<table>
<thead>
<tr>
<th>項目</th>
<th>内容</th>
</tr>
</thead>
<tbody>
<tr>
<td>タイトル</td>
<td>An Efficient System Verification based-on Check-points</td>
</tr>
<tr>
<td>作者</td>
<td>Yamada, Chikatoshi</td>
</tr>
<tr>
<td>引用</td>
<td>沖縄工業高等専門学校紀要 = Bulletin of Okinawa National College of Technology (3): 25-30</td>
</tr>
<tr>
<td>発行日</td>
<td>2009-03</td>
</tr>
<tr>
<td>URL</td>
<td><a href="http://hdl.handle.net/20.500.12001/18660">http://hdl.handle.net/20.500.12001/18660</a></td>
</tr>
<tr>
<td>権利</td>
<td>沖縄工業高等専門学校</td>
</tr>
</tbody>
</table>
An Efficient System Verification based-on Check-points Extraction Method

Chikatoshi Yamada

Abstract—Recently, model checking has played an important role in design of embedded systems, complex systems, and other critical systems. However, it is inefficiency to verify the entire systems. This article considers the case where designers of systems can extract check-points easily in model checking of formal verification. Moreover, we propose a method by which temporal formulas can be obtained inductively for specifications in model checking. Finally, we demonstrate verification results for some arbitration modules by NuSMV model checking tool.

Index Terms—Model checking, Formal verification, Linear temporal logic, Check-points extraction method.

I. INTRODUCTION

Today, industrial designs are becoming more and more complex as technology advances and demand for higher performance increases. Especially, hardware and software systems are widely used in applied field where no failure is permitted: telephone switched network, electronic commerce, and medical equipment, etc. The validity of a design accompanies checking whether the physical design satisfies its specification. In traditional design flow, validation is accomplished through simulation and testing. Some errors inside a design may exhibit nondeterministic behaviors, and therefore, will not be reliably repeatable. This makes testing and debugging using simulation difficult. Also, exhaustive testing for nontrivial designs is generally infeasible, therefore, testing provides at best only a probabilistic assurance.

In design of complex and embedded systems and other critical systems, model checking has played an important role. Model checking in formal verification ascertain whether designed systems can be executed or specified. Various formal methods for verification have been studied. However, formal verification has problems of its own class too. The major problem with automatic formal verification is that a large amount of memory and time is often required, because the underlying algorithm in these methods usually involves systematic examination of all reachable states of the system to be verified. As the number of reachable states increases rapidly with the size of the system, the basic algorithm by itself becomes impractical: the number of states for the system is often too large to check exhaustively within the limited time and memory that is available. This phenomenon is known as the state space explosion problem[1].

In this research, we focus on specification process of model checking in formal verification shown in Fig.1, and to propose a new method which can extract verification check-points inductively from modeling systems. System designers can easily derive check-points of verified systems by using the method. The rest of this article is organized as follows: In section II, Model Checking, Temporal Logic, Signal Transition Graph are briefly explained, and in section III our proposed Check-Points Extraction Method is described by means of procedure of specification. Moreover, some benchmarks are used for verification to compare by NuSMV model checking tool in section IV. Finally, we summarize the discussion in section V.

II. PRELIMINARIES

A. Model Checking

The principal validation methods for complex systems are simulation, testing, deductive verification, and model checking. Simulation and testing both involve making experiments before deploying the system, testing is performed on the actual product. In the case of circuits, simulation is performed on the design of the circuit, whereas testing is performed on the circuit itself. In both cases, these methods typically inject signals at certain points in the system and observe the resulting signals at other points. These methods can be a cost-efficient way to find many errors. However, checking all of the possible interactions and potential pitfalls using simulation and testing techniques is rarely possible. Formal verification attempts to overcome the weakness of non-exhaustive simulation by proving the correspondence between some abstract specification and the design in hand.

