Discovering the input assumptions in specification refinement coverage by Basu, Prasenjit et al.
Discovering the Input Assumptions in
Specification Refinement Coverage
Prasenjit Basu Sayantan Das Pallab Dasgupta  P.P. Chakrabarti 
Department of Computer Science & Engineering,
Indian Institute of Technology, Kharagpur, INDIA 721302
 pbasu,sayantan,pallab,ppchak@cse.iitkgp.ernet.in
Abstract— The design of a large chip is typically hierarchical
– large modules are recursively expanded into a collection of sub-
modules. Each expansion refines the design due to the addition
of level specific details. We believe that a similar approach is nec-
essary to scale the capacity of formal property verification tech-
nology – as the design gets refined from one level to another, the
formal specification must also be refined to reflect the level spe-
cific design decisions. At the heart of this approach we propose
a checker that identifies the input assumptions under which the
refined specification ”covers” the original specification. This en-
ables the validation engineer to focus the verification effort on the
remaining input scenarios thereby reducing the number of target
coverage points for simulation.
I. INTRODUCTION
In recent times, most leading chip design companies are se-
riously investigating the possibility of integrating formal prop-
erty verification (FPV) [1] into their pre-silicon validation
flows. It is widely accepted that the major challenge in ex-
isting FPV technology is in capacity. Unfortunately the the-
oretical lower bounds on the complexity of model checking
problems imply that the technology is unlikely to scale beyond
a point, in spite of the advances in the engineering of formal
tools. Therefore a new methodology is required to extend the
frontiers of FPV technology and enable us to formally verify
properties over large designs.
How do we succeed in developing the RTL of large and com-
plex designs? We do so by recursively decomposing the design
functionality into the functionality of smaller modules, and by
adding more details as we go down the module hierarchy. We
continue this process of refinement until the modules are sim-
ple enough to be treated as unit level modules. We believe that
the future of formal property verification lies in adopting a sim-
ilar approach for formal property specifications. Whenever, we
refine the design functionality into that of its component mod-
ules, we need to refine the formal specification of the design
into that of its component modules. We refer to this paradigm
as formal specification refinement.
The key formal method required for enabling specification
refinement is a prover that checks whether the refined specifi-
cation consisting of the specifications of the component mod-
ules covers the original specification of the design. In other
 Pallab Dasgupta and P.P.Chakrabarti acknowledge the partial support of
the Dept. of Sci & Tech, Govt. of India.
words we need to verify that all behaviors that refute the orig-
inal specification also refute the refined specification. For ex-
ample, let   denote the set of architectural properties of a
design. Suppose we implement the design in terms of a set
of RTL modules,  
 
   
 
. Capacity limitations of existing
FPV tools do not allow us to verify   over the whole design.
Today validation engineers write properties,

over each RTL
module,  

and verify them, but this does not guarantee that
they together satisfy  . This guarantee can be obtained by a
specification refinement proof which verifies that 
 
    
 
