What lies between design intent coverage and model checking? by Das, Sayantan et al.
What lies between Design Intent Coverage and Model Checking?
Sayantan Das Prasenjit Basu Pallab Dasgupta P.P. Chakrabarti
Department of Computer Science & Engineering
Indian Institute of Technology Kharagpur, India.
Abstract
Practitioners of formal property verification often work
around the capacity limitations of formal verification tools
by breaking down properties into smaller properties that
can be checked on the sub-modules of the parent mod-
ule. To support this methodology, we have developed a for-
mal methodology for verifying whether the decomposition
is indeed sound and complete, that is, whether verifying
the smaller properties on the submodules actually guaran-
tees the original property on the parent module. In prac-
tice, however designers do not write properties for all mod-
ules and thereby our previous methodology was applicable
to selected cases only. In this paper we present new formal
methods that allow us to handle RTL blocks in the analysis.
We believe that the new approach will significantly widen
the scope of the methodology, thereby enabling the valida-
tion engineer to handle much larger designs than admitted
by existing formal verification tools.
1. Introduction
Most leading chip design companies are today seriously
exploring the role of formal property verification (FPV)
within their existing pre-silicon validation flows. Past expe-
rience shows that FPV works very well at the unit level with
modules of modest size, but runs into serious capacity is-
sues when presented with designs of moderate size. The the-
oretical lowerbounds on the complexity of model checking
techniques indicate that the situation is unlikely to improve
significantly, even with the numerous advances that are tak-
ing place with the engineering of the FPV tools. FPV is un-
likely to present us with a push-button solution for property
verification on large designs.
Practitioners of FPV in the industry often find ways out
of the capacity barrier by human ingenuity. If the FPV tool
runs into capacity issues while attempting to check a prop-
erty P , on a module M , they often attempt to prove P on
M by checking local properties on the component submod-
ules of M . In other words, if M consists of submodules
M1, . . . ,Mk, they try to figure out a set of properties, Pi for
each module Mi, such that proving Pi on Mi for each Mi
is sufficient to guarantee P on M . Experience shows that
this methodology usually works well, and enables the val-
idation engineer to handle larger designs than admitted by
the FPV tools.
The main gap in this methodology is the lack of a for-
mal proof that the refinement of the specification P into
P1, . . . , Pk is sound and complete. If the validation en-
gineer’s conjecture is incorrect, then a bug can hide be-
tween P and P1, . . . , Pk. In other words it may be the case
that each individual submodule Mi satisfies its specifica-
tion Pi, but M does not satisfy P . Therefore, in order to
support this methodology we need a formal tool that com-
pares P1, . . . , Pk with P , verifies whether P1, . . . , Pk cov-
ers all behaviors relevant to P , and more importantly shows
the gap between the specifications in a meaningful form.
In an earlier work [3], we presented a methodology
called design intent coverage, for comparing the architec-
tural properties of a design module with the sets of RTL
properties of its submodules. Our tool checks for the exis-
tence of a gap between these specifications and presents the
validation engineer with a set of missing properties that are
sufficient to cover the gap.
RTL
Formal RTL Specs
RTL FPV
New!
Design
Refinement
Architectural Model
Architectural Specs
verification
Design Flow
Validation Flow
Design intent
coverage
Design intent
M2
M3
M1
M1
Specs
M2
Specs
M3
Specs
Figure 1. Design Intent Coverage
While the design intent coverage paradigm has been
well received, there is a serious limitation of the previ-
 
3-9810801-0-6/DATE06 © 2006 EDAA 
 
ous approach. In practice, the sub-modules of a module are
stitched together (interconnected) using some simple logic
(referred to as glue logic). The previous version of our tool
was capable of comparing only temporal logic specifica-
tions (say P and P1, . . . , Pk). Since it did not handle the
glue logic between submodules, it was unable to establish
the proof of coverage in many cases where the validation en-
gineer was actually right. Our goal in this paper is to present
a methodology for handling such RTL logic in the coverage
analysis.
In practice designs will always have some simple blocks
for which validation engineers will not normally write any
formal properties. Typical examples include pre-verified
custom cells. In the proposed approach we will be able to
extract the logic of these blocks into our analysis. The glue
logic between submodules may also be viewed as special
RTL blocks.
