In this paper we investigate the formal verification of the Memory Manager block of a System-on-a-Chip platform Protocol Converter using the FormalCheck tool of Cadence. The Memory Manager represents the main block of the protocol converter and is responsible for the reception of packets and their treatment for conversion. For the verification, we first extracted some constraints to define the environment for the Memory Manager. Then, we specified a number of relevant liveness and safety properties expressible in FormalCheck. Through extensive verification under the defined set of constraints, we have been able to find a few bugs in the design that were omitted by simulation. This experience demonstrates the usefulness of formal verification as complement to traditional verification by simulation.
INTRODUCTION
The increasing complexities of hardware designs have made verification and error detection on the critical path of the design process. Moreover, some of these errors may cause catastrophic loss of money, time, or even human life. This is in particular a serious problem for System-on-a-chip (SoC) designs which may contain processor cores, custom logic, memory and IP (Intellectual Property) blocks on a single chip. Traditionally, simulation is used to verify the "correctness" of a design. However, simulation is no longer able to keep pace with the increasing complexity of hardware designs. To overcome this difficulty, formal hardware verification methods [1] are now being deployed, and became useful tools for detection of functional design errors. By using formal verification alongside the design efforts, the overall design cycle can be reduced. This ensures a maximum design coverage while maintaining a high degree of confidence in the verification result. The objective of formal verification is to verify that the design model conforms to an abstract specification, consisting of a set of properties. Together, these properties describe (partially) the intended functionality of the design. Formal verification techniques have proven their efficiency by verifying industrial size systems.
This paper aims to explore the verification by model checking of the Memory Manager component of an SoC platform Protocol Converter System and to show that formal methods are strong enough for the verification of complex designs. The Protocol Converter system was designed by the "Groupe de Recherche en Micro-électronique" at thé Ecole Polytechnique de Montréal [2] . The architecture of the Memory Manager is described at the Register-Transfer Level coded in VHDL and represents the main block of the protocol converter system. The Memory Manager is composed of five modules: a Memory Manager Controller, an Address Counter Register, a Data Counter Register, a Packet Counter Register and a Packet Assembler. The model checking of the Memory Manager has been conducted using the FormalCheck tool of Cadence [3] . First, we extracted some constraints to define the environment for the Memory Manager. Then we specified a number of relevant liveness and safety properties expressible in FormalCheck. We successfully accomplished the properties verification under the defined set of constraints. This verification enabled us to find a number of bugs in the design that were not caught during the simulation process. This experience demonstrates how formal verification techniques can powerfuly complement traditional verification by simulation.
THE MEMORY MANAGER BLOCK
The Protocol Converter System at hand is based on an SoC platform developed at theÉcole Polytechnique de Montréal [2] . The main advantage of such platform is its flexibility. In fact, its modularity allows the addition, the change or the drop of some modules without affecting the global architecture of the system. The Protocol Converter accepts incoming packets from a physical bus, converts their protocols and then sends them back through the physical interface. The Protocol Converter System is subdivided into three blocks as shown in Figure 1 . The first block, composed of a Memory Manager and a Controller, is specialized in the reception of packets and preliminary treatments for the conversion. The second is responsible for the transmission of converted packets, while the third performs the Once the protocol conversion is done, the Controller asks the Memory Manager, to remove the converted packet from the Main Memory. So, the address of this packet and some other control signals are transmitted to the Memory Manager. The functionality of the Memory Manager is insured by its different components. Besides the Memory Manager Controller, the Memory Manager has three registers and a Packet Assembler. Intuitively, the Memory Manager Controller is responsible for the communication between the Memory Manager and the Controller. The registers are used as counters of addresses and packets. The Packet Assembler is a module that concatenates packet's address and data.
ENVIRONMENT CONSTRAINTS
In FormalCheck, primary signals are assumed to be nondeterministic, meaning they could acquire any value within their range on any edge of the clock. However, in most cases correct design operation is allowed on a single edge of the clock. For this reason, properties should be observed using the appropriate clock edge. When we deal with formal verification by model checking, we should pay great attention to the set of defined constraints. Since constraints are generally used to simulate the environment on which the system operates, they are the most critical task. This set should be as complete as possible to describe the exact behavior of the environment. However, it should not contain more constraints than necessary to avoid obtaining an over-constrained system. In this work, we have established twelve constraints. A full list of all constraints is given in [4] . They include, for instance, a constraint to define the system clock, a constraint to define the reset of the system and some others to describe the duration and the synchronization of input signals (with respect to the clock system), as well as to describe the interaction between the external environment and the Memory Manager block. For example, the signal Phyn_Sop is activated during one cycle of the system's clock rising edge (Sys_Clk=rising) to indicate the start of packet submission. This can be expressed by the following safety constraint: 
PROPERTIES SPECIFICATION
After establishing the proper environment, and defining all needed constraints, we have specified sixteen queries (set of constraints and properties) of the Memory Manager, including liveness and safety properties. These properties have been defined based on the design textual documentation and the test benches given in [2] . In the following, we describe three samples for illustration purposes. A full list of all defined properties is given in [4] . Our main goals were to verify (1) the global reset of the Memory Manager, (2) the duration and the synchronization of output signals (with respect to the system's clock) and (3) where WasMgr_Sop is a state variable that indicates if the signal Mgr_Sop is already activated or not.
