Faster Verification of RTL-Specified Systems via Decomposition and Constraint Extension

Faster Verification of RTL-Specified Systems viaDecomposition and Constraint Extension

Stefan ANDREISchool of Computing

National University of SingaporeE-mail: [email protected]

Albert Mo Kim CHENGDepartment of Computer Science

University of HoustonE-mail: [email protected]

Abstract

Embedded and real-time systems are increasingly com-mon and complex, requiring formal specification and veri-fication in order to guarantee their satisfaction of desirablesafety and timing requirements. Real-Time Logic (RTL) hasbeen used to capture both the specification of a real-timesystem and the desirable safety assertions with respect tothis system specification. A verification procedure then de-termines whether the safety assertions hold with respect tothe system specification. However, the satisfiability problemfor RTL, as well as for other first-order logics, is undecid-able. Consequently, efforts have been focused on identifyingnon-trivial classes of formulas sufficiently practical for de-scribing industrial real-time systems for which the verifica-tion and debugging can be done via efficient heuristics. Onesuch class of formulas is the so-called path RTL. The firstcontribution of this paper is to extend the existing path RTLclass without sacrificing the time complexity of the tradi-tional path RTL heuristic for verification. This implies thatwe can specify and verify real-time systems, which we wereunable to do using the existing path RTL, in the extendedpath RTL. For real-time systems with large specifications,there is a lot of room for improvement in the algorithmsused for verification and debugging. The second contribu-tion of this paper is an efficient method to perform veri-fication and debugging of real-time systems specificationsusing decomposition techniques. Our idea is to decomposethe constraint graph, used in existing approaches, into in-dependent subgraphs so that it is no longer necessary toanalyze the entire specification at once, but rather its indi-vidual and smaller components. We have implemented thismethod in the Java-based DEVA-RTL tool and tested it onseveral industrial real-time systems.

1 Introduction

Real-time systems can be defined by either a structuralspecification (how their components work) or a behavioralspecification (showing the reaction of each component inresponse to an internal or external event). A behavioralspecification often suffices for verifying the timing prop-erties of the system. Given the behavioral specification of asystem (denoted by SP ) and a safety assertion (denoted bySA) to be analyzed, the verification goal is to relate a givensafety assertion with the system specification [8, 9]. Onesuch logic for describing the specification and the safety as-sertion is Real-Time Logic (RTL). However, the satisfiabil-ity problem for RTL, as well as for other first-order logics,is undecidable [16]. In an effort to find subclasses of RTLhaving decidable properties, the path real time logic (pathRTL) was described in [9, 10, 16]. A typical timing con-straint expressed in path RTL is a disjunction of inequali-ties like ∀i @(e1, i)− @(e2, i) ≤ k, that has the meaning:the difference between the time of the i−th occurrence ofevent e1 and the time of the i−th occurrence of event e2 isat most k, where the time occurrences, i and k are positiveintegers. Heuristics that deal with verification of SP → SAwere described in [9], and more recently in [3, 4]. The classof path RTL formulas was successfully used to specify in-dustrial real-time systems, e.g., railroad crossing [9, 10, 6],the moveable control rods in a reactor [9], the Boeing 777Integrated Airplane Information Management System [12],and the X 38, an autonomous spacecraft designed and builtby NASA as a prototype of the International Space StationCrew Return Vehicle [14, 6].

However, the path RTL subclass has some limitations.To llustrate this, let us consider the specification of an air-port radar station. As described in [6], an airport radar sta-tion specification has two parts: the sensing part and thetracking/computation part. Since the sensing part of theradar station specification (adapted from [6]) is simpler thanthe tracking/computation part, let us illustrate here as a mo-tivating example of path RTL limitation (the other part be-

1Proceedings of the 27th IEEE InternationalReal-Time Systems Symposium (RTSS'06)0-7695-2761-2/06 $20.00 © 2006

ing specified in Section 3): “Suppose there is a radar stationhaving two radar sensors for detecting actions. The radarstation is turned on at time 0. In order to allow time for theinitialization routine, the sum of times when both sensorsinitially start sensing must be at least 5 seconds. If the firstsensor starts early, the second sensor must start later, andvice versa. Both sensors may start at the same time but onlyafter 5 seconds. Moreover, at most 11 seconds may elapsebetween the starts of both sensors.” Clearly, by translatingthe above natural language specification in the path RTL,we get:

∀i @(RadarSensor1, i)+ @(RadarSensor2, i) ≥ 5 ∧@(RadarSensor1, i)− @(RadarSensor2, i) ≤ 10 ∧@(RadarSensor2, i)− @(RadarSensor1, i) ≤ 10.

This specification involves inequalities that cannot be ex-pressed in the path RTL. To check that, let us consider theabstracted version of the above specification, i.e., f1(x) +f2(x) ≥ 5 ∧ f1(x) − f2(x) ≤ 10 ∧ f2(x) − f1(x) ≤ 10.One can think that we can do some transformations andstill reduce it to the path RTL. For example, an attemptof transforming f1(x) + f2(x) ≥ 5 to a path RTL-like in-equality is to replace f2(x) with−f3(x). But then the otherpath RTL-like inequalities become now non path RTL, i.e.,f1(x) + f3(x) ≤ 10 ∧ −f3(x) − f1(x) ≤ 10. Any directtransformation would fail as the above inequalities containboth ‘+’ and ‘−’ operators. In the following sections ofthis paper, we shall present an extension of the path RTLclass by allowing inequalities like f1(x) + f2(x) ≥ k andf1(x)+f2(x) ≤ k to be part of the specification. Obviously,equalities like f1(x) + f2(x) = k may be also part of theextended path RTL specification, as they can be easily con-verted into the above two inequalities. Then a new and fastalgorithm based on a translation to an extended constraintgraph is described, too.