The fundamental problem addressed in this paper is
therefore as follows. We are given a property P over the in-
terface of a module M . The FPV tool is unable to verify P
on M due to capacity limitations. The module M has sub-
modules M1, . . . ,Mk. The validation engineer has given us
sets of local properties over some of these modules (say,
M1, . . . ,Mj) and the RTL of the remaining modules (say,
Mj+1, . . . ,Mk). Our task is to verify whether checking the
local properties on M1, . . . ,Mj is sufficient to guarantee
that the module M (consisting of M1, . . . ,Mk) satisfies the
property P , and if not, then to present the gap in terms of
properties that demonstrate the gap.
The intention here is to allow small RTL blocks to be
considered, while we preserve the computational advan-
tage of comparing two formal specifications over the model
checking task of comparing a specification with an imple-
mentation. At one extreme we require the functionality of
M1, . . . ,Mk to be expressed solely in terms of properties
(which is our intent coverage problem), while at the other
extreme we allow M1, . . . ,Mk to be presented as RTL
(which is the model checking problem). The work presented
in this paper is inclined more towards the former, since that
is where the computational advantage lies – albeit at the ex-
pense of the human intervention in writing properties for
M1, . . . ,Mj .
The paper is organized as follows. In Section 2 we for-
malize the problem and present the basis for coverage anal-
ysis. Section 3 presents the notion of a coverage gap and
Section 4 presents the algorithms for presenting the cover-
age gap in a legible form. Section 5 presents the runtimes of
our tool on several industrial designs.
2. The new Intent Coverage Problem
In order to clearly differentiate between the properties
of a module and the specification (properties or RTL) of its
submodules, we will refer to the former as the architectural
specs and the latter as the RTL specs. Therefore the archi-
tectural specs of a module, M , consists of a set,A, of prop-
erties that we wish to prove on that module, but are unable
to do so, due to capacity limitations of the FPV tool. Let
APA be the set of signals over which the properties in A
are defined.
In the original version of the design intent coverage prob-
lem, the RTL specs consisted solely of properties over the
submodules, M1, . . . ,Mk of M . In the new version of the
problem, the RTL specs has two parts, namely a set of prop-
erties, R over some of the submodules and the RTL of the
remaining modules. We shall refer to these remaining mod-
ules as concrete modules. Let APR be the set of signals
over which the properties in R are defined.
Assumption 1 Throughout this paper we assume that
APA ⊆ APR.
Typically this is not a restrictive assumption within the
design hierarchy, since it is generally considered a good
practice for designers at a lower level of the design hier-
archy to inherit the interface signal names from the previ-
ous level of hierarchy.
We define a state as a valuation of the signals at a given
time. A run is an infinite sequence of states over time.
Definition 1 [Coverage Definition: ]
The RTL specification covers the architectural intent iff
there exists no run that refutes one or more properties of the
architectural intent but does not refute any property of the
RTL specification and is consistent with the concrete mod-
ules. 
Our coverage problem is as follows:
• To determine whether the RTL specification covers the
architectural intent, and
• If the answer to the previous question is no, then to
determine a set of additional temporal properties that
represent the coverage gap (that is, these properties to-
gether with the RTL specification succeed in covering
the architectural intent).
The following theorem answers the first question.
Theorem 1 The RTL specification consisting of the prop-
erties R and concrete modules M, covers the architectural
intent A, iff the temporal property ¬A ∧ R is false in M.
Proof: The property ¬A ∧ R represents the set of runs
which refutes the architectural intent but are passed by the
RTL properties. If this property is false inM then these runs
are not present in the complete RTL specification. Hence all
runs passed byR andM are present inA and thus the RTL
specification covers the architectural intent. On the other
hand if ¬A ∧ R is true in M then there exists a run which
is passed by the RTL specification but will be refuted by the
architectural specs and hence the RTL does not cover the
architectural intent.
The theorem shows that the primary coverage question
can be answered by model checking the property ¬A ∧ R
in M. This is feasible when M is a set of small modules.
The following example demonstrates the essence of the cov-
erage problem.
wait
L
L
hit
wait
A
A
A
A
O
A
A
(a) (b)
wait
.
(c)
hit
d1
d1
d2
d2
n1
n1
n2
n2
r1
r2
g1
g1g1
g2
g2
g2
M1
M1
L1
L1PrA
Figure 2. Memory Arbitration Logic(MAL)
0 1 2 3
(a) Cache hit for
(b) Cache miss for
d1
d2
d2
r1
r1
r1
r2
g1
g2
g2
hit
hit
wait
wait
addr
clk
Figure 3. Timing Diagram
Example 1 Fig 2 shows the architecture of a simple Mem-
ory Arbitration Logic(MAL) in the presence of a cache.
