Abstract This paper formalizes an incremental approach to design flow-control oriented hardware devices described by Moore machines. The method is based on successive additions of new behaviours to a simple device in order to build a more complex one. The new behaviours added must not override the previous ones. A set of CTL formulae is assigned to each step of the design. The links between the formulae of two consecutive design steps are formalized as a set of formula-transformations F, stating that: for all CTL formula f with atomic propositions related to step i, f is satisfied on a design at step i, iff F(f ) is satisfied on the design extended at step i + 1. This result extends the classical CTL property preservation results in a particular context. Moreover, it simplifies the writing of properties for a new device. This approach has been applied in the design of bus protocol converters and the transformations were useful to perform non-regression analysis. It could also be applied in order to simplify both system and formulae in particular cases.
hardware designers adopt an incremental strategy: after having defined the information flow of the design, the rough structure of the data-path and the control part, they proceed to the implementation of the simplest cases up to the most complex ones. This is accomplished by adding new functionalities, thus building a more and more complex device. This is particularly true for devices implementing a pipe-line flow: stages of the pipe-line can be roughly drawn and then the stalling actions are added. We believe that this incremental approach provides a framework that simplifies the design process, by treating difficulties one by one instead of having to face them altogether.
Often, the verification of such devices is performed by simulation of test cases. Specification of components by means of a list of properties expressed as CTL formulae and verification by symbolic model-checking [2] emerge as a verification method complementary to simulation. For instance, a bus protocol can be expressed by means of CTL formulae, and a new design conformable to the protocol may be checked by plugging it into a verification environment mimicking the bus, and then check that all properties of the specification are verified. In particular, verification of a single component in isolation by means of CTL or LTL specification is commonly used in the assume-guarantee verification process [7, 14] .
In a general way, the incremental design approach does not preserve the set of properties from a simple component to a more complex one. Once a behaviour is added to a simple model, a global property, which was true in the simple model, may be wrong in the extended one. Consequently, local and global properties (about the component plugged into a complex environment consisting of other components) have to be re-adapted for each incremental step of the de-sign. The method we propose overcomes this limitation: the properties satisfied in the simple model are transformed into others satisfied in the complex model. The limit of the model's complexity is related to the use of symbolic model-checking: each component has to be passed into the model-checker (this is sufficient to perform assume-guarantee verification) and if one needs to verify a global property among several components, the complete system has to fit into the model-checker. In practice, this corresponds to medium-sized systems (reducible to about 10 K logical gates).
This incremental design process is complementary to those applying a refining strategy as in the B method [8] . In refining strategies, the global information flow is initially defined and all cases, the simplest ones up to the most complex ones, are obtained by incremental refinements of the initial model. Each refinement is considered as a step towards a real implementation. The strength of these approaches resides in the preservation of global properties along the refinement process: if a property is true in a given model, then, if the refinement is well-defined, the refined model will preserve the initial property. This design method ensures that the implementation respects the properties of the specification. But this refining strategy excludes the addition of new functionalities during the design process : a refinement is a specialization of a pre-defined set of behaviours, whereas the incremental method we propose is built on addition of new behaviours. In our case, the price to pay is the lack of property-preservation. Larsen and Thomsen [9] proposed another refining method based on modal transition systems (MTS) which allows partially defined specifications. A MTS can be refined by preserving at least all the must-transitions and maybe adding some, while eliminating some may-transitions. But any behaviours allowed in the implementation has to be allowed in the specification.
The way several increments interfere with each other has been extensively studied in the context of feature inconsistencies detection in telecommunication or software plug-ins. For instance, Plath and Ryan have proposed in [4, 15] a feature integration automating tool [11] coupled with model-checkers (for SMV [15] ). The inconsistencies between several added features are detected by LTL or CTL property violation. More recently in [4] , Ryan et al. have stated a ATL property (alternating-time temporal logic 1 ) preservation for a restricted type of features. This is the transposition of the classical results of CTL-property preservation [6] into the context of ATL formulae, well-adapted to systems described in the game theory. They also integrate this feature inconsistency detection with ATL in MOCHA [1] . Others, as Cansell and Mery in [3] have proposed a method to compose features integrated into the Atelier B tool [16] : the refining strategy is applied to guarantee the correctness of the implementation with respect to an abstract specification of the basic component plus the added services. The inconsistencies between services appear as non provable proof-obligations.