An important issue in specifications completeness. Model checking provides means for checking that a model of the design satisfies a given specification, but is impossible to determine whether the given specification covers all the properties that the system should satisfy.

- Safety property expresses that, under certain conditions, nothing bad will happen.
- Liveness property express that, under certain conditions, something good will eventually happen.

In this article, behaviors of a system are specified by temporal formulas.

B. Temporal Logic

Temporal logic[1], [2] is a formalism for describing sequences of transitions between states in a reactive system. In the temporal logics that we will consider, time is not mentioned explicitly; instead, a formula might specify that eventually some designated state is reached, or that an error state is never entered. Properties like eventually or never are
specified using special temporal operators. These operators can also be combined with boolean connectives or nested arbitrarily. Temporal logics differ in the operators that they provide and the semantics of those operators. Its operators mimic linguistic constructions (the adverbs "always", "until", the tenses of verbs, etc.) with the result that natural language statements and their temporal logic formalization are fairly close. Finally, temporal logic comes with a formal semantics, an indispensable specification language tool. Here, Linear Temporal Logic in temporal logic will be explained in following section.

1) Linear Temporal Logic (LTL): Temporal logic allows us to formalize the properties of a run unambiguously and concisely with the help of a small number of special temporal operators. Most relevant to the verification of asynchronous process systems is a specific branch of temporal logic that is known as linear temporal logic (LTL), commonly abbreviated as LTL. The semantics of LTL is defined over infinite runs. With help of the stutter extension rule, however, it applies equally to finite runs[1]. Here we give descriptions of LTL. LTL is a sort of temporal logic, which has the following formulas:

- $\square q$ : means that $q$ always holds for all successor states on a certain path.
- $\diamond q$ : represents that $q$ must be sometimes true for only one successor state of the path, and is similar to the formula which expresses future in linear temporal logic.
- $pUq$ : is that $p$ must be true on the path states, beginning at the current state, until $q$ becomes true.
- $Xp$ : then simply states that $p$ is true in the immediately following state of the run.

The correctness of properties to be verified is usually specified in LTL. The LTL is extending propositional logic with temporal operators that express how propositions change their truth values over time. Here we use temporal operators: Operators $\square$, $\diamond$, and $X$ meaning globally, sometime in the future, and next time, respectively.

C. Signal Transition Graph

In order to describe highly concurrent systems, graph-based specification methods have been widely used. An Signal Transition Graph (STG)[3], a labeled interpreted Petri Net, has been considered as a well-suited specification method to describe asynchronous circuits.

Definition 1: (Petri Net (PN)). A Petri Net is a bipartite directed graph consisting of 4-tuple $\sum = (P, T, F, m_0)$, where

1. $P$ is a finite set of places.
2. $T$ is a finite set of transitions, satisfying $P \cap T = \emptyset$ and $P \cup T = \emptyset$.
3. $F$ is a flow relation $F \subseteq (P \times T) \cup (T \times P)$, specifies binary relation between transitions and places.
4. $m_0$ is the initial marking of the PN.

When transitions are interpreted as rising and falling transitions of signals of a control circuit, an STG is one interpretation of a PN.

Definition 2: (Signal Transition Graph (STG)). Let $J$ be a set of signals of a network, A Signal Transition Graph defined on $J$ is a Petri Net $\sum_J = (P, T, F, M_0)$ with $T : J \rightarrow \{ + , - \}$.

Each transition of the STG is interpreted as a rising transition or a falling transition of a signal.

Consider an arbiter module shown in Fig.2. An STG for the arbiter module is shown in Fig.3, where ‘+’ mean a rising edge and ‘-’ means a falling edge of a certain signal, respectively. This example uses two signals $u_0$ and $u_1$. Black circle on a transition edge indicates a token. A transition is enabled when all input places have at least one token. When an enabled transition fires, it removes one token from each input place and adds one token to each output place.