In order to describe the second contribution of this pa-per, we remind that the important key point in verificationof a safety assertion with respect to the specification of areal-time system was the constraint graph [9]. This is anintermediate data structure useful for the translation of thenegation of the formula SP → SA to a propositional for-mula PF . If PF is unsatisfiable, then SP → SA is atheorem. In case that SP → SA is not yet a theorem, thedebugging problem is obviously an important task, that is,to identify some changes in the specification such that thenew SP → SA becomes a theorem. There exist alreadyefforts dealing with the debugging problem for some RTLsubclasses, in a manual way [3] and in a systematic way[4]. However, for real-time systems having large specifi-cations, the algorithms used for verification and debuggingcan be further improved. This is because the intermediateconstraint graph may have a large size, so the satisfiabil-ity of the corresponding propositional formula may need an

impractical amount of time to be established. All knownindustrial real-time systems specified in path RTL (e.g., therailroad crossing, the moveable control rods in a reactor,the Boeing 777, and the X 38) have more than one (inde-pendent) sub-component, so the divide-and-conquer strat-egy can be successfully applied. Among them, X 38 repre-sents the real-time system having the largest RTL specifica-tion. That is why we choose this as a case-study in Section4 in order to describe our new technique. As mentioned in[14], the constraint graph for the X 38 specification of thenegation of SP → SA has 26 nodes and 74 arcs. This leadsto a propositional formula which takes a long time to checkfor satisfiability. In general, industrial examples have manycomponents that are not time-related or are loosely time-related. For example, the timing constraints of the brakingcomponent of a car are not necessarily related to the frontheadlights component of a car. Similarly, the flight-criticalloop of the X 38 is not time-related with the non-flight criti-cal loop of the X 38. By exploiting this issue, we provide anefficient method to solve the verification and debugging oflarge real-time systems specifications using decompositiontechniques. We describe a way to decompose the constraintgraph into independent subgraphs so that it does not have toanalyze the entire specification at once, but only the smallercomponents.

To summarize, the contribution of this paper is two-fold:

1. a non-trivial extension of the existing path RTL byallowing inequalities like f1(x) + f2(y) ≥ k andf1(x) + f2(y) ≤ k to be also part of the specificationand safety assertion (the path RTL allows only con-straints like f1(x)− f2(y) ≤ k for specification);

2. an efficient divide-and-conquer method to solve theverification and debugging problem of large real-time systems specifications using decomposition tech-niques; in this way, dealing with smaller componentscan lead to efficient verification and debugging of theentire real-time system.

Experimental results show that our method of automaticmodular verification and debugging of real-time systemsspecification is very practical, as we evaluated it on severalexisting industrial based applications.

The structure of this paper: Section 2 presents thebackground of real-time logic (adapted from [8, 9, 10, 16,6, 3, 4]). Section 3 describes the extended path RTL, as anew and larger class of formulas that can be used to spec-ify new real-time systems (e.g., airport radar station). Sec-tion 4 presents a motivating example specified in path RTL,namely the X 38 spacecraft, followed by explanations ofhow our algorithm uses decomposition techniques to breakthe constraint graph into independent subgraphs. Section5 demonstrates how experimental results were applied for


several existing industrial based applications. The last twosections present related work and conclusions.

2 The Real-Time Logic Background

Firstly, we describe the path RTL logic as a uniform wayto express the real-time systems specifications. Secondly,we remind some definitions and notations from proposi-tional calculus (i.e., the SAT and #SAT problems). Thirdly,we show how a useful auxiliary data structure (i.e., the con-straint graph) is constructed. Finally, we discuss about thedecidability results of this logic, as well as its applicability.

Real-time logic (RTL), which is based on a first-orderlogic with restricted features, was introduced in [8] to cap-ture the timing requirements of real-time systems. Real-time logic provides a uniform way to specify the relativeand uniform timing of events. It is an extension of integerarithmetic without multiplication between variables (Pres-burger arithmetic) that adds a single uninterpreted binaryoccurrence function, denoted by @, to represent the rela-tionship between events of a system, and their times of oc-currence. The equation @(e, i) = t states that the time ofthe i−th occurrence of event e is t. Let us denote with Z,N and N+ the set of integers, positive integers, and strictpositive integers, respectively. The time occurrence func-tion is a mapping @: E × N+ → N, where E is a domainof events, and such that @ is strictly monotonically increas-ing in its second argument, i.e., @(E, i) < @(E, i+ 1), forany i ∈ N+. There are no event variables, or uninterpretedpredicate symbols. So, RTL formulæ are boolean combina-tions of equality and inequality predicates of standard inte-ger arithmetic, where the arguments of the relations are in-teger valued expressions involving variables, constants, andapplications of the function symbol @. Usually, there arefour classes of events, namely: stop and start events (↑Aand ↓A denote the start and stop events of the action A),transition events and external events. The correctness ofa real-time system specification can be achieved by com-puting the satisfiability of an associated propositional for-mula. A particular subclass of practical RTL formulæ (i.e.,efficient heuristics exist for this) is the so-called path RTL,[9, 16] and it has two restrictions:

a) each arithmetic inequality may involve only two termsand an integer constant, where a term is either a variable ora function;

b) no arithmetic expressions with a function may take aninstance of itself as an argument.

Let LP be the propositional logic over the finite set ofatomic formulæ (variables) V = {A1, ..., An}. A literalL is an atomic formula A (positive literal) or its negation¬A (negative literal), that is, V(L) = V(¬L) = A. Anyfunction S : V → {0, 1} is an assignment that can beuniquely extended in LP to a propositional formula F . The

binary vector (y1, ..., yn) is a truth assignment for F overV = {A1, ..., An} if and only if S(F ) = 1 such thatS(Ai) = yi, ∀ i ∈ {1, ..., n}. A formula F is called satisfi-able if and only if there exists an assignment S for whichS(F ) = 1; otherwise F is called unsatisfiable. Any fi-nite disjunction of literals is a clause. The set of atomicformulæ whose literals belong to clause C and formula Fare denoted by V(C) and V(F ), respectively. Any proposi-tional formula F ∈ LP having l clauses can be translatedinto the conjunctive normal form (CNF): F = (L1,1∨ ...∨L1,n1)∧ ... ∧(Ll,1∨ ... ∨Ll,nl

), where the Li,j’s are liter-als. We can denote the above F using the set representationF = {{L1,1, ..., L1,n1}, ..., {Ll,1, ..., Ll,nl

}}, or simplyF = {C1, ..., Cl}, where Ci = {Li,1, ..., Li,ni

}. We de-note the empty clause, the one without any literal, by . Aclause C is called positive (or negative) if and only if Ccontains only positive (or negative) literals.

