Abstract. The formal specification component of verification can be exported to simulation through the idea of property checkers. The essence of this approach is the automatic construction of an observer from the specification, in the form of a program that can be interfaced with a simulator and alerts the user if the property is violated by a simulation trace. Although not complete, this lighter approach to formal verification has been used effectively in software and digital hardware to detect errors. Recently, the idea of property checkers has been extended to analog and mixed signal systems. In this paper, we apply the property-based checking methodology to an industrial and realistic example of a DDR2 memory interface. The properties describing the DDR2 analog behavior are expressed in the formal specification language STL/PSL in the form of assertions. The simulation traces generated from an actual DDR2 interface design are checked against the STL/PSL assertions using the AMT tool. The focus of this paper is the translation of the official (informal and descriptive) specification of a non-trivial DDR2 property into STL/PSL assertions. We study both the benefits and the current limits of such an approach.
Introduction
The formal verification of digital (and other finite state) systems has been based on decision procedures which often involve model checking of temporal logic formulae. Temporal logic [MP95] is a rigorous specification formalism that is used to describe desired behaviors of the system. The fact that logics such as LTL or CTL can be efficiently translated into corresponding automata [VW86,SB00,GPVW95,GO01] has facilitated their integration into mainstream verification tools. An adaptation of formalisms based on temporal logics and regular expressions to the needs of the hardware industry has been done through the standard specification languages PSL [HFE04] and SVA [Acc04].
Similar verification methods have been introduced in the analog and mixed signal domain with the advent of hybrid automata [MMP92], which serve as a model to describe systems with continuous dynamics and switches, together with algorithms for the exhaustive exploration of their state space. While some progress has been made recently in that field [ADF+06], scalability remains an important issue for the exhaustive verification of hybrid systems, due to the explosion of the underlying state space. Consequently, this verification method can nowadays be used to reason about small critical analog and mixed signal blocks containing up to a dozen continuous variables. Moreover, property-based verification of hybrid systems is only at its beginning [FGP06].

⋆ Intern at Rambus, Inc. during this work.
The preferred analog validation method remains simulation-based testing, combined with a number of common analysis techniques (frequency-domain analysis, statistical measures, parameter extraction, eye detection, etc.). The validation tools are specific to the class of properties checked, and include waveform analyzers and calculators, measurement commands, as well as manually written scripts. These solutions are often ad hoc and may require considerable user effort, and in the case of scripts, reusability becomes an issue.
The gap between formal verification and standard simulation analysis of analog systems can be reduced by introducing formal specifications into the domain of simulation. This approach relies on the automatic construction of an observer, also called a property checker, from the formula. This checker takes the form of a program that can be interfaced with the simulator and alerts the user if the property is violated by a simulation trace. This method is not complete, but can be effectively used to catch "bugs" in the system. It can be more reliable and efficient than the visual inspection of simulation traces or the manual construction of property observers. This procedure, often referred to as lightweight verification, has been successfully integrated into the validation flow of software and hardware frameworks, and temporal logic has been used as the specification language in a number of property checking tools, including

The extension of property-based checkers to analog and mixed signal systems has been proposed in [MN04, NM07], with the introduction of the formal specification language STL/PSL. STL/PSL is based on the dense-time temporal logic MITL [AFH96] and allows one to relate the temporal behavior of continuous waveforms via their static abstractions. The properties expressed in STL/PSL can be checked against analog simulation traces with the tool AMT [NM07]. A similar approach for checking PSL properties of discrete-time analog and mixed signal systems was proposed in [AZDT07]. The authors of [JHP+07] describe a framework based on PSL extended with analog operators, which is targeted at checking mixed signal interface properties. In [DC05], the authors introduce the AN-ACTL logic, an analog extension of CTL, which they use to check properties of a finite state machine representing a set of discretized and bounded transient simulation traces.
In this paper, we study the framework of property checkers in the analog domain and its applicability to real-world industrial examples. We present a case study where we translate a non-trivial property of a DDR2 memory interface [Jed06] into STL/PSL and use the monitoring tool AMT to check the specification against the simulation waveforms. DDR2 memory is a natural candidate for this case study as it contains a number of timing relations between different analog signals. We are particularly interested in the expressiveness of STL/PSL with respect to the class of properties informally described in the official DDR2 specification document.
The rest of this document is organized as follows: in Section 2 we present the STL/PSL specification language. Section 3 describes a non-trivial property of the DDR2 memory component and its formalization and translation into STL/PSL. The experimental results are reported in Section 4 followed by a discussion about the results and the conclusions (Section 5).
STL/PSL Specification Language
The specification of properties of continuous waveforms requires an adaptation of the semantic domain and the underlying logic. Let the time domain $\mathbb{T}$ be the set $\mathbb{R}_{\geq 0}$ of non-negative real numbers. We consider finite-length signals $\xi$ over an abstract domain $D$, which are partial functions $\xi : \mathbb{T} \to D$ whose domain of definition is $I = [0, r)$, $r \in \mathbb{Q}_{>0}$. The length of the signal $\xi$ is $r$, and is denoted by $|\xi| = r$. We restrict our attention to two particular types of signals, Boolean signals with $D = \mathbb{B}$ and continuous signals with $D = \mathbb{R}$. We denote by $\pi_p(\xi)$ the projection of the signal $\xi$ on the dimension with domain $\mathbb{B}$ that corresponds to the proposition $p$ (likewise, $\pi_s(\xi)$ denotes the projection of the signal $\xi$ on the dimension with domain $\mathbb{R}$ corresponding to the continuous variable $s$).
The STL/PSL logic is an extension of the MITL [AFH96] and STL [MN04] logics, using layers in the fashion of PSL [HFE04]. The analog layer allows one to reason about continuous signals, and the temporal layer relates the temporal behavior of input traces. The "communication" between the two layers is done via static abstractions that partition the continuous state space according to some (in)equality constraints on the continuous variables. The STL/PSL properties are targeted at lightweight verification over finite traces, so the language adopts the finitary interpretation in the spirit of PSL, with strong and weak forms of the temporal operators. The analog layer of STL/PSL is defined by the following grammar:
where $s$ belongs to a set $S = \{s_1, s_2, \ldots, s_n\}$ of continuous variables, $\star \in \{+, -, *\}$, $c \in \mathbb{Q}$ and $k \in \mathbb{Q}^+$.
The semantics of the analog layer of STL/PSL is defined as an application of the analog operators to the input signal ξ:
The temporal layer of STL/PSL contains both future and past operators and is defined as follows:
where $p$ belongs to a set $P = \{p_1, p_2, \ldots, p_n\}$ of propositional variables, $a, b, c \in \mathbb{Q}$, $\bullet \in \{>, >=, <, <=, ==\}$ and $I$ is an interval of type , where $a, b$ are rationals with $0 \leq a < b$. Note that we explicitly include in the syntax weak and strong versions of the eventually and once operators. The satisfaction relation $(\xi, t) \models \varphi$, indicating that the signal $\xi$ satisfies $\varphi$ at time $t$, is defined inductively as follows:
An STL/PSL specification $\varphi_{prop}$ is an STL/PSL temporal formula. The signal $\xi$ satisfies the specification $\varphi_{prop}$, denoted by $\xi \models \varphi_{prop}$, iff $(\xi, 0) \models \varphi_{prop}$.
Other standard operators such as always and historically can be derived from the basic ones. Note that the syntax and semantics of STL/PSL differ from [NM07] in several aspects. The until operator has the strict semantics as originally proposed in [AFH96], and the past operators as well as events (detection of rising and falling edges of a signal) have been added to the language.
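The dense-time semantics above can be turned directly into an offline property checker when the signals are piecewise constant. The following Python program is an added example, not AMT or any code from the paper: it stores a finite Boolean signal as the sorted half-open intervals on which it holds, derives Boolean signals from sampled analog signals through the abstraction s >= c (assuming linear interpolation between samples), and implements not, and, bounded eventually (strong and weak), once, always and rise as interval arithmetic on that representation. The weak/strong split follows the finitary PSL reading as I understand it: the strong form needs a witness inside the trace, the weak form also holds where the trace ends before the bound is exhausted. The sample trace and the response property checked at the end are constructed for the example.

```python
"""Offline checker for a fragment of STL/PSL over finite, piecewise-constant signals.

Added example (not the paper's or AMT's code).  A Boolean signal on [0, r) is the
sorted list of disjoint half-open intervals [s, e) on which it is true; the bounded
temporal operators then become interval arithmetic on that list.
"""
from dataclasses import dataclass
from typing import List, Tuple

Interval = Tuple[float, float]      # half-open [start, end)


@dataclass
class BoolSignal:
    length: float                   # r: the signal is defined on [0, r)
    true_on: List[Interval]         # disjoint, sorted, inside [0, r)


def _normalize(ivs, length: float) -> List[Interval]:
    """Clip to [0, length), drop empty intervals, sort and merge touching ones."""
    out: List[Interval] = []
    for s, e in sorted((max(0.0, s), min(length, e)) for s, e in ivs):
        if e <= s:
            continue
        if out and s <= out[-1][1]:
            out[-1] = (out[-1][0], max(out[-1][1], e))
        else:
            out.append((s, e))
    return out


def above(samples: List[Tuple[float, float]], c: float) -> BoolSignal:
    """Analog-layer abstraction 's >= c' of a sampled signal (assumes linear interpolation)."""
    ivs = []
    for (t0, v0), (t1, v1) in zip(samples, samples[1:]):
        if v0 >= c and v1 >= c:
            ivs.append((t0, t1))
        elif v0 >= c or v1 >= c:                    # exactly one end is above: find the crossing
            tc = t0 + (v0 - c) / (v0 - v1) * (t1 - t0)
            ivs.append((t0, tc) if v0 >= c else (tc, t1))
    r = samples[-1][0]
    return BoolSignal(r, _normalize(ivs, r))


def not_(p: BoolSignal) -> BoolSignal:
    out, cur = [], 0.0
    for s, e in p.true_on:
        if s > cur:
            out.append((cur, s))
        cur = e
    if cur < p.length:
        out.append((cur, p.length))
    return BoolSignal(p.length, out)


def and_(p: BoolSignal, q: BoolSignal) -> BoolSignal:
    out = [(max(s1, s2), min(e1, e2)) for s1, e1 in p.true_on for s2, e2 in q.true_on]
    return BoolSignal(p.length, _normalize(out, p.length))


def eventually(p: BoolSignal, a: float, b: float, strong: bool = True) -> BoolSignal:
    """eventually[a,b] p holds at t iff p holds at some t' in [t+a, t+b]: p true on
    [u, v) contributes [u-b, v-a).  The weak form also holds wherever t+b >= r, i.e.
    the trace ends before the deadline, so the finite trace cannot refute it."""
    shifted = [(u - b, v - a) for u, v in p.true_on]
    if not strong:
        shifted.append((p.length - b, p.length))
    return BoolSignal(p.length, _normalize(shifted, p.length))


def once(p: BoolSignal, a: float, b: float) -> BoolSignal:
    """Past mirror image: once[a,b] p at t iff p holds at some t' in [t-b, t-a]."""
    return BoolSignal(p.length, _normalize([(u + a, v + b) for u, v in p.true_on], p.length))


def always(p: BoolSignal, a: float, b: float) -> BoolSignal:
    """(weak) always[a,b] p  =  not eventually![a,b] not p."""
    return not_(eventually(not_(p), a, b, strong=True))


def rise(p: BoolSignal) -> List[float]:
    """Event times at which p switches from false to true (true at 0 is not an edge)."""
    return [s for s, _ in p.true_on if s > 0.0]


def holds_at(p: BoolSignal, t: float) -> bool:
    return any(s <= t < e for s, e in p.true_on)


def check_response(samples, c, ack: BoolSignal, a: float, b: float, strong: bool = True) -> bool:
    """Checks  always (rise(b:high) -> eventually[a,b] b:ack)  with  b:high := s >= c."""
    resp = eventually(ack, a, b, strong)
    return all(holds_at(resp, t) for t in rise(above(samples, c)))


# Constructed trace (arbitrary time units): analog samples of s and a Boolean ack.
SAMPLES = [(0, 0.0), (1, 0.0), (2, 1.0), (3, 1.0), (4, 0.0), (5, 0.0), (6, 1.0), (7, 1.0), (8, 0.0)]
ACK = BoolSignal(8.0, [(2.0, 2.5), (7.0, 7.2)])

if __name__ == "__main__":
    print(above(SAMPLES, 0.5).true_on)                 # [(1.5, 3.5), (5.5, 7.5)]
    print(check_response(SAMPLES, 0.5, ACK, 0, 2))     # True
    print(check_response(SAMPLES, 0.5, ACK, 0, 1))     # False: the rise at 5.5 is answered only at 7.0
```

Because the true-set of every subformula is itself a finite interval list, a whole formula is evaluated bottom-up in one pass over the trace, which is the offline mode of operation described later for AMT; the incremental mode would instead extend the interval lists as new samples arrive.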
The STL/PSL language contains some additional constructs that simplify the process of property specification. Each top-level STL/PSL property is declared as an assertion, and a number of assertions can be grouped into a single logical unit in order to monitor them together at once. We also add a definition directive which allows the user to declare a formula and give it a name, and then refer to it as a variable within the assertions. The Boolean and analog variables are typed (prefixes b: and a:, respectively). The extended STL/PSL is defined with the following production rules:

    stl_psl_prop     :== vprop NAME { { define_directive } { assert_directive } }
    define_directive :== define b:NAME := stl_psl_property | define a:NAME := analog_expression
    assert_directive :== NAME assert : stl_psl_property

where stl_psl_property and analog_expression correspond to $\varphi$ and $\phi$ defined above, respectively.
Translation of DDR2 Properties to STL/PSL Assertions
In DDR2, data access is controlled by a single-ended or differential data strobe signal, which acts as an asynchronous clock. The official JEDEC DDR2 specification is defined in [Jed06] and describes, amongst others, a number of properties that involve timing relationships between events in the data and data strobe signals. In this paper, we are particularly interested in a property that defines the correct alignment between these two signals. The case study considers the specification parameters for the single-ended data strobe DDR2-400 memory interface, which is part of the JEDEC standard.
The DDR2 specification contains a number of relevant thresholds, shown in Table 1. The temporal relationship between the data signal DQ and the data strobe signal DQS is defined with respect to the crossings of these thresholds. The general definition of the alignment of the data DQ and data strobe DQS signals is shown in Figure 1. The proper alignment between the two signals is determined by two values, the setup time tDS and the hold time tDH. The setup and hold times of DQ and DQS are checked on both their falling and rising edges, but for the sake of simplicity we only consider the specification of the property for the setup time at the signals' falling edge (the other cases are similar and symmetric).

Unfortunately the above property, naturally expressed in STL/PSL, does not capture the full reality. In fact, the setup time tDS is not a constant value, but rather varies according to the slew rates (slopes) of the DQ and DQS signals. For example, when DQ and DQS fall more sharply, the required tDS increases. The setup time tDS is equal to the sum of a (constant) base term tDS(base) and a (variable) correction term ∆tDS:

tDS = tDS(base) + ∆tDS
The setup base term tDS(base) is equal to 150 ps for the single-ended DDR2-400. The correction term ∆tDS is a value that depends directly on the slew rates of DQ and DQS, with the setup slew rate of a falling signal being defined as

Setup falling slew rate
where ∆TF is the time that the signal spends between VREF(DC) and VIL(AC)max. As we can see, the setup falling slew rate of a signal can be deduced from ∆TF. In order to extract the setup correction term ∆tDS from the actual slew rates of DQ and DQS, we can use a specification table from [Jed06], partially reproduced in Table 2. According to the JEDEC specification, ∆tDS corresponding to the slew rates not listed in Table 2

Since tDS is a value that varies during a simulation, depending on the slew rates of DQ and DQS, the DQ/DQS alignment property cannot be formulated exactly in STL/PSL, which currently supports only temporal operators with constant time bounds. However, we can use an approximation in order to express a similar alignment property which still preserves some guarantees. We can divide the table of correction terms into a finite number of ranges, and use the worst-case value of ∆tDS for each range. This method corresponds to a conservative approximation, which guarantees that if the over-approximated property holds, the exact property holds too. As an example, consider the highlighted range of Table 2, which we call the "top-left" range, where the setup falling slew rates of DQ and DQS are between 1 and 2 V/ns. For the conservative approximation of tDS with slew rates falling in that range, we choose the worst-case ∆tDS as the correction term, that is 188 ps. Hence, the approximated falling setup time tDS_TL for all DQ and DQS with falling slew rates between 1 and 2 V/ns would be equal to tDS_TL = 150 + 188 = 338 ps.
In order to determine the falling slew rates of DQ and DQS, we need to detect how much time these signals remain in their falling slew region (between V with similar properties that have to be written for each range of DQ and DQS slew rates.
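The range-based over-approximation of this section can be checked directly on sampled waveforms. The Python program below is an added example and not the paper's STL/PSL assertions or AMT: for every falling DQS edge it measures ∆TF of DQS and of each falling DQ edge, classifies both slew rates into a range, and requires the setup margin to be at least tDS(base) plus the worst-case ∆tDS of that range pair. Several things it needs are not stated on the page and are assumptions here: the threshold voltages stand in for Table 1 (placeholders), the slew rate is taken as (VREF(DC) − VIL(AC)max) / ∆TF, the setup margin is measured from DQ's falling crossing of VIL(AC)max to DQS's falling crossing of VREF(DC), and only the top-left cell of Table 2 (188 ps for both rates between 1 and 2 V/ns) is filled in, because only that cell is reproduced on the page. The DQ and DQS waveforms are constructed.

```python
"""Conservative DDR2 setup-time check per slew-rate range.

Added example, not the paper's STL/PSL assertions or AMT.  Times in ns, voltages in V.
Assumptions not stated on the page: thresholds are placeholders for Table 1, slew
rate = (VREF(DC) - VIL(AC)max) / dTF, tDS is measured from DQ's falling crossing of
VIL(AC)max to DQS's falling crossing of VREF(DC), and only falling edges are examined.
"""
from typing import List, NamedTuple, Tuple

Sample = Tuple[float, float]          # (time in ns, voltage in V)

VREF_DC = 0.9                         # placeholder standing in for Table 1
VIL_AC_MAX = 0.65                     # placeholder standing in for Table 1
TDS_BASE_PS = 150                     # single-ended DDR2-400 base term (from the page)

# Slew-rate ranges (V/ns) and the worst-case dtDS (ps) per (DQ range, DQS range) pair.
# Only the "top-left" cell of Table 2 appears on the page; further cells must be
# copied from the JEDEC table before other ranges can be checked.
RANGES = [(1.0, 2.0)]
WORST_CASE_DTDS_PS = {((1.0, 2.0), (1.0, 2.0)): 188}


def falling_crossings(samples: List[Sample], level: float) -> List[float]:
    """Times at which the linearly interpolated signal crosses 'level' going down."""
    out = []
    for (t0, v0), (t1, v1) in zip(samples, samples[1:]):
        if v0 >= level > v1:
            out.append(t0 + (v0 - level) / (v0 - v1) * (t1 - t0))
    return out


class FallingEdge(NamedTuple):
    t_ref: float      # crossing of VREF(DC)
    t_ac: float       # crossing of VIL(AC)max
    rate: float       # setup falling slew rate in V/ns


def falling_edges(samples: List[Sample]) -> List[FallingEdge]:
    """Pair each VREF(DC) crossing with the next VIL(AC)max crossing; their gap is dTF."""
    ac = falling_crossings(samples, VIL_AC_MAX)
    edges = []
    for t_ref in falling_crossings(samples, VREF_DC):
        later = [t for t in ac if t >= t_ref]
        if not later:                      # edge did not complete inside the trace
            continue
        d_tf = later[0] - t_ref
        edges.append(FallingEdge(t_ref, later[0], (VREF_DC - VIL_AC_MAX) / d_tf))
    return edges


def slew_range(rate: float) -> Tuple[float, float]:
    for lo, hi in RANGES:
        if lo <= rate <= hi:
            return (lo, hi)
    raise ValueError(f"slew rate {rate:.2f} V/ns is outside the ranges reproduced here")


def required_tds_ps(dq_rate: float, dqs_rate: float) -> int:
    """Over-approximated tDS = tDS(base) + worst-case dtDS of the range pair (338 ps top-left)."""
    return TDS_BASE_PS + WORST_CASE_DTDS_PS[(slew_range(dq_rate), slew_range(dqs_rate))]


class Violation(NamedTuple):
    t_dqs: float
    t_dq: float
    setup_ps: float
    required_ps: int


def check_setup_falling(dq: List[Sample], dqs: List[Sample]) -> List[Violation]:
    """For every falling DQS edge, no falling DQ edge may complete (reach VIL(AC)max)
    inside the tDS window that ends at the DQS VREF(DC) crossing."""
    violations = []
    for strobe in falling_edges(dqs):
        for data in falling_edges(dq):
            setup_ps = (strobe.t_ref - data.t_ac) * 1000.0
            required = required_tds_ps(data.rate, strobe.rate)
            if 0.0 <= setup_ps < required:
                violations.append(Violation(strobe.t_ref, data.t_ac, setup_ps, required))
    return violations


# Constructed waveforms: both DQ edges fall at 1.5 V/ns and both DQS edges at 1.8 V/ns,
# so every pair lies in the top-left range and must respect tDS_TL = 338 ps.  The
# second DQ edge completes only about 133 ps before the second DQS edge.
DQ = [(0.0, 1.8), (1.0, 1.8), (2.2, 0.0), (3.5, 0.0), (4.0, 1.8), (4.6, 1.8), (5.8, 0.0), (7.0, 0.0)]
DQS = [(0.0, 1.8), (2.0, 1.8), (3.0, 0.0), (3.5, 0.0), (4.0, 1.8), (5.0, 1.8), (6.0, 0.0), (7.0, 0.0)]

if __name__ == "__main__":
    for v in check_setup_falling(DQ, DQS):
        print(f"DQS edge at {v.t_dqs:.3f} ns: setup {v.setup_ps:.0f} ps < required {v.required_ps} ps")
```

Once tDS is frozen per range, the check has the shape of a property with constant bounds and a past operator: at each falling DQS edge, no falling DQ edge completed within the preceding tDS_TL. That is the form in which a per-range assertion can be written with constant-bound operators, and the refinement step in the paper corresponds to splitting RANGES and the table further when an over-approximated range fails.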
obtained for that particular version of the DDR2 memory, and we used instead the official specification parameters for the single-ended DDR2-400 presented in Section 3, assuming that these parameters would be conservative enough. The simulation traces contained about 180,000 samples for each signal. For the case study evaluation, we used the AMT stand-alone tool. AMT takes as inputs STL/PSL specifications and analog or mixed signal traces and checks whether the specification is satisfied by the simulation waveforms. The architecture of AMT is shown in Figure 5. The tool offers two evaluation modes: offline, where the input traces are validated after the simulation, and incremental, where the property evaluation runs in parallel with the simulation, communicating over a TCP/IP connection, and tries to determine the satisfaction of the formula as early as possible. In this case study we used the offline mode because the DDR2 simulation traces were already available. We started by splitting the main property into 4 different ranges, taking an over-approximated tDS value for each slew rate range. The evaluation of each property took about 7 seconds. Since some of the over-approximated properties were shown to be false, we decomposed them further, in 3 iterations, into a total of 7 properties before being able to show that the specification held for each range on this given set of simulation traces. The refinement of the properties was done manually and proved to be a tedious task.
Future Work and Conclusion
The DDR2 case study showed that an important class of non-trivial properties describes "event"-based timing relationships between analog signals, which can in general be naturally expressed in a specification language like STL/PSL. However, the timing relationship between analog signals can be more complex than what the current expressiveness of STL/PSL can describe. This problem was exposed by the DDR2 data vs. data strobe alignment property that we considered in this paper. We had to use approximation techniques in order to show that the alignment between the data and data strobe signals was correct. The resulting specification turned out to be quite complex to write. The refinement of the over-approximated specification was done manually and was not a simple and quick task. This case study was useful in showing that this approach may indeed be practical for some analog applications, but it also helped us to identify the features that are still missing in the STL/PSL language. We present here some directions for future work:
Parameterized time bounds: the DDR2 case study exposed that STL/PSL temporal operators with constant time modalities may not be sufficient to describe some realistic relations between analog signals. In our opinion, variable time bounds would be an important extension to STL/PSL.

Automatic parameter extraction: the interaction with analog designers revealed that verification with respect to the existing specification is not the only interesting question that can be asked about an analog design. In fact, specification parameters such as the time relationship between different signals are often not known in advance. Such parameters are rather extracted from the simulation traces, and the specification is completed only after simulating a model of the design. We would like to express properties without specifying the time bounds, for example always (rise(b:p) -> eventually![?] b:q), asking the following question: given a set of simulation traces, what are the minimum and maximum time bounds, if any, such that the property is satisfied? In the formal methods community, this problem is known as model measuring, and has been considered in the context of parametric temporal logics in [AELP99].

Tighter integration with simulators: in our opinion, the property-based analog checking approach would be more widely accepted if the specification and monitoring process were more integrated into the simulators. In the digital world, assertions are often integrated into Verilog or VHDL code and are inserted at the points where the property should be checked. We can consider integrating analog and mixed signal property checking algorithms into a design language like Verilog-AMS. This may be beneficial for several reasons. The STL/PSL language could embed the existing constructs from Verilog-AMS in order to better detect threshold crossings (@cross) or to compute some more complex measures like the area under a curve.
Integration with test generation: an interesting direction of research would be to combine the property-based analog checkers approach with techniques for automatic generation of simulation traces, such as those studied in [ND07a, ND07b] . The combined simulation generation and checking flow could make the analog validation more automatic.
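For the model-measuring question raised under automatic parameter extraction, the bound of always (rise(b:p) -> eventually![?] b:q) can be measured on a single trace by recording, at every rising edge of p, the delay until q next holds. The Python function below is an added example (not from the paper or [AELP99]); it takes Boolean signals as sorted half-open intervals on which they are true, and reports the largest lower bound and the smallest upper bound for which the property holds on that trace, or None when some edge is never answered so that no bound exists. The trace at the end is constructed.

```python
"""Model measuring for  always (rise(b:p) -> eventually![?] b:q)  on one finite trace.

Added example, not from the paper or [AELP99].  Boolean signals are sorted half-open
intervals [s, e) on which they are true.  For each rising edge of p the delay to the
next time q holds is measured; the property holds for eventually![a, b] exactly when
a <= min delay and b >= max delay, so those two values are the tightest bounds.
"""
from typing import List, Optional, Tuple

Interval = Tuple[float, float]


def rise(true_on: List[Interval]) -> List[float]:
    """Times where p switches from false to true (no edge if p is already true at 0)."""
    return [s for s, _ in true_on if s > 0.0]


def delay_to(q: List[Interval], t: float) -> Optional[float]:
    """Delay from t to the first time >= t at which q holds; None if q never holds again."""
    for s, e in q:
        if e > t:                          # [s, e) still contains points at or after t
            return max(s, t) - t
    return None


def measure_bounds(p: List[Interval], q: List[Interval]) -> Optional[Tuple[float, float]]:
    """(a_max, b_min): the property holds for every [a, b] with a <= a_max and
    b >= b_min on this trace.  None if p has no rising edge or an edge is unanswered."""
    delays = [delay_to(q, t) for t in rise(p)]
    if not delays or any(d is None for d in delays):
        return None
    return (round(min(delays), 9), round(max(delays), 9))   # rounding hides float noise


# Constructed trace: three requests on p, answered by q after 0.3, 0.5 and 0.2 time units.
P = [(1.0, 1.4), (3.0, 3.2), (6.0, 6.5)]
Q = [(1.3, 1.6), (3.5, 3.7), (6.2, 6.4)]

if __name__ == "__main__":
    print(measure_bounds(P, Q))      # (0.2, 0.5)
```

Over a set of traces, the answer is the maximum of the per-trace upper bounds and the minimum of the per-trace lower bounds, which is what a designer would read off as the measured timing relationship before writing it into the specification.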
