We study model checking for a first-order linear-time temporal logic. We present the computation model: abstract description of state machines (ASMs), in which data and data operations are described using abstract sort and uninterpreted function symbols. ASMs are suitable for describing Register Transfer level designs. We define a first-order linear-time temporal logic called L MDG which supports the abstract data representations. Both safety and liveness properties can be expressed in L MDG , however, only universal path quantification is possible. Fairness constraints can also be imposed. The property checking algorithms are based on implicit state enumeration of an ASM and implemented using Multiway Decision Graphs.
INTRODUCTION
Symbolic model checking has proven to be an important technique for the automatic verification of hardware designs [1, 2, 3, 4] . However, these methods require the description of the design to be at the Boolean logic level, and thus in general they are not adequate for verifying circuits with large datapath because of the state explosion problem.
Being motivated by a desire to combine the automation feature of model checking and the abstract representation of data in theorem proving, we developed model checking algorithms for a few first-order linear-time temporal logic patterns. Our approach is based on a computation model called an abstract description of state machine (ASM) where a data value is represented by a single variable of abstract type, rather than by a vector of Boolean variables, and a data operation is represented by an uninterpreted function symbol [5, 6] . ASMs can be used to describe designs at Register Transfer Level (RTL). An ASM is encoded using Multiway Decision Graphs (MDGs) [6, 7] of which Reduced Ordered Binary Decision Diagrams (ROBDDs) [8] are a special case. The verification of ASMs is based on state enumeration whose complexity is independent of the width of the datapath. Thus, the state explosion problem caused by descriptions of large datapaths at the Boolean logic level is alleviated.
While our formalization of ASMs was introduced in [6, 7] , and the invariant checking on ASMs was presented in [9] , in this paper we address the model checking problem for ASMs. We define the first-order linear-time temporal logic L MDG and present the property checking algorithms for L MDG . As part of the property checking algorithms, we also show a special handling of the next operators, i.e. using ASMs to represent the basic L MDG sub-formulas in which only the next operator X is allowed (called Next_let_formulas).
To check a property p in L MDG on an ASM M, we first build additional ASMs automatically for Next_let_formulas, then we compose the additional ASMs with M, and finally check a relatively simpler property on the composite machine. The property checking algorithms are based on implicit state enumeration as supported by MDGs. However, the algorithms do not always terminate. Decidability of model checking for L MDG , just like decidability of reachability analysis for our ASMs, is left as an open question.
There are previous developments reported in the literature that are directly related to ours. Hungar, Grumberg, Damm et al. proposed a 'true symbolic model checking' technique in [10] , and later improved in [11] by checking first-order-CTL (FO-CTL) properties on systems with clear separation between control and datapath. In their method, the BDD-based symbolic model checker is used to check the properties on the control part, the data part is handled by annotating each control-expanded state by a first-order formula, and BDDs are used to represent and manipulate the first-order annotations symbolically. The FO-CTL is more expressive than L MDG , since only a limited nesting of temporal operators is allowed in L MDG . However, their method differs from our method in the way the property checking is achieved. Basically, they showed how to cast first-order model checking into
The Computer Journal, Vol. 47, No. 1, 2004 BDD-based model checking, while our property checking algorithms are carried out directly on the first-order logic level.
Cyrluk and Narendran [12] defined a first-order temporal logic-Ground Temporal Logic (GTL), which falls in between the first-order and the propositional temporal logics. The validity problem in GTL is the same as checking a lineartime temporal logic formula for all computation paths. In [12] , the authors showed that the full GTL is undecidable. They then identified a decidable fragment of GTL, consisting of p (always p) formulas where p is a GTL formula containing an arbitrary number of 'Next' operators, but no other temporal operators. However, they did not show how to build the decision procedure. We shall see in the following sections that the decidable fragment of GTL is actually a subset of the class of properties that we can verify.
Hojati, Brayton et al. proposed a concurrency model called integer combinational/sequential (ICS), which uses finite relations, interpreted and uninterpreted integer functions and predicates, and interpreted memory functions to describe hardware systems with datapath abstraction [13, 14, 15] . Verification of ICS models is performed using language containment. They showed that for a subclass of 'controlintensive' ICS models, integer variables in the model can be replaced by enumerated variables (i.e. finite instantiation) and then the property verification can be carried out at the Boolean logic level without sacrificing accuracy. They gave a linear-time algorithm for recognizing those subsets. For verifying properties of circuits with complex datapaths, i.e. the circuit contains interpreted and uninterpreted functions, finite instantiation cannot be used. Instead, they compute the set of states reachable in n steps using BDDs and check that no error exists in these n steps. Their algorithm, if it terminates, computes the set of reachable states. Thus, they can check only safety properties, while our methods can check safety properties as well as certain liveness properties.