In [3], the notion of determinant was introduced. LetC1, ..., Cs be clauses over V (s ≥ 1). We denote mV (C1,..., Cs) = |{A | A ∈ V − V(C1∪ ... ∪Cs)}| anddifV (C1, ..., Cs) = 0 if (∃ i, j ∈ {1, ..., s}, i 6= j, suchas ∃ L ∈ Ci and ¬L ∈ Cj) or (∃ i ∈ {1, ..., s}, such asCi = ); Otherwise difV (C1, ..., Cs) = 2mV (C1,...,Cs). Us-ing the above notations, the determinant of the set of clausesF = {C1, ..., Cs} is detV (F ) = detV (C1, ..., Cs) = 2|V |−

s∑j=1

(−1)j+1 · ∑1≤i1<...<ij≤s

difV (Ci1 , ..., Cij ). In other

words, the determinant is a positive integer representing thenumber of truth assignments of the given clausal formula[2]. A useful implication of this fact is that detV (F ) = 0if and only if F is unsatisfiable. For instance, consideringF1 = {{p, q, r}, {¬p,¬q}, {¬q, r}, {p,¬r}} over V ={p, q, r}, we get detV (F1) = 23− (1+2+2+2)+1 = 2.This means that F1 has 2 truth assignments over V .

The main approach for timing constraints verification ofa real-time system specification is to express the specifica-tion and safety assertion in terms of path RTL. Then, inorder to translate these into an equivalent Presburger arith-metic formula, each @(E, i) is replaced by a function fE(i).This translation is denoted by Presb(). To do the conver-sion of a RTL formula to a propositional formula, an inter-mediate data structure is needed, namely the so-called con-straint graph. We say that G = (V, E, W ) is a cost graphif V is a nonempty set of nodes, W is a nonempty set ofweights, and E is a nonempty set of arcs over V , that is,E ⊆ V× V ×W . An arc e from v to v′ of cost w is denotedas e = (v, v′, w) or equivalently e = v

w→ v′. When theweight is not important, it can be omitted. Thus an arc ecan be denoted as e = (v, v′) or e = v → v′. A path oflength n in G from v to v′ is a word p ∈ E∗, that is, p = e1

e2 ... en, n ≥ 1, where e1 = v0w1→ v1, e2 = v1

w2→ v2,..., en = vn−1

wn→ vn. If v0 = vn, then the above path iscalled a cycle. The number w1+ ... +wn is called the total


weight of the cycle. We say that G′ = (V ′, E′) is a sub-graph of G = (V, E) if and only if V ′ ⊆ V and E′ ⊆ E.A strongly connected component, denoted as SCC, is a setof nodes such that any two nodes v and v′ of SCC are con-nected through a path from v to v′, as well as a path fromv′ to v. Every finite graph can be decomposed into a finitenumber of strongly connected components. Traditionally,the constraint graph is a cost graph constructed as follows[9]: for each inequality v1− v2 ≤ I , two nodes labelledwith v1 and v2 are linked by an arc (v1, v2) of weight I .The nodes should be joint together if a substitution can bindthem, e.g., given the inequalities f(x) − g(x) ≤ 10 andg(T ) − h(U) ≤ 3, then g(x) and g(T ) will be viewed asa single node (because of the substitution of variable x andconstant T - sometimes, this node is called a cluster). Thus,a set of inequalities represented by the constraint graph isunsatisfiable if and only if a cycle is present in the graphwith a positive total weight on it [9].

A variation of Herbrand’s Theorem for this approach waspresented in [9]. That result permits one to use any methodin propositional logic to check for unsatisfiability becausepositive cycles are detected and the appropriate clauses areadded to the existing set of clauses. Considering Xi,1, Xi,2,..., Xi,ni as the i−th positive cycle, then the formula Pi =Xi,1∧ Xi,2∧ ... ∧Xi,ni is unsatisfiable (so, ¬Pi is a tau-tology). Therefore, PF is satisfiable if and only if PF∧ {¬Pi | for all positive cycle i} is satisfiable. The map-ping PosCycle() returns the set of negative clauses cor-responding to the positive cycles of the constraint graph.The clausal formula PF contains only positive clauses cor-responding to all arcs of the constraint graph, and only neg-ative clauses corresponding to a positive cycle.

If SA is a theorem derivable from SP , then the systemis safe. If SA is unsatisfiable, then the system is inherentlyunsafe. If ¬SA is satisfiable under certain conditions, addi-tional constraints may be added to SA and/or SP to ensureits safety. A systematic incremental approach was presentedin [4] to obtain a modified SA and/or SP so that SP → SAis a theorem. This is outlined in Procedure A, a generalscheme for systematic and automatic debugging (the veri-fication problem can be viewed as a particular case of thedebugging problem).

Procedure A:Input: SP , SA such that ¬SA is satisfiable;Output: SPnew, SAnew such that the system is safe;Method:1. k = 1; SP1 = SP; SA1 = SA;2. while (SPk → SAk is not a tautology) {3. let SPnew and SAnew be new constraints;4. SPk+1 = SPk ⊕ SPnew;5. SAk+1 = SAk ⊕ SAnew;6. k = k + 1; }7. SPnew = SPk; SAnew = SAk;

The technique expressed in Procedure A is known in theliterature [9] as the fix-point approach. This uses an in-duction on the number of corrections until a fixed point isreached. An improvement to the above technique was de-scribed in [3], using a foundation of incremental countingsatisfiability for the verification of timing constraints of areal-time system. In other words, the satisfiability of the for-mula SPk+1 → SAk+1 was expressed incrementally fromthe satisfiability of SPk → SAk. The total cost of eachnew method can be more efficiently achieved through com-puting the satisfiability of the newly added or subtractedclauses, according to the operator ⊕ (that denotes an op-eration on sets similar to the ordinary union). In general,one may want to remove constraints from SA and to addconstraints to SP. But for the sake of generality, we usethe same operator ⊕. So, there is no need to consider thesatisfiability of the entire new formula (step 3 of ProcedureA). Briefly, the key point in that technique was computingthe determinant of that propositional formula), instead oftraditional boolean satisfiability [9]. The determinant cantell us how “far away” is a given specification from satis-fying its safety assertion. In this paper, we describe twoimprovements built on top of this technique [3], namely anextension of the specification and a decomposition of theconstraint graph.

The test condition of the while loop of Procedure Acan be described by putting altogether all the above facts asfollows:

1. consider F1 = ¬(SPk → SAk);2. get the Presburger formula: F 1

Presb = Presb(F1);3. get the Skolem formula: F 1

CNF = Skolem(F 1Presb);

4. extract the positive clauses: F 1pos = pos(F 1

CNF);5. construct the constraint graph: CG = graph(F 1

CNF );6. for each positive cycle of CG, get a negative clause: F 1

neg

= PosCycle(CG, F 1CNF);

7. get the propositional formula: PFk = F 1pos ∪ F 1

neq

8. if det(PFk) == 0 then PFk is unsatisfiable, so SPk →SAk is a tautology.