Fig. 2. An arbiter module.
A. Strong/Weak Temporal Order Relation

In verifying behaviors of a system, checking all signal events is inefficient. Reducing signal events to be checked is necessary for specifying behaviors of the system. Here, we consider a system which has 3-inputs \((a, b, c)\) and 2-outputs \((x, y)\) shown in Fig. 4. Suppose that behaviors of the system occur as \(a \rightarrow x \rightarrow b \rightarrow c \rightarrow y \rightarrow a\), repeatedly.

All relations of the signal events can be indicated as follows:

\[
\{(a, x), (a, y), (x, b), (b, c), (b, y), (c, y)\},
\]

where \((a, x)\) indicates that output \(x\) occur after input \(a\). Although output \(y\) is not an immediate successor of input \(a\), \((a, y)\) can be considered because output \(y\) must occur after input \(a\) in the future. Definitions of strong/weak temporal order relations are as follows:

**Definition 3:** (strong temporal order relation). A strong temporal order relation is any inverse input-output relation of event sequences.

Here, we focus on relation \((x, b)\). We notice that \((x, b)\) indicates an inverse relation of input and output events. However, it is not necessary that input \(b\) must occur after output \(y\) in many cases excepting systems of 1-input and 1-output. Thus such an inverse input-output relation can be reduced by a strong temporal order relation.

**Definition 4:** (weak temporal order relation). A weak temporal order relation is any relation of input signal events.

Further, we focus on relation \((b, c)\). We notice that the relation only indicates inputs. Output \(y\) is a successor of inputs \(b\) and \(c\) by relations \((b, y)\) and \((c, y)\). On the other hand, output \(y\) can occur by rendezvous of inputs \(b\) and \(c\). Output \(y\) can occur independently of relation \((b, c)\). Therefore, such a relation can be reduced by a weak temporal order relation.

Thus, behaviors of the system can be specified by introducing strong/weak temporal order relations as follows:

\[
\{(a, x), (a, y), (b, y), (c, y)\}
\]

Its specification shows that output \(x\) can occur after input \(a\) and output \(y\) can occur by rendezvous inputs \(a, b, \) and \(c\).

B. Converting STG to State Graph

To explain the procedure of the proposed method, we especially consider an arbiter module shown in Fig. 2. Thus we describe specification of temporal formulas for the arbiter module. The STG of the arbiter module can be drawn in Fig. 3. Firing processes for the STG are indicated as Fig. 5, where the initial state is **State0**. The states are connected with labeled edges as shown in Fig. 6 to represent order relations of events. Converting the STG to the state graph can be made by Petriify tool[4] automatically. A branch expression for Fig. 6 is shown in Fig. 7. The procedure of the proposed specification method is described in the succeeding sections.

C. Procedure of Specification

In this section, we describe the procedure of the proposed specification method. This procedure corresponds to the part in the wavy arrow line in Fig. 1. The procedure is composed of five steps shown as follows:

**[STEP 1]**

In this step, event sequences are extracted from branch expression, for example, path \((A), (B), (C), (D)\) and \((E)\) are extracted from Fig. 7.

\[
\begin{align*}
(A) & \quad u_{0i}^+ u_{0o}^+ u_{1i}^+ u_{1o}^+ u_{0i}^- u_{0o}^- u_{1i}^- u_{1o}^- \\
(B) & \quad u_{0n}^- u_{0o}^+ u_{1i}^+ u_{1o}^+ u_{0o}^- u_{1i}^- u_{1o}^- \\
(C) & \quad u_{0i}^- u_{0o}^+ u_{1o}^- u_{0o}^- u_{1i}^- u_{1o}^- \\
(D) & \quad u_{0i}^+ u_{1o}^- u_{0o}^- u_{0o}^+ u_{1i}^- u_{1o}^- \\
(E) & \quad u_{0i}^- u_{1o}^- u_{0o}^- u_{0o}^+ u_{1i}^- u_{1o}^- \\
\end{align*}
\]

**[STEP 2]**

In this step, checked signal events can be reduced by introducing strong/weak temporal order relations.