Burch and Dill [16] used a subset of first-order logic, specifically, the quantifier-free logic of uninterpreted functions and predicates with equality and propositional connectives, for verifying microprocessor control circuitry. Velev and Bryant [17] presented a Equality Validity Checker (EVC) for a logic called Equality with Uninterpreted Functions and Memories (EUFM). The EVC translates a formula in EUFM to a propositional formula, and then evaluates the propositional formula using a Boolean satisfiability procedure. Those methods are appropriate for verification of microprocessor control because they allow abstraction of datapath values and operations. However, those methods, unlike ours, cannot verify properties involving temporal operators, in particular, liveness properties. Another relevant but differently focused approach was [18] , in which Namjoshi and Kurshan showed an algorithm that constructs a finite state 'abstract' program from a given, possibly infinite state, 'concrete' program by means of a syntactic program transformation.
This paper is organized as follows: in Section 2, we first describe the formal logic used in our ASM approach, and then define the computation model, i.e. the definition of ASMs. In Section 3, we define the syntax and the semantics of L MDG , as a property specification language for which we have been able to develop property checking procedures. In Section 4, we present in detail the property checking procedures. In Section 5, we show how to impose fairness constraints in our verification system and the algorithms for checking liveness properties under fairness constraints. In Section 6, we verify some properties regarding the Island Tunnel Control bench mark using our model checker and also using VIS from University of California at Berkley. We also verify several properties regarding an abstract counter in which the value of the counter is described using a variable of abstract type. We conclude the paper in Section 7.
ABSTRACT DESCRIPTION OF STATE MACHINES
Abstract description of state machine is a model used for describing hardware designs at the RTL. Using ASMs, a data value can be represented by a single variable of abstract type, rather than by a vector of Boolean variables, and a data operation is represented by an uninterpreted function symbol. The model checking method based on a first-order linear-time temporal logic as developed in this paper allows to verify properties on designs represented by ASMs. Thus, it is necessary to review first the terminology related to ASMs.
A many-sorted first-order logic
As in an ordinary many-sorted first-order logic, the vocabulary consists of sorts, constants, variables and function symbols (or operators). Constants and variables have sorts. We deviate from standard many-sorted firstorder logic by introducing a distinction between concrete (or enumerated) sorts and abstract sorts; the difference is that concrete sorts have enumerations, while abstract sorts do not. The enumeration of a concrete sort α is a set of distinct constants of sort α. We refer to constants occurring in enumerations as individual constants and to other constants as generic constants. The distinction between abstract and concrete sorts leads to a distinction between three kinds of function symbols. Let f be a function symbol of type α 1 × α 2 × · · · × α n → α n+1 . If α n+1 is an abstract sort then f is an abstract function symbol. If all the α 1 , . . . , α n+1 are concrete, f is a concrete function symbol. If α n+1 is concrete while at least one of α 1 , . . . , α n is abstract, then f is referred to as a crossoperator. Both abstract function symbols and cross-operators may be uninterpreted, or partially interpreted by conditional rewrite rules. The terms and their types (sorts) are defined inductively as follows: a constant or a variable of sort α is a term of type α; and if f is a function symbol of type An interpretation is a mapping ψ that assigns a denotation to each sort, constant and function symbol such that:
Let X be a set of variables, a variable assignment with domain X compatible with an interpretation ψ is a function ϕ that maps every variable x ∈ X of sort α to an element ϕ(x) of ψ(α). We write ψ X for the set of ψ-compatible assignments to the variables in X, ψ, ϕ |= P if a formula P denotes truth under an interpretation ψ and a ψ-compatible variable assignment ϕ to the variables that occur free in P , |= P if a formula P denotes truth under every interpretation ψ and every ψ-compatible variable assignment to the variables that occur free in P .