In case when the condition of step 8 above is evaluated tofalse, then the while loop of Procedure A has to be exe-cuted. This can be done efficiently by using the #SAT prob-lem above. That is, det(PFk+1) will be computed by sim-ply adding the former value, i.e., det(PFk), and the valueof the increment of the new clauses (details of this strategycan be found in [3, 4]).

3 The Extended Path Real Time Logic

Similar to the constraint graph construction, theextended constraint graph, defined as ECG =(EN, EA, EW ), can be given. Let ν be the set ofliterals that appear in SP and SA. The set of extended


nodes is denoted as EN = {v+, v− | v ∈ ν}. We say thata timing difference constraint is in the normal form if ithas one of the following forms vi − vj ≤ c, vi + vj ≤ c,−vi − vj ≤ c, vi ≤ c and vi ≥ c, where vi and vj

may be variables or functional symbols of one argument(e.g., f(x)) and c an integer constant. For each inequalityexpressed in normal form we construct the set of arcs EAsuch as:1. for any vi − vj ≤ c, i 6= j: add arcs (v−i , v−j , −c) and(v+

j , v+i , −c) to EA;

2. for any vi + vj ≤ c, i 6= j: add arcs (v−i , v+j , −c) and

(v−j , v+i , −c) to EA;

3. for any −vi − vj ≤ c, i 6= j: add arcs (v+i , v−j , −c) and

(v+j , v−i , −c) to EA;

4. for any vi ≤ c: add arc (v−i , v+i , −2 · c) to EA;

5. for any vi ≥ c: add arc (v+i , v−i , 2 · c) to EA.

We generalize the path RTL to the extended path RTLby simply allowing a timing constraint to have any of theabove five forms described in the normal form. Note thatunlike the traditional construction of the constraint graphwhere one inequality generates two nodes and one arc, inthe case of the extended constraint graph an inequality willgenerate four nodes and two arcs (e.g., the above first threecases). This implies that the propositional formula corre-sponding to real-time systems specified in extended pathRTL tends to have twice as many propositional variablesand clauses as the propositional formula of the same sys-tem specified in traditional path RTL (of course, if this for-mula is specifiable in traditional path RTL). This empha-sizes that a larger graph is needed to handle the new con-straints. Moreover, equalities like vi + vj = c may bealso part of the extended path RTL specification, as they canbe easily converted into the two extended path-RTL normalform inequalities: vi + vj ≤ c and −vi − vj ≤ −c.

We have presented in Introduction a small part of thesensing part specification of an airport radar station. In thefollowing, we describe the tracking/computation part spec-ification of the radar station (adapted from [6]): “A radarsystem searches objects of interest in the desired coveragearea by repeatedly executing the following steps: (1) scan-ning/radio signal processing, (2) tracking, and (3) data as-sociation/classification. Here, we specify a simplified ver-sion of the specification of the tracking step for four objects.The safety assertion states that the computing resources (2CPUs) can feasibly schedule the four object-tracking tasks,each tracking a distinct object of interest. Each task is fullyparallelizable and thus can execute on two CPUs if neededto speed up its execution by a factor of 2. Tasks T1, T2,T3, and T4 have respectively computation times c1, c2, c3,and c4, all with the same period of p.” In order to translatethe above natural language specification to an extended pathRTL formula, we denote by Tj CPUk the fact that task j is

executing in CPUk. For any j ∈ {1, ..., 4} and k ∈ {1, 2},we denote by @(↑ Tj CPUk, i) and @(↓ Tj CPUk, i)the i-th occurrence of the starting and the ending time oftask Tj CPUk, respectively. The above specification canbe written in the extended path RTL as SP :

@(↓ T1 CPU1, i) + @(↓ T1 CPU2, i) ≤ c1+ c2+ c3+ c4

@(↓ T2 CPU1, i) + @(↓ T2 CPU2, i) ≤ c2+ c3+ c4

@(↓ T3 CPU1, i) + @(↓ T3 CPU2, i) ≤ c3+ c4

@(↓ T4 CPU1, i) + @(↓ T4 CPU2, i) ≤ c4

The next eight identities express that the computationtime of each task equals the difference between the endingtime point and the starting time point:∀ j ∈ {1, ..., 4} and k ∈ {1, 2}, we have @(↓ Tj CPUk,

i) - @(↑ Tj CPUk, i) = cj

There exists a task priorities sequence: the task T4 is thehighest, and T1 is the lowest. This implies the extended pathRTL formulas:∀ j ∈ {1, 2, 3} and k ∈ {1, 2}, we have @(↑ Tj CPUk,

i) > @(↑ Tj+1 CPUk, i), where the margin cases are @(↑T1 CPUk, i) < p and @(↑ T4 CPUk, i) ≥ 0.

The above SP can be checked now for feasibility (i.e.,there exists a schedule for all tasks in each period) by thefollowing extended path RTL formula, denoted with SA(stands here for the ‘schedulling assertion’):∀ j ∈ {1, ..., 4} and k ∈ {1, 2}, we have @(↓ Tj CPUk, i) ≤ p.

Note that the above specification is using the extendedpath RTL formulas. Since it makes use of both arithmeticoperators “+” and “−”, the specification cannot be doneusing only the traditional path RTL formulas.

The above specification and schedulling assertion con-tain constants c1, c2, c3, c4 and p. To illustrate the verifica-tion and debugging of SA in the context of SP , we considera specific system configuration by assigning values for theconstants that occur in SP. Let these be c1 = 32, c2 = 8,c3 = 28, c4 = 12 and the period p = 40. For simplicity,we omit the argument i, so we associate to each time oc-currence function a functional symbol of arity 0, such as:@(↑ Tj CPUk, i) will be denoted as sj,k (where ‘s’ standsfor ‘start’) and @(↓ Tj CPUk, i) will be denoted as ej,k

(where ‘e’ stands for ‘end’). After substituting the constantsand reducing the formula to its normal form, we obtain thefollowing (e.g., we also transform the equalities in inequal-ities):

