Terminal Satisfiability in GSTE

Xu, Yongsheng; Yang, Guowu; Chang, Zhengwei; Zheng, Desheng; Guo, Wensheng

doi:https://doi.org/10.1155/2014/725275

Journal of Applied Mathematics

On this page

Abstract Introduction Preliminaries Conclusions Acknowledgments References Copyright Related Articles

Special Issue

Intelligent Modeling and Verification 2014

View this Special Issue

Research Article | Open Access

Volume 2014 | Article ID 725275 | https://doi.org/10.1155/2014/725275

Terminal Satisfiability in GSTE

Yongsheng Xu,¹Guowu Yang,¹Zhengwei Chang,²Desheng Zheng,¹and Wensheng Guo¹

Academic Editor: Guiming Luo

Received09 Feb 2014

Accepted10 Mar 2014

Published15 May 2014

Abstract

Generalized symbolic trajectory evaluation (GSTE) is an extension of symbolic trajectory evaluation (STE) and a method of model checking. GSTE specifications are given as assertion graphs. There are four efficient methods to verify whether a circuit model obeys an assertion graph in GSTE, Model Checking Strong Satisfiability (SMC), Model Checking Normal Satisfiability (NMC), Model Checking Fair Satisfiability (FMC), and Model Checking Terminal Satisfiability (TMC). SMC, NMC, and FMC have been proved and applied in industry, but TMC has not. This paper gives a six-tuple definition and presents a new algorithm for TMC. Based on these, we prove that our algorithm is sound and complete. It solves the SMC’s limitation (resulting in false negative) without extending from finite specification to infinite specification. At last, a case of using TMC to verify a realistic hardware circuit round-robin arbiter is achieved. Avoiding verifying the undesired paths which are not related to the specifications, TMC makes it possible to reduce the computational complexity, and the experimental results suggest that the time cost by SMC is 3.14× with TMC in the case.

1. Introduction

Logic errors found in finite state concurrent systems are extremely important problems for both circuit designers and programmers [1] (i.e., sequential circuit designs and communication protocols). Model checking is a technique for verifying finite state concurrent systems [1]. Symbolic trajectory evaluation is a lattice-based model checking technique based on a form of symbolic simulation [2–4]. STE has shown great promise in verifying medium to large scale industrial hardware designs with a high degree of automation at both the gate level and the transistor level [4–7]. Generalized symbolic trajectory evaluation [3, 8] is an extension of symbolic trajectory evaluation [9, 10]. STE is very limited in the types of properties that it can specify and verify. GSTE can handle -regular properties and maintain the efficiency and capacity of STE [9–13]. GSTE is originally developed at Intel and has been used successfully on Intel’s next-generation microprocessors [14].

The main disadvantage of model checking is the state explosion, which motivates the need for algorithms such as abstract technology and the data structure of BDD and so forth to alleviate it [2, 15–18]. Although a lot of effort has been spent on improving this weakness, the efficient and effective method has yet to be developed. GSTE is a method of model checking and it also has the problem of state explosion. In GSTE, specifications are given as assertion graph and a model is induced by transition relation. Each edge in the model represents a state transition and a trace in the model is a state sequence, while a path in the assertion graph is an edge sequence. In SMC, NMC, and FMC, a model satisfies an assertion graph if all the traces (finite or infinite) in the model are accepted by all the paths of the same length in the assertion graph [3, 8, 19]. Results shown in [1, 9, 15, 17, 20–22] indicate that the method of enumeration usually leads to state explosion and increases the complexity of computing. As we know, traces are induced by model, and the number of traces is directly proportional to the size of model. Furthermore, paths are related to specifications. Thus, it will not need to verify each trace or path. Therefore, the key to alleviating the state explosion lies in deleting some undesired paths and traces. Aiming at this situation, this paper puts forward the filtering approach for TMC (Terminal Satisfiability Model Checking).