Our purpose differs from those described in [3, 4, 15] since our increment definition is much simpler than the feature integration they propose. Indeed, our increment is monotonic: there is no overriding of behaviours, all behaviours that were in the simple component are preserved in the more complex one and new behaviours are tagged with a particular value, thus one can recognize them. Hence property-preservation results we propose are stronger.
We are interested in exploring the links between properties that are true in an initial model and those that are true in the extended one. This might be expressed as: "May we transform the CTL formulae that are true in the initial model into other CTL properties that are true in the extended one, capturing the way the extension was performed ?". If we can perform this, we can ensure that the extended model preserves the behaviours that were checked on the initial one. Conversely, from some property satisfied on the complex model, we can derive a simpler property to verify the simpler one. Our goal is to build a set of CTL formulae that represents a specification for the complex component by re-using the specification of the simpler component (and adding new properties specific to the added behaviours).
Given an additive increment, the initial model and the extended one, we show that this CTL transformation is possible. The transformed CTL formulae, applied to the extended model, restrict the verification statespace traversal to a sub-graph isomorphic to the one derived from the initial model. This guarantees that if the extended model respects the extension rules defined in Sect. 2, then the verification results of the transformed CTL formulae, applied to the extended model, and the verification of the initial CTL formulae, applied to the initial model, are identical.
We show how these transformations can be used to perform non-regression analysis. In a general way, when a designer modifies a component, he has to ensure that the modification did not induce regression: the correction does not disturb other correct functionalities. This is generally done by simulation: one has to re-simulate all the test cases that were successful on the previous model on the corrected one. By applying our approach, if the correction is manually performed, we can automatically derive the set of CTL formulae that will represent the specification of the corrected component. These properties will have to be verified on the complex system. If the correction is automatically performed by applying a pre-defined increment, the non-regression is guarantied by construction.
The paper is organized as follows: in the second section we present how new behaviour is added to an existing model and the associated definitions. The third section presents the Kripke structures derived from an initial model and the extended model, and characterizes the main properties of the latter. The fourth section presents a set of transformations of CTL formulae, restricting the verification of CTL formulae in the Kripke structure of the extended model to the initial one it includes. Then we present, in the fifth section, the way these transformations were applied during the incremental design process of protocol converters (between virtual component interface (VCI) [12] and PI-bus [13] ). Finally in the sixth section we draw some conclusions.
Increment formalization
In this section, we formalize the component being designed and the increment. Then we characterize the extended component.
A 
Definition of a component
Our approach iteratively applies an increment to a component W 0 to build a more complex component. W i refers to the component resulting from i successive increments. • Either the definition domain of one or more existing input signals is extended. The interfaces of the component are fixed, but the incremental design process takes into account values of these interfaces that were not previously considered.
•
One or more new input signals are added (with a definition domain). This is the case of an increasing complexity of the data-path of the component.
In both cases, the new event is modelled by the appearance of a new set of input signals (with their definition domain), I + , extending I i . In the first case we treat the extended signal as a new one. For example, let l be a signal with an initial domain Dom(l) = {a, b}. A more complex component has to take into account a new possible value, c, of signal l. This can be expressed by introducing a new signal j such that Dom(j) = {0, 1} and "j takes value 0" means "l takes a previously considered value (a or b)" and "j takes value 1" means l takes a new value c (that was not previously considered). The domain of l is unchanged.
The set of all configurations corresponding to the new input signals is split in two disjoint sets representing that the new event is active or not.