Directed formulas
Given two disjoint sets of variables U and V , a directed formula (DF) of type U → V is a formula in disjunctive normal form (DNF) such that: Intuitively, in a DF of type U → V , the U variables play the role of independent variables, the V variables play the role of dependent variables, and the disjuncts enumerate possible cases. In each disjunct, the equations of the form u = a and A = a specify a case in terms of the U variables, while the other equations specify the values of (some of the) V variables in that case. The cases need not be mutually exclusive, nor exhaustive.
A DF is said to be concretely reduced iff every A in an equation A = a is a cross-term, and every A in an equation v = A is a concretely reduced term. It is easy to see that every DF is logically equivalent to a concretely reduced DF, given complete specifications of the concrete function symbols and concrete generic constants; the reduction can be accomplished by case splitting. From now on, by DF we shall mean concretely reduced DF.
Let P be a DF of type U → V . For a given interpretation ψ, P can be used to represent the set of vectors Set
In the following sections, DFs are used for two distinct purposes: to represent sets (viz. sets of states as well as sets of input vectors and output vectors) and to represent relations (viz. the transition and output relations). 
Abstract description of state machines
Thus the transition relation of the state machine M represented by D is
Given an interpretation ψ, the output relation of 
Basic algorithms of DFs
We recall the basic algorithms used in [5, 6] , but here we give their definitions in terms of DFs, since these algorithms will be needed later in the model checking procedures.
Disjunction. The disjunction algorithm is n-ary. It takes as inputs a set of DFs
This algorithm is mainly used to compute the union of sets of states.
Conjunction. The conjunction algorithm takes as inputs a set of DFs
This algorithm is used to extract a common subset from sets of states.
Relational product. The algorithm takes as inputs a set of DFs P i , 1 ≤ i ≤ n, of types U i → V i , a set of variables E to be existentially quantified, and a renaming substitution η, and produces a DF R = RelP({P i } 1≤i≤n , E, η) such that
The algorithm computes the conjunction of the P i , existentially quantifies the variables in E, and applies the renaming substitution η. The type of the result R is then
In our property checking procedures, this algorithm is used to compute the set of states reachable in one transition from one set of states.
Pruning by subsumption. The algorithm takes as inputs two DFs P and Q of types U → V 1 and U → V 2 respectively, and produces a DF R = PbyS(P , Q) of type U → V 1 derivable from P by pruning (i.e. by removing some of the disjuncts) such that
The disjuncts that are removed from P are subsumed by Q, hence the name of the algorithm. If R is F, then it follows tautologically that |= P ⇒ (∃U)Q.
This algorithm is used to check whether a set of states is a subset of another set of states. Let P 1 , P 2 be two DFs of type U → Y . Then for a given interpretation ψ, the two sets of states represented by P 1 , P 2 are re-
We say that P 1 and P 2 are equivalent DFs (in that case, for any ψ, S 1 and S 2 are equivalent sets) if PbyS(P 1 , P 2 ) = F and PbyS(P 2 , P 1 ) = F. We allow the formula
A FIRST-ORDER LINEAR-TIME
The properties allowed in L MDG can have the following forms:
Semantics of L MDG
A path π is a sequence of states. We use π i to denote a path starting from π i where π i denotes the ith state in π. All the formulas in L MDG are path formulas. We write π, σ |= p to mean that a path formula p is true at path π under a ψ-compatible assignment σ to the ordinary variables. We use Val φ∪σ (t) to denote the value of term t under a ψ-compatible assignment φ to the state, input and output variables, and a ψ-compatible assignment σ to the ordinary variables. We then define |= inductively as follows:
Given a property in L MDG regarding an ASM under a given interpretation ψ, the property holds on the ASM iff the property is true for every path π such that π 0 is an initial state and, for every i, there is a transition from π i to π i+1 from some ψ-compatible assignment to the input variables.
MODEL CHECKING FOR PROPERTIES IN
L MDG Our approach to model checking is to build automatically additional ASMs that represent the Next_let_formulas appearing in the property to be verified, connect these additional ASMs to the original one, and then check a simpler property on the composite machine [19] . The initial set of states F Ip are assigned differently depending on which property template the Next_let_formula P corresponds to. The general idea is that the initial states of D p should not affect the result of verifying P on the original ASM D. There is no output from D p , i.e. Zp is empty. Hence, there is no output relation either. The details of an algorithm for constructing an ASM representing a Next_let_formula can be found in [20] .