together cover  . Since the proof compares the specifications
only (and not specification versus implementation – as in ex-
isting FPV techniques), we do not have major capacity limi-
tations. In an earlier work, we developed the foundations of
specification refinement proofs [2]. In that work we presented
the methodology for comparing two temporal logic specifica-
tions at different levels of abstraction, and finding whether one
covers the other.
What should we do if the refinement checker returns a nega-
tive answer? One option is to add more RTL properties to plug
the coverage gap. In practice however, it is not always possible
to cover system level properties in this way. Therefore the re-
maining properties in   must be checked dynamically during
simulation.
This brings us to an interesting problem. Typically the cov-
erage gap is a function of the input scenarios. In other words,
we often find that the RTL properties succeed in covering the
original specification   under some input constraints and fail
for the rest. If we are able to compute the input constraints un-
der which the refinement checker succeeds, then we can target
the simulation on the remaining scenarios. This is the main
goal of this paper.
In this paper we define a methodology for constraining the
coverage gap between temporal specifications to determine the
input constraints under which the gap is closed. The negation
of these constraints cover the scenarios that must be checked
through simulation. We believe that this enhancement to the
basic refinement checker is of significant practical value in de-
sign validation through specification refinement.
The paper is organized as follows. In Section II, we
present the theoretical background of the specification refine-
ment problem. The formalism for computing the input con-
straint that covers the gap is presented in Section III. Sec-
tion IV presents the algorithms for finding a legible represen-
tation of the input constraint. Section V presents the results of
our prototype tool on several test cases. We have presented a
case study on a realistic example in the Appendix.
II. SPECIFICATION REFINEMENT COVERAGE
In this paper we will focus on covering the gap between
the formal architectural specification and the combined for-
mal properties of the RTL components through specification
refinement.
1. The key architectural properties are specified using a for-
mal property specification language.  This forms the ar-
chitectural intent,  .
2. In the first phase of implementation, the design is planned
in terms of a set of RTL blocks, and the functionality of
each of these RTL blocks are defined. At this stage, for-
mal properties are written to express some of the correct-
ness requirements of each RTL block. The properties of
the RTL blocks taken together is called the RTL specs,.
3. Our specification refinement checker checks whether the
RTL specs, , cover the architectural intent,  . We refer
to this check as the primary coverage question.
The following definition formally describes the notion of
coverage of the architectural intent by the RTL specs.
Definition 1 [Coverage Definition: ]
The RTL specs cover the architectural intent iff there exists
no run that refutes one or more properties of the architectural
intent but does not refute any property of the RTL specs.  
In [2], it was shown that the RTL specs , cover the architec-
tural intent  , iff the temporal property    is valid.
Most model checking tools for LTL [3] and its derivatives
already have the capability of performing validity (or satisfia-
bility) checks on temporal specifications, and can therefore be
used to check whether    is valid.
An arsenal of heuristic algorithms had been proposed in [2],
for representing the coverage gap as a set of temporal proper-
ties when the answer to the primary coverage question is neg-
ative. While this feedback is useful in deciding whether and
where more properties need to be added, it does not help the
validation engineer to find the input scenarios that cover the
behaviors in the gap.
III. COVERING INPUT ASSUMPTIONS
Specification refinement is not always feasible. It relies on
the design architect’s ability to add properties over individual
RTL modules in a way to cover the architectural properties of
the whole design. The refinement checker verifies the correct-
ness of the decomposition and shows the gaps, but it does not
automate the decomposition of the specification.
It is therefore natural to expect that in spite of adding more
RTL properties on component modules, some architectural be-
haviors will remain uncovered. These behaviors must be tar-
geted by simulation and dynamic property verification tech-
niques.
 We shall use Linear Temporal Logic (LTL) in this paper
Our objective in this paper is to partition the architectural
behaviors in terms of the input scenarios that trigger those be-
haviors. We use the specification refinement approach to show
that the RTL specs cover the architectural specs under some
of the input assumptions (expressed as properties over input
variables). Since these scenarios are covered by specification
refinement FPV, the remaining scenarios (also expressed as
properties over inputs) represent the cases that must be veri-
fied through simulation. We believe that this is a very useful
feedback to the validation engineer.
The following example demonstrates our intent. This is a
toy example, used to demonstrate the main idea intuitively. In
the appendix, we present a real example.
c
( b )( a )
XAND
XAND
XAND
a
b
z
 
 
 


 


Fig. 1. A sample arbiter
Example 1 Let us consider the design of an arbiter that arbi-
trates between two request lines  
 
and  
 
from two master
devices. Let the corresponding grant lines to the master de-
vices be 

and 
 
. The arbiter also receives an input  from
a slave device, that remains high as long as the slave device is
ready.
The arbiter specification requires us to treat  
 
as a high-
priority request. Whenever  
 
is asserted and the slave is ready
(that is,  is high), the arbiter must give the grant, 
 
in the
next cycle, and continue to assert 
 
as long as  
 
remains as-
serted. When  
 
is not high, the arbiter parks the grant on 

regardless of whether  

is asserted. We are further given, that
the request  
 
is fair in the sense that it is de-asserted infinitely
often (enabling 

to be asserted infinitely often).
The above architectural intent may be expressed in LTL as
follows:


:      
 


 
:      
 
      
 
  
 
 


:      
 
   


Let us now consider an implementation of the arbiter using a
component called XAND, as shown in Fig 1. The specification
of the module XAND is as follows:


 :     	  
      
It may be noted that we do not require the internal implemen-
tation of the RTL module XAND. Property 

  is part of the
RTL specification for XAND. Substituting the signal names of
the instances of XAND in Fig 1(b) with  

