board and transmits the data into the fabric, the output port controller receives data from the switch fabric and gives the acknowledgment signal to the input port controller through the switch fabric. After the framestart signal is asserted, the output port controller will detect the active bit in the port controller header. If the active bit is asserted, the output port controller will generate the positive acknowledgment signal which will be transmitted into the input port controller through the fabric; otherwise, the output port controller will generate the negative acknowledgment signal. If the output port controller receives a data cell, it will write the data into the output FIFO, and the f m t byte of the data, which is the Port controller Routing Byte (PRB), will be stripped. The signals @-mem-wr-en and ip_mem-rd-req are the memory write enable and memory read request signals, respectively. The memory row and column addresses are provided by @-mem-addr-r and W-mem-addr-c, respectively. The rx_@-data is an 8-bit data bus which is the data inputs from the transmission board. The signals m-rd-req and n-ip-soc indicate cell availability in the transmission board and the start of a cell, respectively. The m-@-soc signal corresponds to the fromesfart mentioned above, The signal Q-m-wr-en demonstrates whether the input port controller is able to accept a cell or not. The ip fab-data is an 8-bit data bus which transfers data from the input port controller to the fabric. The fab-@-ack is the acknowledgment signal which indicates whether the current cell succeeded the transfer to the destined output port controller. The fab-op-data is an %bit data inputs fiom the fabric to the port controller and the fab-op-ack is the acknowledgment signal generated by this latter. The op-fifo-data is an %bit datapath from the output port controller to the FIFO. The op-fifo-w-en is the write enable signal for the output FIFO. The signal op-fifo_soc indicates the start of a cell, and it is asserted before the fmt byte data transfer. The npc-rst-n is the reset signal.
Structure of the Fairisle Port Controller
Inside the port controller, there are two control registers (err-id and ch-sz) and one status register (@-empty). The &-id disables the inputs when it is asserted. The register ctr-sz is for debugging purposes. The register ip-empty is used to indicate the status of the port controller.
PROPERTIES OF THE PORT CONTROLLER
Based on the expected function of the port controller, we defined the following six major properties. Property 1: The Fairisle port controller will be reset properly when the reset signal (npe-rst-n) is zero , Property 2: When the input port controller can accept a cell, the transmission board has a cell to send, and the input port controller is in debugging state (ctr-sz = I ) , then the cell will be transferred to the input port controller and stored in the memory at the right location. Property 3: When the input port controller can accept a cell, the transmission hoard bas a cell to send, and the input port controller is in the normal operation state (ctr-sz=O), then the cell will be transferred to the input port controller and stored in the memory at the right location.
Property 4:
When the input port controller has a cell to send, it will send the cell to the fabric. If the input port controller does not receive a positive acknowledgment signal, it will stop sending the cell; otherwise, it will send the data cell completely.
Property 5
The memory cannot be read and ulite at the same time.
Properly 6:
The output port controller will send an acknowledgment signal after it detects an incoming cell.
Each of the above properties will be described formally in CTL. Due to limited space, we will report in detail the formal specification and verification of one sample properly, Property 3, in next section. The CTL specification of the other properties can be found in [6].
SPECIFICATION AND VERIFICATION
In this section we will demonstrate by example (using Property 3) how the specification and verification is processed in a practical way. Property 3 has the following assumptions:
I. The input port controller can accept a cell, expressed as "@-empty = 1";
2.
The transmission board has a cell to send, expressed as "m-@-rd-req = I"; The above CTL expression is not fully correct because the assumptions (ip_empfy=l and rx_ip_rd-req=l) do not happen at the same state as the fourth assumption (m-ip-soc=l). Therefore, we need to put the assumptions into the environment. In fact, because the port controller has a cyclic period synchronized by the n-ij-soc signal whose period is 64 clock cycles, we could establish an environment state machine with 64 states (Fig 4) . The Verilog code for the above environment of the port controller for Property 3 is shown in Fig. 5 . In this environment, the correct assumption npc-rst-n=l, ctl-id=O, ctr-sz=O, @ -e m p p l , rx_ip_rd-req=l, and rx-ip-soc=l are set properly. Next, we divide the verification into the two steps. The first step is to verify whether the environment represents the assumption, and the second step is to check if the conclusion is valid.
Step 1. Veri& the assumption
The five assumptions are expressed using the following CTL expressions:
Step,?. Verify the conclusions. In Property 3, we have to verify two aspects: one is to ensure that two bytes of VCI become the memory address and the memory address is incremented by 1 per byte data transfer. And the other is to verify that the data is transferred from transmission board to the memory with one clock cycle delay and the memory write enable signal is asserted during the data transfer. The formulas (4) and (5) below specify that the two bytes of VCI are transferred to be memory address correctly. The correct memory addresses increment can be specified by formulas (6), (7), (8) and (9) below. Due to the space limitation, the CTL properties for the address increment between S8 and S56 are not listed in here, but they are very similar to (7) and (8). Next, we verify that the data is transferred from the transmission board to the memory with one clock cycle delay and the memoty write enable signal is asserted during data transfer process. This sub-property involves two signals. One is the memory write enable signal (ip-mem-w-en) and the other is the data output signal (ip-mem-data). The ip-mem-w-en signal, which should be asserted during the data transfer period (S7 to S56), is expressed by formulas (10) and (11) below. Also during the data transfer period, the ip-mem-data should equal the value of rx-ip-data with one clock cycle delay. The fust and last byte data transfers are represented by formulas (12) and (13) below. Due to the space limitation, the CTL
11)
AG (state=Sl -> lp-empty =1 rx-ip-rd-req=ll
12)
AGlstate=S3 -> rx-ip-soc=l)
13)
properties for the rest of data transfer are not enumerated in here, but they are very similar to (12) and (13).
A G ( s t a t e = S l + State=SZ + ... + s t a t e = S b + s t a t e = S 5 7 + .,. + a t a t e = S 6 4 -> ip-mem-wr-en=O)
110)
Property 5 A G ( s t a t e = S l t State=S8 + ... + s t a t e = S 5 6 -> 
Using the established environment and combining the property assumptions and conclusions, Property 3 is successfully verified through model checking in VIS. Following the above method, all other 5 properties of the port controller have been similarly specified and verified.
Experimental results on the model checking of all 6 properties are shown in Table 2 , including CPU time, memory usage and number of BDD nodes generated. The experiments were performed on a Sun Ultra Sparc (300MHz/500 MB) machine. 
Property 6

CONCLUSION
In this paper, we have presented the modeling and formal verification by model checking of an ATM switch port controller. This is a real design of a telecommunications component used in the Cambridge Fairisle ATM network. While some specification properties cannot be concisely expressed using single temporal logic formulas, we have shown how we make use of an environment state machine to enable a proper specification. To enable the model checking process, properties are further subdivided into a set of assumption and conclusion subformulas which are combined by conjunction. Using such an approach, we succeeded the model checking of all specification properties of the port controller within the -reasonable time. The method presented could be enough in order to verify larger designs. To this end, we may have to apply some more advanced techniques, such as symmetry reduction or compositional verification [5].
