Abstract—Current statistics attribute up to 75% of the overall design costs of digital hardware and embedded system development to the verification task. In recent years, the trend to augment functional with formal verification tries to alleviate this problem. Efficient property checking algorithms allow automatic verification of middle-sized designs nowadays. However, the steadily increasing design sizes still leave verification the major
I. INTRODUCTION
Gaining confidence in the correctness of digital designs is one of the major tasks in the system design flow. Steadily increasing design sizes make verification a bottleneck in modern design flows of digital hardware and embedded software systems. State of the art verification techniques include traditional simulation on the one end of the spectrum and model checking on the other end. Simulation is applicable to large designs, whereas model checking provides full error coverage of the design with an automatic process. The most noteworthy contribution in this area is bounded model checking (BMC) [1], which is well suited for finding shallow errors in large designs. All these techniques have their own advantages and disadvantages. State space explosion is the major problem in all formal verification tools.
In this paper we deal with invariant checking and its improvement. For invariant checking, all reachable states of the system are calculated and the desired property is checked to hold. In case of failure a counterexample is generated. The computational complexity of property checking is disclosed when large systems are analyzed. Even utilization of BDD based symbolic techniques does not allow the complete analysis of the state space. Though BMC and BDD based bounded property checking reduce this problem considerably by restricting the state space within a bound, sometimes intermediate steps are too huge to handle.
This work is sponsored by the German Research Grant (DFG projects KOMFORT and GRASP).
Our approach can be clearly separated into two parts: first, bounded property checking using symbolic state space traversal and second, dynamic guiding for providing information used during symbolic execution of the system model. The target designs of dynamic guiding are concurrent, multi-module, control intensive protocol FSM designs. In contrast to a classical model checker, our bounded property checker SymC performs one forward image computation at a time, i.e. the current set of states is replaced by the set of states reachable from the current set within one transition. This results in an efficient verification for properties with large time bounds by avoiding fixpoint iterations and reachable state set computations [2].
With dynamic guiding we attempt to reduce the BDD size during symbolic state space traversal. Current guiding techniques are static by nature, i.e. the whole verification environment is specialized for a given property. In [3], [4] the authors either constrain the input or remove the uninteresting parts of the design. In contrast, our approach first extracts structural information from every module of the system design. This per-module information is then used to generate the guiding sequence for the whole product machine for a given property. Thus, the system model is left untouched and can be used for different properties. Only during symbolic execution does the guiding information steer traversal into paths that are more likely to satisfy the checked property. This implies that, given the structural information, a guiding sequence can be generated for any property and used during symbolic execution, hence the name dynamic guiding. In [5] a similar concept is used, but in a totally different verification approach in comparison to our work. The rest of the paper is structured as follows: In the next section we describe our bounded property checker. Thereafter, we detail the dynamic guiding approach. Finally, we conclude and point to ongoing and future work.
II. BOUNDED PROPERTY CHECKING
In [2] we proposed a formal verification technique for time bounded property checking. The technique performs forward image computation for state traversal, a characteristic shared by forward model checking [6]. Experimental results [2] show that this approach outperforms other property checking methods for certain classes of systems and properties.
The input to SymC is a system description given either as a Verilog gatelist or in a simple SMV-like finite state description language. Properties are specified with FLTL [7] or PSL [8] formulas, therefore a tight integration with other property checking tools is provided. The temporal logic formulas are converted to special FSMs, so-called AR-automata [7], which can then be used in the symbolic execution phase. The system description is translated into a finite state system encoded with BDDs. During the symbolic execution we observe the state of our properties and we report success or failure to the user. Figure 1 shows the structure of SymC. The dashed components constitute the new guiding unit and will be described in Section III. The following algorithm sketches the core of the execution engine for one AR-automaton. The algorithm can be extended to multiple AR-automata.
//Build product state of the system and the AR-Automaton.
The tool includes a number of optimization techniques. One of them partitions the current state set upon reaching a threshold size. Then, the partition sets are explored sequentially. If a property's AR-automaton reaches either the accept or reject state, exploration of the remaining sets can be skipped, saving time and space. The first version of SymC partitions the state set randomly. At this point, we introduce dynamic guiding in order to select partitions that will make termination of the symbolic execution more likely based on information extracted from both the design and the property. Notice that the guiding unit does not interfere with other optimizations present in SymC.
III. DYNAMIC GUIDING
We identify guiding of a symbolic state space traversal with the information provided for steering the direction of traversal into the interesting state space. An interesting state in our context can be defined as a state which satisfies a property that is expected to hold in at least one path from the initial state (existential). If the property has to hold in all paths from the initial state (universal), then we look for states that falsify the property. Steering the traversal into interesting states implies that we aim at reducing the intermediate memory and the time to verify a property. The goal of our approach is to get a guiding mechanism for different properties for the same initial condition of the design, without changing the verification setup. These requirements force the guiding mechanism to have information about the design. The following elaborations rely on the deterministic FSM (D-FSM) formalism.
This restriction of image computation is the key point of guiding in our approach. In order to realize this guiding mechanism, we have to decide on the exact time step for guiding and the specific assertions at that time point. For effective guiding of arbitrary properties, the guiding mechanism should generate assertions to be applied at all time steps during image computation. Typically, SymC traverses the FSM of the system model from the initial state at time point zero and continues until the maximum time bound of the property is reached. This unveils that the guiding mechanism needs a sequence of input symbols from time point zero until the maximum bound in the property in order to guide the tool to the interesting state. The sequence that is to be generated by the guiding mechanism always has to be one of the words accepted by L(A). Such a sequence can be generated using abstract information from the design. In our context abstract information means the regular structure of the language L(A).
This regular structure is represented in the form of regular expressions (REs), as this is the standard and compact way of representing languages. A RE is a string that describes a language according to certain syntax rules.
Definition 3: A RE consists of constants and operators that denote sets of strings and operations over these sets, respectively. Given a finite alphabet Σ, the following constants are defined: (empty set) ∅ denoting the set ∅, (empty string) ε denoting the set {ε}, and (literal character) a ∈ Σ denoting the set {a}; as well as the following operations: (concatenation) RS denoting the set {αβ | α ∈ R and β ∈ S}, (set union) R ∪ S denoting the set union of R and S, (Kleene star) R* denoting the smallest superset of R that contains ε and is closed under string concatenation.
IV. EXTRACTION OF REGULAR EXPRESSIONS AND GUIDING SEQUENCES
We will now describe how REs are generated from the input FSMs, and how these are used to generate guiding sequences for the automatic guiding process.
A. Extraction of Regular Expressions
The state elimination method is a standard algorithm in automata theory to convert a D-FSM into a RE [9]. The actual state elimination method generates a RE that is equivalent to a given FSM. This RE represents all words accepted by L(A) (see Definition 2). But we are interested only in the regular structure of the accepted language. So we use a variant of the state elimination method. Figure 2 depicts
In other words, if we have more than one initial state, the procedure has to loop for every single initial state and join the results by union. R is then used to extract the sequence for the property. The RE extracted from the small example in Figure 3 with s1 as initial state is shown below:
(¬req)* ∪ req (wait)* lwait ack
B. Extraction of Guiding Sequences
This section focuses on the extraction of a guiding sequence from the system's RE R tailored for the given properties.
Presently we handle only FLTL formulas of the form A and A → B, where A and B are FLTL formulas. The FLTL property that is to be verified can be viewed as a discrete representation of the guiding sequence in a special syntax. In principle, verification of a FLTL formula is finding a sequence (word) accepted by the design's FSM that can satisfy the discrete conditions. Such a word is the guiding sequence in our case. For obvious reasons we do bottom-up searching to form the guiding sequence out of the REs for the property. The REs resemble all the possible regular structures of the language accepted by the FSM. This is the key point in our sequence generation approach. With a bottom-up search the symbols of the commitment formula B are first located in R. Then, all possible predecessor symbols from that particular RE are collected at each time point. This process is carried out from the maximum time bound back to time point zero. The ordered collection of symbols from the maximum time bound to time point zero forms the set of possible guiding sequences. The sequences that are generated can be restricted by the condition of the assumption and the temporal operators of FLTL.
The following algorithm sketches the core of the sequence generation engine. Here k is the maximal time bound in the property, c is the commitment signal, a is the assumption signal, and bound is the time bound of the property. In a bottom-up search we first locate ack, then we search for all possible predecessor symbols of ack. In this example only lwait can occur. Then, we locate the predecessor symbols of lwait, which are either req or wait, and so on. This information is stored in a map as follows: Now the timing condition is checked, where the property instructs that req should be at time point 0 and ack should be at time point 2. Considering that the sequence elements start from time point 0, the valid sequence as per the condition is Seqlteircel, which in turn will be used for dynamic guiding.
For example, if SymC requires guiding at time point 2, the dynamic guiding will assert signal lwait in order to guide to the success state.
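The bottom-up search of this section, worked on the RE extracted from Figure 3, as an added example that is neither SymC's code nor the paper's algorithm: the RE is given as a binary AST of ('sym', name), ('cat', R, S), ('alt', R, S) and ('star', R) nodes (an assumed encoding), predecessor symbols are read off the RE's FOLLOW relation (Glushkov construction), and the candidate words are filtered by the property's timing condition, assumption at time 0 and commitment at time k. The symbol name nreq stands for ¬req.

```python
# Added example, not SymC's code: Glushkov FIRST/LAST/FOLLOW sets of an RE AST,
# then the bottom-up predecessor search from the commitment at time k to time 0.
def analyse(node, pos):
    """Return (nullable, first, last, follow) over positions; pos collects symbols."""
    kind = node[0]
    if kind == 'sym':                       # leaf: a new position
        pos.append(node[1])
        return False, {len(pos) - 1}, {len(pos) - 1}, {}
    if kind == 'star':                      # R*: last positions may loop to first
        _, f, l, fol = analyse(node[1], pos)
        for p in l:
            fol.setdefault(p, set()).update(f)
        return True, f, l, fol
    n1, f1, l1, fol = analyse(node[1], pos)
    n2, f2, l2, fol2 = analyse(node[2], pos)
    fol.update(fol2)                        # position sets are disjoint
    if kind == 'alt':                       # R U S
        return n1 or n2, f1 | f2, l1 | l2, fol
    for p in l1:                            # 'cat': RS, last(R) followed by first(S)
        fol.setdefault(p, set()).update(f2)
    return n1 and n2, f1 | f2 if n1 else f1, l1 | l2 if n2 else l2, fol

def guiding_sequences(re_ast, assumption, commitment, k):
    """Words of length k+1 with the assumption at time 0 and the commitment at time k."""
    pos = []
    _, first, _, follow = analyse(re_ast, pos)
    pred = {}                               # inverted follow relation
    for p, succs in follow.items():
        for q in succs:
            pred.setdefault(q, set()).add(p)
    layers = [set() for _ in range(k + 1)]  # layers[t]: candidate positions at time t
    layers[k] = {i for i, s in enumerate(pos) if s == commitment}
    for t in range(k, 0, -1):               # bottom-up: predecessors per time point
        for q in layers[t]:
            layers[t - 1] |= pred.get(q, set())
    def walk(path):                         # forward re-check of the follow relation
        t = len(path)
        if t == k + 1:
            yield [pos[p] for p in path]
            return
        for q in (layers[0] & first) if t == 0 else layers[t]:
            if t == 0 or q in follow.get(path[-1], set()):
                yield from walk(path + [q])
    return [w for w in walk([]) if w[0] == assumption and w[k] == commitment]

# Constructed RE (nreq)* U req (wait)* lwait ack for the Figure 3 FSM; nreq stands for -req
EXAMPLE_RE = ('alt', ('star', ('sym', 'nreq')),
              ('cat', ('cat', ('cat', ('sym', 'req'), ('star', ('sym', 'wait'))),
                      ('sym', 'lwait')), ('sym', 'ack')))
print(guiding_sequences(EXAMPLE_RE, 'req', 'ack', 2))  # [['req', 'lwait', 'ack']]
```

With the bound raised to 3 the same search yields req wait lwait ack, and with bound 1 no word of L(A) satisfies the timing condition, so no guiding sequence is produced.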
V. EXPERIMENTAL RESULTS
To examine the benefits and the limitations of our ideas, we conducted experiments with our prototype tool on single and multi-module systems. The results were promising for multi-module designs, in which every module is of relatively small size but the state space blows up when the product machine is built. Apparently, it was not so convincing for large single-module designs. To show the benefits of our idea, we presently consider a wireless protocol design, which is restricted to six modules modeling only the connection establishment of the priority flows. Figure 4 shows the BDD size difference for three environments: a) guiding at every time step, b) guiding only if the BDD size is larger than a threshold value, and c) without guiding. The BDD size in the graph is normalized to 1. The graph highlights the fact that our approach reduces the intermediate BDD size, which in turn helps the verification tool to handle designs more efficiently.
VI. CONCLUSIONS
We presented a technique for guiding forward state space traversal in a BDD based bounded property checker. It can dynamically guide the traversal for any property with similar initial conditions. This is due to the fact that we extract abstract guiding information out of the real design in a discrete manner. Our tool is successfully tested with some examples. Future work focuses on extending our prototype tool to handle a wider variety of standard designs.