\[
\begin{align*}
(A) & \quad \{(u_{0i}^+, u_{0o}^+), (u_{0i}^+, u_{1o}^+), (u_{1i}^+, u_{1o}^+), (u_{1i}^+, u_{0o}^-), (u_{0i}^-, u_{0o}^-), (u_{0i}^-, u_{1o}^-), (u_{1i}^-, u_{1o}^-)\} \\
(B) & \quad \{(u_{0i}^+, u_{0o}^+), (u_{0i}^+, u_{1o}^+), (u_{0i}^+, u_{0o}^-), (u_{1i}^+, u_{1o}^-), (u_{1i}^+, u_{0o}^-), (u_{0i}^-, u_{0o}^-), (u_{0i}^-, u_{1o}^-), (u_{1i}^-, u_{1o}^-)\} \\
(C) & \quad \{(u_{0i}^+, u_{0o}^+), (u_{0i}^+, u_{1o}^+), (u_{0i}^-, u_{0o}^-), (u_{1i}^-, u_{0o}^-), (u_{1i}^-, u_{1o}^-), (u_{0i}^-, u_{1o}^-), (u_{0i}^-, u_{1o}^-)\} \\
(D) & \quad \{(u_{0i}^+, u_{1o}^+), (u_{0i}^+, u_{0o}^+), (u_{0i}^- u_{0o}^-), (u_{1i}^+, u_{0o}^-), (u_{1i}^+, u_{1o}^-), (u_{0i}^-, u_{1o}^-)\}
\end{align*}
\]
In all paths, relations of the same temporal operator and the same IO can be extracted. Otherwise only the same IO relation can be extracted. Since \( \Diamond \) expresses "sometime in the future," the next operator \( X \) can be covered as \( X \subseteq \Diamond \) in order to apply Partial Order Reduction. Thus, the extracted same IO relation can be gathered by \( \Diamond \).

\[ \Diamond (u_{0i-}, u_{1o-}), X(u_{1i+}, u_{0o-}), X(u_{1i-}, u_{1o-}) \]

### [STEP.3]

In each path, if IO relation shows that there is immediate successor, specified as \( X \) operator, otherwise specified as \( \Diamond \) operator.

\[ \begin{align*}
(A) \quad & \{X(u_{0i+}, u_{0o+}), \Diamond(u_{0i+}, u_{1o+}), X(u_{1i+}, u_{1o+}),
\Diamond(u_{1i+}, u_{0o-}), X(u_{0i-}, u_{0o-}), \Diamond(u_{0i-}, u_{1o-}),
X(u_{1i-}, u_{1o-}) \} \\
(B) \quad & \{X(u_{0i+}, u_{0o+}), \Diamond(u_{0i+}, u_{1o+}), \Diamond(u_{0i+}, u_{0o-}),
X(u_{1i+}, u_{1o+}), \Diamond(u_{1i+}, u_{0o-}), \Diamond(u_{1i-}, u_{1o-}),
X(u_{0i-}, u_{1o-}) \} \\
(C) \quad & \{X(u_{0i+}, u_{0o+}), \Diamond(u_{0i+}, u_{1o+}), \Diamond(u_{0i+}, u_{0o-}),
\Diamond(u_{0i-}, u_{1o-}), X(u_{1i+}, u_{0o-}), \Diamond(u_{1i-}, u_{1o-}) \} \\
(D) \quad & \{X(u_{0i+}, u_{1o+}), \Diamond(u_{0i+}, u_{0o+}), \Diamond(u_{0i+}, u_{0o-}),
\Diamond(u_{0i-}, u_{1o-}), X(u_{1i+}, u_{0o-}), \Diamond(u_{1i+}, u_{1o-}),
X(u_{1i-}, u_{1o-}) \} \\
(E) \quad & \{X(u_{0i+}, u_{1o+}), X(u_{0i-}, u_{0o+}), \Diamond (u_{0i-}, u_{0o-}),
\Diamond (u_{0i-}, u_{1o-}), X(u_{1i+}, u_{0o-}), \Diamond (u_{1i+}, u_{1o-}),
X(u_{1i-}, u_{1o-}) \}
\end{align*} \]
Fig. 6. A state graph for Fig.3.