Previous studies have shown or suggested that a tool is needed to tell the difference between desired paths and undesired paths. One possible method is to choose as the filter condition, where is the set of edges in assertion graph. Our approach only adds some restricted conditions into assertion graphs without changing the structure of models and assertion graphs. Each edge in the assertion graph is labeled by an antecedent and consequent . and are sets of states in the model, so we can assign the states related to specifications to the of edge which is in . Then, we can delete undesired paths by . A fuller discussion of TMC will appear in a later section.

In this paper, we focus on the need for alleviating state explosion and present a new algorithm for TMC based on GSTE. In Section 2, we introduce the basic definitions in GSTE. In Section 3, some concepts such as terminal assertion graph, terminal path, and terminal satisfiability are defined. After a statement of the basic concepts, related properties and a theorem are given. In Section 4, we present an algorithm for verifying terminal satisfiability with an example which cannot be verified by SMC but by TMC. In the end, we use TMC to successfully verify a hardware circuit round-robin arbiter, and the time cost by SMC is 3.14× with TMC in the case. In Section 5, we prove that our algorithm is sound and complete. Section 6 is the conclusion of the paper.

2. Preliminaries

We introduce some basic definitions in GSTE [3, 8]. We assume a universal set of finite states, denoted by .

2.1. Model

Definition 1 (transition relation; see [3, 8]). A relation is a transition relation if for all , , .

Definition 2 (model; see [3, 8]). The model induced by the transition relation is the pair , where(1)the preimage transformer pre: is defined as (2)and the postimage transformer post: is defined as

Definition 3 (trace; see [3, 8]). A trace in model is a state sequence such that for all .

2.2. Assertion Graph

Definition 4 (assertion graph; see [3, 8]). An assertion graph is a quintuple , where is a finite set of vertices, is the initial vertex, is a set of edges satisfying for all , , , is a mapping: , and is a mapping: .

Definition 5 (path; see [3, 8]). A path in assertion graph is an edge sequence such that ends at a vertex from which starts for all .

Definition 6 (a trace is accepted by a path; see [3, 8]). An execution trace in a model is accepted by a path in an assertion graph if (suppose the length of trace and path is ) where is the th state of the trace and is the th edge of the path .

2.3. Four Kinds of Verifying Algorithms

Based on Definition 6, GSTE has four kinds of acceptance [19].

Definition 7 (SMC (model checking strong satisfiability)). A model strongly satisfies an assertion graph if for all finite initial paths in and all finite traces in of the same length is accepted by , denoted by .

Definition 8 (NMC (model checking normal satisfiability)). A model normally satisfies an assertion graph if for every infinite initial path in and every infinite trace in of the same length is accepted by , denoted by .

Definition 9 (FMC (model checking fair satisfiability)). A model fairly satisfies an assertion graph under (fairness constraint) if for every infinite fair path in and every infinite trace in , is accepted by , denoted by .

Definition 10 (TMC (model checking terminal satisfiability)). A model terminally satisfies an assertion graph under (terminal edge set) if for all finite terminal paths in and all finite traces in of the same length is accepted by , denoted by .

We use the following notations in the rest of the paper, be an arbitrary sequence of elements, be the length of the sequence, and be the th element in the sequence. Further, denotes the sequence by appending element to the end of when is finite, and is the sequence by appending element to the head of .

3. Terminal Satisfiability

In this section, we define some concepts such as terminal assertion graph and terminal path and give some related properties on them.

In GSTE, the set of states in model is finite , but each state has its successor states so that traces in the model can be extended to infinite length. Each edge in the assertion graph has its successor edges so that assertion graphs can specify infinite properties. It should be noted that in our daily life, most of the properties which have been verified are finite rather than infinite. In particular, some properties are terminated at some states and these states are not involved. In GSTE existing theories, the SMC algorithm is the only one used to handle finite properties [3, 8]; it cannot stop at some edges whose labels are not related to the specifications and there are many redundant calculations. The program proves that we can predict the behavior of the model; these observations lead us to hypothesize that finite specifications will terminate at some states which we can predict. Corresponding to terminal specifications, the paths will also terminate at some edges, which are named terminal edge. Our algorithm will make the labels on the edges, which cannot reach terminal edges, equal to . The method outlined here can be used to reduce the complexity of computation.