Task 1 Task 2 Task 3e1,1 + e1,2 ≤ 80 e2,1 + e2,2 ≤ 48 e3,1 + e3,2 ≤ 40e1,1 − s1,1 ≤ 32 e2,1 − s2,1 ≤ 8 e3,1 − s3,1 ≤ 28s1,1 − e1,1 ≤ −32 s2,1 − e2,1 ≤ −8 s3,1 − e3,1 ≤ −28e1,2 − s1,2 ≤ 32 e2,2 − s2,2 ≤ 8 e3,2 − s3,2 ≤ 28s1,2 − e1,2 ≤ −32 s2,2 − e2,2 ≤ −8 s3,2 − e3,2 ≤ −28s1,1 ≤ 41s1,2 ≤ 41


Task 4 Start CPU1 Start CPU2

e4,1 + e4,2 ≤ 12 s2,1 − s1,1 ≤ −1 s2,2 − s1,2 ≤ −1e4,1 − s4,1 ≤ 12 s3,1 − s2,1 ≤ −1 s3,2 − s2,2 ≤ −1s4,1 − e4,1 ≤ −12 s4,1 − s3,1 ≤ −1 s4,2 − s3,2 ≤ −1e4,2 − s4,2 ≤ 12s4,2 − e4,2 ≤ −12s4,1 ≥ 0s4,2 ≥ 0

The schedulling assertion to be checked is:∧i,j

ei,j ≤ 40,

∀ i ∈ {1, ..., 4}, j ∈ {1, 2}. Thus, the negation of theschedulling assertion is

∨i,j

ei,j ≥ 41. The extended con-

straint graph corresponding to SP ∧ ¬SA is given below.Because of its large size, we split it into four components,one for each task, and their interconnections. In fact, welimit the extended constraint graph only to describe the be-havior of task 1 (Figure 1), the rest being similar. The vari-ables si,j and ei,j correspond to the nodes of the extendedconstraint graph s−i,j , s+

i,j and e−i,j , e+i,j . The arcs are gener-

ated according to the steps described at the beginning of thissection. Moreover, there exist 12 more arcs that correspondto the starting times of both CPU1 and CPU2. These arcslink some of the internal nodes of the above four tasks’ ex-tended constraint graphs, namely (s−i,j , s−i−1,j , 1) and (s+

i,j ,

s+i−1,j , 1), ∀ i ∈ {2, 3, 4}, j ∈ {1, 2}.

−80

−82

−32

s+1,1

e−1,1 e+1,1 e−1,2 e+

1,2

s−1,2 s+1,2s−1,1 −32

−32

−80

32

32

32

32

−32

82 82

−82

Figure 1. The task 1’s extended constraint graph

The next step in doing the verification of unsatisfiabilityof SP ∧ ¬SA is to construct the corresponding proposi-tional formula using the above extended constraint graph.As mentioned in [9] and reminded in Section 2, for eachnew arc there exists a new propositional variable (that mayappear in disjunctions) and for each positive cycle there ex-ists a negative clause. The corresponding propositional for-mula for the whole extended path RTL formula has 60 vari-ables and 72 clauses. For example, the arc (e−1,2, e+

1,1, −80)corresponds to a propositional variable denoted as ee−+

1,2,1,1.There are 7 distinct cycles in the extended graph of Figure1, but only 3 of them are positive. For example, the pos-itive cycle given by the arcs (e−1,2, e+

1,1, −80), (e+1,1, e−1,1,

82), (e−1,1, e+1,2, −80), (e+

1,2, e11,2, 82) leads to the nega-

tive clause ¬ee−+1,2,1,1∨ ¬ee+−

1,1,1,1∨ ¬ee−+1,1,1,2∨ ¬ee+−

1,2,1,2.When computing the determinant of the propositional for-mula, we get the value 0, which means that SP ∧ ¬SA isunsatisfiable. This implies that SP → SA is a theorem, sothe airport radar station is feasible.

We have seen that the above extended constraint graphmay be quite large, so its propositional formula is too. Thenext section shows an efficient decomposition technique todeal with large specifications.

4 Our Decomposition Technique

In order to motivate the decomposition technique, wepresent in this section the X 38 as a useful case-study. Thecomplete specification can be found in [14], [6]. For sim-plicity, the presentation will follow the notations of the con-straint graph, but all the results may be applied to the ex-tended constraint graph, too. The X 38 is a family of ve-hicles built as incremental development prototypes for theCrew Return Vehicle (CRV) of the International Space Sta-tion (ISS). Its mission is to automatically and safely bringto earth a crew of seven passengers in the event of an emer-gency ISS evacuation. The CRV vehicle is designed to au-tonomously perform all the guidance, navigation, and con-trol functions, the deorbit burn, a parafoil-assisted glidethrough the atmosphere, and to land horizontally at one ofseveral pre-determined landing sites.

As the requirements and design phases of the X 38’ssoftware task structure is rapidly maturing, it became moti-vated that a method to represent the timing and schedulingaspects of the system in order to analyze, communicate, ver-ify, and debug critical real-time performance of the systemis needed.

The analysis and verification of the X 38 timing prop-erties using RTL was done in [14]. The RTL specificationof the X 38 avionic system captures the two X 38 flight-critical control loops, as well as one non-flight critical con-trol loop and the associated safety assertion. The task namesyntax is such that the first three characters define the pro-cessor, the next character designates I−input, P−process,or O−output; the number identifies the speed of the processin Hertz or cycles per second, next is the criticality such asFC-flight critical or NFC-non flight critical, and last is anyother necessary information such as data type. The variablei represents the loop count or iteration number. For exam-ple, the set of constraints in the flight critical 50 Hz controlloop are the first five listed below [14]:∀ i @(↑ ICP I50FC SSR, i)− @(↓ ICP I50FC SSR, i) ≥ −2∀ i @(↑ FCP I50FC, i) −@(↓ FCP I50FC, i) ≥ −1∀ i @(↑ FCP P50FC, i) −@(↓ FCP P50FC, i) ≥ −5∀ i @(↑ FCP O50FC, i) −@(↓ FCP O50FC, i) ≥ −1

∀i@(↑ ICP I50FC CMD, i)−@(↓ ICP I50FC CMD, i) ≥ −1


The workload for the first task, designated “Instrumenta-tion Control Processor (ICP) Input (I) of 50 Hz Flight Crit-ical (FC) Sensor Data”, is a maximum of 2 ms. The abovegroup of tasks is representative of the ICP reading all 50Hz flight-critical sensors such as flap, rudder positions, andGlobal Positioning System (GPS) data; passing that datato the Flight Critical Processor (FCP) as input, having theguidance application process that data and formulate com-mand output, passing that output to the ICP, and having theICP actuate the command. This list is the first of two flightcritical timing loops, requiring completion within 10 ms forsafe vehicle control. The 10 Hz flight-critical control loop issimilar, but a loop completion time of 50 ms, rather than 10ms, is required. This completion requirement is representedin the safety assertion formula. The non-flight-critical tasksonly receive sensor input and produce no command output,and are included as a representation of the many non-flight-critical tasks which run in the background but whose execu-tion is not considered safety-critical.