,  
 
, 

, 
 
and ,
and adding the fairness property on  
 
, we have the RTL spec-
ification as:
  
:      
 

 
 
:     

  
 
   


 

:     
 
     
 

The first property is the same fairness constraint as in the archi-
tectural intent. The second property says if 

is asserted and

 
is de-asserted then 

is asserted in the next cycle. The third
property states that whenever 
 
and  are asserted together,
then 
 
is asserted in the next cycle.
The primary coverage problem is to determine whether
  

  
 
  

   

 
 
 

 is valid. In this case the
answer is negative. For example whenever we have a scenario
where both 

and 
 
are low, the architectural intent requires


to be asserted, but the RTL specification does not have this
requirement, which shows that 

is not covered. The cover-
age gap can be accurately represented by the following prop-
erty:


:      

  
 
   


Our previous specification refinement checker will produce the
property 

as the coverage gap. In the new approach we will
produce the input constraint:
	
 
   

 
 

Under assumption 	
 
, we have   

  
 
  

  

.
Therefore RTL FPV succeeds in covering 

under these
cases. Simulation should target input sequences satisfying
 	
 
, which is:
	

     

  
 

This is indeed what we want, since the coverage gap 

repre-
sents the cases where 

and 
 
are low together.  
The inputs to our problem are:
1. The architectural intent, as a set of LTL properties over
a set 
 
, of Boolean signals, and
2. The RTL specification, as another set of LTL properties
over a set, 

, of Boolean signals,
3. Additionally, we have the interface information of the ar-
chitectural block; namely the set of inputs  
 
, and the set
of outputs 
 
, of the architectural block, where 
 
=
 
 
 
 
.
We shall also use to denote the conjunction of the properties
in the architectural intent, and  to denote the conjunction of
the properties in the RTL specification.
Throughout this paper we assume that 
 
 

. This
assumption essentially means that the RTL specification has
the same names for their signals as the corresponding ones in
the architectural intent. The RTL specification can have other
signals in addition to these. Typically this is not a restrictive
assumption within the design hierarchy, since it is generally
considered a good practice for designers at a lower level of the
design hierarchy to inherit the interface signal names from the
previous level of hierarchy.
Definition 2 [Strong and weak properties: ]
A property	

is stronger than a property 	
 
iff 	

 	
 
and
	
 

 	

. We also say that 	
 
is weaker than 	

.  
Definition 3 [Coverage Hole in RTL Spec: ]
A coverage hole in the RTL specification is a property 

over 

, such that    

  , and there exists no
property, 

, over 

such that 

is weaker than 

and    

  . In other words, this is the weakest
property that suffices to close the coverage hole. Adding the
weakest property strengthens the RTL specification in a mini-
mal way.  
Since 
 
 

, each property of the architectural intent
is a valid property over 

. In [2], we have shown that the
coverage hole in the RTL specification is unique and is given
by    .
Definition 4 [Covering Input Constraint: ]
A covering input constraint is a property 

over  
 
, such
that under the assumption 

, the RTL specification covers
the architectural intent i.e. 

    , and there ex-
ists no property  

over  
 
such that  

is weaker than 

and  

    . In other words, we find the weakest
assumption over  
 
that suffices to close the coverage gap.  
According to the definition, the covering input constraint 

is
a property over  
 
, such that 

      . That is, it is
stronger than the coverage hole in the RTL specification and no
other property over  
 
which is weaker than 

has the same
characteristic.
Definition 5 [Uncovered Input Space: ]
An uncovered input space is a property 

over  
 
, such that
every run that refutes one or more properties of the architec-
tural intent but does not refute any property of the RTL spec-
ification, implies 

. Intuitively, these are the input scenarios
for which the required guarantees have not been specified in
the RTL specs.  
Clearly the input scenarios which fall outside the covering in-
put constraint, are the uncovered input scenarios. Thus the
uncovered input space is   

.
IV. COMPUTING THE Uncovered Input Space
In this section, we present the algorithms for determining
the uncovered input space as defined in Definition 5.
A. Coverage Algorithm
Our algorithm takes each formula	
 
from the architectural
intent  and the interface definition of the architectural block
and finds the uncovered input space, 