For convenience, we expanded the assertion graph into six-tuple.

Definition 11 (terminal assertion graph). A terminal assertion graph is a six-tuple , where , , , , and are the same as in preliminaries; is a set of terminal edges.

Definition 12 (terminal path). A terminal path is where is an initial edge, it starts from , and is a terminal edge, . The last edge of path must be terminal edge.

Definition 13 (a trace is accepted by a terminal path; see [3, 8, 19]). Let be a terminal assertion graph and be a model. Given an edge labeling where is either or , a trace in satisfies a terminal path of the same length under if for every , , denoted by The trace is accepted by the terminal path if denoted by .

Definition 14 (model satisfies terminal assertion graph). A model satisfies a terminal assertion graph if for all terminal paths in and all traces in of the same length one has , denoted by

Definition 15 (model strongly satisfies assertion graph; see [3, 8]). A model strongly satisfies an assertion graph () if for all finite paths in and all traces in of the same length one has , denoted by The Difference between Finite Path and Terminal Path. Note that there is a key difference between finite path and terminal path; unlike terminal path, which must be end up with a terminal edge , finite path can end up with any edge . Given our analysis, this suggests a terminal path will be a finite path; however, a finite path may not be a terminal path.

Let is a finite initial path and the length of is , where and is a terminal path and the length of is , where . The last edge of must be a terminal edge, ; however, the last edge of does not have this restriction, it just needs to meet , , so one has .

Theorem 16. For any assertion graph and any model , one has

Proof. According to Definition 15

Theorem 16 describes the relationship between SMC and TMC. If SMC returns true, then TMC returns true, but not vice versa. When , terminal satisfiability behaves as strong satisfiability. When , , we can remove some undesired paths in the assertion graph.

4. Model Checking with Terminal Satisfiability

In this section, we describe a model checking method for verifying terminal satisfiability. The concept of terminal satisfiability was proposed in [19] but was not given any algorithm. In this paper, we present an algorithm and prove it.

4.1. The TMC Algorithm

In [3, 8], the algorithms for SMC, NMC, and FMC were given. Our TMC algorithm is similar. First, we should define the backward simulation sequence.

Definition 17. Given an assertion graph and a model , the backward simulation sequence is as below where () is the -step backward simulation relation. It is defined as

Based on this result, when we verify finite properties, we simply verify those traces that can reach some states in , where . These states, which are related to the property, are assigned to the label of the terminal edge. Then we emulate the model’s behavior backwards starting from the terminal edge. The -step backward simulation relation is the set of the states that can reach the terminal edge within -step.

Obviously, the backward simulation relation sequence is nondecreasing and has a least fix-point upper limit bounded by . We denote the least fix-point by . Now we propose a terminal satisfiability model checking algorithm that first performs a series of graph transformations and then checks strong satisfiability on the resulting graph.

4.2. The Application of TMC

In order to describe TMC clearly, let us look at the following example [23].

Example 18. Consider the model in Figure 1, where .

Suppose we want to specify the following property: if the system is in the state , then it must have been in the last time when it was neither in nor . The model satisfies this property. Now, let us catch this property using the assertion graph in Figure 2.

The fact that SMC cannot verify this property is due to undesired paths, such as the finite initial path and the finite trace , , but the first state of is not in the . Thus, the model does not strongly satisfy the assertion graph. If we use SMC, the SMC algorithm will return false. In order to deal with this situation in the former, [3, 8] introduce NMC and FMC. As we know, NMC and FMC have been used to deal with -regular properties. If we want to solve the SMC’s limitation, we should expand finite specifications to infinite specifications. This is the key that leads to the increasing complexity of the model checking. However, the algorithm of using TMC to verify this property is more suitable. TMC can be accomplished without expanding finite specifications to infinite specifications. The following example is constructed only for the purpose of illustrating the computational procedure discussed.