Let us present the safety assertion here, the completespecification can be found in [14]. It states that each ofthe flight critical control loops, the 50 Hz and the 10 Hz,from initial sensor read through command activation, mustexecute within 10 and 50 ms., respectively:∀ i @((↓ ICP I50FC CMD, i)−@(↑ ICP I50FC SSR, i) ≤ 10

∧@(↓ ICP I10FC CMD, i)− @(↑ ICP I10FC SSR, i) ≤ 50)

In order to verify the satisfaction of the safety assertion,the formulæ are represented using the constraint graph tech-nique. The system specification alone produces a graphwith no positive cycles. Negation of the safety assertion,however, yields arcs which produce positive cycles betweenclusters. As mentioned in [14], the constraint graph for theX 38 specification of the negation of SP → SA has 26nodes and 74 arcs. This leads to a propositional formulawhich takes quite a long time to check for satisfiability. Apractical idea would be to find a way to decompose the con-straint graph into independent subgraphs so that it does nothave to analyze the entire specification at once, but only thesmaller components. Next, we introduce a general efficientmethod to individually verify and debug each strongly con-nected component of the constraint graph. The satisfiabilityof one or all strongly connected component(s) can be usedto determine the satisfiability of the entire specification. Weshow how our algorithm uses decomposition techniques tobreak the constraint graph into independent subgraphs sothat it does not have to analyze the entire specification atonce. We now recall some notations from Section 2. Giventhe negation of the path RTL specification F , we denoteby CGF the constraints graph associated with F. Given theconstraints subgraph CG′F ⊆ CGF , we denote by PFG′

the propositional formula obtained from F by consideringonly the nodes and arcs of CG′F .

Definition 4.1 Let F be the negation of a path RTL speci-fication formula, CGF its corresponding constraint graph,and PF be the corresponding propositional formula. Letus also consider that SCC1, ..., SCCn are the stronglyconnected components of CGF and PFSCC1 , ..., PFSCCn

are their corresponding propositional formulæ. For a giveni ∈ {1, ..., n}, we say that:

a) SCCi is globally independent if and only if there isno arc (u, v) ∈ E(CGF ) for which (u ∈ V (SCCi) andv /∈ V (SCCi)) or (u /∈ V (SCCi) and v ∈ V (SCCi));

b) SCCi is locally independent from SCCj , where j 6=i, if and only if ∀u ∈ V (SCCj), ∀v ∈ V (SCCi), the cor-responding literal in PFSCCi of the arc (u, v) does not ap-pear in a disjunction of other arcs of SCCi;

c) SCCi is locally neighbour independent if and only ifthere exists a j such that SCCi is locally independent fromSCCj;

d) SCCi is locally neighbours independent if and only iffor all j such that SCCj is connected with an arc to SCCi,we have that SCCi is locally independent from SCCj .

Informally, Definition 4.1 states that SCCi is globallyindependent if SCCi is completely isolated from the otherstrongly connected components of CGF . Both CGF andPF in Definition 4.1 are according to the eight steps ofconversion described in Section 2. The “corresponding lit-eral” in item b) is the associated literal of the arc (u, v),the one added to the constraint graph to capture a timingconstraint u− v ≤ I (details in Section 2). So, item b)refers to two strongly connected components linked by arcsthat do not appear in formula disjunctions. The rest of theitems of Definition 4.1 deal with situations when SCCi canbe unidirectionally connected with the rest of the graphs.Note that the notions of locally neighbour independent andlocally neighbours independent coincide only when SCCi

has exactly one neighbour. Figure 2 from this section andFigure 3 from Subsection 5.2 contain examples of locallyneighbour independent decompositions.

Let us illustrate now a complementary case with thoseenumerated in Definition 4.1. In case SCCi and SCCj

are linked by an arc (u, v) that appears in a disjunction ofSP ∧ ¬SA, then SCCi and SCCj cannot be independent.So, SCCi and SCCj should be analyzed together. This mo-tivates the splitting of the initial formula into subformulæ,by targeting the satisfiability of the initial formula using thesatisfiability of its subformulæ. In this way, any subformulacan decide independently or together the unsatisfiability ofthe initial formula. In other words, it is likely that not allstrongly connected components are necessary to be checkedto do the verification and debugging of the entire real-timesystem.

Coming back to our case-study, we have identified forthe X 38 constraint graph, three different strongly con-nected components, i.e., two referring to 50 and 10 Hz


flight-critical loops (denoted as SCC1 and SCC2, respec-tively), and the third one referring to the non-flight criticalloop (denoted as SCC3). In other words, SCC1, SCC2

and SCC3 are subgraphs of the X 38 constraint graph. Thecomplete list of constraints appearing in SCC1, SCC2, andSCC3 can be found in [14]. The timing dependencies ofthese components are illustrated in Figure 2.

SCC1

SCC2 SCC3

Figure 2. The X 38 constraint graph

According to Definition 4.1, SCC1, SCC2 and SCC3

are locally neighbours independent because the arcs cor-responding to the constraints @(↓ FCP I50FC, i) −@(↑FCP I10FC, i) ≤ 0 and @(↓ FCP I50FC, i) −@(↑FCP I50NFC, i) ≤ 0 are the only ones from SCC1 toSCC2 and from SCC1 to SCC3, respectively. Moreover,these arcs are not involved in any disjunction of the spec-ification. So, the (un)satisfiability of the general formula(namely corresponding to the complete constraint graph)can be done using the (un)satisfiability of all strongly con-nected components (because they are locally neighbours in-dependent). Section 5 demonstrates that this decompositiontechnique is very efficient, because the time necessary toverify and debug a given strongly connected component ismuch smaller than the time spent to verify and debug thecomplete specification.

We showed in this section how to deal with one of themotivating key points of this paper, namely the decomposi-tion of the constraint graph.