EXPERIMENTAL RESULTS
All verifications in this project were executed on an Ultra 5 Sun workstation with 256 MB RAM and UNIX operating system. For all properties, we used Symbolic (BDD) as algorithm and 1-Step as reduction technique [3] . We found these modes effective enough to conduct the verification process. The experimental results are shown in Table 1 , including the status of the queries verification, the number of reached states (RS), the average state coverage (SC), the CPU time (real time) in seconds and the memory usage in MB. From Table 1 , we can see that the system reset and signal duration properties are verified, but some others failed. For instance, when the Physical Interface starts a packet transmission, there is no guarantee that this packet will be detected by the Memory Manager and thereby will be stored in the Main Memory. In this case, the Controller will not be informed about this transmission and the packet will be lost. Intuitively, it seems logic that if the Memory Manager will not detect some packet transmissions, then it will not detect the end of these transmissions or the occurrence of some errors. In such cases, the Controller will not be informed by these activities performed by the Physical Interface. In fact, there is no direct dialogue between the Controller and In [2] , there is an illustrated case in which packets are lost. When the Main Memory is full and no more space is available to store incoming packets, the Memory Manager will simply reject incoming packets without informing the Physical Interface. In such case, the Physical Interface will continue sending packets to the Memory Manager. However, according to [2] , this situation was defined as the only case in which packets are lost. In our work, FormalCheck gives a counterexample and shows that in spite of memory space availability, incoming packets can still get lost. The failure of Q16 means that some packets are stored into the Main Memory but the Memory Manager does not inform the Controller about them once they are received. This means that some packets will remain in the Main Memory without conversion. Furthermore, the Controller will never ask for the suppression of these packets.
RELATED WORK
Related case studies, where model checking techniques were used to verify commercial products, are too numerous to be listed here. In the following, we elaborate on a few of them. For instance, in [5] , FormalCheck was used to verify the implementation of a SCI-PHY (Saturn Compatible Interface for ATM-PHY devices) Level 2 protocol engine, commercialized by PMC-Sierra, Inc. From the set of eleven established properties, only one error has been detected. In comparison, the design considered in our project is more complex and presents a more generic behavior. In [6] , the model checking tool VIS (Verification Interacting with Synthesis) [7] , was adopted for the verification of an Asynchronous Transfer Mode (ATM) switch used for real applications in the Cambridge Fairisle network. This earlier work shows how VIS can partially verify large size circuit design by using specific reduction, abstraction and property division techniques. In [8] , the same ATM switch fabric design is verified in FormalCheck and a comparison between the two hardware verification tools is given. From the experimental results in [8] , it was shown that FormalCheck is faster than VIS and that the memory usage in FormalCheck is less than that in VIS for all verified properties. Moreover, no manual reduction or property composition were required in FormalCheck. This justifies again our choice of FormalCheck to verify our system. In [9] , VIS was used for the verification of an ATM ring (ATMR) media access control (MAC) protocol. VIS was also used in [10] to formally verify a commercial product of PMC-Sierra, Inc. In this latter work, a design error which could lead the system to a deadlock state was detected. However, properties that involve the introduction of time delays were not verified because unlike FormalCheck, as used in our project, VIS does not support timed Verilog models. In [11] , the MDG (Multiway Decision Graph) [12] tool was used in the formal verification of a Telecom System Block commercialized by PMC-Sierra, Inc., which processes a portion of the SONET (Synchronous Optical Network) line overhead of a received data stream. While the MDG tool possesses efficient features for data abstraction, it does not support neither Verilog nor VHDL to be considered in a complex project like ours.
CONCLUSION
In this study, we explored the formal verification by model checking of the Memory Manager Component of the Protocol Converter system. Our experimental results demonstrated the presence of many residual bugs in the design. These errors can lead to serious problems since they cause the non-conversion of many received packets and the nonliberation of the Main Memory. Despite the important effects of such situations on the functionalities of the Protocol Converter system, these errors were not detected by extensive post-design simulation efforts.
The main contribution of our work is the emphasis on the importance of formal methods for design verification. In our case, we were able to detect errors that were not detected by simulation. However, we should mention that formal techniques are not by themselves an alternative to verify if a design is correct with respect to a specification. They should be used with simulation as a complementary process to insure a maximum error detection.
In summary, our work joins other successful industrial-sized case studies in using model checking for hardware verification. We believe to have contributed fostering the evidence that model checking is now powerful enough to be widely used in industry to help in the verification of developed complex hardware designs.