There are two request inputs, r1 and r2, for two independent
on-chip requesting modules. The priority arbiter PrA arbi-
trates between r1 and r2 and asserts either n1 or n2 in the
next cycle. The module L1 is a cache access logic. The in-
put, hit, to this logic indicates a cache hit. In case of a cache
miss, L1 asserts the wait signal which masks the arbitra-
tion decision through the logic M1. The outputs d1 and d2
are inputs to the requesting devices respectively. When the
page becomes available in the cache, d1 or d2 is asserted ac-
cordingly. In the figure ’A’ represents an AND gate, ’O’ an
OR gate and ’L’ a latch.
The architectural intent requires that r1 has higher prior-
ity than r2. This means that if r1 comes before r2 then it is
never the case that r2 has it’s page available before r1. This
intent can be expressed by the following LTL property:
A = G( ¬ wait ∧ r1 ∧ X(r1 U r2)→ X( ¬d2U d1 ))
Suppose we are unable to verifyA on the whole design.1
We must therefore refine the specification. Let us assume
that we are given the RTL for M1 and L1 and the follow-
ing properties for PrA.
R1 = G( r1 → X n1 ) R2 = G( ¬r1 ∧ r2 → X n2 )
Our primary coverage problem is to determine whether
the architectural intent A is covered by the RTL modules
and the properties of PrA. In this case the answer is posi-
tive. Consider the scenario as shown in the timing diagram
in Fig 3. Here r1 is asserted in time 0 and de-asserted in
time 1. The input r2 is asserted in time 1. Also consider the
case where the wait signal is initially low. Now n1 will be
asserted in time 1. Here there can be two different scenar-
ios depending on whether there is a hit or miss. If hit oc-
curs, d1 will be asserted in the next cycle and hence the ar-
chitectural intent is not violated. If there is a miss (as shown
in the Fig 3(b)) then wait will be high which would pre-
vent g2 to be asserted in time 2. The wait signal would re-
main high until the data comes to the cache and hit is as-
serted which would assert d1 in the same cycle, thus pre-
venting A to be violated.
Formally our tool answers this primary coverage ques-
tion by checking the truth of the property NU = (R1 ∧
R2) ∧ ¬(A) in the model consisting of M1 and L1. The
model checker returns a negative answer, and therefore the
answer to the coverage question here is positive. 
3. Computing the Coverage Gap
In this section we address the more complex problem
of computing and representing the coverage gap. One way
1 This is a toy example which is unlikely to run into capacity issues, but
we use this assumption to demonstrate our approach in simple terms
to demonstrate that a coverage gap exists is to produce a
counter-example run, that is, a run that satisfies the RTL
specification but refutes the architectural intent. However,
this only reflects a fraction of the coverage gap. On the other
hand, our aim is to find the set of missing temporal proper-
ties in the RTL specification, which when included in the
RTL specification closes the coverage gap.
wait
hit
d1
d2
n1
n2
r1
r2
g1
g2M1 L1PrA
Figure 4. Mem Arbitration Logic(With GAP)
Example 2 Let us consider a slight variant of the MAL de-
scribed in Ex 1 as shown in Fig 4. Now the request lines
r1 and r2 are connected to M1 and the outputs n1 and n2
of M1 are used to drive PrA. The outputs of PrA is con-
nected to the grant inputs g1 and g2 of L1. The new RTL
properties of PrA would be:
R′1 = G(n1 → X g1) R′2 = G(¬n1 ∧ n2 → X g2)
In this scenario the architectural property A is not covered
by the RTL specification. For example whenever we have
the scenario where r1 is asserted for one cycle and r2 as-
serted in the next cycle, and if there is a miss for r1 but a hit
for r2, then d2 will be asserted before d1. Thus the archi-
tectural intent is not guaranteed by the RTL specification.
Specifically the coverage gap lies only on those scenarios
where the data for a later r2 is in the cache while the data of
a previous r1 is not. In other words, the coverage gap can be
accurately represented by the following property that con-
siders exactly the above scenarios:
U = G(¬wait∧r1∧X(r1U(r2∧X¬hit))→ X(¬d2Ud1))
We have (R1 ∧ R2 ∧ U)∧ ¬(A) is false in L1 and hence
closes the coverage gap. In general, our aim will be to de-
termine the weakest set of temporal properties that close the
coverage gap between the RTL specification and the archi-
tectural intent. This intent is formally expressed below. 