5 Experimental Results

This section is dedicated to experimental work for thetheoretical results presented in previous sections. Firstly,we present the characteristics of our tool. Secondly, weshow how to do the verification and debugging of formulasthat are not necessarily path RTL, but extended path RTL(e.g., the airport radar station). The benefits of our decom-position technique are also highlighted.

5.1 Characteristics of DEVA-RTL

In the following, we shall present the characteristicsof the Java implementation of our automatic aproach,called DEVA-RTL (Decompositional Extended path RTLVerifier-debugger- Analyzer). The DEVA-RTL is an ex-tended tool of the SDRTL (Systematic Debugging for path

Real-Time Logic, [4]), a Java implementation of our debug-ging algorithm (an heuristic of Procedure A from Section2). SDRTL is able to identify potential missing constraintsand to modify existing constraints.

The main difference between DEVA-RTL and SDRTLis that DEVA-RTL can do verification and debugging forextended path RTL specifications (Section 3) by applyingthe decomposition technique (Section 4). Another differ-ence between the two tools is that DEVA-RTL identifieswhich class the input formula belongs to (e.g., path RTLor extended path RTL). For instance, the first three real-time systems examples of Table 1 are expressed in pathRTL, whereas the last example (radar station) is expressedin extended path RTL. As for SDRTL, the DEVA-RTL takesas input an old specification, followed by the necessarychanges that are made to it, namely the incremental spec-ification and the removed specification. The old specifica-tion represents the set of formulæ modelling the previousinstance. The incremental part refers to the new set of for-mulæ that should be added to the old specification, while theremoved part represents the set of sub-formulæ which haveto be removed from the old specification. All these three in-put files of DEVA-RTL and SDRTL contain the Presburgerarithmetic formula obtained after skolemizing the real-timelogic formula. DEVA-RTL, as well as SDRTL, give as out-puts the execution times details and the intermediate debug-ging results for the new complete specification.

5.2 Experimental Results of DEVA-RTL

First, we discuss about a comparison of the incrementalautomatic debugging of real-time systems specified in thepath RTL and systems specified in extended path RTL. Byautomatic debugging here, we mean the ability of DEVA-RTL to identify potential missing constraints from the ini-tial specification. We demonstrate the below experimentsby randomly removing one, two, three and four constraintsfrom a correct specification and check the execution timespent by DEVA-RTL. We ran DEVA-RTL on a PentiumIV computer system, with 2.4GHz using 512MB of mainmemory. Table 1 describes the output results obtained formore industrial real-time systems expressed in either thepath RTL or the extended path RTL. This table demonstratesthat the debugging times increase linearly as the number ofmissing constraints increase.

Although the specification of the radar station examplelooks smaller than the X 38, the verification and debuggingfor it takes longer time (i.e., 13.94 seconds against 5.92 sec-onds to identify four missing constraints) because the cor-responding propositional formula needs more variables andclauses. This is because the radar station is specified in theextended path RTL and the other three systems are still ex-pressed in traditional path RTL, so the number of proposi-


tional variables is double than a system expressed in pathRTL only. However, Table 1 demonstrates that even if thepropositional formula of the radar station is much largerthan the previous systems, the execution time of DEVA-RTL spent to identify the missing one, two, three and fourconstraints is quite reasonable.

The real-time -1 cons. -2 cons. -3 cons. -4 cons.system Time Time Time Time

sec. sec. sec. sec.railroad crossing 0.15 0.18 0.27 0.35reactor 0.81 1.43 2.07 2.82X 38 1.21 2.28 3.48 5.92radar station 3.12 5.38 8.75 13.94

Table 1. The DEVA-RTL experimental results

In the second part of this section, we illustrate the effi-ciency of the decomposition technique. Let us consider theX 38 specification (Section 4). The experimental results ofour verification and debugging technique is shown in Table2. We have tested the ability of DEVA-RTL to identify pos-sible missing constraints from the X 38 specification. Theidentification of missing one, two, three and four constraintshas been done not only for the complete X 38 specifica-tion, but also for each strongly connected component SCC1,SCC2, and SCC3 (Figure 2). Since the arcs from SCC1 toSCC2, and from SCC1 to SCC3 do not appear in any dis-junction of the formula, it follows that all SCC1, SCC2, andSCC3 are locally neighbour independent components.

The real-time -1 cons. -2 cons. -3 cons. -4 cons.system Time Time Time Time

sec. sec. sec. sec.X 38 1.21 2.28 3.48 5.92X 38 10FC 0.31 0.58 0.98 1.62X 38 50FC 0.28 0.59 0.96 1.58X 38 50NFC 0.27 0.60 0.97 1.60X 38extended 2.12 4.82 8.49 14.63X 38 40FC 0.30 0.54 0.92 1.48X 38 30FC 0.29 0.52 0.92 1.44X 38 20FC 0.31 0.53 0.90 1.52

Table 2. Decomposition technique debugging results

We ran DEVA-RTL on a Pentium IV, 1.7GHz computersystem, and the output results are shown in Table 2. This ta-ble demonstrates that the execution times for the verificationand debugging of each individual strongly connected com-ponent are smaller than the verification and debugging ofthe entire X 38 specification. We denote by X 38 10FC,X 38 50FC and X 38 50NFC the X 38 specificationcorresponding to each SCC1, SCC2, and SCC3, respec-tively. The columns of Table 2 (“cons.” stands for “con-straints”) refer to the various instances of the debuggingproblem where one, two, three, or four constraints weremissing. The time represents the average number of sec-onds until the DEVA-RTL identifies the missing constraints,

updates the specification, and checks the validity of the for-mula (we have tried many random one, two, three and fourmissing constraints for several times). That is, if one ofthese strongly connected components is unsatisfiable, thenthe complete formula is unsatisfiable, too. For example,if two missing constraints are from X 38 10FC specifi-cation, then DEVA-RTL needs only 0.58 seconds for theiridentification, and not searching the entire X 38 specifica-tion (which takes 2.28 seconds).

SCC3 SCC6SCC4SCC2 SCC5

SCC1

Figure 3. The extended X 38 constraint graph

In fact, the more strongly connected components theconstraint graph has, the better the performance of the de-composition technique. To demonstrate that, we extendedthe X 38 specification to three more X 38 flight-criticalcontrol loops, namely for 40 Hz, 30 Hz, and 20 Hz. Thenewly added constraints are very similar to the flight-criticalcontrol loop specification of 10 Hz. The new X 38 specifi-cation can be schematically drawn in Figure 3, where SCC1,SCC2, and SCC3 are the same as in Figure 1, whereasSCC4, SCC5, and SCC6 correspond to the new componentsof 40 Hz, 30 Hz, and 20 Hz, respectively. These are denotedin Table 1 by X 38 40FC, X 38 30FC, and X 38 20FC,respectively.