Step 1. Construct the terminal assertion graph and figure out the terminal edges (Figure 3).

Step 2. First, the fix-point of every edge is computed according to Definition 17; then the label of every edge is replaced by the corresponding ; lastly, the resulting assertion graph is gotten.

Step 3. This step behaves as the algorithm . The edge which is marked by the blue line is the terminal edge. Supposing , there is only one terminal edge in the case (Figure 3). Thus, the terminal path can be grouped into two cases (as follows): Because the terminal path must end up with the terminal edge, there is only one terminal edge in Figure 3 and the vertex to is unreachable. Thus, if a path reaches the edge that is not a terminal path, then all terminal paths are finite. As we know, the length of a terminal path must be greater than or equal to 2. Thus, we can eliminate the path and the trace , which will lead to SMC returning false negative, since . The trace in model (Figure 1), if not starting from , ultimately would violate the label on the edge ; therefore the model (Figure 1) terminally satisfies the terminal assertion graph (Figure 3). The calculation is as follows (after one iteration, every edge can be reached to the fix-point).

The first iteration (initialization):

The second iteration: After replacing the label of each edge with the corresponding fix-point , the resulting assertion graph is shown as Figure 4.

As can be seen, of each edge has been reached by the minimum, and TMC returns true. Thus, the model satisfies the terminal assertion graph.

4.3. A Hardware Verification Case of TMC

In this section, we present a case study of TMC on hardware verification. The circuit we choose for this study is a round-robin arbiter, which is the core component in many real network systems [24]. An arbiter has inputs and the output is a vector encoding of arbitration results. Request with highest priority in round-robin order is granted in each cycle, and the priority of the request which is granted in last arbitration will become the lowest in the next round; this protocol guarantees a dynamic priority assignment to requestors without starvation. We consider the arbiter with 4 inputs (shown in Figure 5). First, the priority of inputs is placed in descending order from to [25, 26]. Thus, has the highest priority, has the next priority, and so on. Each input of the arbiter in Figure 5 is connected to a switch cell; only one of the four inputs will succeed each clock cycle. Others are rejected and must retry later. routeEnable is enable signal.

We model this arbiter as a finite state machine (shown in Figure 6) according to its truth table in paper [24]. The input is a vector of ternary-valued variables; each variable can take 0, 1, or . indicates that variable can take 0 or 1. Figure 6 is the model of this arbiter. Consider Safety property: once a request is set high from a state and kept high, then the request will be granted after several cycles. Suppose a state where the value of grant is , which means that the last request granted is req2; if the request req2 is set high again and kept high, then the request will be granted after at most 4 cycles. We use the terminal assertion graph to specify this property (shown as in Figure 7) [24]. Consider The edge is the terminal edge. We only verify those paths that end up with the edge . If we use SMC to verify this property, we must verify all finite paths. If using TMC, we only need to verify terminal paths. In the terminal assertion graph (Figure 7), all finite paths are as follows: If we use SMC, we must verify 22 paths: . But we use TMC only to verify . Therefore, the time cost by SMC is 3.14× with TMC in this case.

5. Correctness Proof

In this section, we formally prove that the TMC algorithm is both sound and complete.

5.1. The Logic of Algorithm

for all in , for all in of the same length, and for all in and for all in of the same length, By analyzing algorithm TMC, in the end, we use . Consider It indicates that we can only get But we are aiming at (according to (19)) Then, if we want to prove TMC is correct, we must prove that (according to (21) and (22))

5.2. The TMC Algorithm Is Sound

According to Definition 17, we get the following lemma.