Definition 2 [Strong and weak properties: ]
A property F1 is stronger than a property F2 iff F1 ⇒ F2
and F2 ⇒ F1. We also say that F2 is weaker than F1. 
Definition 3 [Coverage Hole in RTL Spec: ]
A coverage hole in the RTL specification is a property RH
over APR, such that (R ∧ RH) ∧ ¬A is false in M, and
there exists no property, R′H , over APR such that R′H is
weaker than RH and (R ∧ R′H) ∧ A is also false in M.
In other words, we find the weakest property that suffices
to close the coverage hole. Adding the weakest property
strengthens the RTL specification in a minimal way. 
In order to determine the coverage hole we generate the
temporal formula which exactly represents a RTL model
M. We do this as follows: Given a RTL model M we ex-
tract the Finite State Machine (FSM) SM modeling it. SM
is a 6 tuple 〈I,O, S, S0, L, T 〉 where, I is the set of inputs,
O is the set of outputs, S is the set of states, S0 is the ini-
tial state, L(s) is a boolean function over the variables in
s, where s ∈ S, T (s, i, s′) is an LTL property correspond-
ing to the transition (s, i, s′) in SM . Specifically for a transi-
tion (s, i, s′) from state s to s′ on input i the transition prop-
erty is L(s)∧ i∧X(L(s′)). The transition function T is the
collection of all these properties.
Definition 4 LTL formula TM for FSM M
For a FSM M = 〈I,O, S, S0, L, T 〉 we define an LTL for-
mula TM = L(S0) ∧ G(∨(〈s,i,s′〉∈T )L(s) ∧ i ∧ X(L(s′)).
TM exactly represents all the runs which are present in M.
LG
M
(a) Simple Model (b) The extracted FSM
a
b c
c
¬c
¬(a ∧ b)
¬(a ∧ b)
(a ∧ b)
(a ∧ b)
Figure 5. A simple Model(Example 3)
The following example illustrates this construction.
Example 3 Consider the concrete module M as shown in
Fig 5(a). M has ’a’ and ’b’ as inputs and ’c’ as the output.
Fig 5(b) shows the extracted FSM of this model. Let c′ be
the next state variable corresponding to the output variable
c. The initial state of the model is c = 0, hence L(s0) = ¬c.
After minimization TM will be as,
TM = (¬c) ∧G(¬c.a.b.c′ ∨ ¬c.¬(a.b).¬c′
∨ c.a.b.c′ ∨ c.¬(a.b).¬c′)
It must be noted that the RTL model M may consist
of multiple concurrent models say M1,M2,. . .,Mk. In such
case we generate k temporal formulas TM1 ,TM2 ,. . .,TMk
for each model. TM is then generated by taking conjunc-
tion of all these k properties .
The following theorem characterizes the coverage hole.
Theorem 2 The coverage hole in the RTL specification is
unique and is given by A ∨ ¬(R∧ TM ).
Proof: Let RH = A ∨ ¬(R∧ TM ). It is easy to see that ((R∧
TM ) ∧RH)⇒ A, and therefore RH closes the coverage hole.
Let R′H be a property such that R′H is weaker than RH and
(R ∧R′H ∧ TM ) ⇒ A. Since R′H ⇒ RH , there exists a run, π,
that satisfies R′H but not RH .
Suppose π satisfies R ∧ TM . Then by the definition of R′H , π
satisfies A. But if π satisfies A, then π must satisfy RH (by the
definition of RH ). This is a contradiction.
Otherwise, suppose π does not satisfy R ∧ TM . Therefore π
satisfies ¬(R∧ TM ), and again π must satisfyRH (by the defini-
tion of RH ). Again we have a contradiction. Therefore RH is the
unique weakest property that closes the coverage gap. 
We now consider the problem of computing the uncov-
ered architectural intent as defined below.
Definition 5 [Uncovered architectural intent: ]
An uncovered architectural intent is a property AH over
APA, such that (R ∧ TM ∧ AH) ⇒ A, and there ex-
ists no property A′H over APA such that AH ⇒ A′H and
(R ∧ TM ∧ A′H) ⇒ A. In other words, we find the weak-
est property over APA that closes the coverage hole. 