Definition 4
The event e is a triple, e = I + , C ACT (I + ), C QT ( We have
In the following, we denote e_qt a configuration of signals in I + belonging to C QT (I + ), respectively, e_act represents a configuration of signals in I + belonging to C ACT (I + ). We have ¬(e_act) ∈ C QT (I + ) and ¬(e_qt) ∈ C ACT (I + ). Figure 1 presents an admissible increment. On the left, the Moore machine describing a component W i contains three states and the input signal k with Dom(k) = {0, 1} drives the transitions. On the right, the component W i+1 resulting from the increment of W i with an additional input signal j with Dom(j) = {0, 1}. j = 0 belongs to the quiet configurations' set, and j = 1 to the active one. In W i+1 , j = 0 labels all transitions that were in W i (j = 0 is represented by the literal j); new transitions leaving from states that existed in W i are labelled with the active configuration of j (that is, j = 1, In the following definition, let E 2 ⊂ E 1 be sets of signals, let c be a configuration in C(E 1 ), we write c = proj(c, E 2 ) for the sub-configuration of c restricted to the signals in E 2 (c ∈ C(E 2 )). We also need to extend the signature of the configuration of transitions that were in T i . The function Extend fills the old configuration with a sub-configuration belonging to the quiet configuration set :
Definition 5 An increment from a component
∩ S i = ∅ T + ⊆ (S i × C(I i ∪ I + ) × S i ) ∪ (S i × C(I i ∪ I + ) × + ) ∪ ( + × C(I i ∪ I + ) × + ) ∪ ( + × C(I i ∪ I + ) × S i ): each transition (s 1 , c , s 2 ) in T + leaving a
state that was in S i has an input configuration whose sub-configuration of the new input signals belongs to C ACT (I + ). We have
A component W i+1 obtained by applying an increment to a component W i preserves all behaviours that were present in W i , assuming that, in W i+1 , the new event stays to a quiet configuration. We have,
We recall the definition of simulation relation as expressed by Grumberg and Long in [6] .
Definition 6 (simulation relation [6] 
Proof We build ρ W a binary relation between the states of two consecutive components W i and W i+1 , such that [5] Figure 2 shows the transformation of a Moore machine (on the left) into a Kripke structure (on the right). The state s 1 is transformed into n states, each of which being labelled with s 1 and a different input configuration.
Applying 
Properties of K(W i+1 )
By construction, the tree of behaviours of K(W i ) is preserved in K(W i+1 ), labelled with a quiet configuration of the new event. This preservation property can be expressed as the existence of a simulation relation between the Kripke structures' states obtained from two consecutive components. More precisely, the enrichment relation captures the fact that behaviours of the previous component are enclosed in the newer one, tagged with a quiet configuration of the event. In the following, we denote s K(W i ), 0 by t 0 and s K(W i+1 ), 0 by t 0 .
In [6] a simulation relation between Kripke structures is also defined. We apply it here. 
, with s ∈ W i+1 and c ∈ C(I i+1 ). For such t and t we set (t, t ) ∈ ρ K W iff s = s and c = c ∧ e_qt. By construction, ρ K W is a simulation relation.
Remark 2 From above, t enriches t with e_qt ⇒ t simulates t. t enriches t with e_act ⇒ t simulates t t simulates t ⇒ t enriches t.
Indeed, nothing can be said once a state t enriching t with e_act is encountered, since it represents the beginning of a new behaviour. Fig. 3 ) (Contradiction).
Hence, K(W i+1 ) includes K(W i ) and K(W i ) can be detected in K(W i+1 ) since it is the maximal connected sub-graph tagged with e_qt, reachable from the initial state. This is captured by the enrichment relation. The enrichment relation with e_qt is included in a simulation. We now use this particularity to establish links between CTL formulae verified on K(W i ) and some others verified on K(W i+1 ).
CTL-formulae transformations
References [10] and [6] have stated some CTL formulae-preservation results between two Kripke structures ordered by any simulation relation. We recall their results in our particular context.
In [10] The results we present are not based on the preservation of a fragment of CTL between a component and another one that includes it, but rather transform CTL operators and provide a bi-implication between the initial formula and the transformed one.
Given a CTL formula , we are going to set out the rules to transform that is true in s K(W i ),0 (named in short s 0 ) into that is true in s K(W i+1 ),0 (shortly named s 0 ) when s 0 enriches s 0 with e_qt. , the corresponding paths in K(W i+1 ) are infinite paths tagged with e_qt and the transformation of , but also finite paths with a prefix tagged with e_qt and , ending in a state where e_act holds. The presence of these infinite paths where and e_qt always hold explains the weak until operator W.
Theorem 1 Let s ∈ S K(W i ) and s ∈ S K(W i+1
The transformations listed above do not modify the temporal structure of the initial formula in that the nesting of temporal operators is preserved, hence the size of the CTL formula (measured as the number of nested temporal operators) is unchanged. The transformation of an EF into an EU or an AG into an AW does not significantly change the complexity of the verification since they are based on the same fix-point computation. The transformation is transfered into the propositional operations that are performed by classical BDD operations (and, or, implies, .. 
.).