In the following subsections, we describe algorithms for verifying the various forms of the formulas in L MDG . When our property checking algorithms report success to a query, then the property holds for an ASM under any interpretation. It is possible that a property holds for the ASM under the intended interpretation of the abstract function symbols and constants, but not under every interpretation. In that case, the algorithm, if it terminates, will return a false negative answer with respect to the original, non-abstracted problem.
However, if all the data operations are viewed as black boxes, a property is expected to hold for every interpretation; it is in this sense that we say that our algorithms are applicable to designs where data operations are viewed as black boxes. We then transform the problem to verifying Flag = 1 on each reachable state.
Verification of G(Next_let_formula
For example, to check the property G(req = 1 → LET(v = Din) IN (X (Dout = v))) on an ASM D, we build a composite ASM as shown in Figure 1 , and then perform reachability analysis and in each state check that Flag = 1.
The algorithm to check a property in the form of G(Flag = 1) is as follows: If the set of initial states represented by G I does not satisfy the property we report failure. Otherwise, we compute the next new states and add them to those already visited until a fixpoint is reached. At each iteration, we verify the property on the newly generated states.
To check a property in the form of Next_let_formula, we construct a composite ASM in the same way as in the case of G(Next_let_formula), and then we verify that Flag = 1 on the states reached in n + 1 transitions from the initial states, where n is the maximum nesting depth of the X operators in the property, and the 1 cycle delay is caused by the register associated with Flag.
Verification of (Next_let_formula)U(Next_let_ formula)
We use additional ASMs to represent the Next_let_formulas and then transfer the problem to checking (FlagP = 1) U(FlagQ = 1) on the composite machine. 
VERIFICATION OF LIVENESS PROPERTIES WITH FAIRNESS CONSTRAINTS

Fairness constraints
When verifying liveness properties, one is usually interested only in the so-called fair infinite computation paths. A fair path is a computation path along which the states satisfy each fairness condition infinitely often. In the literature, different methods for specifying fairness constraints have been developed for CTL model checking [21] and for language containment using L-automata [22, 23] .
In our method, we impose fairness constraints using a subset of the criteria employed in the method based on language containment, namely, by specifying cycle sets. Let H i , i = 1, . . . , n, be n 'exception' conditions, and S ω the set of infinitely repeating states along a computation path. If at least one H i holds on all states in S ω , then the computation path is not fair and need not satisfy the property under investigation. That is, only those computation paths along which the states satisfy every !(H i ) infinitely often are considered. Therefore, !(H i ) (1 ≤ i ≤ n) can be viewed as the fairness constraints. We call the formula representing the exception condition H i an H_formula. The syntax of an H_Formula is as follows: In this algorithm, is a set containing the DFs representing each a set of states not satisfying FlagQ = 1 on the fair computation paths after a transition step, P represents the frontier set of states to be explored further, and n is the number of fairness constraints.
Verification of pUq with fairness constraints
In loop1, Lines (7) (8) (9) (10) (11) (12) , S notq represents the set of states in P not satisfying FlagQ = 1. If S notq is empty, then the computation stops by reporting success; otherwise, if S notq covers any set in P , which means there is at least one cycle that is not one of the cycle sets, and the states in the cycle do not satisfy FlagQ = 1, then the algorithm stops and reports failure. If no cycle is detected, then we check whether the states in S notq satisfy FlagP = 1. If not then report failure; if yes, then S notq is added to and the computation continues (Lines 10-12).
Lines (13-39) form a loop which is executed n times. This loop deals with each exception condition. At every i-th (1 ≤ i ≤ n) iteration, S 2 represents the set of states in S 1 that satisfy the excepting condition FlagH i = 1, and S notH represents the set of states in S 1 that does not satisfy FlagH i = 1. If S 2 is not empty, the algorithm computes S 3 (loop 20-31). This set represents all states that are reachable from S 2 by any number of transition steps and that all states satisfy FlagH i = 1 and FlagP = 1, but do not satisfy FlagQ = 1. In other words, S 3 could contain cycles which are formed by the states satisfying FlagH i = 1 and FlagP = 1 but not FlagQ = 1. (The way to compute S 3 is the same as the reachability analysis.) Then, one more transition is done to compute the set of states reachable by one transition step from the states of S 3 , but not satisfying FlagH i = 1, and these states are stored in S 4 . S 4notq represents the set of states in S 4 that do not satisfy FlagQ = 1. If this set contains at least one state that does not satisfy FlagP = 1, then report failure (Line 36). S 1 is the union of the set of states represented by S 4notq and S notH at each iteration of the loop.