4. Representing the Coverage Hole
Theorem 2 gives us a formalism for computing the cov-
erage hole, but does not convey the missing properties in a
meaningful way. Our aim is to present the coverage hole and
the uncovered architectural intent to the designer in a form
that is syntactically close to the architectural intent and is
thereby amenable to visual comparison with the architec-
tural intent. The following example highlights this intent.
Example 4 We consider the coverage of A by R′1,R′2 and
the concrete modules M1 and L1 as given in Ex 2. By The-
orem 2, the coverage gap between A and R′1,R′2,M1 and L1
is given by the property:
ϕ = A ∨ ¬(R′1 ∧R′2 ∧ TM1 ∧ TL1)
which does not convey a meaningful information to the de-
signer. On the other hand, consider the property U of Ex 2:
U = G(¬wait ∧ r1 ∧X(r1U(r2 ∧X¬hit))→ X(¬d2Ud1))
U is stronger than ϕ, but represent the coverage gap more
effectively than ϕ because, the designer can visually com-
pare U with A and see what remains to be covered. 
Our tool is based on two key algorithms. The first algo-
rithm computes the bounded terms in the coverage gap and
then pushes them into the syntactic structure of the archi-
tectural properties to obtain the uncovered part. The second
algorithm takes architectural properties having unbounded
temporal operators and systematically weakens them into
structure preserving decompositions and checks the com-
ponents that remains to be covered.
4.1. Coverage Algorithm
The core idea behind our algorithm is to present a struc-
ture preserving form of the coverage gap. Our algorithm
takes each formula FA from the architectural intent A and
finds the coverage gap, G, for FA, with respect to the RTL
properties R and the concrete Models M. Since R and M
are required to cover every property in A, we use this natu-
ral decomposition of the problem. The algorithm below im-
plements this idea. Here we use U to represent the RTL cov-
erage hole RH and M to represent the concrete module in
the RTL specification.
Algorithm 1 Coverage Algorithm
Find Coverage Gap(FA,R,M)
1. Generate TM from the concrete module M and com-
pute U = FA ∨ ¬(R∧ TM )
2. If ¬(U) is not false in M then
(a) Unfold U to create a set of uncovered terms, UM ,
that approximates the coverage gap;
(b) Use universal quantification to eliminate signals
belonging to APR −APA,
(c) Push the terms of UM into FA to obtain FU .
(d) WeakenFU to obtain the final uncovered formula
G.
3. Return G;
The details of Algorithm 1 were presented in [3]. Here
we explain it’s operation with the help of the design in Ex 2.
In the design described in Ex 2, A = G( ¬ wait ∧ r1 ∧
X(r1 U r2) → X( ¬d2U d1 )), R′1 and R′2 are the RTL
properties of PrA. L1 and M1 constitute the concrete mod-
ules M . The first step of the algorithm generates the tem-
poral properties TL1 and TM1 corresponding to L1 and M1
respectively. M1 is a combinational block and thus TM1 is
generated by nesting a global operator G above the Boolean
function it implements.
TL1 = G((r1 ∧ wait ↔ g1) ∧ (r2 ∧ wait ↔ g2))
For generating TM1 our algorithm first generates the FSM
for M1 and then generates TM1 from it.
TM1 = (¬g1 ∧ ¬g2 ∧ ¬wait) ∧G[(g1 ∧ hit′ ∧ d′1)
∨(g1∧hit′∧d′2)∨(¬(g1∧hit′)∧¬d′1)∨(¬(g1∧hit′)∧¬d′1)∨
(g1 ∧ ¬hit′ ∧ wait′) ∨ (g1 ∧ ¬hit′ ∧ wait′) ∨ (¬(g2 ∧
¬hit′) ∧ ¬d′1) ∨ (¬(g2 ∧ ¬hit′) ∧ ¬d′1)]
The first step of Algorithm 1 generates U = A ∧ R ∧ TM
where TM = TM1 ∧ TL1. Since ¬U is false in M , in
steps 2(a) U is unfolded upto it’s fixpoint [2]. After unfold-
ing and abstracting out the local RTL variable d we ob-
tain UM as follows:
UM = {¬r1 ∧Xr2 ∧XX¬hit ∧Xd1,
¬r1 ∧Xr2 ∧XX¬hit ∧X¬d2 ∧XXd1}
The distribution of the above terms into the parse tree of
A is done in the step 2(c) of the algorithm as shown in
Fig 6. This step determines that the gaps lie inside the un-
bounded operator until(U).