, for 	
 
, with respect
to the RTL specification. Since is required to cover every
property in  (by definition), we use this natural decomposi-
tion of the problem.
Algorithm 1 Coverage Algorithm
Find Uncovered Input Space(	
 
,,  
 
, 
 
)
1. Compute   	
 
   
2. If   is not valid then
(a) Unfold   up to its fixpoint to create two sets of un-
covered terms; one is the disjunction of the terms
before the fixpoint,  
 
 and the other is the dis-
junction of the terms at the fixpoint,  
 
 ;
(b) Use universal quantification to eliminate signals be-
longing to 
 


from both the sets;
(c) 

= Call Find ISpace BeforeF(  
 

,  

, 

);
(d) 

= Call Find ISpace AtF(

,  
 

,  

, 

);
(e) 

= Call Combine Both Parts(

, 

,  );
[where   is the no. of unfolding required for   to
reach the fixpoint]
(f) 

=  

;
3. Return 

;
The first step computes the coverage gap   . If   is valid then


is covered. Otherwise we determine the uncovered input
space. The second step of the algorithm performs this task.
This step is further divided into six steps. The following sub-
sections describe each of these steps in details.
B. Step 2(a): Unfolding of  
In this step we recursively unfold   and generate two sets of
disjunction of terms, namely  
 
 and  
 

, that contain
only Boolean subformulas and Boolean subformulas guarded
by a finite number of X (next) operators.
Definition 6 [X-depth, X-pushed, X-guarded: ]
A formula is said to be X-pushed if all the X operators in the
formula are pushed as far as possible to the left. A formula
is said to be X-guarded if the corresponding X-pushed for-
mula starts with an X operator whose scope covers the whole
formula. The X-depth of an operator within a formula is the
number of X operators whose scope covers the operator in the
X-pushed form.  
Any LTL property can be recursively unfolded over time
steps to create an equivalent properties over Boolean formulas
and X-guarded LTL formulas. It is known that for every tem-
poral property such a decomposition begins to produce similar
X-guarded subformulas after a well defined number of unfold-
ing. During the unfolding process we check whether such a
fixpoint has been reached. Once we reach the fixpoint (say af-
ter   steps of unfolding), then we take the formula produced
after      levels of unfolding and abstract out the tempo-
ral operators other than X as in [4]. We rewrite it in the form
of disjunction of terms to generate  
 

. In case   = 1, we
consider  
 
 as .  
 
 is obtained by dropping the
terms that contain any temporal operator other than X from the
one step decomposed form of the fixpoint formula.
Example 2 Let us consider the architectural property  and
the RTL properties and  as given below where 
 
 
 
 

are inputs to the architectural block and 

is the output:
  	  

 
 


    

  

  
 

  	    

 
 
  
 

We compute the disjunction of the uncovered terms before the
fixpoint,  
 
 and obtain the following formula:
 
 

  

	 
  

 	   

  

  
  

  	
  

 
 
  
  

 
Again unfolding the fixpoint part and abstracting out the un-
bounded temporal operators, we yield the following disjunc-
tion of terms as  
 

.
 
 

  

	 
  

 	   

 
 
  
  

   
C. Step 2(b): Abstraction
In this step we universally eliminate the variables in
 



from the properties  
 
 and  
 

.
D. Step 2(c): Finding covering input constraint before fixpoint
We treat each different X-guarded Booleans (different in X-
guarded Boolean variables and/or in the number of X oper-
ators guarding the variables) in  
 
 as separate Boolean
variables and characterize them as inputs or outputs depending
on whether the X-guarded Boolean variables are inputs or out-
puts respectively. Now we universally abstract out the outputs
from  
 
 and obtain the covering input constraint before
fixpoint, namely 

.
Example 3 Let us again consider the architectural property 
and the RTL properties  and  as given in Example 2. We
consider 
 

as an output variable since 

is an output of
the architectural block. We universally abstract out the output

 

from  
 
 to get 

as below:


  

	   

  

 	   

 
 