Lemma 19. For a terminal assertion graph and a model , let be the backward simulation sequence towards . Then for any , for all finite terminal paths , and all finite traces of length , such that (1)(2)when and , we have () (note: represents all paths of length which are obtained by traversing backwards starting from the terminal edge. For example, if and , then , represents all traces of length obtained by traversing backwards starting from the last state of )(3)when , we have , .

Proof (mathematical induction). Suppose .
First Step . (1) since is a terminal path.
(2) Let us prove : According to (24)-(25),
(3) Let us prove , : According to (27)-(28), Then, the conclusions (1), (2), and (3) are true for .
Second Step. We already saw that the conclusions are true for . Assume this, for an arbitrary , the above lemma is true for , then we get the following.
( represents all traces of length and represents all terminal paths of the same length) (1) . (2) When , we have () (where represents all paths of length obtained by traversing backwards starting from the terminal edge; the terminal edge is the last edge of the terminal path; is similar), (3) when , we have , .
Third Step (let us derive the lemma is true for from above assumption). We must consider all terminal paths of length and all traces of the same length.
(1) since is a terminal path.
(2) We must prove () at this step, where represents all paths of length obtained by traversing starting from the terminal edge and is obtained by deleting the first two states of , , and . By the induction hypothesis we have the following conclusion: According to (31), namely, ().
(3) Consider According to (35)–(37), which exactly means that the lemma holds for . Therefore, the lemma is true for all starting with 2.

The conclusions of Lemma 19 have been used to prove Theorem 20. At the same time, Lemma 19 gives the conclusion that the backward simulation sequence is a convergent sequence. If the length of the path is , then the simulation sequence of the th edges will reach the fixed point through at least iterations.

Suppose is the fix-point of the backward simulation sequence based on the terminal set ; after replacing the label of each edge with the corresponding fix-point , the resulting assertion graph is denoted by .

Theorem 20. Consider

Proof. According to Section 5.1 (the logic of algorithm), we know holds equivalent to the following . For any , represents all terminal paths of length in assertion graph ( is also the terminal path in assertion graph ) and represents all traces of the same length in model . Consider The direction is obvious, since for any .
The direction : when , according to Lemma 19, therefore, .

can be obtained through a series of transformations on . Theorem 20 guarantees that these transformation operations will not change the model’s features on terminal satisfiability.

Theorem 21. For any terminal assertion graph and any model ,

Proof ( is defined in Theorem 20). Consider
Theorem 21 proves that the TMC algorithm is sound.

5.3. The TMC Algorithm Is Complete

Now let us prove the completeness of the algorithm. First, we need the following lemma.

Lemma 22 (see [3, 8]). For any , , and any , there is a finite initial path and a finite trace of some length such that

Lemma 22 provides a counterexample for the proof of Theorem 25. We can find a path and a trace satisfying but when TMC returns false. is the simulation sequence used in SMC algorithm; for more, please read [3, 8].

Lemma 23 (see [3, 8]). For all and ,

According to the results of Lemma 23, we can conclude that when .

Lemma 24. For a terminal assertion graph and a model , let be the backward simulation sequence towards . Then, for any , for any , and any state , there is a finite path which starts from and a finite trace which starts from of some length () such that

Proof (mathematical induction). is a subscripted variable of the simulation sequence .
(1) (): when , we have ; for all , there is a path of length and a trace such that When , we have two cases.
Case 1. , , the conclusion is obvious.
Case 2. and ; according to Definition 17: namely, there is a path of length and a trace such that
(2) Suppose the lemma is true for ( is an arbitrary integer), we can get for all , for all , there is a finite path starting from and a trace starting from of some length () such that
(3) Suppose for all and for all , according to Definition 17, we also have two cases.
Case 1. ; the lemma is obviously true according to induction hypothesis.
Case 2. Consider by the induction hypothesis, there exists a path of length () which starts from and a trace which starts from such that According to (51), there is a path of length and a trace of the same length such that (1), (2), and (3) show that the lemma is true.

Lemma 24 ensures that the counterexample path which we find is the terminal path.