We implemented a CTL formulae transformation automation tool that automates the rules described in Theorem 1. This tool takes a file with a set of CTL formulae and a file containing the definition of a new event and returns the set of transformed CTL formulae. The file defining the new event contains the set of new signals with their definition domain, and the quiet and active configuration sets.
Experiment
The task of writing pertinent CTL properties for a realistic component is not easy. The specification mixing natural language, partial chronogram, partial statemachine, describes very subtle behaviours that lead to complex CTL formulae. In practical use, the specification is composed of hundreds of formulae. They are written by a human being, who may make mistakes. The mistakes are detected once the whole verification process is accomplished. The system does not satisfy the erroneous formulae and the designer has to state whether the mistakes are in the system or in the formulae.
Moreover, in the incremental design process, the CTL formulae for a component W i have to be transformed for a component W i+1 . A manual transformation may also introduce errors. The transformation rules in Theorem 1 can be automated and be used to produce a part of the specification of W i+1 , alleviating the burden of handwriting the whole specification. The part of the specification of W i+1 automatically derived from W i is exactly the set of rules necessary to check the non-regression between the two components.
We experimented with this automatic production of CTL specifications in the context of a protocol conversion between PI-bus and VCI standard. We aim at analyzing the differential of verification complexity (in terms of memory and speed) of a realistic medium-sized system, obtained by our incremental design process, between two successive design steps. In this experiment, the increments are manually added (following the design process). Some properties we want to verify are local to a component, but others are global to a system composed of several components. We are interested in checking that the added behaviours do not introduce regression.
The conversion between PI-bus and VCI protocols is realized by a component named VCI-PI wrappers. A wrapper is a core wrapping device implementing a given interface. In our context, the IP-core is supposed to be VCI compliant [12] and the considered wrapper is an adapter between the VCI interface and the PI-bus pro- 5 The Platform performing the VCI-PI-VCI translation and illustration of a VCI transfer tocol [13] ; hence we are able to connect various IP-cores through a PI-bus.
The PI protocol distinguishes the component initiating a bus transfer, named master, and the component responding to a transfer, named slave. An IP-core may have both master and slave functionalities. Figure 4 illustrates the major signals interfaces a VCI-PI master wrapper has to deal with.
A VCI transfer is shown in Fig. 5 . The VCI initiator sends a request to the VCI-PI-master-wrapper (1) , that asks for the bus to the bus arbiter (2) , and when the VCI-PI-master-wrapper owns the bus (3), it transfers each VCI request cell through the PI-bus to the VCI-PIslave-wrapper (4, 5). The VCI-PI-slave-wrapper translates the PI-cell into a VCI-cell to be given to the VCI target (6). The VCI-target transmits the VCI-response to the VCI-PI-slave-wrapper (7), which responds to the VCI-PI-master-wrapper through the PI bus (8, 9). The latter translates the PI-response into a VCI-response and sends it to the VCI initiator (10) . In some cases, the VCI-PI-slave-wrapper may implement a look-ahead mechanism in order to send the responses to the VCI-PI-master-wrapper in one cycle.
Using the incremental design process approach, we developed a set of six master VCI-PI wrappers, from a very simple one supposing that the VCI initiator and the PI target will always acknowledge in one cycle, up to the most complex one supporting delays and retract events sent by the VCI initiator or the PI target. The hierarchy of the six master wrappers is shown in Fig. 6 .
The behaviour of the simplest wrapper (model A) is a three-stage pipeline, performing at the same time:
• Accepting a VCI request k to be sent to PI from its VCI interface.
• Sending the PI request corresponding to the (k − 1)th VCI request on its PI interface.
• Accepting the PI response to the (k − 2)th VCI request on its PI interface.
Further models (B to C ) deal with external events disturbing the pipeline flow: either the kth VCI request cannot be given to the wrapper, or the (k−1)th response is delayed by the PI targets, or it says that a major problem occurred and the transaction has to be restarted later, or the (k − 2)th response cannot be returned to the VCI initiator; all these cases stall or break the pipeline.
The incremental architecture of the six master wrappers is presented in Fig. 7 , showing the behaviours successively added by increments ranking from A to C . For each increment, the FSM part (finite state machine) contains the Moore machine of the corresponding wrapper, and the data-path is augmented accordingly. Successive additions to the data-path are shown in different gray shades. The PI retract area is a piece of circuit induced by the increments to produce wrapper B into wrapper C. The same increment also transforms wrapper B into C . The PI wait area corresponds to the increment between wrappers A and B and between wrappers A and B also.