In Lines (40-42), P is computed to represent the states reachable in one transition step from the states in S 1 . The computation continues in loop 1 with P being the new frontier set of states to be checked.
In Figure 2 , we show an example that illustrates how this algorithm works. Suppose we wish to verify (FlagP = 1)U (FlagQ = 1) under the fairness constraint ! (FlagH 1 = 1) on the state transition graph given in Figure 2 . We also indicate the values of FlagP, FlagQ and FlagH 1 in each state. We shall see that the algorithm stops and reports success at the 3rd iteration in loop1. However, checking (FlagP = 1) U(FlagQ = 1) without the fairness constraint would fail on the path s1
The Check_U_fair algorithm is conservative, i.e. it requires that for every path, FlagP = 1 is satisfied on all the states along the path before a state satisfying FlagQ = 1 is reached. Along some paths, if the states repeating forever are covered by a cycle set and there is no other state reached by those states as shown in Figure 3 , Check_U_fair will report failure. However, it is not necessary that FlagP = 1 holds on these states, since this path should not even be considered. Thus Check_U_fair may give a false negative answer. In real systems, this situation happens rarely. To verify that Fp (where p is a Next_let_formula) under fairness constraints, we verify (TUq). The method will not produce any false negative answer since T is satisfied by any state in this case.
EXPERIMENTAL RESULTS
To show how to express properties in L MDG , and how to use our model checker, we use the Island Tunnel Controller (ITC) [24] and the Abstract Counter [12] as examples. Although the two examples are small and do not represent the scale of designs that the MDG-based model checker can verify, they are ideal for illustration purposes. From the two examples, we can see how the ASMs are used to describe design models, and how the properties can be stated using L MDG . We also carried out the same verification using the ROBDD-based verification tool VIS [25] . Both tools showed the same verification result. However, using the MDG-based method, we were able to use abstract variables that describe the datapath and the first-order temporal logic to state properties, hence, the performance of the MDG-based model checker is much better than that of VIS.
Checking properties of the ITC
The ITC was originally introduced by Fisler and Johnson [24] to illustrate the notation of a heterogeneous logic system supporting diagrams as logic entities, however, no verification experiments were performed.
The ITC
Generally speaking, the ITC controls the traffic lights at both ends of a tunnel based on the information collected by sensors installed at both ends of the tunnel: there is one lane tunnel connecting the mainland to an island, as shown in Figure 4 . At each end of the tunnel, there is a traffic light. There are four sensors for detecting the presence of vehicles: one at the tunnel entrance (ie) and one at the tunnel exit on the island side (ix), and one at the tunnel entrance (me) and one at the tunnel exit on the mainland side (mx). It is assumed that all cars are finite in length, that no car gets stuck in the tunnel, that cars do not exit the tunnel before entering the tunnel, that cars do not leave the tunnel entrance without travelling through the tunnel, and that there is sufficient distance between two cars such that the sensors can distinguish the cars.
In [24] , one more constraint is imposed: 'at most 16 cars may be on the island at any time'. The number '16' can be taken as a parameter and it can be any natural number. The constraint can thus be read as follows: 'at most n (n ≥ 0) cars may be on the island at any time'. In our ASM approach, we have the luxury to model an abstract datapath, hence, we used an abstract variable to describe the counter n. For ROBDDbased verification methods, like VIS, a particular instance of n has to be given.
Fisler and Johnson proposed a specification of ITC using three communicating controllers and two counters as shown in Figure 5 . The island light controller (ILC) has four states: green, entering, red and exiting. The outputs igl and irl control the green and red lights on the island side, respectively; iu indicates that the cars from the island side are currently occupying the tunnel, and ir indicates that ILC is requesting the tunnel. The input iy requests the ILC to release control of the tunnel, and ig grants control of the tunnel from the island side. A similar set of signals is defined for the mainland light controller (MLC). The tunnel controller (TC) processes the requests for access issued by the ILC and MLC. The island counter and the tunnel counter keep track of the numbers of cars currently on the island and in the tunnel, respectively. For the TC, at each clock cycle, the counter tc is increased by 1 depending on tc + or decremented by 1 depending on tc− unless it is already 0. The island counter operates in a similar way, except that the increment and decrement signals are ic+ and ic−, respectively. In [24] , Fisler and Johnson proposed a set of properties that the ITC design should satisfy. In the next section, we will show how those properties are specified in L MDG , and the CPU time and memory used for verifying the properties using the MDG package.