Theorem 25. Consider

Proof. Consider according to the SMC algorithm, there exists an edge such that . Let , according to the Lemma 22, there exists a finite path of length and a trace of the same length such that
When , is the terminal path. Namely, there exists an initial terminal path and a trace of the same length such that , ; according to Definition 14, we get .
When , is not the terminal path, we know , . By analyzing Algorithm 1, we find that the terminal assertion graph is already updated to when we call the SMC, and every edge in is labeled with . In , for all , . According to Lemma 23, we get , . According to Lemma 24, there exists a finite path of length which starts from and a trace of the same length which starts from such that
Since , and can be spliced into one path of length . Since is true, and can be spliced into one trace whose length is . is a terminal path and such that
According to Definition 14, we get .

Input: the model and terminal assertion graph .
Output: true: model terminally satisfies the terminal assertion graph.
false: model doesn't satisfy the terminal assertion graph.
(1) repeat
(2) ;
(3) := the fix-point of the backward simulation sequence towards ;
(4) := replace the antecedent function in with ;
(5) until ;
(6) SMC;
(7) end.

Theorem 25 proves that the TMC algorithm is complete.

6. Conclusions

This paper has presented a theoretical and experimental study of the TMC process and related concepts, such as terminal assertion graph, terminal path, and terminal satisfiability. Under the basis of the concept mentioned above, to improve the efficiency of the method SMC and solve its limitation, this paper presented an algorithm TMC. The approach TMC is explained and discussed thoroughly in the body of the paper. Then, we use the hardware circuit round-robin arbiter to specify that TMC can be used in industry successfully. In the end, this paper proves that our approach is sound and complete. The method outlined here can be used to deal with finite specifications. It remains to be determined whether our approach will be suitable for infinite specifications.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by NSFC (nos. 60973016 and 61272175), 973 Program (no. 2010CB328004), and RFSGCC (no. SGSCDK00DWKJ1300510). The authors also would like to express their sincere thanks to Stephen Akobre and Lixiu Lin for useful discussions.

