Symbolic Model Checking for Incomplete Designs

We consider the problem of checking whether an incomplete design can still be extended to a complete design satisfying a given CTL formula and whether the property is satisfied for all possible extensions. Motivated by the fact that well-known model checkers like SMV or VIS produce incorrect results when handling unknowns by using the programs' non-de-terministic signals, we present a series of approximate, yet sound algorithms to process incomplete designs with increasing quality and computational resources. Furthermore, we present an exact algorithm to process incomplete designs in which for each unknown area a fixed upper bound on the number of internal states is assumed and an approximate, yet sound method based on this. Finally we give a series of experimental results demonstrating the effectiveness and feasibility of the presented methods. Deciding the question whether a circuit implementation fulfills its specification is an essential problem in computer-aided design of VLSI circuits. Growing interest in universities and industry has led to new results and significant advances concerning topics like property checking, state space traversal and combinational equivalence checking. For proving properties of sequential circuits, Clarke, Emerson, and Sistla presented model checking for the temporal logic CTL [1]. Burch, Clarke, and McMillan et al. improved the technique by using symbolic methods based on binary decision diagrams [2] for both state set representation and state traversal in [3, 4]. In this paper we will consider how to perform model checking of incomplete circuits, i.e. circuits which contain unknown parts. These unknown parts are combined into so-called Black Boxes. In doing so, we will address two interesting questions: The question whether it is still possible to replace the Black Boxes by circuit implementations, so that a given