Property checking using the MDG package
We first create an ASM model representing the ITC design which could be read by the MDG verification system. We created modules representing ILC, MLC, TC and the counters as specified. All the signals are described using concrete variables, except that two state variables of abstract sort WORDN for n-bit word are used to describe the island counter (ic) and the tunnel counter (tc). The uninterpreted function inc of type W ORDN → W ORDN is used to describe the operation of incrementation by 1, and dec of the same type to describe the decrementation by 1. The environment (ENV) is built in such a way that it allows a non-deterministic choice of values on the primary inputs ie, me, ix and mx.
The following properties were verified on the ITC design: This is a typical safety property that a traffic light controller should satisfy. This property is described in the specification language L MDG as follows:
Property 2. The island counter is never ordered to increment and decrement simultaneously:
Property 3. The tunnel counter behaves properly if ordered to increment and decrement simultaneously.
We used an ordinary variable v to remember the value of tc at the current state, and compare the value of tc at the next state with v. The property states that if both the signals tc+ and tc− are set, then the value of tc should not change from the current state to the next state. Rewrite rules which interpret dec(inc(v)) and inc(dec(v)) as v are used in the verification of this property. Table 1 shows the CPU time and the memory used in building the composite machine and checking the simplified property regarding the signal Flag on the composite machine. The experiment was carried out on a SPARC Station 20 with 128 MB of memory.
Property checking using VIS
Besides the ASM-based verification experiments, we also verified the same set of properties using VIS [25] . The same ITC behaviour model was recoded in a subset of Verilog HDL, accepted by VIS. However, since VIS is based on finite state machines, the counters tc and ic are now assigned concrete values which indicate the maximum number of cars that are allowed in the tunnel and on the island. We developed models according to the number of register bits used for the counters. For example, if 4 bits are used to describe ic (tc), then the maximum of 16 cars are allowed on the island (in the tunnel). It takes 65 transition steps to compute all the reachable states when 4 bit counters are used. From Table 2 , we can see that the number of transition steps increases when the counter width increases. The properties were described in CTL as follows:
Property 2. G(!((ic_minus = 1 * ic_plus = 1))); 
Property 4. G( !((itc+ = 1) * (mtc− = 1)) ); Table 2 shows the CPU time and the memory used for verifying all the four properties on models with different counter widths. We also indicate the number of transition steps needed for the state exploration and the number of reachable states for the different models. The experiment was also carried out on a SPARC Station 20 with 128 MB of memory.
Discussion
From the experimental results shown in Tables 1 and 2 , we can see that the MDG-based model checking can verify a parameterized implementation having n bits, and it does so very efficiently and independently of the datapath width. That is exactly the purpose behind the development of the ASM-based model checking methods. On the other hand, using the ROBDD-based tool VIS, the number of transition steps needed for state exploration and the number of states get doubled, and the resource usage (CPU time and memory) for the property verification increases exponentially with the counter width.
Verification of properties of an abstract counter
In this section, we use the MDG-based model checker to verify both safety and liveness properties on a small design: an abstract counter which was introduced in [12] . The abstract counter was used in [12] as an example to show how formulas in GTL can be used to describe state transitions and to specify design properties. Figure 6 shows the state transition graph of the counter. There are four control states: c_Fetch, c_Load, c_Inc1 and c_Inc2. Depending on the input, the counter pc will get a new value, or increase by one, or keep the previous value.
Property checking using the MDG package
To use our model checker, we first describe the behaviour of the counter using the MDG-HDL language. The counter pc is of abstract sort. The control state is initialized to c_Fetch, the initial value of pc is a free variable called init_pc (i.e. the initial state is generalized to any value). As the counter variable pc is of abstract sort and implicit enumeration is applied, a set of states represented by DF pc = init_pc and its next states represented by DF pc = finc(init_pc) are viewed as equivalent sets of states by the PbyS algorithm, all the reachable states are computed in three transition steps. The following properties were verified: 
Property 4. From state c_Fetch, the machine will eventually reach state c_Load if the input is not c_No_op or c_Inc1 or c_Inc2 forever. The property is expressed in L MDG as:
under the following fairness constraint: These properties were verified by our model checker using less than one second. Table 3 shows the CPU time in seconds used in building the composite machine and checking the simplified property regarding Flag on the composite machine. The experiment was carried out on a SPARC Station 20 with 128 MB of memory.