References

E. M. Clarke, O. Grumberg, and D. A. Peled, Model Checking, MIT press, 1999.
S. Hazelhurst and C.-J. H. Seger, “Simple theorem prover based on symbolic trajectory evaluation and BDD's,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 14, no. 4, pp. 413–422, 1995.
View at: Publisher Site | Google Scholar
S. Hazelhurst and C.-J. H. Seger, “Symbolic trajectory evaluation,” in Formal Hardware Verification, pp. 3–78, Springer, New York, NY, USA, 1997.
View at: Google Scholar
S. Owre, S. Rajan, J. M. Rushby, N. Shankar, and M. Srivas, “Pvs: combining specification, proof checking, and model checking,” in Computer Aided Verification, pp. 411–414, Springer, 1996.
View at: Google Scholar
C.-J. H. Seger and R. E. Bryant, “Formal verification by symbolic evaluation of partially-ordered trajectories,” Formal Methods in System Design, vol. 6, no. 2, pp. 147–189, 1995.
View at: Publisher Site | Google Scholar
M. Pandey, R. Raimi, R. E. Bryant, and M. S. Abadir, “Formal verification of content addressable memories using symbolic trajectory evaluation,” in Proceedings of the 34th Design Automation Conference, pp. 167–172, June 1997.
View at: Google Scholar
M. Pandey and R. E. Bryant, “Exploiting symmetry when verifying transistor-level circuits by symbolic trajectory evaluation,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 18, no. 7, pp. 918–935, 1999.
View at: Publisher Site | Google Scholar
J. Yang and C.-J. H. Seger, “Introduction to generalized symbolic trajectory evaluation,” IEEE Transactions on Very Large Scale Integration (VLSI) Systems, vol. 11, no. 3, pp. 345–353, 2003.
View at: Publisher Site | Google Scholar
E. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith, “Progress on the state explosion problem in model checking,” in Informatics, pp. 176–194, Springer, 2001.
View at: Google Scholar
C.-T. Chou, “The mathematical foundation of symbolic trajectory evaluation,” in Computer Aided Verification, pp. 196–207, Springer, 1999.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
C. Baier and J.-P. Katoen, Principles of Model Checking, MIT Press, Cambridge, Mass, USA, 2008.
View at: MathSciNet
Y. Ramakrishna, C. Ramakrishnan, I. Ramakrishnan, S. A. Smolka, T. Swift, and D. S. Warren, “Efficient model checking using tabled resolution,” in Computer Aided Verification, pp. 143–154, Springer, 1997.
View at: Google Scholar
P. Gammie and R. Van Der Meyden, “Mck: model checking the logic of knowledge,” in Computer Aided Verification, pp. 479–483, Springer, 2004.
View at: Google Scholar
B. Bentley, “High level validation of next-generation microprocessors,” in Proceedings of the 7th IEEE International High-Level Design Validation and Test Workshop, pp. 31–35, IEEE, 2002.
View at: Google Scholar
A. Platzer, E. M. Clarke, and P. Zuliani, “Bayesian statistical model checking with application to Simulink/Stateflow verification,” in Proceedings of the 13th ACM international conference on Hybrid systems, pp. 243–252, 2010.
View at: Google Scholar
E. M. Clarke and P. Zuliani, “Statistical model checking for cyber-physical systems,” in Automated Technology for Verification and Analysis, pp. 1–12, Springer, 2011.
View at: Google Scholar
E. M. Clarke, O. Grumberg, and D. E. Long, “Model checking and abstraction,” ACM Transactions on Programming Languages and Systems, vol. 16, no. 5, pp. 1512–1542, 1994.
View at: Publisher Site | Google Scholar
W. Visser, K. Havelund, G. Brat, S. Park, and F. Lerda, “Model checking programs,” Automated Software Engineering, vol. 10, no. 2, pp. 203–232, 2003.
View at: Publisher Site | Google Scholar
A. J. Hu, J. Casas, and J. Yang, “Reasoning about gste assertion graphs,” in Correct Hardware Design and Verification Methods, pp. 170–184, Springer, 2003.
View at: Google Scholar
J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, and L. J. Hwang, “Symbolic model checking: $10^{20}$ states and beyond,” Information and Computation, vol. 98, no. 2, pp. 142–170, 1992.
View at: Publisher Site | Google Scholar | MathSciNet
A. Biere, A. Cimatti, E. M. Clarke, O. Strichman, and Y. Zhu, “Bounded model checking,” Advances in Computers, vol. 58, pp. 118–149, 2003.
View at: Google Scholar
E. Clarke, A. Biere, R. Raimi, and Y. Zhu, “Bounded model checking using satisfiability solving,” Formal Methods in System Design, vol. 19, no. 1, pp. 7–34, 2001.
View at: Publisher Site | Google Scholar
J. Yang and C. J. H. Seger, “Generalized symbolic trajectory evaluation,” Intel SCL Tech. Rep, 2000.
View at: Google Scholar
Y. Li, N. Zeng, W. N. N. Hung, and X. Song, “Enhanced symbolic simulation of a round-robin arbiter,” in Proceedings of the 29th IEEE International Conference on Computer Design (ICCD '11), pp. 102–107, November 2011.
View at: Publisher Site | Google Scholar
E. S. Shin, V. J. Mooney III, and G. F. Riley, “Round-robin arbiter design and generation,” in Proceedings of the 15th International Symposium on System Synthesis, pp. 243–248, October 2002.
View at: Google Scholar
Y. Li, S. Panwar, and H. Jonathan Chao, “On the performance of a Dual Round-Robin switch,” in Proceedings of the 20th Annual Joint Conference of the IEEE Computer and Communications Societies, pp. 1688–1697, April 2001.
View at: Google Scholar

Copyright

Copyright © 2014 Yongsheng Xu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

1059

Downloads

758

Citations