Cindy Eisner

The Temporal Logic Sugar

Since the introduction of temporal logic for the specification of computer programs [5], usability has been an issue, because a difficult-to-use formalism is a barrier to the wide adoption of formal methods. Our solution is Sugar, the temporal logic used by the RuleBase formal verification tool [2]. Sugar adds the power of regular expressions to CTL [4], as well as an extensive set of operators which provide syntactic sugar. That is, while these operators do not add expressive power, they allow properties to be expressed more succinctly than in the basic language. Experience shows that Sugar allows hardware engineers to easily and intuitively specify their designs. The full language is used for model checking, and a significant portion can be model checked on-the-fly [3]. The automatic generation of simulation checkers from the same portion of Sugar is described in [1]. While previous papers have described various features of the language, this paper presents the first complete description of Sugar.

RuleBase: an industry-oriented formal verification tool

RuleBase is a formal verification tool, developed by the IBM Haifa Research Laboratory. It is the result of three years of experience in practical formal verification of hardware which, we believe, has been a key factor in bringing the tool to its current level of maturity. We present the tool, including several unique features, and summarize our usage experience.

Reasoning with Temporal Logic on Truncated Paths

We consider the problem of reasoning with linear temporal logic on truncated paths. A truncated path is a path that is finite, but not necessarily maximal. Truncated paths arise naturally in several areas, among which are incomplete verification methods (such as simulation or bounded model checking) and hardware resets. We present a formalism for reasoning about truncated paths, and analyze its characteristics.

Efficient Detection of Vacuity in ACTL Formulas

Prepositional logic formulas containing implications can suffer from antecedent failure, in which the formula is true trivially because the pre-condition of the implication is not satisfiable. In other words, the post-condition of the implication does not affect the truth value of the formula. We call this a vacuous pass, and extend the definition of vacuity to cover other kinds of trivial passes in temporal logic. We define w-ACTL, a subset of CTL and show by construction that for every w-ACTL formula ϕ there is a formula w(ϕ), such that: both ϕ and w(ϕ) are true in some model M iff ϕ passes vacuously. A useful side-effect of w(ϕ) is that if false, any counter-example is also a non-trivial witness of the original formula ϕ.

Efficient Detection of Vacuity in Temporal Model Checking

The ability to generate a counter-example is an important feature of model checking tools, because a counter-example provides information to the user in the case that the formula being checked is found to be non-valid. In this paper, we turn our attention to providing similar feedback to the user in the case that the formula is found to be valid, because valid formulas can hide real problems in the model. For instance, propositional logic formulas containing implications can suffer from antecedent failure, in which the formula is trivially valid because the pre-condition of the implication is not satisfiable. We call this vacuity, and extend the definition to cover other kinds of trivial validity. For non-vacuously valid formulas, we define an interesting witness as a non-trivial example of the validity of the formula. We formalize the notions of vacuity and interesting witness, and show how to detect vacuity and generate interesting witnesses in temporal model checking. Finally, we provide a practical solution for a useful subset of ACTL formulas.

RuleBase: Model Checking at IBM

RuleBase is a symbolic model checking tool, developed by the IBM Haifa Research Laboratory. It is the result of four years of experience in practical formal verification of hardware which, we believe, has been a key factor in bringing the tool to its current level of maturity. Our experience shows that after a short training period, designers can operate the tool independently and achieve impressive results. We present the tool and summarize our development and usage experience, focusing on some work done during 1996.

Model Checking at IBM

Over the past nine years, the Formal Methods Group at the IBM Haifa Research Laboratory has made steady progress in developing tools and techniques that make the power of model checking accessible to the community of hardware designers and verification engineers, to the point where it has become an integral part of the design cycle of many teams. We discuss our approach to the problem of integrating formal methods into an industrial design cycle, and point out those techniques which we have found to be especially effective in an industrial setting.

Comparing Symbolic and Explicit Model Checking of a Software System

There are two main paradigms for model checking: symbolic model checking, as is performed by the tool RuleBase, and explicit state model checking, as is performed by Spin. It is often accepted that the former is better for verifying hardware systems, while the latter has advantages for verifying software. We examine this piece of common wisdom in light of experience in verifying the software of a disk controller using both symbolic and explicit state model checking.

Resurrecting infeasible clock-gating functions

In this paper we consider the problem of exploiting infeasible clock gating functions. Analysis of industrial designs reveals a large margin of potential for power saving based on clock gating functions that initially appear to be useless due to timing violation or excessive power consumption. We propose two optimization techniques for resurrecting such functions that can be used as a generic post-processing phase in an automatic clock gating tool. The first provides timing-aware approximation and the second aims at generating large gating domains by clustering similar clock gating functions. Our experimental results show that the combination of these two techniques yields an additional power saving of up to 78% in industrial designs.

The definition of a temporal clock operator

Modern hardware designs are typically based on multiple clocks. While a singly-clocked hardware design is easily described in standard temporal logics, describing a multiply-clocked design is cumbersome. Thus it is desirable to have an easier way to formulate properties related to clocks in a temporal logic. We present a relatively simple solution built on top of the traditional LTL-based semantics, study the properties of the resulting logic, and compare it with previous solutions.