Abstract. The LTL model checker that we use provides sound decomposition mechanisms within a purely model checking environment. We have exploited these mechanisms to successfully verify a wide spectrum of large and complex circuits. This paper describes a variety of the decomposition techniques that we have used as part of a large industrial formal verification effort on the Intel Pentium® 4 (Willamette) processor.
Introduction
One of the characteristics that distinguishes industrial formal verification from that done in academia is that industry often works on large, complex circuits described at the register transfer level (RTL). In comparison, academic work usually verifies either small RTL circuits or high-level abstractions of complex circuits. Academia remains the primary driving force in the development of new verification algorithms, and many of these advances have been successfully transferred from academia to industry [7, 6, 12, 4, 15, 16, 9, 2, 18]. However, improving the strategies for applying these algorithms in industry requires exposure to circuits of a size and complexity that are rarely available to academics.
An important task in continuing the spread of formal verification in industry is to document and promulgate techniques for applying formal verification tools. In this paper we describe a variety of decomposition strategies that we have used as part of the formal verification project for the Intel Pentium® 4 (Willamette) processor. This paper focuses on strategies taken from verifying two different implementations of queues and a floating-point adder.
The verification tool we use is an LTL model checker developed at Intel that supports a variety of abstraction and decomposition techniques [14, 15]. Our strategies should be generally applicable to most model-checking-based verification tools. In theory, the techniques are also applicable to theorem proving. But, because the capacity limitations of model checking and theorem proving are so different, a strategy that is effective in reducing the size of a model checking task might not be the best way to reduce the size of the problem for theorem proving.
- hierarchical model checking enables a wide variety of decomposition techniques
- techniques:
  - symmetry in behavior
  - multiple verification runs of the ''same'' property on different parts of the circuit
  - due to optimizations, parts can have identical behavior (for legal inputs) but different structure
  - structural decomposition of circuit and spec
  - propagation of assumptions
Overview
In this section we give a high-level view of LTL model checking and provide some intuition about how the model checker works, while keeping our focus on the applications rather than the model checker itself: this paper is about the application of decomposition techniques, not about the model checking algorithms underlying the decomposition.
Figure 1. LTL model checking is done by converting the specification (which is an LTL formula) to a tableau and a CTL formula. The tableau is an automaton that recognizes traces that satisfy the LTL formula. The CTL formula checks that the tableau never fails. The verification run computes the product machine of the tableau and the implementation and checks that the product machine satisfies the CTL formula [8].
Because specifications are converted into automata, and model checking verifies automata against temporal formulas, specifications can themselves be verified against higher-level specifications. Figure 2 shows an implementation that is verified against a middle-level specification, which, in turn, is verified against a high-level specification.
We now step through a simple example of hierarchical decomposition, using the circuit pri shown in Figure 3. The circuit pri takes three inputs (i0, i1, and i2) and outputs a 1 on the highest priority output line whose input was a 1. We model combinational logic as having zero delay and flip-flops as having unit delay. We draw flip-flops as rectangles with small triangles at the bottom.
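As an added illustration, not code from the paper or from Intel's model checker, the following Python models a three-input priority circuit in the spirit of pri (zero-delay combinational logic feeding unit-delay flip-flops on the outputs) and explores the product of that circuit with a hand-written monitor automaton, which plays the role that the tableau plays in Figure 1. Everything not stated on the page is an assumption: the priority order (i0 highest, i2 lowest), the registered outputs, the specific properties checked, and the deliberately broken variant; Figure 3 itself is not reproduced here.

```python
from collections import deque
from itertools import product

# Every assignment to the three inputs (i0, i1, i2); inputs are unconstrained.
INPUTS = list(product((0, 1), repeat=3))


def pri_logic(i0, i1, i2):
    """Zero-delay priority logic. Assumption: i0 has the highest priority."""
    return (i0, int(i1 and not i0), int(i2 and not i0 and not i1))


def pri_logic_buggy(i0, i1, i2):
    """Constructed faulty variant: the o1 path forgets to mask i0."""
    return (i0, i1, int(i2 and not i0 and not i1))


# Monitor automaton states. The monitor observes the inputs of the current
# cycle and the registered outputs of the current cycle (which are the
# combinational results of the previous cycle, one flip-flop delay later).
IDLE, PENDING, FAIL = "idle", "pending", "fail"


def make_monitor(in_idx, out_idx):
    """Monitor for the LTL property G(i_k -> X o_k): whenever input k is 1,
    output k must be 1 in the next cycle. Hand-built stand-in for a tableau."""
    def monitor(state, inputs, outputs):
        if state == PENDING and outputs[out_idx] == 0:
            return FAIL                      # obligation from last cycle broken
        return PENDING if inputs[in_idx] else IDLE
    return monitor


def at_most_one_hot(outputs):
    """Invariant: a priority encoder never asserts two outputs at once."""
    return sum(outputs) <= 1


def model_check(logic, monitor, invariant):
    """Breadth-first reachability over the product of the registered circuit
    and the monitor. Returns None if no violation is reachable, otherwise the
    shortest input sequence leading to one (the counterexample)."""
    init = ((0, 0, 0), IDLE)                 # flip-flops reset to 0, monitor idle
    seen = {init}
    queue = deque([(init, ())])
    while queue:
        (regs, mon), trace = queue.popleft()
        if mon == FAIL or not invariant(regs):
            return list(trace)
        for inputs in INPUTS:                # inputs are chosen nondeterministically
            nxt = (logic(*inputs), monitor(mon, inputs, regs))
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + (inputs,)))
    return None


if __name__ == "__main__":
    print(model_check(pri_logic, make_monitor(0, 0), at_most_one_hot))        # None: holds
    print(model_check(pri_logic_buggy, make_monitor(0, 0), at_most_one_hot))  # invariant broken
    print(model_check(pri_logic, make_monitor(1, 1), at_most_one_hot))        # spec too strong
```

The third run shows a point the paper's hierarchy relies on: a property can fail because the specification is wrong rather than the circuit. G(i1 -> X o1) is not a valid expectation of a priority encoder, since i0 may mask i1, and the returned input sequence exhibits exactly that masking. The explicit state enumeration here is only workable because the product has a handful of states; it stands in for the symbolic product-machine computation of Figure 1, not for the tool's algorithm.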