Property checking using VIS
To compare the performance of the MDG-based model checker to that of an FSM-based verification tool, and to verify partially the verification results, we carried out the same property verification using VIS. Again, for the counter pc, we have to give its upper bound. We modelled the abstract counter in a subset of Verilog using registers with different width for the counter pc, i.e. registers consisting of 4 bits, 8 bits, 16 bits and 32 bits. On each model, we verified the same set of properties as in Section 6.2.1. The properties for the model with 4 bit pc register are stated in CTL as follows:
Property 3. G(((state = c_fetch) * (input_instruction = c_inc2) * (pc<3> = 0 * pc<2> = 0 * pc<1> = 0 * pc<0> = 0)) → (AX(AX(AX((state = c_fetch) * (pc<3> = 0 * pc<2> = 0 * pc<1> = 1 * pc<0> = 0))))) ); with (pc<3>pc<2>pc<1>pc<0>) ranging over from 0000 to 1111; Table 4 shows the number of transitions it takes for each model to compute all the reachable states, the number of the reachable states, the CPU time and the memory needed to verify Properties 1-4.
Discussion
The statistics shown in Tables 3 and 4 again demonstrate that the MDG-based model checking can verify both safety and liveness properties on a parameterized implementation independent of the datapath width very efficiently. However, from Table 4 , we can see that with the counter width increasing, the number of reachable states increases exponentially, but the number of transition steps needed for state exploration stays the same and the usage of CPU time and memory only increases slightly, which was not the case in the ITC. The reason is that in this particular example, the counter pc is independent of the state transitions, i.e. the state transitions are not gated by the value of pc. Every time when loading in a new value of pc it can take any value within its range, hence, the node pc will not appear in the BDD expression of the sets of states. Therefore, no matter how large the width of pc is, the time and memory usage will not grow significantly. Nevertheless, the MDG-based model checking still outperforms the ROBDD-based model checker in the sense that one ASM model of the Abstract Counter and one set of properties automatically cover all the possible pc widths. Using VIS on the other hand, we have to build separate models and to develop separate sets of properties for pc instances of different widths.
Implementation issues
To check properties expressed in L MDG automatically, we developed programs that (i) check if the signals in a property (except the ordinary variables) are declared in the original circuit description; report any errors; (ii) check the syntax of the property; report any errors; (iii) build additional circuits to represent the Next_let_formulas in the property and the exception conditions if fairness constraints are imposed; (iv) merge the description of the additional circuits with the description of the original circuit, which means adding declarations of components and signals of the additional circuits to the original circuit description file and the variable order file.
The above programs were implemented in C with Yacc & Lex. The model checking algorithms were developed upon the existing MDGs package implemented in Quintus Prolog V3.2.
CONCLUDING REMARKS
We studied model checking for a first-order linear-time temporal logic based on the ASMs. Since a data value is represented by a single variable of abstract type, rather by a vector of Boolean variables, and a data operation is represented by an uninterpreted function symbol, the width of a datapath of a design has no effect on the description model of the design. We can then alleviate the state explosion problem in symbolic model checking caused by a large datapath.
We defined L MDG as the property specification language and developed property checking algorithms for L MDG . Using L MDG , both safety and liveness properties can be expressed with or without fairness constraints. To check a property of L MDG on an ASM M, we first build additional ASMs for all the Next_let_formulas (which contain the temporal operator X) that appear in the property. We then compose the additional ASMs with M, and finally verify a simpler property on the composite machine. We use MDGs to encode sets of states and the transition relations. The property checking procedures are based on implicit state enumeration and are carried out fully automatically. We illustrated the application of our model checker on the ITC and the Abstract Counter benchmarks. The experimental results demonstrate that the MDG-based model checking can verify both safety and liveness properties on parameterized implementations independent of the datapath width very efficiently. Due to space limit, the proof of the correctness of the property checking procedures are not presented in this paper, while it can be found in [20] .
Since we use first-order logic, the reachability analysis may not terminate [26] , thus the property checking may not terminate either. We are currently exploring techniques that can mitigate this problem [27, 28] . We are also applying the MDG-based model checker to verify some industrial scale designs with large data path (most telecommunication circuits happen to fall into this category).