The verification and debugging of the X 38, the ex-tended X 38, and all strongly connected components havebeen captured in the second half of Table 2. The executiontimes necessary for the verification and debugging of eachstrongly connected component is approximately the same.Compared with the whole extended X 38 specification, theverification and debugging of each strongly connected com-ponent is approximately six times faster. For instance, sup-pose that during the debugging of the extended X 38, themissing constraint was from the component X 38 40FC.Then our tool is able to identify the missing constraint in0.30 seconds rather than considering the entire specification(which takes 2.12 seconds). We demonstrated that our de-composition technique can be effectively applied as a betteralternative to previous works [4].

6 Related Work

A number of efficient algorithms for obtaining the posi-tive cycles in a constraint graph have been analyzed in [7].


The debugging task from there is opposite to our approach.In Dasdan’s approach, a system is inconsistent if the con-straint graph has at least one positive cycle. On the contrary,in our debugging approach, we look for inserting as manypositive cycles as needed till the real-time system becomessafe.

There exist similar works for the verification of real-timesystems, based on a simple depth-first reachability analysison the simulation graph. One such example is [5], whichshowed an on-the-fly and symbolic algorithm for checkingwhether a timed automaton satisfies a formula of a timedtemporal logic.

The decomposition techniques are known to be very use-ful for systems specification. For example, such a tech-nique was presented in [1] to allows modular specificationof interacting hybrid systems. Another example of a de-composition technique was described in [15] in order todevelop a compositional real-time scheduling frameworkso that global system-level timing properties can be estab-lished by composing independently specified and analyzedlocal component-level timing properties. The decompo-sition techniques are used for component based mechani-cal systems verification. Such a technique was presentedin [11] to demonstrate that the decomposition of a fault-tolerant program into its components is useful in its me-chanical verification.

Papers [3, 4] represent a contribution where countingSAT-based algorithms have replaced the SAT-based algo-rithms for doing the verification and debugging of real-timesystems specification. There exist also other different areasof computer science where counting SAT algorithms can beused. One such interesting work is [13], which describes anew technique for optimal conformant planning based on apolynomial time complexity algorithm that use a countingSAT algorithm for the d-DNNF subclass of propositionalformulæ.

7 Conclusions and Future Work

The contribution of this paper is two-fold. Firstly, weextended the class of path RTL by allowing a larger varietyof inequalities and equalities to be described. As such, weremoved some of the limitations of path RTL, and providedat the same time a fast algorithm for the verification anddebugging of real-time systems specified in the extendedpath RTL class of formulas. Secondly, we described a newefficient divide-and-conquer method to solve the verifica-tion and debugging problem of large real-time systems tim-ing specifications using decomposition techniques. Conse-quently, dealing with smaller components leads to efficientverification and debugging of the entire real-time system.

Acknowledgments: We thank Professor Aloysius Mokfor useful comments on some past work and encourage-

ments to extend the path RTL class of formulae. We thankto Chen Chunqing for the useful comments that improvedthis work. Albert M. K. Cheng is supported in part by a2006 grant from the Institute for Space Systems Operationsand a 2006-2007 GEAR grant.

References

[1] R. Alur, R. Grosu, I. Lee, and O. Sokolsky. Compositionalrefinement for hierarchical hybrid systems. In Proceedingsof HSCC 2001, LNCS 2034, pages 33–48, 2001.

[2] S. Andrei. Counting for satisfiability by inverting resolution.Artificial Intelligence Review, 22(4):339–366, 2004.

[3] S. Andrei and W.-N. Chin. Incremental satisfiability count-ing for real-time systems. In Proceedings of RTAS’04, pages482–489, 2004.

[4] S. Andrei, W.-N. Chin, A. Cheng, and M. Lupu. System-atic debugging of real-time systems based on incrementalsatisfiability counting. In Proceedings of RTAS’05, pages519–528, 2005.

[5] A. Bouajjani, S. Tripakis, and S. Yovine. On-the-fly sym-bolic model checking for real-time systems. In Proceedingsof RTSS’97, pages 25–34, 1997.

[6] A. M. K. Cheng. Real-time systems. Scheduling, Analysis,and Verification. Wiley-Interscience.

[7] A. Dasdan. Efficient algorithms for debugging timing con-straint violations. In Proceedings of the 8th ACM/IEEE in-ternational workshop on Timing issues in the specificationand synthesis of digital systems, pages 50–56, 2002.

[8] F. Jahanian and A. Mok. Safety analysis of timing proper-ties in real-time systems. IEEE Transactions on SoftwareEngineering, SE-12(9):890–904, 1986.

[9] F. Jahanian and A. Mok. A graph-theoretic approach fortiming analysis and its implementation. IEEE Transactionson Computers, C-36(8):961–975, 1987.

[10] F. Jahanian and D. A. Stuart. A method for verifying proper-ties of modechart specifications. In Proceedings of RTSS’88,pages 12–21, 1988.

[11] S. S. Kulkarni, J. M. Rushby, and N. Shankar. A case-studyin component-based mechanical verification of fault-tolerantprograms. In ICDCS Workshop on Self-stabilizing Systems,pages 33–40, 1999.

[12] A. K. Mok, D.-C. Tsou, and R. C. M. de Rooij. TheMSP.RTL real-time scheduler synthesis tool. In Proceed-ings of RTSS ’96, pages 118–128, 1996.

[13] H. Palacios, B. Bonet, A. Darwiche, and H. Geffner. Pruningconformant plans by counting models on compiled d-dnnfrepresentations. In ICAPS, pages 141–150, 2005.

[14] L. E. P. Rice and A. M. K. Cheng. Timing analysis of theX-38 space station crew return vehicle avionics. In Proceed-ings of RTAS’99, pages 255–264, 1999.

[15] I. Shin and I. Lee. Compositional real-time schedulingframework. In RTSS, pages 57–67, 2004.

[16] F. Wang and A. K. Mok. RTL and refutation by positivecycles. In Proceedings of FME’94, volume 873 of LNCS.


Faster Verification of RTL-Specified Systems via Decomposition and Constraint Extension

Documents

Transcript of Faster Verification of RTL-Specified Systems via Decomposition and Constraint Extension