The Initiator wait area represents the increments from A to A , from B to B and from C to C .
We implemented a platform as described in Fig. 5 in synchronous Verilog. We verified this system with the VIS verification tool [17] . We checked about 80 CTL properties for the master wrapper B, the slave wrapper B, and the complete system (when the VCI initiator and target may generate delay events).
Here are examples of CTL (untransformed) properties checked on the platform containing a B wrapper: 
The wrapper B supports delay from the PI bus, but it assumes the initiator is always ready to perform a writing or reading request and to acknowledge the response from the target. The We applied the transformations described in Theorem 1 on the 80 CTL properties of the model B with the increment transforming B into B , and verified them on a system containing now the B VCI-PI master and slave. The verification results were successful, meaning that the modifications from B to B do not introduce regression. Of course, extra CTL formulae had to be added to the B -platform in order to check the behaviours added by the increment.
We now present some quantitative information related to the verification. The verification is performed with VIS. A first step computes the set of reachable states of the system, and then a second step checks each property. Table 1 presents the time and memory required for the verification of the three properties given above (and the corresponding transformed ones) on a platform composed of :
For small-size systems (platforms 1 and 2), the overall verification time is longer for the complex model (2) . Most of this time is consumed during the reachable state-space construction (11 vs. 68 s). The extra cost of property verification is of the same order of magnitude for both platforms (2 vs. 9 s). These results are confirmed for the medium size systems (platforms 3 and 4) where the gap between the B and B verification time is mostly due to the increasing complexity of the system, rather than the complexity of the formula, since most of the verification time is spent during the reachable statespace construction (34 vs. 3 h30). Once the reachable state-space is built, the verification of each property is performed in 2 s for the B platform versus 5 s up to 25 s for the B platform. This is not surprising since, for the property verification, the same piece of state-space is analyzed, but the BDD's representing the transition relation and the state-space of platform B are much bigger than those of platform B.
The incremental design process is also interesting in case of simplification. If one knows that the platform to be built will contain slaves that always respond "ready", then it is worth using master B instead of B : the models are simpler, the properties are given, or can be derived from the ones in B, and the verification cost will be reduced.
Concluding remarks
The transformation rules of CTL formulae are the basis to an approach to automatically derive part of the specification of a component, from the specification of the simpler component it comes from. Moreover, this approach facilitates the handwriting of CTL specifications and is a step toward the automatic reuse of existing specifications of a simpler component.
We have shown that this approach can be used during the design of a concrete component, assuming the increment respects the rules we formalized, as we take advantage of the existence of a particular value tagging the initial part of a model included in an extended model. The transformed CTL formulae have the same complexity (in terms of nested CTL operators) as the initial CTL formulae. This is confirmed by experimental results showing that the increased verification time of the complex system is mainly due to the reachability analysis instead of the CTL formula verification.
It is our intention to extend this study towards the following directions :
Up to now, we did not take into account all the particularities of the increment; we considered only the existence of a particular event splitting the set of states with the ones that appeared in the initial model and the new ones (this event may be due to the extension of existing signal domains and/or to the addition of new signals). We did not take advantage of the graph structure of the increment; most of the time, this increment consists of adding a new state (or set of states) characterizing the freezing of the data-path waiting for some continue signal to be set, allowing the data-path to pursue. In these cases, a new set of CTL transformations may be defined, capturing the added behaviours.
The opposite analysis can also be of interest: given a formula to be verified on a complex model, we can find an increment (in the sense we defined in this paper) such that the complex model has been built from the application of this increment to a simpler model. If yes, can we transform the formula of the complex model to a simpler one to be verified on the simpler model? The verification would be partial since it would not apply to the whole set of behaviours of the complex system, but could give some information if the complex system is too big to be verified with classical model-checking tools.
Another perspective is the increment composition. The example of wrappers presents seven increments, different compositions of some of them converge to the same "most complex" component. We are interested in finding some rules to compose various increments, and to define increments satisfying some "minimality" properties that are the basis of complex increments.
We are also interested in studying the way this approach could be mixed with an Assume-Guarantee verification process generally applied in the refinement design process [7] .