  
E. Step 2(d): Finding covering input constraint at fixpoint
In this step we first use the algorithm described in [2] to
find out the uncovered architectural intent (say 
) using  
 

as the uncovered minterms. We have developed an approxi-
mate strategy for automatically identifying the input scenarios
that trigger non-vacuous interpretations of a temporal property.
Given a property, , defined over input variables , and output
variables , we generate a formula 

that is stronger than 
and is defined only over . Since 

is stronger than  and is
free from output variables, it follows that 

describes input
scenarios that make  vacuously true. Therefore, we restrict
the input space by 

, which covers all non-vacuous runs.
Example 4 Consider the property,  : 	 

 
 

. Then


= 	 

 and the constraint that restricts the input space to
non-vacuous runs is 

=  

, where 

as an input and 

is an output.  
To find the required property over the inputs we define two op-
erators, namely  and  which correspond to strengthening
and weakening operations respectively. We present the rules
for pushing the operators  and downto the variables.
  The rules for  operator:
           where   is from  
            where  is from  
                 
    	    	   
  The rules for operator:
          where   is from  
          where  is from  
                
   	    	    
After applying the above rules on   
 , we yield a form
where only the variable instances are preceded by an  or 
operator. The substitution rule for a variable instance 	 is to
substitute 	 by False for   	 , and by True for   	 .
We substitute the output variable instances of 
 according
to the actions derived from   
  and keep the input variables
intact, thus obtaining a formula which is stronger than 
 and
does not have any output variables. We call this formula, the
covering input constraint at fixpoint, namely 
 
.
Example 5 Let us consider the same architectural property 

and RTL properties  and  as given in Example 2. After
applying the coverage algorithm of [2] we yield the formula 

as follows:

      
 
 	 
 
   


Now we replace the output variable instances by True/False so
as to strengthen 
. In this case we substitute 

by False. After
reducing the substituted formula we get 
 
as shown below:

 
   	   

 	 
 
   
F. Step 2(e): Combining two parts
Here we combine the input constraints 

and 
 
to pro-
duce the covering input constraint 
 
. It may be noted that in-
tuitively 

tells about the input constraint before the fixpoint
and 
 
tells about the input constraint from the fixpoint under
which the RTL properties cover the architectural intent. Hence
we augment 
 
with (  ) X operators in the prefix where
 is the fixpoint depth of  and take conjunction between 

and the X-augmented 
 
to yield 
 
.
Example 6 Let us again consider the properties of Example 2.
The fixpoint depth in this example is 2. After augmenting one
X operator in the prefix of 
 
we get the following formula:


 
    	   

 	 
 
 
We produce 
 
by taking the conjunction of 

and  
 
.

 
   	 

   

 	 

    

 
 
  
   	   

 	 
 
   
G. Step 2(f): Final step
Finally, we present 

as the negation of 
 
.
Example 7 Continuing with the same example we can see that
the uncovered input space in this case is as follows:


   

 	
 
 

      

 	 
 
  
V. RESULTS
We have implemented a tool for computing the uncovered
input scenarios. In Table I, we give the run times of our tool for
some example circuits, including ARM AMBA AHB [5] and
two Intel test cases, on a 2.8 GHz Intel Xeon processor with
4GB RAM. The second and third columns of the table present
the no. of architectural signals and RTL signals respectively,
for the circuit under test (mentioned in the first column). In
the fourth and fifth columns, we produce the time (in seconds)
taken by our tool to solve the primary coverage question and
to compute the uncovered input space respectively. The results
are quite promising. In all of the cases, the tool produced the
uncovered input space, wherever necessary, in reasonable time.
TABLE I
RUNTIMES OF OUR TOOL
Time(s)
Primary Uncov.
Circuit  
 
   