{r1Xr2XX¬hit,
¬r1Xr2XX¬hit}
{Xd1, X¬d2d1} d1,¬d2Xd1
r1
r2XX¬hit
X¬hit
⇒ r1
r1
r2∧
∧
X
X
U
U
¬d2
d1
wait
Figure 6. Pushing the terms in UM
The step 2(d) of Algorithm 1 uses heuristics to decom-
pose the property into weaker fragments and then return
those fragments that are not covered by the RTL specifica-
tion. This step is useful when the coverage gap lies in prop-
erties having the unbounded temporal operators, like G, F
and U . We explain the method with the following property:
ϕ: G( ( a U b ) ⇒ ( c U d ) )
Suppose we want to weaken the property by augmenting a
new literal ¬e with the variable instance c. The choice of
the ’e’ is guided by the variable which reaches the tempo-
ral operator during the execution of step 2(c). Here we have
to weaken the variable instance c for weakening of ϕ. So
we need to replace the variable instance with the disjunc-
tion of the variable and the new literal. The resulting weak-
ened property may be any one of the following:
ϕ′: G( ( a U b ) ⇒ ( (c ∨ ¬e) U d ) )
ϕ′′: G( ( a U b ) ⇒ ( (c ∨ e) U d ) )
Here ϕ = ϕ′ ∧ ϕ′′ and it may be the case that RTL covers ϕ′
but not ϕ′′ in which case we report ϕ′′ as the coverage gap.
Returning to our example the until operator to the left of
the implication operator is weakened using X¬hit and we
obtained the following gap property:
U = G(¬wait ∧ r1 ∧X(r1U(r2 ∧X¬hit))→ X(¬d2Ud1))
U closed the the gap between the Aspec and the RTL.
5. Results on SpecMatcher
SpecMatcher is our tool for verifying design intent cov-
erage. The original tool used to accept only LTL specifi-
cations. With the new methods, the tool now also accepts
Time (sec)
No. of Primary TM Gap
Circuit RTL Coverage building Finding
properties Question Time Time
Memory 26 4.7 2.3 26.1
Arb. Logic
Intel Design 12 8.2 0.9 15.2
ARM AMBA AHB 29 12.07 9.8 22.5
Paper Ex. (Fig 1) 2 0.18 0.06 1.2
Table 1. Runtimes of SpecMatcher
RTL modules. Table 1 shows the runtimes of our tool on
several designs. For each design, we selected an architec-
tural property which requires contributions from multiple
submodules. For example, ARM AMBA AHB is bus pro-
tocol involving master, slave and arbiter devices. The exact
arbitration policy is not defined in the protocol, we there-
fore targeted a system level property with the RTL of the
arbiter and set of properties over the master and slave. The
tool accepted all 29 RTL properties and the RTL of the ar-
biter and produced the coverage gap in less than a minute.
The first two designs have non-trivial complexity as in-
dicated by the number of properties. The last design is the
toy example demonstrated in this paper. The time break-ups
show the time spent (on a 2GHz P4) by the tool in each of
the major steps of the coverage algorithm.
If we bring in larger RTL blocks into the picture, we
will have state explosion in two of the steps. Firstly, the
primary coverage question requires model checking on the
RTL blocks. Secondly, the building time for TM will go
up. Therefore the proposed method should not be viewed
as a new way to do model checking. The value of the orig-
inal methodology lies in providing the validation engineer
with a formal proof that the decomposition of the specifica-
tion is correct, or with a clear representation of the cover-
age gap. The new methodology aids the process by allow-
ing simple modules (such as glue logic) to be accepted as
is, but is still totally inclined towards the original goal.
Acknowledgments
Pallab Dasgupta and P.P. Chakrabarti acknowledge the
Department of Science & Technology, Govt. of India for
the partial support of this work.
References
[1] ARM AMBA Specification Rev 2.0, http://www.arm.com
[2] Clarke, E.M., Grumberg, O., and Peled, D.A., Model Check-
ing, MIT Press, 2000.
[3] Das, S., Basu, P., Banerjee, A., Dasgupta, P., Chakrabarti,
P.P., Mohan, C.R., Fix, L., Armoni, R., Formal Verification
Coverage: Computing the Coverage Gap between Temporal
Specifications, In Proc. of ICCAD, San Jose, 198-203, 2004.