Fig. 7. A branch expression for the state graph.

Check-points can be extracted by repeating the above-mentioned steps. Finally, we can get temporal formulas only considering necessary signal events. For these formulas, signal transition graph can be indicated in Fig.8.

IV. Verification Results

In this section, we show some asynchronous bench marks in the table, and show verification results for a shared resources access structure shown in Fig.9. All these model verifications are performed on an 2.4GHz Core 2 Duo processor under Linux with 2GB of available RAM. In this article, all simulations are verified by NuSMV version 2.4.3[5].

For each circuit, we report the number of boolean variables necessary to represent the corresponding model, OBDD nodes, and time required by the systems to analyze the model. Some circuits in the table can be found in the distribution of SMV[5].

For small circuits such as C-element4, p-queue and pipeline4, time is not much different between the two methods. On the other hand, as the circuits become larger, the effect begins to appear in the results: It is remarkable especially for control modules.

Fig. 8. A reduced signal transition graph for Fig.3 by check-points extraction method

Fig. 9. A shared resources access structure.

Next, we show performance results of verification of the shared resources access structure shown in Fig.9. For the structure, we report the number of OBDD nodes and memory required by the systems to analyze the structure shown in Fig.10 and Fig.11. Here, CPE indicates verification results with check-points extraction method, and Normal indicates verification results without the method, respectively. For small models such as queue and mutex, results are not much different between the two methods. On the other hand, as the models become larger, the effect begins to appear in the results. It is remarkable especially for elevator control systems.

V. Conclusion

Formal verification plays an important role in large scale and complex systems. However, it is inefficiency to verify the entire systems. We proposed a method by which check-points can be obtained inductively for specifications in model checking. Users must generally know well temporal specification because the specification might be complex. Our proposed method can gain temporal formula specifications inductively. We aimed at input-output order relations for systems, not considering output-input order relations. Furthermore, we defined strong/weak temporal order relations in the procedure of specification. Weak temporal order relations include orders of inputs implicitly. Strong temporal order relations express inverse input-output order relations. We showed that the verification tasks are reduced for states, transitions, and memory with our
TABLE I
VERIFICATION RESULTS with the CPE method without the CPE method
\begin{tabular}{|l|c|c|c|c|c|}
\hline
Circuit name & OBDD nodes & Reduce(\%) & Time(secs) & Reduce(\%) & OBDD nodes & Time(secs) \\
\hline
C-element4 & 1988 & -1.5\% & 0.06 & 0.0\% & 2018 & 0.06 \\
C-element16 & 242244 & -0.1\% & 0.97 & -1.0\% & 242462 & 0.98 \\
p-queue & 139530 & -5.8\% & 0.82 & -3.5\% & 148160 & 0.85 \\
pipeline2 & 679 & -23.5\% & 0.02 & -60.0\% & 888 & 0.05 \\
pipeline4 & 3272 & -22.9\% & 0.06 & -66.8\% & 4244 & 0.09 \\
pipeline8 & 144431 & -13.8\% & 0.79 & -66.8\% & 167469 & 2.38 \\
abp4 & 75661 & -21.5\% & 0.43 & -21.8\% & 96384 & 0.55 \\
pci3p & 447889 & -21.5\% & 1.19 & -66.5\% & 570388 & 3.55 \\
 pci & 193576 & -44.2\% & 385.57 & -34.6\% & 346758 & 589.75 \\
\hline
\end{tabular}

proposed inductive specification method. System designers can easily lead complex temporal formulas by using the method. In verification results, especially, required memory was able to reduced for formal verification. Then, it is assumed to be research work in the future to verify more large scale systems.

REFERENCES