  Coverage Input
Question Space
Memory Arb. Logic 17 26 1.66 26.01
Intel Test Case1 8 16 0.005 0.02
Intel Test Case2 8 16 0.01 0.11
AMBA AHB Arb. 12 12 0.005 0.07
Paper Example 5 5 0.005 0.02
REFERENCES
[1] E. M. Clarke, O. Grumberg, and D. A. Peled, Model checking, MIT Press,
2000.
[2] S. Das, P. Basu, A. Banerjee, P. Dasgupta, P. P. Chakrabarti, C.R. Mohan,
L. Fix, R. Armoni, “Formal verification coverage: computing the cover-
age gap between temporal specifications,” In Proc. of ICCAD, 198-203,
2004.
[3] A. Pnueli, “The temporal logics of programs,” In Proc. of FOCS, 46-57,
1977.
[4] A. Biere, A. Cimatti, E. M. Clarke, M. Fujita, Y. Zhu, “Symbolic model
checking using SAT procedures instead of BDDs,” In Proc. of DAC, 1999.
[5] ARM AMBA specification rev 2.0, http://www.arm.com/
A. CASE STUDY: MEMORY ARBITRATION LOGIC
Fig. 2 shows the architecture of a memory arbitration logic
in the presence of a L1 cache. There are four request inputs,
     , for four independent on-chip requesting modules.
Each of these four modules also assert write-enable signals
      respectively. When  is high, it indicates that the
r1
r4
nextreq1
nextreq2
nextreq3
nextreq4
finalreq1
finalreq2
finalreq3
finalreq4
G1
G2
PRIORITY
CACHE
L1
ACCESS
LOGIC
(C)
r2
r3
w1   ...   w4
h1 ...    h4
d1
d2
d3
d4
ARBITER
(A)
  hold
Fig. 2. Memory arbitration with L1 cache
corresponding requesting device intends to perform a write op-
eration, where as the read operation is the default (when   is
low). The signals        are inputs from the cache that in-
dicates whether the page requested by        respectively
are present in the cache. The input signal hold signifies that
when it is asserted the memory arbitration logic stops accept-
ing any request. The signals        indicates whether the
page requested by        respectively is ready.
The architectural intent requires that   and  have higher
priority than  and . Specifically this is translated into the
architectural property that-
If two devices with different priorities make requests
for the cache control unit with the higher priority
device making the request before the lower priority
one, the device with higher priority will always have
its page ready at the output, before the device with
lower priority.
This architectural level requirement can be expressed by four
properties for the four different ways in which a high priority
request can come with a low priority one. For example, when
we consider   (high priority) with  (low priority) we have
the property-
 
 
:                            
We have the following fairness conditions on the inputs and
outputs:

 
:           


:           
which require the requesting device to hold the request line
high until the page becomes ready. In addition we have the
following two fairness restrictions:


:               


:               
which states whenever a device is idle (i.e. not requesting),
its page ready signal will be low in that cycle and its next cy-
cle. Fig. 2 shows the architecture of this logic in terms of four
modules. G1 and G2 are round-robin arbiters. Whenever hold
is asserted they ignore the request lines. The variable lastreq
represents the state of G1 indicating which device was granted
in the last round. Below we present the RTL properties for G1.
Those for G2 are similar.

  
 
:         	
      


  

:         	
      


  

:           	
   
 
        
   

  

:           	
   
 
        
   

  

:   	
         

  

:     
The priority arbiter in Fig 2 selects requests in the priority
order, namely G1-highest and G2-lowest. The specification for
this module is given below:


 
:      
 



:      
 



:           




:           




:   
     
 
The cache access logic in Fig 2 directly interacts with the
cache and performs according to the transfer type and whether
the transfer is a cache hit or a cache miss. Whenever a cache
miss is occurred in a read transfer the cache logic keeps the
corresponding request pending in a wait buffer. bfull is an in-
ternal signal which notifies the wait buffer full condition. The
following three properties are given for device 1. For other
devices we have the similar properties.


 
:     
        



:     
           



:     
         

     
Also for the buffer full condition, the following two proper-
ties are required.



:   	
  

 



:   

      

  
Finally we have the mutual exclusion property for the ready
signals.



:       
The answer to our primary coverage problem for the archi-
tectural property 
 
is negative i.e. 
 
is not implied by the
RTL specification. On a closer look it can be observed that in
the scenario when the higher priority request is a read opera-
tion that results in a cache miss, 
 
is not guaranteed by the
RTL properties. A counter example scenario that demonstrates
this gap is as follows:
Device 1 has requested for a page read in the present
cycle but device 2 and device 3 haven’t. In the next
cycle device 3 has made a request and device 1’s re-
quest results in a cache miss. So in the following
cycle device 1 does not get the corresponding page
ready signal but device 3’s request results in a cache
hit and hence in the succeeding cycle device 3 has its
page ready signal available at the output.
Our tool returns the following property as the uncovered input
space:
 

                           
      	
           
The property represents the set of scenarios that are not cov-
ered by the RTL specification.
