Abstract: In bounded model checking (BMC)-based verification flows, a lack of reachability constraints often leads to false negatives. At present, it is the daily practice of a verification engineer to identify the missing reachability constraints by manually inspecting the design code and by analyzing counterexamples. This, unfortunately, requires a lot of effort and is prone to errors. We propose an algorithm to determine reachability constraints automatically. The proposed approach applies to a design style in which the operation of the design is controlled by a main FSM that can easily be extracted from the RTL description of the circuit. The algorithm decomposes and analyzes the state space of the circuit by considering transitions of the main FSM. Experimental results show that the proposed method can considerably reduce the manual work of verification engineers.
I. INTRODUCTION

A. Reachability constraints in a BMC-based verification flow
In recent years, bounded model checking (BMC) [1] has been used successfully to formally verify large industrial designs. In the BMC-based verification flow, a sequential circuit is unrolled for a finite number of time frames and is then translated, together with a property, into a SAT instance. In practice, the property is not always checked from the set of initial states as in [1]. Instead of the general AG property, the practical property typically specifies a set of starting states, a set of stopping states and input/output conditions. The property is used to prove the correct execution of a certain operation by the circuit. Whenever the circuit starts in one of the starting states and goes through a sequence of states under the input conditions, it should stop in one of the stopping states and fulfill the output conditions¹. A simple example of such a property is
where n is a small number. The sets of starting {state = idle} and stopping {state = ready} states used in the property should be reachable from the initial states of the circuit; otherwise the check may produce a false negative. For example, the circuit checked by the property in Equation 1 may use a counter cnt to keep track of time; it transfers to state ready iff cnt = n. Therefore, the property will fail because it does not specify the value of the counter. For example, one false counterexample is that (state = idle ∧ cnt = 1) leads to (state = ready ∧ output = ack) after n − 1 cycles but not after n cycles. The property holds if the condition cnt = 0 is added to the starting state idle of the property, e.g.:
(state = idle ∧ cnt = 0 ∧ input = req) → AX^n (state = ready ∧ output = ack)
¹ The property is similar to a property in a Symbolic Trajectory Evaluation (STE)-based verification flow [2]. Although we focus here on the BMC-based flow, the proposed method can be applied to the STE-based verification flow as well.
Reachability constraints such as the correspondence between state and cnt in the example are necessary to avoid false negatives when properties are proven. They are currently determined manually by inspecting the design code and by analyzing counterexamples. Note that the validity of manually found reachability constraints such as the invariant AG(state = idle → cnt = 0) in the example must be proven as well. In practice, they are included in the set of properties.
In this paper, we consider a certain design style that is often used to implement protocols and other specifications consisting of many FSMs. We assume that the behavior of the design is controlled by a main FSM that interacts with a hierarchy of sub-FSMs.
In the conventional verification flow, shown as the non-shaded part in Figure 1, the verification engineer writes properties based on the main FSM of the design. Note that there exist commercial tools to automatically extract the main FSM from the source code of a design. The properties specify functional operations of the design corresponding to a sequence of states of the main FSM (main states). The sets of starting and stopping states of the properties are related to main states. Initially, reachability constraints involving the other state variables, which belong to the sub-FSMs, are not specified in the properties. Thus, the properties often fail because of false negatives when checked by a property checking method. The verification engineer needs to extend the analysis to the behavior of the sub-FSMs in order to identify reachability constraints and to update the properties. This, unfortunately, requires a lot of effort and is prone to errors.
In this paper, we propose a technique to identify the reachability constraints automatically. Our algorithm and its output are shown as the shaded part in Figure 1. In order to provide the verification engineer with additional reachability constraints, the algorithm analyzes the circuit using the information of the main FSM. These additional constraints help to eliminate false negatives. This means that the verification engineer only needs to focus on the main FSM, which is usually fairly small. In this way, the number of false negatives as well as the effort of inspecting the code and of updating properties later are reduced dramatically. Moreover, in contrast to manually found reachability constraints, the constraints derived by the proposed method are automatically proven to be valid.
B. Related work
The problem of state space explosion in model checking may be avoided by decomposing the characteristic functions of the state set and the transition relation into partitions. In [3], [4], [5] the characteristic function of the transition relation is considered as a conjunction of partitioned functions and is manipulated using an early quantification operation. In other approaches, the state set and the transition relation are decomposed as a disjunction of the characteristic functions, which are manipulated separately [6], [7], [8], [9]. In [10], [11], [12] the transition function is decomposed as a disjunction by means of input and output splitting. The combination of disjunctive and conjunctive decomposition is proposed in [13].
Cho et al. presented an approximate FSM traversal method based on state space decomposition [14]. Their basic idea is to partition the circuit into several sub-FSMs and to perform a symbolic traversal for each individual sub-FSM. There are two classes of approximate traversal algorithms in [14]: Machine By Machine (MBM) and Frame By Frame (FBF). The latter has two variants called Reached FBF (RFBF) and To FBF (TFBF). In [15], Cho et al. proposed methods to automatically determine good partitions of the circuit. Another method to partition the circuit using overlapping projections was presented in [16]. In [17], extensions were made to improve the convergence of the RFBF algorithm by proposing the Least fixpoint Machine By Machine (LMBM) algorithm.
Another thread of research related to our work is Generalized Symbolic Trajectory Evaluation (GSTE). Here the property under verification is specified as an assertion graph, which is used for decomposing the problem [18], [19], [20], [21]. As highlighted in [19], the GSTE algorithm decomposes the set of states satisfying the property using the assertion graph.
C. Contribution
Whereas the previous works aim at calculating or approximating the reachable states for the whole circuit, our goal is to identify reachability constraints in relation to the main states of the circuit, which are necessary to write properties in a BMC-based verification flow. This is done by calculating the sets of reachable states corresponding to main states.
In our method, the state space is decomposed into sets of states corresponding to main states. The sets of reachable states are calculated exactly by considering state transitions in the main FSM (main transitions). Using the main FSM to guide the decomposition procedure clearly distinguishes our method from the previous decomposition methods.
Although the core algorithm in GSTE [18] looks very similar to our FSM traversal algorithm, there are subtle (but important) differences. In GSTE, the state space satisfying the property is decomposed based on state predicates called antecedents being associated with the edges of the assertion graph. In our algorithm, not only the state space but also the transition relation is decomposed, and this decomposition is performed with respect to individual transitions in the main FSM. Whereas GSTE carries out conventional (unconstrained) image computation for a given intermediate subset of states, the proposed algorithm performs image computation constrained to single transitions in the main FSM. This can significantly reduce the computational complexity. The algorithm proposed in this paper is therefore named Transition By Transition (TBT) FSM traversal.
Another important difference is that TBT traversal can be applied as a pre-processing phase to the complete design. Unlike GSTE, it is not restricted to being driven by the property. Since the main FSM covers the complete state space of the design, TBT traversal performs a complete reachability analysis.
To avoid the explosion problem of exact reachability computation we develop a new approximation technique that partitions the design into sub-FSMs using the information of the main FSM. Each sub-FSM is traversed individually in combination with the main FSM using our TBT algorithm. The traversed FSMs in our algorithm are not disjoint partitions as in [15] but they share the same main state variables. Also, they are not similar to overlapping projections as in [16] because our shared state variables are given exactly and are the same for all traversed sub-FSMs.
Finally, we use SAT techniques instead of BDD techniques to approximate the set of states.
D. Preliminaries
Let C be a sequential circuit with a set of primary inputs
We can consider the set of state variables as a vector. A circuit C is modeled as an encoded finite state machine
B^n is the input alphabet, encoded by the primary inputs X, where B = {0, 1}. S ⊆ B^m is the set of states encoded by the state variables. The set S_0 ⊆ S is the set of initial states. ∆ :
The boolean vector of the values of the state variables in U for state s is denoted by s(U). Let δ_U = (δ_j | v_j ∈ U) be the boolean functional vector of next-state functions for the state variables in U. The state transition graph (STG) of an FSM is a graph whose vertices are given by the set of states S, whose source vertices correspond to the set of initial states S_0, and whose edges are given by the transition relation R ⊆ S × S. The characteristic function of the transition relation is defined as
The set of next states of a set of states From ⊆ S is calculated by the operation img, defined as
II. DECOMPOSING THE STATE SPACE BY THE MAIN FSM
As mentioned, we assume a certain design style in which the overall behavior of the design is controlled by a main FSM. The finite state machine of the circuit C can be viewed as the product machine of all FSMs in C, including the main FSM. The main FSM is encoded by a sub-vector V̂
Definition 1: The STG of the main FSM of the circuit is a tuple (Ŝ, Ŝ_0, R̂) where
In other words, the tuple (Ŝ, Ŝ_0, R̂) describes the behavior of the isolated main FSM. All other FSMs are abstracted away. The states in Ŝ are encoded solely by the state variables belonging to the main FSM, such that an encoded main state is a sub-vector of the entire state vector V.
The main FSM of the circuit can be easily extracted from the RTL description. Note that the extraction technique must yield a main FSM conforming to Definition 1, i.e., all main states must be identified and no state may be missed. Since the main FSM is very small, in practice this is easy to guarantee². Whenever the main FSM is in one of its states, the other FSMs in the circuit may be in one of many different states. Each single state of the main FSM therefore corresponds to a set of states of the complete circuit C:
Definition 2: Let ŝ ∈ Ŝ be a main state of a circuit C. The set of states corresponding to ŝ is S_ŝ = {s ∈ S | s(V̂) = ŝ}.
In the same way, we can describe the transitions of the complete design C in terms of transitions of the main FSM. When the main FSM moves from one of its states, ŝ_1, to another state, ŝ_2, the circuit C correspondingly moves from a state in S_{ŝ1} to a state in S_{ŝ2}. If we consider all possible transitions between such states corresponding to ŝ_1 and ŝ_2, we can define the design's transition relation corresponding to a transition of the main FSM:
Given this definition of the transition relation R_{ŝ1→ŝ2}, we can define image computation corresponding to a transition ŝ_1 → ŝ_2 of the main FSM.
Definition 4: Let (ŝ_1, ŝ_2) ∈ R̂ be a main transition of a circuit C. The constrained img operation corresponding to
The following two lemmas show how the state transition graph of a circuit C can be explored based on single transitions of the main finite state machine in the design. (From_{ŝ1})). From (i) and (ii), the lemma is proven.
By Lemma 2, the next states of a set of states corresponding to a main state can be calculated using the constrained img operation for every outgoing transition of the corresponding main state. This is the basis of our transition-by-transition FSM traversal algorithm. Note that TBT traversal not only creates a partition of the state set but also disjointly partitions the transition relation of the design. This is important to make the proposed approach practical for large circuits.
The algorithm in Figure 2 calculates the reachable states of a circuit by decomposing the state space and the transition relation based on the main FSM. Procedure TBT_TRAVERSAL (transition by transition) takes the transition relation, the set of initial states and the main FSM of the circuit as inputs. It returns the sets of reachable states corresponding to the main states.
At the beginning, the sets of states corresponding to the main states are empty, except for the sets corresponding to the initial main states, which contain the given initial states. A queue is used to keep track of the main states that need to be processed next. Initially, the queue contains the initial main states. A main state ŝ is added to the queue if and only if its corresponding set of states changes; in this case, the sets of states corresponding to the next states of ŝ have to be recalculated. For a main state ŝ taken from the queue, the algorithm considers all its next states ŝ'. The set of states S_{ŝ→ŝ'} corresponding to a transition (ŝ → ŝ') is calculated by the constrained img operation. The set of states S_{ŝ'} corresponding to main state ŝ' is extended by S_{ŝ→ŝ'}. If this actually adds any new states to S_{ŝ'}, then ŝ' is entered into the queue. When the queue is empty, the sets of states corresponding to the main states no longer change and the algorithm terminates. Note that procedure TBT_TRAVERSAL implements a fixed-point calculation for the sets of reachable states corresponding to the main states.
The algorithm is illustrated in Figure 3, where the main FSM of the circuit consists of four main states ŝ_0 … ŝ_3. We want to calculate the sets of states S_{ŝ0} … S_{ŝ3} corresponding to the main states. At the beginning, in Figure 3(a), the set of states S_{ŝ0} contains the initial state s_0. The other sets of states are empty and the queue consists of ŝ_0. Next, in Figure 3(b), main state ŝ_0 is removed from the queue. The algorithm calculates the sets of states S_{0→1} and S_{0→2} corresponding to the outgoing transitions ŝ_0 → ŝ_1 and ŝ_0 → ŝ_2 of ŝ_0 by the constrained img operation. S_{0→1} and S_{0→2} are united with the old S_{ŝ1} and S_{ŝ2}, respectively, to obtain the new S_{ŝ1} and S_{ŝ2}. Because S_{ŝ1} and S_{ŝ2} change, the main states ŝ_1 and ŝ_2 are added to the queue. In Figure 3(c), ŝ_1 and ŝ_2 are removed from the queue. Similarly, the sets of states S_{1→3} and S_{2→3} corresponding to the outgoing transitions ŝ_1 → ŝ_3 and ŝ_2 → ŝ_3 are calculated. S_{1→3} and S_{2→3} are added to S_{ŝ3}. Because S_{ŝ3} changes, we add ŝ_3 to the queue. In Figure 3(d), we remove ŝ_3 from the queue and calculate S_{3→0} corresponding to the transition ŝ_3 → ŝ_0. S_{3→0} is then added to the old S_{ŝ0} to obtain the new S_{ŝ0}. Let us assume that S_{ŝ0} does not change because S_{3→0} does not contain any new states. Therefore, ŝ_0 is not entered into the queue. Now, because the queue is empty, the algorithm terminates.
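The following Python program is an added example and not code from the paper: it implements the TBT_TRAVERSAL fixed-point procedure of Figure 2 on a constructed circuit whose main FSM has the shape used in Figure 3 (ŝ0 → ŝ1, ŝ0 → ŝ2, ŝ1 → ŝ3, ŝ2 → ŝ3, ŝ3 → ŝ0). The state vector, the next-state function `delta`, the input alphabet and the initial state are assumptions made for the example; sets of states are kept explicitly rather than as CNFs, so the constrained img operation is a direct filter over the transitions whose main-state projection is ŝ1 → ŝ2. The final `constant_vars` step mirrors how the experiments later derive reachability constraints: a state variable that holds a single value on every state of S_ŝ is a constraint for main state ŝ.

```python
from collections import deque

# Constructed example circuit (not from the paper). The state vector is
# V = (m1, m0, c1, c0): the main FSM is encoded by V̂ = (m1, m0), a two-bit
# counter by (c1, c0). There is one primary input x.
MAIN_VARS = (0, 1)
INPUTS = (0, 1)
INIT = {(0, 0, 0, 0)}

# R̂: the main FSM with the shape of Figure 3
MAIN_FSM = {
    (0, 0): [(0, 1), (1, 0)],   # ŝ0 -> ŝ1, ŝ0 -> ŝ2
    (0, 1): [(1, 1)],           # ŝ1 -> ŝ3
    (1, 0): [(1, 1)],           # ŝ2 -> ŝ3
    (1, 1): [(0, 0)],           # ŝ3 -> ŝ0
}


def main_state(s):
    """s(V̂): project a full state onto the main state variables."""
    return tuple(s[i] for i in MAIN_VARS)


def delta(s, x):
    """Next-state function of the constructed circuit (an assumption of the example)."""
    m, c = main_state(s), s[2] * 2 + s[3]
    if m == (0, 0):                 # ŝ0: branch on the input, clear the counter
        nm, nc = ((0, 1) if x else (1, 0)), 0
    elif m == (0, 1):               # ŝ1: load 1
        nm, nc = (1, 1), 1
    elif m == (1, 0):               # ŝ2: load 2
        nm, nc = (1, 1), 2
    else:                           # ŝ3: back to ŝ0, counter unchanged
        nm, nc = (0, 0), c
    return nm + ((nc >> 1) & 1, nc & 1)


def constrained_img(from_states, s1, s2):
    """img_{ŝ1->ŝ2}(From): successors of From reached while the main FSM moves ŝ1 -> ŝ2."""
    return {delta(s, x)
            for s in from_states if main_state(s) == s1
            for x in INPUTS if main_state(delta(s, x)) == s2}


def tbt_traversal(main_fsm, init):
    """Fixed-point computation of S_ŝ for every main state ŝ, transition by transition."""
    reach = {m: set() for m in main_fsm}
    for s in init:
        reach[main_state(s)].add(s)
    queue = deque(m for m in main_fsm if reach[m])
    queued = set(queue)
    while queue:
        s1 = queue.popleft()
        queued.discard(s1)
        for s2 in main_fsm[s1]:
            new = constrained_img(reach[s1], s1, s2)
            if not new <= reach[s2]:        # S_ŝ2 grew: successors of ŝ2 must be recomputed
                reach[s2] |= new
                if s2 not in queued:
                    queue.append(s2)
                    queued.add(s2)
    return reach


def constant_vars(states):
    """Reachability constraints: state variables holding one value on all states of the set."""
    if not states:
        return {}
    width = len(next(iter(states)))
    return {i: next(iter(vals)) for i in range(width)
            if len(vals := {s[i] for s in states}) == 1}


if __name__ == "__main__":
    for m, states in tbt_traversal(MAIN_FSM, INIT).items():
        print(m, sorted(states), constant_vars(states))
```

Running it reports, for instance, that in main state ŝ1 = (0, 1) the counter is always 00, whereas in ŝ3 it takes two different values; only the former yields an invariant of the form AG(main state = ŝ1 → counter = 0), which is exactly the kind of constraint the introduction adds to the starting state of a property.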
III. DECOMPOSING THE STATE SPACE BY THE SUB-FSMS
A. Partitioning into sub-FSMs
In this section, we present a technique to partition the circuit into sub-FSMs using the information of the main FSM. Given a main transition (ŝ_1, ŝ_2) ∈ R̂, we can approximate the support set of the next-state function δ_j under the constraint of this main transition as illustrated in Figure 4. First, the state values ŝ_1 and ŝ_2 are assigned to the main state variables V̂ and the main next-state variables V̂', respectively. These boolean constraints are then propagated to identify constant nodes in the circuit structure. Next, the support set of δ_j under the constraint of the main transition (ŝ_1, ŝ_2) is approximated by tracing the circuit structure backward from the next-state variable v_j to the inputs or the state variables. The backtracing procedure terminates whenever it reaches a constant node. If the procedure reaches a state variable v_i, it returns v_i as being in the support set of δ_j under the constraint of (ŝ_1, ŝ_2). The constrained support set determined in this way is denoted by supp_{ŝ1→ŝ2}(δ_j) in the following.
Definition 5: Let R̂ be the main transition relation of a circuit C with the next-state function ∆. Let (ŝ_1, ŝ_2) ∈ R̂ be a main transition. The constrained dependency graph of state variables is a directed graph G(V, E) where the set of vertices is given by the set of state variables V. The set of edges E is defined as
where supp_{ŝ1→ŝ2}(δ_j) is the support set of function δ_j under the constraint of the transition (ŝ_1, ŝ_2). The constrained dependency graph is partitioned using a simple algorithm to identify strongly connected components (SCCs). Each SCC corresponds to a sub-FSM. The graph of sub-FSMs is a directed acyclic graph, which can be levelized by a depth-first search algorithm. An example of the hierarchical structure of the circuit after being partitioned is shown in Figure 5. As Figure 5 illustrates, the SCC decomposition guarantees a uni-directional interaction among the sub-FSMs of the circuit. The control information stored in the state variables flows in only one direction, from the lower-level sub-FSMs to the higher-level sub-FSMs. Note that a non-constrained decomposition into SCCs is generally not useful for industrial designs because this type of decomposition will often produce only a single large SCC containing the whole design. If, however, the dependency graph is constrained by the transition of the main FSM, the situation is different and a large number of small SCCs can often be identified.
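As an added illustration (not from the paper), the Python code below builds the constrained dependency graph of Definition 5 for a constructed gate-level netlist and decomposes it into levelized SCCs. The netlist encoding (`var`, `in`, `const`, `not`, `and`, `or`, `mux` nodes), the circuit itself and the edge direction (v_i → v_j whenever v_i ∈ supp_{ŝ1→ŝ2}(δ_j)) are assumptions of the example. It propagates only the constants assigned to the current main state variables V̂ forward through the gates, a simplification of the paper's propagation, which also uses the next-state constraint V̂' = ŝ_2. Unconstrained, the sub-FSM variables of the example collapse into one large SCC; under the main transition with (m1, m0) = (0, 1) they split into four small sub-FSMs on three levels, which is the effect the text describes.

```python
# Constructed netlist (not from the paper). Node forms: ('var', name) current-state
# variable, ('in', name) primary input, ('const', 0|1), ('not', n), ('and', a, b),
# ('or', a, b), ('mux', sel, t, f) meaning "t if sel else f".

def evaluate(node, assign):
    """Constant propagation: 0/1 if the node is constant under assign, else None."""
    kind = node[0]
    if kind == 'const':
        return node[1]
    if kind == 'var':
        return assign.get(node[1])
    if kind == 'in':
        return None
    if kind == 'not':
        v = evaluate(node[1], assign)
        return None if v is None else 1 - v
    if kind in ('and', 'or'):
        vals = [evaluate(c, assign) for c in node[1:]]
        dominant = 0 if kind == 'and' else 1          # a single 0 (1) decides AND (OR)
        if dominant in vals:
            return dominant
        return 1 - dominant if all(v is not None for v in vals) else None
    sel = evaluate(node[1], assign)                    # mux
    if sel is not None:
        return evaluate(node[2] if sel else node[3], assign)
    t, f = evaluate(node[2], assign), evaluate(node[3], assign)
    return t if t is not None and t == f else None


def support(node, assign):
    """Backtrace from δ_j to the state variables it still depends on; stop at constant nodes."""
    if evaluate(node, assign) is not None:
        return set()
    kind = node[0]
    if kind == 'var':
        return {node[1]}
    if kind == 'in':
        return set()
    sel = evaluate(node[1], assign) if kind == 'mux' else None
    if sel is not None:                                # only the selected branch matters
        return support(node[2] if sel else node[3], assign)
    return set().union(*(support(c, assign) for c in node[1:]))


def sccs(graph):
    """Tarjan's algorithm; returns the strongly connected components as frozensets."""
    index, low, stack, on_stack, comps = {}, {}, [], set(), []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in graph[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            comps.append(frozenset(comp))

    for v in sorted(graph):
        if v not in index:
            visit(v)
    return comps


def partition(deltas, assign):
    """Constrained dependency graph -> SCCs (sub-FSMs) -> levels. Returns [(level, vars)]."""
    graph = {v: set() for v in deltas}                 # edge v_i -> v_j iff v_i in supp(δ_j)
    for j, node in deltas.items():
        for i in support(node, assign):
            graph[i].add(j)
    comps = sccs(graph)
    comp_of = {v: c for c in comps for v in c}
    level = {}

    def lvl(c):                                        # 1 + deepest predecessor SCC
        if c not in level:
            preds = {comp_of[i] for j in c for i in graph if j in graph[i]} - {c}
            level[c] = 1 + max((lvl(p) for p in preds), default=0)
        return level[c]

    return sorted((lvl(c), tuple(sorted(c))) for c in comps)


def var(n):
    return ('var', n)


def inp(n):
    return ('in', n)


# Constructed circuit: main FSM variables m1, m0; sub-FSM variables a..e; input x.
DELTAS = {
    'm1': var('m0'),
    'm0': ('and', ('not', var('m1')), inp('x')),
    'a': ('mux', var('m0'), var('b'), var('d')),
    'b': ('and', var('a'), inp('x')),
    'c': ('or', var('c'), var('a')),
    'd': ('mux', var('m1'), var('c'), var('d')),
    'e': ('and', var('c'), ('not', var('e'))),
}

if __name__ == "__main__":
    print("unconstrained:", partition(DELTAS, {}))
    print("ŝ1 = (m1, m0) = (0, 1):", partition(DELTAS, {'m1': 0, 'm0': 1}))
```

Because the main state variables are assigned constants, backtracing stops at them, so they never appear in a constrained support set and end up as isolated vertices; the sub-FSM variables are what the levels order.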
B. Traversing the sub-FSMs
The sub-circuit C_k corresponding to a sub-FSM k and the main FSM is derived from circuit C by removing all state variables v_j ∉ V̂ ∪ V_k. The removed state variables are considered as pseudo inputs. Moreover, the pseudo inputs are constrained by the reachable states of the sub-circuits l < k. Because of the uni-directional communication among sub-FSMs, the next-state functions of a sub-FSM in level k only depend on the state variables in sub-FSMs in levels l < k. Therefore, the characteristic function of the transition relation R_k of the sub-circuit C_k is approximated as
where χ_{Reach_l} is the characteristic function of the reachable states of the sub-circuit C_l. The algorithm in Figure 6 approximates the sets of reachable states corresponding to the main states. Procedure approx_TBT takes the transition relation, the initial states, the main FSM of the circuit and the partitions of state variables {V_k} as input parameters. In the procedure, all sub-FSMs are traversed in the order of their level. For a sub-FSM k, the procedure constrain_R extracts the corresponding sub-circuit C_k from the circuit and imposes constraints representing the reachable states Reach_l on the pseudo inputs. The sub-circuit C_k with the transition relation R_k obtained by procedure constrain_R is then traversed by procedure TBT_TRAVERSAL to calculate its reachable states Reach_k, composed of the sets S^k_ŝ for each main state ŝ. The set of reachable states Reach_k of the sub-circuit C_k is the union of the S^k_ŝ.
Theorem 2: Given a circuit that is partitioned into a main FSM and sub-FSMs as described in Section III-A, and whose sub-FSMs are levelized by their dependencies, procedure approx_TBT exactly calculates the sets of reachable states for all sub-circuits corresponding to sub-FSMs in level 1.
Proof: Consider a sub-FSM k in level 1 and its state variables V_k. Because the sub-FSM k is in level 1, it only depends on state variables in V̂ ∪ V_k. Therefore, the other state variables can be removed without imposing constraints on the corresponding pseudo inputs. The sub-circuit C_k corresponding to sub-FSM k can be considered as an independent circuit with state variables V̂ ∪ V_k and free inputs. According to Theorem 1, procedure TBT_TRAVERSAL exactly calculates all reachable states of the sub-circuit C_k.
IV. IMPLEMENTATION
We implemented our algorithms on top of a SAT solver [22]. The transition relation of the circuit and the sets of states are represented by CNFs of their characteristic functions. The next states in the constrained img operation are enumerated using a SAT solver as follows.
In the following, we represent CNFs as sets of clauses and clauses as disjunctions of literals. Let (ŝ_1, ŝ_2) be a main transition. The transition relation corresponding to (ŝ_1, ŝ_2), defined in Definition 3, is
where C_R is the set of clauses representing the transition relation of circuit C, and l_i, l'_i are literals representing the values of the main state variables in the main states ŝ_1, ŝ_2, respectively. l_i and l'_i are defined by
Fig. 7. img procedure
Procedure img in Figure 7 calculates the next states of the set of states From_{ŝ1} corresponding to a main transition (ŝ_1, ŝ_2). First, a SAT instance C = C_{ŝ1→ŝ2} ∪ C_{From_ŝ1} is built from the transition relation, the main states ŝ_1, ŝ_2 and the set of states From_{ŝ1}. A satisfying assignment A of the SAT instance is then found by a SAT solver. The values of the next-state variables encoding the next state s_2 are extracted from A as a partial assignment. State s_2 is added to the set of next states Next_{ŝ2}. A blocking clause C_P preventing the next-state variables from being reassigned is added to the SAT instance as in [23]. The blocking clause C_P of s_2 is defined by
where l̄_i is the literal representing the inverted value of the next-state variable, i.e.
The SAT instance is solved again to find another assignment.
Solving the SAT instance, we get an assignment of the next-state variables A(v_3, v_4) = 01. Therefore, a next state is s_2 = 01. We add a blocking clause to the SAT instance:
The SAT instance is given to the solver again. However, the solver proves the instance to be unsatisfiable. Consequently, the set of next states corresponding to the main transition (ŝ_1, ŝ_2) is S_{1→3} = {01}.
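Added example, not the paper's implementation: the Python code below builds the SAT instance C_{ŝ1→ŝ2} ∪ C_From for a constructed circuit and runs the enumeration loop of Figure 7 (solve, extract the next-state variables, add the blocking clause C_P, repeat until unsatisfiable) with a toy DPLL solver standing in for the solver [22]. The circuit (an idle/busy main state, a 2-bit counter and a request input x), the Tseitin clause generators and the variable numbering are assumptions of the example; From_ŝ1 is passed directly as a CNF over the current-state variables, and clauses are tuples of DIMACS-style integer literals.

```python
def eq(out, a):
    """Clauses for out <-> a. Literals are DIMACS-style ints: negative means negated."""
    return [(-out, a), (out, -a)]


def eq_and(out, a, b):
    """Clauses for out <-> (a AND b); a and b may themselves be negated literals."""
    return [(-out, a), (-out, b), (out, -a, -b)]


def eq_xor(out, a, b):
    """Clauses for out <-> (a XOR b)."""
    return [(-out, a, b), (-out, -a, -b), (out, -a, b), (out, a, -b)]


# Constructed circuit (not from the paper): main state m (0 = idle, 1 = busy), a 2-bit
# counter (c1, c0) and a request input x. Next state: m' = x; the counter counts up
# while busy and is cleared in idle.  T is a Tseitin node for c1 XOR c0.
M, C1, C0, X, M_N, C1_N, C0_N, T = range(1, 9)
NVARS = 8
CNF_R = (eq(M_N, X)                     # m'  = x
         + eq_and(C0_N, M, -C0)         # c0' = m AND NOT c0
         + eq_xor(T, C1, C0)
         + eq_and(C1_N, M, T))          # c1' = m AND (c1 XOR c0)
MAIN_CUR, MAIN_NEXT = (M,), (M_N,)      # V̂ and V̂'
NEXT_VARS = (M_N, C1_N, C0_N)


def solve(clauses, nvars):
    """Toy DPLL with unit propagation (stand-in for the solver [22]); full assignment or None."""
    def propagate(assign):
        changed = True
        while changed:
            changed = False
            for clause in clauses:
                free, satisfied = [], False
                for lit in clause:
                    val = assign.get(abs(lit))
                    if val is None:
                        free.append(lit)
                    elif (val == 1) == (lit > 0):
                        satisfied = True
                        break
                if satisfied:
                    continue
                if not free:                        # every literal false: conflict
                    return None
                if len(free) == 1:                  # unit clause forces its literal
                    assign[abs(free[0])] = 1 if free[0] > 0 else 0
                    changed = True
        return assign

    def dpll(assign):
        assign = propagate(dict(assign))
        if assign is None:
            return None
        var = next((v for v in range(1, nvars + 1) if v not in assign), None)
        if var is None:
            return assign
        for val in (1, 0):
            result = dpll({**assign, var: val})
            if result is not None:
                return result
        return None

    return dpll({})


def constrained_img(s1, s2, from_cnf):
    """img procedure: enumerate Next_ŝ2, the successors of From_ŝ1 under ŝ1 -> ŝ2."""
    def unit(v, val):
        return (v,) if val else (-v,)

    clauses = list(CNF_R) + list(from_cnf)
    clauses += [unit(v, val) for v, val in zip(MAIN_CUR, s1)]    # l_i : V̂  = ŝ1
    clauses += [unit(v, val) for v, val in zip(MAIN_NEXT, s2)]   # l'_i: V̂' = ŝ2
    next_states = set()
    while True:
        a = solve(clauses, NVARS)
        if a is None:                       # unsatisfiable: all next states enumerated
            break
        state = tuple(a[v] for v in NEXT_VARS)
        next_states.add(state)
        # blocking clause C_P: each next-state literal inverted, so this state cannot recur
        clauses.append(tuple(-v if a[v] else v for v in NEXT_VARS))
    return next_states


if __name__ == "__main__":
    # busy -> busy, From = {busy states whose counter is 01 or 10} (c1 XOR c0 as CNF)
    print(constrained_img((1,), (1,), [(C1, C0), (-C1, -C0)]))
    # idle -> busy, From = all idle states: the counter is always cleared
    print(constrained_img((0,), (1,), []))
```

Each next state is read off as (m', c1', c0'). In the first call the two From states 01 and 10 advance to 10 and 11 and the third solver call returns unsatisfiable, the same stop condition as the 01-only enumeration in the text; in the second call every idle state maps to the single next state (1, 0, 0), which is precisely the kind of constant-valued fact the experiments turn into a reachability constraint.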
V. EXPERIMENTAL RESULT
We conducted experiments on two industrial designs and one public domain design. Table I gives a brief description of the experimental results. The main FSMs of the two industrial designs, the flash memory controller and the AHB master, were extracted automatically from the design code by the commercial tool Debussy®. The main FSM of the public domain design was extracted manually. The number of main states and the number of main transitions are shown in column 2. The last column shows the CPU time our algorithm spent to identify the reachable state sets corresponding to the main states. From these reachable state sets we derived all constant state variables as reachability constraints for our commercial BMC-based verification tool. The number of reachability constraints is shown in column 4. The experiments were performed on an AMD64 PC with a 2.2 GHz clock frequency and 1 GB RAM running SUSE Linux 9.3.
To illustrate the usefulness of the found reachability constraints, we tried to verify the first design, which is a flash memory controller using an AMBA-flavor protocol. 23 properties were written to prove the compliance of the hardware with the protocol specification and the correct execution of all functional operations. The verification engineer spent about one week analyzing the main FSM and writing properties. Unfortunately, all properties failed because of false negatives. Using the conventional verification methodology, it took three more weeks to manually inspect the design code. In order to identify the reachability constraints, not only the main FSM but also some or all sub-FSMs had to be inspected. In the properties, the manually found reachability constraints were then replaced by the reachability constraints generated by the TBT algorithm. All properties could now be proven without false negatives. This means that the proposed approach can completely avoid the effort of manually inspecting the design code and counterexamples.
Table II illustrates the evaluation of the manual effort in comparison with the proposed approach. It shows the number of reachability constraints in some main states. Finding reachability constraints manually is a process of trial and error. Whenever a false negative occurs, the verification engineer needs to inspect the design code and identify reachability constraints to eliminate the false negative. Therefore, the number of manually found reachability constraints in Table II is proportional to the number of false negatives that have occurred and thus to the number of trials which the engineer needed to make. Hence, the number of reachability constraints in column 2 of Table II can approximate the manual verification effort. By contrast, using the proposed approach, reachability constraints are automatically determined in a preprocessing phase.
Similarly, a set of properties was written for the second design to prove the compliance of the hardware with the AHB protocol specification. The experimental results were similar and the verification effort was reduced dramatically.
In addition, to make our experiments more transparent to the reader, let us explain in more detail another experiment conducted on a public domain PCI target block. The PCI target block was extracted from the PCI local bus in [24] . To avoid the explosion problem of the state space the creator of the benchmark has reduced the width of the address/data bus to 3. We re-expanded the width of the address/data bus to 32 bits. This makes the design more realistic. The modified benchmark is no longer feasible for BDD-based approaches.
We wrote a property that checks the turnaround cycle of the PCI protocol. The property states that if the PCI target is in main state idle and the bus command is read, then the next cycle must be the turnaround cycle. This means the PCI target does not drive the bus lines in this cycle [25]. The property is written based on the main states as
A BMC-based property checker failed to prove the property. There are many false counterexamples. One of them is that the values of OE_TRDY, OE_DEVSEL and OE_AD are 1 when the main state is idle. Therefore, to avoid this false negative, the following reachability constraint needed to be added to the property:
(main_state = idle ∧ OE_TRDY = 0 ∧ OE_DEVSEL = 0 ∧ OE_AD = 0)
Instead of identifying these values manually, we performed approx_TBT to automatically identify reachability constraints and added them to the properties. Thus, the property is
The modified property was now proven without any false negative.
VI. DISCUSSION
The paper presents a new approach to automatically determine reachability constraints, which are necessary in a BMC-based verification flow. Our algorithm is based on using information about a main FSM of the circuit, which can be extracted from the design code. Because the properties in the BMC-based verification flow often specify functional operations from one main state to another main state, it is natural to relate the reachability constraints to be found to main states.
In contrast to GSTE, which is a property-driven partitioning algorithm, TBT traversal is circuit-driven. Future work will explore a combined verification methodology in which TBT traversal is applied to both property and design.
Because an approximate algorithm is used, some reachability constraints might be missed and false negatives are not guaranteed to be avoided. Although this did not happen in our practical experiments, in future work an iterative approach is to be developed which analyzes false negatives to merge sub-FSMs and to identify further necessary constraints. Abstraction refinement techniques as in [26], [27] can be applied to find sub-FSMs that need to be merged.
